Introduction to Docker Trusted Registry
Since you are here, you have probably heard of Docker. When you search for it in Google, the first result is: "Docker - Build, Ship, and Run Any App, Anywhere". Don't believe me? Try it yourself. That sounds great, but in terms of privacy and protecting your intellectual property, it doesn't. This is because of the question "Ship to where?" To Docker Hub, where the whole world can just do a simple pull and have all your work at its disposal?
In this blog post I will introduce you to the Docker Trusted Registry (DTR) and its benefits. It is a registry service that you can run on-premise or in a virtual private cloud, where it is safe behind your company firewall. From there it is easy to store and manage your Docker images, which are the building blocks of your application stack. Trusted Registry is available in conjunction with a commercially supported Docker Engine, to give you the peace of mind and support needed for your application environment. It is part of the Docker Datacenter subscription, which also includes Universal Control Plane (UCP). Docker Trusted Registry is easy to install and to integrate with your existing infrastructure.
Short technical brief
• Supports a wide range of storage drivers, such as S3, Azure, Swift and the local file system, which of course can also be a network drive. Shared storage comes in handy when you are considering a cluster installation and all of the cluster members need access to the same file system.
• LDAP/AD integration, which means all users authenticate against your company's directory service. With it you can configure role-based access levels such as admin, user or read-only. If you are a small company you can instead rely on manual user management and assign access by hand. In both cases you get user auditing, which can be used to track user activity.
• Trusted Registry gets you started fast with an intuitive and easy to use GUI. From there you can apply non-disruptive patches and releases: upgrading to the latest minor, patch or major release is a one-button click within the application.
The table below describes in more detail what you get from the Docker Datacenter subscription:
Let's jump to the interesting part
- Make sure your machine has the following minimums:
• Linux kernel version 3.10 or higher
• CS Docker Engine version 1.13.0 or higher
• 4.00 GB of RAM
• 3.00 GB of available disk space
- And that your hosts are running one of these operating systems:
• CentOS 7.1 or 7.2
• Red Hat Enterprise Linux 7.0, 7.1, 7.2, or 7.3
• Ubuntu 14.04 LTS or 16.04 LTS
• SUSE Linux Enterprise 12
- Make sure you have installed Docker Engine on your host.
Since DTR requires Docker Universal Control Plane (UCP), you need to install UCP first. Here is how to do that:
- Create the volume folder "/var/lib/docker/volumes/ucp-controller-server-certs/_data/". There you will put your external certificates: "ca.pem" - your root CA certificate; "cert.pem" - your signed certificate, followed by any intermediate certificates; "key.pem" - your private key. Friendly advice: do not change the certificate file names.
- Install the UCP controller. The command below is just an example; make sure to change the values before executing it.
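As an added pre-flight check (example code, not part of the original post or of Docker's tooling), the following script tests a host against exactly the minimums listed above. It assumes a Linux host with /proc/meminfo and that Docker's data directory is /var/lib/docker:

```shell
#!/bin/sh
# Pre-flight check for the minimums listed above (kernel >= 3.10, CS Docker Engine
# >= 1.13.0, 4.00 GB RAM, 3.00 GB free disk). Added example, not part of the original
# post or of Docker's tooling. Assumes a Linux host with /proc/meminfo and that Docker
# data lives under /var/lib/docker.

# version_ge A B: succeed if dotted version A is >= dotted version B, comparing
# numerically field by field. Anything from the first character that is neither a
# digit nor a dot ("-generic", "-ce") is ignored; a missing field counts as 0.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        # the trailing dot guarantees cut sees a delimiter even for single-field input
        x=$(printf '%s.' "$a" | cut -d. -f"$i")
        y=$(printf '%s.' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0     # ran out of fields: versions equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

check_kernel() { version_ge "$(uname -r)" 3.10; }
check_engine() { version_ge "$(docker version --format '{{.Server.Version}}' 2>/dev/null)" 1.13.0; }
# /proc/meminfo and df -k report kilobytes; the thresholds are the post's 4.00 GB and 3.00 GB
check_ram()    { [ "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" -ge $((4 * 1024 * 1024)) ]; }
check_disk()   { [ "$(df -kP /var/lib/docker 2>/dev/null | awk 'NR == 2 {print $4}')" -ge $((3 * 1024 * 1024)) ]; }

# Run every check and report; the exit status is non-zero if any of them failed.
preflight() {
    rc=0
    for c in kernel engine ram disk; do
        if "check_$c"; then echo "ok    $c"; else echo "FAIL  $c"; rc=1; fi
    done
    return "$rc"
}

# Usage: sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```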
# --host-address: the IP on which this node is visible to the other nodes
# --controller-port: the port on which UCP will be accessible
# --disable-tracking / --disable-usage: turn off anonymous tracking, analytics and usage reporting
# --admin-username / --admin-password: the UCP admin credentials
# --external-server-cert: use the server certificates you placed in the volume, signed by an external CA
# --san: the hostname that must appear in the server certificate
# Note: a password given on the command line ends up in your shell history and in the process list.
$ docker run --rm -it --name ucp \
    -v /var/run/docker.sock:/var/run/docker.sock \
    docker/ucp install -i \
    --host-address 192.168.1.101 \
    --controller-port 8443 \
    --disable-tracking \
    --disable-usage \
    --admin-username admin \
    --admin-password MakeUpGoodPassPlease \
    --external-server-cert \
    --san registry.itgix.com
- Reboot the whole machine; this is experience talking.
- Check that the UCP application is accessible. If it is not, check which Docker containers are running with "docker ps -a".
- If you decided on AD authentication, log in to UCP with the admin credentials and configure LDAP/AD authentication. When we install DTR, the configuration will be transferred automatically.
Time for the actual Docker Trusted Registry installation:
# Get the UCP CA certificate for the next step. -k skips TLS verification of the UCP endpoint;
# you can drop it if the CA that signed the UCP server certificate is trusted by this host.
$ curl -k https://registry.itgix.com:8443/ca > ucp-ca.pem
- To install DTR, use the docker/dtr image:
# --ucp-url: the UCP URL including domain and port
# --ucp-node: the hostname of the target UCP node; set to an empty string or "random" to pick one at random
# --dtr-external-url: the URL of the host or load balancer clients use to reach DTR, format https://host[:port]
# --ucp-username / --ucp-password: the UCP admin credentials
# --ucp-ca: the UCP CA certificate fetched above
$ docker run -it --rm docker/dtr:2.2.4 install \
    --ucp-url registry.itgix.com:8443 \
    --ucp-node ucp.itgix.com \
    --dtr-external-url registry.itgix.com:443 \
    --ucp-username admin \
    --ucp-password MakeUpGoodPassPlease \
    --ucp-ca "$(cat ucp-ca.pem)"
- Again, I would recommend rebooting the machine.
- Check that the DTR application is accessible. If it is not, check which Docker containers are running with "docker ps -a".
The next step is to configure backend storage for DTR. Make sure you provide enough disk space, whether you choose S3, Azure, Swift or the local file system.
Make a quick push and pull test. Remember that you first have to run 'docker login <DTR-url>', so that 'docker push' and 'docker pull' know about the additional registry and can authenticate to it.
Any comments and questions are most certainly welcome. It would be really interesting for me to have a discussion on the subject of Docker Trusted Registry.