I had the task to find a way to centrally store docker containers of enterprise applications. The following constraints had to be met:
– the containers should be used for QA and training by people who do not need to know the details of deploying complicated enterprise application environments. Docker-compose files will be used to start several containers that are part of each enterprise environment.
– the solution should allow user access control and role-based access control
– the solution should be able to offer a GUI where a user can see what docker images are available to be pulled from the repository
– the solution should be able to offer a repository for docker compose files, test scripts text files, manuals associated with specific environments etc.
All of the above constraints were met by deploying Nexus Repository Manager OSS version 3 from Sonatype. The setup consists of:
– a centrally accessible CentOS virtual machine in the company cloud.
– Nexus OSS 3.1 configured with https only access.
– A docker repository for the docker images
– A raw maven repository for the docker-compose files and other text files (this will be covered in another post).
STEP 1: Install Nexus Repository Manager OSS
Download the latest version of Nexus OSS from Sonatype
Decompress the downloaded binaries
# tar -xzvf nexus-3.1.0-04-unix.tar.gz
As a result two new directories will be created: nexus-3.1.0-04 and sonatype-work.
The first directory contains all the configuration files, the second the binary data and the repository storage.
STEP 2: Configure Nexus https
A very important remark is that Nexus embeds a Jetty application server. This means that we do not need an external web server like Apache; Jetty provides the web server functionality.
First activate https in “nexus-3.1.0-04/etc/nexus-default.properties” by adding to it:
– a new line “application-port-ssl=8443”
– extra nexus-args “${jetty.etc}/jetty-https.xml”
# Jetty section
application-port=8081
application-port-ssl=8443
application-host=0.0.0.0
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml
nexus-context-path=/
# Nexus section
nexus-edition=nexus-pro-edition
nexus-features=\
nexus-pro-feature
The above tells the Nexus GUI to bind to port 8443 for https and activates the jetty https configuration.
Configure https in jetty:
– copy a keystore containing the ssl certificate of the site to “nexus-3.1.0-04/etc/ssl/keystore.jks”.
– make sure the certificate has the alias “jetty” and has the “subjectAltName” extension set to the IP address of the server. This is very important because it is used by the docker clients to validate the certificate.
– add the keystore configuration to “nexus-3.1.0-04/etc/jetty/jetty-https.xml” (replace password with the real keystore password). The sslContextFactory section should look like:
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
  <Set name="KeyStorePassword">password</Set>
  <Set name="KeyManagerPassword">password</Set>
  <Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
  <Set name="TrustStorePassword">password</Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>
</New>
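To confirm that the Step 2 edits took effect before starting Nexus, here is a small POSIX shell checker (an added example, not code from the original post or from Sonatype). It assumes the file layout shown above, takes the server IP and keystore password as arguments, and for the keystore check relies on keytool's verbose listing printing an "IPAddress:" entry under subjectAltName.

```shell
# check_nexus_https: verify nexus-default.properties enables https (port set,
# jetty-https.xml loaded) and, when keytool is available, that the keystore
# holds the "jetty" alias with the server IP in subjectAltName.
#   usage: check_nexus_https <nexus-default.properties> [keystore.jks storepass server_ip]
check_nexus_https() {
  props=$1; ks=$2; pw=$3; ip=$4; rc=0
  # join "key=\" continuation lines so every property sits on one line
  flat=$(awk '/\\$/ { sub(/\\$/, ""); printf "%s", $0; next } { print }' "$props")
  ssl_port=$(printf '%s\n' "$flat" | sed -n 's/^application-port-ssl=//p')
  case "$ssl_port" in
    ''|*[!0-9]*) echo "FAIL: application-port-ssl missing or not numeric" >&2; rc=1 ;;
    *) echo "ok: https port $ssl_port" ;;
  esac
  nexus_args=$(printf '%s\n' "$flat" | sed -n 's/^nexus-args=//p')
  case "$nexus_args" in
    *jetty-https.xml*) echo "ok: jetty-https.xml is loaded by nexus-args" ;;
    *) echo "FAIL: nexus-args does not load jetty-https.xml" >&2; rc=1 ;;
  esac
  # optional keystore check: alias "jetty" must exist and carry the IP as a SAN
  if [ -n "$ks" ] && command -v keytool >/dev/null 2>&1; then
    if keytool -list -v -keystore "$ks" -storepass "$pw" -alias jetty 2>/dev/null \
         | grep -q "IPAddress: $ip"; then
      echo "ok: alias jetty present with SAN IPAddress $ip"
    else
      echo "FAIL: keystore lacks alias jetty or SAN IPAddress $ip" >&2; rc=1
    fi
  fi
  return $rc
}
```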
STEP 3: Check Java installation
Make sure you have a Java JDK installed. The recommended version is Java JDK 1.8.
STEP 4: Start Nexus and login to Nexus GUI
Nexus can be started in two ways.
1. Start Nexus with the run parameter. This is very useful when debugging configurations because the log is written to the console. To stop Nexus just press Ctrl-C in the terminal.
# nexus run
2. Another way is to use the start and stop parameters. In this case the log is written under “…/sonatype-work/nexus3/log/”.
To start:
# nexus start
To stop:
# nexus stop
To access the Nexus GUI just go to https://your_ip_address:8443
Login with user admin, default password admin123.
STEP 5: Create a docker repository
Login to the Nexus GUI with the admin user.
Select the “Server administration and configuration” menu (the gear icon at the top) and go to Repositories.
Choose “Create Repository” and then docker (hosted).
Configure the repository as shown:
As a result a new secure docker repository accessible on port 5555 is created.
STEP 6: Create user role
Go to the Security -> Roles menu and choose Create Role (docker-role).
Add a role name and under Privileges move the privilege “nx-repository-view-docker-My-docker-*” from available to given. This gives any user having this role access to the docker registry to pull and push images.
STEP 7: Create a Nexus user
Go to Security -> Users and choose Create User. Add a username and all the required data.
Make sure to make the Status “Active”.
From the list of available roles grant to the user the following roles: “nx-anonymous” and “docker-role”.
Note that if instead you want an additional administrator you have to grant the roles “nx-admin” and “docker-role”.
At this point the created user can connect to the Nexus GUI or pull/push images to the docker repository.
STEP 8: Configure docker client
There is still an additional step to be able to pull/push images to the docker repository from a client machine. Because our docker repository is served over https, the docker client must be told to trust the server certificate.
On the client machine create a directory:
# mkdir /etc/docker/certs.d/your_ip_address\:5555
Under that directory copy the CA certificate of the certification authority that signed the server ssl certificate:
# cp nexus.crt /etc/docker/certs.d/your_ip_address\:5555/ca.crt
It is very important to use PEM format for the CA certificate and the extension .crt; otherwise the docker client will not be able to read the CA certificate.
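The client-side steps above (a directory named after ip:port, a PEM CA file called ca.crt) as one POSIX shell function, added here as an example and not taken from the original post. It assumes openssl only for the optional DER-to-PEM conversion, and the certs root is a parameter so the function can be exercised outside /etc/docker.

```shell
# install_docker_ca: place the registry's CA certificate where the docker
# client looks for it, converting a DER export to PEM when needed.
#   usage: install_docker_ca <ip_or_host:port> <ca_cert_file> [certs_root]
#   certs_root defaults to /etc/docker/certs.d (the path docker reads).
install_docker_ca() {
  hostport=$1; cert=$2; root=${3:-/etc/docker/certs.d}
  case "$hostport" in
    *:[0-9]*) ;;   # docker keys the directory by host:port, exactly as used in "docker login"
    *) echo "expected host:port, got '$hostport'" >&2; return 1 ;;
  esac
  [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
  dir="$root/$hostport"
  mkdir -p "$dir" || return 1
  # docker only reads PEM files named *.crt; a PEM file starts with this header
  if head -n 1 "$cert" | grep -q '^-----BEGIN CERTIFICATE-----'; then
    cp "$cert" "$dir/ca.crt" || return 1
  elif command -v openssl >/dev/null 2>&1; then
    # not PEM: assume a DER export (.cer) and convert it into a temp file first,
    # so a previously installed ca.crt is not clobbered when the input is junk
    if openssl x509 -inform der -in "$cert" -out "$dir/ca.crt.tmp" 2>/dev/null; then
      mv "$dir/ca.crt.tmp" "$dir/ca.crt"
    else
      rm -f "$dir/ca.crt.tmp"; echo "$cert is neither PEM nor DER X.509" >&2; return 1
    fi
  else
    echo "$cert is not PEM and openssl is unavailable to convert it" >&2; return 1
  fi
  chmod 0644 "$dir/ca.crt"
  echo "installed $dir/ca.crt"
}
```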
STEP 9: Push an image to the repository
To push an image to the repository we have to login first:
# docker login your_ip_address:5555
Enter the user and password created in Nexus GUI.
Tag an image from the local machine for the repository:
# docker tag my_local_image your_ip_address:5555/my_local_image
Push the image to the repository:
# docker push your_ip_address:5555/my_local_image
STEP 10: Pull an image from the repository
To pull an image from the repository we have to login first:
# docker login your_ip_address:5555
Enter the user and password created in Nexus GUI.
Pull the image from the repository:
# docker pull your_ip_address:5555/my_remote_image