Don't Have a Spare Server for a Docker Registry?
If the number of servers is not a concern, simply run both nginx and the registry as Docker containers.
But if you only have a few servers, you can reuse the one that already runs nginx to host a private Docker registry, complete with its own domain, a certificate (certbot) and authentication (nginx HTTP basic auth).
No More Excuses, Let's Build It
- Create a new file docker-compose.yml with the contents below, then start it with
docker-compose up -d

```yaml
version: '3'
services:
  registry:
    image: registry:2.7.1
    container_name: registry
    ports:
      # Bind to loopback only: nginx is the only thing that should reach the
      # registry. Without the 127.0.0.1 prefix Docker publishes port 5000 on
      # every interface and the basic auth in nginx is bypassed entirely.
      - "127.0.0.1:5000:5000"
    environment:
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
      # DELETE is allowed; nginx basic auth has no per-user authorization, so
      # every valid login can delete manifests as well as push and pull.
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      # CORS headers only matter for a browser-based UI. No
      # Access-Control-Allow-Origin is set here, so they are inert; if you add
      # one later, use a specific origin, never '*', while Allow-Credentials is true.
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD, GET, OPTIONS, DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization, Accept]'
      REGISTRY_HTTP_HEADERS_Access-Control-Max-Age: '[1728000]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
    volumes:
      - registry-data:/data
volumes:
  registry-data:
```
- Here is the nginx config. Copy only the docker-registry part; I assume you are already comfortable with nginx and certbot. Run `nginx -t` and reload nginx after saving it.
```nginx
upstream docker-registry {
    server 127.0.0.1:5000;
}

## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header is unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
}

server {
    server_name myprivateregistry.com;
    server_tokens off;

    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    location / {
        # Basic auth at the root as well, so paths outside /v2/ cannot be probed
        # anonymously. Nothing is proxied here; after auth nginx serves its default root.
        # Don't forget to enable the nginx-http-auth fail2ban jail for brute-force protection.
        auth_basic "Registry realm";
        auth_basic_user_file /etc/nginx/docker-registry-pass;
    }

    location /v2/ {
        # Do not allow connections from docker 1.5 and earlier
        # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }

        # To add basic authentication to v2 use auth_basic setting.
        # The path must be absolute; a relative path is resolved against the
        # nginx prefix directory and the file will not be found.
        auth_basic "Registry realm";
        auth_basic_user_file /etc/nginx/docker-registry-pass;

        ## If $docker_distribution_api_version is empty, the header is not added.
        ## See the map directive above where this variable is defined.
        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

        proxy_pass                          http://docker-registry;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout                  900;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/myprivateregistry.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/myprivateregistry.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = myprivateregistry.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name myprivateregistry.com;
    return 404; # managed by Certbot
}
```
- Create the credentials file. The original command used the `registry:2` image, but `htpasswd` was dropped from that image in 2.7, so use the `httpd:2` image instead (it is pulled anyway for the push test below). `-B` selects bcrypt; the password is passed on the command line and therefore lands in your shell history, so use a throwaway shell or clear the history afterwards. Make the file readable by the nginx worker and by nobody else (on Debian/Ubuntu the worker runs as www-data). If nginx logs "crypt() failed", its libc lacks bcrypt support; regenerate the entry without `-B` (apr1-MD5) or with `openssl passwd -6` (SHA-512 crypt) in that case.
docker run --rm --entrypoint htpasswd httpd:2 -Bbn usernamenya passwordnya > /etc/nginx/docker-registry-pass
- Try logging in:
docker login myprivateregistry.com
Login Succeeded
- Test a push of the httpd image to the private registry:
docker tag httpd:2 myprivateregistry.com/httpd:2
docker push myprivateregistry.com/httpd:2
- Check the image catalog with curl:
curl -u usernamenya:passwordnya https://myprivateregistry.com/v2/_catalog

[Screenshot: push test followed by the image catalog check]
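The login, push and catalog steps above confirm the registry works for a valid user; they do not confirm that the nginx layer denies everyone else. The script below is an added example (not part of the original post) that smoke-tests exactly the behaviour the nginx config is responsible for: plain HTTP is redirected to HTTPS, `/v2/` answers 401 with a Basic challenge and still carries the `Docker-Distribution-Api-Version` header that the `map` block adds, and valid credentials get a 200 and the catalog. The response checks are pure shell so they can be run against constructed responses; only the final section talks to a real host. The environment variables `REGISTRY_HOST`, `REGISTRY_USER` and `REGISTRY_PASS` are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Smoke test for a Docker registry
# behind nginx basic auth. Assumed (hypothetical) environment variables:
#   REGISTRY_HOST  hostname, e.g. myprivateregistry.com
#   REGISTRY_USER / REGISTRY_PASS  the basic-auth credentials
set -eu

# Status code from the first line of a `curl -D -` header dump,
# e.g. "401" from "HTTP/1.1 401 Unauthorized" or "HTTP/2 401".
http_status() {
  printf '%s\n' "$1" | head -n 1 | awk '{print $2}'
}

# Value of one header ($1 = name, case-insensitive; $2 = header dump), CR stripped.
header_value() {
  printf '%s\n' "$2" | grep -i "^$1:" | head -n 1 | cut -d' ' -f2- | tr -d '\r'
}

# Expectations for GET /v2/. $1 = expected status (401 anonymous, 200 with
# credentials), $2 = header dump. Returns non-zero on any violation.
check_v2_response() {
  local expected="$1" response="$2" status version
  status=$(http_status "$response")
  if [ "$status" != "$expected" ]; then
    echo "GET /v2/: expected HTTP $expected, got ${status:-<none>}" >&2
    return 1
  fi
  # The map{} in the nginx config adds this header even when nginx itself
  # rejects the request, so the docker client can recognise a v2 registry
  # from the 401 alone.
  version=$(header_value Docker-Distribution-Api-Version "$response")
  if [ "$version" != "registry/2.0" ]; then
    echo "GET /v2/: missing Docker-Distribution-Api-Version header" >&2
    return 1
  fi
  # A 401 must carry a Basic challenge or the client never sends credentials.
  if [ "$expected" = "401" ]; then
    case "$(header_value WWW-Authenticate "$response")" in
      Basic\ realm=*) ;;
      *) echo "GET /v2/: 401 without a Basic challenge" >&2; return 1 ;;
    esac
  fi
}

# Expectation for http:// : a permanent redirect whose Location is https://.
check_http_redirect() {
  local response="$1" status location
  status=$(http_status "$response")
  location=$(header_value Location "$response")
  case "$status" in
    301|308) ;;
    *) echo "http://: expected a permanent redirect, got HTTP ${status:-<none>}" >&2; return 1 ;;
  esac
  case "$location" in
    https://*) ;;
    *) echo "http://: redirect does not point at https:// (${location:-<none>})" >&2; return 1 ;;
  esac
}

# Repository names from a /v2/_catalog body such as {"repositories":["a","b"]},
# one per line, without depending on jq.
list_repositories() {
  printf '%s' "$1" \
    | sed -n 's/.*"repositories" *: *\[\([^]]*\)].*/\1/p' \
    | tr -d '" ' | tr ',' '\n' | sed '/^$/d'
}

# Status line and headers for one URL. Credentials, when given as "user:pass",
# reach curl through a config file on stdin (-K -) so they never show up in ps.
fetch_headers() {
  local url="$1" creds="${2:-}"
  if [ -n "$creds" ]; then
    printf 'user = "%s"\n' "$creds" | curl -sS -o /dev/null -D - -K - "$url"
  else
    curl -sS -o /dev/null -D - "$url"
  fi
}

fetch_catalog() {
  printf 'user = "%s"\n' "$1" | curl -sS -K - "https://$2/v2/_catalog"
}

# Live checks run only when a host is configured; any failed check aborts (set -e).
if [ -n "${REGISTRY_HOST:-}" ]; then
  creds="${REGISTRY_USER:?set REGISTRY_USER}:${REGISTRY_PASS:?set REGISTRY_PASS}"
  check_http_redirect "$(fetch_headers "http://$REGISTRY_HOST/v2/")"
  check_v2_response 401 "$(fetch_headers "https://$REGISTRY_HOST/v2/")"
  check_v2_response 200 "$(fetch_headers "https://$REGISTRY_HOST/v2/" "$creds")"
  echo "registry at $REGISTRY_HOST is healthy; repositories:"
  list_repositories "$(fetch_catalog "$creds" "$REGISTRY_HOST")"
fi
```

Run it as `REGISTRY_HOST=myprivateregistry.com REGISTRY_USER=usernamenya REGISTRY_PASS=passwordnya bash smoke-test.sh` after every nginx change; a missing `listen 80`, a wrong `auth_basic_user_file` path or a dropped `add_header ... always` each shows up as a named failure rather than as a confusing `docker login` error.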