LATEST VERSION: 1.10 - CHANGELOG
Pivotal Cloud Foundry v1.9

Using Docker Trusted Registries

Page last updated:

This topic describes how to configure your Docker Trusted Registries, such as Docker Hub, with Pivotal Cloud Foundry (PCF). Docker Trusted Registries are private Docker Registries that have a valid SSL certificate. To use Docker Trusted Registries, you must choose either to submit your root certificate authority (CA) certificate or provide the IP address for your Docker Trusted Registry.

Prerequisite: Ensure that you have enabled Docker support in PCF with the cf enable-feature-flag diego_docker command, as described in the Using Docker in Cloud Foundry topic.

Use a CA Certificate

If you provide your root CA certificate in the Ops Manager configuration, follow this procedure:

  1. In the PCF Ops Manager Installation Dashboard, click the Ops Manager Director tile.

  2. Click Security.

    Docker registry ops man

  3. In the Trusted Certificates field paste one or more root CA certificates. The Docker Trusted Registry does not use the CA certificate itself but uses a certificate that is signed by the CA certificate.

  4. Click Save.

  5. If you are:

    • Configuring Ops Manager Installation for the first time, return to your specific IAAS configuration to continue the installation process.
    • Modifying an existing Ops Manager installation, return to the PCF Ops Manager Installation Dashboard and click Apply Changes.

After configuration, BOSH propagates this CA certificate to all application containers in your deployment. You can then push and pull images from your Docker Trusted Registries.

Use an IP Address Whitelist

If you choose not to provide a CA certificate, you must provide the IP address of your Docker Trusted Registry.

Note: Using a whitelist skips SSL validation. If you want to enforce SSL validation, enter the IP address of the Docker Trusted Registry in the No proxy field described below.

  1. Navigate to the PCF Operations Manager Installation Dashboard.

  2. Click the Pivotal Elastic Runtime tile, and navigate to the Application Containers tab.

    Docker registry ert

  3. Select Enable Custom Buildpacks to enable custom-built application runtime buildpacks.

  4. Select Allow SSH access to app containers to enable app containers to accept SSH connections. If you are using a load balancer instead of HAProxy, you must open port 2222 on your load balancer to enable SSH traffic. To open an SSH connection to an app, a user must have Space Developer privileges for that app’s space. Operators can grant those privileges in Apps Manager or via the cf CLI.

  5. For Private Docker Insecure Registry Whitelist, provide the hostname or IP address and port that point to your Docker Trusted Registry. For example, enter 198.51.100.1:80 or mydockerregistry.com:80. Enter multiple entries in a comma-delimited sequence. SSL validation is ignored for private Docker image registries secured with self-signed certificates at these locations.

  6. Under Docker Images Disk-Cleanup Scheduling on Cell VMs, choose one of the following:

    • Never Cleanup Cell Disk-space
    • Routinely Cleanup Cell Disk-space
    • Cleanup disk-space once threshold is reached: If you choose this option, enter the amount of disk space the Cell must reach before disk cleanup initiates under Threshold of Disk-Used (MB).
  7. Click Save.

  8. If you are:

    • Configuring Elastic Runtime for the first time, return to your specific IaaS configuration to continue the installation process.
    • Modifying an existing Elastic Runtime installation, return to the PCF Ops Manager Installation Dashboard and click Apply Changes.

After configuration, Elastic Runtime allows Docker images to come through the specified IP address without checking certificates.

Set Proxies for Docker Trusted Registries

  1. On the Installation Dashboard, navigate to USERNAME > Settings > Proxy Settings.

    Install dash settings

  2. On the Update Proxy Settings pane, complete one of the following fields:

    • Http proxy: If you have an HTTP proxy server for your Docker Trusted Registry, enter its IP address.
    • Https proxy: If you have an HTTPS proxy server for your Docker Trusted Registry, enter its IP address.
    • No proxy: If you do not use a proxy server, enter the IP address for the Docker Trusted Registry. This field may already contain proxy settings for the BOSH Director. Enter multiple IP addresses as a comma-separated list.

    Update proxy settings

  3. Click Update.

Create a pull request or raise an issue on the source for this page in GitHub