As of 21.09.2016 Docker registry has been replaced by GitLab integrated docker registry:
docker.cern.ch will shutdown on 01.11.2016
Please DO NOT create new repostories, redirect requesters to GitLab
work in progress...
Docker Registry Pilot uses Docker Distribution software installed behind authn/authz apache virtual hosts.
At present only operations supported are adding and removing access to private repositories, as
requested by e-mail to
docker-admins@cernNOSPAMPLEASE.ch (see:
http://docker.cern.ch/howtopr).
User Documentation
All documentation accessible at:
http://docker.cern.ch/
-> Documentation
Configuration
All configuration is puppet managed, see in manifests/files/templates for
it-puppet-hostgroup-linuxsupport
.
-
/etc/cluster/cluster.conf
- RHHA cluster services configuration.
-
/etc/httpd/conf.d/{lxsoft-docker,lxsoft-mirror-docker}.conf
- main httpd configuration.
-
/etc/docker-registry2/{config,config-mirror.yml}
- docker distribution configuration.
-
/mnt/data2/docker/auth/docker-docker-basic-auth
- htpasswd file containing docker:docker
credentials
plus per repository authz config files managed by
dockermgr
- see below.
-
/mnt/data2/docker/auth/authz-registry2.rw.conf
-
/mnt/data2/docker/auth/authz-registry2.ro.conf
-
/mnt/data2/docker/www/config/authz-registry2
-
/mnt/data2/docker/etc/userdata.conf
other files/directories:
-
/mnt/data2/docker/www/
- docker.cern.ch
web site
-
/mnt/data2/docker/registry2
- docker image storage for private registry (do NOT manipulate the content)
-
/mnt/data2/docker/registry2-mirror
- docker image storage for mirror registry (do NOT manipulate the content)
logfiles:
- in
/mnt/data2/docker/logs
(logrotate missing for now!)
cluster services
-
service:lxsoft
- runs httpd virtual hosts docker.cern.ch
and mirror-docker.cern.ch
of lxsoft.cern.ch uses external IPs =lxsoft.cern.ch
, can be running on any cluster member, shared with sshd2
allowing ssh access to lxsoft.cern.ch
-
service:docker
- runs /etc/init.d/docker-registry2
(private registry) and /etc/init.d/docker-registry2-mirror
(mirror registry). Can be running on any cluster member, uses internal IPs lxsoftint02.cern.ch
.
Adding/Removing users/e-groups
Login as
build@lxsoft
and run
/usr/sbin/dockermgr
Add repositories:
-
dockermgr add loginid:loginid[:loginid]
- to add user repository (always use loginid for repository name!)
-
dockermgr add reponame:e-group[:e-group]
- to add group repository (always use -
in reponame, specify short e-group name)
Second, optional, e-group/loginid in commands above is to be used for
private repositories: where pull access requires authentication. This can be same
e-group/loginid as for push access but needs to be defined.
dockermgr
will reload httpd automatically to take into account
changed access rules.
Naming convention: Always request repository name containing a dash (
-
) for
repositories owned by e-groups, to avoid future namespace clashes with usernames !
Note: There is
NO checking if user/e-group exists !
After adding user/group repository please send e-mail to requester:
You should be able to store your images at:
docker.cern.ch/<LOGINID/REPONAME>/
{:}
please review the documentation at:
http://docker.cern.ch/ -> Documentation
for information on howto push docker images to this
repository.
(this should be automated soon)
Remove repositories:
-
dockermgr del loginid:loginid
-
dockermgr del reponame:e-group
dockermgr
will reload httpd automatically to take into account
changed access rules.
Note: This does not remove repository data at present: only
push access to repositories !
Change ownership of repository:
-
dockermgr cho loginid:loginid
-
dockermgr cho reponame:e-group
Change between public and restricted repo types:
Not implemented as of now: use del then add (this does not
affect stored data)
JaroslawPolok - 2016-06-27