Cloud Pak for Business Automation


How to set up the private registry if you are preparing an airgap environment

By PING MEI posted Sun December 26, 2021 09:49 PM

  

If you install a CP4BA production deployment in an airgap environment, a private image registry must be used to store all images in your local environment. You can follow the steps below to deploy a simple registry server; it must be reachable from the OCP nodes. The examples use a Red Hat host with Docker.

 

1. Prepare the certificate

You can obtain a certificate from a certificate authority (CA). Create a certs directory in your local environment and copy the certificate (.crt) issued by the CA and its matching private key (.key) into the certs directory.

 

This is an example that creates a self-signed certificate for testing; both files are written under certs/ by the command below. <hostname> must be the name the OCP nodes will use to reach the registry, and it must appear in the subjectAltName: Docker and OpenShift match the SAN, not the CN. The -addext option requires OpenSSL 1.1.1 or later (RHEL 8 and later).

$ mkdir certs
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 3000 -out certs/domain.crt -subj "/CN=<hostname>" -addext "subjectAltName = DNS:<hostname>"

 
2. Basic authentication

The simplest way to restrict access is basic authentication. This example uses the registry's native basic authentication with an htpasswd file to store the credentials. Note that registry:2 only accepts bcrypt entries, which is why -B is passed to htpasswd below; an MD5 or SHA entry would make every login fail.

Create a password file with one entry for the user <user_local_environment>, with password <password_local_environment>.

$ mkdir auth
$ docker run \
  --entrypoint htpasswd \
  httpd:2 -Bbn <user_local_environment> <password_local_environment> > auth/htpasswd

 

3. Deploy the registry server, directing it to use the TLS certificate and basic authentication. The command below bind-mounts the auth/ directory into the container at /auth/ and the certs/ directory at /certs/, and sets environment variables that tell the registry where to find the htpasswd file, domain.crt and domain.key. The registry listens on port 443, the default HTTPS port, so clients can address it as <hostname> with no port suffix.

Run the following command from the directory that contains auth/ and certs/:

 

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2

 

4. Make the Docker client trust the registry

A self-signed certificate is not trusted by the Docker client on the host, so docker push/pull to <hostname_local_environment> fails with an x509 error. The preferred fix is to install the certificate as a trusted CA for this registry only, by copying certs/domain.crt to /etc/docker/certs.d/<hostname_local_environment>/ca.crt (and to /etc/docker/certs.d/<hostname_local_environment>:443/ca.crt); Docker then verifies the registry's TLS certificate normally.

Alternatively, you can add the registry to the insecure-registries list in /etc/docker/daemon.json (create the file if it does not exist). Be aware that this disables certificate verification for that host and lets Docker fall back to plain HTTP, so it is acceptable only for a test setup:

sudo vi /etc/docker/daemon.json

{
   "insecure-registries":["<hostname_local_environment>:443","<hostname_local_environment>"]
}

 

After changing daemon.json, restart Docker with sudo systemctl restart docker so the new setting takes effect.

 
Now the simple Docker registry is ready to use; you can test it with docker login followed by docker tag, docker push and docker pull against <hostname_local_environment>.
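The four steps above as one script, added here as an example (it is not part of the original post and not IBM tooling). It assumes placeholder values for the registry hostname, user, password and working directory (REGISTRY_HOST, REGISTRY_USER, REGISTRY_PASS and WORKDIR, overridable from the environment), that docker, openssl and curl are installed on the host, and that the host resolves the hostname to itself. Beyond the post's steps it adds the checks a practitioner wants before pointing the OCP nodes at the registry: that the certificate carries the SAN and matches the key, that the htpasswd entries are bcrypt (the only hash registry:2 accepts), that anonymous access is refused with HTTP 401, and a push/pull round trip of an image that is already local. Step 4 uses the /etc/docker/certs.d trust store instead of insecure-registries.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: steps 1-4 as one script plus
# the checks to run before pointing OCP nodes at the registry.
# Assumed placeholders: REGISTRY_HOST, REGISTRY_USER, REGISTRY_PASS, WORKDIR.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-registry.example.internal}"
REGISTRY_USER="${REGISTRY_USER:-regadmin}"
REGISTRY_PASS="${REGISTRY_PASS:-change-me}"
WORKDIR="${WORKDIR:-$PWD}"

# Step 1: self-signed certificate. Docker and OCP match the SAN, not the CN,
# so the subjectAltName extension is mandatory (-addext needs OpenSSL 1.1.1+).
make_cert() {
  local host="$1" dir="$2"
  mkdir -p "$dir"
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/domain.key" \
    -x509 -days 3000 -out "$dir/domain.crt" -subj "/CN=$host" \
    -addext "subjectAltName = DNS:$host"
  chmod 600 "$dir/domain.key"
}

# Confirm the SAN is present and the private key matches the certificate;
# either mistake only surfaces later as a TLS error when nodes pull images.
check_cert() {
  local host="$1" dir="$2" cert_pub key_pub
  openssl x509 -in "$dir/domain.crt" -noout -text | grep "DNS:$host" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$dir/domain.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/domain.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 2: htpasswd file, generated with bcrypt (-B) as registry:2 requires.
make_htpasswd() {
  local user="$1" pass="$2" dir="$3"
  mkdir -p "$dir"
  docker run --rm --entrypoint htpasswd httpd:2 -Bbn "$user" "$pass" > "$dir/htpasswd"
  chmod 600 "$dir/htpasswd"
}

# Reject files with MD5 ($apr1$) or SHA entries: the registry would start
# normally and then refuse every login. Only $2a$/$2b$/$2y$ bcrypt lines pass.
check_htpasswd() {
  local file="$1" bad
  [ -s "$file" ] || return 1
  bad=$(grep -vcE '^[^:]+:\$2[aby]\$[0-9]{2}\$' "$file" || true)
  [ "$bad" -eq 0 ]
}

# Step 3: the registry container, as in the post.
run_registry() {
  local dir="$1"
  docker run -d --restart=always --name registry \
    -v "$dir/auth:/auth" -v "$dir/certs:/certs" \
    -e REGISTRY_AUTH=htpasswd \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    -p 443:443 registry:2
}

# Step 4, hardened: trust the certificate for this host only, instead of
# listing it under "insecure-registries", which turns verification off.
trust_cert() {
  local host="$1" dir="$2" d
  for d in "$host" "$host:443"; do
    sudo mkdir -p "/etc/docker/certs.d/$d"
    sudo cp "$dir/certs/domain.crt" "/etc/docker/certs.d/$d/ca.crt"
  done
}

# Smoke test: anonymous must get 401, credentials 200, then a push/pull
# round trip using an image that is already local (no internet needed).
smoke_test() {
  local host="$1" user="$2" pass="$3" ca="$4/certs/domain.crt" code
  code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" "https://$host/v2/")
  [ "$code" = 401 ] || { echo "anonymous access not refused (HTTP $code)"; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" -u "$user:$pass" "https://$host/v2/")
  [ "$code" = 200 ] || { echo "login failed (HTTP $code)"; return 1; }
  printf '%s' "$pass" | docker login "$host" -u "$user" --password-stdin
  docker tag registry:2 "$host/test/registry:2"
  docker push "$host/test/registry:2"
  docker rmi "$host/test/registry:2"
  docker pull "$host/test/registry:2"
}

# The whole procedure runs only when invoked as: ./registry-setup.sh setup
if [ "${1:-}" = "setup" ]; then
  make_cert "$REGISTRY_HOST" "$WORKDIR/certs"
  check_cert "$REGISTRY_HOST" "$WORKDIR/certs"
  make_htpasswd "$REGISTRY_USER" "$REGISTRY_PASS" "$WORKDIR/auth"
  check_htpasswd "$WORKDIR/auth/htpasswd"
  run_registry "$WORKDIR"
  trust_cert "$REGISTRY_HOST" "$WORKDIR"
  smoke_test "$REGISTRY_HOST" "$REGISTRY_USER" "$REGISTRY_PASS" "$WORKDIR"
fi
```

Run it as ./registry-setup.sh setup. Without the argument it only defines the functions, so the file can be sourced and the checks run individually, for example check_htpasswd auth/htpasswd after generating the file, or check_cert <hostname> certs after dropping in a CA-issued certificate.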


Comments

Tue May 16, 2023 11:27 PM

@PING MEI, is this a 'docker image registry'?
Does it support the following?

- Supports Docker Manifest V2, Schema 2.
- Supports multi-architecture images.
- Is accessible from both the host and your OpenShift Container Platform cluster nodes.
- Has the username and password of a user who can write to the target registry from the host.
- Has the username and password of a user who can read from the target registry that is on the OpenShift cluster nodes.
- Allows path separators in the image name.