Deploy a Docker images registry
Deploying your own Docker image registry removes the need for a connection between the Cyberwatch server and the online image registry harbor.cyberwatch.fr.
It can also provide ways to better handle the image updates that will be deployed on the Cyberwatch nodes for application updates.
Several methods exist to deploy a working Docker image registry. Two of them are described below.
The first one consists of deploying a Harbor registry; the second one explains how to deploy a local Docker registry.
The benefit of using Harbor is that it provides a graphical user interface. It can also be used for image replication and offers many other features that are not available with a local Docker registry.
Deploy the Harbor registry (recommended)
The deployment of a Harbor registry is explained in Harbor's official documentation.
Once the deployment is done, replication rules can be set up to replicate Docker images from the harbor.cyberwatch.fr registry.
Also refer to the Harbor documentation to configure these elements.
Once everything is in place, configure your Cyberwatch nodes to download their Docker images from the newly deployed registry.
Setting up a local Docker registry (old method)
Prerequisites: docker compose is necessary to be able to track the download of Docker images.
Create the docker-compose.yml file:

```
cat <<EOF > docker-compose.yml
version: "3.3"
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - 5000:5000
    environment:
      - REGISTRY_HTTP_ADDR=0.0.0.0:5000
      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
      - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
    volumes:
      - "./docker_registry_certs:/certs"
EOF
```
Run the following commands to create the certificate directory and generate a self-signed certificate and key for the registry:

```
mkdir docker_registry_certs
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout docker_registry_certs/domain.key \
  -x509 -days 730 -out docker_registry_certs/domain.crt \
  -subj "/C=FR/ST=France/L=Paris/O=Cyberwatch/CN=$(hostname)"
```
Launch the registry container that will be exposed on port 5000:

```
docker-compose up -d
```
Create the script that pulls the images from harbor.cyberwatch.fr and pushes them to the local registry using the following command:

```
cat <<EOF > pull_push_images.sh
#!/bin/bash
set -e

cyberwatch_registry="harbor.cyberwatch.fr/cbw-on-premise"
local_registry="localhost:5000"
images=("mariadb:stable" "redis" "nginx" "third_parties" "olympe:stable" "repos" "elasticsearch-oss" "kibana-oss" "heimdall")

# Pull each image from the Cyberwatch registry, retag it and push it to the local registry
for image in "\${images[@]}"
do
    docker pull "\$cyberwatch_registry/\$image"
    docker tag "\$cyberwatch_registry/\$image" "\$local_registry/\$image"
    docker push "\$local_registry/\$image"
done
EOF
```
Run the script:

```
bash pull_push_images.sh
```
Check the presence of the images on the local registry. You should obtain a result similar to the one below:

```
localhost:5000/third_parties       latest   8a46b44fc8ee   12 hours ago   883MB
localhost:5000/redis               latest   bcb761891a54   7 days ago     117MB
localhost:5000/nginx               latest   5c5f7451c390   7 days ago     144MB
localhost:5000/mariadb             stable   e33bfe8524dc   7 days ago     400MB
localhost:5000/heimdall            latest   41947ac9b07c   2 weeks ago    630MB
localhost:5000/elasticsearch-oss   latest   002a4935f8f3   2 weeks ago    1.29GB
localhost:5000/kibana-oss          latest   4d3a08e3a3b4   2 weeks ago    711MB
localhost:5000/olympe              stable   adcd05e87338   2 weeks ago    859MB
localhost:5000/repos               latest   91bc4f226f1c   3 months ago   41.8MB
```
Configure a Cyberwatch node to connect to the newly deployed registry
Once the registry is set up, it is necessary to configure the Cyberwatch nodes to download their images from the new registry.
Modify the CBW_CONTAINER_REGISTRY variable defined in the /etc/cyberwatch/config.env file in order to define the access to the new registry:

```
CBW_CONTAINER_REGISTRY="IP_REGISTRY:REGISTRY_PORT"
```
Optional: if the registry does not have a valid HTTPS certificate, allow its URL as an insecure registry in the /etc/docker/daemon.json file of the Cyberwatch nodes. Docker then no longer verifies the certificate presented by this registry.

```
{
  "insecure-registries" : ["IP_REGISTRY:REGISTRY_PORT"]
}
```
Restart docker:

```
sudo systemctl restart docker
```
Restart Cyberwatch:

```
sudo cyberwatch restart
```
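
The optional insecure-registries step above turns off certificate verification for every registry the list matches, so it is worth checking on each node that the list covers only what is intended. The following Python script is an added example, not part of the Cyberwatch documentation: it reads the text of a node's config.env and daemon.json and reports whether the registry set in CBW_CONTAINER_REGISTRY is matched by an insecure entry, including CIDR entries and the loopback range that Docker always treats as insecure. The function names and sample values are constructed for illustration, and DNS names are not resolved.

```python
# Added example: audits constructed copies of a node's two config files.
import ipaddress
import json
import shlex

LOOPBACK = "127.0.0.0/8"  # Docker always treats loopback registries as insecure

def registry_from_env(text):
    """Return the last CBW_CONTAINER_REGISTRY value in config.env text, or None."""
    value = None
    for line in text.splitlines():
        key, sep, rest = line.strip().partition("=")
        if sep and key == "CBW_CONTAINER_REGISTRY":
            tokens = shlex.split(rest, comments=True)  # drops quotes and comments
            value = tokens[0] if tokens else ""
    return value

def covers(entry, registry):
    """True if an insecure-registries entry (host:port or CIDR) matches registry."""
    if entry == registry:
        return True
    if "/" not in entry:
        return False  # non-CIDR entries must match host:port exactly
    host = registry.rsplit(":", 1)[0]  # assumes HOST:PORT, no bracketed IPv6
    if host == "localhost":
        host = "127.0.0.1"  # simplification: no DNS lookup is done here
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # host is a DNS name, or entry is not a valid CIDR
        return False

def audit(config_env, daemon_json):
    """Return (registry, findings) for one node's config.env and daemon.json text."""
    registry = registry_from_env(config_env)
    if not registry:
        return registry, ["CBW_CONTAINER_REGISTRY is not set"]
    insecure = json.loads(daemon_json or "{}").get("insecure-registries", [])
    findings = []
    for entry in insecure + [LOOPBACK]:
        if covers(entry, registry):
            findings.append(f"{registry}: TLS not verified (matched {entry})")
        elif entry != LOOPBACK:
            findings.append(f"{entry}: insecure entry not used by this node")
    return registry, findings

# Constructed sample input (documentation-range addresses)
SAMPLE_ENV = 'CBW_CONTAINER_REGISTRY="192.0.2.10:5000"\n'
SAMPLE_DAEMON = '{"insecure-registries": ["192.0.2.10:5000", "198.51.100.0/24"]}'
if __name__ == "__main__":
    print(audit(SAMPLE_ENV, SAMPLE_DAEMON))
```

An empty findings list means the node verifies the registry certificate, which requires the registry to present a certificate the node trusts.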