How it works...

We use openssl to create a self-signed certificate. This basically means we are our own certificate authority: we ourselves give credence to the certificate. The CRT file doubles as both the certificate authority key and the private key in a typical SSL exchange.

We register the certificate file in Docker by copying it to a relevant folder or registering it with Keychain in the case of Mac. Then we start our Docker registry container and we mount our certs folder into the container using the -v flag. This effectively means our certs folder is a shared folder between the host machine and the container.

Then we set two environment variables with the -e flag, which configures the registry to use the relevant key and certificate files in the mounted /certs folder.

It should be noted that using a self-signed certificate is fine within a development setting for sharing images across a development team, as access to the certificate can be tightly controlled. However, a full domain registry or a hosted registry must be used in any deployment environment.

Domain registry
Instructions on how to run a secured domain registry can be found at https://docs.docker.com/registry/deploying/.

Docker tagging may seem a little confusing at first, so let's dig into the details a little.

A tag comprises the following:

[registry host[:registry port]/]image name[:version] 

In other words, the registry host, port, and version parts of the tag are optional. If no registry name is supplied, then any subsequent push command will attempt to push to the central Docker Hub, which can be accessed at https://hub.docker.com/. Indeed, once we have signed up for an account we may push to and pull from this registry.
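The following added example (not code from the book) parses a tag in the format above and reports which registry a push would go to, so that a script can refuse to push an image that would silently default to Docker Hub. It goes slightly beyond the text by applying Docker's rule for telling a registry host from an account name (the first component counts as a host only if it contains a dot, a colon, or is localhost). The image names and the allow-list are constructed, and digest references (@sha256:...) are not handled.

```python
# Added example (not from the book): where would `docker push` send a tag?
DEFAULT_REGISTRY = "docker.io"  # Docker Hub, used when no registry host is given
DEFAULT_VERSION = "latest"      # Docker's default when no version is given


def parse_tag(tag):
    """Split [registry host[:registry port]/]image name[:version]."""
    host, port, rest = None, None, tag
    first, slash, remainder = tag.partition("/")
    # Docker only treats the first component as a registry host if it
    # contains '.' or ':' or is exactly 'localhost'; otherwise it is part
    # of the image name (for example an account name on Docker Hub).
    if slash and ("." in first or ":" in first or first == "localhost"):
        host, _, port_text = first.partition(":")
        port = int(port_text) if port_text else None
        rest = remainder
    # Only a ':' in the last path component separates name and version;
    # a ':' before the first '/' was the registry port.
    name, version = rest, DEFAULT_VERSION
    if ":" in rest.rsplit("/", 1)[-1]:
        name, version = rest.rsplit(":", 1)
    if not name or not version:
        raise ValueError(f"malformed tag: {tag!r}")
    return {"registry": host or DEFAULT_REGISTRY, "port": port,
            "image": name, "version": version}


def push_allowed(tag, allowed_registries):
    """True only if the tag names a registry on the allow-list."""
    ref = parse_tag(tag)
    target = ref["registry"] + (f":{ref['port']}" if ref["port"] else "")
    return target in allowed_registries


if __name__ == "__main__":
    allowed = {"localhost:5000"}  # constructed allow-list
    for t in ["localhost:5000/myimage", "myimage:1.0", "myteam/myimage"]:
        print(t, parse_tag(t), "push ok" if push_allowed(t, allowed) else "BLOCK")
```

Note that a tag such as localhost:5000 with no slash is read as image localhost at version 5000 on Docker Hub, not as a registry address.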

Registry and repository
We may hear the terms repository and registry used interchangeably with regard to Docker. Strictly speaking, registry refers to a Docker registry server such as the private registry that we ran in the previous recipe or the central Docker Hub. A repository refers to a collection of images; for example, we could create an account on the Docker Hub, create a repository against this account, and then push images into this repository.

Once an image has been tagged with a repository, the docker push command can be used to push images to that repository. We should emphasize that we're using an insecure local private registry, which is fine for experimentation. However, in a full production environment, a secured registry should always be used even when sitting behind multiple firewall layers.

We have been running the official Docker registry container; however, there are alternatives to this that we can install and run on premise:

Registry alternatives
We've been running the official Docker registry, which is freely available. Additional enterprise alternatives include the CoreOS Enterprise Registry, and Artifactory from JFrog also offers container artifact management.