forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocker-registry.html.md.erb
82 lines (50 loc) · 4.67 KB
/
docker-registry.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
---
title: Using Docker Registries
owner: Ops Manager
---
<strong><%= modified_date %></strong>
This topic describes how to configure your Docker registries, such as Docker Hub, with Pivotal Cloud Foundry (PCF).
To use Docker registries, you must choose either to submit your root certificate authority (CA) certificate or provide the IP address for your Docker registry.
PCF does not support using Docker registries that require user credentials.
**Prerequisite**: Ensure that you have enabled Docker support in PCF with the `cf enable-feature-flag diego_docker` command, as described in the [Using Docker in Cloud Foundry](../adminguide/docker.html) topic.
## <a id='ops-man'></a> Use a CA Certificate
If you provide your root CA certificate in the Ops Manager configuration, follow this procedure:
1. In the **PCF Ops Manager Installation Dashboard**, click the **Ops Manager Director** tile.
1. Click **Security**.
<%= image_tag("images/docker-registry-ops-man.png") %>
1. In the **Trusted Certificates** field paste one or more root CA certificates.
The Docker registry does not use the CA certificate itself but uses a certificate that is signed by the CA certificate.
1. Click **Save**.
1. If you are:
- Configuring Ops Manager Installation for the first time, return to your specific IAAS configuration to continue the installation process.
- Modifying an existing Ops Manager installation, return to the **PCF Ops Manager Installation Dashboard** and click **Apply Changes**.
After configuration, BOSH propagates this CA certificate to all application containers in your deployment.
You can then push and pull images from your Docker registries.
## <a id='ert'></a> Use an IP Address Whitelist
If you choose not to provide a CA certificate, you must provide the IP address of your Docker registry.
<p class="note"><strong>Note</strong>: Using a whitelist skips SSL validation.
If you want to enforce SSL validation, enter the IP address of the Docker registry in the <strong>No proxy</strong> field described <a href='#proxy'>below</a>.
1. Navigate to the PCF Operations Manager **Installation Dashboard**.
1. Click the **Pivotal Elastic Runtime** tile, and navigate to the **Application Containers** tab.
<%= image_tag("images/docker-registry-ert.png") %>
1. Select **Enable Custom Buildpacks** to enable custom-built application runtime buildpacks.
1. Select **Allow SSH access to app containers** to enable app containers to accept SSH connections. If you are using a load balancer instead of HAProxy, you must open port 2222 on your load balancer to enable SSH traffic. To open an SSH connection to an app, a user must have Space Developer privileges for that app's space. Operators can grant those privileges in Apps Manager or via the cf CLI.
1. For **Private Docker Insecure Registry Whitelist**, provide the hostname or IP address and port that point to your private Docker registry. For example, enter `198.51.100.1:80` or `mydockerregistry.com:80`. Enter multiple entries in a comma-delimited sequence. SSL validation is ignored for private Docker image registries secured with self-signed certificates at these locations.
1. Under **Docker Images Disk-Cleanup Scheduling on Cell VMs**, choose one of the following:
* **Never Cleanup Cell Disk-space**
* **Routinely Cleanup Cell Disk-space**
* **Cleanup disk-space once threshold is reached**: If you choose this option, enter the amount of disk space the Cell must reach before disk cleanup initiates under **Threshold of Disk-Used (MB)**.
1. Click **Save**.
1. If you are:
- Configuring Elastic Runtime for the first time, return to your specific IaaS configuration to continue the installation process.
- Modifying an existing Elastic Runtime installation, return to the PCF Ops Manager Installation Dashboard and click **Apply Changes**.
After configuration, Elastic Runtime allows Docker images to come through the specified IP address without checking certificates.
## <a id='proxy'></a>Set Proxies for Docker Registries
1. On the Installation Dashboard, navigate to USERNAME > **Settings** > **Proxy Settings**.
<%= image_tag("install-dash-settings.png") %>
2. On the **Update Proxy Settings** pane, complete one of the following fields:
+ **Http proxy**: If you have an HTTP proxy server for your Docker registry, enter its IP address.
+ **Https proxy**: If you have an HTTPS proxy server for your Docker registry, enter its IP address.
+ **No proxy**: If you do not use a proxy server, enter the IP address for the Docker registry. This field may already contain proxy settings for the BOSH Director. Enter multiple IP addresses as a comma-separated list.
<%= image_tag("update-proxy-settings.png") %>
3. Click **Update**.