Docker Registry with Basic Authentication

In the last tutorial, we set up a secure Docker registry. Now we want to add authentication to this registry to prevent unauthorized users from pushing images to it. This will not be role-based authentication; we will set up Basic Authentication.

Let's get started! First, we will create a directory named auth.

gaurav@learning-ocean:~$ mkdir auth

First, install htpasswd using the command below.

gaurav@learning-ocean:~$ sudo apt-get install apache2-utils

Then we will use htpasswd to set up basic authentication.

gaurav@learning-ocean:~$ htpasswd -bnB gaurav password > auth/htpasswd
gaurav@learning-ocean:~$ cat auth/htpasswd
gaurav:$2y$05$ZDnhKI5nQvqNCFA94hY5e.rnIMD4KpTDkwMkA9jPVMe0g8wH06U7G
gaurav@learning-ocean:~$

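Notice the flags '-bnB' used here: 'b' runs htpasswd in batch mode, taking the password from the command line instead of prompting for it; 'n' displays the result on standard output instead of writing it to a file; and 'B' hashes the password using the bcrypt function. Because batch mode puts the password on the command line, it is visible there and can end up in the shell history.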

We have defined username as 'gaurav' and password as 'password'.

The output of this command is redirected to a file named 'htpasswd' in the auth folder.

You can see in the above output the username and the bcrypt hash of the password stored in the 'htpasswd' file.
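The registry's htpasswd authentication only honours bcrypt entries, and the `$2y$05$` prefix in the entry above shows htpasswd's default bcrypt cost of 5. The following check is an added example, not part of the original tutorial: the function names `audit_htpasswd` and `sample_htpasswd` and the minimum cost of 10 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit htpasswd entries on stdin.
# Usage: audit_htpasswd [MIN_COST] < auth/htpasswd
# Prints one line per problem entry and returns 1 if any were found.
# MIN_COST defaults to 10, an assumed local policy; htpasswd -B defaults to 5.
audit_htpasswd() {
    min_cost=${1:-10}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                 # skip blank lines and comments
        esac
        user=${line%%:*}
        hash=${line#*:}
        case $hash in
            '$2'[aby]'$'[0-9][0-9]'$'*) ;;       # bcrypt prefix, two-digit cost
            *)  printf 'NOT-BCRYPT %s\n' "$user"; bad=1; continue ;;
        esac
        if [ "${#hash}" -ne 60 ]; then           # bcrypt strings are 60 characters
            printf 'MALFORMED %s\n' "$user"; bad=1; continue
        fi
        rest=${hash#????}                        # drop the "$2y$" prefix
        cost=${rest%%'$'*}                       # text before the next "$"
        cost=${cost#0}                           # "05" -> "5" for integer compare
        if [ "$cost" -lt "$min_cost" ]; then
            printf 'LOW-COST %s cost=%s\n' "$user" "$cost"; bad=1
        fi
    done
    return "$bad"
}

# Sample input: the first entry is the one shown above; the others are
# constructed for illustration and are not hashes of any real password.
sample_htpasswd() {
    body='ZDnhKI5nQvqNCFA94hY5e.rnIMD4KpTDkwMkA9jPVMe0g8wH06U7G'
    printf 'gaurav:$2y$05$%s\n' "$body"
    printf 'ci:$2y$12$%s\n' "$body"
    printf 'legacy:$apr1$constructed$notARealHash\n'
}

sample_htpasswd | audit_htpasswd 10 || true
```

To raise the cost when generating an entry, htpasswd accepts '-C' together with '-B'.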

Now we will run our container registry using the command below.

gaurav@learning-ocean:~$ docker container run -d -p 5000:5000 --name registry_basic -v "$(pwd)"/auth:/auth -v "$(pwd)"/certs:/certs -e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry
00c5f5104addda4f51d04264967286a18e9b9713d271e91183097979a50309ad
gaurav@learning-ocean:~$
gaurav@learning-ocean:~$ docker container ls
CONTAINER ID   IMAGE      COMMAND                  CREATED         STATUS         PORTS                    NAMES
00c5f5104add   registry   "/entrypoint.sh /etc…"   7 seconds ago   Up 2 seconds   0.0.0.0:5000->5000/tcp   registry_basic
gaurav@learning-ocean:~$

Our container registry is up and running after the above step.

Now, if we try to push an image to this container registry without supplying a username and password, we get the following error.

gaurav@learning-ocean:~$ docker image push repo.docker.local:5000/redis
Using default tag: latest
The push refers to repository [repo.docker.local:5000/redis]
262de04acb7e: Preparing
45f6df634253: Preparing
e46136075591: Preparing
11f991845040: Preparing
dd1ebb1f5319: Preparing
814bff734324: Preparing
no basic auth credentials
gaurav@learning-ocean:~$

To push the image now, we need to log in to the container registry first. Use the command below to log in.

gaurav@learning-ocean:~$ docker login repo.docker.local:5000
Username: gaurav
Password:
WARNING! Your password will be stored unencrypted in /home/gaurav/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
gaurav@learning-ocean:~$

Now let's push the same image again.

gaurav@learning-ocean:~$ docker image push repo.docker.local:5000/redis
Using default tag: latest
The push refers to repository [repo.docker.local:5000/redis]
262de04acb7e: Pushed
45f6df634253: Pushed
e46136075591: Pushed
11f991845040: Pushed
dd1ebb1f5319: Pushed
814bff734324: Pushed
latest: digest: sha256:1bd57e1a42b99ae53412b582784d0362fa8205243ce5f289cb4f76de2907cb97 size: 1574
gaurav@learning-ocean:~$

The image is pushed successfully!

To log out, we can use the following command.

gaurav@learning-ocean:~$ docker logout repo.docker.local:5000
Removing login credentials for repo.docker.local:5000
gaurav@learning-ocean:~$