Nexus OSS3 as Private Docker Registry - chaitanyavangalapudi/devops-scripts GitHub Wiki
When your application services are dockerized, you need to host a private Docker registry for your internal images. You can run the official registry image yourself with docker-compose, or use the private registry provided by GitLab.
In this article we discuss how to configure Nexus OSS3 as a private Docker registry. We assume that Nexus OSS3 is already installed, up and running, and we only cover exposing the repository URLs via HTTP.
Before performing the operations below, log in to the Nexus3 UI as Administrator. If you are on a corporate network with a proxy, configure the proxy in Nexus so that public images can be pulled from Docker Hub through it: navigate to
Server Administration and Configuration >> System >> HTTP
and enter the HTTP Proxy and HTTPS Proxy. If the proxy requires authentication, enter the username and password as well.
Note: Each Docker repository in Nexus is served on its own port (a repository connector), so this setup uses two ports: 8082 for the group repo (pulls from the proxy and hosted repos) and 8083 for the private repo (pull and push to the hosted repository).
Step #1 create a private (hosted) repository for our private images
Step # 1.1 Create Blob for private docker repository
Navigate to
Server Administration and Configuration >> Repository >> Blob Stores
Select Type as "File", enter a name of your choice (private-docker-registry here) and create the Blob Store. Giving each repository its own blob store keeps its data in a separate folder, which makes the storage easier to manage and back up.
Step # 1.2 Configure Private Docker Registry
This will be used as the registry for the docker images that we create through build.
Navigate to
Server Administration and Configuration >> Repository >> Repositories >> Create Repository
Select "docker(hosted)" from the Options listed in the page.
- Enter Name as "private-docker-repo"
- Select Online
- Under Repository Connectors, enter HTTP port as 8083
- Under Docker Registry API Support, select Enable Docker V1 API
- Under Blob Store, select private-docker-registry (the Blob Store created in Step 1.1)
- Under Deployment Policy, select Allow Redeploy
Create Repository after selecting all these options. It will create a new private docker repository.
Step #2 create a proxy repository pointing to Docker Hub
Step # 2.1 Create Blob for docker proxy repository
Navigate to
Server Administration and Configuration >> Repository >> Blob Stores
Select Type as "File", enter a name of your choice (docker-hub-proxy here) and create the Blob Store. As before, a dedicated blob store keeps this repository's data in its own folder.
Step # 2.2 Configure Docker Hub Proxy
This repository proxies everything you download from the official registry, Docker Hub. The next time the same image is pulled, it is served from the cache in Nexus, so docker pull completes quickly and the request never leaves your network.
Navigate to
Server Administration and Configuration >> Repository >> Repositories >> Create Repository
Select "docker(proxy)" from the Options listed in the page.
- Enter Name as "docker-hub-proxy"
- Select Online
- Under Proxy >> Remote Storage, enter the official Docker Hub registry URL, "https://registry-1.docker.io/"
- Under Proxy >> Docker Index, select "Use Docker Hub"
- Select "Auto Blocking Enabled"
- Under Blob Store, select docker-hub-proxy (the Blob Store created in Step 2.1 for the proxy)
- Under Negative Cache, select "Not Found Cache enabled"
Create Repository after selecting all these options. It will create a new proxy repository for Docker Hub.
Step #3 create a group repository to provide all the above configured repositories under a single URL
This step is optional. The group repository groups all the repositories above and gives you a single URL to configure on your clients for downloading Docker images.
Step # 3.1 Create Blob for docker group repository
Navigate to
Server Administration and Configuration >> Repository >> Blob Stores
Select Type as "File", enter a name of your choice (docker-group-repo here) and create the Blob Store. As before, a dedicated blob store keeps this repository's data in its own folder.
Step # 3.2 Create docker group repository as conglomeration of previously created repos
Navigate to
Server Administration and Configuration >> Repository >> Repositories >> Create Repository
Select "docker(group)" from the Options listed in the page.
- Enter Name as "docker-group-repo"
- Select Online
- Under Repository Connectors, enter HTTP port as 8082
- Under Blob Store, select docker-group-repo (the Blob Store created in Step 3.1)
- Under Group >> Member Repositories, add the previously created repositories, namely private-docker-repo and docker-hub-proxy
Create Repository will create the group Docker repo. You can create as many repositories as you need and add them all to the group repo. This step is optional for using Nexus 3 as a Docker registry, because clients can pull from and push to the proxy and hosted repositories directly, but the group repository makes it easy to pull both private and public images through one port.
Client Configuration to use the configured Docker Repositories
Step 1: Configure the Docker daemon on the host that is a client of the Nexus Docker repositories
To interact with your repositories, first configure the Docker daemon on your host to accept HTTP instead of HTTPS for these registries.
How exactly to do this depends on your operating system, so check the dockerd documentation. On RHEL/CentOS we can do this by adding the content below to /etc/docker/daemon.json.
Let us assume your Nexus host is 192.131.21.20. Each insecure-registries entry is a plain host:port value; do not include an http:// scheme, because dockerd rejects entries that contain "://". The disable-legacy-registry key was removed in Docker 17.12 and current daemons refuse to start on unknown keys, so omit it on newer releases.
{
  "insecure-registries": [
    "192.131.21.20:8082",
    "192.131.21.20:8083"
  ],
  "disable-legacy-registry": true
}
Step 2: Configure Docker to use HTTP Proxy
If your machine is behind a corporate proxy, you need to configure the HTTP proxy on both Nexus OSS and your client. On the client you can configure it by editing http-proxy.conf under /etc/systemd/system/docker.service.d/ (replace user, password and PROXY_HOST with your proxy details; the file holds the proxy password in clear text, so restrict its permissions to root):
[root@localhost /]# cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://user:password@PROXY_HOST:8080"
Environment="HTTPS_PROXY=http://user:password@PROXY_HOST:8080"
Environment="NO_PROXY=localhost,127.0.0.1"
Step 3: Restart Docker
After this, reload systemd and restart the Docker daemon on your machine by running:
sudo systemctl daemon-reload
sudo systemctl restart docker
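As an added example (not part of the original wiki and not a Docker tool), a small Python checker for the daemon.json written in Step 1: it flags insecure-registries entries that carry a scheme (which current dockerd rejects), flags the removed disable-legacy-registry key, and reminds you that every listed registry is reached over plaintext HTTP. The sample daemon.json is constructed here, using the page's host and ports.

```python
import json
import re

# Constructed sample: the page's daemon.json, with one registry value written
# with a scheme, which dockerd rejects ("should not contain '://'").
SAMPLE_DAEMON_JSON = """
{
  "insecure-registries": [
    "http://192.131.21.20:8082",
    "192.131.21.20:8083"
  ],
  "disable-legacy-registry": true
}
"""

# host[:port] as dockerd expects it: a hostname or IPv4 address plus an optional port.
HOST_PORT_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def audit_daemon_json(text):
    """Return a list of (severity, message) findings for a daemon.json body."""
    findings = []
    cfg = json.loads(text)
    for entry in cfg.get("insecure-registries", []):
        if "://" in entry:
            findings.append(("error", f"{entry}: drop the scheme, dockerd expects host:port"))
            entry = entry.split("://", 1)[1]
        if not HOST_PORT_RE.match(entry):
            findings.append(("error", f"{entry}: not a host[:port] value"))
            continue
        # Every entry here is reached over plaintext HTTP: docker login credentials
        # and image content cross the network unencrypted.
        findings.append(("warn", f"{entry}: plaintext registry, keep it on a trusted network"))
    if "disable-legacy-registry" in cfg:
        findings.append(("warn", "disable-legacy-registry was removed in Docker 17.12; "
                                 "newer daemons refuse to start on unknown keys"))
    return findings


def fixed_daemon_config(text):
    """Return the corrected config as a dict: schemes stripped, removed keys dropped."""
    cfg = json.loads(text)
    cfg["insecure-registries"] = [e.split("://", 1)[-1] for e in cfg.get("insecure-registries", [])]
    cfg.pop("disable-legacy-registry", None)
    return cfg


if __name__ == "__main__":
    for severity, message in audit_daemon_json(SAMPLE_DAEMON_JSON):
        print(f"[{severity}] {message}")
    print(json.dumps(fixed_daemon_config(SAMPLE_DAEMON_JSON), indent=2))
```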
Using Private Docker Repo and Group repo
docker login: log in to the private Nexus repo
Now we have to authenticate the client machine to the repositories:
docker login -u admin -p admin123 192.131.21.20:8082
docker login -u admin -p admin123 192.131.21.20:8083
Passing the password with -p leaves it in your shell history; on recent Docker clients, prefer --password-stdin and pipe the password in. A successful login creates an entry in ~/.docker/config.json in your home directory. Note that the auth value is only base64 of user:password, not encrypted, so protect this file like any other credential:
{
  "auths": {
    "192.131.21.20:8082": {
      "auth": "YWRtaW46YWRtaW4xMjM="
    },
    "192.131.21.20:8083": {
      "auth": "YWRtaW46YWRtaW4xMjM="
    }
  }
}
It is preferable to create a separate deployment user that has only the privileges needed to pull and push to these repositories, rather than full administrative rights, and to use that account for pull and push operations.
docker pull and push
After login, pull images through your group repo (notice port 8082 being used):
docker pull 192.131.21.20:8082/hello-world
docker pull 192.131.21.20:8082/your-private-image
You can pull both your Private images and public images from Docker Hub using your Group repo with port 8082. You can pull only your private images from private repo hosted at port 8083.
To push your private images to private docker repo, you have to tag the image with a tag that points to the private repo hosted on port 8083.
docker tag your-private-image:1 192.131.21.20:8083/your-private-image:1
docker push 192.131.21.20:8083/your-private-image:1
To pull your private images from the repo, you can use:
docker pull 192.131.21.20:8082/your-private-image:latest
OR
docker pull 192.131.21.20:8083/your-private-image:latest
Both ports will work. This is because using port 8083 will connect directly to the hosted repo, while using port 8082 will connect to the group repo, which contains the hosted repo. You can browse the repositories created and find the pulled images at: (replace the IP and other fields in the URL accordingly)
http://192.131.21.20:8081/#browse/browse:docker-hub-proxy
http://192.131.21.20:8081/repository/docker-hub-proxy/v2/library/hello-world/manifests/latest
Important Note:
- When you make a request with the Docker client, you provide a hostname and port followed by the image name. The Docker client does not support a context path to select the registry, such as http://192.131.21.20:8081/repository/private-docker-repo/, because the namespace and image name are embedded in the URLs it uses.
- This is why requests to Docker repositories on the repository manager are served on a specific, separate port, instead of the path-based scheme (nexushostname/repositoryName/path_to_content) that most other repository formats use.
- We need to set up a repository connector for each repository that receives push requests (private repos) and a single repository connector for pull requests (the group repo: all private repos plus the proxy repo for Docker Hub), each on a different port.
Does not work:
docker pull 192.131.21.20:8081/repository/private-docker-repo/hello-world:latest
Does work:
docker pull 192.131.21.20:8083/hello-world:latest
docker pull 192.131.21.20:8082/hello-world:latest
Since we cannot include the repository name in the Docker client request, we use a Repository Connector to assign a port to each Docker repository, and that port is what the Docker client commands use. The Repository Connector is found in the settings of each Docker repository.
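Added example (not from the original wiki): a minimal Registry V2 client in Python that covers the docker login and pull sections above as well as the note on repository connectors. It reads the login entry for a port from config.json-format text, shows that the auth value is just base64 of user:password, and lists images and tags by talking to the connector's port (/v2/ on 8083 or 8082) rather than a /repository/<name>/ path. The config text is constructed; the host, ports and credentials are the page's sample values, and the network calls assume the Nexus connectors are reachable.

```python
import base64
import json
import urllib.request

# Constructed sample in the shape docker login writes to ~/.docker/config.json.
SAMPLE_CONFIG_JSON = """
{
  "auths": {
    "192.131.21.20:8082": {"auth": "YWRtaW46YWRtaW4xMjM="},
    "192.131.21.20:8083": {"auth": "YWRtaW46YWRtaW4xMjM="}
  }
}
"""


def credentials_for(config_text, registry):
    """Decode the 'auth' entry for a registry: it is only base64(user:password)."""
    entry = json.loads(config_text)["auths"].get(registry)
    if entry is None:
        raise KeyError(f"no docker login entry for {registry}")
    user, password = base64.b64decode(entry["auth"]).decode().split(":", 1)
    return user, password


def basic_auth_header(user, password):
    """Authorization header value the registry expects for HTTP basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def registry_get(registry, path, header, scheme="http"):
    """GET a Registry V2 API path; the repository is selected by port, not by URL path."""
    req = urllib.request.Request(f"{scheme}://{registry}/v2/{path}",
                                 headers={"Authorization": header})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def list_images(config_text, registry):
    """Return {image: [tags]} for everything the connector on this host:port serves."""
    header = basic_auth_header(*credentials_for(config_text, registry))
    names = registry_get(registry, "_catalog", header).get("repositories", [])
    return {n: registry_get(registry, f"{n}/tags/list", header).get("tags") or [] for n in names}


if __name__ == "__main__":
    # Assumption: the hosted repo on 8083 is reachable; its inventory shows exactly
    # what has been pushed, while 8082 also lists images cached from Docker Hub.
    print(list_images(SAMPLE_CONFIG_JSON, "192.131.21.20:8083"))
```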