Docker private repository journey

Docker Journey
Baby steps to greatness…

1. Install private Docker repository (Nexus 3)
2. Create self signed certificate because our signatures rock
3. Configure nexus for https connections (required by Docker)
4. Export self signed certificate
5. Import and Install certificate on Docker client
6. Setup nexus repository
7. Push images to nexus :)



…Call JMP if you get stuck :)


 Nexus Repository Manager


Download the Nexus Repository Manager for your preferred OS. For this killer tutorial I’ll be deploying to Ubuntu, but deploying to Windows should be similar.

·         Ubuntu download: nexus-3.0.0-03-unix.tar.gz
·         Windows download: nexus-3.0.0-03-win64.zip


Extract the tar file to the desired location (in my case ~/alchemy/nexus/) using the command:
    tar -xvzf nexus-3.0.0-03-unix.tar.gz

Setup the service:
Create a symbolic link to the nexus script in the init.d folder:
    sudo ln -s $NEXUS_HOME/bin/nexus /etc/init.d/nexus
    cd /etc/init.d
    sudo update-rc.d nexus defaults
    sudo service nexus start
(before running start we need to configure some https stuffs)

 Create a self signed certificate (because our signatures rock)

We’re going to use the keytool application to generate some dodgy certificates. To use keytool you will need Java installed; if your system doesn’t already have it, install it with the apt-get install openjdk-8-jdk command.
To generate the certificate run the following command. It creates a keystore.jks file in the folder you ran the command from:

keytool -genkeypair -keystore keystore.jks -storepass Password1 -keypass Password1 -alias jetty -keyalg RSA -keysize 2048 -validity 5000 -dname "CN=10.9.222.43, OU=Example, O=Sonatype, L=Unspecified, ST=Unspecified, C=US" -ext "SAN=DNS:scmbdirectory.com,IP:10.9.222.43" -ext "BC=ca:true"

Copy the keystore you just created to /etc/ssl/keystore.jks

Configure Nexus

Two configuration changes need to happen to get nexus to support https (which is required by Docker and is better in general):
·         Update $NEXUS_HOME/etc/org.sonatype.nexus.cfg
Add ${karaf.etc}/jetty-https.xml to the end of the nexus-args; don’t forget to separate with a comma, i.e.
nexus-args=${karaf.etc}/jetty.xml,${karaf.etc}/jetty-http.xml,${karaf.etc}/jetty-requestlog.xml,${karaf.etc}/jetty-https.xml
Add application-port-ssl=8443
·         Update the jetty-https.xml file
Update the certificate details under the sslContextFactory tag to look like the following:
    
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
 <Set name="KeyStorePath">/etc/ssl/keystore.jks</Set>
 <Set name="KeyStorePassword">Password1</Set>
 <Set name="KeyManagerPassword">Password1</Set>
 <Set name="TrustStorePath">/etc/ssl/keystore.jks</Set>
 <Set name="TrustStorePassword">Password1</Set>
 <Set name="EndpointIdentificationAlgorithm"></Set>
 <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
 <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
 <Set name="ExcludeCipherSuites">
 <Array type="String">
 <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
 <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
 <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
 <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
 <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
 <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
 <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
 </Array>
 </Set>
 </New> 


Export certificate

We need to export the certificate to be able to import it into the Ubuntu certificate store. Client (unsigned) certificates are saved as .cert, while signed certificates are saved as .crt.
Run the command below from the machine that will be pushing or pulling images from Nexus:

    sudo keytool -printcert -sslserver nexushost:port -rfc
(change nexushost to the IP or host name of the server and port to the https port of nexus)
Save the output to the file ~/docker.cert
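
A check for the export step above, added here and not part of the original post: keytool -printcert -sslserver accepts whatever certificate answers on the network, so before installing ~/docker.cert compare its SHA-256 fingerprint with the one read directly from the keystore on the Nexus host. The function names are hypothetical, and the expected fingerprint is assumed to be copied from the SHA256 line of keytool -list -v -keystore /etc/ssl/keystore.jks run on the server.

```shell
#!/bin/sh
# Added example (not from the original post): pin the exported certificate
# against a fingerprint obtained out-of-band on the Nexus host.

# Print the SHA-256 fingerprint (lowercase hex, no separators) of the first
# certificate in a PEM file. Fails if the file holds no certificate block.
pem_sha256() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
                /-----END CERTIFICATE-----/   {exit}
                on {print}' "$1" | tr -d ' \r\n')
    [ -n "$body" ] || return 1
    # The fingerprint is the hash of the DER bytes, i.e. the decoded base64 body.
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Turn a fingerprint in keytool's "AB:CD:..." form into lowercase hex.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only if the PEM file's fingerprint equals the expected one.
cert_matches() {
    expected=$(normalise_fp "$2")
    [ -n "$expected" ] || return 1
    actual=$(pem_sha256 "$1") || return 1
    [ "$actual" = "$expected" ]
}

# Usage: sh verify_cert.sh ~/docker.cert "AB:CD:...:EF"
# (the script file name is an assumption)
if [ "$#" -eq 2 ]; then
    if cert_matches "$1" "$2"; then
        echo "fingerprint matches"
    else
        echo "MISMATCH: do not install $1" >&2
        exit 1
    fi
fi
```
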

Import and Install certificate

Create the directory structure /etc/docker/certs.d/nexushost
Copy the certificate exported above into the folder you just created.
Run the following command to import the certificate:
    sudo update-ca-certificates
You may now start the nexus service using:
    sudo service nexus start

Setup nexus repository

Log in to the nexus admin page using the url https://nexushome:8443; at this point https should be working.
Go to https://nexushome:8443/#admin/repository/repositories to configure a docker repository.
There are three types of docker repositories that can be created when clicking on the “create new” button:
·         Docker (group) Used to link multiple repositories
·         Docker (hosted) Used to host your own private repository
·         Docker (proxy) Used to link external Docker repositories like Docker-Hub

Docker (hosted)
Configure as below, the https port needs to be unique, docker uses unique ports to identify repositories.

Docker (proxy)
Configure as below, the https port needs to be unique, docker uses unique ports to identify repositories.

Docker (group)
Configure as below, remember to add Docker repositories to the group at the bottom



 Push Docker image to nexus

This is the part we’ve all been waiting for: pushing a Docker image you just created to the nexus repo.
The first step will be to tag a build.
To view which images are available, run the following command:
    sudo docker images
Result:
REPOSITORY                              TAG                 IMAGE ID            CREATED             SIZE
jboss-eap                               6.4                 175002fddb71        44 hours ago        2.221 GB
alchemy-eap-6.4                         1.0                 70119eab606c        5 weeks ago         2.724 GB
ubuntu                                  wily                b5e09e0cd052        9 weeks ago         136.1 MB

sudo docker login nexushome:port
sudo docker tag  175002fddb71  nexushome:port/jboss-eap:6.4
sudo docker push nexushome:port/jboss-eap:6.4

And that’s all there is to it :)



About J@$E

Developer of stuffs ...