Add the Registry Certificate to a Custom dch-photon Image
The recommended method of passing the vSphere Integrated Containers Registry CA certificate to dch-photon is to create a custom dch-photon image that includes the certificate. You can then push the image to the vSphere Integrated Containers Registry and verify that it works by deploying it to a virtual container host (VCH).
By creating a custom image, you can deploy multiple instances of dch-photon that have the correct registry certificate, without having to manually copy the certificate into each dch-photon container VM.
Prerequisites
- You have a known user account that has at least the Developer role in the
default-projectin vSphere Integrated Containers Management Portal. - You have an instance of Docker Engine running on your local sytem.
- You installed the CA certificate for vSphere Integrated Containers Registry in your local Docker client. For information about how to install the registry certificate in a Docker client, see Install the vSphere Integrated Containers Registry Certificate.
- You have access to a VCH that the vSphere administrator configured so that it can connect to the registry to pull the
dch-photonimage. The VCH must also have a volume store nameddefault. For information about how deploy a VCH that is suitable for use withdch-photon, see the Deploy a Virtual Container Host with a Volume Store and vSphere Integrated Containers Registry Access in vSphere Integrated Containers for vSphere Administrators. - For simplicity, this example uses a VCH that was deployed with the
--no-tlsverifyoption. If your VCH implements TLS verification of clients, you must import the VCH certificates into your Docker client and adapt the Docker commands accordingly. For information about how to connect a Docker client to a VCH that uses full TLS authentication, see Connecting to the VCH.
Procedure
Log in to vSphere Integrated Containers Registry from your local Docker client.
docker login registry_address
Pull the
dch-photonimage into the image cache in your local Docker client.vSphere Integrated Containers 1.4.x supports
dch-photonversion 1.13.docker pull registry_address/default-project/dch-photon:1.13
Make a new folder and copy the vSphere Integrated Containers Registry certificate into it.
In the new folder, create a
Dockerfilewith the following format:FROM registry_address/default-project/dch-photon:1.13 COPY ca.crt /etc/docker/certs.d/registry_address/ca.crt
In the same folder, build the Dockerfile as a new image and give it a meaningful new tag.
docker build -t registry_address/default-project/dch-photon:1.13-cert .
Push the new image into vSphere Integrated Containers Registry.
docker push registry_address/default-project/dch-photon:1.13-cert
(Optional) Log in to vSphere Integrated Containers Registry from the VCH.
If you use the same Docker client as in the preceding steps it is already authenticated with the registry. In this case, you do not need to log in again when you run commands against the VCH. If you use a different Docker client to run commands against the VCH, or you logged out, you must log in to the registry.
docker -H vch_address:2376 --tls login registry_address
Pull the image from vSphere Integrated Containers Registry into the VCH and run it with the name
build-slave.This example runs
dch-photonbehind a port mapping, that exposes the HTTP port (2375) of thedch-photoninstance on port 12375 of the VCH. You can also deploydch-photonon a container network.docker -H vch_address:2376 --tls run --name build-slave -d -p 12375:2375 registry_address/default-project/dch-photon:1.13-cert
Result
- You have a custom
dch-photonimage in your vSphere Integrated Containers Registry that contains the correct certificate so that it can build, pull, and push images to and from that registry. - You deployed a
dch-photoncontainer VM namedbuild-slavefrom that image, that exposes Docker Engine on port 12375 of your VCH.
What to Do Next
To test the dch-photon Docker Engine, see Build, Push, and Pull an Image with dch-photon.