
This documentation is for CSC's private Docker registry for EDEN service and is based on the instructions:  https://hub.docker.com/_/registry/

 

# Update the host's (CentOS 7) packages
sudo yum update

1. Setting up storage 

# Create thin pool from LVM (40 GB available, approx. 30 GB allocated)
# with the next steps: 1) create the lvm device, 2) create the physical volume, 3) create the logical volumes, 4) convert the volumes to a thin-pool
fdisk -c -u /dev/sdb
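# In fdisk, issue the following commands:
#   n        (new partition)
#   p        (primary)
#   1        (partition number)
#   <Enter>  (accept the default first cylinder)
#   <Enter>  (accept the default last cylinder)
#   t        (change the partition type)
#   8e       (8e = LVM)
#   w        (write the partition table and exit)
pvcreate /dev/sdb1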
vgcreate docker-vg /dev/sdb1

lvcreate -n docker-pool -L 30G docker-vg -W y

lvcreate -n docker-poolmeta -L 500M docker-vg -W y

lvconvert --type thin-pool --poolmetadata docker-vg/docker-poolmeta docker-vg/docker-pool

 

 

2. Installing Docker Daemon

# Create the user docker with primary group docker (the group must already exist)
useradd -g docker docker
# Create /etc/sysconfig/docker file and add to the file:
OPTIONS="--storage-driver=devicemapper --storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/docker--vg-docker--pool --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true"

# Create the file /etc/systemd/system/docker.service and copy the contents of
# /usr/lib/systemd/system/docker.service into it in order to override the RPM-maintained systemd unit file.
# Then modify the docker.service file under /etc by adding 1) an EnvironmentFile row and 2) the OPTIONS attribute:

 

 

# Check that Docker uses the devicemapper thin pool!
# If it does not, Docker has initialised its setup with a loopback device.
# In that case, run
# rm /var/lib/docker -rvf
# and reboot, then verify the Docker setup!
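
One way to perform the thin-pool check above, as an added example that is not part of the original instructions: a function that classifies `docker info` output. It assumes the Pool Name reported by Docker equals the device-mapper name from dm.thinpooldev (docker--vg-docker--pool); the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): classify `docker info` output.
# Reads `docker info` text on stdin.
# Returns 0 = expected thin pool, 1 = loopback or wrong pool, 2 = other driver.
check_docker_storage() {
    # Assumption: Pool Name equals the device-mapper name used in dm.thinpooldev.
    expected_pool="${1:-docker--vg-docker--pool}"
    info="$(cat)"
    driver="$(printf '%s\n' "$info" | sed -n 's/^ *Storage Driver: *//p' | head -n 1)"
    pool="$(printf '%s\n' "$info" | sed -n 's/^ *Pool Name: *//p' | head -n 1)"

    if [ "$driver" != "devicemapper" ]; then
        echo "FAIL: storage driver is '${driver:-unknown}', expected devicemapper"
        return 2
    fi
    # Loopback setups report the sparse files backing the pool.
    if printf '%s\n' "$info" | grep -Eq '^ *(Data|Metadata) loop file:'; then
        echo "FAIL: devicemapper is backed by loopback files, not the LVM thin pool"
        return 1
    fi
    if [ "$pool" != "$expected_pool" ]; then
        echo "FAIL: pool is '${pool:-none}', expected '$expected_pool'"
        return 1
    fi
    echo "OK: devicemapper thin pool '$pool' in use"
    return 0
}

# Constructed sample: thin pool configured as on this page.
SAMPLE_THIN='Storage Driver: devicemapper
 Pool Name: docker--vg-docker--pool
 Backing Filesystem: xfs
 Data file:
 Metadata file:
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true'

# Constructed sample: Docker fell back to loopback devices.
SAMPLE_LOOP='Storage Driver: devicemapper
 Pool Name: docker-253:0-131073-pool
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata'

printf '%s\n' "$SAMPLE_THIN" | check_docker_storage
printf '%s\n' "$SAMPLE_LOOP" | check_docker_storage || true
# On the host: docker info 2>/dev/null | check_docker_storage
```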

3. Installing Docker Registry

# Copy the certificate to /etc/pki/tls/certs and the key to /etc/pki/tls/private
# Then concatenate the DigiCert intermediate cert to the host cert!
# (example: cat /home/krhaapal/certs/reg_eden_csc_fi.pem /home/krhaapal/certs/DigiCertCA2.pem > reg.eden.csc.fi.crt)
# Generate the htpasswd file for the Registry's basic auth (-B = bcrypt, -b = password given on the command line, -n = print to stdout):
docker run --entrypoint htpasswd registry:2.3.0 -Bbn USERNAMEHERE PASSWDHERE > htpasswd
# Create an env file for the Registry at /opt/docker-registry/reg.env and fill it with the following data:
REGISTRY_HTTP_SECRET=SomePseudoRandomString
REGISTRY_HTTP_TLS_CERTIFICATE=/etc/ssl/certs/reg_eden_csc_fi_crt
REGISTRY_HTTP_TLS_KEY=/etc/ssl/private/reg.exam.csc.fi.key
REGISTRY_AUTH=htpasswd
REGISTRY_AUTH_HTPASSWD_PATH=/opt/docker-registry/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
# NOTE: execute the following to generate a pseudo-random string for the REGISTRY_HTTP_SECRET option above:
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 32
# Now you can try dry-running the Registry.
# DO MAKE SURE YOU FIRST EDIT THE FOLLOWING COMMAND based on the cert paths!
# For readability the command has been split across several lines: remove the line breaks before running.

 

 

# Reload the systemd unit files
systemctl daemon-reload
# Start registry service
systemctl start docker-registry.service
# Check that Registry service is started
systemctl status docker-registry.service -l

 

# It should give you something like this (example):