Private Docker Registry

Kubernetes: Use your own private docker registry

Use your own private docker registry for development or private/non-public projects.



Docker Setup

Start registry container:

$ docker run -d -p 5000:5000 --restart=always --name registry registry:2

check container:

$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
d27ee6ca3baa        registry:2          "/entrypoint.sh /etc…"   24 minutes ago      Up 2 seconds        0.0.0.0:5000->5000/tcp   registry

and version:

$ docker exec d27ee6ca3baa registry -v
registry v2.7.1

try to log in:

$ docker login

Authenticating with existing credentials...
Login did not succeed, error: Error response from daemon: Get http: server gave HTTP response to HTTPS client

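Adjust or create a docker daemon config (use proper ip/netmask). The registry started above serves plain HTTP, which is why the HTTPS login failed, so the daemon has to list it under insecure-registries:

cat <<EOF >/etc/docker/daemon.json
{
   "insecure-registries": [""]
}
EOF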

restart docker:

$ sudo service docker restart

and log in again:

$ docker login
Authenticating with existing credentials...
Login Succeeded

Kubernetes Setup

Reference: Kubernetes: Pull an Image from a Private Registry

Create a docker configuration file similar to the one you have in ~/.docker/config.json (each key under "auths" is a registry address):

cat <<EOF >docker-config.json
{
	"auths": {
		"": {
			"auth": "YmxpbmtleWUuY2g6ZDBjazNyLmMwbQ=="
		},
		"": {
			"auth": "YmxpbmtleWUuY2g6ZDBjazNyLmMwbQ=="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.5 (linux)"
	}
}
EOF

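Now create a kubernetes secret from this docker-config.json file. The secret needs the type kubernetes.io/dockerconfigjson to be usable as an image pull secret:

$ kubectl create secret generic regcred --from-file=.dockerconfigjson=docker-config.json --type=kubernetes.io/dockerconfigjson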
secret/regcred created

# verify
$ kubectl get secret regcred --output=yaml
apiVersion: v1
data:
  .dockerconfigjson: ...
kind: Secret
metadata:
  creationTimestamp: "2019-05-29T14:01:36Z"
  name: regcred
  namespace: default
  resourceVersion: "1779592"
  selfLink: /api/v1/namespaces/default/secrets/regcred
  uid: 45cca5fe-821a-11e9-a954-525400fe342c

NOTE: auth is just base64 encoded username:password (use echo -n, otherwise a trailing newline is encoded as part of the password), e.g.:

$ echo -n "username:password" | base64

and to decode:

$ echo "dXNlcm5hbWU6cGFzc3dvcmQ=" | base64 -d
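
A check for the auth value described in the note, as an added example that is not part of the original page: it encodes a credential without a trailing newline, flags decoded values that carry one, and writes a one-registry docker-config.json. The function names and the address registry.example.internal:5000 are assumptions made for this example.

```shell
#!/bin/sh
# Added example. "username"/"password" are the sample values from the note;
# registry.example.internal:5000 is a constructed placeholder address.

# Encode user:password the way the "auth" field expects it: printf adds no
# trailing newline, and tr removes the line wrapping base64 applies to long input.
encode_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode an auth value and name the defect, if any. A credential encoded with
# plain `echo` carries a newline that becomes part of the password.
check_auth() {
  nl='
'
  cr=$(printf '\r')
  # $(...) strips trailing newlines, so append a sentinel and remove it again.
  if ! decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x); then
    echo "invalid-base64"; return 1
  fi
  decoded=${decoded%x}
  case $decoded in
    *"$nl"|*"$cr"|*" ") echo "trailing-whitespace"; return 1 ;;
    :*)                 echo "empty-username"; return 1 ;;
    *:*)                echo "ok" ;;
    *)                  echo "missing-colon"; return 1 ;;
  esac
}

# Emit a docker-config.json for one registry ($1) with user $2, password $3.
make_dockerconfig() {
  printf '{\n\t"auths": {\n\t\t"%s": {\n\t\t\t"auth": "%s"\n\t\t}\n\t}\n}\n' \
    "$1" "$(encode_auth "$2" "$3")"
}

# Demo: the same credential encoded both ways.
good=$(encode_auth username password)
bad=$(echo "username:password" | base64)
echo "printf: $good -> $(check_auth "$good")"
echo "echo:   $bad -> $(check_auth "$bad")"
make_dockerconfig registry.example.internal:5000 username password
```

Running check_auth on the auth values of an existing config before creating the secret catches the newline case, which otherwise shows up only as a failed image pull.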

Next, on each Kubernetes Node allow insecure registries:

cat >/etc/docker/daemon.json <<EOF
{
  "insecure-registries": [""]
}
EOF

Then restart the docker daemon:

$ service docker restart
$ docker login

Docker registry cleanup

Log in to the registry container:

$ docker exec -it registry /bin/sh


$ cd /var/lib/registry/docker/registry/v2/repositories
$ rm -r old_repository

Double check (from outside):

$ curl -X GET localhost:5000/v2/_catalog

Reason: the registry container does not have curl installed.

Docker cleanup


$ docker system prune --volumes -f


Remove all non-running containers.

$ docker ps -a | grep Exited | awk '{print $1}' | xargs docker rm

Next remove unused images:

$ docker image prune -a

WARNING! This will remove all images without at least one container associated to them.
Are you sure you want to continue? [y/N] y
Deleted Images:
deleted: sha256:da86e6ba6ca197bf6bc5e9d900febd906b133eaa4750e6bed647b0fbe50ed43e
deleted: sha256:e17133b79956ad6f69ae7f775badd1c11bad2fc64f0529cab863b9d12fbaa5c4
