Use Docker Enterprise Edition to build your own private registry server
- 2020-12-19 21:22:53
- OfStack
Docker is really cool, especially because moving a Docker image around is much easier than moving a virtual machine. If you are ready to use Docker, you have probably already pulled an image from Docker Hub, Docker's cloud-hosted registry service, which contains thousands of Docker images to choose from. If you develop your own software packages and build your own Docker images, you may want your own private registry server. If you have images with a proprietary license, or you want to provide a full continuous integration (CI) pipeline for your build system, having your own private registry is even more useful.
Docker Enterprise Edition includes Docker Trusted Registry (DTR). This is a highly available registry server with secure image management, built to run in your own data center or on cloud infrastructure. DTR is a key component of a secure, reusable and continuous software supply chain. You can get started right away with the free hosted demo, or download and install it for a 30-day free trial. The steps below walk through your own installation.
Configure Docker Enterprise Edition
DTR runs on top of Universal Control Plane (UCP), so a single-node cluster has to be installed before you start. If you already have your own UCP cluster, skip this step. On your Docker manager host, run the following command:
# Pull and install UCP
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock --name ucp docker/ucp:latest install
Once UCP is up and running, there are a couple of things to do before installing DTR. Open the UCP instance you just installed in a browser; there should be a link at the end of the log output. If you already have a Docker Enterprise license, enter it on this screen. If not, visit the Docker Store for a 30-day free trial.
With the license in place, you may need to change the port on which UCP runs. Because this is a single-node cluster, DTR and UCP would otherwise try to serve their web interfaces on the same port (443 by default). With a UCP cluster of more than one node this is not a problem, because DTR picks a node where the port is free. In UCP, go to "Admin Settings > Cluster Configuration" and change the controller port, for example to 5443.
Install DTR
We are installing a simple, single-node DTR instance. If you install DTR for actual production use, you should set it up in high-availability (HA) mode, which requires shared storage such as cloud-based object storage or NFS. Since this is a single-node install, we use the default local storage.
First we need to pull the DTR bootstrap image. The bootstrap image is a small stand-alone installer that contains everything needed to connect to UCP and to set up and start DTR: the containers, volumes and logical networks.
Use the command:
# Pull and run DTR bootstrap
docker run -it --rm docker/dtr:latest install --ucp-insecure-tls
Note: By default, both UCP and DTR generate their own self-signed certificates, which the system does not trust. If you set up UCP with a TLS certificate that the system trusts, you can omit the --ucp-insecure-tls option. Alternatively, use the --ucp-ca option to pass UCP's CA certificate directly; this is the safer choice, since --ucp-insecure-tls disables certificate verification of UCP for the duration of the install.
The DTR bootstrap image then prompts you for several settings, such as the URL of the UCP installation and the administrator username and password. Pulling all of the DTR images takes one to two minutes, after which the setup is complete.
Make sure everything is secure
Once everything is ready, you can push and pull images from the registry. Before doing that, let's set up the TLS certificate so the Docker engine can talk to DTR securely.
On Linux, use the following commands (make sure to change the DTR_HOSTNAME variable to the hostname of the DTR we just installed). Note that the first curl uses -k because the engine does not trust DTR's self-signed CA yet, so that download is not authenticated: compare the downloaded certificate against the one on the DTR node before you trust it.
# Pull the CA certificate from DTR (if curl is not available, you can use wget)
DTR_HOSTNAME=<DTR hostname>
curl -k https://${DTR_HOSTNAME}/ca > ${DTR_HOSTNAME}.crt
sudo mkdir -p /etc/docker/certs.d/${DTR_HOSTNAME}
sudo cp ${DTR_HOSTNAME}.crt /etc/docker/certs.d/${DTR_HOSTNAME}/ca.crt
# Restart the docker daemon (on Ubuntu 14.04, use `sudo service docker restart`)
sudo systemctl restart docker
Docker for Mac and Docker for Windows are configured differently. Go to "Preferences > Daemon" (Settings > Daemon on Windows), enter your DTR hostname in the "Insecure registries" section, click "Apply", and the Docker daemon will restart and work with DTR. Keep in mind that listing a host as an insecure registry makes the daemon skip certificate verification for it (and fall back to plain HTTP), which is fine for a lab install but not for anything else; the better option is to add the DTR CA certificate to the system trust store (the macOS Keychain or the Windows certificate store), which the daemon reads on restart.
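The Linux commands above trust whatever https://<DTR hostname>/ca returns over an unverified connection. The following script is an added example (not code from the original post or from Docker) that keeps the download step separate from the install step and only installs the CA into the daemon's per-registry trust directory when its SHA-256 matches a value obtained out of band, for instance by running `sha256sum` on the CA file on the DTR node itself. The hostnames, the CERTS_DIR parameter and the hash-over-PEM comparison are assumptions of this example; the /ca path and /etc/docker/certs.d layout are the ones used in the post.

```shell
#!/bin/sh
# Added example: pin the DTR CA to an out-of-band SHA-256 before trusting it.

# fetch_dtr_ca HOSTNAME OUTFILE
# Downloads the registry CA. -k is unavoidable here because the engine does not
# trust the CA yet; that is exactly why install_dtr_ca checks the hash below.
fetch_dtr_ca() {
    curl -fsSk "https://$1/ca" -o "$2"
}

# pem_sha256 FILE
# Prints the hex SHA-256 of the file's bytes (sha256sum on Linux, shasum on macOS).
pem_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_dtr_ca HOSTNAME PEMFILE EXPECTED_SHA256 [CERTS_DIR]
# Installs PEMFILE as CERTS_DIR/HOSTNAME/ca.crt only when its SHA-256 equals
# EXPECTED_SHA256 (case-insensitive). Returns 1 on bad input, on a file that is
# not a PEM certificate (e.g. an HTML error page), or on a hash mismatch, and
# in those cases does not touch CERTS_DIR at all.
install_dtr_ca() {
    host=$1; pem=$2; expected=$3; certs_dir=${4:-/etc/docker/certs.d}
    [ -n "$host" ] && [ -s "$pem" ] && [ -n "$expected" ] || {
        echo "usage: install_dtr_ca HOST PEMFILE SHA256 [CERTS_DIR]" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" || {
        echo "$pem does not look like a PEM certificate" >&2; return 1; }
    actual=$(pem_sha256 "$pem")
    expected_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected_lc" ]; then
        echo "CA hash mismatch for $host: expected $expected_lc, got $actual" >&2
        return 1
    fi
    mkdir -p "$certs_dir/$host" || return 1
    cp "$pem" "$certs_dir/$host/ca.crt" || return 1
    chmod 644 "$certs_dir/$host/ca.crt"
    echo "installed CA for $host at $certs_dir/$host/ca.crt"
}

# Typical use on the engine host (hostname and hash are placeholders; the default
# CERTS_DIR needs root, and the daemon must be restarted afterwards):
#   fetch_dtr_ca dtr.example.com dtr.example.com.crt
#   install_dtr_ca dtr.example.com dtr.example.com.crt <sha256 from the DTR node> \
#     && sudo systemctl restart docker
```

Compared with the plain curl-and-copy sequence, a mismatch here leaves /etc/docker/certs.d untouched, so an attacker who can intercept the first connection cannot get a CA of their choosing trusted by the engine for all later pulls.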
Push and pull images
Now we need a repository to hold the images. This is a little different from Docker Hub, which automatically creates a repository when you docker push to one that does not exist yet; in DTR you create the repository first. To do that, open https://<Your DTR hostname> in your browser and log in with your administrator credentials when prompted. If you added a license to UCP, DTR picks it up automatically. If not, upload your license now.
Once you are on the web page, click the "New repository" button to create a new repository.
We will create a repository for Alpine Linux, so type "alpine" in the name field and click "Save" (called "Create" in DTR 2.5 and later).
Now go back to the shell and run the following commands:
# Pull the latest version of Alpine Linux
docker pull alpine:latest
# Log in to the new DTR instance
docker login <Your DTR hostname>
# Tag Alpine so it can be pushed to your DTR
docker tag alpine:latest <Your DTR hostname>/admin/alpine:latest
# Push the image to DTR
docker push <Your DTR hostname>/admin/alpine:latest
That's it! We pulled a copy of the latest Alpine Linux, re-tagged it for storage in DTR, and pushed it to our private registry. To pull the image on a different Docker engine, set up the DTR certificate on that engine as shown above, then run:
# Pull the image from DTR
docker pull <Your DTR hostname>/admin/alpine:latest
DTR has many more image management features, such as caching, mirroring, scanning, signing, and even automated promotion policies for images. We'll explore these in more detail in a later blog post.
Conclusion