docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1299 from carolfh/jira1753config 

performed the following: closed jira 1753, updated graphics, removed …
This commit is contained in:
moxiegirl 2016-01-20 17:30:07 -08:00
parent 1afe76bc9f 6e3d9bc4f2
commit 20a71f706c
6 changed files with 136 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/admin-settings-authentication-basic.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 137 KiB

After

Width:  |  Height:  |  Size: 107 KiB

BIN
assets/admin-settings-authentication-ldap.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 169 KiB

After

Width:  |  Height:  |  Size: 130 KiB

BIN
assets/admin-settings-security.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 128 KiB

After

Width:  |  Height:  |  Size: 94 KiB

BIN
assets/admin-settings-storage.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 132 KiB

After

Width:  |  Height:  |  Size: 92 KiB

BIN
assets/admin-settings.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 86 KiB

After

Width:  |  Height:  |  Size: 58 KiB

265
configuration.md
View File

@ -8,14 +8,15 @@ weight=5
+++ +++
# Configuring Docker Trusted Registry # Configure Docker Trusted Registry
Use this documentation to configure Docker Trusted Registry so it can When you first install Docker Trusted Registry, you need to configure it. Use
run in your environment. this documentation to configure your settings so it can run in your environment.
## Overview ## Overview
To start, navigate to the Trusted Registry user interface (UI) > Settings to view configuration options. Configuring is grouped by the following: To start, navigate to the Trusted Registry user interface (UI) > Settings, to
view configuration options. Configuring is grouped by the following:
* General Settings (for example, ports and proxies) * General Settings (for example, ports and proxies)
* Security settings * Security settings
@ -26,78 +27,73 @@ To start, navigate to the Trusted Registry user interface (UI) > Settings to vie
* Updates * Updates
* Docker daemon (this is set from the Trusted Registry CLI and not the UI) * Docker daemon (this is set from the Trusted Registry CLI and not the UI)
>**Note**:
>Saving changes you've made to settings will restart various services, as follows: Saving changes you've made to settings will restart various services, as follows:
>
* General settings: full Docker Trusted Registry restart * General settings: full Docker Trusted Registry restart
* License change: full Docker Trusted Registry restart * License change: full Docker Trusted Registry restart
* SSL change: Nginx reload * SSL change: Nginx reload
* Storage config: only registries restart * Storage config: only registries restart
* Authentication config: no restart * Authentication config: no restart
## General Settings ## General settings
![Domain and Ports page</admin/settings#http>](assets/admin-settings.png) ![Domain and Ports page</admin/settings#http>](assets/admin-settings.png)
Each setting on this page is explained in the Docker Trusted Registry UI. Each setting on this page is explained in the Docker Trusted Registry UI.
* *Domain Name*: **required** defaults to an empty string, the fully qualified domain name assigned to the Docker Trusted Registry host. * *Domain Name*: **required**. By default it is an empty string. It is the fully qualified domain name assigned to the Docker Trusted Registry host.
* *HTTP Port*: defaults to 80, used as the entry point for the image storage service. To see load balancer status, you can query * *HTTP Port*: defaults to 80 and is used as the entry point for the image storage service. To see load balancer status, you can query
http://&lt;dtr-host&gt;/load_balancer_status. http://&lt;dtr-host&gt;/load_balancer_status.
* *HTTPS Port*: defaults to 443, used as the secure entry point for the image storage service. * *HTTPS Port*: defaults to 443, used as the secure entry point for the image storage service.
* *HTTP proxy*: defaults to an empty string, proxy server for HTTP requests. * *HTTP proxy*: defaults to an empty string, proxy server for HTTP requests.
* *HTTPS proxy*: defaults to an empty string, proxy server for HTTPS requests. * *HTTPS proxy*: defaults to an empty string, proxy server for HTTPS requests.
* *No proxy*: defaults to an empty string, proxy bypass for HTTP and HTTPS requests. * *No proxy*: defaults to an empty string, proxy bypass for HTTP and HTTPS requests.
* *Upgrade checking*: enables or disables automatic checking for Docker Trusted Registry software updates. * *Upgrade checking*: enables or disables automatic checking for the Trusted Registry software updates.
> **Note**: If you need Docker Trusted Registry to re-generate a self-signed certificate at some If you need the Trusted Registry to re-generate a self-signed certificate at
> point, you can change the domain name. Whenever the domain name does not match the current certificate, some point, you can change the domain name. Whenever the domain name does not
> a new self-signed certificate will be generated for the new domain. This also works with IP addresses. match the current certificate, a new self-signed certificate is generated
for the new domain. This also works with IP addresses.
### Notary configuration ### Configure Notary
> *Note:* Docker Trusted Registry's integration of Docker Notary is an experimental feature. The use of a Notary server with Trusted Registry is not officially supported. > **Note**: The Trusted Registry's integration of Docker Notary is an experimental feature. The use of a Notary server with Trusted Registry is not officially supported.
To use Docker Notary, you must deploy your own Notary server and then integrate To use Docker Notary, first deploy your own Notary server and then integrate
with your Trusted Registry through the Settings page. Then, you'll need to with your Trusted Registry through the Settings page. Then, you'll need to
configure your Docker clients to use turst. Docker Trusted Registry proxies configure your Docker clients to use trust. The Trusted Registry proxies
requests to Notary, so you don't need to explicitly trust Notary's certificate requests to Notary, so you don't need to explicitly trust Notary's certificate
from the docker client. from the docker client.
Once you enable Notary integration and configure your Docker clients, your Once you enable Notary integration and configure your Docker clients, your
organization can push and pull trusted images. After pushing images in this organization can push and pull trusted images. After pushing images in this
configuration to Trusted Registry, you can see which image tags were signed by configuration to the Trusted Registry, you can see which image tags were signed
viewing the appropriate repositories through Trusted Registry's web interface. by viewing the appropriate repositories through Trusted Registry's web
interface.
To deploy a Notary server follow the instructions at [Deploying To deploy a Notary server follow the instructions at [Deploying
Notary](/engine/security/trust/deploying_notary.md). You can deploy a Notary Notary](/engine/security/trust/deploying_notary.md). You can deploy a Notary
server on the same machine as Docker Trusted Registry. If you do this, you can server on the same machine as the Trusted Registry. If you do this, you can
connect to the Notary server directly using the IP address of the `docker0` connect to the Notary server directly using the IP address of the `docker0`
interface. The interface's address is typically `172.17.42.1`. Read more about interface. The interface's address is typically `172.17.42.1`. Read more about
[Docker Networking](/engine/userguide/networking/index.md) to learn more about the [Docker Networking](/engine/userguide/networking/index.md) to learn about the
`docker0` interface. You can also connect using the machine's external IP `docker0` interface. You can also connect using the machine's external IP
address and port combination provided you expose the proper port. address and port combination provided you expose the proper port.
Once you've deployed your Notary server, do the following: Once you've deployed your Notary server, do the following:
1. Return to Trusted Registry in your browser and configure the following 1. Return to the Trusted Registry in your browser and configure the following
options: options:
* *Notary Server*: This is the domain name or IP address where you deployed the Notary server. * *Notary Server*: This is the domain name or IP address where you deployed the Notary server.
* *Notary Verify TLS*: This is off by default and you should verify that your connection to Notary works with this turned off * *Notary Verify TLS*: This is off by default and you should verify that your connection to Notary works with this turned off before trying to enable it. If Notary's certificate is signed by a public Certificate Authority, you can turn this on and it should work given that the domain name (or IP) matches the one in the certificate.
before trying to enable it. If Notary's certificate is signed by a public Certificate Authority you can turn this
on and it should work given that the domain name (or IP) matches the one in the certificate.
* *Notary TLS Root CA*: If you don't use a publicly signed certificate but still want to have a secure connection between * *Notary TLS Root CA*: If you don't use a publicly signed certificate but still want to have a secure connection between
Docker Trusted Registry and Notary, put the root Certificate Authority's certificate here. You can also use a self signed certificate here. the Trusted Registry and Notary, then put the root Certificate Authority's certificate in this field. You can also use a self signed certificate at this location.
2. Once you've configured the Notary settings, save them. 2. Once you've configured the Notary settings, save them. After you save, the Trusted Registry tries to connect to Notary to confirm that the address is correct. It configures itself as a reverse proxy to the Notary server to make it easier for clients to automatically use the correct Notary server.
After you save the settings, Trusted Registry tries to connect to Notary to
confirm that the address is correct. It configures itself as a reverse proxy
to the Notary server to make it easier for clients to automatically use the
correct Notary server.
3. Configure your Docker client to use content trust operations. 3. Configure your Docker client to use content trust operations.
@ -125,7 +121,7 @@ This cert must be accompanied by its private key, entered below.
* *SSL Private Key*: The hash from the private key associated with the provided * *SSL Private Key*: The hash from the private key associated with the provided
SSL Certificate (as a standard x509 key pair). SSL Certificate (as a standard x509 key pair).
In order to run, Docker Trusted Registry requires encrypted communications via HTTPS/SSL between (a) the Docker Trusted Registry and your Docker Engine(s), and (b) between your web browser and the Docker Trusted Registry admin server. There are a few options for setting this up: In order to run, the Trusted Registry requires encrypted communications through HTTPS/SSL between (a) the Trusted Registry and your Docker Engine(s), and (b) between your web browser and the Trusted Registry admin server. There are a few options for setting this up:
1. You can use the self-signed certificate Docker Trusted Registry generates by default. 1. You can use the self-signed certificate Docker Trusted Registry generates by default.
2. You can generate your own certificates using a public service or your enterprise's infrastructure. See the [Generating SSL certificates](#generating-ssl-certificates) section for the options available. 2. You can generate your own certificates using a public service or your enterprise's infrastructure. See the [Generating SSL certificates](#generating-ssl-certificates) section for the options available.
@ -137,11 +133,11 @@ However, if you choose to use the Trusted Registry-generated certificates, or
the certificates you generate yourself are not trusted by your client Docker the certificates you generate yourself are not trusted by your client Docker
hosts, you will need to do one of the following: hosts, you will need to do one of the following:
* [Install](#installing-registry-certificates-on-client-docker-daemons) a registry certificate on all of your client Docker daemons * [Install](#installing-registry-certificates-on-client-docker-daemons) a registry certificate on all of your client Docker daemons, or
* Set your [client Docker daemons](#if-you-can-t-install-the-certificates) to run with an unconfirmed connection to the registry. * Set your [client Docker daemons](#if-you-can-t-install-the-certificates) to run with an unconfirmed connection to the registry.
### Generating SSL certificates ### Generate SSL certificates
There are three basic approaches to generating certificates: There are three basic approaches to generating certificates:
@ -160,31 +156,30 @@ client Docker daemons.
Registry, and install it onto the client Docker daemon hosts as seen in the Registry, and install it onto the client Docker daemon hosts as seen in the
following section. following section.
### Adding your own Registry certificates to Docker Trusted Registry ### Add your own registry certificates
Whichever method you use to generate certificates, once you have them you can Whichever method you use to generate certificates, once you have them you can
set up your Docker Trusted Registry server to use them by navigating to the set up your Trusted Registry server to use them.
"Settings" page, going to "Security," and putting the SSL Certificate text
1. Navigate to Settings > Security, and put the SSL Certificate text
(including all intermediate Certificates, starting with the host) into the "SSL (including all intermediate Certificates, starting with the host) into the "SSL
Certificate" edit box, and the previously generated Private key into the "SSL Certificate" edit box, and the previously generated Private key into the "SSL
Private Key" edit box. Private Key" edit box.
Click Save, and then wait for the Docker Trusted Registry Admin site to restart 2. Click Save, and then wait for the Trusted Registry Admin site to restart
and reload. It should now be using the new certificate. and reload. It should now be using the new certificate. Once the Security page has reloaded, it displays `#` hashes instead of the
certificate text you pasted.
Once the "Security" page has reloaded, it shows `#` hashes instead of the
certificate text you pasted in.
If your certificate is signed by a chain of Certificate Authorities that are If your certificate is signed by a chain of Certificate Authorities that are
already trusted by your Docker daemon servers, you can skip the following already trusted by your Docker daemon servers, you can skip the following
"Installing registry certificates" step. "Install registry certificates" step.
### Installing Registry certificates on client Docker daemons ### Install registry certificates on client Docker daemons
If your certificates do not have a trusted Certificate Authority, you will need If your certificates do not have a trusted Certificate Authority, you will need
to install them on each client Docker daemon host. to install them on each client Docker daemon host.
The procedure for installing the Docker Trusted Registry certificates on each The procedure for installing the Trusted Registry certificates on each
Linux distribution has slightly different steps. Linux distribution has slightly different steps.
You can test this certificate using `curl`: You can test this certificate using `curl`:
@ -192,24 +187,27 @@ You can test this certificate using `curl`:
``` ```
$ curl https://dtr.yourdomain.com/v2/ $ curl https://dtr.yourdomain.com/v2/
curl: (60) SSL certificate problem: self signed certificate curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html ```
For details see: http://curl.haxx.se/docs/sslcerts.html
Curl performs SSL certificate verification by default, using a "bundle" of
Certificate Authority (CA) public keys (CA certs). If the default bundle file
isn't adequate, you can specify an alternate file using the `--cacert` option.
If this HTTPS server uses a certificate signed by a CA represented in the
bundle, the certificate verification probably failed due to a problem with the
certificate. For example, it might be expired, or the name might not match the
domain name in the URL.
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option. the -k (or --insecure) option.
```
$ curl --cacert /usr/local/etc/dtr/ssl/server.pem https://dtr.yourdomain.com/v2/ $ curl --cacert /usr/local/etc/dtr/ssl/server.pem https://dtr.yourdomain.com/v2/
{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]} {"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}
``` ```
Continue by following the steps corresponding to your chosen OS. Continue by following the steps corresponding to your chosen OS. Run the following commands on the Trusted Registry host.
#### Ubuntu/Debian #### Ubuntu/Debian
@ -239,10 +237,8 @@ You'll need to make some persistent changes using `bootsync.sh` in your
Boot2Docker-based virtual machine (as documented in [local customization](https://github.com/boot2docker/boot2docker/blob/master/doc/FAQ.md#local-customisation-with-persistent-partition)). To do this: Boot2Docker-based virtual machine (as documented in [local customization](https://github.com/boot2docker/boot2docker/blob/master/doc/FAQ.md#local-customisation-with-persistent-partition)). To do this:
1. `docker-machine ssh dev` to enter the VM 1. `docker-machine ssh dev` to enter the VM
2. `vi /var/lib/boot2docker/bootsync.sh` (create it if it doesn't exist, or edit it if it does) 2. `vi /var/lib/boot2docker/bootsync.sh` creates it if it doesn't exist, or edit it if it does.
3. Install the CA cert (or the auto-generated cert) by adding the following code to your `/var/lib/boot2docker/bootsync.sh`:
Install the CA cert (or the auto-generated cert) by adding the following to
your `/var/lib/boot2docker/bootsync.sh`:
``` ```
#!/bin/sh #!/bin/sh
@ -250,18 +246,16 @@ your `/var/lib/boot2docker/bootsync.sh`:
cat /var/lib/boot2docker/server.pem >> /etc/ssl/certs/ca-certificates.crt cat /var/lib/boot2docker/server.pem >> /etc/ssl/certs/ca-certificates.crt
``` ```
4. Next get the certificate from the new Docker Trusted Registry server using:
Then get the certificate from the new Docker Trusted Registry server using:
``` ```
$ openssl s_client -connect dtr.yourdomain.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee -a /var/lib/boot2docker/server.pem $ openssl s_client -connect dtr.yourdomain.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee -a /var/lib/boot2docker/server.pem
``` ```
If your certificate chain is complicated, you may want to use the changes in If your certificate chain is complicated, you can use the changes in [Pull request 807](https://github.com/boot2docker/boot2docker/pull/807/files)
[Pull request 807](https://github.com/boot2docker/boot2docker/pull/807/files)
Now you can either reboot your virtual machine, or run the following to 5. Either reboot your virtual machine, or run the following commands to
install the server certificate, and then restart the Docker daemon. install the server certificate. Restart the Docker daemon.
``` ```
$ sudo chmod 755 /var/lib/boot2docker/bootsync.sh $ sudo chmod 755 /var/lib/boot2docker/bootsync.sh
@ -271,24 +265,24 @@ $ sudo /etc/init.d/docker restart`.
### If you can't install the certificates ### If you can't install the certificates
If for some reason you can't install the certificate chain on a client Docker host, If for some reason you can't install the certificate chain on a client Docker
or your certificates do not have a global CA, you can configure your Docker daemon to run in "insecure" mode. This is done by adding an extra flag, host, or your certificates do not have a global CA, you can configure your
`--insecure-registry host-ip|domain-name`, to your client Docker daemon startup flags. Docker daemon to run in "insecure" mode. This is done by adding an extra flag,
You'll need to restart the Docker daemon for the change to take effect. `--insecure-registry host-ip|domain-name`, to your client Docker daemon startup
flags. You'll need to restart the Docker daemon for the change to take effect.
This flag means that the communications between your Docker client and the Docker Trusted Registry This flag means that the communications between your Docker client and the Trusted Registry server are still encrypted, but the client Docker daemon is not
Registry server are still encrypted, but the client Docker daemon is not
confirming that the Registry connection is not being hijacked or diverted. confirming that the Registry connection is not being hijacked or diverted.
> **Note**: If you enter a "Domain Name" into the "Security" settings, it needs If you enter a "Domain Name" into the Security settings, it needs to be DNS
> to be DNS resolvable on any client Docker daemons that are running in resolvable on any client daemons that are running in `insecure-registry`
> "insecure-registry" mode. mode.
To set the flag, follow the directions below for your operating system. To set the flag, perform the following directions for your operating system.
#### Ubuntu #### Ubuntu
On Ubuntu 14.04 LTS, you customize the Docker daemon configuration with the On Ubuntu 14.04 LTS, customize the Docker daemon configuration with the
`/etc/defaults/docker` file. `/etc/defaults/docker` file.
Open or create the `/etc/defaults/docker` file, and add the Open or create the `/etc/defaults/docker` file, and add the
@ -303,7 +297,7 @@ Then restart the Docker daemon with `sudo service docker restart`.
#### RHEL/Centos #### RHEL/Centos
On RHEL/Centos, you customize the Docker daemon configuration with the On RHEL/Centos, customize the Docker daemon configuration with the
`/etc/sysconfig/docker` file. `/etc/sysconfig/docker` file.
Open or create the `/etc/sysconfig/docker` file, and add the Open or create the `/etc/sysconfig/docker` file, and add the
@ -318,8 +312,8 @@ Then restart the Docker daemon with `sudo service docker restart`.
### Docker Machine and Boot2Docker ### Docker Machine and Boot2Docker
In your Boot2Docker-based virtual machine, you customize the Docker daemon configuration with the In your Boot2Docker-based virtual machine, customize the Docker daemon
`/var/lib/boot2docker/profile` file. configuration with the `/var/lib/boot2docker/profile` file.
Open or create the `/var/lib/boot2docker/profile` file, and add an `EXTRA_ARGS` Open or create the `/var/lib/boot2docker/profile` file, and add an `EXTRA_ARGS`
setting as follows: setting as follows:
@ -330,34 +324,27 @@ EXTRA_ARGS="--insecure-registry dtr.yourdomain.com"
Then restart the Docker daemon with `sudo /etc/init.d/docker restart`. Then restart the Docker daemon with `sudo /etc/init.d/docker restart`.
## Image Storage Configuration ## Configure your image storage
Docker Trusted Registry image storage can be configured to use the local filesystem, or a cloud service Docker Trusted Registry image storage can be configured to use the default local
such as S3 or Azure. filesystem, or a cloud service such as S3 or Azure.
To set up storage settings, navigate to the Trusted Registry dashboard > Settings > Storage. To set up storage settings, navigate to the Trusted Registry dashboard > Settings > Storage.
See the [Registry configuration](http://docs.docker.com/registry/configuration/) See the [Registry configuration](http://docs.docker.com/registry/configuration/)
documentation for the full options specific to each driver. documentation for the full options specific to each driver. Storage drivers can
Storage drivers can be added or customized through the [Docker Registry storage driver be added or customized through the [Docker Registry storage driver
API](http://docs.docker.com/registry/storagedrivers/#storage-driver-api). API](http://docs.docker.com/registry/storagedrivers/#storage-driver-api).
![Storage settings page</admin/settings#storage>](assets/admin-settings-storage.png) ![Storage settings page</admin/settings#storage>](assets/admin-settings-storage.png)
After you select the image storage method you would like to use from the After you select your preferred image storage method from the drop-down menu
drop-down menu near the top of the page, the UI changes to reflect the near the top of the page, the UI changes to reflect the configuration settings
configuration settings appropriate to the selected method. You can either use appropriate to the selected method. You can either use the storage specific
the storage specific input boxes to configure the most common settngs for local input boxes to configure the most common settings for local filesystem, S3, or
filesystem, S3, or Azure storage backends, or use the full Yaml configuration Azure storage backends, or use the full Yaml configuration file upload to have
file upload to have more detailed control. more detailed control. Changing your storage backend requires you to restart the
Trusted Registry.
You can either use the storage specific input boxes to configure the most common
settngs for local filesystem, S3, or Azure storage backends, or use the full
Yaml configuration file upload to have more detailed control.
**Note**: Changing your storage backend requires you to restart the Trusted Registry.
You can view the current `storage.yaml` file on your Docker Trusted Registry You can view the current `storage.yaml` file on your Docker Trusted Registry
Docker host in the `/usr/local/etc/dtr/` directory. Docker host in the `/usr/local/etc/dtr/` directory.
@ -365,14 +352,15 @@ Docker host in the `/usr/local/etc/dtr/` directory.
### Filesystem settings ### Filesystem settings
The [filesystem storage backend](/registry/configuration.md#filesystem) The [filesystem storage backend](/registry/configuration.md#filesystem)
has only one setting - the "Storage directory", the subdirectory of `/var/local/dtr/image-storage` has only one setting, the "Storage directory", the subdirectory of
in which all registry files are stored. `/var/local/dtr/image-storage` in which all registry files are stored. The
The default value of `/local` means the files are stored in `/var/local/dtr/image-storage/local`. default value of `/local` means the files are stored in
`/var/local/dtr/image-storage/local`.
### S3 settings ### S3 settings
The [S3 storage backend](/registry/configuration.md#s3) page allows you to set the If you select the [S3 storage backend](/registry/configuration.md#s3), then you
"AWS region", "Bucket name", "Access Key", and "Secret Key". need to set "AWS region", "Bucket name", "Access Key", and "Secret Key".
### Azure settings ### Azure settings
@ -391,37 +379,34 @@ If the previous Quick setup options are not sufficient to configure your
Registry options, you can upload a YAML file. The schema of this file is Registry options, you can upload a YAML file. The schema of this file is
identical to that used by the [Registry](http://docs.docker.com/registry/configuration/). identical to that used by the [Registry](http://docs.docker.com/registry/configuration/).
If you are using the file system driver to provide local image storage, you If you are using the file system driver to provide local image storage, you need
will need to specify a root directory which will get mounted as a sub-path of to specify a root directory which gets mounted as a sub-path of
`/var/local/dtr/image-storage`. The default value of this root directory is `/var/local/dtr/image-storage`. The default value of this root directory is
`/local`, so the full path to it is `/var/local/dtr/image-storage/local`. `/local`, so the full path to it is `/var/local/dtr/image-storage/local`.
## Authentication ## Authentication
Use the "Authentication" settings to control access to the Docker Trusted Use the Authentication settings to control access to the Trusted Registry web
Registry web admin tool and to the Docker Trusted Registry. admin tool and to the Trusted Registry.
The current authentication methods are `None`, `Managed` and `LDAP`. The current authentication methods are `None`, `Managed` and `LDAP`.
> **Note**: if you have issues logging into the Docker Trusted Registry admin web interface after changing the authentication If you have issues logging into the Docker Trusted Registry admin web interface after changing the authentication settings, you may need to use the [emergency access to the Docker Trusted Registry admin web interface](adminguide.md#emergency-access-to-dtr).
> settings, you may need to use the [emergency access to the Docker Trusted Registry admin web interface](adminguide.md#emergency-access-to-dtr).
### No authentication ### No authentication
No authentication means that everyone that can access your Docker Trusted No or `None` authentication means that everyone can access your Trusted Registry
Registry web administration site. This is not recommended for any use other than web administration site. This is the default setting when you first install the
testing. Trusted Registry. One of your first configuration tasks is to switch your
authentication to either managed or LDAP so you can create the Trusted Registry
administrator. Until you do so, you can't create repos nor push or pull images.
### Managed authentication ### Managed authentication
With `Managed` authentication, the Docker Trusted Registry admin can control users' access by setting username/password pairs. The admin can then [use the API](http://docs.docker.com/apidocs/v1.3.3/) to give these users global "admin", "read-write" or "read-only" privileges while assigning them Organization, Team or User repository access. With `Managed` authentication, the Trusted Registry admin can manually control users' access by setting username/password pairs. The admin can then [use the API](http://docs.docker.com/apidocs/v1.3.3/) to give these users global "admin", "read-write" or "read-only" privileges while assigning them Organization, Team, or User repository access. The admin can also set privileges though the UI.
The "read-only" role can pull all images from the registry, "read-write" can
push and pull all images, and the "admin" role can push and pull and also access
the web administration UI and metrics dashboard.
When you create users and assign their roles through the API, you do not need When you create users and assign their roles through the API, you do not need
to assign those users roles using the Docker Trusted Registry admin UI. to assign those users roles using the Trusted Registry admin UI.
* Choose the appropriate button to add one user, or to upload a CSV file containing username, password pairs, and selection boxes for "admin", * Choose the appropriate button to add one user, or to upload a CSV file containing username, password pairs, and selection boxes for "admin",
"read-write", and "read-only" roles. "read-write", and "read-only" roles.
@ -430,41 +415,35 @@ to assign those users roles using the Docker Trusted Registry admin UI.
### LDAP authentication ### LDAP authentication
Using LDAP authentication allows you to integrate your Docker Trusted Registry into your Use LDAP authentication to integrate your Trusted Registry into your
organization's existing LDAP user and authentication database. organization's existing LDAP user and authentication database.
To improve the performance of Docker Trusted Registry's Access Control Lists, To improve the performance of the Trusted Registry's Access Control Lists,
User and Group membership data is synced into Docker Trusted Registry's database User and Group membership data is synced into Docker Trusted Registry's database
at a configurable *LDAP Sync Interval*. User passwords are not transferred at a configurable *LDAP Sync Interval*. User passwords are not transferred
during syncing. The Trusted Registry defers to the LDAP server to validate during syncing. The Trusted Registry defers to the LDAP server to validate
username/password pairs. username/password pairs.
> **Note**: LDAP syncing creates new users that that do not already exist in the Trusted Registry. Any existing users that are not found by the LDAP sync are marked as inactive. LDAP syncing creates new users that that do not already exist in the Trusted Registry. Any existing users that are not found by the LDAP sync are marked as inactive. You can also sync team membership with the LDAP group. This is performed after you have finished configuring your settings.
You can also sync team membership with the LDAP group. This is performed after you have finished configuring your settings. Because connecting to LDAP involves existing infrastructure external to the
Trusted Registry and Docker, you need to gather the details required to
Because connecting to LDAP involves existing infrastructure external to Docker Trusted Registry and Docker, you need to gather the details required to configure Docker Trusted Registry for your organization's particular LDAP implementation. configure the Trusted Registry for your organization's particular LDAP
implementation.
You can test that you have the correct LDAP server information by connecting to You can test that you have the correct LDAP server information by connecting to
the LDAP server from inside a Docker container running on the same server as the LDAP server from inside a Docker container running on the same server as
your Docker Trusted Registry: your Docker Trusted Registry:
> **Note**: if the LDAP server is configured to use *StartTLS*, then you need to If the LDAP server is configured to use *StartTLS*, then you need to
> add `-Z` to the `ldapsearch` command examples below. add `-Z` to the `ldapsearch` following command example.
``` ```
docker run --rm -it svendowideit/ldapsearch -h <LDAP Server hostname> -b <User Base DN> -D <Search User DN> -w <Search User Password> docker run --rm -it svendowideit/ldapsearch -h <LDAP Server hostname> -b <User Base DN> -D <Search User DN> -w <Search User Password>
``` ```
Or if the LDAP server is set up to allow anonymous access (which means your The result of this query should be a (very) long list. If you get an
*Search User DN* and *Search User Password* settings will remain empty): authentication error, then the details you have are not sufficient. Contact
```
docker run --rm -it svendowideit/ldapsearch -h <LDAP Server hostname> -b <User Base DN> -x
```
The result of these queries should be a (very) long list - if you get an
authentication error, then the details you have are not sufficient - contact
your organization's LDAP team. your organization's LDAP team.
The *User Login Attribute* key setting must match the field used in the LDAP The *User Login Attribute* key setting must match the field used in the LDAP
@ -494,8 +473,8 @@ of the group member objects.
##### Confirm login with current configuration ##### Confirm login with current configuration
You can test your current LDAP configuration before saving it by entering a test Test your current LDAP configuration before saving it by entering a test
username and password and then clicking "Try Login". If the login succeeds, your username and password. Click Try Login. If the login succeeds, your
configuration is working. configuration is working.
## Docker daemon logs ## Docker daemon logs
@ -506,6 +485,10 @@ Both the Trusted Registry and the Docker daemon collect and store log messages.
To learn about Trusted Registry logs, view the [Logs tab](adminguide.md) in the admin guide documentation. To learn about Trusted Registry logs, view the [Logs tab](adminguide.md) in the admin guide documentation.
## Next Steps ## See also
For information on getting support for Docker Trusted Registry, go to [Support information](support.md). * To use Docker Trusted Registry, see the [User guide](userguide.md).
* View [admin tasks](adminguide.md).
* To upgrade, see the [Upgrade guide](install/upgrade.md).
* To see previous changes and fixes, refer to the [release notes](release-notes.md).
* For information on getting support for Docker Trusted Registry, go to [Support information](support.md).