A Docker registry is a stateless, server-side application. You can use registries in Containers for vRealize Automation to store and distribute Docker images.

To configure a registry, you need to provide its address, a custom registry name, and optionally credentials. The address must start with HTTP or HTTPS to designate whether the registry is secured or unsecured. If the connection type is not provided, HTTPS is used by default.

Note:

For HTTP you must declare port 80; for HTTPS you must declare port 443. If no port is specified, the Docker engine expects port 5000, which can result in broken connections.

Note:

It is recommended that you do not use HTTP registries because HTTP is considered insecure. If you want to use HTTP, you must modify the DOCKER_OPTS property on each host as follows:

DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"

For more information, see the Docker documentation at https://docs.docker.com/registry/insecure/.
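
The address rules above (HTTPS by default, an explicitly declared port, and the DOCKER_OPTS setting that an HTTP registry requires on each host) can be checked before a registry is added. This is an added Python example, not code from the product or its documentation; the function name check_registry_address and the host registry.example.test are assumptions.

```python
from urllib.parse import urlsplit

ENGINE_DEFAULT_PORT = 5000            # port the Docker engine expects when none is declared
EXPECTED_PORT = {"http": 80, "https": 443}


def check_registry_address(address):
    """Apply the address rules above; return a dict describing the result."""
    raw = address.strip()
    warnings = []
    if "://" not in raw:
        raw = "https://" + raw          # HTTPS is the default connection type
        warnings.append("no connection type given, HTTPS assumed")
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in EXPECTED_PORT:
        raise ValueError(f"unsupported connection type: {scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("address has no host name")
    if ":" in host:                     # IPv6 literal: restore the brackets
        host = f"[{host}]"
    port = parts.port                   # raises ValueError for an invalid port
    if port is None:
        warnings.append(
            f"no port declared: declare {EXPECTED_PORT[scheme]} for {scheme.upper()}, "
            f"otherwise the Docker engine expects {ENGINE_DEFAULT_PORT}")
    hostport = host if port is None else f"{host}:{port}"
    docker_opts = None
    if scheme == "http":
        warnings.append("plain HTTP registry: traffic and credentials are unencrypted")
        # Every Docker host needs this property, followed by a daemon restart.
        docker_opts = f'DOCKER_OPTS="--insecure-registry {hostport}"'
    return {"address": f"{scheme}://{hostport}", "insecure": scheme == "http",
            "docker_opts": docker_opts, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample addresses, not taken from a real deployment.
    for sample in ("registry.example.test", "https://registry.example.test:443",
                   "http://myregistrydomain.com:5000"):
        result = check_registry_address(sample)
        print(sample, "->", result["address"])
        if result["docker_opts"]:
            print("   each host needs:", result["docker_opts"])
        for w in result["warnings"]:
            print("   warning:", w)
```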

Containers can interact with both Docker Registry HTTP API V1 and V2 in the following manner:

V1 over HTTP (unsecured, plain HTTP registry)

You can freely search this kind of registry, but you must manually configure each Docker host with the --insecure-registry flag to provision containers based on images from insecure registries. You must restart the Docker daemon after setting the property.

V1 over HTTPS

Use behind a reverse proxy, such as NGINX. The standard implementation is open sourced at https://github.com/docker/docker-registry.

V2 over HTTPS

The standard implementation is open sourced at https://github.com/docker/distribution.

V2 over HTTPS with basic authentication

The standard implementation is open sourced at https://github.com/docker/distribution.

V2 over HTTPS with authentication through a central service

You can run a Docker registry in standalone mode, in which there are no authorization checks. Supported third-party registries are JFrog Artifactory and Harbor. Docker Hub is enabled by default for all tenants and is not present in the registry list, but it can be disabled with a system property.

Note:

Docker does not normally interact with secure registries configured with certificates signed by an unknown authority. The container service handles this case by automatically uploading untrusted certificates to all Docker hosts and enabling the hosts to connect to these registries. If a certificate cannot be uploaded to a given host, the host is automatically disabled.