LATEST VERSION: 1.9 - CHANGELOG
Pivotal Cloud Foundry v1.7

Using Docker Trusted Registries

Page last updated:

This topic describes how to configure your Docker Trusted Registries with Pivotal Cloud Foundry (PCF). To use private registries, you must choose either to submit your root certificate authority (CA) certificate or provide the IP address for your private Docker Trusted Registry.

Prerequisite: Ensure that you have enabled Docker support in PCF with the cf enable-feature-flag diego_docker command, as described in the Using Docker in Cloud Foundry topic.

Using a CA Certificate

If you provide your root CA certificate in the Ops Manager configuration, follow this procedure:

  1. In the PCF Ops Manager Installation Dashboard, click the Ops Manager Director tile.

  2. Click Security.

    Docker registry ops man

  3. In the Trusted Certificates field paste one or more root CA certificates. The Docker Trusted Registry does not use the CA certificate itself but uses a certificate that is signed by the CA certificate.

  4. Click Save.

  5. If you are:

    • Configuring Ops Manager Installation for the first time, return to your specific IAAS configuration to continue the installation process.
    • Modifying an existing Ops Manager installation, return to the PCF Ops Manager Installation Dashboard and click Apply Changes.

After configuration, BOSH propagates this CA certificate to all application containers in your deployment. You can then push and pull images from your Docker Trusted Registries.

Using an IP Address Whitelist

If you choose not to provide a CA certificate, you must provide the IP address of your trusted Docker registry:

  1. Navigate to the PCF Operations Manager Installation Dashboard.

  2. Click the Pivotal Elastic Runtime tile, and navigate to the Application Containers tab.

    Docker registry ert

  3. Select Enable Custom Buildpacks to enable custom-built application runtime buildpacks.

  4. Select Allow SSH access to app containers to enable app containers to accept SSH connections. If you are using a load balancer instead of HAProxy, you must open port 2222 on your load balancer to enable SSH traffic. In order to open an SSH connection to an app, a user must have Space Developer privileges for that app’s space. Operators can grant those privileges in Apps Manager or via the cf CLI.

  5. For Private Docker Insecure Registry Whitelist, provide the hostname/IP address and port that point to your Docker Registry. For example, enter 198.51.100.1:80 or mydockerregistry.com:80. Enter multiple entries in a comma-delimited sequence. SSL validation will be ignored for private Docker image registries secured with self-signed certificates at these locations.

  6. Under Docker Images Disk-Cleanup Scheduling on Cell VMs, choose one of the following:

    • Never Cleanup Cell Disk-space
    • Routinely Cleanup Cell Disk-space
    • Cleanup disk-space once threshold is reached: If you choose this option, enter the amount of disk space the Cell must reach before disk cleanup initiates under Threshold of Disk-Used (MB).
  7. Click Save.

  8. If you are:

    • Configuring Elastic Runtime for the first time, return to your specific IaaS configuration to continue the installation process.
    • Modifying an existing Elastic Runtime installation, return to the PCF Ops Manager Installation Dashboard and click Apply Changes.

After configuration, Elastic Runtime allows Docker images to come through the specified IP address without checking certificates.

Was this helpful?
What can we do to improve?
View the source for this page in GitHub