As of 21.09.2016 Docker registry has been replaced by GitLab integrated docker registry:

https://cern.service-now.com/service-portal/view-outage.do?n=OTG0032967

https://cern.service-now.com/service-portal/view-outage.do?&n=OTG0032978

docker.cern.ch will shutdown on 01.11.2016

Please DO NOT create new repostories, redirect requesters to GitLab

work in progress...

Docker Registry Pilot uses Docker Distribution software installed behind authn/authz apache virtual hosts.

At present only operations supported are adding and removing access to private repositories, as requested by e-mail to docker-admins@cernNOSPAMPLEASE.ch (see: http://docker.cern.ch/howtopr).

User Documentation

All documentation accessible at: http://docker.cern.ch/ -> Documentation

Configuration

All configuration is puppet managed, see in manifests/files/templates for it-puppet-hostgroup-linuxsupport.

• /etc/cluster/cluster.conf - RHHA cluster services configuration.
• /etc/httpd/conf.d/{lxsoft-docker,lxsoft-mirror-docker}.conf - main httpd configuration.
• /etc/docker-registry2/{config,config-mirror.yml} - docker distribution configuration.
• /mnt/data2/docker/auth/docker-docker-basic-auth - htpasswd file containing docker:docker credentials

plus per repository authz config files managed by dockermgr - see below.

• /mnt/data2/docker/auth/authz-registry2.rw.conf
• /mnt/data2/docker/auth/authz-registry2.ro.conf
• /mnt/data2/docker/www/config/authz-registry2
• /mnt/data2/docker/etc/userdata.conf

other files/directories:

• /mnt/data2/docker/www/ - docker.cern.ch web site
• /mnt/data2/docker/registry2 - docker image storage for private registry (do NOT manipulate the content)
• /mnt/data2/docker/registry2-mirror - docker image storage for mirror registry (do NOT manipulate the content)

logfiles:

• in /mnt/data2/docker/logs (logrotate missing for now!)

cluster services

• service:lxsoft - runs httpd virtual hosts docker.cern.ch and mirror-docker.cern.ch of lxsoft.cern.ch uses external IPs =lxsoft.cern.ch, can be running on any cluster member, shared with sshd2 allowing ssh access to lxsoft.cern.ch
• service:docker - runs /etc/init.d/docker-registry2 (private registry) and /etc/init.d/docker-registry2-mirror (mirror registry). Can be running on any cluster member, uses internal IPs lxsoftint02.cern.ch.

Adding/Removing users/e-groups

Login as build@lxsoft and run /usr/sbin/dockermgr

Add repositories:

• dockermgr add loginid:loginid[:loginid] - to add user repository (always use loginid for repository name!)
• dockermgr add reponame:e-group[:e-group] - to add group repository (always use - in reponame, specify short e-group name)

Second, optional, e-group/loginid in commands above is to be used for private repositories: where pull access requires authentication. This can be same e-group/loginid as for push access but needs to be defined.

dockermgr will reload httpd automatically to take into account changed access rules.

Naming convention: Always request repository name containing a dash (-) for repositories owned by e-groups, to avoid future namespace clashes with usernames !

Note: There is NO checking if user/e-group exists !

After adding user/group repository please send e-mail to requester:

You should be able to store your images at:

docker.cern.ch/<LOGINID/REPONAME>/{:}

please review the documentation at:

http://docker.cern.ch/ -> Documentation

for information on howto push docker images to this

repository.

(this should be automated soon)

Remove repositories:

• dockermgr del loginid:loginid
• dockermgr del reponame:e-group

dockermgr will reload httpd automatically to take into account changed access rules.

Note: This does not remove repository data at present: only push access to repositories !

Change ownership of repository:

• dockermgr cho loginid:loginid
• dockermgr cho reponame:e-group

Change between public and restricted repo types:

Not implemented as of now: use del then add (this does not affect stored data)

JaroslawPolok - 2016-06-27