IBM Support

Setup a Docker Private Registry on POWER Servers running Linux

Technical Blog Post


Abstract

Setup a Docker Private Registry on POWER Servers running Linux

Body

Docker Registry is a server-side application that enables sharing of Docker images. The public registry is hosted here. If accessing the public hosted registry is not an option because of company policy, firewall restrictions and so on, one can deploy a private registry. The registry code is open source and available under the Apache License. Note that the private registry doesn't have a web UI like the public hosted registry. A private registry is just an application providing the registry API that the Docker engine uses to work with images.

Installing Docker Registry on RHEL 7.1 LE

A pre-built registry rpm is available from the Unicamp repository.

Add the Unicamp repository

# cat > /etc/yum.repos.d/unicamp.repo <<EOF
[unicamp]
name=Unicamp Repo for RHEL 7.1 LE
baseurl=http://ftp.unicamp.br/pub/ppc64el/rhel/7_1/docker-ppc64el/
enabled=1
gpgcheck=0
EOF

Install the docker-registry package

# yum install docker-registry

Build Registry from Source

In order to build from source, you'll need a Go compiler. For Linux on Power, this is provided by GCC version 5.0 and beyond. You can get the latest IBM Advance Toolchain packages (AT 9.0) or use the 'Go' compiler shipped as part of your distribution. For Ubuntu, the package is named 'gccgo-5' and has been part of the default package repository since version 15.04. For RHEL 7.1 LE, however, you need to either build GCC (version 5.0) from source or use the Advance Toolchain packages.

Here is a simple script to build the registry on the Power platform. By default, the script builds a static binary, copies it to '/usr/bin' and copies the configuration file to '/etc/registry'.

#!/bin/bash
#Script to build registry on Power
#Requires Go compiler to be available in the PATH
#build_registry.sh [dynamic|static]
#Stop at the first failing step so a failed clone or checkout is never built and installed
set -e
build_type=${1}
BUILD_TYPE=${build_type:-static}
SRC="https://github.com/docker/distribution.git"
#Pin the build to a known commit
COMMIT_ID=ece8e132bf6585815fdd00990f6215122c58fb3f
CUR_DIR=$(pwd)
INSTALL_DIR="${CUR_DIR}/go.bld"
BIN_DIR="${CUR_DIR}/go.bld/bin"
mkdir -p "${BIN_DIR}"
GOPATH_BASE="${INSTALL_DIR}/src/github.com/docker"
mkdir -p "${GOPATH_BASE}"
cd "${GOPATH_BASE}"
git clone "${SRC}"
cd distribution
git checkout -q "${COMMIT_ID}"
export GOPATH="${GOPATH_BASE}/distribution/Godeps/_workspace:${INSTALL_DIR}:${GOPATH}"
if [ "${BUILD_TYPE}" == "static" ]
then
    BUILDFLAGS="-static -lnetgo"
else
    BUILDFLAGS=""
fi
go build -gccgoflags "${BUILDFLAGS}" -o "${BIN_DIR}/registry" ./cmd/registry
#Copy the binary to system path
sudo cp "${BIN_DIR}/registry" /usr/bin/registry
#To use the registry you need to copy the file cmd/registry/config-example.yml as config.yml and modify it as appropriate
sudo mkdir -p /etc/registry
sudo cp ./cmd/registry/config-example.yml /etc/registry/config.yml

Configure Docker Private Registry

The default configuration file for the private registry can be found in /etc/registry/config.yml.

The default storage location is /var/lib/registry. If you plan to use a different location, change the 'rootdirectory' setting in the config.yml file accordingly.

# cat /etc/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        blobdescriptor: inmemory
    filesystem:
        rootdirectory: /var/lib/registry
http:
    addr: :5000
    headers:
        X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

Details on available configuration options can be found here - https://docs.docker.com/registry/configuration/

Create default Storage location for Registry

Default storage location is /var/lib/registry. Change it as appropriate.

# mkdir -p /var/lib/registry

Start Docker Private Registry over HTTP

# registry /etc/registry/config.yml &

This will start the registry service on port 5000.

Configure Docker Engine to Use Private Registry

For RHEL, edit /etc/sysconfig/docker and add the following entry. Replace <registry_host> with the actual IP address or hostname of the registry server.

other_args="--insecure-registry <registry_host>:5000"

For Ubuntu, edit /etc/default/docker and add the following entry.

DOCKER_OPTS="--insecure-registry <registry_host>:5000"

Restart the docker service

# service docker restart

Configure Secure Docker Private Registry

On the registry server

# mkdir -p /etc/certs
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /etc/certs/domain.key -x509 -days 365 -out /etc/certs/domain.crt
# REGISTRY_HTTP_TLS_CERTIFICATE=/etc/certs/domain.crt REGISTRY_HTTP_TLS_KEY=/etc/certs/domain.key registry /etc/registry/config.yml &

The /etc/certs/domain.crt file must be copied to all the Docker hosts.

# scp /etc/certs/domain.crt <user>@<docker-host>:/tmp/domain.crt

On each docker host

The directory name under /etc/docker/certs.d must be the host:port that clients use to reach the registry. The commands below use port 5001, while the config.yml shown earlier sets addr to :5000, so make the two agree.

# mkdir -p /etc/docker/certs.d/<registry_host>:5001/
# cp /tmp/domain.crt /etc/docker/certs.d/<registry_host>:5001/ca.crt
# service docker restart
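The openssl command above prompts for the subject fields and writes no subjectAltName, while current Go-based Docker clients match the registry name against the subjectAltName rather than the Common Name. The script below is an added example, not part of the original post: it generates the same kind of self-signed certificate without prompting, adds the SAN, and checks the result before it is distributed. The function names and the registry.example.test hostname in the usage are hypothetical.

```shell
#!/bin/bash
# Added example, not from the original post. Needs OpenSSL 1.1.1 or later.
# Handles a DNS name or an IPv4 literal as registry host (IPv6 not covered).

# san_for <host>: subjectAltName entry of the right type for <host>.
san_for() {
    case "$1" in
        *[!0-9.]*) echo "DNS:$1" ;;  # contains a non-digit, non-dot: DNS name
        *)         echo "IP:$1" ;;   # digits and dots only: IPv4 literal
    esac
}

# make_registry_cert <host> <dir>: write <dir>/domain.key and <dir>/domain.crt
# without prompting, using the same key size and lifetime as the post.
make_registry_cert() {
    local host="$1" dir="$2"
    mkdir -p "$dir"
    (
        umask 077  # keep the unencrypted private key readable by its owner only
        openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
            -subj "/CN=${host}" -addext "subjectAltName=$(san_for "$host")" \
            -keyout "${dir}/domain.key" -out "${dir}/domain.crt"
    )
}

# cert_covers_host <crt> <host>: succeed only if the certificate is valid for
# <host>, which is the name check a TLS client applies to the registry.
cert_covers_host() {
    local flag=-checkhost
    case "$2" in *[!0-9.]*) ;; *) flag=-checkip ;; esac
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match'
}

# key_matches_cert <crt> <key>: succeed only if both hold the same public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# Usage: ./registry_cert.sh registry.example.test [output_dir]
if [ -n "${1:-}" ]; then
    out="${2:-/etc/certs}"
    make_registry_cert "$1" "$out" &&
        cert_covers_host "$out/domain.crt" "$1" &&
        key_matches_cert "$out/domain.crt" "$out/domain.key" &&
        echo "certificate for $1 written to $out"
fi
```

Pass the same name that the Docker hosts will use for the registry, since that is also the name used in the certs.d directory.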


Viewing Images in the Private Registry


Private registry doesn't provide a web UI like the public registry. The only way to work with the private registry is via the registry APIs described here.

For example, to list the images using the API, one can do this

In order to list the available tags for a specific image, one can do this:

# curl http://<registry_host>:5000/v2/<image_name>/tags/list



UID

ibm16170403