Docker Private Registries

Docker fetches container images from registries. The Docker Hub registry serves both public and private repositories, and you may also have private registries of your own to pull from.

Authenticate on private registries

Node Level

Beware: registries authenticated this way are available to all services.

$ sudo docker login some.private.registry

Service Level

Registries authenticated this way are only available to services of a namespace.

On a client computer (not a cluster node, where you don't want to share your registry access with all services), log in to the registry:

$ docker login some.private.registry

This command has created a $HOME/.docker/config.json containing your credentials.

On a target cluster node, create a secret in the namespace where you want to use the registry access, and load the config.json content into the secret's config.json key.

For example

$ om myns/sec/creds-some-private-registry create
$ om myns/sec/creds-some-private-registry edit --key config.json
# paste, save and exit

At this point, you can use the following setting in the DEFAULT or container sections of any service in the namespace:

registry_creds = creds-some-private-registry
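Before pasting the config.json into the secret, it is worth checking what docker login actually stored: an inline "auth" value is only base64 of user:password, which is why a node-level login shares usable credentials with every service, and why the namespace secret is the right place for them. The following audit script is an added example, not part of the OpenSVC documentation or code base; the config.json content it parses is constructed for the example.

```python
import base64
import json

# Constructed sample of the $HOME/.docker/config.json that `docker login` writes.
# The "auth" value is merely base64("user:password"), not encryption.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "some.private.registry": {
            "auth": base64.b64encode(b"deploy:s3cret-example").decode()
        },
        "https://index.docker.io/v1/": {}
    },
    "credHelpers": {"https://index.docker.io/v1/": "desktop"}
})


def audit_docker_config(text):
    """Return one dict per registry in a config.json, stating where its
    credential lives and, for inline entries, the username (never the password)."""
    cfg = json.loads(text)
    store = cfg.get("credsStore")          # global credential helper, if any
    helpers = cfg.get("credHelpers", {})   # per-registry credential helpers
    report = []
    for registry, entry in cfg.get("auths", {}).items():
        if "auth" in entry:
            # Inline credential: decoding recovers "user:password" in clear.
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            report.append({"registry": registry, "storage": "inline", "user": user})
        elif registry in helpers:
            report.append({"registry": registry, "storage": "helper:" + helpers[registry], "user": None})
        elif store:
            report.append({"registry": registry, "storage": "store:" + store, "user": None})
        else:
            report.append({"registry": registry, "storage": "none", "user": None})
    return report


def inline_registries(text):
    """Registries whose password is recoverable from the file itself; these are
    the entries that must live in a namespace secret, not a node-level login."""
    return [r["registry"] for r in audit_docker_config(text) if r["storage"] == "inline"]


if __name__ == "__main__":
    for row in audit_docker_config(SAMPLE_CONFIG):
        print(row)
```

Entries backed by a credential helper are not copied by pasting config.json into the secret, so only the inline ones actually reach the cluster.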

Install a Docker registry

Pre-requisites

  • An OpenSVC node with docker installed and running

  • CNI binaries installed

  • Access to the docker.io registry from the node

Service Creation

cat > /tmp/registry.template << EOF
[DEFAULT]
orchestrate = ha
nodes = {clusternodes}

[ip#1]
type = cni
netns = container#0

[container#0]
type = docker
image = ghcr.io/opensvc/pause

[container#1]
type = docker
image = registry
volume_mounts = {svcname}-data/registry:/var/lib/registry
netns = container#0

[volume#1]
name = {svcname}-data
size = {env.size}
access = rwo

[env]
size = 10g

EOF
svcmgr create -s test/registry --config /tmp/registry.template --provision

After a few seconds

$ om test/registry print status
registry                         up
`- instances
   |- nuc-cva                    down       idle
   `- aubergine                  up         idle, started
      |- ip#1           ........ up         cni default 10.22.0.122/16 eth12
      |- volume#1       ........ up         registry-data
      |- container#0    ........ up         docker container test..registry.container.0@ghcr.io/opensvc/pause
      |- container#1    ........ up         docker container test..registry.container.1@registry
      `- sync#i0        ...O./.. up         rsync svc config to nodes

The registry is up and running.

Warning

The docker registry does not deal with access control. As soon as the docker container is up, everyone is allowed to push/pull images to/from the registry. You can add authentication via the OpenSVC collector or a third-party solution, or simply bind the registry to the loopback IP address for a development laptop.

Testing the registry

On the demonstration setup, the cluster name is "homepool2", so the created registry is reachable via the cluster DNS name registry.test.svc.homepool2.

Tag an image to push to the private registry

$ sudo docker tag ghcr.io/opensvc/pause:latest registry.test.svc.homepool2:5000/google/pause:latest

Push the tagged image to the private registry

$ sudo docker push registry.test.svc.homepool2:5000/google/pause:latest
The push refers to a repository [registry.test.svc.homepool2:5000/google/pause]
5f70bf18a086: Pushed
e16a89738269: Pushed
latest: digest: sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105 size: 938