Using Docker Desktop and Artifactory for Enterprise Container Management

As the prevalence of containers continues to expand, managing the push and pull of containers without an enterprise-grade container registry is unwieldy. Many companies utilize JFrog Artifactory as a Docker and Helm registry, but also utilize Docker Desktop strategically to manage their container services.

The goal of this blog is to show you how to configure Docker Desktop to work with JFrog Artifactory as your Docker registry to manage the push and pull of container images across your company’s many repository types (such as local, remote and virtual), and how Artifactory in conjunction with Docker Desktop gives users fine-grained control over the movement of containers across their portfolio.

Before You Begin

To get started, you’ll need to ensure you have the following already set up for this guide to work properly:

Linking Docker Desktop and JFrog

Containers are king, and every company wants to know what’s heading full steam ahead towards production. To get started on your Docker Desktop and JFrog Software Supply Chain Platform journey, we’ll assume that Artifactory is your chosen container registry. You’ve perhaps also standardized on Docker Desktop and want to use it as the control plane for the movement of containers in your organization.

To do so, you’ll want to be sure you’re configured properly to allow access to Artifactory in the Docker Desktop services.

The Registry Management feature in Docker Desktop helps ensure that only permitted repos and repository types (like Artifactory local, remote or virtual repos) are accessible for Docker Desktop to manage, and that all permissions are applied according to your company’s access rules.

It’s of course best practice to not allow unfettered access to your repos and container images, so let’s first make sure we have Artifactory set to connect to your selected Docker Desktop services:

First, let’s configure Artifactory as an allowed registry in Docker Hub (instructions also found in the official documentation). Note that the Registry Management feature can manage both cloud and on-prem JFrog Artifactory instances.

  1. Sign in to your Docker Hub account as an organization owner.
  2. Select an organization and then navigate to the Settings tab on the Organizations page and select Registry Access.
  3. Toggle on “Registry Access Management” to begin setting the permissions for your Artifactory registry.
  4. To add Artifactory to your list, select “Add” and enter your registry details in the applicable fields, then select “Create.”
  5. Verify that Artifactory appears in your registry list and select “Save & Apply.”
  6. You can verify that your changes are saved in the “Activity” tab. Note that you can add unlimited registries.

[Screenshot: Registry Access Management]

Applying Access Universally

Next, let’s suppose that you want to be sure all your developers using Artifactory can’t mistakenly access certain repos or certain pipelines. You’ll have to apply access rules across your org in Docker Desktop. Company IT departments can apply these settings to everyone in your organization, or individual developers can configure this manually, depending on your business rules and operational preferences (as seen in the official docs).

Configure registry.json to enforce sign-in

By default, members of your organization can use Docker Desktop on their machines without signing in to any Docker account. To ensure that a user signs in to a Docker account that is a member of your organization and that the organization’s settings apply to the user’s session, you can use a registry.json file.

The registry.json file is a configuration file that lets administrators specify the Docker organization the user must belong to. This ensures that your settings apply to the user’s session, so the user can access registries like Artifactory only with your company’s rules in place. The Docker Desktop installer can create the registry.json file on users’ machines as part of the installation process.

After a registry.json file is configured on a user’s machine, Docker Desktop prompts the user to sign in. If a user doesn’t sign in, or tries to sign in with an organization other than the one listed in the registry.json file, they will be denied access to Docker Desktop.

Deploying a registry.json file and forcing users to authenticate is highly recommended but not required. Forced authentication has the following benefits:

  • Allows administrators to configure features such as Image Access Management, which lets team members:
    • Only have access to Trusted Content on Docker Hub
    • Pull only from the specified categories of images
  • Authenticated users of Artifactory have unlimited pulls from Docker Hub and do not have to worry about rate limits
  • Block users from accessing Docker Desktop until they are added to a specific organization

Create a registry.json file

Before creating a registry.json file, ensure that the user is a member of at least one organization in Docker Hub. If the registry.json file matches at least one organization the user is a member of, they can sign in to Docker Desktop and access all their organizations.

Based on your operating system, you must create a registry.json file at the following locations and make sure the file can’t be edited by the user:

  • Windows: /ProgramData/DockerDesktop/registry.json
  • Mac: /Library/Application Support/com.docker.docker/registry.json
  • Linux: /usr/share/docker-desktop/registry/registry.json

The registry.json file must contain the following contents, where myorg is replaced with your organization’s name. The file contents are case-sensitive and you must use lowercase letters for your organization’s name.

    {
      "allowedOrgs": ["myorg"]
    }

In Docker Hub, you can now download the registry.json file for your organization or copy the specific commands to create the file for your organization. To download the file or copy the commands from Docker Hub:

  • Log in to Docker Hub as an organization owner.
  • Go to Organizations > Your Organization > Settings.
  • Select Enforce Sign-in and continue with the on-screen instructions for Windows, Mac, or Linux.

Note: For other methods of creating the registry.json file for your org based on your operating system, please see the Docker Desktop documentation.
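
A deployed registry.json can be audited against the rules above (exact "allowedOrgs" key, lowercase organization names, not editable by the user). The following Python check is an added example, not code from Docker or JFrog. The names audit_registry_json and trusted_uids are hypothetical, and treating "not editable by the user" as "owned by root and not group- or world-writable" is an assumption that applies to Mac and Linux only.

```python
import json
import os
import stat
import sys

# Added example: audit_registry_json and trusted_uids are hypothetical names.
# Locations listed on this page, keyed by sys.platform prefix.
DEFAULT_PATHS = {
    "win32": "/ProgramData/DockerDesktop/registry.json",
    "darwin": "/Library/Application Support/com.docker.docker/registry.json",
    "linux": "/usr/share/docker-desktop/registry/registry.json",
}


def audit_registry_json(path, expected_org, trusted_uids=(0,)):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except OSError as exc:
        return [f"cannot read {path}: {exc.strerror}"]
    except ValueError as exc:
        return [f"{path} is not valid JSON: {exc}"]

    orgs = doc.get("allowedOrgs") if isinstance(doc, dict) else None
    if not isinstance(orgs, list) or not all(isinstance(o, str) and o for o in orgs):
        findings.append('"allowedOrgs" must be a list of organization names')
    else:
        findings += [f'org "{o}" is not lowercase' for o in orgs if o != o.lower()]
        if expected_org not in orgs:
            findings.append(f'"{expected_org}" is not in allowedOrgs')

    # Assumed policy (POSIX only): file and directory owned by a trusted uid, not group/world-writable.
    if hasattr(os, "getuid"):
        for target in (path, os.path.dirname(os.path.abspath(path))):
            st = os.stat(target)
            if st.st_uid not in trusted_uids:
                findings.append(f"{target} is owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{target} is group- or world-writable")
    return findings


if __name__ == "__main__":
    default = next((p for k, p in DEFAULT_PATHS.items() if sys.platform.startswith(k)), DEFAULT_PATHS["linux"])
    problems = audit_registry_json(default, sys.argv[1] if len(sys.argv) > 1 else "myorg")
    print("\n".join(problems) or "registry.json OK")
    sys.exit(1 if problems else 0)
```

Run it with your organization name as the only argument; a non-zero exit status means at least one finding, which makes it usable from a fleet-management compliance check.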

Testing Docker and Artifactory

Now you need to confirm that everything is working properly: your developers should be able to access all the registries they need, and should not be able to access things they shouldn’t (and thereby expose the business).

Verify your global changes

After you’ve created the registry.json file and deployed it onto the users’ machines, you can verify whether the access changes have taken effect by asking users to start Docker Desktop to access Artifactory.

If the configuration is successful, Docker Desktop will prompt the user to authenticate using the organization credentials on start. If the user fails to authenticate, they will see an error message and be denied access to Docker Desktop, and in this case cannot access Artifactory as their registry.

Give it a test

A quick way to ensure you’re configured correctly is for developers to attempt to access a repository that is not in the allow list that’s been created. If the system won’t allow access to it, you know you did it right! If developers are able to access a non-listed repository, please double-check the steps above to ensure all settings are correct.

You’re done!

If you’re successful in your setup, your developers and admins should see a screen like this, indicating access to both Docker Hub and chosen JFrog Artifactory repos. Now you can use Docker Desktop features to control your registries smoothly, as well as take advantage of unlimited Docker Hub pulls for JFrog customers.

[Screenshot: Registry Access Management]

Why Artifactory?

The most common way to manage and organize your Docker images is with a Docker registry. After all, you need reliable, secure, consistent and efficient access to your Docker images, and also to share them between teams efficiently from a single, centralized location. With Artifactory, you can set up local, remote and virtual Docker Registries in minutes, and utilize Federated Repositories to bi-directionally mirror artifacts and metadata across multisite environments. It’s a powerful way to multiply the value of Artifactory and Docker Desktop to keep your teams in sync, efficient and scaling to infinity.

Talk Back

Have feedback on Docker Desktop or JFrog Artifactory? Let us know by contacting support@jfrog.com.