Securing private registry

At our company, we are planning to create some kind of “docker build pipeline”, which should allow the developers in the teams to create their own containers. Currently, the building of docker containers and deployment is very free-form. Some people build containers locally and upload them to the registry.

In order to reason about the quality of the containers we use in our datacenter, we want to create a process that is easy to use, repeatable and can enforce certain validation checks before uploading/pushing a container into the (private) registry.

Now my question is: how do you guys make sure that the containers which are pushed to your private registry are “okay” and “validate” against your centralised set of rules? What are best practices?

We already use two access files in Nginx to distinguish credentials authorized to pull only and those with push/pull rights.
We plan to use two Registries. One for automated build from what is in Git and second for pushing tested and production ready containers.
Automated build could be triggered by commit to repository (or as you prefer) and the following steps easily scripted to build the container, run a set of tests against it and, if it passes, push the container to the Registry. With this approach, developers won’t be able to push to the Registry, only the build machine can. They can only commit new code to the Git repository.
Push to the production Registry should happen after long-term tests and might be manual by one responsible person or automatic if you trust your scripts and tests.

We are currently thinking about the same problem.
Our project consists of a number of services that each finally become a docker image. So we use a commit-triggered build configuration which builds, tests and dockerizes each service separately. The resulting images are tagged with a version + build number (e.g. 1.5-54) and pushed to our private registry. The :latest tag is always set to the latest image version ( :wink: ).

Now from these images, we can run our integration and system tests. If they go green as well, we plan to push the combination of images either into a second registry (just as @okgemaltoprg) or re-tag them with something like a stable tag for usage in production.

We use Bamboo as our build server and Artifactory to host the docker registry.


Thank you both, for your replies. Interesting stuff. Until now, we haven’t considered running two registries.

And about validation of the images? Any thoughts on that? For example, checking/validating:

  • exposed ports
  • world readable/writable files
  • etc.

What kind of mechanisms can we use for this?
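One mechanism for the validation step in the build job described above: a policy script that inspects the freshly built image before the push. This is an added example, not code from any of the posters; it assumes the build job has run `docker inspect IMAGE` and a `find` for world-writable files inside the image, and feeds both outputs to these functions (the allowed-port policy and all sample data are constructed).

```python
"""Pre-push policy checks for a built docker image (added example).

Input 1: JSON from `docker inspect IMAGE` (its Config section).
Input 2: file list from something like
         `docker run --rm --entrypoint find IMAGE / -xdev -type f -perm -o+w`
A non-empty violation list means the build job must not push the image.
"""
import json
from typing import List

# Ports an image is allowed to expose (assumed site policy, adjust to taste).
ALLOWED_PORTS = {"80/tcp", "443/tcp", "8080/tcp"}


def check_image_config(inspect_json: str) -> List[str]:
    """Return policy violations found in `docker inspect` output."""
    violations = []
    for image in json.loads(inspect_json):
        cfg = image.get("Config") or {}
        tag = (image.get("RepoTags") or ["<untagged>"])[0]
        # Every EXPOSE in the Dockerfile shows up in Config.ExposedPorts.
        for port in (cfg.get("ExposedPorts") or {}):
            if port not in ALLOWED_PORTS:
                violations.append(f"{tag}: exposes non-allowlisted port {port}")
        # An empty USER means the container's process runs as root.
        if not cfg.get("User"):
            violations.append(f"{tag}: runs as root (no USER set)")
    return violations


def check_world_writable(find_output: str) -> List[str]:
    """Flag every path the in-image `find ... -perm -o+w` reported."""
    return [f"world-writable file: {p}" for p in find_output.splitlines() if p.strip()]


def validate(inspect_json: str, find_output: str) -> List[str]:
    """Combine all checks; the caller fails the build on a non-empty result."""
    return check_image_config(inspect_json) + check_world_writable(find_output)


# Constructed sample data standing in for real `docker inspect` / find output.
SAMPLE_INSPECT = json.dumps([{
    "RepoTags": ["myservice:1.5-54"],
    "Config": {"User": "", "ExposedPorts": {"8080/tcp": {}, "2375/tcp": {}}},
}])
SAMPLE_FIND = "/app/config.yml\n/tmp/cache\n"

if __name__ == "__main__":
    problems = validate(SAMPLE_INSPECT, SAMPLE_FIND)
    for p in problems:
        print("FAIL", p)
    raise SystemExit(1 if problems else 0)  # non-zero exit blocks the push step
```

The same script can be pointed at the second, production registry's candidates when images are promoted, so both pushes described earlier in the thread are gated by one set of rules.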