Q&A: Running Docker in Production

November 11, 2015 By Derek Weeks

10 minute read time

On October 29, Sonatype hosted a discussion about the upcoming release of Nexus 3. This release will provide support for Docker images as a private Docker registry. A full recording of the discussion is available on YouTube.

https://www.youtube.com/watch?v=qlsGHSFJ2ss

While we covered Q&A during the webinar, there were many questions that we did not get to answer during the recording. We have listed many of the questions not addressed in the sessions with Jeffry Hesse and Chris Riley here, including:

  • Nexus 3 General Availability
  • Requirements for Docker Support
  • Milestone 6 Release Plans
  • Migrations
  • Security and Governance
  • Configurations

Nexus Repository Manager OSS v3 (General Availability)

Q: When is the official release date for Nexus 3?

A: Certain aspects of the platform are ready now, and we have been supporting the community already in its usage. Docker support is perhaps the best example, with Docker v2 format support having arrived in the Milestone 6 release. npm fits this category as well. That said, there are elements that still require more work, such as migrating an existing install from version 2.x to 3.x, which isn’t applicable in the case of Docker.

The final production release will be available in Q1’2016. That said, starting with Milestone 6, Docker is now ready for production use in Nexus 3. There is no reason for anyone to wait for the final production release, as this part of the solution is in very good shape. It’s time to roll Milestone 6 into production.

If you are a licensed user of Sonatype products, you can reach us for Docker support through your normal channels. For all others, we will handle Nexus OSS support questions as usual through support@sonatype.com and other common community forums as we have done for years.

The major focus now is on the upgrade from the version 2.x install base. With several million users, the most important aspect is getting it right, and delivering on the quality that the Nexus OSS user base has come to expect.


Requirements for Docker Support

Q: Is this an additional license for those already using Nexus as a Maven repo?

A: No, support for Docker images is free and will be included as a part of the base functionality of Nexus Repository Manager OSS v3.

Q: Is Nexus Repository Manager OSS 3.x a must have requirement to host Docker containers?

A: Yes. To host Docker images you need to use Nexus Repository Manager OSS v3.

Q: That looks really good. Will it require anything other than additional disk space over the existing Nexus release?

A: Nexus 3 requires Java 8, which is a change compared to Nexus 2. Consider there to be no other major changes. For setting up a Docker repository you’d likely want to place the blobstore (where the repo saves to disk) on a large volume, since images are quite a bit larger than most artifacts stored in Nexus previously.

Nexus Repository Manager OSS v3 (Milestone 6)

Q: Which version of the Docker Registry API are you using for this demo?

A: We showed the v1 format capability. v2 format capability is now available with Nexus 3 Milestone 6.

Q: What version of Nexus do I need? I just downloaded during the demo and I don’t see the features.

A: Nexus 3 Milestone 5 contains Docker v1 format capability. More info here: http://www.sonatype.org/nexus/2015/09/21/please-containerize-your-excitement-nexus-3-milestone-5-release/

Milestone 6 is available. Please take a moment to download Milestone 6 and install it. That Milestone contains v2 format capabilities.

Migrations

Q: When moving from Nexus OSS version 2 to version 3, is there anything that would cause us to have a lot of work in performing the move? (e.g., breaking changes between the two)

A: To better answer this question I’d have to know more about your current Nexus Repository Manager v2 setup. Feel free to follow up directly with me, I’d love to be of help :)

Q: We maintain multiple Docker registries inside the same organization. What's your process to migrate images from one registry to another?

A: If this question is in regard to migrating from v1 to v2, we are testing the docker migrate tool and will share our results. This tool is available here: https://github.com/docker/migrator and is provided by Docker to do what you describe. In theory once we verify this, you’d specify your current Docker v1 registry and then input Nexus 3 Milestone 6 as your v2 registry.

If this question is about migrating in general please feel free to follow up directly with me.

Configurations

Q: Do you always have to use the full IP and port of the registry or is there a way to use short names?

A: No. You can set up a hostname such as nexus.yourcompany.com and point it at the Nexus install. You could then use nexus.yourcompany.com:18082, for example, instead of the full IP. On a Linux environment, you may use localhost as well if you are running Nexus locally. This is more complicated on OS X, since docker-machine is used to set up a VM to run the Docker engine.

Security / Governance

Q: Also, can you limit users to not being able to pull from Docker Hub?

A: Yes. Within Nexus itself, if you set up a proxy of the Docker Hub you could limit access via Roles and Permissions. Outside of Nexus functionality, I imagine your organization could prevent outbound requests to the Docker Hub via your firewall or a rule set applied to local machines.

Q: Is Sonatype planning to provide any security related features for containers?

A: On November 10, Sonatype and Twistlock announced a strategic partnership to improve security for Docker and other container technologies. More details on this announcement can be found here.

Other Capabilities

Q: You showed a lot of use of the docker search command in your demo. This command is not yet part of Docker Registry API V2; how does Sonatype/Nexus plan to deal with that?

A: What we’ve done so far is build the v2 format support so that it falls back to v1 endpoints, so search continues to work; we viewed this as very useful functionality. Once the v2 format supports search we will likely revisit this, of course.

Q: Pulling and pushing docker images -- is there a graphical interface?

A: I am personally unaware of one; I believe all the Docker tooling is currently on the command line. We see many DevOps and Continuous Delivery practices automating the pulling and pushing of Docker images. Because of this, a graphical user interface is not the highest priority requirement.

Q: When you pull an image, does it check for newer images in the upstream repositories every time?

A: The logic that Nexus 3 follows is:

    • If an image is requested and is not in Nexus, it will check the upstream repository for it. If the image is available upstream, it will download it and cache it locally within Nexus.
    • If the image is requested and is available in neither Nexus nor the upstream, Nexus will cache the fact that the image is missing (Not Found Cache) and will not recheck until a period of time has passed.
    • If the image is cached locally on Nexus and its age is beyond the maximum artifact age, Nexus will reach out to the upstream to see if there is a new version. If there isn’t, it will still use the locally cached version.

The values that control both caches can be configured in a Docker proxy repo; they are Maximum artifact age and Not found cache TTL.
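As an added illustration (not Nexus code), the following Python model plays the three rules above against a constructed upstream; the image names, digests and one-day settings are made up. It makes visible the two windows an operator should keep in mind: a tag rebuilt upstream keeps being served from cache until Maximum artifact age passes, and an image pushed after a miss stays invisible until the Not found cache TTL expires.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class DockerProxyCache:
    """Illustrative model (not Nexus code) of the pull decision in a Docker proxy repo."""
    max_artifact_age: int                 # "Maximum artifact age", here in seconds
    not_found_ttl: int                    # "Not found cache TTL", here in seconds
    upstream: Callable[[str], Optional[str]]   # hypothetical upstream lookup: digest or None
    cached: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # image -> (digest, fetched_at)
    not_found: Dict[str, int] = field(default_factory=dict)           # image -> time of the miss

    def _ask_upstream(self, image: str, now: int) -> Optional[str]:
        digest = self.upstream(image)
        if digest is not None:
            self.cached[image] = (digest, now)        # download and cache locally
            self.not_found.pop(image, None)
        elif image not in self.cached:
            self.not_found[image] = now               # remember the miss (Not Found Cache)
        return digest

    def pull(self, image: str, now: int) -> Tuple[Optional[str], str]:
        """Return (digest or None, where the answer came from)."""
        if image in self.cached:
            digest, fetched_at = self.cached[image]
            if now - fetched_at <= self.max_artifact_age:
                return digest, "cache"                # young enough: upstream is not consulted
            fresh = self._ask_upstream(image, now)    # past max age: look for a newer version
            if fresh is None or fresh == digest:      # nothing newer: keep the local copy
                self.cached[image] = (digest, now)    # (assumption: re-check again after max age)
                return digest, "cache"
            return fresh, "upstream"
        miss_at = self.not_found.get(image)
        if miss_at is not None and now - miss_at < self.not_found_ttl:
            return None, "not-found-cache"            # recent miss replayed, upstream not asked
        digest = self._ask_upstream(image, now)
        return digest, "upstream" if digest is not None else "not-found"

def demo() -> List[Tuple[Optional[str], str]]:
    """Constructed scenario with both settings at one day (86400 s); times are seconds."""
    registry = {"acme/app:1.0": "sha256:aaa"}                 # constructed upstream contents
    proxy = DockerProxyCache(86400, 86400, lambda img: registry.get(img))
    trace = [proxy.pull("acme/app:1.0", now=0),               # miss -> fetched from upstream
             proxy.pull("acme/app:1.0", now=600),             # served from cache
             proxy.pull("acme/ghost:1.0", now=600)]           # absent everywhere -> miss remembered
    registry["acme/ghost:1.0"] = "sha256:ggg"                 # image is pushed upstream later...
    trace.append(proxy.pull("acme/ghost:1.0", now=1200))      # ...but the cached 404 is replayed
    registry["acme/app:1.0"] = "sha256:bbb"                   # same tag rebuilt upstream (a fix, say)
    trace.append(proxy.pull("acme/app:1.0", now=3600))        # under max age: old digest still served
    trace.append(proxy.pull("acme/app:1.0", now=90000))       # past max age: new digest picked up
    return trace
```

Shortening either setting narrows its window at the cost of more upstream traffic; lengthening it does the reverse.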


Q: Do you have HA implemented?

A: The details of this are not being made publicly available at this time, other than to say Nexus 3 is going to support HA. You are going to love what we have planned here.

Q: We typically purge old candidates that were not tagged for going forward in the QA pipeline towards production. Any support for purging docker images? Somewhat like snapshot purging for maven?

A: Yes. As mentioned in the webinar, we created a Scheduled Task called “Purge Unused Components and Assets” that will do this for Proxy repositories.

Hosted repositories will take a different approach, as Docker images can be shared by other images and we want to ensure the functionality will address this need without causing administrative or operational headaches.

There is a ticket in the Nexus Repo Manager JIRA that relates to this if you’d like to follow along: https://issues.sonatype.org/browse/NEXUS-9293

Q: Does Nexus support Windows Container Images?

A: Yes. Nexus will accept any image as long as it’s pushed using the Docker command line tool. Information on managing Windows Container Images with Docker can be found here: https://msdn.microsoft.com/en-us/virtualization/windowscontainers/quick_start/manage_docker

Q: Will staging functionality be available like the one you have for Maven, Staging and Promotion workflow?

A: We are revisiting Staging to reimagine what it looks like in the future, which includes looking at how it applies to other formats. It is a bit too early to fully answer the question, but we think you will like what we have planned.

Q: Will Nexus support the 'smart-proxy' feature for the docker images?

A: We are also revisiting the smart-proxy. We believe there is an even better way to deliver this feature in Nexus 3. More news on this will be forthcoming.

Please take a moment to read the release notes and download Milestone 6. If you have further questions that we did not address here, feel free to email us and we’ll make sure to respond quickly.

Tags: Google Container Registry, HA, Nexus vs. Artifactory, Nexus 3, Docker, Private Docker Registry, Nexus Repository, containers, High Availability

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.