Using Private Registries With the Torizon Platform
One of the most famous container registries - Docker Hub - allows people to host a single private container image with the free tier. As you may want to protect your application's intellectual property, you might want to use a private registry yourself: either Docker Hub with a paid tier, an alternative such as AWS or Azure container registries, or even a self-hosted registry.
It is straightforward to manually run a container hosted in a private registry: you'll be prompted for credentials or use the
docker login command. With TorizonCore, due to the unattended deployment of credentials to hundreds or thousands of devices, you must somehow deploy the credentials in a scalable way. It will allow TorizonCore Builder Tool to Pre-provision Docker Containers onto a TorizonCore image, and Torizon OTA to update your application.
The following prerequisites are required to follow along with these instructions.
- A host machine with TorizonCore Builder installed.
credentials.zipfile downloaded from your account on the Torizon OTA dashboard.
- A container image stored in a private registry. (Docker provides a single private registry for free per user)
- A device with TorizonCore that has been provisioned to the Torizon OTA dashboard.
To install TorizonCore Builder, follow the instructions below, in order.
Create and enter a working directory where your customization will be stored:
$ mkdir ~/tcbworkdir
$ cd ~/tcbworkdir
Use the setup script named tcb-env-setup.sh, available on the Toradex Github, to setup TorizonCore Builder:
$ wget https://raw.githubusercontent.com/toradex/tcb-env-setup/master/tcb-env-setup.sh
$ source tcb-env-setup.sh
For advanced usage, run
source tcb-env-setup.sh -h, or see the project README.
If using Windows, you must pass extra parameters to the script when using the following commands:
ostree serve: consult the ostree serve reference.
The setup script installs a bash completion script for TorizonCore Builder, making it possible to autocomplete commands and parameters by just pressing the TAB key.
Verify that the command
torizoncore-builder is available:
$ torizoncore-builder --help
Evaluation: Enabling a Single Device
This only applies to container updates via OTA. If you want to pull/access a private registry outside of the context of Torizon OTA then just perform a normal
For quick tests and development you can set up just a single device for private registry access. On your TorizonCore device enter the following command:
# sudo docker --config /etc/docker login
Once prompted, enter the username and password for your private registry. If successful, this will create a
config.json file in
/etc/docker on the device. This file contains authentication information that is used by Docker if needed. TorizonCore and Torizon OTA are configured so that any container update that is pushed to the device will look for the
config.json file in this location, if needed.
Moving on, once you've entered the above command this specific device should be good to go. From the "Torizon OTA Dashboard" you can schedule a container update for this device.
Fore more information on setting up a container update please see the "Updating Containers with Torizon OTA" lesson of our Quickstart Guide. If you want to learn more, read the article Torizon OTA Web Interface.
Development and Production: Enabling Multiple Devices
Later on in development or during early production you'll most likely be working with multiple devices. It would be very tedious to need to
docker login, and add credentials to each device individually.
Creating a Custom TorizonCore Image With Docker Credentials
Before continuing make sure you have TorizonCore Builder installed on your development machine, as pointed out in this article's Prerequisites section.
First, start with a single TorizonCore device and use
docker login like before:
# sudo docker --config /etc/docker login
We're going to use TorizonCore Builder to capture these credentials and create a customized TorizonCore image. Since the
config.json file is located in
/etc we can easily isolate the changes and create a new image.
How to do this is described in the article Capturing Changes in the Configuration of a Board on TorizonCore.
To summarize the steps you'll need to follow from the article above:
- unpack a base TorizonCore Easy Installer image.
- isolate the
- union the changes to merge them onto the base image.
- deploy the changes to create a new Easy Installer image.
By the end of this process, you'll have a new Toradex Easy Installer that you can then flash to multiple boards. Any board you flash with this image will have the
config.json file with your credentials information in
Now you can push a container update to all of your boards and they should be able to access your private registry.
Using Torizon OTA to Update the Credentials
It may be the case your devices are already deployed or you want to update the credentials on those devices. For this case, we will leverage Torizon OTA.
First of all, go through all the steps in the previous section as they are all required here. Also, make sure you have your
credentials.zip file from the "Torizon OTA Dashboard" ready.
Once you have your custom TorizonCore image with Docker credentials, you can go ahead and push it to Torizon OTA. Full details on the steps can be found in our article Signing and Pushing TorizonCore Images to Torizon OTA.
To summarize the steps:
- unpack a base TorizonCore Easy Installer image
- isolate the
- union the changes to merge them onto the base image
- push the changes to your Torizon OTA account using your
As you can see the steps are very similar to the previous section. But, instead of a
deploy as the last step, we instead
push the changes to Torizon OTA.
Once done you'll have a custom package on the "Torizon OTA Dashboard" with your credentials baked in. Then, you must do the following:
- Update with your custom TorizonCore Package first. This will add/update the credentials to all your devices.
- Update with your custom container update. This will cause all of your devices to update their containers and access any private registry with your newly updated credentials if needed.