2022-01-07 12:50:39 +01:00
---
title: Setting up private docker registry for Compute-to-Data environment
2022-07-03 12:47:26 +02:00
description: >-
Learn how to setup your own docker registry and push images for running
algorithms in a C2D environment.
2022-01-07 12:50:39 +01:00
---
2023-06-27 15:16:54 +02:00
# C2D - Private Docker Registry
2022-01-10 08:13:33 +01:00
2023-06-27 15:16:54 +02:00
The document is intended for a production setup. The tutorial provides the steps to set up a private docker registry on the server for the following scenarios:
2022-01-18 11:34:36 +01:00
2022-07-03 12:47:26 +02:00
* Allow registry access only to the C2D environment.
* Anyone can pull the image from the registry but, only authenticated users will push images to the registry.
2022-01-18 11:34:36 +01:00
2022-07-03 12:47:26 +02:00
### Setup 1: Allow registry access only to the C2D environment
2022-01-18 11:34:36 +01:00
To implement this use case, 1 domain will be required:
2022-01-10 08:13:33 +01:00
2022-07-03 12:47:26 +02:00
* **example.com**: This domain will allow only image pull operations
2022-01-10 08:13:33 +01:00
_Note: Please change the domain names to your application-specific domain names._
2022-07-03 12:47:26 +02:00
#### 1.1 Prerequisites
2022-01-18 11:34:36 +01:00
2023-06-27 15:16:54 +02:00
* A docker environment running on a Linux server.
2022-07-03 12:47:26 +02:00
* Docker compose is installed.
* C2D environment is running.
2023-06-27 15:16:54 +02:00
* The domain names are mapped to the server hosting the registry.
2022-01-18 11:34:36 +01:00
2022-07-03 12:47:26 +02:00
#### 1.2 Generate certificates
2022-01-18 11:34:36 +01:00
```bash
# install certbot: https://certbot.eff.org/
sudo certbot certonly --standalone --cert-name example.com -d example.com
```
2023-06-27 15:16:54 +02:00
_Note: Check the access right of the files/directories where certificates are stored. Usually, they are at `/etc/letsencrypt/` ._
2022-01-18 11:34:36 +01:00
2023-06-27 15:16:54 +02:00
#### 1.3 Generate a password file
2022-01-18 11:34:36 +01:00
Replace content in `<>` with appropriate content.
```bash
docker run \
--entrypoint htpasswd \
httpd:2 -Bbn < username > < password > > < path > /auth/htpasswd
```
2022-07-03 12:47:26 +02:00
#### 1.4 Docker compose template file for registry
2022-01-18 11:34:36 +01:00
2023-06-27 15:16:54 +02:00
Copy the below `yml` content to `docker-compose.yml` file and replace content in `<>` .
2022-01-18 11:34:36 +01:00
```yml
version: '3'
services:
registry:
restart: always
container_name: my-docker-registry
image: registry:2
ports:
- 5050:5000
environment:
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
REGISTRY_HTTP_SECRET: < secret >
volumes:
- < path > /data:/var/lib/registry
- < path > /auth:/auth
nginx:
image: nginx:latest
container_name: nginx
volumes:
- < path > /nginx/logs:/app/logs/
- nginx.conf:/etc/nginx/nginx.conf
- /etc/letsencrypt/:/etc/letsencrypt/
ports:
- 80:80
- 443:443
depends_on:
- registry
```
2022-07-03 12:47:26 +02:00
#### 1.5 Nginx configuration
2022-01-18 11:34:36 +01:00
Copy the below nginx configuration to a `nginx.conf` file.
2022-07-03 12:47:26 +02:00
```
2022-01-18 11:34:36 +01:00
events {}
http {
access_log /app/logs/access.log;
error_log /app/logs/error.log;
server {
client_max_body_size 4096M;
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
# Allowed request size should be large enough to allow pull operations
client_max_body_size 4096M;
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_connect_timeout 75s;
proxy_pass http://registry-read-only:5000;
}
}
}
```
2023-06-27 15:16:54 +02:00
#### 1.6 Create Kubernetes secret in C2D server
2022-01-18 11:34:36 +01:00
2024-05-04 06:31:26 +02:00
Login into the compute-to-data environment and run the following command with the appropriate credentials:
2022-01-18 11:34:36 +01:00
```bash
kubectl create secret docker-registry regcred --docker-server=example.com --docker-username=< username > --docker-password=< password > --docker-email=< email_id > -n ocean-compute
```
2022-07-03 12:47:26 +02:00
#### 1.7 Update operator-engine configuration
2022-01-18 11:34:36 +01:00
2023-06-27 15:16:54 +02:00
Add `PULL_SECRET` property with value `regcred` in the [operator.yml ](https://github.com/oceanprotocol/operator-engine/blob/main/kubernetes/operator.yml ) file of operator-engine configuration. For more details on operator-engine properties refer to the [operator-engine readme ](https://github.com/oceanprotocol/operator-engine/blob/v4main/README.md ).
2022-01-18 11:34:36 +01:00
Apply updated operator-engine configuration.
```bash
kubectl config set-context --current --namespace ocean-compute
kubectl apply -f operator-engine/kubernetes/operator.yml
```
2023-06-27 15:16:54 +02:00
### Steup 2: Allow anonymous `pull` operations
2022-01-18 11:34:36 +01:00
To implement this use case, 2 domains will be required:
2023-06-27 15:16:54 +02:00
* **example.com**: This domain will only allow image push/pull operations from authenticated users.
2022-07-03 12:47:26 +02:00
* **readonly.example.com**: This domain will allow only image pull operations
2022-01-18 11:34:36 +01:00
_Note: Please change the domain names to your application-specific domain names._
2022-07-03 12:47:26 +02:00
#### 2.1 Prerequisites
2022-01-07 12:56:11 +01:00
2023-06-27 15:16:54 +02:00
* Running docker environment on the Linux server.
2022-07-03 12:47:26 +02:00
* Docker compose is installed.
2023-06-27 15:16:54 +02:00
* 2 domain names are mapped to the same server IP address.
2022-01-07 12:50:39 +01:00
2022-07-03 12:47:26 +02:00
#### 2.2 Generate certificates
2022-01-10 07:39:17 +01:00
```bash
# install certbot: https://certbot.eff.org/
sudo certbot certonly --standalone --cert-name example.com -d example.com
2022-01-18 11:34:36 +01:00
sudo certbot certonly --standalone --cert-name readonly.example.com -d readonly.example.com
2022-01-10 07:39:17 +01:00
```
2022-01-10 08:31:11 +01:00
_Note: Do check the access right of the files/directories where certificates are stored. Usually, they are at `/etc/letsencrypt/` ._
2023-06-27 15:16:54 +02:00
#### 2.3 Generate a password file
2022-01-07 12:50:39 +01:00
Replace content in `<>` with appropriate content.
```bash
docker run \
--entrypoint htpasswd \
httpd:2 -Bbn < username > < password > > < path > /auth/htpasswd
```
2022-07-03 12:47:26 +02:00
#### 2.4 Docker compose template file for registry
2022-01-07 12:50:39 +01:00
2023-06-27 15:16:54 +02:00
Copy the below `yml` content to `docker-compose.yml` file and replace content in `<>` . Here, we will be creating two services of the docker registry so that anyone can `pull` the images from the registry but, only authenticated users can `push` the images.
2022-01-07 12:50:39 +01:00
```yml
version: '3'
services:
registry:
restart: always
container_name: my-docker-registry
image: registry:2
ports:
- 5050:5000
environment:
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
REGISTRY_HTTP_SECRET: < secret >
volumes:
- < path > /data:/var/lib/registry
- < path > /auth:/auth
2022-01-10 07:39:17 +01:00
registry-read-only:
restart: always
container_name: my-registry-read-only
image: registry:2
read_only: true
ports:
- 5051:5000
environment:
REGISTRY_HTTP_SECRET: ${REGISTRY_HTTP_SECRET}
volumes:
- < path > /docker-registry/data:/var/lib/registry:ro
depends_on:
- registry
nginx:
image: nginx:latest
container_name: nginx
volumes:
- < path > /nginx/logs:/app/logs/
- nginx.conf:/etc/nginx/nginx.conf
- /etc/letsencrypt/:/etc/letsencrypt/
ports:
- 80:80
- 443:443
depends_on:
- registry-read-only
```
2022-07-03 12:47:26 +02:00
#### 2.5 Nginx configuration
2022-01-10 07:39:17 +01:00
2022-01-10 08:38:02 +01:00
Copy the below nginx configuration to a `nginx.conf` file.
2022-07-03 12:47:26 +02:00
```
2022-01-10 07:39:17 +01:00
events {}
http {
access_log /app/logs/access.log;
error_log /app/logs/error.log;
server {
client_max_body_size 4096M;
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
# Allowed request size should be large enough to allow push operations
client_max_body_size 4096M;
listen 443 ssl;
2022-01-18 11:34:36 +01:00
server_name readonly.example.com;
ssl_certificate /etc/letsencrypt/live/readonly.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/readonly.example.com/privkey.pem;
2022-01-10 07:39:17 +01:00
location / {
proxy_connect_timeout 75s;
proxy_pass http://registry:5000;
}
}
server {
# Allowed request size should be large enough to allow pull operations
client_max_body_size 4096M;
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_connect_timeout 75s;
proxy_pass http://registry-read-only:5000;
}
}
}
2022-01-07 12:50:39 +01:00
```
2022-07-03 12:47:26 +02:00
### Start the registry
2022-01-07 12:50:39 +01:00
```bash
docker-compose -f docker-compose.yml up
```
2022-07-03 12:47:26 +02:00
### Working with registry
2022-01-10 08:21:04 +01:00
2022-07-03 12:47:26 +02:00
#### Login to registry
2022-01-07 12:50:39 +01:00
```bash
2022-01-18 11:34:36 +01:00
docker login example.com -u < username > -p < password >
2022-01-07 12:50:39 +01:00
```
2022-07-03 12:47:26 +02:00
#### Build and push an image to the registry
2022-01-07 12:50:39 +01:00
2022-01-10 08:13:33 +01:00
Use the commands below to build an image from a `Dockerfile` and push it to your private registry.
2022-01-07 12:50:39 +01:00
```bash
2022-01-18 11:34:36 +01:00
docker build . -t example.com/my-algo:latest
docker image push example.com/my-algo:latest
2022-01-07 12:50:39 +01:00
```
2022-07-03 12:47:26 +02:00
#### List images in the registry
2022-01-07 12:50:39 +01:00
```bash
2022-01-10 08:13:33 +01:00
curl -X GET -u < username > :< password > https://example.com/v2/_catalog
```
2022-07-03 12:47:26 +02:00
#### Pull an image from the registry
2022-01-07 12:50:39 +01:00
2022-01-10 08:13:33 +01:00
Use the commands below to build an image from a `Dockerfile` and push it to your private registry.
```bash
2022-01-18 11:34:36 +01:00
# requires login
2022-01-10 08:13:33 +01:00
docker image pull example.com/my-algo:latest
2022-01-18 11:34:36 +01:00
# allows anonymous pull if 2nd setup scenario is implemented
docker image pull readonly.example.com/my-algo:latest
2022-01-07 12:50:39 +01:00
```
2022-07-03 12:47:26 +02:00
#### Next step
2022-01-07 12:50:39 +01:00
2023-06-27 15:16:54 +02:00
You can publish an algorithm asset with the metadata containing the registry URL, image, and tag information to enable users to run C2D jobs.
2022-01-10 08:49:57 +01:00
2022-07-03 12:47:26 +02:00
### Further references
2022-01-10 08:13:33 +01:00
2022-07-06 11:41:13 +02:00
* [Setup Compute-to-Data environment ](compute-to-data-minikube.md )
2023-06-29 17:52:01 +02:00
* [Writing algorithms ](../developers//compute-to-data/compute-to-data-algorithms.md )
2022-07-06 11:41:13 +02:00
* [C2D example ](https://github.com/oceanprotocol/ocean.py/blob/main/READMEs/c2d-flow.md )