Exercise 1.4 - Working with a Container Registry

Return to Workshop

What it is

A basic container registry is a stateless, highly scalable server side application that stores and distributes container images. The docker registry is an open-source project offered under the permissive Apache license.

Why use it

You should use a private container registry if you want to:

  • tightly control where your images are being stored

  • fully own your images distribution pipeline

  • integrate image storage and distribution tightly into your in-house development workflow

First, lets install the docker-distribution package, to provide the registry software:

yum install -y docker-distribution

Next, lets set the service to auto-start at system boot:

systemctl enable docker-distribution

The container registry configuration file will need to be modified to allow the use of https (secure) communications. First, we will generate a certificate.

mkdir /etc/docker-distribution/certs
cd /etc/docker-distribution/certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt

Answer the questions that OpenSSL asks, in any way that you see fit, but make sure that you specify a Common Name of localhost. Here is an example:

Generating a 4096 bit RSA private key
............................................................++
...............................................................++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Ohio
Locality Name (eg, city) [Default City]:Dublin
Organization Name (eg, company) [Default Company Ltd]:workshop
Organizational Unit Name (eg, section) []:workshop
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:student@lab.local

To finish this configuration, let’s add the cert to the system’s trusted database:

cp domain.crt /etc/pki/tls/certs
update-ca-trust extract

Next, we will add secure mode to the container registry configuration. Edit the file '/etc/docker-distribution/registry/config.yml' to match the example below. Pay close attention to the last five lines, starting with tls, as these are required for configuration file.

vi /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry
    delete:
        enabled: true
http:
    addr: :5000
    tls:
      certificate: /etc/docker-distribution/certs/domain.crt
      key: /etc/docker-distribution/certs/domain.key
    host: https://localhost:5000
    relativeurls: false

Next, we can start the registry:

Start the registry
systemctl start docker-distribution

Before we upload anything, let’s take a look to see what images we have in the local image database:

podman images
REPOSITORY                            TAG      IMAGE ID       CREATED          SIZE
registry.access.redhat.com/rhel7      latest   7a840db7f020   2 days ago       211MB
docker.io/library/fedora              latest   cc510acfcd70   2 weeks ago      263MB
docker.io/library/fedora_postgresql   latest   b105a704d05d   10 minutes ago   495MB

Now, we will push the container to the local registry. Either of these two commands will work, showing that there is always more than one way to skin a cat.

Choose only one of the following two commands (buildah push or skopeo copy). Both accomplish the same purpose.
buildah push fedora_postgresql:latest localhost:5000/fedora_postgresql:latest

With Skopeo, we need to be a bit more specific, and specify the image ID that we saw, above, from podman images.

This image ID will vary, and you should use the value from the output produced on your workshop instance:
skopeo copy containers-storage:7a840db7f020 docker://localhost:5000/fedora_postgresql:latest

Next, let’s search the registry to make sure that our image made it, and is available:

podman search localhost:5000/postgresql
INDEX            NAME                               DESCRIPTION   STARS   OFFICIAL   AUTOMATED
localhost:5000   localhost:5000/fedora_postgresql                 0

Workshop Details

Domain Red Hat Logo
Workshop
Student ID

Return to Workshop