Skip to main content

Docker Private Registry Setup (Manual - Without any automation scripts like trow)


Pre-requisites:
>> k8s cluster setup with 1 Master and 2 Worker Nodes.
>> docker is install in all the nodes.
>> static ips for each nodes.

Add the blow entries in the /etc/hosts file of all the nodes.

10.0.1.13 registryserver.mydomain.com
10.0.1.12 registryclient01.mydomain.com
10.0.1.14 registryclient02.mydomain.com

Then in the Registry server node, issue the below command:

Install Docker Registry
#######################

Before starting, you will need a Docker private Registry on registry-server instance. First, download the registry image from the Docker Hub using the following command:

# docker pull registry:2

Once the registry image downloaded, you will need to generate a self-signed certificate for securing Docker Registry. Because, Docker node uses a secure connection over TLS to upload or download images to or from the private registry.

Go to the registry-server and run the following command to generate certificate:

# mkdir /etc/certs
# cd /etc/certs

# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

You will need to copy generated ca.crt certificate to all registry client system for trusting this certificate.

root@dn1:~# cd /etc/docker/certs.d/
root@dn1:/etc/docker/certs.d# mkdir registryserver.mydomain.com:5000/
root@dn1:/etc/docker/certs.d/registryserver.mydomain.com:5000# ls -l
total 4
-rw-r--r-- 1 root root 2114 Nov  7 03:12 ca.crt

root@dn2:~# cd /etc/docker/certs.d/
root@dn2:/etc/docker/certs.d# mkdir registryserver.mydomain.com:5000/
root@dn2:/etc/docker/certs.d/registryserver.mydomain.com:5000# ls -l
total 4
-rw-r--r-- 1 root root 2114 Nov  7 03:12 ca.crt


Now, start Docker registry container with certificate information by running the following command in Registry Server:

docker run -d -p 5000:5000 --restart=always --name DockerRegistry-V2 -v /etc/certs:/etc/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/etc/certs/ca.key registry:2

Now give the below command for checking:

# docker ps | grep registry
76f2a44b7256        registry:2             "/entrypoint.sh /etc…"   3 hours ago         Up 3 hours          0.0.0.0:5000->5000/tcp   DockerRegistry-V2

After this you need to copy the ca.crt file from /etc/certs to /etc/docker/certs.d/registryserver.mydomain.com:5000/ directory.

Then reload the docker service in all the nodes:
# cp /etc/certs/ca.crt      /etc/docker/certs.d/registryserver.mydomain.com:5000/
root@namenode:~# systemctl reload docker
root@dn1:~# systemctl reload docker
root@dn2:~# systemctl reload docker


Now create your own docker image , if it is java application and you have the .jar file & Dockerfile:

cd to the jar file and Dockerfile location.

# sudo docker build --build-arg JAR_FILE=path-to-jar-file/jarfilename.jar .


# sudo docker images
REPOSITORY        TAG       IMAGE ID            CREATED             SIZE
<none>          <none>               57ca77bff947        2 hours ago         307MB

# sudo docker tag 57ca77bff947 registryserver.mydomain.com:5000/myclientimage:v1

root@namenode:~# docker images
REPOSITORY     TAG             IMAGE ID            CREATED             SIZE
registryserver.mydomain.com:5000/myclientimage   v1                  57ca77bff947        3 hours ago         307MB


# sudo docker push registryserver.mydomain.com:5000/myclientimage:v1

# docker pull registryserver.mydomain.com:5000/myclientimage:v1

Now do the pull command from all the registry client servers, and it should work:

# Now create a k8s container using this private registry repository :


# kubectl run my-app --image=registryserver.mydomain.com:5000/myclientimage:v1 --port=8080

root@namenode:~# kubectl get deploy
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
my-app             1/1     1            1           167m


If you get connection refused error while pushing the image to the repository, you have to check the below sections for errors:

root@namenode:/var/lib/docker/containers#

cd to your containerid , then logs will be there.

For kubernetes logs:
#################

cd /var/log/containers/
tail -f kube-controller-manager-namenode.log




Comments

Popular posts from this blog

K8s External Secrets integration between AWS EKS and Secrets Manager(SM) using IAM Role.

What is K8s External Secrets and how it will make your life easier? Before saying about External Secrets we will say about k8s secrets and how it will work. In k8s secrets we will create key value pairs of the secrets and set this as either pod env variables or mount them as volumes to pods. For more details about k8s secrets you can check my blog http://jinojoseph.blogspot.com/2020/08/k8s-secrets-explained.html   So in this case if developers wants to change the ENV variables , then we have to edit the k8s manifest yaml file, then we have to apply the new files to the deployment. This is a tiresome process and also chances of applying to the wrong context is high if you have multiple k8s clusters for dev / stage and Prod deployments. So in-order to make this easy , we can add all the secrets that is needed in the deployment, in the AWS Secret Manager and with the help of External secrets we can fetch and create those secrets in the k8s cluster. So what is K8s external Secret? It i...

Password reset too simplistic/systematic issue

Some time when we try to reset the password of our user in linux it will show as simple and systematic as below: BAD PASSWORD: it is too simplistic/systematic no matter how hard password you give it will show the same. Solution: ######### Check if your password is Ok with the below command, jino@ndz~$ echo 'D7y8HK#56r89lj&8*&^%&^%#56rlKJ!789l' | cracklib-check D7y8HK#56r89lj&8*&^%&^%#56rlKJ!789l: it is too simplistic/systematic Now Create a password with the below command : jino@ndz~$ echo $(tr -dc '[:graph:]' 7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K; You can see that this password will be ok with the cracklib-check. jino@ndz~$ echo '7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;' | cracklib-check                 7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;: OK Thats all, Thanks.

Setting /etc/hosts entries during the initial deployment of an Application using k8s yaml file

Some times we have to enter specific hosts file entries to the container running inside the POD of a kubernetes deployment during the initial deployment stage itself. If these entries are not in place, the application env variables mentioned in the yaml file , as hostnames , will not resolve to the IP address and the application will not start properly. So to make sure the /etc/hosts file entries are already there after the spin up of the POD you can add the below entries in your yaml file. cat > api-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: spec:   template:     metadata:     spec:       volumes:       containers:       - image: registryserver.jinojoseph.com:5000/jinojosephimage:v1.13         lifecycle:           postStart:             exec:               command:...