Build a private Docker registry warehouse that requires signature verification in Ubuntu

Source: Internet
Author: User
Tags: openssl, openssl x509, nginx reverse proxy, docker hub, docker registry

Objective

A previous blog post, "Setting up a Docker registry private warehouse in Ubuntu", introduced a simple way to build a private Docker repository. That setup relied on the "--insecure-registry" parameter, which is tolerable inside a local area network but is a serious security risk for a production registry server. This post describes a method that uses authentication instead: an Nginx reverse proxy sits in front of the registry and refuses requests from clients that are not trusted.

Experimental environment
Server: Ubuntu 16.04, Docker 17.12.0-ce
Client: Ubuntu 14.04, Docker 17.12.0-ce

If you want to upgrade the Docker version of your system, please refer to this article: "Update and installation of the Ubuntu Docker version."
or refer to: "Docker Ubuntu 16.04 installs stable version, Community Edition Version".

Start the experiment.

Because we use the Nginx service as the authenticating front end, we also need to install apache2-utils, whose htpasswd tool generates the user name and password file. We use docker-compose to define and run the two Docker containers, and the curl tool to test the results.

Before you start the experiment, make sure you have installed the Docker-ce version.

Let's start with the experiment.

1 Installing the necessary tools
apt-get install -y docker-compose apache2-utils curl
2 Creating some file directories
mkdir /docker-registry
mkdir /docker-registry/data
mkdir /docker-registry/nginx
chown root:root /docker-registry
cd /docker-registry
3 Creating a Docker-compose.yml file (for defining Docker container properties)
cat docker-compose.yml

nginx:
  image: "nginx:1.9"
  ports:
    - 443:443
  links:
    - registry:registry
  volumes:
    - /docker-registry/nginx/:/etc/nginx/conf.d
registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - /docker-registry/data:/data

Description
The docker-compose.yml file first defines a registry container, whose port 5000 is mapped to port 5000 on the host's loopback interface (127.0.0.1), so the registry itself is not reachable from the network. It stores images under /data inside the container, which is bound to /docker-registry/data on the host.

Then the Nginx container is created. Through the links parameter the Nginx container is connected to the registry container, so it knows how to reach it (in practice, the registry container's IP address is written into the Nginx container's /etc/hosts file).

4 Starting the container
docker-compose  up

Note: this docker-compose command creates the two containers from the docker-compose.yml file just written and normally prints their combined output in the foreground.
To stop it, press Ctrl + C.

If you want to run in the background, you can use

docker-compose   up   -d
Create a Docker-registry.service file

Ubuntu versions prior to 14.01 only support upstart; if you want to manage the service with systemd you need Ubuntu 15.01 or later. I am using Ubuntu 16.04, which ships with systemd.

vi /etc/systemd/system/docker-registry.service:

[Unit]
Description=Starting docker registry

[Service]
Environment=MY_ENVIRONMENT_VAR=/docker-registry/docker-compose.yml
WorkingDirectory=/docker-registry
ExecStart=/usr/bin/docker-compose up
Restart=always

[Install]
WantedBy=multi-user.target

Description: now we can manage the Nginx and registry containers with service docker-registry start/stop/restart, which is very convenient.

Test: the service output shows that everything is fine.

Well, from here on, we can use the service docker-registry restart to restart the container.

5 Setting the configuration file for Nginx service

vi /docker-registry/nginx/registry.conf

upstream docker-registry {
  server registry:5000;
}

server {
  listen 443;
  server_name myregistrydomain.com;

  # SSL
  # ssl on;
  # ssl_certificate /etc/nginx/conf.d/domain.crt;
  # ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    # auth_basic "registry.localhost";
    # auth_basic_user_file /etc/nginx/conf.d/registry.password;
    # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}
Test
service docker-registry restart
curl http://localhost:5000/v2/

The result should be:
{}

6 Set security rights authentication, create user
cd /docker-registry/nginx
htpasswd -c registry.password mydocker
New password:
Re-type new password:
Adding password for user mydocker

Description: the htpasswd tool from apache2-utils creates a file containing the user name and the hashed password.

Open registry.conf file again
vi   /docker-registry/nginx/registry.conf
Remove the comments from the next few lines
auth_basic "registry.localhost";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
Re-Test
service docker-registry restart
curl http://localhost:443/v2/

Without credentials the proxy now refuses the request:

curl http://localhost:5043/v2/
401 Authorization Required
401 Authorization Required
nginx/1.9.15
Test again with user name and user password
curl http://mydocker:<password>@localhost:443/v2/
{}

Description: at this point we have working authentication for use on a LAN, but it still cannot be used as a public server, because SSL security has not yet been set up.

7 Set SSL Security Authentication

7.1 Open the registry.conf file again
vi  /docker-registry/nginx/registry.conf

Uncomment the following lines and fix the domain name:

upstream docker-registry {
  server registry:5000;
}

server {
  listen 443;
  server_name docker-server.com;

  # SSL
  ssl on;
  ssl_certificate /etc/nginx/conf.d/domain.crt;
  ssl_certificate_key /etc/nginx/conf.d/domain.key;
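As an added example (not part of the original post), the following shell script checks a registry.conf for the settings this post switches on one at a time: TLS, basic authentication, the Docker-Distribution-Api-Version header and the unlimited upload size. It writes two constructed sample files, the post's config with those lines still commented out and the same file with the comments removed, and reports which protections are still missing. The function names and file names are this example's own; the directive names are nginx's.

```shell
#!/bin/sh
# Added example, not from the original post: audit a registry.conf for the
# settings the post switches on step by step. Function and file names are
# assumptions of this example; the directive names are nginx's own.
set -eu

# Print the configuration with '#' comments removed, so a commented-out
# directive (the "before" state of the post's file) does not count as active.
active_lines() {
    sed 's/#.*$//' "$1"
}

# Print one finding per line for each weak setting and return the number of
# findings as the exit status, so 0 means the file passed every check.
audit_registry_conf() {
    conf="$1"
    findings=0
    if ! active_lines "$conf" | grep -Eq '^[[:space:]]*(ssl[[:space:]]+on|listen[[:space:]].*[[:space:]]ssl)[[:space:]]*;'; then
        echo "TLS is off: credentials and image layers cross the network in clear text"
        findings=$((findings + 1))
    fi
    if ! active_lines "$conf" | grep -Eq '^[[:space:]]*auth_basic_user_file[[:space:]]'; then
        echo "auth_basic_user_file is not active: anyone who can reach the proxy can pull and push"
        findings=$((findings + 1))
    fi
    if ! active_lines "$conf" | grep -Eiq "^[[:space:]]*add_header[[:space:]]+['\"]?docker-distribution-api-version"; then
        echo "Docker-Distribution-Api-Version header missing: nginx's own 401 will not look like a v2 registry to the client"
        findings=$((findings + 1))
    fi
    if ! active_lines "$conf" | grep -Eq '^[[:space:]]*client_max_body_size[[:space:]]+0[[:space:]]*;'; then
        echo "client_max_body_size is limited: large layer uploads will fail with HTTP 413"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: the post's registry.conf as first written (TLS and auth
# still commented out), and the same file after the post's later edits.
write_sample_confs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/weak.conf" <<'EOF'
upstream docker-registry {
    server registry:5000;
}
server {
    listen 443;
    server_name docker-server.com;
    # ssl on;
    # ssl_certificate /etc/nginx/conf.d/domain.crt;
    # ssl_certificate_key /etc/nginx/conf.d/domain.key;
    client_max_body_size 0;
    chunked_transfer_encoding on;
    location /v2/ {
        # auth_basic "registry.localhost";
        # auth_basic_user_file /etc/nginx/conf.d/registry.password;
        # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
        proxy_pass http://docker-registry;
    }
}
EOF
    # The hardened copy is the same file with the comment markers removed.
    sed 's/^\([[:space:]]*\)# /\1/' "$dir/weak.conf" > "$dir/hardened.conf"
}

# Stand-alone run (sh audit.sh --demo): audit both samples and show the difference.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_confs "$tmp"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_registry_conf "$tmp/$f.conf" || echo "($? finding(s))"
    done
    rm -r "$tmp"
fi
```

Run it with `--demo` to see the weak file produce three findings and the hardened file none. The comment stripping is line based, so a `#` inside a quoted nginx string would also be cut off; that does not occur in the post's file.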
7.2 Creating a certificate authority
cd  /docker-registry/nginx

Create a new root key:

openssl genrsa -out dockerCA.key 2048

Create the root certificate.
Fill in docker-server.com as the Common Name; the remaining fields can be filled in as you like.

openssl req -x509 -new -nodes -key dockerCA.key -days 10000 -out dockerCA.crt

Create the server key (this is the file referenced by the Nginx ssl_certificate_key directive):

openssl genrsa -out domain.key 2048

and create a new certificate signing request.
Use docker-server.com as the Common Name again, and do not set a challenge password.

openssl req -new -key domain.key -out docker-registry.com.csr

Finally, sign the request with the CA:

openssl x509 -req -in docker-registry.com.csr -CA dockerCA.crt -CAkey dockerCA.key -CAcreateserial -out domain.crt -days 10000

Copy dockerCA.crt

cd /docker-registry/nginx
cp dockerCA.crt /usr/local/share/ca-certificates/

To make the server trust our certificate authority, run:

update-ca-certificates && service docker restart && service docker-registry restart

Test

curl https://mydocker:<password>@docker-server.com/v2/
# output should be
{}
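As an added example (not part of the original post), here is the certificate procedure of section 7.2 as a script, with one change a practitioner needs today: Docker clients built with Go 1.15 or later ignore the certificate's Common Name and require the host name in a subjectAltName extension, so the post's CN-only domain.crt is rejected with an x509 hostname error by current clients. The script produces the same dockerCA.crt, domain.key and domain.crt files, adds the SAN at signing time, and checks the chain and host name with openssl verify. The function names, the minimal config files and the CA's Common Name are this example's own assumptions; it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post: create the same dockerCA.crt /
# domain.key / domain.crt files as section 7.2, but with a subjectAltName on
# the server certificate, and verify chain and host name with openssl.
# Assumptions: openssl 1.1.1 or newer is installed; file names follow the post;
# the function names and the CA's Common Name are this example's own choices.
set -eu

make_registry_certs() {
    outdir="$1"                      # e.g. /docker-registry/nginx
    host="${2:-docker-server.com}"   # the registry host name, as in the post
    mkdir -p "$outdir"

    # Minimal CA config: CA:TRUE and keyCertSign so clients accept it as an issuer.
    cat > "$outdir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Docker Registry Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$outdir/dockerCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$outdir/dockerCA.key" -days 10000 \
        -config "$outdir/ca.cnf" -out "$outdir/dockerCA.crt"

    # Server key and CSR. The CN matches the post; the SAN added below is
    # what current Docker clients (Go 1.15+) actually check.
    openssl genrsa -out "$outdir/domain.key" 2048 2>/dev/null
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" > "$outdir/csr.cnf"
    openssl req -new -key "$outdir/domain.key" -config "$outdir/csr.cnf" \
        -out "$outdir/docker-registry.com.csr"

    # Sign with the CA, adding the server-side extensions from an ext file.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' "$host" > "$outdir/san.ext"
    openssl x509 -req -in "$outdir/docker-registry.com.csr" -CA "$outdir/dockerCA.crt" \
        -CAkey "$outdir/dockerCA.key" -CAcreateserial -days 10000 \
        -extfile "$outdir/san.ext" -out "$outdir/domain.crt" 2>/dev/null
    rm -f "$outdir/ca.cnf" "$outdir/csr.cnf" "$outdir/san.ext"
}

# Succeeds only if domain.crt chains to dockerCA.crt AND is valid for $host,
# which is the check a client performs before it sends any credentials.
verify_registry_certs() {
    outdir="$1"
    host="${2:-docker-server.com}"
    openssl verify -CAfile "$outdir/dockerCA.crt" -verify_hostname "$host" \
        "$outdir/domain.crt" >/dev/null 2>&1
}

# Stand-alone run (sh certs.sh --demo): generate into a temp dir and verify.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_registry_certs "$tmp"
    verify_registry_certs "$tmp" && echo "domain.crt in $tmp is valid for docker-server.com"
fi
```

To use the output with the post's setup, call make_registry_certs /docker-registry/nginx and continue with the copy to /usr/local/share/ca-certificates and update-ca-certificates exactly as above; verify_registry_certs with a different host name fails, which is the same check that makes a client refuse a certificate issued for another name.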
8 Copying dockerCA.crt to the client
scp dockerCA.crt <user>@<client-host>:/usr/local/share/ca-certificates
<user>@<client-host>'s password:
dockerCA.crt                 100% 1302     1.3KB/s   00:00

If the client does not have a /usr/local/share/ca-certificates directory, you need to create it first.

9 Client Login Server Warehouse
update-ca-certificates && service docker restart

# test login to the freshly created repository:
docker login https://docker-server.com
Username: mydocker
Password:
Login Succeeded

The following line needs to be added to the client's /etc/hosts file:
192.168.188.113 docker-server.com    # (this is the IP address of the server used in my experiment)

9.1 Push mirroring on client
docker pull ubuntu    # try pulling the image from Docker Hub
docker tag ubuntu docker-server.com/test-ubuntu    # tag the image so it can be told apart
docker push docker-server.com/test-ubuntu    # push it to the private Docker registry

Confirm Test

On the client, delete the docker-server.com/test-ubuntu image:
docker image rm -f docker-server.com/test-ubuntu
Then download the test-ubuntu image from the docker-server.com repository:
docker pull docker-server.com/test-ubuntu

Process:

OK, it's a success.

If you encounter any problems during the experiment, look at the Docker log files:

journalctl -u docker    # Docker logs in the systemd journal
journalctl | grep docker    # system logs that mention Docker

Summary

This setup uses the reverse proxy function of Nginx to put authentication and SSL in front of the registry, tightening access control for the private repository.

Reference article:
"Private Docker Registry in Ubuntu Server 16.04"

