Advanced dch-photon Deployment

You do not need to specify any options when you use docker run to deploy dch-photon container VMs for use with vSphere Integrated Containers Registry. However, you can optionally specify dch-photon options in the docker run command to run dch-photon with TLS authentication.

You can also specify dch-photon options to connect dch-photon container VMs to registries other than vSphere Integrated Containers Registry.

dch-photon Options

You can specify the following options when you deploy dch-photon container VMs:

  • -insecure-registry: Enable insecure registry communication. Set this option multiple times to create a list of registries to which dch-photon applies no security considerations. You cannot use this option when connecting to vSphere Integrated Containers Registry.
  • -local: Do not bind the Docker API to external interfaces. Set this option to prevent the Docker API endpoint from binding to the external interface. Docker Engine only listens on /var/run/docker.sock.
  • -storage: Sets the Docker storage driver that Docker Engine uses. By default, the storage driver is overlay2, which is the recommended driver when running Docker Engine as a container VM.

  • -tls: Use TLS authentication for all connections. Implied by -tlsverify. This option enables secure communication with no verification of the remote end. To use custom certificates, copy them into the /certs folder in the dch-photon container. Certificates are generated automatically in /certs if you do not provide them.

    • Server certificate: /certs/docker.crt
    • Key for the server certificate: /certs/docker.key

  • -tlsverify: Use TLS and authentication for all connections and verify the remote end. To use custom certificates, copy them into the /certs folder in the dch-photon container. Certificates are generated automatically in /certs if you do not provide them.

    • Server certificate: /certs/docker.crt
    • Key for the server certificate: /certs/docker.key
    • CA certificate: /certs/ca.crt
    • CA key: /certs/ca-key.pem
    • Client certificate: /certs/docker-client.crt
    • Client key: /certs/docker-client.key
  • vic-ip: Set the IP address of the virtual container host for use in automatic certificate generation when running dch-photon containers behind a port mapping.

Using dch-photon with TLS Authentication

To configure the same certificate-based authentication for a dch-photon as you have for your VCH endpoint, you specify the -tls or -tlsverify option when you run the dch-photon the container VM. You then copy the appropriate certificates into the dch-photon container VM.

With Remote Verification

  1. Create a dch-photon container without starting it.

    This example runs dch-photon behind a port mapping and specifies the -tlsverify option.

    docker create -p 12376:2376 --name dch-photon-tlsverify registry_address/default-project/dch-photon:1.13 -tlsverify

  2. Copy the certificates into the dch-photon container.

     docker cp cert_folder/ca.pem dch-photon-tlsverify:/certs/ca.crt
     docker cp cert_folder/server-cert.pem dch-photon-tlsverify:/certs/docker.crt
     docker cp cert_folder/server-key.pem dch-photon-tlsverify:/certs/docker.key

  3. Start the dch-photon container.
    docker start dch-photon-tlsverify
  4. Connect to the dch-photon container.
    docker -H vch_adress:12376 --tlsverify info

Without Remote Verification

  1. Create a dch-photon container without starting it.

    This example runs dch-photon behind a port mapping and specifies the -tls option.

    docker create -p 12376:2376 --name dch-photon-tls registry_address/default-project/dch-photon:1.13 -tls

  2. Copy the certificates into the dch-photon container.

     docker cp cert_folder/server-cert.pem dch-photon-tls:/certs/docker.crt
     docker cp cert_folder/server-key.pem dch-photon-tls:/certs/docker.key

  3. Start the dch-photon container.
    docker start dch-photon-tls
  4. Connect to the dch-photon container.
    docker -H vch_adress:12376 --tls info

With Automatically Generated Certificates

To generate certificates automatically, specify either -tls or -tlsverify. If the dch-photon container runs behind a port mapping, specify the address of the VCH in the -vic-ip option. This address is used during certificate generation.

docker run -p 12376:2376 --name dinv-build -v mycerts:/certs vmware/dch-photon -tlsverify -vic-ip vch_adress

You can then use docker cp to copy the automatically generated certificates to your local Docker client.

results matching ""

    No results matching ""