Private Docker Registry Setup: Manage Your Own Images on a VPS

A private Docker registry stores Docker images on your own server instead of on Docker Hub. This matters for:

- **Security:** Source code and images are not exposed to the public
- **Cost:** Docker Hub Pro is $5/month per user. Self-hosted = free
- **Performance:** Pulling images from a local server is much faster
- **Compliance:** Some industries require images to be stored in-country

## Self-Hosted Registry Options

### 1. Docker Registry (Official)

The official registry from Docker, simple and lightweight.

### 2. Harbor

An enterprise-grade registry with RBAC, vulnerability scanning, and replication.

### 3. GitLab Container Registry

Part of GitLab, a good fit if you already use GitLab CI/CD.

We will focus on **Docker Registry** (the simplest) and **Harbor** (for production).

## Docker Registry (Basic)

### Install

```bash
# Run with Docker
docker run -d --name registry \
  -p 5000:5000 \
  -v registry-data:/var/lib/registry \
  --restart unless-stopped \
  registry:2
```

This basic setup has neither TLS nor authentication, and `-p 5000:5000` publishes the port on every interface, so anyone who can reach port 5000 on the VPS can push and pull images. Treat it as a test setup and use the HTTPS configuration below for anything reachable from outside.

### Push Image

```bash
# Tag the image for the local registry
docker tag myapp:latest localhost:5000/myapp:latest

# Push to the registry
docker push localhost:5000/myapp:latest

# Pull from the registry
docker pull localhost:5000/myapp:latest
```

### Docker Client Configuration

Add the registry to the daemon config (`/etc/docker/daemon.json`):

```json
{
  "insecure-registries": ["localhost:5000"]
}
```

An `insecure-registries` entry tells the Docker daemon to accept plain HTTP or an unverified certificate for that registry. A remote client needs the registry server's own address in this list, and its traffic then travels unencrypted.

### Access from a Remote Server

```bash
# From another server; replace <server-ip> with the address of the registry host
docker tag myapp:latest <server-ip>:5000/myapp:latest
docker push <server-ip>:5000/myapp:latest
```

## Docker Registry with HTTPS

### Generate a Self-Signed Certificate

```bash
mkdir -p /opt/registry/certs

# Docker clients validate the subjectAltName, not the CN, so the certificate needs a SAN
openssl req -newkey rsa:4096 -nodes -sha256 \
  -keyout /opt/registry/certs/domain.key \
  -x509 -days 365 \
  -out /opt/registry/certs/domain.crt \
  -subj "/CN=registry.yourdomain.com" \
  -addext "subjectAltName=DNS:registry.yourdomain.com"
```

Because the certificate is self-signed, each Docker client has to trust it explicitly, for example by copying `domain.crt` to `/etc/docker/certs.d/registry.yourdomain.com/ca.crt` on that client.

### Run with TLS

```yaml
# docker-compose.yml (placed in /opt/registry, next to certs/ and auth/)
version: "3.8"
services:
  registry:
    image: registry:2
    container_name: registry
    restart: unless-stopped
    ports:
      - "443:5000"
    volumes:
      - registry-data:/var/lib/registry
      - ./certs:/certs
      # The htpasswd file must be mounted, otherwise REGISTRY_AUTH_HTPASSWD_PATH points at nothing
      - ./auth:/auth
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
volumes:
  registry-data:
```

### Generate htpasswd (Authentication)

Create the htpasswd file before starting the registry, because the container reads it from `/auth/htpasswd`.

```bash
# Install htpasswd
apt install -y apache2-utils

# Create a user (password123 is a placeholder; -b puts the password on the
# command line, where it ends up in shell history)
mkdir -p /opt/registry/auth
htpasswd -Bbn admin password123 > /opt/registry/auth/htpasswd

# Add another user
htpasswd -Bb /opt/registry/auth/htpasswd user2 password456
```

### Push with Auth

```bash
# Log in to the registry
docker login registry.yourdomain.com

# Tag and push
docker tag myapp:latest registry.yourdomain.com/myapp:latest
docker push registry.yourdomain.com/myapp:latest
```

## Harbor: Enterprise Registry

### Install with Docker Compose

```bash
# Download Harbor
wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-online-installer-v2.11.0.tgz
tar xzf harbor-online-installer-v2.11.0.tgz
cd harbor

# Copy the config
cp harbor.yml.tmpl harbor.yml
```

### Configure harbor.yml

```yaml
hostname: harbor.yourdomain.com

https:
  port: 443
  certificate: /opt/harbor/certs/harbor.crt
  private_key: /opt/harbor/certs/harbor.key

# Template default: change it before running install.sh
harbor_admin_password: Harbor12345

database:
  # Template default: change it before running install.sh
  password: root123
  max_idle_conns: 100
  max_open_conns: 900

data_volume: /data/harbor
```

### Install

```bash
./install.sh --with-trivy
```

### Harbor Features

- **RBAC:** Role-based access control per project
- **Vulnerability Scanning:** Automatic image scanning with Trivy
- **Replication:** Sync images to a remote registry
- **Tag Immutability:** Protect tags from being overwritten
- **Webhook:** Notifications to Slack/Telegram when an image is pushed
- **Audit Log:** All access is logged

## Mirror Registry

Use a local registry as a mirror for Docker Hub. Images that have been pulled once are cached locally:

```yaml
# docker-compose.yml for the registry mirror
services:
  registry-mirror:
    image: registry:2
    container_name: registry-mirror
    restart: unless-stopped
    ports:
      - "5001:5000"
    environment:
      REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io
    volumes:
      - mirror-cache:/var/lib/registry
volumes:
  mirror-cache:
```

### Docker Daemon Configuration

`/etc/docker/daemon.json`:

```json
{
  "registry-mirrors": ["http://localhost:5001"]
}
```

## Backup Registry

### Backup Script

```bash
#!/bin/bash
set -euo pipefail

BACKUP_DIR="/backup/registry"
DATE=$(date +%Y%m%d)
# /var/lib/registry is the path inside the container; on the host the data lives
# in the registry-data volume (Compose prefixes the volume name with the project name)
DATA_DIR="$(docker volume inspect -f '{{ .Mountpoint }}' registry-data)"

mkdir -p "$BACKUP_DIR"

# Stop the registry (for consistency) and restart it on exit, even if the backup fails
docker stop registry
trap 'docker start registry' EXIT

# Back up the data
tar czf "$BACKUP_DIR/registry-$DATE.tar.gz" -C "$DATA_DIR" .

# Clean up archives older than 7 days
find "$BACKUP_DIR" -type f -name 'registry-*.tar.gz' -mtime +7 -delete
```

## Monitoring Registry

```bash
# The HTTPS registry above requires authentication and uses a self-signed
# certificate, so pass a user (curl prompts for the password) and the certificate

# Check the registry catalog
curl -s -u admin --cacert /opt/registry/certs/domain.crt https://registry.yourdomain.com/v2/_catalog

# Check tags
curl -s -u admin --cacert /opt/registry/certs/domain.crt https://registry.yourdomain.com/v2/myapp/tags/list

# Registry size
docker exec registry du -sh /var/lib/registry/
```

A private Docker registry removes the dependency on Docker Hub and gives you full control over your image artifacts. For small teams, the basic Docker Registry is enough. For enterprises with compliance requirements, Harbor is the right choice.
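
The registry's htpasswd backend only accepts bcrypt entries, which is why the commands in the authentication step use `-B`; entries with other hash types are ignored. The following check is an added example, not part of the original article: it audits an htpasswd file before it is mounted at `/auth/htpasswd`. The sample entries are constructed, and the minimum cost of 10 is an assumed local policy.

```shell
#!/usr/bin/env bash
# Added example: audit an htpasswd file before mounting it at /auth/htpasswd.
MIN_COST=10   # assumed local policy; `htpasswd -B` without -C writes cost 05

# audit_htpasswd FILE: print one finding per bad entry; return 0 only if clean.
audit_htpasswd() {
  local n=0 bad=0 line user hash cost
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    [ -z "$line" ] && continue            # htpasswd -n appends a blank line
    user="${line%%:*}"; hash="${line#*:}"
    if [ "$user" = "$line" ] || [ -z "$user" ]; then
      echo "line $n: not in user:hash form"; bad=1; continue
    fi
    case "$hash" in
      '$2y$'*|'$2a$'*|'$2b$'*)
        cost="${hash#\$2?\$}"; cost="${cost%%\$*}"   # "$2y$05$..." -> "05"
        case "$cost" in [0-9][0-9]) ;; *) cost="" ;; esac
        if [ "${#hash}" -ne 60 ] || [ -z "$cost" ]; then
          echo "line $n ($user): malformed bcrypt hash"; bad=1
        elif [ "$cost" -lt "$MIN_COST" ]; then
          echo "line $n ($user): bcrypt cost $cost is below $MIN_COST"; bad=1
        fi ;;
      '$apr1$'*) echo "line $n ($user): MD5 (apr1) hash, not bcrypt"; bad=1 ;;
      '{SHA}'*)  echo "line $n ($user): SHA-1 hash, not bcrypt"; bad=1 ;;
      *)         echo "line $n ($user): unrecognised hash, not bcrypt"; bad=1 ;;
    esac
  done < "$1"
  return "$bad"
}

# write_sample FILE: constructed entries, not real credentials (filler hash bodies).
write_sample() {
  local body='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0'   # 53 chars
  printf '%s\n' "admin:\$2y\$10\$$body" "user2:\$2y\$05\$$body" \
    'ci:$apr1$constructed$fillerfillerfillerfil' \
    'legacy:{SHA}constructedfillerdigest00000=' '' > "$1"
}

sample="$(mktemp)"
write_sample "$sample"
audit_htpasswd "$sample" || echo "fix the entries above before starting the registry"
rm -f "$sample"
```

To clear the cost finding, regenerate the entry with `htpasswd -B -C 10`.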
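
A backup from the script in the backup section is only useful if it restores intact. As an added example (not from the original article), the check below relies on the registry's filesystem storage layout, where each blob lives at `docker/registry/v2/blobs/sha256/<first two hex digits>/<digest>/data`, and recomputes every digest in a restored data directory. `put_blob` and the demo data are constructed helpers.

```shell
#!/usr/bin/env bash
# Added example: verify a restored registry data directory. Blobs are stored
# content-addressed, so each data file must hash to its parent directory's name.

# verify_blobs ROOT: print "MISMATCH <digest>" per bad blob; return 0 if all match.
verify_blobs() {
  local root="$1/docker/registry/v2/blobs/sha256" bad=0 f want got
  [ -d "$root" ] || { echo "no blob store under $1"; return 2; }
  for f in "$root"/*/*/data; do
    [ -f "$f" ] || continue                  # glob matched nothing
    want="$(basename "$(dirname "$f")")"     # digest the registry expects
    got="$(sha256sum "$f" | cut -d' ' -f1)"  # digest of what is on disk
    if [ "$want" != "$got" ]; then
      echo "MISMATCH $want"; bad=1
    fi
  done
  return "$bad"
}

# put_blob ROOT CONTENT: store CONTENT in the registry layout (constructed helper).
put_blob() {
  local digest dir
  digest="$(printf '%s' "$2" | sha256sum | cut -d' ' -f1)"
  dir="$1/docker/registry/v2/blobs/sha256/$(printf '%s' "$digest" | cut -c1-2)/$digest"
  mkdir -p "$dir" && printf '%s' "$2" > "$dir/data"
  echo "$digest"
}

# Constructed demo: two blobs, then the second one is modified on disk.
demo_root="$(mktemp -d)"
put_blob "$demo_root" "constructed layer one" > /dev/null
changed="$(put_blob "$demo_root" "constructed layer two")"
printf 'x' >> "$demo_root/docker/registry/v2/blobs/sha256/$(printf '%s' "$changed" | cut -c1-2)/$changed/data"
verify_blobs "$demo_root" || echo "restore failed verification, do not start the registry on it"
rm -rf "$demo_root"
```

Run `verify_blobs` against the directory a backup archive was extracted to, before pointing the registry volume at it.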