Docker Private Registries
Docker fetches container images from registries. The Docker Hub registry serves both public and private repositories, and you may also have private registries of your own to pull from.
Authenticate on private registries
Node Level
Beware: registries authenticated this way are available to all services running on the node.
$ sudo docker login some.private.registry
Service Level
Registries authenticated this way are only available to the services of one namespace.
On a client computer (not a cluster node, where you do not want to share your registry access with all services):
$ docker login some.private.registry
This command creates a $HOME/.docker/config.json file containing your credentials.
On a target cluster node, create a secret in the namespace that needs the registry access, and load the content of that config.json file into the secret key named config.json.
For example:
$ om myns/sec/creds-some-private-registry create
$ om myns/sec/creds-some-private-registry edit --key config.json
# paste, save and exit
At this point, you can use the following setting in the DEFAULT or container sections of any service in the namespace:
registry_creds = creds-some-private-registry
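Before pasting the whole config.json into the namespace secret, it is worth checking what the file actually holds: docker login appends to a single file, so every other registry you have logged into would be shared with all services of the namespace as well, and an entry kept by a credential helper carries no inline value at all. The following script is an added example, not part of the OpenSVC documentation or code; it works on a constructed config.json with made-up registry names and credentials, and builds the minimal file holding only the entry for the registry in question.

```python
import base64
import json

# Constructed sample of the $HOME/.docker/config.json that "docker login" writes.
# The auth values are base64("user:password") pairs made up for this example;
# the third registry has no inline value, as happens when a credential helper
# (credsStore) holds the secret instead of the file.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "some.private.registry": {
            "auth": base64.b64encode(b"demo-user:demo-token").decode()},
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"hub-user:hub-token").decode()},
        "other.registry.example": {},
    },
    "credsStore": "desktop",
})


def registries_with_inline_creds(config_text):
    """Map each registry whose entry embeds credentials to the user name in it."""
    cfg = json.loads(config_text)
    found = {}
    for registry, entry in cfg.get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            continue  # nothing usable for a namespace secret
        user, _, _ = base64.b64decode(auth).decode().partition(":")
        found[registry] = user
    return found


def select_registry_auth(config_text, registry):
    """Minimal config.json structure holding only `registry`'s entry.

    Storing this instead of the whole file keeps the other registries'
    credentials out of the namespace secret. Raises ValueError when there is
    no inline value for the registry (e.g. a credential helper holds it).
    """
    entry = json.loads(config_text).get("auths", {}).get(registry, {})
    if not entry.get("auth"):
        raise ValueError(f"no inline credentials for {registry} in config.json")
    return {"auths": {registry: {"auth": entry["auth"]}}}


if __name__ == "__main__":
    print("registries with inline credentials:", registries_with_inline_creds(SAMPLE_CONFIG))
    # Content to paste into: om myns/sec/creds-some-private-registry edit --key config.json
    print(json.dumps(select_registry_auth(SAMPLE_CONFIG, "some.private.registry"), indent=2))
```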
Install a Docker registry
Prerequisites
An OpenSVC node with docker installed and running
CNI binaries installed
Access to the docker.io registry from the node
Service Creation
cat > /tmp/registry.template << EOF
[DEFAULT]
orchestrate = ha
nodes = {clusternodes}
[ip#1]
type = cni
netns = container#0
[container#0]
type = docker
image = ghcr.io/opensvc/pause
[container#1]
type = docker
image = registry
volume_mounts = {svcname}-data/registry:/var/lib/registry
netns = container#0
[volume#1]
name = {svcname}-data
size = {env.size}
access = rwo
[env]
size = 10g
EOF
svcmgr create -s test/registry --config /tmp/registry.template --provision
After a few seconds:
$ om test/registry print status
registry up
`- instances
|- nuc-cva down idle
`- aubergine up idle, started
|- ip#1 ........ up cni default 10.22.0.122/16 eth12
|- volume#1 ........ up registry-data
|- container#0 ........ up docker container test..registry.container.0@ghcr.io/opensvc/pause
|- container#1 ........ up docker container test..registry.container.1@registry
`- sync#i0 ...O./.. up rsync svc config to nodes
The registry is up and running.
Warning
The Docker registry does not implement access control. As soon as the container is up, anyone who can reach it is allowed to push images to and pull images from the registry. You can add authentication via the OpenSVC collector or a third-party solution, or simply bind the registry to the loopback IP address on a development laptop.
Testing the registry
On the demonstration setup, the cluster name is "homepool2", so the created registry is reachable via the cluster DNS name registry.test.svc.homepool2.
Tag an image to push to the private registry:
$ sudo docker tag ghcr.io/opensvc/pause:latest registry.test.svc.homepool2:5000/google/pause:latest
Push the tagged image to the private registry:
$ sudo docker push registry.test.svc.homepool2:5000/google/pause:latest
The push refers to a repository [registry.test.svc.homepool2:5000/google/pause]
5f70bf18a086: Pushed
e16a89738269: Pushed
latest: digest: sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105 size: 938