This shows you the differences between two versions of the page.
services:docker-mirror [2020/06/02 14:26] djgalloway created
services:docker-mirror [2021/01/20 15:50] (current) djgalloway [Renewing the SSL certificate]
Line 4: | Line 4: | ||
I was originally going to create an Ansible playbook to set this up but it was easy enough it wasn't worth the time. | I was originally going to create an Ansible playbook to set this up but it was easy enough it wasn't worth the time. | ||
+ | |||
+ | https://docs.docker.com/registry/recipes/mirror/ | ||
===== Setup Commands ===== | ===== Setup Commands ===== | ||
- | <pre> | + | <code> |
## On reesi001 | ## On reesi001 | ||
ceph auth add client.containers mds 'allow rw path=/containers' mon 'allow r' osd 'allow rw pool=data' | ceph auth add client.containers mds 'allow rw path=/containers' mon 'allow r' osd 'allow rw pool=data' | ||
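Review bot: the OSD cap on the ''ceph auth add'' line grants ''allow rw pool=data'' on the whole pool, which is wider than the MDS cap's ''path=/containers'' restriction; if anything else lives in that pool, scope it down (for example with ''ceph fs authorize <fsname> client.containers /containers rw'', which emits path-restricted MDS caps and filesystem-tagged OSD caps instead of a hand-written pool cap). The ''<pre>'' to ''<code>'' change and the added mirror-recipe link look fine.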
Line 23: | Line 25: | ||
docker run -it --rm --entrypoint cat registry:2 /etc/docker/registry/config.yml > /lrc/config.yml | docker run -it --rm --entrypoint cat registry:2 /etc/docker/registry/config.yml > /lrc/config.yml | ||
# Used example from https://www.cloudkb.net/configure-docker-local-registry-proxy-cache/ | # Used example from https://www.cloudkb.net/configure-docker-local-registry-proxy-cache/ | ||
- | docker run -d --restart=always -p 5000:5000 --name registry-mirror -v /lrc:/var/lib/registry registry:2 /var/lib/registry/config.yml | + | |
- | </pre> | + | # Then used parts of https://medium.com/@ifeanyiigili/how-to-setup-a-private-docker-registry-with-a-self-sign-certificate-43a7407a1613 |
+ | mkdir /lrc/certs | ||
+ | openssl req -newkey rsa:4096 -nodes -sha256 -keyout /lrc/certs/domain.key -x509 -days 3650 -addext "subjectAltName = DNS:docker-mirror.front.sepia.ceph.com" -out /lrc/certs/domain.crt | ||
+ | |||
+ | docker run -d --restart=always -p 5000:5000 --name registry-mirror -e REGISTRY_HTTP_TLS_CERTIFICATE=/var/lib/registry/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/var/lib/registry/certs/domain.key -v /lrc:/var/lib/registry registry:2 /var/lib/registry/config.yml | ||
+ | </code> | ||
Super simple. | Super simple. | ||
===== Using the mirror ===== | ===== Using the mirror ===== | ||
- | <pre> | + | <code> |
# Example using grafana | # Example using grafana | ||
podman pull --tls-verify=false docker-mirror.front.sepia.ceph.com:5000/grafana/grafana | podman pull --tls-verify=false docker-mirror.front.sepia.ceph.com:5000/grafana/grafana | ||
- | </pre> | + | </code> |
+ | |||
+ | Or you can also now just run the [[https://github.com/ceph/ceph-cm-ansible/tree/master/roles/container-host|container-host role]] which will configure ''podman'' and/or ''docker'' to use our mirror for docker.io. | ||
+ | |||
+ | ===== Admin Tasks ===== | ||
+ | ==== Renewing the SSL certiciate ==== | ||
+ | The first time I created the cert, I accidentally left the date out so the cert was only good for a month. The second cert is good for 10 years. | ||
+ | |||
+ | - ''%%root@docker-mirror:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /lrc/certs/domain.key -x509 -days 3650 -addext "subjectAltName = DNS:docker-mirror.front.sepia.ceph.com" -out /lrc/certs/domain.crt%%'' | ||
+ | - Copy the contents of ''/lrc/certs/domain.crt'' and update ''container_mirror_cert'' in https://github.com/ceph/ceph-sepia-secrets/blob/master/ansible/inventory/group_vars/all.yml | ||
+ | - Run ''ansible-playbook container-host.yml'' against the appropriate hosts. | ||
+ | - ''%%root@docker-mirror:~# docker stop registry-mirror; docker rm registry-mirror; docker run -d --restart=always -p 5000:5000 --name registry-mirror -e REGISTRY_HTTP_TLS_CERTIFICATE=/var/lib/registry/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/var/lib/registry/certs/domain.key -v /lrc:/var/lib/registry registry:2 /var/lib/registry/config.yml; docker logs -f registry-mirror%%'' | ||
+ | |||
+ | ===== Other Notes ===== | ||
+ | The mirror logs in to dockerhub using my personal API key. I just have a personal account but docker-mirror was getting rate-limited when anonymous. | ||
+ | |||
+ | <code> | ||
+ | root@docker-mirror:~# cat /lrc/config.yml | ||
+ | version: 0.1 | ||
+ | log: | ||
+ | fields: | ||
+ | service: registry | ||
+ | storage: | ||
+ | cache: | ||
+ | blobdescriptor: inmemory | ||
+ | filesystem: | ||
+ | rootdirectory: /var/lib/registry | ||
+ | http: | ||
+ | addr: :5000 | ||
+ | headers: | ||
+ | X-Content-Type-Options: [nosniff] | ||
+ | health: | ||
+ | storagedriver: | ||
+ | enabled: true | ||
+ | interval: 10s | ||
+ | threshold: 3 | ||
+ | proxy: | ||
+ | remoteurl: https://registry-1.docker.io | ||
+ | username: XXXXX | ||
+ | password: XXXXX | ||
+ | </code> |
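Review bot: the "Using the mirror" example still pulls with ''--tls-verify=false'' even though this revision adds a TLS certificate to the registry and distributes it through ''container_mirror_cert'' and the container-host role; with verification disabled the self-signed cert protects nothing, so once the role has installed the cert the example should drop ''--tls-verify=false'' (or state that it is only for hosts that have not yet run the role). Two smaller points: ''/lrc/config.yml'' now carries the Docker Hub ''username''/''password'' in plaintext in the same bind-mounted directory as ''domain.key'', so the file should be readable by root only and the credential should be a revocable access token for a service account rather than a personal login; and the renewal section's heading misspells "certificate" ("certiciate").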