Docker CE on premises with private repository: possible? - docker

I am wondering if it is possible to setup Docker CE on premises with a private repository (using DTR engine or other alternative if they exist)? My company has some strict rules to not have things in the cloud...
I know this is possible with the EE version but I would like to start with the CE version for a few months to see if it will work in our environment.

There are two parts to your question:
deploying a registry itself
configuring docker engine instances to access the registry
For deploying the registry all you need to do is deploy it as answered by #sony vizio and outlined here https://docs.docker.com/registry/deploying/#run-a-local-registry
docker run -d -p 5000:5000 --restart=always --name registry registry:2
For configuring your docker engines to access this registry you will need to add insecture-registries to /etc/docker/daemon.json (provided the above deployment took place on host registry):
{
"insecure-registries": ["registry:5000"]
}
Images that you push to your local registry will need to be tagged with the registry host:port:
docker tag myimage registry:5000/myimage
docker push registry:5000/myimage
and then elsewhere
docker run registry:5000/myimage

I think what you are looking for is something like
docker run -d -p 5000:5000 --restart=always --name registry registry:2
docker reg server

Related

Pulling an image from local Docker registry

I installed a Docker registry to my server like below;
docker run -d -p 5000:5000 --name registry registry:2
So after that I pushed Alpine image to that registry.
docker pull alpine
docker image tag alpine localhost:5000/alpinetest
docker push localhost:5000/alpinetest
So the problem is I want to access this image from another server.
So I can run the command below from client to Docker registry's server;
user#clientserver ~
$ curl 10.10.2.18:5000/v2/_catalog
{"repositories":["alpinetest"]}
So how can I pull this "Alpinetest" image from another "clientserver"?
For example the command below is not working;
user#clientserver ~
$ docker pull 10.10.2.18:5000/alpinetest:latest
Using default tag: latest
Error response from daemon: Get "https://10.10.2.18:5000/v2/": http: server gave HTTP response to HTTPS client
Thanks!
On the machine that wants to pull the image, create or edit /etc/docker/daemon.json and enter this:
{
"insecure-registries": ["10.10.2.18:5000"]
}
and then run:
sudo systemctl restart docker
Just be aware that the registry is, just like it says, insecure. This setup shouldn't be used when the registry is accessed over the internet or in any other environment that you don't have full control over. But it's definitely nice for local tests.

Docker self-upgrade after restart

I'm looking for a way to pull the latest image in Docker vanilla after a container crashed/exited.
As in my current architecture, I don't have access to Docker Engine API but only to the container itself, I want to be able to update the container based on the image after this service is exited.
The Docker way to upgrade containers seems to be the following:
docker pull mysql
docker stop my-mysql-container
docker rm my-mysql-container
docker run --name=my-mysql-container --restart=always \
-e MYSQL_ROOT_PASSWORD=mypwd -v /my/data/dir:/var/lib/mysql -d mysql
But that's based on the Docker engine CLI API and as I explained before - that's not an approach that I want to try.
Is there a possible way to configure the Docker when the container is pulling again the image from the latest repository upon restart/crash?
What you are asking for is this.
Which seems possible using docker service update for which you will need docker swarm. With plain docker installed on single VM, don't seems feasible.
Hope this helps.

How to verify locally built docker images?

In this question it turned out, that I cannot use the sha256 mechanism in the FROM line in a Dockerfile to verify I am using the correct locally built non-DockerHub image in another derived image.
Is there another way to verify locally built Docker images? Some best practice maybe?
From docs:
By default, docker pull pulls images from Docker Hub. It is also
possible to manually specify the path of a registry to pull from
You can start a private docker registry on you localhost with the following command:
docker run -d -p 5000:5000 --restart=always --name registry registry:2
Say your image name isubuntu Then push image to that specific registry with:
docker push localhost:5000/ubuntu
In your Dockerfile you can use:
From localhost:5000/ubuntu

Unable to push image to a docker registry configured as proxy cache

I followed this guide to setup a Docker v2 Registry acting as a local proxy cache for Docker Hub images. My Docker daemon is configured with both --insecure-registry and --registry-mirror options pointing to the same registry instance.
When pulling images it works correctly by caching them to the local store.
The problem is that when I try to push an image to such local private registry, I get a weird UNSUPPORTED error. The registry log says:
time="2015-11-09T13:20:22Z" level=error msg="response completed with error" err.code=UNSUPPORTED err.message="The operation is unsupported." go.version=go1.4.3 http.request.host="my.registry.io:5000" http.request.id=b1faccb3-f592-4790-bbba-00ebb3a3bfc1 http.request.method=POST http.request.remoteaddr="192.168.0.4:57608" http.request.uri="/v2/mygroup/myimage/blobs/uploads/" http.request.useragent="docker/1.9.0 go/go1.4.2 git-commit/76d6bc9 kernel/3.16.0-4-amd64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=2.035918ms http.response.status=405 http.response.written=78 instance.id=79970ec3-c38e-4ebf-9e83-c3890668b122 vars.name="mygroup/myimage" version=v2.2.0
If I disable proxy setting on the registry then the push works correctly. Am I missing something on the configuration or it is just that a private registry cannot act as a proxy cache at the same time?
Just ran into this myself. Turns out pushing to a private registry configured as a proxy is not supported. See
https://docs.docker.com/registry/configuration/#proxy
"Pushing to a registry configured as a pull through cache is currently unsupported".
That is too bad. Now I will have to will have to setup the local proxy cache as a separate registry.
#Konrad already linked to the explaination.
My solution requires the registry to persist its images on a docker volume, so that they stay available even when I kill & trash the container.
# run proxy registry persisting images on local host
docker stop registry
docker rm registry
docker run -d -p 5000:5000
-v ~/.docker/registry:/var/lib/registry \
--name registry \
registry:2
docker push localhost:5000/your-image:your-tag
# --> see successful push happening...
docker stop
docker rm registry
# re-run the registry as proxy, re-mounting the volume with the images
docker run -d -p 5000:5000 \
-e MIRROR_SOURCE=https://registry.example.net \
-e REGISTRY_PROXY_REMOTEURL=https://registry.example.net \
-e REGISTRY_PROXY_USERNAME="${REGISTRY_USER}" \
-e REGISTRY_PROXY_PASSWORD="${REGISTRY_PASSWORD}" \
-v ~/.docker/registry:/var/lib/registry \
--name registry \
registry:2
This fits my usual needs; I dunno if you can afford to throw away the container as I did (but theoretically you should; containers are supposed to be ephemeral).
Otherwise you'll have to docker save your-image:your-tag > your-image.tar, transfer it to the machine running your registry and then docker load -i your-image.tar. It's not ideal but should work.

Docker private registry with mirror

I created two Docker containers. The first one provides a private Docker registry and the second one is a mirror of the official Docker registry:
docker run -d --name registry -v /local/path/to/registry:/registry -e SETTINGS_FLAVOR=local -e STORAGE_PATH=/registry -p 5000:5000 registry
docker run -d --name mirror -v /local/path/to/mirror:/registry -e STORAGE_PATH=/registry -e STANDALONE=false -e MIRROR_SOURCE=https:/registry-1.docker.io -e MIRROR_SOURCE_INDEX=https://index.docker.io -p 5555:5000 registry
Now I would like to combine both. Whenever a user pulls images it should first query the private registry and then the mirror. And when images are pushed they should only be pushed to the private registry.
I do not have an idea about how this can be done. Any help is appreciated.
You cannot just force all docker push commands to push to your private registry. One reason is that you can have any number of those registers. You have to first tell docker where to push by tagging the image (see lower).
Here is how you can setup docker hosts to work with a running private registry and local mirror.
Client set-up
Lets assume that you are running both mirror and private registry on (resolvable) host called dockerstore. Mirror on port 5555, registry on 5000.
Then on client machine(s) you should pass extra options to docker daemon startup. In your case:
Add --registry-mirror=http://dockerstore:5555 to tell daemon to prefer using local mirror rather then dockerhub. source
Add --insecure-registry dockerstore:5000 to access the private registry without further configuration. See this answer
Restart docker daemon
Using the mirror
When you pull any image the first source will be the local mirror. You can confirm by running a docker pull, e.g.
docker pull debian
In the output there will be message that image is being pulled from your mirror - dockerstore:5000
Using local registry
In order to push to private registry first you have to tag the image to be pushed with full name of the registry. Make sure that you have a dot or colon in the first part of the tag, to tell docker that image should be pushed to private registry.
Docker looks for either a “.” (domain separator) or “:” (port separator) to learn that the first part of the repository name is a location and not a user name.
Example:
Tag 30d39e59ffe2 image as dockerstore:5000/myapp:stable
docker tag 30d39e59ffe2 dockerstore:5000/myapp:stable
Push it to private registry
docker push dockerstore:5000/myapp:stable
Then you can pull as well
docker pull dockerstore:5000/myapp:stable
If not present, create the file:
sudo nano /etc/docker/daemon.json
Then paste the following:
{
"registry-mirrors": [
"https://hub-mirror.c.163.com",
"https://mirror.baidubce.com"
]
}
Then retart Docker daemon
$ sudo systemctl restart docker
[Source]
Just to be clear, docker documentation confirms that:
It’s currently not possible to mirror another private registry. Only
the central Hub can be mirrored.
Repository names are intended to be global, that is the repository redis always refers to the official Redis image from the Docker Hub. If you want to use a private registry, you prefix the repository name with the name of the registry e.g. localhost.localdomain:5000/myimage:mytag.
So when you pull or push, it will automatically go to the relevant registry. The mirror should be easy to set up, you just pass the URL to the daemon with the --registry-mirror= argument.
This isn't perfect for enterprise users, hence this (closed) Docker issue.

Resources