diff --git a/.zuul.yaml b/.zuul.yaml index febcf8e462..f4b797c05b 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -476,6 +476,29 @@ - testinfra/test_adns.py - testinfra/test_ns.py +- job: + name: system-config-run-docker-registry + parent: system-config-run + description: | + Run the playbook for the docker registry. + nodeset: + nodes: + - name: bridge.openstack.org + label: ubuntu-bionic + - name: insecure-ci-registry01.opendev.org + label: ubuntu-bionic + host-vars: + insecure-ci-registry01.opendev.org: + host_copy_output: + '/var/registry/auth': logs + '/var/registry/certs': logs + files: + - .zuul.yaml + - playbooks/group_vars/registry.yaml + - playbooks/zuul/templates/group_vars/registry.yaml.j2 + - playbooks/roles/registry/ + - testinfra/test_registry.py + - job: name: infra-prod-playbook description: | @@ -524,6 +547,7 @@ - system-config-run-eavesdrop - system-config-run-nodepool - system-config-run-docker + - system-config-run-docker-registry - system-config-build-image-jinja-init - system-config-build-image-gitea-init - system-config-build-image-gitea @@ -542,6 +566,7 @@ - system-config-run-eavesdrop - system-config-run-nodepool - system-config-run-docker + - system-config-run-docker-registry - system-config-upload-image-jinja-init - system-config-upload-image-gitea-init - system-config-upload-image-gitea diff --git a/inventory/groups.yaml b/inventory/groups.yaml index 299b5e9c6c..a8f59ef383 100644 --- a/inventory/groups.yaml +++ b/inventory/groups.yaml @@ -179,6 +179,8 @@ groups: - etherpad-dev[0-9]*.open*.org refstack: - refstack*.open*.org + registry: + - insecure-ci-registry[0-9]*.opendev.org review-dev: - review-dev[0-9]*.open*.org review: diff --git a/playbooks/base.yaml b/playbooks/base.yaml index e70b9b2889..5b601943aa 100644 --- a/playbooks/base.yaml +++ b/playbooks/base.yaml 
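Review bot: `host_copy_output` in the new `system-config-run-docker-registry` job copies `/var/registry/auth` and `/var/registry/certs` into the job logs, which publishes the htpasswd file and the TLS private key that the role writes there. That is only acceptable because the job renders CI fixtures from `playbooks/zuul/templates/group_vars/registry.yaml.j2`, so the intent should be stated next to the mapping, e.g. `# test-only fixtures rendered by run-base; never point this job at real key material`. Consider also whether the key file is needed in the logs at all, or whether the certificate alone is enough for debugging.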
@@ -57,3 +57,9 @@ name: "Base: install and configure docker on docker hosts" roles: - install-docker + +- hosts: "registry:!disabled" + name: "Base: configure registry" + roles: + - install-docker + - registry diff --git a/playbooks/group_vars/registry.yaml b/playbooks/group_vars/registry.yaml new file mode 100644 index 0000000000..b4160e88d6 --- /dev/null +++ b/playbooks/group_vars/registry.yaml @@ -0,0 +1 @@ +registry_user: zuul diff --git a/playbooks/roles/registry/README.rst b/playbooks/roles/registry/README.rst new file mode 100644 index 0000000000..e69cc13e31 --- /dev/null +++ b/playbooks/roles/registry/README.rst @@ -0,0 +1 @@ +Install, configure, and run a Docker registry. diff --git a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml new file mode 100644 index 0000000000..523b5c70dd --- /dev/null +++ b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml @@ -0,0 +1,19 @@ +# Version 2 is the latest that is supported by docker-compose in +# Ubuntu Xenial. +version: '2' + +services: + registry: + restart: always + image: registry:2 + network_mode: host + environment: + REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt + REGISTRY_HTTP_TLS_KEY: /certs/domain.key + REGISTRY_AUTH: htpasswd + REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd + REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm + volumes: + - /var/registry/data:/var/lib/registry + - /var/registry/certs:/certs + - /var/registry/auth:/auth diff --git a/playbooks/roles/registry/tasks/main.yaml b/playbooks/roles/registry/tasks/main.yaml new file mode 100644 index 0000000000..1121dff67e --- /dev/null +++ b/playbooks/roles/registry/tasks/main.yaml 
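Review bot: `REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd` does not match the file the role writes: `tasks/main.yaml` in this commit creates `/var/registry/auth/htpassword`, which the `/var/registry/auth:/auth` volume exposes as `/auth/htpassword`, so the registry container will not find its credentials file at startup. Rename one side, e.g. `path: /var/registry/auth/htpasswd` in the htpasswd task. The comment at the top explains the compose version choice; a similar one-liner on `network_mode: host` saying why the container shares the host network (presumably so the listener appears on host port 5000, which is what the testinfra check looks for) would help the next reader.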
@@ -0,0 +1,40 @@ +- name: Synchronize docker-compose directory + synchronize: + src: registry-docker/ + dest: /etc/registry-docker/ +- name: Ensure registry volume directories exists + file: + state: directory + path: "/var/registry/{{ item }}" + loop: + - data + - certs + - auth +- name: Install passlib + package: + name: + - python-passlib + state: present +- name: Write htpassword file + htpasswd: + create: true + path: /var/registry/auth/htpassword + name: "{{ registry_user }}" + password: "{{ registry_password }}" +- name: Write TLS private key + copy: + content: "{{ registry_tls_key }}" + dest: /var/registry/certs/domain.key +- name: Write TLS certificate + copy: + content: "{{ registry_tls_cert }}{{ registry_tls_chain | default('') }}" + dest: /var/registry/certs/domain.crt +- name: Install docker-compose + package: + name: + - docker-compose + state: present +- name: Run docker-compose up + shell: + cmd: docker-compose up -d + chdir: /etc/registry-docker/ diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml index 0ff4c311a6..ebd45fafb0 100644 --- a/playbooks/zuul/run-base.yaml +++ b/playbooks/zuul/run-base.yaml @@ -61,6 +61,7 @@ - group_vars/adns.yaml - group_vars/nodepool.yaml - group_vars/ns.yaml + - group_vars/registry.yaml - host_vars/bridge.openstack.org.yaml - name: Display group membership command: ansible localhost -m debug -a 'var=groups' diff --git a/playbooks/zuul/templates/group_vars/registry.yaml.j2 b/playbooks/zuul/templates/group_vars/registry.yaml.j2 new file mode 100644 index 0000000000..bd38909e75 --- /dev/null +++ b/playbooks/zuul/templates/group_vars/registry.yaml.j2 
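Review bot: The `Write TLS private key` and `Write htpassword file` tasks set no `mode`, so `/var/registry/certs/domain.key` and the htpasswd file are created with umask-derived permissions, typically world-readable; add `mode: '0600'` to both (and `owner`/`group` if the registry is meant to run as a dedicated user). The same applies to the `/var/registry/{{ item }}` directories, where `mode: '0700'` on `certs` and `auth` would be appropriate. The `Run docker-compose up` task uses `shell` for a single command with no shell features; `command` is the idiomatic module there and avoids the shell interpretation step.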
@@ -0,0 +1,52 @@ +registry_password: testpassword +registry_tls_cert: | + -----BEGIN CERTIFICATE----- + MIIDXTCCAkWgAwIBAgIJAKnLZ+dUZQ6UMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX + aWRnaXRzIFB0eSBMdGQwHhcNMTkwMTMxMTc0ODE5WhcNMTkwMzAyMTc0ODE5WjBF + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEA3IwbwpVkQGheW95MNkquuh7Y+/KIemlbyxQZILUiRt4R4kLT+MAI0F1z + u/cCErICNOeVBRXq6yZpTPH0UuBVpSpbFXhsxaW3ICmvevtEAw/EJZHqI8cjTcoa + oWoOQEDDr2sCnWDVpnnyuGIBk+Lajro6wy8teSeASJDmxexRKFaWRghrMUO2SKr2 + pGdgJzcX6kRMzvfVFxNBQHp8tsiePCYX6ItA5GCckpY+Ry2wtP/+SDso3JB0FT9X + cwU+jwOgJ/qoilYzJj/t6qkAERn7068YOgkYF/lE6xc0u9WipGzmWfPhK/FtsWR0 + m5AahsxSkbrNGEmXXD1MvrdDsgTZTQIDAQABo1AwTjAdBgNVHQ4EFgQUtkzdWtTK + 4Ikk/YJGwMfO9543baMwHwYDVR0jBBgwFoAUtkzdWtTK4Ikk/YJGwMfO9543baMw + DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUblwXaHPD15RkiIzvNIB + iYfinZZHV9zDolNMK4TaPh/e4rIzuqnDqaqt+JdgvLLWHpbmYoHEhawKx4zxq2ko + UsjRBFoH/MMvokCZiaePUMl0FgqCBgr5ExMM+ClTomTqDU/piEY8qEokiI+hsOKh + X38JQL1XrPiO56lutO6ZzsswTPsKx/jVAFGItmqg9qjjoo8klKRNcTBHRgCr7tRS + loxC6xb+4WxgNlnR1mFBHy/9TXh6awGFB5iR4vzmu0qPazmmz/ZuGgh64R2RE1e6 + 4RyZK/F5fqRZhU2E23CFF82sxrSxOfyvc6I+I7t+at4tWx/v0ButmDtpUfM6v+/i + gA== + -----END CERTIFICATE----- +registry_tls_key: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcjBvClWRAaF5b + 3kw2Sq66Htj78oh6aVvLFBkgtSJG3hHiQtP4wAjQXXO79wISsgI055UFFerrJmlM + 8fRS4FWlKlsVeGzFpbcgKa96+0QDD8QlkeojxyNNyhqhag5AQMOvawKdYNWmefK4 + YgGT4tqOujrDLy15J4BIkObF7FEoVpZGCGsxQ7ZIqvakZ2AnNxfqREzO99UXE0FA + eny2yJ48Jhfoi0DkYJySlj5HLbC0//5IOyjckHQVP1dzBT6PA6An+qiKVjMmP+3q + qQARGfvTrxg6CRgX+UTrFzS71aKkbOZZ8+Er8W2xZHSbkBqGzFKRus0YSZdcPUy+ + t0OyBNlNAgMBAAECggEAAgF0LyzUoJFSalt3Lfc355FoP8JQ42wZ3ZrtL5L2INbc + KsaYzuZQLjTrXIY+ipT72CdS/5zXahQLWRvKMQbBQKNF+MgDlTiQlcZLRj8Ku0xl + aEIPcwvYkliILXedcZAlN28tsuiyiLULNAoQIZwqiKnA5w2CyFtHm2FV9+7SPh+n + 
I1i5OzG0rnvIdOIk+ENgZAePmNSTktkH1HBcHhBkWjInhrxpojWgsjdljmxj5/qk + QaPuCBDQ6wZeU4WQ2OiQCjzxRxA06681N06vjq23x/nxpw3gDncbT01vRCYkmXVX + xqL0IrypDFOWqdWeqKLUCDnzpzf3OtUodnsfc+JQAQKBgQD0oh+PxqoaupStYD98 + GIMTNGuG2Ii77vw92i4b8pPL8lg4edl3boDMj+q+Z9zONrYdEddwzHjLS+v2jwbf + YPXtZGVDGcYBONtb+vyUmbJtS6SXbatSvqMwG2E6aZypLN2DC4qTQsG2GKtDiAEk + +KRuahXaegY7TVxJVXZ7TfhaTQKBgQDmy3xeB2fV48sk5kKVtTZQkBGhtsn8MiOb + rmDBqH9hf7UUT8tmZrp747QwDpZTuwvtHkF/XechH4nHKnui14q2tyJ9fauxHXHt + omZ26ECzmjMJ0bk2mUQjPVnQZ/PtnIZEY5MRDOzNgh1GzP5s2tUiacyEJ+BgAq99 + jYL1fQ/7AQKBgQDFuUvdP2s5k1icEVD+kilPGm1WXimWDIFf1Lqz6ArBKq1XaFT2 + jSAZNrE7GGOFYP8s28DP8NQpLMIZVFzvq0TajOyzoV9CmZvi6ifAS8HFSQBNTFzO + 0jq/pUGensH6ksKvKmLkx24eKi4ytPiH01fDzoa/QSVMRSi0NRlAbDKxeQKBgQCk + KpAfblMc4LjKWYN5a/njmmcASb4pRxzvCz3F4u4g0y9h8FR1VZNGtrSgDnA9xOn5 + 07CxQYE7nWxqoDxrm7gOufutmeu7w38bko4h/JixaHjvfh+px6GhE23EgX0QQmt7 + T/z3fuMeV3QtvXkowwwiO3F/e8HtaVudCkDiEACDAQKBgBZhje6z3COHW4Nt/oos + gYojwgF6YQHXvfKxm6jjps77ar80XeID5wvuGj1HUw8f0IpnY/oh4TH6ddelnbEI + a1ccBlsEu6roxKAEJKuIUbGwV8tlWeaw+f9CoP3VvmtBW4SqA7c76J/9wgmypotk + lLz/WCDkOWqGgPF2gkdW09NZ + -----END PRIVATE KEY----- diff --git a/testinfra/test_registry.py b/testinfra/test_registry.py new file mode 100644 index 0000000000..e3277a649e --- /dev/null +++ b/testinfra/test_registry.py 
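Review bot: The template carries no marker that `registry_password: testpassword` and the embedded certificate and key are CI fixtures, and the `.j2` file contains no Jinja at all, so a reader finding it outside the Zuul context could mistake the values for real configuration; a header such as `# Test-only values, presumably rendered into group_vars/registry.yaml by playbooks/zuul/run-base.yaml; never deploy` would make that explicit. The certificate's validity fields appear to decode to 2019-01-31 through 2019-03-02, so the fixture expires about a month after this commit; the current test only checks for a listener and will not notice, but any later check that validates the TLS handshake will.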
@@ -0,0 +1,21 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+ http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+testinfra_hosts = ['insecure-ci-registry.opendev.org']
+
+
+def test_registry_listening(host):
+ registry = host.socket("tcp://0.0.0.0:5000")
+ assert registry.is_listening
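Review bot: `testinfra_hosts = ['insecure-ci-registry.opendev.org']` names a host that is not in the job's nodeset, which in `.zuul.yaml` defines `insecure-ci-registry01.opendev.org`; testinfra will likely fail to resolve that host in the test inventory and the check will error rather than run against the registry node, so it should read `testinfra_hosts = ['insecure-ci-registry01.opendev.org']`. The test also deserves a docstring stating what it establishes, e.g. `"""The registry container is up and bound to host port 5000."""`, since a listening socket is the only evidence it gathers and it verifies neither TLS nor authentication. Whether the Go registry's wildcard listener is reported as `0.0.0.0:5000` or as the IPv6 wildcard is worth confirming on the first run of the job.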