Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
84 lines (58 sloc) 4.02 KB

Using a private registry with Fn

For local development, or a team that wishes to keep their images off of the public Docker registry, a private registry may be useful. This can be hosted on your own server or local machine. See the Docker docs here for information on setting this up. A registry on localhost may greatly speed up iterative development in environments where the network is constrained.

To set up your fn service with authentication for any registry, you must provide fn with FN_DOCKER_AUTH env var:


You may provide multiple auths in this way, it's also possible to run the fn docker container with a volume mounted ~/docker/config.json or use a local version of fn against your locally configured dockerd.

This is where the FN_REGISTRY environment variable or --registry setting comes into play.

The FN_REGISTRY or --registry setting.

This determines where your images will be pushed to or deployed from. It can follow one of the following schemes:

  • myuser -><image>:<tag>. Used for interacting with the official docker registry.

  • -><image>:<tag>. A custom registry hosted at the given domain. The image is not nested under a path.

  • -><image>:<tag>. A custom registry hosted at the given port. (Useful for insecure http registries running on port 80/5000).

  •[port?]/path ->[port?]/path/<image>:<tag>. The image will be nested under the given path. This path can be more than one element.

Insecure HTTP registries

If your registry is not hosted over https, your Docker daemon must be configured to treat the registry as http only.

In most installations this will require adding the <hostname>:<port> to the insecure_registries configuration for the Docker daemon. See here for more details and troubleshooting. Docker-for-Mac will require changing a setting in the UI.

Example of a private registry on localhost

Starting a registry:2 container:

$ docker run -d -p 5000:5000 --name registry registry:2
$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
c18ac6172e0d        registry:2          "/ /e..."   2 seconds ago       Up 2 seconds>5000/tcp   registry

Given a function called "dummy":

$ ls ./dummy
func.go    func.yaml
$ cat ./dummy/func.yaml
version: 0.0.1
runtime: go
entrypoint: ./func

Upload it to your registry (notice the use of --registry):

$ fn deploy --app myapp --registry localhost:5000/some/path
Deploying dummy to app: myapp at path: /dummy
Bumped to version 0.0.2
Building image localhost:5000/some/path/dummy:0.0.2 ..
Pushing localhost:5000/some/path/dummy:0.0.2 to docker registry...The push refers to a repository [localhost:5000/some/path/dummy]
5fcef0dbce8b: Pushed
ce4a1aad8bd7: Pushed
88229188f6e3: Pushed
d82c387bddae: Pushed
0.0.2: digest: sha256:369e158767c89357142f4f394618838b04865af7ab6afc183b38b5f46a0ece3f size: 1155
Updating route /dummy using image localhost:5000/some/path/dummy:0.0.2...

Now you can use the route and function named "dummy" as normal.

Authenticating against private registries

Pushing images to registries that require authentication (like Dockerhub) will require the use of docker login from your developer machine. This will be as similar for your private registry if you have authentication enabled.

For pulling images you may also require your Docker daemon to be authenticated. This also needs to be done via docker login but the official documentation demonstrates useful alternatives for automating credential usage via a config file or external credential providers which is suggested for larger fleets of machines.

You can’t perform that action at this time.