Using Docker Registries

Page last updated:

This topic describes how to configure Pivotal Cloud Foundry (PCF) to access Docker registries such as Docker Hub, by using either a root certificate authority (CA) certificate or by adding its IP address to a whitelist. It also explains how to configure PCF to access Docker registries through a proxy.

Docker registries store Docker container images. PCF uses these images to create the Docker containers that it runs apps in.

Prerequisite: Enable Docker Support

PCF can only access Docker registries if an operator has enabled Docker support with the cf enable-feature-flag diego_docker command, as described in the Using Docker in Cloud Foundry topic.

With Docker enabled, developers can push an app with a Docker image using the Cloud Foundry Command Line Interface (cf CLI). For more information, see the Deploy an App with Docker topic.

Use a CA Certificate

If you provide your root CA certificate in the Ops Manager configuration, follow this procedure:

  1. In the Ops Manager Installation Dashboard, click the Ops Manager Director tile.

  2. Click Security.

    Docker registry ops man

  3. In the Trusted Certificates field, paste one or more root CA certificates. The Docker registry does not use the CA certificate itself but uses a certificate that is signed by the CA certificate.

  4. Click Save.

  5. Choose one of the following:

    • If you are configuring Ops Manager for the first time, return to your specific IaaS installation instructions (AWS, Azure, GCP, OpenStack, vSphere) to continue the installation process.
    • If you are modifying an existing Ops Manager installation, return to the Ops Manager Installation Dashboard and click Apply Changes.

After configuration, BOSH propagates your CA certificate to all application containers in your deployment. You can then push and pull images from your Docker registries.

Use an IP Address Whitelist

If you choose not to provide a CA certificate, you must provide the IP address of your Docker registry.

Note: Using a whitelist skips SSL validation. If you want to enforce SSL validation, enter the IP address of the Docker registry in the No proxy field described below.

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the Pivotal Elastic Runtime tile, and navigate to the Application Containers tab. Docker registry ert

  3. Select Enable Custom Buildpacks to enable custom-built application runtime buildpacks.

  4. Select Allow SSH access to app containers to enable app containers to accept SSH connections. If you use a load balancer instead of HAProxy, you must open port 2222 on your load balancer to enable SSH traffic. To open an SSH connection to an app, a user must have Space Developer privileges for the space where the app is deployed. Operators can grant those privileges in Apps Manager or using the cf CLI.

  5. For Private Docker Insecure Registry Whitelist, provide the hostname or IP address and port that point to your private Docker registry. For example, enter 198.51.100.1:80 or mydockerregistry.com:80. Enter multiple entries in a comma-delimited sequence. SSL validation is ignored for private Docker image registries secured with self-signed certificates at these locations.

  6. Under Docker Images Disk-Cleanup Scheduling on Cell VMs, choose one of the options listed below. For more information about these options, see Configuring Docker Images Disk-Cleanup Scheduling.

    • Never clean up Cell disk-space
    • Routinely clean up Cell disk-space
    • Clean up disk-space once threshold is reached. If you choose this option, enter the amount of disk space limit the Cell must reach before disk cleanup initiates under Threshold of Disk-Used (MB).

  7. Click Save.

  8. Choose one of the following:

    • If you are configuring Elastic Runtime for the first time, return to your specific IaaS installation instructions (AWS, Azure, GCP, OpenStack, vSphere) to continue the installation process.
    • If you are modifying an existing Elastic Runtime installation, return to the Ops Manager Installation Dashboard and click Apply Changes.

After configuration, Elastic Runtime allows Docker images to pass through the specified IP address without checking certificates.

Set Proxies for Docker Registries

To configure PCF to access a Docker registry through a proxy, do the following:

  1. On the Installation Dashboard, navigate to USERNAME > Settings > Proxy Settings. Install dash settings

  2. On the Update Proxy Settings pane, complete one of the following fields:

    • HTTP proxy: If you have an HTTP proxy server for your Docker registry, enter its IP address.
    • HTTPS proxy: If you have an HTTPS proxy server for your Docker registry, enter its IP address.
    • No proxy: If you do not use a proxy server, enter the IP address for the Docker registry. This field may already contain proxy settings for the BOSH Director.

    Enter multiple IP addresses as a comma-separated list.

    Update proxy settings

  3. Click Update.

Create a pull request or raise an issue on the source for this page in GitHub