Configuring authentication for the Docker CLI

To access the private image registry from outside your IBM® Cloud Private cluster, set up authentication from your computer to the cluster.

Required user type or access level: Cluster administrator or team administrator

Before you begin

  1. You must install Docker on your computer. For more information, see Install Docker.
  2. If you have Docker proxy enabled on your node, complete the following steps.

    1. Add <cluster_CA_domain>:8500 to the NO_PROXY list, where <cluster_CA_domain> is the certificate authority (CA) domain that was set in the config.yaml file during installation.

       sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf
      

      The update resembles the following code.

       [Service]
        Environment="HTTP_PROXY=http://1.2.3.4:3128" "HTTPS_PROXY=http://1.2.3.4:3128"  "NO_PROXY=localhost,127.0.0.1,<cluster_CA_domain>:8500"
      
    2. Restart the Docker service.

       sudo systemctl daemon-reload
       sudo systemctl restart docker
      

For the Linux operating system

  1. On the system that hosts the Docker image, add the following line to the /etc/hosts file.

    <Cluster Master Host> <cluster_CA_domain>
    

    In this line, <Cluster Master Host> is defined in Master endpoint.

  2. On your computer, create a directory to store the Docker registry certificate.

    mkdir -p /etc/docker/certs.d/<cluster_CA_domain>:8500/
    
  3. From the client machine (Linux® operating system), use secure copy (scp) to copy the registry certificate from the master node of your IBM Cloud Private cluster. The <user> in the following command is the user who has sudo permissions.

    scp <user>@<cluster_CA_domain>:/etc/docker/certs.d/<cluster_CA_domain>\:8500/ca.crt /etc/docker/certs.d/<cluster_CA_domain>\:8500/ca.crt
    
  4. On the client computer, restart the Docker service by running the following command:

    service docker restart
    
  5. Log in to your private image registry by running the following command:

    docker login <cluster_CA_domain>:8500
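
Docker trusts any registry whose certificate chains to the ca.crt copied in step 3, so it is worth confirming that the file matches the one on the master node before you log in. The following script is an added example, not part of the product documentation: the function names and arguments are assumptions, and the expected fingerprint is the value printed on the master node by `openssl x509 -in /etc/docker/certs.d/<cluster_CA_domain>:8500/ca.crt -noout -fingerprint -sha256`. It also checks the NO_PROXY entry from the "Before you begin" steps.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the registry CA file and proxy bypass.
# Function names and arguments are illustrative, not from the product docs.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
    | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 only if the copied ca.crt parses, has not expired, and matches the
# fingerprint that was read on the master node (colons and case are ignored).
verify_registry_ca() {
  local ca_file=$1 expected=$2 actual
  actual=$(cert_sha256 "$ca_file")
  [ -n "$actual" ] || { echo "not a readable PEM certificate: $ca_file" >&2; return 2; }
  openssl x509 -in "$ca_file" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired: $ca_file" >&2; return 3; }
  expected=$(printf '%s' "$expected" | tr -d ':' | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ] \
    || { echo "fingerprint mismatch, got $actual" >&2; return 1; }
}

# Return 0 if <registry> (host:port) is an exact entry in the NO_PROXY list of
# a Docker systemd proxy drop-in such as http-proxy.conf.
no_proxy_has_registry() {
  local conf=$1 registry=$2
  grep -o 'NO_PROXY=[^" ]*' "$conf" | cut -d= -f2 | tr ',' '\n' \
    | grep -qxF "$registry"
}

# Usage: ./preflight.sh <cluster_CA_domain> <sha256_fingerprint_from_master>
if [ "$#" -eq 2 ]; then
  verify_registry_ca "/etc/docker/certs.d/$1:8500/ca.crt" "$2" \
    && echo "ca.crt matches the master node's certificate"
fi
```

Obtain the expected fingerprint over a channel other than the scp transfer itself, for example from a console session on the master node.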
    

For the macOS operating system

  1. On the client computer, add the following line to the /etc/hosts file:

    <Cluster Master Host> <cluster_CA_domain>
    

    In this line, <Cluster Master Host> is defined in Master endpoint.

  2. From the client machine (macOS), use secure copy (scp) to copy the registry certificate from the master node of your IBM Cloud Private cluster.

    mkdir -p ~/.docker/certs.d/<cluster_CA_domain>\:8500
    scp root@<cluster_CA_domain>:/etc/docker/certs.d/<cluster_CA_domain>\:8500/ca.crt ~/.docker/certs.d/<cluster_CA_domain>\:8500/ca.crt
    
  3. From the client computer, add the certificate to the keychain.

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.docker/certs.d/<cluster_CA_domain>\:8500/ca.crt
    
  4. On the client computer, restart the Docker service.

  5. Log in to your private image registry by running the following command:

    docker login <cluster_CA_domain>:8500
    

For the Windows operating system

  1. On the Windows™ system that hosts the Docker image, add the following line to the %SystemRoot%\System32\drivers\etc\hosts file.

    <Cluster Master Host> <cluster_CA_domain>
    

    In this line, <Cluster Master Host> is defined in Master endpoint.

  2. Add your Docker registry certificate by completing the following steps:

    1. Select Start > Administrative Tools > Manage Computer Certificates.

    2. Right-click Trusted Root Certification Authorities, and select All tasks > Import.

    3. Navigate to find and select your .crt file.

    4. Complete the wizard to configure the certificate. The defaults are often acceptable.

    5. Restart Docker for Windows to apply the changes.

  3. From the master node of your IBM Cloud Private cluster, use secure copy (scp) to copy the registry certificate to the computer.

    scp /etc/docker/certs.d/<cluster_CA_domain>\:8500/ca.crt \
    root@<client_node>:/etc/docker/certs.d/<cluster_CA_domain>\:8500/
    
  4. Log in to your private image registry by running the following command:

    docker login <cluster_CA_domain>:8500
    

Boot2Docker for Windows

  1. On your computer, run the following command to create a boot2docker directory to run Docker containers:

    mkdir /var/lib/boot2docker/certs
    
  2. Convert your certificates to .pem format and copy them in to your boot2docker directory. Run the following commands:

    openssl x509 -inform der -in certificate.cer -out certificate.pem
    
    cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/
    
  3. Create an empty file for your certificates. Creating an empty file allows your certificates to be copied in to the correct directory. Run the following command:

    touch /var/lib/boot2docker/bootlocal.sh && chmod +x /var/lib/boot2docker/bootlocal.sh
    
  4. Open the file in your text editor by running the following command:

    vi /var/lib/boot2docker/bootlocal.sh
    
  5. Save your file by running the following command:

    mkdir -p /etc/docker/certs.d && cp certs/certificate.pem /etc/docker/certs.d
    
  6. Restart your computer. Run the following command:

    docker-machine restart default