Installing private docker registry for off-line use
This is in preparation for installing off-line Elastic Cloud Enterprise.
References
Preparation
This setup requires 3 servers
- Server A: internet connected where we'll gather our source docker images
- Server B: Off-line, where we'll host our Docker private registry
- Server C: Off-line, where we'll pull from our Server B's registry
We assume that you have local repo that is available to download Docker software.
Setup
On all three servers
- (Optional) If you don't have RHEL subscription, you'll need to add CentOS-extras
- Create this file: /etc/yum.repos.d/centos.repo
- Add this content to it:
[CentOS-extras] name=CentOS-7-Extras mirrorlist=http://mirrorlist.centos.org/?release=7&arch=$basearch&repo=extras&infra=$infra #baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/ gpgcheck=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
- Disable SELINUX (if you don't disable, you have to permit Docker to register port)
- Go to this file: /etc/selinux/config
- Update this line:
SELINUX=permissive
- (Optional) Disable IPTABLES - you can also just open up ports for Docker use
chkconfig iptables off service iptables stop
- Install Docker from Repo
yum install docker
- Enable Docker service
sudo systemctl enable docker.service - Start Docker Services
sudo systemctl start docker.service
- To check status
sudo systemctl status docker.service
On Server A (with internet connection)
- Pull down necessary images
docker pull registry-1.docker.io/distribution/registry:2.0 docker pull docker.elastic.co/cloud-enterprise/elastic-cloud-enterprise:1.1.4 docker pull docker.elastic.co/cloud-assets/elasticsearch:6.3.0-0 docker pull docker.elastic.co/cloud-assets/kibana:6.3.0-0
- Save all the images to current directory
docker save -o registry2.docker registry-1.docker.io/distribution/registry:2.0 docker save -o ece_1.1.4.docker docker.elastic.co/cloud-enterprise/elastic-cloud-enterprise:1.1.4 docker save -o es_6.3 docker.elastic.co/cloud-assets/elasticsearch:6.3.0-0 docker save -o kibana_6.3.docker docker.elastic.co/cloud-assets/kibana:6.3.0-0
- If you've made any error, you can delete images via this command you can provide individual image ID or clear all
docker rmi $(docker images -a -q)
- You can list all images via this command
docker images
- Transfer these .docker files to Server B
On Server B (without internet connection)
- Load all the .docker files
docker load -i registry2.docker docker load -i ece_1.1.4.docker docker load -i es_6.3.docker docker load -i kibana_6.3.docker
- Create Self-Signed Cert
- Prepare Cert Configure file
- Create a new file: /etc/ssl/mycert.conf
- Paste this content and update according to your situation
[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = VA L = SomeCity O = MyCompany OU = MyDivision CN = www.company.com [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = www.company.net DNS.2 = company.net IP.1 = 10.10.10.10
- Go to /etc/ssl and run this command
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout mycert.private -out mycert.cert -config mycert.conf -extensions 'v3_req' - Move these 2 new files (private and cert) into cert sub-folder (/etc/ssl/certs)
- Start the registry
1 2 3 4 5 6 7 8 9
sudo docker run -d \ --restart=always \ --name registry \ -v /etc/ssl/certs:/certs \ -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/mycert.cert \ -e REGISTRY_HTTP_TLS_KEY=/certs/mycert.private \ -p 443:443 \ registry:2
- Line 3: Name of this new registry
- Line 4: associates /etc/ssl/certs of host to the Docker container
- Few helpful commands
- Status of Registry
sudo docker ps -a
- Stop Registry
sudo docker container stop registry
- Delete Registry
sudo docker rm CONTAINER_ID
- Tag all the available images
docker tag docker.elastic.co/cloud-enterprise/elastic-cloud-enterprise:1.1.4 10.10.10.10:443/cloud-enterprise/elastic-cloud-enterprise:1.1.4 docker tag docker.elastic.co/cloud-assets/elasticsearch:6.3.0-0 10.10.10.10:443/cloud-assets/elasticsearch:6.3.0-0 docker tag docker.elastic.co/cloud-assets/kibana:6.3.0-0 10.10.10.10:443/cloud-assets/kibana:6.3.0-0
- Push the tagged images
docker push 10.10.10.10:443/cloud-enterprise/elastic-cloud-enterprise:1.1.4 docker push 10.10.10.10:443/cloud-assets/elasticsearch:6.3.0-0 docker push 10.10.10.10:443/cloud-assets/kibana:6.3.0-0
On Server C: Non-internet, non private registry
- Create a new folder under /etc/docker/certs.d/ use the same name as the host:port of Server B
mkdir /etc/docker/certs.d/10.10.10.10:443
- Copy mycert.cert from Server B (step 4 above) to directory and call it ca.crt
- Pull from Private Registry
docker pull 10.10.10.10:443/cloud-enterprise/elastic-cloud-enterprise:1.1.4
- Result
605ce1bd3f31: Pull complete 8319863bba65: Pull complete
- API Calls: you can also do this to interact with Private Registry
- Look up all available images
https://10.10.10.10/v2/_catalog Output { "repositories":[ "cloud-assets/elasticsearch", "cloud-assets/kibana", "cloud-enterprise/elastic-cloud-enterprise"] }
- Get details on an image
https://10.10.10.10/v2/cloud-assets/kibana/tags/list Output { "name":"cloud-assets/kibana", "tags":["6.3.0-0"] }
No comments:
Post a Comment