JFrog Artifactory 6.x Documentation

Overview

There are three main ways you can use Docker with Artifactory and this document describes how to get started with each one.

Please review the brief summary below to decide which is the best way for you to use Docker with Artifactory.

Artifactory SaaS

The easiest way to start using Docker with Artifactory is through an Artifactory SaaS account.

In this mode, since Artifactory is a hosted service, you do not need to set up a reverse proxy and can create your Docker repositories and start pushing and pulling Docker images.

For more details, please refer to Getting Started with Artifactory SaaS.

Using Docker Compose - 1 Minute Setup

Artifactory can be run in a Docker container preconfigured as a Docker registry.

For more details, please refer to Using Docker Compose - 1 Minute Setup.

Artifactory On-Prem

You can set up your on-prem installation of Artifactory Pro to work with Docker.

The Docker client requires a different hostname for each registry. Artifactory supports this whether you are using a reverse proxy or not.

For more details, please refer to Getting Started with Artifactory Pro On-Prem.

Getting Started with Artifactory SaaS

Using Docker repositories with Artifactory SaaS is quick and easy.

Since, with Artifactory SaaS, you are using Artifactory as a hosted service, there is no need to configure Artifactory with a reverse proxy.

The example at the end of this section shows a complete process of creating a Docker repository, logging in, pulling an image and pushing an image.

Using Docker Client with Artifactory SaaS

To use the Docker client with one of your Artifactory SaaS Docker repositories, you can use the native Docker client to log in to each Docker repository, pull, and push images as shown in the following example:

  • Log in to your repository using the following command with your Artifactory SaaS credentials

    docker login ${server-name}-{repo-name}.jfrog.io
  • Pull an image using the following command

    docker pull ${server-name}-{repo-name}.jfrog.io/<image-name>
  • To push an image, first tag it and then use the push command

    docker tag <image-name> ${server-name}-{repo-name}.jfrog.io/<image-name>
    docker push ${server-name}-{repo-name}.jfrog.io/<image-name>

Test Your Setup

You can test your setup with this example, which assumes you are using an Artifactory SaaS server named "acme".

The scenario it demonstrates is:

  • Pulling the "hello-world" Docker image
  • Logging into your virtual Docker repository
  • Retagging the "hello-world" image, and then pushing it into your virtual Docker repository

Start by creating a virtual Docker repository called dockerv2-virtual.

  • Pull the "hello-world" image

    docker pull hello-world
  • Login to repository dockerv2-virtual

    docker login acme-dockerv2-virtual.jfrog.io
  • Tag the "hello-world" image

    docker tag hello-world acme-dockerv2-virtual.jfrog.io/hello-world
  • Push the tagged "hello-world" image to dockerv2-virtual

    docker push acme-dockerv2-virtual.jfrog.io/hello-world

Using Docker Compose - 1 Minute Setup

Artifactory may easily be installed as a Docker registry running in Docker. This is the easiest way to use Artifactory as a Docker registry on-premises. The installation spins up the following three containers:

  • Artifactory Pro
  • NGINX proxy that uses a self-signed certificate and is configured for access using the sub-domain method
  • A Postgres database

To spin up this installation run the following command:

curl -L 'https://bintray.com/api/v1/content/jfrog/run/art-compose/$latest/art-compose?bt_package=art-compose' | sudo bash

Complete the Setup

To complete the setup, invoke the onboarding wizard by running Artifactory in your browser at http:///artifactory.

  • Activate Artifactory with your license key. If you do not have a license you can get a Free Trial License.
  • You may set the Admin password or skip to accept the default
  • If necessary, configure your network proxy or just skip this step (you may configure a proxy server at any time later)
  • At Create Repositories, select Docker and continue to complete the wizard

Sub-domains method

We use this method so you will not need to change the reverse proxy configuration for each new Docker repository created.

Finally, follow the steps below:

  1. You need to add the following to your DNS or /etc/hosts file:

     docker-local.artifactory docker-remote.artifactory docker-virtual.artifactory docker.artifactory artifactory
  2. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry by adding the following line to your /etc/default/docker file (you may need to create the file if it does not already exist):

    DOCKER_OPTS="$DOCKER_OPTS --insecure-registry docker-local.artifactory --insecure-registry docker-remote.artifactory --insecure-registry docker-virtual.artifactory --insecure-registry docker.artifactory"
  3. Restart your Docker daemon/engine to apply the insecure registry flag (if self-signed certificate is imported, you do not need to restart the Docker daemon/engine).

Test Your Setup

You can test your setup with this example.

The scenario it demonstrates is:

  • Pulling the "hello-world" Docker image
  • Logging into your virtual Docker repository
  • Retagging the "hello-world" image, and then pushing it into your virtual Docker repository

The Artifactory Docker registry is already configured with a virtual repository called docker.artifactory.

  • Pull the "hello-world" image

    docker pull hello-world
  • Login to repository "docker.artifactory"

    docker login docker.artifactory
  • Tag the "hello-world" image

    docker tag hello-world docker.artifactory/hello-world
  • Push the tagged "hello-world" image to docker.artifactory

    docker push docker.artifactory/hello-world

Getting Started with Artifactory Pro On-Prem

The Docker client has the following two limitations:

  1. You cannot use a context path when providing the registry path (e.g. localhost:8081/artifactory is not valid)
  2. Docker will only send basic HTTP authentication when working against an HTTPS host

Artifactory offers solutions to these limitations allowing you to create and use any number of Docker registries.

  • Using a reverse proxy
    When used, a reverse proxy maps Docker commands to one of the multiple Docker registries in Artifactory
  • Without a reverse proxy
    From version 5.8, Artifactory supports using Docker without the use of a reverse proxy allowing you to create and use multiple Docker registries in Artifactory out-of-the-box.

Using a Reverse Proxy

When using Artifactory with a reverse proxy, you need to map Docker commands to Docker registries in Artifactory using either the subdomain method or the ports method.

Testing or evaluating?

If you are currently only testing or evaluating using Artifactory with Docker, we recommend running Artifactory as a Docker container which is easily installed and comes with a proxy server and Docker registries pre-configured out-of-the-box. You can be up and running in minutes.

Reverse Proxy for Docker

With the ports method, a port number is mapped to each Artifactory Docker registry. While this is an easy way to get started, you will need to modify your reverse proxy configuration and add a new mapping for each new Docker registry you define in Artifactory. In addition, firewalls and other restrictions by your IT department may restrict port numbers making the ports method not feasible.

With the subdomain method, you only need to configure your reverse proxy once, and from then on, the mapping from Docker commands to Docker registries in Artifactory is dynamic and requires no further modification of your reverse proxy configuration.

We recommend using the subdomain method since it requires only a one-time effort.

The Subdomain Method

Getting started with Docker and your on-prem Artifactory Pro installation using the subdomain method involves four basic steps:

  1. Configuring Artifactory

  2. Configuring your reverse proxy

  3. Configuring your Docker client

  4. Testing your setup

Configuring Artifactory

To configure Artifactory and your reverse proxy using the subdomain method, carry out the following steps:

  1. Make sure Artifactory is up and running, and is activated with a valid license.
  2. Create your virtual Docker repository (as well as a local and remote Docker repository that it should aggregate). In our example below we will use a repository named docker-virtual.
  3. Make sure you have a reverse proxy server up and running.
  4. Obtain a wildcard SSL certificate or use a wildcard self-signed certificate. (To create a self-signed certificate, you can follow these instructions for Ubuntu.)

    Make sure your certificate matches the Artifactory hostname used in your reverse proxy configuration. In our example below we will use art.local.

Configuring your reverse proxy

Artifactory can generate your complete reverse proxy configuration file for supported servers.

Go to the Reverse Proxy Configuration Generator and fill in the fields according to how your reverse proxy is set up while making sure to:

  1. Use the correct Artifactory hostname in the Public Server Name field (in our example this will be art.local)
  2. Select Subdomain as the Reverse Proxy Method under Docker Reverse Proxy Settings

NGINX
Copy the code snippet generated by the configuration generator into your artifactory-nginx.conf file, and place it in your /etc/nginx/sites-available directory.
Create the following symbolic link:

sudo ln -s /etc/nginx/sites-available/artifactory-nginx.conf /etc/nginx/sites-enabled/artifactory-nginx.conf

Apache HTTPD

Copy the code snippet generated by the configuration generator into your artifactory-apache.conf file and place it in your /etc/apache2/sites-available directory.

Create the following symbolic link:

sudo ln -s /etc/apache2/sites-available/artifactory-apache.conf /etc/apache2/sites-enabled/artifactory-apache.conf
Configuring Your Docker Client

To configure your Docker client, carry out the following steps

  1. Add the following to your DNS or to the client's /etc/hosts file:

     docker-virtual.art.local
  2. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry as described in the Docker documentation.

  3. Restart your Docker daemon/engine to apply the insecure registry flag (if self-signed certificate is imported, you do not need to restart the Docker daemon/engine).

Test Your Setup

To verify your reverse proxy is configured correctly, run the following command making sure that the return code is 200:

curl -I -k -v https://<artifactory-url>/api/system/ping

Run the following commands to ensure your proxy configuration is functional and can communicate with Artifactory:

  • Pull the "hello-world" image

    docker pull hello-world
  • Login to repository docker-virtual

    docker login docker-virtual.art.local
  • Tag the "hello-world" image

    docker tag hello-world docker-virtual.art.local/hello-world
  • Push the tagged "hello-world" image to docker-virtual

    docker push docker-virtual.art.local/hello-world

The Ports Method

Getting started with Docker and your on-prem Artifactory Pro installation using the ports method involves two basic steps:

  1. Configuring Artifactory and your reverse proxy.

  2. Configuring your Docker client.

Configuring Artifactory and Your Reverse Proxy

To configure Artifactory and your reverse proxy using the ports method, carry out the following steps:

  1. Make sure Artifactory is up and running, and is activated with a valid license.
  2. Create your virtual Docker repository (as well as a local and remote Docker repository that it should aggregate). In our example below we will use a repository named docker-virtual.
  3. Make sure you have a reverse proxy server up and running.
  4. Obtain an SSL certificate or use a self-signed certificate that can be generated following this example.

    Make sure your certificate matches the Artifactory hostname used in your reverse proxy configuration. In our example below we will use art.local.

  5. Configure your reverse proxy. Artifactory's Reverse Proxy Configuration Generator can generate your complete reverse proxy configuration file for supported servers. All you need to do is fill in the fields according to how your reverse proxy is set up while making sure to:
    1. Use the correct Artifactory hostname in the Public Server Name field
    2. Select Ports as the Reverse Proxy Method under Docker Reverse Proxy Settings. In the example below, we will use port 5001 to bind repository docker-virtual.

    NGINX

    For Artifactory to work with Docker, the preferred web server is NGINX v1.3.9 and above.
    First, you need to create a self-signed certificate for NGINX as described here for Ubuntu.
    Then use Artifactory's Reverse Proxy Configuration Generator to generate the configuration code snippet for you.
    Copy the code snippet into your artifactory-nginx.conf file and place it in your /etc/nginx/sites-available directory.
    Finally, create the following symbolic link:

    sudo ln -s /etc/nginx/sites-available/artifactory-nginx.conf /etc/nginx/sites-enabled/artifactory-nginx.conf

    Apache HTTPD

    Install Apache HTTP server as a reverse proxy and then install the required modules.

    Create the following symbolic link:

    sudo ln -s /etc/apache2/mods-available/slotmem_shm.load /etc/apache2/mods-enabled/slotmem_shm.load

    Similarly, create corresponding symbolic links for:

    • headers
    • proxy_balancer
    • proxy_load
    • proxy_http
    • proxy_connect
    • proxy_html
    • rewrite.load
    • ssl.load
    • lbmethod_byrequests.load

    Then use Artifactory's Reverse Proxy Configuration Generator to generate the configuration code snippet for you.
    Copy the code snippet into your artifactory.conf file and place it in your /etc/apache2/sites-available directory.

    HAProxy

    First, you need to create a self-signed certificate for HAProxy as described here for Ubuntu.

    Then, copy the code snippet below into your /etc/haproxy/haproxy.cfg file. After editing the file as described in the snippet, you can test your configuration using the following command:

    haproxy -f /etc/haproxy/haproxy.cfg -c
    HAProxy v1.5 Configuration

    # haproxy server configuration
    # version 1.0
    # History
    # ---------------------------------------------------------------------------
    # Features enabled by this configuration
    # HA configuration
    # port 80, 443 Artifactory GUI/API
    #
    # This uses ports to distinguish artifactory docker repositories
    # port 443 docker-virtual (v2) docker v1 is redirected to docker-dev-local.
    # port 5001 docker-prod-local (v1); docker-prod-local2 (v2)
    # port 5002 docker-dev-local (v1); docker-dev-local2 (v2)
    #
    # Edit this file with required information enclosed in <...>
    # 1. certificate and key
    # 2. artifactory-host
    # 3 replace the port numbers if needed
    # ----------------------------------------------------------------------------
    global
        log 127.0.0.1 local0
        chroot /var/lib/haproxy
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048
        stats socket /run/haproxy/admin.sock mode 660 level admin

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option redispatch
        option forwardfor
        option http-server-close
        maxconn 4000
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend normal
        bind *:80
        bind *:443 ssl crt <certificate-and-key>
        mode http
        option forwardfor
        reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-virtual/v2\2
        reqadd X-Forwarded-Proto:\ https if { ssl_fc }
        option forwardfor header X-Real-IP
        default_backend normal

    # if only need to access the docker-dev-local2 then skip this section. Docker-virtual can be configured to deploy to docker-dev-local2
    frontend dockerhub
        bind *:5000 ssl crt <certificate-and-key>
        mode http
        option forwardfor
        option forwardfor header X-Real-IP
        reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-remote/v2\2
        reqadd X-Forwarded-Proto:\ https if { ssl_fc }
        default_backend normal

    # if only need to access the docker-dev-local2 then skip this section. Docker-virtual can be configured to deploy to docker-dev-local2
    frontend dockerprod
        bind *:5001 ssl crt <certificate-and-key>
        mode http
        option forwardfor
        option forwardfor header X-Real-IP
        reqirep ^([^\ :]*)\ /v1(.*$) \1\ /artifactory/api/docker/docker-prod-local/v1\2
        reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-prod-local2/v2\2
        reqadd X-Forwarded-Proto:\ https if { ssl_fc }
        default_backend normal

    # if only need to access the docker-dev-local2 then skip this section. Docker-virtual can be configured to deploy to docker-dev-local2
    frontend dockerdev
        bind *:5002 ssl crt <certificate-and-key>
        mode http
        option forwardfor
        option forwardfor header X-Real-IP
        reqirep ^([^\ :]*)\ /v1(.*$) \1\ /artifactory/api/docker/docker-dev-local/v1\2
        reqirep ^([^\ :]*)\ /v2(.*$) \1\ /artifactory/api/docker/docker-dev-local2/v2\2
        reqadd X-Forwarded-Proto:\ https if { ssl_fc }
        default_backend normal

    # Artifactory Non HA Configuration
    # i.e server artifactory 198.168.1.206:8081
    #
    backend normal
        mode http
        server <artifactory-host> <artifactory-host-ip>:<artifactory-host-port>
    #
    # Artifactory HA Configuration
    # Using default failover interval - rise = 2; fall =3 3; interval - 2 seconds
    # backend normal
    #     mode http
    #     balance roundrobin
    #     option httpchk OPTIONS /
    #     option forwardfor
    #     option http-server-close
    #     appsession JSESSIONID len 52 timeout 3h
    #     server <artifactory-host> <artifactory-host-ip>:<artifactory-host-port>
    #     server <artifactory-host> <artifactory-host-ip>:<artifactory-host-port>

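
The reqirep rules in the HAProxy configuration above decide which Artifactory repository each listening port exposes. The script below is an added example, not part of the JFrog documentation: it reproduces those rewrites with sed so the port-to-repository mapping can be checked on sample request lines. The function names and the request lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: reproduce the reqirep rewrites of the HAProxy configuration
# above with sed. repo_for_port and rewrite_request are made-up names.
# Note: HAProxy's reqirep matches case-insensitively; this sed is case-sensitive.

# Repository a /v1 or /v2 request is rewritten to on each frontend port.
# The frontends on 80/443 and 5000 carry only a /v2 rule.
repo_for_port() {   # $1 = port, $2 = API version (v1 or v2)
    case "$1:$2" in
        80:v2|443:v2) echo docker-virtual ;;
        5000:v2)      echo docker-remote ;;
        5001:v1)      echo docker-prod-local ;;
        5001:v2)      echo docker-prod-local2 ;;
        5002:v1)      echo docker-dev-local ;;
        5002:v2)      echo docker-dev-local2 ;;
        *)            return 1 ;;   # no reqirep rule for this port/version
    esac
}

# Apply the frontend's rules, in order, to one HTTP request line.
rewrite_request() {   # $1 = port, $2 = request line
    line=$2
    for ver in v1 v2; do
        repo=$(repo_for_port "$1" "$ver") || continue
        # Same pattern as: reqirep ^([^\ :]*)\ /vN(.*$) \1\ /artifactory/api/docker/<repo>/vN\2
        line=$(printf '%s\n' "$line" |
            sed -E "s#^([^ :]*) /$ver(.*)\$#\\1 /artifactory/api/docker/$repo/$ver\\2#")
    done
    printf '%s\n' "$line"
}

# Constructed request lines, one per frontend.
show_examples() {
    rewrite_request 443  'GET /v2/hello-world/manifests/latest HTTP/1.1'
    rewrite_request 5000 'GET /v2/hello-world/manifests/latest HTTP/1.1'
    rewrite_request 5001 'GET /v2/hello-world/manifests/latest HTTP/1.1'
    rewrite_request 5002 'PUT /v1/repositories/hello-world/ HTTP/1.1'
    # A path that matches no rule is passed to the backend unchanged.
    rewrite_request 5001 'GET /artifactory/api/system/ping HTTP/1.1'
}
show_examples
```

Requests that match neither rule go unchanged to the same backend, so every Docker port in this configuration also answers for the rest of Artifactory's paths.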
Configuring Your Docker Client

To configure your Docker client, carry out the following steps

  1. Add the following to your DNS or to the client's /etc/hosts file:

     art.local
  2. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry by adding the following line to your /etc/default/docker file (you may need to create the file if it does not already exist):

    DOCKER_OPTS="$DOCKER_OPTS --insecure-registry art.local:5001"
  3. Restart your Docker engine.
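
The DOCKER_OPTS lines here and in the Docker Compose section turn off TLS verification for each listed registry; the alternative both passages mention is to trust the proxy's certificate. The script below is an added example, not part of the JFrog documentation: it reads the --insecure-registry entries from a DOCKER_OPTS file and installs a CA file for each one under Docker's per-registry trust directory (/etc/docker/certs.d/<host[:port]>/ca.crt). The function names, the sample file and the stand-in certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: trust the proxy certificate per registry instead of using
# --insecure-registry. Function names and sample data are assumptions.

# Print every registry named by an --insecure-registry flag in FILE, one per
# line, in file order (accepts "--insecure-registry host" and "=host").
list_insecure_registries() {
    grep -oE -e '--insecure-registry[= ]+[^ "]+' "$1" 2>/dev/null |
        sed -E 's/^--insecure-registry[= ]+//' | awk '!seen[$0]++'
}

# Copy CA_FILE to CERTS_DIR/<registry>/ca.crt for each registry given.
# Docker reads /etc/docker/certs.d/<host[:port]>/ca.crt when it connects
# to that registry; another CERTS_DIR can be passed for a dry run.
install_registry_ca() {
    ca_file=$1; certs_dir=$2; shift 2
    # Refuse anything that is not a PEM certificate.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "not a PEM certificate: $ca_file" >&2; return 1; }
    for registry in "$@"; do
        mkdir -p "$certs_dir/$registry" &&
            cp "$ca_file" "$certs_dir/$registry/ca.crt" &&
            chmod 644 "$certs_dir/$registry/ca.crt" || return 1
    done
}

# Install the CA for every registry that OPTS_FILE marks as insecure and
# report which flags can then be removed. Returns 1 if none were found.
trust_instead_of_insecure() {
    opts_file=$1; ca_file=$2; certs_dir=${3:-/etc/docker/certs.d}
    registries=$(list_insecure_registries "$opts_file")
    [ -n "$registries" ] || return 1
    # Word splitting is intended: registry names contain no whitespace.
    install_registry_ca "$ca_file" "$certs_dir" $registries || return 1
    for registry in $registries; do
        echo "trusted $registry: remove '--insecure-registry $registry' from $opts_file"
    done
}

# Demo on constructed data in a scratch directory (nothing under /etc is touched).
demo() {
    work=$(mktemp -d)
    printf '%s\n' 'DOCKER_OPTS="$DOCKER_OPTS --insecure-registry docker-virtual.artifactory --insecure-registry art.local:5001"' > "$work/docker"
    # Stand-in for the reverse proxy's self-signed certificate (not a real one).
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$work/proxy.crt"
    trust_instead_of_insecure "$work/docker" "$work/proxy.crt" "$work/certs.d"
    rm -rf "$work"
}
demo
```

Once the flags are removed from DOCKER_OPTS, restart the Docker daemon so they stop applying; the per-registry ca.crt is what the client then verifies against.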

Test Your Setup

To verify your reverse proxy is configured correctly, run the following command:

# Make sure the following results in return code 200
curl -I -k -v https://<artifactory-url>/api/system/ping

Run the following commands to ensure your proxy configuration is functional and can communicate with Artifactory. In this example, we will pull down a Docker image, tag it and then deploy it to our docker-virtual repository that is bound to port 5001:

# Pull the "hello-world" image
docker pull hello-world
# Login to repository docker-virtual
docker login art.local:5001
# Tag the "hello-world" image
docker tag hello-world art.local:5001/hello-world
# Push the tagged "hello-world" image to docker-virtual
docker push art.local:5001/hello-world

Testing With a Self-signed Certificate

  1. Since the certificate is self-signed, you need to import it to your Docker certificate trust store as described in the Docker documentation. Alternatively, you can configure the Docker client to work with an insecure registry as described in the Docker documentation.

  2. Restart your Docker daemon/engine to apply the insecure registry flag (if self-signed certificate is imported, you do not need to restart the Docker daemon/engine).
    Running docker info will list the insecure registries that have been applied under the Insecure Registries entry.

  3. Use the steps above to interact with the Artifactory Docker Registry

Without a Reverse Proxy

Previously, Artifactory supported the Ports and Subdomain methods described above when using a reverse proxy. From version 5.8, Artifactory introduces a new method referred to as the "Repository Path" method since it uses the Docker repository path prefix () to access a specific Artifactory Docker registry from the Docker client. Note that you may still have a reverse proxy configured for Artifactory for other reasons; however, when configured to use the Repository Path method, requests to Docker registries in Artifactory will be handled by Artifactory's embedded Tomcat instead of the reverse proxy.

Docker API v2 required

You can only use the Repository Path method with Artifactory Docker registries configured for Docker API v2.

Sub-domain method is recommended for production

We recommend using the Sub-domain method for Artifactory Docker registries in production systems because this method allows you to add wildcard SSL certificates on the reverse proxy for secure access to the Docker registry.
While you can add SSL certificates at the Tomcat level, this is not a recommended practice because the process of validation against the certificate is very resource intensive on memory and CPU.
The Repository Path method is more suitable when secure access is not required.

Configuring Artifactory

To configure Artifactory to use the Repository Path method, carry out the following steps:

  1. Make sure Artifactory is up and running, and is activated with a valid license.

  2. Create your virtual Docker repository (as well as a local and remote Docker repository that it should aggregate). In our example below we will use a repository named docker-virtual.
  3. Go to the HTTP Settings screen from the Admin module under Configuration | HTTP Settings.
    In the Docker Settings panel, select Repository Path as the Docker Access Method.
    In the Reverse Proxy Settings panel select Embedded Tomcat as the Server Provider (which indicates you're not using a reverse proxy).

    You must use Embedded Tomcat

    You can only use Artifactory as a Docker registry without a reverse proxy by using the internal embedded Tomcat


Configuring Your Docker Client

Using the Repository Path method, you can work with Artifactory as a Docker registry without a reverse proxy on an insecure connection (i.e. only HTTP is supported, not HTTPS). You need to configure the Docker client to work with an insecure registry as described in the Docker documentation.

Restart your Docker daemon/engine to apply the insecure registry flag (if self-signed certificate is imported, you do not need to restart the Docker daemon/engine). Running docker info will list the insecure registries that have been applied under the Insecure Registries entry.

Test Your Setup

Don't use localhost or 127.0.0.1 or "/artifactory"

Due to a limitation in the Docker client, you cannot access an Artifactory Docker registry as localhost or 127.0.0.1. If you need to access a local installation of Artifactory, make sure to specify its full IP address.

In addition, when specifying Artifactory's URL, you should omit the "/artifactory" suffix normally used.

For example, if your local machine's IP address is 10.1.16.114, then you must specify your Artifactory URL as http://10.1.16.114:8081 (using http://localhost:8081 will not work).

The code snippets below assume you have a virtual Docker repository named docker-virtual in an Artifactory installation at IP 10.1.16.114.

First, you should verify that your Docker client can access Artifactory by running the following command, making sure that the return code is 200:

curl -i -k -v http://10.1.16.114:8081/artifactory/api/system/ping

Now you can proceed to test your Docker registry.

  • Login to Artifactory as your Docker registry

    docker login -u admin -p password 10.1.16.114:8081
  • Pull the "hello-world" image from the docker-virtual repository

    docker pull 10.1.16.114:8081/docker-virtual/hello-world:latest
  • Tag a Docker image

    docker tag 10.1.16.114:8081/docker-virtual/hello-world:latest 10.1.16.114:8081/docker-virtual/<image-name>
  • Push the tagged image to docker-virtual

    docker push 10.1.16.114:8081/docker-virtual/<image-name>