Connecting to the Private Container Registry

Before you upload container images, ensure that your local Docker client can access the private container registry.

We recommend using Docker machines in the Open Telekom Cloud to access the container registry in the Open Telekom Cloud. Network connectivity across regions is not always satisfactory, so Docker machines in other clouds or regions may experience poor network quality or even connection timeouts when accessing the registry.

Prerequisites

  • You have registered an account on the management console.
  • Docker 1.10.0 or a later version has been installed.

    You can download Docker at https://www.docker.com/ and install it by following the instructions provided at https://docs.docker.com/engine/installation/.

  • Your valid AK/SK file has been uploaded to the CCE.
  • A Linux machine is available.

    This machine will be used to generate the dockercfg file.

Procedure

  1. Log in to the CCE console. In the navigation pane, choose Container Registry. Record the Container registry address displayed on the Container Registry page.

    If you need to upload images over the intranet, connect to the internally accessible container registry address. This address is statically set to 100.125.1.72:6443.

  2. Log in to your Docker client as the root user.
  3. Authorize the Docker client to access the private container registry.

    NOTE:

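    Docker 17.05.0-ce is an example Docker version. Settings of Docker parameters vary with Docker version and OS. For more information on how to configure Docker parameters, visit https://docs.docker.com/datacenter/dtr/2.0/configure/config-security/. A registry listed as insecure is accessed without TLS certificate verification, so list only the container registry address obtained in 1.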

    • Ubuntu 14.04:

      Run the following command to open the configuration file, then add the container registry address obtained in 1 after --insecure-registry on the DOCKER_OPTS line:

      vi /etc/default/docker

      Expected settings:

      # Use DOCKER_OPTS to modify the daemon startup options.
      DOCKER_OPTS="--insecure-registry {container_registry_address}"

      Run the following command to restart Docker:

      service docker restart

    • Ubuntu 16.04:
      Add the container registry address obtained in 1 as the value of the insecure-registries parameter in the /etc/docker/daemon.json file.
      {
      "insecure-registries": ["{container_registry_address}"]
      }

      Run the following commands to restart Docker:

      systemctl daemon-reload

      service docker restart

    • CentOS and similar distributions (for example, CentOS 7.3):
      NOTE:

      If a cluster node serves as your Docker client, configure Docker parameters in the same manner as when your Docker client runs CentOS or a similar distribution.

      Run the following command to obtain the path in which the Docker configuration file is located:

      service docker status

      At the line starting with Loaded, you will find the path in which the Docker configuration file is located.

      Example command output:

      # service docker status
      Redirecting to /bin/systemctl status docker.service
      docker.service - Docker Application Container Engine
         Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)
         Active: active (running) since Sat 2017-05-20 10:41:14 CST; 16min ago
           Docs: https://docs.docker.com

      Run the following command to open the configuration file, then append --insecure-registry and the container registry address obtained in 1 to the line starting with ExecStart:

      vi /usr/lib/systemd/system/docker.service

      Expected settings:

      [Service]
      Type=notify
      ExecStart=/usr/bin/dockerd  --insecure-registry {container_registry_address}

      Run the following commands to restart Docker:

      systemctl daemon-reload

      service docker restart

    • OSX:

      On the Daemon tab page of Docker GUI, add the container registry address obtained in 1 to the Insecure registries list. Then restart Docker.

    • Windows 10:

      On the Daemon tab page of Docker GUI, add the container registry address obtained in 1 to the Insecure registries list. Then restart Docker.

    • OS Yosemite 10.10.2 or earlier; Windows 7 or earlier:
      1. Run the docker-machine ssh or boot2docker ssh command to log in to your Docker client.
      2. Add the container registry address obtained in 1 to the configuration option EXTRA_ARGS in the /var/lib/boot2docker/profile file of your Docker client.
      EXTRA_ARGS='
      --label provider=virtualbox
      --insecure-registry {container_registry_address}
      '
      CACERT=/var/lib/boot2docker/ca.pem
      DOCKER_HOST='-H tcp://0.0.0.0:2376'
      DOCKER_STORAGE=aufs
      DOCKER_TLS=auto
      SERVERKEY=/var/lib/boot2docker/server-key.pem
      SERVERCERT=/var/lib/boot2docker/server.pem

      Run the following command to restart Docker:

      service docker restart

  4. Download the dockercfg file.

    Method 1:

    In the navigation pane of the CCE console, choose Container Registry. On the Container Registry page, choose Upload Container Image > Download a certificate file to download the dockercfg file.
    Figure 1 Downloading a certificate file
    NOTE:

    After you click Download a certificate file, different browsers will respond differently. For some browsers, the browser downloads the dockercfg file to the local default directory automatically. For other browsers, you are prompted to confirm whether to open or save the downloaded dockercfg file.

    Example content in the dockercfg file:
    {"auths":{"172.20.124.81:443":{"auth":"******","email":""}}}

    In the dockercfg file, 172.20.124.81:443 is an example address of the container registry.

    The dockercfg file contains a container registry address that is externally accessible. If you need to connect to a container registry address that is internally accessible, change the container registry address in the dockercfg file to 100.125.1.72:6443.

    Method 2:

    1. Log in to the Linux machine you have prepared.
    2. Run the following commands to set the AK, SK, and project ID as shell variables on the Linux machine:

      AK={Access_key_ID}

      SK={Secret_access_key}

      PROJECTID={Project_ID}

      In these commands:

      • {Access_key_ID} must be replaced by the AK obtained in 1 in Uploading an AK/SK File.
      • {Secret_access_key} must be replaced by the SK obtained in 1 in Uploading an AK/SK File.
      • {Project_ID} must be replaced by the project ID displayed by choosing My Credential > Project List on the CCE console.
    3. Run the following command to set the container registry address as a shell variable on the Linux machine:

      DOCKER_REGISTRY_IP={container_registry_address}

      In this command, {container_registry_address} must be replaced by the container registry address obtained in 1, for example, DOCKER_REGISTRY_IP=192.168.0.100:5443.

    4. Run the following commands to generate a dockercfg file:

      # Token ID: project ID, AK and a timestamp one year ahead
      AKTMP="$PROJECTID-$AK-`date --date='1 year ' '+%Y%m%d%H%M%S'`"

      # Hex HMAC-SHA256 of the AK, keyed with the SK
      SKTMP=`printf '%s' "$AK" | openssl dgst -binary -sha256 -hmac "$SK" | od -An -vtx1 | tr -d ' \n'`

      # Login password: token ID plus its hex HMAC-SHA256, keyed with SKTMP
      LOGINPWD="$AKTMP-$(printf '%s' "$AKTMP" | openssl dgst -binary -sha256 -hmac "$SKTMP" | od -An -vtx1 | tr -d ' \n')"

      # tr removes the line breaks that base64 inserts every 76 characters
      DOCKERCFG=$(echo -n "_auth_token:$LOGINPWD" | base64 | tr -d ' \n')

      echo "{\"auths\":{\"$DOCKER_REGISTRY_IP\":{\"auth\":\"$DOCKERCFG\",\"email\":\"\"}}}"

  5. Obtain the config.json file, which is used for Dockerhub authentication during image uploading or downloading.

    • Method 1

      If your Docker client is a cluster node, use method 1.

      If this is the first time you log in to a cluster node, replace the initial password with a custom password before login.

      1. Log in to your Docker client as the root user. Run the following command to Base64-decode the value of the auth parameter in the dockercfg file downloaded in 4:

        echo -n {auth} | base64 -d

        NOTE:

        For details about how to use the Base64 encoding and decoding tool in the Windows OS, visit https://support.microsoft.com/lt-lt/help/191239/sample-base-64-encoding-and-decoding.

        Download address of the Base64 encoding and decoding tool: https://sourceforge.net/projects/base64/.

      2. Run the following command to log in to the container registry:

        docker login -u _auth_token -p {_auth_token} {container_registry_address}

        In this command:
        • {_auth_token} must be replaced by the value of the _auth_token parameter obtained in 5.a.
        • {container_registry_address} must be replaced by the actual container registry address.

        Example command:

        docker login -u _auth_token -p ***** {container_registry_address}

        If Login Succeeded is displayed, the command has been successfully run. This command automatically generates the config.json file in the /root/.docker directory.

    • Method 2
      1. Log in to your Docker client as the root user or any other user who is authorized to perform Docker operations. Run the following command to change to the ~/.docker directory in which the config.json file is located:

        cd ~/.docker

        NOTE:
        • If the ~/.docker directory does not exist on the Docker client, run the mkdir -p ~/.docker command to create a new one.
        • If your Docker client runs a Windows operating system, the config.json file is located in the %USERPROFILE%/.docker directory instead of the ~/.docker directory.
      2. Run the following command to open the config.json file, then paste the content of the dockercfg file into it:

        vi config.json

      3. Save the config.json file and exit.
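
An added check, not part of the original guide, for the files produced in steps 4 and 5: it decodes the auth value, confirms it is an _auth_token credential, reads the timestamp that the step 4 commands embed, and flags a file that other users can read. The function names are hypothetical, and treating the timestamp as the end of the token's validity is an assumption based on the date --date='1 year ' call in step 4.

```shell
#!/bin/sh
# Added example (not from the original guide). Timestamp-as-expiry is an assumption.

# Print the Base64 "auth" value stored for one registry in a dockercfg or
# config.json file. Whitespace is stripped first so pretty-printed files work.
auth_for_registry() {    # $1 = file, $2 = registry address
    tr -d ' \t\n' < "$1" |
        sed -n "s|.*\"$2\":{\"auth\":\"\([^\"]*\)\".*|\1|p"
}

# Decode an auth value and print its embedded timestamp (YYYYmmddHHMMSS).
# Layout from step 4, Method 2: _auth_token:PROJECTID-AK-TIMESTAMP-HMACHEX
token_timestamp() {      # $1 = Base64 auth value
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    case $decoded in _auth_token:*) ;; *) return 1 ;; esac
    rest=${decoded%-*}   # drop the trailing HMAC hex field
    stamp=${rest##*-}    # the last remaining field is the timestamp
    case $stamp in ''|*[!0-9]*) return 1 ;; esac
    [ "${#stamp}" -eq 14 ] || return 1
    printf '%s\n' "$stamp"
}

# Check one credential file: warn on loose permissions, then compare the
# token timestamp with "now" ($3, YYYYmmddHHMMSS). Returns 0 valid, 1 expired,
# 2 unusable. Uses GNU stat, as found on the Linux hosts this guide targets.
check_dockercfg() {      # $1 = file, $2 = registry address, $3 = now
    mode=$(stat -c %a "$1") || return 2
    case $mode in *00) ;; *) echo "WARN mode $mode: readable beyond owner" ;; esac
    auth=$(auth_for_registry "$1" "$2")
    [ -n "$auth" ] || { echo "no auth entry for $2"; return 2; }
    stamp=$(token_timestamp "$auth") ||
        { echo "not an _auth_token credential"; return 2; }
    if [ "$stamp" -le "$3" ]; then
        echo "EXPIRED $stamp"
        return 1
    fi
    echo "OK until $stamp"
}

# Usage: check_dockercfg ~/.docker/config.json "$DOCKER_REGISTRY_IP" "$(date +%Y%m%d%H%M%S)"
```

Because the auth value is only Base64-encoded, anyone who can read the file can recover the login password, which is why the check reports any mode that grants access beyond the owner.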