For local development, or a team that wishes to keep their images off of the public Docker registry, a private registry may be useful. This can be hosted on your own server or local machine. See the Docker docs here for information on setting this up. A registry on localhost may greatly speed up iterative development in environments where the network is constrained.
To set up your fn service with authentication for any registry, you must provide fn with the DOCKER_AUTH env var:
DOCKER_AUTH='{"auths":{"http://my.registry.com:80":{"auth":"yourauthbase64here"}}}'
You may provide multiple auths in this way. It's also possible to run the fn docker container with a volume mounted ~/docker/config.json or use a local version of fn against your locally configured dockerd.
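The following check is an added example, not code from the Fn or Docker projects. It audits a DOCKER_AUTH value before it is handed to fn: each auth field is only base64 of username:password (an encoding, not encryption), and an entry whose registry key starts with http:// sends that credential in cleartext. The sample credentials and the registry names other than the page's my.registry.com are constructed; only keys with an explicit http:// scheme are flagged.

```python
import base64
import json


def audit_docker_auth(value):
    """Return one finding per registry entry in a DOCKER_AUTH JSON string."""
    findings = []
    for registry, entry in json.loads(value).get("auths", {}).items():
        issues, username = [], None
        try:
            # Docker stores the credential as base64("username:password").
            raw = base64.b64decode(entry.get("auth", ""), validate=True)
            user, sep, password = raw.decode("utf-8").partition(":")
            if sep and user and password:
                username = user
            else:
                issues.append("auth is not username:password")
        except ValueError:  # covers bad base64 and bad UTF-8
            issues.append("auth is not valid base64")
        # Only an explicit http:// key is flagged (assumption of this check).
        if registry.lower().startswith("http://"):
            issues.append("credentials sent over plain http")
        # The password is deliberately never returned or printed.
        findings.append({"registry": registry, "username": username, "issues": issues})
    return findings


def make_auth(user, password):
    """Build the auth field the same way docker login does."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample input; the credentials are placeholders.
SAMPLE_DOCKER_AUTH = json.dumps({"auths": {
    "http://my.registry.com:80": {"auth": make_auth("ci-bot", "example-password")},
    "https://registry.example.internal": {"auth": make_auth("ci-bot", "example-password")},
    "localhost:5000": {"auth": "not base64!"},
}})

if __name__ == "__main__":
    for finding in audit_docker_auth(SAMPLE_DOCKER_AUTH):
        status = "; ".join(finding["issues"]) or "ok"
        print(f'{finding["registry"]}: user={finding["username"]} -> {status}')
```

Because the value decodes this easily, anything that can read the fn service's environment can recover the registry password.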
This is where the FN_REGISTRY environment variable or --registry setting comes into play.
This determines where your images will be pushed to or deployed from. It can follow one of the following schemes:
- myuser -> docker.io/myuser/<image>:<tag>. Used for interacting with the official Docker registry.
- somedomain.com -> somedomain.com/<image>:<tag>. A custom registry hosted at the given domain. The image is not nested under a path.
- somedomain.com:port -> somedomain.com:port/<image>:<tag>. A custom registry hosted at the given port. (Useful for insecure http registries running on port 80/5000).
- somedomain.com[port?]/path -> somedomain.com[port?]/path/<image>:<tag>. The image will be nested under the given path. This path can be more than one element.
If your registry is not hosted over https, your Docker daemon must be configured to treat the registry as http only.
In most installations this will require adding the <hostname>:<port> to the insecure-registries configuration for the Docker daemon. See here for more details and troubleshooting. Docker-for-Mac will require changing a setting in the UI.
Starting a registry:2 container:
$ docker run -d -p 5000:5000 --name registry registry:2
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c18ac6172e0d registry:2 "/entrypoint.sh /e..." 2 seconds ago Up 2 seconds 0.0.0.0:5000->5000/tcp registry
Given a function called "dummy":
$ ls ./dummy
func.go func.yaml
$ cat ./dummy/func.yaml
version: 0.0.1
runtime: go
entrypoint: ./func
format: http
Upload it to your registry (notice the use of --registry):
$ fn deploy --app myapp --registry localhost:5000/some/path
Deploying dummy to app: myapp at path: /dummy
Bumped to version 0.0.2
Building image localhost:5000/some/path/dummy:0.0.2 ..
Pushing localhost:5000/some/path/dummy:0.0.2 to docker registry...The push refers to a repository [localhost:5000/some/path/dummy]
5fcef0dbce8b: Pushed
ce4a1aad8bd7: Pushed
88229188f6e3: Pushed
d82c387bddae: Pushed
0.0.2: digest: sha256:369e158767c89357142f4f394618838b04865af7ab6afc183b38b5f46a0ece3f size: 1155
Updating route /dummy using image localhost:5000/some/path/dummy:0.0.2...
Now you can use the route and function named "dummy" as normal.
Pushing images to registries that require authentication (like Docker Hub) will require the use of docker login from your developer machine. This will be similar for your private registry if you have authentication enabled.
For pulling images you may also require your Docker daemon to be authenticated. This also needs to be done via docker login, but the official documentation demonstrates useful alternatives for automating credential usage via a config file or external credential providers, which is suggested for larger fleets of machines.