How do I run Docker in production

A description of how I run Docker in production, part one

Disclaimer: I run Docker in a very small deployment, so this is not a comprehensive guide on how to run Docker in large-scale production. It is intended to give developers and system administrators a starting point.

Let me get something out of the way first. I have the bad habit of wanting to know how everything works, what makes it tick and how it functions, at least to a level that makes me comfortable that I will not screw things up when they move to production. In some cases this turns out to be a big disadvantage, since I cannot adopt new technologies very easily, but it pays off in the long run since I do not have to launch something into production and figure out the details later.

So as soon as I learned about Docker, the first thing I asked myself was “OK, how do I make my own base image?”

It turns out that it is not very difficult. Debootstrap will do most of the work for you, at least in building a basic file system. Here is a link that gives some details about how to do that, although it is not the original article I used: Docker - Create a base image.

Then comes the second question: how do you deploy Docker images to production? It turns out that Docker has a public repository that can be used to upload and download images, but what if you want to keep your images private? Well, I suppose you can export them from your local machine as .tar.gz files and import them on the server. The problem with that is that you lose an important feature of Docker: file-system layering. So what is layering? Your base image is not what you are going to use straight in production, but it will be the foundation of your final system. So at some point later you will want to build some task-specific containers that are based on your base image. When you deploy those images to production using docker pull, the base image is downloaded once and then only the changes of every other image are downloaded, saving both time and space on the server.

Docker registry

Docker Registry is software that helps you build your private Docker Hub, so you can manage your images without putting them out in the open. It has been a while since I built and ran the one I use, so a lot has changed since then. Back then you had to build the registry with an Nginx front end to handle SSL and authentication. I think the current release of Docker Registry can handle all the security on its own, rendering the Nginx service unnecessary. So if you are looking to build your own registry, it is good to check the official Docker documentation: Docker Registry

Security

This is a small list of things you should check when you have your Docker registry up and running. Remember, you are running your own registry to keep your images private. (Assumption: you are running the registry inside a Docker container.)

  • You are using an SSL certificate. Even a self-signed certificate is better than no certificate at all. In this case you may have to add your certificate's public key to each machine that is going to be pulling images from the registry.
  • If you are using Nginx or Apache for authentication, make sure that your Docker Registry is not accessible from the public Internet through a different port, for example if you ran the registry container with a -p 5000:5000 option, which publishes the port on every interface of the host and lets clients bypass the proxy entirely.
  • It is good to restrict the IP range that has access to the registry, even if the range is not precise. For example, if you are not sure what IP your next VM is going to get, allow the whole range of the data center.
  • If you are going to use iptables to limit access to any container, it is usually the FORWARD chain that matters, not the INPUT and OUTPUT chains: traffic to a published port is NATed and forwarded to the container rather than delivered to a process on the host.
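As an added example that is not part of the original post, here is a small POSIX shell script that puts the last three checklist items together: it flags -p specs that publish the registry port on every interface, prints a registry:2 run command that binds to loopback only and terminates TLS and htpasswd authentication itself, and prints an iptables rule that restricts forwarded traffic to one allowed range. The paths under /srv/registry and the 10.0.0.0/8 range are made-up placeholders; the rule goes into DOCKER-USER, the chain Docker hooks into FORWARD for administrator rules so they are not overwritten when the daemon restarts.

```shell
#!/bin/sh
# Added example: audit registry port publishing, build a loopback-only
# registry:2 run command with TLS + htpasswd, and emit the FORWARD-side
# iptables rule. Paths and the 10.0.0.0/8 range are placeholders.

# Return 0 when a docker -p spec binds a specific host address, 1 when it
# listens on every interface (the "-p 5000:5000" mistake from the checklist).
# Forms handled: "cPort", "hPort:cPort", "hIP:hPort:cPort", "[v6]:hPort:cPort".
publish_spec_is_restricted() {
    spec=$1
    case "$spec" in
        \[*\]:*:*) host_ip=${spec#\[}; host_ip=${host_ip%%\]*} ;;
        *:*:*)     host_ip=${spec%%:*} ;;
        *)         return 1 ;;
    esac
    case "$host_ip" in
        ""|0.0.0.0|::) return 1 ;;
        *)             return 0 ;;
    esac
}

# Print a docker run command for registry:2 that serves TLS and checks an
# htpasswd file itself, published on $bind_addr (loopback by default) only.
registry_run_command() {
    certs_dir=$1; auth_dir=$2; bind_addr=${3:-127.0.0.1}
    cmd="docker run -d --name registry -p ${bind_addr}:5000:5000"
    cmd="$cmd -v ${certs_dir}:/certs -v ${auth_dir}:/auth"
    cmd="$cmd -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt"
    cmd="$cmd -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key"
    cmd="$cmd -e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM=registry"
    cmd="$cmd -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2"
    printf '%s\n' "$cmd"
}

# Print an iptables rule dropping forwarded traffic to the registry port from
# outside the allowed CIDR. DOCKER-USER is consulted from FORWARD before
# Docker's own accept rules; INPUT never sees traffic bound for a container.
registry_forward_rule() {
    allowed_cidr=$1; port=${2:-5000}
    printf 'iptables -I DOCKER-USER -p tcp --dport %s ! -s %s -j DROP\n' \
        "$port" "$allowed_cidr"
}

# Walk a few constructed publish specs and report which ones leak the port.
for spec in 5000:5000 0.0.0.0:5000:5000 127.0.0.1:5000:5000 '[::1]:5000:5000'; do
    if publish_spec_is_restricted "$spec"; then echo "ok       -p $spec"
    else echo "EXPOSED  -p $spec"; fi
done
registry_run_command /srv/registry/certs /srv/registry/auth
registry_forward_rule 10.0.0.0/8
```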