If you are looking to set up an on-premise docker environment on PowerPC servers running RHEL LE, then this guide should be of some help.
There are two basic components required for an on-prem docker environment – docker engine and private docker registry.
While there are commercial on-prem options for a docker registry, such as docker trusted registry, artifactory etc., in this article we’ll deploy our own registry using the open-source docker registry code.
Let us now jump to the actual setup instructions.
Step-1: Set up docker engine on RHEL 7.1 LE
There are currently two options for getting docker on RHEL 7.1 LE: download a pre-built docker binary for RHEL 7.1 LE by following the instructions mentioned here, or build docker from source on RHEL 7.1 LE.
The primary toolchain for building Go programs on the Power platform is GCC-GO. This is available from GCC version 5 onwards. While GCC 5 is not shipped by default with RHEL 7.1 LE, one can download the IBM Advance Toolchain (AT) package to get the pre-built binaries or build GCC from source.
We’ll take the easy approach of downloading the IBM AT package and using the pre-built binaries.
Here is a script to install AT 9.0 on RHEL 7.1 LE:

    #!/bin/bash
    # Install IBM Advance Toolchain 9.0 on RHEL 7.1 LE.
    # Note: the repository and its GPG key are both fetched over plain FTP, so
    # verify the key's fingerprint through a trusted channel before relying on gpgcheck.
    cat <<EOF >/etc/yum.repos.d/at9_0.repo
    [at9.0]
    name=Advance Toolchain Unicamp FTP
    baseurl=ftp://ftp.unicamp.br/pub/linuxpatch/toolchain/at/redhat/RHEL7
    failovermethod=priority
    enabled=1
    gpgcheck=1
    gpgkey=ftp://ftp.unicamp.br/pub/linuxpatch/toolchain/at/redhat/RHEL7/gpg-pubkey-6976a827-5164221b
    EOF
    yum install -y advance-toolchain-at9.0-runtime \
        advance-toolchain-at9.0-devel \
        advance-toolchain-at9.0-perf \
        advance-toolchain-at9.0-mcore-libs
    # Single quotes keep $PATH unexpanded here so it is resolved at login time
    echo 'export PATH=/opt/at9.0/bin:/opt/at9.0/sbin:$PATH' >> /etc/profile.d/at9.sh
    source /etc/profile.d/at9.sh
    /opt/at9.0/sbin/ldconfig

Once the Go toolchain is installed, the next step is to build docker. As of this writing, the latest upstream docker doesn’t build as-is on RHEL 7.1 LE due to some work-in-progress patches related to libseccomp. Some minor changes are required for building docker. To make it easier for anyone to build docker on RHEL LE, I have automated the entire process. The patches required are in my github tree and can be viewed here.
Here is a sample script to automate the process.

    #!/bin/bash
    #Script to build docker on RHEL 7 LE (ppc64le) platforms using Advance Toolchain
    #Ensure AT9.0 is installed and PATH set appropriately
    #Accepts one optional parameter [build_dir]
    dir=${1}
    BUILD_DIR=${dir:-/docker_bld_ppc64}
    SRC='https://github.com/docker/docker.git'
    #Pin the upstream source to a known commit
    COMMIT_ID=611dbd8957581fa451a4103259100a5e2d115b8c
    #Install required dependencies
    yum groupinstall -y "Development Tools"
    yum install -y patch sqlite-devel wget git btrfs-progs-devel device-mapper-devel
    #Cleanup existing build and install directories
    rm -fr "${BUILD_DIR}"
    #Create temp dir for building
    mkdir -p "${BUILD_DIR}"
    #Set GOPATH
    GO_BASE_PATH="${BUILD_DIR}/go/src/github.com/docker/"
    mkdir -p "${GO_BASE_PATH}"
    export AUTO_GOPATH=1
    #Download docker source
    cd "${GO_BASE_PATH}"
    git clone "${SRC}"
    cd docker
    git checkout -b ppc64le "${COMMIT_ID}"
    #Patch and build the docker source on RHEL 7.1 LE
    #-f makes curl fail on an HTTP error instead of feeding an error page to patch
    curl -fsSL https://github.com/bpradipt/docker/commit/567c796fba113bca56b4ebf82be93d813e21f0f2.patch | patch -p1
    sed -i.bkp 's/-ldl/-ldl -lpthread -lsystemd-journal/g' hack/make/gccgo
    ./hack/make.sh dyngccgo
    mv ./hack/make/gccgo.bkp ./hack/make/gccgo

On successful build, the docker binary will be available under bundles/latest/dyngccgo/.
You can build a static binary as well.
All the scripts used in this article can be downloaded from my github tree.
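
The build script above pipes the downloaded patch straight into patch. As an added example (not part of the original scripts; the function names and the checksum placeholder are assumptions), this helper downloads the patch to a file and applies it only if its SHA-256 matches a value you recorded when you reviewed it:

```shell
#!/bin/bash
# Added example: apply a downloaded patch only if it matches a pinned SHA-256.
# verify_sha256 and fetch_and_apply_patch are hypothetical helper names.

# verify_sha256 FILE EXPECTED_HEX: return 0 only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    local file="$1" expected actual
    # Normalise to lower case so upper-case digests also compare equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file (got ${actual:-nothing})" >&2
        return 1
    fi
    return 0
}

# fetch_and_apply_patch URL EXPECTED_HEX [SRC_DIR]
fetch_and_apply_patch() {
    local url="$1" expected="$2" src_dir="${3:-.}" tmp rc=0
    tmp=$(mktemp) || return 1
    # -f: fail on HTTP errors instead of saving an error page; -L: follow redirects.
    # The dry run confirms the patch applies cleanly before the tree is touched.
    curl -fsSL -o "$tmp" "$url" \
        && verify_sha256 "$tmp" "$expected" \
        && patch -d "$src_dir" -p1 --dry-run < "$tmp" >/dev/null \
        && patch -d "$src_dir" -p1 < "$tmp" \
        || { echo "refusing to apply $url" >&2; rc=1; }
    rm -f "$tmp"
    return "$rc"
}

# Usage inside the docker source tree (replace the placeholder with the digest
# of the patch content you reviewed; the value below is NOT a real digest):
# fetch_and_apply_patch \
#   "https://github.com/bpradipt/docker/commit/567c796fba113bca56b4ebf82be93d813e21f0f2.patch" \
#   "<sha256-of-reviewed-patch>"
```

If the digest ever stops matching, review the new patch content before updating the pinned value.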
Step-2: Build and run latest V2 registry on RHEL 7.1 LE.
Do this on a RHEL7.1 LE system which will act as the registry server and have sufficient storage to keep all the images.
The following script builds the registry code on RHEL 7.1 LE.

    #!/bin/bash
    #Script to build registry on Power
    #Requires Go compiler to be available in the PATH
    #build_registry.sh [dynamic|static]
    build_type=${1}
    BUILD_TYPE=${build_type:-dynamic}
    SRC="https://github.com/docker/distribution.git"
    #Pin the registry source to a known commit
    COMMIT_ID=ece8e132bf6585815fdd00990f6215122c58fb3f
    CUR_DIR=$(pwd)
    INSTALL_DIR="${CUR_DIR}/go.bld"
    BIN_DIR="${CUR_DIR}/go.bld/bin"
    mkdir -p "${BIN_DIR}"
    GOPATH_BASE="${INSTALL_DIR}/src/github.com/docker"
    mkdir -p "${GOPATH_BASE}"
    cd "${GOPATH_BASE}"
    git clone "${SRC}"
    cd distribution
    git checkout -q "${COMMIT_ID}"
    export GOPATH="${GOPATH_BASE}/distribution/Godeps/_workspace:${INSTALL_DIR}:${GOPATH}"
    if [ "${BUILD_TYPE}" == "static" ]
    then
        BUILDFLAGS="-static -lnetgo"
    else
        BUILDFLAGS=""
    fi
    go build -gccgoflags "${BUILDFLAGS}" -o "${BIN_DIR}/registry" ./cmd/registry
    #To use the registry you need to copy the file cmd/registry/config-example.yml as config.yml, edit it as appropriate and run it
    #./registry ./config.yml
    cp ./cmd/registry/config-example.yml "${BIN_DIR}/config.yml"

The registry binary and configuration file will be under go.bld/bin in the directory the script was run from (~/go.bld/bin if it was run from your home directory).
Step-3: Run the registry
The default storage location for images is /var/lib/registry and the default port is 5000. If you plan to change any of these options, edit the config.yml as appropriate.
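
    # mkdir -p /var/lib/registry
    # cd ~/go.bld/bin
    # ./registry ./config.yml

This will start the registry server on port 5000.
Configure the docker daemon to use the new registry. Because the registry started this way serves plain HTTP, you need to use the ‘insecure-registry’ option while starting the daemon. That option makes the daemon accept an unencrypted, unauthenticated connection to the registry, so use it only on a trusted network, or secure the registry with TLS as described in the optional section below. For example, if the IP of the registry server is 192.168.122.20, then the command will be:

    docker -d --insecure-registry 192.168.122.20:5000
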
(Optional) Securing the registry using TLS
Detailed instructions are available in the official registry documentation here.

    # mkdir /certs
    # openssl req -newkey rsa:4096 -nodes -sha256 -keyout /certs/domain.key -x509 -days 365 -out /certs/domain.crt
    Generating a 4096 bit RSA private key
    ..........................................................................................++
    ...........++
    writing new private key to '/certs/domain.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:Karnataka
    Locality Name (eg, city) []:Bangalore
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Own Startup
    Organizational Unit Name (eg, section) []:IT
    Common Name (e.g. server FQDN or YOUR name) []:rhel71ledockreg1
    Email Address []:admin@myownstartup.com

Start the registry, specifying the location of the certificate and the key:

    # REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt REGISTRY_HTTP_TLS_KEY=/certs/domain.key ./registry ./config.yml

On the docker host, install the registry certificate as a trusted CA (the certs.d directory name must match the registry host and port that clients use, here rhel71ledockreg1:5001):

    # mkdir -p /etc/docker/certs.d/rhel71ledockreg1:5001/
    # cp domain.crt /etc/docker/certs.d/rhel71ledockreg1:5001/ca.crt
    # cp domain.crt /etc/pki/ca-trust/source/anchors/rhel71ledockreg1.crt
    # update-ca-trust
    # service docker restart

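
A pre-flight check for the certificate and key generated above, to run on the registry server before domain.crt is copied to docker hosts. This is an added example, not part of the original article; the function name check_registry_cert is hypothetical:

```shell
#!/bin/bash
# Added example: sanity-check a registry certificate before distributing it.
# check_registry_cert is a hypothetical helper name.

# check_registry_cert CERT KEY HOST
# Returns 0 only if the key file is private to its owner, the certificate has
# not expired, it belongs to KEY, and it was issued for HOST.
check_registry_cert() {
    local cert="$1" key="$2" host="$3" cert_pub key_pub

    # The key was written with -nodes (unencrypted), so file mode is its only
    # protection: reject any group/other permission bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
        || { echo "$key is accessible to group/others" >&2; return 1; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "$cert is expired or unreadable" >&2; return 1; }

    # Same public key in the certificate and in the private key file?
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$cert does not match $key" >&2; return 1; }

    # The name clients connect to (the host part of the certs.d directory)
    # must be a name the certificate was issued for.
    openssl x509 -in "$cert" -noout -checkhost "$host" \
        | grep -q "does match certificate" \
        || { echo "$cert is not valid for host $host" >&2; return 1; }
    return 0
}

# Example: check_registry_cert /certs/domain.crt /certs/domain.key rhel71ledockreg1
```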
If you are looking to set up a secure TLS-enabled private registry with HTTP authentication, then please have a look at the following article for instructions.