
Using Private Registries With the Torizon Platform


Article updated at 29 Sep 2021

Select the version of your OS from the tabs below. If you don't know the version you are using, run the command cat /etc/os-release or cat /etc/issue on the board.



Remember that you can always refer to the Torizon Documentation, there you can find a lot of relevant articles that might help you in the application development.

Torizon 5.2.0

Introduction

One of the most famous container registries - Docker Hub - allows people to host a single private container image with the free tier. As you may want to protect your application's intellectual property, you might want to use a private registry yourself: either Docker Hub with a paid tier, an alternative such as AWS or Azure container registries, or even a self-hosted registry.

Manually running a container hosted in a private registry is straightforward: you are prompted for credentials, or you use the docker login command. With TorizonCore, where deployment to hundreds or thousands of devices is unattended, you need a scalable way to deploy the credentials. Doing so allows the TorizonCore Builder Tool to Pre-provision Docker Containers onto a TorizonCore image, and Torizon OTA to update your application.

In this article, to achieve the goal of deploying private registry credentials to your devices, we'll leverage the flexibility of the TorizonCore Builder Tool and Torizon OTA.

Prerequisites

The following prerequisites are required to follow along with these instructions.

To install TorizonCore Builder, follow the instructions below, in order.

Create and enter a working directory where your customization will be stored:

$ mkdir ~/tcbworkdir
$ cd ~/tcbworkdir

Use the setup script named tcb-env-setup.sh, available on the Toradex GitHub, to set up TorizonCore Builder:

$ wget https://raw.githubusercontent.com/toradex/tcb-env-setup/master/tcb-env-setup.sh
$ source tcb-env-setup.sh

Verify that the command torizoncore-builder is available:

$ torizoncore-builder --help

Warning: Make sure to: (1) source the script, (2) every time you open a new terminal, (3) inside the working directory you have previously created. Otherwise, it will not work as intended and, most importantly, the torizoncore-builder alias will not be created properly.

Evaluation: Enabling a Single Device

Note: This only applies to container updates via OTA. If you want to pull/access a private registry outside of the context of Torizon OTA then just perform a normal docker login.

For quick tests and development you can set up just a single device for private registry access. On your TorizonCore device enter the following command:

# sudo docker --config /etc/docker login

Once prompted, enter the username and password for your private registry. If successful, this will create a config.json file in /etc/docker on the device. This file contains authentication information that is used by Docker if needed. TorizonCore and Torizon OTA are configured so that any container update that is pushed to the device will look for the config.json file in this location, if needed.

Moving on, once you've entered the above command this specific device should be good to go. From the "Torizon OTA Dashboard" you can schedule a container update for this device.

For more information on setting up a container update, please see the "Updating Containers with Torizon OTA" lesson of our Quickstart Guide. If you want to learn more, read the article Torizon OTA Web Interface.

Development and Production: Enabling Multiple Devices

Later on in development or during early production you'll most likely be working with multiple devices. It would be very tedious to run docker login and add credentials on each device individually.

We'll resolve this by using the TorizonCore Builder Tool, and Torizon OTA.

Creating a Custom TorizonCore Image With Docker Credentials

Warning: Before continuing make sure you have TorizonCore Builder installed on your development machine, as pointed out in this article's Prerequisites section.

First, start with a single TorizonCore device and use docker login like before:

# sudo docker --config /etc/docker login

We're going to use TorizonCore Builder to capture these credentials and create a customized TorizonCore image. Since the config.json file is located in /etc we can easily isolate the changes and create a new image.

How to do this is described in the article Capturing Changes in the Configuration of a Board on TorizonCore.

To summarize the steps you'll need to follow from the article above:

  1. unpack a base TorizonCore Easy Installer image.
  2. isolate the config.json file in /etc/.
  3. union the changes to merge them onto the base image.
  4. deploy the changes to create a new Easy Installer image.

By the end of this process, you'll have a new Toradex Easy Installer that you can then flash to multiple boards. Any board you flash with this image will have the config.json file with your credentials information in /etc/docker.

Now you can push a container update to all of your boards and they should be able to access your private registry.
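A check worth running on the captured config.json before the image goes to a fleet, as an added example (not Toradex code): docker login without a credential helper stores each registry's auth value as base64 of user:secret, which is encoded rather than encrypted, so anyone who can read the file or the image recovers the secret. The script runs on a constructed sample; the function names and the example.com registry hosts are assumptions.

```python
import base64
import json
import os
import stat
import tempfile


def audit_docker_config(path):
    """Return (registries, findings) for a Docker client config.json."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: accessible beyond the owner")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    if cfg.get("credsStore") or cfg.get("credHelpers"):
        findings.append("credential helper configured: secrets are not in this file")
    registries = {}
    for registry, entry in cfg.get("auths", {}).items():
        token = entry.get("auth")
        if not token:
            # Nothing usable would be baked into the image for this registry.
            registries[registry] = None
            findings.append(f"{registry}: no inline credentials captured")
            continue
        # 'auth' is base64("user:secret"); report the user, never the secret.
        user, _, secret = base64.b64decode(token).decode("utf-8").partition(":")
        registries[registry] = user
        findings.append(f"{registry}: recoverable secret for '{user}' ({len(secret)} chars)")
    return registries, findings


def constructed_sample(directory, mode=0o644):
    """Write a constructed config.json shaped like the one docker login stores."""
    auth = base64.b64encode(b"ci-pull-bot:constructed-token").decode("ascii")
    cfg = {"auths": {"registry.example.com": {"auth": auth},
                     "helper.example.com": {}}}
    path = os.path.join(directory, "config.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        regs, notes = audit_docker_config(constructed_sample(tmp))
        print(regs)
        for note in notes:
            print(note)
```

Point audit_docker_config at the config.json inside your isolated changes; a registry account limited to pull access keeps the exposure small if a device or image is lost.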

Using Torizon OTA to Update the Credentials

Your devices may already be deployed, or you may want to update the credentials on those devices. For this case, we will leverage Torizon OTA.

First of all, go through all the steps in the previous section as they are all required here. Also, make sure you have your credentials.zip file from the "Torizon OTA Dashboard" ready.

Once you have your custom TorizonCore image with Docker credentials, you can go ahead and push it to Torizon OTA. Full details on the steps can be found in our article Signing and Pushing TorizonCore Images to Torizon OTA.

To summarize the steps:

  1. unpack a base TorizonCore Easy Installer image
  2. isolate the config.json file in /etc/
  3. union the changes to merge them onto the base image
  4. push the changes to your Torizon OTA account using your credentials.zip

As you can see, the steps are very similar to the previous section. But instead of a deploy as the last step, we push the changes to Torizon OTA.

Once done you'll have a custom package on the "Torizon OTA Dashboard" with your credentials baked in. Then, you must do the following:

  1. Update with your custom TorizonCore Package first. This will add/update the credentials to all your devices.
  2. Update with your custom container update. This will cause all of your devices to update their containers and access any private registry with your newly updated credentials if needed.