Configuring authentication for the Docker CLI

To access the private image registry from outside your IBM® Cloud Private cluster, set up authentication from your computer to the cluster.

Required user type or access level: Cluster administrator or team administrator

Before you begin

  1. You must install Docker on your computer. For more information, see Install Docker.
  2. If you have Docker proxy enabled on your node, complete the following steps:

    1. Add <cluster_CA_domain>:8500 to the NO_PROXY list, where <cluster_CA_domain> is the certificate authority (CA) domain that was set in the config.yaml file during installation.

       sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf
      

      The update resembles the following code.

       [Service]
        Environment="HTTP_PROXY=http://1.2.3.4:3128" "HTTPS_PROXY=http://1.2.3.4:3128"  "NO_PROXY=localhost,127.0.0.1,<cluster_CA_domain>:8500"
      
    2. Restart the Docker service.

       sudo systemctl daemon-reload
       sudo systemctl restart docker
      

For Linux

  1. On the system that hosts the Docker image, add the following line to the /etc/hosts file.

    <master_ip> <cluster_CA_domain>
    

    <master_ip> is the IP address of the master host in your cluster, and <cluster_CA_domain> is the certificate authority (CA) domain that was set in the config.yaml file during installation. If you did not specify a CA domain name, the default value is mycluster.icp. For more information, see Specifying your own certificate authority (CA) for IBM Cloud Private services.

  2. On your computer, create a directory to store the Docker registry certificate.

    mkdir -p /etc/docker/certs.d/<cluster_CA_domain>:8500/
    
  3. From the client machine (Linux operating system), use secure copy (scp) to copy the registry certificate from the master node of your IBM Cloud Private cluster. The <user> in the following command is the user who has sudo permissions.

    scp <user>@<cluster_CA_domain>:/etc/docker/certs.d/<cluster_CA_domain>\:8500/ca.crt /etc/docker/certs.d/<cluster_CA_domain>\:8500/ca.crt
    
  4. On the client computer, restart the Docker service by running the following command:

    service docker restart
    
  5. Log in to your private image registry by running the following command:

    docker login <cluster_CA_domain>:8500
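
The certificate copied in step 3 becomes a trust anchor for the registry, so it is worth comparing it with a SHA-256 fingerprint read directly on the master node before installing it. The following shell functions are an added example, not part of the original documentation; the function names and the optional certs_root argument are assumptions, and openssl must be installed.

```shell
# Added example: verify a copied registry CA certificate before trusting it.
# Assumption: the expected SHA-256 fingerprint was read on the master node
# itself (out of band), not derived from the copied file.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex, no colons.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Normalize a fingerprint typed by an operator (colons, spaces, upper case).
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# verify_registry_ca <ca.crt> <expected_sha256>
# Return codes: 0 ok, 1 not a certificate, 2 fingerprint mismatch,
# 3 expired or expiring within 24 hours.
verify_registry_ca() {
  local crt="$1" want got
  want=$(normalize_fp "$2")
  got=$(cert_sha256 "$crt")
  [ -n "$got" ] || { echo "not a PEM certificate: $crt" >&2; return 1; }
  [ "$got" = "$want" ] || { echo "fingerprint mismatch: got $got" >&2; return 2; }
  openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
    { echo "certificate is expired or expires within 24h" >&2; return 3; }
  return 0
}

# install_registry_ca <ca.crt> <expected_sha256> <cluster_CA_domain> [certs_root]
# Copies the certificate into Docker's per-registry directory only after it
# passes verification. certs_root defaults to /etc/docker/certs.d.
install_registry_ca() {
  local root="${4:-/etc/docker/certs.d}" dir
  verify_registry_ca "$1" "$2" || return $?
  dir="$root/$3:8500"
  mkdir -p "$dir" && install -m 0644 "$1" "$dir/ca.crt"
}
```

Copy ca.crt to a temporary location first, then run install_registry_ca with that path, the expected fingerprint and <cluster_CA_domain>; a non-zero return code means nothing was written to certs.d.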
    

For macOS

  1. On the client computer, add the following line to the /etc/hosts file:

    <master_ip> <cluster_CA_domain>
    

    <master_ip> is the IP address of the master host in your cluster, and <cluster_CA_domain> is the certificate authority (CA) domain that was set in the config.yaml file during installation. If you did not specify a CA domain name, the default value is mycluster.icp. For more information, see Specifying your own certificate authority (CA) for IBM Cloud Private services.

  2. From the client machine (macOS), use secure copy (scp) to copy the registry certificate from the master node of your IBM Cloud Private cluster.

    mkdir -p ~/.docker/certs.d/<cluster_CA_domain>\:8500
    scp root@<cluster_CA_domain>:/etc/docker/certs.d/<cluster_CA_domain>\:8500/ca.crt ~/.docker/certs.d/<cluster_CA_domain>\:8500/ca.crt
    
  3. From the client computer, add the certificate to the keychain.

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.docker/certs.d/<cluster_CA_domain>\:8500/ca.crt
    
  4. On the client computer, restart the Docker service.

  5. Log in to your private image registry by running the following command:

    docker login <cluster_CA_domain>:8500
    

For Windows

  1. On the system that hosts the Docker image, add the following line to the %SystemRoot%\System32\drivers\etc\hosts file.

    <master_ip> <cluster_CA_domain>
    

    <master_ip> is the IP address of the master host in your cluster, and <cluster_CA_domain> is the certificate authority (CA) domain that was set in the config.yaml file during installation. If you did not specify a CA domain name, the default value is mycluster.icp. For more information, see Specifying your own certificate authority (CA) for IBM Cloud Private services.

  2. Add your Docker registry certificate by completing the following steps:

    1. Select Start and enter Manage Computer Certificates in the search field.

    2. Select Manage Computer Certificates to open the certificate manager.

    3. Right-click Trusted Root Certification Authorities, and select All tasks > Import.

    4. Complete the wizard to configure the certificate. The defaults are often acceptable.

    5. Restart Docker for Windows to apply the changes.

  3. From the master node of your IBM Cloud Private cluster, use secure copy (scp) to copy the registry certificate to the computer.

    scp /etc/docker/certs.d/<cluster_CA_domain>\:8500/ca.crt \
    root@<client_node>:/etc/docker/certs.d/<cluster_CA_domain>\:8500/
    
  4. Log in to your private image registry by running the following command:

    docker login <cluster_CA_domain>:8500
    

Boot2Docker for Windows

  1. On your computer, run the following command to create a boot2docker directory to run Docker containers:

    mkdir /var/lib/boot2docker/certs
    
  2. Convert your certificates to .pem format and copy them into your boot2docker directory. Run the following commands:

    openssl x509 -inform der -in certificate.cer -out certificate.pem
    
    cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/
    
  3. Create an empty file for your certificates. Creating an empty file allows your certificates to be copied into the correct directory. Run the following command:

    touch /var/lib/boot2docker/bootlocal.sh && chmod +x /var/lib/boot2docker/bootlocal.sh
    
  4. Open the file in your text editor by running the following command:

    vi /var/lib/boot2docker/bootlocal.sh
    
  5. Save your file by running the following command:

    mkdir -p /etc/docker/certs.d && cp certs/certificate.pem /etc/docker/certs.d
    
  6. Restart your computer. Run the following command:

    docker-machine restart default