
Registry

Accessing the Anvil Composable Registry

The Anvil registry uses Harbor, an open source registry for managing containers and artifacts. It can be accessed at the following URL: https://registry.anvil.rcac.purdue.edu

Using the Anvil Registry Docker Hub Cache

It is advised that you use the Docker Hub cache within Anvil to pull images for deployments. Docker Hub limits how many images can be pulled in a 24-hour period, and Anvil reaches that limit depending on user activity. This means that if you are trying to deploy a workload, or have a currently deployed workload that needs to be migrated, restarted, or upgraded, there is a chance it will fail.

To bypass this, use the Anvil cache URL registry.anvil.rcac.purdue.edu/docker-hub-cache/ in your image names.

For example, if you want to pull a notebook from JupyterHub’s Docker Hub repo, e.g. jupyter/tensorflow-notebook:latest, pulling it from the Anvil cache would look like this: registry.anvil.rcac.purdue.edu/docker-hub-cache/jupyter/tensorflow-notebook:latest
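The rewrite described above, as an added example that is not part of the Anvil documentation. It goes beyond the single case in the text: official images such as nginx get the library/ namespace that Docker Hub implies and that Harbor proxy-cache projects expect, and references to other registries are left untouched. The function name to_anvil_cache and the sample references are constructed for illustration.

```shell
#!/bin/sh
# Added example: map Docker Hub image references onto the Anvil cache path.
CACHE="registry.anvil.rcac.purdue.edu/docker-hub-cache"

to_anvil_cache() {
    orig=$1
    ref=$1
    # Drop an explicit Docker Hub host; the cache path replaces it.
    case $ref in
        docker.io/*)       ref=${ref#docker.io/} ;;
        index.docker.io/*) ref=${ref#index.docker.io/} ;;
    esac
    case $ref in
        */*)
            # A first path component with '.' or ':' (or "localhost") is a
            # registry host, so the image is not on Docker Hub: leave it alone.
            first=${ref%%/*}
            case $first in
                *.*|*:*|localhost) printf '%s\n' "$orig"; return 0 ;;
            esac
            ;;
        *)
            # Official images live in Docker Hub's implicit "library" namespace,
            # which must be spelled out when pulling through a Harbor proxy cache.
            ref="library/$ref"
            ;;
    esac
    printf '%s/%s\n' "$CACHE" "$ref"
}

# Constructed sample references, not taken from any real deployment.
for image in jupyter/tensorflow-notebook:latest nginx:1.25 \
             docker.io/library/redis:7 quay.io/example/app:1.0; do
    printf '%-40s -> %s\n' "$image" "$(to_anvil_cache "$image")"
done
```

Because references that already name a registry host pass through unchanged, the function can be applied repeatedly to the same manifest without double-prefixing.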

Using OIDC from the Docker or Helm CLI

After you have authenticated via OIDC and logged into the Harbor interface for the first time, you can use the Docker or Helm CLI to access Harbor.

The Docker and Helm CLIs cannot handle redirection for OIDC, so Harbor provides a CLI secret for use when logging in from Docker or Helm.

  1. Log in to Harbor with an OIDC user account.

  2. Click your username at the top of the screen and select User Profile.

  3. Click the clipboard icon to copy the CLI secret associated with your account.

  4. Optionally click the icon in your user profile to display buttons for automatically generating or manually creating a new CLI secret.

    • A user can only have one CLI secret, so when a new secret is generated or created, the old one becomes invalid.

  5. If you generated a new CLI secret, click the clipboard icon to copy it.

You can now use your CLI secret as the password when logging in to Harbor from the Docker or Helm CLI.

docker login -u <username> -p <cli secret> registry.anvil.rcac.purdue.edu

Note: The CLI secret is associated with the OIDC ID token. Harbor will try to refresh the token, so the CLI secret will be valid after the ID token expires. However, if the OIDC Provider does not provide a refresh token or the refresh fails, the CLI secret becomes invalid. In this case, log out and log back in to Harbor via your OIDC provider so that Harbor can get a new ID token. The CLI secret will then work again.

Creating a Harbor Registry

  1. Using a browser, log in to https://registry.anvil.rcac.purdue.edu with your ACCESS account username and password

  2. From the main page, click create project; this will act as your registry

  3. Fill in a name and select whether you want the project to be public or private

  4. Click ok to create and finalize

Tagging and Pushing Images to Your Harbor Registry

  1. Tag your image
    $ docker tag my-image:tag registry.anvil.rcac.purdue.edu/project-registry/my-image:tag

  2. Log in to the Anvil registry via the command line
    $ docker login registry.anvil.rcac.purdue.edu

  3. Push your image to your project registry
    $ docker push registry.anvil.rcac.purdue.edu/project-registry/my-image:tag

Creating a Robot Account for a Private Registry

A robot account and token can be used to authenticate to your registry in place of having to supply or store your private credentials on multi-tenant cloud environments like Rancher/Anvil.

  1. Navigate to your project after logging into https://registry.anvil.rcac.purdue.edu

  2. Navigate to the Robot Accounts tab and click New Robot Account

  3. Fill out the form

    • Name your robot account

    • Select an account expiration, if any; select never to make the account permanent

    • Customize what permissions you wish the account to have

    • Click Add

  4. Copy your information

    • Your robot account’s name will be longer than what you specified. Since this is a multi-tenant registry, Harbor does this to avoid unrelated project owners creating a similarly named robot account

    • Export your token as JSON or copy it to a clipboard

Note: Harbor does not store account tokens. Once you exit this page, your token will be unrecoverable.

Adding Your Private Registry to Rancher

  1. From your project navigate to Resources > secrets

  2. Navigate to the Registry Credentials tab and click Add Registry

  3. Fill out the form

    • Give a name to the Registry secret (this is an arbitrary name)

    • Select whether or not the registry will be available to all or a single namespace

    • Select address as “custom” and provide “registry.anvil.rcac.purdue.edu”

    • Enter your robot account’s long name, e.g. robot$my-registry+robot, as the Username

    • Enter your robot account’s token as the password

    • Click Save
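Added example, not part of the Anvil documentation: when the robot credentials are handled from a shell instead of the Rancher form, both the $ in the robot name and the token need care. The function name make_dockerconfigjson and the token value are constructed; the output is the Docker config JSON that Kubernetes registry secrets of type kubernetes.io/dockerconfigjson carry, and the robot name is assumed to follow the robot$project+name form shown above.

```shell
#!/bin/sh
# Added example: build registry credentials for a Harbor robot account while
# keeping the token out of argv, shell history and process listings.
REGISTRY="registry.anvil.rcac.purdue.edu"

# Usage: make_dockerconfigjson 'robot$my-registry+robot' < token-file
make_dockerconfigjson() {
    user=$1
    # The robot name contains '$'. Inside double quotes the shell expands
    # "$my" to nothing and silently yields a wrong username, so refuse names
    # that lost it (assumes the robot$project+name form shown on this page).
    case $user in
        *'$'*) ;;
        *) echo "username has no '\$': single-quote it on the command line" >&2
           return 1 ;;
    esac
    # Read the token from stdin rather than taking it as an argument.
    IFS= read -r token || true
    case $token in
        ''|*'"'*|*'\'*) echo "empty token or unsafe JSON characters" >&2
                        return 1 ;;
    esac
    auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
        "$REGISTRY" "$user" "$token" "$auth"
}

# Constructed token for illustration; a real one comes from the Harbor UI.
printf '%s\n' 'ConstructedToken123' |
    make_dockerconfigjson 'robot$my-registry+robot'

# The same stdin pattern works for the CLI login:
#   docker login -u 'robot$my-registry+robot' --password-stdin "$REGISTRY" < token-file
```

The auth field is only base64 of username:token, so the generated JSON is as sensitive as the token itself and should be stored with the same restrictions.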

External Harbor Documentation
