I'm quite new to Docker, but feel using a Docker image is the best way to distribute a self-hosted SaaS application as simply as possible. I've learned that I can have a private registry for my applications.
How would I provide an authentication mechanism before accessing the image? I would need to create a new set of access credentials after the customer purchases the self-hosted product.
You will need to set-up a token based authentication with the docker registry to allow an external system to manage the log-in trough OAuth2. You will need to have an application that will manage the tokens (issuing and authentication).
The token manager will have configuration (credentials) for each of the customers that are entitled to pull the container.
You can check the docker repository document.
Related
I am trying to use Kubernetes and Jenkins for my deployment of micro services developed using Spring Boot. When I am exploring many YouTube videos and other documentation tutorials are using dockerhub.com as keeping published image as repository.
Can I deploy docker image in Kubernetes by using Jenkins docker image build without using this dockerhub.com ? Means I don't want to share client code in a public place. So can I use Jenkins without dockerhub.com?
You do need to use some registry- kubernetes needs a registry URL to be able to pull and instantiate a particular image as a container in a pod. To avoid having the images themselves be publicly accessible you have 2 options:
use a business account at a public registry. You can get one of these from Docker, or from other services like Google or Quay. When you push images using a business account, you get a private space in the public registry and only your account credentials can push and pull those images. In this case your Kubernetes- and your Jenkins- has to be configured with credentials derived from your account to be able to pull those private images into your cluster.
run a private registry in your cluster or on your non-cluster infrastructure There are many flavors of private registries, including Docker's, Atlassian's, and many others. This keeps your images entirely on your infrastructure. The tradeoff is that you have to configure and run this as a production service, and most private registries suitable for production use have a lot of moving parts for scalable image storage, indexing, backup, and so forth.
I've been considering to use my own private docker registry to distribute some of my projects publicly. However, the moment you add an authentication strategy to your registry, you loose public pull access to all its images.
Is there an easy way to tell the registry some images can be anonymously pulled (not pushed, of course) - in the same way https://hub.docker.com/ works?
I've been reading through https://docs.docker.com/registry docs but so far I found nothing on the matter. I guess it's a use case covered in EE Docker Trusted Registry and not included in the community version:
DTR uses Role Based Access Control (RBAC) to allow you to implement fine-grained access control policies for who has access to your Docker images.
You can check 3rdparty Registry projects that allow fine grain access like Portus or Harbor, I use harbor and the projects set as public can be pulled anonymously
I followed a docker-machine tutorial to setup a docker swarm in the cloud. I had setup a bunch of replicas and life is good. Now I need to give my teammates access to this docker swarm. How do I do that?
Should I share docker certificate files? Can each team member have an individual set of certificate files? Is there any way to setup OAuth or other form of SSO?
The Docker daemon doesn't do any extended client auth.
You can generate certificate's for each client from the CA that signed the swarm certificate, which is probably the minimum you want. Access to Docker is root access to the host so best not to hand out direct access to everyone, or outside of development.
For any extended authentication and authorisation you would need to put a broker between the Docker API and your clients. The easiest way to do this is to use a higher level management platform like Rancher or Shipyard, that can manage the swarm for you.
Mesos/Marathon/Mesosphere and Kubernetes are simliar in function but have more of their own idea of what clustering is.
I want only the CI tools or dedicated users to have write access to the Bluemix Docker registry. Developer or cloud admin accounts should not have write access to the registry. How can this be done?
You can now issue read-only or read-write tokens for IBM Bluemix Container Registry using the container-registry plugin for the bx command.
Tokens can either be non-expiring (unless revoked) or expire after 24 hours.
The use case of automating access is well covered by the documentation.
At this time it is not possible to have different image access levels for the users in the same cf org.
Security settings for clusters and deployments in IBM Bluemix Container service is documented here: https://console.bluemix.net/docs/containers/cs_security.html#cs_security
It may help you in your requirement ...
I just read the entire docs on securing a private Docker Registry. In addition to this, there seems to be a "Docker Trusted Registry", which is described as:
Docker Trusted Registry (DTR) lets you run and manage your own Docker image storage service, securely on your own infrastructure behind your company firewall.
Furthermore, the doc goes on to list a DTRs features:
An image registry to store, manage, and collaborate on Docker images
Pluggable storage drivers
Configuration options to let you run DTR in your particular enterprise environment.
Easy, transparent upgrades
Logging, usage and system health metrics
But doesn't the "normal" Docker Registry give me these as well?!?
Are these two things really the same, or is DTR some sort of commercialized offering of a Docker Registry? Or something else? I'm so confused!
New features in Docker Trusted Registry are:
Control access and permissions by user or organisation
Web UI to search and browse repos, manage users and setting
Integrate to CI and CD systems to automate workflows
LDAP/AD integration
Flexible storage
support User audit logs
Soft Delete image tags
Garbage collection
DTR is the paid support service for the registry - see https://hub.docker.com/enterprise/
Basically, they help you setup and will give you support down the road. It might have some niceties, otherwise you are left to your own to figure out how to run the registry.