
Docker Trusted Registry (DTR)

Installation and Replication


To install Docker Trusted Registry (DTR), we first need to install Universal
Control Plane (UCP), since DTR runs on UCP.

Installing UCP in turn requires Docker CS Engine 1.10 or above.

Installing Docker CS Engine 1.10:

* Adding the Docker public key for CS packages

$ sudo rpm --import "https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"

* Installing yum-utils

$ sudo yum install -y yum-utils

* Adding the Docker repository

$ sudo yum-config-manager --add-repo https://packages.docker.com/1.10/yum/repo/main/centos/7

* Installing Docker CS Engine

$ sudo yum install docker-engine

* Enabling the docker daemon service and starting it


$ sudo systemctl enable docker.service
$ sudo systemctl start docker.service

Note: After installing Docker, flush iptables so that all the ports required
for installing UCP are open.

$ iptables -F

Installing Universal Control Plane (UCP)

* After installing Docker, UCP can be installed by using the "docker/ucp"
image, which can be pulled from Docker Hub.

This image has the commands to run, configure, and back up UCP.

By using "docker/ucp install" we can install UCP.

$ docker run --rm -it --name ucp \
    -v /var/run/docker.sock:/var/run/docker.sock \
    docker/ucp install -i \
    --host-address 10.108.118.214

* Once the installation is completed, we can check that the UCP web
application is running:

https://10.108.118.214

Note: After installing UCP, restart the docker service at this point.

Installing Docker Trusted Registry (DTR)

* Docker UCP secures the UCP cluster with role-based access control, so
that only authorized users can make changes to the cluster.
So, when running docker commands on a UCP node, you need to
authenticate your requests using client certificates. These certificates can be
imported from the UCP Client Bundle.
* To download a client certificate bundle, log into UCP and navigate to
your profile page.

* We can get the certificates used by UCP with:

$ curl -k https://10.108.118.214/ca > ucp-ca.pem
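
The curl command above uses -k, so ucp-ca.pem arrives without TLS verification, and it is later handed to the DTR commands through --ucp-ca. As an added example (not part of the original document), the shell functions below compare the file's SHA-256 fingerprint with a value recorded out of band; the function names and PINNED_FP are assumptions.

```shell
#!/bin/sh
# Added example: pin a CA certificate fetched over an unverified channel
# such as `curl -k .../ca`. Function names are hypothetical.

# Print the SHA-256 fingerprint (AA:BB:... form) of the first certificate in
# PEM file $1. The fingerprint is the hash of the DER bytes inside the armor.
pem_sha256_fingerprint() {
    der=$(mktemp) || return 1
    body=$(awk '/^-----BEGIN CERTIFICATE-----/ { inside = 1; next }
                /^-----END CERTIFICATE-----/   { exit }
                inside                         { print }' "$1" 2>/dev/null)
    # Reject input that does not decode or that holds no certificate at all.
    if ! printf '%s\n' "$body" | base64 -d > "$der" 2>/dev/null \
        || [ ! -s "$der" ]; then
        rm -f "$der"
        return 1
    fi
    sha256sum "$der" | awk '{ print toupper($1) }' | sed 's/../&:/g; s/:$//'
    rm -f "$der"
}

# Return 0 only if the fingerprint of PEM file $1 equals the pinned value $2.
# Whitespace is stripped from $2 so a line-wrapped paste still compares equal.
verify_pinned_ca() {
    actual=$(pem_sha256_fingerprint "$1") || {
        echo "no certificate found in $1" >&2
        return 2
    }
    expected=$(printf '%s' "$2" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "fingerprint mismatch for $1: got $actual" >&2
    return 1
}

# Intended use on the DTR node. PINNED_FP is a placeholder for the value
# computed on the UCP controller itself, not fetched over the same path:
#   curl -k https://10.108.118.214/ca > ucp-ca.pem
#   verify_pinned_ca ucp-ca.pem "$PINNED_FP" || rm -f ucp-ca.pem
```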

Since UCP treats DTR as a node, first add a DTR node in UCP and
then install DTR (on the DTR server).

Adding the UCP Node:

Navigate to "Nodes" in the UCP web application and click "ADD Node",
which gives a command to join the DTR node to UCP.
Run that join command on the server where DTR is to be installed
(before running the DTR install command).

$ curl -k https://10.108.118.214/ca > ucp-ca.pem

$ docker run --rm -it --name ucp \
    -v /var/run/docker.sock:/var/run/docker.sock \
    docker/ucp join \
    --admin-username admin \
    --interactive \
    --url https://10.108.118.214 \
    --fingerprint 87:85:3E:42:A9:85:2F:96:B0:2F:FA:86:A8:C9:0A:B4:89:12:1B:67:89:52:0A:28:79:D7:F0:23:B0:18:71:3F

Note: At this point restart the docker service.

* After successfully running the join command, we can see the joined node
under the NODES section of the UCP web application.

* After adding the node in UCP, we can install DTR using the DTR install
command:

$ docker run -it --rm \
    docker/dtr install \
    --ucp-url https://10.108.118.214 \
    --ucp-node dtrsb1.sdo.marriott.com \
    --dtr-external-url 10.108.118.211 \
    --ucp-username admin --ucp-password Work42ls \
    --ucp-ca "$(cat ucp-ca.pem)"

* Once the DTR installation has completed successfully, the DTR application
will be listed in the applications section of UCP with a replica ID.

We can access DTR through its IP or hostname (https://10.108.118.211).

At this point the installation of DTR is complete.

Docker Trusted Registry Replication:


* To set up DTR for high availability, we can add more replicas to the DTR
cluster. Adding more replicas allows requests to be load-balanced across all
replicas, and keeps DTR working if a replica fails.

A replica is simply a copy of the DTR (Node-1), so, as with DTR-1, we need
to create a new node in UCP and then join the new DTR replica (Node-2) to
the existing one using the docker/dtr join command.

$ curl -k https://10.108.118.214/ca > ucp-ca.pem

$ docker run --rm -it --name ucp \
    -v /var/run/docker.sock:/var/run/docker.sock \
    docker/ucp join \
    --admin-username admin \
    --interactive \
    --url https://10.108.118.214 \
    --fingerprint 87:85:3E:42:A9:85:2F:96:B0:2F:FA:86:A8:C9:0A:B4:89:12:1B:67:89:52:0A:28:79:D7:F0:23:B0:18:71:3F

Note: At this point restart the docker service.


* After adding the node in UCP, we can join the DTR replica to the already
existing DTR using the DTR join command:

$ docker run -it --rm \
    docker/dtr join \
    --ucp-url https://10.108.118.214 \
    --ucp-node dtrsb2.sdo.marriott.com \
    --existing-replica-id 6ca6c7e27bb0 \
    --ucp-username admin --ucp-password Work42ls \
    --ucp-ca "$(cat ucp-ca.pem)"

* Once the replica has joined successfully, the DTR replica will be listed in
the applications section of UCP with a new replica ID.

We can access the DTR replica through its IP or hostname
(https://10.108.118.211), which in fact points to DTR Node-1.

At this point one DTR replica has been created.

In the same way, many more DTR replicas can be added to the cluster.
