The Ports Method for Docker

JFrog Artifactory Documentation

Getting started with Docker and your self-hosted Artifactory Pro installation using the ports method involves two basic steps: configuring Artifactory and your reverse proxy, and configuring your Docker client.

Configure Artifactory and Your Reverse Proxy

To configure Artifactory and your reverse proxy using the ports method, carry out the following steps:

  1. Make sure Artifactory is up and running, and is activated with a valid license (see Installing Artifactory).

  2. Create your Virtual Docker Registry (as well as a local and remote Docker repository that it should aggregate). In our example below we will use a repository named docker-virtual.

  3. Make sure you have a reverse proxy server up and running.

  4. Obtain an SSL certificate or use a Self-Signed certificate that can be generated following this example.

    Note

    Make sure your certificate matches the Artifactory hostname used in your reverse proxy configuration. In our example below we will use art.local.

  5. Configure your reverse proxy. Artifactory's Reverse Proxy Configuration Generator can generate your complete reverse proxy configuration file for supported servers. All you need to do is fill in the fields according to how your reverse proxy is set up, while making sure to:

    1. Use the correct Artifactory hostname in the Public Server Name field

    2. Select Ports as the Reverse Proxy Method under Docker Reverse Proxy Settings. In the example below, we will use port 5001 to bind repository docker-virtual.

    NGINX

    For Artifactory to work with Docker, the preferred web server is NGINX v1.3.9 and above. First, you need to create a self-signed certificate for NGINX as described here for Ubuntu. Then use Artifactory's Reverse Proxy Configuration Generator to generate the configuration code snippet for you. Copy the code snippet into your artifactory-nginx.conf file and place it in your /etc/nginx/sites-available directory. Finally, create the following symbolic link:

    sudo ln -s /etc/nginx/sites-available/artifactory-nginx.conf /etc/nginx/sites-enabled/artifactory-nginx.conf

    Apache HTTPD

    Install Apache HTTP server as a reverse proxy and then install the required modules. Create the following symbolic link:

    sudo ln -s /etc/apache2/mods-available/slotmem_shm.load /etc/apache2/mods-enabled/slotmem_shm.load

    Similarly, create corresponding symbolic links for:

    • headers

    • proxy_balancer

    • proxy_load

    • proxy_http

    • proxy_connect

    • proxy_html

    • rewrite.load

    • ssl.load

    • lbmethod_byrequests.load

    Then use Artifactory's Reverse Proxy Configuration Generator to generate the configuration code snippet for you.

    Copy the code snippet into your artifactory.conf file and place it in your /etc/apache2/sites-available directory.

    HAProxy

    First, you need to create a self-signed certificate for HAProxy as described here for Ubuntu. Then, copy the code snippet below into your /etc/haproxy/haproxy.cfg file. After editing the file as described in the snippet, you can test your configuration using the following command:

    haproxy -f /etc/haproxy/haproxy.cfg -c

    HAProxy v1.5 Configuration

    # haproxy server configuration
    # version 1.0
    # History
    # ---------------------------------------------------------------------------
    # Features enabled by this configuration
    # HA configuration
    # port 80, 443  Artifactory GUI/API
    #
    # This uses ports to distinguish artifactory docker repositories
    # port 443  docker-virtual (v2) docker v1 is redirected to docker-dev-local.
    # port 5001 docker-prod-local (v1); docker-prod-local2 (v2)
    # port 5002 docker-dev-local (v1); docker-dev-local2 (v2)
    #
    # Edit this file with required information enclosed in <...>
    # 1. certificate and key
    # 2. artifactory-host
    # 3. replace the port numbers if needed
    # ----------------------------------------------------------------------------
    global
            log 127.0.0.1   local0
            chroot /var/lib/haproxy
            maxconn 4096
            user haproxy
            group haproxy
            daemon
            tune.ssl.default-dh-param 2048
            stats socket /run/haproxy/admin.sock mode 660 level admin
    defaults
            log     global
            mode    http
            option  httplog
            option  dontlognull
            option  redispatch
            option  forwardfor
            option  http-server-close
            maxconn 4000
            timeout connect 5000
            timeout client 50000
            timeout server 50000
            errorfile 400 /etc/haproxy/errors/400.http
            errorfile 403 /etc/haproxy/errors/403.http
            errorfile 408 /etc/haproxy/errors/408.http
            errorfile 500 /etc/haproxy/errors/500.http
            errorfile 502 /etc/haproxy/errors/502.http
            errorfile 503 /etc/haproxy/errors/503.http
            errorfile 504 /etc/haproxy/errors/504.http 
    frontend normal
             bind *:80
             bind *:443 ssl crt </etc/ssl/certs/server.bundle.pem>
             mode http
             option forwardfor
             reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-virtual/v2\2
             reqadd X-Forwarded-Proto:\ https if { ssl_fc }
             option forwardfor header X-Real-IP
             default_backend normal
    
    # Skip this section if you only need to access docker-dev-local2. docker-virtual can be configured to deploy to docker-dev-local2.
    frontend dockerhub
             bind *:5000 ssl crt </etc/ssl/certs/server.bundle.pem>
             mode http
             option forwardfor
             option forwardfor header X-Real-IP
             reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-remote/v2\2
             reqadd X-Forwarded-Proto:\ https if { ssl_fc }
             default_backend normal
    
    # Skip this section if you only need to access docker-dev-local2. docker-virtual can be configured to deploy to docker-dev-local2.
    frontend dockerprod
             bind *:5001 ssl crt </etc/ssl/certs/server.bundle.pem>
             mode http
             option forwardfor
             option forwardfor header X-Real-IP
             reqirep ^([^\ :]*)\ /v1(.*$) \1\ /artifactory/api/docker/docker-prod-local/v1\2
             reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-prod-local2/v2\2
             reqadd X-Forwarded-Proto:\ https if { ssl_fc }
             default_backend normal
     
    # Skip this section if you only need to access docker-dev-local2. docker-virtual can be configured to deploy to docker-dev-local2.
    frontend dockerdev
             bind *:5002 ssl crt </etc/ssl/certs/server.bundle.pem>
             mode http
             option forwardfor
             option forwardfor header X-Real-IP
             reqirep ^([^\ :]*)\ /v1(.*$) \1\ /artifactory/api/docker/docker-dev-local/v1\2
             reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-dev-local2/v2\2
             reqadd X-Forwarded-Proto:\ https if { ssl_fc }
             default_backend normal
     
    # Artifactory Non HA Configuration
    # e.g. server artifactory 198.168.1.206:8082
    #
    backend normal 
             mode http
             server <artifactory-host> <artifactory-host ip address>:<artifactory-host port>
     
    #
    # Artifactory HA Configuration
    # Using default failover interval: rise = 2; fall = 3; interval = 2 seconds
    # backend normal
    #        mode http
    #        balance roundrobin
    #        option httpchk OPTIONS /
    #        option forwardfor
    #        option http-server-close
    #        appsession JSESSIONID len 52 timeout 3h
    #        server <artifactory-host-ha1> <artifactory-host ip address>:<artifactory-host port>
    #        server <artifactory-host-ha2> <artifactory-host ip address>:<artifactory-host port>
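
Added example, not part of the JFrog documentation: a Python audit of the port-to-repository mapping that a HAProxy configuration like the one above defines. The sample configuration is constructed; it shows the two things worth checking before exposing the ports, namely listeners that serve the Docker API without TLS and a lost frontend line that makes two ports share one rewrite chain.

```python
import re

# Constructed sample modelled on the page's frontends. The last section keyword is
# fused into a comment, so its bind and rewrite silently join "dockerprod".
SAMPLE_CFG = r"""
frontend normal
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/server.bundle.pem
    reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-virtual/v2\2
frontend dockerprod
    bind *:5001 ssl crt /etc/ssl/certs/server.bundle.pem
    reqirep ^([^\ :]*)\ /v1(.*$) \1\ /artifactory/api/docker/docker-prod-local/v1\2
    reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-prod-local2/v2\2
# skip this section if it is not needed frontend dockerdev
    bind *:5002 ssl crt /etc/ssl/certs/server.bundle.pem
    reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-dev-local2/v2\2
"""

SECTION = re.compile(r"(frontend|backend|listen|defaults|global)\b\s*(\S*)")
BIND = re.compile(r"bind\s+\S*:(\d+)\b(.*)")
REWRITE = re.compile(r"reqirep\s.*/artifactory/api/docker/([^/\s]+)/(v[12])")

def parse_frontends(cfg):
    """Return {frontend: {"binds": [(port, tls)], "repos": {api: [repo, ...]}}}."""
    frontends, current = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := SECTION.match(line):
            current = None
            if m.group(1) == "frontend":
                current = frontends.setdefault(m.group(2), {"binds": [], "repos": {}})
        elif current is not None and (m := BIND.match(line)):
            current["binds"].append((int(m.group(1)), bool(re.search(r"\bssl\b", m.group(2)))))
        elif current is not None and (m := REWRITE.match(line)):
            current["repos"].setdefault(m.group(2), []).append(m.group(1))
    return frontends

def audit(cfg):
    """Flag cleartext Docker binds and frontends whose port-to-repo mapping is ambiguous."""
    findings = []
    for name, fe in parse_frontends(cfg).items():
        if fe["repos"]:
            findings += [f"{name}: port {p} serves the Docker API without TLS"
                         for p, tls in fe["binds"] if not tls]
        for api, repos in fe["repos"].items():
            if len(repos) > 1:  # once the first rule rewrites the path, later ones cannot match
                findings.append(f"{name}: {api} maps to {repos}; only {repos[0]} is reachable")
    return findings
```

Calling audit() on the text of /etc/haproxy/haproxy.cfg returns one line per finding; an empty list means every Docker listener uses TLS and each frontend maps an API version to exactly one repository.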

Configure Your Docker Client

To configure your Docker client, carry out the following steps:

  1. Add the following to your DNS or to the client's /etc/hosts file:

    <ip-address> art.local

  2. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry by adding the following line to your /etc/default/docker file (you may need to create the file if it does not already exist):

    DOCKER_OPTS="$DOCKER_OPTS --insecure-registry art.local:5001"

  3. Restart your Docker engine.

Test Your Setup

To verify your reverse proxy is configured correctly, run the following command:

# Make sure the following results in return code 200
curl -I -k -v https://<artifactory url>/api/system/ping

Run the following commands to ensure your proxy configuration is functional and can communicate with Artifactory. In this example, we will pull down a Docker image, tag it and then deploy it to our docker-virtual repository that is bound to port 5001:

# Pull the "hello-world" image
docker pull hello-world

# Log in to repository docker-virtual
docker login art.local:5001

# Tag the "hello-world" image
docker tag hello-world art.local:5001/hello-world

# Push the tagged "hello-world" image to docker-virtual
docker push art.local:5001/hello-world

Test With a Self-signed Certificate

  1. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry as described in the Docker documentation.

  2. Restart your Docker daemon/engine to apply the insecure registry flag (if the self-signed certificate is imported, you do not need to restart the Docker daemon/engine).

    Running docker info lists the insecure registries that have been applied under the Insecure Registries entry.

  3. Use the steps above to interact with the Artifactory Docker Registry.
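
Added example, not part of the JFrog documentation: an insecure-registry entry makes Docker accept the registry's certificate without verifying it, so it is worth finding entries left behind after testing. This Python check reads the /etc/default/docker line shown above and, as an assumption beyond the page, Docker's daemon.json (insecure-registries key) and the per-registry trust store /etc/docker/certs.d/<host:port>/ca.crt; the host tree it runs on here is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

FLAG = re.compile(r"--insecure-registry[=\s]+([^\s\"']+)")

def audit_host(root="/"):
    """Map each insecure registry to where it is declared and whether a CA is installed."""
    root, declared = Path(root), {}
    opts = root / "etc/default/docker"
    if opts.is_file():
        for line in opts.read_text().splitlines():
            if not line.lstrip().startswith("#"):
                for reg in FLAG.findall(line):
                    declared.setdefault(reg, []).append("etc/default/docker")
    daemon = root / "etc/docker/daemon.json"
    if daemon.is_file():
        for reg in json.loads(daemon.read_text()).get("insecure-registries", []):
            declared.setdefault(reg, []).append("etc/docker/daemon.json")
    # Docker trusts <root>/etc/docker/certs.d/<host:port>/ca.crt for that registry only.
    return {reg: {"declared_in": src,
                  "ca_installed": (root / "etc/docker/certs.d" / reg / "ca.crt").is_file()}
            for reg, src in declared.items()}

def build_sample(root):
    """Constructed host tree: art.local:5001 is bypassed although its CA is installed."""
    root = Path(root)
    (root / "etc/default").mkdir(parents=True)
    (root / "etc/default/docker").write_text(
        'DOCKER_OPTS="$DOCKER_OPTS --insecure-registry art.local:5001"\n')
    (root / "etc/docker/certs.d/art.local:5001").mkdir(parents=True)
    (root / "etc/docker/certs.d/art.local:5001/ca.crt").write_text("constructed placeholder\n")
    (root / "etc/docker/daemon.json").write_text('{"insecure-registries": ["art.local:5002"]}')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reg, info in audit_host(tmp).items():
            note = "bypass can be removed" if info["ca_installed"] else "import the CA, then remove"
            print(reg, info["declared_in"], note)
```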