Mirroring private docker registry - docker

What is currently the recommended way to mirror a Private Docker Registry?
Mirroring functionality is provided by official docker-registry image but only for the Public Registry.
See documentation:
"Beware that mirroring only works for the public registry. You can not create a mirror for a private registry."
My use-case:
A bigger development team that is working in an office with a limited network. They only pull docker images from registries. Pushing is occasional and handled by Jenkins box hosted in AWS. Most of the images they use resides in our password protected Private Registry (served over https). So it's only natural to mirror/cache the Registry on a machine in a local network. If not for https I would just go for HTTP_PROXY and local squid install.
I'm sure I'm not the only one solving docker dev bandwidth problem. What do you do?

It is now possible to do this with the "proxy" settings in the configuration for a V2 registry. Just put up another registry (on a different server/port from any other private registry you have) and on every docker engine, set the '--registry-mirror' flag to point to it.
Just watch out for accidental pushes - always retag your images to the private registry or a private repository if you wish to keep them private.

Right now, I would recommend using the (new) golang registry (https://github.com/docker/distribution) instead of the (v1) python one, and go with the proxy solution (using HTTP_PROXY + a reverse proxy cache - squid, or whatever else pleases your tastes - I would probably use varnish).
Native support for "mirroring" built into the registry itself will come eventually, and later more flexible transports.

Related

How to achieve zero cost and secure deployment option using docker?

We are building a proprietary Java application based on Docker. Right now, we are using local docker installation and development is in progress. When we want to share this application, hope this should be deployed in some docker registry. Docker registry is free and opensource? or how can I securely+freely allow my customers to access my application?.Basically, we want zero cost secure deployment option using docker.
If you're fine with putting your docker images public - you can use the docker hub.
If you want to keep it private - you can opt for one of the free private registries, e.g. treescale
See a longer list of free private registries here

Is it possible to run one habor instance which accept push request of private images and proxing images from the dockerhub?

Im trying to setup a private Docker Registry with Harbor which is capable of storing "private" docker images and serving docker images from the Dockerhub.
Is there a way how I can run only one Harbor Instance?
From your description, it seems that you want to setup a private registry with Harbor and also want Harbor to cover the work of proxying/being a mirror of Dockhub, right?
The challenge is Harbor does not support proxy/mirror function so far. A possible workable but not perfect solution you can try is caching all the images of Dockhub through the replication feature provided by Harbor. That required the Harbor version > 1.9.0.

Feasibility of Docker image deploying without dockerhub.com and using in Jenkins

I am trying to use Kubernetes and Jenkins for my deployment of micro services developed using Spring Boot. When I am exploring many YouTube videos and other documentation tutorials are using dockerhub.com as keeping published image as repository.
Can I deploy docker image in Kubernetes by using Jenkins docker image build without using this dockerhub.com ? Means I don't want to share client code in a public place. So can I use Jenkins without dockerhub.com?
You do need to use some registry- kubernetes needs a registry URL to be able to pull and instantiate a particular image as a container in a pod. To avoid having the images themselves be publicly accessible you have 2 options:
use a business account at a public registry. You can get one of these from Docker, or from other services like Google or Quay. When you push images using a business account, you get a private space in the public registry and only your account credentials can push and pull those images. In this case your Kubernetes- and your Jenkins- has to be configured with credentials derived from your account to be able to pull those private images into your cluster.
run a private registry in your cluster or on your non-cluster infrastructure There are many flavors of private registries, including Docker's, Atlassian's, and many others. This keeps your images entirely on your infrastructure. The tradeoff is that you have to configure and run this as a production service, and most private registries suitable for production use have a lot of moving parts for scalable image storage, indexing, backup, and so forth.

Docker registry that allows public (anonymous) pull

I've been considering to use my own private docker registry to distribute some of my projects publicly. However, the moment you add an authentication strategy to your registry, you loose public pull access to all its images.
Is there an easy way to tell the registry some images can be anonymously pulled (not pushed, of course) - in the same way https://hub.docker.com/ works?
I've been reading through https://docs.docker.com/registry docs but so far I found nothing on the matter. I guess it's a use case covered in EE Docker Trusted Registry and not included in the community version:
DTR uses Role Based Access Control (RBAC) to allow you to implement fine-grained access control policies for who has access to your Docker images.
You can check 3rdparty Registry projects that allow fine grain access like Portus or Harbor, I use harbor and the projects set as public can be pulled anonymously

Modern status of private Docker registries/repos

So it's great that the public Docker registry exists; that way, if I want an out-of-the-box image for a MySQL server, or an nginx proxy, I can just use one pulled from the public registry as-is.
But obviously the public repo is no place to store my closed-source, application images. So I asked the Google Gods for the available options surrounding setting up private Docker registries, similar to how I publish all my binaries to a local Artifactory server. And I find the lack of private registry support most disturbing.
The main articles I found were:
https://docs.docker.com/registry/deploying/
https://github.com/docker/docker-registry
https://blog.docker.com/2013/07/how-to-use-your-own-registry/
However they are old and I know there have been recent major changes in Docker (libcontainer -> runc) that likely obsolesces them. So I ask: are there modern, Artifactory-like tools out there for hosting private Docker registries? If not, is there an easy recipe for rolling your own?
Bonus points if someone can explain to me the difference between: Docker indexes, registries and repositories.
First, the terminology:
A repository is a collection of images e.g the redis repository contains images for various versions of redis. A particular image is selected by specifying a tag e.g redis:3.0. If no tag is specified when pulling an image, it defaults to the latest tag.
A registry is a collection of repositories, the primary example being the Docker Hub.
"index" I think is old terminology that you can forget about.
(I expect bonus points now ;) )
As #Abdullah Jibaly points out, you can have private repositories on the Docker Hub.
You can also run your own registry, instructions are on the Docker distribution GitHub project. This is in no way obsoleted by runc (nor does it really have anything to do with runc).
There are also other hosted registry solutions such as http://quay.io.
https://hub.docker.com supports private images as well (similar to the github model), I'd start with that first.
I had the same task to look into recently. If you don't want to use the already mentioned private cloud offerings, there is (in the meanwhile) support for private (on premise) docker registries with:
JFrog Artifactory
Sonatype Nexus 3
GitLab
OpenShift

Resources