The kind of deployment described in my previous article certainly does not suit every type of deployment. While Let’s Encrypt makes it easy for anybody who owns a domain to obtain an SSL certificate, you still need a domain, a public IP, and a DNS server to complete the process.
For development purposes, or in a properly secured environment, you can get by with an insecure local private registry. The “insecure” bit refers either to the use of http instead of https, or to the use of a self-signed certificate, with each node in the swarm configured to trust it. This article will cover both.
Insecure Registry with http
The easiest way to provide a registry server to a swarm is an http-only registry. By default the docker daemon on each node only trusts 127.0.0.1 or localhost to serve an insecure registry. To instruct the docker daemon to trust other addresses, open or create /etc/docker/daemon.json:
surfer@AWN1:~$ sudo nano /etc/docker/daemon.json
And add the following lines:
{ "insecure-registries": ["regs.mach5.web.id:5000"] }
Replace “regs.mach5.web.id” with your own domain, and make sure it is reachable from every node in the swarm. Save the file and restart the docker service:
surfer@AWN1:~$ sudo systemctl restart docker
Repeat these steps on all members of the swarm. To see whether the address is trusted, run this on any member of the swarm:
surfer@AWN1:~$ sudo docker info
Under “Insecure Registries” it should say:
Insecure Registries: regs.mach5.web.id:5000 127.0.0.0/8
Let’s test it out by pulling something from a public image registry, such as:
sudo docker pull php:apache
Tag the image:
sudo docker tag php:apache regs.mach5.web.id:5000/php-apache
Push it to the local registry:
sudo docker push regs.mach5.web.id:5000/php-apache
The image should now be available in the local registry, and we should be able to deploy it to the swarm with something like this:
sudo docker service create --name php regs.mach5.web.id:5000/php-apache
Insecure Registry with self-signed SSL certificate
We can, however, use HTTPS with a self-signed SSL certificate by forcing the nodes to trust the certificate that we created and signed.
First, create a self-signed certificate:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout privkey.key -x509 -days 365 -out domain.crt
Enter the name of the server when asked:
Common Name (e.g. server FQDN or YOUR name) []:regs.mach5.web.id
At the end of the process, we should have a “privkey.key” file containing the private key, and “domain.crt” containing the self-signed SSL certificate. Put them in a directory, say /data/docker/certs.
The second part is to create the htpasswd file for authentication:
sudo docker run --entrypoint htpasswd registry:2 -Bbn reg1 securePassReg1 > /data/docker/auth/htpasswd
Then start up our docker registry container:
sudo docker run -d --restart=always --name regs -v /data/docker/auth:/auth -v /data/docker/certs:/certs -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:8442 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/privkey.key -p 8442:8442 registry:2
Test logging in to the registry:
sudo docker login regs.mach5.web.id:8442
And you’ll probably be greeted with this:
Username: regs
Password:
Error response from daemon: Get https://regs.mach5.web.id:8442/v2/: x509: certificate signed by unknown authority
This is because the registry container is using a self-signed certificate. To get around it, we can instruct docker to trust the certificate. First, create these directories:
sudo mkdir /etc/docker/certs.d
sudo mkdir /etc/docker/certs.d/regs.mach5.web.id:8442
Replace regs.mach5.web.id with your own domain, and copy the domain’s SSL certificate into the directory we have just created:
sudo cp /data/docker/certs/domain.crt /etc/docker/certs.d/regs.mach5.web.id\:8442/
And restart the docker daemon:
sudo systemctl restart docker
Transfer the certificate to every member of the swarm and repeat the rest of these steps there; you should now be able to log in to the registry server.
After logging in, tag and push the image to regs.mach5.web.id:8442 as in the http section, and create services from images stored in the registry. Since this registry requires authentication, add --with-registry-auth so the credentials are forwarded to the nodes; note the port is 8442, the one the TLS registry listens on:
sudo docker service create --with-registry-auth --name php regs.mach5.web.id:8442/php-apache
Each member of the swarm should then be able to pull images from the private local registry on service creation.
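As an added example (not part of the original article or of Docker itself), this Python script models the two trust decisions configured above: the insecure-registries list in daemon.json, including the 127.0.0.0/8 default that docker info reports, and the per-registry CA directory under /etc/docker/certs.d. It assumes constructed inputs embedded inline and simplifies dockerd's DNS resolution to literal IPs and the name localhost.

```python
import ipaddress
import json
from pathlib import PurePosixPath

CERTS_D = PurePosixPath("/etc/docker/certs.d")
DEFAULT_INSECURE = ["127.0.0.0/8"]  # dockerd's built-in default, as shown by `docker info`
# Constructed sample input: the /etc/docker/daemon.json written in the http section.
DAEMON_JSON = '{ "insecure-registries": ["regs.mach5.web.id:5000"] }'
# Constructed sample input: files under /etc/docker/certs.d on a node that completed
# the self-signed section (only *.crt files count as CA roots; *.cert/*.key are client certs).
CERTS_D_FILES = ["/etc/docker/certs.d/regs.mach5.web.id:8442/domain.crt"]


def insecure_entries(daemon_json_text):
    """Entries dockerd honours: the daemon.json list plus the loopback default."""
    cfg = json.loads(daemon_json_text)
    return [e.lower() for e in cfg.get("insecure-registries", [])] + DEFAULT_INSECURE


def is_insecure(ref, daemon_json_text=DAEMON_JSON):
    """True if dockerd treats registry ref ('host[:port]') as insecure: it may fall
    back to plain HTTP and ignores TLS certificate errors."""
    ref = ref.lower()
    host = ref.partition(":")[0]  # bracketed IPv6 literals are not handled here
    # dockerd resolves the host via DNS before matching CIDR entries; to stay offline,
    # this simplification only handles literal IPs and the name "localhost".
    ip = "127.0.0.1" if host == "localhost" else host
    for entry in insecure_entries(daemon_json_text):
        if "/" in entry:  # CIDR entry: matches the resolved IP on any port
            try:
                if ipaddress.ip_address(ip) in ipaddress.ip_network(entry):
                    return True
            except ValueError:
                continue  # a hostname cannot be matched against a CIDR offline
        elif entry == ref:  # host:port entries must match the reference exactly
            return True
    return False


def trust_mode(ref, daemon_json_text=DAEMON_JSON, certs_d_files=CERTS_D_FILES):
    """'insecure': listed or loopback, HTTP allowed and certificate errors ignored;
    'pinned-ca': a *.crt under /etc/docker/certs.d/<ref>/ is used as a CA root;
    'system-ca': otherwise the certificate must chain to a system root."""
    if is_insecure(ref, daemon_json_text):
        return "insecure"
    ca_dir = CERTS_D / ref
    if any(f.endswith(".crt") and PurePosixPath(f).parent == ca_dir for f in certs_d_files):
        return "pinned-ca"
    return "system-ca"
```

Calling trust_mode('regs.mach5.web.id:8442') with an empty certs_d_files list reproduces the “certificate signed by unknown authority” situation from the login attempt above, while the certs.d copy moves it to 'pinned-ca'.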