Docker Private Registry for Corporates

Now what exactly is private docker registry?

A private Docker registry is a secure, internal storage for Docker images within an organization. It allows authorized users to store, manage, and share Docker images privately, ensuring control over access, security, and compliance with organizational policies. It's used for storing container images used in building and deploying applications, offering benefits like enhanced security, performance, and customization compared to public registries.

What are the advantages of using a private docker registry over a public registry?

Using a private Docker registry offers several advantages over using a public registry like Docker Hub:

1. Security and Access Control: Private registries allow organizations to control access to Docker images,ensuring that only authorized users and systems can push or pull images. This enhances security by preventing unauthorized access or distribution of sensitive or proprietary software components.

2. Compliance: Private registries help organizations comply with industry regulations and internal security policies by keeping Docker images within controlled environments. This is crucial for handling confidential data or meeting specific compliance requirements.

3. Performance: Hosting Docker images internally or on a cloud platform closer to an organization's infrastructure can improve image download and upload speeds. This reduces latency compared to accessing images from public registries, especially useful for large-scale deployments or CI/CD pipelines.

4. Customization and Integration: Private registries can be customized to fit specific organizational needs. They can integrate with existing CI/CD pipelines, enforce image scanning for vulnerabilities, apply access controls via LDAP or OAuth, and implement image life cycle policies tailored to organizational workflows.

5. Reliability and Availability: Organizations can configure private registries for high availability and scalability,ensuring that Docker images are always accessible and reliable for development, testing, and production environments. This minimizes downtime and disruptions during software deployments.

6. Cost Management: While public registries like Docker Hub offer free usage tiers, they may require payment for additional usage or premium features. Private registries provide predictable costs and eliminate potential fees associated with exceeding usage limits or accessing premium features.

7. Offline Availability: Private registries enable offline access to Docker images, which is beneficial for environments with limited or no internet connectivity. This ensures continuity of development and deployment processes without dependency on external services.

In summary, using a private Docker registry provides enhanced security, compliance, performance, customization, and reliability compared to public registries, making it ideal for organizations that prioritize control, privacy, and operational efficiency in managing containerized applications.

What are the Demerits of using Docker-hub Private repository?

One major drawback of using Docker Hub's private repositories is cost. Unlike public repositories, which are free, Docker Hub charges for private repositories beyond a certain usage limit. This can lead to unexpected costs for organizations that heavily utilize private repositories for Docker image storage.

So to reduce the cost, we have a used Nexus Repository

What is Nexus Repository?

Nexus Repository, specifically Sonatype Nexus Repository Manager, is a popular repository manager used for storing and managing binary software artifacts. It acts as a centralized hub where organizations can store, organize, and distribute various types of software components and dependencies.

How does Nexus Repository Overcome the demerit of using a Private Docker-hub repository ?

Nexus Repository overcomes the limitations of Docker Hub private repositories by providing cost-effective, customizable, and secure artifact management. It offers robust access control, supports caching for faster performance, integrates with CI/CD pipelines, and handles various artifact formats. Unlike Docker Hub, Nexus Repository allows organizations to manage storage costs predictably and ensures compliance with regulatory requirements, making it ideal for enterprise-grade artifact management and distribution.

Here I will show to to set a private Repository on Nexus Repository

1. First, create an AWS instance with AMI as Canonical, Ubuntu, 24.04 LTS , Virtual server type (instance type) - t2.medium , Storage (volumes) - 1 volume(s) - 8 GiB & then launch the Instance

2. Connect to the SSH via MobaXterm or any other preferred SSH client.

3. Run Command

    sudo apt update 
    sudo apt install docker.io
    docker --verison
   

4. This will install docker , Now we need to to pull docker image.

    docker pull sonatype/nexus3
   

5. This might give you an error, because the Ubuntu user has no privileges to run docker commands by itself . Hence to give Ubuntu user the permissions we will run the following command.

sudo usermod -aG $USER

6. Now the Ubuntu user has the permissions to run the docker commands (it's not a good practice to use root user to do your tasks). We will proceed by pulling two images from Docker. Here the first command is used for a sample container.

    docker pull hello-world
    docker pull sonatype/nexus3
   

7. After pulling these two images we will run the container for Nexus.

    docker run -d -p 8081:8081 -p 5000:5000 sonatype/nexus3
   

   -d: This flag runs the container in detached mode, meaning it runs in the background.

   -p 8081:8081: This option publishes the container's port 8081 to the host port 8081. Sonatype Nexus uses port 8081 for web access by default.

   -p 5000:5000: This option publishes the container's port 5000 to the host port 5000. Port 5000 is not used by Sonatype Nexus by default, so this might be used for a different service or application running inside the container.

8. Access the Nexus container to retrieve the admin password.

    docker exec -it <container_id> /bin/bash
    cat sonatype-work/nexus3/admin.password
   

   docker exec: This command allows you to execute a command inside a running Docker container.

   -it: These are options used together to make the Docker command interactive (-i) and allocate a pseudo-TTY (-t), which allows you to interact with the shell session.

   /bin/bash: This is the command that you want to execute inside the container. Specifically, it starts a Bash shell (bash) session.

9. Log in to the Nexus web interface at http://<your-server-ip>:8081 using the retrieved password. Set a New Password .

   Navigate to Settings → Repository → Create Repository → Docker (hosted).

10. Go to Security → Realms. Add Docker Bearer Token Realm to the active realms.

    Save the changes. The Docker Bearer Token Realm specifically enables Docker clients to authenticate against Nexus using bearer tokens.

11. Nexus registry will use HTTP, hence we need to configure Docker to allow insecure registries. We will be adding a new file daemon.json in the /etc/docker/ location.

12. Add this content in the daemon.json

    {
      "insecure-registries": ["<your-nexus-ip>:5000"]
    }
    

13. Restart Docker.

sudo systemctl restart docker

14. Log in to your private registry.

    docker login <your-nexus-ip>:5000
    

15.Tag and push a Docker image to the Nexus repository.

docker tag hello-world:latest <your-nexus-ip>:5000/hello-world:latest
docker push <your-nexus-ip>:5000/hello-world:latest