You can configure Operations Manager to access Docker registries, such as Docker Hub, either by using a root certificate authority (CA) certificate or by adding the registry's IP address to an allow list. You can also configure Operations Manager to access Docker registries through a proxy.

Docker registries store Docker container images. Operations Manager uses these images to create the Docker containers that it runs apps in.

Prerequisite: Enable Docker support

Operations Manager can only access Docker registries if you have activated Docker support with the cf enable-feature-flag diego_docker command, as described in the Enable Docker section of the Using Docker in TAS for VMs topic.

With Docker activated, developers can push an app with a Docker image using the Cloud Foundry Command Line Interface (cf CLI). For more information, see Deploying an App with Docker.

Use a CA certificate

To provide your root CA certificate in the Tanzu Operations Manager configuration:

  1. In the Tanzu Operations Manager Installation Dashboard, click the BOSH Director tile.

  2. Click Security.

  3. In the Trusted Certificates field, paste one or more root CA certificates. The Docker registry does not use the CA certificate itself but uses a certificate that is signed by the CA certificate.

  4. Click Save.

  5. Select one of the following:

    • If you are configuring Tanzu Operations Manager for the first time, return to your specific IaaS installation instructions (AWS, Azure, GCP, OpenStack, vSphere) to continue the installation process.
    • If you are editing an existing Tanzu Operations Manager installation, return to the Tanzu Operations Manager Installation Dashboard, click Review Pending Changes, and click Apply Changes.

After configuration, BOSH propagates your CA certificate to all application containers in your deployment. You can then push and pull images from your Docker registries.

Use an IP address allow list

If you choose not to provide a CA certificate, you must provide the IP address of your Docker registry.

Using an allow list skips SSL validation. If you want to enforce SSL validation, enter the IP address of the Docker registry in the No proxy field described in Configure Operations Manager to Access Proxies for Docker Registries.

To configure an IP address allow list with the IP address of your Docker registry:

  1. Go to the Tanzu Operations Manager Installation Dashboard.

  2. Click the VMware Tanzu Application Service for VMs (TAS for VMs) tile.

  3. Select App Containers.

  4. Select Allow SSH access to app containers to let app containers accept SSH connections. If you use a load balancer, you must open port 2222 on your load balancer to allow SSH traffic. To open an SSH connection to an app, a user must have Space Developer privileges for the space where the app is deployed. Operators can grant those privileges in Apps Manager or by using the cf CLI. Selecting this option allows SSH access across your entire TAS for VMs deployment.

  5. For Docker registry allow list, provide the hostnames or IP addresses and ports of Docker registries in which TAS for VMs can run app instances. Enter hostnames or IP addresses and ports as a comma-separated list. SSL validation is ignored for Docker image registries secured with self-signed certificates at these locations.

  6. Under Diego Cell disk cleanup scheduling, select one of the following options. For more information about these options, see Configuring Docker Images Disk-Cleanup Scheduling.

    • Never clean up disk space
    • Routinely clean up disk space
    • Clean up disk space once threshold is reached. If you choose this option, under Reserved disk space for other jobs, enter the disk space threshold that the Diego Cell must reach before disk cleanup initiates.

  7. Click Save.

  8. Do one of the following:

    • If you are configuring Tanzu Operations Manager for the first time, return to your specific IaaS installation instructions (AWS, Azure, GCP, OpenStack, vSphere) to continue the installation process.
    • If you are editing an existing TAS for VMs installation, return to the Tanzu Operations Manager Installation Dashboard, click Review Pending Changes, and click Apply Changes.

After configuration, TAS for VMs allows Docker images to pass through the specified IP address without checking certificates.
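
Because every entry on the Docker registry allow list is reached without certificate validation, it is worth linting the comma-separated value before pasting it into the tile. The following is an added example, not part of the product or its documentation; the function name audit_allow_list, the sample entries, and the rule that flags publicly routable IP addresses are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1123 hostname check; only used to sanity-check allow-list entries.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def audit_allow_list(value):
    """Lint a comma-separated registry allow list (hypothetical helper).

    Returns (entries, findings):
      entries  - normalized (host, port) tuples that parsed cleanly
      findings - strings describing entries an operator should review
    """
    entries, findings, seen = [], [], set()
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate trailing commas and stray spaces
        host, sep, port = item.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"{item}: expected host:port with port 1-65535")
            continue
        host = host.lower().strip("[]")  # accept bracketed IPv6 literals
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
            if not _HOST_RE.match(host):
                findings.append(f"{item}: not a valid hostname or IP address")
                continue
        key = (host, int(port))
        if key in seen:
            findings.append(f"{item}: duplicate entry")
            continue
        seen.add(key)
        entries.append(key)
        # Assumed policy: skipping TLS validation toward a publicly routable
        # address leaves image pulls open to on-path tampering, so flag it.
        if ip is not None and ip.is_global:
            findings.append(f"{item}: public address reached without TLS validation")
    return entries, findings


# Constructed sample value, not taken from any real deployment.
SAMPLE = "10.0.0.5:5000, registry.example.internal:443,8.8.8.8:5000,10.0.0.5:5000,registry-no-port,"
```

Hostnames are not resolved, so an entry such as registry.example.internal still needs a manual check that it points at an internal registry.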

Configure Operations Manager to access proxies for Docker registries

If you have proxies already set up for Docker registries, you should configure Operations Manager to access your Docker registries through a proxy.

To configure Operations Manager to access a Docker registry through a proxy:

  1. On the Installation Dashboard, go to Username; then click Settings, followed by Proxy Settings.

  2. On the Update Proxy Settings pane, complete one of the following fields:

    • HTTP proxy: If you have an HTTP proxy server for your Docker registry, enter its IP address.
    • HTTPS proxy: If you have an HTTPS proxy server for your Docker registry, enter its IP address.
    • No proxy: If you do not use a proxy server, enter the IP address for the Docker registry. This field might already contain proxy settings for the BOSH Director.

    Enter multiple IP addresses as a comma-separated list.

  3. Click Update.

  4. Return to the Tanzu Operations Manager dashboard, click Review Pending Changes, and click Apply Changes.
