mirror of
https://github.com/docker/docs.git
synced 2026-04-12 06:19:22 +07:00
3132 lines
189 KiB
XML
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Docker-trusted-registries on Docker Docs</title>
<link>http://localhost/docker-trusted-registry/</link>
<description>Recent content in Docker-trusted-registries on Docker Docs</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<atom:link href="http://localhost/docker-trusted-registry/index.xml" rel="self" type="application/rss+xml" />

<item>
<title>Admin guide</title>
<link>http://localhost/docker-trusted-registry/adminguide/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/adminguide/</guid>
<description>

<h1 id="docker-trusted-registry-administrator-s-guide">Docker Trusted Registry Administrator&rsquo;s Guide</h1>

<p>This guide explains the tasks and functions an administrator of Docker Trusted Registry needs to understand, such as reporting, logging, system management,
performance metrics, optimizing the Trusted Registry file size, and deleting containers.
For tasks Docker Trusted Registry users need to accomplish, such as pushing and pulling
images, please look at the <a href="../docker-trusted-registry/userguide/">User&rsquo;s Guide</a>.</p>

<h2 id="reporting">Reporting</h2>

<h3 id="dashboard">Dashboard</h3>

<p><img src="../docker-trusted-registry/assets/admin-metrics.png" alt="Docker Trusted Registry Dashboard&lt;/admin/metrics/&gt;" /></p>

<p>The Docker Trusted Registry Dashboard displays &ldquo;hardware&rdquo; resource utilization and network traffic metrics for the Docker Trusted Registry host as well as for each of its contained services. The CPU and RAM usage meters at the top indicate overall resource usage for the host, while detailed time-series charts are provided below for each container providing a Docker Trusted Registry service.</p>

<p>In addition, if your registry is using a filesystem storage driver, you will see a usage meter indicating used and available space on the storage volume. Third-party storage back-ends are not supported by this meter, so if you are using one, the meter will not be displayed.</p>

<p>You can mouse over the charts or meters to see detailed data points.</p>

<p>Clicking on a service name (e.g., &ldquo;load_balancer&rdquo;, &ldquo;admin_server&rdquo;) will
display the network, CPU, and memory (RAM) utilization data for the specified
service. See below for a
<a href="#services">detailed explanation of the available services</a>.</p>

<h3 id="logs">Logs</h3>

<p><img src="../docker-trusted-registry/assets/admin-logs.png" alt="System Logs page&lt;/admin/logs/&gt;" /></p>

<p>Click &ldquo;Logs&rdquo; in the global nav bar at the top of the page to view the logs from your Docker Trusted Registry&rsquo;s containers. You will see
log sections on this page for each service in your Docker Trusted Registry instance. Older or newer
logs can be loaded by scrolling up or down. See below for a
<a href="#services">detailed explanation of the available services</a>.</p>

<p>Docker Trusted Registry&rsquo;s log files can be found on the host in <code>/usr/local/etc/dtr/logs/</code>. The
files are limited to a maximum size of 64 MB. They are rotated every two weeks,
when the aggregator sends logs to the collection server, or whenever
a log file would otherwise exceed 64 MB. Log files are named <code>&lt;component
name&gt;-&lt;timestamp at rotation&gt;</code>, where the &ldquo;component name&rdquo; is the service it
provides (<code>manager</code>, <code>admin-server</code>, etc.).</p>

<h3 id="usage-statistics-and-crash-reports">Usage statistics and crash reports</h3>

<p>During normal use, Docker Trusted Registry generates usage statistics and crash reports. This
information is collected by Docker, Inc. to help us prioritize features, fix
bugs, and improve our products. Specifically, Docker, Inc. collects the
following information:</p>

<ul>
<li>Error logs</li>
<li>Crash logs</li>
</ul>

<h2 id="emergency-access-to-docker-trusted-registry">Emergency access to Docker Trusted Registry</h2>

<p>If your authenticated or public access to the Docker Trusted Registry web interface has stopped
working, but your Docker Trusted Registry admin container is still running, you can add an
<a href="https://docs.docker.com/articles/ambassador_pattern_linking/">ambassador container</a>
to get temporary, unsecured access to it by running:</p>

<pre><code>$ docker run --rm -it --link docker_trusted_registry_admin_server:admin -p 9999:80 svendowideit/ambassador
</code></pre>

<blockquote>
<p><strong>Note:</strong> This guide assumes that you are a member of the <code>docker</code> group,
or have root privileges. Otherwise, you may need to add <code>sudo</code> to the example
command above.</p>
</blockquote>

<p>This will give you access on port <code>9999</code> on your Docker Trusted Registry server: <code>http://&lt;dtr-host-ip&gt;:9999/admin/</code>.</p>

<h3 id="ssh-access-to-host">SSH Access to host</h3>

<p>As an extra measure of safety, make sure you have SSH access to the Docker Trusted Registry host before you start using Docker Trusted Registry.</p>

<p>If you are hosting Docker Trusted Registry on an EC2 host launched from the AWS Marketplace AMI, note that the user is <code>ec2-user</code>:
<code>ssh -i /path/to/private_key/id_rsa ec2-user@&lt;dtr-dns-entry&gt;</code>.</p>

<h2 id="services">Services</h2>

<p>Docker Trusted Registry runs several Docker services which are essential to its reliability and
usability. The following services are included; you can see their details by
viewing the <a href="#dashboard">Docker Trusted Registry Dashboard</a> and <a href="#logs">Logs</a> pages:</p>

<ul>
<li><code>admin_server</code>: Used for displaying system health, performing upgrades,
configuring settings, and viewing logs.</li>
<li><code>load_balancer</code>: Used for maintaining high availability by distributing load
to each image storage service (<code>image_storage_X</code>).</li>
<li><code>log_aggregator</code>: A microservice used for aggregating logs from each of the
other services. Handles log persistence and rotation on disk.</li>
<li><code>image_storage_X</code>: Stores Docker images using the <a href="http://docs.docker.com/registry/spec/api/">Docker Registry HTTP API V2</a>. Typically,
multiple image storage services are used in order to provide greater uptime and
faster, more efficient resource utilization.</li>
<li><code>postgres</code>: A database service used to host authentication (LDAP) data and other datasets as needed by Docker Trusted Registry.</li>
</ul>

<h2 id="docker-trusted-registry-system-management">Docker Trusted Registry system management</h2>

<p>The <code>docker/trusted-registry</code> image is used to control the Docker Trusted Registry system. This
image uses the Docker socket to orchestrate the multiple services that comprise
Docker Trusted Registry.</p>

<pre><code>$ sudo bash -c &quot;$(sudo docker run docker/trusted-registry [COMMAND])&quot;
</code></pre>

<p>Supported commands are: <code>install</code>, <code>start</code>, <code>stop</code>, <code>restart</code>, <code>pull</code>, <code>info</code>,
<code>export-settings</code>, <code>diagnostics</code>, <code>status</code>, <code>upgrade</code>.</p>

<blockquote>
<p><strong>Note</strong>: <code>sudo</code> is needed for <code>docker/trusted-registry</code> commands to
ensure that the Bash script is run with full access to the Docker host.</p>
</blockquote>

<h3 id="install"><code>install</code></h3>

<p>Install Docker Trusted Registry.</p>

<h3 id="start"><code>start</code></h3>

<p>Start Docker Trusted Registry containers that are not running.</p>

<h3 id="stop"><code>stop</code></h3>

<p>Stop Docker Trusted Registry containers that are running.</p>

<h3 id="restart"><code>restart</code></h3>

<p>Stop and then start the Docker Trusted Registry containers.</p>

<h3 id="status"><code>status</code></h3>

<p>Display the current running status of only the Docker Trusted Registry containers.</p>

<pre><code>$ sudo bash -c &quot;$(docker run docker/trusted-registry status)&quot;
INFO [1.1.0-alpha-001472_g8a9ddb4] Attempting to connect to docker engine dockerHost=&quot;unix:///var/run/docker.sock&quot;
INFO [1.1.0-alpha-001472_g8a9ddb4] Running status command
docker_trusted_registry_load_balancer
Daemon [default (unix:///var/run/docker.sock)]
Id: 4d6abd5c39acda25e3d3ccf7cc2acf00f32c7786a7e86fb56daf7fd67584ce9f
Created: 2015-06-16 21:52:53+00:00
Status: Up 4 minutes
Image: docker/trusted-registry-nginx:1.1.0-alpha-001472_g8a9ddb4
Ports:
tcp://0.0.0.0:443 -&gt; 443
tcp://0.0.0.0:80 -&gt; 80
Command:
nginxWatcher
Linked To:
None

docker_trusted_registry_auth_server
Daemon [default (unix:///var/run/docker.sock)]
Id: 22d5c1cf988338638dd810bc8111295f71713e81338d16298028122d33eed64a
Created: 2015-06-16 21:52:46+00:00
...
</code></pre>

<h3 id="info"><code>info</code></h3>

<p>Display the version and info for the Docker daemon, and the version and image IDs
of Docker Trusted Registry.</p>

<pre><code>$ sudo bash -c &quot;$(docker run docker/trusted-registry info)&quot;
INFO [1.1.0-alpha-001472_g8a9ddb4] Attempting to connect to docker engine dockerHost=&quot;unix:///var/run/docker.sock&quot;
{
  &quot;DockerEngine&quot;: {
    &quot;Version&quot;: {
      &quot;ApiVersion&quot;: &quot;1.20&quot;,
      &quot;Arch&quot;: &quot;amd64&quot;,
      &quot;GitCommit&quot;: &quot;55bdb51&quot;,
      &quot;GoVersion&quot;: &quot;go1.4.2&quot;,
      &quot;KernelVersion&quot;: &quot;3.16.0-4-amd64&quot;,
      &quot;Os&quot;: &quot;linux&quot;,
      &quot;Version&quot;: &quot;1.6.0&quot;
    },
    &quot;Info&quot;: {
      &quot;ID&quot;: &quot;QUMM:6SGD:6ZK4:TLJD:LTX7:64Z5:WP4Y:NE3N:TY7P:Y2RR:KVGO:IWRX&quot;,
      &quot;Containers&quot;: 15,
      &quot;Driver&quot;: &quot;btrfs&quot;,
      &quot;DriverStatus&quot;: [],
      &quot;ExecutionDriver&quot;: &quot;native-0.2&quot;,
      &quot;Images&quot;: 2793,
      &quot;KernelVersion&quot;: &quot;3.16.0-4-amd64&quot;,
      &quot;OperatingSystem&quot;: &quot;Debian GNU/Linux stretch/sid&quot;,
      &quot;NCPU&quot;: 4,
      &quot;MemTotal&quot;: 12305711104,
      &quot;Name&quot;: &quot;t440s&quot;,
      &quot;Labels&quot;: null,
      &quot;Debug&quot;: true,
      &quot;NFd&quot;: 43,
      &quot;NGoroutines&quot;: 85,
      &quot;SystemTime&quot;: &quot;2015-06-17T04:24:54.634746915+10:00&quot;,
      &quot;NEventsListener&quot;: 1,
      &quot;InitPath&quot;: &quot;/usr/bin/docker&quot;,
      &quot;InitSha1&quot;: &quot;&quot;,
      &quot;IndexServerAddress&quot;: &quot;https://index.docker.io/v1/&quot;,
      &quot;MemoryLimit&quot;: false,
      &quot;SwapLimit&quot;: false,
      &quot;IPv4Forwarding&quot;: true,
      &quot;DockerRootDir&quot;: &quot;/data/docker&quot;,
      &quot;HttpProxy&quot;: &quot;&quot;,
      &quot;HttpsProxy&quot;: &quot;&quot;,
      &quot;NoProxy&quot;: &quot;&quot;
    }
  },
  &quot;DTR&quot;: {
    &quot;Version&quot;: &quot;1.1.0-alpha-001472_g8a9ddb4&quot;,
    &quot;GitSHA&quot;: &quot;8a9ddb4595c3&quot;,
    &quot;StorageDriver&quot;: &quot;filesystem&quot;,
    &quot;AuthDriver&quot;: &quot;dtr&quot;,
    &quot;ImageIDs&quot;: {
      &quot;Garant&quot;: &quot;59bc135c362ad7e44743800b037061976210a9cc6aec323c3ea6eb93ebb513ca&quot;,
      &quot;Registry&quot;: &quot;6aba58d8bbe71b14edd538a20ac98e1279577bbef461ca25fd2794dcb017c1dc&quot;,
      &quot;AdminServer&quot;: &quot;af4dfb1f386e3e07b612f5f59f08166ce499ef1dfc619d499a42c53c5e424acf&quot;,
      &quot;Manager&quot;: &quot;3abc65af8385e63d61af40a1393438d0d720e6bf2a60c1b15b7a17a2a0d8965b&quot;,
      &quot;LogAggregator&quot;: &quot;01da5d7ef561a251c0c63b860a95d55b602cc70347192ef34acd3b1c5bcd317f&quot;,
      &quot;Nginx&quot;: &quot;631537f98c8876050fae00106c8db424d03e408b27cc14b5eb1fc11abbaba03b&quot;
    },
    &quot;LicenseKeyID&quot;: &quot;2Y6QPUBxoYEms6pIysneyum6SZY_QxE9v4zLF8i1wBNZ&quot;
  }
}
</code></pre>

<h3 id="diagnostics"><code>diagnostics</code></h3>

<p>The <code>diagnostics</code> command is used to extract configuration and runtime data
about your containers for support purposes.</p>

<p>The output includes the <code>docker inspect</code> output for all
containers, running and not, so please check the resulting files for passwords
and other proprietary information before sending them.</p>

<pre><code>$ sudo bash -c &quot;$(docker run docker/trusted-registry diagnostics)&quot; &gt; diagnostics.zip
</code></pre>

<blockquote>
<p><strong>Warning:</strong> These diagnostics files may contain secrets that you need to remove
before passing them on, such as raw container log files, Azure storage credentials, or passwords that may have been
passed to non-Docker Trusted Registry containers using <code>docker run -e PASSWORD=asdf</code> environment variable
options.</p>
</blockquote>

<p>Stream to STDOUT a zip file containing CSDE and Docker Trusted Registry configuration, state, and log
files to help the Docker Enterprise support team:</p>

<ul>
<li>your Docker host&rsquo;s <code>ca-certificates.crt</code></li>
<li><code>containers/</code>: <code>docker inspect</code> information and log files for the first 20 running, stopped and paused containers</li>
<li><code>dockerEngine/</code>: the Docker daemon&rsquo;s <code>info</code> and <code>version</code> output</li>
<li><code>dockerState/</code>: the Docker daemon&rsquo;s container states, image states, daemon log file, and daemon configuration file</li>
<li><code>dtrlogs/</code>: the Docker Trusted Registry container log files</li>
<li><code>manager/</code>: the Docker Trusted Registry <code>/usr/local/etc/dtr</code> configuration directory and manager <code>info</code> output. See the <a href="#export-settings">export settings section</a> for more details.</li>
<li><code>sysinfo/</code>: host information</li>
<li><code>errors.txt</code>: errors and warnings encountered while running diagnostics</li>
</ul>

<h3 id="export-settings"><code>export-settings</code></h3>

<p>Export the Docker Trusted Registry configuration files for backup or diagnostics use.</p>

<pre><code>$ sudo bash -c &quot;$(docker run docker/trusted-registry export-settings)&quot; &gt; export-settings.tar.gz
</code></pre>

<blockquote>
<p><strong>Warning:</strong> These diagnostics files may contain secrets that you need to remove
before passing them on, such as Azure storage credentials.</p>
</blockquote>

<p>Stream to STDOUT a gzipped tar file containing the Docker Trusted Registry configuration files from <code>/usr/local/etc/dtr/</code>:</p>

<ul>
<li><code>garant.yml</code></li>
<li><code>generatedConfigs/nginx.conf</code></li>
<li><code>generatedConfigs/stacker.yml</code></li>
<li><code>hub.yml</code></li>
<li><code>license.json</code></li>
<li><code>ssl/server.pem</code></li>
<li><code>storage.yml</code></li>
</ul>

<h2 id="client-docker-daemon-diagnostics">Client Docker Daemon diagnostics</h2>

<p>To debug client Docker daemon communication issues with Docker Trusted Registry, we also provide
a diagnostics tool to be run on the client Docker daemon.</p>

<blockquote>
<p><strong>Warning:</strong> These diagnostics files may contain secrets that you need to remove
before passing them on, such as raw container log files, Azure storage credentials, or passwords that may have been
passed to non-Docker Trusted Registry containers using <code>docker run -e PASSWORD=asdf</code> environment variable
options.</p>
</blockquote>

<p>You can download and run this tool using the following command:</p>

<blockquote>
<p><strong>Note:</strong> If you supply an administrator username and password, then the
<code>diagnostics</code> tool will also download some logs and configuration data
from the remote Docker Trusted Registry server.</p>
</blockquote>

<pre><code>$ wget https://dhe.mycompany.com/admin/bin/diagnostics &amp;&amp; chmod +x diagnostics
$ sudo ./diagnostics dhe.mycompany.com &gt; enduserDiagnostics.zip
DTR administrator password (provide empty string if there is no admin server authentication):
WARN [1.1.0-alpha-001472_g8a9ddb4] Encountered errors running diagnostics errors=[Failed to copy DTR Adminserver's exported settings into ZIP output: &quot;Failed to read next tar header: \&quot;archive/tar: invalid tar header\&quot;&quot; Failed to copy logs from DTR Adminserver into ZIP output: &quot;Failed to read next tar header: \&quot;archive/tar: invalid tar header\&quot;&quot; error running &quot;sestatus&quot;: &quot;exit status 127&quot; error running &quot;dmidecode&quot;: &quot;exit status 127&quot;]
</code></pre>

<p>The zip file will contain the following information:</p>

<ul>
<li>your local Docker host&rsquo;s <code>ca-certificates.crt</code></li>
<li><code>containers/</code>: <code>docker inspect</code> information and log files for the first 20 running, stopped and paused containers</li>
<li><code>dockerEngine/</code>: the local Docker daemon&rsquo;s <code>info</code> and <code>version</code> output</li>
<li><code>dockerState/</code>: the local Docker daemon&rsquo;s container states, image states, log file, and daemon configuration file</li>
<li><code>dtr/</code>: remote Docker Trusted Registry services information. This directory will only be populated if the user enters a Docker Trusted Registry &ldquo;admin&rdquo; username and password.
<ul>
<li><code>dtr/logs/</code>: the remote Docker Trusted Registry container log files.</li>
<li><code>dtr/exportedSettings/</code>: the Docker Trusted Registry manager container&rsquo;s log files and a backup of the <code>/usr/local/etc/dtr</code> Docker Trusted Registry configuration directory. See the <a href="#export-settings">export settings section</a> for more details.</li>
</ul>
</li>
<li><code>sysinfo/</code>: local host information</li>
<li><code>errors.txt</code>: errors and warnings encountered while running diagnostics</li>
</ul>
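<p>The <code>diagnostics</code>, <code>export-settings</code> and client diagnostics warnings in this guide all say to remove passwords and storage credentials from an archive before sending it to support. The following Python script is an added example, not part of the Docker docs or of Docker Trusted Registry itself: it redacts secret-like <code>Env</code> entries in the <code>containers/</code> <code>docker inspect</code> JSON and secret-like keys in the <code>manager/</code> YAML files of a diagnostics zip, then reports what it changed. The secret-key heuristic, the member file names and the sample archive are this example's own assumptions.</p>

```python
"""Redact secrets from a Docker Trusted Registry diagnostics zip before sharing it.

Added example, not DTR code. Assumes the zip follows the layout listed in this
guide (containers/ holds docker inspect JSON and logs, manager/ holds the
/usr/local/etc/dtr YAML config); the key-name heuristic is this example's own.
"""
import io
import json
import re
import zipfile

# Heuristic: names that usually carry credentials. Deliberately broad (it also matches
# e.g. "accountkey"), since over-redacting a support bundle is the safe direction.
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|key|credential", re.IGNORECASE)
ENV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")   # docker inspect Env entry
YAML_RE = re.compile(r"^(\s*[\w.-]+\s*:\s*)(\S.*)$")       # simple "key: value" line
REDACTED = "<REDACTED>"


def redact_env(env):
    """Replace the value of every secret-like NAME=value entry; return (entries, hits)."""
    out, hits = [], 0
    for entry in env:
        m = ENV_RE.match(entry)
        if m and SECRET_KEY_RE.search(m.group(1)):
            out.append(f"{m.group(1)}={REDACTED}")
            hits += 1
        else:
            out.append(entry)
    return out, hits


def redact_inspect_json(text):
    """Redact Config.Env in docker inspect output (a list of containers or one object)."""
    data = json.loads(text)
    containers = data if isinstance(data, list) else [data]
    hits = 0
    for container in containers:
        cfg = container.get("Config") or {}
        if isinstance(cfg.get("Env"), list):
            cfg["Env"], n = redact_env(cfg["Env"])
            hits += n
    return json.dumps(data, indent=2), hits


def redact_yaml_text(text):
    """Blank the value on any 'key: value' line whose key looks secret-like."""
    out, hits = [], 0
    for line in text.splitlines():
        m = YAML_RE.match(line)
        if m and SECRET_KEY_RE.search(m.group(1)):
            out.append(m.group(1) + REDACTED)
            hits += 1
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), hits


def redact_archive(src_bytes):
    """Return (redacted zip bytes, {member name: number of redactions})."""
    report, dst = {}, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src_bytes)) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            name, raw, hits = info.filename, zin.read(info.filename), 0
            if name.startswith("containers/") and name.endswith(".json"):
                try:
                    text, hits = redact_inspect_json(raw.decode("utf-8"))
                    raw = text.encode("utf-8")
                except (UnicodeDecodeError, ValueError):
                    pass  # not valid JSON: leave the member as it is
            elif name.startswith("manager/") and name.endswith((".yml", ".yaml")):
                text, hits = redact_yaml_text(raw.decode("utf-8"))
                raw = text.encode("utf-8")
            if hits:
                report[name] = hits
            zout.writestr(name, raw)  # untouched members are copied as-is
    return dst.getvalue(), report


def build_sample_archive():
    """Constructed sample archive in the guide's layout (not real DTR output)."""
    inspect = [{"Id": "deadbeef", "Config": {"Env": ["PATH=/usr/bin", "PASSWORD=asdf", "DB_TOKEN=t0k3n"]}}]
    storage = "azure:\n  accountname: dtrstore\n  accountkey: QUJDREVG\n  container: images\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("containers/app.json", json.dumps(inspect))
        z.writestr("containers/app.log", "plain log line\n")  # non-JSON, left untouched
        z.writestr("manager/storage.yml", storage)
    return buf.getvalue()


def demo():
    """Redact the sample archive; return (report, redacted Env, redacted storage.yml)."""
    redacted, report = redact_archive(build_sample_archive())
    with zipfile.ZipFile(io.BytesIO(redacted)) as z:
        env = json.loads(z.read("containers/app.json"))[0]["Config"]["Env"]
        storage = z.read("manager/storage.yml").decode("utf-8")
    return report, env, storage


if __name__ == "__main__":
    print(demo()[0])  # {'containers/app.json': 2, 'manager/storage.yml': 1}
```

Review the report and the remaining members by hand before sending the archive; the heuristic only catches values stored under recognisable key names, not secrets embedded in free-text log lines.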
<h3 id="starting-and-stopping-docker-trusted-registry">Starting and stopping Docker Trusted Registry</h3>

<p>If you need to stop and/or start Docker Trusted Registry (for upgrading, troubleshooting, etc.), use the following commands:</p>

<pre><code>$ sudo bash -c &quot;$(docker run docker/trusted-registry stop)&quot;
$ sudo bash -c &quot;$(docker run docker/trusted-registry start)&quot;
</code></pre>

<h2 id="see-also">See also</h2>

<p>For information on installing Docker Trusted Registry, take a look at the <a href="docker-trusted-registry/install.md">Installation instructions</a>.</p>

<ul>
<li>To configure for your environment, see the
<a href="../docker-trusted-registry/configuration/">Configuration instructions</a>.</li>
<li>To use Docker Trusted Registry, see the <a href="../docker-trusted-registry/userguide/">User guide</a>.</li>
<li>To upgrade, see the <a href="upgrade.md">Upgrade guide</a>.</li>
<li>To see previous changes, see the <a href="../docker-trusted-registry/release-notes/">release notes</a>.</li>
</ul>
</description>
</item>

<item>
<title>Configuration options</title>
<link>http://localhost/docker-trusted-registry/configuration/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/configuration/</guid>
<description>

<h1 id="configuring-docker-trusted-registry">Configuring Docker Trusted Registry</h1>

<h2 id="overview">Overview</h2>

<p>This page will help you properly configure Docker Trusted Registry so it can
run in your environment.</p>

<p>Start with Docker Trusted Registry loaded in your browser and click &ldquo;Settings&rdquo; in the global nav
bar at the top of the page to view configuration options. You&rsquo;ll see menus
organizing the options for configuring:</p>

<ul>
<li>General Settings (ports, proxies, etc.)</li>
<li>Security settings</li>
<li>Storage settings</li>
<li>Your Docker Trusted Registry license</li>
<li>Authentication settings</li>
</ul>

<blockquote>
<p><strong>Note:</strong>
Saving changes you&rsquo;ve made to settings may restart various services, as follows:</p>
<ul>
<li>General settings: full Docker Trusted Registry restart</li>
<li>License change: full Docker Trusted Registry restart</li>
<li>SSL change: Nginx reload</li>
<li>Storage config: only registries restart</li>
<li>Authentication config: no restart</li>
</ul>
</blockquote>

<h2 id="general-settings">General Settings</h2>

<p><img src="../docker-trusted-registry/assets/admin-settings.png" alt="Domain and Ports page&lt;/admin/settings#http&gt;" /></p>

<ul>
<li><em>Domain Name</em>: <strong>required</strong>; defaults to an empty string. The fully qualified domain name assigned to the Docker Trusted Registry host.</li>
<li><em>HTTP Port</em>: defaults to 80; used as the entry point for the image storage service. To see load balancer status, you can query
<code>http://&lt;dtr-host&gt;/load_balancer_status</code>.</li>
<li><em>HTTPS Port</em>: defaults to 443; used as the secure entry point for the image storage service.</li>
<li><em>HTTP proxy</em>: defaults to an empty string; proxy server for HTTP requests.</li>
<li><em>HTTPS proxy</em>: defaults to an empty string; proxy server for HTTPS requests.</li>
<li><em>No proxy</em>: defaults to an empty string; proxy bypass for HTTP and HTTPS requests.</li>
<li><em>Upgrade checking</em>: enables or disables automatic checking for Docker Trusted Registry software updates.</li>
</ul>

<blockquote>
<p><strong>Note</strong>: If you need Docker Trusted Registry to re-generate a self-signed certificate at some
point, you&rsquo;ll need to first delete <code>/usr/local/etc/dtr/ssl/server.pem</code>, and
then restart the Docker Trusted Registry containers, either by changing and saving the &ldquo;Domain Name&rdquo;,
or using <code>bash -c &quot;$(docker run docker/trusted-registry restart)&quot;</code>.</p>
</blockquote>

<h2 id="security">Security</h2>

<p><img src="../docker-trusted-registry/assets/admin-settings-security.png" alt="Security settings page&lt;/admin/settings#security&gt;" /></p>

<ul>
<li><em>SSL Certificate</em>: Used to enter the hash (string) from the SSL Certificate.
This cert must be accompanied by its private key, entered below.</li>
<li><em>SSL Private Key</em>: The hash from the private key associated with the provided
SSL Certificate (as a standard x509 key pair).</li>
</ul>

<p>In order to run, Docker Trusted Registry requires encrypted communications via HTTPS/SSL (a) between the Docker Trusted Registry and your Docker Engine(s), and (b) between your web browser and the Docker Trusted Registry admin server. There are a few options for setting this up:</p>

<ol>
<li>You can use the self-signed certificate Docker Trusted Registry generates by default.</li>
<li>You can generate your own certificates using a public service or your enterprise&rsquo;s infrastructure. See the <a href="#generating-ssl-certificates">Generating SSL certificates</a> section for the options available.</li>
</ol>

<p>If you are generating your own certificates, you can install them by following the instructions for
<a href="#adding-your-own-registry-certificates-to-docker-trusted-registry">Adding your own registry certificates to Docker Trusted Registry</a>.</p>

<p>On the other hand, if you choose to use the Docker Trusted Registry-generated certificates, or the
certificates you generate yourself are not trusted by your client Docker hosts,
you will need to do one of the following:</p>

<ul>
<li><p><a href="#installing-registry-certificates-on-client-docker-daemons">Install a registry certificate on all of your client Docker daemons</a>, or</p></li>
<li><p>Set your <a href="#if-you-can-t-install-the-certificates">client Docker daemons to run with an unconfirmed connection to the registry</a>.</p></li>
</ul>

<h3 id="generating-ssl-certificates">Generating SSL certificates</h3>

<p>There are three basic approaches to generating certificates:</p>

<ol>
<li><p>Most enterprises will have a public key infrastructure (PKI) in place to
generate keys. Consult with your security team or whoever manages your
PKI. If you have this resource available, Docker recommends you
use it.</p></li>
<li><p>If your enterprise can&rsquo;t provide keys, you can use a public Certificate
Authority (CA) like &ldquo;InstantSSL.com&rdquo; or &ldquo;RapidSSL.com&rdquo; to generate a
certificate. If your certificates are generated using a globally trusted
Certificate Authority, you won&rsquo;t need to install them on all of your
client Docker daemons.</p></li>
<li><p>Use the self-signed registry certificate generated by Docker Trusted Registry, and install it
onto the client Docker daemon hosts as shown below.</p></li>
</ol>

<h3 id="adding-your-own-registry-certificates-to-docker-trusted-registry">Adding your own Registry certificates to Docker Trusted Registry</h3>

<p>Whichever method you use to generate certificates, once you have them
you can set up your Docker Trusted Registry server to use them by navigating to the &ldquo;Settings&rdquo; page,
going to &ldquo;Security,&rdquo; and putting the SSL Certificate text (including all
intermediate Certificates, starting with the host) into the
&ldquo;SSL Certificate&rdquo; edit box, and the previously generated Private key into
the &ldquo;SSL Private Key&rdquo; edit box.</p>

<p>Click the &ldquo;Save&rdquo; button, and then wait for the Docker Trusted Registry Admin site to restart and
reload. It should now be using the new certificate.</p>

<p>Once the &ldquo;Security&rdquo; page has reloaded, it will show <code>#</code> hashes instead of the
certificate text you pasted in.</p>

<p>If your certificate is signed by a chain of Certificate Authorities that are
already trusted by your Docker daemon servers, you can skip the &ldquo;Installing
registry certificates&rdquo; step below.</p>

<h3 id="installing-registry-certificates-on-client-docker-daemons">Installing Registry certificates on client Docker daemons</h3>

<p>If your certificates do not have a trusted Certificate Authority, you will need
to install them on each client Docker daemon host.</p>

<p>The procedure for installing the Docker Trusted Registry certificates on each Linux distribution has
slightly different steps, as shown below.</p>

<p>You can test this certificate using <code>curl</code>:</p>

<pre><code>$ curl https://dtr.yourdomain.com/v2/
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a &quot;bundle&quot;
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

$ curl --cacert /usr/local/etc/dtr/ssl/server.pem https://dtr.yourdomain.com/v2/
{&quot;errors&quot;:[{&quot;code&quot;:&quot;UNAUTHORIZED&quot;,&quot;message&quot;:&quot;access to the requested resource is not authorized&quot;,&quot;detail&quot;:null}]}
</code></pre>

<p>Continue by following the steps corresponding to your chosen OS.</p>

<h4 id="ubuntu-debian">Ubuntu/Debian</h4>

<pre><code>$ export DOMAIN_NAME=dtr.yourdomain.com
$ openssl s_client -connect $DOMAIN_NAME:443 -showcerts &lt;/dev/null 2&gt;/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/$DOMAIN_NAME.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
$ sudo service docker restart
docker stop/waiting
docker start/running, process 29291
</code></pre>

<h4 id="rhel-centos">RHEL/CentOS</h4>

<pre><code>$ export DOMAIN_NAME=dtr.yourdomain.com
$ openssl s_client -connect $DOMAIN_NAME:443 -showcerts &lt;/dev/null 2&gt;/dev/null | openssl x509 -outform PEM | sudo tee /etc/pki/ca-trust/source/anchors/$DOMAIN_NAME.crt
$ sudo update-ca-trust
$ sudo /bin/systemctl restart docker.service
</code></pre>

<h4 id="docker-machine-and-boot2docker">Docker Machine and Boot2Docker</h4>

<p>You&rsquo;ll need to make some persistent changes using <code>bootsync.sh</code> in your
Boot2Docker-based virtual machine (as documented in <a href="https://github.com/boot2docker/boot2docker/blob/master/doc/FAQ.md#local-customisation-with-persistent-partition">local customization</a>). To do this:</p>

<ol>
<li><code>docker-machine ssh dev</code> to enter the VM</li>
<li><code>vi /var/lib/boot2docker/bootsync.sh</code> (create it if it doesn&rsquo;t exist, or edit it if it does)</li>
</ol>

<p>Install the CA cert (or the auto-generated cert) by adding the following to
your <code>/var/lib/boot2docker/bootsync.sh</code>:</p>

<pre><code>#!/bin/sh

cat /var/lib/boot2docker/server.pem &gt;&gt; /etc/ssl/certs/ca-certificates.crt
</code></pre>

<p>Then get the certificate from the new Docker Trusted Registry server using:</p>

<pre><code>$ openssl s_client -connect dtr.yourdomain.com:443 -showcerts &lt;/dev/null 2&gt;/dev/null | openssl x509 -outform PEM | sudo tee -a /var/lib/boot2docker/server.pem
</code></pre>

<p>If your certificate chain is complicated, you may want to use the changes in
<a href="https://github.com/boot2docker/boot2docker/pull/807/files">Pull request 807</a>.</p>

<p>Now you can either reboot your virtual machine, or run the following to
install the server certificate, and then restart the Docker daemon.</p>

<pre><code>$ sudo chmod 755 /var/lib/boot2docker/bootsync.sh
$ sudo /var/lib/boot2docker/bootsync.sh
$ sudo /etc/init.d/docker restart
</code></pre>

<h3 id="if-you-can-t-install-the-certificates">If you can&rsquo;t install the certificates</h3>

<p>If for some reason you can&rsquo;t install the certificate chain on a client Docker host,
or your certificates do not have a global CA, you can configure your Docker daemon to run in &ldquo;insecure&rdquo; mode. This is done by adding an extra flag,
<code>--insecure-registry host-ip|domain-name</code>, to your client Docker daemon startup flags.
You&rsquo;ll need to restart the Docker daemon for the change to take effect.</p>

<p>This flag means that the communications between your Docker client and the Docker Trusted Registry
server are still encrypted, but the client Docker daemon no longer verifies the server&rsquo;s
certificate, so it cannot confirm that the Registry connection is not being hijacked or diverted.</p>

<blockquote>
<p><strong>Note</strong>: If you enter a &ldquo;Domain Name&rdquo; into the &ldquo;Security&rdquo; settings, it needs
to be DNS resolvable on any client Docker daemons that are running in
&ldquo;insecure-registry&rdquo; mode.</p>
</blockquote>

<p>To set the flag, follow the directions below for your operating system.</p>

<h4 id="ubuntu">Ubuntu</h4>

<p>On Ubuntu 14.04 LTS, you customize the Docker daemon configuration with the
<code>/etc/default/docker</code> file.</p>

<p>Open or create the <code>/etc/default/docker</code> file, and add the
<code>--insecure-registry</code> flag to the <code>DOCKER_OPTS</code> setting (which may need to be
added or uncommented) as follows:</p>

<pre><code>DOCKER_OPTS=&quot;--insecure-registry dtr.yourdomain.com&quot;
</code></pre>

<p>Then restart the Docker daemon with <code>sudo service docker restart</code>.</p>

<h4 id="rhel-centos-1">RHEL/Centos</h4>

<p>On RHEL/Centos, you customize the Docker daemon configuration with the
<code>/etc/sysconfig/docker</code> file.</p>

<p>Open or create the <code>/etc/sysconfig/docker</code> file, and add the
<code>--insecure-registry</code> flag to the <code>OPTIONS</code> setting (which may need to be
added or uncommented) as follows:</p>

<pre><code>OPTIONS=&quot;--insecure-registry dtr.yourdomain.com&quot;
</code></pre>

<p>Then restart the Docker daemon with <code>sudo service docker restart</code>.</p>

<h4 id="docker-machine-and-boot2docker-1">Docker Machine and Boot2Docker</h4>

<p>In your Boot2Docker-based virtual machine, you customize the Docker daemon configuration with the
<code>/var/lib/boot2docker/profile</code> file.</p>

<p>Open or create the <code>/var/lib/boot2docker/profile</code> file, and add an <code>EXTRA_ARGS</code>
setting as follows:</p>

<pre><code>EXTRA_ARGS=&quot;--insecure-registry dtr.yourdomain.com&quot;
</code></pre>

<p>Then restart the Docker daemon with <code>sudo /etc/init.d/docker restart</code>.</p>

<h2 id="image-storage-configuration">Image Storage Configuration</h2>

<p>Docker Trusted Registry image storage can be configured to use the local filesystem, or a cloud service
such as S3 or Azure.</p>

<p>See the <a href="http://docs.docker.com/registry/configuration/">Registry 2.0 configuration</a>
documentation for the full options specific to each driver.
Storage drivers can be added or customized via the <a href="http://docs.docker.com/registry/storagedrivers/#storage-driver-api">Docker Registry storage driver API</a>.</p>

<p><img src="../docker-trusted-registry/assets/admin-settings-storage.png" alt="Storage settings page&lt;/admin/settings#storage&gt;" /></p>

<p>After you select the image storage method you would like to use from the drop-down menu
near the top of the page, the UI will change to reflect the configuration settings
appropriate to the selected method.</p>

<p>You can either use the storage-specific input boxes to configure the most common settings
for the local filesystem, S3 or Azure storage backends,
or upload a full YAML configuration file for more detailed control.</p>

<p>You can view the current <code>storage.yaml</code> file on your Docker Trusted Registry Docker host in the <code>/usr/local/etc/dtr/</code>
directory.</p>

<h3 id="filesystem-settings">Filesystem settings</h3>

<p>The <a href="../registry/configuration/#filesystem">filesystem storage backend</a>
has only one setting, the &ldquo;Storage directory&rdquo;: the subdirectory of <code>/var/local/dtr/image-storage</code>
in which all registry files are stored.
The default value of <code>/local</code> means the files are stored in <code>/var/local/dtr/image-storage/local</code>.</p>

<h3 id="s3-settings">S3 settings</h3>

<p>The <a href="../registry/configuration/#s3">S3 storage backend</a> page allows you to set the
&ldquo;AWS region&rdquo;, &ldquo;Bucket name&rdquo;, &ldquo;Access Key&rdquo;, and &ldquo;Secret Key&rdquo;.</p>

<h3 id="azure-settings">Azure settings</h3>

<p>The <a href="../registry/configuration/#azure">Azure storage backend</a> page allows you to set
the &ldquo;Account name&rdquo;, &ldquo;Account key&rdquo;, &ldquo;Container&rdquo;, and &ldquo;Realm&rdquo;.</p>

<h3 id="yaml-configuration-file">YAML configuration file</h3>

<p>If the Quick setup options above are not sufficient to configure your Registry
options, you can upload a YAML file.</p>

<p>The schema of this file is identical to that used
by the <a href="http://docs.docker.com/registry/configuration/">Registry 2.0</a>.</p>

<ul>
<li>If you are using the file system driver to provide local image storage, you
will need to specify a root directory which will get mounted as a sub-path of
<code>/var/local/dtr/image-storage</code>. The default value of this root directory is
<code>/local</code>, so the full path to it is <code>/var/local/dtr/image-storage/local</code>.</li>
</ul>

<h2 id="authentication">Authentication</h2>

<p>The &ldquo;Authentication&rdquo; settings let Docker Trusted Registry administrators control access
to the Docker Trusted Registry web admin tool and to the Docker Trusted Registry.</p>

<p>The current authentication methods are <code>None</code>, <code>Managed</code> and <code>LDAP</code>.</p>

<blockquote>
<p><strong>Note</strong>: if you have issues logging into the Docker Trusted Registry admin web interface after changing the authentication
settings, you may need to use the <a href="../docker-trusted-registry/adminguide/#emergency-access-to-dtr">emergency access to the Docker Trusted Registry admin web interface</a>.</p>
</blockquote>

<h3 id="no-authentication">No authentication</h3>

<p>No authentication means that everyone who can reach your Docker Trusted Registry web administration
site can use it without logging in. This is not recommended for any use other than testing.</p>

<h3 id="managed-authentication">Managed authentication</h3>

<p>With <code>Managed</code> authentication, the Docker Trusted Registry admin can control users&rsquo; access by setting username/password pairs. The admin can then <a href="../docker-trusted-registry/api/">use the API</a> to give these users global &ldquo;admin&rdquo;, &ldquo;read-write&rdquo; or &ldquo;read-only&rdquo; privileges while assigning them Organization, Team or User repository access.</p>

<p>The &ldquo;read-only&rdquo; role can pull all images from the registry, &ldquo;read-write&rdquo; can
push and pull all images, and the &ldquo;admin&rdquo; role can push and pull and also access
the web administration UI and metrics dashboard.</p>

<p>When you create users and assign their roles via the API, you do not need
to assign those users roles using the Docker Trusted Registry admin web UI.</p>

<p><img src="../docker-trusted-registry/assets/admin-settings-authentication-basic.png" alt="Managed authentication settings page&lt;/admin/settings#auth&gt;" /></p>

<ul>
<li>Choose the appropriate button to add one user, or to upload a CSV file containing username/password
pairs; selection boxes let you assign the &ldquo;admin&rdquo;, &ldquo;read-write&rdquo;, and &ldquo;read-only&rdquo; roles.</li>
<li>You can also create, or allow others to create, username/password pairs using the
<a href="../docker-trusted-registry/api/dtr_1_3_accounts/#create-an-account">Account API</a>.</li>
</ul>

<h3 id="ldap-authentication">LDAP authentication</h3>

<p>Using LDAP authentication allows you to integrate your Docker Trusted Registry into your
organization&rsquo;s existing LDAP user and authentication database.</p>

<p>To improve the performance of Docker Trusted Registry&rsquo;s Access Control Lists, User and Group
membership data is synced into Docker Trusted Registry&rsquo;s database at a configurable <em>LDAP Sync
Interval</em>. User passwords are not transferred during syncing; Docker Trusted Registry will defer to the LDAP server to validate username/password pairs.</p>

<blockquote>
<p><strong>Note</strong>: LDAP syncing does not create new user accounts or teams in Docker Trusted Registry. It
will only manage existing teams that have been specified to sync with LDAP.
Use the <a href="../docker-trusted-registry/api/">Docker Trusted Registry APIs</a> to create new users and
teams from your LDAP server.</p>
</blockquote>

<p>You can configure the &ldquo;userFilter&rdquo; to select the set of users that are candidates
for each of the &ldquo;admin&rdquo;, global &ldquo;read-write&rdquo;, and global &ldquo;read-only&rdquo; roles. Unlike &ldquo;Managed&rdquo;
authentication, the &ldquo;admin&rdquo; role is separate from the registry access roles, so
LDAP users in the &ldquo;admin&rdquo; role won&rsquo;t have access to Docker Trusted Registry images unless they are
also given the &ldquo;read-write&rdquo; or &ldquo;read-only&rdquo; role.</p>

<p>Alternatively, you can assign
<a href="../docker-trusted-registry/api/">Organization, Team or User repository roles using the API</a>.</p>

<p>Because connecting to LDAP involves existing infrastructure external to Docker Trusted Registry and
Docker, you will need to gather the details required to configure Docker Trusted Registry for your
organization&rsquo;s particular LDAP implementation.</p>

<p>You can test that you have the correct LDAP server information by connecting to
the LDAP server from inside a Docker container running on the same server as
your Docker Trusted Registry:</p>

<blockquote>
<p><strong>Note</strong>: if the LDAP server is configured to use <em>StartTLS</em>, then you need to
add <code>-Z</code> to the <code>ldapsearch</code> command examples below.</p>
</blockquote>

<pre><code>docker run --rm -it svendowideit/ldapsearch -h &lt;LDAP Server hostname&gt; -b &lt;User Base DN&gt; -D &lt;Search User DN&gt; -w &lt;Search User Password&gt;
</code></pre>

<p>Or if the LDAP server is set up to allow anonymous access (which means your
<em>Search User DN</em> and <em>Search User Password</em> settings will remain empty):</p>

<pre><code>docker run --rm -it svendowideit/ldapsearch -h &lt;LDAP Server hostname&gt; -b &lt;User Base DN&gt; -x
</code></pre>

<p>The result of these queries should be a (very) long list. If you get an authentication error,
the details you have are not sufficient; contact your organization&rsquo;s LDAP team.</p>

<p>The <em>User Login Attribute</em> key setting must match the field used in the LDAP server
for the user&rsquo;s login name. On OpenLDAP, it&rsquo;s generally <code>uid</code>, and on Microsoft Active Directory
servers, it&rsquo;s <code>sAMAccountName</code>. The <code>ldapsearch</code> output above should allow you to
confirm which setting you need.</p>

<p><img src="../docker-trusted-registry/assets/admin-settings-authentication-ldap.png" alt="LDAP authentication settings page&lt;/admin/settings#auth&gt;" /></p>

<h4 id="ldap-configuration-options">LDAP Configuration options</h4>

<ul>
<li><em>LDAP Server URL</em>: <strong>required</strong>, defaults to null. LDAP server URL (e.g., ldap://example.com)</li>
<li><em>Use StartTLS</em>: defaults to unchecked; check to enable StartTLS</li>
<li><em>User Base DN</em>: <strong>required</strong>, defaults to null. User base DN (e.g., dc=example,dc=com)</li>
<li><em>User Login Attribute</em>: <strong>required</strong>, defaults to null. User login attribute (e.g., uid or sAMAccountName)</li>
<li><em>Search User DN</em>: <strong>required</strong>, defaults to null. Search user DN (e.g., domain\username)</li>
<li><em>Search User Password</em>: <strong>required</strong>, defaults to null. Search user password</li>
<li><em>LDAP Sync Interval</em>: <strong>required</strong>, defaults to 1h0m0s. Sets the interval at which Docker Trusted Registry syncs with the LDAP database.</li>
<li><em>User Search filters</em>: allows you to configure LDAP queries to limit the users that have the roles:
<ul>
<li><em>User Filter</em>: This filter is used to select the objects to use as candidates for the role filters</li>
<li><em>Admin Role Filter</em>: Combined with the &ldquo;User Filter&rdquo; to specify users with the
&ldquo;Admin&rdquo; role, who are permitted to access the Docker Trusted Registry web UI</li>
<li><em>Read-Write Role Filter</em>: Combined with the &ldquo;User Filter&rdquo; to specify users permitted to
push images to, and pull images from, Docker Trusted Registry</li>
<li><em>Read-Only Role Filter</em>: Combined with the &ldquo;User Filter&rdquo; to specify users permitted to
pull images from Docker Trusted Registry</li>
</ul></li>
</ul>

<blockquote>
<p><strong>Note</strong>: While the &ldquo;role&rdquo; filters are optional, keep in mind that if they are
left empty, all users will get those full privileges. In other words, if the
&ldquo;admin&rdquo; filter is left empty, all users will get admin privileges; if the
&ldquo;read-write&rdquo; filter is empty, all users can push/pull any image, etc. (This
behavior will be corrected in future versions.)</p>
</blockquote>

<h4 id="confirm-login-with-current-configuration">Confirm login with current configuration</h4>

<p>You can test your current LDAP configuration before saving it by entering a test username and password and then clicking &ldquo;Try Login&rdquo;. If the login succeeds, your configuration is working.</p>

<h2 id="next-steps">Next Steps</h2>

<p>For information on getting support for Docker Trusted Registry, take a look at the <a href="../docker-trusted-registry/support/">Support information</a>.</p>
</description>
</item>

<item>
<title>Docker Trusted Registry Accounts &amp; Repos API: Intro &amp; Overview</title>
<link>http://localhost/docker-trusted-registry/api/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/api/</guid>
<description>

<h1 id="docker-trusted-registry-1-3-accounts-repos-api">Docker Trusted Registry 1.3: Accounts &amp; Repos API</h1>

<h2 id="introduction">Introduction</h2>

<p>The Accounts &amp; Repos API lets you integrate Docker Trusted Registry with your enterprise&rsquo;s organizational structure by providing fine-grained, role-based access control for your repositories. Specifically, this API provides:</p>

<ul>
<li><p>An API for account management, including creating an account, listing existing accounts, creating a team within an organization, listing teams in an organization, getting a specific team, listing members of a team, adding and removing members from a team (if using a managed whitelist), or editing LDAP syncing configuration.</p></li>

<li><p>Methods for syncing members of a team in Docker Trusted Registry with an LDAP group filter configured by an admin.</p></li>

<li><p>An API for repository management and access control, including creating a repository, listing repositories for an account, adding collaborators to a repository, setting namespace-level access for teams, etc.</p></li>
</ul>

<p>The API is designed so that minimal data migration is required, only schema migration. There is no UI accompanying this API.</p>

<h2 id="overview">Overview</h2>

<p>This API defines two types of accounts that can own repositories: Users and Organizations. Account-owned (i.e., non-global) repos define a namespace similar to that of the Docker Hub, with two-component names of the form <code>namespace/reponame</code>.</p>

<p>Repositories can be either public or private. Public repositories can be
read by any account in the system, but can only be written to by accounts granted explicit write access. Private repositories cannot be discovered by
any account that does not have at least explicit read access to that
repository.</p>

<h3 id="user-accounts">User accounts</h3>

<p>Docker Trusted Registry users can create a repository under their own namespace and can control which other users have read-only, read-write, or admin access to any
of their repositories.</p>

<p>User-owned repositories can only be accessed by the owner and other
individual user accounts, i.e., you cannot grant access to a user-owned
repository to a team of users in an organization. If a repository requires this level of control, consider moving it within an organization namespace.</p>

<p>When the Docker Trusted Registry web admin tool is used to assign users global &ldquo;read-only&rdquo;,
&ldquo;read-write&rdquo;, or managed &ldquo;admin&rdquo; roles, they will have that access level to all
repositories. You can access and modify these roles with the API, using the
<code>_global</code> organization. However, you must have admin access in order to view and
edit the <code>_global</code> organization.</p>

<h3 id="organization-accounts">Organization accounts</h3>

<p>System administrators can also create an Organization account, with its own
namespace of repositories. Organization accounts are comprised of one or more teams which can be managed by anyone in an initial ‘owners’ team which is created by default. Teams can be created with either a managed whitelist of users known to the system or with an LDAP group search filter which is periodically synced automatically.</p>

<p>Any member of an organization’s owners team can create new repositories under
the organization’s namespace and can also create and edit other teams. Each team
can be given read-only or read-write access to all repositories in the
organization’s namespace and/or be granted separate levels of access on a
per-repository basis. However, permissions are additive, so you cannot override
a team-level permission to prevent access to a specific repository.</p>

<p>Teams within an organization can also be granted read-only, read-write, or
admin-level access to all repositories in the organization&rsquo;s namespace. This
allows a team to pull, push, and manage repositories for an organization,
but <em>not</em> manage the teams themselves.</p>

<p>Organization-owned repositories can only be given access to the teams within
that organization, i.e., you cannot grant access to an organization-owned
repository to an individual user account or team in another organization.
If this level of control is needed on a repository, you can add those
individual users to a team within the owning organization or add users in the
other organization’s team to a team within the owning organization.</p>

<h3 id="notable-differences-from-docker-hub">Notable differences from Docker Hub</h3>

<ul>
<li><p>Repositories must be explicitly created using the API. A <code>docker push</code> will
not create a repository if it does not exist. This prevents a typo from
creating an unwanted repository in Docker Trusted Registry. This policy will be globally enforced
in Docker Trusted Registry 1.3.</p></li>

<li><p>Organizations can only be created by system admins. This should prevent the
proliferation of unwanted organization accounts.</p></li>

<li><p>Collaborators on user-owned repositories can be given more granular
access than on Docker Hub. Docker Hub Registry offers only read-write access.
Docker Trusted Registry offers read-only, read-write, and admin access for
each user-owned repository.</p></li>

<li><p>Teams can be granted access to all repositories in an organization&rsquo;s
namespace. Docker Hub Registry offers team access control on a
per-repository level only, and only an organization&rsquo;s &lsquo;owners&rsquo; team can
manage access and create new repositories. Further, in the future, Docker
Trusted Registry will offer the ability to grant a team access and/or
management privileges to all repositories under a namespace.</p></li>

<li><p>Teams within an organization are visible to all members of the
organization. In Docker Hub Registry, users are &lsquo;invisible&rsquo; to teams to which
they do not belong. In Docker Trusted Registry, teams are
visible to all members of the organization, but members cannot see a
team&rsquo;s membership unless they also belong to that team.</p></li>
</ul>

<h3 id="authentication">Authentication</h3>

<p>Clients authenticate API requests by providing Basic Auth credentials
(username and password) via an &ldquo;Authorization&rdquo; header for each request.</p>

<pre><code class="language-bash">$ curl --user readuser:password https://dtr.domain.com/api/v0/accounts
{
  &quot;accounts&quot;: [
    {
      &quot;id&quot;: 1,
      &quot;type&quot;: &quot;user&quot;,
      &quot;name&quot;: &quot;admin&quot;
    },
    {
      &quot;id&quot;: 2,
      &quot;type&quot;: &quot;user&quot;,
      &quot;name&quot;: &quot;readuser&quot;
    },
    {
      &quot;id&quot;: 3,
      &quot;type&quot;: &quot;user&quot;,
      &quot;name&quot;: &quot;user&quot;
    }
  ]
}
</code></pre>

<blockquote>
<p><strong>Note</strong>: If you are using Docker Trusted Registry&rsquo;s automatically generated, self-signed SSL
certificate, then you&rsquo;ll need to add <code>--insecure</code> to the curl examples.</p>
</blockquote>

<h3 id="api-documentation">API Documentation</h3>

<p>The following documents detail the API:</p>

<ul>
<li><a href="../docker-trusted-registry/api/dtr_1_3_accounts/">Accounts API Doc</a></li>
<li><a href="../docker-trusted-registry/api/dtr_1_3_teams/">Teams API Doc</a></li>
<li><a href="../docker-trusted-registry/api/dtr_1_3_repositories/">Repositories API Doc</a></li>
<li><a href="../docker-trusted-registry/api/dtr_1_3_user_repo_access/">User-Owned Repository Access API Doc</a></li>
<li><a href="../docker-trusted-registry/api/dtr_1_3_team_repo_access/">Organization-Owned Repository Access API Doc</a></li>
<li><a href="../docker-trusted-registry/api/dtr_1_3_team_repo_namespace_access/">Organization-Owned Repository Namespace Access API Doc</a></li>
</ul>
</description>
</item>
|
||
|
||
<item>
|
||
<title>Install Docker Engine for AWS AMI (BDS)</title>
|
||
<link>http://localhost/docker-trusted-registry/install/engine-ami-launch/</link>
|
||
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
|
||
|
||
<guid>http://localhost/docker-trusted-registry/install/engine-ami-launch/</guid>
|
||
<description>
|
||
|
||
<h1 id="install-docker-engine-for-aws-ami-bds">Install Docker Engine for AWS AMI (BDS)</h1>
|
||
|
||
<p>This article walks you through the following steps to launch the <em>Docker Engine for AWS (Business Day Support)</em> AMI as an EC2 instance in the Amazon Web Services (AWS) cloud:</p>
|
||
|
||
<ol>
|
||
<li>Locate the <em>Docker Engine for AWS (Business Day Support)</em> AMI</li>
|
||
<li>Deploy with 1-Click Launch</li>
|
||
<li>Connect to the Docker Engine</li>
|
||
<li>Confirm the Docker Engine is running</li>
|
||
<li>Configure <em>Docker Engine for AWS</em> to use <em>Docker Trusted Registry for AWS</em></li>
|
||
<li>Push a Docker image to your <em>Docker Trusted Registry for AWS</em></li>
|
||
</ol>
|
||
|
||
<p>The <em>Docker Engine for AWS (Business Day Support)</em> AMI launches an instance of the commercially supported Docker Engine. Upgrading the Docker Engine to a non commercially supported version is not supported. This AMI requires the use of Docker Trusted Registry for AWS (Business Day Support) to maintain a supported configuration.</p>
|
||
|
||
<p>To learn more about <em>Docker Engine for AWS</em> visit our <a href="https://www.docker.com/aws">AWS Documentation</a>.</p>
|
||
|
||
<p>You can refer to the <a href="../engine/misc/">overview</a> to see additional information on the general install process.</p>
|
||
|
||
<h2 id="prerequisites">Prerequisites</h2>
|
||
|
||
<p>You can locate, install, and launch the AMI from the Amazon AWS Marketplace, or with the AWS EC2 Console by selecting the AMI from the &ldquo;Launch Instance&rdquo; dialog. Both the AWS Marketplace and the AWS EC2 Console require that you have an AWS account to launch the AMI.</p>
|
||
|
||
<p>If your account is supplied through your company, your company&rsquo;s administrator must have given you permissions to launch EC2 instances. If you receive a permissions error when following these instructions, contact your AWS administrator for help.</p>
|
||
|
||
<h1 id="install-procedure">Install procedure</h1>
|
||
|
||
<p>These instructions show you how to locate, install, and launch the Docker Engine from Amazon&rsquo;s AWS Marketplace. The AWS Marketplace allows you to do a &ldquo;1-Click Launch&rdquo; or &ldquo;Manual Launch&rdquo;.</p>
|
||
|
||
<p>The <em>Manual Launch</em> allows you to launch using the AWS EC2 Console. It allows for fine control of EC2 instance settings such as:</p>
|
||
|
||
<ul>
|
||
<li>Instance type</li>
|
||
<li>VPC settings</li>
|
||
<li>Storage</li>
|
||
<li>Instance tags</li>
|
||
<li>Security Group settings</li>
|
||
</ul>
|
||
|
||
<p>The <em>1-Click Launch</em> is quicker, provides default values for most settings, and dynamically updates the Cost Estimator. This install shows you how to do a <em>1-Click Launch</em>. The entire process should take about 20 minutes to complete.</p>
|
||
|
||
<h2 id="locate-the-docker-engine-for-aws-business-day-support-ami">Locate the Docker Engine for AWS (Business Day Support) AMI</h2>
|
||
|
||
<ol>
|
||
<li><p>If you haven&rsquo;t already done so, open your browser to the <a href="https://aws.amazon.com/marketplace">Amazon Marketplace</a>.</p></li>
|
||
|
||
<li><p>Search the Marketplace for &ldquo;Docker Engine for AWS (Business Day Support)&rdquo;.</p></li>
|
||
|
||
<li><p>Select the &ldquo;Docker Engine for AWS (Business Day Support)&rdquo; AMI from the list of results.</p>
|
||
|
||
<p>The Marketplace entry provides details on the product.</p></li>
|
||
|
||
<li><p>Press &ldquo;Continue&rdquo; to move to the launch step.</p>
|
||
|
||
<p>If you are not logged into AWS, the system prompts you to.</p></li>
|
||
|
||
<li><p>Enter your AWS login credentials.</p>
|
||
|
||
<p>When your login succeeds, the browser displays the &ldquo;Launch on EC2&rdquo; page.</p></li>
|
||
|
||
<li><p>Make sure that the &ldquo;1-Click Launch&rdquo; tab is selected.</p></li>
|
||
</ol>
|
||
|
||
<h2 id="deploy-with-1-click-launch">Deploy with 1-Click Launch</h2>
|
||
|
||
<p>You can deploy the Docker Engine AMI to an Instance in a private or public subnet. A private subnet provides added security but also prevents your Docker Engine instance from being directly addressable on the internet. If you choose to deploy to a private subnet, you may need to access your Docker Engine instance via a Bastion host or a management instance within your VPC.</p>
|
||
|
||
<p>These instructions launch an EC2 instance into a public subnet with a public IP, so that gaining access to it in the &ldquo;Connect to the Docker Engine&rdquo; section is simplified.</p>
|
||
|
||
<p>The following steps walk you through the 1-Click Launch settings:</p>
|
||
|
||
<ol>
|
||
<li><p>From the &ldquo;Software Pricing&rdquo; box, select a &ldquo;Subscription Term&rdquo; and an &ldquo;Applicable Instance Type.&rdquo;</p>
|
||
|
||
<p>These two options contribute to the overall cost of running your choice of EC2 instance. The combination of these two fees make up the running costs of your EC2 instance, and are shown in the &ldquo;Cost Estimator&rdquo; box. Make sure you understand these costs before launching your instance.</p></li>
|
||
|
||
<li><p>Select the version you want to deploy from the list of available versions.</p></li>
|
||
|
||
<li><p>Select the Region you want to deploy to from the &ldquo;Region&rdquo; dropdown.</p></li>
|
||
|
||
<li><p>Select the VPC and Subnet you want to deploy to from the &ldquo;VPC&rdquo; and &ldquo;Subnet&rdquo; dropdowns.</p></li>
|
||
|
||
<li><p>From the Security Group box, select &ldquo;Create new based on seller settings&rdquo;.</p>
|
||
|
||
<p><img src="../docker-trusted-registry/install/images/aws-engine-sg-rules.png" alt="" /></p>
|
||
|
||
<p>This option has security implications. It allows incoming connections to the listed ports from any host or IP address. You should lock this down in line with your existing AWS security policies.</p></li>
|
||
|
||
<li><p>Select an existing or add a new key pair using the &ldquo;Key Pair&rdquo; box.</p>
|
||
|
||
<p>If you choose to use an existing key pair, be sure to choose one that you have access to, as this cannot be changed after the instance is launched.</p></li>
|
||
|
||
<li><p>Review your choices and check the values in the Cost Estimator.</p>
|
||
|
||
<p>Changing your selected Region and VPC settings can cause your selected EC2 instance type to reset to the default value of &ldquo;m3.medium&rdquo;.</p></li>
|
||
|
||
<li><p>If you are happy with your configuration and estimated charges, click &ldquo;Launch with 1-Click&rdquo;.</p></li>
|
||
|
||
<li><p>Go to the <a href="https://console.aws.amazon.com/ec2/v2/home">EC2 Dashboard</a> to view your instance.</p></li>
|
||
</ol>
|
||
|
||
<h2 id="connect-to-the-docker-engine">Connect to the Docker Engine</h2>

<p>You administer your Docker Engine using the <code>docker</code> command line tool. You can run the <code>docker</code> command line tool directly from your Docker Engine EC2 Instance, or remotely from another machine with network connectivity to your Docker Engine EC2 Instance. These instructions administer the Docker Engine directly from the Docker Engine EC2 Instance.</p>

<p>To connect to the command line of your Docker Engine EC2 Instance:</p>

<ol>
<li><p>Log into the AWS Console.</p></li>

<li><p>Go to the EC2 Dashboard.</p></li>

<li><p>Choose the &ldquo;Running Instances&rdquo; option.</p></li>

<li><p>Right-click your Docker Engine EC2 Instance and choose &ldquo;Connect&rdquo;.</p></li>

<li><p>Copy and paste the &ldquo;Example:&rdquo; command into a terminal window.</p></li>

<li><p>Change the username from &ldquo;root&rdquo; to &ldquo;ec2-user&rdquo;.</p>

<p>After changing the username from &ldquo;root&rdquo; to &ldquo;ec2-user&rdquo;, the command should look like the following:</p>

<p><code>$ ssh -i &lt;key-pair&gt; ec2-user@52.27.119.45</code></p>

<p>The <code>&lt;key-pair&gt;</code> value is the private key file of the key pair you launched the instance with, and the IP address is the IP of your Docker Engine EC2 Instance.</p></li>

<li><p>Press <code>Return</code>.</p>

<p>Because this is your first connection to the instance, SSH asks you to confirm the host key fingerprint before continuing. This is expected behavior. If you want to verify the fingerprint rather than accept it blindly, compare it with the SSH host key fingerprints the instance prints to its system log during first boot (&ldquo;Get System Log&rdquo; in the EC2 Dashboard).</p>

<p>If you&rsquo;re connecting from a Windows machine, you&rsquo;ll need to have an SSH client installed and in your PATH variable.</p></li>
</ol>

<p>For more information about connecting to your Docker Engine EC2 Instance over SSH, right-click your EC2 Instance and choose &ldquo;Connect&rdquo;.</p>

<h2 id="confirm-the-docker-engine-is-ready-to-use">Confirm the Docker Engine is ready to use</h2>

<p>The Docker daemon is configured to automatically start with your Docker Engine EC2 Instance.</p>

<p>Run the <a href="https://docs.docker.com/reference/commandline/version"><code>docker version</code></a> command from the command line of your Docker Engine EC2 Instance:</p>

<pre><code>$ sudo docker version
Client version: 1.6.2-cs5
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 9c454bd
OS/Arch (client): linux/amd64
Server version: 1.6.2-cs5
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 9c454bd
OS/Arch (server): linux/amd64
</code></pre>

<p>If you get a &ldquo;FATA[0000]&rdquo; error for the server portion of the output, the client could not reach the daemon. Make sure you are using <code>sudo</code> at the beginning of the command, since the daemon&rsquo;s socket is owned by root. If you are using <code>sudo</code> and still get the error, check the status of the Docker service with the <code>sudo service docker status</code> command, and try restarting the service with the <code>sudo service docker restart</code> command.</p>

<h2 id="configuring-the-docker-engine-to-use-docker-trusted-registry">Configuring the Docker Engine to use Docker Trusted Registry</h2>

<p>This section of the guide walks you through the steps to configure <em>Docker Engine for AWS</em> to use <em>Docker Trusted Registry for AWS</em> as its image registry.</p>

<p>This guide assumes you have a working version of <em>Docker Trusted Registry for AWS</em> running in your AWS VPC at &ldquo;ec2-52-24-229-123.us-west-2.compute.amazonaws.com&rdquo;. You will need to substitute this value with the correct value for your environment for the remainder of this guide.</p>

<p>For information on installing Docker Trusted Registry for AWS, see our <a href="https://www.docker.com/aws">AWS Documentation</a>.</p>

<blockquote>
<p><strong>Note:</strong> Docker Trusted Registry is only supported with the commercially supported Docker Engine. For more information see the <a href="https://www.docker.com/compatibility-maintenance">online compatibility matrix</a>.</p>
</blockquote>

<ol>
<li><p>Save the Domain name of your Docker Trusted Registry for AWS service to an environment variable:</p>

<p><code>$ export DOMAIN_NAME=ec2-52-24-229-123.us-west-2.compute.amazonaws.com</code></p>

<p>Don&rsquo;t forget to substitute the Domain name in the command above with the correct domain name in your environment.</p></li>

<li><p>Retrieve the certificate from your Docker Trusted Registry server and store it locally on the Docker Engine for AWS EC2 Instance:</p>

<p><code>$ openssl s_client -connect $DOMAIN_NAME:443 -showcerts &lt;/dev/null 2&gt;/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/$DOMAIN_NAME.crt</code></p>

<p>This download is not authenticated: <code>openssl s_client</code> accepts whatever certificate the remote end presents, so anyone able to intercept the connection could hand you their own. Before trusting the file, compare its fingerprint (<code>openssl x509 -in /usr/local/share/ca-certificates/$DOMAIN_NAME.crt -noout -fingerprint -sha256</code>) with the fingerprint of the certificate configured on, or generated by, the Trusted Registry, obtained through a channel other than this connection.</p></li>

<li><p>Add the retrieved certificate as a trusted root:</p>

<p><code>$ sudo update-ca-certificates</code></p></li>

<li><p>Restart the Docker service so that the daemon picks up the updated trust store:</p>

<p><code>$ sudo service docker restart</code></p></li>
</ol>

<p>Your <em>Docker Engine for AWS</em> EC2 Instance is now configured to be able to push and pull images to your instance of <em>Docker Trusted Registry for AWS</em>.</p>
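<p>The certificate step above trusts whatever the connection returns. The following script, added here as an example and not taken from the Docker documentation or from DTR itself, performs the same retrieval but refuses to install the certificate unless its SHA-256 fingerprint matches a value you obtained through another channel. The host name, the expected fingerprint (<code>EXPECTED_FP</code>) and the destination directory are parameters you supply; the usage comment follows the procedure above.</p>

```shell
#!/bin/sh
# Added example, not part of the Docker docs or of DTR: fetch a registry's TLS
# certificate, check its SHA-256 fingerprint against a value obtained out of
# band, and install it only if the two match.
set -eu

# fetch_cert HOST [PORT]: print the server's leaf certificate as PEM.
# openssl s_client does not authenticate the peer here, which is exactly
# why the fingerprint check below is needed before trusting the result.
fetch_cert() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# cert_fingerprint PEMFILE: SHA-256 fingerprint as colon-separated hex,
# the same format "openssl x509 -fingerprint" prints on the registry host.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# normalize_fp FINGERPRINT: drop colons and fold to upper case so that
# values copied from different tools compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# install_pinned_cert PEMFILE EXPECTED_FP DESTDIR NAME
# Copies PEMFILE to DESTDIR/NAME.crt only if its fingerprint equals
# EXPECTED_FP and prints the installed path. On a mismatch it installs
# nothing and returns 1.
install_pinned_cert() {
  pem=$1 expected=$2 dest=$3 name=$4
  actual=$(normalize_fp "$(cert_fingerprint "$pem")")
  if [ "$actual" != "$(normalize_fp "$expected")" ]; then
    echo "refusing to trust $pem: fingerprint $actual does not match expected" >&2
    return 1
  fi
  mkdir -p "$dest"
  cp "$pem" "$dest/$name.crt"
  printf '%s\n' "$dest/$name.crt"
}

# Usage on the Docker Engine for AWS instance (DOMAIN_NAME as in the steps
# above; EXPECTED_FP is the fingerprint you read on the DTR host, an assumed
# value here), run as root so that the CA directory is writable:
#   fetch_cert "$DOMAIN_NAME" > /tmp/dtr.pem
#   install_pinned_cert /tmp/dtr.pem "$EXPECTED_FP" \
#       /usr/local/share/ca-certificates "$DOMAIN_NAME"
#   update-ca-certificates && service docker restart
```

The fingerprint comparison is what turns a trust-on-first-use download into a verified one; everything after it is the same <code>update-ca-certificates</code> and Docker restart as in the procedure above.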

<h2 id="push-a-docker-image-to-your-docker-trusted-registry-for-aws">Push a Docker image to your Docker Trusted Registry for AWS</h2>

<p>You push and pull images to Docker Trusted Registry using the normal <a href="https://docs.docker.com/reference/commandline/push"><code>docker push</code></a> and <a href="https://docs.docker.com/reference/commandline/pull"><code>docker pull</code></a> commands.</p>

<p>The following steps walk you through the process of pulling an image from Docker Hub, pushing that same image to your Docker Trusted Registry, and then pulling it back from your Docker Trusted Registry.</p>

<p>This guide assumes your Docker Trusted Registry is reachable at &ldquo;ec2-52-24-229-123.us-west-2.compute.amazonaws.com&rdquo;. You will need to substitute this value with the DNS name of your own Docker Trusted Registry. All commands are run from your <em>Docker Engine for AWS</em> EC2 Instance.</p>

<ol>
<li><p>Pull a Docker image from Docker Hub with the <a href="https://docs.docker.com/reference/commandline/pull"><code>docker pull</code></a> command:</p>

<pre><code>$ sudo docker pull busybox
latest: Pulling from busybox
cf2616975b4a: Pull complete
79722f6accc3: Pull complete
0f864637f229: Pull complete
busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:c451012efb6e79b9cf93f48a326a195acfcdf01cadf4271d678d03e031c214d3
Status: Downloaded newer image for busybox:latest
</code></pre>

<p>Note the warning in the output: the &ldquo;verified&rdquo; message in this Docker Engine release is a technology preview and is not a guarantee of the image&rsquo;s origin. The <code>Digest</code> line, by contrast, identifies the exact content you pulled and is the value to record if you need to refer to this image unambiguously.</p></li>

<li><p>Verify the image is stored locally with the <a href="https://docs.docker.com/reference/commandline/images"><code>docker images</code></a> command:</p>

<pre><code>$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
busybox             latest              0f864637f229        2 days ago          2.433 MB
</code></pre></li>

<li><p>Tag the image for storage in your Docker Trusted Registry using the <a href="https://docs.docker.com/reference/commandline/tag"><code>docker tag</code></a> command:</p>

<p><code>$ sudo docker tag 0f864637f229 ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox:0.1</code></p>

<p>This will tag the local busybox image (0f864637f229) so that it can be pushed to the &ldquo;devops/busybox&rdquo; repository in your Docker Trusted Registry at &ldquo;ec2-52-24-229-123.us-west-2.compute.amazonaws.com&rdquo;. Don&rsquo;t forget to substitute the image ID (0f864637f229) and the domain name of the Docker Trusted Registry with the appropriate values for your environment.</p></li>

<li><p>Log in to the Docker Trusted Registry with the <a href="https://docs.docker.com/reference/commandline/login"><code>docker login</code></a> command:</p>

<p><code>$ sudo docker login ec2-52-24-229-123.us-west-2.compute.amazonaws.com</code></p>

<p>By default, Docker Trusted Registry requires you to log in before you can push and pull images. It is recommended that you create user accounts with the appropriate permissions on the &ldquo;Settings&rdquo; &gt; &ldquo;Auth&rdquo; tab in the Docker Trusted Registry Administration web interface, rather than pushing as the &ldquo;admin&rdquo; account.</p></li>

<li><p>Push the local tagged BusyBox image to your Docker Trusted Registry with the <a href="https://docs.docker.com/reference/commandline/push"><code>docker push</code></a> command:</p>

<pre><code>$ sudo docker push ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox
The push refers to a repository [ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox] (len: 1)
0f864637f229: Image already exists
79722f6accc3: Image successfully pushed
cf2616975b4a: Image successfully pushed
Digest: sha256:06a01d4fc44fd4d3fb9fbb808e337822b2af3a97ca1ffdde7c0548eae33d3fec
</code></pre></li>

<li><p>Delete the local copies of the &ldquo;busybox&rdquo; image from the Docker Engine EC2 Instance using the <a href="https://docs.docker.com/reference/commandline/rmi"><code>docker rmi</code></a> command:</p>

<p><code>$ sudo docker rmi -f 0f864637f229</code></p>

<p>You may need to run the command above twice. The first time you run it, it removes the tag you created earlier with the <code>docker tag</code> command. The second time you run it, it deletes the image pulled from Docker Hub.</p></li>

<li><p>Verify there are no local copies of the &ldquo;busybox&rdquo; image:</p>

<pre><code>$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
</code></pre></li>

<li><p>Pull a copy of the busybox image from your Docker Trusted Registry:</p>

<pre><code>$ sudo docker pull ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox:0.1
0.1: Pulling from ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox
cf2616975b4a: Pull complete
79722f6accc3: Pull complete
0f864637f229: Already exists
Digest: sha256:06a01d4fc44fd4d3fb9fbb808e337822b2af3a97ca1ffdde7c0548eae33d3fec
Status: Downloaded newer image for ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox:0.1
</code></pre>

<p>The digest reported here is the same one the push returned, which confirms that the registry handed back exactly the content you uploaded.</p></li>

<li><p>Verify that the image is now stored locally:</p>

<pre><code>$ sudo docker images
REPOSITORY                                                         TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox   0.1                 0f864637f229        2 days ago          2.433 MB
</code></pre></li>
</ol>
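<p>The push and pull above are tied together only by the tag <code>0.1</code>, which anyone with push rights to the repository can move to different content. The following script, added here as an example and not part of the Docker documentation, records the manifest digest that <code>docker push</code> prints and pulls the image back by that digest (<code>repository@sha256:...</code>, supported by this Docker Engine release against a v2 registry such as DTR), so the pulled content is exactly the pushed content. The registry name and image reference in the usage comment are the ones assumed in the steps above; the sample push output used in the comments is the one shown on this page.</p>

```shell
#!/bin/sh
# Added example, not part of the Docker docs: push an image to DTR, record the
# manifest digest the registry returns, and pull it back by that digest so that
# the content you run is exactly the content you pushed, whatever the tag now
# points at.
set -eu

# digest_from_output: read docker push/pull output on stdin and print the
# "Digest: sha256:..." value. Returns 1 if no digest line is present, so a
# caller never silently pins to an empty string.
digest_from_output() {
  d=$(sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\)[[:space:]]*$/\1/p' | head -n 1)
  [ -n "$d" ] || return 1
  printf '%s\n' "$d"
}

# pinned_ref IMAGE DIGEST: turn "host[:port]/namespace/repo[:tag]" into
# "host[:port]/namespace/repo@DIGEST". A colon in the last path component is
# a tag and is dropped; a colon in the host part is a port and is kept. An
# existing "@digest" suffix is replaced.
pinned_ref() {
  repo=${1%%@*}
  case ${repo##*/} in
    *:*) repo=${repo%:*} ;;
  esac
  printf '%s@%s\n' "$repo" "$2"
}

# push_and_pin IMAGE: push the tagged image, then pull it again by digest and
# print the pinned reference. DOCKER defaults to "sudo docker", as in the
# steps above; push output is echoed to stderr so the layer progress stays
# visible.
push_and_pin() {
  img=$1
  docker_cmd=${DOCKER:-sudo docker}
  digest=$($docker_cmd push "$img" | tee /dev/stderr | digest_from_output)
  ref=$(pinned_ref "$img" "$digest")
  $docker_cmd pull "$ref" >&2
  printf '%s\n' "$ref"
}

# Usage on the Docker Engine for AWS instance, with the registry name from
# the steps above:
#   push_and_pin ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox:0.1
# prints the reference to pin in deployment manifests, e.g.
#   ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox@sha256:06a01d4f...
```

Pin the printed <code>@sha256:...</code> reference wherever the image is deployed; a later <code>docker push</code> to the same tag changes what <code>:0.1</code> resolves to, but not what the digest resolves to.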

<p>You have now successfully deployed the <em>Docker Engine for AWS (Business Day Support)</em> AMI and configured it to work with <em>Docker Trusted Registry for AWS (Business Day Support)</em>.</p>

<h2 id="next-steps">Next Steps</h2>

<p>For more information on using Docker Engine in AWS, visit our <a href="https://www.docker.com/aws">AWS Documentation</a>.</p>

<h2 id="see-also">See also</h2>

<ul>
<li>To configure for your environment, see
<a href="../docker-trusted-registry/configuration/">Configuration instructions</a>.</li>
<li>To use Docker Trusted Registry, see <a href="../docker-trusted-registry/userguide/">the User guide</a>.</li>
<li>To make administrative changes, see <a href="../docker-trusted-registry/adminguide/">the Admin guide</a>.</li>
<li>To see previous changes, see <a href="../release-notes/">the release notes</a>.</li>
</ul>

</description>
</item>

<item>
<title>Install Docker Subscription for AWS (BYOL)</title>
<link>http://localhost/docker-trusted-registry/install/dtr-ami-byol-launch/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/install/dtr-ami-byol-launch/</guid>
<description>

<h1 id="install-docker-subscription-for-aws-byol">Install Docker Subscription for AWS (BYOL)</h1>

<p>This article walks you through the process of launching the <em>Docker Subscription
for AWS (BYOL)</em> AMI as an EC2 instance in the Amazon Web Services (AWS) cloud.
The Trusted Registry installation includes a single instance of the commercially
supported Docker Engine.</p>

<p>You can install additional instances of the commercially supported Docker Engine
either on premise or through AWS. For more information, see the <a href="../docker-trusted-registry/install/">installation
overview</a> for Trusted Registry.</p>

<p>The remainder of this document refers to the running instance of this AMI as a “Trusted Registry”.</p>

<h2 id="prerequisites">Prerequisites</h2>

<p>You need the following to complete this guide:</p>

<ul>
<li>An AWS account with permissions to launch EC2 Instances.</li>
<li>A valid Docker subscription license.</li>
</ul>

<p>Contact your AWS administrator if your AWS account is provided by your company and you do not have permissions to launch EC2 Instances.</p>

<p>If you do not have a valid Docker Subscription license, the following options are available:</p>

<ul>
<li>Use the <em>Docker Trusted Registry for AWS (Business Day Support)</em> AMI and the <em>Docker Engine for AWS (Business Day Support)</em> AMI, both of which include the cost of a Docker Subscription.</li>
<li>Register for a <a href="https://hub.docker.com/enterprise/trial/">Free 30 Day Trial</a>.</li>
<li><a href="https://www.docker.com/contact">Contact Docker</a> to obtain a quote for a Docker Subscription.</li>
</ul>

<h1 id="install-procedure">Install procedure</h1>

<p>These instructions show you how to locate, install, and launch a Trusted Registry using the <em>Docker Subscription for AWS (BYOL)</em> AMI from Amazon&rsquo;s AWS Marketplace.</p>

<p>The AWS Marketplace allows you to do a &ldquo;1-Click Launch&rdquo; or &ldquo;Manual Launch&rdquo;.</p>

<p>The <em>Manual Launch</em> allows you to launch using the AWS EC2 Console. It allows for fine control of EC2 instance settings such as:</p>

<ul>
<li>Instance type</li>
<li>VPC settings</li>
<li>Storage</li>
<li>Instance tags</li>
<li>Security Group settings</li>
</ul>

<p>The <em>1-Click Launch</em> is quicker, provides default values for most settings, and dynamically updates the Cost Estimator. This install shows you how to do a <em>1-Click Launch</em>. The entire process should take about 15 minutes to complete.</p>

<h2 id="locate-the-docker-trusted-registry-ami">Locate the Docker Trusted Registry AMI</h2>

<ol>
<li><p>If you haven&rsquo;t already done so, open your browser to the <a href="https://aws.amazon.com/marketplace">Amazon AWS Marketplace</a>.</p></li>

<li><p>Search the Marketplace for &ldquo;Docker Subscription for AWS (BYOL)&rdquo;.</p></li>

<li><p>Select the &ldquo;Docker Subscription for AWS (BYOL)&rdquo; AMI from the list of results.</p>

<p>The Marketplace entry provides details on the product.</p></li>

<li><p>Press &ldquo;Continue&rdquo; to move to the launch step.</p>

<p>If you are not logged into AWS, the system prompts you to log in.</p></li>

<li><p>Enter your AWS login credentials.</p>

<p>When your login succeeds, the browser displays the &ldquo;Launch on EC2&rdquo; page.</p></li>

<li><p>Make sure that the &ldquo;1-Click Launch&rdquo; tab is selected.</p></li>
</ol>

<h2 id="deploy-the-1-click-launch">Deploy the 1-Click Launch</h2>

<p>You can deploy a Trusted Registry instance to a private or public subnet. A private subnet provides added security but also prevents your Trusted Registry instance from being directly addressable on the internet. If you choose to deploy to a private subnet, you may need to access your Trusted Registry via a Bastion host or a management instance within your VPC.</p>

<p>These instructions launch a Trusted Registry on an EC2 instance in a public subnet with a public IP, so that gaining access to it in the &ldquo;Connecting to the Docker Trusted Registry Administration web interface&rdquo; section is simplified.</p>

<blockquote>
<p><strong>Note:</strong> Deploying a Trusted Registry instance to an AWS Public Subnet will automatically assign it a Public IP and Public DNS. Do not forget that an AWS Public IP and its Public DNS name are released when an EC2 Instance is stopped, and a different one is assigned when it is started again. If you want your Trusted Registry EC2 Instance to be reachable over the internet at a stable address, assign it an Elastic IP.</p>
</blockquote>

<p>The following steps walk you through the 1-Click Launch settings:</p>

<ol>
<li><p>Select the version you want to deploy from the list of available versions.</p></li>

<li><p>Select the Region you want to deploy to from the &ldquo;Region&rdquo; dropdown.</p></li>

<li><p>Select the EC2 Instance type.</p>

<p>Be sure to check the &ldquo;Pricing Details&rdquo; and &ldquo;Cost Estimator&rdquo; boxes when changing EC2 Instance types.</p></li>

<li><p>Select the VPC and Subnet you want to deploy to from the &ldquo;VPC&rdquo; and &ldquo;Subnet&rdquo; dropdowns.</p></li>

<li><p>From the Security Group box, select &ldquo;Create new based on seller settings&rdquo;.</p>

<p><img src="../docker-trusted-registry/install/images/aws-dtr-sg-rules.png" alt="" /></p>

<p>This option has security implications. It allows incoming connections to the listed ports from any host or IP address (a source of 0.0.0.0/0). Restrict the source ranges in line with your existing AWS security policies before you put the registry to use.</p></li>

<li><p>Select an existing or add a new key pair using the &ldquo;Key Pair&rdquo; box.</p>

<p>If you choose to use an existing key pair, be sure to choose one whose private key you have access to, as this cannot be changed after the instance is launched.</p></li>

<li><p>Review your choices and check the values in the Cost Estimator.</p>

<p>Changing your selected Region and VPC settings can cause your selected EC2 Instance type to reset to the default value of &ldquo;m3.2xlarge&rdquo;.</p></li>

<li><p>If you are happy with your configuration and estimated charges, click &ldquo;Launch with 1-Click&rdquo;.</p></li>

<li><p>Go to the <a href="https://console.aws.amazon.com/ec2/v2/home">EC2 Dashboard</a> to view your instance.</p></li>
</ol>

<h2 id="connect-to-the-docker-trusted-registry-administration-web-interface">Connect to the Docker Trusted Registry Administration web interface</h2>

<p>You administer your Trusted Registry server via the Administration web
interface (hereafter referred to as <em>DTR Administration web interface</em>).</p>

<p>You can configure your own custom DNS names for your EC2 instance
using CNAME records and so forth. Or, you can use the default DNS names provided by
AWS. These instructions use the default DNS name provided by AWS.</p>

<p>The DTR Administration web interface is exposed on port 443 (HTTPS) of
the EC2 instance. To connect to the DTR Administration web
interface:</p>

<ol>
<li><p>Log into the AWS Console.</p></li>

<li><p>Go to the EC2 Dashboard.</p></li>

<li><p>Choose the &ldquo;Running Instances&rdquo; option.</p></li>

<li><p>Select the Trusted Registry EC2 instance.</p></li>

<li><p>Select the &ldquo;Description&rdquo; tab.</p></li>

<li><p>Locate the Public DNS or Public IP of the EC2 instance.</p></li>

<li><p>Copy the Public DNS or Public IP into your browser&rsquo;s address bar and press <code>return</code>.</p>

<blockquote>
<p><strong>Note:</strong> Connecting to the DTR Administration web
interface may result in a certificate related browser warning, because the instance starts with a self-signed certificate that your browser does not trust. This is
expected behavior; confirm that the address bar shows the Public DNS or Public IP you copied from the EC2 Dashboard, and then you can bypass the warning.</p>
</blockquote></li>
</ol>

<p>The interface prompts you for the username and password.</p>

<ol>
<li><p>Enter &ldquo;admin&rdquo; for the username.</p></li>

<li><p>For the password, use the EC2 Instance ID.</p>

<p>You&rsquo;ll find the Instance ID on the &ldquo;Description&rdquo; tab on the EC2 Dashboard as shown in the image below. Because the Instance ID is visible to anyone with read access to your AWS account, treat it as a bootstrap password only and change it as described in the next section.</p>

<p><img src="../docker-trusted-registry/install/images/aws-instance-id.png" alt="" /></p></li>
</ol>

<h2 id="configure-the-docker-trusted-registry-service">Configure the Docker Trusted Registry Service</h2>

<p>When you first log in to the DTR Administration web interface you are prompted to complete two configuration items:</p>

<ol>
<li><p>Configure the &ldquo;Domain name&rdquo; on the &ldquo;General&rdquo; tab of the &ldquo;Settings&rdquo; page.</p>

<p>This should be a fully qualified domain name that you have configured for your Trusted Registry service. The self-signed certificate the Trusted Registry generates is issued for this name, so clients must reach the registry by the same name for TLS validation to succeed.</p>

<p>Enter your desired domain name and click the &ldquo;Save and restart&rdquo; button at the bottom of the page.</p>

<p>After the Trusted Registry server restarts, return to the DTR Administration web interface. The browser displays another certificate related browser warning. Changing the Domain Name property of your Trusted Registry server generates a new self-signed certificate for that name. Again, this is expected behavior and you can bypass the warning.</p>

<p>Log back in to the DTR Administration web interface.</p></li>

<li><p>License your copy of Docker Trusted Registry from the &ldquo;License&rdquo; tab of the &ldquo;Settings&rdquo; page.</p>

<p>Your Docker Trusted Registry license file is available from Docker Hub. To download it, log in to Docker Hub and click your username in the top right corner. Choose &ldquo;Settings&rdquo; and select the &ldquo;Licenses&rdquo; tab. Click the download button beneath your license.</p>

<p><img src="../docker-trusted-registry/install/images/dtr-license-download.png" alt="" /></p>

<p>From the Docker Trusted Registry Administration web interface, select &ldquo;Settings&rdquo; and then &ldquo;License&rdquo;. Under the &ldquo;Apply a new license&rdquo; heading select &ldquo;Choose File&rdquo;. Select your downloaded license file and click &ldquo;Save and restart&rdquo;.</p></li>
</ol>

<blockquote>
<p><strong>Note:</strong> Restarting your Trusted Registry from the DTR Administration web interface, or as part of the above procedures, does not restart the EC2 instance. Therefore, the Public IP and Public DNS of the EC2 instance do not change.</p>
</blockquote>

<p>Log into the DTR Administration web interface and change the default password for the &ldquo;admin&rdquo; account from the &ldquo;Auth&rdquo; tab on the &ldquo;Settings&rdquo; page. Until you do, anyone who can read the EC2 Instance ID can administer the registry.</p>

<p>Your Docker Trusted Registry server is now ready for use.</p>

<h2 id="next-steps">Next Steps</h2>

<p>For more information on using DTR, go to the
<a href="https://docs.docker.com/docker-trusted-registry/userguide/">User&rsquo;s Guide</a>.</p>

</description>
</item>

<item>
<title>Install Trusted Registry for AWS AMI (BDS)</title>
<link>http://localhost/docker-trusted-registry/install/dtr-ami-bds-launch/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/install/dtr-ami-bds-launch/</guid>
<description>

<h1 id="install-trusted-registry-for-aws-ami-bds">Install Trusted Registry for AWS AMI (BDS)</h1>

<p>This article walks you through the process of launching the <em>Docker Trusted Registry for AWS (Business Day Support)</em> AMI as an EC2 instance in the Amazon Web Services (AWS) cloud.</p>

<p>This AMI launches an instance of Docker Trusted Registry (Trusted Registry). The remainder of this document refers to the running instance of this AMI as a “Trusted Registry”. This AMI requires the use of Docker Engine for AWS (Business Day Support).</p>

<p>If you have not already done so, make sure you have read the <a href="../docker-trusted-registry/install/">installation overview</a> for Trusted Registry.</p>

<h2 id="prerequisites">Prerequisites</h2>

<p>You can locate, install, and launch the AMI from the Amazon AWS Marketplace or with the AWS EC2 Console by selecting the AMI from the &ldquo;Launch Instance&rdquo; dialog. Both the AWS Marketplace and the AWS EC2 Console require that you have an AWS account to launch the AMI.</p>

<p>If your account is supplied through your company, your company&rsquo;s administrator must give you permissions to launch EC2 instances. If you receive a permissions error when following these instructions, contact your AWS administrator for help.</p>

<p>You will need to create a Key Pair, which is associated with your selected region. Refer to the <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html">AWS Documentation</a> to learn how to do this.</p>

<h1 id="install-procedure">Install procedure</h1>

<p>These instructions show you how to locate, install, and launch a Trusted Registry from Amazon&rsquo;s AWS Marketplace. The AWS Marketplace allows you to do a &ldquo;1-Click Launch&rdquo; or &ldquo;Manual Launch&rdquo;.</p>

<p>The <em>Manual Launch</em> allows you to launch using the AWS EC2 Console. It allows for fine control of EC2 instance settings such as:</p>

<ul>
<li>Instance type</li>
<li>VPC settings</li>
<li>Storage</li>
<li>Instance tags</li>
<li>Security Group settings</li>
</ul>

<p>The <em>1-Click Launch</em> is quicker, provides default values for most settings, and dynamically updates the Cost Estimator. This install shows you how to do a <em>1-Click Launch</em>. The entire process should take about 15 minutes to complete.</p>

<h2 id="locate-the-docker-trusted-registry-ami">Locate the Docker Trusted Registry AMI</h2>

<ol>
<li><p>If you haven&rsquo;t already done so, open your browser to the <a href="https://aws.amazon.com/marketplace">Amazon AWS Marketplace</a>.</p></li>

<li><p>Search the Marketplace for &ldquo;Docker Trusted Registry for AWS (Business Day Support)&rdquo;.</p></li>

<li><p>Select the &ldquo;Docker Trusted Registry for AWS (Business Day Support)&rdquo; AMI from the list of results.</p>

<p>The Marketplace entry provides details on the product.</p></li>

<li><p>Press &ldquo;Continue&rdquo; to move to the launch step.</p>

<p>If you are not logged into AWS, the system prompts you to log in.</p></li>

<li><p>Enter your AWS login credentials.</p>

<p>When your login succeeds, the browser displays the &ldquo;Launch on EC2&rdquo; page.</p></li>

<li><p>Ensure that the &ldquo;1-Click Launch&rdquo; tab is selected.</p></li>
</ol>

<h2 id="deploy-the-1-click-launch">Deploy the 1-Click Launch</h2>

<p>You can deploy a Trusted Registry to a private or public subnet. A private subnet provides added security but also prevents your Trusted Registry instance from being directly addressable on the internet. If you choose to deploy to a private subnet, you may need to access your Trusted Registry through a Bastion host or a management instance within your VPC.</p>

<p>These instructions launch an EC2 instance into a public subnet with a public IP so that gaining access to it in the &ldquo;Connecting to the Docker Trusted Registry Administration web interface&rdquo; section is simplified.</p>

<blockquote>
<p><strong>Note:</strong> Deploying a Trusted Registry instance to an AWS Public Subnet will automatically assign it a Public IP and Public DNS. Remember that an AWS Public IP and its Public DNS name are released when an EC2 Instance is stopped, and a different one is assigned when it is started again. If you want your Trusted Registry EC2 Instance to be reachable over the internet at a stable address, assign it an Elastic IP.</p>
</blockquote>

<p>The following steps walk you through the 1-Click Launch settings:</p>

<ol>
<li><p>From the &ldquo;Software Pricing&rdquo; box, select a &ldquo;Subscription Term&rdquo; and an &ldquo;Applicable Instance Type.&rdquo;</p>

<p>These two options contribute to the overall cost of running your choice of EC2 instance. The combination of these two fees makes up the running costs of your EC2 instance, and is shown in the &ldquo;Cost Estimator&rdquo; box. Make sure you understand these costs before launching your instance.</p></li>

<li><p>Select the version you want to deploy from the list of available versions.</p></li>

<li><p>Select the Region you want to deploy to from the &ldquo;Region&rdquo; dropdown menu. Remember you must have the appropriate permissions for the selected region.</p></li>

<li><p>Select the VPC and Subnet you want to deploy to from the &ldquo;VPC&rdquo; and &ldquo;Subnet&rdquo; dropdown menus.</p></li>

<li><p>From the Security Group box, select &ldquo;Create new based on seller settings&rdquo;.</p>

<p><img src="../docker-trusted-registry/install/images/aws-dtr-sg-rules.png" alt="" /></p>

<p>This option has security implications. It allows incoming connections to the listed ports from any host or IP address (a source of 0.0.0.0/0). Restrict the source ranges in line with your existing AWS security policies before you put the registry to use.</p></li>

<li><p>Select an existing or add a new key pair using the &ldquo;Key Pair&rdquo; box.</p>

<p>If you choose to use an existing key pair, be sure to choose one whose private key you have access to, as this cannot be changed after the instance is launched. If you do not have a key pair, then you need to create one which is associated with your region.</p></li>

<li><p>Review your choices and check the values in the Cost Estimator.</p>

<p>Changing your selected Region and VPC settings can cause your selected EC2 instance type to reset to the default value of &ldquo;m3.2xlarge&rdquo;.</p></li>

<li><p>If you are satisfied with your configuration and estimated charges, click &ldquo;Launch with 1-Click&rdquo;.</p></li>

<li><p>Go to the <a href="https://console.aws.amazon.com/ec2/v2/home">EC2 Dashboard</a> to view your instance.</p>

<p>If your instance has no name, it may be hard to find depending on the length of the instance list. Use the Key Name and/or Launch Time columns to help you find your instance. Once found, you can select your instance and name it.</p></li>
</ol>

<h2 id="connect-to-the-docker-trusted-registry-administration-web-interface">Connect to the Docker Trusted Registry Administration web interface</h2>

<p>You administer your Trusted Registry server via the Administration web
interface. You can configure your own custom DNS names for your EC2 instance
using CNAME records and so forth. Or, you can use the default DNS names provided by
AWS. These instructions use the default DNS name provided by AWS.</p>

<p>The DTR Administration web interface is exposed on port 443 (HTTPS) of
the EC2 instance. To connect to the DTR Administration web
interface:</p>

<ol>
<li><p>Log into the AWS Console.</p></li>

<li><p>Go to the EC2 Dashboard.</p></li>

<li><p>Choose the &ldquo;Running Instances&rdquo; option.</p></li>

<li><p>Select the Trusted Registry EC2 instance.</p></li>

<li><p>Select the &ldquo;Description&rdquo; tab.</p></li>

<li><p>Locate the Public DNS or Public IP of the EC2 instance.</p></li>

<li><p>Copy the Public DNS or Public IP into your browser&rsquo;s address bar and press <code>return</code>.</p>

<blockquote>
<p><strong>Note:</strong> Connecting to the DTR Administration web
interface may result in a certificate related browser warning, because the instance starts with a self-signed certificate that your browser does not trust. This is
expected behavior; confirm that the address bar shows the Public DNS or Public IP you copied from the EC2 Dashboard, and then you can bypass the warning.</p>
</blockquote></li>
</ol>

<p>The interface prompts you for the username and password.</p>

<ol>
<li><p>Enter &ldquo;admin&rdquo; for the username.</p></li>

<li><p>For the password, use the EC2 Instance ID.</p>

<p>You&rsquo;ll find the Instance ID on the &ldquo;Description&rdquo; tab on the EC2 Dashboard as shown in the image below. Because the Instance ID is visible to anyone with read access to your AWS account, treat it as a bootstrap password only and change it as described in the next section.</p>

<p><img src="../docker-trusted-registry/install/images/aws-instance-id.png" alt="" /></p></li>
</ol>

<h2 id="configure-the-docker-trusted-registry-service">Configure the Docker Trusted Registry Service</h2>
|
||
|
||
<p>When you first login to the DTR Administration web interface you are prompted to configure the &ldquo;Domain name&rdquo; on the &ldquo;General&rdquo; tab of the &ldquo;Settings&rdquo; page. The Domain Name should be a fully qualified domain name that you have configured for your DTR service. Enter your desired domain name and click the &ldquo;Save and restart&rdquo; button at the bottom of the page.</p>
|
||
|
||
<p>After the DTR server restarts, return to the DTR Administration web interface. The browser displays another certificate related browser warning. Changing the Domain Name property of your DTR server generates a new self-signed certificate. Again, this is expected behavior and you can bypass the warning.</p>
|
||
|
||
<p>Log into the Trusted Registry and change the default password for the &ldquo;admin&rdquo; account from the &ldquo;Auth&rdquo; tab on the &ldquo;Settings&rdquo; page in the DTR Administration web interface.</p>
|
||
|
||
<p>Your Docker Trusted Registry server is now ready for use.</p>
|
||
|
||
<h2 id="next-steps">Next steps</h2>
|
||
|
||
<p>For more information on using DTR, go to the
|
||
<a href="https://docs.docker.com/docker-trusted-registry/userguide/">User&rsquo;s Guide</a>.</p>
|
||
|
||
<h2 id="see-also">See also</h2>
|
||
|
||
<ul>
|
||
<li>To configure for your environment, see
|
||
<a href="../docker-trusted-registry/configuration/">Configuration instructions</a>.</li>
|
||
<li>To use Docker Trusted Registry, see <a href="../kitematic/userguide/">the User guide</a>.</li>
|
||
<li>To make administrative changes, see <a href="../docker-trusted-registry/adminguide/">the Admin guide</a>.</li>
|
||
<li>To see previous changes, see <a href="../release-notes/">the release notes</a>.</li>
|
||
</ul>
|
||
</description>
|
||
</item>
|
||
|
||
<item>
<title>Manually Install the CS Docker Engine</title>
<link>http://localhost/docker-trusted-registry/install/install-csengine/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/install/install-csengine/</guid>
<description>

<h1 id="manually-install-the-cs-docker-engine">Manually Install the CS Docker Engine</h1>

<p>This document describes the process of obtaining and installing the Commercially
Supported Docker Engine (CS Engine). Installing CS Engine is a prerequisite for
installing the Docker Trusted Registry. You can use these instructions if you are installing CS Engine on physical or cloud infrastructure.</p>

<p>If your cloud provider is AWS, you have the option of installing CS Engine using an Amazon Machine Image (AMI) instead. For more information, read the <a href="../docker-trusted-registry/install/">installation overview</a> to understand your options.</p>

<h2 id="prerequisite">Prerequisite</h2>

<p>Installing CS Engine requires that you have a login to Docker Hub. If you have
not already done so, go to Docker Hub and <a href="https://hub.docker.com">sign up for an
account</a>.</p>

<p>Also, you must have a license for Docker Trusted Registry. This license allows
you to run both Docker Trusted Registry and CS Engine. Before installing,
<a href="https://hub.docker.com/enterprise/">purchase a license or sign up for a free, 30 day trial license</a>.</p>

<h2 id="install-on-centos-7-1-rhel-7-0-7-1">Install on CentOS 7.1 &amp; RHEL 7.0/7.1</h2>

<p>This section explains how to install on CentOS 7.1 &amp; RHEL 7.0/7.1. Only these versions are supported. CentOS 7.0 is not supported. On RHEL, depending on your current level of updates, you may need to reboot your server to update its RHEL kernel.</p>

<ol>
<li><p>Log into the system as a user with root or sudo permissions.</p></li>

<li><p>Update your <code>yum</code> repositories.</p>

<pre><code>$ sudo yum update &amp;&amp; sudo yum upgrade
</code></pre></li>

<li><p>In a browser, log in to the <a href="https://hub.docker.com">Docker Hub</a> with the account you used to obtain your license.</p></li>

<li><p>Once you&rsquo;re logged in, go to your account&rsquo;s <a href="https://hub.docker.com/account/licenses/">Licenses</a> page.</p></li>

<li><p>In the &ldquo;Download and Install CS Engine&rdquo; section, locate the script appropriate to your system.</p></li>

<li><p>Copy the script, paste it into your terminal, and press Return. Because the script runs with root privileges, download and review it before piping it to <code>sudo bash</code>.</p>

<pre><code>$ curl -s https://packagecloud.io/install/repositories/Docker/cs-public/script.rpm.sh | sudo bash
$ sudo yum install docker-engine-cs
</code></pre></li>

<li><p>After the command completes, install the CS Engine with the following command:</p>

<pre><code>$ sudo yum install docker-engine-cs
</code></pre></li>

<li><p>Enable the Docker daemon as a service and then start it.</p>

<pre><code>$ sudo systemctl enable docker.service
$ sudo systemctl start docker.service
</code></pre></li>

<li><p>Verify the installation was successful by running a simple container.</p>

<pre><code>$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from hello-world
b901d36b6f2fd75: Pull complete
0a6ba66e537a53a: Pull complete
hello-world:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:517f03be3f8169d84711c9ffb2b3235a4d27c1eb4ad147f6248c8040adb93113
Status: Downloaded newer image for hello-world:latest


Hello from Docker.
This message shows that your installation appears to be working correctly.


To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the &quot;hello-world&quot; image from the Docker Hub.
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.


To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash


Share images, automate workflows, and more with a free Docker Hub account:
https://hub.docker.com


For more examples and ideas, visit:
https://docs.docker.com/userguide/
</code></pre></li>

<li><p>Optionally, add non-sudo access to the Docker socket by adding your user to the <code>docker</code> group.</p>

<pre><code>$ sudo usermod -a -G docker $USER
</code></pre></li>
</ol>

<p>Log out and log back in to have your new permissions take effect.</p>

<h2 id="install-on-ubuntu-14-04-lts">Install on Ubuntu 14.04 LTS</h2>

<ol>
<li><p>Log into the system as a user with root or sudo permissions.</p></li>

<li><p>Update your <code>apt</code> repositories.</p>

<pre><code>$ sudo apt-get update &amp;&amp; sudo apt-get upgrade
</code></pre></li>

<li><p>Install additional virtual drivers not in the base image.</p>

<pre><code>$ sudo apt-get install -y linux-image-extra-virtual
</code></pre>

<p>You may need to reboot your server after updating the LTS kernel.</p></li>

<li><p>In a browser, log in to the <a href="https://hub.docker.com">Docker Hub</a> with the account you used to obtain your license.</p></li>

<li><p>Once you&rsquo;re logged in, go to your account&rsquo;s <a href="https://hub.docker.com/account/licenses/">Licenses</a> page.</p></li>

<li><p>In the &ldquo;Download and Install CS Engine&rdquo; section, locate the script appropriate to your system.</p></li>

<li><p>Copy the script, paste it into your terminal, and press Return. Because the script runs with root privileges, download and review it before piping it to <code>sudo bash</code>.</p>

<pre><code>$ curl -s https://packagecloud.io/install/repositories/Docker/cs-public/script.deb.sh | sudo bash
$ sudo apt-get install docker-engine-cs
</code></pre></li>

<li><p>Run the following to install commercially supported Docker Engine and its dependencies:</p>

<pre><code>$ sudo apt-get install docker-engine-cs
</code></pre></li>

<li><p>Confirm the Docker daemon is running with <code>sudo service docker start</code>.</p>

<pre><code>$ sudo service docker start
</code></pre></li>

<li><p>Optionally, add non-sudo access to the Docker socket by adding your user to the <code>docker</code> group.</p>

<pre><code>$ sudo usermod -a -G docker $USER
</code></pre>

<p>Log out and log back in to have your new permissions take effect.</p></li>
</ol>

<h2 id="next-step">Next step</h2>

<p>You are ready to install <a href="../docker-trusted-registry/install/install-dtr/">Docker Trusted Registry</a>.</p>
</description>
</item>

<item>
<title>Manually install Trusted Registry</title>
<link>http://localhost/docker-trusted-registry/install/install-dtr/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/install/install-dtr/</guid>
<description>

<h1 id="manually-install-trusted-registry">Manually install Trusted Registry</h1>

<p>This document describes the process of obtaining, installing, and securing
Docker Trusted Registry. You can use these instructions if you are installing Trusted Registry on a physical or cloud infrastructure.</p>

<p>If your cloud provider is AWS, you have the option of installing Trusted Registry using an Amazon Machine Image (AMI) instead. For more information, read the <a href="../docker-trusted-registry/install/">installation overview</a> to understand your options.</p>

<h2 id="prerequisites">Prerequisites</h2>

<p>Docker Trusted Registry runs on the following 64-bit platforms:</p>

<ul>
<li>Ubuntu 14.04 LTS</li>
<li>RHEL 7.0 and 7.1</li>
<li>CentOS 7.1</li>
</ul>

<p>Docker Trusted Registry requires the latest commercially supported Docker Engine (CS Engine), running on a supported host.</p>

<p>The Docker daemon listens to the Unix socket (the default) so that it can be
bind-mounted into the Trusted Registry management containers. This allows
Trusted Registry to manage itself and its updates. For this reason, the host you
install on needs internet connectivity so it can access the updates.
Additionally, your host needs to have TCP ports <code>80</code> and <code>443</code> available for the
Docker Trusted Registry container port mapping.</p>

<p>Installing Trusted Registry requires that you have a login to Docker Hub (or the
user-name of an administrator of the Hub organization that obtained an
Enterprise license). If you already installed CS Engine, you should already have a <a href="https://hub.docker.com">Hub account</a>.</p>

<p>Also, you must have a license for Docker Trusted Registry. This license allows
you to run both Docker Trusted Registry and CS Engine. Before installing,
<a href="https://hub.docker.com/enterprise/">purchase a license or sign up for a free, 30 day trial license</a>.</p>

<h2 id="install-docker-trusted-registry">Install Docker Trusted Registry</h2>

<p>Trusted Registry is a self-installing application built and distributed using
Docker and the <a href="https://hub.docker.com/">Docker Hub</a>. You install Docker Trusted
Registry by running the &ldquo;docker/trusted-registry&rdquo; container. Once installed, it
is able to restart and reconfigure itself using the Docker socket that is
bind-mounted to this container.</p>

<ol>
<li><p>Log in to the machine where you want to install Trusted Registry.</p></li>

<li><p>Verify that CS Engine is installed.</p>

<pre><code>$ docker --version
</code></pre>

<blockquote>
<p><strong>Note:</strong> To remain compliant with your Docker Trusted Registry support agreement, you <strong>must</strong> use the current version of commercially supported Docker Engine. Running the open source version of Engine is <strong>not</strong> supported.</p>
</blockquote></li>

<li><p>Log in to the Docker Hub from the command line.</p>

<pre><code>$ docker login
</code></pre></li>

<li><p>Install the Trusted Registry.</p>

<pre><code>$ sudo bash -c &quot;$(sudo docker run docker/trusted-registry install)&quot;
</code></pre>

<blockquote>
<p><strong>Note</strong>: <code>sudo</code> is needed for <code>docker/trusted-registry</code> commands to
ensure that the Bash script is run with full access to the Docker host.</p>
</blockquote>

<p>The command executes a shell script that creates the needed directories,
pulls the registry&rsquo;s images, and runs its containers. Depending on your
internet connection, this process may take several minutes to complete. A successful outcome completes as follows:</p>

<pre><code>$ sudo bash -c &quot;$(sudo docker run docker/trusted-registry install)&quot;
Unable to find image 'docker/trusted-registry:latest' locally
Pulling repository docker/trusted-registry
c46d58daad7d: Pulling image (latest) from docker/trusted-registry
c46d58daad7d: Pulling image (latest) from docker/trusted-registry
c46d58daad7d: Pulling dependent layers
511136ea3c5a: Download complete
fa4fd76b09ce: Pulling metadata
fa4fd76b09ce: Pulling fs layer
ff2996b1faed: Download complete
...
fd7612809d57: Pulling metadata
fd7612809d57: Pulling fs layer
fd7612809d57: Download complete
Status: Downloaded newer image for docker/trusted-registry:latest
Unable to find image 'docker/trusted-registry:1.1.0' locally
Pulling repository docker/trusted-registry
c46d58daad7d: Download complete
511136ea3c5a: Download complete
...
Status: Image is up to date for docker/trusted-registry:1.1.0
INFO [1.0.0_8ce62a61e058] Attempting to connect to docker engine dockerHost=&quot;unix:///var/run/docker.sock&quot;
INFO [1.0.0_8ce62a61e058] Running install command
&lt;...output truncated...&gt;
Creating container docker_trusted_registry_load_balancer with docker daemon unix:///var/run/docker.sock
Starting container docker_trusted_registry_load_balancer with docker daemon unix:///var/run/docker.sock
Bringing up docker_trusted_registry_log_aggregator.
Creating container docker_trusted_registry_log_aggregator with docker daemon unix:///var/run/docker.sock
Starting container docker_trusted_registry_log_aggregator with docker daemon unix:///var/run/docker.sock
</code></pre></li>

<li><p>Use <code>docker ps</code> to list all the running containers.</p>

<p>The listing should show the following were started:</p>

<ul>
<li><code>docker_trusted_registry_load_balancer</code></li>
<li><code>docker_trusted_registry_image_storage_0</code></li>
<li><code>docker_trusted_registry_image_storage_1</code></li>
<li><code>docker_trusted_registry_admin_server</code></li>
<li><code>docker_trusted_registry_log_aggregator</code></li>
<li><code>docker_trusted_registry_auth_server</code></li>
<li><code>docker_trusted_registry_postgres</code></li>
</ul></li>

<li><p>Enter <code>https://&lt;host-ip&gt;/</code> in your browser&rsquo;s address bar to open the Trusted Registry interface.</p></li>
</ol>

<p>Your browser warns you that this is an unsafe site, with a self-signed,
untrusted certificate. This is normal and expected; allow this connection
temporarily.</p>

<h2 id="set-the-trusted-registry-domain-name">Set the Trusted Registry domain name</h2>

<p>The Docker Trusted Registry Administrator site will also warn that the &ldquo;Domain Name&rdquo; is not set.</p>

<ol>
<li><p>Select &ldquo;Settings&rdquo; from the global nav bar at the top of the page, and then set the &ldquo;Domain Name&rdquo; to the full host-name of your Docker Trusted Registry server.</p></li>

<li><p>Click the &ldquo;Save and Restart Docker Trusted Registry Server&rdquo; button to generate a new certificate, which will be used
by both the Docker Trusted Registry Administrator web interface and the Docker Trusted Registry server.</p></li>

<li><p>After the server restarts, you will again need to allow the connection to the untrusted Docker Trusted Registry web admin site.</p></li>

<li><p>You see a warning notification that this instance of Docker Trusted Registry is unlicensed. You&rsquo;ll correct this in the next section.</p></li>
</ol>

<h2 id="apply-your-license">Apply your license</h2>

<p>The Docker Trusted Registry services will not start until you apply your license.
To do that, you&rsquo;ll first download your license from the Docker Hub and then
upload it to your Docker Trusted Registry web admin server. Follow these steps:</p>

<ol>
<li><p>If needed, log back into the <a href="https://hub.docker.com">Docker Hub</a>
using the user-name you used when obtaining your license. Under your name, go to Settings to display the Account Settings page. Click the Licenses submenu to display the Licenses page.</p></li>

<li><p>There is a list of available licenses. Click the download button to
obtain the license file you want.</p></li>

<li><p>Go to your Docker Trusted Registry instance in your browser, click Settings in the global nav bar. Click License in the Settings nav bar. Click the Choose File button. It opens a standard file browser. Locate and select the license file you downloaded in the previous step. Approve the selection to close the dialog.</p></li>

<li><p>Click the Save and restart button. Docker Trusted Registry quits and then restarts with the license applied.</p></li>

<li><p>Verify the acceptance of the license by confirming that the &ldquo;Unlicensed copy&rdquo;
warning is no longer present.</p></li>
</ol>

<h2 id="secure-the-trusted-registry">Secure the Trusted Registry</h2>

<p>Securing Docker Trusted Registry is <strong>required</strong>. You will not be able to push
or pull from Docker Trusted Registry until you secure it.</p>

<p>There are several options and methods for securing Docker Trusted Registry. For
more information, see the <a href="../docker-trusted-registry/configuration/#security">configuration documentation</a>.</p>

<h2 id="push-and-pull-images">Push and pull images</h2>

<p>Now that you have Docker Trusted Registry configured with a &ldquo;Domain Name&rdquo; and
have your client Docker daemons configured with the required security settings,
you can test your setup by following the instructions for <a href="../docker-trusted-registry/userguide/">Using Docker Trusted
Registry to Push and pull images</a>.</p>

<h2 id="docker-trusted-registry-web-interface-and-registry-authentication">Docker Trusted Registry web interface and registry authentication</h2>

<p>By default, there is no authentication set on either the Docker Trusted Registry
web admin interface or the Docker Trusted Registry. You can restrict access
using an in-Docker Trusted Registry configured set of users (and passwords), or
you can configure Docker Trusted Registry to use LDAP-based authentication.</p>

<p>See <a href="../docker-trusted-registry/configuration/#authentication">Docker Trusted Registry Authentication settings</a> for more details.</p>

<h2 id="see-also">See also</h2>

<ul>
<li>To configure for your environment, see the
<a href="../docker-trusted-registry/configuration/">configuration instructions</a>.</li>
<li>To use Docker Trusted Registry, see <a href="../docker-trusted-registry/userguide/">the User guide</a>.</li>
<li>To make administrative changes, see <a href="../docker-trusted-registry/adminguide/">the Admin guide</a>.</li>
<li>To see previous changes, see <a href="../release-notes/">the release notes</a>.</li>
</ul>
</description>
</item>

<item>
<title>Overview</title>
<link>http://localhost/docker-trusted-registry/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/</guid>
<description>

<h1 id="welcome-to-docker-trusted-registry">Welcome to Docker Trusted Registry</h1>

<p>Docker Trusted Registry lets you run and manage your own Docker image
storage service, securely on your own infrastructure behind your company
firewall. This allows you to securely store, push, and pull the images used by
your enterprise to build, ship, and run applications. Docker Trusted Registry also provides
monitoring and usage information to help you understand the workloads being
placed on it.</p>

<p>Specifically, Docker Trusted Registry provides:</p>

<ul>
<li>An image registry to store, manage, and collaborate on Docker images</li>
<li>Pluggable storage drivers</li>
<li>Configuration options to let you run Docker Trusted Registry in your particular enterprise
environment.</li>
<li>Easy, transparent upgrades</li>
<li>Logging, usage and system health metrics</li>
</ul>

<p>Docker Trusted Registry is perfect for:</p>

<ul>
<li>Providing a secure, on-premise development environment</li>
<li>Creating a streamlined build pipeline</li>
<li>Building a consistent, high-performance test/QA environment</li>
<li>Managing image deployment</li>
</ul>

<p>Docker Trusted Registry is built on <a href="https://github.com/docker/distribution">version 2 of the Docker registry</a>.</p>

<p>To get your copy of Docker Trusted Registry, including a free trial, visit <a href="https://hub.docker.com/enterprise/">the Docker Subscription page</a>. For more information on acquiring Docker Trusted Registry, see the <a href="../docker-trusted-registry/install/">install page</a>.</p>

<blockquote>
<p><strong>Important</strong>: Docker Trusted Registry must be used with the current version of the commercially
supported Docker Engine. You must install this version of Docker before
installing Docker Trusted Registry. For instructions on accessing and installing commercially
supported Docker Engine, visit the <a href="../docker-trusted-registry/install/#download-the-commercially-supported-docker-engine-installation-script">install page</a>.</p>
</blockquote>

<h2 id="available-documentation">Available Documentation</h2>

<p>The following documentation for Docker Trusted Registry is available:</p>

<ul>
<li><strong>Overview</strong> This page.</li>
<li><a href="../docker-trusted-registry/quick-start/"><strong>Quick Start: Basic User Workflow</strong></a> Go here to learn the
fundamentals of how Docker Trusted Registry works and how you can set up a simple, but useful
workflow.</li>
<li><a href="../docker-trusted-registry/userguide/"><strong>User Guide</strong></a> Go here to learn about using Docker Trusted Registry from day to
day.</li>
<li><a href="../docker-trusted-registry/adminguide/"><strong>Administrator Guide</strong></a> Go here if you are an administrator
responsible for running and maintaining Docker Trusted Registry.</li>
<li><a href="../docker-trusted-registry/install/"><strong>Installation</strong></a> Go here for the steps you&rsquo;ll need to install
Docker Trusted Registry and get it working.</li>
<li><a href="../docker-trusted-registry/configuration/"><strong>Configuration</strong></a> Go here to find out details about
setting up and configuring Docker Trusted Registry for your particular environment.</li>
<li><a href="../docker-trusted-registry/install/"><strong>Support</strong></a> Go here for information on getting support for Docker Trusted Registry.</li>
<li><a href="https://www.docker.com/docker-trusted-registry"><strong>The Docker Trusted Registry product page</strong></a>.</li>
<li><a href="https://www.docker.com/products/use-cases"><strong>Docker Trusted Registry Use Cases page</strong></a> showing an example CI/CD pipeline.</li>
<li><a href="https://www.docker.com/products/resources"><strong>Docker Trusted Registry and Docker tutorials and webinars</strong></a>.</li>
</ul>

<p>Note: Docker Trusted Registry requires that you use the commercially supported Docker Engine.</p>
</description>
</item>

<item>
<title>Prior release notes archive</title>
<link>http://localhost/docker-trusted-registry/prior-release-notes/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/prior-release-notes/</guid>
<description>

<h1 id="release-notes">Release Notes</h1>

<h2 id="docker-trusted-registry">Docker Trusted Registry</h2>

<h3 id="docker-trusted-registry-1-1-0">Docker Trusted Registry 1.1.0</h3>

<p>(23 June 2015)</p>

<p>This release of Docker Trusted Registry (formerly DHE) adds major integration with the AWS and Azure marketplaces, giving customers a smoother installation path. Docker Trusted Registry 1.1 also adds finer-grained permissions and improvements and additions to the UI and logging. Bugs in LDAP/AD integration have also been remediated, improving the stability and usability of Docker Trusted Registry. See below for specifics.</p>

<h4 id="new-features">New Features</h4>

<ul>
<li>New, more granular, <a href="../docker-trusted-registry/configuration/#authentication">roles for users</a>. Docker Trusted Registry users can now be assigned different levels of access (admin, r/w, r/o) to the repositories. <strong>Important:</strong> Existing Docker Trusted Registry users should make sure to see the note <a href="#dhe-1-0-upgrade-warning">below</a> regarding migrating users before upgrading.</li>
<li>A new storage status indicator for storage space. The dashboard now shows used and available storage space for supported storage drivers.</li>
<li>A new <a href="../docker-trusted-registry/adminguide/#client-docker-daemon-diagnostics">diagnostics tool</a> gathers and bundles Docker Trusted Registry logs, system information, container information, and other configuration settings for use by Docker support or as a backup.</li>
<li>Performance and reliability improvements to the S3 storage backend.</li>
<li>Docker Trusted Registry images are now available on the Amazon AWS and Microsoft Azure marketplaces.</li>
</ul>

<h4 id="fixes">Fixes</h4>

<p>The following notable issues have been remediated:</p>

<ul>
<li>Fixed an issue that caused Docker Trusted Registry logins to fail if some LDAP servers were unreachable.</li>
<li>Fixed a resource leak in Docker Trusted Registry storage.</li>
</ul>

<h4 id="dhe-1-0-upgrade-warning">DHE 1.0 Upgrade Warning</h4>

<p>Customers who are currently using DHE 1.0 <strong>must</strong> follow the <a href="https://forums.docker.com/t/upgrading-docker-hub-enterprise-to-docker-trusted-registry/1925">upgrading instructions</a> in our support Knowledge Base. These instructions will show you how to modify existing authentication data and storage volume settings to move to Docker Trusted Registry. Note that automatic upgrading has been disabled for DHE users because of these issues.</p>

<h3 id="docker-trusted-registry-1-0-1">Docker Trusted Registry 1.0.1</h3>

<p>(11 May 2015)</p>

<ul>
<li>Addresses compatibility issue with 1.6.1 CS Docker Engine</li>
</ul>

<h3 id="docker-trusted-registry-1-0-0">Docker Trusted Registry 1.0.0</h3>

<p>(23 Apr 2015)</p>

<ul>
<li>First release</li>
</ul>

<h2 id="commercially-supported-docker-engine">Commercially Supported Docker Engine</h2>

<h3 id="cs-docker-engine-1-6-2-cs5">CS Docker Engine 1.6.2-cs5</h3>

<p>(21 May 2015)</p>

<p>For customers running Docker Engine on <a href="https://www.docker.com/enterprise/support/">supported versions of RedHat Enterprise
Linux</a> with <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html">SELinux
enabled</a>, the <code>docker build</code> and <code>docker run</code>
commands will not have DNS host name resolution and bind-mounted volumes may
not be accessible.
As a result, customers with SELinux will be unable to use hostname-based network
access in either <code>docker build</code> or <code>docker run</code>, nor will they be able to
<code>docker run</code> containers
that use <code>--volume</code> or <code>-v</code> bind-mounts (with an incorrect SELinux label) in
their environment. By installing Docker
Engine 1.6.2-cs5, customers can use Docker as intended on RHEL with SELinux enabled.</p>

<p>For example, you will see failures like:</p>

<pre><code>[root@dtr ~]# docker -v
Docker version 1.6.0-cs2, build b8dd430
[root@dtr ~]# ping dtr.home.org.au
PING dtr.home.org.au (10.10.10.104) 56(84) bytes of data.
64 bytes from dtr.home.gateway (10.10.10.104): icmp_seq=1 ttl=64 time=0.663 ms
^C
--- dtr.home.org.au ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.078/0.370/0.663/0.293 ms
[root@dtr ~]# docker run --rm -it debian ping dtr.home.org.au
ping: unknown host
[root@dtr ~]# docker run --rm -it debian cat /etc/resolv.conf
cat: /etc/resolv.conf: Permission denied
[root@dtr ~]# docker run --rm -it debian apt-get update
Err http://httpredir.debian.org jessie InRelease

Err http://security.debian.org jessie/updates InRelease

Err http://httpredir.debian.org jessie-updates InRelease

Err http://security.debian.org jessie/updates Release.gpg
Could not resolve 'security.debian.org'
Err http://httpredir.debian.org jessie Release.gpg
Could not resolve 'httpredir.debian.org'
Err http://httpredir.debian.org jessie-updates Release.gpg
Could not resolve 'httpredir.debian.org'
[output truncated]

</code></pre>

<p>or when running a <code>docker build</code>:</p>

<pre><code>[root@dtr ~]# docker build .
Sending build context to Docker daemon 11.26 kB
Sending build context to Docker daemon
Step 0 : FROM fedora
---&gt; e26efd418c48
Step 1 : RUN yum install httpd
---&gt; Running in cf274900ea35

One of the configured repositories failed (Fedora 21 - x86_64),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work &quot;fix&quot; this:

[output truncated]
</code></pre>

<p><strong>Affected Versions</strong>: All previous versions of Docker Engine when SELinux
is enabled.</p>

<p>Docker <strong>highly recommends</strong> that all customers running previous versions of
Docker Engine update to this release.</p>

<h4 id="how-to-workaround-this-issue"><strong>How to work around this issue</strong></h4>

<p>Customers who choose not to install this update have two options. The
first option is to disable SELinux. This is <em>not recommended</em> for production
systems where SELinux is typically required.</p>

<p>The second option is to pass the following parameter in to <code>docker run</code>.</p>

<pre><code>--security-opt=label:type:docker_t
</code></pre>

<p>This parameter cannot be passed to the <code>docker build</code> command.</p>

<h4 id="upgrade-notes"><strong>Upgrade notes</strong></h4>

<p>When upgrading, make sure you stop Docker Trusted Registry first, perform the Engine upgrade, and
then restart Docker Trusted Registry.</p>

<p>If you are running with SELinux enabled, previous Docker Engine releases allowed
you to bind-mount additional volumes or files inside the container as follows:</p>

<pre><code>$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro &lt;imagename&gt;
</code></pre>

<p>In the 1.6.2-cs5 release, you must ensure additional bind-mounts have the correct
SELinux context. For example, if you want to mount <code>foobar.txt</code> as read-only
|
||
into the container, do the following to create and test your bind-mount:</p>
|
||
|
||
<ol>
|
||
<li><p>Add the <code>z</code> option to the bind mount when you specify <code>docker run</code>.</p>
|
||
|
||
<pre><code>$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z &lt;imagename&gt;
|
||
</code></pre></li>
|
||
|
||
<li><p>Exec into your new container.</p>
|
||
|
||
<p>For example, if your container is <code>bashful_curie</code>, open a shell on the
|
||
container:</p>
|
||
|
||
<pre><code>$ docker exec -it bashful_curie bash
|
||
</code></pre></li>
|
||
|
||
<li><p>Use <code>cat</code> to check the permissions on the mounted file.</p>
|
||
|
||
<pre><code>$ cat /foobar.txt
|
||
the contents of foobar appear
|
||
</code></pre>
|
||
|
||
<p>If you see the file&rsquo;s contents, your mount succeeded. If you receive a
|
||
<code>Permission denied</code> message and/or the <code>/var/log/audit/audit.log</code> file on
|
||
your Docker host contains an AVC Denial message, the mount did not succeed.</p>
|
||
|
||
<pre><code>type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm=&quot;cat&quot; name=&quot;foobar.txt&quot; dev=&quot;xvda2&quot; ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
|
||
</code></pre>
|
||
|
||
<p>Recheck your command line to make sure you passed in the <code>z</code> option.</p></li>
|
||
</ol>
|
||
|
||
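<p>The AVC record quoted in step 3 is the signal to look for on a host that runs many containers, so it is worth automating the check. What follows is an added example, not code from the Docker documentation or the Docker project: a POSIX shell script that parses audit records, decides whether a denial was raised by a container process against a file that still carries a non-container label (the situation the <code>z</code> option fixes), and counts such records in an audit log fed on stdin. The SELinux type names it assumes are <code>svirt_lxc_net_t</code> (renamed <code>container_t</code> in later policies) for container processes and <code>svirt_sandbox_file_t</code> (later <code>container_file_t</code>) for files relabeled by <code>z</code>; the function names are mine, and the sample record is constructed from the line shown above.</p>

```shell
#!/bin/sh
# Added example (not part of the Docker docs): triage SELinux AVC denials from
# /var/log/audit/audit.log and flag the ones that look like a "docker run -v"
# bind mount used without the z relabel option.
# Assumed type names: container processes run as svirt_lxc_net_t (container_t in
# later policies); files relabeled by the z option carry svirt_sandbox_file_t
# (container_file_t in later policies).

# Constructed sample, shaped like the audit.log record quoted in the text.
AVC_SAMPLE='type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY: print the value of the KEY=VALUE token, quotes stripped
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# selinux_type CONTEXT: print the type component of user:role:type:level
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: print one of
#   no-denial                  not an AVC denial record
#   other-denial               subject was not a container process
#   container-other-denial     container process, target already has a container file label
#   bind-mount-label-mismatch  container process denied on a file with a non-container label
classify_avc() {
  avc="$1"
  case "$avc" in
    *avc:*denied*) ;;
    *) echo "no-denial"; return 0 ;;
  esac
  stype=$(selinux_type "$(avc_field "$avc" scontext)")
  ttype=$(selinux_type "$(avc_field "$avc" tcontext)")
  case "$stype" in
    svirt_lxc_net_t|container_t) ;;
    *) echo "other-denial"; return 0 ;;
  esac
  case "$ttype" in
    svirt_sandbox_file_t|container_file_t) echo "container-other-denial" ;;
    *) echo "bind-mount-label-mismatch" ;;
  esac
}

# mismatch_hint LINE: one-line remediation for a bind-mount-label-mismatch denial
mismatch_hint() {
  printf '%s denied on %s (label %s): add the z option to the -v bind mount\n' \
    "$(avc_field "$1" comm)" "$(avc_field "$1" name)" \
    "$(selinux_type "$(avc_field "$1" tcontext)")"
}

# count_mismatches: read audit records on stdin, print how many are label mismatches
count_mismatches() {
  n=0
  while IFS= read -r rec; do
    if [ "$(classify_avc "$rec")" = bind-mount-label-mismatch ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Stand-alone demo on the constructed sample.
classify_avc "$AVC_SAMPLE"
mismatch_hint "$AVC_SAMPLE"
```

<p>On a real host, <code>count_mismatches</code> can be run as <code>grep '^type=AVC' /var/log/audit/audit.log | count_mismatches</code>; a non-zero count after a deployment usually means a <code>-v</code> mount that was never relabeled. The script only reports; it does not relabel anything, because choosing between the shared <code>z</code> label covered here and a private per-container label is a decision for the operator.</p>
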
<h3 id="cs-docker-engine-1-6-2-cs4">CS Docker Engine 1.6.2-cs4</h3>

<p>(13 May 2015)</p>

<p>Fix mount regression for <code>/sys</code>.</p>

<h3 id="cs-docker-engine-1-6-1-cs3">CS Docker Engine 1.6.1-cs3</h3>

<p>(11 May 2015)</p>

<p>Docker Engine version 1.6.1 has been released to address several vulnerabilities
and is immediately available for all supported platforms. Users are advised to
upgrade existing installations of the Docker Engine and use 1.6.1 for new installations.</p>

<p>It should be noted that each of the vulnerabilities allowing privilege escalation
may only be exploited by a malicious Dockerfile or image. Users are advised to
run their own images and/or images built by trusted parties, such as those in
the official images library.</p>

<p>Please send any questions to security@docker.com.</p>

<h4 id="cve-2015-3629-https-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2015-3629-symlink-traversal-on-container-respawn-allows-local-privilege-escalation"><strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629">CVE-2015-3629</a> Symlink traversal on container respawn allows local privilege escalation</strong></h4>

<p>Libcontainer version 1.6.0 introduced changes which facilitated a mount namespace
breakout upon respawn of a container. This allowed malicious images to write
files to the host system and escape containerization.</p>

<p>Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade Docker Engine.</p>

<p>Discovered by Tõnis Tiigi.</p>

<h4 id="cve-2015-3627-https-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2015-3627-insecure-opening-of-file-descriptor-1-leading-to-privilege-escalation"><strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3627">CVE-2015-3627</a> Insecure opening of file-descriptor 1 leading to privilege escalation</strong></h4>

<p>The file-descriptor passed by libcontainer to the pid-1 process of a container
has been found to be opened prior to performing the chroot, allowing insecure
open and symlink traversal. This allows malicious container images to trigger
a local privilege escalation.</p>

<p>Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade
Docker Engine.</p>

<p>Discovered by Tõnis Tiigi.</p>

<h4 id="cve-2015-3630-https-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2015-3630-read-write-proc-paths-allow-host-modification-information-disclosure"><strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3630">CVE-2015-3630</a> Read/write proc paths allow host modification &amp; information disclosure</strong></h4>

<p>Several paths underneath /proc were writable from containers, allowing global
system manipulation and configuration. These paths included <code>/proc/asound</code>,
<code>/proc/timer_stats</code>, <code>/proc/latency_stats</code>, and <code>/proc/fs</code>.</p>

<p>By allowing writes to <code>/proc/fs</code>, it has been noted that CIFS volumes could be
forced into a protocol downgrade attack by a root user operating inside of a
container. Machines having loaded the timer_stats module were vulnerable to
having this mechanism enabled and consumed by a container.</p>

<p>We are releasing Docker Engine 1.6.1 to address this vulnerability. All
versions up to 1.6.1 are believed vulnerable. Users running untrusted
images are encouraged to upgrade.</p>

<p>Discovered by Eric Windisch of the Docker Security Team.</p>

<h4 id="cve-2015-3631-https-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2015-3631-volume-mounts-allow-lsm-profile-escalation"><strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3631">CVE-2015-3631</a> Volume mounts allow LSM profile escalation</strong></h4>

<p>By allowing volumes to override files of <code>/proc</code> within a mount namespace, a user
could specify arbitrary policies for Linux Security Modules, including setting
an unconfined policy underneath AppArmor, or a <code>docker_t</code> policy for processes
managed by SELinux. In all versions of Docker up until 1.6.1, it is possible for
malicious images to configure volume mounts such that files of proc may be overridden.</p>

<p>We are releasing Docker Engine 1.6.1 to address this vulnerability. All versions
up to 1.6.1 are believed vulnerable. Users running untrusted images are encouraged
to upgrade.</p>

<p>Discovered by Eric Windisch of the Docker Security Team.</p>

<h4 id="apparmor-policy-improvements"><strong>AppArmor policy improvements</strong></h4>

<p>The 1.6.1 release also marks preventative additions to the AppArmor policy.
Recently, several CVEs against the kernel have been reported whereby mount
namespaces could be circumvented through the use of the sys_mount syscall from
inside of an unprivileged Docker container. In all reported cases, the
AppArmor policy included in libcontainer and shipped with Docker has been
sufficient to deflect these attacks. However, we have deemed it prudent to
proactively tighten the policy further by outright denying the use of the
<code>sys_mount</code> syscall.</p>

<p>Because this addition is preventative, no CVE-ID is requested.</p>

<h3 id="cs-docker-engine-1-6-0-cs2">CS Docker Engine 1.6.0-cs2</h3>

<p>(23 Apr 2015)</p>

<ul>
<li>First release, please see the <a href="http://docs.docker.com/v1.6/release-notes/">Docker Engine 1.6.0 Release notes</a>
for more details.</li>
</ul>
</description>
</item>

<item>
<title>Quick-start: Basic Workflow</title>
<link>http://localhost/docker-trusted-registry/quick-start/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/quick-start/</guid>
<description>

<h1 id="docker-trusted-registry-quick-start-guide-basic-user-workflow">Docker Trusted Registry Quick Start guide: Basic User Workflow</h1>

<h2 id="overview">Overview</h2>

<p>This Quick Start Guide gives you a hands-on look at the basics of using
Docker Trusted Registry, Docker&rsquo;s on-premise image storage application.
This guide will walk you through using Docker Trusted Registry to complete a typical, and critical,
part of building a development pipeline: setting up a Jenkins instance. Once you
complete the task, you should have a good idea of how Docker Trusted Registry works and how it might
be useful to you.</p>

<p>Specifically, this guide demonstrates the process of retrieving the
<a href="https://registry.hub.docker.com/_/jenkins/">official Docker image for Jenkins</a>,
customizing it to suit your needs, and then hosting it on your private instance
of Docker Trusted Registry located inside your enterprise’s firewalled environment. Your developers
will then be able to retrieve the custom Jenkins image in order to use it to
build CI/CD infrastructure for their projects, no matter the platform they&rsquo;re
working from, be it a laptop, a VM, or a cloud provider.</p>

<p>You will perform the following steps:</p>

<ol>
<li>Pulling the official Jenkins image from the public Docker Hub</li>
<li>Customizing the Jenkins image to suit your needs</li>
<li>Pushing the customized image to Docker Trusted Registry</li>
<li>Pulling the customized image from Docker Trusted Registry</li>
<li>Launching a container from the custom image</li>
<li>Using the new Jenkins container</li>
</ol>

<p>You should be able to complete this guide in about thirty minutes.</p>

<blockquote>
<p><strong>Note:</strong> This guide assumes you have installed a working instance of Docker Trusted Registry
reachable at dtr.yourdomain.com. If you need help installing and configuring
Docker Trusted Registry, please consult the
<a href="install.md">installation instructions</a>.</p>
</blockquote>

<h2 id="pulling-the-official-jenkins-image">Pulling the official Jenkins image</h2>

<blockquote>
<p><strong>Note:</strong> This guide assumes you are familiar with basic Docker concepts such
as images, containers, and registries. If you need to learn more about Docker
fundamentals, please consult the
<a href="http://docs.docker.com/userguide/">Docker user guide</a>.</p>
</blockquote>

<p>First, you will retrieve a copy of the official Jenkins image from the Docker Hub. By default, if
Docker can&rsquo;t find an image locally, it will attempt to pull the image from the
Docker Hub. From the CLI of a machine running the Docker Engine on your network, use
the
<a href="https://docs.docker.com/reference/commandline/pull"><code>docker pull</code></a>
command to pull the public Jenkins image.</p>

<pre><code>$ docker pull jenkins
</code></pre>

<blockquote>
<p><strong>Note:</strong> This guide assumes you can run Docker commands from a machine where
you are a member of the <code>docker</code> group or have root privileges. Otherwise, you
may need to add <code>sudo</code> to the example commands below.</p>
</blockquote>

<p>Docker will start the process of pulling the image from the Hub. Once it has completed, the Jenkins image should be visible in the output of a <a href="https://docs.docker.com/reference/commandline/images"><code>docker images</code></a> command, which lists your available images:</p>

<pre><code>$ docker images
REPOSITORY          TAG       IMAGE ID       CREATED        VIRTUAL SIZE
jenkins             latest    1a7cc22b0ee9   2 weeks ago    888 MB
</code></pre>

<blockquote>
<p><strong>Note:</strong> Because the <code>pull</code> command did not specify any tags, it will pull
the latest version of the public Jenkins image. If your enterprise environment
requires you to use a specific version, add the tag for the version you need
(e.g., <code>jenkins:1.609.2</code>).</p>
</blockquote>

<h2 id="customizing-the-jenkins-image">Customizing the Jenkins image</h2>

<p>Now that you have a local copy of the Jenkins image, you&rsquo;ll customize it so that
the containers it builds will integrate with your infrastructure. To do this,
you&rsquo;ll create a custom Docker image that adds a Jenkins plugin that provides
fine-grained user management. You&rsquo;ll also configure Jenkins to be more secure by
disabling HTTP access and forcing it to use HTTPS.
You&rsquo;ll do this by using a <code>Dockerfile</code> and the <code>docker build</code> command.</p>

<blockquote>
<p><strong>Note:</strong> These are obviously just a couple of examples of the many ways you
can modify and configure Jenkins. Feel free to add or substitute whatever
customization is necessary to run Jenkins in your environment.</p>
</blockquote>

<h3 id="creating-a-build-context">Creating a <code>build</code> context</h3>

<p>In order to add the new plugin and configure HTTPS access to the custom Jenkins
image, you need to:</p>

<ol>
<li>Create a text file that defines the new plugin</li>
<li>Create copies of the private key and certificate</li>
</ol>

<p>All of the above files need to be in the same directory as the Dockerfile you
will create in the next step.</p>

<ol>
<li><p>Create a build directory called <code>build</code>, and change to that new directory:</p>

<pre><code>$ mkdir build &amp;&amp; cd build
</code></pre></li>

<li><p>In this directory, create a new file called <code>plugins</code> and add the following
line:</p>

<pre><code>role-strategy:2.2.0
</code></pre>

<p>(The plugin version used above was the latest version at the time of writing.)</p></li>

<li><p>You will also need to make copies of the server&rsquo;s private key and certificate. Give the copies the following names: <code>https.key</code> and <code>https.pem</code>.</p></li>
</ol>

<blockquote>
<p><strong>Note:</strong> Because creating new keys varies widely by platform and
implementation, this guide won&rsquo;t cover key generation. We assume you have
access to existing keys. If you don&rsquo;t have access, or can&rsquo;t generate keys
yourself, feel free to skip the steps involving them and HTTPS config. The
guide will still walk you through building a custom Jenkins image and pushing
and pulling that image using Docker Trusted Registry.</p>
</blockquote>

<h3 id="creating-a-dockerfile">Creating a Dockerfile</h3>

<p>In the same directory as the <code>plugins</code> file and the private key and certificate,
create a new <a href="https://docs.docker.com/reference/builder/"><code>Dockerfile</code></a> with the
following contents:</p>

<pre><code>FROM jenkins

# New plugins must be placed in the plugins file
COPY plugins /usr/share/jenkins/plugins

# The plugins.sh script will install new plugins
RUN /usr/local/bin/plugins.sh /usr/share/jenkins/plugins

# Copy private key and cert to image
COPY https.pem /var/lib/jenkins/cert
COPY https.key /var/lib/jenkins/pk

# Configure HTTP off and HTTPS on, using port 1973
ENV JENKINS_OPTS --httpPort=-1 --httpsPort=1973 --httpsCertificate=/var/lib/jenkins/cert --httpsPrivateKey=/var/lib/jenkins/pk
</code></pre>

<p>The first <code>COPY</code> instruction in the above will copy the <code>plugins</code> file created
earlier into the <code>/usr/share/jenkins</code> directory within the custom image you are
defining with the <code>Dockerfile</code>.</p>

<p>The <code>RUN</code> instruction will execute the <code>/usr/local/bin/plugins.sh</code> script with
the newly copied <code>plugins</code> file, which will install the listed plugin.</p>

<p>The next two <code>COPY</code> instructions copy the server&rsquo;s private key and certificate
into the required directories within the new image.</p>

<p>The <code>ENV</code> instruction creates an environment variable called <code>JENKINS_OPTS</code> in
the image you are about to create. This environment variable will be present in
any containers launched from the image and contains the required settings to
tell Jenkins to disable HTTP and operate over HTTPS.</p>

<blockquote>
<p><strong>Note:</strong> You can specify any valid port number as part of the <code>JENKINS_OPTS</code>
environment variable declared above. The value <code>1973</code> used in the example is
arbitrary.</p>
</blockquote>

<p>The <code>Dockerfile</code>, the <code>plugins</code> file, as well as the private key and
certificate, must all be in the same directory because the <code>docker build</code>
command uses the directory that contains the <code>Dockerfile</code> as its &ldquo;build
context&rdquo;. Only files contained within that &ldquo;build context&rdquo; will be included in
the image being built.</p>

<h3 id="building-your-custom-image">Building your custom image</h3>

<p>Now that the <code>Dockerfile</code>, the <code>plugins</code> file, and the files required for HTTPS
operation are created in your current working directory, you can build your
custom image using the
<a href="https://docs.docker.com/reference/commandline/build"><code>docker build</code> command</a>:</p>

<pre><code>docker build -t dtr.yourdomain.com/ci-infrastructure/jnkns-img .
</code></pre>

<blockquote>
<p><strong>Note:</strong> Don&rsquo;t miss the period (<code>.</code>) at the end of the command above. This
tells the <code>docker build</code> command to use the current working directory as the
&ldquo;build context&rdquo;.</p>
</blockquote>

<p>This command will build a new Docker image called <code>jnkns-img</code> which is based on
the public Jenkins image you pulled earlier, but contains all of your
customization.</p>

<p>Please note the use of the <code>-t</code> flag in the <code>docker build</code> command above. The
<code>-t</code> flag lets you tag an image so it can be pushed to a custom repository. In
the example above, the new image is tagged so it can be pushed to the
<code>ci-infrastructure</code> repository within the <code>dtr.yourdomain.com</code> registry (your
local Docker Trusted Registry instance). This will be important when you need to <code>push</code> the
customized image to Docker Trusted Registry later.</p>

<p>A <code>docker images</code> command will now show the custom image alongside the Jenkins
image pulled earlier:</p>

<pre><code>$ docker images
REPOSITORY                                       TAG       IMAGE ID       CREATED          VIRTUAL SIZE
dtr.yourdomain.com/ci-infrastructure/jnkns-img   latest    fc0ab3008d40   2 minutes ago    888.1 MB
jenkins                                          latest    1a7cc22b0ee9   2 weeks ago      888 MB
</code></pre>

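<p>The tag given to <code>-t</code> is the only thing that tells <code>docker push</code> where an image goes, which is why an image built for an internal registry should be tagged with the registry host from the start. The following is an added example, not code from the Docker documentation or the Docker project: a POSIX shell script that applies the rule the Docker CLI uses to resolve a reference (the first path component is a registry host only if it contains <code>.</code> or <code>:</code> or is exactly <code>localhost</code>; anything else is on Docker Hub, where a bare name lives under <code>library/</code>; a missing tag means <code>latest</code>), together with a <code>pushes_to</code> guard a CI script can use to refuse to push an internal image anywhere but <code>dtr.yourdomain.com</code>. The references <code>jenkins</code>, <code>jenkins:1.609.2</code> and <code>dtr.yourdomain.com/ci-infrastructure/jnkns-img</code> come from this guide; <code>localhost:5000/hello-world:v1</code> and the digest reference in the test are constructed, and the function names are mine.</p>

```shell
#!/bin/sh
# Added example (not part of the Docker docs): split an image reference the way
# the Docker CLI does, so you can see which registry "docker push REF" targets.
# Rule applied: the first path component is a registry host only if it contains
# "." or ":" or is exactly "localhost"; otherwise the image lives on Docker Hub
# (docker.io), where a single-component name sits under "library/".
# A missing tag means "latest".

# ref_registry REF: print the registry host the reference resolves to
ref_registry() {
  first="${1%%/*}"
  case "$first" in
    "$1")               echo "docker.io" ;;   # no slash at all: Hub
    *.*|*:*|localhost)  echo "$first" ;;
    *)                  echo "docker.io" ;;   # namespace/name on Hub
  esac
}

# strip_registry REF: print the reference without an explicit registry prefix
strip_registry() {
  reg=$(ref_registry "$1")
  case "$1" in
    "$reg"/*) echo "${1#$reg/}" ;;
    *)        echo "$1" ;;
  esac
}

# ref_path REF: print the repository path (no registry, tag or digest)
ref_path() {
  rest=$(strip_registry "$1")
  rest="${rest%%@*}"            # drop @sha256:... digest
  case "${rest##*/}" in
    *:*) rest="${rest%:*}" ;;   # drop :tag from the last component only
  esac
  case "$(ref_registry "$1")/$rest" in
    docker.io/*/*) ;;                           # already namespaced
    docker.io/*)   rest="library/$rest" ;;      # official image namespace
  esac
  echo "$rest"
}

# ref_tag REF: print the tag, "latest" if none, or the sha256 digest if pinned
ref_tag() {
  case "$1" in
    *@sha256:*) echo "${1#*@}"; return 0 ;;
  esac
  last=$(strip_registry "$1")
  last="${last##*/}"
  case "$last" in
    *:*) echo "${last#*:}" ;;
    *)   echo "latest" ;;
  esac
}

# pushes_to REF REGISTRY: succeed only if "docker push REF" would go to REGISTRY.
# A cheap guard for CI scripts that must never push internal images to Docker Hub.
pushes_to() {
  [ "$(ref_registry "$1")" = "$2" ]
}

# Stand-alone demo on the references used in this guide.
for ref in jenkins jenkins:1.609.2 dtr.yourdomain.com/ci-infrastructure/jnkns-img; do
  printf '%-50s registry=%s path=%s tag=%s\n' "$ref" \
    "$(ref_registry "$ref")" "$(ref_path "$ref")" "$(ref_tag "$ref")"
done
```

<p>In a build script, <code>pushes_to "$IMAGE" dtr.yourdomain.com || exit 1</code> placed before <code>docker push</code> turns a mistyped or missing registry prefix into a failed build instead of a copy of an internal image on a public registry.</p>
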
<h2 id="pushing-to-docker-trusted-registry">Pushing to Docker Trusted Registry</h2>

<blockquote>
<p><strong>Note</strong>: If your Docker Trusted Registry instance has authentication enabled, you will need to
use your command line to <code>docker login &lt;dtr-hostname&gt;</code> (e.g., <code>docker login
dtr.yourdomain.com</code>).</p>

<p>Failures due to unauthenticated <code>docker push</code> and <code>docker pull</code> commands will
look like:</p>

<pre><code>$ docker pull dtr.yourdomain.com/hello-world
Pulling repository dtr.yourdomain.com/hello-world
FATA[0001] Error: image hello-world:latest not found

$ docker push dtr.yourdomain.com/hello-world
The push refers to a repository [dtr.yourdomain.com/hello-world] (len: 1)
e45a5af57b00: Image push failed
FATA[0001] Error pushing to registry: token auth attempt for registry
https://dtr.yourdomain.com/v2/:
https://dtr.yourdomain.com/auth/v2/token/
?scope=repository%3Ahello-world%3Apull%2Cpush&amp;service=dtr.yourdomain.com
request failed with status: 401 Unauthorized
</code></pre>
</blockquote>

<p>Now that you’ve created the custom image, it can be pushed to Docker Trusted Registry using the
<a href="https://docs.docker.com/reference/commandline/push"><code>docker push</code> command</a>:</p>

<pre><code>$ docker push dtr.yourdomain.com/ci-infrastructure/jnkns-img
511136ea3c5a: Image successfully pushed
848d84b4b2ab: Image successfully pushed
71d9d77ae89e: Image already exists
&lt;truncated output...&gt;
492ed3875e3e: Image successfully pushed
fc0ab3008d40: Image successfully pushed
</code></pre>

<p>You can view the traffic throughput from the custom image being pushed, by selecting <code>Network</code> from the <code>Load Balancer</code> tile on the Docker Trusted Registry Dashboard:</p>

<p><img src="../docker-trusted-registry/assets/console-push.png" alt="Docker Trusted Registry console push throughput" /></p>

<p>Once the image is successfully pushed, it can be downloaded, or pulled, by any
Docker host that has access to Docker Trusted Registry.</p>

<h2 id="pulling-from-docker-trusted-registry">Pulling from Docker Trusted Registry</h2>

<p>To pull the <code>jnkns-img</code> image from Docker Trusted Registry, run the
<a href="https://docs.docker.com/reference/commandline/pull"><code>docker pull</code></a>
command from any Docker Host that has access to your Docker Trusted Registry instance:</p>

<pre><code>$ docker pull dtr.yourdomain.com/ci-infrastructure/jnkns-img
latest: Pulling from dtr.yourdomain.com/ci-infrastructure/jnkns-img
511136ea3c5a: Pull complete
848d84b4b2ab: Pull complete
71d9d77ae89e: Pull complete
&lt;truncated output...&gt;
492ed3875e3e: Pull complete
fc0ab3008d40: Pull complete
dtr.yourdomain.com/ci-infrastructure/jnkns-img:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Status: Downloaded newer image for dtr.yourdomain.com/ci-infrastructure/jnkns-img:latest
</code></pre>

<p>You can view the traffic throughput from the custom image being pulled on the Docker Trusted Registry Dashboard.</p>

<p>Now that the <code>jnkns-img</code> image has been pulled locally from Docker Trusted Registry, you can view it
in the output of the <code>docker images</code> command:</p>

<pre><code>$ docker images
REPOSITORY                                       TAG       IMAGE ID       CREATED          VIRTUAL SIZE
dtr.yourdomain.com/ci-infrastructure/jnkns-img   latest    fc0ab3008d40   2 minutes ago    888.1 MB
</code></pre>

<h2 id="launching-a-custom-jenkins-container">Launching a custom Jenkins container</h2>

<p>Now that you’ve successfully pulled the customized Jenkins image from Docker Trusted Registry, you
can create a container from it with the
<a href="https://docs.docker.com/reference/commandline/run"><code>docker run</code> command</a>:</p>

<pre><code>$ docker run -p 1973:1973 --name jenkins01 dtr.yourdomain.com/ci-infrastructure/jnkns-img
/usr/share/jenkins/ref/init.groovy.d/tcp-slave-angent-port.groovy
/usr/share/jenkins/ref/init.groovy.d/tcp-slave-angent-port.groovy -&gt; init.groovy.d/tcp-slave-angent-port.groovy
copy init.groovy.d/tcp-slave-angent-port.groovy to JENKINS_HOME
/usr/share/jenkins/ref/plugins/role-strategy.hpi
/usr/share/jenkins/ref/plugins/role-strategy.hpi -&gt; plugins/role-strategy.hpi
copy plugins/role-strategy.hpi to JENKINS_HOME
/usr/share/jenkins/ref/plugins/dockerhub.hpi
/usr/share/jenkins/ref/plugins/dockerhub.hpi -&gt; plugins/dockerhub.hpi
copy plugins/dockerhub.hpi to JENKINS_HOME
&lt;truncated output...&gt;
INFO: Jenkins is fully up and running
</code></pre>

<blockquote>
<p><strong>Note:</strong> The <code>docker run</code> command above maps port 1973 in the container
through to port 1973 on the host. This is the HTTPS port you specified in the
Dockerfile earlier. If you specified a different HTTPS port in your
Dockerfile, you will need to substitute this with the correct port numbers for
your environment.</p>
</blockquote>

<p>You can view the newly launched container, called <code>jenkins01</code>, using the
<a href="https://docs.docker.com/reference/commandline/ps"><code>docker ps</code> command</a>:</p>

<pre><code>$ docker ps
CONTAINER ID   IMAGE                                                   COMMAND                CREATED              STATUS              ...PORTS                              NAMES
2e5d2f068504   dtr.yourdomain.com/ci-infrastructure/jnkns-img:latest   &quot;/usr/local/bin/jenk   About a minute ago   Up About a minute   50000/tcp, 0.0.0.0:1973-&gt;1973/tcp   jenkins01
</code></pre>

<h2 id="accessing-the-new-jenkins-container">Accessing the new Jenkins container</h2>

<p>The previous <code>docker run</code> command mapped port <code>1973</code> on the container to port
<code>1973</code> on the Docker host, so the Jenkins Web UI can be accessed at
<code>https://&lt;docker-host&gt;:1973</code> (Don&rsquo;t forget the <code>s</code> at the end of <code>https</code>.)</p>

<blockquote>
<p><strong>Note:</strong> If you are using a self-signed certificate, you may get a security
warning from your browser telling you that the certificate is self-signed and
not trusted. You may wish to add the certificate to the trusted store in order
to prevent further warnings in the future.</p>
</blockquote>

<p><img src="../docker-trusted-registry/assets/jenkins-ui.png" alt="Jenkins landing page" /></p>

<p>From within the Jenkins Web UI, navigate to <code>Manage Jenkins</code> (on the left-hand
pane) &gt; <code>Manage Plugins</code> &gt; <code>Installed</code>. The <code>Role-based Authorization Strategy</code>
plugin should be present with the <code>Uninstall</code> button available to the right.</p>

<p><img src="../docker-trusted-registry/assets/jenkins-plugins.png" alt="Jenkins plugin manager" /></p>

<p>In another browser session, try to access Jenkins via the default HTTP port 8080
<code>http://&lt;docker-host&gt;:8080</code>. This should result in a &ldquo;connection timeout&rdquo;,
showing that Jenkins is not available on its default port 8080 over HTTP.</p>

<p>This demonstration shows your Jenkins image has been configured correctly for
HTTPS access, your new plugin was added and is ready for use, and HTTP access
has been disabled. At this point, any member of your team can use <code>docker pull</code>
to access the image from your Docker Trusted Registry instance, allowing them to access a
configured, secured Jenkins instance that can run on any infrastructure.</p>

<h2 id="next-steps">Next Steps</h2>

<p>For more information on using Docker Trusted Registry, take a look at the
<a href="../docker-trusted-registry/userguide/">User&rsquo;s Guide</a>.</p>
</description>
</item>

<item>
|
||
<title>Release notes</title>
|
||
<link>http://localhost/docker-trusted-registry/release-notes/</link>
|
||
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
|
||
|
||
<guid>http://localhost/docker-trusted-registry/release-notes/</guid>
|
||
<description>
|
||
|
||
<h1 id="release-notes-docker-trusted-registry-commercially-supported-docker-engine">Release Notes: Docker Trusted Registry &amp; Commercially Supported Docker Engine</h1>
|
||
|
||
<h2 id="prior-versions">Prior Versions</h2>
|
||
|
||
<p>These notes refer to the current and immediately prior releases of Docker Trusted Registry and the commercially supported Docker Engine. For notes on older versions of these, see the <a href="../docker-trusted-registry/prior-release-notes/">prior release notes archive</a>.</p>
|
||
|
||
<h2 id="docker-trusted-registry">Docker Trusted Registry</h2>
|
||
|
||
<h3 id="docker-trusted-registry-1-3-3">Docker Trusted Registry 1.3.3</h3>
|
||
|
||
<p>(18 September 2015)</p>
|
||
|
||
<p>This release corrects the following issues in Docker Trusted Registry 1.3.2</p>
|
||
|
||
<ul>
|
||
<li>Fixed an issue related to LDAP integration for users of Oracle Virtual Directory.</li>
|
||
<li>Corrected an issue where Docker Trusted Registry would not accept a given certificate if the configured domain was only in the Subject Alternative Names (SANs) field and not in the Common Name (CN) field of the certificate.</li>
|
||
</ul>
|
||
|
||
<h3 id="docker-trusted-registry-1-3-2">Docker Trusted Registry 1.3.2</h3>
|
||
|
||
<p>(16 September 2015)</p>
|
||
|
||
<p>This release addresses the following change in Docker Trusted Registry 1.3.2 and is only available to customers who purchased DTR through Amazon Web Services (AWS) Marketplace.</p>
|
||
|
||
<ul>
|
||
<li>Docker Trusted Registry (DTR) now supports Amazon Web
|
||
Services (AWS) Integrated Billing. Previously, AWS users were required to
|
||
separately purchase a DTR license from Docker. AWS users can try DTR
|
||
out-of-the-box.</li>
|
||
</ul>
|
||
|
||
<h3 id="docker-trusted-registry-1-3-1">Docker Trusted Registry 1.3.1</h3>
|
||
|
||
<p>(31 August 2015)</p>
|
||
|
||
<p>This release corrects the following issues in Docker Trusted Registry 1.3.0</p>
|
||
|
||
<ul>
|
||
<li>The dashboard page was calculating incorrect stats.</li>
|
||
<li>LDAP group sync failed to handle paginated results for extremely large groups.</li>
|
||
<li>The repo delete endpoint returned incorrect error codes under certain conditions.</li>
|
||
</ul>
|
||
|
||
<h3 id="docker-trusted-registry-1-3-0">Docker Trusted Registry 1.3.0</h3>

<p>(26 August 2015)</p>

<p>This release addresses a few bugs and issues in Docker Trusted Registry 1.2.0 and introduces some new features and functionality, including:</p>

<ul>
<li><p>A completely new user-interface for the Admin application brings Docker Trusted Registry in line with other Docker products and provides greater ease-of-use.</p></li>

<li><p>A new Accounts &amp; Repos API provides new fine-grained role-based access control down to the per-repo level. See the <a href="../docker-trusted-registry/api/">API&rsquo;s documentation</a> for more information.</p></li>

<li><p>Improvements to the handling of configuration changes so that fewer restarts are required.</p></li>

<li><p>Multiple security improvements and bug fixes.</p></li>
</ul>

<h3 id="docker-trusted-registry-1-2-0">Docker Trusted Registry 1.2.0</h3>

<p>(23 July 2015)</p>

<p>This release adds CentOS support and addresses a few bugs and issues in Docker Trusted Registry 1.1.0:</p>

<ul>
<li>Fixes an issue where for certain configurations of Docker Trusted Registry, proxy configuration settings and variables were not being passed to all Docker Trusted Registry containers and thus were not being respected.</li>
<li>Documentation links in the UI now point to correct docs.</li>
<li>Generated support info bundles have been scrubbed to remove highly sensitive data.</li>
<li>Certifies support for CentOS 7.1.</li>
</ul>

<h2 id="commercially-supported-docker-engine">Commercially Supported Docker Engine</h2>

<h3 id="cs-docker-engine-1-6-2-cs7">CS Docker Engine 1.6.2-cs7</h3>

<p>(12 October 2015)</p>

<p>As part of our ongoing security efforts, <a href="http://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7" target="_blank">a vulnerability was discovered</a> that affects the way content is stored and retrieved within the Docker Engine and CS Docker Engine. Today we are releasing a security update that fixes this issue in both Docker Engine 1.8.3 and CS Docker Engine 1.6.2-cs7. The <a href="https://github.com/docker/docker/blob/master/CHANGELOG.md#161-2015-10-12" target="_blank">change log for Docker Engine 1.8.3</a> has a complete list of all the changes incorporated into both the open source and commercially supported releases.</p>

<p>We recommend that users upgrade to CS Docker Engine 1.6.2-cs7. If you are unable to upgrade to CS Docker Engine 1.6.2-cs7 right away, remember to only pull content from trusted sources.</p>

<p>To keep up to date on all the latest Docker Security news, make sure you check out our <a href="http://www.docker.com/docker-security">Security page</a>, subscribe to our mailing list, or find us in #docker-security.</p>

<h3 id="cs-docker-engine-1-6-2-cs6">CS Docker Engine 1.6.2-cs6</h3>

<p>(23 July 2015)</p>

<ul>
<li>Certifies support for CentOS 7.1.</li>
</ul>

<h3 id="cs-docker-engine-1-6-2-cs5">CS Docker Engine 1.6.2-cs5</h3>

<p>(21 May 2015)</p>

<p>For customers running Docker Engine on <a href="https://www.docker.com/enterprise/support/">supported versions of RedHat Enterprise Linux</a> with <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html">SELinux enabled</a>, the <code>docker build</code> and <code>docker run</code> commands will not have DNS host name resolution and bind-mounted volumes may not be accessible. As a result, customers with SELinux will be unable to use hostname-based network access in either <code>docker build</code> or <code>docker run</code>, nor will they be able to <code>docker run</code> containers that use <code>--volume</code> or <code>-v</code> bind-mounts (with an incorrect SELinux label) in their environment. By installing Docker Engine 1.6.2-cs5, customers can use Docker as intended on RHEL with SELinux enabled.</p>

<p>For example, you will see failures like:</p>

<pre><code>[root@dtr ~]# docker -v
Docker version 1.6.0-cs2, build b8dd430
[root@dtr ~]# ping dtr.home.org.au
PING dtr.home.org.au (10.10.10.104) 56(84) bytes of data.
64 bytes from dtr.home.gateway (10.10.10.104): icmp_seq=1 ttl=64 time=0.663 ms
^C
--- dtr.home.org.au ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.078/0.370/0.663/0.293 ms
[root@dtr ~]# docker run --rm -it debian ping dtr.home.org.au
ping: unknown host
[root@dtr ~]# docker run --rm -it debian cat /etc/resolv.conf
cat: /etc/resolv.conf: Permission denied
[root@dtr ~]# docker run --rm -it debian apt-get update
Err http://httpredir.debian.org jessie InRelease

Err http://security.debian.org jessie/updates InRelease

Err http://httpredir.debian.org jessie-updates InRelease

Err http://security.debian.org jessie/updates Release.gpg
Could not resolve 'security.debian.org'
Err http://httpredir.debian.org jessie Release.gpg
Could not resolve 'httpredir.debian.org'
Err http://httpredir.debian.org jessie-updates Release.gpg
Could not resolve 'httpredir.debian.org'
[output truncated]

</code></pre>

<p>or when running a <code>docker build</code>:</p>

<pre><code>[root@dtr ~]# docker build .
Sending build context to Docker daemon 11.26 kB
Sending build context to Docker daemon
Step 0 : FROM fedora
---&gt; e26efd418c48
Step 1 : RUN yum install httpd
---&gt; Running in cf274900ea35

One of the configured repositories failed (Fedora 21 - x86_64),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work &quot;fix&quot; this:

[output truncated]
</code></pre>

<p><strong>Affected Versions</strong>: All previous versions of Docker Engine when SELinux is enabled.</p>

<p>Docker <strong>highly recommends</strong> that all customers running previous versions of Docker Engine update to this release.</p>

<h4 id="how-to-workaround-this-issue"><strong>How to work around this issue</strong></h4>

<p>Customers who choose not to install this update have two options. The first option is to disable SELinux. This is <em>not recommended</em> for production systems where SELinux is typically required.</p>

<p>The second option is to pass the following parameter to <code>docker run</code>.</p>

<pre><code> --security-opt=label:type:docker_t
</code></pre>

<p>This parameter cannot be passed to the <code>docker build</code> command.</p>

<h4 id="upgrade-notes"><strong>Upgrade notes</strong></h4>

<p>When upgrading, make sure you stop Docker Trusted Registry first, perform the Engine upgrade, and then restart Docker Trusted Registry.</p>

<p>If you are running with SELinux enabled, previous Docker Engine releases allowed you to bind-mount additional volumes or files inside the container as follows:</p>

<pre><code> $ docker run -it -v /home/user/foo.txt:/foobar.txt:ro &lt;imagename&gt;
</code></pre>

<p>In the 1.6.2-cs5 release, you must ensure additional bind-mounts have the correct SELinux context. For example, if you want to mount <code>foobar.txt</code> as read-only into the container, do the following to create and test your bind-mount:</p>

<ol>
<li><p>Add the <code>z</code> option to the bind mount when you specify <code>docker run</code>.</p>

<pre><code>$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z &lt;imagename&gt;
</code></pre></li>

<li><p>Exec into your new container.</p>

<p>For example, if your container is <code>bashful_curie</code>, open a shell on the container:</p>

<pre><code>$ docker exec -it bashful_curie bash
</code></pre></li>

<li><p>Use <code>cat</code> to check the permissions on the mounted file.</p>

<pre><code>$ cat /foobar.txt
the contents of foobar appear
</code></pre>

<p>If you see the file&rsquo;s contents, your mount succeeded. If you receive a <code>Permission denied</code> message and/or the <code>/var/log/audit/audit.log</code> file on your Docker host contains an AVC Denial message, the mount did not succeed.</p>

<pre><code>type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm=&quot;cat&quot; name=&quot;foobar.txt&quot; dev=&quot;xvda2&quot; ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
</code></pre>

<p>Recheck your command line to make sure you passed in the <code>z</code> option.</p></li>
</ol>

</description>
</item>
<item>
<title>Support</title>
<link>http://localhost/docker-trusted-registry/support/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/support/</guid>
<description>

<h1 id="commercial-support-options">Commercial Support Options</h1>

<h2 id="how-to-get-support">How to get support</h2>

<p>Purchasing a Docker Trusted Registry License or Commercial Support subscription means your questions and issues about Docker Trusted Registry will receive prioritized support. You can file a ticket through <a href="mailto:support@docker.com">email</a> from your company email address, or visit our <a href="https://support.docker.com">support site</a>. In either case, you&rsquo;ll need to verify your email address, and then you can communicate with the support team either by email or web interface.</p>

<p><strong>The availability of support depends on your <a href="https://www.docker.com/enterprise/support/">support subscription</a></strong></p>

</description>
</item>
<item>
<title>Trusted Registry License</title>
<link>http://localhost/docker-trusted-registry/license/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/license/</guid>
<description>

<h1 id="licensing">Licensing</h1>

<p>To run Docker Trusted Registry, you need a Docker license, obtained either by purchasing Docker Trusted Registry, acquiring a trial license, or through an AWS hourly subscription. If you purchase a license or you have a trial license, it is associated with your free Docker Hub account or Docker Hub organization.</p>

<h2 id="get-your-trusted-registry-license">Get your Trusted Registry License</h2>

<ol>
<li><p>Go to the <a href="https://hub.docker.com/enterprise/">Docker Subscription page</a> and select an edition. After completing a brief registration process, follow the steps to acquire it.</p>

<p><strong>Note</strong>: You may need to disable any pop-up blocker installed on your browser in order to complete the download.</p></li>

<li><p>After acquiring your license, view or download it by logging in to Docker Hub, going to your account settings (gear icon at upper right), and selecting <a href="https://hub.docker.com/account/licenses/">&ldquo;Licenses&rdquo;</a> from the top nav bar. Download the license by clicking the cloud icon.</p></li>
</ol>

<p>The Licenses page displays your currently available licenses and, if you selected the trial license, it also keeps track of how many trial days are remaining.</p>

<p>When installing Docker Trusted Registry, you must first obtain your license, then apply it.</p>

<p><strong>Note</strong>: The Licenses page is where you download the CS engine script by selecting the operating system it needs to run on.</p>

<h2 id="see-also">See also</h2>

<ul>
<li>For information on how to download the CS engine, see <a href="install-csengine.md">Installing the CS engine</a>.</li>
</ul>

</description>
</item>
<item>
<title>Trusted Registry installation overview</title>
<link>http://localhost/docker-trusted-registry/install/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>

<guid>http://localhost/docker-trusted-registry/install/</guid>
<description>

<h1 id="trusted-registry-installation-overview">Trusted Registry Installation Overview</h1>

<p>Docker Trusted Registry is an enterprise-grade on-premise registry bundled with commercially supported Docker Engines (CS Engine). Use Docker Trusted Registry to manage your images, and the commercially supported Docker Engine to create, test, and share your application images. Together, these two Docker products can optimize your continuous integration (CI) and/or software deployment workflows.</p>

<p>Depending on your business requirements, there are two paths available for you to install Docker Trusted Registry (Trusted Registry). This document describes those options and their prerequisites so that you can choose the path best suited to your needs, and it provides the install directions for your selected path.</p>

<h2 id="install-options">Install options</h2>

<p>You can install Trusted Registry on premise or through a cloud provider. Currently, Docker supports installation on any cloud provider.</p>

<h2 id="get-a-license">Get a license</h2>

<p>Docker requires that you obtain a license to use the Trusted Registry. The installation path you choose (on premise or in the cloud) can affect the licensing methods available to you (bring your own license or cloud marketplace).</p>

<p>All installation paths support a license which you buy outright from Docker and apply during the installation process. If you would like, you can get a free trial license that is good for 30 days. To get a free trial or buy a license, go to the <a href="https://hub.docker.com/enterprise/">Subscription page</a> on Docker Hub.</p>

<p>If you are installing on Microsoft Azure, you have the option of installing using the Virtual Hard Disk (VHD) in the Azure Marketplace. You should use a license you bought direct from Docker in this installation.</p>

<p>If you are installing on AWS, you have the option of installing using Amazon Machine Images (AMI). You can use a license you bought direct from Docker with Docker&rsquo;s Bring Your Own License (BYOL) AMI. You can also choose to pay-as-you-go by installing with the AWS Business Day Support (BDS) AMI. Under the BDS model, your license is part of your Amazon Web Services (AWS) Business Support subscription.</p>

<h2 id="plan-your-install">Plan your install</h2>

<p>This section summarizes the process of installing Docker Trusted Registry.</p>

<p><strong>(Option 1) Install on physical infrastructure or a cloud provider</strong></p>

<ul>
<li>Obtain a trial or paid license.</li>
<li>Install the commercially supported Docker Engine.</li>
<li>Install the Trusted Registry.</li>
</ul>

<p><strong>(Option 2) Install using AWS AMI</strong></p>

<ul>
<li>Decide if you are going to bring your own license or use a subscription.</li>
<li>Depending on your choice:
<ul>
<li>Obtain a trial or paid license and install the bring your own license (BYOL) AMI.</li>
<li>Install the pay-as-you-go business day subscription (BDS) AMI.</li>
</ul></li>
</ul>

<p><strong>After installing either option</strong></p>

<ul>
<li>Start the DTR admin console.</li>
<li>If you have a license and not a subscription, install the license.</li>
<li>Configure your DTR installation.</li>
<li>Install additional CS engines on other systems.</li>
</ul>

<p>Remember, your support is based on your type of license. Each license has a single Trusted Registry and one or more CS engines. Your support for CS Engine installations is limited to the number of engines identified by your license.</p>

<p>Docker Trusted Registry requires that you use the latest version of the commercially supported Docker Engine. This means that when you upgrade Trusted Registry, you must also upgrade to the latest CS Engine.</p>

<h2 id="where-to-go-next">Where to go next</h2>

<ul>
<li><p>If you are installing on physical infrastructure or a cloud provider, first install the <a href="../docker-trusted-registry/install/install-csengine/">commercially supported Docker Engine</a> and then go on to install <a href="install-dtry.md">Trusted Registry</a>.</p></li>

<li><p>If you are installing on AWS and would like to use a pre-built AMI and a license you purchased, see <a href="../docker-trusted-registry/install/dtr-ami-byol-launch/">bringing your own license (BYOL)</a>.</p></li>

<li><p>If you are installing on AWS and would like to use the subscription license, see the <a href="../docker-trusted-registry/install/dtr-ami-bds-launch/">pay as you go BDS installation</a>.</p></li>
</ul>

</description>
</item>
</channel>
</rss>