Create NFS datastore in VMware Web Client

ESXi can access a designated NFS volume, mount the volume, and use it for its storage needs. You can use NFS volumes to store and boot virtual machines in the same way that you use VMFS datastores.

ESXi supports the following shared storage capabilities on NFS volumes:

  • vMotion
  • VMware DRS and HA
  • ISO image CD-ROMs to virtual machines
  • Virtual Machine snapshots

ESXi does not impose any limits on the NFS datastore size.

Create NFS datastore on your VMware vCenter

  • Log in to your Web Client
  • Click “Hosts and Clusters” under vCenter
  • Click your host -> Datastores -> “New Datastore”
  • Select NFS on “Type” -> Click Next
  • Select NFS Version (NFS 3) -> Click Next
  • Enter your Datastore Name, Folder location and Server details -> Click Next
  • Finish

Then refresh your datastore list and make sure the host is connected to the NFS storage.

Mount NFS Datastore to Multiple Hosts

Starting with vSphere 6.0, VMware introduced a really handy feature to mount an NFS datastore to additional hosts directly from the Web Client. It is very useful when you add multiple hosts and want to use vMotion and the other features listed above.

Steps to add additional hosts to an existing NFS datastore:

  • Choose the datastore which you would like to add to additional hosts
  • Right click or click Actions
  • Click “Mount Datastore to Additional Hosts”
  • Select the hosts that you want to mount the datastore on
  • Click OK

The datastore is mounted automatically on all the additional ESXi hosts. For both NFS 3 and NFS 4.1, ESXi supports AUTH_SYS security; note that NFS 3 with ESXi does not provide multipathing support. When you create an NFS datastore, make sure the security settings and network connections are in place.


Nginx Basic auth for private registry pull and push

I was looking for a way to tell Nginx to authenticate all GET requests against one user list and all other requests (POST, PUT, DELETE, etc.) against a different user list. This Nginx configuration restricts access by HTTP method to separate sets of users.

This is very useful for private Docker registries, where you want every member of your team to be able to fetch Docker images, but only some users (for example admin or super admin) to push new images to the registry.

Example:

  • The write user can use GET, POST, PUT, DELETE and everything else.
  • The read user can only use GET and HEAD.
  • Anonymous users are denied access entirely.


We can use limit_except to configure this setup in Nginx.

limit_except limits the allowed HTTP methods inside a location.

Syntax: limit_except method ... { ... }

The method parameter can be one of the following: GET, HEAD, POST, PUT, DELETE, MKCOL, COPY, MOVE, OPTIONS, PROPFIND, PROPPATCH, LOCK, UNLOCK, or PATCH. Allowing the GET method makes the HEAD method also allowed.

Configure Nginx authentication for the Docker private registry pull accounts and push accounts using limit_except.

Create the Docker pull users' auth file:

# htpasswd -c /etc/nginx/.htpasswd_read read
Enter your password when prompted.

read:$apr1$3WGzD7n7$nqa0h1K.8B/T7H23d64vM0

Create the Docker pull/push users' auth file:

# htpasswd -c /etc/nginx/.htpasswd_write write
Enter your password when prompted.

write:$apr1$3WGzD7n7$nqa0h1K.8B/T7H23d64vM0

Add these settings to the /v2/ location of your Nginx config for the Docker registry v2 setup. See the example of how to set up a private Docker registry with Nginx.

# vi nginx.conf

location /v2/ {
    auth_basic "read";
    auth_basic_user_file /etc/nginx/.htpasswd_read;
    limit_except GET {
        auth_basic "write";
        auth_basic_user_file /etc/nginx/.htpasswd_write;
    }
    proxy_pass http://docker-registry;
}


Now you can test Docker registry pull and push using your read and write users.
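As an added example (not from the original post), the following Python emulates the decision the Nginx block above makes, so both htpasswd files can be checked offline before deploying: GET and HEAD are verified against the read file, every other method against the write file. It carries its own APR1 ($apr1$) MD5 implementation because that is the hash format htpasswd wrote above; the user names, passwords and salts in the sample files are constructed.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_md5(password: str, salt: str) -> str:
    """Apache APR1 MD5 crypt: the $apr1$<salt>$<hash> format htpasswd -m writes."""
    pw, salt_b = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                  # bit-dependent NUL / first-char mixing
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # 1000 rounds of key stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(salt_b)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = b""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c_]
        out += bytes(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(4))
    out += bytes(ITOA64[(final[11] >> (6 * k)) & 0x3F] for k in range(2))
    return "$apr1$" + salt_b.decode() + "$" + out.decode()

def check_password(htpasswd_text: str, user: str, password: str) -> bool:
    """Verify user:password against the contents of an htpasswd file ($apr1$ entries)."""
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("$apr1$"):
            return hmac.compare_digest(apr1_md5(password, stored.split("$")[2]), stored)
    return False

def authorize(method: str, user: str, password: str, read_file: str, write_file: str) -> bool:
    """Mirror the nginx block: GET/HEAD (limit_except GET also allows HEAD) use .htpasswd_read, all else .htpasswd_write."""
    if method.upper() in ("GET", "HEAD"):
        return check_password(read_file, user, password)
    return check_password(write_file, user, password)

# Constructed sample files; the "write" user is listed in both so it can also pull.
READ_FILE = "read:" + apr1_md5("readpass", "a1b2c3d4") + "\nwrite:" + apr1_md5("writepass", "e5f6g7h8")
WRITE_FILE = "write:" + apr1_md5("writepass", "e5f6g7h8")
```

Because GET is checked only against .htpasswd_read, a push user who also needs to pull must be present in both files, as the sample shows.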


Configure docker local Registry Proxy Cache

If you run multiple servers with the Docker daemon, each daemon goes out to the internet and fetches any image it does not have locally from Docker Hub or your private Docker registry. This costs extra internet traffic and server resources. To avoid the extra bandwidth and load, you can configure a local Docker registry proxy cache (mirror) and point all the servers' Docker daemons at it to pull images.

It is possible to set up a local Docker registry which acts as a cache for already pulled images. If an image is not cached, the proxy pulls it from the public Docker registry and stores it locally before handing it back to you. On subsequent requests, the registry mirror serves the image from its own storage to the requesting clients.

Docker Registry Proxy Cache Mirror

How to configure a Registry as a pull-through cache

The easiest way to run a registry as a pull-through cache is to run the official Registry image and set proxy.remoteurl in /etc/docker/registry/config.yml, as per the instructions.

Download the config.yml file.

docker run -it --rm --entrypoint cat registry:2 /etc/docker/registry/config.yml > /var/lib/registry/config.yml

To configure a Registry to run as a pull-through cache, add a proxy section to the config file config.yml:

proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]

The ‘username’ and ‘password’ settings are optional.

The proxy structure allows a registry to be configured as a pull-through cache to Docker Hub.

# vi /var/lib/registry/config.yml

## Example configuration file.

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io

Start your registry proxy cache container:

# docker run -d --restart=always -p 5000:5000 --name registry-mirror -v /var/lib/registry:/var/lib/registry registry:2 /var/lib/registry/config.yml

Verify your registry proxy cache is up and running on your server.

# curl localhost:5000/v2/_catalog
{"repositories":[]}

Configure the Docker daemon with registry mirror

Log in to your remote Docker server.

Either pass the --registry-mirror option when starting dockerd manually, or edit /etc/docker/daemon.json and add the registry-mirrors key and value to make the change persistent:

{
  "registry-mirrors": ["http://<registry-mirror-host>:5000"]
}

Save the file and reload Docker for the change to take effect.

Or, you can configure the Docker daemon with the --registry-mirror startup parameter:

# dockerd --registry-mirror=http://registry-mirror-host:5000

For our Docker version 1.12.5, we added the registry mirror in /etc/sysconfig/docker:

# vi /etc/sysconfig/docker

Add “--registry-mirror=http://registry-mirror-host:5000” to OPTIONS:

OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --registry-mirror=http://registry-mirror-host:5000'
# systemctl daemon-reload
# systemctl restart docker.service

Test your docker registry proxy cache

Pull an image from Docker Hub that you do not currently have stored locally, for example the ubuntu:latest image:

# docker pull ubuntu

Check the catalog to verify that the image was cached:

# curl registry-mirror-host:5000/v2/_catalog
{"repositories":["library/ubuntu","library/wordpress"]}
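The following Python is an added example, not part of the original post or of the Registry project: it reads the mirror's storage tree (the layout the filesystem driver writes under rootdirectory, here a constructed temporary copy with placeholder digests) to list every cached repository, tag and manifest digest, and cross-checks that inventory against a /v2/_catalog response like the one shown above.

```python
import json
import os
import tempfile

# Where the filesystem storage driver keeps repositories below rootdirectory.
REPOS_SUBDIR = os.path.join("docker", "registry", "v2", "repositories")

def cached_images(rootdirectory: str) -> dict:
    """Inventory the mirror's on-disk storage: {repository: {tag: manifest digest}}."""
    repos_dir = os.path.join(rootdirectory, REPOS_SUBDIR)
    inventory = {}
    for dirpath, dirnames, _ in os.walk(repos_dir):
        if os.path.basename(dirpath) != "_manifests":
            continue
        dirnames[:] = []  # do not descend into the manifest store itself
        repo = os.path.relpath(os.path.dirname(dirpath), repos_dir).replace(os.sep, "/")
        tags = {}
        tags_dir = os.path.join(dirpath, "tags")
        if os.path.isdir(tags_dir):
            for tag in sorted(os.listdir(tags_dir)):
                link = os.path.join(tags_dir, tag, "current", "link")  # holds "sha256:<hex>"
                if os.path.isfile(link):
                    with open(link) as fh:
                        tags[tag] = fh.read().strip()
        inventory[repo] = tags
    return inventory

def catalog_drift(catalog_json: str, rootdirectory: str) -> tuple:
    """Compare GET /v2/_catalog output with what is actually cached on disk.
    Returns (repos on disk but not listed, repos listed but absent on disk)."""
    listed = set(json.loads(catalog_json)["repositories"])
    on_disk = set(cached_images(rootdirectory))
    return sorted(on_disk - listed), sorted(listed - on_disk)

def build_sample_cache() -> str:
    """Constructed sample storage tree; the digests are placeholders, not real image digests."""
    root = tempfile.mkdtemp(prefix="registry-mirror-")
    samples = (
        ("library/ubuntu", "latest", "sha256:" + "a" * 64),
        ("library/wordpress", "4.7", "sha256:" + "b" * 64),
        ("acme/unlisted", "v1", "sha256:" + "c" * 64),  # cached but not in the catalog
    )
    for repo, tag, digest in samples:
        current = os.path.join(root, REPOS_SUBDIR, repo, "_manifests", "tags", tag, "current")
        os.makedirs(current)
        with open(os.path.join(current, "link"), "w") as fh:
            fh.write(digest)
    return root
```

Point cached_images at the real rootdirectory (/var/lib/registry in the config above) to see which tags and digests the fleet has actually pulled through the mirror, which _catalog alone does not show.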