Atomic Registry managed by systemd
sudo atomic install projectatomic/atomic-registry-install <hostname>
Start system services
sudo systemctl start atomic-registry-master.service
Set up the registry. This script creates the OAuth client so the web console can connect. It also configures the registry service account so it can connect to the API master.
sudo /var/run/setup-atomic-registry.sh <hostname>
Until the registry is secured with TLS certificates, configure the client docker daemon with --insecure-registry in /etc/sysconfig/docker and restart it.
sudo systemctl restart docker.service
Optional post-install configuration:
- configure authentication provider. NOTE: by default ANY username and password will authenticate users.
- configure storage
  - mount local storage /var/lib/atomic-registry/registry or
  - configure cloud storage in /etc/atomic-registry/registry/config.yml
- add TLS certificates to services (see below)
Uninstall but retain data in /var/lib/atomic-registry. This will remove all configuration changes, etc. You can run install steps again and existing data will be available in the new deployment configuration.
sudo atomic uninstall projectatomic/atomic-registry-install
Uninstall and remove data in /var/lib/atomic-registry. This will remove all images and the datastore. This will completely clean up the environment.
sudo atomic uninstall projectatomic/atomic-registry-install --remove-data
|Service and container name|Role|Configuration|Data|Port|
|---|---|---|---|---|
|atomic-registry-master|auth, datastore, API|General config, incl auth: /etc/atomic-registry/master/master-config.yaml, Log level: /etc/sysconfig/atomic-registry-master|datastore: /var/lib/atomic-registry/etcd|8443|
|atomic-registry|docker registry|/etc/sysconfig/atomic-registry, /etc/atomic-registry/registry/config.yml|images: /var/lib/atomic-registry/registry|5000|
|atomic-registry-console|web console|/etc/sysconfig/atomic-registry-console|none (stateless)|9090|
- Edit appropriate configuration file(s) on host
- Restart service via systemd
sudo systemctl restart <service_name>
As a microservice application the three services may theoretically be updated independently. However, it is strongly recommended that the services be updated together to ensure you are deploying a tested configuration.
Pull the updated images
sudo docker pull openshift/origin
sudo docker pull openshift/origin-docker-registry
sudo docker pull cockpit/kubernetes
Restart the services
sudo systemctl restart atomic-registry-console
sudo systemctl restart atomic-registry-master
sudo systemctl restart atomic-registry
Data persistence and backup
The data that should be persisted is the configuration, image data and the registry database. These are mounted on the host. See Service table above for specific paths.
Secure Registry endpoint
Here we create a self-signed certificate so docker clients can connect using TLS. While other tools like openssl may be used to create certificates, the master API provides a tool that may also be used.
sudo docker exec -it atomic-registry-master bash
oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='<hostname(s)>' --cert=registry.crt --key=registry.key
sudo cp /etc/atomic-registry/master/registry.* /etc/atomic-registry/registry/
sudo chown -R 1001:root /etc/atomic-registry/registry/
In /etc/sysconfig/atomic-registry, uncomment the environment variables REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY.
sudo systemctl restart atomic-registry
Serving the certificate for docker clients
If you're creating a self-signed certificate key pair you want to make the public CA certificate available to end-users so they don't have to put docker into insecure mode.
Edit /etc/atomic-registry/master/master-config.yaml and add the following extension.
assetConfig:
  ...
  extensions:
    - name: certs
      sourceDirectory: /etc/atomic-registry/master/site
sudo cp /etc/atomic-registry/master/ca.crt /etc/atomic-registry/master/site/
sudo systemctl restart atomic-registry-master
Clients may then save this cert into their docker client and restart the docker daemon
curl --insecure -O https://<registry_hostname>:8443/console/extensions/certs/ca.crt
sudo cp ca.crt /etc/docker/certs.d/<registry_hostname>:5000/.
sudo systemctl restart docker.service
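The download above uses curl --insecure, so the CA file itself arrives unauthenticated. As an added example (not part of the original page), this shell function copies the file into docker's certs.d only if its SHA-256 digest matches a value obtained out of band; the function name, the optional certs-root argument and the existence of a published digest are assumptions.

```shell
#!/bin/sh
# Added example: pin the registry CA by digest before docker trusts it.
# Usage: install_registry_ca CERT EXPECTED_SHA256 REGISTRY_HOST:PORT [CERTS_ROOT]
# EXPECTED_SHA256 is the `sha256sum ca.crt` value the registry admin published
# over a separate trusted channel (assumption: such a value is available).
install_registry_ca() {
    cert=$1; expected=$2; registry=$3
    certs_root=${4:-/etc/docker/certs.d}   # docker's per-registry CA directory

    if [ ! -s "$cert" ]; then
        echo "error: $cert is missing or empty" >&2
        return 2
    fi
    # An HTML error page saved by `curl -O` would otherwise be installed blindly.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "error: $cert is not a PEM certificate" >&2
        return 2
    fi

    # Normalise both digests: lower-case hex, no colons or whitespace.
    actual=$(sha256sum "$cert" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr -d ': \n' | tr 'A-F' 'a-f')

    if [ "$actual" != "$expected" ]; then
        echo "error: digest mismatch for $cert, not installing" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # Digest matches: place the CA where docker looks for this registry.
    dest="$certs_root/$registry"
    mkdir -p "$dest" && cp "$cert" "$dest/ca.crt" && chmod 0644 "$dest/ca.crt"
}
```

Run it with sudo privileges in place of the plain cp step, then restart docker.service as before.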
Has anyone come across the 'authentication failed' error when initially logging in?
The commands in the uninstall section should be changed to "atomic uninstall"; it currently says "atomic install".