Docker is a popular software delivery platform that packages and runs applications in “containers”. Docker containers have the necessary software dependencies pre-installed, run within an isolated operating system environment, and can be deployed on any host system where the Docker Engine can run.
Typically, developers “pull” images from a Docker registry. This installs a local copy that is then used to create containers from. Everyone has access to Docker Hub, a public registry. Some organizations run their own private registries, mostly for the purpose of managing intellectual property. Oracle for example, runs a private registry at https://container-registry.oracle.com. With an Oracle Account, users are able to accept software agreements and pull images with Oracle software (e.g. Oracle Database Server Enterprise Edition) installed. The registry software itself is also available freely as a Docker image.
As an Oracle Cloud Infrastructure (OCI) customer, you have access to the Container Registry service for use internally. The Oracle Cloud Infrastructure Registry (OCIR) is Docker Registry v2 compliant and subscribers only pay for network and storage used for transferring and storing images. There are no additional overheads like spinning up a new Compute instance with Docker engine installed, just to set one up. One less resource that OCI Administrators have to micromanage.
Internally, we are exploring the use of the registry, to provide all our Oracle Application Express (APEX) developers, easy access to various combinations of Oracle REST Data Services (ORDS) and APEX for development and testing purposes.
Developers are encourage to work with Docker images and build their own APEX stacks, but as administrators, we want to minimise the amount of time developers spend on non-development work. One suggestion was to provide pre-build images that have the APEX stack all set up and ready-to-use (RTU). It should be as easy as running a single command:
$ docker run -d --name mypersonal-oxar -p 8080:8080 -p 1521:1521 \
> iad.ocir.io/ourtenant/oxar-rtu:0.0.1
Console Access to Registry
The Registry can be accessed via the OCI console by navigating the menus, found under “Developer Services” > “Registry (OCIR)”.
In here, administrators can create, view and delete existing repositories. Repositories can be either private or public. For private repositories, users, groups and policies will be required to manage access. Users will also be required to create an Auth Token.
Users, Groups, and Policies
Create Groups
Group Name | Description |
CONREG_DEV | Group of users who create images for the organization. |
CONREG_USER | Group of users who consume these images. |
Create Users
Username | Group | Description |
dockerdev | CONREG_DEV | A Docker developer |
dockeruser | CONREG_USER | A developer wanting to use images from the Container Registry |
Create Policy
Policy Name | Statement | Description |
ContainerRegistryAccess | Allow group CONREG_DEV to use repos in tenancy | Users in group CONREG_DEV have permission to pull and push images. |
Allow group CONREG_DEV to manage repos in tenancy where ANY {request.permission = ‘REPOSITORY_CREATE’, request.permission = ‘REPOSITORY_UPDATE’} | Users in group CONREG_DEV can create a repository if it doesn’t already exist. | |
Allow group CONREG_USER to read repos in tenancy | Users in group CONREG_USER can only pull images from the registry. |
The OCI documentation explains and list other common policies that can be used.
Using Docker with OCIR
After the users are created and assigned to the appropriate Groups, they must login to the OCI console and generate an Auth Token, before they can access the registry using the Docker CLI. Using the Auth Token, users login with the command:
$ docker login iad.ocir.io
Username: ourtenant/dockerdev
Password:Login Succeeded
Repositories are created and available in specific regions. The server address is based on the region that the repository was created in. Use this table to determine what the “Region Code” should be for your repository. For this example, the repository is located in the Ashburn Data Centre.
Credentials are stored as a hash on the local workstation either in $HOME/.docker/config.json or through a credential store helper.
$ cat ~/.docker/config.json
{
"auths": {
"iad.ocir.io": {
"auth": "**********"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.03.1-ol (linux)"
}
}
To log out, simply run the command:
docker logout iad.ocir.io
Pushing Images to the Registry
Login as the user with rights to push images to the Registry. In this example, the username is dockerdev, assigned to group CONREG_DEV.
Assume that we have the following images on the local workstation.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
oxar latest 4f2981a7af0a 5 days ago 9.67GB
oracledb latest 5170b9d54001 6 days ago 9.68GB
oraclelinux 7-slim c3d869388183 5 weeks ago 117MB
Prepare/tag the image to be pushed to the registry.
$ docker tag oxar iad.ocir.io/ourtenant/oxar:0.0.1
Once the image has been tagged, we can push it to the registry. This might take a while depending on the image size and network speeds.
$ docker push iad.ocir.io/ourtenant/oxar:0.0.1
Go back into the OCI Console and check the Registry. Make sure also that you have selected the correct region. The new image should be listed on the Registry page.
From Container to Registry
Suppose we had a container that we wish to preserve and reuse as an image.
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a386ad30dff1 oxar "/bin/sh -c 'exec $O…" 6 days ago Up 11 minutes (healthy) 0.0.0.0:1521->1521/tcp, 0.0.0.0:5500->5500/tcp, 0.0.0.0:8080->8080/tcp oxar
Commit the target container oxar using the remote tag.
$ docker commit oxar iad.ocir.io/ourtenant/oxar-rtu:0.0.1
Then push the image to the registry.
$ docker push iad.ocir.io/ourtenant/oxar-rtu:0.0.1
Using Images
With the RTU image iad.ocir.io/ourtenant/oxar-rtu:0.0.1, login as a user with pull-rights and execute the Docker command:
$ docker run -d --name mypersonal-oxar -p 8080:8080 -p 1521:1521 \
> iad.ocir.io/ourtenant/oxar-rtu:0.0.1
This should pull (if not already available on the local workstation) from the repository, create and then run a container using that image.
Find out more about Docker Containers and OCI: Contact Us!