As a next step we’ll import the components of the Component pack into a Docker registry. If you have an existing registry in your company which you can use, you can skip right to the step where you upload the images in this repository. If you don’t, you’ll have the create the registry first.
Creating a private Docker registry
To install a private Docker registry, Docker needs to be installed on the server. You already have multiple servers with Docker installed at this point. I chose to use my Kubernetes Master for the Docker registry. To prepare this server for the registry I created the following directories:
mkdir -p /data/docker-registry/certs mkdir -p /data/docker-registry/auth mkdir -p /data/docker-registry/registry
As a next step you have to import a certificate for the registry. If you have an official certificate (like a wildcard certificate for your organisation), it’s highly preferred to use that one. If you don’t, follow the steps to create a self signed certificate and import it for use with Docker.
Using an official certificate for your Docker registry
Assuming your certificate is in pem/crt format:
cp <your certificate> /data/docker-registry/certs/domain.crt cp <your private key> /data/docker-registry/certs/domain.key
Creating a self-signed certificate for your Docker registry
openssl req -newkey rsa:4096 -nodes -sha256 -keyout /data/docker-registry/certs/domain.key -x509 -days 365 -out /data/docker-registry/certs/domain.crt
Answer the questions and make sure you enter the fqdn for the CN (like yourserver.example.com).
To make sure your certificate is trusted, copy the certificate to the necessary places on all the Kubernetes masters and nodes:
mkdir -p /etc/docker/certs.d/<yourserver.example.com>:5000 cp <path-to>/domain.crt /etc/docker/certs.d/<yourserver.example.com>:5000/ca.crt
To prevent potential problems, also import the certificate in your OS’ trust store:
cp <path-to>/domain.crt /etc/pki/ca-trust/source/anchors/<yourserver.example.com>.crt update-ca-trust
Start the Registry
Run the following command to grab the container from the Docker repository and start it:
docker run -d -p 5000:5000 --restart=always --name registry -v /data/docker-registry/auth:/auth -v /data/docker-registry/certs:/certs -v /data/docker-registry/registry:/var/lib/registry -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" registry:2
It binds the directories for authorization, certificates and the actual data to your created directory and it sets the environment variables to use the certificate and basic authentication.
I’ve installed 2 environments with the Component pack recently and in both environments I ran into an error on above command. They weren’t the same error though. In my first environment, I had an error complaining about problems with IPv4 forwarding. The solution for that is this short script:
sudo bash -c 'cat << EOF > /etc/sysctl.d/docker-registry.conf net.ipv4.ip_forward=1 EOF' sysctl --system
In the other environment I had a problem with iptables: docker: Error response from daemon: driver failed programming external connectivity on endpoint : (iptables failed: iptables –wait -t nat -A DOCKER -p tcp -d 0/0 –dport 5000 -j DNAT –to-destination 126.96.36.199:5000 ! -i: iptables: No chain/target/match by that name.
The solution here was to simply restart Docker:
systemctl restart docker.service
Creating a Docker registry user account
To create a user account, you have to add one to the htpassword file in the /auth folder (/data/docker-registry/auth in you used the same paths as above). You need the htpasswd command for that which is not installed by default. You can save yourself the trouble of installing it by running the command inside the docker registry container. Open a shell in the container by typing:
docker exec -it registry /bin/sh
Next you can run the command inside the container and exit the container shell:
htpasswd -Bb /auth/htpasswd admin <your-password> exit
A warning here. I encountered the problem twice that somehow instead of getting a htpasswd file with 2 lines for 2 entries, I ended up with a file with both entries on one line (which won’t work). Just to be sure check your file:
If you have the same problem, edit the file and fix it.
In my notes I see I restarted the container at this point using:
docker container restart registry
But I suspect that’s not really necessary (it doesn’t hurt either though).
Another important part is making sure your firewall is open for the registry port. The simple version for this is:
firewall-cmd --permanent --add-port=5000/tcp firewall-cmd --reload
Importing the images
When your Docker registry is ready, you can import the images. First extract the Component pack to some directory using
unzip -d <extraction-directory>/ComponentPack_188.8.131.52.zip. Next type:
cd <extraction-directory>/microservices_connections/hybridcloud/support ./setupImages.sh -dr <yourserver.example.com>:5000 -u admin -p <your-registry-password>
You have the option to only import the images for the parts of the component pack you plan to use by adding the -st option at the end of the command with a selection of orientme,customizer,elasticsearch,boards-cp as described here. If you have the space (4,4 GB for all packages) I advice to install all images. I already had a case where I left out elasticsearch and had to import it later because, even though I didn’t want to install elasticsearch, I needed the images for other parts. Uploading the images takes a while, so a good time to get some coffee or have lunch.
That’s all there is for the Docker registry. In the next part we prepare the Kubernetes environment for the Component pack.
- Deploy a Registry Server
- Pushing Docker images to the registry
- Debugging DNS resolution – Kubernetes