Run a docker-registry pull through cache (in production) so you can
- cache docker pulled docker images in your companies network to reduce the extern traffic load
- e.g. reduce amount of request done to the official
hub.dockerg.comregistry (and avoid rate limit issues) - use a shared credentials to access a private registry, without involving authentication on the client side
You can use it for some or all, as you like.
This concept is called pull-through cache, see official docs;
- https://docs.docker.com/registry/recipes/mirror/
- https://circleci.com/docs/2.0/docker-hub-pull-through-mirror/
Most of the pull through registries i found (like this) offer some what of a custom image, including a custom nginx - why i want to reuse building blocks. They also rather tend to not give you not fast upstart.
This is the main difference, we use the official registry image and we use an standalone ssl-offloader traefik which
also gives us the ability to use ACME or what ever you pick from (or use no off-loader at all - or your own).
Also, you can just add more registries and thus add several caches, if you need those - all with one ssl-offloader.
Use this repository to run it in production or test, use it as an fast upstart and use it as building blocks.
It should not used as a docker-registry boilerplate, this one is designed to be a pull-through cache, not a private docker registry:
First create the .env file using cp env.local.example .env and adjust the values
USERNAME1andPASSWORD1for upstream authenticationCACHE_DOMAIN1for your domain you want to access the pull-through cache with
If you want, set the custom UPSTREAM_REGISTRY1 to use your private registry as upstream.
docker-compose up -d
# or
./start.shThat's about it.
Pulls the newest images of registry and traefik and if needed, apply those.
./update.sh
The easiest mode to enable SSL is simply replacing the first line in you .env with
COMPOSE_FILE=docker-compose.yml:docker-compose-traefik-http.yml
So we switch from traefik non ssl (testing) to httpd challenge based SSL via ACME.
docker-compose up -dIf you want to use DNS based challenges for ACME, e.g. since you are in a private network, change .env to
COMPOSE_FILE=docker-compose.yml:docker-compose-traefik-dns.yml
And add the following variables to your .env
TRAEFIK_ACME_CHALLENGE_DNS_PROVIDER=cloudflare
TRAEFIK_ACME_CHALLENGE_DNS_CREDENTIALS=CF_DNS_API_TOKEN=<YOURTOKEN>Be sure to replace ` with your cloudflare API token.
Chose a difference provider and adjust the credentials if you like/need. of course.
The providers you can pick from can be found in the traefik docs.
Be sure to adjust the CF_DNS_API_TOKEN key to whatever your provider needs.
If you want to host more registries, since each registry-cache can only have one upstream, you can easily do so.
See the docker-compose-registry2.yml and add it to your .env file
COMPOSE_FILE=docker-compose.yml:docker-compose-traefik-http.yml::docker-compose-registry2.yml
Be suer to set USERNAME2/PASSWORD2/CACHE_DOMAIN2/UPSTREAM_REGISTRY2 (be sure to notice the 2 .. second registry)
in the .env file.
That's it, your traefik will take care of all the rest.
If you like, copy docker-compose-registry2.yml to docker-compose-registry3.yml .. change the ENV vars, set them
and you have the third. Repeat as often as you like