Use Nexus as Docker Registry

Last modified by Christian Reiber on 2020/07/22 19:16

What is it

Docker images are usually retrieved from an image registry. The artefact repository Nexus (stack are-nexus) can act as such a registry.

Unfortunately this is not as straightforward as one might think, because the Docker Registry protocol cannot be routed by a URL path prefix: the Docker client always talks to the fixed API path /v2/ on the registry host, and everything after the host in an image reference is part of the image name, not a routing prefix. An image reference therefore consists of the registry host's FQDN and the image name, separated by a slash, e.g. docker.msg.team/postgres. This is not compatible with ProjectServer's reverse proxy pattern, which requires the software stack's name to be the first element of every URL path. To reach the Docker registry through the reverse proxy we therefore need a "second way" in, i.e. special handling by the reverse proxy. This works by addressing the Docker registry through a DNS name of its own: a request for that hostname triggers a dedicated rule set in the reverse proxy, which forwards the request to the Docker registry port of the Nexus stack.

Prerequisites

  • Establish a second DNS entry for your ProjectServer host (recommendation: extend your hostname by "-docker", e.g. if your PS4 host is named ps.unit.msg.team then call the second hostname ps-docker.unit.msg.team). This DNS entry must point to the IP address through which you wish to access the Docker registry, i.e. if it is to be accessible from the Internet the DNS entry must point to the external IP address.
  • If you want the Docker registry to be accessible from the Internet, additionally provide an SSL/TLS certificate. This is either a certificate issued specifically for the Docker registry's hostname or a wildcard certificate whose pattern matches it. Note that a wildcard covers exactly one DNS label: *.ps.unit.msg.team matches docker.ps.unit.msg.team but not ps-docker.unit.msg.team, so with the naming recommended above the wildcard would have to be *.unit.msg.team.

In a public cloud these resources are usually obtained from the cloud provider; in the case of msg.Cloud contact ZI.

How to achieve it

  • If Nexus is already installed, uninstall it first: docker-stack uninstall are-nexus (Note: this destroys neither your current Nexus configuration nor the repository contents.)
  • Configure the following Nexus parameter: docker-stack configure params are-nexus DOCKER_STACK_XTR_GATEWAY="FQDN:are-nexus.proxy:9000" (for "FQDN" use the new hostname you created in DNS for the Docker registry)
  • Install Nexus: docker-stack install are-nexus (note that Nexus takes about two minutes after such a "cold start" until it is available)
  • Choose the protocol:
    • If you want to access the registry through HTTPS, provide an SSL/TLS certificate issued for the FQDN (or a wildcard that matches it, see Prerequisites). See this HowTo for instructions on how to accomplish that.
    • If you want to access the registry through HTTP, you have to declare it an "insecure registry" to your Docker client (for Docker, modify /etc/docker/daemon.json as detailed here). Include the port in that entry even if you use the default port 80. Bear in mind that with plain HTTP the docker login credentials and all image layers travel in cleartext, so use this variant only on a trusted internal network and never for a registry reachable from the Internet.
  • In Nexus create a new repository:
    • Select one of these types:
      • docker (hosted) for a private repository for your own images
      • docker (proxy) for a repository that mirrors some other Docker registry (like Docker Hub)
      • docker (group) for a group repository which combines your own repository with a fallback to another repository (a "hosted" repository can be promoted to a "group" repository later)
    • Select an appropriate name.
    • Create a repository connector (endpoint) on port 9000 for the HTTP protocol. (This holds even if you access the registry through HTTPS and is not security critical, because it only affects the communication between the reverse proxy and Nexus, which takes place on an internal network that cannot be intercepted from the outside. A connector port can belong to only one repository, so if you run several Docker repositories, put the port 9000 connector on the one clients should see, typically the group.) The following screenshot shows a sample setup:

(Screenshot image-20200722211619-1.png: sample repository connector setup in Nexus)

To address an image in this Docker registry, use FQDN/repositoryname/imagename.
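As an added example (not part of this page or of the ProjectServer tooling), the following POSIX shell script collects the checks a practitioner would run around the steps above: whether a wildcard certificate actually covers the chosen registry hostname, how the image reference FQDN/repositoryname/imagename is formed, the /etc/docker/daemon.json fragment for the HTTP variant, and an online smoke test of the registry through the reverse proxy. All hostnames, repository and image names in it are placeholders, and REGISTRY_FQDN / REGISTRY_REPO are variables of this script, not of docker-stack.

```shell
#!/bin/sh
# Added example, not part of the ProjectServer / are-nexus documentation.
# Helper functions for the prerequisites and steps above. All hostnames,
# repository and image names are placeholders (assumed, not from the page);
# REGISTRY_FQDN / REGISTRY_REPO are assumed variables of this script only.

# Wildcard certificate rule (RFC 6125): "*" matches exactly one DNS label.
# *.ps.unit.msg.team therefore covers docker.ps.unit.msg.team but NOT the
# recommended ps-docker.unit.msg.team, which needs *.unit.msg.team instead.
# Usage: cert_name_matches PATTERN HOSTNAME  -> exit status 0 on match
cert_name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        \*.*)
            suffix=${pattern#\*.}    # part after "*."
            first=${host%%.*}        # leftmost label of the host
            rest=${host#*.}          # everything after the first dot
            if [ "$rest" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]; then
                return 0
            fi
            return 1 ;;
        *)
            [ "$pattern" = "$host" ] && return 0
            return 1 ;;
    esac
}

# Build FQDN/repositoryname/imagename[:tag] as the page prescribes, refusing
# path components Docker would reject (registry paths must be lowercase;
# this check is slightly stricter than Docker's own grammar).
# Usage: image_ref FQDN REPOSITORY IMAGE [TAG]
image_ref() {
    fqdn=$1; repo=$2; image=$3; tag=${4:-}
    for part in "$repo" "$image"; do
        if ! printf '%s' "$part" | grep -Eq '^[a-z0-9]+([._-][a-z0-9]+)*$'; then
            echo "invalid path component '$part' (lowercase letters, digits, . _ - only)" >&2
            return 1
        fi
    done
    if [ -n "$tag" ]; then
        printf '%s/%s/%s:%s\n' "$fqdn" "$repo" "$image" "$tag"
    else
        printf '%s/%s/%s\n' "$fqdn" "$repo" "$image"
    fi
}

# HTTP variant only: the /etc/docker/daemon.json fragment. The port is part
# of the entry even for the default port 80. Plain HTTP sends the docker
# login credentials and every layer in cleartext: trusted internal network only.
# Usage: insecure_registry_json FQDN [PORT]
insecure_registry_json() {
    printf '{\n  "insecure-registries": ["%s:%s"]\n}\n' "$1" "${2:-80}"
}

# --- online checks (need DNS, openssl, curl, docker); skipped unless
# --- REGISTRY_FQDN is set, so the file can be sourced for the helpers alone.

# The second hostname must resolve (to the external address if the registry
# is meant to be reachable from the Internet).
check_dns() { getent hosts "$1"; }

# The certificate served on 443 for this hostname must actually cover it;
# "openssl x509 -checkhost" only reports the result as text, hence the grep.
check_tls() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -checkhost "$1" | grep -q 'does match'
}

# The registry API lives at the fixed path /v2/. 200 (anonymous read) or 401
# (auth required) means the proxy rule forwards to Nexus port 9000; anything
# else (e.g. 404 from the default ProjectServer rules) means it does not.
# Usage: check_v2 https://FQDN
check_v2() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' "$1/v2/")
    case $code in
        200|401) return 0 ;;
        *) echo "unexpected HTTP $code from $1/v2/" >&2; return 1 ;;
    esac
}

# Round trip: tag a small public image into a hosted repository, push it,
# drop the local copy and pull it back. Run "docker login FQDN" first.
# Usage: smoke_test FQDN REPOSITORY
smoke_test() {
    ref=$(image_ref "$1" "$2" hello-world smoke) || return 1
    docker pull hello-world:latest \
        && docker tag hello-world:latest "$ref" \
        && docker push "$ref" \
        && docker rmi "$ref" \
        && docker pull "$ref"
}

# Example invocation with placeholder names:
#   REGISTRY_FQDN=ps-docker.unit.msg.team REGISTRY_REPO=team-images sh registry-check.sh
if [ -n "${REGISTRY_FQDN:-}" ]; then
    check_dns "$REGISTRY_FQDN" \
        && check_tls "$REGISTRY_FQDN" \
        && check_v2 "https://$REGISTRY_FQDN" \
        && smoke_test "$REGISTRY_FQDN" "${REGISTRY_REPO:-team-images}"
fi
```

Source the file to use the helpers offline (e.g. to test a certificate pattern before ordering it); set REGISTRY_FQDN to run the online part against a deployed registry. The push in the smoke test needs a hosted repository behind the connector; the pull-through and API checks work for proxy and group repositories as well.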

Tags: are-nexus
Created by Christian Reiber on 2019/07/31 17:36
