Setting Up Docker Registry with S3 Storage

As you know, putting your container images in the public Docker Registry is not a good idea, because anyone can pull them from there. Fortunately, Docker provides "Registry 2", which makes it simple to run a private Docker registry on your own server. It is a server-side application that stores your Docker images and lets you distribute them while keeping them private to your team, using authentication. In this article, I'll give a brief introduction to Registry 2 integrated with S3 storage, which makes the registry data persistent.

Setting Up Registry with S3 Storage

Step 1: Create an S3 bucket.
Step 2: Create an IAM user and download its access credentials.
Step 3: Create a new policy granting the following privileges on the new bucket.

The IAM user should have the following privileges on the bucket:

"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"

The policy JSON should look like the one below. Note that "2012-10-17" is the only policy-language version AWS accepts for a new policy; the resources are scoped to the single bucket (ListBucket on the bucket itself, object actions on the keys under it), so the user cannot touch any other bucket in the account.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::yournewbucketname"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::yournewbucketname/*"
          ]
        }
      ]
    }

Step 4: Attach the new policy to the new user.

All the above steps have to be performed on AWS, using the AWS console or the API.
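The point of steps 3 and 4 is that the registry's IAM user can reach only its own bucket. The helper below is an added example (not from the article) that generates the same policy for a given bucket name and lints any policy document for the things that silently widen that scope: a wildcard action or resource, an action the registry does not need, a resource outside the bucket, or a policy-language version AWS will reject. The bucket name "yournewbucketname" is the article's placeholder.

```python
import json

# Actions the article grants: ListBucket on the bucket, object actions on its keys.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}
POLICY_VERSION = "2012-10-17"  # the only version AWS accepts for new policies


def build_registry_policy(bucket):
    """Least-privilege policy for one registry bucket, as a dict ready for json.dumps."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(BUCKET_ACTIONS),
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Effect": "Allow",
                "Action": sorted(OBJECT_ACTIONS),
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy, bucket):
    """Return a list of human-readable problems; an empty list means the policy
    grants nothing beyond what the registry needs on `bucket`."""
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append(f"unexpected Version {policy.get('Version')!r}")
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    needed_actions = BUCKET_ACTIONS | OBJECT_ACTIONS
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in needed_actions:
                findings.append(f"statement {i}: action {action} is not needed by the registry")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed_resources:
                findings.append(f"statement {i}: resource {resource} is outside bucket {bucket}")
    return findings


if __name__ == "__main__":
    policy = build_registry_policy("yournewbucketname")
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy, "yournewbucketname"))
```

Run `policy_findings` against the policy document you actually attached (for example, the JSON returned by `aws iam get-policy-version`) rather than the one you meant to attach; the two drift surprisingly often.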

After step 4, the new IAM user has full access to the new bucket created for storing Docker images, and nothing else. Now we have all the data needed to start the registry container.
Start a new registry container with the following command:

    docker run \
        --restart always \
        -e SETTINGS_FLAVOR=s3 \
        -e AWS_BUCKET=$BUCKET \
        -e STORAGE_PATH=$BUCKET_PATH \
        -e AWS_KEY=$AWS_KEY \
        -e AWS_SECRET=$AWS_SECRET \
        -e AWS_REGION=$AWS_REGION \
        -e SEARCH_BACKEND=sqlalchemy \
        -e GUNICORN_OPTS=[--preload] \
        -p 5050:5000 \
        --name registry \
        -d registry:2

AWS_BUCKET: name of the S3 bucket.
STORAGE_PATH: optional folder name; useful when the bucket already holds other folders and you want the registry data kept apart from them.
AWS_KEY: access key of the IAM user.
AWS_SECRET: secret key of the new user.
AWS_REGION: us-east or us-west.
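Registry 2 also takes its storage settings as environment variables of the form REGISTRY_<section>_<key>, mirroring its config.yml; for the S3 driver those are REGISTRY_STORAGE_S3_ACCESSKEY, SECRETKEY, REGION, BUCKET and ROOTDIRECTORY, with REGISTRY_STORAGE=s3 selecting the driver. The helper below is an added example (not the article's command) that turns the five values listed above into that form, refuses to start with a missing value or a region that is not an AWS region name such as us-east-1, builds the `docker run` argument list without passing through a shell, and produces a redacted copy that is safe to log. The variable names are taken from the registry:2 configuration reference as I know it; the sample values are constructed.

```python
import re
import subprocess

# Settings the registry:2 S3 driver needs, keyed by their config.yml names.
REQUIRED_KEYS = ("accesskey", "secretkey", "region", "bucket")
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")  # us-east-1, eu-central-1, ...


def registry_s3_env(bucket, key, secret, region, root_directory=None):
    """Return the REGISTRY_* environment for an S3-backed registry:2.
    Raises ValueError when a required value is empty or the region is malformed,
    so a bad setting fails here instead of as an opaque error inside the container."""
    values = {"accesskey": key, "secretkey": secret, "region": region, "bucket": bucket}
    missing = [name for name in REQUIRED_KEYS if not values[name]]
    if missing:
        raise ValueError("missing S3 settings: " + ", ".join(missing))
    if not REGION_RE.match(region):
        raise ValueError(f"region {region!r} is not an AWS region name like us-east-1")
    env = {"REGISTRY_STORAGE": "s3"}
    for name, value in values.items():
        env[f"REGISTRY_STORAGE_S3_{name.upper()}"] = value
    if root_directory:
        env["REGISTRY_STORAGE_S3_ROOTDIRECTORY"] = root_directory
    return env


def docker_run_args(env, host_port=5000, name="registry"):
    """Argument list for docker run; a list (not a string) means a secret
    containing spaces or quotes cannot break or inject into the command."""
    args = ["docker", "run", "-d", "--restart", "always", "--name", name,
            "-p", f"{host_port}:5000"]
    for var, value in sorted(env.items()):
        args += ["-e", f"{var}={value}"]
    return args + ["registry:2"]


def redacted(env):
    """Copy of env with the secret key masked, for logs and console output."""
    return {k: ("***" if k.endswith("SECRETKEY") else v) for k, v in env.items()}


if __name__ == "__main__":
    # Constructed sample values; replace with the IAM user's real credentials.
    env = registry_s3_env("yournewbucketname", "AKIAEXAMPLEKEY", "example-secret",
                          "us-east-1", root_directory="registry")
    print(redacted(env))
    subprocess.run(docker_run_args(env, host_port=5050), check=True)
```

Starting the container from a list of arguments (or from an env file read by `--env-file`) also keeps the secret out of your shell history, which `docker run -e AWS_SECRET=...` typed at a prompt does not.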

You can see the container status using the command:

    docker ps
    CONTAINER ID   IMAGE        COMMAND                 CREATED      STATUS       PORTS      NAMES
    2151c2f11337   registry:2   "/entrypoint.sh /etc/"  3 days ago   Up 10 days   5000/tcp   registry

The registry is running and listening on the exposed port 5000. Now we can push our images to this registry, and it will use S3 for storage. This way we ensure there is no loss of data in case of a disk failure on the physical machine.

How to Push images to Registry?

The registry is ready, so we can push Docker images to it. In the example below we pull the basic CentOS 7 image from the public Docker registry, customize it, and push the new image to our own registry.

Step 1: Pull the CentOS 7 image (the official image is named centos, with 7 as the tag).

    docker pull centos:7

Step 2: Now we can customize it for our requirements.

Start a container from the centos:7 image and install the required software and tools in it. Once done, commit the changes:

    docker commit <containerid> myapp:latest

Step 3: Tag the new image

    docker tag myapp:latest 192.168.1.112:5000/myapp:latest

Step 4: Push the image to the registry

    docker push 192.168.1.112:5000/myapp:latest
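Step 3 is what decides where step 4 sends the image: `docker push` reads the registry host out of the image name, and a name with no host part (such as the plain `myapp:latest` from step 2) goes to the public Docker Hub, which is exactly what the introduction warns against. The parser below is an added example (not part of the article) that splits a reference the way Docker does, so a script can refuse to push anything not tagged for the private registry; `192.168.1.112:5000` is the article's registry address and the other references are constructed.

```python
DEFAULT_REGISTRY = "docker.io"


def parse_image_ref(ref):
    """Split 'registry/repo:tag' into (registry, repository, tag).
    Docker's rule: the first path component is a registry host only if it
    contains '.' or ':' or is 'localhost'; otherwise the whole name is a
    Docker Hub repository, and a single-component Hub name is an official
    image under 'library/'. Digest references (@sha256:...) are not used in
    the article and are rejected here."""
    if "@" in ref:
        raise ValueError(f"digest reference not supported: {ref}")
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
    # A ':' in the last path component is the tag; earlier ones belong to the host port.
    if ":" in path.rsplit("/", 1)[-1]:
        repo, _, tag = path.rpartition(":")
    else:
        repo, tag = path, "latest"
    if registry == DEFAULT_REGISTRY and "/" not in repo:
        repo = "library/" + repo
    return registry, repo, tag


def leaves_private_registry(refs, private_registry):
    """Return the references that would be pushed somewhere other than
    `private_registry`, e.g. to the public hub."""
    return [r for r in refs if parse_image_ref(r)[0] != private_registry]


if __name__ == "__main__":
    candidates = ["192.168.1.112:5000/myapp:latest", "myapp:latest", "centos:7"]
    for ref in candidates:
        print(ref, "->", parse_image_ref(ref))
    print("would leave the private registry:",
          leaves_private_registry(candidates, "192.168.1.112:5000"))
```

Wrapping `docker push` in a check like `leaves_private_registry` is cheap insurance in CI, where a forgotten `docker tag` step otherwise turns a private build into a public upload.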

Now the image has been pushed to the newly created Docker registry; you can share the registry endpoint and image details within your team, and your team members can pull it. Please note that we haven't enabled any authentication for this registry, so make sure port 5000 is open to known/internal IP addresses only. You can use iptables/firewalld for this.

Feel free to contact me if you have any questions or feedback, using the comments below.
