Docker registry on Centos 7

1. Create logical volumes for direct-lvm production mode

Assume that we have a 40 GB block device named /dev/sdb with one full-size Linux partition on it.

The official Device Mapper storage driver guide now recommends thin pools. Use these commands to create thin-provisioned logical volumes:

pvcreate /dev/sdb1                 # Create physical volume
vgcreate docker /dev/sdb1          # Create volume group and add this physical volume to it
# Create logical volumes
lvcreate --wipesignatures y -n data docker -l 40%VG
lvcreate --wipesignatures y -n registry docker -l 40%VG
lvcreate --wipesignatures y -n metadata docker -l 2%VG
# Convert data volume to thin pool's data volume
lvconvert -y --zero n -c 512K --thinpool docker/data --poolmetadata docker/metadata
# Set thin pool autoextend features
cat > /etc/lvm/profile/docker-data.profile <<'EOF'
activation {
        thin_pool_autoextend_threshold = 80
        thin_pool_autoextend_percent = 20
}
EOF
lvchange --metadataprofile docker-data docker/data
# Check the thin pool volume (it must show as monitored, otherwise autoextend never fires)
lvs -o+seg_monitor
  LV       VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert Monitor
  root     centos -wi-ao---- 117,19g
  swap     centos -wi-ao----   1,95g
  data     docker twi-a-t---  16,00g             0,00   0,01                             monitored
  registry docker -wi-a-----  16,00g
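As an added example (not part of the original post), the following script audits the `lvs -o+seg_monitor` output for the two conditions the step above cares about: every thin pool must be monitored, and its data usage must stay below the autoextend threshold. The sample listings are constructed from the output shown above; the column positions assume the default lvs column set, and the 85% sample is invented to show a failing case.

```shell
#!/bin/sh
# Added example, not part of the original post: audit `lvs -o+seg_monitor`
# output and flag thin pools that are not monitored (autoextend needs the
# monitor) or whose data usage has reached a threshold. Column positions
# assume the default lvs column set shown in the post.

# Constructed sample output (comma decimals, as in a non-English locale).
SAMPLE_LVS='  LV       VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert Monitor
  root     centos -wi-ao---- 117,19g
  swap     centos -wi-ao----   1,95g
  data     docker twi-a-t---  16,00g             0,00   0,01                             monitored
  registry docker -wi-a-----  16,00g'

# Constructed sample of the same pool when lvchange --metadataprofile was
# forgotten (empty Monitor column) and the pool is 85% full.
SAMPLE_LVS_BAD='  LV       VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert Monitor
  data     docker twi-a-t---  16,00g             85,00  0,40'

# check_thin_pools THRESHOLD < lvs-output
# Prints "VG/LV ok|unmonitored|usage data=N%" for every thin pool (Attr begins
# with "t") and returns 0 only when all pools are monitored and below THRESHOLD.
check_thin_pools() {
    awk -v th="${1:-80}" '
        NR == 1 { next }                    # header line
        substr($3, 1, 1) != "t" { next }    # not a thin pool
        {
            name = $2 "/" $1
            data = $5; gsub(",", ".", data) # Data% column; comma decimal -> dot
            issues = ""
            if ($NF != "monitored") issues = issues " unmonitored"
            if (data + 0 >= th) issues = issues " usage"
            if (issues == "") issues = " ok"; else bad++
            printf "%s%s data=%s%%\n", name, issues, data
        }
        END { exit (bad > 0) }'
}

# Demo on the constructed samples; on a live host use:
#   lvs -o+seg_monitor | check_thin_pools 80
printf '%s\n' "$SAMPLE_LVS" | check_thin_pools 80
printf '%s\n' "$SAMPLE_LVS_BAD" | check_thin_pools 80
```

The threshold argument is the same number as thin_pool_autoextend_threshold in the profile, so a pool reported as "usage" is one where autoextend should already have run; if it also reports "unmonitored", the profile was never applied to that pool.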

Or, if you do not trust thin pools, use the more traditional way (deprecated in Docker):

pvcreate /dev/sdb1                 # Create physical volume
vgcreate docker /dev/sdb1          # Create volume group and add this physical volume to it
lvcreate -L 2G -n metadata docker  # Create logical volume for Docker metadata
lvcreate -L 15G -n data docker     # Create logical volume for Docker data (layers, containers etc)
lvcreate -L 15G -n registry docker # Create logical volume for Docker Registry data

Mount the volume for the Docker registry:

mkfs.xfs /dev/docker/registry
mkdir -p /var/lib/docker-registry
echo "/dev/docker/registry /var/lib/docker-registry    xfs     defaults        1 3" >> /etc/fstab
mount -a

Check:

lsblk
NAME                             MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda                                8:0    0   120G  0 disk
├─sda1                             8:1    0   876M  0 part /boot
└─sda2                             8:2    0 119,1G  0 part
  ├─centos-swap                  253:0    0     2G  0 lvm  [SWAP]
  └─centos-root                  253:1    0 117,2G  0 lvm  /
sdb                                8:16   0    40G  0 disk
└─sdb1                             8:17   0    40G  0 part
  ├─docker-metadata              253:2    0     2G  0 lvm
  │ └─docker-253:1-23762136-pool 253:5    0    15G  0 dm
  ├─docker-data                  253:3    0    15G  0 lvm
  │ └─docker-253:1-23762136-pool 253:5    0    15G  0 dm
  └─docker-registry              253:4    0    15G  0 lvm  /var/lib/docker-registry

2. Configure Docker daemon

Create a systemd drop-in file:

mkdir -p /etc/systemd/system/docker.service.d
cat > /etc/systemd/system/docker.service.d/env.conf <<'EOF'
[Service]
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=
ExecStart=/usr/bin/dockerd $OPTIONS $DOCKER_NETWORK_OPTIONS $DOCKER_STORAGE_OPTIONS
EOF

Specify the Docker configuration:

cat > /etc/sysconfig/docker <<'EOF'
OPTIONS='--iptables=false'
DOCKER_NETWORK_OPTIONS=''
DOCKER_STORAGE_OPTIONS='--storage-driver=devicemapper --storage-opt dm.datadev=/dev/docker/data --storage-opt dm.metadatadev=/dev/docker/metadata'
EOF

Check:

systemctl daemon-reload
systemctl show docker | grep EnvironmentFile
EnvironmentFile=/etc/sysconfig/docker (ignore_errors=yes)

And run:

systemctl enable docker
systemctl restart docker

Check again:

docker info | grep data
 Data file: /dev/docker/data
 Metadata file: /dev/docker/metadata
 Metadata Space Used: 639 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB

3. Obtain SSL certificate from Let’s Encrypt

This can be done in different ways; see Let’s Encrypt with lego and Nginx for one of them.

Assume that the certificate and key have been obtained and stored in the /etc/pki/tls/lego/certificates directory.

4. Run Docker registry container as systemd unit

Create the systemd unit:

cat > /etc/systemd/system/docker-registry.service <<'EOF'
[Unit]
Description=Docker registry container
Requires=docker.service
After=docker.service

[Service]
Restart=always
ExecStartPre=/usr/bin/docker create -p 5000:5000 -v /var/lib/docker-registry:/var/lib/registry -v /etc/pki/tls/lego/certificates:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/example.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/example.org.key --name registry registry:2
ExecStart=/usr/bin/docker start -a registry
ExecStop=/usr/bin/docker stop -t 5 registry
ExecStopPost=/usr/bin/docker rm registry

[Install]
WantedBy=multi-user.target
EOF

Then reload systemd, enable the unit and start it:

systemctl daemon-reload
systemctl enable docker-registry
systemctl start docker-registry

5. Permit access to Docker registry only from trusted networks

firewall-cmd --zone=trusted --add-port=5000/tcp --permanent
firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent
firewall-cmd --reload

Since the Docker daemon was launched with --iptables=false, Docker does not insert its own iptables rules for the published port, so the registry port is reachable only from the trusted networks listed above.
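The restriction relies on two settings working together: dockerd must leave iptables alone (step 2) and firewalld must open 5000/tcp only in a zone bound to a source network (step 5). The script below, an added example that is not part of the original post, audits both. The sysconfig sample copies step 2; the zone listing is constructed in the shape of `firewall-cmd --list-all-zones` output, which is an assumption about firewalld's format, not something taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that dockerd does not
# manage iptables and that the registry port is opened only in source-bound
# firewalld zones. Samples are constructed; the zone listing layout is an
# assumption about `firewall-cmd --list-all-zones` output.

REGISTRY_PORT=5000/tcp

# Constructed /etc/sysconfig/docker, as written in step 2.
SAMPLE_SYSCONFIG="OPTIONS='--iptables=false'
DOCKER_NETWORK_OPTIONS=''
DOCKER_STORAGE_OPTIONS='--storage-driver=devicemapper'"

# Constructed zone listing: the port is open only in "trusted", which is
# bound to 192.168.1.0/24 and not to any interface.
SAMPLE_ZONES_OK='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:

trusted (active)
  target: ACCEPT
  interfaces:
  sources: 192.168.1.0/24
  services:
  ports: 5000/tcp'

# Constructed drift case: the port was also opened in the interface-bound
# "public" zone, so every host reaching eth0 can talk to the registry.
SAMPLE_ZONES_BAD='public (active)
  interfaces: eth0
  sources:
  ports: 5000/tcp

trusted (active)
  interfaces:
  sources: 192.168.1.0/24
  ports: 5000/tcp'

# docker_iptables_disabled < sysconfig
# Returns 0 when the OPTIONS line passes --iptables=false to dockerd.
docker_iptables_disabled() {
    grep -Eq '^OPTIONS=.*--iptables=false'
}

# registry_port_exposure PORT < zone-listing
# Prints one line per zone that opens PORT and returns 1 if any such zone has
# an empty "sources:" entry, i.e. the port is open to whatever traffic reaches
# that zone's interfaces (or to everything, for the default zone).
registry_port_exposure() {
    awk -v port="$1" '
        function flush() {
            if (zone == "" || !open) return
            if (srcs == "") { printf "%s EXPOSED\n", zone; bad++ }
            else printf "%s source-bound (%s)\n", zone, srcs
        }
        /^[^ ]/ { flush(); zone = $1; srcs = ""; open = 0 }   # zone header line
        /^  sources:/ { for (i = 2; i <= NF; i++) srcs = srcs (srcs == "" ? "" : " ") $i }
        /^  ports:/ { for (i = 2; i <= NF; i++) if ($i == port) open = 1 }
        END { flush(); exit (bad > 0) }'
}

# Demo on the constructed samples; on a live host use:
#   docker_iptables_disabled < /etc/sysconfig/docker
#   firewall-cmd --list-all-zones | registry_port_exposure 5000/tcp
printf '%s\n' "$SAMPLE_SYSCONFIG" | docker_iptables_disabled && echo "dockerd leaves iptables to firewalld"
printf '%s\n' "$SAMPLE_ZONES_OK"  | registry_port_exposure "$REGISTRY_PORT"
printf '%s\n' "$SAMPLE_ZONES_BAD" | registry_port_exposure "$REGISTRY_PORT"
```

If the first check fails, dockerd's own DOCKER chain would accept traffic to the published port before firewalld's zone rules are consulted, and the trusted-zone restriction would be meaningless no matter what the second check reports.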
