Using a Private Docker Registry
First, images need to be put into the private registry. There are a variety of ways to do this, depending on the type of private registry being used, where the registry is located, whether it has access to the internet, etc.
The Brainspace 7 installer provides a tool to help with syncing images from Amazon ECR to a private registry of your choice. If you have your own mechanism for transferring images from Amazon ECR to your private registry you can skip the next section and go directly to “Using the Private Docker Registry”.
Sync Images
The process of syncing images must be done on a machine that has access to both the Amazon ECR registries as well as the private registry. If no such machine exists, then you’ll need to follow the instructions in Appendix A: Brainspace 7.0 Air-Gapped Environment Install Guide.
In addition, the machine must have the AWS CLI installed as well as Docker. The machine could be a laptop or a server running in the cloud; it doesn’t matter as long as it satisfies the criteria mentioned above.
Run the ./install.sh script and select the option “Sync Images.”
You will see the following screen which explains the setup that has to be done prior to syncing images between registries.
As explained in the screen above, you must create the following repositories in the private registry, prior to running the sync-images option, if you are using a Docker Registry such as Artifactory or Docker Hub. If using Artifactory, for example, this can be done using the Artifactory UI. In the administration panel select “Add Repositories” and add 2 local Docker repositories with the names: ‘brainspace’ and ‘bitnami’.
If you are running a local Docker Registry using the standard Docker ‘registry’ image, the repositories mentioned above will be created automatically when the images are uploaded. No manual steps are required.
After selecting ‘Yes’ to proceed, you will need to enter the hostname/IP address and port (optional) that will be used to access the Docker Registry:
If you haven’t already authenticated with Amazon ECR and saved the ECR credentials you will be asked to enter ECR creds. If your private Docker Registry requires authentication, you will be asked to enter creds for the private registry as well:
After entering the creds for Amazon ECR and the private registry, the process of downloading the images from ECR and uploading images to the private registry begins. This process could take a fair amount of time since the Brainspace images are quite large, but you should see progress indicators as the script downloads and uploads each image.
Sync Images Automated Approach
If an automated approach to syncing images between Amazon ECR and the private registry is preferred, the sync-images.sh script can be called directly:
./sync-images -r <Docker Registry hostname and ‘:’ and port (optional)>
It is assumed that you have already authenticated with Amazon ECR.
Using the Private Docker Registry
After images have been populated in the private registry, you will then need to configure the private registry during the Brainspace 7 install. Run the install.sh script on the application host and when presented with the Docker Container Registry Options, choose “Private Docker Registry”.
You will then be prompted for the hostname/IP address and port (optional) that will be used to access the private registry, both for the Docker images that come from Docker Hub like Postgres and RabbitMQ, and for the Brainspace application images that come from Reveal’s ECR repositories. If all images are intended to come from the private registry, enter the same hostname & port information for both:
Next you will be asked whether the private registry requires authentication.
Note
Only username/password authentication is supported in the installer. If another authentication mechanism is used, then select <No> here and ensure that you’ve already authenticated with the private registry prior to running the install UI.
After entering the private registry credentials, proceed with the installation.
Note
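If the private Docker Registry is configured without SSL (http) or is using a self-signed certificate, you will need to configure the Docker daemon on each host to allow insecure-registries. Docker does not verify the TLS certificate of a registry listed under this setting and can fall back to plain HTTP for it, so list only the specific registry hostname/IP and port.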
On Ubuntu, this means adding the following to the Docker daemon config file at: /etc/docker/daemon.json
{ "insecure-registries": [ "<Registry Hostname/IP>:<PORT>" ] }
And then restart the Docker service:
systemctl restart docker
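One way to make the daemon.json change above without overwriting settings that are already in the file, shown as an added example that is not part of the Brainspace installer. The function names and the sample registry hostname are assumptions; the check accepts only a single hostname or IPv4 address with an optional port, so a URL, a CIDR range or a wildcard cannot be marked insecure by mistake.

```python
import json
import re

# Hostname or IPv4 address with an optional port, e.g. "registry.example.internal:5000".
_REGISTRY_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")


def validate_registry(entry):
    """Accept only a single host[:port]; reject URLs, CIDR ranges and wildcards."""
    if "/" in entry or "*" in entry or not _REGISTRY_RE.match(entry):
        raise ValueError(f"not a single host[:port]: {entry!r}")
    _, _, port = entry.partition(":")
    if port and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {entry!r}")
    return entry


def add_insecure_registry(daemon_json_text, registry):
    """Return daemon.json text with `registry` added to insecure-registries.

    Existing keys are preserved and the call is idempotent. An empty file is
    treated as an empty configuration; invalid JSON (for example an unquoted
    key) raises json.JSONDecodeError instead of being silently replaced.
    """
    validate_registry(registry)
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    registries = config.setdefault("insecure-registries", [])
    if not isinstance(registries, list):
        raise ValueError("insecure-registries must be a JSON array")
    if registry not in registries:
        registries.append(registry)
    return json.dumps(config, indent=2) + "\n"


if __name__ == "__main__":
    # Constructed sample: an existing daemon.json that already has other settings.
    existing = '{ "log-driver": "json-file", "log-opts": { "max-size": "10m" } }'
    print(add_insecure_registry(existing, "registry.example.internal:5000"))
```

Write the returned text back to /etc/docker/daemon.json and restart the Docker service as described above.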