
1.8 Docker Registry

1. Local Docker Registry

A local Docker registry is a private storage location where Docker images are stored and managed. Unlike the default Docker Hub registry, a local registry is hosted on your infrastructure, giving you control over the images.

This is an important feature of Docker that enables faster operations, especially on locally developed images and containers. The Docker registry works in a way that is similar in many respects to Git. If you recall the workshop demonstration of the inspect and history commands, an image is a sequence of layers; each time you develop a new version of an image locally, the registry only needs to store the layers that changed relative to the previous version. As a result, image development and distribution can be done efficiently.

1.1 Importance of a Local Docker Registry

1. Security: Storing images locally reduces the risk of exposing sensitive images on public registries. You can control who accesses and pulls images.

2. Performance: A local registry speeds up the deployment process by reducing the time needed to pull images, especially in environments with limited internet connectivity or high network latency.

3. Customization: You can enforce policies on image storage, versioning, and access control. This is crucial for managing large-scale deployments.

4. Cost Efficiency: Avoid bandwidth and storage costs associated with public registries, especially when dealing with large images or many deployments.

5. Offline Access: A local registry allows you to work in environments without internet access, such as air-gapped systems.

1.2 Setting Up a Local Docker Registry

You can easily set up a local Docker registry using the official Docker registry image:

docker run -d -p 5000:5000 --name registry registry:2

This command runs a local registry on port 5000. Started this way, the registry speaks plain HTTP and has no authentication, which is why Docker only accepts it without complaint on localhost; anything beyond a local workshop should sit behind TLS and an authentication layer. You can then push and pull images like this:

  • Tag an image:

    docker tag my-image localhost:5000/my-image

  • Push the image:

    docker push localhost:5000/my-image

  • Pull the image:

    docker pull localhost:5000/my-image

2. Container Capabilities

Docker allows you to specify the exact capabilities that a container can have by using the --cap-add and --cap-drop options. These options are part of Docker’s security model, which lets you grant or revoke Linux capabilities to containers, controlling what they can do.

2.1 Example: Allowing a Container to Use the NET_ADMIN Capability

Suppose you want to create a container with the ability to modify network settings. By default, containers don’t have this permission, but you can grant it using the NET_ADMIN capability.

Here’s how to do it:

docker run -d --name my-container --cap-add NET_ADMIN ubuntu sleep infinity

  • --cap-add NET_ADMIN: This grants the NET_ADMIN capability, allowing the container to modify network interfaces, routing tables, etc.
  • ubuntu: The base image used for the container.
  • sleep infinity: Keeps the container running indefinitely for demonstration purposes.

2.2 Testing the Capability

You can now execute a command within the container that requires NET_ADMIN, like setting up a new network interface:

docker exec -it my-container ip link add dummy0 type dummy
docker exec -it my-container ip link show dummy0

Without --cap-add NET_ADMIN, the first command would fail because the container would lack the necessary permission.

2.3 Dropping Unnecessary Capabilities

If you want to run a more secure container by dropping capabilities, you can use --cap-drop:

docker run -d --name secure-container --cap-drop ALL ubuntu sleep infinity

This command removes all default capabilities, running the container with minimal privileges. The usual least-privilege pattern is to combine --cap-drop ALL with --cap-add for only the capabilities the workload actually needs.
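To check what a container actually received rather than trusting the flags, read the CapEff line from /proc/self/status inside it and decode the bit mask. The script below is an added example, not code from the page: the helper names and the sample masks are my own (the masks are constructed to match Docker's default set with and without NET_ADMIN), and the live part runs only if a Docker daemon is reachable.

```shell
#!/bin/sh
# Added example, not part of the original page: decode the CapEff mask a
# container reports in /proc/self/status into capability names, so the
# effect of --cap-add / --cap-drop can be verified instead of assumed.
# Capability names indexed by bit number, from <linux/capability.h>.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW \
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT \
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE \
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM \
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# decode_caps HEXMASK: print the name of every capability set in the mask.
decode_caps() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) echo "decode_caps: bad mask '$1'" >&2; return 1 ;;
    esac
    mask=$(( 0x$1 ))
    i=0
    for name in $CAP_NAMES; do
        [ $(( (mask >> i) & 1 )) -eq 1 ] && echo "$name"
        i=$(( i + 1 ))
    done
}

# count_caps HEXMASK: number of capabilities present in the mask.
count_caps() { decode_caps "$1" | wc -l | tr -d ' '; }

# has_cap HEXMASK NAME: succeed if NAME is present in the mask.
has_cap() { decode_caps "$1" | grep -qx "$2"; }

# Sample masks (constructed for this example): the 14-capability default
# set of a stock Docker container, and the same set plus NET_ADMIN (bit 12).
DEFAULT_MASK=00000000a80425fb
NET_ADMIN_MASK=00000000a80435fb

# container_caps DOCKER_FLAGS...: start a throwaway container with the given
# flags and return the CapEff mask its first process actually received.
container_caps() {
    docker run --rm "$@" ubuntu grep CapEff /proc/self/status | awk '{print $2}'
}

# Live demonstration, only when a Docker daemon is reachable.
if docker info >/dev/null 2>&1; then
    echo "== --cap-drop ALL --cap-add NET_ADMIN =="
    decode_caps "$(container_caps --cap-drop ALL --cap-add NET_ADMIN)"
else
    echo "== default set (sample mask) =="; decode_caps "$DEFAULT_MASK"
fi
```

Pass the same flags you would give docker run to container_caps, and compare the decoded list against what the workload actually needs.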