You will learn how to configure Operations Manager to access Docker registries such as Docker Hub, by using either a root certificate authority (CA) certificate or by adding its IP address to an allowlist. It also explains how to configure Operations Manager to access Docker registries through a proxy.
Docker registries store Docker container images. Operations Manager uses these images to create the Docker containers that it runs apps in.
Operations Manager can only access Docker registries if an operator has enabled Docker support with the cf enable-feature-flag diego_docker
command, as described in the Enable Docker section of the Using Docker in TAS for VMs topic.
With Docker enabled, developers can push an app with a Docker image using the Cloud Foundry Command Line Interface (cf CLI). For more information, see Deploying an App with Docker.
If you provide your root CA certificate in the Tanzu Operations Manager configuration:
In the Tanzu Operations Manager Installation Dashboard, click the BOSH Director tile.
Click Security.
In the Trusted Certificates field, paste one or more root CA certificates. The Docker registry does not use the CA certificate itself but uses a certificate that is signed by the CA certificate.
Click Save.
Select one of the following:
After configuration, BOSH propagates your CA certificate to all application containers in your deployment. You can then push and pull images from your Docker registries.
If you choose not to provide a CA certificate, you must provide the IP address of your Docker registry.
Important Using an allow list skips SSL validation. If you want to enforce SSL validation, enter the IP address of the Docker registry in the No proxy field described in Configure Operations Manager to Access Proxies for Docker Registries.
To configure an IP address allow list with the IP address of your Docker registry:
Go to the Tanzu Operations Manager Installation Dashboard.
Click the VMware Tanzu Application Service for VMs (TAS for VMs) tile.
Select App Containers.
Select Allow SSH access to app containers to activate app containers to accept SSH connections. If you use a load balancer, you must open port 2222 on your load balancer to activate SSH traffic. To open an SSH connection to an app, a user must have Space Developer privileges for the space where the app is deployed. Operators can grant those privileges in Apps Manager or using the cf CLI. Note that selecting this option allows SSH access across your entire TAS for VMs deployment.
For Docker registry allow list, provide the hostnames or IP addresses and ports of Docker registries in which TAS for VMs can run app instances. Enter hostnames or IP addresses and ports as a comma-separated list. SSL validation is ignored for Docker image registries secured with self-signed certificates at these locations.
Under Diego Cell disk cleanup scheduling, select one of the following options. For more information about these options, see Configuring Docker Images Disk-Cleanup Scheduling.
Click Save.
Do one of the following:
After configuration, TAS for VMs allows Docker images to pass through the specified IP address without checking certificates.
If you have proxies already set up for Docker registries, you should configure Operations Manager to access your Docker registries through a proxy.
To configure Operations Manager to access a Docker registry through a proxy:
On the Installation Dashboard, go to Username; then click Settings, followed by Proxy Settings.
On the Update Proxy Settings pane, complete one of the following fields:
Enter multiple IP addresses as a comma-separated list.
Click Update.
Return to the Tanzu Operations Manager dashboard, click Review Pending Changes, and click Apply Changes.