Deploy a Docker images registry

Deploying your own Docker image registry removes the need for a connection between the Cyberwatch server and the online image registry harbor.cyberwatch.fr.

It also makes it easier to manage the image updates that are deployed to the Cyberwatch nodes during application updates.

There are several ways to deploy a working Docker image registry. Two of them are described below.

The first consists of deploying a Harbor registry; the second explains how to deploy a local Docker registry.

The benefit of using Harbor is that it provides a graphical user interface. It also supports image replication and many other features that are not available with a local Docker registry.

The deployment of a Harbor registry is explained in Harbor's official documentation.

Once the deployment is done, replication rules can be set up to replicate Docker images from the harbor.cyberwatch.fr registry.

Also refer to the Harbor documentation to configure these elements.

Once everything is in place, configure your Cyberwatch nodes to download their Docker images from the newly deployed registry.

Setting up a local Docker registry (old method)

Prerequisite: docker compose is required to track the download of Docker images.

  1. Create the docker-compose.yml file:

    cat <<EOF > docker-compose.yml
    version: "3.3"
    services:
      registry:
        restart: always
        image: registry:2
        ports:
          - 5000:5000
        environment:
          - REGISTRY_HTTP_ADDR=0.0.0.0:5000
          - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
          - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
        volumes:
          - "./docker_registry_certs:/certs"
    EOF
    
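  2. Run the following commands to create the certificate directory and generate a self-signed certificate and key for the registry: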

    mkdir docker_registry_certs
    openssl req \
      -newkey rsa:4096 -nodes -sha256 -keyout docker_registry_certs/domain.key \
      -x509 -days 730 -out docker_registry_certs/domain.crt \
      -subj "/C=FR/ST=France/L=Paris/O=Cyberwatch/CN=$(hostname)"
    
  3. Launch the registry container that will be exposed on port 5000:

    docker-compose up -d
    
  4. Log in to harbor.cyberwatch.fr with the provided credentials:

    docker login harbor.cyberwatch.fr
    
  5. Create the script that pulls the images from harbor.cyberwatch.fr and pushes them to the local registry using the following command:

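    # The delimiter is quoted so that $variables are written to the script as-is
    # instead of being expanded (to empty strings) by the current shell.
    cat <<'EOF' > pull_push_images.sh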
    #!/bin/bash
    set -e
    cyberwatch_registry="harbor.cyberwatch.fr/cbw-on-premise"
    local_registry="localhost:5000"
    images=("redis" "nginx" "olympe" "heimdall")
    for image in "${images[@]}"
    do
       echo "Pulling $cyberwatch_registry/$image ..."
       docker pull "$cyberwatch_registry/$image"
       echo "Tagging $cyberwatch_registry/$image to $local_registry/$image ..."
       docker tag "$cyberwatch_registry/$image" "$local_registry/$image"
       echo "Pushing $local_registry/$image ..."
       docker push "$local_registry/$image"
    done
    EOF
    
  6. Run the script:

    bash pull_push_images.sh
    
  7. Check the presence of the images on the local registry:

You should obtain a result similar to the one below:

   localhost:5000/redis                                             latest    bcb761891a54   7 days ago          117MB
   localhost:5000/nginx                                             latest    5c5f7451c390   7 days ago          144MB
   localhost:5000/heimdall                                          latest    41947ac9b07c   2 weeks ago         630MB
   localhost:5000/olympe                                            latest    adcd05e87338   2 weeks ago         859MB

Configure a Cyberwatch node to connect to the newly deployed registry

Once the registry is set up, it is necessary to configure the Cyberwatch nodes to download their images from the new registry.

  1. Modify the CBW_CONTAINER_REGISTRY variable in /etc/cyberwatch/config.env so that it points to the new registry:

    CBW_CONTAINER_REGISTRY="IP_REGISTRY:REGISTRY_PORT"
    
  2. Optional: if the registry does not have a valid HTTPS certificate, allow its address as an insecure registry in the /etc/docker/daemon.json file of the Cyberwatch nodes (Docker then ignores certificate errors for that registry):

    {
      "insecure-registries" : ["IP_REGISTRY:REGISTRY_PORT"]
    }
    
  3. Restart Docker:

    sudo systemctl restart docker
    
  4. Restart Cyberwatch:

    sudo cyberwatch restart
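
To see which trust mode a node ends up in after steps 1 and 2, the following added example (not part of the Cyberwatch documentation) reads copies of config.env and daemon.json and reports whether the configured registry is listed under insecure-registries, has a CA file in Docker's per-registry directory /etc/docker/certs.d/<host:port>/ca.crt, or relies on the system CA store. The function names, the 192.0.2.10:5000 address and the sample files are constructed for the illustration; the certs.d location is Docker's own convention and is not mentioned on this page.

```sh
#!/bin/sh
# Added example: report how a node will trust the registry it is configured for.
# File paths are arguments so the check can run on copies of the real files.

# Value of CBW_CONTAINER_REGISTRY in a config.env-style file (last one wins).
registry_from_env() {
    sed -n 's/^[[:space:]]*CBW_CONTAINER_REGISTRY=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Entries of "insecure-registries" in daemon.json, one per line.
# Assumes a flat array of plain strings, as in step 2.
insecure_registries() {
    [ -f "$1" ] || return 0
    tr -d ' \t\r\n' < "$1" |
        sed -n 's/.*"insecure-registries":\[\([^]]*\)\].*/\1/p' |
        tr ',' '\n' | tr -d '"'
}

# trust_mode CONFIG_ENV DAEMON_JSON CERTS_D
# Prints insecure (certificate errors ignored), pinned-ca (ca.crt present for
# this registry), system-ca (normal verification), or unset.
trust_mode() {
    reg=$(registry_from_env "$1")
    [ -n "$reg" ] || { echo "unset"; return 1; }
    if insecure_registries "$2" | grep -Fxq -- "$reg"; then
        echo "insecure"
    elif [ -f "$3/$reg/ca.crt" ]; then
        echo "pinned-ca"
    else
        echo "system-ca"
    fi
}

# Demo on constructed files (192.0.2.10:5000 is a documentation address).
demo=$(mktemp -d)
printf 'CBW_CONTAINER_REGISTRY="192.0.2.10:5000"\n' > "$demo/config.env"
printf '{\n  "insecure-registries" : ["192.0.2.10:5000"]\n}\n' > "$demo/daemon.json"
echo "after step 2: $(trust_mode "$demo/config.env" "$demo/daemon.json" "$demo/certs.d")"
# Same node with the exception removed and a CA file in place instead.
echo '{}' > "$demo/daemon.json"
mkdir -p "$demo/certs.d/192.0.2.10:5000"
: > "$demo/certs.d/192.0.2.10:5000/ca.crt"   # empty stand-in for the registry's CA certificate
echo "with ca.crt:  $(trust_mode "$demo/config.env" "$demo/daemon.json" "$demo/certs.d")"
rm -rf "$demo"
```

On a node, the equivalent call is `trust_mode /etc/cyberwatch/config.env /etc/docker/daemon.json /etc/docker/certs.d`.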
    
