Posted inHomeLab

Building a Private Docker Registry on Your HomeLab: Host & Manage Your Own Docker Images

HomeLab tutorial - IT technology blog
HomeLab tutorial - IT technology blog

The Frustration with Image Management

For a long time, my HomeLab workflow for Docker images felt… clunky. I’d build an application image on my development machine, push it to Docker Hub, then pull it down to my HomeLab server. This seemed like the standard way, and it worked, but it was far from ideal. Every time I iterated on a service, even just a minor bug fix, that image had to travel from my local machine, across my internet connection, up to Docker Hub, and then back down to my server.

The pain points became increasingly clear. Downloads felt slow, especially for larger images or when I was juggling multiple services. Then came Docker Hub’s rate limits – suddenly, my automated deployments were failing because I’d hit an anonymous pull limit.

It forced me to log in everywhere, which was an extra layer of friction. More critically, I was dealing with proprietary images, and the thought of pushing them to a public registry, even a private repository on Docker Hub, always gave me pause. I wanted more control, more privacy, and frankly, better performance on my local network.

Why Our Standard Workflow Fell Short

The root cause of these frustrations was simple: a complete reliance on external, public services for something that could, and perhaps should, live entirely within my local network. Our workflow defaulted to using Docker Hub for every image, whether it was a public base image or a custom application image built in-house.

When you build an image, Docker client, by default, tags it for `docker.io` (Docker Hub). This means every `docker push` sends your image over the internet. Every `docker pull` retrieves it over the internet. For a HomeLab environment, where multiple servers, VMs, and even Raspberry Pis might be running Docker, this creates unnecessary network traffic and latency.

Imagine building a new version of your custom Home Assistant add-on. You build it, push it to Docker Hub, then your Home Assistant server pulls it. That’s two round trips over the public internet for something that could have stayed within your LAN. This constant internet dependency was slowing down my development cycles and deployment times significantly.

Exploring Our Options

Recognizing the limitations, I started looking into alternatives to improve my Docker image management. There were a few obvious paths:

Public Registries (Docker Hub, GitHub Container Registry, GitLab Container Registry)

  • Pros: Incredibly easy to get started, often a generous free tier for public repositories, widely supported by CI/CD pipelines. Docker Hub is the default, so it feels natural.
  • Cons: Rate limits are a real issue for heavy users (like me, with my various HomeLab projects). Public exposure of image metadata, even for private repositories, might be a concern for some. Performance is inherently tied to your internet connection, making local network deployments slower than they could be.

Cloud-Managed Private Registries (AWS ECR, Google Container Registry, Azure Container Registry)

  • Pros: Highly scalable, robust security features, fully managed services meaning less maintenance overhead for me. They integrate well with their respective cloud ecosystems.
  • Cons: Cost. For a HomeLab, these can quickly become expensive, especially with data transfer fees. They still rely on the internet, so local network performance benefits aren’t realized. Vendor lock-in is also a consideration.

Self-Hosted Private Docker Registry

  • Pros: Full control over your images and data. Superior local network performance as images are pulled directly from your server. No rate limits. Potentially zero recurring cost (beyond hardware and electricity). Excellent for learning and understanding infrastructure.
  • Cons: Requires initial setup and ongoing maintenance. You’re responsible for security, backups, and certificate management.

Our Journey to a Self-Hosted Private Docker Registry

After weighing the options, the self-hosted private Docker Registry was the clear winner for my HomeLab. The promise of full control, local network speed, and no recurring costs perfectly aligned with the HomeLab ethos.

For me, and I believe for anyone serious about HomeLab, mastering self-hosted services like this registry is one of the essential skills to master. It provides a foundational piece of infrastructure that empowers more complex deployments and significantly improves workflow efficiency. After six months of running our own private Docker registry, I can confidently say it’s been one of the most impactful changes to my HomeLab setup.

Here’s how I set it up:

Prerequisites

You’ll need a server (a VM, a dedicated mini-PC, or even a robust Raspberry Pi) with Docker installed. Basic familiarity with Linux command line and networking concepts will be helpful.

Step 1: Running the Basic Registry (Ephemeral)

To start, we can run a basic registry container. This is primarily for testing and understanding the core functionality. It won’t persist any data if the container is removed.


docker run -d -p 5000:5000 --name registry registry:2

This command starts a Docker registry on port 5000 of your host machine. You could technically push and pull now, but your images wouldn’t survive a container restart, and it’s insecure.

Step 2: Persistent Storage

To ensure your images are permanent, we need to map a volume from your host machine into the container. I chose /mnt/registry on my host.


mkdir -p /mnt/registry
docker run -d -p 5000:5000 --restart=always --name registry -v /mnt/registry:/var/lib/registry registry:2

Now, all your registry data (the actual Docker image layers) will live in /mnt/registry on your host, surviving container restarts or recreation.

Step 3: Securing the Registry with HTTPS (Crucial!)

Docker clients, by default, refuse to push or pull from an insecure (HTTP) registry. This is a good security measure. For a HomeLab, the easiest way to secure it is with self-signed certificates. If you have a domain and public access, Let’s Encrypt with Nginx would be ideal, but for purely local use, self-signed works perfectly.

Generate Self-Signed Certificates

Create a directory for your certificates and generate them. Replace your-registry-ip with the actual IP address of your HomeLab server hosting the registry.


mkdir -p /mnt/registry/certs
cd /mnt/registry/certs

openssl req -newkey rsa:4096 -nodes -sha256 \
    -keyout domain.key -x509 -days 365 -out domain.crt \
    -subj "/C=US/ST=State/L=City/O=HomeLab/CN=your-registry-ip"

Important: The CN (Common Name) field should match the IP address or hostname you’ll use to access the registry from your other Docker clients.

Configure Docker Daemon to Trust Your Certificate

On every Docker client (your development machine, other HomeLab servers, etc.) that needs to interact with this private registry, you’ll need to tell Docker to trust your self-signed certificate.


mkdir -p /etc/docker/certs.d/your-registry-ip:5000
scp /mnt/registry/certs/domain.crt user@your-docker-client:/etc/docker/certs.d/your-registry-ip:5000/ca.crt
systemctl restart docker

Replace user@your-docker-client with the actual user and hostname/IP of your client machine. This step copies the domain.crt (which acts as a CA certificate for your registry) to the Docker daemon’s trusted certificates directory. After restarting Docker, it will trust your registry.

Step 4: Running the Registry with TLS

Now, stop and remove your existing registry container and start a new one, pointing it to your certificates.


docker stop registry
docker rm registry

docker run -d -p 5000:5000 --restart=always --name registry \
    -v /mnt/registry:/var/lib/registry \
    -v /mnt/registry/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2

The registry is now running securely over HTTPS.

Step 5: Pushing and Pulling Images

On your Docker client machine (where you configured the trusted certificate):

Tag an Image

First, you need to tag an existing image (or one you’ve just built) with your registry’s address.


docker tag my-local-image:latest your-registry-ip:5000/my-local-image:latest

Replace my-local-image:latest with your actual image name and tag, and your-registry-ip with your server’s IP.

Push the Image


docker push your-registry-ip:5000/my-local-image:latest

Pull the Image

From any Docker client configured to trust your certificate, you can now pull the image:


docker pull your-registry-ip:5000/my-local-image:latest

Step 6: Basic Authentication (Recommended)

While TLS encrypts traffic, it doesn’t restrict who can push/pull. For that, we need basic authentication. The registry supports htpasswd files.

Generate htpasswd File

First, create a directory for your auth file:


mkdir -p /mnt/registry/auth

Then, generate the htpasswd file using a temporary Docker container. Replace youruser and yourpassword:


docker run --entrypoint htpasswd registry:2 -Bbn youruser yourpassword > /mnt/registry/auth/htpasswd

Run Registry with Authentication

Stop and remove the existing registry, then start it again with the authentication environment variables:


docker stop registry
docker rm registry

docker run -d -p 5000:5000 --restart=always --name registry \
    -v /mnt/registry:/var/lib/registry \
    -v /mnt/registry/certs:/certs \
    -v /mnt/registry/auth:/auth \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    -e REGISTRY_AUTH="htpasswd,realm=Registry Realm,path=/auth/htpasswd" \
    registry:2

Log In to the Registry

On your Docker client, you’ll now need to log in before pushing or pulling:


docker login your-registry-ip:5000
Username: youruser
Password: yourpassword

Step 7: Using Nginx as a Reverse Proxy (Optional, but Good Practice)

For more advanced setups, or if you want to use a proper domain name with Let’s Encrypt certificates, running Nginx as a reverse proxy in front of your registry is a great idea. This allows you to run the registry container on an internal port (e.g., 5000) and expose Nginx on standard HTTPS port 443.

Here’s a simplified Nginx configuration snippet. You’d need to install Nginx separately or run it in a container.


server {
    listen 443 ssl;
    server_name your-registry-hostname.com your-registry-ip;

    ssl_certificate /etc/nginx/ssl/fullchain.pem; # Your Let's Encrypt or other cert
    ssl_certificate_key /etc/nginx/ssl/privkey.pem; # Your Let's Encrypt or other key

    client_max_body_size 0; # Allow large pushes

    location / {
        # Pass through basic auth headers if enabled on registry
        # proxy_set_header Authorization $http_authorization;

        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Docker Registry specific headers
        proxy_read_timeout 900s;
        proxy_connect_timeout 900s;
        proxy_send_timeout 900s;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}

If using Nginx, your Docker clients would then connect to your-registry-hostname.com or your-registry-ip on port 443 (default HTTPS) instead of :5000.

What We’ve Learned After 6 Months

Running a private Docker registry for half a year has transformed my HomeLab experience. The most immediate and noticeable benefit has been the sheer speed. Pushing and pulling images across my gigabit local network is almost instantaneous compared to traversing the internet. This has dramatically sped up my development and deployment cycles, making experimentation and iteration much smoother.

I’ve gained complete control over my image repository. No more worrying about Docker Hub rate limits or unexpected service changes. I dictate the security, the storage, and the access. For sensitive projects, knowing the images never leave my local network provides invaluable peace of mind.

Maintenance has been minimal. The Docker registry container itself is incredibly stable. My primary tasks involve ensuring enough storage space (which is easily managed by expanding the host volume) and, in the case of self-signed certificates, remembering to renew them annually. If I were using Nginx with Let’s Encrypt, certificate renewal would be automated.

The satisfaction of owning this piece of infrastructure is immense. It’s not just about cost savings or performance; it’s about building a robust, resilient HomeLab ecosystem where I’m the master of my own destiny. It’s truly an empowering feeling to have built this foundational service.

Final Thoughts

Setting up your own private Docker registry might seem like an advanced step, but it’s a fundamental one for any serious HomeLab enthusiast or developer. It addresses critical issues of speed, security, and control that public registries simply can’t match for a local environment.

My experience over the past six months has proven its worth many times over. If you’re looking to elevate your Docker game and truly harness the power of your HomeLab, a self-hosted private Docker registry is an investment that pays dividends daily.

Share:
Tags: