The other day I got Ouroboros talking to my private Docker registry. The thing is, my Docker registry was only available locally. If I wanted to build my stack on a different computer, I'd be stuck! So I wanted to expose my private Docker registry on the big Internet, but at the same time restrict access to it.
This is how I did it...
First, I told my Nginx-gen and Let's Encrypt companion containers to prepare a virtualhost file and SSL certificates for my registry server. I shut down the default 5000 port on the host computer by using expose instead of ports, and I instructed the registry to use SSL certificates for communication plus simple authentication for access control. All of this is easily done straight in the docker-compose.yaml file, like this:
```
myregistry:
  container_name: myregistry
  image: registry:2
  networks:
```
Also, notice the /auth/.htpasswd reference. For this to work, you need to mount a registry auth file directory under volumes, and you also need to generate the actual auth file like this:
docker run --entrypoint htpasswd registry:2 -Bbn <username> <password> > ~/my-docker-data/registry/auth/.htpasswd
Finally, you need to update your container definitions in the docker-compose.yaml file to actually point to your new private repo for this to be of any use, e.g.:
image: your.docker.vhost.com/simple-apache-php:latest
Of course, Ouroboros will now check for image updates not from localhost, but from your new Docker host. This host is now secured with a username and password, so you need to tell Ouroboros how to provide credentials. To do that, just mount a very specific file (Linux) into your Ouroboros container:
volumes:
- $HOME/.docker/config.json:/root/.docker/config.json
For the config.json file to be populated with credentials, you need to log in to your Docker registry once as the user that owns the referenced $HOME directory:
docker login -u<username> -p<password> your.docker.vhost.com
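Before mounting config.json into the Ouroboros container, it is worth checking what the file actually holds. The following is an added example, not part of the original post: a Python check (the function names `audit_docker_config` and `write_sample` and the sample credentials are made up for illustration) that confirms the login entry for the registry exists, that the credentials are stored inline rather than in a credential helper, and that the file is not readable by other users.

```python
import base64, json, os, stat, tempfile

def audit_docker_config(path, registry):
    """Return notes on whether `path` is fit to mount into an updater container."""
    notes = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        notes.append(f"mode {mode:04o}: readable by group/others, chmod 600 it")
    with open(path) as fh:
        cfg = json.load(fh)
    entry = cfg.get("auths", {}).get(registry)
    if entry is None:
        notes.append(f"no auths entry for {registry}: run docker login first")
        return notes
    if not entry.get("auth"):
        # A credential helper keeps the secret outside config.json, so the
        # mounted file alone gives the container nothing to authenticate with.
        helper = cfg.get("credHelpers", {}).get(registry) or cfg.get("credsStore")
        notes.append(f"no inline auth (helper: {helper}); mount carries no credentials")
        return notes
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    # base64 is an encoding, not encryption: read access to the file is
    # equivalent to knowing the registry password.
    notes.append(f"inline credentials for {user!r}, {len(password)}-char password recoverable")
    return notes

def write_sample(cfg, mode):
    """Write a constructed config.json to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    host = "your.docker.vhost.com"  # placeholder host name used on this page
    token = base64.b64encode(b"alice:pw-constructed").decode()  # constructed
    samples = [
        write_sample({"auths": {host: {"auth": token}}}, 0o644),
        write_sample({"auths": {host: {}}, "credsStore": "desktop"}, 0o600),
    ]
    for path in samples:
        print(audit_docker_config(path, host))
        os.remove(path)
```

If the file does hold inline credentials, adding `:ro` to the volume line mounts it read-only so the container cannot modify it.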
Now you're set! You provision containers from your own private Docker repository. You can access this repository from anywhere if you have the right credentials, and Ouroboros knows how to pull new updates using the correct credentials.