This topic explains how to configure Ops Manager to access Docker registries such as Docker Hub, either by providing a root certificate authority (CA) certificate or by adding the registry's address to an allowlist. It also explains how to configure Ops Manager to access Docker registries through a proxy.
Docker registries store Docker container images. Ops Manager uses these images to create the Docker containers that it runs apps in.
Ops Manager can only access Docker registries if an operator has enabled Docker support with the cf enable-feature-flag diego_docker command, as described in the Enable Docker section of the Using Docker in TAS for VMs topic.
With Docker enabled, developers can push an app with a Docker image using the Cloud Foundry Command Line Interface (cf CLI). For more information, see Deploying an App with Docker.
To provide your root CA certificate in the Ops Manager configuration:
In the Ops Manager Installation Dashboard, click the BOSH Director tile.
Click Security.
In the Trusted Certificates field, paste one or more root CA certificates. Paste the CA certificate, not the registry's own server certificate: the registry presents a server certificate that is signed by the CA, and the CA certificate is what the app containers need in order to validate that server certificate.
Click Save.
Select one of the following:
After you apply the configuration, BOSH propagates your CA certificate to every application container in the deployment. Containers can then validate your registries' certificates, so you can push and pull images from those registries.
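Before applying the change, it is worth confirming two things that the procedure above assumes: that the PEM you paste is really a CA certificate, and that the certificate your registry serves chains to it for the registry's hostname. The following Python script is an added example written for this page, not VMware tooling. It drives the openssl CLI (OpenSSL 1.1.1 or newer is assumed) and, for an offline demonstration, generates a throwaway CA, a registry certificate signed by it, and a self-signed "rogue" certificate; those files, the hostname registry.example.internal and the function names are constructed for the example.

```python
"""Sanity-check the certificates involved in the Trusted Certificates step:
is the PEM a CA certificate, and does the registry's certificate chain to it?

Added example for this page, not VMware tooling. Uses the openssl CLI
(OpenSSL 1.1.1+ assumed). The demo CA, registry leaf and rogue certificate
it builds are constructed test data, not a real registry's certificates.
"""
import os
import subprocess
import tempfile

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
CA_CNF = """[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""

EC_KEY = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]


def _openssl(*args, **kwargs):
    return subprocess.run(["openssl", *args], capture_output=True, text=True, **kwargs)


def is_ca_cert(pem_path):
    """True if the certificate asserts basicConstraints CA:TRUE. A registry's
    server certificate will not; pasting that instead of the CA is the usual
    mistake, and containers would still fail to build a trusted chain."""
    out = _openssl("x509", "-in", pem_path, "-noout", "-text")
    return out.returncode == 0 and "CA:TRUE" in out.stdout


def chains_to(ca_pem, leaf_pem, hostname=None):
    """True if leaf_pem verifies with ca_pem as the trust anchor. With hostname
    set, the leaf must also be valid for that name, which is what a container
    checks when it pulls from https://hostname/..."""
    args = ["verify", "-CAfile", ca_pem]
    if hostname:
        args += ["-verify_hostname", hostname]
    return _openssl(*args, leaf_pem).returncode == 0


def registry_serves_trusted_chain(host, port, ca_pem):
    """Live check against a running registry (needs network, so not part of the
    offline demo). Exit status 0 means the served chain verified against ca_pem."""
    out = _openssl("s_client", "-connect", f"{host}:{port}", "-servername", host,
                   "-CAfile", ca_pem, "-verify_return_error", input="")
    return out.returncode == 0


def make_demo_certs(workdir=None, registry_host="registry.example.internal"):
    """Constructed fixtures: a root CA, a leaf it signed for registry_host, and a
    self-signed leaf for the same host that no CA vouches for."""
    workdir = workdir or tempfile.mkdtemp(prefix="registry-ca-demo-")
    p = lambda name: os.path.join(workdir, name)
    with open(p("ca.cnf"), "w") as f:
        f.write(CA_CNF)
    with open(p("leaf.ext"), "w") as f:
        f.write(f"subjectAltName = DNS:{registry_host}\nbasicConstraints = CA:FALSE\n"
                "keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n")
    _openssl("req", "-x509", "-config", p("ca.cnf"), *EC_KEY, "-days", "1",
             "-keyout", p("ca.key"), "-out", p("ca.pem"), check=True)
    _openssl("req", "-new", "-config", p("ca.cnf"), "-subj", f"/CN={registry_host}", *EC_KEY,
             "-keyout", p("leaf.key"), "-out", p("leaf.csr"), check=True)
    _openssl("x509", "-req", "-in", p("leaf.csr"), "-CA", p("ca.pem"), "-CAkey", p("ca.key"),
             "-CAcreateserial", "-extfile", p("leaf.ext"), "-days", "1", "-out", p("leaf.pem"),
             check=True)
    _openssl("req", "-x509", "-config", p("ca.cnf"), "-subj", f"/CN={registry_host}", *EC_KEY,
             "-days", "1", "-keyout", p("rogue.key"), "-out", p("rogue.pem"), check=True)
    return {"ca": p("ca.pem"), "leaf": p("leaf.pem"), "rogue": p("rogue.pem")}


if __name__ == "__main__":
    certs = make_demo_certs()
    print("ca.pem is a CA certificate:", is_ca_cert(certs["ca"]))
    print("leaf.pem is a CA certificate:", is_ca_cert(certs["leaf"]))
    print("leaf chains to CA for registry.example.internal:",
          chains_to(certs["ca"], certs["leaf"], "registry.example.internal"))
    print("rogue chains to CA:", chains_to(certs["ca"], certs["rogue"]))
```

Run is_ca_cert against the file you intend to paste and chains_to against a copy of the certificate your registry serves (openssl s_client can save it); registry_serves_trusted_chain does the same check against the live registry once it is reachable from your network.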
If you choose not to provide a CA certificate, you must instead add the hostname or IP address and port of your Docker registry to the insecure registry allowlist.
Important: Adding a registry to the allowlist skips SSL certificate validation for that registry, so a Diego Cell cannot distinguish the genuine registry from an impostor answering at that address. If you want to enforce SSL validation, do not allowlist the registry; instead, enter the IP address of the Docker registry in the No proxy field described in Configure Ops Manager to Access Proxies for Docker Registries.
To configure an IP address allow list with the IP address of your Docker registry:
Go to the Ops Manager Installation Dashboard.
Click the VMware Tanzu Application Service for VMs (TAS for VMs) tile.
Select App Containers.
Optionally, select Allow SSH access to app containers to enable app containers to accept SSH connections. This setting is independent of Docker registry access. If you use a load balancer instead of HAProxy, you must open port 2222 on your load balancer to enable SSH traffic. To open an SSH connection to an app, a user must have Space Developer privileges for the space where the app is deployed. Operators can grant those privileges in Apps Manager or using the cf CLI.
For Private Docker insecure registry allow list, enter the hostname or IP address and port of your private Docker registry, for example 198.51.100.1:80 or mydockerregistry.com:80. Separate multiple entries with commas. TAS for VMs skips SSL certificate validation for the registries at these locations, which is what allows a private registry secured with a self-signed certificate to be used.
Under Docker images disk cleanup scheduling on Diego Cell VMs, choose one of the options listed below. For more information about these options, see Configuring Docker Images Disk-Cleanup Scheduling.
Click Save.
Do one of the following:
After you apply the configuration, TAS for VMs pulls Docker images from the listed registries without validating their certificates.
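To see what a given allowlist value actually does to a pull, the following Python script is an added example written for this page, not TAS for VMs or Diego code. It parses the comma-delimited field, resolves the registry part of an image reference using Docker's reference grammar, reports which pulls would skip certificate validation, and flags entries that widen that hole beyond a private registry. Its assumptions: an allowlist entry is compared against the image reference's registry part as an exact host[:port] string (the page's own examples carry the port), the IPv6 bracket form is not handled, and the Docker Hub hostnames and audit rules are the example's own choices. The sample field value and image references are constructed.

```python
"""Model what the 'Private Docker insecure registry allow list' does to a
cf push --docker-image pull. Added example for this page, not TAS for VMs or
Diego code; the exact host[:port] matching rule, the Docker Hub host set and
the audit rules are this example's assumptions, not taken from the page.
"""
import ipaddress
import re

# Public Docker Hub endpoints. Allow-listing them buys nothing (their
# certificates are publicly trusted) and only switches validation off.
DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io",
                    "registry.hub.docker.com"}
ENTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?$")


def parse_allowlist(field_text):
    """Parse the comma-delimited field into a list of (host, port); port is
    None when the entry has none. Malformed entries raise rather than
    silently matching nothing."""
    entries = []
    for raw in field_text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed allow list entry: {raw!r}")
        port = int(m["port"]) if m["port"] else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range in allow list entry: {raw!r}")
        entries.append((m["host"].lower(), port))
    return entries


def registry_of(image_ref):
    """Registry host[:port] a reference resolves to, per Docker's reference
    grammar: the first path component is a registry only if it contains '.'
    or ':' or is 'localhost'; otherwise the image lives on Docker Hub, so
    'nginx' and 'myorg/app:1.2' both go to docker.io."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def _host_port(registry):
    host, _, port = registry.partition(":")
    return host, (int(port) if port else None)


def validation_skipped(image_ref, allowlist):
    """True if, under the assumed exact-match rule, a Diego Cell would pull
    this image without validating the registry's certificate."""
    return _host_port(registry_of(image_ref)) in allowlist


def audit_allowlist(allowlist):
    """Findings for entries that disable validation more broadly than a
    single private registry warrants."""
    findings = []
    for host, port in allowlist:
        where = host if port is None else f"{host}:{port}"
        if host in DOCKER_HUB_HOSTS:
            findings.append(f"{where}: public Docker Hub endpoint; remove it, "
                            "its certificate is already publicly trusted")
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname; nothing more to check offline
        if ip.is_unspecified:
            findings.append(f"{where}: unspecified address is not a registry location")
        elif ip.is_global:
            findings.append(f"{where}: public IP address; skipping validation for a "
                            "registry reached over the internet invites MITM on pulls")
    return findings


if __name__ == "__main__":
    # Constructed sample field value and image references, not a real deployment.
    allowlist = parse_allowlist("198.51.100.1:80, mydockerregistry.com:80, docker.io")
    for ref in ("nginx", "myorg/app:1.2", "mydockerregistry.com:80/team/app:1.2",
                "mydockerregistry.com/team/app:1.2", "localhost:5000/app"):
        print(f"{ref:40} registry={registry_of(ref):25} "
              f"validation skipped={validation_skipped(ref, allowlist)}")
    for finding in audit_allowlist(allowlist):
        print("WARN", finding)
```

Two things the run makes visible: an entry written with a port (mydockerregistry.com:80) does not cover a pull that omits the port, so write entries exactly as developers will reference the registry; and a bare docker.io entry turns validation off for every public Docker Hub pull in the foundation, which is why the audit flags it.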
If your Docker registries are reachable only through a proxy, configure Ops Manager to access them through that proxy.
To configure Ops Manager to access a Docker registry through a proxy:
On the Installation Dashboard, click your username, then click Settings, and then click Proxy Settings.
On the Update Proxy Settings pane, complete one of the following fields:
Enter multiple IP addresses as a comma-separated list.
Click Update.
Return to the Ops Manager dashboard, click Review Pending Changes, and click Apply Changes.