Using the latest version?
JFrog Container Registry Guide


Skip to end of metadata
Go to start of metadata

Overview

There are two ways of setting up JFrog Container Registry as a Docker Registry.

  • Cloud: The easiest way to start using Docker with JFrog Container Registry is through a Cloud account. In this mode, since JFrog Container Registry is a hosted service, you do not need to set up a reverse proxy and can create your Docker repositories and start pushing and pulling Docker images.
  • On-Prem: For more details, please refer to Get Started with the On-Prem Version.
Page Contents

 

Integration benefits

Getting Started with JFrog Container Registry Cloud

Using Docker repositories with the Cloud Version is quick and easy to use. 

Since, with JFrog Container Registry Cloud, you are using JFrog Container Registry as a hosted service, there is no need to configure JFrog Container Registry with a reverse proxy.

The example at the end of this section shows a complete process of creating a Docker repository, logging in, pulling an image and pushing an image.

Using Docker Client with JFrog Container Registry Cloud

To use the Docker client with one of your JFrog Container Registry Cloud Docker repositories, you can use the native Docker client to login to each Docker repository, pull, and push images as shown in the following example:

  • Login to your repository use the following command with your JFrog Container Registry Cloud credentials.

    docker login ${server-name}-{repo-name}.jfrog.io
  • Pull an image using the following command

    docker pull ${server-name}-{repo-name}.jfrog.io/<image name>
  • To push an image, first tag it and then use the push command

    docker tag <image name> ${server-name}-{repo-name}.jfrog.io/<image name>
    docker push ${server-name}-{repo-name}.jfrog.io/<image name>

Test Your Setup

You can test your setup with this example that assumes you are using an JFrog Container Registry Cloud server named "acme".

The scenario it demonstrates is:

  • Pulling the "hello-world" Docker image
  • Logging into your virtual Docker repository
  • Retagging the "hello-world" image, and then pushing it into your virtual Docker repository

Start by creating a virtual Docker repository called dockerv2-virtual

  • Pull the "hello-world" image

    docker pull hello-world
  • Login to repository dockerv2-virtual

    docker login acme-dockerv2-virtual.jfrog.io
  • Tag the "hello-world" image

    docker tag hello-world acme-dockerv2-virtual.jfrog.io/hello-world
  • Push the tagged "hello-world" image to dockerv2-virtual

    docker push acme-dockerv2-virtual.jfrog.io/hello-world

Getting Started with JFrog Container Registry On-Prem

The Docker client has the following two limitations:

  1. You cannot use a context path when providing the registry path (e.g localhost:8081/artifactory is not valid)
  2. Docker will only send basic HTTP authentication when working against an HTTPS host

JFrog Container Registry offers solutions to these limitations allowing you to create and use any number of Docker registries.

  • Using a reverse proxy
    When used, a reverse proxy, maps Docker commands to one of the multiple Docker registries in JFrog Container Registry
  • Without a reverse proxy
    JFrog Container Registry supports using Docker without the use of a reverse proxy allowing you to create and use multiple Docker registries in JFrog Container Registry out-of-the-box. 

Using a Reverse Proxy

When using JFrog Container Registry with a reverse proxy, you need to map Docker commands to Docker registries in JFrog Container Registry using either the subdomain method or the ports method

Testing or evaluating?

 If you are currently only testing or evaluating using JFrog Container Registry with Docker, we recommend running JFrog Container Registry as a Docker container which is easily installed and comes with a proxy server and Docker registries pre-configured out-of-the-box. You can be up and running in minutes.

Reverse Proxy for Docker

With the ports method, a port number is mapped to each JFrog Container Registry Docker registry. While this is an easy way to get started, you will need to modify your reverse proxy configuration and add a new mapping for each new Docker registry you define in JFrog Container Registry. In addition, firewalls and other restrictions by your IT department may restrict port numbers making the ports method not feasible. 

With the subdomain method, you only need to configure your reverse proxy once, and from then on, the mapping from Docker commands to Docker registries in JFrog Container Registry is dynamic and requires no further modification of your reverse proxy configuration.

We recommend to use the subdomain method since it will require one time effort.

The Subdomain Method

Getting started with  Docker and your on-prem JFrog Container Registry installation using the subdomain method involves four basic steps:

  1. Configuring JFrog Container Registry 

  2. Configuring your reverse proxy

  3. Configuring your Docker client

  4. Testing your setup 

Configuring JFrog Container Registry

To configure JFrog Container Registry and your reverse proxy using the subdomain method, carry out the following steps:

  1. Make sure JFrog Container Registry is up and running
  2. Create your virtual Docker repository (as well as a local and remote Docker repository that it should aggregate). In our example below we will use a repository named docker-virtual
  3. Make sure you have a reverse proxy server up and running.
Configuring your reverse proxy

JFrog Container Registry's can generate your complete reverse proxy configuration file for supported servers.

Go to Reverse Proxy Configuration Generator and fill in the fields in according to how your reverse proxy is set up while making sure to:

  1. Use the correct JFrog Container Registry hostname in the Public Server Name field (in our example this will be art.local).
  2. Select Subdomain as the Reverse Proxy Method under Docker Reverse Proxy Settings.  

NGINX
Copy the code snippet generated by the configuration generator into your artifactory-nginx.conf file, and place it in your /etc/nginx/sites-available directory.
Create the following symbolic link.

sudo ln -s /etc/nginx/sites-available/artifactory-nginx.conf /etc/nginx/sites-enabled/artifactory-nginx.conf

Apache HTTPD

Copy the code snippet generated by the configuration generator into your artifactory-apache.conf file and place it in you /etc/apache2/sites-available directory. 

Create the following symbolic link:

sudo ln -s /etc/apache2/sites-available/artifactory-apache.conf /etc/apache2/sites-enabled/artifactory-apache.conf
Configuring Your Docker Client 

To configure your Docker client, carry out the following steps 

  1. Add the following to your DNS or to the client's /etc/hosts file:

    <ip-address> docker-virtual.art.local 
  2. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the  Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry as described in the Docker documentation.


  3. Restart your Docker daemon/engine to apply the insecure registry flag (if self-signed certificate is imported, you do not need to restart the Docker daemon/engine).

Test Your Setup

To verify your reverse proxy is configured correctly, run the following command making sure that the return code is 200:

curl -I -k -v https://<artifactory url>/api/system/ping

Run the following commands to ensure your proxy configuration is functional and can communicate with JFrog Container Registry:

  • Pull the "hello-world" image

    docker pull hello-world
  • Login to repository docker-virtual

    docker login docker-virtual.art.local
  • Tag the "hello-world" image

    docker tag hello-world docker-virtual.art.local/hello-world
  • Push the tagged "hello-world" image to docker-virtual

    docker push docker-virtual.art.local/hello-world

The Ports Method

Getting started with  Docker and your on-prem JFrog Container Registry installation using the ports method involves two basic steps:

  1. Configuring JFrog Container Registry and your reverse proxy. 

  2. Configuring your Docker client.

Configuring JFrog Container Registry and Your Reverse Proxy

To configure JFrog Container Registry and your reverse proxy using the ports method, carry out the following steps:

  1. Make sure JFrog Container Registry is up and running
  2. Create your virtual Docker repository (as well as a local and remote Docker repository that it should aggregate). In our example below we will use a repository named docker-virtual.
  3. Make sure you have a reverse proxy server up and running.
  4. Obtain an SSL certificate or use a Self-Signed certificate that can be generated following this example. 

    Make sure your certificate matches the JFrog Container Registry hostname used in your reverse proxy configuration. In our example below we will use art.local.

  5. Configure your reverse proxy. JFrog Container Registry's Reverse Proxy Configuration Generator can generate your complete reverse proxy configuration file for supported servers. All you need to do is fill in the fields in according to how your reverse proxy is set up while making sure to:
    1. Use the correct JFrog Container Registry hostname in the Public Server Name field 
    2. Select Ports as the Reverse Proxy Method under Docker Reverse Proxy SettingsIn the example below, we will use port 5001 to bind repository docker-virtual.
    NGINX

    For JFrog Container Registry to work with Docker, the preferred web server is NGINX v1.3.9 and above. 
    First, you need to create a self-signed certificate for NGINX  as described here for Ubuntu.
    Then use JFrog Container Registry's Reverse Proxy Configuration Generator to generate the configuration code snippet for you.
    Copy the code snippet into your artifactory-nginx.conf file and place it in your /etc/nginx/sites-available directory.
    Finally, create the following symbolic link:

    sudo ln -s /etc/nginx/sites-available/artifactory-nginx.conf /etc/nginx/sites-enabled/artifactory-nginx.conf

    Apache HTTPD

    Install Apache HTTP server as a reverse proxy and then install the  required modules.

    Create the following symbolic link:

    sudo ln -s /etc/apache2/mods-available/slotmem_shm.load /etc/apache2/mods-enabled/slotmem_shm.load

    Similarly, create corresponding symbolic links for: 

    • headers
    • proxy_balancer
    • proxy_load
    • proxy_http
    • proxy_connect
    • proxy_html
    • rewrite.load
    • ssl.load
    • lbmethod_byrequests.load

    Then use JFrog Container Registry's Reverse Proxy Configuration Generator to generate the configuration code snippet for you.
    Copy the code snippet into your artifactory.conf file and place it in your /etc/apache2/sites-available directory.
    HAProxy
    First, you need to create a self-signed certificate for HAProxy  as described here for Ubuntu.

    Then, copy the code snippet below into your /etc/haproxy/haproxy.cfg file. After editing the file as described in the snippet, you can test your configuration using the following command:

    haproxy -f /etc/haproxy/haproxy.cfg -c
    HAProxy v1.5 Configuration
    # haproxy server configuration
    # version 1.0
    # History
    # ---------------------------------------------------------------------------
    # Features enabled by this configuration
    # HA configuration
    # port 80, 443  Artifactory GUI/API
    #
    # This uses ports to distinguish artifactory docker repositories
    # port 443  docker-virtual (v2) docker v1 is redirected to docker-dev-local.
    # port 5001 docker-prod-local (v1); docker-prod-local2 (v2)
    # port 5002 docker-dev-local (v1); docker-dev-local2 (v2)
    #
    # Edit this file with required information enclosed in <...>
    # 1. certificate and key
    # 2. artifactory-host
    # 3  replace the port numbers if needed
    # ----------------------------------------------------------------------------
    global
            log 127.0.0.1   local0
            chroot /var/lib/haproxy
            maxconn 4096
            user haproxy
            group haproxy
            daemon
            tune.ssl.default-dh-param 2048
            stats socket /run/haproxy/admin.sock mode 660 level admin
    defaults
            log     global
            mode    http
            option  httplog
            option  dontlognull
            option  redispatch
            option  forwardfor
            option  http-server-close
            maxconn 4000
            timeout connect 5000
            timeout client 50000
            timeout server 50000
            errorfile 400 /etc/haproxy/errors/400.http
            errorfile 403 /etc/haproxy/errors/403.http
            errorfile 408 /etc/haproxy/errors/408.http
            errorfile 500 /etc/haproxy/errors/500.http
            errorfile 502 /etc/haproxy/errors/502.http
            errorfile 503 /etc/haproxy/errors/503.http
            errorfile 504 /etc/haproxy/errors/504.http 
    frontend normal
             bind *:80
             bind *:443 ssl crt </etc/ssl/certs/server.bundle.pem>
             mode http
             option forwardfor
             reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-virtual/v2\2
             reqadd X-Forwarded-Proto:\ https if { ssl_fc }
             option forwardfor header X-Real-IP
             default_backend normal
    
    # if only need to access the docker-dev-local2 then skip this section. Docker-virtual can be configured to deploy to docker-dev-local2 frontend dockerhub
             bind *:5000 ssl crt </etc/ssl/certs/server.bundle.pem>
             mode http
             option forwardfor
             option forwardfor header X-Real-IP
             reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-remote/v2\2
             reqadd X-Forwarded-Proto:\ https if { ssl_fc }
             default_backend normal
    
    # if only need to access the docker-dev-local2 then skip this section. Docker-virtual can be configured to deploy to docker-dev-local2 frontend dockerprod
             bind *:5001 ssl crt </etc/ssl/certs/server.bundle.pem>
             mode http
             option forwardfor
             option forwardfor header X-Real-IP
    	     reqirep ^([^\ :]*)\ /v1(.*$) \1\ /artifactory/api/docker/docker-prod-local/v1\2
    	     reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-prod-local2/v2\2
             reqadd X-Forwarded-Proto:\ https if { ssl_fc }
             default_backend normal
     
    # if only need to access the docker-dev-local2 then skip this section. Docker-virtual can be configured to deploy to docker-dev-local2 frontend dockerdev
             bind *:5002 ssl crt </etc/ssl/certs/server.bundle.pem>
             mode http
             option forwardfor
             option forwardfor header X-Real-IP
    	     reqirep ^([^\ :]*)\ /v1(.*$) \1\ /artifactory/api/docker/docker-dev-local/v1\2
    	     reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-dev-local2/v2\2
             reqadd X-Forwarded-Proto:\ https if { ssl_fc }
             default_backend normal
     
    # Artifactory Non HA Configuration
    # i.e server artifactory 198.168.1.206:8081
    #
    backend normal 
             mode http
             server <artifactory-host> <artifactory-host ip address>:<artifactory-host port>
     
    #
    # Artifactory HA Configuration
    # Using default failover interval - rise = 2; fall =3 3; interval - 2 seconds
    # backend normal
    #        mode http
    #        balance roundrobin
    #        option httpchk OPTIONS /
    #        option forwardfor
    #        option http-server-close
    #        appsession JSESSIONID len 52 timeout 3h
    #        server <artifactory-host-ha1> <artifactory-host ip address>:<artifactory-host port> 
    # 		 server <artifactory-host-ha2> <artifactory-host ip address>:<artifactory-host port>
Configuring Your Docker Client 

To configure your Docker client, carry out the following steps 

  1.  Add the following to your DNS or to the client's /etc/hosts file: 

    <ip-address> art.local 
  2. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the  Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry by adding the following line to your /etc/default/docker file (you may need to create the file if it does not already exist):

    DOCKER_OPTS="$DOCKER_OPTS --insecure-registry art.local:5001"
  3. Restart your Docker engine.

Test Your Setup

To verify your reverse proxy is configured correctly, run the following command:

// Make sure the following results in return code 200
curl -I -k -v https://<artifactory url>/api/system/ping

Run the following commands to ensure your proxy configuration is functional and can communicate with JFrog Container Registry. In this example, we will pull down a Docker image, tag it and then deploy it to our our docker-virtual repository that is bound to port 5001:

// Pull the "hello-world" image
docker pull hello-world
 
// Login to repository docker-virtual
docker login art-local:5001
 
// Tag the "hello-world" image
docker tag hello-world art-local:5001/hello-world
 
// Push the tagged "hello-world" image to docker-virtual
docker push art-local:5001/hello-world
Testing With a Self-signed Certificate
  1. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the  Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry as described in the  Docker documentation.

  2. Restart your Docker daemon/engine to apply the insecure registry flag (if self-signed certificate is imported, you do not need to restart the Docker daemon/engine). 
    Running $docker info will list the Insecure registries that have been applied under the Insecure Registries entry.

  3. Use the steps above to interact with the JFrog Container Registry Docker Registry

Without a Reverse Proxy

JFrog Container Registry introduces a new method referred to as the "Repository Path" method since it uses the the Docker repository path prefix (<REPOSITORY_KEY/IMAGE>) to access a specific JFrog Container Registry Docker registry from the Docker client. Note that you may still have a reverse proxy configured for JFrog Container Registry for other reasons, however when configured to use Repository Path method, requests to Docker registries in JFrog Container Registry will be handled by JFrog Container Registry's embedded Tomcat instead of the reverse proxy.

Docker API v2 required

You can only use the Repository Path method with JFrog Container Registry Docker registries configured for Docker API v2. 

Sub-domain method is recommended for production

We recommend using the Sub-domain method for JFrog Container Registry Docker registries in production systems because this method allows you to add wildcard SSL certificates on the reverse proxy for secure access to the Docker registry
While you can add SSL certificates at the Tomcat level, this is not a recommended practice because the process of validation against the certificate is very resource intensive on memory and CPU. 
The Repository Path method is more suitable when secure access is not required. 

Configuring JFrog Container Registry

To configure JFrog Container Registry to use the Repository Path method, carry out the following steps:

  1. Make sure JFrog Container Registry is up and running

  2. Create your virtual Docker repository (as well as a local and remote Docker repository that it should aggregate). In our example below we will use a repository named docker-virtual
  3. Go to the HTTP Settings screen from the Admin module under Configuration | HTTP Settings. 
    In the Docker Settings panel, select Repository Path as the Docker Access Method.
    In the Reverse Proxy Settings panel select Embedded Tomcat as the Server Provider (which indicates you're not using a reverse proxy). 

    You must use Embedded Tomcat

     You can only use JFrog Container Registry as a Docker registry without a reverse proxy by using the internal embedded Tomcat


    Repository Path Method

Configuring Your Docker Client 

Using the Repository Path method, you can work with JFrog Container Registry as a Docker registry without a reverse proxy on an insecure connection (i.e. only HTTP is supported, not HTTPS). You need to configure the Docker client to work with an insecure registry as described in the Docker documentation.

Restart your Docker daemon/engine to apply the insecure registry flag (if self-signed certificate is imported, you do not need to restart the Docker daemon/engine). Running $docker info will list the Insecure registries that have been applied under the Insecure Registries entry. 

Test Your Setup 

Don't use localhost or 127.0.0.1 or "/artifactory"

Due to a limitation in the Docker client, you cannot access an JFrog Container Registry Docker registry as localhost or 127.0.0.1. If you need to access a local installation of JFrog Container Registry, make sure to specify its full IP address.

In addition, when specifying JFrog Container Registry's URL, you should omit the "/artifactory" suffix normally used.

For example, if your local machine's IP address is 10.1.16.114, then you must specify your JFrog Container Registry URL as http://10.1.16.114:8081 (using http://localhost:8081 will not work).

The code snippets below assume you have a virtual Docker repository named docker-virtual in an JFrog Container Registry installation at IP 10.1.16.114.

First, you should verify that your Docker client can access JFrog Container Registry by run the following command. Making sure that the return code is 200:

curl -I -k -v http://10.1.16.114:8081/artifactory/api/system/ping

Now you can proceed to test your Docker registry.

  • Login to JFrog Container Registry as your Docker registry

    docker login -u admin -p password 10.1.16.114:8081
  • Pull the "hello-world" image from the docker-virtual repository

    docker pull 10.1.16.114:8081/docker-virtual/hello-world:latest
  • Tag a Docker image

    docker tag 10.1.16.114:8081/docker-virtual/hello-world:latest 10.1.16.114:8081/docker-virtual/<tag_name>
  • Push the tagged image to docker-virtual

    docker push 10.1.16.114:8081/docker-virtual/<tag_name>
  • No labels