Docker Trusted Registry (DTR) deep dive

This post is a continuous post of Docker Enterprise edition on CentOS7 usage.
Let's understand the usage of the DTR. How we can integrate it with Docker UCP? How the DTR help us to maintain the docker repository easy way. What benefits we can get with DTR?

As we had already installed docker-ee and UCP deployed on it with swarm cluster on a CentOS7.

What is new in Docker Trusted Registry?

Here I've collected some of the DTR Primary Usage Scenarios

CI/CD with Docker

• Image repository - Centrally located base images
• Simple upgrades - Store individual build images
• Scan and Pull tested images to production

Containers as a Service (CaaS)

• Deploy Jenkins executors or nodes
• Instant-on developer environment
• Selected curated apps from a catalog
• Dynamic composition of micro-services (“PAAS”)

General Features

• Organizations, Teams & Repositories permissions UI
• Search index, API & UI
• Interactive API documentation
• Image deletion from index
• Image garbage collection Experimental
• Docker Content Trust: View Docker Notary signatures in DTR
• Admin & Health UI
• Registry Storage Status
• LDAP/AD Integration
• RBAC API (Admin, R/W, R/O)
• User actions/API audit logs
• Registry v2 API & v2 Image Support
• One-click install/upgrade

Cloud Platform Features 

• Docker Storage drivers for the filesystem, AWS s3, and Microsoft azure 

• Support Tooling 

• Support for Ubuntu, RHEL, CentOS and Windows 10

Docker Trusted Registry DTR Flow

System Requirement for DTR

The RAM requirement is high which is 16 GB size to run the DTR in the production system.
DTR cannot be installed where UCP installed that is not on the Swarm master node. Because the UCP uses default ports 80 and 443 in the master node, where DTR also needs the same ports to run so other nodes are preferable. Hence I'm using node1 to have DTR.

• DTR requires Docker Universal Control Plane UCP to run you need to install UCP on all swarm nodes where you plan to install DTR.

Install Docker Trusted Registry DTR

This is a simple docker container running the command with the latest DTR version to deploy on the docker enterprise engine.

 
#Installing Docker Trusted Registry (DTR)
docker run -it \
 --rm docker/dtr:2.4.12 install \
 --ucp-insecure-tls 

The installation will links to the UCP that we had installed already.
Get the DTR Connected from the UCP console. Go to the 'Admin Settings'

Admin Settings on UCP Console to view Docker Trusted Registry installed

Access the DTR console

Let's login to the DTR console, From the UCP Console, we got that where the DTR installed successfully that URL. Because we have not used trusted certs it will proceed only after accepting the Security Exception in the browser.

docker trusted registry (DTR) login 

Here the user credentials are the same as given for UCP.

DTR Console looks almost similar to UCP console, You can proceed to create the new repository, where the pointer showing!

Extra bite

Where this DTR container is running let's see what all those containers created

docker trusted registry containers list

DTR Backup Notes

When you do backup DTR following will be taken care:

• Configurations are backed up
• Certificate and keys are backed up
• Repository metadata are backed up

User, Orgs, and teams are not backed up with DTR backup.

References

Official Document on DTR
Slide on DTR Features
DTR Back up

User Management on Universal Control Plane (UCP)

This is a quick tutorial on Docker UCP usage for User Management. Docker UCP provides us multiuser management and Role-based user control. which allows us to create and manage users and teams in an organization. Let's take a look over this user management in detail in this post.

First, we create Organization then we associate a couple of teams then after that add users to those teams.

Login to your UCP management console.

Create an Organization on UCP

Click on the 'user management' in the left side pane.

User Management on UCP

Now in the right pane work area, you can click on the 'Create Organization' top right button.

Enter your organization name a single word without any spaces. even though you enter the name in Capitals it will convert into lower case and store it.

Create Organization on UCP

To complete it click on the 'Create' button.
Once Organization is created it will be listed in the work area. Click on the newly created organization it will give us the option to create the teams.

Create a Team on UCP

Let's prepare the list of commonly required teams for any organization. Then, create them so the list as  following teams:

• dev - Development team
• QA - Quality Assurance team
• prod - Production team

Create Team on UCP

Create User

There will be 'admin' User already created by UCP. we can create new users with 'admin' roles or without it. We would like to create a user with 'admin' access and another without 'admin' access role.

Let's explore this user creation process now.

Create User on docker UCP

The same way we can create another user that having the 'Docker EE Admin' role.
After creating users the summary looks as:

Users created on UCP summary

Add Users to Team

Go to the organization that you have already created. select it. Choose the team to which you will add the user. Here I am adding user to 'qa' team.

Add user to organization/team in UCP

I hope you enjoyed this post about user management on UCP for Docker EE


Next, let us explore the Docker Trusted Registry (DTR).

Docker Enterprise Edition installation on CentOS 7 plus UCP Installation

Hello, dear DevOps Enquist, in this post I would like to discuss with you how to install Docker Enterprise Edition on CentOS 7 and plus Universal Control Plane (UCP) running to control the master and workers on three nodes(Virtualboxes). Amazed with the great features that incorporated into the UCP. You could do lot of things from your browser itself. In the last post I've explored about the swarm cluster that time I'd executed everything on CLI, but this time UCP Web UI.

Why we need a Docker Universal Control Plane(UCP)?

To make more production-ready setup we would do this experiment with three CentOS7 nodes. The following picture tells us how powerful UCP in Docker Enterprise Edition is. You can manage services, multiple deployments using stacks, summary and manage docker containers and their images. you can also add/remove nodes and get their status, category. Docker network full control on it. Storage volumes also you can manage from the UCP admin console.

• Ease of use with GUI based management
• High Availability(HA) made simple
• Access Control - organization, team, users manageable
• Monitoring - Overall system can be viewed in a single page
• docker native integration - network capabilities are handled
• Swarm Managed - Swarm master, worker nodes configured
• 3rd party plugins - DTR connects as plugin

Universal Control Plane running on Docker-ee with Swarm cluster

Prerequisites for Docker EE installation

Infrastructure designing will be a crucial part of any environment that you build on the Cloud or on-premises Docker ecosystem. First, let's consider what all goes into the master node.

• Docker-EE installation (docker-ee) requires hub.docker.com signup and download the license 
• Ports 80 and 443 are required to expose for UCP Containers to run.
• Docker Trusted Registry (DTR) only can run other than UCP running node because it also requires same reserved ports 80 and 443
• Download Vagrant as per your system
• Download VirtualBox

Here most importantly think about - what you run on a machine defines how much resources required.

How to install Docker-EE on CentOS 7?

It is a very interesting story, Docker EE installation on CentOS 7 Vagrant boxes
1. Create three centos7 machines master - mstr, node1, node
2 for slaves. 2. Go to the hub.docker.com login with your credentials
The Vagrantfile content is as follows

 
Vagrant.configure(2) do |config|
  config.vm.box = "centos/7"
  config.vm.boot_timeout=600
  config.landrush.enabled = true

  config.vm.define "mstr" do |mstr|
    mstr.vm.host_name = "mstr.devopshunter.com"
    mstr.vm.network "private_network", ip: "192.168.33.100"
    mstr.vm.provider "virtualbox" do |vb|
      vb.cpus = "2"
      vb.memory = "3070"
    end
  end

  config.vm.define "node1" do |node1|
    node1.vm.network "private_network", ip: "192.168.33.110"
    node1.vm.hostname = "node1.devopshunter.com"
    node1.vm.provider "virtualbox" do |vb|
      vb.cpus = "2"
      vb.memory = "1500"
    end
  end
 
  config.vm.define "node2" do |node2|
    node2.vm.network "private_network", ip: "192.168.33.120"
    node2.vm.hostname = "node2.devopshunter.com"
    node2.vm.provider "virtualbox" do |vb|
      vb.cpus = "2"
      vb.memory = "1500"
    end
  end  
end

 
vagrant up
vagrant status

vagrant status for docker-ee installation on CentOS7

 
vagrant ssh-config

Use the PuTTYgen tool to convert the private_key to corresponding .ppk files. In my experiment, mstr.ppk, node1.ppk, node2.ppk files are generated in respective folders where private_key exists.

Now all set to go for connecting the each VM with corresponding IPs that assigned.
In each node you need to run the following commands:

1. Setup the repo for docker-ee

 
export DOCKERURL="https://storebits.docker.com/ee/centos/sub-eb111810-d6d8-4168-ac96-6e553a77381f"
sudo -E sh -c 'echo "$DOCKERURL/centos" > /etc/yum/vars/dockerurl'
cat /etc/yum/vars/dockerurl

2. Install docker dependdencies storage drivers sudo yum install -y yum-utils device-mapper-persistent-data lvm2 3. Add the repo and tell that available at where (i.e., Path)

 
sudo -E yum-config-manager \
    --add-repo \
    "$DOCKERURL/centos/docker-ee.repo"

yum repo update for docker-ee

4. Now all set to install the Docker enterprise edition

 
sudo yum -y install docker-ee
sudo systemctl start docker

docker-ee installation on CentOS7 completed!

Now lets confirming by running hello-world container.

 
docker -v

sudo docker run hello-world

docker-ee installation confirmation with hello-world

If we check the docker info on any node it looks like this.

docker info for the docker-ee

Universal Control Plane (UCP) installation

 
docker container run --rm -it --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  docker/ucp:2.2.5 install \
  --host-address 192.168.33.100 \
  --interactive

Enter username and password when it prompts.
admin
# welcome1
We detected the following hostnames/IP addresses for this system [mstr.devopshunter.com 127.0.0.1 172.17.0.1 192.168.33.100]

You may enter additional aliases (SANs) now or press enter to proceed with the above list.
Additional aliases:
INFO[0000] Initializing a new swarm at 192.168.33.100
INFO[0004] Establishing mutual Cluster Root CA with Swarm

This will automatically activate the swarm cluster master.

Login to UCP at https://192.168.33.100:443
UCP Login page

Universal Control Plane login page

After clicking on Signin we will be prompted to use the 'upload license'. It will be available on your docker hub page from where you have got the docker-ee installation url. You can request for new trail license or else you can also go for skip for now option.

Here, I am loading that docker_subscription.lic file, which was already downloaded.

UCP Manager console

Create a Swarm Node and join

Click on the Nodes, which will shows the a manager node already existing. Click on the 'Add Node' button.

UCP Configuring Nodes joining Swarm cluster

The add node wizard page gives us choice to select node type 'Windows/Linux' and Node role as 'Manager' or 'Worker'. here we go with Linux node type and role as 'worker'

The highlighted bottom given docker swarm join command snippet copy the line, paster and run in the node1 and node2. This will take some time to join the swarm cluster. wait for a while and check the Cluster by refreshing.

Added nodes to Swarm cluster

Initially when the nodes joined they have the status as 'Pending' and 'Awaiting', After join completed it looks 'Healthy UCP worker' status in the Details column.

Healthy UCP nodes

I hope you enjoyed this post keep writing your valuable comments. Keep sharing with your techie friends who can appreciate you!