docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Initial DTR->Docker Trusted Registry 

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
This commit is contained in:
Sven Dowideit 2015-09-09 10:42:04 +10:00
parent 007e0f6295
commit c9e20762d0
19 changed files with 346 additions and 348 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
adminguide.md
View File

@ -13,18 +13,18 @@ weight=3
# Docker Trusted Registry Administrator's Guide
This guide covers tasks and functions an administrator of Docker Trusted Registry
(DTR) will need to know about, such as reporting, logging, system management,
will need to know about, such as reporting, logging, system management,
performance metrics, etc.
For tasks DTR users need to accomplish, such as using DTR to push and pull
For tasks Docker Trusted Registry users need to accomplish, such as pushing and pulling
images, please look at the [User's Guide]({{< relref "userguide.md" >}}).
## Reporting
### Dashboard
![DTR Dashboard</admin/metrics/>](../assets/admin-metrics.png)
![Docker Trusted Registry Dashboard</admin/metrics/>](../assets/admin-metrics.png)
The "DTR Dashboard displays "hardware" resource utilization and network traffic metrics for the DTR host as well as for each of its contained services. The CPU and RAM usage meters at the top indicate overall resource usage for the host, while detailed time-series charts are provided below for each container providing a DTR service.
The "Docker Trusted Registry Dashboard displays "hardware" resource utilization and network traffic metrics for the Docker Trusted Registry host as well as for each of its contained services. The CPU and RAM usage meters at the top indicate overall resource usage for the host, while detailed time-series charts are provided below for each container providing a Docker Trusted Registry service.
In addition, if your registry is using a filesystem storage driver, you will see a usage meter indicating used and available space on the storage volume. Third-party storage back-ends are not supported, so if you are using one, this meter will not be displayed.
@ -39,12 +39,12 @@ service. See below for a
![System Logs page</admin/logs/>](../assets/admin-logs.png)
Click "Logs" in the global nav bar at the top of page to view the logs from your DTR's containers. You will see
log sections on this page for each service in your DTR instance. Older or newer
Click "Logs" in the global nav bar at the top of page to view the logs from your Docker Trusted Registry's containers. You will see
log sections on this page for each service in your Docker Trusted Registry instance. Older or newer
logs can be loaded by scrolling up or down. See below for a
[detailed explanation of the available services](#services).
DTR's log files can be found on the host in `/usr/local/etc/dtr/logs/`. The
Docker Trusted Registry's log files can be found on the host in `/usr/local/etc/dtr/logs/`. The
files are limited to a maximum size of 64mb. They are rotated every two weeks,
when the aggregator sends logs to the collection server, or they are rotated if
a logfile would exceed 64mb without rotation. Log files are named `<component
@ -53,7 +53,7 @@ provides (`manager`, `admin-server`, etc.).
### Usage statistics and crash reports
During normal use, DTR generates usage statistics and crash reports. This
During normal use, Docker Trusted Registry generates usage statistics and crash reports. This
information is collected by Docker, Inc. to help us prioritize features, fix
bugs, and improve our products. Specifically, Docker, Inc. collects the
following information:
@ -61,10 +61,10 @@ following information:
* Error logs
* Crash logs
## Emergency access to DTR
## Emergency access to Docker Trusted Registry
If your authenticated or public access to the DTR web interface has stopped
working, but your DTR admin container is still running, you can add an
If your authenticated or public access to the Docker Trusted Registry web interface has stopped
working, but your Docker Trusted Registry admin container is still running, you can add an
[ambassador container](https://docs.docker.com/articles/ambassador_pattern_linking/)
to get temporary unsecure access to it by running:
@ -74,20 +74,20 @@ to get temporary unsecure access to it by running:
> or have root privileges. Otherwise, you may need to add `sudo` to the example
> command above.
This will give you access on port `9999` on your DTR server - `http://<dtr-host-ip>:9999/admin/`.
This will give you access on port `9999` on your Docker Trusted Registry server - `http://<dtr-host-ip>:9999/admin/`.
### SSH Access to host
As an extra measure of safety, make sure you have SSH access to the DTR host before you start using DTR.
As an extra measure of safety, make sure you have SSH access to the Docker Trusted Registry host before you start using Docker Trusted Registry.
If you are hosting DTR on an EC2 host launched from the AWS Marketplace AMI, note that the user is `ec2-user`:
If you are hosting Docker Trusted Registry on an EC2 host launched from the AWS Marketplace AMI, note that the user is `ec2-user`:
`/path/to/private_key/id_rsa ec2-user@<dtr-dns-entry>`.
## Services
DTR runs several Docker services which are essential to its reliability and
Docker Trusted Registry runs several Docker services which are essential to its reliability and
usability. The following services are included; you can see their details by
viewing the [DTR Dashboard](#dashboard) and [Logs](#logs) pages:
viewing the [Docker Trusted Registry Dashboard](#dashboard) and [Logs](#logs) pages:
* `admin_server`: Used for displaying system health, performing upgrades,
configuring settings, and viewing logs.
@ -98,13 +98,13 @@ other services. Handles log persistence and rotation on disk.
* `image_storage_X`: Stores Docker images using the [Docker Registry HTTP API V2](http://docs.docker.com/registry/spec/api/). Typically,
multiple image storage services are used in order to provide greater uptime and
faster, more efficient resource utilization.
* `postgres`: A database service used to host authentication (LDAP) data and other datasets as needed by DTR.
* `postgres`: A database service used to host authentication (LDAP) data and other datasets as needed by Docker Trusted Registry.
## DTR system management
## Docker Trusted Registry system management
The `docker/trusted-registry` image is used to control the DTR system. This
The `docker/trusted-registry` image is used to control the Docker Trusted Registry system. This
image uses the Docker socket to orchestrate the multiple services that comprise
DTR.
Docker Trusted Registry.
$ sudo bash -c "$(sudo docker run docker/trusted-registry [COMMAND])"
@ -116,23 +116,23 @@ Supported commands are: `install`, `start`, `stop`, `restart`, `pull`, `info`,
### `install`
Install DTR.
Install Docker Trusted Registry.
### `start`
Start DTR containers that are not running.
Start Docker Trusted Registry containers that are not running.
### `stop`
Stop DTR containers that are running.
Stop Docker Trusted Registry containers that are running.
### `restart`
Stop and then start the DTR containers.
Stop and then start the Docker Trusted Registry containers.
### `status`
Display the current running status of only the DTR containers.
Display the current running status of only the Docker Trusted Registry containers.
```
$ sudo bash -c "$(docker run docker/trusted-registry status)"
@ -162,7 +162,7 @@ docker_trusted_registry_auth_server
### `info`
Display the version and info for the Docker daemon, and version and image ID's
of DTR.
of Docker Trusted Registry.
```
@ -240,10 +240,10 @@ and other proprietary information before sending it.
> **Warning:** These diagnostics files may contain secrets that you need to remove
> before passing on - such as raw container log files, Azure storage credentials, or passwords that may be
> sent to non-DTR containers using the `docker run -e PASSWORD=asdf` environment variable
> sent to non-Docker Trusted Registry containers using the `docker run -e PASSWORD=asdf` environment variable
> options.
Stream to STDOUT a zip file containing CSDE and DTR configuration, state, and log
Stream to STDOUT a zip file containing CSDE and Docker Trusted Registry configuration, state, and log
files to help the Docker Enterprise support team:
- your Docker host's `ca-certificates.crt`
@ -251,22 +251,22 @@ files to help the Docker Enterprise support team:
information and log files.
- `dockerEngine/`: the Docker daemon's `info` and `version` output
- `dockerState/`: the Docker daemon's container states, image states, daemon log file, and daemon configuration file
- `dtrlogs/`: the DTR container log files
- `manager/`: the DTR `/usr/local/etc/dtr` DTR configuration directory and DTR manager `info` output. See the [export settings section](#export-settings) for more details.
- `dtrlogs/`: the Docker Trusted Registry container log files
- `manager/`: the Docker Trusted Registry `/usr/local/etc/dtr` configuration directory and manager `info` output. See the [export settings section](#export-settings) for more details.
- `sysinfo/`: Host information
- `errors.txt`: errors and warnings encountered while running diagnostics
### `export-settings`
Export the DTR configuration files for backup or diagnostics use.
Export the Docker Trusted Registry configuration files for backup or diagnostics use.
`$ sudo bash -c "$(docker run docker/trusted-registry export-settings)" > export-settings.tar.gz`
> **Warning:** These diagnostics files may contain secrets that you need to remove
> before passing on - such as Azure storage credentials.
Stream to STDOUT a gzipped tar file containing the DTR configuration files from `/usr/local/etc/dtr/`:
Stream to STDOUT a gzipped tar file containing the Docker Trusted Registry configuration files from `/usr/local/etc/dtr/`:
- `garant.yml`
- `generatedConfigs/nginx.conf`
@ -278,25 +278,24 @@ Stream to STDOUT a gzipped tar file containing the DTR configuration files from
## Client Docker Daemon diagnostics
To debug client Docker daemon communication issues with DTR, we also provide
To debug client Docker daemon communication issues with Docker Trusted Registry, we also provide
a diagnostics tool to be run on the client Docker daemon.
> **Warning:** These diagnostics files may contain secrets that you need to remove
> before passing on - such as raw container log files, Azure storage credentials, or passwords that may be
> sent to non-DTR containers using the `docker run -e PASSWORD=asdf` environment variable
> sent to non-Docker Trusted Registry containers using the `docker run -e PASSWORD=asdf` environment variable
> options.
You can download and run this tool using the following command:
> **Note:** If you supply an administrator username and password, then the
> `diagnostics` tool will also download some logs and configuration data
> from the remote DTR server.
> from the remote Docker Trusted Registry server.
```
$ wget https://dhe.mycompany.com/admin/bin/diagnostics && chmod +x diagnostics
$ sudo ./diagnostics dhe.mycompany.com > enduserDiagnostics.zip
DTR administrator username (provide empty string if there is no admin server authentication):
DTR administrator password (provide empty string if there is no admin server authentication):
DTR administrator password (provide empty string if there is no admin server authentication):
WARN [1.1.0-alpha-001472_g8a9ddb4] Encountered errors running diagnostics errors=[Failed to copy DTR Adminserver's exported settings into ZIP output: "Failed to read next tar header: \"archive/tar: invalid tar header\"" Failed to copy logs from DTR Adminserver into ZIP output: "Failed to read next tar header: \"archive/tar: invalid tar header\"" error running "sestatus": "exit status 127" error running "dmidecode": "exit status 127"]
```
@ -307,19 +306,19 @@ The zip file will contain the following information:
information and log files.
- `dockerEngine/`: the local Docker daemon's `info` and `version` output
- `dockerState/`: the local Docker daemon's container states, image states, log file, and daemon configuration file
- `dtr/`: Remote DTR services information. This directory will only be populated if the user enters a DTR "admin" username and password.
- - `dtr/logs/`: the remote DTR container log files. This directory will only be populated if the user enters a DTR "admin" username and password.
- - `dtr/exportedSettings/`: the DTR manager container's log files and a backup of the `/usr/local/etc/dtr` DTR configuration directory. See the [export settings section](#export-settings) for more details.
- `dtr/`: Remote Docker Trusted Registry services information. This directory will only be populated if the user enters a Docker Trusted Registry "admin" username and password.
- - `dtr/logs/`: the remote Docker Trusted Registry container log files. This directory will only be populated if the user enters a Docker Trusted Registry "admin" username and password.
- - `dtr/exportedSettings/`: the Docker Trusted Registry manager container's log files and a backup of the `/usr/local/etc/dtr` Docker Trusted Registry configuration directory. See the [export settings section](#export-settings) for more details.
- `sysinfo/`: local Host information
- `errors.txt`: errors and warnings encountered while running diagnostics
### Starting and stopping DTR
### Starting and stopping Docker Trusted Registry
If you need to stop and/or start DTR (for upgrading, troubleshooting, etc.), use the following commands:
If you need to stop and/or start Docker Trusted Registry (for upgrading, troubleshooting, etc.), use the following commands:
`sudo bash -c "$(docker run docker/trusted-registry stop)"`
`sudo bash -c "$(docker run docker/trusted-registry start)"`
## Next Steps
For information on installing DTR, take a look at the [Installation instructions]({{< relref "docker-trusted-registry/install.md" >}}).
For information on installing Docker Trusted Registry, take a look at the [Installation instructions]({{< relref "docker-trusted-registry/install.md" >}}).

16
api/dtr_1_3_accounts.md
View File

@ -1,5 +1,5 @@
+++
title = "DTR Accounts API"
title = "Docker Trusted Registry Accounts API"
description = "Docker Trusted Registry 1.3 User and Organization Accounts"
keywords = ["API, Docker, index, REST, documentation, Docker Trusted Registry, registry"]
weight = 61
@ -151,10 +151,10 @@ There is no user restriction on creating a managed user account, however managed
user accounts start out inactive and the user cannot authenticate until an admin
explicitly activates the account using the activate user API endpoint.
This allows the creation of DTR managed namespace reservations by an external
This allows the creation of Docker Trusted Registry managed namespace reservations by an external
service, which can then activate the account when it's been verified by the external service.
DTR auth settings must be in "Managed" mode.
Docker Trusted Registry auth settings must be in "Managed" mode.
Example Request:
@ -191,7 +191,7 @@ Anyone - no authorization required.
### Create a User Account from LDAP
DTR auth settings must be in "ldap" mode.
Docker Trusted Registry auth settings must be in "ldap" mode.
Example Request:
@ -207,9 +207,9 @@ Content-Type: application/json
}
```
The `name` field is the requested username to use in DTR, while `ldapLogin`
The `name` field is the requested username to use in Docker Trusted Registry, while `ldapLogin`
should be the user's LDAP user login attribute. These need only differ if the
user prefers or if the user's LDAP login name is not compatible with valid DTR
user prefers or if the user's LDAP login name is not compatible with valid Docker Trusted Registry
usernames.
Response:
@ -235,7 +235,7 @@ the client provides a valid LDAP login and password.
### Create an Organization Account
DTR auth settings must be in "Managed" or "ldap" mode.
Docker Trusted Registry auth settings must be in "Managed" or "ldap" mode.
Example Request:
@ -337,7 +337,7 @@ which case the `oldPassword` field may be omitted from the request body).
- *400* invalid input. (can be `password too short`)
- *401* client must be authenticated.
- *404* no such account.
- *404* no such account.
- *200* success.
## Activate a Managed User

8
api/dtr_1_3_design_doc.md
View File

@ -1,6 +1,6 @@
+++
title = "DTR API Design document"
description = "DTR 1.3 API Design document"
title = "Docker Trusted Registry API Design document"
description = "Docker Trusted Registry 1.3 API Design document"
draft = true
keywords = ["API, Docker, index, REST, documentation, Docker Trusted Registry, registry"]
[menu.main]
@ -46,7 +46,7 @@ No UI. This release will be API only.
### Design
There are two types of accounts: Users and Organizations. We will be creating a
sense of account-owned namespaces in DTR much like in Docker Hub Registry.
sense of account-owned namespaces in Docker Trusted Registry much like in Docker Hub Registry.
Account-owned (non-global) repositories will have two-component names of the
form `namespace/reponame`.
@ -96,7 +96,7 @@ other organizations team to a team within the owning organization.
- Repositories must be explicitly created using the API. A `docker push` will
not create a repository if it does not exist. This prevents a typo from
creating an unwanted repository in Docker Trusted Registry. This policy
will be globally enforced in DTR 1.3.
will be globally enforced in Docker Trusted Registry 1.3.
- Organizations can only be created by system admins. This should prevent the
proliferation of unwanted organization accounts.

2
api/dtr_1_3_repositories.md
View File

@ -1,5 +1,5 @@
+++
title = "DTR Repository API"
title = "Docker Trusted Registry Repository API"
description = "Docker Trusted Registry 1.3 Repository API"
keywords = ["API, Docker, index, REST, documentation, Docker Trusted Registry, registry"]
weight = 65

2
api/dtr_1_3_team_repo_access.md
View File

@ -1,5 +1,5 @@
+++
title = "DTR Org Repository API"
title = "Docker Trusted Registry Org Repository API"
description = "Docker Trusted Registry 1.3 Organization owned Repository API"
keywords = ["API, Docker, index, REST, documentation, Docker Trusted Registry, registry"]
weight = 68

4
api/dtr_1_3_team_repo_namespace_access.md
View File

@ -1,5 +1,5 @@
+++
title = "DTR Org Namespace API"
title = "Docker Trusted Registry Org Namespace API"
description = "Docker Trusted Registry 1.3 Organization owned Namespace API"
keywords = ["API, Docker, index, REST, documentation, Docker Trusted Registry, registry"]
weight = 69
@ -87,7 +87,7 @@ namespace.
- *400* the namespace is not owned by an organization.
- *403* the client is not authorized.
- *404*
- *404*
- *200* success.
## Get a Team's Granted Access to an Organization-Owned Namespace of Repositories

4
api/dtr_1_3_teams.md
View File

@ -1,5 +1,5 @@
+++
title = "DTR User and Org API"
title = "Docker Trusted Registry User and Org API"
description = "Docker Trusted Registry 1.3 User and Organization Accounts API"
keywords = ["API, Docker, index, REST, documentation, Docker Trusted Registry, registry"]
weight = 62
@ -9,7 +9,7 @@ parent = "smn_dtrapi"
# Docker Trusted Registry 1.3 Teams
As with Docker HUb, DTR teams of users can only exist within an Organization.
As with Docker HUb, Docker Trusted Registry teams of users can only exist within an Organization.
## List Teams in an Organization

2
api/dtr_1_3_user_repo_access.md
View File

@ -1,5 +1,5 @@
+++
title = "DTR User Repository API"
title = "Docker Trusted Registry User Repository API"
description = "Docker Trusted Registry 1.3 User-Owned Repository Acces"
keywords = ["API, Docker, index, REST, documentation, Docker Trusted Registry, registry"]
weight = 66

4
api/dtr_api.md
View File

@ -9,13 +9,13 @@ parent = "mn_reference"
# Docker Trusted Registry APIs
The DTR Accounts & Reps APIs allow you to integrate Docker Trusted Registry (DTR) with your enterprise's
The Docker Trusted Registry Accounts & Reps APIs allow you to integrate Docker Trusted Registry with your enterprise's
organizational structure by providing fine-grained, role-based access control for your repositories.
The following documents detail the API:
- [DTR Accounts & Repos API: Intro & Overview](/docker-trusted-registry/api/)
- [Docker Trusted Registry Accounts & Repos API: Intro & Overview](/docker-trusted-registry/api/)
- [Accounts API Doc]({{< relref "dtr_1_3_accounts.md" >}})
- [Teams API Doc]({{< relref "dtr_1_3_teams.md" >}})
- [Repositories API Doc]({{< relref "dtr_1_3_repositories.md" >}})

22
api/index.md
View File

@ -1,6 +1,6 @@
+++
title = "DTR Accounts & Repos API: Intro & Overview"
description = "Overview of the structure and design of the DTR Accounts & Repos API"
title = "Docker Trusted Registry Accounts & Repos API: Intro & Overview"
description = "Overview of the structure and design of the Docker Trusted Registry Accounts & Repos API"
keywords = ["API, Docker, index, REST, documentation, Docker Trusted Registry, registry"]
[menu.main]
parent = "smn_dtrapi"
@ -10,11 +10,11 @@ parent = "smn_dtrapi"
## Introduction
The Accounts & Repos API lets you integrate Docker Trusted Registry (DTR) with your enterprise's organizational structure by providing fine-grained, role-based access control for your repositories. Specifically, this API provides:
The Accounts & Repos API lets you integrate Docker Trusted Registry with your enterprise's organizational structure by providing fine-grained, role-based access control for your repositories. Specifically, this API provides:
* An API for account management, including creating an account, listing existing accounts, creating a team within an organization, listing teams in an organization, getting a specific team, listing members of a team, adding and removing members from a team (if using a managed whitelist), or editing LDAP syncing configuration.
* Methods for syncing members of a team in DTR with an LDAP group filter configured by an admin.
* Methods for syncing members of a team in Docker Trusted Registry with an LDAP group filter configured by an admin.
* An API for repository management and access control, including creating a repository, listing repositories for an account, adding collaborators to a repository, setting namespace-level access for teams, etc.
@ -22,7 +22,7 @@ The API is designed so that minimal data migration is required, only schema migr
## Overview
This API defines two types of accounts that can own repositories: Users and Organizations. Account-owned (i.e., non-global) repos define a namespace similar to that of the Docker Hub, with two component names in the form `namespace/reponame`.
This API defines two types of accounts that can own repositories: Users and Organizations. Account-owned (i.e., non-global) repos define a namespace similar to that of the Docker Hub, with two component names in the form `namespace/reponame`.
Repositories can be either public or private. Public repositories can be
read by any account in the system, but can only be written to by accounts granted explicit write access. Private repositories cannot be discovered by
@ -31,14 +31,14 @@ repository.
### User accounts
DTR users can create a repository under their own namespace and can control which other users have read-only, read-write, or admin access to any
Docker Trusted Registry users can create a repository under their own namespace and can control which other users have read-only, read-write, or admin access to any
of their repositories.
User owned repositories can only be accessed by the owner and other
individual user accounts, i.e., you cannot grant access to a user-owned
repository to a team of users in an organization. If a repository requires this level of control, consider moving it within an organization namespace.
When the DTR web admin tool is used to assign users global "read-only",
When the Docker Trusted Registry web admin tool is used to assign users global "read-only",
"read-write", or managed "admin" roles, they will have that access level to all
repositories. You can access and modify these roles with the API, using the
`_global` organization. However, you must have admin access in order to view and
@ -73,8 +73,8 @@ other organizations team to a team within the owning organization.
- Repositories must be explicitly created using the API. A `docker push` will
not create a repository if it does not exist. This prevents a typo from
creating an unwanted repository in DTR. This policy will be globally enforced
in DTR 1.3.
creating an unwanted repository in Docker Trusted Registry. This policy will be globally enforced
in Docker Trusted Registry 1.3.
- Organizations can only be created by system admins. This should prevent the
proliferation of unwanted organization accounts.
@ -96,7 +96,7 @@ other organizations team to a team within the owning organization.
they do not belong. In Docker Trusted Registry, teams will be
visible to the members of the organization, but will not be able to see a
teams's members unless they are also a member of that team.
### Authentication
Clients authenticate API requests by providing Basic Auth credentials (
@ -125,7 +125,7 @@ $ curl --user readuser:password https://dtr.domain.com/api/v0/accounts
}
```
> **Note**: If you are using DTR's automatically generated, self-signed SSL
> **Note**: If you are using Docker Trusted Registry's automatically generated, self-signed SSL
> certificate
> then you'll need to add `--insecure` to the curl examples.

94
configuration.md
View File

@ -10,27 +10,27 @@ weight=10
# Configuring DTR
# Configuring Docker Trusted Registry
## Overview
This page will help you properly configure Docker Trusted Registry (DTR) so it can
This page will help you properly configure Docker Trusted Registry so it can
run in your environment.
Start with DTR loaded in your browser and click "Settings" in the global nav
Start with Docker Trusted Registry loaded in your browser and click "Settings" in the global nav
bar at the top of the page to view configuration options. You'll see menus
organizing the options for configuring:
* General Settings (ports, proxies, etc.)
* Security settings
* Storage settings
* Your DTR license
* Your Docker Trusted Registry license
* Authentication settings
> **Note:**
> Saving changes you've made to settings may restart various services, as follows:
> * General settings: full DTR restart
> * License change: full DTR restart
> * General settings: full Docker Trusted Registry restart
> * License change: full Docker Trusted Registry restart
> * SSL change: Nginx reload
> * Storage config: only registries restart
> * Authentication config: no restart
@ -40,19 +40,19 @@ organizing the options for configuring:
![Domain and Ports page</admin/settings#http>](../assets/admin-settings.png)
* *Domain Name*: **required** defaults to an empty string, the fully qualified domain name assigned to the DTR host.
* *Domain Name*: **required** defaults to an empty string, the fully qualified domain name assigned to the Docker Trusted Registry host.
* *HTTP Port*: defaults to 80, used as the entry point for the image storage service. To see load balancer status, you can query
http://&lt;dtr-host&gt;/load_balancer_status.
* *HTTPS Port*: defaults to 443, used as the secure entry point for the image storage service.
* *HTTP proxy*: defaults to an empty string, proxy server for HTTP requests.
* *HTTPS proxy*: defaults to an empty string, proxy server for HTTPS requests.
* *No proxy*: defaults to an empty string, proxy bypass for HTTP and HTTPS requests.
* *Upgrade checking*: enables or disables automatic checking for DTR software updates.
* *Upgrade checking*: enables or disables automatic checking for Docker Trusted Registry software updates.
> **Note**: If you need DTR to re-generate a self-signed certificate at some
> **Note**: If you need Docker Trusted Registry to re-generate a self-signed certificate at some
> point, you'll need to first delete `/usr/local/etc/dtr/ssl/server.pem`, and
> then restart the DTR containers, either by changing and saving the "Domain Name",
> then restart the Docker Trusted Registry containers, either by changing and saving the "Domain Name",
> or using `bash -c "$(docker run docker/trusted-registry restart)"`.
@ -65,15 +65,15 @@ This cert must be accompanied by its private key, entered below.
* *SSL Private Key*: The hash from the private key associated with the provided
SSL Certificate (as a standard x509 key pair).
In order to run, DTR requires encrypted communications via HTTPS/SSL between (a) the DTR registry and your Docker Engine(s), and (b) between your web browser and the DTR admin server. There are a few options for setting this up:
In order to run, Docker Trusted Registry requires encrypted communications via HTTPS/SSL between (a) the Docker Trusted Registry and your Docker Engine(s), and (b) between your web browser and the Docker Trusted Registry admin server. There are a few options for setting this up:
1. You can use the self-signed certificate DTR generates by default.
1. You can use the self-signed certificate Docker Trusted Registry generates by default.
2. You can generate your own certificates using a public service or your enterprise's infrastructure. See the [Generating SSL certificates](#generating-ssl-certificates) section for the options available.
If you are generating your own certificates, you can install them by following the instructions for
[Adding your own registry certificates to DTR](#adding-your-own-registry-certificates-to-dtr).
[Adding your own registry certificates to Docker Trusted Registry](#adding-your-own-registry-certificates-to-dtr).
On the other hand, if you choose to use the DTR-generated certificates, or the
On the other hand, if you choose to use the Docker Trusted Registry-generated certificates, or the
certificates you generate yourself are not trusted by your client Docker hosts,
you will need to do one of the following:
@ -96,19 +96,19 @@ certificate. If your certificates are generated using a globally trusted
Certificate Authority, you won't need to install them on all of your
client Docker daemons.
3. Use the self-signed registry certificate generated by DTR, and install it
3. Use the self-signed registry certificate generated by Docker Trusted Registry, and install it
onto the client Docker daemon hosts as shown below.
### Adding your own Registry certificates to DTR
### Adding your own Registry certificates to Docker Trusted Registry
Whichever method you use to generate certificates, once you have them
you can set up your DTR server to use them by navigating to the "Settings" page,
you can set up your Docker Trusted Registry server to use them by navigating to the "Settings" page,
going to "Security," and putting the SSL Certificate text (including all
intermediate Certificates, starting with the host) into the
"SSL Certificate" edit box, and the previously generated Private key into
the "SSL Private Key" edit box.
Click the "Save" button, and then wait for the DTR Admin site to restart and
Click the "Save" button, and then wait for the Docker Trusted Registry Admin site to restart and
reload. It should now be using the new certificate.
Once the "Security" page has reloaded, it will show `#` hashes instead of the
@ -123,7 +123,7 @@ registry certificates" step below.
If your certificates do not have a trusted Certificate Authority, you will need
to install them on each client Docker daemon host.
The procedure for installing the DTR certificates on each Linux distribution has
The procedure for installing the Docker Trusted Registry certificates on each Linux distribution has
slightly different steps, as shown below.
You can test this certificate using `curl`:
@ -190,7 +190,7 @@ cat /var/lib/boot2docker/server.pem >> /etc/ssl/certs/ca-certificates.crt
```
Then get the certificate from the new DTR server using:
Then get the certificate from the new Docker Trusted Registry server using:
```
$ openssl s_client -connect dtr.yourdomain.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee -a /var/lib/boot2docker/server.pem
@ -215,7 +215,7 @@ or your certificates do not have a global CA, you can configure your Docker daem
`--insecure-registry host-ip|domain-name`, to your client Docker daemon startup flags.
You'll need to restart the Docker daemon for the change to take effect.
This flag means that the communications between your Docker client and the DTR
This flag means that the communications between your Docker client and the Docker Trusted Registry
Registry server are still encrypted, but the client Docker daemon is not
confirming that the Registry connection is not being hijacked or diverted.
@ -271,7 +271,7 @@ Then restart the Docker daemon with `sudo /etc/init.d/docker restart`.
## Image Storage Configuration
DTR image storage can be configured to use the local filesystem, or a cloud service
Docker Trusted Registry image storage can be configured to use the local filesystem, or a cloud service
such as S3 or Azure.
See the [Registry 2.0 configuration](http://docs.docker.com/registry/configuration/)
@ -289,7 +289,7 @@ You can either use the storage specific input boxes to configure the most common
for local filesystem, S3 or Azure storage backends,
or use the full Yaml configuration file upload to have more detailed control.
You can view the current `storage.yaml` file on your DTR Docker host in the `/usr/local/etc/dtr/`
You can view the current `storage.yaml` file on your Docker Trusted Registry Docker host in the `/usr/local/etc/dtr/`
directory.
### Filesystem settings
@ -325,29 +325,29 @@ by the [Registry 2.0](http://docs.docker.com/registry/configuration/).
## Authentication
The "Authentication" settings lets DTR administrators control access
to the DTR web admin tool and to the DTR Registry.
The "Authentication" settings lets Docker Trusted Registry administrators control access
to the Docker Trusted Registry web admin tool and to the Docker Trusted Registry.
The current authentication methods are `None`, `Managed` and `LDAP`.
> **Note**: if you have issues logging into the DTR admin web interface after changing the authentication
> settings, you may need to use the [emergency access to the DTR admin web interface]({{< relref "adminguide.md#emergency-access-to-dtr" >}}).
> **Note**: if you have issues logging into the Docker Trusted Registry admin web interface after changing the authentication
> settings, you may need to use the [emergency access to the Docker Trusted Registry admin web interface]({{< relref "adminguide.md#emergency-access-to-dtr" >}}).
### No authentication
No authentication means that everyone that can access your DTR web administration
No authentication means that everyone that can access your Docker Trusted Registry web administration
site. This is not recommended for any use other than testing.
### Managed authentication
With `Managed` authentication, the DTR admin can control users' access by setting username/password pairs. The admin can then [use the API](/docker-trusted-registry/api/) to give these users global "admin", "read-write" or "read-only" privileges while assigning them Organization, Team or User repository access.
With `Managed` authentication, the Docker Trusted Registry admin can control users' access by setting username/password pairs. The admin can then [use the API](/docker-trusted-registry/api/) to give these users global "admin", "read-write" or "read-only" privileges while assigning them Organization, Team or User repository access.
The "read-only" role can pull all images from the registry, "read-write" can
push and pull all images, and the "admin" role can push and pull and also access
the web administration UI and metrics dashboard.
When you create users and assign their roles via the API, you do not need
to assign those users roles using the DTR admin web UI.
to assign those users roles using the Docker Trusted Registry admin web UI.
![Managed authentication settings page</admin/settings#auth>](../assets/admin-settings-authentication-basic.png)
@ -358,34 +358,34 @@ to assign those users roles using the DTR admin web UI.
### LDAP authentication
Using LDAP authentication allows you to integrate your DTR registry into your
Using LDAP authentication allows you to integrate your Docker Trusted Registry into your
organization's existing LDAP user and authentication database.
To improve the performance of DTR's Access Control Lists, User and Group
membership data is synced into DTR's database at a configurable *LDAP Sync
Interval*. User passwords are not transferred during syncing; DTR will defer to the LDAP server to validate username/password pairs.
To improve the performance of Docker Trusted Registry's Access Control Lists, User and Group
membership data is synced into Docker Trusted Registry's database at a configurable *LDAP Sync
Interval*. User passwords are not transferred during syncing; Docker Trusted Registry will defer to the LDAP server to validate username/password pairs.
> **Note**: LDAP syncing does not create new user accounts or teams in DTR. It
> **Note**: LDAP syncing does not create new user accounts or teams in Docker Trusted Registry. It
> will only manage existing teams that have been specified to sync with LDAP.
> Use the [DTR APIs](/docker-trusted-registry/api/) to create new users and
> Use the [Docker Trusted Registry APIs](/docker-trusted-registry/api/) to create new users and
> teams from your LDAP server.
You can configure the "userFilter" to select the set of users that are candidates
for each of the "admin", global "read-write", and global "read-only" roles. Unlike "Managed"
authentication, the "admin" role is separate from the registry access roles, so
LDAP users in the "admin" role won't have access to DTR images unless they are
LDAP users in the "admin" role won't have access to Docker Trusted Registry images unless they are
also given the "read-write" or "read-only" role.
Alternativly, you can assign
[Organization, Team or User repository roles using the API](/docker-trusted-registry/api/).
Because connecting to LDAP involves existing infrastructure external to DTR and
Docker, you will need to gather the details required to configure DTR for your
Because connecting to LDAP involves existing infrastructure external to Docker Trusted Registry and
Docker, you will need to gather the details required to configure Docker Trusted Registry for your
organization's particular LDAP implementation.
You can test that you have the correct LDAP server information by connecting to
the LDAP server from inside a Docker container running on the same server as
your DTR:
your Docker Trusted Registry:
> **Note**: if the LDAP server is configured to use *StartTLS*, then you need to
> add `-Z` to the `ldapsearch` command examples below.
@ -419,16 +419,16 @@ confirm which setting you need.
* *User Login Attribute*: **required** defaults to null, user login attribute (e.g., - uid or sAMAccountName)
* *Search User DN*: **required** defaults to null, search user DN (e.g., - domain\username)
* *Search User Password*: **required** defaults to null, search user password
* *LDAP Sync Interval*: **required** defaults to 1h0m0s, sets the interval for DTR to sync with the LDAP db.
* *LDAP Sync Interval*: **required** defaults to 1h0m0s, sets the interval for Docker Trusted Registry to sync with the LDAP db.
* *User Search filters*: allows you to configure LDAP queries to limit the users that have the roles:
* * *User Filter*: This filter is used to select the objects to use as candidates for the role filters
* * *Admin Role Filter*: Combined with the "User Filter" to specify users with the
"Admin" role - permitted to access the DTR web UI
"Admin" role - permitted to access the Docker Trusted Registry web UI
* * *Read-Write Role Filter*: Combined with the "User Filter" to specify users permitted to
push images to, and pull images from DTR
push images to, and pull images from Docker Trusted Registry
* * *Read-Only Role Filter*: Combined with the "User Filter" to specify users permitted to
pull images from DTR
pull images from Docker Trusted Registry
> **Note**: While the "role" filters are optional, keep in mind that if they are
> left empty, all users will get those full privileges. In other words, if the
> "admin" filter is left empty, all users will get admin privileges, if the
@ -437,10 +437,10 @@ confirm which setting you need.
#### Confirm login with current configuration
You can test your current LDAP configuration before saving it by entering a test username and password and then clicking "Try Login". If the login succeeds, your configuration is working.
You can test your current LDAP configuration before saving it by entering a test username and password and then clicking "Try Login". If the login succeeds, your configuration is working.
## Next Steps
For information on getting support for DTR, take a look at the
For information on getting support for Docker Trusted Registry, take a look at the
[Support information]({{< relref "support.md" >}}).

40
index.md
View File

@ -10,57 +10,57 @@ parent="smn_dhe"
# Welcome to Docker Trusted Registry
Docker Trusted Registry (DTR) lets you run and manage your own Docker image
Docker Trusted Registry lets you run and manage your own Docker image
storage service, securely on your own infrastructure behind your company
firewall. This allows you to securely store, push, and pull the images used by
your enterprise to build, ship, and run applications. DTR also provides
your enterprise to build, ship, and run applications. Docker Trusted Registry also provides
monitoring and usage information to help you understand the workloads being
placed on it.
Specifically, DTR provides:
Specifically, Docker Trusted Registry provides:
* An image registry to store, manage, and collaborate on Docker images
* Pluggable storage drivers
* Configuration options to let you run DTR in your particular enterprise
* Configuration options to let you run Docker Trusted Registry in your particular enterprise
environment.
* Easy, transparent upgrades
* Logging, usage and system health metrics
DTR is perfect for:
Docker Trusted Registry is perfect for:
* Providing a secure, on-premise development environment
* Creating a streamlined build pipeline
* Building a consistent, high-performance test/QA environment
* Managing image deployment
DTR is built on [version 2 of the Docker registry](https://github.com/docker/distribution).
Docker Trusted Registry is built on [version 2 of the Docker registry](https://github.com/docker/distribution).
To get your copy of DTR, including a free trial, visit [the Docker Subscription page](https://hub-beta.docker.com/enterprise/). For more information on acquiring DTR, see the [install page](/docker-trusted-registry/install/).
To get your copy of Docker Trusted Registry, including a free trial, visit [the Docker Subscription page](https://hub-beta.docker.com/enterprise/). For more information on acquiring Docker Trusted Registry, see the [install page](/docker-trusted-registry/install/).
> **Important**: DTR must be used with the current version of the commercially
> **Important**: Docker Trusted Registry must be used with the current version of the commercially
> supported Docker Engine. You must install this version of Docker before
> installing DTR. For instructions on accessing and installing commercially
> installing Docker Trusted Registry. For instructions on accessing and installing commercially
> supported Docker Engine, visit the [install page](/docker-trusted-registry/install#download-the-commercially-supported-docker-engine-installation-script).
## Available Documentation
The following documentation for DTR is available:
The following documentation for Docker Trusted Registry is available:
* **Overview** This page.
* [**Quick Start: Basic User Workflow**]({{< relref "quick-start.md" >}}) Go here to learn the
fundamentals of how DTR works and how you can set up a simple, but useful
fundamentals of how Docker Trusted Registry works and how you can set up a simple, but useful
workflow.
* [**User Guide**]({{< relref "userguide.md" >}}) Go here to learn about using DTR from day to
* [**User Guide**]({{< relref "userguide.md" >}}) Go here to learn about using Docker Trusted Registry from day to
day.
* [**Administrator Guide**]({{< relref "adminguide.md" >}}) Go here if you are an administrator
responsible for running and maintaining DTR.
responsible for running and maintaining Docker Trusted Registry.
* [**Installation**](/docker-trusted-registry/install/) Go here for the steps you'll need to install
DTR and get it working.
Docker Trusted Registry and get it working.
* [**Configuration**]({{< relref "configuration.md" >}}) Go here to find out details about
setting up and configuring DTR for your particular environment.
* [**Support**](/docker-trusted-registry/install/) Go here for information on getting support for DTR.
* [**The DTR product page**](https://www.docker.com/docker-trusted-registry).
* [**DTR Use Cases page**](https://www.docker.com/products/use-cases) showing an example CI/CD pipeline.
* [**DTR and Docker tutorials and webinars**](https://www.docker.com/products/resources).
setting up and configuring Docker Trusted Registry for your particular environment.
* [**Support**](/docker-trusted-registry/install/) Go here for information on getting support for Docker Trusted Registry.
* [**The Docker Trusted Registry product page**](https://www.docker.com/docker-trusted-registry).
* [**Docker Trusted Registry Use Cases page**](https://www.docker.com/products/use-cases) showing an example CI/CD pipeline.
* [**Docker Trusted Registry and Docker tutorials and webinars**](https://www.docker.com/products/resources).
Note: DTR requires that you use the commercially supported Docker Engine.
Note: Docker Trusted Registry requires that you use the commercially supported Docker Engine.

134
install.md
View File

@ -13,25 +13,25 @@ weight=4
# Install Docker Trusted Registry
This document describes the process of obtaining, installing, and securing
Docker Trusted Registry (DTR). DTR is installed from Docker containers. Once
Docker Trusted Registry . Docker Trusted Registry is installed from Docker containers. Once
installed, you will need to select a method of securing it. This doc will
explain the options you have for security and help you find the resources needed
to configure it according to your chosen method. More configuration details can
be found in the [DTR Configuration page]({{< relref "configuration.md" >}}).
be found in the [Docker Trusted Registry Configuration page]({{< relref "configuration.md" >}}).
Specifically, installation requires completion of these steps, in order:
1. Acquire a license by purchasing DTR or signing up for a trial license.
1. Acquire a license by purchasing Docker Trusted Registry or signing up for a trial license.
2. Install the commercially supported Docker Engine.
3. Install DTR
4. Add your license to your DTR instance
3. Install Docker Trusted Registry
4. Add your license to your Docker Trusted Registry instance
To get your copy of DTR, including a free trial, visit the [Docker Subscription page](https://hub-beta.docker.com/enterprise/).
To get your copy of Docker Trusted Registry, including a free trial, visit the [Docker Subscription page](https://hub-beta.docker.com/enterprise/).
## Licensing
In order to run DTR, you will need to get a license, either by purchasing
DTR or acquiring a trial license. The license will be associated with your free
In order to run Docker Trusted Registry, you will need to get a license, either by purchasing
Docker Trusted Registry or acquiring a trial license. The license will be associated with your free
Docker Hub account or Docker Hub organization (so if you don't have an account,
you'll need to set one up, which can be done at the same time as your license
request). To get your license, visit the [Docker Subscription page](https://hub-beta.docker.com/enterprise/) and select the edition you would like acquire. After completing a brief registration process, follow the steps to
@ -40,7 +40,7 @@ acquire a license.
Once you've acquired your license, you can view or download it by logging in to
Docker Hub, going to your account settings (gear icon at upper right), and then
selecting ["Licenses"](https://hub-beta.docker.com/account/licenses/) from the
top nav bar.
top nav bar.
The Licenses page will display your currently available licenses. Click the cloud icon to download your desired license. You may need to disable any pop-up blocker installed on your browser in order to complete the download.
@ -48,38 +48,38 @@ You can also download the commercially supported Docker Engine packages from thi
## Prerequisites
DTR runs on the following platforms:
Docker Trusted Registry runs on the following platforms:
* Ubuntu 14.04 LTS
* RHEL 7.0 and 7.1
* CentOS 7.1
DTR 1.3.0 requires the following:
Docker Trusted Registry 1.3.0 requires the following:
* Commercially supported Docker Engine, preferably 1.6.2-cs5 or later, running
on a supported host. (See below for instructions on how to install the
commercially supported Docker Engine.)
> **Note:** In order to remain in compliance with your DTR support agreement,
> **Note:** In order to remain in compliance with your Docker Trusted Registry support agreement,
> you **must** use the current version of commercially supported Docker Engine.
> Running the open source version of Engine is **not** supported.
* Your Docker daemon needs to be listening to the Unix socket (the default) so
that it can be bind-mounted into the DTR management containers, allowing
DTR to manage itself and its updates. For this reason, your DTR host will also
that it can be bind-mounted into the Docker Trusted Registry management containers, allowing
Docker Trusted Registry to manage itself and its updates. For this reason, your Docker Trusted Registry host will also
need internet connectivity so it can access the updates.
* Your host also needs to have TCP ports `80` and `443` available for the DTR
* Your host also needs to have TCP ports `80` and `443` available for the Docker Trusted Registry
container port mapping.
* You will also need the Docker Hub user-name and password used when obtaining
the DTR license (or the user-name of an administrator of the Hub organization
the Docker Trusted Registry license (or the user-name of an administrator of the Hub organization
that obtained an Enterprise license).
## Installing the commercially supported Docker Engine
Since DTR is installed using Docker, the commercially supported Docker Engine
**must be** installed first. This is done with an RPM or DEB package, which you access using a script downloaded from your
Since Docker Trusted Registry is installed using Docker, the commercially supported Docker Engine
**must be** installed first. This is done with an RPM or DEB package, which you access using a script downloaded from your
[Docker Hub Licenses page](https://hub-beta.docker.com/account/licenses/).
### Download the commercially supported Docker Engine installation script
@ -154,7 +154,7 @@ CS Docker Engine 1.6.2cs6 contains fixes issues in 1.6.1,
and customers should upgrade to it immediately.
> **Note**: If you have CS Docker Engine 1.6.0 installed, it must be upgraded;
however, due to compatibility issues, [DTR must be upgraded](#upgrading-docker-trusted-registry)
however, due to compatibility issues, [Docker Trusted Registry must be upgraded](#upgrading-docker-trusted-registry)
first.
The CS Docker Engine installation script set up the RHEL/Ubuntu package repositories,
@ -162,8 +162,8 @@ so upgrading the Engine only requires you to run the update commands on your ser
### CentOS 7.1 & RHEL 7.0/7.1 upgrade
The following commands will stop the running DTR, upgrade CS Docker Engine,
and then start DTR again:
The following commands will stop the running Docker Trusted Registry, upgrade CS Docker Engine,
and then start Docker Trusted Registry again:
```
$ sudo bash -c "$(sudo docker run docker/trusted-registry stop)"
@ -174,8 +174,8 @@ and then start DTR again:
### Ubuntu 14.04 LTS upgrade
The following commands will stop the running DTR, upgrade CS Docker Engine,
and then start DTR again:
The following commands will stop the running Docker Trusted Registry, upgrade CS Docker Engine,
and then start Docker Trusted Registry again:
```
$ sudo bash -c "$(sudo docker run docker/trusted-registry stop)"
@ -185,13 +185,13 @@ and then start DTR again:
## Installing Docker Trusted Registry
Once the commercially supported Docker Engine is installed, you can install DTR
itself. DTR is a self-installing application built and distributed using Docker
Once the commercially supported Docker Engine is installed, you can install Docker Trusted Registry
itself. Docker Trusted Registry is a self-installing application built and distributed using Docker
and the [Docker Hub](https://hub-beta.docker.com/). It is able to restart
and reconfigure itself using the Docker socket that is bind-mounted to its
container.
Start installing DTR by running the "docker/trusted-registry" container:
Start installing Docker Trusted Registry by running the "docker/trusted-registry" container:
```
$ sudo bash -c "$(sudo docker run docker/trusted-registry install)"
@ -201,7 +201,7 @@ Start installing DTR by running the "docker/trusted-registry" container:
> ensure that the Bash script is run with full access to the Docker host.
The command will execute a shell script that creates the needed
directories and then runs Docker to pull DTR's images and run its containers.
directories and then runs Docker to pull Docker Trusted Registry's images and run its containers.
Depending on your internet connection, this process may take several minutes to
complete.
@ -257,102 +257,102 @@ Creating container docker_trusted_registry_log_aggregator with docker daemon uni
Starting container docker_trusted_registry_log_aggregator with docker daemon unix:///var/run/docker.sock
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
963ec2a4b047 docker/trusted-registry-nginx:1.1.0 "nginxWatcher" 5 minutes ago Up 5 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp docker_trusted_registry_load_balancer
7eade5529049 docker/trusted-registry-distribution:v2.0.1 "registry /config/st 5 minutes ago Up 5 minutes 5000/tcp docker_trusted_registry_image_storage_0
b968a8a986f9 docker/trusted-registry-distribution:v2.0.1 "registry /config/st 5 minutes ago Up 5 minutes 5000/tcp docker_trusted_registry_image_storage_1
390d9d68a33a docker/trusted-registry-admin-server:1.1.0 "server" 5 minutes ago Up 5 minutes 80/tcp docker_trusted_registry_admin_server
3f8a53dc5f35 docker/trusted-registry-log-aggregator:1.1.0 "log-aggregator" 5 minutes ago Up 5 minutes docker_trusted_registry_log_aggregator
44083421fa16 docker/trusted-registry-garant:1.1.0 "garant /config/gara 5 minutes ago Up 5 minutes docker_trusted_registry_auth_server
c4102adf73dc postgres:9.4.1 "/docker-entrypoint. 5 minutes ago Up 5 minutes 5432/tcp docker_trusted_registry_postgres
963ec2a4b047 docker/trusted-registry-nginx:1.1.0 "nginxWatcher" 5 minutes ago Up 5 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp docker_trusted_registry_load_balancer
7eade5529049 docker/trusted-registry-distribution:v2.0.1 "registry /config/st 5 minutes ago Up 5 minutes 5000/tcp docker_trusted_registry_image_storage_0
b968a8a986f9 docker/trusted-registry-distribution:v2.0.1 "registry /config/st 5 minutes ago Up 5 minutes 5000/tcp docker_trusted_registry_image_storage_1
390d9d68a33a docker/trusted-registry-admin-server:1.1.0 "server" 5 minutes ago Up 5 minutes 80/tcp docker_trusted_registry_admin_server
3f8a53dc5f35 docker/trusted-registry-log-aggregator:1.1.0 "log-aggregator" 5 minutes ago Up 5 minutes docker_trusted_registry_log_aggregator
44083421fa16 docker/trusted-registry-garant:1.1.0 "garant /config/gara 5 minutes ago Up 5 minutes docker_trusted_registry_auth_server
c4102adf73dc postgres:9.4.1 "/docker-entrypoint. 5 minutes ago Up 5 minutes 5432/tcp docker_trusted_registry_postgres
```
Once this process completes, you should be able to manage and configure your DTR
Once this process completes, you should be able to manage and configure your Docker Trusted Registry
instance by pointing your browser to `https://<host-ip>/`.
Your browser will warn you that this is an unsafe site, with a self-signed,
untrusted certificate. This is normal and expected; allow this connection
temporarily.
### Setting the DTR Domain Name
### Setting the Docker Trusted Registry Domain Name
The DTR Administrator site will also warn that the "Domain Name" is not set.
The Docker Trusted Registry Administrator site will also warn that the "Domain Name" is not set.
Select "Settings" from the global nav bar at the top of the page, and then set
the "Domain Name" to the full host-name of your DTR server.
Clicking the "Save and Restart DTR Server" button will generate a new certificate, which will be used
by both the DTR Administrator web interface and the DTR Registry server.
the "Domain Name" to the full host-name of your Docker Trusted Registry server.
Clicking the "Save and Restart Docker Trusted Registry Server" button will generate a new certificate, which will be used
by both the Docker Trusted Registry Administrator web interface and the Docker Trusted Registry server.
After the server restarts, you will again need to allow the connection to the untrusted DTR web admin site.
After the server restarts, you will again need to allow the connection to the untrusted Docker Trusted Registry web admin site.
Lastly, you will see a red warning notifying you that this instance of DTR is
Lastly, you will see a red warning notifying you that this instance of Docker Trusted Registry is
unlicensed. You'll correct this in the next step.
### Add your license
The DTR registry services will not start until you add your license.
The Docker Trusted Registry services will not start until you add your license.
To do that, you'll first download your license from the Docker Hub and then
upload it to your DTR web admin server. Follow these steps:
upload it to your Docker Trusted Registry web admin server. Follow these steps:
1. If needed, log back into the [Docker Hub](https://hub.docker.com)
using the user-name you used when obtaining your license. Go to "Settings" (gear icon, top right) to get to your account settings, and then click on "Licenses" in the top nav bar.
2. You'll see a list of available licenses. Click on the download button to
obtain the license file you'd like to use.
![Download DTR license](../assets/docker-hub-org-enterprise-license.png)
![Download Docker Trusted Registry license](../assets/docker-hub-org-enterprise-license.png)
3. Next, go to your DTR instance in your browser, click on "Settings" in the
3. Next, go to your Docker Trusted Registry instance in your browser, click on "Settings" in the
global nav bar and then click "License" in the Settings nav bar. Click the
"Choose File" button, which will open a standard file browser. Locate and
select the license file you downloaded in step 2, above. Approve the
selection to close the dialog.
![http settings page</admin/settings#license>](../assets/admin-settings-license.png)
4. Click the "Save and restart" button, which will quit DTR and then restart
4. Click the "Save and restart" button, which will quit Docker Trusted Registry and then restart
it, applying the new license.
5. Verify the acceptance of the license by confirming that the "Unlicensed copy"
warning is no longer present.
### Securing DTR
### Securing Docker Trusted Registry
Securing DTR is **required**. You will not be able to push or pull from DTR until you secure it.
Securing Docker Trusted Registry is **required**. You will not be able to push or pull from Docker Trusted Registry until you secure it.
There are several options and methods for securing DTR. For more information,
There are several options and methods for securing Docker Trusted Registry. For more information,
see the [configuration documentation]({{< relref "configuration.md#security" >}})
### Using DTR to push and pull images
### Using Docker Trusted Registry to push and pull images
Now that you have DTR configured with a "Domain Name" and have your client
Now that you have Docker Trusted Registry configured with a "Domain Name" and have your client
Docker daemons configured with the required security settings, you can test your
setup by following the instructions for
[Using DTR to Push and pull images]({{< relref "userguide.md" >}}).
[Using Docker Trusted Registry to Push and pull images]({{< relref "userguide.md" >}}).
### DTR web interface and registry authentication
### Docker Trusted Registry web interface and registry authentication
By default, there is no authentication set on either the DTR web admin
interface or the DTR registry. You can restrict access using an in-DTR
configured set of users (and passwords), or you can configure DTR to use LDAP-
By default, there is no authentication set on either the Docker Trusted Registry web admin
interface or the Docker Trusted Registry. You can restrict access using an in-Docker Trusted Registry
configured set of users (and passwords), or you can configure Docker Trusted Registry to use LDAP-
based authentication.
See [DTR Authentication settings]({{< relref "configuration.md#authentication" >}}) for more
See [Docker Trusted Registry Authentication settings]({{< relref "configuration.md#authentication" >}}) for more
details.
## Upgrading Docker Trusted Registry
DTR has been designed to allow on-the-fly software upgrades. Start by
loading the DTR Dashboard in your browser and clicking "Settings" in the global nav bar. Then click "Updates" in the Settings nav bar. You'll see the currently installed version and a message telling you that the version is either current or that there is an update available.
Docker Trusted Registry has been designed to allow on-the-fly software upgrades. Start by
loading the Docker Trusted Registry Dashboard in your browser and clicking "Settings" in the global nav bar. Then click "Updates" in the Settings nav bar. You'll see the currently installed version and a message telling you that the version is either current or that there is an update available.
If there is an update available, you will see the message "System Update
Available" and a button labeled "Update to Version X.XX". Click the button to
start the update process. To update, DTR will pull new DTR container images from
the Docker Hub. If you have not already connected to Docker Hub, DTR will prompt
start the update process. To update, Docker Trusted Registry will pull new Docker Trusted Registry container images from
the Docker Hub. If you have not already connected to Docker Hub, Docker Trusted Registry will prompt
you to log in.
The upgrade process requires a small amount of downtime to complete. To complete
the upgrade, DTR will:
the upgrade, Docker Trusted Registry will:
* Connect to the Docker Hub to pull new container images with the new version of
DTR.
Docker Trusted Registry.
* Deploy those containers
* Shut down the old containers
* Resolve any necessary links/urls.
@ -362,12 +362,12 @@ should complete within a few minutes.
You should now [upgrade CS Docker Engine](#upgrading-the-commercially-supported-docker-engine) if needed.
> **Note**: If Docker engine is upgraded first (DTR 1.1 on CS Docker Engine 1.6.1),
> DTR can still be upgraded from the command line by running:
> **Note**: If Docker engine is upgraded first (Docker Trusted Registry 1.1 on CS Docker Engine 1.6.1),
> Docker Trusted Registry can still be upgraded from the command line by running:
>
> `sudo bash -c "$(sudo docker run docker/trusted-registry:1.1.0 upgrade 1.1.1)"`
## Next Steps
For information on configuring DTR for your environment, take a look at the
For information on configuring Docker Trusted Registry for your environment, take a look at the
[Configuration instructions]({{< relref "configuration.md" >}}).

138
installAWS.md
View File

@ -13,21 +13,21 @@ weight=5
# Installing Docker Trusted Registry in Amazon Web Services (AWS)
This Quick Start Guide gives you a hands-on look at how to install and use the Docker Trusted Registry (DTR) in an Amazon Web Services Virtual Private Cloud (AWS-VPC) environment. Specifically, this guide demonstrates the process of installing DTR via an Amazon Machine Image (AMI), performing basic configuration, and then accessing images on the DTR server from within your AWS VPC.
This Quick Start Guide gives you a hands-on look at how to install and use the Docker Trusted Registry in an Amazon Web Services Virtual Private Cloud (AWS-VPC) environment. Specifically, this guide demonstrates the process of installing Docker Trusted Registry via an Amazon Machine Image (AMI), performing basic configuration, and then accessing images on the Docker Trusted Registry server from within your AWS VPC.
This guide walks you through the following steps:
1. Launch the DTR EC2 Host in AWS
1. Launch the Docker Trusted Registry EC2 Host in AWS
2. Configure the AWS components
3. Connect to the DTR EC2 Host
4. Manage DTR via the web administration interface
3. Connect to the Docker Trusted Registry EC2 Host
4. Manage Docker Trusted Registry via the web administration interface
5. Complete a Docker image workflow (push and pull images)
This guide refers to two major components of a DTR implementation in AWS:
This guide refers to two major components of a Docker Trusted Registry implementation in AWS:
1. The "DTR EC2 Host". This is the Linux VM running in AWS that hosts the containers required to run DTR Registry Service.
1. The "Docker Trusted Registry EC2 Host". This is the Linux VM running in AWS that hosts the containers required to run Docker Trusted Registry Service.
2. The "DTR Registry Service". This is the private Docker Registry service that runs on the DTR EC2 Host.
2. The "Docker Trusted Registry Service". This is the private Docker Registry service that runs on the Docker Trusted Registry EC2 Host.
You should be able to complete this guide in about thirty minutes.
@ -40,35 +40,35 @@ You should be able to complete this guide in about thirty minutes.
To complete this guide, you'll need:
* The Docker Hub user-name and password used to obtain the Docker Subscription licenses
* A DTR license key. Either a purchased license or a trial license will work
* A Docker Trusted Registry license key. Either a purchased license or a trial license will work
* A commercially supported Docker Engine running within AWS
* An AWS account with the ability to launch EC2 instances
* The ability to modify Security Groups and Network ACLs in your AWS VPC
* Familiarity with how to manage resources in an AWS VPC.
* Familiarity with how to manage resources in an AWS VPC.
## Launching the DTR EC2 Host in AWS
## Launching the Docker Trusted Registry EC2 Host in AWS
First, retrieve a copy of the DTR AMI from the AWS Marketplace. Do this by launching a new EC2 instance from your “EC2 Dashboard” by clicking the blue “Launch Instance” button.
First, retrieve a copy of the Docker Trusted Registry AMI from the AWS Marketplace. Do this by launching a new EC2 instance from your “EC2 Dashboard” by clicking the blue “Launch Instance” button.
Choose “AWS Marketplace” from the resulting screen, and type "Docker Trusted Registry" into the “Search AWS Marketplace Products” search box.
> **Note**: Currently, the DTR AMI is only available for Ubuntu 14.04 LTS.
> **Note**: Currently, the Docker Trusted Registry AMI is only available for Ubuntu 14.04 LTS.
Select the DTR AMI you wish to retrieve, and then select the instance-type based on your requirements. Then choose the option “Next: Configure Instance Details”.
Select the Docker Trusted Registry AMI you wish to retrieve, and then select the instance-type based on your requirements. Then choose the option “Next: Configure Instance Details”.
At this point you must configure the DTR EC2 Host according to the requirements of your particular environment. When doing so, consider the following:
At this point you must configure the Docker Trusted Registry EC2 Host according to the requirements of your particular environment. When doing so, consider the following:
* If you want your DTR EC2 Host to be accessible from the internet, you will need to assign it an Elastic IP or a Public IP.
* You may also wish to Tag the DTR instance with meaningful name.
* If you want your Docker Trusted Registry EC2 Host to be accessible from the internet, you will need to assign it an Elastic IP or a Public IP.
* You may also wish to Tag the Docker Trusted Registry instance with meaningful name.
The DTR EC2 Host is managed over SSH, whereas the DTR Registry Service is managed over HTTPS. When launching the AMI for the first time, the wizard will prompt you to create a new “Security Group” with rules that allow SSH, HTTP, and HTTPS already created.
The Docker Trusted Registry EC2 Host is managed over SSH, whereas the Docker Trusted Registry Service is managed over HTTPS. When launching the AMI for the first time, the wizard will prompt you to create a new “Security Group” with rules that allow SSH, HTTP, and HTTPS already created.
> **Note**: Make sure that you are launching your DTR EC2 Host in the correct
> **Note**: Make sure that you are launching your Docker Trusted Registry EC2 Host in the correct
> Region, VPC, and subnet.
Once you are satisfied with your DTR EC2 Host's configuration details, click “Launch”.
Once you are satisfied with your Docker Trusted Registry EC2 Host's configuration details, click “Launch”.
You will now be prompted to associate the DTR EC2 Host with a key pair. If you already have a key pair you would like to use, select it from the drop-down list of available key pairs and check the "Acknowledge" check-box. This will enable the “Launch Instances” button.
You will now be prompted to associate the Docker Trusted Registry EC2 Host with a key pair. If you already have a key pair you would like to use, select it from the drop-down list of available key pairs and check the "Acknowledge" check-box. This will enable the “Launch Instances” button.
If you do not have an existing key pair, choose “Create a new key pair” from the first drop-down list, give the key pair a meaningful name, and click the “Download Key Pair” button. This will enable the “Launch Instances” button.
@ -76,109 +76,109 @@ When creating a new key pair, clicking the “Download Key Pair” button initia
Next, click the “Launch Instances” button.
Your DTR EC2 Host will launch; you can view its status on the “Instances” page of your “EC2 Dashboard”. It may take a minute or two for your DTR EC2 Host to reach the running state.
Your Docker Trusted Registry EC2 Host will launch; you can view its status on the “Instances” page of your “EC2 Dashboard”. It may take a minute or two for your Docker Trusted Registry EC2 Host to reach the running state.
## Configuring AWS Components
Now that you have a DTR EC2 Host up and running, you'll customize it to integrate with your infrastructure.
Now that you have a Docker Trusted Registry EC2 Host up and running, you'll customize it to integrate with your infrastructure.
Start by configuring your AWS VPC to allow SSH and HTTP/HTTPS traffic to your DTR EC2 Host.
Start by configuring your AWS VPC to allow SSH and HTTP/HTTPS traffic to your Docker Trusted Registry EC2 Host.
### Allowing SSH and HTTP/HTTPS access to your DTR instance
### Allowing SSH and HTTP/HTTPS access to your Docker Trusted Registry instance
There are two places where you need to enable SSH and HTTP/HTTPS traffic:
1. All Security Groups associated with your DTR EC2 Host
2. The Network ACL associated with the subnet in which your DTR EC2 Host is running
1. All Security Groups associated with your Docker Trusted Registry EC2 Host
2. The Network ACL associated with the subnet in which your Docker Trusted Registry EC2 Host is running
#### Security Group configuration
> **Note**: If you configured the Security Group associated with your DTR EC2
> **Note**: If you configured the Security Group associated with your Docker Trusted Registry EC2
> Host to allow SSH and HTTP/HTTPS traffic when creating the instance, you can
> skip ahead to the next section and configure the Network ACL.
All Security Groups associated with your DTR instance will need to allow SSH and HTTP/HTTPS traffic.
To ensure this, select your DTR EC2 Host in your “EC2 dashboard” and click “view rules” from the “Description” tab as shown below. Three rules allowing TCP ports 22, 80, and 443 need to be present.
All Security Groups associated with your Docker Trusted Registry instance will need to allow SSH and HTTP/HTTPS traffic.
To ensure this, select your Docker Trusted Registry EC2 Host in your “EC2 dashboard” and click “view rules” from the “Description” tab as shown below. Three rules allowing TCP ports 22, 80, and 443 need to be present.
Any rule with a Source of "0.0.0.0/0" will allow any host from any network to connect over that protocol. This works but is not secure. For improved security, you should specify the IP address, or the network, that your management hosts are on.
#### Network ACL configuration
The Network ACL associated with the subnet where your DTR EC2 Host is running needs to allow inbound SSH and HTTP/HTTPS traffic.
The Network ACL associated with the subnet where your Docker Trusted Registry EC2 Host is running needs to allow inbound SSH and HTTP/HTTPS traffic.
To ensure this, go to your “VPC Dashboard” and select the subnet that your DTR EC2 Host is running in from the list of available subnets. Then select the “Network ACL” tab. Three rules (allowing TCP ports 22, 80, and 443) need to be present in the “Inbound” section. These rules must appear above the default “DENY” rule.
To ensure this, go to your “VPC Dashboard” and select the subnet that your Docker Trusted Registry EC2 Host is running in from the list of available subnets. Then select the “Network ACL” tab. Three rules (allowing TCP ports 22, 80, and 443) need to be present in the “Inbound” section. These rules must appear above the default “DENY” rule.
> **Note**: An ALLOW rule allowing “All Traffic” on “ALL” protocols, on “ALL”
> ports will allow the necessary SSH and HTTP/HTTPS traffic. However, it is more
> secure to create specific rules that only allow specific traffic types.
If you have not given your subnets meaningful names, you may need to obtain the “Subnet ID” in which your DTR EC2 Host is running. Youll find it on the “Instance” pane of the your “EC2 Dashboard”. From here you can select your DTR EC2 Host and obtain its Subnet ID from the “Description” tab. Make a note of the Subnet ID and use it to locate the correct Subnet ID from the “VPC Dashboard”.
If you have not given your subnets meaningful names, you may need to obtain the “Subnet ID” in which your Docker Trusted Registry EC2 Host is running. Youll find it on the “Instance” pane of the your “EC2 Dashboard”. From here you can select your Docker Trusted Registry EC2 Host and obtain its Subnet ID from the “Description” tab. Make a note of the Subnet ID and use it to locate the correct Subnet ID from the “VPC Dashboard”.
You must also make sure that appropriate outbound rules exist in the Network ACL. Commonly, outbound Network ACL rules allow all traffic. However, if your network security policy does not allow this, you will need to create rules that conform to your policy.
## Connecting to the DTR EC2 Host
## Connecting to the Docker Trusted Registry EC2 Host
Now that you have configured Security Group and Network ACL rules, you can connect to the DTR EC2 Host over SSH using the key pair associated with the instance and your “ec2-user” username. Beyond this, the DTR AMI does not require any manual configuration in order to work for this quick start guide, so we won't be discussing further configuration of the DTR EC2 Host.
Now that you have configured Security Group and Network ACL rules, you can connect to the Docker Trusted Registry EC2 Host over SSH using the key pair associated with the instance and your “ec2-user” username. Beyond this, the Docker Trusted Registry AMI does not require any manual configuration in order to work for this quick start guide, so we won't be discussing further configuration of the Docker Trusted Registry EC2 Host.
When connecting to the DTR EC2 Host, you will need its DNS name or IP address. This information can be obtained from the “Description” tab of your DTR EC2 Host in your “EC2 Dashboard”. EC2 instances can have the following IP addresses:
When connecting to the Docker Trusted Registry EC2 Host, you will need its DNS name or IP address. This information can be obtained from the “Description” tab of your Docker Trusted Registry EC2 Host in your “EC2 Dashboard”. EC2 instances can have the following IP addresses:
* Private IP (accessible only from within your AWS VPC, as well as from networks connected to your VPC)
* Public IP (accessible from the internet, but will change when the DTR EC2 Host is rebooted)
* Elastic IP (accessible from the internet and will not change when the DTR EC2 Host is rebooted)
* Public IP (accessible from the internet, but will change when the Docker Trusted Registry EC2 Host is rebooted)
* Elastic IP (accessible from the internet and will not change when the Docker Trusted Registry EC2 Host is rebooted)
If you want to manage your DTR instance from within your AWS VPC, choose the Private DNS or Private IP address.
If you want to manage your Docker Trusted Registry instance from within your AWS VPC, choose the Private DNS or Private IP address.
If you want to manage your DTR instance over the internet, choose its Public DNS, Elastic IP, or Public IP address.
If you want to manage your Docker Trusted Registry instance over the internet, choose its Public DNS, Elastic IP, or Public IP address.
## Managing the DTR Registry Service via the Administration web interface
## Managing the Docker Trusted Registry Service via the Administration web interface
You can now manage the DTR Registry Service via its Administration web interface over HTTPS. To connect, open a web browser and connect to the DNS name or IP address of your DTR EC2 Host.
You can now manage the Docker Trusted Registry Service via its Administration web interface over HTTPS. To connect, open a web browser and connect to the DNS name or IP address of your Docker Trusted Registry EC2 Host.
> **Note**: Connecting to the DTR Registry Service Administration web interface using the default, self-signed certificate will result in a browser warning. This is expected behavior, you can ignore the warning.
> **Note**: Connecting to the Docker Trusted Registry Service Administration web interface using the default, self-signed certificate will result in a browser warning. This is expected behavior, you can ignore the warning.
Be sure to connect using the correct DNS name or IP address. E.g., if connecting from within AWS, use the Private DNS or Private IP. If connecting from over the internet, use the Public DNS, Public IP, or Elastic IP.
> **Note**: By default, traffic to port 80 and 443 of your DTR EC2 Host is
> automatically redirected to the DTR Registry Service Administration web
> **Note**: By default, traffic to port 80 and 443 of your Docker Trusted Registry EC2 Host is
> automatically redirected to the Docker Trusted Registry Service Administration web
> interface.
You can perform most DTR management tasks, including updating DTR, from the DTR Administration web interface. But first, two initial tasks must be completed:
You can perform most Docker Trusted Registry management tasks, including updating Docker Trusted Registry, from the Docker Trusted Registry Administration web interface. But first, two initial tasks must be completed:
1. Configure the Domain Name of your DTR server
2. License your DTR server
1. Configure the Domain Name of your Docker Trusted Registry server
2. License your Docker Trusted Registry server
To configure the Domain Name, click “Settings” > “HTTP”, and enter the DNS name of your DTR server in the text box titled “Domain Name”. In order to use the DTR Registry Service to push and pull Docker images from within AWS, you will want to use the AWS Private DNS name.
To configure the Domain Name, click “Settings” > “HTTP”, and enter the DNS name of your Docker Trusted Registry server in the text box titled “Domain Name”. In order to use the Docker Trusted Registry Service to push and pull Docker images from within AWS, you will want to use the AWS Private DNS name.
After configuring the Domain Name, restart DTR by clicking the “Save and Restart DTR Server” button.
After configuring the Domain Name, restart Docker Trusted Registry by clicking the “Save and Restart Docker Trusted Registry Server” button.
> **Note**: Changing the Domain Name property of your DTR server will generate a
> new self-signed certificate that is used by the DTR Administration web
> interface and the DTR server. Therefore, you will receive another certificate
> warning the first time you connect to the DTR Administration web interface
> **Note**: Changing the Domain Name property of your Docker Trusted Registry server will generate a
> new self-signed certificate that is used by the Docker Trusted Registry Administration web
> interface and the Docker Trusted Registry server. Therefore, you will receive another certificate
> warning the first time you connect to the Docker Trusted Registry Administration web interface
> after changing its Domain Name. This is expected behavior, you can ignore the > warning.
To license your DTR Registry Service, click “Settings” > “License” and then click “Upload License”. Your license will normally be available for download from your Docker Hub account under “Settings” > “Enterprise Licenses”.
To license your Docker Trusted Registry Service, click “Settings” > “License” and then click “Upload License”. Your license will normally be available for download from your Docker Hub account under “Settings” > “Enterprise Licenses”.
Once your license is uploaded, restart DTR by clicking the “Save and Restart DTR Server” button. This completes the basic configuration of DTR. You can now start using it as an image Registry.
Once your license is uploaded, restart Docker Trusted Registry by clicking the “Save and Restart Docker Trusted Registry Server” button. This completes the basic configuration of Docker Trusted Registry. You can now start using it as an image Registry.
## Docker Image Workflow
This section will walk you through the process of pushing and pulling images to and from your DTR server from another EC2 instance within your AWS VPC, from a peer VPC, or from a remote location connected via VPN. As such, this guide will use the Private DNS name of the DTR EC2 Host when tagging and pushing the image.
This section will walk you through the process of pushing and pulling images to and from your Docker Trusted Registry server from another EC2 instance within your AWS VPC, from a peer VPC, or from a remote location connected via VPN. As such, this guide will use the Private DNS name of the Docker Trusted Registry EC2 Host when tagging and pushing the image.
To complete this section you will need two EC2 instances:
1. The DTR EC2 Host you have already built and configured
1. The Docker Trusted Registry EC2 Host you have already built and configured
2. A Docker client EC2 instance running commercially supported versions of [Docker Engine](https://www.docker.com/compatibility-maintenance) with at least one image stored locally.
The instructions in this section of the guide will assume the Docker client has a local Docker image called "jenkins", and that the DTR Registry Service has the following DNS name "ip-10-0-0-117.us-west-2.compute.internal". Your image name and DNS name for your DTR Registry Service will be different, so you will need to replace these values with the appropriate values for your environment.
The instructions in this section of the guide will assume the Docker client has a local Docker image called "jenkins", and that the Docker Trusted Registry Service has the following DNS name "ip-10-0-0-117.us-west-2.compute.internal". Your image name and DNS name for your Docker Trusted Registry Service will be different, so you will need to replace these values with the appropriate values for your environment.
> **Note**: Push and pull traffic to a DTR Registry Service is encrypted using
> SSL certificates. By default, DTR installs with a self-signed certificate
> **Note**: Push and pull traffic to a Docker Trusted Registry Service is encrypted using
> SSL certificates. By default, Docker Trusted Registry installs with a self-signed certificate
> which you will need to either: (a) configure your Docker hosts to trust, or
> (b) configure your Docker hosts to ignore by using the `--insecure-registry`
> flag. Alternatively, you can generate and use your own SSL certificates.
> flag. Alternatively, you can generate and use your own SSL certificates.
### Pushing an image to DTR Registry Service
### Pushing an image to Docker Trusted Registry Service
From the command line of the Docker client, run the following:
@ -191,7 +191,7 @@ docker images
> **Note**: Depending on your configuration, you may need to prefix your Docker commands with `sudo`.
You will now tag the local Jenkins image to associate it with a repo in your newly built DTR server. To do this, type the following:
You will now tag the local Jenkins image to associate it with a repo in your newly built Docker Trusted Registry server. To do this, type the following:
`docker tag jenkins ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img`
This will tag a version of the local Jenkins image so that it can be stored in the "ip-10-0-0-117.us-2.compute.internal" registry in a repository called "ci-infrastructure" with the name "jnkns-img".
@ -206,7 +206,7 @@ ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img latest
```
Now that the image is tagged, it can be pushed to DTR with the following command:
Now that the image is tagged, it can be pushed to Docker Trusted Registry with the following command:
```
@ -224,15 +224,15 @@ Digest: sha256:1bf8c96ca484290178064e448ea69a55caa52f53ea7e279ff66f5c66625aff43
```
From the “System Health" page of the DTR Administration web interface, you can view stats from your DTR Registry Service, including network throughput. The image below shows spikes in network throughput (related to the image_storage_1 image store) generated while the image was being pushed.
From the “System Health" page of the Docker Trusted Registry Administration web interface, you can view stats from your Docker Trusted Registry Service, including network throughput. The image below shows spikes in network throughput (related to the image_storage_1 image store) generated while the image was being pushed.
Your tagged image is now stored in the DTR Registry.
Your tagged image is now stored in the Docker Trusted Registry.
### Pulling an image from your DTR Registry Service
### Pulling an image from your Docker Trusted Registry Service
Now that your image is stored in your DTR Registry, you can pull that image from any supported Docker host that has access to the Registry.
Now that your image is stored in your Docker Trusted Registry, you can pull that image from any supported Docker host that has access to the Registry.
From a Docker Host that has access to the DTR server, run the following to pull the image locally:
From a Docker Host that has access to the Docker Trusted Registry server, run the following to pull the image locally:
```
docker pull ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img

26
prior-release-notes.md
View File

@ -12,38 +12,38 @@ weight=101
# Release Notes
## Docker Trusted Registry (DTR)
## Docker Trusted Registry
### DTR 1.1.0
### Docker Trusted Registry 1.1.0
(23 June 2015)
This release of DTR (formerly DHE) adds major integration with the AWS and Azure marketplaces, giving customers a smoother installation path. DTR 1.1 also adds finer-grained permissions and improvements and additions to the UI and logging. Bugs in LDAP/AD integration have also been remediated, improving the stability and usability of DTR. See below for specifics.
This release of Docker Trusted Registry (formerly DHE) adds major integration with the AWS and Azure marketplaces, giving customers a smoother installation path. Docker Trusted Registry 1.1 also adds finer-grained permissions and improvements and additions to the UI and logging. Bugs in LDAP/AD integration have also been remediated, improving the stability and usability of Docker Trusted Registry. See below for specifics.
#### New Features
* New, more granular, [roles for users]({{< relref "configuration.md#authentication" >}}). DTR users can now be assigned different levels of access (admin, r/w, r/o) to the repositories. **Important:** Existing DTR users should make sure to see the note [below](#dhe-1-0-upgrade-warning) regarding migrating users before upgrading.
* New, more granular, [roles for users]({{< relref "configuration.md#authentication" >}}). Docker Trusted Registry users can now be assigned different levels of access (admin, r/w, r/o) to the repositories. **Important:** Existing Docker Trusted Registry users should make sure to see the note [below](#dhe-1-0-upgrade-warning) regarding migrating users before upgrading.
* A new storage status indicator for storage space. The dashboard now shows used and available storage space for supported storage drivers.
* A new [diagnostics tool]({{< relref "adminguide.md#client-docker-daemon-diagnostics" >}}) gathers and bundles DTR logs, system information, container information, and other configuration settings for use by Docker support or as a backup.
* A new [diagnostics tool]({{< relref "adminguide.md#client-docker-daemon-diagnostics" >}}) gathers and bundles Docker Trusted Registry logs, system information, container information, and other configuration settings for use by Docker support or as a backup.
* Performance and reliability improvements to the S3 storage backend.
* DTR images are now available on the Amazon AWS and Microsoft Azure marketplaces.
* Docker Trusted Registry images are now available on the Amazon AWS and Microsoft Azure marketplaces.
#### Fixes
The following notable issues have been remediated:
* Fixed an issue that caused DTR logins to fail if some LDAP servers were unreachable.
* Fixed a resource leak in DTR storage.
* Fixed an issue that caused Docker Trusted Registry logins to fail if some LDAP servers were unreachable.
* Fixed a resource leak in Docker Trusted Registry storage.
#### DHE 1.0 Upgrade Warning
Customers who are currently using DHE 1.0 **must** follow the [upgrading instructions](https://forums.docker.com/t/upgrading-docker-hub-enterprise-to-docker-trusted-registry/1925) in our support Knowledge Base. These instructions will show you how to modify existing authentication data and storage volume settings to move to DTR. Note that automatic upgrading has been disabled for DHE users because of these issues.
Customers who are currently using DHE 1.0 **must** follow the [upgrading instructions](https://forums.docker.com/t/upgrading-docker-hub-enterprise-to-docker-trusted-registry/1925) in our support Knowledge Base. These instructions will show you how to modify existing authentication data and storage volume settings to move to Docker Trusted Registry. Note that automatic upgrading has been disabled for DHE users because of these issues.
### DTR 1.0.1
### Docker Trusted Registry 1.0.1
(11 May 2015)
- Addresses compatibility issue with 1.6.1 CS Docker Engine
### DTR 1.0.0
### Docker Trusted Registry 1.0.0
(23 Apr 2015)
- First release
@ -139,8 +139,8 @@ This parameter cannot be passed to the `docker build` command.
#### **Upgrade notes**
When upgrading, make sure you stop DTR first, perform the Engine upgrade, and
then restart DTR.
When upgrading, make sure you stop Docker Trusted Registry first, perform the Engine upgrade, and
then restart Docker Trusted Registry.
If you are running with SELinux enabled, previous Docker Engine releases allowed
you to bind-mount additional volumes or files inside the container as follows:

49
quick-start.md
View File

@ -16,16 +16,16 @@ weight=1
## Overview
This Quick Start Guide will give you a hands-on look at the basics of using
Docker Trusted Registry (DTR), Dockers on-premise image storage application.
This guide will walk you through using DTR to complete a typical, and critical,
Docker Trusted Registry, Docker's on-premise image storage application.
This guide will walk you through using Docker Trusted Registry to complete a typical, and critical,
part of building a development pipeline: setting up a Jenkins instance. Once you
complete the task, you should have a good idea of how DTR works and how it might
complete the task, you should have a good idea of how Docker Trusted Registry works and how it might
be useful to you.
Specifically, this guide demonstrates the process of retrieving the
[official Docker image for Jenkins](https://registry.hub.docker.com/_/jenkins/),
customizing it to suit your needs, and then hosting it on your private instance
of DTR located inside your enterprises firewalled environment. Your developers
of Docker Trusted Registry located inside your enterprises firewalled environment. Your developers
will then be able to retrieve the custom Jenkins image in order to use it to
build CI/CD infrastructure for their projects, no matter the platform they're
working from, be it a laptop, a VM, or a cloud provider.
@ -34,19 +34,18 @@ The guide will walk you through the following steps:
1. Pulling the official Jenkins image from the public Docker Hub
2. Customizing the Jenkins image to suit your needs
3. Pushing the customized image to DTR
4. Pulling the customized image from DTR
3. Pushing the customized image to Docker Trusted Registry
4. Pulling the customized image from Docker Trusted Registry
4. Launching a container from the custom image
5. Using the new Jenkins container
You should be able to complete this guide in about thirty minutes.
> **Note:** This guide assumes you have installed a working instance of DTR
> **Note:** This guide assumes you have installed a working instance of Docker Trusted Registry
> reachable at dtr.yourdomain.com. If you need help installing and configuring
> DTR, please consult the
> Docker Trusted Registry, please consult the
[installation instructions]({{< relref "docker-trusted-registry/install.md" >}}).
## Pulling the official Jenkins image
> **Note:** This guide assumes you are familiar with basic Docker concepts such
@ -102,7 +101,7 @@ image, you need to:
All of the above files need to be in the same directory as the Dockerfile you
will create in the next step.
1. Create a build directory called `build`, and change to that new directory:
1. Create a build directory called `build`, and change to that new directory:
$ mkdir build && cd build
@ -120,7 +119,7 @@ line:
> access to existing keys. If you don't have access, or can't generate keys
> yourself, feel free to skip the steps involving them and HTTPS config. The
> guide will still walk you through building a custom Jenkins image and pushing
> and pulling that image using DTR.
> and pulling that image using Docker Trusted Registry.
### Creating a Dockerfile
@ -189,8 +188,8 @@ Please note the use of the `-t` flag in the `docker build` command above. The
`-t` flag lets you tag an image so it can be pushed to a custom repository. In
the example above, the new image is tagged so it can be pushed to the
`ci-infrastructure` repository within the `dtr.yourdomain.com` registry (your
local DTR instance). This will be important when you need to `push` the
customized image to DTR later.
local Docker Trusted Registry instance). This will be important when you need to `push` the
customized image to Docker Trusted Registry later.
A `docker images` command will now show the custom image alongside the Jenkins
image pulled earlier:
@ -202,7 +201,7 @@ image pulled earlier:
## Pushing to Docker Trusted Registry
> **Note**: If your DTR instance has authentication enabled, you will need to
> **Note**: If your Docker Trusted Registry instance has authentication enabled, you will need to
> use your command line to `docker login <dtr-hostname>` (e.g., `docker login
> dtr.yourdomain.com`).
>
@ -222,7 +221,7 @@ image pulled earlier:
> ?scope=repository%3Ahello-world%3Apull%2Cpush&service=dtr.yourdomain.com
> request failed with status: 401 Unauthorized
Now that youve created the custom image, it can be pushed to DTR using the
Now that youve created the custom image, it can be pushed to Docker Trusted Registry using the
[`docker push` command](https://docs.docker.com/reference/commandline/push):
$ docker push dtr.yourdomain.com/ci-infrastructure/jnkns-img
@ -233,18 +232,18 @@ Now that youve created the custom image, it can be pushed to DTR using the
492ed3875e3e: Image successfully pushed
fc0ab3008d40: Image successfully pushed
You can view the traffic throughput from the custom image being pushed, by selecting `Network` from the `Load Balancer` tile on the DTR Dashboard:
You can view the traffic throughput from the custom image being pushed, by selecting `Network` from the `Load Balancer` tile on the Docker Trusted Registry Dashboard:
![](http://i.imgur.com/8KlHj9u.png)
![DTR console push throughput](../assets/console-push.png)
![Docker Trusted Registry console push throughput](../assets/console-push.png)
Once the image is successfully pushed, it can be downloaded, or pulled, by any
Docker host that has access to DTR.
Docker host that has access to Docker Trusted Registry.
## Pulling from Docker Trusted Registry
To pull the `jnkns-img` image from DTR, run the
To pull the `jnkns-img` image from Docker Trusted Registry, run the
[`docker pull`](https://docs.docker.com/reference/commandline/pull)
command from any Docker Host that has access to your DTR instance:
command from any Docker Host that has access to your Docker Trusted Registry instance:
$ docker pull dtr.yourdomain.com/ci-infrastructure/jnkns-img
latest: Pulling from dtr.yourdomain.com/ci-infrastructure/jnkns-img
@ -257,9 +256,9 @@ command from any Docker Host that has access to your DTR instance:
dtr.yourdomain.com/ci-infrastructure/jnkns-img:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Status: Downloaded newer image for dtr.yourdomain.com/ci-infrastructure/jnkns-img:latest
You can view the traffic throughput from the custom image being pulled on the DTR Dashboard.
You can view the traffic throughput from the custom image being pulled on the Docker Trusted Registry Dashboard.
Now that the `jnkns-img` image has been pulled locally from DTR, you can view it
Now that the `jnkns-img` image has been pulled locally from Docker Trusted Registry, you can view it
in the output of the `docker images` command:
$ docker images
@ -268,7 +267,7 @@ in the output of the `docker images` command:
## Launching a custom Jenkins container
Now that youve successfully pulled the customized Jenkins image from DTR, you
Now that youve successfully pulled the customized Jenkins image from Docker Trusted Registry, you
can create a container from it with the
[`docker run` command](https://docs.docker.com/reference/commandline/run):
@ -326,10 +325,10 @@ showing that Jenkins is not available on its default port 8080 over HTTP.
This demonstration shows your Jenkins image has been configured correctly for
HTTPS access, your new plugin was added and is ready for use, and HTTP access
has been disabled. At this point, any member of your team can use `docker pull`
to access the image from your DTR instance, allowing them to access a
to access the image from your Docker Trusted Registry instance, allowing them to access a
configured, secured Jenkins instance that can run on any infrastructure.
## Next Steps
For more information on using DTR, take a look at the
For more information on using Docker Trusted Registry, take a look at the
[User's Guide]({{< relref "userguide.md" >}}).

24
release-notes.md
View File

@ -14,25 +14,25 @@ weight=100
## Prior Versions
These notes refer to the current and immediately prior releases of Docker Trusted Registry (DTR) and the commercially supported Docker Engine. For notes on older versions of these, see the [prior release notes archive]({{< relref "prior-release-notes.md" >}}).
These notes refer to the current and immediately prior releases of Docker Trusted Registry and the commercially supported Docker Engine. For notes on older versions of these, see the [prior release notes archive]({{< relref "prior-release-notes.md" >}}).
## Docker Trusted Registry (DTR)
## Docker Trusted Registry
### DTR 1.3.1
### Docker Trusted Registry 1.3.1
(31 August 2015)
This release corrects the following issues in DTR 1.3.0
This release corrects the following issues in Docker Trusted Registry 1.3.0
* The dashboard page was calculating incorrect stats.
* LDAP group sync failed to handle paginated results for extremely large groups.
* The repo delete endpoint returned incorrect error codes under certain conditions.
### DTR 1.3.0
### Docker Trusted Registry 1.3.0
(26 August 2015)
This release addresses a few bugs and issues in DTR 1.2.0 and introduces some new features and functionality, including:
This release addresses a few bugs and issues in Docker Trusted Registry 1.2.0 and introduces some new features and functionality, including:
* A completely new user-interface for the Admin application brings DTR in line with other Docker products and provides greater ease-of-use.
* A completely new user-interface for the Admin application brings Docker Trusted Registry in line with other Docker products and provides greater ease-of-use.
* A new Accounts & Repos API provides new fine-grained role-based access control down to the per-repo level. See the [API's documentation](/docker-trusted-registry/api/) for more information.
@ -40,12 +40,12 @@ This release addresses a few bugs and issues in DTR 1.2.0 and introduces some ne
* Multiple security improvements and bug fixes.
### DTR 1.2.0
### Docker Trusted Registry 1.2.0
(23 July 2015)
This release adds CentOS support and addresses a few bugs and issues in DTR 1.1.0:
This release adds CentOS support and addresses a few bugs and issues in Docker Trusted Registry 1.1.0:
* Fixes an issue where for certain configurations of DTR, proxy configuration settings and variables were not being passed to all DTR containers and thus were not being respected.
* Fixes an issue where for certain configurations of Docker Trusted Registry, proxy configuration settings and variables were not being passed to all Docker Trusted Registry containers and thus were not being respected.
* Documentation links in the UI now point to correct docs.
* Generated support info bundles have been scrubbed to remove highly sensitive data.
* Certifies support for CentOS 7.1.
@ -144,8 +144,8 @@ This parameter cannot be passed to the `docker build` command.
#### **Upgrade notes**
When upgrading, make sure you stop DTR first, perform the Engine upgrade, and
then restart DTR.
When upgrading, make sure you stop Docker Trusted Registry first, perform the Engine upgrade, and
then restart Docker Trusted Registry.
If you are running with SELinux enabled, previous Docker Engine releases allowed
you to bind-mount additional volumes or files inside the container as follows:

4
support.md
View File

@ -14,8 +14,8 @@ weight=99
## How to get support
Purchasing a DTR License or Commercial Support subscription means your questions
and issues about DTR will receive prioritized support.
Purchasing a Docker Trusted Registry License or Commercial Support subscription means your questions
and issues about Docker Trusted Registry will receive prioritized support.
You can file a ticket through [email](mailto:support@docker.com) from your
company email address, or visit our [support site](https://support.docker.com).
In either case, you'll need to verify your email address, and then you can

36
userguide.md
View File

@ -13,28 +13,28 @@ weight=2
# Docker Trusted Registry User's Guide
This guide covers tasks and functions a user of Docker Trusted Registry (DTR) will
need to know about, such as pushing or pulling images, etc. For tasks DTR
administrators need to accomplish, such as configuring or monitoring DTR, please
This guide covers tasks and functions a user of Docker Trusted Registry will
need to know about, such as pushing or pulling images, etc. For tasks Docker Trusted Registry
administrators need to accomplish, such as configuring or monitoring Docker Trusted Registry, please
visit the [Administrator's Guide]({{< relref "adminguide.md" >}}).
## Overview
The primary use case for DTR users is to push and pull images to and from the
DTR image storage service. For example, you might pull an Official Image for
The primary use case for Docker Trusted Registry users is to push and pull images to and from the
Docker Trusted Registry image storage service. For example, you might pull an Official Image for
Ubuntu from the Docker Hub, customize it with configuration settings for your
infrastructure and then push it to your DTR image storage for other developers
infrastructure and then push it to your Docker Trusted Registry image storage for other developers
to pull and use for their development environments.
Pushing and pulling images with DTR works very much like any other Docker
Pushing and pulling images with Docker Trusted Registry works very much like any other Docker
registry: you use the `docker pull` command to retrieve images and the `docker
push` command to add an image to a DTR repository. To learn more about Docker
push` command to add an image to a Docker Trusted Registry repository. To learn more about Docker
images, see
[User Guide: Working with Docker Images](https://docs.docker.com/userguide/dockerimages/). For a step-by-step
example of the entire process, see the
[Quick Start: Basic Workflow Guide]({{< relref "quick-start.md" >}}).
> **Note**: If your DTR instance has authentication enabled, you will need to
> **Note**: If your Docker Trusted Registry instance has authentication enabled, you will need to
>use your command line to `docker login <dtr-hostname>` (e.g., `docker login
> dtr.yourdomain.com`).
>
@ -56,23 +56,23 @@ example of the entire process, see the
## Pushing Images
You push an image up to a DTR repository by using the
You push an image up to a Docker Trusted Registry repository by using the
[`docker push` command](https://docs.docker.com/reference/commandline/push).
You can add a `tag` to your image so that you can more easily identify it
amongst other variants and so that it refers to your DTR server.
amongst other variants and so that it refers to your Docker Trusted Registry server.
$ docker tag hello-world:latest dtr.yourdomain.com/yourusername/hello-mine:latest
The command labels a `hello-world:latest` image using a new tag in the
`[REGISTRYHOST/][USERNAME/]NAME[:TAG]` format. The `REGISTRYHOST` in this
case is your DTR server, `dtr.yourdomain.com`, and the `USERNAME` is
case is your Docker Trusted Registry server, `dtr.yourdomain.com`, and the `USERNAME` is
`yourusername`. Lastly, the image tag is set to `hello-mine:latest`.
Once an image is tagged, you can push it to DTR with:
Once an image is tagged, you can push it to Docker Trusted Registry with:
$ docker push dtr.yourdomain.com/yourusername/hello-mine:latest
> **Note**: If the Docker daemon on which you are running `docker push` doesn't
> have the right certificates set up, you will get an error similar to:
>
@ -93,7 +93,7 @@ You can retrieve an image with the
or you can retrieve an image and run Docker to build the container with the
[`docker run`command](https://docs.docker.com/reference/commandline/run).
To retrieve an image from DTR and then run Docker to build the container, add
To retrieve an image from Docker Trusted Registry and then run Docker to build the container, add
the needed info to `docker run`:
$ docker run dtr.yourdomain.com/yourusername/hello-mine
@ -114,14 +114,14 @@ If you run `docker images` after this you'll see a `hello-mine` image.
dtr.yourdomain.com/yourusername/hello-mine latest e45a5af57b00 3 months ago 910 B
To pull an image without building the container, use `docker pull` and specify
your DTR registry by adding it to the command:
your Docker Trusted Registry by adding it to the command:
$ docker pull dtr.yourdomain.com/yourusername/hello-mine
## Next Steps
For information on administering DTR, take a look at the
For information on administering Docker Trusted Registry, take a look at the
[Administrator's Guide]({{< relref "adminguide.md" >}}).
@ -131,4 +131,4 @@ For information on administering DTR, take a look at the
* but that multiple tags in one repo are pushed if you don't specify the `:tag` (ie, `imagename` does not always mean `imagename:latest`)
* show what happens for non-latest, and when there are more than one tag in a repo
* explain the fully-qualified repo/image name
* explain how to remove an image from DTR -->
* explain how to remove an image from Docker Trusted Registry -->