11

Has anyone tried using environment variables to override configuration options in the registry, say if you have to use s3 bucket as the storage for example. I read the doc and it says (https://docs.docker.com/registry/configuration/):

> Overriding configuration options
>
> Environment variables may be used to override configuration parameters other than version. To override a configuration option, create an environment variable named REGISTRY_variable_ where variable is the name of the configuration option.
>
> e.g
>
> REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/tmp/registry/test
>
> will set the storage root directory to /tmp/registry/test

So I tried this command, but it does not seem to have any effect when I start the registry:

```sh
docker run -it -v /var/log/docker-registry:/var/log -p 5000:5000 \
-e REGISTRY_STORAGE_S3_ACCESSKEY=****************** \
-e REGISTRY_STORAGE_S3_SECRETKEY=****************** \
-e REGISTRY_STORAGE_S3_BUCKET=itmcc-docker-registry-backend \
-e REGISTRY_STORAGE_S3_REGION=us-east-1 \
registry:2.0
```

In the logs I see the regular output as if it does not take the env variables into account and try to connect to S3:

```
INFO[0000] endpoint local-8082 disabled, skipping        environment=development instance.id=025c9fcd-2ec1-4d5f-82ec-d3246d54cdb5 service=registry version=v2.0.0
INFO[0000] endpoint local-8083 disabled, skipping        environment=development instance.id=025c9fcd-2ec1-4d5f-82ec-d3246d54cdb5 service=registry version=v2.0.0
INFO[0000] using inmemory layerinfo cache                environment=development instance.id=025c9fcd-2ec1-4d5f-82ec-d3246d54cdb5 service=registry version=v2.0.0
INFO[0000] listening on :5000                            environment=development instance.id=025c9fcd-2ec1-4d5f-82ec-d3246d54cdb5 service=registry version=v2.0.0
INFO[0000] Starting upload purge in 42m0s                environment=development instance.id=025c9fcd-2ec1-4d5f-82ec-d3246d54cdb5 service=registry version=v2.0.0
INFO[0000] debug server listening localhost:5001
```

PS: If I use an IAM role with my ec2, it seems redundant to pass in the access and secret key to docker registry container, can docker utilize the IAM role yet, has anyone tried that?

Edit: After I run container and the exec command to see output of env:

```
root@0a349294f792:/go/src/github.com/docker/distribution# env
REGISTRY_STORAGE_S3_SECRETKEY=*************************
DISTRIBUTION_DIR=/go/src/github.com/docker/distribution
GOLANG_VERSION=1.4.2
HOSTNAME=0a349294f792
REGISTRY_STORAGE_S3_BUCKET=itmcc-docker-registry-backend
PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/go/src/github.com/docker/distribution
REGISTRY_STORAGE_S3_REGION=us-east-1
SHLVL=1
HOME=/root
GOPATH=/go/src/github.com/docker/distribution/Godeps/_workspace:/go
REGISTRY_STORAGE_S3_ACCESSKEY=*************************
_=/usr/bin/env
root@0a349294f792:/go/src/github.com/docker/distribution#
```
alexfvolk
  • Can you please `docker exec -it myContainer /bin/bash` (or whatever your container name is) and dump the contents of `env` here? I am able to inject AWS S3 credentials via environment variables. – L0j1k May 11 '15 at 22:35
  • Please see OP under "Edit" (last section) – alexfvolk May 11 '15 at 23:16

3 Answers

18

The complete command that works for me from a docker run command is:

```sh
docker run -d -p 5000:5000 \
-e "REGISTRY_STORAGE=s3" \
-e "REGISTRY_STORAGE_S3_REGION=us-east-1" \
-e "REGISTRY_STORAGE_S3_BUCKET=******" \
-e "REGISTRY_STORAGE_S3_ACCESSKEY=******" \
-e "REGISTRY_STORAGE_S3_SECRETKEY=******" \
registry:2
```

Note the addition of the REGISTRY_STORAGE=s3 environment variable.

They hint at this in the registry docs:

> Note: If an environment variable changes a map value into a string, such as replacing the storage driver type with REGISTRY_STORAGE=filesystem, then all sub-fields will be erased. As such, specifying the storage type in the environment will remove all parameters related to the old storage configuration.

Dan Esparza
  • 3
    On AWS EC2, you can omit the access and secret keys if you assign your EC2 instance an IAM role. – Ted Zlatanov Aug 04 '15 at 18:46
  • 1
    Good tip, @TedZlatanov! Also -- I should mention to anyone reading -- you can (and should) use a new IAM user for this. If using IAM you can still use access keys and secret keys -- but it's good to know there are use cases where you can omit them! – Dan Esparza Aug 04 '15 at 23:52
7

Try adding `-e REGISTRY_STORAGE=s3` to your docker run command. This overwrites the default filesystem configuration with an empty one.

Detail: https://github.com/docker/distribution/blob/master/docs/configuration.md > Override configuration options > Note
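
Added example, not part of any answer above and not the registry's own parser: a simplified Python model of the override rule quoted from the docs, showing why the question's variables leave the default filesystem section in place while adding `REGISTRY_STORAGE=s3` erases it. The default config contents, the parents-before-children ordering, the `{value: {}}` representation and the names `apply_env_overrides` and `storage_drivers` are assumptions of this sketch.

```python
import copy

PREFIX = "REGISTRY_"
# Constructed stand-in for the image's built-in config: filesystem storage.
DEFAULT_CONFIG = {
    "version": "0.1",
    "storage": {"filesystem": {"rootdirectory": "/tmp/registry"}},
}
# Constructed values mirroring the question's docker run command.
QUESTION_ENV = {
    "REGISTRY_STORAGE_S3_ACCESSKEY": "<access-key>",
    "REGISTRY_STORAGE_S3_SECRETKEY": "<secret-key>",
    "REGISTRY_STORAGE_S3_BUCKET": "example-bucket",
    "REGISTRY_STORAGE_S3_REGION": "us-east-1",
}
# The fix from the answers: the same variables plus the driver selector.
ANSWER_ENV = dict(QUESTION_ENV, REGISTRY_STORAGE="s3")


def apply_env_overrides(config, env):
    """Return a copy of config with REGISTRY_* overrides applied."""
    result = copy.deepcopy(config)
    paths = [(name[len(PREFIX):].lower().split("_"), value)
             for name, value in env.items() if name.startswith(PREFIX)]
    # Model assumption: shorter paths first, so REGISTRY_STORAGE is
    # handled before REGISTRY_STORAGE_S3_BUCKET.
    for path, value in sorted(paths, key=lambda item: len(item[0])):
        if path == ["version"]:
            continue  # the docs exclude version from overriding
        node = result
        for key in path[:-1]:
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        if isinstance(node.get(path[-1]), dict):
            # Map replaced by a string: all old sub-fields are erased and
            # only the named entry (here the s3 driver) remains, empty.
            node[path[-1]] = {value: {}}
        else:
            node[path[-1]] = value
    return result


def storage_drivers(config):
    """Names of the driver sections present under storage."""
    return sorted(config["storage"])


if __name__ == "__main__":
    for label, env in (("question", QUESTION_ENV), ("answer", ANSWER_ENV)):
        print(label, storage_drivers(apply_env_overrides(DEFAULT_CONFIG, env)))
```
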

3

I am loading the accesskey and secretkey via environment variables in my docker run command. However, I am specifying my bucket name and region in the config file, and in the process of looking for solutions to your problem, it appears that you must specify the region and bucket name in the config file. Any time I try to specify these in environment variables in my docker run command, I get errors and the container doesn't start. I suggest loading this information via the config file (and dropping those flags in your docker run command), and specifying your accesskey and secretkey via environment variables like you are. I've spent a bit of time digging through the source for information about why this doesn't work the way we think it should, but didn't come across anything really helpful. I think it must be something that AWS S3 doesn't like, but I didn't get far trying to shed light on that since it works for me in the above configuration. Good luck!

PS: In regards to your IAM access, there are some comments in the source that might help give you an idea of what to expect.

L0j1k
  • 1
    Just to confirm - when you say specify the name in the config file, that means I have to build the image from the dockerfile? On another note - I tried to just change config options and build the dockerfile. I only needed to add region and bucketname and left the access and secret key blank because I attached an IAM role with access to the bucket. I'm guessing the process is still a bit in the early stages for reg 2.0 since you have to build the image just to specify different config options – alexfvolk May 11 '15 at 23:46
  • To be honest, I would download the [distribution repo](https://github.com/docker/distribution) and build your own registry image from the provided Dockerfile in the root of the project. This is what's recommended anyways. But importantly, it lets you add a volume to the resultant container in which you can place your config.yml file. This is what I've done to get the registry running (since using the stock v2 registry image was a headache for me for config reasons). I hope I haven't been too confusing with this suggestion! – L0j1k May 11 '15 at 23:51
  • And yeah, totally, v2 registry is brand-spanking-new. As you probably already know, its API is pretty bare versus v1, but I've had much fewer problems with v2 already than I did trying to get v1 registry to work. – L0j1k May 11 '15 at 23:52
  • 1
    So to be clear, I am changing the `CMD` line of the Dockerfile to `CMD ["/registry/config.yml"]`, and then I am adding `-v /var/docker/docker-registry/config:/registry` to the `docker run` command. Then I am putting my `config.yml` file in the `/var/docker/docker-registry/config` directory, where the v2 registry will read from when starting after you build your v2 registry container from the new, modified Dockerfile. Let me know if that is confusing. – L0j1k May 11 '15 at 23:58
  • 1
    Thank you for going into more detail L0j1k, that definitely seems like a better approach than building from the Dockerfile, at least for purposes of automation. – alexfvolk May 12 '15 at 16:21
  • 1
    I guess I still have to build the Dockerfile, but actually I just read about mounting a single file, that way you don't have to replace the Dockerfile CMD since I figured you didn't want to overwrite other files in that directory. https://docs.docker.com/userguide/dockervolumes/ (Mount a Host File as a Data Volume) – alexfvolk May 12 '15 at 19:45
  • Yeah, absolutely! Mount it that way if you prefer. I have done it my way because it's just my habit to do it this way. If it suits you to mount the config.yml file that way, go for it. – L0j1k May 12 '15 at 19:47