<!-- [metadata]>
+++
title = "Deploying a registry server"
description = "Explains how to deploy a registry server"
keywords = ["registry, service, images, repository"]
[menu.main]
parent="smn_registry"
weight=3
+++
<![end-metadata]-->

# Deploying a registry server

You need to [install Docker version 1.6.0 or newer](https://docs.docker.com/installation/).

## Running on localhost

Start your registry:

    docker run -d -p 5000:5000 --restart=always --name registry registry:2

You can now use it with docker.

Get any image from the hub and tag it to point to your registry:

    docker pull ubuntu && docker tag ubuntu localhost:5000/ubuntu

... then push it to your registry:

    docker push localhost:5000/ubuntu

... then pull it back from your registry:

    docker pull localhost:5000/ubuntu

To stop your registry, you would:

    docker stop registry && docker rm -v registry

## Storage

By default, your registry data is persisted as a [docker volume](https://docs.docker.com/userguide/dockervolumes/) on the host filesystem. Properly understanding volumes is essential if you want to stick with local filesystem storage.

Specifically, you might want to point your volume location to a specific place in order to more easily access your registry data. To do so you can:

    docker run -d -p 5000:5000 --restart=always --name registry \
      -v `pwd`/data:/var/lib/registry \
      registry:2

### Alternatives

You should usually consider using [another storage backend](https://github.com/docker/distribution/blob/master/docs/storagedrivers.md) instead of the local filesystem. Use the [storage configuration options](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) to configure an alternate storage backend.

Using one of these will allow you to more easily scale your registry, and leverage your storage redundancy and availability features.

## Running a domain registry

While running on `localhost` has its uses, most people want their registry to be more widely available. To do so, the Docker engine requires you to secure it using TLS, which is conceptually very similar to configuring your web server with SSL.

### Get a certificate

Assuming that you own the domain `myregistrydomain.com`, and that its DNS record points to the host where you are running your registry, you first need to get a certificate from a CA.

Move and/or rename your crt file to: `certs/domain.crt` - and your key file to: `certs/domain.key`.

Make sure you stopped your registry from the previous steps, then start your registry again with TLS enabled:

    docker run -d -p 5000:5000 --restart=always --name registry \
      -v `pwd`/certs:/certs \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      registry:2

You should now be able to access your registry from another docker host:

    docker pull ubuntu
    docker tag ubuntu myregistrydomain.com:5000/ubuntu
    docker push myregistrydomain.com:5000/ubuntu
    docker pull myregistrydomain.com:5000/ubuntu

#### Gotcha

A certificate issuer may supply you with an *intermediate* certificate. In this case, you must combine your certificate with the intermediate's to form a *certificate bundle*. You can do this using the `cat` command:

    cat server.crt intermediate-certificates.pem > certs/domain.crt

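
A pre-flight check for the bundle described in the Gotcha above, as an added example that is not part of the original documentation: it confirms that the first certificate in the bundle matches the private key (which fails when the intermediate is concatenated first) and that it has not expired. The function names and the throwaway certificates are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```sh
#!/bin/sh
# Added example: pre-flight check for certs/domain.crt and certs/domain.key.

# check_bundle BUNDLE KEY
#   0 = first certificate in BUNDLE matches KEY and is not expired
#   1 = first certificate does not match KEY (typically: intermediate first)
#   2 = a file could not be parsed
#   3 = first certificate has already expired
check_bundle() {
    bundle=$1; key=$2
    # openssl x509 reads only the first PEM block, i.e. the certificate the
    # server will present as its own.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# make_sample DIR: constructed throwaway issuer and leaf, for demonstration only.
make_sample() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout issuer.key \
        -out intermediate-certificates.pem -subj "/CN=Constructed Issuer" \
        -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout domain.key -out leaf.csr \
        -subj "/CN=myregistrydomain.com" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA intermediate-certificates.pem \
        -CAkey issuer.key -set_serial 2 -days 2 -out server.crt 2>/dev/null
    cat server.crt intermediate-certificates.pem > domain.crt    # order from the page
    cat intermediate-certificates.pem server.crt > reversed.crt  # wrong order
)

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample "$demo_dir"
check_bundle "$demo_dir/domain.crt" "$demo_dir/domain.key" && echo "bundle ok"
check_bundle "$demo_dir/reversed.crt" "$demo_dir/domain.key" \
    || echo "reversed bundle rejected (code $?)"
```

Against a real deployment, call `check_bundle certs/domain.crt certs/domain.key` before starting the registry container.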
### Alternatives

While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions [here](insecure.md).

## Restricting access

Except for registries running on secure local networks, registries should always implement access restrictions.

### Native basic auth

The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism).

:warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work.

First create a password file with one entry for the user "testuser", with password "testpassword":

    mkdir auth
    docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd

Make sure you stopped your registry from the previous step, then start it again:

    docker run -d -p 5000:5000 --restart=always --name registry \
      -v `pwd`/auth:/auth \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -v `pwd`/certs:/certs \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      registry:2

You should now be able to:

    docker login myregistrydomain.com:5000

And then push and pull images as an authenticated user.

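
An added example, not part of the original documentation, that audits the `auth/htpasswd` file before it is mounted into the registry. The registry's htpasswd backend accepts only bcrypt entries (what `-B` produces), so entries in other formats are reported, along with duplicate users and a world-readable file; the function name and sample entries are constructed.

```sh
#!/bin/sh
# Added example: audit an htpasswd file before mounting it at /auth/htpasswd.

# audit_htpasswd FILE: prints one finding per line; returns 0 only if clean,
# 1 if there are findings, 2 if the file cannot be read.
audit_htpasswd() {
    file=$1; findings=0; seen=" "
    [ -r "$file" ] || { echo "unreadable: $file"; return 2; }
    # The file holds password hashes; it should not be world-readable.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "world-readable: $file"; findings=1
    fi
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -n "$user" ] || continue            # htpasswd -n emits a blank line
        case $hash in
            '$2'[aby]'$'[0-9][0-9]'$'?*) ;;   # bcrypt, as produced by -B
            *) echo "not bcrypt: $user"; findings=1 ;;
        esac
        case $seen in
            *" $user "*) echo "duplicate user: $user"; findings=1 ;;
        esac
        seen="$seen$user "
    done < "$file"
    return "$findings"
}

# Constructed sample (hash strings are placeholders, not real credentials).
sample=$(mktemp)
cat > "$sample" <<'EOF'
testuser:$2y$05$CONSTRUCTEDxSALTxANDxHASHxPLACEHOLDERxxxxxxxxxxxxxxxxx

olduser:$apr1$CONSTRUC$PLACEHOLDERxMD5xHASHxx
testuser:{SHA}CONSTRUCTEDxSHA1xPLACEHOLDER=
EOF
chmod 600 "$sample"
audit_htpasswd "$sample" || echo "htpasswd file needs attention"
```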
### Alternatives

1. You may want to leverage more advanced basic auth implementations through a proxy design, in front of the registry. You will find an example of such design in the [nginx proxy documentation](nginx.md).

2. Alternatively, the Registry also supports delegated authentication, redirecting users to a specific, trusted token server. That approach requires significantly more investment, and only makes sense if you want to fully configure ACLs and have more control over the Registry integration into your global authorization and authentication systems.

You will find [background information here](spec/auth/token.md), and [configuration information here](configuration.md#auth).

Beware that you will have to implement your own authentication service for this to work.

## Managing with Compose

As your registry configuration grows more complex, dealing with it can quickly become tedious.

It's highly recommended to use [Docker Compose](https://docs.docker.com/compose/) to facilitate operating your registry.

Here is a simple `docker-compose.yml` example that condenses everything explained so far:

```
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    # TLS certificate bundle and key, mounted from /path/certs
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
    # Selects the htpasswd backend, as -e "REGISTRY_AUTH=htpasswd" does above
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /path/data:/var/lib/registry
    - /path/certs:/certs
    - /path/auth:/auth
```

:warning: Replace `/path` with the directory that holds your `certs` and `auth` folders from above.

You can then start your registry with a simple:

    docker-compose up -d

## Next

You will find more specific and advanced information in the following sections:

- [Configuration reference](configuration.md)
- [Working with notifications](notifications.md)
- [Registry API](spec/api.md)
- [Storage driver model](storagedrivers.md)

<!--
- [Glossary](glossary.md)
### Development resources
- [Building the registry](building.md)
- [Architecture notes](architecture.md)
-->