Jumpstarting Private Docker Registry on FlashBlade

As a project of the open source community, Docker Registry is the subject of constant enhancements and changes vis a vis its operation in private datacenters. In this context, we strive to ensure that customers have a clear and up-to-date picture of how to setup and configure a private Docker Registry-as-a-Service on FlashBlade over NFS in a secured manner. We’ll jump into the details in this blog.

(See also our introduction to the use of Docker Registry and FlashBlade in the CI/CD process.)

Configuring a secured Private Docker Registry on FlashBlade over NFS

By default, Docker images are located in /var/lib/registry on the local machine. However, Docker allows the storage location of a private Docker Registry to be customized. The following steps are required to configure a private Docker Registry on FlashBlade over NFS. Configuring the NFS share on FlashBlade is simple and straightforward.

Proper network configuration is an important requirement for setting up a private Docker Registry on shared infrastructure like FlashBlade. For more information on network settings, refer to the reference architecture – “Registry-as-a-Service on FlashBlade”. Organizations may choose to have a secure or insecure private Docker Registry. openssl is used to configure the ca.crt and ca.key files for the Docker Registry – for instance registry.pure.lab.com, where pure.lab.com is the domain. In contrast to publicly hosted registry services, a private Docker Registry provides additional layers of security, such as integrations with LDAP and OAuth token authorization.

The NFS share is mounted on the /var/lib/registry path from three different nodes where the Docker Swarm cluster is configured. Docker Registry runs as a service on the Swarm cluster.

[root@sn1-r720-g09-17 ~]# cat /etc/fstab

10.21.236.202:/docker /var/lib/registry nfs hard,rw,bg,vers=3,tcp,nolock,timeo=600

[root@sn1-r720-g09-17 ~]# ls -al /var/lib/registry/
total 4
drwxr-xr-x 1 root root 0 Sep 10 10:41 .
drwxr-xr-x. 39 root root 4096 Sep 15 15:10 ..
drwxr-xr-x 1 root root 0 Sep 16 08:16 docker
drwxr-xr-x 1 root root 0 Sep 10 10:41 .fast-remove
drwxr-xr-x 1 root root 0 Sep 10 10:41 .snapshot

The newer versions of docker-17.09-ce and later support Registry v2, with docker-distribution. docker-registry now deprecated. This blog uses docker-18.06-ce.

[root@sn1-r720-g09-17 ~]# systemctl status docker-distribution.service

After a docker-distribution service has been started, it creates a config.yml file by default in the /etc/docker/registry directory. It’s very important to make certain changes to the default settings in the config.yml file, which has the ca.crt and ca.key for a secure private Docker Registry, and which communicates on port 5000 by default.

[[root@sn1-r720-g09-17 ~]# cat /etc/docker-distribution/registry/config.yml
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
tls:
certificate: /certs/ca.crt
key: /certs/ca.key
headers:
X-Content-Type-Options: [nosniff]

There are different ways to configure a private Docker Registry. The following steps highlight one of the ways to go about setup.

[root@sn1-r720-g09-17 ~]# docker pull registry:2

[root@sn1-r720-g09-17 ~]# docker service create –name registry -p 5000 -e DOCKER_REGISTRY_CONFIG=/etc/docker-distribution/registry/config.yml registry:2

Now the private Docker Registry is running on FlashBlade over NFS. The next step is to copy the ca.crt (certificate) from the Registry server to the /etc/docker/certs.d/registry.pure.lab.com:5000 directory on the build node where the Docker images are built. New Docker images can be built or pulled from library/docker and tagged before pushing to the private Docker Registry server.

[root@sn1-r720-g09-15 ~]# docker pull centos

[root@sn1-r720-g09-15 ~]# docker tag centos registry.pure.lab.com:5000/centos

[root@sn1-r720-g09-15 ~]# docker push registry.pure.lab.com:5000/centos

As this is a secured private Docker Registry, https is used to list the images pushed to the Registry along with the location of the ca.crt on the local node. Similarly, to pull any image from the private Docker Registry, the ca.crt is copied in the local /etc/docker/certs.d/registry.pure.lab.com:5000 directory and the docker pull operation is performed.

[root@sn1-r720-g09-15 ~]# curl –cacert /etc/docker/certs.d/registry.pure.lab.com:5000/ca.crt https://registry.pure.lab.com:5000/v2/_catalog

{“repositories”:[“centos”,”debian”,”node”,”wordpress“]}

[root@sn1-r720-g09-15 ~]#

The following video provides a step-by-step demonstration of setup and configuration of Registry-as-a-Service on FlashBlade.

To sum up, the case for workload automation and integration in a private Docker Registry powered by a data hub like FlashBlade is a strong one: organizations get seamless operations for end-users and the ability to run heterogenous workloads – including analytics and AI/ML – concurrently. FlashBlade itself adds the additional benefits of linear performance and capacity scaling, inline data reduction, and cost-efficiency. (See our blogpost Docker Registry and FlashBlade in the CI/CD process for more.)

As the open source version of private Docker registry continues to evolve, we’ll continue to provide essential guidelines for jumpstarting  a secured private Docker Registry over NFS on FlashBlade. The White Paper – Registry-as-a-Service provides more up-to-date information on Private Docker Registry on FlashBlade.