How to use private docker registry with Zun

Zun by default pull container images from Docker Hub. However, it is possible to configure Zun to pull images from a private registry.

This document provides an example to deploy and configure a docker registry for Zun. For a comprehensive guide about deploying a docker registry, see here

Deploy Private Docker Registry

A straightforward approach to install a private docker registry is to deploy it as a Zun container:

$ openstack appcontainer create \
    --restart always \
    --expose-port 443 \
    --name registry \
    --environment REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    --environment REGISTRY_HTTP_TLS_CERTIFICATE=/domain.crt \
    --environment REGISTRY_HTTP_TLS_KEY=/domain.key \
    registry:2

Note

Depending on the configuration of your tenant network, you might need to make sure the container is accessible from other tenants of your cloud. For example, you might need to associate a floating IP to the container.

In order to make your registry accessible to external hosts, you must use a TLS certificate (issued by a certificate issuer) or create self-signed certificates. This document shows you how to generate and use self-signed certificates:

$ mkdir -p certs
$ cat > certs/domain.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no
[req_distinguished_name]
CN = zunregistry.com
[req_ext]
subjectAltName = IP:172.24.4.49
EOF
$ openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
    -x509 -days 365 -out certs/domain.crt -config certs/domain.conf

Note

Replace zunregistry.com with the domain name of your registry.

Note

Replace 172.24.4.49 with the IP address of your registry.

Note

You need to make sure the domain name (i.e. zunregistry.com) will be resolved to the IP address (i.e. 172.24.4.49). For example, you might need to edit /etc/hosts accordingly.

Copy the certificates to registry:

$ openstack appcontainer cp certs/domain.key registry:/
$ openstack appcontainer cp certs/domain.crt registry:/

Configure docker daemon to accept the certificates:

# mkdir -p /etc/docker/certs.d/zunregistry.com
# cp certs/domain.crt /etc/docker/certs.d/zunregistry.com/ca.crt

Note

Replace zunregistry.com with the domain name of your registry.

Note

Perform this steps in every compute nodes.

Start the registry:

$ openstack appcontainer start registry

Verify the registry is working:

$ docker pull ubuntu:16.04
$ docker tag ubuntu:16.04 zunregistry.com/my-ubuntu
$ docker push zunregistry.com/my-ubuntu
$ openstack appcontainer run --interactive zunregistry.com/my-ubuntu /bin/bash

Note

Replace zunregistry.com with the domain name of your registry.