Deploy a Docker image registry

Deploying your own Docker image registry removes the need for a connection between the Cyberwatch server and the online registry harbor.cyberwatch.fr.

It also gives better control over the image updates that are deployed to the Cyberwatch nodes when the application is updated.

Several methods exist to deploy a working Docker image registry. Two of them are described below.

The first consists of deploying a Harbor registry; the second explains how to deploy a local Docker registry.

The benefit of using Harbor is that it provides a graphical user interface. It also supports image replication and many other features that are not available with a local Docker registry.

The deployment of a Harbor registry is explained in Harbor’s official documentation.

Once the deployment is done, replication rules can be set up to replicate Docker images from the harbor.cyberwatch.fr registry.

Also refer to the Harbor documentation to configure these elements.

Once everything is in place, configure your Cyberwatch nodes to download their Docker images from the newly deployed registry.

Setting up a local Docker registry (old method)

Prerequisites: Docker Compose is required to be able to track the download of Docker images.

  1. Create the docker-compose.yml file:

    cat <<EOF > docker-compose.yml
    version: "3.3"
    services:
      registry:
        restart: always
        image: registry:2
        ports:
          - 5000:5000
        environment:
          - REGISTRY_HTTP_ADDR=0.0.0.0:5000
          - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
          - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
        volumes:
          - "./docker_registry_certs:/certs"
    EOF
    
  2. Run the following commands to generate a self-signed certificate and private key for the registry:

    mkdir docker_registry_certs
    openssl req \
      -newkey rsa:4096 -nodes -sha256 -keyout docker_registry_certs/domain.key \
      -x509 -days 730 -out docker_registry_certs/domain.crt \
      -subj "/C=FR/ST=France/L=Paris/O=Cyberwatch/CN=$(hostname)"
    
  3. Launch the registry container that will be exposed on port 5000:

    docker-compose up -d
    
  4. Create the script that pulls the images from harbor.cyberwatch.fr and pushes them to the local registry using the following command:

    cat <<EOF > pull_push_images.sh
    #!/bin/bash
    # Stop at the first failing pull, tag or push.
    set -e
    cyberwatch_registry="harbor.cyberwatch.fr/cbw-on-premise"
    local_registry="localhost:5000"
    images=("mariadb:stable" "redis" "nginx" "third_parties" "olympe:stable" "repos" "elasticsearch-oss" "kibana-oss" "heimdall")
    # Quote the array expansion so each image name stays a single word.
    for image in "\${images[@]}"
    do
      # Pull from the Cyberwatch registry, retag for the local one, then push.
      docker pull "\$cyberwatch_registry/\$image"
      docker tag "\$cyberwatch_registry/\$image" "\$local_registry/\$image"
      docker push "\$local_registry/\$image"
    done
    EOF
    
  5. Run the script:

    bash pull_push_images.sh
    
  6. Check that the images are present in the local registry. You should obtain a result similar to the one below:

    localhost:5000/third_parties                                     latest    8a46b44fc8ee   12 hours ago        883MB
    localhost:5000/redis                                             latest    bcb761891a54   7 days ago          117MB
    localhost:5000/nginx                                             latest    5c5f7451c390   7 days ago          144MB
    localhost:5000/mariadb                                           stable    e33bfe8524dc   7 days ago          400MB
    localhost:5000/heimdall                                          latest    41947ac9b07c   2 weeks ago         630MB
    localhost:5000/elasticsearch-oss                                 latest    002a4935f8f3   2 weeks ago         1.29GB
    localhost:5000/kibana-oss                                        latest    4d3a08e3a3b4   2 weeks ago         711MB
    localhost:5000/olympe                                            stable    adcd05e87338   2 weeks ago         859MB
    localhost:5000/repos                                             latest    91bc4f226f1c   3 months ago        41.8MB
    

Configure a Cyberwatch node to connect to the newly deployed registry

Once the registry is set up, it is necessary to configure the Cyberwatch nodes to download their images from the new registry.

  1. Modify the CBW_CONTAINER_REGISTRY variable defined in /etc/cyberwatch/config.env so that it points to the new registry:

    CBW_CONTAINER_REGISTRY="IP_REGISTRY:REGISTRY_PORT"
    
  2. Optional: if the registry does not have a valid HTTPS certificate, allow its URL as an insecure registry in the /etc/docker/daemon.json file of the Cyberwatch nodes:

    {
      "insecure-registries" : ["IP_REGISTRY:REGISTRY_PORT"]
    }
    
  3. Restart Docker:

    sudo systemctl restart docker
    
  4. Restart Cyberwatch:

    sudo cyberwatch restart
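
Listing the registry under insecure-registries makes Docker ignore certificate errors for it. As an added example (not part of the Cyberwatch documentation), the script below instead issues the self-signed certificate with a subjectAltName for the address the nodes use, which current Docker versions check in place of the CN, and installs it as that registry's trusted CA under /etc/docker/certs.d. The function names and the overridable paths are assumptions; it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: function names and default paths are assumptions.

# Print the subjectAltName entry for an IPv4 address or a host name.
san_for() {
  case "$1" in
    *[!0-9.]*) printf 'DNS:%s\n' "$1" ;;  # any non-digit, non-dot character: host name
    *)         printf 'IP:%s\n' "$1" ;;
  esac
}

# make_registry_cert HOST DIR [BITS]: self-signed key and certificate whose
# SAN matches HOST, written as DIR/domain.key and DIR/domain.crt.
make_registry_cert() {
  host=$1; dir=$2; bits=${3:-4096}
  if [ -z "$host" ] || [ -z "$dir" ]; then
    echo "usage: make_registry_cert HOST DIR [BITS]" >&2
    return 2
  fi
  mkdir -p "$dir" || return 1
  openssl req -newkey "rsa:$bits" -nodes -sha256 -x509 -days 730 \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" \
    -subj "/CN=$host" -addext "subjectAltName=$(san_for "$host")" || return 1
  chmod 600 "$dir/domain.key"
}

# cert_has_san CRT HOST: succeed only if CRT lists HOST in its SAN extension
# (a CN-only certificate fails here, as it does in Docker).
cert_has_san() {
  want=$(san_for "$2" | sed 's/^IP:/IP Address:/')
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "$want"
}

# trust_registry_cert CRT HOST:PORT [BASE]: run on each node so Docker verifies
# the registry against CRT, with no insecure-registries entry needed.
trust_registry_cert() {
  base=${3:-/etc/docker/certs.d}
  mkdir -p "$base/$2" && cp "$1" "$base/$2/ca.crt"
}

# Usage, with the placeholders used on this page:
#   make_registry_cert IP_REGISTRY docker_registry_certs      # registry host
#   cert_has_san docker_registry_certs/domain.crt IP_REGISTRY && echo "SAN ok"
#   trust_registry_cert domain.crt IP_REGISTRY:REGISTRY_PORT  # each node
```

Restart Docker on the node after installing ca.crt, as in step 3 above.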