Re: Running Docker private images on CF


Eric Malm <emalm@...>
 

Hi, Dharmi,

In order to run private docker images (that is, ones that require
user/password/email authentication with the registry), you'll have to stage
them into the optional diego-docker-cache deployed alongside Diego. The
BOSH release is located at
https://github.com/cloudfoundry-incubator/diego-docker-cache-release. If
you've already deployed Diego using the spiff-based manifest-generation
templates in diego-release, the deployment for this release should be
similar. If you deploy the caching registry release without TLS enabled or
enabled but with a self-signed certificate, Diego should then be configured
with the URL "docker-registry.service.cf.internal:8080" supplied in the
diego.garden-linux.insecure_docker_registry_list property, and
diego.stager.insecure_docker_registry set to 'true', as you can see in
https://github.com/cloudfoundry-incubator/diego-docker-cache-release/blob/develop/stubs-for-diego-release/bosh-lite-property-overrides.yml
.

Once that release is deployed, you can follow the instructions at
https://github.com/cloudfoundry-incubator/diego-docker-cache-release#caching-docker-image-with-diego
to stage your image into the cache, which should be as simple as setting
the DIEGO_DOCKER_CACHE env var to 'true' on your app before staging it.
When you start the app, Diego will then instruct Garden to pull the image
from the internal caching registry rather than from the remote registry you
staged it from. This has the added benefit of ensuring that you're always
running exactly the Docker image you staged, rather than something that may
have changed in the remote registry.

Thanks,
Eric, CF Runtime Diego PM
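
An added example, not part of Eric's message and not code from diego-release or diego-docker-cache-release: a Ruby check that reports where a deployment manifest relaxes registry TLS verification through the two properties named above, and flags any insecure registry other than the internal cache. The manifest layout (a global `properties` block plus per-job `properties`), the host `registry.example.test:5000`, and the helper names `lookup` and `insecure_registry_findings` are assumptions made for illustration.

```ruby
require "yaml"

# Property paths named in the reply above.
REGISTRY_LIST = %w[diego garden-linux insecure_docker_registry_list].freeze
STAGER_FLAG   = %w[diego stager insecure_docker_registry].freeze

# Constructed sample manifest; the layout (global and per-job `properties`) is an assumption.
SAMPLE_MANIFEST = <<~MANIFEST
  name: cf-diego-sample
  properties:
    diego:
      garden-linux:
        insecure_docker_registry_list:
          - docker-registry.service.cf.internal:8080
      stager:
        insecure_docker_registry: true
  jobs:
    - name: cell_z1
      properties:
        diego:
          garden-linux:
            insecure_docker_registry_list:
              - docker-registry.service.cf.internal:8080
              - registry.example.test:5000
MANIFEST

# Walk a nested hash along `path`, returning nil if any level is missing or not a hash.
def lookup(props, path)
  path.reduce(props) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Return one finding per scope and issue where registry TLS verification is relaxed.
def insecure_registry_findings(yaml_text, expected: ["docker-registry.service.cf.internal:8080"])
  manifest = YAML.safe_load(yaml_text) || {}
  scopes = { "global" => manifest["properties"] }
  Array(manifest["jobs"]).each { |job| scopes["job/#{job['name']}"] = job["properties"] }
  scopes.select { |_, props| props.is_a?(Hash) }.flat_map do |scope, props|
    list = Array(lookup(props, REGISTRY_LIST))
    extra = list - expected
    findings = []
    findings << { scope: scope, issue: :insecure_registries, registries: list } unless list.empty?
    findings << { scope: scope, issue: :unexpected_registry, registries: extra } unless extra.empty?
    findings << { scope: scope, issue: :stager_skips_tls } if lookup(props, STAGER_FLAG).to_s == "true"
    findings
  end
end

insecure_registry_findings(SAMPLE_MANIFEST).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```
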

On Tue, Aug 11, 2015 at 9:32 AM, dharmi <dharmi(a)gmail.com> wrote:

We have CF v214 with Diego deployed on AWS.

I am able to successfully create apps from Docker public repo, as per the
apidocs <http://apidocs.cloudfoundry.org/214/apps/creating_an_app.html>,
but, while creating apps from the Docker private repos, I see the below
error from 'cf logs' when starting the app.

[API/0] OUT Updated app with guid bcb8f363-xyz ({"route"=>"5af6948b-xyz"})
[API/0] OUT Updated app with guid bcb8f363-xyz ({"state"=>"STARTED"})
[STG/0] OUT Creating container
[STG/0] OUT Successfully created container
[STG/0] OUT Staging...
[STG/0] OUT Staging process started ...
[STG/0] ERR Staging process failed: Exit trace for group:
[STG/0] ERR builder exited with error: failed to fetch metadata from [:dockerid/go-app] with tag [latest] and insecure registries [] due to HTTP code: 404
[STG/0] OUT Exit status 2
[STG/0] ERR Staging Failed: Exited with status 2
[API/0] ERR Failed to stage application: staging failed


cf curl command for reference.

cf curl /v2/apps -X POST -H "Content-Type: application/json" \
  -H "Authorization: bearer *accessToken*" -d '
{"name": "myapp",
"space_guid": "71b22eba-xyz",
"docker_image": ":dockerid/go-app",
"diego": true,
"docker_credentials_json":
{"docker_login_server": "https://index.docker.io/v1/",
"docker_user": ":dockerid",
"docker_password": ":dockerpwd",
"docker_email": ":email"
}
}'

Looking at the apidocs, the 'Example value' for 'docker_credentials_json'
indicates a Hash value
(#<RspecApiDocumentation::Views::HtmlExample:0x0000000bb883e0>), but looking
inside the code, we found the below JSON format.

let(:docker_credentials) do
  {
    docker_login_server: login_server,
    docker_user: user,
    docker_password: password,
    docker_email: email
  }
end

Please correct me if I am missing something.

Thanks,
Dharmi


