Differences

This shows you the differences between two versions of the page.

--- services:docker-mirror [2020/06/02 14:26]
djgalloway created
+++ services:docker-mirror [2021/01/20 15:50] (current)
djgalloway [Renewing the SSL certiciate]
@@ Line 4: / Line 4: @@
 I was originally going to create an Ansible playbook to set this up but it was easy enough it wasn't worth the time.
+https://docs.docker.com/registry/recipes/mirror/
 ===== Setup Commands =====
-<pre>
+<code>
 ## On reesi001
 ceph auth add client.containers mds 'allow rw path=/containers' mon 'allow r' osd 'allow rw pool=data'
@@ Line 23: / Line 25: @@
 docker run -it --rm --entrypoint cat registry:2 /etc/docker/registry/config.yml > /lrc/config.yml
 # Used example from https://www.cloudkb.net/configure-docker-local-registry-proxy-cache/
-docker run -d --restart=always -p 5000:5000 --name registry-mirror -v /lrc:/var/lib/registry registry:2 /var/lib/registry/config.yml
-</pre>
+# Then used parts of https://medium.com/@ifeanyiigili/how-to-setup-a-private-docker-registry-with-a-self-sign-certificate-43a7407a1613
+mkdir /lrc/certs
+openssl req  -newkey rsa:4096 -nodes -sha256 -keyout /lrc/certs/domain.key -x509 -days 3650 -addext "subjectAltName = DNS:docker-mirror.front.sepia.ceph.com" -out /lrc/certs/domain.crt
+docker run -d --restart=always -p 5000:5000 --name registry-mirror -e REGISTRY_HTTP_TLS_CERTIFICATE=/var/lib/registry/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/var/lib/registry/certs/domain.key -v /lrc:/var/lib/registry registry:2 /var/lib/registry/config.yml
+</code>
 Super simple.
 ===== Using the mirror =====
-<pre>
+<code>
 # Example using grafana
 podman pull --tls-verify=false docker-mirror.front.sepia.ceph.com:5000/grafana/grafana
-</pre>
+</code>
+Or you can also now just run the [[https://github.com/ceph/ceph-cm-ansible/tree/master/roles/container-host|container-host role]] which will configure ''podman'' and/or ''docker'' to use our mirror for docker.io.
+===== Admin Tasks =====
+==== Renewing the SSL certiciate ====
+The first time I created the cert, I accidentally left the date out so the cert was only good for a month.  The second cert is good for 10 years.
+  - ''%%root@docker-mirror:~# openssl req  -newkey rsa:4096 -nodes -sha256 -keyout /lrc/certs/domain.key -x509 -days 3650 -addext "subjectAltName = DNS:docker-mirror.front.sepia.ceph.com" -out /lrc/certs/domain.crt%%''
+  - Copy the contents of ''/lrc/certs/domain.crt'' and update ''container_mirror_cert'' in https://github.com/ceph/ceph-sepia-secrets/blob/master/ansible/inventory/group_vars/all.yml
+  - Run ''ansible-playbook container-host.yml'' against the appropriate hosts.
+  - ''%%root@docker-mirror:~# docker stop registry-mirror; docker rm registry-mirror; docker run -d --restart=always -p 5000:5000 --name registry-mirror -e REGISTRY_HTTP_TLS_CERTIFICATE=/var/lib/registry/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/var/lib/registry/certs/domain.key -v /lrc:/var/lib/registry registry:2 /var/lib/registry/config.yml; docker logs -f registry-mirror%%''
+===== Other Notes =====
+The mirror logs in to dockerhub using my personal API key.  I just have a personal account but docker-mirror was getting rate-limited when anonymous.
+<code>
+root@docker-mirror:~# cat /lrc/config.yml
+version: 0.1
+log:
+  fields:
+    service: registry
+storage:
+  cache:
+    blobdescriptor: inmemory
+  filesystem:
+    rootdirectory: /var/lib/registry
+http:
+  addr: :5000
+  headers:
+    X-Content-Type-Options: [nosniff]
+health:
+   storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3
+proxy:
+  remoteurl: https://registry-1.docker.io
+  username: XXXXX
+  password: XXXXX
+</code>

Sepia Lab Wiki

User Tools

Site Tools

Differences

Page Tools