Skip to content
Docker registry charm. Report bugs at:
Branch: master
Clone or download
VariableDeclared and kwmonroe Change permissions on config.yml (#36)
Changed permissions to 600 on config.yml.

Latest commit 7e2ed7c Jun 13, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
exec.d/docker-compose stub out docker-compose charm-pre-install (#34) May 20, 2019
lib/charms/layer Change permissions on config.yml (#36) Jun 13, 2019
actions.yaml New actions to list and remove images (#31) Apr 26, 2019
config.yaml config to delete by digest; host volume to persist local images (#32) Apr 27, 2019
copyright restructre charm to stop vendoring interfaces Oct 5, 2018
layer.yaml update for multiple frontend proxies (#26) Feb 14, 2019
metadata.yaml update for multiple frontend proxies (#26) Feb 14, 2019


This charm provides a registry for storage and distribution of docker images. See for details.


The registry is deployed as a stand alone application and supports integration with clients that implement the docker-registry interface.

Standalone Registry

For testing purposes, a simple, insecure registry can be deployed with:

juju deploy ~containers/docker-registry

Secure Registry with TLS

This charm supports TLS via the tls-certificates relation. This can be enabled by deploying and relating to a TLS provider, such as easyrsa:

juju deploy ~containers/docker-registry
juju deploy ~containers/easyrsa

juju add-relation easyrsa docker-registry

This charm also supports configuration-based TLS, which does not require a relation to a TLS provider. Instead, transfer required files and configure this charm as follows:

juju scp /my/local/ca.pem docker-registry/0:/home/ubuntu/ca.pem
juju scp /my/local/cert.crt docker-registry/0:/home/ubuntu/cert.crt
juju scp /my/local/cert.key docker-registry/0:/home/ubuntu/cert.key

juju config docker-registry \
  tls-ca-path=/home/ubuntu/ca.pem \
  tls-cert-path=/home/ubuntu/cert.crt \

Finally, custom TLS data may be provided as base64-encoded config options to the charm. The configured tls-*-blob data will be written to corresponding configured tls-*-path files:

juju config docker-registry \
  tls-ca-blob=$(base64 /path/to/ca) \
  tls-cert-blob=$(base64 /path/to/cert) \
  tls-key-blob=$(base64 /path/to/key)

Proxied Registry

This charm supports an http proxy relation that allows operators to control how the registry is exposed on the network. This is achieved by relating to a proxy provider, such as haproxy.

Note: SSL pass-thru is not supported between docker-registry and haproxy. Any registry SSL configuration must be removed before creating the proxy relation. If SSL is desired in a proxied environment, the administrator must ensure certificates used by the proxy are configured on the appropriate target units.

A proxied registry environment can be deployed as follows:

juju deploy ~containers/docker-registry
juju deploy haproxy

juju add-relation haproxy docker-registry

When multiple docker-registry units are deployed, the proxy will be configured with one unit chosen as the primary proxied service with remaining units configured as backups. This provides a highly available deployment that will fail over to a backup if the primary service becomes unavailable.

Note: HA deployments require the proxy to be in active-passive peering mode, which is the default for haproxy.

Nagios Monitoring

This charm supports monitoring with nagios:

juju deploy ~containers/docker-registry
juju deploy nrpe --series bionic

juju relate docker-registry nrpe

Kubernetes Integration

See the Private Docker Registry documentation for details on integrating this charm with Kubernetes.


Adding Images

To make an image available in the deployed registry, it must be tagged and pushed. This charm provides the push action to do this:

juju run-action --wait docker-registry/0 push \
  image=<image> pull=<True|False> tag=<optional-tag-name>

This action will always tag and push a local image to the registry. By specifying pull=True (the default), the action will first pull the given image and subsequently tag/push it.

The default image tag is 'net_loc/name:version', where 'net_loc' is the http-host config option or http[s]://[private-ip]:[port] if config is not set. The image tag can be overriden by specifying the tag action parameter.

Listing Images

List images known to the registry with the images action:

juju run-action --wait docker-registry/0 images \
  options=<extra-args> repository=<repository[:tag]>

This runs docker images on the registry machine. The optional options and repository parameters are passed through to the underlying command. For example, show non-truncated output with numeric image IDs:

juju run-action --wait docker-registry/0 images \
  options="--no-trunc --quiet"

Removing Images

Remove images from the registry with the rmi action:

juju run-action --wait docker-registry/0 rmi \
  options=<extra-args> image=<image [image...]>

This runs docker rmi on the registry machine. The image name (or space separated names) must be specified using the image parameter. The optional options parameter is passed through to the underlying command. For example, remove the ubuntu:18.04 image without deleting untagged parents:

juju run-action --wait docker-registry/0 rmi \
  options="--no-prune" image="ubuntu:18.04"


The registry is configured to start automatically with the dockerd system service. It can also be started or stopped with charm actions as follows:

juju run-action --wait docker-registry/0 stop
juju run-action --wait docker-registry/0 start



This charm supports basic (htpasswd) as well as token-based authentication. Configure either method as follows:

juju config docker-registry \
  auth-basic-user='admin' \

juju config docker-registry \
  auth-token-issuer='' \
  auth-token-realm='myorg' \
  auth-token-root-certs='$(base64 /path/to/file)' \

Delete by digest

The recommended way to delete images from the registry is to use the rmi action. If necessary, this charm can be configured to allow deletion of blobs and manifests by digest by setting the storage-delete config option to true:

juju config docker-registry storage-delete=true

Read-Only Mode

The registry can be switched to read-only mode by setting the storage-read-only config option to true:

juju config docker-registry storage-read-only=true

This may be useful when performing maintenance or deploying an environment with complex authentication requirements.

As an example, consider a scenario that requires unauthenticated pull and authenticated push access to the registry. This can be achieved by deploying this charm twice with the same storage backend (for example, a Swift object storage cluster):

juju deploy docker-registry public --config <storage-swift-opts>
juju deploy docker-registry private --config <storage-swift-opts>

Configure the unauthenticated public registry to be read-only, and enable authentication for the private registry:

juju config public storage-read-only=true
juju config private <auth-opts>

With a common storage backend and appropriate configuration, unauthenticated public users have a read-only view of the images pushed by authenticated private users.

Swift Storage

The charm supports Swift configuration options that can be used to store images in a Swift backend:

juju config docker-registry \
  storage-swift-authurl=<url> \
  storage-swift-container=<container> \
  storage-swift-password=<pass> \
  storage-swift-region=<region> \
  storage-swift-tenant=<tenant> \

Note: If any of the swift config options are set, they must all be set.

Also note that if the swift container is empty, requests to the registry may return 503 errors like the following:

{"errors":[{"code":"UNAVAILABLE","message":"service unavailable","detail":"health check failed: please see /debug/health"}]}

Per, upload an empty file called "files" at the root of the container to workaround the issue.


The docker-registry charm is free and open source software created by the ~containers team at Canonical.

You can’t perform that action at this time.