Deploy a Docker images registry
Deploying your own Docker images registry removes the need for a connection between the Cyberwatch server and the online images registry harbor.cyberwatch.fr.
It also gives you better control over the image updates that will be deployed on the Cyberwatch nodes when the application is updated.
Several methods exist to deploy a working Docker images registry. Two of them are described in the documentation below.
The first one consists of deploying a Harbor registry; the second one explains how to deploy a local Docker registry.
The benefit of using Harbor is that it provides a graphical user interface. It can also be used for image replication and offers many other features that are not available with a local Docker registry.
Deploy the Harbor registry (recommended)
The deployment of a Harbor registry is explained in Harbor's official documentation.
Once the deployment is done, replication rules can be set up to replicate Docker images from the harbor.cyberwatch.fr registry.
Also refer to the Harbor documentation to configure these elements.
Once everything is in place, configure your Cyberwatch nodes to download their Docker images from the newly deployed registry.
Setting up a local Docker registry (old method)
Prerequisites: docker compose is necessary to be able to track the download of Docker images.
Create the docker-compose.yml file:

    cat <<EOF > docker-compose.yml
    version: "3.3"
    services:
      registry:
        restart: always
        image: registry:2
        ports:
          - 5000:5000
        environment:
          - REGISTRY_HTTP_ADDR=0.0.0.0:5000
          - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
          - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
        volumes:
          - "./docker_registry_certs:/certs"
    EOF

Run the following commands to create the certificate directory and generate the self-signed certificate and private key that the registry will use for TLS:

    mkdir docker_registry_certs
    openssl req \
      -newkey rsa:4096 -nodes -sha256 -keyout docker_registry_certs/domain.key \
      -x509 -days 730 -out docker_registry_certs/domain.crt \
      -subj "/C=FR/ST=France/L=Paris/O=Cyberwatch/CN=$(hostname)"

Launch the registry container that will be exposed on port 5000:

    docker-compose up -d

Log in to harbor.cyberwatch.fr with the provided credentials:

    docker login harbor.cyberwatch.fr

Create the script that pulls the images from harbor.cyberwatch.fr and pushes them to the local registry using the following command. The heredoc delimiter is quoted ('EOF') so that the variables are written to the script literally instead of being expanded by the current shell:

    cat <<'EOF' > pull_push_images.sh
    #!/bin/bash
    # Stop at the first failing pull, tag or push
    set -e

    cyberwatch_registry="harbor.cyberwatch.fr/cbw-on-premise"
    local_registry="localhost:5000"
    images=("redis" "nginx" "olympe" "heimdall")

    # Mirror each image: pull from Cyberwatch, retag, push to the local registry
    for image in "${images[@]}"
    do
        echo "Pulling $cyberwatch_registry/$image ..."
        docker pull "$cyberwatch_registry/$image"
        echo "Tagging $cyberwatch_registry/$image to $local_registry/$image ..."
        docker tag "$cyberwatch_registry/$image" "$local_registry/$image"
        echo "Pushing $local_registry/$image ..."
        docker push "$local_registry/$image"
    done
    EOF

Run the script:

    bash pull_push_images.sh

Check the presence of the images on the local registry. You should obtain a result similar to the one below:

    localhost:5000/redis      latest   bcb761891a54   7 days ago    117MB
    localhost:5000/nginx      latest   5c5f7451c390   7 days ago    144MB
    localhost:5000/heimdall   latest   41947ac9b07c   2 weeks ago   630MB
    localhost:5000/olympe     latest   adcd05e87338   2 weeks ago   859MB

Configure a Cyberwatch node to connect to the newly deployed registry
Once the registry is set up, it is necessary to configure the Cyberwatch nodes to download their images from the new registry.
Modify the CBW_CONTAINER_REGISTRY variable defined in the /etc/cyberwatch/config.env file in order to define the access to the new registry:

    CBW_CONTAINER_REGISTRY="IP_REGISTRY:REGISTRY_PORT"

Optional: if the registry does not have a valid HTTPS certificate, allow its URL as an insecure registry in the /etc/docker/daemon.json file of the Cyberwatch nodes:

    { "insecure-registries" : ["IP_REGISTRY:REGISTRY_PORT"] }

Restart Docker:

    sudo systemctl restart docker

Restart Cyberwatch:

    sudo cyberwatch restart
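
The node configuration above can be reviewed with a short script. This is an added example, not part of the Cyberwatch documentation or product: it reads the content of config.env and daemon.json and reports whether TLS verification is disabled for the configured registry and whether other insecure-registries entries remain. The function names and sample values are hypothetical, and matching is modelled as an exact host:port name or CIDR containment, without DNS resolution.

```python
import ipaddress
import json

# Constructed sample file contents (not taken from a real node)
SAMPLE_ENV = 'CBW_CONTAINER_REGISTRY="10.0.0.5:5000"\n'
SAMPLE_DAEMON = '{"insecure-registries": ["10.0.0.5:5000", "192.168.1.0/24"]}'


def read_registry(config_env_text):
    """Return the CBW_CONTAINER_REGISTRY value from config.env content, or None."""
    for line in config_env_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "CBW_CONTAINER_REGISTRY":
            return value.strip().strip("\"'")
    return None


def is_insecure(registry, entries):
    """True if an insecure-registries entry covers `registry` (host[:port]).

    Assumption: entries match by exact name, or by CIDR when the host is an
    IP literal; hostnames are not resolved so the check stays offline.
    """
    host = registry.rsplit(":", 1)[0] if ":" in registry else registry
    for entry in entries:
        if entry == registry:
            return True
        try:
            if "/" in entry and ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # entry is not a valid CIDR, or host is not an IP literal
    return False


def audit(config_env_text, daemon_json_text):
    """Return a list of findings for the two node configuration files."""
    registry = read_registry(config_env_text)
    entries = json.loads(daemon_json_text or "{}").get("insecure-registries", [])
    findings = []
    if registry is None:
        findings.append("CBW_CONTAINER_REGISTRY is not set")
    elif is_insecure(registry, entries):
        findings.append(f"TLS verification is disabled for {registry}")
    for entry in entries:
        if registry is None or not is_insecure(registry, [entry]):
            findings.append(f"unused insecure-registries entry: {entry}")
    return findings
```

A registry listed under insecure-registries is contacted without certificate verification, so a finding for the configured registry means image pulls are not authenticated. Docker can instead trust a self-signed registry certificate placed at /etc/docker/certs.d/IP_REGISTRY:REGISTRY_PORT/ca.crt on each node.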