Using a private docker repository

Image source: www.lifeofpix.com

After setting up docker to work in a private environment with an internet proxy it is now time to create a private on premise docker repository (aka docker registry) to store, version and share docker images.

The public repository (as the name says) is public. If you want to maintaine your confidential docker images the public repository is not the place to do that.

In this post i will explain how to install and setup a local docker repository on Red Hat Enterprise Linux. Installation should be also straight forward on other linux distros.
I recommand using the pre build docker images for the docker registry. Setting up docker registry directly on a host typically leads to strange errors like:

Error: Invalid registry endpoint https://0.0.0.0:5000/v1/: Get https://0.0.0.0:5000/v1/_ping: http: error connecting to proxy http://localhost:3128: dial tcp 127.0.0.1:3128: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 0.0.0.0:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/0.0.0.0:5000/ca.crt

To install your private docker registry execute

docker run -p 5000:5000 -d registry

docker then downloads the needed files (image layers) from the public repository and starts the docker registry.

To push images to your private repository add the repository address to the image tag.
So first pull a docker image from the public repository:

docker pull wasdev/websphere-liberty

Pulling repository wasdev/websphere-liberty

1204ea402069: Pulling dependent layers

511136ea3c5a: Download complete

01bf15a18638: Download complete

30541f8f3062: Download complete

...

ed842b4d44db: Download complete

Status: Downloaded newer image for wasdev/websphere-liberty:latest

Then re-tag it in order to push it in your local private repository

docker tag wasdev/websphere-liberty localhost:5000/websphere-liberty7

Now you can push it to your private repository

docker push localhost:5000/websphere-liberty

The push refers to a repository [localhost:5000/websphere-liberty] (len: 1)

Sending image list

Pushing repository localhost:5000/websphere-liberty (1 tags)

Image 511136ea3c5a already pushed, skipping

01bf15a18638: Pushing [==================>          ] 76.29 MB/201.6 MB 26s

...

1204ea402069: Image successfully pushed

Pushing tag for rev [1204ea402069] on
{http://localhost:5000/v1/repositories/websphere-liberty/tags/latest}

docker recognizes localhost:5000 as a repository. However keep in mind that docker needs a dot (.) or a colon (:) to regonize that you want to push the image to a seperate repository.
The re-tagging is needed as the docker requires that the respository adress name is part of the image name.

Read More

Using Docker behind a proxy

Docker draws currently a lot of attention on the (quite old) linux container concept.
Docker is a lightwight solution for system level virtualisiation which allows the deployment of operating systems and applications to be more portable (e.g. to different cloud platforms).

One usecase is to use docker behind a enterprise proxy system. Some times this proxy systems do SSL/TLS inspection, which means that this systems repleace SSL/TLS certificates.
Docker can be configured to use this proxy systems.

Configuration

To configure docker to work with an http(s) proxy edit the docker system configuration file.

vi /etc/sysconfig/docker

Add the HTTP_PROXY / HTTPS_PROXY environment variables. Authentication is also supported but optional.

export HTTP_PROXY="http://<user>:<password>@<proxy-host>:<proxy-port>"

export HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"

HTTP_PROXY="http://<user>:<password>@<proxy-host>:<proxy-port>"

HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"

If your proxy system uses NTLM / NTLMv2 authentication you have to use an intermediate proxy like cntlm, that handles the actual NTLM authentication. After setting up cntlm simply add the cntlm proxy adress to the docker system configuration file.

export HTTP_PROXY="http://localhost:3128"

export HTTPS_PROXY="http://localhost:3128"

HTTP_PROXY="http://localhost:3128"

HTTPS_PROXY="http://localhost:3128"

It is currently the best to add both variants - one time with "export" and one time without it.
The "export" is needed when starting docker with the services utitility (service docker start). When starting docker with the old init.d scripts (/etc/rc.d/init.d/docker start) export is not needed.
When the proxy settings are ignored docker prints out:

dial tcp 162.242.195.84:443: connection timed out

If the proxy system does SSL/TLS inspection, the proxy usually signs the particular server certificate with its own proxy root certificates.
This leads to the following docker exception when you try to pull images from the public docker repository:

x509: certificate signed by unknown authority

To solve this add the proxy root certificate to the trusted certificates of your docker host (underlying linux systems that hosts docker binaries). However the setup depends on your linux distribution.
I will explain it based on CentOS Linux (and Red Hat Enterprise Linux).
First copy the proxy root certificate to the ca-trust area.

cp /tmp/<proxy-root-certificate>.crt /etc/pki/ca-trust/source/anchors/
 
Then update the trusted certificates 

update-ca-trust extract
  
After that docker needs to be restarted.

service docker restart

Further readings:

http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767441 

Read More