How to do it...

Let's start a Docker registry container (we pulled the Docker registry container in the Getting Ready section of this recipe) with the following command:

$ docker run -d -p 5000:5000 --name registry registry:2 

If we now issue a docker ps command, we can see that our registry container is up and running on port 5000.

Now let's push a container to the registry to test it out.

To do this we need to tag an image with a specific naming convention.

Let's run the following command:

$ docker tag adderservice localhost:5000/adderservice 

If we now issue a docker images command, we should see the tag against our adderservice image:

REPOSITORY                    TAG      IMAGE ID       CREATED       SIZE
adderservice                  latest   ced38dc8a822   2 hours ago   235 MB
localhost:5000/adderservice   latest   ced38dc8a822   2 hours ago   235 MB

We can now push the image to our local registry:

$ docker push localhost:5000/adderservice 

We can check that this was successful by pulling the image back again:

$ docker pull localhost:5000/adderservice 

Running a registry in this configuration is not all that useful because the registry is only accessible over the localhost interface.

To run a registry in production, we should use a full domain registry that requires a domain certificate.

However, to run a local development registry, say for our development team's office, we can use a self-signed certificate.

Let's use the openssl tool to create a self-signed certificate:

$ cd micro
$ mkdir certs
$ openssl req -newkey rsa:4096 -nodes -sha256 \
    -keyout certs/localhost.key -x509 -days 365 -out certs/localhost.crt

Before we can generate the certificate, openssl will ask some questions. For most of the questions we can simply press Enter. However, the Common Name prompt should be passed localhost as the response:

Common Name (e.g. server FQDN or our name) []:localhost 

Now that we have generated our certificate, we need to tell Docker about it.

To do this on Mac we run the following:

$ sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain certs/localhost.crt

On Linux the equivalent commands would be as follows (the first creates the per-registry directory if it does not exist yet):

$ sudo mkdir -p /etc/docker/certs.d/localhost:5000
$ sudo cp certs/localhost.crt /etc/docker/certs.d/localhost:5000/ca.crt

Linux troubleshooting
Some Linux distributions require other steps to allow Docker to use a self-signed certificate. See https://docs.docker.com/registry/insecure/#troubleshooting-insecure-registry.

On Windows (assuming the ProgramData directory is at C:\ProgramData) we can add our certificate with the following:

$ copy certs\localhost.crt C:\ProgramData\docker\certs.d\localhost5000\ca.crt

We now need to restart Docker to allow the daemon to pick up the certificate. Once Docker has restarted, we can spin up our registry container, passing the certificate configuration via the necessary environment variables:

$ cd micro
# Remove the earlier plain-HTTP container so the name "registry" is free
$ docker rm -f registry
$ docker run -d -p 5000:5000 --name registry -v "$(pwd)/certs:/certs" \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/localhost.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/localhost.key registry:2

Finally, we can tag and push our adderservice image to our secured registry:

$ docker tag adderservice localhost:5000/adderservice
$ docker push localhost:5000/adderservice

Querying private registries
Whilst there is currently no official command-line client to query the contents of a Docker registry, we can interface directly with the registry HTTP API. For instance, curl https://localhost:5000/v2/_catalog will return a list of all images in the local private registry in JSON format.

In order to pull and push images from other machines, for example those of other developers in our team, we can simply share the generated certificate file (certs/localhost.crt). The private key, certs/localhost.key, stays on the registry host.
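
The certificate step above can also be run non-interactively and checked before the .crt file is handed to anyone. This is an added example, not code from the original recipe: the function names are illustrative, and it assumes OpenSSL 1.1.1 or later for -addext. It also writes the host name into subjectAltName, which Go-based clients such as Docker match against rather than the Common Name.

```shell
#!/bin/sh
# Added example (not from the recipe): scripted certificate creation and checks.
# Assumption: OpenSSL 1.1.1+ is installed; function names are illustrative.

# make_registry_cert DIR [HOST] [BITS]
# Writes DIR/HOST.key and DIR/HOST.crt (self-signed, valid for 365 days).
make_registry_cert() {
    dir=$1; host=${2:-localhost}; bits=${3:-4096}
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
    # The key is written unencrypted (-nodes), so restrict it to the owner.
    chmod 600 "$dir/$host.key"
}

# check_registry_cert CRT KEY HOST
# Returns 0 only if CRT names HOST in a SAN, is unexpired and matches KEY.
check_registry_cert() {
    crt=$1; key=$2; host=$3
    # 1. The host name must appear in subjectAltName, not only in the CN.
    openssl x509 -in "$crt" -noout -text \
        | grep -Eq "DNS:$host(,|[[:space:]]*\$)" \
        || { echo "no SAN entry for $host" >&2; return 2; }
    # 2. The certificate must not have expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired" >&2; return 3; }
    # 3. The public key in the certificate must belong to the private key.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "certificate and key do not match" >&2; return 4; }
}
```

Running make_registry_cert certs followed by check_registry_cert certs/localhost.crt certs/localhost.key localhost reproduces the files the recipe uses; a non-zero return code identifies which check failed.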
