docker in artifactory

10 Mar 2015

This just a rough draft of notes so that I know what I did when 6 months pass and I forgot how the Docker registry was set up.

Docker does not work with artifactory out of the box, instead it needs to be tricked a little bit. Basically, docker expects that every registry has SSL and artifactory does not do that.

There are two components, 1) setting up the SSL proxy, and 2) setting up the client registry.

Setting Up the SSL Proxy

The artifactory documentation describes setting up everything pretty easily. The only extra step was having a command to copy/paste for creating a self-signed SSL key, like this:

mkdir /etc/nginx/docker-artifactory
cd /etc/nginx/docker-artifactory
openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 36500

Then I do the nginx.conf:

server {
  listen 443;
  server_name docker.artifactory.rb;
  ssl on;
  ssl_certificate     docker-artifactory/cert.pem;
  ssl_certificate_key docker-artifactory/key.pem;
  error_log /var/log/nginx/docker.artifactory.rb.error.log;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Original-URI $request_uri;
  proxy_read_timeout 900;
  client_max_body_size 0;
  chunked_transfer_encoding on;
  location / {
    proxy_pass http://ares:8081/artifactory/api/docker/ixl-docker-local/;
  }
}

As well as adding a DNS entry for docker.artifactory.rb.

Having those available for the rest of the instructions was helpful.

Note: If we have an actual CA signed key for SSL, the most painful parts of client configuration will not be necessary.

See the documentation for more details.

Setting Up the Client Registry

Had to first set up Docker to use an insecure registry.

sudo systemctl edit --full docker

Needed to add to the end of my ExecStart line in the Docker unit file:

--insecure-registry docker.artifactory.rb

So it looked like:

ExecStart=/usr/bin/docker -d -H fd:// --insecure-registry docker.artifactory.rb

This is enough to use docker pull and download images from artifactory.

Setting Up Client Push

There is a little extra you’ll need to set up if you want to push images to the registry.

Artifactory provides a little interface you can use with curl to get a piece of JSON that you’ll include in your ~/.dockercfg.

curl --insecure -u username:password "https://docker.artifactory.rb/v1/auth"

If you already have a ~/.dockercfg, then you’ll need to manually integrate the output of curl with your current config. Since it is just JSON and we’re all engineers, I have faith this present no insurmountable challenges.

One thing to note is that now when you want to push/pull images from Artifactory, you MUST prefix the image name with the registry domain. In my particular case, it is docker.artifactory.rb.

So, for instance, I wanted to upload the redis image to artifactory.

First, I looked for its image ID in the output of docker images, then I retagged it correctly:

docker tag 868be653dea3 docker.artifactory.rb/redis:latest

Now I can upload it:

docker push docker.artifactory.rb/redis:latest

To pull an image from artifactory, it looks the same:

docker pull docker.artifactory.rb/redis:latest

See the documentation for more details.