01Mar
Deploying Containers Private OCI Registry Adrian Png Insum
By: Adrian Png On: March 1, 2019 In: Cloud Comments: 0

Docker is a popular software delivery platform that packages and runs applications in “containers”. These containers have the necessary software dependencies pre-installed, run within an isolated operating system environment, and can be deployed on any host system where the Docker Engine can run.

Typically, developers “pull” images from a Docker registry. This installs a local copy that is then used to create containers from. Everyone has access to Docker Hub, a public registry. Some organizations run their own private registries, mostly for the purpose of managing intellectual property. Oracle for example, runs a private registry at https://container-registry.oracle.com. With an Oracle Account, users are able to accept software agreements and pull images with Oracle software (e.g. Oracle Database Server Enterprise Edition) installed. The registry software itself is also available freely as a Docker image.

As an Oracle Cloud Infrastructure (OCI) customer, you have access to the Container Registry service for use internally. The Oracle Cloud Infrastructure Registry (OCIR) is Docker Registry v2 compliant and subscribers only pay for network and storage used for transferring and storing images. There are no additional overheads like spinning up a new Compute instance with Docker engine installed, just to set one up. One less resource that OCI Administrators have to micromanage.

Internally, we are exploring the use of the registry, to provide all our Oracle Application Express (APEX) developers, easy access to various combinations of Oracle REST Data Services (ORDS) and APEX for development and testing purposes.

Developers are encourage to work with Docker images and build their own APEX stacks, but as administrators, we want to minimise the amount of time developers spend on non-development work. One suggestion was to provide pre-build images that have the APEX stack all set up and ready-to-use (RTU). It should be as easy as running a single command:

$ docker run -d --name mypersonal-oxar -p 8080:8080 -p 1521:1521 \
> iad.ocir.io/ourtenant/oxar-rtu:0.0.1

Console Access to Registry

The Registry can be accessed via the OCI console by navigating the menus, found under “Developer Services” > “Registry (OCIR)”.

In here, administrators can create, view and delete existing repositories. Repositories can be either private or public. For private repositories, users, groups and policies will be required to manage access. Users will also be required to create an Auth Token.

Users, Groups, and Policies

Create Groups

Group Name Description
CONREG_DEV Group of users who create images for the organization.
CONREG_USER Group of users who consume these images.

Create Users

Username Group Description
dockerdev CONREG_DEV A Docker developer
dockeruser CONREG_USER A developer wanting to use images from the Container Registry

Create Policy

Policy Name Statement Description
ContainerRegistryAccess Allow group CONREG_DEV to use repos in tenancy Users in group CONREG_DEV have permission to pull and push images.
Allow group CONREG_DEV to manage repos in tenancy where ANY {request.permission = ‘REPOSITORY_CREATE’, request.permission = ‘REPOSITORY_UPDATE’} Users in group CONREG_DEV can create a repository if it doesn’t already exist.
Allow group CONREG_USER to read repos in tenancy Users in group CONREG_USER can only pull images from the registry.

 

The OCI documentation explains and list other common policies that can be used.

Using Docker with OCIR

After the users are created and assigned to the appropriate Groups, they must login to the OCI console and generate an Auth Token, before they can access the registry using the Docker CLI. Using the Auth Token, users login with the command:

$ docker login iad.ocir.io
Username: ourtenant/dockerdev
Password:Login Succeeded

Repositories are created and available in specific regions. The server address is based on the region that the repository was created in. Use this table to determine what the “Region Code” should be for your repository. For this example, the repository is located in the Ashburn Data Centre.

Credentials are stored as a hash on the local workstation either in $HOME/.docker/config.json or through a credential store helper.

$ cat ~/.docker/config.json
{
        "auths": {
                "iad.ocir.io": {
                        "auth": "**********"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.03.1-ol (linux)"
        }
}

To log out, simply run the command:

docker logout iad.ocir.io

Pushing Images to the Registry

Login as the user with rights to push images to the Registry. In this example, the username is dockerdev, assigned to group CONREG_DEV.

Assume that we have the following images on the local workstation.

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
oxar                latest              4f2981a7af0a        5 days ago          9.67GB
oracledb            latest              5170b9d54001        6 days ago          9.68GB
oraclelinux         7-slim              c3d869388183        5 weeks ago         117MB

Prepare/tag the image to be pushed to the registry.

$ docker tag oxar iad.ocir.io/ourtenant/oxar:0.0.1

Once the image has been tagged, we can push it to the registry. This might take a while depending on the image size and network speeds.

$ docker push iad.ocir.io/ourtenant/oxar:0.0.1

Go back into the OCI Console and check the Registry. Make sure also that you have selected the correct region. The new image should be listed on the Registry page.

From Container to Registry

Suppose we had a container that we wish to preserve and reuse as an image.

$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                    PORTS                                                                    NAMES
a386ad30dff1        oxar                "/bin/sh -c 'exec $O…"   6 days ago          Up 11 minutes (healthy)   0.0.0.0:1521->1521/tcp, 0.0.0.0:5500->5500/tcp, 0.0.0.0:8080->8080/tcp   oxar

Commit the target container oxar using the remote tag.

$ docker commit oxar iad.ocir.io/ourtenant/oxar-rtu:0.0.1

Then push the image to the registry.

$ docker push iad.ocir.io/ourtenant/oxar-rtu:0.0.1

Using Images

With the RTU image iad.ocir.io/ourtenant/oxar-rtu:0.0.1, login as a user with pull-rights and execute the Docker command:

$ docker run -d --name mypersonal-oxar -p 8080:8080 -p 1521:1521 \
> iad.ocir.io/ourtenant/oxar-rtu:0.0.1

This should pull (if not already available on the local workstation) from the repository, create and then run a container using that image.

Leave reply:

Your email address will not be published. Required fields are marked *