Using Private Registry Servers with vSphere Integrated Containers Engine

If your development environment includes private registry servers for container images, you or the vSphere administrator must correctly configure virtual container hosts (VCHs) to allow them to connect to the private registry servers.

You can use vSphere Integrated Containers Engine with either secure or insecure private registry servers.

Secure Private Registry Servers

If the private registry server is configured with TLS, the VCH must be able to validate the registry's certificate. If the registry's server certificate was signed by a custom CA, you must provide that CA to the VCH by using the --registry-ca option. If the registry server has a certificate signed by a public CA, it should function without any additional configuration.

For information about how to configure a VCH to use private registry server CA certificates, see the section on --registry-ca in VCH Deployment Options in vSphere Integrated Containers Engine Installation.
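Before deploying a VCH with --registry-ca, it is worth confirming that the CA bundle you intend to pass actually validates the chain the registry serves, so that a mismatched CA is caught up front rather than worked around with --insecure-registry. The following script is an added example, not part of the vSphere Integrated Containers documentation or tooling; it assumes openssl and curl are installed, and the registry address and CA path in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not VIC code): pre-deployment check that a CA bundle validates
# a private registry's served certificate chain over TLS, and that the registry
# answers the Docker Registry v2 API over HTTPS. Requires openssl and curl.

# Split "host" or "host:port" into "host port", defaulting to 443 for TLS.
registry_hostport() {
  case "$1" in
    *:*) printf '%s %s\n' "${1%%:*}" "${1##*:}" ;;
    *)   printf '%s %s\n' "$1" 443 ;;
  esac
}

# Verify the registry's chain against CA_FILE, as the VCH will have to.
# Returns 0 on a clean verification and a reachable /v2/ endpoint, 1 otherwise.
check_registry_ca() {
  registry=$1; ca_file=$2
  set -- $(registry_hostport "$registry")
  host=$1; port=$2
  [ -r "$ca_file" ] || { echo "CA file not readable: $ca_file" >&2; return 1; }
  # openssl prints "Verify return code: 0 (ok)" only when the chain validates
  # against -CAfile; any other code means --registry-ca would not trust it.
  verdict=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$ca_file" </dev/null 2>/dev/null | grep 'Verify return code')
  echo "$registry: ${verdict:-no TLS handshake}"
  case "$verdict" in
    *"Verify return code: 0 (ok)"*) ;;
    *) return 1 ;;
  esac
  # Registry v2 API: 200 (open) or 401 (auth required) both prove HTTPS works.
  status=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca_file" \
             "https://$host:$port/v2/")
  case "$status" in
    200|401) echo "$registry: /v2/ reachable over HTTPS (HTTP $status)"; return 0 ;;
    *) echo "$registry: /v2/ returned HTTP ${status:-none} over HTTPS" >&2; return 1 ;;
  esac
}

# Usage (hypothetical registry and CA path):
#   check_registry_ca registry.example.com:5000 /path/to/registry-ca.crt
```

A non-zero exit from check_registry_ca means the VCH would also fail to validate the registry with that CA; fix the CA bundle or the registry's certificate rather than marking the registry insecure.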

Insecure Private Registry Servers

If you set up a private registry that does not use certificates, you or the vSphere administrator must deploy the VCH with the vic-machine create --insecure-registry option. Setting the insecure-registry option on a VCH informs that VCH that it is authorized to pull images from the designated insecure private registry server.

If you authorize a VCH to connect to an insecure private registry server, the VCH attempts to access the registry server via HTTP if access via HTTPS fails. VCHs always use HTTPS when connecting to registry servers for which you have not authorized insecure access. Insecure private registries are not recommended in production environments.

For information about how to use the vic-machine create --insecure-registry option, see the section on insecure-registry in VCH Deployment Options in vSphere Integrated Containers Engine Installation.

Pull a Container Image from a Private Registry Server

To pull a container image from a private registry server, run the following Docker command.

docker -H vch_address:2376 --tls \
    pull registry_server_address/path/to/image/image_name:image_version

If the private registry server listens for connections on a specific port, include the port number in the registry server URL.

docker -H vch_address:2376 --tls \
    pull registry_server_address:port_number/path/to/image/image_name:image_version

These commands only work in one of the following circumstances:

  • The private registry server at registry_server_address is secured by CA certificates, and you or the vSphere administrator passed the appropriate certificates to the VCH during deployment by using the --registry-ca option.
  • The private registry server at registry_server_address is not secured by certificates, and you or the vSphere administrator authorized access to this registry server by using the --insecure-registry option during VCH deployment.

NOTE: In the examples, the Docker commands specify --tls. This flag specifies that the connection between the Docker client and the VCH is secured by TLS. The security of the connection between the Docker client and the VCH is completely independent of the security of the connection between the VCH and the private registry server: the connection to the registry can be insecure while the connection between the client and the VCH is secure, and vice versa.