Tag Archives: vgcreate

Docker Private Registry on Nutanix

While still investigating the various Docker storage options, I would like to save my Docker images/containers locally. To that end I need to set up a Docker Private Registry on my Nutanix virtualisation platform. Docker Hub provides a registry image ready for download that lets you have a private on-premise registry ready in a few commands. However, we want to be able scale our registry and use the availability features provided by the Acropolis management interfaces. For example, take advantage of things like redundant vDisks (RF2), snapshots and clones to take copies of the registry, and the ability to migrate the registry between hosts. In which case, the first thing to consider is how to persist the registry data volume on the Docker host VM. To this end I created a LVM stripe volume on top of mirrored vDisks as follows :

Add 6 x 100GB Nutanix VDisks to guest OS...

[2:0:1:0] disk NUTANIX VDISK 0 /dev/sdb
[2:0:2:0] disk NUTANIX VDISK 0 /dev/sdc
[2:0:3:0] disk NUTANIX VDISK 0 /dev/sdd
[2:0:4:0] disk NUTANIX VDISK 0 /dev/sde
[2:0:5:0] disk NUTANIX VDISK 0 /dev/sdf
[2:0:6:0] disk NUTANIX VDISK 0 /dev/sdg

# pvcreate /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg
 Physical volume "/dev/sdb" successfully created
 Physical volume "/dev/sdc" successfully created
 Physical volume "/dev/sdd" successfully created
 Physical volume "/dev/sde" successfully created
 Physical volume "/dev/sdf" successfully created
 Physical volume "/dev/sdg" successfully created

# vgcreate registry /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg
 Volume group "registry" successfully created

# lvcreate -i 6 -l 100%VG -n registry registry
 Using default stripesize 64.00 KiB.
 Logical volume "registry" created.

# mkfs.xfs /dev/mapper/registry-registry

# mkdir -p /data/registry

# grep registry /etc/fstab
# Docker registry volume
/dev/mapper/registry-registry /data/registry xfs defaults 0 0

The following command starts the registry with the newly created persistent storage:

docker run -d -p 5000:5000 --restart=always --name nx-registry \
-v /data/registry/:/var/lib/registry registry:2

This means I can now pull and push images to and from my private registry…

# docker pull couchbase
Using default tag: latest
latest: Pulling from library/couchbase
b45376f323f5: Pull complete
23c388b926b6: Pull complete
10f1b5844a9c: Pull complete
2a7a952931ec: Pull complete
fc38f156c0ea: Pull complete
815f08b3c781: Pull complete
d9b2222c39b4: Pull complete
1a8da511d01b: Pull complete
5f37b8bdc5a6: Pull complete
18165b90fefa: Pull complete
e8a83a5448df: Pull complete
5537747ea12f: Pull complete
30852bbad62b: Pull complete
dd8c5611343d: Pull complete
45abdd57689a: Pull complete
Digest: sha256:d6c6841c9ff7f00edc42c97a8023f013267924e040f1a1610d3638aa7d2fe9c2
Status: Downloaded newer image for couchbase:latest

# docker tag couchbase localhost:5000/couchbase

[root@fed22-docker-registry ~]# docker push localhost:5000/couchbase
The push refers to a repository [localhost:5000/couchbase] (len: 1)
45abdd57689a: Image successfully pushed
dd8c5611343d: Image already exists
30852bbad62b: Image already exists
5537747ea12f: Image already exists
e8a83a5448df: Image successfully pushed
18165b90fefa: Image successfully pushed
5f37b8bdc5a6: Image successfully pushed
1a8da511d01b: Image successfully pushed
d9b2222c39b4: Image already exists
815f08b3c781: Image successfully pushed
fc38f156c0ea: Image already exists
2a7a952931ec: Image already exists
10f1b5844a9c: Image successfully pushed
23c388b926b6: Image successfully pushed
b45376f323f5: Image successfully pushed
latest: digest: sha256:36294aaf1bd29addb44bba2f28996aef8305435ee84b909c5149fd267548578c size: 32163

# docker pull localhost:5000/couchbase

On the Docker VM host itself....
# pwd
/data/registry/docker/registry/v2/repositories
# ls
couchbase nginx redis

This is fine if I only ever want to pull and push images from this local Docker host, but I may want to pull/push images to/from remote Docker clients. However, to do that securely would need a domain name that DNS would resolve to my registry host and a CA certificate. All of which costs me money, and for my lab system it’s a bit of a non-starter. So I am using self signed certificates and that means I need to configure each of my Docker clients with the created certificate.

Here’s a suggested self-signed certificate cli – make sure you use a FQDN and not an IP address for your CN entry, when creating the cert. For this to subsequently work you may, like me, need to create a dummy FQDN in the /etc/hosts file on each Docker VM host :

# mkdir -p /data/certs
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /data/certs/domain.key -x509 \
-days 365 -out /data/certs/domain.crt

cat /etc/hosts - needs to be added on every Docker VM
10.68.64.156 registry.nutanix.com

It’s then a case of copying the cert to my remote Docker clients. The default location on each Docker client host is /etc/docker/certs.d/registry.nutanix.com:5000 – on some Linux distro’s (Fedora?) you will need to create the directory structure below /etc/docker

/etc/docker/certs.d/registry.nutanix.com:5000/domain.crt

Make sure that you always restart the Docker daemon on each host so that any config or cert changes get picked up

systemctl stop docker
systemctl daemon-reload
systemctl start docker

Now that we have TSL configured, we can look at setting up some basic authentication. Steps are …

mkdir /data/auth
docker run --entrypoint htpasswd registry:2 -Bbn ray ********** > /data/auth/htpasswd

This should allow me as user ray to login to the registry and run docker pulls/pushes etc

docker-client# docker login registry.nutanix.com:5000
Username: ray
Password: **********
Email: ray@nutanix.com
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

docker-client# docker pull registry.nutanix.com:5000/couchbase
docker-client# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
10.68.64.156:5000/couchbase latest c10532c5c520 2 weeks ago 372 MB

Now that the Docker command line needed to start our registry with persistent volumes, TLS, basic authentication etc, has begun to grow. It’s probably advisable to consider using Docker Compose. We can install it quite quickly as follows (see Docker docs for other install methods):

# curl -L https://github.com/docker/compose/releases/download/1.5.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose

# chmod +x /usr/local/bin/docker-compose

My docker-compose.yml file now looks like:

# cat docker-compose.yml
registry:
 restart: always
 image: registry:2
 ports:
 - 5000:5000
 environment:
 REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
 REGISTRY_HTTP_TLS_KEY: /certs/domain.key
 REGISTRY_AUTH: htpasswd
 REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
 REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
 volumes:
 - /data/registry:/var/lib/registry
 - /data/certs:/certs
 - /data/auth:/auth

and we can start the registry by running …

docker-compose up -d

So that’s it, a private on-premise registry backed by local storage in the guise of the Acropolis Distributed Storage Fabric (DSF). No need for any local Redis caching that you might consider for cloud backed storage etc. Next steps for me are to take a snapshot of my new registry VM and maybe even migrate it to another host. Other things to consider might be improved authentication (using nginx?) perhaps. In future posts I intend to outline how an ecosystem of cloud aware apps like CouchDB etc are spun up in matter of minutes, I am also keen to look at how to use Docker persistent volumes in the monitoring of logs, etc.

Additional Info

http://docs.docker.com/registry/deploying/

https://docs.docker.com/compose/install/

http://docs.docker.com/registry/insecure/

https://docs.docker.com/engine/userguide/dockervolumes/

Configuring Docker Storage on Nutanix

I have recently been looking at how best to deploy a container ecosystem on my Nutanix XCP environment. At present I can run a number of containers in a virtual machine (VM). This will give me the required networking, persistent storage and the ability to migrate between hosts. Something that containers are only just becoming capable of in many cases. So that I can scale out my container deployment within my Docker host VM, I am going to have to consider increasing the available space within /var/lib/docker. By default, if you provide no additional storage/disk for your Docker install, loopback files get created to store your containers/images. This configuration is not particularly performant, so it’s not supported for production. You can see below how the default setup looks…

# docker info
Containers: 0
Images: 0
Storage Driver: devicemapper
 Pool Name: docker-253:1-33883287-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 1.821 GB
 Data Space Total: 107.4 GB
 Data Space Available: 50.2 GB
 Metadata Space Used: 1.479 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.146 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.93 (2015-01-30)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.2.5-201.fc22.x86_64
Operating System: Fedora 22 (Twenty Two)
CPUs: 1
Total Memory: 993.5 MiB
Name: docker-client
ID: VHCA:JO3X:IRF5:44RG:CFZ6:WETN:YBJ2:6IL5:BNDT:FK32:KH6E:UZED

Configuring Docker Storage Options

Looking at the various methods we can use to provide dedicated block storage for Docker containers. With the Devicemapper storage driver Docker automatically creates a base thin device, this is two block devices, one for data and one for metadata. The thin device is automatically formatted with an empty filesystem on creation. This device is the base of all docker images and containers. All base images are snapshots of this device and those images are then in turn used as snapshots for other images and eventually containers. This is the Docker supported production setup. Also, by using LVM based devices as the underlying storage you are then accessing them as raw devices and no longer go through the VFS layer.

Devicemapper : direct-lvm

To begin, create two LVM devices, one for container data and another to hold metadata. By default the loopback method creates a storage pool with 100GB of space. In this example I am creating a 200G LVM volume for data and a 5G metadata volume. I prefer separate volumes where possible for performance reasons. We start by hot-adding the required Nutanix vDisks to the virtual machine (docker-directlvm) guest OS (Fedora22)

<acropolis> vm.disk_create docker-directlvm create_size=200g container=DEFAULT-CTR
DiskCreate: complete
<acropolis> vm.disk_create docker-directlvm create_size=10g container=DEFAULT-CTR
DiskCreate: complete

[root@docker-directlvm ~]# lsscsi 
 
[2:0:1:0] disk NUTANIX VDISK 0 /dev/sdb 
[2:0:2:0] disk NUTANIX VDISK 0 /dev/sdc

The next step is to create the individual LVM volumes

# pvcreate /dev/sdb /dev/sdc
# vgcreate direct-lvm /dev/sdb /dev/sdc

# lvcreate --wipesignatures y -n data direct-lvm -l 95%VG
# lvcreate --wipesignatures y -n metadata direct-lvm -l 5%VG

If setting up a new metadata pool need to zero the first 4k to indicate empty metadata:
# dd if=/dev/zero of=/dev/direct-lvm/metadata bs=1M count=1

For sizing the metadata volume above, the rule of thumb seems to be 0.1% of the data volume. This is somewhat anecdotal, so size with a little headroom perhaps? Next, start the Docker daemon using the required options in the file /etc/sysconfig/docker-storage.

DOCKER_STORAGE_OPTIONS="--storage-opt dm.datadev=/dev/direct-lvm/data --storage-opt \
dm.metadatadev=/dev/direct-lvm/metadata --storage-opt dm.fs=xfs"

You can then verify that the requested underlying storage is in use, with the docker info command

# docker info
Containers: 5
Images: 2
Storage Driver: devicemapper
 Pool Name: docker-253:1-33883287-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: xfs
 Data file: /dev/direct-lvm/data
 Metadata file: /dev/direct-lvm/metadata
 Data Space Used: 10.8 GB
 Data Space Total: 199.5 GB
 Data Space Available: 188.7 GB
 Metadata Space Used: 7.078 MB
 Metadata Space Total: 10.5 GB
 Metadata Space Available: 10.49 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Library Version: 1.02.93 (2015-01-30)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.2.5-201.fc22.x86_64
Operating System: Fedora 22 (Twenty Two)
CPUs: 1
Total Memory: 993.5 MiB
Name: docker-directlvm
ID: VHCA:JO3X:IRF5:44RG:CFZ6:WETN:YBJ2:6IL5:BNDT:FK32:KH6E:UZED

All well and good so far, but the storage options to expose data and metadata locations namely dm.datadev and dm.metadatadev have been deprecated in favour of a preferred model, which is to have a thin pool reserved outside of Docker and passed to the daemon via the dm.thinpooldev storage option. There’s a helper script in some Linux distros called /etc/sysconfig/docker-storage-setup. This does all the heavy lifting, you just need to supply a device and, or a volume group name.

Devicemapper: Thinpool

Once again start by creating the virtual device – a Nutanix vDisk – and adding it to the virtual machine guest OS

<acropolis> vm.disk_create docker-thinp create_size=200g container=DEFAULT-CTR
DiskCreate: complete

[root@localhost sysconfig]# lsscsi
[0:0:0:0] cd/dvd QEMU QEMU DVD-ROM 1.5. /dev/sr0
[2:0:0:0] disk NUTANIX VDISK 0 /dev/sda
[2:0:1:0] disk NUTANIX VDISK 0 /dev/sdd

Edit the file /etc/sysconfig/docker-storage-setup as follows:

root@localhost sysconfig]# cat /etc/sysconfig/docker-storage-setup
# Edit this file to override any configuration options specified in
# /usr/lib/docker-storage-setup/docker-storage-setup.
#
# For more details refer to "man docker-storage-setup"
DEVS=/dev/sdd
VG=docker

Then run the storage helper script:

[root@docker-thinp ~]# pvcreate /dev/sdd
 Physical volume "/dev/sdd" successfully created

[root@docker-thinp ~]# vgcreate docker /dev/sdd 
 Volume group "docker" successfully created 

[root@docker-thinp ~]# docker-storage-setup 
Rounding up size to full physical extent 192.00 MiB 
Logical volume "docker-poolmeta" created. 
Wiping xfs signature on /dev/docker/docker-pool. 
Logical volume "docker-pool" created. 
WARNING: Converting logical volume docker/docker-pool and docker/docker-poolmeta to pool's data and metadata volumes. 
THIS WILL DESTROY CONTENT OF LOGICAL VOLUME (filesystem etc.) 
Converted docker/docker-pool to thin pool. 
Logical volume "docker-pool" changed.

You can then verify the underlying storage being used in the usual way

[root@docker-thinp ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

sdd 8:48 0 186.3G 0 disk
├─docker-docker--pool_tmeta 253:5 0 192M 0 lvm
│ └─docker-docker--pool 253:7 0 74.4G 0 lvm
└─docker-docker--pool_tdata 253:6 0 74.4G 0 lvm
 └─docker-docker--pool 253:7 0 74.4G 0 lvm


[root@docker-thinp ~]# docker info
Containers: 0
Images: 0
Storage Driver: devicemapper
 Pool Name: docker-docker--pool
 Pool Blocksize: 524.3 kB
 Backing Filesystem: xfs
 Data file:
 Metadata file:
 Data Space Used: 62.39 MB
 Data Space Total: 79.92 GB
 Data Space Available: 79.86 GB
 Metadata Space Used: 90.11 kB
 Metadata Space Total: 201.3 MB
 Metadata Space Available: 201.2 MB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Library Version: 1.02.93 (2015-01-30)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.2.5-201.fc22.x86_64
Operating System: Fedora 22 (Twenty Two)
CPUs: 1
Total Memory: 993.5 MiB
Name: docker-thinp
ID: VHCA:JO3X:IRF5:44RG:CFZ6:WETN:YBJ2:6IL5:BNDT:FK32:KH6E:UZED

On completion this will have created the correct entries in /etc/sysconfig/docker-storage

[root@docker-thinp ~]# cat /etc/sysconfig/docker-storage
DOCKER_STORAGE_OPTIONS=--storage-driver devicemapper --storage-opt dm.fs=xfs \
 --storage-opt dm.thinpooldev=/dev/mapper/docker-docker--pool

and runtime looks like...

[root@docker-thinp ~]# ps -ef | grep docker
root 8988 1 0 16:13 ? 00:00:11 /usr/bin/docker daemon --selinux-enabled
--storage-driver devicemapper --storage-opt dm.fs=xfs 
--storage-opt dm.thinpooldev=/dev/mapper/docker-docker--pool

Bear in mind that when you are changing the underlying docker storage driver or storage options similar to the examples described above. Then, typically, the following destructive command sequence is run (be sure to backup any important data before running the following ….

$ sudo systemctl stop docker
$ sudo rm -rf /var/lib/docker 

post changes 

$ systemctl daemon-reload
$ systemctl start docker

Additional Info

http://developerblog.redhat.com/2014/09/30/overview-storage-scalability-docker/

https://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/

http://docs.docker.com/engine/reference/commandline/daemon/#storage-driver-options

Ray's Virtual Exchange

Virtualising Webscale Apps

Tag Archives: vgcreate

Configuring Docker Storage on Nutanix

Configuring Docker Storage Options

Devicemapper : direct-lvm

Devicemapper: Thinpool

Additional Info

Like this:

Additional Info

Like this:

Configuring Docker Storage Options

Devicemapper : direct-lvm

Devicemapper: Thinpool

Additional Info

Share this:

Like this: