Reorganize registry deployment guide #3485
PTAL @friism
| docker run -d -p 5000:5000 --restart=always --name registry registry:2 | ||
| ## Run a local registry | ||
|
|
||
| Use a command like the following to start the registry container: |
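Review bot: the `docker run` line under "Run a local registry" publishes with `-p 5000:5000`, which binds port 5000 on every host interface rather than only locally. For a registry that is meant to be local, suggest `-p 127.0.0.1:5000:5000` in the command so the unauthenticated, non-TLS endpoint is reachable only from the host itself.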
We should point out that the example here is just for testing / trying out, because:
- it's insecure (there's no TLS, nor authentication in place, and the port is published, so anyone has access to your registry)
- there's no volume used, so images are stored on the container's filesystem; removing the container removes all your images
| In Docker 17.06 and higher, you can configure the Docker daemon to allow | ||
| pushing non-distributable layers to private registries, in this scenario. | ||
| **This is only useful in air-gapped set-ups in the presence of |
Strictly speaking, this is also useful in bandwidth-constrained setups, or setups where one wants to not be dependent on fetching the base layers from MS servers. I have no quarrel with the current formulation though.
registry/deploying.md
Outdated
| > **Warning**: Non-distributable artifacts typically have restrictions on | ||
| > how and where they can be distributed and shared. Only use this feature | ||
| > to push artifacts to private registries and ensure that you are in | ||
| > compliance with > any terms that cover redistributing non-distributable |
bonus >
Addressed feedback.
| Mac; for example: `sudo ifconfig lo0 alias 10.200.10.1/24`, and make sure that | ||
| your service is listening on this address or `0.0.0.0` (ie not `127.0.0.1`). | ||
| Then containers can connect to this address. | ||
| The Mac has a changing IP address (or none if you have no network access). From |
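Review bot: on the line "your service is listening on this address or `0.0.0.0`", recommending `0.0.0.0` makes the host service reachable on every interface of the machine, not only from containers. Suggest naming the alias address (`10.200.10.1` in the example) as the preferred bind address and mentioning `0.0.0.0` only with that caveat; also write "i.e." rather than "ie".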
This should probably be clarified to OSX, so it is not confused with MAC Address.
| 5. Initialize or join the swarm. | ||
| ## Use a separate interface for control and data traffic |
Is this related to registry deployment?
registry/deploying.md
Outdated
| By default, your registry data is persisted as a | ||
| [docker volume](/engine/tutorials/dockervolumes.md) on the host filesystem. | ||
| Just as any other container, you can use a bind mount instead. The following |
"a bind mount or volume instead"
I don't think so. Line 134 already says it defaults to using a volume.
registry/deploying.md
Outdated
| ### Customize the storage back-end | ||
| You should usually consider using [another storage backend](./storage-drivers/index.md) instead of the local filesystem. Use the [storage configuration options](./configuration.md#storage) to configure an alternate storage backend. | ||
| Instead of the local filesystem, you can use a different storage back-end by |
You might want to compare this to usage of a volume.
registry/deploying.md
Outdated
|
|
||
| ```bash | ||
| $ docker run -d \ | ||
| -p 5000:5000 \ |
Can we do this example without port 5000? The section above makes that promise then the example breaks that promise. ;)
| ### Use an insecure registry (testing only) | ||
|
|
||
| While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions [here](insecure.md). | ||
| It is possible to use a self-signed certificate, or to use our registry |
You can still set up verification with a self-signed certificate that isn't used for testing.
registry/deploying.md
Outdated
|
|
||
| > **Warning**: | ||
| > You **cannot** use authentication with an insecure registry. You have to [configure TLS first](deploying.md#running-a-domain-registry) for this to work. | ||
| > You **cannot** use authentication with an insecure registry. You must |
...with authentication schemes that send credentials as clear text.
Also add information about pushing non-distributable layers to private registries
@stevvooe the first two bits of feedback you had were for unrelated changes that just indicated this patch needed a rebase. Maybe @londoncalling can make note of them to be changed elsewhere.
Addressed feedback and added a service example that uses secrets to store the TLS certificate material.
LGTM, merging into
* Reorganize registry deployment guide Also add information about pushing non-distributable layers to private registries Also add an example of running a registry as a swarm service
Proposed changes
Rewrites and reorganization
Also add information about pushing non-distributable layers
into a private registry
Fixes #3433
Unreleased project version (optional)
Docker 17.06
PTAL @stevvooe @dmcgowan @thaJeztah @cpuguy83