docs: add hugo website (#4101)

Milos Gajdos 2023-10-12 17:08:54 +01:00 committed by GitHub
commit ebba01efea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
303 changed files with 3915 additions and 1574 deletions

59
.github/workflows/docs.yml vendored Normal file

@ -0,0 +1,59 @@
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
push:
branches:
- main
paths:
- docs/**
workflow_dispatch:
jobs:
# Build job
build:
runs-on: ubuntu-latest
permissions:
contents: read
# Build the site and upload artifacts using actions/upload-pages-artifact
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build docs
uses: docker/bake-action@v3
with:
files: |
docker-bake.hcl
targets: docs-export
set: |
*.cache-from=type=gha,scope=docs
*.cache-to=type=gha,scope=docs,mode=max
- name: Upload Pages artifact
uses: actions/upload-pages-artifact@v2
with:
path: ./build/docs
# Deploy job
deploy:
# Add a dependency to the build job
needs: build
# Grant GITHUB_TOKEN the permissions required to make a Pages deployment
permissions:
pages: write # to deploy to Pages
id-token: write # to verify the deployment originates from an appropriate source
# Deploy to the github-pages environment
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
# Specify runner + deployment step
runs-on: ubuntu-latest
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v2 # or the latest "vX.X.X" version tag for this action
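Review bot: Every `uses:` reference in both jobs (`actions/checkout@v4`, `docker/setup-buildx-action@v2`, `docker/bake-action@v3`, `actions/upload-pages-artifact@v2`, `actions/deploy-pages@v2`) is pinned to a mutable major-version tag, so whatever those tags resolve to at run time builds the artifact that the `deploy` job publishes with `pages: write` and `id-token: write`. Pinning each one to a full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/bake-action@<full-commit-sha> # v3`, fixes what runs and lets a dependency bot propose updates for review. The build job only reads the repository, so `with: persist-credentials: false` on the checkout step would keep the token from being written to `.git/config` in the workspace. The trailing comment on the `actions/deploy-pages@v2` line reads as leftover template text and could be dropped.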

5
.gitignore vendored

@ -38,3 +38,8 @@ bin/*
.idea/* .idea/*
tests/miniodata tests/miniodata
# Docs
**/.hugo_build.lock
docs/resources
docs/public


@ -7,7 +7,7 @@ This is useful if you intend to actively work on the registry.
### Alternatives ### Alternatives
Most people should use the [official Registry docker image](https://hub.docker.com/r/library/registry/). Most people should use prebuilt images, for example, the [Registry docker image](https://hub.docker.com/r/library/registry/) provided by Docker.
People looking for advanced operational use cases might consider rolling their own image with a custom Dockerfile inheriting `FROM registry:2`. People looking for advanced operational use cases might consider rolling their own image with a custom Dockerfile inheriting `FROM registry:2`.


@ -94,7 +94,7 @@ performance must not be discussed on the pull request.
## How are decisions made? ## How are decisions made?
Docker distribution is an open-source project with an open design philosophy. CNCF distribution is an open-source project with an open design philosophy.
This means that the repository is the source of truth for EVERY aspect of the This means that the repository is the source of truth for EVERY aspect of the
project, including its philosophy, design, road map, and APIs. *If it's part of project, including its philosophy, design, road map, and APIs. *If it's part of
the project, it's in the repo. If it's in the repo, it's part of the project.* the project, it's in the repo. If it's in the repo, it's part of the project.*


@ -13,7 +13,7 @@
The toolset to pack, ship, store, and deliver content. The toolset to pack, ship, store, and deliver content.
This repository's main product is the Open Source Registry implementation This repository's main product is the Open Source Registry implementation
for storing and distributing container images using the for storing and distributing container images and other content using the
[OCI Distribution Specification](https://github.com/opencontainers/distribution-spec). [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec).
The goal of this project is to provide a simple, secure, and scalable base The goal of this project is to provide a simple, secure, and scalable base
for building a large scale registry solution or running a simple private registry. for building a large scale registry solution or running a simple private registry.

2
doc.go

@ -1,6 +1,6 @@
// Package distribution will define the interfaces for the components of // Package distribution will define the interfaces for the components of
// docker distribution. The goal is to allow users to reliably package, ship // docker distribution. The goal is to allow users to reliably package, ship
// and store content related to docker images. // and store content related to container images.
// //
// This is currently a work in progress. More details are available in the // This is currently a work in progress. More details are available in the
// README.md. // README.md.


@ -94,3 +94,26 @@ target "image-all" {
"linux/s390x" "linux/s390x"
] ]
} }
target "_common_docs" {
dockerfile = "./dockerfiles/docs.Dockerfile"
}
target "docs-export" {
inherits = ["_common_docs"]
target = "out"
output = ["type=local,dest=build/docs"]
}
target "docs-image" {
inherits = ["_common_docs"]
target = "server"
output = ["type=docker"]
tags = ["registry-docs:local"]
}
target "docs-test" {
inherits = ["_common_docs"]
target = "test"
output = ["type=cacheonly"]
}


@ -0,0 +1,35 @@
# syntax=docker/dockerfile:1
ARG GO_VERSION=1.20.8
ARG ALPINE_VERSION=3.18
FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
RUN apk add --no-cache git
FROM base AS hugo
ARG HUGO_VERSION=0.119.0
RUN --mount=type=cache,target=/go/mod/pkg \
go install github.com/gohugoio/hugo@v${HUGO_VERSION}
FROM base AS build-base
COPY --from=hugo $GOPATH/bin/hugo /bin/hugo
WORKDIR /src
FROM build-base AS build
RUN --mount=type=bind,rw,source=docs,target=. \
hugo --gc --minify --destination /out
FROM build-base AS server
COPY docs .
ENTRYPOINT [ "hugo", "server", "--bind", "0.0.0.0" ]
EXPOSE 1313
FROM scratch AS out
COPY --from=build /out /
FROM wjdp/htmltest:v0.17.0 AS test
WORKDIR /test
COPY --from=build /out ./public
ADD docs/.htmltest.yml .htmltest.yml
RUN --mount=type=cache,target=tmp/.htmltest \
htmltest
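Review bot: The cache mount in the `hugo` stage targets `/go/mod/pkg`, but the official `golang` image sets `GOPATH=/go`, so the module cache lives at `/go/pkg/mod` and this mount is probably never hit; `RUN --mount=type=cache,target=/go/pkg/mod \` looks like what was intended. The `test` stage pulls the third-party image `wjdp/htmltest:v0.17.0` by tag only, and adding a digest (`FROM wjdp/htmltest:v0.17.0@sha256:<digest> AS test`) would fix what actually runs in CI. `ADD docs/.htmltest.yml .htmltest.yml` copies a plain local file, so `COPY` is the conventional instruction there. The `server` stage binds `hugo server` to `0.0.0.0`, which is needed inside a container, so a comment such as `# dev preview only; publish with -p 127.0.0.1:1313:1313` would help keep the preview off external interfaces.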

9
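--- a/docs/.htmltest.yml
+++ b/docs/.htmltest.yml
@@ -0,0 +1,9 @@
+DirectoryPath: "public"
+EnforceHTTPS: true
+CheckDoctype: true
+CheckExternal: true
+IgnoreAltMissing: true
+IgnoreAltEmpty: true
+IgnoreEmptyHref: true
+IgnoreInternalEmptyHash: true
+IgnoreDirectoryMissingTrailingSlash: true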

77
docs/content/_index.md Normal file

@ -0,0 +1,77 @@
---
description: High-level overview of the Registry
keywords: registry, on-prem, images, tags, repository, distribution
title: Distribution Registry
---
## What it is
The Registry is a stateless, highly scalable server side application that stores
and lets you distribute container images and other content. The Registry is open-source, under the
permissive [Apache license](https://en.wikipedia.org/wiki/Apache_License).
## Why use it
You should use the Registry if you want to:
* tightly control where your images are being stored
* fully own your images distribution pipeline
* integrate image storage and distribution tightly into your in-house development workflow
## Alternatives
Users looking for a zero maintenance, ready-to-go solution are encouraged to
use one of the existing registry services. Many of these provide support and security
scanning, and are free for public repositories. For example:
- [Docker Hub](https://hub.docker.com)
- [Quay.io](https://quay.io/)
- [GitHub Packages](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry)
Cloud infrastructure providers such as [AWS](https://aws.amazon.com/ecr/), [Azure](https://azure.microsoft.com/products/container-registry/), [Google Cloud](https://cloud.google.com/artifact-registry) and [IBM Cloud](https://www.ibm.com/products/container-registry) also have container registry services available at a cost.
## Compatibility
The distribution registry implements the [OCI Distribution Spec](https://github.com/opencontainers/distribution-spec) version 1.0.1.
## Basic commands
Start your registry
```sh
docker run -d -p 5000:5000 --name registry registry:2
```
Pull (or build) some image from the hub
```sh
docker pull ubuntu
```
Tag the image so that it points to your registry
```sh
docker image tag ubuntu localhost:5000/myfirstimage
```
Push it
```sh
docker push localhost:5000/myfirstimage
```
Pull it back
```sh
docker pull localhost:5000/myfirstimage
```
Now stop your registry and remove all data
```sh
docker container stop registry && docker container rm -v registry
```
## Next
You should now read the [detailed introduction about the registry](about),
or jump directly to [deployment instructions](about/deploying).


@ -4,12 +4,12 @@ keywords: registry, on-prem, images, tags, repository, distribution, use cases,
title: About Registry title: About Registry
--- ---
A registry is a storage and content delivery system, holding named Docker A registry is a storage and content delivery system, holding named container
images, available in different tagged versions. images and other content, available in different tagged versions.
> Example: the image `distribution/registry`, with tags `2.0` and `2.1`. > Example: the image `distribution/registry`, with tags `2.0` and `2.1`.
Users interact with a registry by using docker push and pull commands. Users interact with a registry by pushing and pulling images.
> Example: `docker pull registry-1.docker.io/distribution/registry:2.1`. > Example: `docker pull registry-1.docker.io/distribution/registry:2.1`.
@ -27,7 +27,7 @@ The Registry GitHub repository includes additional information about advanced
authentication and authorization methods. Only very large or public deployments authentication and authorization methods. Only very large or public deployments
are expected to extend the Registry in this way. are expected to extend the Registry in this way.
Finally, the Registry ships with a robust [notification system](notifications.md), Finally, the Registry ships with a robust [notification system](notifications),
calling webhooks in response to activity, and both extensive logging and reporting, calling webhooks in response to activity, and both extensive logging and reporting,
mostly useful for large installations that want to collect metrics. mostly useful for large installations that want to collect metrics.
@ -35,11 +35,11 @@ mostly useful for large installations that want to collect metrics.
Image names as used in typical docker commands reflect their origin: Image names as used in typical docker commands reflect their origin:
* `docker pull ubuntu` instructs docker to pull an image named `ubuntu` from the official Docker Hub. This is simply a shortcut for the longer `docker pull docker.io/library/ubuntu` command * `docker pull ubuntu` instructs docker to pull an image named `ubuntu` from Docker Hub. This is simply a shortcut for the longer `docker pull docker.io/library/ubuntu` command
* `docker pull myregistrydomain:port/foo/bar` instructs docker to contact the registry located at `myregistrydomain:port` to find the image `foo/bar` * `docker pull myregistrydomain:port/foo/bar` instructs docker to contact the registry located at `myregistrydomain:port` to find the image `foo/bar`
You can find out more about the various Docker commands dealing with images in You can find out more about the various Docker commands dealing with images in
the [official Docker engine documentation](../engine/reference/commandline/cli.md). the [Docker engine documentation](https://docs.docker.com/engine/reference/commandline/cli/).
## Use cases ## Use cases
@ -70,4 +70,4 @@ golang are certainly useful as well for advanced operations or hacking.
## Next ## Next
Dive into [deploying your registry](deploying.md) Dive into [deploying your registry](deploying)


@ -1,5 +1,5 @@
--- ---
published: false draft: true
--- ---
# Architecture # Architecture


@ -5,13 +5,14 @@ title: Registry compatibility
--- ---
## Synopsis ## Synopsis
If a manifest is pulled by _digest_ from a registry 2.3 with Docker Engine 1.9 If a manifest is pulled by _digest_ from a registry 2.3 with Docker Engine 1.9
and older, and the manifest was pushed with Docker Engine 1.10, a security check and older, and the manifest was pushed with Docker Engine 1.10, a security check
causes the Engine to receive a manifest it cannot use and the pull fails. causes the Engine to receive a manifest it cannot use and the pull fails.
## Registry manifest support ## Registry manifest support
Historically, the registry has supported a [single manifest type](./spec/manifest-v2-1.md) Historically, the registry has supported a single manifest type
known as _Schema 1_. known as _Schema 1_.
With the move toward multiple architecture images, the distribution project With the move toward multiple architecture images, the distribution project
@ -23,7 +24,6 @@ preserve compatibility with older versions of Docker Engine.
This conversion has some implications for pulling manifests by digest and this This conversion has some implications for pulling manifests by digest and this
document enumerates these implications. document enumerates these implications.
## Content Addressable Storage (CAS) ## Content Addressable Storage (CAS)
Manifests are stored and retrieved in the registry by keying off a digest Manifests are stored and retrieved in the registry by keying off a digest
@ -42,7 +42,6 @@ attempts to send a _Schema 2_ manifest, falling back to sending a
Schema 1 type manifest when it detects that the registry does not Schema 1 type manifest when it detects that the registry does not
support the new version. support the new version.
## Registry v2.3 ## Registry v2.3
### Manifest push with Docker 1.10 ### Manifest push with Docker 1.10
@ -75,4 +74,3 @@ registry persists to disk.
When the manifest is pulled by digest or tag with any Docker version, a When the manifest is pulled by digest or tag with any Docker version, a
_Schema 1_ manifest is returned. _Schema 1_ manifest is returned.


@ -10,7 +10,7 @@ before moving your systems to production.
## Override specific configuration options ## Override specific configuration options
In a typical setup where you run your Registry from the official image, you can In a typical setup where you run your registry as a container, you can
specify a configuration variable from the environment by passing `-e` arguments specify a configuration variable from the environment by passing `-e` arguments
to your `docker run` stanza or from within a Dockerfile using the `ENV` to your `docker run` stanza or from within a Dockerfile using the `ENV`
instruction. instruction.
@ -20,7 +20,7 @@ To override a configuration option, create an environment variable named
and the `_` (underscore) represents indention levels. For example, you can and the `_` (underscore) represents indention levels. For example, you can
configure the `rootdirectory` of the `filesystem` storage backend: configure the `rootdirectory` of the `filesystem` storage backend:
```none ```yaml
storage: storage:
filesystem: filesystem:
rootdirectory: /var/lib/registry rootdirectory: /var/lib/registry
@ -28,7 +28,7 @@ storage:
To override this value, set an environment variable like this: To override this value, set an environment variable like this:
```none ```sh
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/somewhere REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/somewhere
``` ```
@ -64,7 +64,7 @@ These are all configuration options for the registry. Some options in the list
are mutually exclusive. Read the detailed reference information about each are mutually exclusive. Read the detailed reference information about each
option before finalizing your configuration. option before finalizing your configuration.
```none ```yaml
version: 0.1 version: 0.1
log: log:
accesslog: accesslog:
@ -293,7 +293,7 @@ the children marked **required**.
## `version` ## `version`
```none ```yaml
version: 0.1 version: 0.1
``` ```
@ -307,7 +307,7 @@ The `log` subsection configures the behavior of the logging system. The logging
system outputs everything to stderr. You can adjust the granularity and format system outputs everything to stderr. You can adjust the granularity and format
with this configuration section. with this configuration section.
```none ```yaml
log: log:
accesslog: accesslog:
disabled: true disabled: true
@ -326,7 +326,7 @@ log:
### `accesslog` ### `accesslog`
```none ```yaml
accesslog: accesslog:
disabled: true disabled: true
``` ```
@ -338,7 +338,7 @@ Access logging can be disabled by setting the boolean flag `disabled` to `true`.
## `hooks` ## `hooks`
```none ```yaml
hooks: hooks:
- type: mail - type: mail
levels: levels:
@ -362,7 +362,7 @@ Refer to `loglevel` to configure the level of messages printed.
> **DEPRECATED:** Please use [log](#log) instead. > **DEPRECATED:** Please use [log](#log) instead.
```none ```yaml
loglevel: debug loglevel: debug
``` ```
@ -371,7 +371,7 @@ Permitted values are `error`, `warn`, `info` and `debug`. The default is
## `storage` ## `storage`
```none ```yaml
storage: storage:
filesystem: filesystem:
rootdirectory: /var/lib/registry rootdirectory: /var/lib/registry
@ -436,15 +436,15 @@ returns an error. You can choose any of these backend storage drivers:
| Storage driver | Description | | Storage driver | Description |
|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |---------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `filesystem` | Uses the local disk to store registry files. It is ideal for development and may be appropriate for some small-scale production applications. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/filesystem.md). | | `filesystem` | Uses the local disk to store registry files. It is ideal for development and may be appropriate for some small-scale production applications. See the [driver's reference documentation](/storage-drivers/filesystem). |
| `azure` | Uses Microsoft Azure Blob Storage. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/azure.md). | | `azure` | Uses Microsoft Azure Blob Storage. See the [driver's reference documentation](/storage-drivers/azure). |
| `gcs` | Uses Google Cloud Storage. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/gcs.md). | | `gcs` | Uses Google Cloud Storage. See the [driver's reference documentation](/storage-drivers/gcs). |
| `s3` | Uses Amazon Simple Storage Service (S3) and compatible Storage Services. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/s3.md). | | `s3` | Uses Amazon Simple Storage Service (S3) and compatible Storage Services. See the [driver's reference documentation](/storage-drivers/s3). |
For testing only, you can use the [`inmemory` storage For testing only, you can use the [`inmemory` storage
driver](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/inmemory.md). driver](/storage-drivers/inmemory).
If you would like to run a registry from volatile memory, use the If you would like to run a registry from volatile memory, use the
[`filesystem` driver](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/filesystem.md) [`filesystem` driver](/storage-drivers/filesystem)
on a ramdisk. on a ramdisk.
If you are deploying a registry on Windows, a Windows volume mounted from the If you are deploying a registry on Windows, a Windows volume mounted from the
@ -453,7 +453,7 @@ data-store. If you do use a Windows volume, the length of the `PATH` to
the mount point must be within the `MAX_PATH` limits (typically 255 characters), the mount point must be within the `MAX_PATH` limits (typically 255 characters),
or this error will occur: or this error will occur:
```none ```text
mkdir /XXX protocol error and your registry will not function properly. mkdir /XXX protocol error and your registry will not function properly.
``` ```
@ -496,7 +496,7 @@ Use the `delete` structure to enable the deletion of image blobs and manifests
by digest. It defaults to false, but it can be enabled by writing the following by digest. It defaults to false, but it can be enabled by writing the following
on the configuration file: on the configuration file:
```none ```yaml
delete: delete:
enabled: true enabled: true
``` ```
@ -531,14 +531,14 @@ instance is aggressively caching.
To disable redirects, add a single flag `disable`, set to `true` To disable redirects, add a single flag `disable`, set to `true`
under the `redirect` section: under the `redirect` section:
```none ```yaml
redirect: redirect:
disable: true disable: true
``` ```
## `auth` ## `auth`
```none ```yaml
auth: auth:
silly: silly:
realm: silly-realm realm: silly-realm
@ -593,7 +593,7 @@ security.
For more information about Token based authentication configuration, see the For more information about Token based authentication configuration, see the
[specification](spec/auth/token.md). [specification](/spec/auth/token).
### `htpasswd` ### `htpasswd`
@ -601,7 +601,7 @@ The _htpasswd_ authentication backed allows you to configure basic
authentication using an authentication using an
[Apache htpasswd file](https://httpd.apache.org/docs/2.4/programs/htpasswd.html). [Apache htpasswd file](https://httpd.apache.org/docs/2.4/programs/htpasswd.html).
The only supported password format is The only supported password format is
[`bcrypt`](http://en.wikipedia.org/wiki/Bcrypt). Entries with other hash types [`bcrypt`](https://en.wikipedia.org/wiki/Bcrypt). Entries with other hash types
are ignored. The `htpasswd` file is loaded once, at startup. If the file is are ignored. The `htpasswd` file is loaded once, at startup. If the file is
invalid, the registry will display an error and will not start. invalid, the registry will display an error and will not start.
@ -629,7 +629,7 @@ object it is wrapping. For instance, a registry middleware must implement the
This is an example configuration of the `cloudfront` middleware, a storage This is an example configuration of the `cloudfront` middleware, a storage
middleware: middleware:
```none ```yaml
middleware: middleware:
registry: registry:
- name: ARegistryMiddleware - name: ARegistryMiddleware
@ -694,7 +694,7 @@ location of a proxy for the layer stored by the S3 storage driver.
## `http` ## `http`
```none ```yaml
http: http:
addr: localhost:5000 addr: localhost:5000
net: tcp net: tcp
@ -834,7 +834,7 @@ to access proxy statistics. These statistics are exposed at `/debug/vars` in JSO
#### `prometheus` #### `prometheus`
```none ```yaml
prometheus: prometheus:
enabled: true enabled: true
path: /metrics path: /metrics
@ -879,7 +879,7 @@ settings for the registry.
## `notifications` ## `notifications`
```none ```yaml
notifications: notifications:
events: events:
includereferences: true includereferences: true
@ -937,7 +937,7 @@ The `events` structure configures the information provided in event notification
## `redis` ## `redis`
```none ```yaml
redis: redis:
addr: localhost:6379 addr: localhost:6379
password: asecret password: asecret
@ -974,7 +974,7 @@ registry does not set an expiration value on keys.
### `pool` ### `pool`
```none ```yaml
pool: pool:
maxidle: 16 maxidle: 16
maxactive: 64 maxactive: 64
@ -991,7 +991,7 @@ Use these settings to configure the behavior of the Redis connection pool.
### `tls` ### `tls`
```none ```yaml
tls: tls:
enabled: false enabled: false
``` ```
@ -1005,7 +1005,7 @@ Use these settings to configure Redis TLS.
## `health` ## `health`
```none ```yaml
health: health:
storagedriver: storagedriver:
enabled: true enabled: true
@ -1090,7 +1090,7 @@ attempt fails, the health check will fail.
## `proxy` ## `proxy`
``` ```yaml
proxy: proxy:
remoteurl: https://registry-1.docker.io remoteurl: https://registry-1.docker.io
username: [username] username: [username]
@ -1099,8 +1099,8 @@ proxy:
``` ```
The `proxy` structure allows a registry to be configured as a pull-through cache The `proxy` structure allows a registry to be configured as a pull-through cache
to Docker Hub. See to Docker Hub. See
[mirror](https://github.com/docker/docker.github.io/tree/master/registry/recipes/mirror.md) [mirror](/recipes/mirror)
for more information. Pushing to a registry configured as a pull-through cache for more information. Pushing to a registry configured as a pull-through cache
is unsupported. is unsupported.
@ -1120,7 +1120,7 @@ username (such as `batman`) and the password for that username.
## `validation` ## `validation`
```none ```yaml
validation: validation:
manifests: manifests:
urls: urls:
@ -1151,15 +1151,15 @@ If `allow` is unset, pushing a manifest containing URLs fails.
If `allow` is set, pushing a manifest succeeds only if all URLs match If `allow` is set, pushing a manifest succeeds only if all URLs match
one of the `allow` regular expressions **and** one of the following holds: one of the `allow` regular expressions **and** one of the following holds:
1. `deny` is unset. 1. `deny` is unset.
2. `deny` is set but no URLs within the manifest match any of the `deny` regular 2. `deny` is set but no URLs within the manifest match any of the `deny` regular
expressions. expressions.
## Example: Development configuration ## Example: Development configuration
You can use this simple example for local development: You can use this simple example for local development:
```none ```yaml
version: 0.1 version: 0.1
log: log:
level: debug level: debug
@ -1183,10 +1183,9 @@ See
for another simple configuration. Both examples are generally useful for local for another simple configuration. Both examples are generally useful for local
development. development.
## Example: Middleware configuration ## Example: Middleware configuration
This example configures [Amazon Cloudfront](http://aws.amazon.com/cloudfront/) This example configures [Amazon Cloudfront](https://aws.amazon.com/cloudfront/)
as the storage middleware in a registry. Middleware allows the registry to serve as the storage middleware in a registry. Middleware allows the registry to serve
layers via a content delivery network (CDN). This reduces requests to the layers via a content delivery network (CDN). This reduces requests to the
storage layer. storage layer.
@ -1195,7 +1194,7 @@ Cloudfront requires the S3 storage driver.
This is the configuration expressed in YAML: This is the configuration expressed in YAML:
```none ```yaml
middleware: middleware:
storage: storage:
- name: cloudfront - name: cloudfront
@ -1210,6 +1209,8 @@ middleware:
See the configuration reference for [Cloudfront](#cloudfront) for more See the configuration reference for [Cloudfront](#cloudfront) for more
information about configuration options. information about configuration options.
> **Note**: Cloudfront keys exist separately from other AWS keys. See {{< hint type=note >}}
> [the documentation on AWS credentials](http://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html) Cloudfront keys exist separately from other AWS keys. See
> for more information. [the documentation on AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html)
for more information.
{{< /hint >}}


@ -9,7 +9,7 @@ A registry is an instance of the `registry` image, and runs within Docker.
This topic provides basic information about deploying and configuring a This topic provides basic information about deploying and configuring a
registry. For an exhaustive list of configuration options, see the registry. For an exhaustive list of configuration options, see the
[configuration reference](configuration.md). [configuration reference](../configuration).
If you have an air-gapped datacenter, see If you have an air-gapped datacenter, see
[Considerations for air-gapped registries](#considerations-for-air-gapped-registries). [Considerations for air-gapped registries](#considerations-for-air-gapped-registries).
@ -27,7 +27,7 @@ The registry is now ready to use.
> **Warning**: These first few examples show registry configurations that are > **Warning**: These first few examples show registry configurations that are
> only appropriate for testing. A production-ready registry must be protected by > only appropriate for testing. A production-ready registry must be protected by
> TLS and should ideally use an access-control mechanism. Keep reading and then > TLS and should ideally use an access-control mechanism. Keep reading and then
> continue to the [configuration guide](configuration.md) to deploy a > continue to the [configuration guide](../configuration) to deploy a
> production-ready registry. > production-ready registry.
## Copy an image from Docker Hub to your registry ## Copy an image from Docker Hub to your registry
@ -38,40 +38,40 @@ as `my-ubuntu`, then pushes it to the local registry. Finally, the
`ubuntu:16.04` and `my-ubuntu` images are deleted locally and the `ubuntu:16.04` and `my-ubuntu` images are deleted locally and the
`my-ubuntu` image is pulled from the local registry. `my-ubuntu` image is pulled from the local registry.
1. Pull the `ubuntu:16.04` image from Docker Hub. 1. Pull the `ubuntu:16.04` image from Docker Hub.
```console ```console
$ docker pull ubuntu:16.04 $ docker pull ubuntu:16.04
``` ```
2. Tag the image as `localhost:5000/my-ubuntu`. This creates an additional tag 2. Tag the image as `localhost:5000/my-ubuntu`. This creates an additional tag
for the existing image. When the first part of the tag is a hostname and for the existing image. When the first part of the tag is a hostname and
port, Docker interprets this as the location of a registry, when pushing. port, Docker interprets this as the location of a registry, when pushing.
```console ```console
$ docker tag ubuntu:16.04 localhost:5000/my-ubuntu $ docker tag ubuntu:16.04 localhost:5000/my-ubuntu
``` ```
3. Push the image to the local registry running at `localhost:5000`: 3. Push the image to the local registry running at `localhost:5000`:
```console ```console
$ docker push localhost:5000/my-ubuntu $ docker push localhost:5000/my-ubuntu
``` ```
4. Remove the locally-cached `ubuntu:16.04` and `localhost:5000/my-ubuntu` 4. Remove the locally-cached `ubuntu:16.04` and `localhost:5000/my-ubuntu`
images, so that you can test pulling the image from your registry. This images, so that you can test pulling the image from your registry. This
does not remove the `localhost:5000/my-ubuntu` image from your registry. does not remove the `localhost:5000/my-ubuntu` image from your registry.
```console ```console
$ docker image remove ubuntu:16.04 $ docker image remove ubuntu:16.04
$ docker image remove localhost:5000/my-ubuntu $ docker image remove localhost:5000/my-ubuntu
``` ```
5. Pull the `localhost:5000/my-ubuntu` image from your local registry. 5. Pull the `localhost:5000/my-ubuntu` image from your local registry.
```console ```console
$ docker pull localhost:5000/my-ubuntu $ docker pull localhost:5000/my-ubuntu
``` ```
## Stop a local registry ## Stop a local registry
@ -94,7 +94,7 @@ To configure the container, you can pass additional or modified options to the
`docker run` command. `docker run` command.
The following sections provide basic guidelines for configuring your registry. The following sections provide basic guidelines for configuring your registry.
For more details, see the [registry configuration reference](configuration.md). For more details, see the [registry configuration reference](../configuration).
### Start the registry automatically ### Start the registry automatically
@ -144,7 +144,7 @@ $ docker run -d \
### Customize the storage location ### Customize the storage location
By default, your registry data is persisted as a [docker volume](../storage/volumes.md) By default, your registry data is persisted as a [docker volume](https://docs.docker.com/storage/volumes)
on the host filesystem. If you want to store your registry contents at a specific on the host filesystem. If you want to store your registry contents at a specific
location on your host filesystem, such as if you have an SSD or SAN mounted into location on your host filesystem, such as if you have an SSD or SAN mounted into
a particular directory, you might decide to use a bind mount instead. A bind mount a particular directory, you might decide to use a bind mount instead. A bind mount
@ -166,8 +166,8 @@ $ docker run -d \
By default, the registry stores its data on the local filesystem, whether you By default, the registry stores its data on the local filesystem, whether you
use a bind mount or a volume. You can store the registry data in an Amazon S3 use a bind mount or a volume. You can store the registry data in an Amazon S3
bucket, Google Cloud Platform, or on another storage back-end by using bucket, Google Cloud Platform, or on another storage back-end by using
[storage drivers](./storage-drivers/index.md). For more information, see [storage drivers](/storage-drivers). For more information, see
[storage configuration options](./configuration.md#storage). [storage configuration options](../configuration#storage).
## Run an externally-accessible registry ## Run an externally-accessible registry
@ -190,48 +190,48 @@ These examples assume the following:
If you have been issued an _intermediate_ certificate instead, see If you have been issued an _intermediate_ certificate instead, see
[use an intermediate certificate](#use-an-intermediate-certificate). [use an intermediate certificate](#use-an-intermediate-certificate).
1. Create a `certs` directory. 1. Create a `certs` directory.
```console ```console
$ mkdir -p certs $ mkdir -p certs
``` ```
Copy the `.crt` and `.key` files from the CA into the `certs` directory. Copy the `.crt` and `.key` files from the CA into the `certs` directory.
The following steps assume that the files are named `domain.crt` and The following steps assume that the files are named `domain.crt` and
`domain.key`. `domain.key`.
2. Stop the registry if it is currently running. 2. Stop the registry if it is currently running.
```console ```console
$ docker container stop registry $ docker container stop registry
``` ```
3. Restart the registry, directing it to use the TLS certificate. This command 3. Restart the registry, directing it to use the TLS certificate. This command
bind-mounts the `certs/` directory into the container at `/certs/`, and sets bind-mounts the `certs/` directory into the container at `/certs/`, and sets
environment variables that tell the container where to find the `domain.crt` environment variables that tell the container where to find the `domain.crt`
and `domain.key` file. The registry runs on port 443, the default HTTPS port. and `domain.key` file. The registry runs on port 443, the default HTTPS port.
```console ```console
$ docker run -d \ $ docker run -d \
--restart=always \ --restart=always \
--name registry \ --name registry \
-v "$(pwd)"/certs:/certs \ -v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \ -p 443:443 \
registry:2 registry:2
``` ```
4. Docker clients can now pull from and push to your registry using its 4. Docker clients can now pull from and push to your registry using its
external address. The following commands demonstrate this: external address. The following commands demonstrate this:
```console ```console
$ docker pull ubuntu:16.04 $ docker pull ubuntu:16.04
$ docker tag ubuntu:16.04 myregistry.domain.com/my-ubuntu $ docker tag ubuntu:16.04 myregistry.domain.com/my-ubuntu
$ docker push myregistry.domain.com/my-ubuntu $ docker push myregistry.domain.com/my-ubuntu
$ docker pull myregistry.domain.com/my-ubuntu $ docker pull myregistry.domain.com/my-ubuntu
``` ```
#### Use an intermediate certificate #### Use an intermediate certificate
@ -252,23 +252,23 @@ The registry supports using Let's Encrypt to automatically obtain a
browser-trusted certificate. For more information on Let's Encrypt, see browser-trusted certificate. For more information on Let's Encrypt, see
[https://letsencrypt.org/how-it-works/](https://letsencrypt.org/how-it-works/) [https://letsencrypt.org/how-it-works/](https://letsencrypt.org/how-it-works/)
and the relevant section of the and the relevant section of the
[registry configuration](configuration.md#letsencrypt). [registry configuration](../configuration#letsencrypt).
### Use an insecure registry (testing only) ### Use an insecure registry (testing only)
It is possible to use a self-signed certificate, or to use our registry It is possible to use a self-signed certificate, or to use our registry
insecurely. Unless you have set up verification for your self-signed insecurely. Unless you have set up verification for your self-signed
certificate, this is for testing only. See [run an insecure registry](insecure.md). certificate, this is for testing only. See [run an insecure registry](../insecure).
## Run the registry as a service ## Run the registry as a service
[Swarm services](../engine/swarm/services.md) provide several advantages over [Swarm services](https://docs.docker.com/engine/swarm/services) provide several advantages over
standalone containers. They use a declarative model, which means that you define standalone containers. They use a declarative model, which means that you define
the desired state and Docker works to keep your service in that state. Services the desired state and Docker works to keep your service in that state. Services
provide automatic load balancing scaling, and the ability to control the provide automatic load balancing scaling, and the ability to control the
distribution of your service, among other advantages. Services also allow you to distribution of your service, among other advantages. Services also allow you to
store sensitive data such as TLS certificates in store sensitive data such as TLS certificates in
[secrets](../engine/swarm/secrets.md). [secrets](https://docs.docker.com/engine/swarm/secrets).
The storage back-end you use determines whether you use a fully scaled service The storage back-end you use determines whether you use a fully scaled service
or a service with either only a single node or a node constraint. or a service with either only a single node or a node constraint.
@ -342,9 +342,9 @@ The most important aspect is that a load balanced cluster of registries must
share the same resources. For the current version of the registry, this means share the same resources. For the current version of the registry, this means
the following must be the same: the following must be the same:
- Storage Driver - Storage Driver
- HTTP Secret - HTTP Secret
- Redis Cache (if configured) - Redis Cache (if configured)
Differences in any of the above cause problems serving requests. Differences in any of the above cause problems serving requests.
As an example, if you're using the filesystem driver, all registry instances As an example, if you're using the filesystem driver, all registry instances
@ -393,87 +393,89 @@ The simplest way to achieve access restriction is through basic authentication
This example uses native basic authentication using `htpasswd` to store the This example uses native basic authentication using `htpasswd` to store the
secrets. secrets.
> **Warning**: {{< hint type=warning >}}
> You **cannot** use authentication with authentication schemes that send You **cannot** use authentication with authentication schemes that send
> credentials as clear text. You must credentials as clear text. You must
> [configure TLS first](deploying.md#run-an-externally-accessible-registry) for [configure TLS first](#run-an-externally-accessible-registry) for
> authentication to work. authentication to work.
{:.warning} {{< /hint >}}
> **Warning** {{< hint type=warning >}}
> The official registry image **only** supports htpasswd credentials in The distribution registry **only** supports htpasswd credentials in
> bcrypt format, so if you omit the `-B` option when generating the credential bcrypt format, so if you omit the `-B` option when generating the credential
> using htpasswd, all authentication attempts will fail. using htpasswd, all authentication attempts will fail.
{:.warning} {{< /hint >}}
1. Create a password file with one entry for the user `testuser`, with password 1. Create a password file with one entry for the user `testuser`, with password
`testpassword`: `testpassword`:
```console ```console
$ mkdir auth $ mkdir auth
$ docker run \ $ docker run \
--entrypoint htpasswd \ --entrypoint htpasswd \
httpd:2 -Bbn testuser testpassword > auth/htpasswd httpd:2 -Bbn testuser testpassword > auth/htpasswd
``` ```
On Windows, make sure the output file is correctly encoded: On Windows, make sure the output file is correctly encoded:
```powershell ```powershell
docker run --rm --entrypoint htpasswd httpd:2 -Bbn testuser testpassword | Set-Content -Encoding ASCII auth/htpasswd docker run --rm --entrypoint htpasswd httpd:2 -Bbn testuser testpassword | Set-Content -Encoding ASCII auth/htpasswd
``` ```
2. Stop the registry. 2. Stop the registry.
```console ```console
$ docker container stop registry $ docker container stop registry
``` ```
3. Start the registry with basic authentication. 3. Start the registry with basic authentication.
```console ```console
$ docker run -d \ $ docker run -d \
-p 5000:5000 \ -p 5000:5000 \
--restart=always \ --restart=always \
--name registry \ --name registry \
-v "$(pwd)"/auth:/auth \ -v "$(pwd)"/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v "$(pwd)"/certs:/certs \ -v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2 registry:2
``` ```
4. Try to pull an image from the registry, or push an image to the registry. 4. Try to pull an image from the registry, or push an image to the registry.
These commands fail. These commands fail.
5. Log in to the registry. 5. Log in to the registry.
```console ```console
$ docker login myregistrydomain.com:5000 $ docker login myregistrydomain.com:5000
``` ```
Provide the username and password from the first step. Provide the username and password from the first step.
Test that you can now pull an image from the registry or push an image to Test that you can now pull an image from the registry or push an image to
the registry. the registry.
> **X509 errors**: X509 errors usually indicate that you are attempting to use {{< hint type=note title="X509 errors" >}}
> a self-signed certificate without configuring the Docker daemon correctly. X509 errors usually indicate that you are attempting to use
> See [run an insecure registry](insecure.md). a self-signed certificate without configuring the Docker daemon correctly.
See [run an insecure registry](../insecure).
{{< /hint >}}
### More advanced authentication ### More advanced authentication
You may want to leverage more advanced basic auth implementations by using a You may want to leverage more advanced basic auth implementations by using a
proxy in front of the registry. See the [recipes list](recipes/index.md). proxy in front of the registry. See the [recipes list](/recipes/).
The registry also supports delegated authentication which redirects users to a The registry also supports delegated authentication which redirects users to a
specific trusted token server. This approach is more complicated to set up, and specific trusted token server. This approach is more complicated to set up, and
only makes sense if you need to fully configure ACLs and need more control over only makes sense if you need to fully configure ACLs and need more control over
the registry's integration into your global authorization and authentication the registry's integration into your global authorization and authentication
systems. Refer to the following [background information](spec/auth/token.md) and systems. Refer to the following [background information](/spec/auth/token) and
[configuration information here](configuration.md#auth). [configuration information here](../configuration#auth).
This approach requires you to implement your own authentication system or This approach requires you to implement your own authentication system or
leverage a third-party implementation. leverage a third-party implementation.
@ -537,41 +539,42 @@ following:
You are responsible for ensuring that you are in compliance with the terms of You are responsible for ensuring that you are in compliance with the terms of
use for non-distributable layers. use for non-distributable layers.
1. Edit the `daemon.json` file, which is located in `/etc/docker/` on Linux 1. Edit the `daemon.json` file, which is located in `/etc/docker/` on Linux
hosts and `C:\ProgramData\docker\config\daemon.json` on Windows Server. hosts and `C:\ProgramData\docker\config\daemon.json` on Windows Server.
Assuming the file was previously empty, add the following contents: Assuming the file was previously empty, add the following contents:
```json ```json
{ {
"allow-nondistributable-artifacts": ["myregistrydomain.com:5000"] "allow-nondistributable-artifacts": ["myregistrydomain.com:5000"]
} }
``` ```
The value is an array of registry addresses, separated by commas. The value is an array of registry addresses, separated by commas.
Save and exit the file. Save and exit the file.
2. Restart Docker. 2. Restart Docker.
3. Restart the registry if it does not start automatically. 3. Restart the registry if it does not start automatically.
4. When you push images to the registries in the list, their 4. When you push images to the registries in the list, their
non-distributable layers are pushed to the registry. non-distributable layers are pushed to the registry.
> **Warning**: Non-distributable artifacts typically have restrictions on
> how and where they can be distributed and shared. Only use this feature
> to push artifacts to private registries and ensure that you are in
> compliance with any terms that cover redistributing non-distributable
> artifacts.
{{< hint type=warning >}}
Non-distributable artifacts typically have restrictions on
how and where they can be distributed and shared. Only use this feature
to push artifacts to private registries and ensure that you are in
compliance with any terms that cover redistributing non-distributable
artifacts.
{{< /hint >}}
## Next steps ## Next steps
More specific and advanced information is available in the following sections: More specific and advanced information is available in the following sections:
- [Configuration reference](configuration.md) - [Configuration reference](../configuration)
- [Working with notifications](notifications.md) - [Working with notifications](../notifications)
- [Advanced "recipes"](recipes/index.md) - [Advanced "recipes"](/recipes)
- [Registry API](spec/api.md) - [Registry API](/spec/api)
- [Storage driver model](storage-drivers/index.md) - [Storage driver model](/storage-drivers)
- [Token authentication](spec/auth/token.md) - [Token authentication](/spec/auth/token)
@ -9,7 +9,7 @@ This document describes what this command does and how and why it should be used
## About garbage collection ## About garbage collection
In the context of the Docker registry, garbage collection is the process of In the context of the registry, garbage collection is the process of
removing blobs from the filesystem when they are no longer referenced by a removing blobs from the filesystem when they are no longer referenced by a
manifest. Blobs can include both layers and manifests. manifest. Blobs can include both layers and manifests.
@ -21,15 +21,15 @@ that certain layers no longer exist on the filesystem.
Filesystem layers are stored by their content address in the Registry. This Filesystem layers are stored by their content address in the Registry. This
has many advantages, one of which is that data is stored once and referred to by manifests. has many advantages, one of which is that data is stored once and referred to by manifests.
See [here](compatibility.md#content-addressable-storage-cas) for more details. See [here](../compatibility#content-addressable-storage-cas) for more details.
Layers are therefore shared amongst manifests; each manifest maintains a reference Layers are therefore shared amongst manifests; each manifest maintains a reference
to the layer. As long as a layer is referenced by one manifest, it cannot be garbage to the layer. As long as a layer is referenced by one manifest, it cannot be garbage
collected. collected.
Manifests and layers can be `deleted` with the registry API (refer to the API Manifests and layers can be `deleted` with the registry API (refer to the API
documentation [here](spec/api.md#deleting-a-layer) and documentation [here](/spec/api#deleting-a-layer) and
[here](spec/api.md#deleting-an-image) for details). This API removes references [here](/spec/api#deleting-an-image) for details). This API removes references
to the target and makes them eligible for garbage collection. It also makes them to the target and makes them eligible for garbage collection. It also makes them
unable to be read via the API. unable to be read via the API.
@ -1,5 +1,5 @@
--- ---
published: false draft: true
--- ---
# Glossary # Glossary
@ -17,7 +17,7 @@ This page contains definitions for distribution related terms.
<dt id="image"><h4>Image</h4></dt> <dt id="image"><h4>Image</h4></dt>
<dd> <dd>
<blockquote>An image is a named set of immutable data from which a Docker container can be created.</blockquote> <blockquote>An image is a named set of immutable data from which a container can be created.</blockquote>
<p> <p>
An image is represented by a json file called a <a href="#manifest">manifest</a>, and is conceptually a set of <a href="#layer">layers</a>. An image is represented by a json file called a <a href="#manifest">manifest</a>, and is conceptually a set of <a href="#layer">layers</a>.
@ -45,7 +45,7 @@ This page contains definitions for distribution related terms.
</dd> </dd>
<dt id="registry"><h4>Registry</h4></dt> <dt id="registry"><h4>Registry</h4></dt>
<dd><blockquote>A registry is a service that let you store and deliver <a href="#images">images</a>.</blockquote> <dd><blockquote>A registry is a service that let you store and deliver <a href="#images">images</a> and other content.</blockquote>
</dd> </dd>
<dt id="registry"><h4>Repository</h4></dt> <dt id="registry"><h4>Repository</h4></dt>
@ -10,5 +10,3 @@ If you want to report a bug:
- be sure to first read about [how to contribute](https://github.com/distribution/distribution/blob/master/CONTRIBUTING.md). - be sure to first read about [how to contribute](https://github.com/distribution/distribution/blob/master/CONTRIBUTING.md).
- you can then do so on the [GitHub project bugtracker](https://github.com/distribution/distribution/issues). - you can then do so on the [GitHub project bugtracker](https://github.com/distribution/distribution/issues).
You can also find out more about the Docker's project [Getting Help resources](../opensource/ways.md).
@ -11,96 +11,96 @@ involves security trade-offs and additional configuration steps.
## Deploy a plain HTTP registry ## Deploy a plain HTTP registry
> **Warning**: {{< hint type=warning >}}
> It's not possible to use an insecure registry with basic authentication. It's not possible to use an insecure registry with basic authentication.
{:.warning} {{< /hint >}}
This procedure configures Docker to entirely disregard security for your This procedure configures Docker to entirely disregard security for your
registry. This is **very** insecure and is not recommended. It exposes your registry. This is **very** insecure and is not recommended. It exposes your
registry to trivial man-in-the-middle (MITM) attacks. Only use this solution for registry to trivial man-in-the-middle (MITM) attacks. Only use this solution for
isolated testing or in a tightly controlled, air-gapped environment. isolated testing or in a tightly controlled, air-gapped environment.
1. Edit the `daemon.json` file, whose default location is 1. Edit the `daemon.json` file, whose default location is
`/etc/docker/daemon.json` on Linux or `/etc/docker/daemon.json` on Linux or
`C:\ProgramData\docker\config\daemon.json` on Windows Server. If you use `C:\ProgramData\docker\config\daemon.json` on Windows Server. If you use
Docker Desktop for Mac or Docker Desktop for Windows, click the Docker icon, choose Docker Desktop for Mac or Docker Desktop for Windows, click the Docker icon, choose
**Preferences** (Mac) or **Settings** (Windows), and choose **Docker Engine**. **Preferences** (Mac) or **Settings** (Windows), and choose **Docker Engine**.
If the `daemon.json` file does not exist, create it. Assuming there are no If the `daemon.json` file does not exist, create it. Assuming there are no
other settings in the file, it should have the following contents: other settings in the file, it should have the following contents:
```json ```json
{ {
"insecure-registries" : ["myregistrydomain.com:5000"] "insecure-registries" : ["myregistrydomain.com:5000"]
} }
``` ```
Substitute the address of your insecure registry for the one in the example. Substitute the address of your insecure registry for the one in the example.
With insecure registries enabled, Docker goes through the following steps: With insecure registries enabled, Docker goes through the following steps:
- First, try using HTTPS. - First, try using HTTPS.
- If HTTPS is available but the certificate is invalid, ignore the error
about the certificate. - If HTTPS is available but the certificate is invalid, ignore the error
- If HTTPS is not available, fall back to HTTP. about the certificate.
- If HTTPS is not available, fall back to HTTP.
2. Restart Docker for the changes to take effect. 2. Restart Docker for the changes to take effect.
Repeat these steps on every Engine host that wants to access your registry. Repeat these steps on every Engine host that wants to access your registry.
## Use self-signed certificates ## Use self-signed certificates
> **Warning**: {{< hint type=warning >}}
> Using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker (see below) Using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker (see below)
{:.warning} {{< /hint >}}
This is more secure than the insecure registry solution. This is more secure than the insecure registry solution.
1. Generate your own certificate: 1. Generate your own certificate:
```console ```console
$ mkdir -p certs $ mkdir -p certs
$ openssl req \ $ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \ -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-addext "subjectAltName = DNS:myregistry.domain.com" \ -addext "subjectAltName = DNS:myregistry.domain.com" \
-x509 -days 365 -out certs/domain.crt -x509 -days 365 -out certs/domain.crt
``` ```
Be sure to use the name `myregistry.domain.com` as a CN. Be sure to use the name `myregistry.domain.com` as a CN.
2. Use the result to [start your registry with TLS enabled](./deploying.md#get-a-certificate). 2. Use the result to [start your registry with TLS enabled](../deploying#get-a-certificate).
3. Instruct every Docker daemon to trust that certificate. The way to do this 3. Instruct every Docker daemon to trust that certificate. The way to do this
depends on your OS. depends on your OS.
- **Linux**: Copy the `domain.crt` file to - **Linux**: Copy the `domain.crt` file to
`/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt` on every Docker `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt` on every Docker
host. You do not need to restart Docker. host. You do not need to restart Docker.
- **Windows Server**: - **Windows Server**:
1. Open Windows Explorer, right-click the `domain.crt` 1. Open Windows Explorer, right-click the `domain.crt`
file, and choose Install certificate. When prompted, select the following file, and choose Install certificate. When prompted, select the following
options: options:
| Store location | local machine | | Store location | local machine |
| Place all certificates in the following store | selected | | Place all certificates in the following store | selected |
2. Click **Browser** and select **Trusted Root Certificate Authorities**. 2. Click **Browser** and select **Trusted Root Certificate Authorities**.
3. Click **Finish**. Restart Docker. 3. Click **Finish**. Restart Docker.
- **Docker Desktop for Mac**: Follow the instructions in - **Docker Desktop for Mac**: Follow the instructions in
[Adding custom CA certificates](../desktop/mac/index.md#add-tls-certificates){: target="_blank" rel="noopener" class="_"}. [Adding custom CA certificates](https://docs.docker.com/desktop/mac/#add-tls-certificates).
Restart Docker. Restart Docker.
- **Docker Desktop for Windows**: Follow the instructions in - **Docker Desktop for Windows**: Follow the instructions in
[Adding custom CA certificates](../desktop/windows/index.md#adding-tls-certificates){: target="_blank" rel="noopener" class="_"}. [Adding custom CA certificates](https://docs.docker.com/desktop/windows/#adding-tls-certificates).
Restart Docker. Restart Docker.
## Troubleshoot insecure registry ## Troubleshoot insecure registry
@ -8,9 +8,9 @@ The Registry supports sending webhook notifications in response to events
happening within the registry. Notifications are sent in response to manifest happening within the registry. Notifications are sent in response to manifest
pushes and pulls and layer pushes and pulls. These actions are serialized into pushes and pulls and layer pushes and pulls. These actions are serialized into
events. The events are queued into a registry-internal broadcast system which events. The events are queued into a registry-internal broadcast system which
queues and dispatches events to [_Endpoints_](notifications.md#endpoints). queues and dispatches events to [_Endpoints_](#endpoints).
![Workflow of registry notifications](images/notifications.png) ![Workflow of registry notifications](/images/notifications.png)
## Endpoints ## Endpoints
@ -45,7 +45,7 @@ The above would configure the registry with an endpoint to send events to
5 failures happen consecutively, the registry backs off for 1 second before 5 failures happen consecutively, the registry backs off for 1 second before
trying again. trying again.
For details on the fields, see the [configuration documentation](configuration.md#notifications). For details on the fields, see the [configuration documentation](../configuration/#notifications).
A properly configured endpoint should lead to a log message from the registry A properly configured endpoint should lead to a log message from the registry
upon startup: upon startup:
@ -9,7 +9,7 @@ These recipes are not useful for most standard set-ups.
## Requirements ## Requirements
Before following these steps, work through the [deployment guide](../deploying.md). Before following these steps, work through the [deployment guide](../about/deploying).
At this point, it's assumed that: At this point, it's assumed that:
@ -21,8 +21,8 @@ At this point, it's assumed that:
## The List ## The List
* [using Apache as an authenticating proxy](apache.md) * [using Apache as an authenticating proxy](apache)
* [using Nginx as an authenticating proxy](nginx.md) * [using Nginx as an authenticating proxy](nginx)
* [running a Registry on macOS](osx-setup-guide.md) * [running a Registry on macOS](osx-setup-guide)
* [mirror the Docker Hub](mirror.md) * [mirror the Docker Hub](mirror)
* [start registry via systemd](systemd.md) * [start registry via systemd](systemd)
@ -12,7 +12,7 @@ Usually, that includes enterprise setups using LDAP/AD on the backend and a SSO
### Alternatives ### Alternatives
If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](../deploying.md#native-basic-auth). If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](/about/deploying#native-basic-auth).
### Solution ### Solution
@ -30,13 +30,13 @@ Furthermore, introducing an extra http layer in your communication pipeline adds
## Setting things up ## Setting things up
Read again [the requirements](index.md#requirements). Read again [the requirements](../#requirements).
Ready? Ready?
Run the following script: Run the following script:
``` ```sh
mkdir -p auth mkdir -p auth
mkdir -p data mkdir -p data
@ -191,19 +191,27 @@ EOF
Now, start your stack: Now, start your stack:
docker-compose up -d ```console
$ docker-compose up -d
```
Log in with a "push" authorized user (using `testuserpush` and `testpasswordpush`), then tag and push your first image: Log in with a "push" authorized user (using `testuserpush` and `testpasswordpush`), then tag and push your first image:
docker login myregistrydomain.com:5043 ```console
docker tag ubuntu myregistrydomain.com:5043/test $ docker login myregistrydomain.com:5043
docker push myregistrydomain.com:5043/test $ docker tag ubuntu myregistrydomain.com:5043/test
$ docker push myregistrydomain.com:5043/test
```
Now, log in with a "pull-only" user (using `testuser` and `testpassword`), then pull back the image: Now, log in with a "pull-only" user (using `testuser` and `testpassword`), then pull back the image:
docker login myregistrydomain.com:5043 ```console
docker pull myregistrydomain.com:5043/test $ docker login myregistrydomain.com:5043
$ docker pull myregistrydomain.com:5043/test
```
Verify that the "pull-only" can NOT push: Verify that the "pull-only" can NOT push:
docker push myregistrydomain.com:5043/test ```console
$ docker push myregistrydomain.com:5043/test
```
@ -2,22 +2,16 @@
description: Setting-up a local mirror for Docker Hub images description: Setting-up a local mirror for Docker Hub images
keywords: registry, on-prem, images, tags, repository, distribution, mirror, Hub, recipe, advanced keywords: registry, on-prem, images, tags, repository, distribution, mirror, Hub, recipe, advanced
title: Registry as a pull through cache title: Registry as a pull through cache
redirect_from:
- /engine/admin/registry_mirror/
--- ---
## Use-case ## Use-case
If you have multiple instances of Docker running in your environment, such as If you have multiple consumers of containers running in your environment, such as
multiple physical or virtual machines all running Docker, each daemon goes out multiple physical or virtual machines using containers, or a Kubernetes cluster,
to the internet and fetches an image it doesn't have locally, from the Docker each cunsumer fetches an images it doesn't have locally, from the external registry.
repository. You can run a local registry mirror and point all your daemons You can run a local registry mirror and point all your consumers
there, to avoid this extra internet traffic. there, to avoid this extra internet traffic.
> **Note**
>
> Docker Official Images are an intellectual property of Docker.
### Alternatives ### Alternatives
Alternatively, if the set of images you are using is well delimited, you can Alternatively, if the set of images you are using is well delimited, you can
@ -88,7 +82,8 @@ but this property does not hold true for a registry cache cluster.
> **Note** > **Note**
> >
> Service accounts included in the Team plan are limited to 5,000 pulls per day. See [Service Accounts](/docker-hub/service-accounts/) for more details. > Service accounts included in the Team plan are limited to 5,000 pulls per day.
> See [Service Accounts](https://docs.docker.com/docker-hub/service-accounts/) for more details.
### Configure the cache ### Configure the cache
@ -113,12 +108,12 @@ proxy:
> **Warning**: For the scheduler to clean up old entries, `delete` must > **Warning**: For the scheduler to clean up old entries, `delete` must
> be enabled in the registry configuration. See > be enabled in the registry configuration. See
> [Registry Configuration](../configuration.md) for more details. > [Registry Configuration](/about/configuration) for more details.
### Configure the Docker daemon ### Configure the Docker daemon
Either pass the `--registry-mirror` option when starting `dockerd` manually, Either pass the `--registry-mirror` option when starting `dockerd` manually,
or edit [`/etc/docker/daemon.json`](../../engine/reference/commandline/dockerd.md#daemon-configuration-file) or edit [`/etc/docker/daemon.json`](https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file)
and add the `registry-mirrors` key and value, to make the change persistent. and add the `registry-mirrors` key and value, to make the change persistent.
```json ```json


@ -0,0 +1,207 @@
---
description: Restricting access to your registry using a nginx proxy
keywords: registry, on-prem, images, tags, repository, distribution, nginx, proxy, authentication, TLS, recipe, advanced
title: Authenticate proxy with nginx
---
## Use-case
People already relying on a nginx proxy to authenticate their users to other
services might want to leverage it and have Registry communications tunneled
through the same pipeline.
Usually, that includes enterprise setups using LDAP/AD on the backend and a SSO
mechanism fronting their internal http portal.
### Alternatives
If you just want authentication for your registry, and are happy maintaining
users access separately, you should really consider sticking with the native
[basic auth registry feature](/about/deploying#native-basic-auth).
### Solution
With the method presented here, you implement basic authentication for docker
engines in a reverse proxy that sits in front of your registry.
While we use a simple htpasswd file as an example, any other nginx
authentication backend should be fairly easy to implement once you are done with
the example.
We also implement push restriction (to a limited user group) for the sake of the
example. Again, you should modify this to fit your mileage.
### Gotchas
While this model gives you the ability to use whatever authentication backend
you want through the secondary authentication mechanism implemented inside your
proxy, it also requires that you move TLS termination from the Registry to the
proxy itself.
> **Note**: It is not recommended to bind your registry to `localhost:5000` without
> authentication. This creates a potential loophole in your registry security.
> As a result, anyone who can log on to the server where your registry is running
> can push images without authentication.
Furthermore, introducing an extra http layer in your communication pipeline
makes it more complex to deploy, maintain, and debug. Make sure the extra
complexity is required.
For instance, Amazon's Elastic Load Balancer (ELB) in HTTPS mode already sets
the following client header:
```none
X-Real-IP
X-Forwarded-For
X-Forwarded-Proto
```
So if you have an Nginx instance sitting behind it, remove these lines from the
example config below:
```none
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```
Otherwise Nginx resets the ELB's values, and the requests are not routed
properly. For more information, see
[#970](https://github.com/distribution/distribution/issues/970).
## Setting things up
Review the [requirements](../#requirements), then follow these steps.
1. Create the required directories
```console
$ mkdir -p auth data
```
2. Create the main nginx configuration. Paste this code block into a new file called `auth/nginx.conf`:
```conf
events {
worker_connections 1024;
}
http {
upstream docker-registry {
server registry:5000;
}
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header is unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
server {
listen 443 ssl;
server_name myregistrydomain.com;
# SSL
ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting.
auth_basic "Registry realm";
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
## If $docker_distribution_api_version is empty, the header is not added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
}
```
3. Create a password file `auth/nginx.htpasswd` for "testuser" and "testpassword".
```console
$ docker run --rm --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/nginx.htpasswd
```
> **Note**: If you do not want to use `bcrypt`, you can omit the `-B` parameter.
4. Copy your certificate files to the `auth/` directory.
```console
$ cp domain.crt auth
$ cp domain.key auth
```
5. Create the compose file. Paste the following YAML into a new file called `docker-compose.yml`.
```yaml
version: "3"
services:
nginx:
# Note : Only nginx:alpine supports bcrypt.
# If you don't need to use bcrypt, you can use a different tag.
# Ref. https://github.com/nginxinc/docker-nginx/issues/29
image: "nginx:alpine"
ports:
- 5043:443
depends_on:
- registry
volumes:
- ./auth:/etc/nginx/conf.d
- ./auth/nginx.conf:/etc/nginx/nginx.conf:ro
registry:
image: registry:2
volumes:
- ./data:/var/lib/registry
```
## Starting and stopping
Now, start your stack:
```consonle
$ docker-compose up -d
```
Login with a "push" authorized user (using `testuser` and `testpassword`), then
tag and push your first image:
```console
$ docker login -u=testuser -p=testpassword -e=root@example.ch myregistrydomain.com:5043
$ docker tag ubuntu myregistrydomain.com:5043/test
$ docker push myregistrydomain.com:5043/test
$ docker pull myregistrydomain.com:5043/test
```
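Review bot: The `ssl_protocols TLSv1.1 TLSv1.2;` line in the `auth/nginx.conf` example still enables TLS 1.1, which is deprecated (RFC 8996), and leaves out TLS 1.3. Readers will paste this block verbatim into a proxy that terminates TLS and carries basic-auth credentials, so I would change it to `ssl_protocols TLSv1.2 TLSv1.3;`. In the same file, the login example passes the password as `-p=testpassword`, which leaves it in shell history and the process list; `docker login -u testuser --password-stdin myregistrydomain.com:5043` avoids that, and the `-e` flag has been removed from current Docker clients. The fence tag `consonle` before `docker-compose up -d` is a typo for `console`.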


@ -26,49 +26,65 @@ If you know, safely skip to the next section.
If you don't, the TLDR is: If you don't, the TLDR is:
bash < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/master/binscripts/gvm-installer) ```console
source ~/.gvm/scripts/gvm $ bash < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/master/binscripts/gvm-installer)
gvm install go1.4.2 $ source ~/.gvm/scripts/gvm
gvm use go1.4.2 $ gvm install go1.4.2
$ gvm use go1.4.2
```
If you want to understand, you should read [How to Write Go Code](https://golang.org/doc/code.html). If you want to understand, you should read [How to Write Go Code](https://golang.org/doc/code.html).
## Checkout the source tree ## Checkout the source tree
mkdir -p $GOPATH/src/github.com/distribution ```console
git clone https://github.com/distribution/distribution.git $GOPATH/src/github.com/distribution/distribution $ mkdir -p $GOPATH/src/github.com/distribution
cd $GOPATH/src/github.com/distribution/distribution $ git clone https://github.com/distribution/distribution.git $GOPATH/src/github.com/distribution/distribution
$ cd $GOPATH/src/github.com/distribution/distribution
```
## Build the binary ## Build the binary
GOPATH=$(PWD)/Godeps/_workspace:$GOPATH make binaries ```console
sudo mkdir -p /usr/local/libexec $ GOPATH=$(PWD)/Godeps/_workspace:$GOPATH make binaries
sudo cp bin/registry /usr/local/libexec/registry $ sudo mkdir -p /usr/local/libexec
$ sudo cp bin/registry /usr/local/libexec/registry
```
## Setup ## Setup
Copy the registry configuration file in place: Copy the registry configuration file in place:
mkdir /Users/Shared/Registry ```console
cp docs/osx/config.yml /Users/Shared/Registry/config.yml $ mkdir /Users/Shared/Registry
$ cp docs/osx/config.yml /Users/Shared/Registry/config.yml
```
## Run the registry under launchd ## Run the registry under launchd
Copy the registry plist into place: Copy the registry plist into place:
plutil -lint docs/recipes/osx/com.docker.registry.plist ```console
cp docs/recipes/osx/com.docker.registry.plist ~/Library/LaunchAgents/ $ plutil -lint docs/recipes/osx/com.docker.registry.plist
chmod 644 ~/Library/LaunchAgents/com.docker.registry.plist $ cp docs/recipes/osx/com.docker.registry.plist ~/Library/LaunchAgents/
$ chmod 644 ~/Library/LaunchAgents/com.docker.registry.plist
```
Start the registry: Start the registry:
launchctl load ~/Library/LaunchAgents/com.docker.registry.plist ```console
$ launchctl load ~/Library/LaunchAgents/com.docker.registry.plist
```
### Restart the registry service ### Restart the registry service
launchctl stop com.docker.registry ```console
launchctl start com.docker.registry $ launchctl stop com.docker.registry
$ launchctl start com.docker.registry
```
### Unload the registry service ### Unload the registry service
launchctl unload ~/Library/LaunchAgents/com.docker.registry.plist ```console
$ launchctl unload ~/Library/LaunchAgents/com.docker.registry.plist
```


@ -7,8 +7,9 @@ title: Start registry via systemd
## Use-case ## Use-case
Using systemd to manage containers can make service discovery and maintenance easier Using systemd to manage containers can make service discovery and maintenance easier
by managining all services in the same way. Additionally, when using Podman, systemd by managing all services in the same way. Additionally, when using Podman, systemd
can start the registry with socket-activation, providing additional security options: can start the registry with socket-activation, providing additional security options:
* Run as non-root and expose on a low-numbered socket (< 1024) * Run as non-root and expose on a low-numbered socket (< 1024)
* Run with `--network=none` * Run with `--network=none`
@ -18,9 +19,10 @@ When deploying the registry via Docker, a simple service file can be used to man
the registry: the registry:
registry.service registry.service
```
```ini
[Unit] [Unit]
Description=Docker registry Description=Distribution registry
After=docker.service After=docker.service
Requires=docker.service Requires=docker.service
@ -40,7 +42,7 @@ WantedBy=multi-user.target
In this case, the registry will store images in the named-volume `registry`. In this case, the registry will store images in the named-volume `registry`.
Note that the container is destroyed on restart instead of using `--rm` or Note that the container is destroyed on restart instead of using `--rm` or
destroy on stop. This is done to make accessing `docker logs ...` easier in destroy on stop. This is done to make accessing `docker logs ...` easier in
the case of issues. the case of issues.
### Podman ### Podman
@ -50,7 +52,7 @@ socket-activation of containers.
#### Create service file #### Create service file
``` ```sh
podman create --name registry --network=none -v registry:/var/lib/registry registry:2 podman create --name registry --network=none -v registry:/var/lib/registry registry:2
podman generate systemd --name --new registry > registry.service podman generate systemd --name --new registry > registry.service
``` ```
@ -58,9 +60,10 @@ podman generate systemd --name --new registry > registry.service
#### Create socket file #### Create socket file
registry.socket registry.socket
```
```ini
[Unit] [Unit]
Description=container registry Description=Distribution registry
[Socket] [Socket]
ListenStream=5000 ListenStream=5000
@ -71,7 +74,7 @@ WantedBy=sockets.target
### Installation ### Installation
Installation can be either rootful or rootless. For Docker, rootless configurations Installation can be either rootful or rootless. For Docker, rootless configurations
often include additional setup steps that are beyond the scope of this recipe, whereas often include additional setup steps that are beyond the scope of this recipe, whereas
for Podman, rootless containers generally work out of the box. for Podman, rootless containers generally work out of the box.


@ -0,0 +1,12 @@
---
title: "Reference Overview"
description: "Explains registry JSON objects"
keywords: registry, service, images, repository, json
---
# Docker Registry Reference
* [HTTP API V2](api)
* [Storage Driver](/storage-drivers/)
* [Token Authentication Specification](auth/token)
* [Token Authentication Implementation](auth/jwt)


@ -2,7 +2,7 @@
title: "HTTP API V2" title: "HTTP API V2"
description: "Specification for the Registry API." description: "Specification for the Registry API."
keywords: registry, on-prem, images, tags, repository, distribution, api, advanced keywords: registry, on-prem, images, tags, repository, distribution, api, advanced
redirect_from: aliases:
- /reference/api/registry_api/ - /reference/api/registry_api/
--- ---


@ -0,0 +1,12 @@
---
title: "Distribution Registry Token Authentication"
description: "Distribution Registry v2 authentication schema"
keywords: registry, on-prem, images, tags, repository, distribution, authentication, advanced
---
# Distribution Registry v2 authentication
See the [Token Authentication Specification](token),
[Token Authentication Implementation](jwt),
[Token Scope Documentation](scope),
[OAuth2 Token Authentication](oauth) for more information.


@ -1,10 +1,10 @@
--- ---
title: "Token Authentication Implementation" title: "Token Authentication Implementation"
description: "Describe the reference implementation of the Docker Registry v2 authentication schema" description: "Describe the reference implementation of the Distribution Registry v2 authentication schema"
keywords: registry, on-prem, images, tags, repository, distribution, JWT authentication, advanced keywords: registry, on-prem, images, tags, repository, distribution, JWT authentication, advanced
--- ---
# Docker Registry v2 Bearer token specification # Distribution Registry v2 Bearer token specification
This specification covers the `distribution/distribution` implementation of the This specification covers the `distribution/distribution` implementation of the
v2 Registry's authentication schema. Specifically, it describes the JSON v2 Registry's authentication schema. Specifically, it describes the JSON


@ -1,10 +1,10 @@
--- ---
title: "Oauth2 Token Authentication" title: "Oauth2 Token Authentication"
description: "Specifies the Docker Registry v2 authentication" description: "Specifies the Distribution Registry v2 authentication"
keywords: registry, on-prem, images, tags, repository, distribution, oauth2, advanced keywords: registry, on-prem, images, tags, repository, distribution, oauth2, advanced
--- ---
# Docker Registry v2 authentication using OAuth2 # Distribution Registry v2 authentication using OAuth2
This document describes support for the OAuth2 protocol within the authorization This document describes support for the OAuth2 protocol within the authorization
server. [RFC6749](https://tools.ietf.org/html/rfc6749) should be used as a server. [RFC6749](https://tools.ietf.org/html/rfc6749) should be used as a
@ -12,7 +12,7 @@ reference for the protocol and HTTP endpoints described here.
**Note**: Not all token servers implement oauth2. If the request to the endpoint **Note**: Not all token servers implement oauth2. If the request to the endpoint
returns `404` using the HTTP `POST` method, refer to returns `404` using the HTTP `POST` method, refer to
[Token Documentation](token.md) for using the HTTP `GET` method supported by all [Token Documentation](../token) for using the HTTP `GET` method supported by all
token servers. token servers.
## Refresh token format ## Refresh token format
@ -161,7 +161,7 @@ Content-Type: application/x-www-form-urlencoded
#### Example getting refresh token #### Example getting refresh token
``` ```none
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: auth.docker.io Host: auth.docker.io
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
@ -176,7 +176,7 @@ Content-Type: application/json
#### Example refreshing an Access Token #### Example refreshing an Access Token
``` ```none
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: auth.docker.io Host: auth.docker.io
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded


@ -4,7 +4,7 @@ description: "Describes the scope and access fields used for registry authorizat
keywords: registry, on-prem, images, tags, repository, distribution, advanced, access, scope keywords: registry, on-prem, images, tags, repository, distribution, advanced, access, scope
--- ---
# Docker Registry Token Scope and Access # Distribution Registry Token Scope and Access
Tokens used by the registry are always restricted what resources they may Tokens used by the registry are always restricted what resources they may
be used to access, where those resources may be accessed, and what actions be used to access, where those resources may be accessed, and what actions
@ -41,10 +41,11 @@ is authorized for a specific resource.
#### Resource Class #### Resource Class
> [!WARNING] {{< hint type=warning >}}
> Resource Class is deprecated and ignored. Resource Class is deprecated and ignored.
> `repository` and `repository(plugin)` are considered equal when authorizing a token. `repository` and `repository(plugin)` are considered equal when authorizing a token.
> Authorization services should no longer return scopes with a resource class. Authorization services should no longer return scopes with a resource class.
{{< /hint >}}
The resource type might have a resource class which further classifies the The resource type might have a resource class which further classifies the
the resource name within the resource type. A class is not required and the resource name within the resource type. A class is not required and
@ -108,11 +109,13 @@ Full reference grammar is defined
[here](https://pkg.go.dev/github.com/distribution/distribution/reference). Currently [here](https://pkg.go.dev/github.com/distribution/distribution/reference). Currently
the scope name grammar is a subset of the reference grammar. the scope name grammar is a subset of the reference grammar.
> **NOTE:** that the `resourcename` may contain one `:` due to a possible port {{< hint type=note >}}
> number in the hostname component of the `resourcename`, so a naive Note that the `resourcename` may contain one `:` due to a possible port
> implementation that interprets the first three `:`-delimited tokens of a number in the hostname component of the `resourcename`, so a naive
> `scope` to be the `resourcetype`, `resourcename`, and a list of `action` implementation that interprets the first three `:`-delimited tokens of a
> would be insufficient. `scope` to be the `resourcetype`, `resourcename`, and a list of `action`
would be insufficient.
{{< /hint >}}
## Resource Provider Use ## Resource Provider Use
@ -141,7 +144,7 @@ Each JWT access token may only have a single subject and audience but multiple
resource scopes. The subject and audience are put into standard JWT fields resource scopes. The subject and audience are put into standard JWT fields
`sub` and `aud`. The resource scope is put into the `access` field. The `sub` and `aud`. The resource scope is put into the `access` field. The
structure of the access field can be seen in the structure of the access field can be seen in the
[jwt documentation](jwt.md). [jwt documentation](../jwt).
## Refresh Tokens ## Refresh Tokens


@ -1,14 +1,14 @@
--- ---
title: "Token Authentication Specification" title: "Token Authentication Specification"
description: "Specifies the Docker Registry v2 authentication" description: "Specifies the Distribution Registry v2 authentication"
keywords: registry, on-prem, images, tags, repository, distribution, Bearer authentication, advanced keywords: registry, on-prem, images, tags, repository, distribution, Bearer authentication, advanced
--- ---
# Docker Registry v2 authentication via central service # Distribution Registry v2 authentication via central service
This document outlines the v2 Docker registry authentication scheme: This document outlines the v2 Distribution registry authentication scheme:
![v2 registry auth](../images/v2-registry-auth.png) ![v2 registry auth](/images/v2-registry-auth.png)
1. Attempt to begin a push/pull operation with the registry. 1. Attempt to begin a push/pull operation with the registry.
2. If the registry requires authorization it will return a `401 Unauthorized` 2. If the registry requires authorization it will return a `401 Unauthorized`
@ -27,9 +27,9 @@ This document outlines the v2 Docker registry authentication scheme:
- Registry clients which can understand and respond to token auth challenges - Registry clients which can understand and respond to token auth challenges
returned by the resource server. returned by the resource server.
- An authorization server capable of managing access controls to their - An authorization server capable of managing access controls to their
resources hosted by any given service (such as repositories in a Docker resources hosted by any given service (such as repositories in a Distribution
Registry). Registry).
- A Docker Registry capable of trusting the authorization server to sign tokens - A Distribution Registry capable of trusting the authorization server to sign tokens
which clients can use for authorization and the ability to verify these which clients can use for authorization and the ability to verify these
tokens for single use or for use during a sufficiently short period of time. tokens for single use or for use during a sufficiently short period of time.
@ -39,11 +39,8 @@ The described server is meant to serve as a standalone access control manager
for resources hosted by other services which wish to authenticate and manage for resources hosted by other services which wish to authenticate and manage
authorizations using a separate access control manager. authorizations using a separate access control manager.
A service like this is used by the official Docker Registry to authenticate A service like this is used by public and private registries to authenticate
clients and verify their authorization to Docker image repositories. clients and verify their authorization to image repositories.
As of Docker 1.6, the registry client within the Docker Engine has been updated
to handle such an authorization workflow.
## How to authenticate ## How to authenticate
@ -191,7 +188,7 @@ https://auth.docker.io/token?service=registry.docker.io&scope=repository:samalba
The token server should first attempt to authenticate the client using any The token server should first attempt to authenticate the client using any
authentication credentials provided with the request. From Docker 1.11 the authentication credentials provided with the request. From Docker 1.11 the
Docker engine supports both Basic Authentication and [OAuth2](oauth.md) for Docker engine supports both Basic Authentication and [OAuth2](../oauth) for
getting tokens. Docker 1.10 and before, the registry client in the Docker Engine getting tokens. Docker 1.10 and before, the registry client in the Docker Engine
only supports Basic Authentication. If an attempt to authenticate to the token only supports Basic Authentication. If an attempt to authenticate to the token
server fails, the token server should return a `401 Unauthorized` response server fails, the token server should return a `401 Unauthorized` response


@ -1,10 +1,9 @@
--- ---
title: Update deprecated schema image manifest version 2, v1 images title: Image manifest version 2, schema 1
description: Update deprecated schema v1 iamges description: Update deprecated schema v1 images
keywords: registry, on-prem, images, tags, repository, distribution, api, advanced, manifest keywords: registry, on-prem, images, tags, repository, distribution, api, advanced, manifest
--- ---
## Image manifest version 2, schema 1
With the release of image manifest version 2, schema 2, image manifest version With the release of image manifest version 2, schema 2, image manifest version
2, schema 1 has been deprecated. This could lead to compatibility and 2, schema 1 has been deprecated. This could lead to compatibility and
vulnerability issues in images that haven't been updated to image manifest vulnerability issues in images that haven't been updated to image manifest
@ -17,7 +16,7 @@ associated with the deprecated image manifest that will block your image from
running successfully. A list of possible methods to help update your image is running successfully. A list of possible methods to help update your image is
also included below. also included below.
### Update to image manifest version 2, schema 2 ## Update to image manifest version 2, schema 2
One way to upgrade an image from image manifest version 2, schema 1 to One way to upgrade an image from image manifest version 2, schema 1 to
schema 2 is to `docker pull` the image and then `docker push` the image with a schema 2 is to `docker pull` the image and then `docker push` the image with a
@ -29,8 +28,7 @@ manifest format, but does not update the contents within the image. Images
using manifest version 2, schema 1 may contain unpatched vulnerabilities. We using manifest version 2, schema 1 may contain unpatched vulnerabilities. We
recommend looking for an alternative image or rebuilding it. recommend looking for an alternative image or rebuilding it.
## Update FROM statement
### Update FROM statement
You can rebuild the image by updating the `FROM` statement in your You can rebuild the image by updating the `FROM` statement in your
`Dockerfile`. If your image manifest is out-of-date, there is a chance the `Dockerfile`. If your image manifest is out-of-date, there is a chance the


@ -1,14 +1,14 @@
--- ---
published: false draft: true
--- ---
# Distribution API Implementations # Distribution API Implementations
This is a list of known implementations of the Distribution API spec. This is a list of known implementations of the Distribution API spec.
## [Docker Distribution Registry](https://github.com/distribution/distribution) ## [CNCF Distribution Registry](https://github.com/distribution/distribution)
Docker distribution is the reference implementation of the distribution API CNCF distribution is the reference implementation of the distribution API
specification. It aims to fully implement the entire specification. specification. It aims to fully implement the entire specification.
### Releases ### Releases


@ -1,15 +1,15 @@
--- ---
published: false draft: true
title: "Docker Distribution JSON Canonicalization" title: "CNCF Distribution JSON Canonicalization"
description: "Explains registry JSON objects" description: "Explains registry JSON objects"
keywords: ["registry, service, images, repository, json"] keywords: ["registry, service, images, repository, json"]
--- ---
# Docker Distribution JSON Canonicalization # CNCF Distribution JSON Canonicalization
To provide consistent content hashing of JSON objects throughout Docker To provide consistent content hashing of JSON objects throughout CNCF
Distribution APIs, the specification defines a canonical JSON format. Adopting Distribution APIs, the specification defines a canonical JSON format. Adopting
such a canonicalization also aids in caching JSON responses. such a canonicalization also aids in caching JSON responses.


@ -1,5 +1,5 @@
--- ---
title: "Image Manifest V 2, Schema 2 " title: "Image Manifest V 2, Schema 2"
description: "image manifest for the Registry." description: "image manifest for the Registry."
keywords: registry, on-prem, images, tags, repository, distribution, api, advanced, manifest keywords: registry, on-prem, images, tags, repository, distribution, api, advanced, manifest
--- ---
@ -10,7 +10,7 @@ This document outlines the format of the V2 image manifest, schema version 2.
The original (and provisional) image manifest for V2 (schema 1), was introduced The original (and provisional) image manifest for V2 (schema 1), was introduced
in the Docker daemon in the [v1.3.0 in the Docker daemon in the [v1.3.0
release](https://github.com/docker/docker/commit/9f482a66ab37ec396ac61ed0c00d59122ac07453) release](https://github.com/docker/docker/commit/9f482a66ab37ec396ac61ed0c00d59122ac07453)
and is specified in the [schema 1 manifest definition](manifest-v2-1.md) and is now deprecated.
This second schema version has two primary goals. The first is to allow This second schema version has two primary goals. The first is to allow
multi-architecture images, through a "fat manifest" which references image multi-architecture images, through a "fat manifest" which references image
@ -71,7 +71,7 @@ image manifest based on the Content-Type returned in the HTTP response.
- **`digest`** *string* - **`digest`** *string*
The digest of the content, as defined by the The digest of the content, as defined by the
[Registry V2 HTTP API Specificiation](api.md#digest-parameter). [Registry V2 HTTP API Specificiation](../api#digest-parameter).
- **`platform`** *object* - **`platform`** *object*
@ -113,7 +113,8 @@ image manifest based on the Content-Type returned in the HTTP response.
## Example Manifest List ## Example Manifest List
*Example showing a simple manifest list pointing to image manifests for two platforms:* Example showing a simple manifest list pointing to image manifests for two platforms:
```json ```json
{ {
"schemaVersion": 2, "schemaVersion": 2,
@ -186,7 +187,7 @@ image. It's the direct replacement for the schema-1 manifest.
- **`digest`** *string* - **`digest`** *string*
The digest of the content, as defined by the The digest of the content, as defined by the
[Registry V2 HTTP API Specificiation](api.md#digest-parameter). [Registry V2 HTTP API Specificiation](../api#digest-parameter).
- **`layers`** *array* - **`layers`** *array*
@ -212,7 +213,7 @@ image. It's the direct replacement for the schema-1 manifest.
- **`digest`** *string* - **`digest`** *string*
The digest of the content, as defined by the The digest of the content, as defined by the
[Registry V2 HTTP API Specificiation](api.md#digest-parameter). [Registry V2 HTTP API Specificiation](../api#digest-parameter).
- **`urls`** *array* - **`urls`** *array*
@ -222,7 +223,8 @@ image. It's the direct replacement for the schema-1 manifest.
## Example Image Manifest ## Example Image Manifest
*Example showing an image manifest:* Example showing an image manifest:
```json ```json
{ {
"schemaVersion": 2, "schemaVersion": 2,


@ -1,8 +1,6 @@
--- ---
description: Explains how to use storage drivers description: Explains how to use storage drivers
keywords: registry, on-prem, images, tags, repository, distribution, storage drivers, advanced keywords: registry, on-prem, images, tags, repository, distribution, storage drivers, advanced
redirect_from:
- /registry/storagedrivers/
title: Registry storage driver title: Registry storage driver
--- ---
@ -12,11 +10,11 @@ This document describes the registry storage driver model, implementation, and e
This storage driver package comes bundled with several drivers: This storage driver package comes bundled with several drivers:
- [inmemory](inmemory.md): A temporary storage driver using a local inmemory map. This exists solely for reference and testing. - [inmemory](inmemory): A temporary storage driver using a local inmemory map. This exists solely for reference and testing.
- [filesystem](filesystem.md): A local storage driver configured to use a directory tree in the local filesystem. - [filesystem](filesystem): A local storage driver configured to use a directory tree in the local filesystem.
- [s3](s3.md): A driver storing objects in an Amazon Simple Storage Service (S3) bucket. - [s3](s3): A driver storing objects in an Amazon Simple Storage Service (S3) bucket.
- [azure](azure.md): A driver storing objects in [Microsoft Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/). - [azure](azure): A driver storing objects in [Microsoft Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/).
- [gcs](gcs.md): A driver storing objects in a [Google Cloud Storage](https://cloud.google.com/storage/) bucket. - [gcs](gcs): A driver storing objects in a [Google Cloud Storage](https://cloud.google.com/storage/) bucket.
- oss: *NO LONGER SUPPORTED* - oss: *NO LONGER SUPPORTED*
- swift: *NO LONGER SUPPORTED* - swift: *NO LONGER SUPPORTED*
@ -41,16 +39,17 @@ with a driver name and parameters map. If no such storage driver can be found,
## Driver contribution ## Driver contribution
New storage drivers are not currently being accepted. New storage drivers are not currently being accepted.
See https://github.com/distribution/distribution/issues/3988 for discussion. See <https://github.com/distribution/distribution/issues/3988> for discussion.
There are forks of this repo that implement custom storage drivers. There are forks of this repo that implement custom storage drivers.
These are not supported by the OCI distribution project. These are not supported by the OCI distribution project.
The known forks are: The known forks are:
- Storj DCS: https://github.com/storj/docker-registry
- HuaweiCloud OBS: https://github.com/setoru/distribution/tree/obs - Storj DCS: <https://github.com/storj/docker-registry>
- us3: https://github.com/lambertxiao/distribution/tree/main - HuaweiCloud OBS: <https://github.com/setoru/distribution/tree/obs>
- Baidu BOS: https://github.com/dolfly/distribution/tree/bos - us3: <https://github.com/lambertxiao/distribution/tree/main>
- HDFS: https://github.com/haosdent/distribution/tree/master - Baidu BOS: <https://github.com/dolfly/distribution/tree/bos>
- HDFS: <https://github.com/haosdent/distribution/tree/master>
### Writing new storage drivers ### Writing new storage drivers


@ -15,5 +15,6 @@ An implementation of the `storagedriver.StorageDriver` interface which uses Goog
| `rootdirectory` | no | The root directory tree in which all registry files are stored. Defaults to the empty string (bucket root). If a prefix is used, the path `bucketname/<prefix>` has to be pre-created before starting the registry. The prefix is applied to all Google Cloud Storage keys to allow you to segment data in your bucket if necessary.| | `rootdirectory` | no | The root directory tree in which all registry files are stored. Defaults to the empty string (bucket root). If a prefix is used, the path `bucketname/<prefix>` has to be pre-created before starting the registry. The prefix is applied to all Google Cloud Storage keys to allow you to segment data in your bucket if necessary.|
| `chunksize` | no (default 5242880) | This is the chunk size used for uploading large blobs, must be a multiple of 256*1024. | | `chunksize` | no (default 5242880) | This is the chunk size used for uploading large blobs, must be a multiple of 256*1024. |
**Note:** Instead of a key file you can use [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials). {{< hint type=note >}}
Instead of a key file you can use [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials).
{{< /hint >}}


@ -7,9 +7,11 @@ title: In-memory storage driver (testing only)
For purely tests purposes, you can use the `inmemory` storage driver. This For purely tests purposes, you can use the `inmemory` storage driver. This
driver is an implementation of the `storagedriver.StorageDriver` interface which driver is an implementation of the `storagedriver.StorageDriver` interface which
uses local memory for object storage. If you would like to run a registry from uses local memory for object storage. If you would like to run a registry from
volatile memory, use the [`filesystem` driver](filesystem.md) on a ramdisk. volatile memory, use the [`filesystem` driver](../filesystem) on a ramdisk.
**IMPORTANT**: This storage driver *does not* persist data across runs. This is why it is only suitable for testing. *Never* use this driver in production. {{< hint type=important >}}
This storage driver *does not* persist data across runs. This is why it is only suitable for testing. *Never* use this driver in production.
{{< /hint >}}
## Parameters ## Parameters


@ -11,8 +11,8 @@ Amazon S3 or S3 compatible services for object storage.
| Parameter | Required | Description | | Parameter | Required | Description |
|:--------------|:---------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |:--------------|:---------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `accesskey` | no | Your AWS Access Key. If you use [IAM roles](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), omit to fetch temporary credentials from IAM. | | `accesskey` | no | Your AWS Access Key. If you use [IAM roles](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), omit to fetch temporary credentials from IAM. |
| `secretkey` | no | Your AWS Secret Key. If you use [IAM roles](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), omit to fetch temporary credentials from IAM. | | `secretkey` | no | Your AWS Secret Key. If you use [IAM roles](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), omit to fetch temporary credentials from IAM. |
| `region` | yes | The AWS region in which your bucket exists. | | `region` | yes | The AWS region in which your bucket exists. |
| `regionendpoint` | no | Endpoint for S3 compatible storage services (Minio, etc). | | `regionendpoint` | no | Endpoint for S3 compatible storage services (Minio, etc). |
| `forcepathstyle` | no | To enable path-style addressing when the value is set to `true`. The default is `true`. | | `forcepathstyle` | no | To enable path-style addressing when the value is set to `true`. The default is `true`. |
@ -30,10 +30,10 @@ Amazon S3 or S3 compatible services for object storage.
> **Note** You can provide empty strings for your access and secret keys to run the driver > **Note** You can provide empty strings for your access and secret keys to run the driver
> on an ec2 instance and handles authentication with the instance's credentials. If you > on an ec2 instance and handles authentication with the instance's credentials. If you
> use [IAM roles](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), > use [IAM roles](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html),
> omit these keys to fetch temporary credentials from IAM. > omit these keys to fetch temporary credentials from IAM.
`region`: The name of the aws region in which you would like to store objects (for example `us-east-1`). For a list of regions, see [Regions, Availability Zones, and Local Zones](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html). `region`: The name of the aws region in which you would like to store objects (for example `us-east-1`). For a list of regions, see [Regions, Availability Zones, and Local Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html).
`regionendpoint`: (optional) Endpoint URL for S3 compatible APIs. This should not be provided when using Amazon S3. `regionendpoint`: (optional) Endpoint URL for S3 compatible APIs. This should not be provided when using Amazon S3.
@ -55,7 +55,7 @@ Amazon S3 or S3 compatible services for object storage.
`storageclass`: (optional) The storage class applied to each registry file. Defaults to STANDARD. Valid options are STANDARD and REDUCED_REDUNDANCY. `storageclass`: (optional) The storage class applied to each registry file. Defaults to STANDARD. Valid options are STANDARD and REDUCED_REDUNDANCY.
`objectacl`: (optional) The canned object ACL to be applied to each registry object. Defaults to `private`. If you are using a bucket owned by another AWS account, it is recommended that you set this to `bucket-owner-full-control` so that the bucket owner can access your objects. Other valid options are available in the [AWS S3 documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl). `objectacl`: (optional) The canned object ACL to be applied to each registry object. Defaults to `private`. If you are using a bucket owned by another AWS account, it is recommended that you set this to `bucket-owner-full-control` so that the bucket owner can access your objects. Other valid options are available in the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl).
`loglevel`: (optional) Valid values are: `off` (default), `debug`, `debugwithsigning`, `debugwithhttpbody`, `debugwithrequestretries`, `debugwithrequesterrors` and `debugwitheventstreambody`. See the [AWS SDK for Go API reference](https://docs.aws.amazon.com/sdk-for-go/api/aws/#LogLevelType) for details. `loglevel`: (optional) Valid values are: `off` (default), `debug`, `debugwithsigning`, `debugwithhttpbody`, `debugwithrequestretries`, `debugwithrequesterrors` and `debugwitheventstreambody`. See the [AWS SDK for Go API reference](https://docs.aws.amazon.com/sdk-for-go/api/aws/#LogLevelType) for details.
@ -91,7 +91,7 @@ The following AWS policy is required by the registry for push and pull. Make sur
} }
``` ```
See [the S3 policy documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html) for more details. See [the S3 policy documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html) for more details.
# CloudFront as Middleware with S3 backend # CloudFront as Middleware with S3 backend
@ -112,7 +112,7 @@ to see whether you need CloudFront or S3 Transfer Acceleration.
If you are unfamiliar with creating a CloudFront distribution, see [Getting If you are unfamiliar with creating a CloudFront distribution, see [Getting
Started with Started with
Cloudfront](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html). Cloudfront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html).
Defaults can be kept in most areas except: Defaults can be kept in most areas except:
@ -162,4 +162,4 @@ middleware:
A CloudFront key-pair is required for all AWS accounts needing access to your A CloudFront key-pair is required for all AWS accounts needing access to your
CloudFront distribution. You must have access to your AWS account's root credentials to create the required Cloudfront keypair. For information, see [Creating CloudFront Key CloudFront distribution. You must have access to your AWS account's root credentials to create the required Cloudfront keypair. For information, see [Creating CloudFront Key
Pairs](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs). Pairs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs).


@ -0,0 +1,6 @@
---
header:
- name: GitHub
ref: https://github.com/distribution/distribution/
icon: gdoc_github
external: true


@ -1,20 +0,0 @@
---
description: describes deprecated functionality
keywords: registry, manifest, images, signatures, repository, distribution, digest
title: Docker Registry deprecation
---
This document details functionality or components which are deprecated within
the registry.
### v2.5.0
The signature store has been removed from the registry. Since `v2.4.0` it has
been possible to configure the registry to generate manifest signatures rather
than load them from storage. In this version of the registry this becomes
the default behavior. Signatures which are attached to manifests on put are
not stored in the registry. This does not alter the functional behavior of
the registry.
Old signatures blobs can be removed from the registry storage by running the
garbage-collect subcommand.

9
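--- a/docs/go.mod
+++ b/docs/go.mod
@@ -0,0 +1,9 @@
+module github.com/distribution/distribution/docs
+go 1.21.1
+require (
+github.com/google/docsy v0.7.1 // indirect
+github.com/imfing/hextra v0.5.0 // indirect
+github.com/thegeeklab/hugo-geekdoc v0.41.2 // indirect
+)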
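Review bot: The `require` block lists three theme modules (docsy, hextra and hugo-geekdoc), all marked `// indirect`, while the `docs/hugo.yaml` added in this commit selects only `theme: hugo-geekdoc` and a copy of that theme is committed under `docs/themes/hugo-geekdoc` with a `VERSION` of v0.41.2. If nothing imports docsy or hextra, they look like leftovers from trying other themes, and every unused entry is third-party code that dependency scanners and update bots still have to track; I would drop both lines and their `go.sum` entries. For the remaining entry, a comment such as `// theme is vendored under docs/themes/hugo-geekdoc; keep this version in step with its VERSION file` would tell maintainers which copy the build uses, assuming the vendored directory is the one Hugo resolves.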

9
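--- a/docs/go.sum
+++ b/docs/go.sum
@@ -0,0 +1,9 @@
+github.com/FortAwesome/Font-Awesome v0.0.0-20230327165841-0698449d50f2/go.mod h1:IUgezN/MFpCDIlFezw3L8j83oeiIuYoj28Miwr/KUYo=
+github.com/google/docsy v0.7.1 h1:DUriA7Nr3lJjNi9Ulev1SfiG1sUYmvyDeU4nTp7uDxY=
+github.com/google/docsy v0.7.1/go.mod h1:JCmE+c+izhE0Rvzv3y+AzHhz1KdwlA9Oj5YBMklJcfc=
+github.com/google/docsy/dependencies v0.7.1/go.mod h1:gihhs5gmgeO+wuoay4FwOzob+jYJVyQbNaQOh788lD4=
+github.com/imfing/hextra v0.5.0 h1:uVUmtqx7UivuA6oCVSKkaM/YGcLuIA9P8j8mmCDg4hU=
+github.com/imfing/hextra v0.5.0/go.mod h1:cEfel3lU/bSx7lTE/+uuR4GJaphyOyiwNR3PTqFTXpI=
+github.com/thegeeklab/hugo-geekdoc v0.41.2 h1:U6TvFfO3TVoCvirpLFXMO/sE5qHavZ18N22tUtiTwBo=
+github.com/thegeeklab/hugo-geekdoc v0.41.2/go.mod h1:XEAtAuJ3nRMshRupMW1xPZ7EVMleS87rmr+RklRamRY=
+github.com/twbs/bootstrap v5.2.3+incompatible/go.mod h1:fZTSrkpSf0/HkL0IIJzvVspTt1r9zuf7XlZau8kpcY0=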

19
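--- a/docs/hugo.yaml
+++ b/docs/hugo.yaml
@@ -0,0 +1,19 @@
+baseURL: /
+languageCode: en-us
+title: CNCF Distribution
+theme: hugo-geekdoc
+pluralizeListTitles: false
+enableRobotsTXT: true
+taxonomies: [tags]
+minify:
+disableHTML: true
+# Geekdoc required configuration
+pygmentsUseClasses: true
+pygmentsCodeFences: true
+disablePathToLower: true
+params:
+geekdocRepo: "https://github.com/distribution/distribution"
+geekdocEditPath: edit/main/docs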


@ -1,63 +0,0 @@
---
description: High-level overview of the Registry
keywords: registry, on-prem, images, tags, repository, distribution
redirect_from:
- /registry/overview/
title: Docker Registry
---
## What it is
The Registry is a stateless, highly scalable server side application that stores
and lets you distribute Docker images. The Registry is open-source, under the
permissive [Apache license](https://en.wikipedia.org/wiki/Apache_License).
## Why use it
You should use the Registry if you want to:
* tightly control where your images are being stored
* fully own your images distribution pipeline
* integrate image storage and distribution tightly into your in-house development workflow
## Alternatives
Users looking for a zero maintenance, ready-to-go solution are encouraged to
head-over to the [Docker Hub](https://hub.docker.com), which provides a
free-to-use, hosted Registry, plus additional features (organization accounts,
automated builds, and more).
## Requirements
The Registry is compatible with Docker engine **version 1.6.0 or higher**.
## Basic commands
Start your registry
docker run -d -p 5000:5000 --name registry registry:2
Pull (or build) some image from the hub
docker pull ubuntu
Tag the image so that it points to your registry
docker image tag ubuntu localhost:5000/myfirstimage
Push it
docker push localhost:5000/myfirstimage
Pull it back
docker pull localhost:5000/myfirstimage
Now stop your registry and remove all data
docker container stop registry && docker container rm -v registry
## Next
You should now read the [detailed introduction about the registry](introduction.md),
or jump directly to [deployment instructions](deploying.md).


@ -1,205 +0,0 @@
---
description: Restricting access to your registry using a nginx proxy
keywords: registry, on-prem, images, tags, repository, distribution, nginx, proxy, authentication, TLS, recipe, advanced
title: Authenticate proxy with nginx
redirect_from:
- /registry/nginx/
---
## Use-case
People already relying on a nginx proxy to authenticate their users to other
services might want to leverage it and have Registry communications tunneled
through the same pipeline.
Usually, that includes enterprise setups using LDAP/AD on the backend and a SSO
mechanism fronting their internal http portal.
### Alternatives
If you just want authentication for your registry, and are happy maintaining
users access separately, you should really consider sticking with the native
[basic auth registry feature](../deploying.md#native-basic-auth).
### Solution
With the method presented here, you implement basic authentication for docker
engines in a reverse proxy that sits in front of your registry.
While we use a simple htpasswd file as an example, any other nginx
authentication backend should be fairly easy to implement once you are done with
the example.
We also implement push restriction (to a limited user group) for the sake of the
example. Again, you should modify this to fit your mileage.
### Gotchas
While this model gives you the ability to use whatever authentication backend
you want through the secondary authentication mechanism implemented inside your
proxy, it also requires that you move TLS termination from the Registry to the
proxy itself.
> **Note**: It is not recommended to bind your registry to `localhost:5000` without
> authentication. This creates a potential loophole in your registry security.
> As a result, anyone who can log on to the server where your registry is running
> can push images without authentication.
Furthermore, introducing an extra http layer in your communication pipeline
makes it more complex to deploy, maintain, and debug. Make sure the extra
complexity is required.
For instance, Amazon's Elastic Load Balancer (ELB) in HTTPS mode already sets
the following client header:
```
X-Real-IP
X-Forwarded-For
X-Forwarded-Proto
```
So if you have an Nginx instance sitting behind it, remove these lines from the
example config below:
```none
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```
Otherwise Nginx resets the ELB's values, and the requests are not routed
properly. For more information, see
[#970](https://github.com/distribution/distribution/issues/970).
## Setting things up
Review the [requirements](index.md#requirements), then follow these steps.
1. Create the required directories
```console
$ mkdir -p auth data
```
2. Create the main nginx configuration. Paste this code block into a new file called `auth/nginx.conf`:
```conf
events {
worker_connections 1024;
}
http {
upstream docker-registry {
server registry:5000;
}
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header is unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
server {
listen 443 ssl;
server_name myregistrydomain.com;
# SSL
ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting.
auth_basic "Registry realm";
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
## If $docker_distribution_api_version is empty, the header is not added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
}
```
3. Create a password file `auth/nginx.htpasswd` for "testuser" and "testpassword".
```console
$ docker run --rm --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/nginx.htpasswd
```
> **Note**: If you do not want to use `bcrypt`, you can omit the `-B` parameter.
4. Copy your certificate files to the `auth/` directory.
```console
$ cp domain.crt auth
$ cp domain.key auth
```
5. Create the compose file. Paste the following YAML into a new file called `docker-compose.yml`.
```yaml
version: "3"
services:
nginx:
# Note : Only nginx:alpine supports bcrypt.
# If you don't need to use bcrypt, you can use a different tag.
# Ref. https://github.com/nginxinc/docker-nginx/issues/29
image: "nginx:alpine"
ports:
- 5043:443
depends_on:
- registry
volumes:
- ./auth:/etc/nginx/conf.d
- ./auth/nginx.conf:/etc/nginx/nginx.conf:ro
registry:
image: registry:2
volumes:
- ./data:/var/lib/registry
```
## Starting and stopping
Now, start your stack:
docker-compose up -d
Login with a "push" authorized user (using `testuser` and `testpassword`), then
tag and push your first image:
docker login -u=testuser -p=testpassword -e=root@example.ch myregistrydomain.com:5043
docker tag ubuntu myregistrydomain.com:5043/test
docker push myregistrydomain.com:5043/test
docker pull myregistrydomain.com:5043/test


@ -1,12 +0,0 @@
---
title: "Docker Registry Token Authentication"
description: "Docker Registry v2 authentication schema"
keywords: registry, on-prem, images, tags, repository, distribution, authentication, advanced
---
# Docker Registry v2 authentication
See the [Token Authentication Specification](token.md),
[Token Authentication Implementation](jwt.md),
[Token Scope Documentation](scope.md),
[OAuth2 Token Authentication](oauth.md) for more information.


@ -1,12 +0,0 @@
---
title: "Reference Overview"
description: "Explains registry JSON objects"
keywords: registry, service, images, repository, json
---
# Docker Registry Reference
* [HTTP API V2](api.md)
* [Storage Driver](https://docs.docker.com/registry/storage-drivers/)
* [Token Authentication Specification](auth/token.md)
* [Token Authentication Implementation](auth/jwt.md)


@ -1,7 +0,0 @@
---
title: "Reference"
description: "Explains registry JSON objects"
keywords: registry, service, images, repository, json
type: "menu"
identifier: "smn_registry_ref"
---

1
docs/static/brand.svg vendored Normal file

File diff suppressed because one or more lines are too long


50
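--- a/docs/static/custom.css
+++ b/docs/static/custom.css
@@ -0,0 +1,50 @@
+/* Global customization */
+:root {
+--code-max-height: 60rem;
+}
+/* Light mode theming */
+:root,
+:root[color-theme="light"] {
+--header-background: #203554;
+--header-font-color: #ffffff;
+--footer-background: #203554;
+--footer-font-color: #ffffff;
+--footer-link-color: rgb(110, 168, 212);
+--footer-link-color-visited: rgb(186, 142, 240);
+}
+@media (prefers-color-scheme: light) {
+:root {
+--header-background: #203554;
+--header-font-color: #ffffff;
+--footer-background: #203554;
+--footer-font-color: #ffffff;
+--footer-link-color: rgb(110, 168, 212);
+--footer-link-color-visited: rgb(186, 142, 240);
+}
+}
+/* Dark mode theming */
+:root[color-theme="dark"] {
+--header-background: #203554;
+--header-font-color: #ffffff;
+--footer-background: #203554;
+--footer-font-color: #ffffff;
+--footer-link-color: rgb(110, 168, 212);
+--footer-link-color-visited: rgb(186, 142, 240);
+}
+@media (prefers-color-scheme: dark) {
+:root {
+--header-background: #203554;
+--header-font-color: #ffffff;
+--footer-background: #203554;
+--footer-font-color: #ffffff;
+--footer-link-color: rgb(110, 168, 212);
+--footer-link-color-visited: rgb(186, 142, 240);
+}
+}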

BIN
docs/static/favicon/favicon-16x16.png vendored Normal file

Binary file not shown.


BIN
docs/static/favicon/favicon-32x32.png vendored Normal file

Binary file not shown.


BIN
docs/static/favicon/favicon.svg vendored Normal file

Binary file not shown.




@ -0,0 +1,3 @@
https://github.com/thegeeklab/.+/edit/main/.*
https://unsplash.com.*
https://www.color-hex.com.*

21
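--- a/docs/themes/hugo-geekdoc/LICENSE
+++ b/docs/themes/hugo-geekdoc/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+The above copyright notice and this permission notice (including the next
+paragraph) shall be included in all copies or substantial portions of the
+Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
+OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
+OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.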

46
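--- a/docs/themes/hugo-geekdoc/README.md
+++ b/docs/themes/hugo-geekdoc/README.md
@@ -0,0 +1,46 @@
+# Geekdoc
+[![Build Status](https://ci.thegeeklab.de/api/badges/thegeeklab/hugo-geekdoc/status.svg)](https://ci.thegeeklab.de/repos/thegeeklab/hugo-geekdoc)
+[![Hugo Version](https://img.shields.io/badge/hugo-0.112-blue.svg)](https://gohugo.io)
+[![GitHub release](https://img.shields.io/github/v/release/thegeeklab/hugo-geekdoc)](https://github.com/thegeeklab/hugo-geekdoc/releases/latest)
+[![GitHub contributors](https://img.shields.io/github/contributors/thegeeklab/hugo-geekdoc)](https://github.com/thegeeklab/hugo-geekdoc/graphs/contributors)
+[![License: MIT](https://img.shields.io/github/license/thegeeklab/hugo-geekdoc)](https://github.com/thegeeklab/hugo-geekdoc/blob/main/LICENSE)
+Geekdoc is a simple Hugo theme for documentations. It is intentionally designed as a fast and lean theme and may not fit the requirements of complex projects. If a more feature-complete theme is required there are a lot of good alternatives out there. You can find a demo and the full documentation at [https://geekdocs.de](https://geekdocs.de).
+![Desktop and mobile preview](https://raw.githubusercontent.com/thegeeklab/hugo-geekdoc/main/images/readme.png)
+## Build and release process
+This theme is subject to a CI driven build and release process common for software development. During the release build, all necessary assets are automatically built by [webpack](https://webpack.js.org/) and bundled in a release tarball. You can download the latest release from the GitHub [release page](https://github.com/thegeeklab/hugo-geekdoc/releases).
+Due to the fact that `webpack` and `npm scripts` are used as pre-processors, the theme cannot be used from the main branch by default. If you want to use the theme from a cloned branch instead of a release tarball you'll need to install `webpack` locally and run the build script once to create all required assets.
+```shell
+# install required packages from package.json
+npm install
+# run the build script to build required assets
+npm run build
+# build release tarball
+npm run pack
+```
+See the [Getting Started Guide](https://geekdocs.de/usage/getting-started/) for details about the different setup options.
+## Contributors
+Special thanks to all [contributors](https://github.com/thegeeklab/hugo-geekdoc/graphs/contributors). If you would like to contribute, please see the [instructions](https://github.com/thegeeklab/hugo-geekdoc/blob/main/CONTRIBUTING.md).
+Geekdoc is inspired and partially based on the [hugo-book](https://github.com/alex-shpak/hugo-book) theme, thanks [Alex Shpak](https://github.com/alex-shpak/) for your work.
+## License
+This project is licensed under the MIT License - see the [LICENSE](https://github.com/thegeeklab/hugo-geekdoc/blob/main/LICENSE) file for details.
+The used SVG icons and generated icon fonts are licensed under the license of the respective icon pack:
+- Font Awesome: [CC BY 4.0 License](https://github.com/FortAwesome/Font-Awesome#license)
+- IcoMoon Free Pack: [GPL/CC BY 4.0](https://icomoon.io/#icons-icomoon)
+- Material Icons: [Apache License 2.0](https://github.com/google/material-design-icons/blob/main/LICENSE)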

1
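--- a/docs/themes/hugo-geekdoc/VERSION
+++ b/docs/themes/hugo-geekdoc/VERSION
@@ -0,0 +1 @@
+v0.41.2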


@ -0,0 +1,7 @@
---
title: "{{ .Name | humanize | title }}"
weight: 1
# geekdocFlatSection: false
# geekdocToc: 6
# geekdocHidden: false
---


@ -0,0 +1,4 @@
---
title: "{{ replace .Name "-" " " | title }}"
date: {{ .Date }}
---


@ -0,0 +1,8 @@
{{- $searchDataFile := printf "search/%s.data.json" .Language.Lang -}}
{{- $searchData := resources.Get "search/data.json" | resources.ExecuteAsTemplate $searchDataFile . | resources.Minify -}}
{
"dataFile": {{ $searchData.RelPermalink | jsonify }},
"indexConfig": {{ .Site.Params.geekdocSearchConfig | jsonify }},
"showParent": {{ if .Site.Params.geekdocSearchShowParent }}true{{ else }}false{{ end }},
"showDescription": {{ if .Site.Params.geekdocSearchshowDescription }}true{{ else }}false{{ end }}
}


@ -0,0 +1,13 @@
[
{{ range $index, $page := (where .Site.Pages "Params.geekdocProtected" "ne" true) }}
{{ if ne $index 0 }},{{ end }}
{
"id": {{ $index }},
"href": "{{ $page.RelPermalink }}",
"title": {{ (partial "utils/title" $page) | jsonify }},
"parent": {{ with $page.Parent }}{{ (partial "utils/title" .) | jsonify }}{{ else }}""{{ end }},
"content": {{ $page.Plain | jsonify }},
"description": {{ $page.Summary | plainify | jsonify }}
}
{{ end }}
]

File diff suppressed because one or more lines are too long



@ -0,0 +1,158 @@
{
"main.js": {
"src": "js/main-924a1933.bundle.min.js",
"integrity": "sha512-0QF6awwW0WbBo491yytmULiHrc9gx94bloJ9MSXIvdJh3YHWw7CWyeX2YXu0rzOQefJp4jW/I6ZjUDYpNVFhdA=="
},
"colortheme.js": {
"src": "js/colortheme-d3e4d351.bundle.min.js",
"integrity": "sha512-HpQogL/VeKqG/v1qYOfJOgFUzBnQvW4yO4tAJO+54IiwbLbB9feROdeaYf7dpO6o5tSHsSZhaYLhtLMRlEgpJQ=="
},
"mermaid.js": {
"src": "js/mermaid-19cc0b12.bundle.min.js",
"integrity": "sha512-EP8Ggw4/AoLCR9N2U4AOherShR6hKWYpKaC0Q/LwKR5wjH8x5Z0v0VL0S5x67X3AWUvR2aMO0IOc0Bo1xu4qmQ=="
},
"katex.js": {
"src": "js/katex-373b7f53.bundle.min.js",
"integrity": "sha512-k7PGb4UsYurOXnDJtwuPOhS6OgcI7PVrCZZT3h79JVH8KEcNzzsmzoAWMOaTeIFP79JnpYtZhaBBwEMNk4MlFw=="
},
"search.js": {
"src": "js/search-9719be99.bundle.min.js",
"integrity": "sha512-/7NZxFUEbalC/8RKDgfAsHFDI42/Ydp33uJmCLckZgnO+kuz9LrTfmPFfVJxPJ31StMxa3MTQ5Jq049CmNK4pw=="
},
"js/637-687440a7.chunk.min.js": {
"src": "js/637-687440a7.chunk.min.js",
"integrity": "sha512-fWyOGUUaxBiYIZoJ2R1FPhLRt/cC9prL1bsVuETWBjT1QpS6ebmmzMaYnKBPOpw56VqdlErWJuWe2GGxYJq3gA=="
},
"js/116-831698f6.chunk.min.js": {
"src": "js/116-831698f6.chunk.min.js",
"integrity": "sha512-ecC9DggU9rDmnERLt6l5lXnDir+fYAXDhA8r+o+LCML/C64QPvq3Uea+oNwN00hXbXa1f5c/tjICeJZyXu9Dqg=="
},
"js/425-a8288851.chunk.min.js": {
"src": "js/425-a8288851.chunk.min.js",
"integrity": "sha512-JcFSthlEXIsUdEtbQlAQp71m1GMurzdmPZN+J2/PTyMGgv/QBN8OX8TZQVouAPMY3rMirjB9gxhyNyxCZ0/IUQ=="
},
"js/869-1a62f06a.chunk.min.js": {
"src": "js/869-1a62f06a.chunk.min.js",
"integrity": "sha512-9GtubjugiKpB6oP+I13znOYnCGzMWkywSjO7PC/cTZ8BfK4amSwC6i+vCKVCnTrhpoUtFtzybF0d+dDsOqpO/g=="
},
"js/626-ec18a767.chunk.min.js": {
"src": "js/626-ec18a767.chunk.min.js",
"integrity": "sha512-plFEM+MV7s8fGxmB4fXdkDYK2URbdL7D0r0eKSsdBW+Z3PvfQOaW7OuoA5oUpGBZyd2wN1zpxTwqHC3WPbluLA=="
},
"js/305-02bced6e.chunk.min.js": {
"src": "js/305-02bced6e.chunk.min.js",
"integrity": "sha512-omqkH+cRXCbA6ax452pYFTBvqT895kBCycglJaYQxoB646IPcz2IHiIIWhWsEU7eVy4cy7eA+dQ4tgWG+JbGOQ=="
},
"js/86-841830e3.chunk.min.js": {
"src": "js/86-841830e3.chunk.min.js",
"integrity": "sha512-j4o/ljne580vctbO1z6GWwVFvaC3m6VpLTnyWIvE9Dd3PURujWHnWReNLclxcnlt5PK9Ohv4W8q3aEOKfUdJkw=="
},
"js/554-980b1ae9.chunk.min.js": {
"src": "js/554-980b1ae9.chunk.min.js",
"integrity": "sha512-9oVYpFOErj3ttWPhB/FvJwhijnezxV2mOKoTAT5+S1QQVAsSACgxnxG1VtjvyuSyCn0HD7l1dS054fP0yxQ9Dg=="
},
"js/693-2124948a.chunk.min.js": {
"src": "js/693-2124948a.chunk.min.js",
"integrity": "sha512-Ko3GXiQtfF28e9Omm4ypj+p+ykT5Uc1s8PxodgWV+N9h68t+QnTLJ3PghxWW3YqCrTyMkqpg+U3hkyFxotqnBA=="
},
"js/875-0cc44212.chunk.min.js": {
"src": "js/875-0cc44212.chunk.min.js",
"integrity": "sha512-600TvjSLQ2arsupduQSwNsOZIdp2xUnLsqUL0n9gVxdkvdFCYANyjORkO/a0knUzzNGv3oZqE9dqtEJSY7hLJw=="
},
"js/69-06c8b62f.chunk.min.js": {
"src": "js/69-06c8b62f.chunk.min.js",
"integrity": "sha512-UDuWdgHzd+HSXjzw8xnjYxxZOw2zJXWrL1Zo7oadh7n6TpxFAGDunn6EDYf2KFmcjVcC4QlqJrdWtoJVcUwr/w=="
},
"js/841-54550e4a.chunk.min.js": {
"src": "js/841-54550e4a.chunk.min.js",
"integrity": "sha512-aI+ntywFR8QzYpRGYsSGxqanSDnuXDuLAJA1Gbt5gFajjUxIBJV8qjgTLA7FIwp2icE4bqGGqxiNVA1iHTOSIA=="
},
"js/770-c8f14079.chunk.min.js": {
"src": "js/770-c8f14079.chunk.min.js",
"integrity": "sha512-DIFMhxj0xWxZzYBrVJbKhdM9pgk6sldGU7ZwItTZOHRRUnZ6t9szP06NTyj+u8yGZsdYNs2pZ8BE11z73IE70w=="
},
"js/411-d351386b.chunk.min.js": {
"src": "js/411-d351386b.chunk.min.js",
"integrity": "sha512-9o8/PabGB1IvJ1gotEkTK1PVxl0Dlx2fgWnOlZW1e9PEKDJJA678o3YMjmxurllubPC0i4XOkvvAvY1UUc5V4A=="
},
"js/31-228682ad.chunk.min.js": {
"src": "js/31-228682ad.chunk.min.js",
"integrity": "sha512-ipfn94AWwvQA5I4ybx5fe+VJSKT27ltpG0srqabFrj0IYIZ3RCFctWNqllDGhCIuVMgbiNHCjinxdA8NpaiPPw=="
},
"js/206-99fce408.chunk.min.js": {
"src": "js/206-99fce408.chunk.min.js",
"integrity": "sha512-sVuoOJUKhvA96dAxr0ZO7x5xmz25WE9Khnp+SB4F5vWL+J+dAvE2SXZ8irLWhS5u32tRjOjCeFZhyXpI47PlGQ=="
},
"js/284-e80fd0b5.chunk.min.js": {
"src": "js/284-e80fd0b5.chunk.min.js",
"integrity": "sha512-dwNdk1Jto6A4Ht/60GMUMarGkFKRTWiqxh+gM3YqjL7b2N/y0xut6op5EESN0gyfQL7xk4pgFowyMyS0rJPcRw=="
},
"js/764-e8ff889e.chunk.min.js": {
"src": "js/764-e8ff889e.chunk.min.js",
"integrity": "sha512-S94wRBs5tuMiknLYIobCoDPvnEquE9hmtjlw2m/yYAJJRaiTlCpl/neWfGoW3Eroz9uWdfrJta5piUSf3ggGVA=="
},
"js/366-23e20231.chunk.min.js": {
"src": "js/366-23e20231.chunk.min.js",
"integrity": "sha512-ZdFzJKlkluOGBZbidVvAFoh/4EK1z5q0kCYzWpXxof3aNUkIEawQhqHwnyEluGqNTZK3WCipT9UifauPLli6Dg=="
},
"js/68-408c048c.chunk.min.js": {
"src": "js/68-408c048c.chunk.min.js",
"integrity": "sha512-2x0FedDuG88J3visHLYeCd7iys7rXnCes0gAZ3ROc5hiKPgbYZBDW4sCUe9MhUC5YpWa3C0gLWqXW+hG2zLZew=="
},
"js/254-84661edf.chunk.min.js": {
"src": "js/254-84661edf.chunk.min.js",
"integrity": "sha512-JPsK+gAw8vXehHfD4LWUaCx3rW7NaPDXxSwnpQURaFKWUVIxDzKr3mFv3r4mfSyY67qIAVOx2b4NvAzhuZs34Q=="
},
"js/791-515d9e3a.chunk.min.js": {
"src": "js/791-515d9e3a.chunk.min.js",
"integrity": "sha512-5AetU1QSQjqq3J5BHmkLLshpfFzrCsprDszxddeMdk9peRN0Q+vu0pCMGzONBm7y/2IrZoSg4soEO0zVcPLc9w=="
},
"js/771-942a62df.chunk.min.js": {
"src": "js/771-942a62df.chunk.min.js",
"integrity": "sha512-8WfA8U1Udlfa6uWAYbdNKJzjlJ91qZ0ZhC+ldKdhghUgilxqA6UmZxHFKGRDQydjOFDk828O28XVmZU2IEvckA=="
},
"js/27-3c59de1a.chunk.min.js": {
"src": "js/27-3c59de1a.chunk.min.js",
"integrity": "sha512-dBBUvtlEcEY4UQSXNBpanCV1oMlEDMH4vHvACVUzG0c2Mbb9RHM8sTNSLnu+RvHvUCInCO3LbbUm3Cp2Re0eVg=="
},
"js/580-fabed2ac.chunk.min.js": {
"src": "js/580-fabed2ac.chunk.min.js",
"integrity": "sha512-L70er+tQ1Sy3yLwOKjGWDlqOtBGykeQO2F3EQzaiMgSb1qBKlrYYK7XnbI5w0qYtvYDvPmE1aflHAlrDMB6Njg=="
},
"js/644-a3e6d7ca.chunk.min.js": {
"src": "js/644-a3e6d7ca.chunk.min.js",
"integrity": "sha512-Qnwma/kO7a1x3UQXPSvKog3gI4S0H1zBy1MaQRDqpBLSEONhSdzr5gVwIqORF0sBPXAA5pPcGzHhkn83rqBviw=="
},
"js/320-1804d5a1.chunk.min.js": {
"src": "js/320-1804d5a1.chunk.min.js",
"integrity": "sha512-Srm5Oc13M8J2BystZLBh0VQqzsZnmuO5pi1/oSlmF8vp7poUUnMrnBf1QfrmsYIbFhYP7waiAm3X0s/IdTsJ6Q=="
},
"js/281-18063325.chunk.min.js": {
"src": "js/281-18063325.chunk.min.js",
"integrity": "sha512-YYPVu/iwpjYksSAqpWi1fqS29eLndA/TgC7dcSWuOe74+MKrBiGKSMbNzwUpTEV44KOKm6qZCnqjPnxReJuq5w=="
},
"js/990-52a18bdc.chunk.min.js": {
"src": "js/990-52a18bdc.chunk.min.js",
"integrity": "sha512-EuVHE1vNrU9XWjPOiLMBKKDTePuW4jYhguSruI3j2/J6mB3LQB8vSe6kKRQuHGRKYmX3gY2sDdAgFtCsCjm4vQ=="
},
"main.scss": {
"src": "main-252d384c.min.css",
"integrity": "sha512-WiV7BVk76Yp0EACJrwdWDk7+WNa+Jyiupi9aCKFrzZyiKkXk7BH+PL2IJcuDQpCMtMBFJEgen2fpKu9ExjjrUQ=="
},
"katex.css": {
"src": "katex-1799419e.min.css",
"integrity": "sha512-8rRve7ln2pKSPM7cASxirv/36DFCvY36b7sI40mS49nwsEPHsagrGiPzz1l24cpIQ9OvwfNAZmhoqjQLIrCTUg=="
},
"mobile.scss": {
"src": "mobile-79ddc617.min.css",
"integrity": "sha512-dzw2wMOouDwhSgstQKLbXD/vIqS48Ttc2IV6DeG7yam9yvKUuChJVaworzL8s2UoGMX4x2jEm50PjFJE4R4QWw=="
},
"print.scss": {
"src": "print-735ccc12.min.css",
"integrity": "sha512-c28KLNtBnKDW1+/bNWFhwuGBLw9octTXA2wnuaS2qlvpNFL0DytCapui9VM4YYkZg6e9TVp5LyuRQc2lTougDw=="
},
"custom.css": {
"src": "custom.css",
"integrity": "sha512-1kALo+zc1L2u1rvyxPIew+ZDPWhnIA1Ei2rib3eHHbskQW+EMxfI9Ayyva4aV+YRrHvH0zFxvPSFIuZ3mfsbRA=="
}
}

53
docs/themes/hugo-geekdoc/i18n/cs.yaml vendored Normal file

@ -0,0 +1,53 @@
---
edit_page: Upravit stránku
nav_navigation: Navigace
nav_tags: Tagy
nav_more: Více
nav_top: Zpět nahoru
form_placeholder_search: Vyhledat
error_page_title: Ztracen? Nic se neděje
error_message_title: Ztracen?
error_message_code: Error 404
error_message_text: >
Vypadá to že stránka, kterou hledáte, neexistuje. Nemějte obavy, můžete
se vrátit zpět na <a class="gdoc-error__link" href="{{ . }}">domovskou stránku</a>.
button_toggle_dark: Přepnout tmavý/světlý/automatický režim
button_nav_open: Otevřít navigaci
button_nav_close: Zavřít navigaci
button_menu_open: Otevřít lištu nabídky
button_menu_close: Zavřít lištu nabídky
button_homepage: Zpět na domovskou stránku
title_anchor_prefix: "Odkaz na:"
posts_read_more: Přečíst celý příspěvek
posts_read_time:
one: "Doba čtení: 1 minuta"
other: "Doba čtení: {{ . }} minut(y)"
posts_update_prefix: Naposledy upraveno
posts_count:
one: "Jeden příspěvek"
other: "Příspěvků: {{ . }}"
posts_tagged_with: Všechny příspěvky označeny '{{ . }}'
footer_build_with: >
Vytvořeno za pomocí <a href="https://gohugo.io/" class="gdoc-footer__link">Hugo</a> a
<svg class="gdoc-icon gdoc_heart"><use xlink:href="#gdoc_heart"></use></svg>
footer_legal_notice: Právní upozornění
footer_privacy_policy: Zásady ochrany soukromí
footer_content_license_prefix: >
Obsah licencovaný pod
language_switch_no_tranlation_prefix: "Stránka není přeložena:"
propertylist_required: povinné
propertylist_optional: volitené
propertylist_default: výchozí
pagination_page_prev: předchozí
pagination_page_next: další
pagination_page_state: "{{ .PageNumber }}/{{ .TotalPages }}"

53
docs/themes/hugo-geekdoc/i18n/de.yaml vendored Normal file

@ -0,0 +1,53 @@
---
edit_page: Seite bearbeiten
nav_navigation: Navigation
nav_tags: Tags
nav_more: Weitere
nav_top: Nach oben
form_placeholder_search: Suchen
error_page_title: Verlaufen? Keine Sorge
error_message_title: Verlaufen?
error_message_code: Fehler 404
error_message_text: >
Wir können die Seite nach der Du gesucht hast leider nicht finden. Keine Sorge,
wir bringen Dich zurück zur <a class="gdoc-error__link" href="{{ . }}">Startseite</a>.
button_toggle_dark: Wechsel zwischen Dunkel/Hell/Auto Modus
button_nav_open: Navigation öffnen
button_nav_close: Navigation schließen
button_menu_open: Menüband öffnen
button_menu_close: Menüband schließen
button_homepage: Zurück zur Startseite
title_anchor_prefix: "Link zu:"
posts_read_more: Ganzen Artikel lesen
posts_read_time:
one: "Eine Minute Lesedauer"
other: "{{ . }} Minuten Lesedauer"
posts_update_prefix: Aktualisiert am
posts_count:
one: "Ein Artikel"
other: "{{ . }} Artikel"
posts_tagged_with: Alle Artikel mit dem Tag '{{ . }}'
footer_build_with: >
Entwickelt mit <a href="https://gohugo.io/" class="gdoc-footer__link">Hugo</a> und
<svg class="gdoc-icon gdoc_heart"><use xlink:href="#gdoc_heart"></use></svg>
footer_legal_notice: Impressum
footer_privacy_policy: Datenschutzerklärung
footer_content_license_prefix: >
Inhalt lizensiert unter
language_switch_no_tranlation_prefix: "Seite nicht übersetzt:"
propertylist_required: erforderlich
propertylist_optional: optional
propertylist_default: Standardwert
pagination_page_prev: vorher
pagination_page_next: weiter
pagination_page_state: "{{ .PageNumber }}/{{ .TotalPages }}"

53
docs/themes/hugo-geekdoc/i18n/en.yaml vendored Normal file

@ -0,0 +1,53 @@
---
edit_page: Edit page
nav_navigation: Navigation
nav_tags: Tags
nav_more: More
nav_top: Back to top
form_placeholder_search: Search
error_page_title: Lost? Don't worry
error_message_title: Lost?
error_message_code: Error 404
error_message_text: >
Seems like what you are looking for can't be found. Don't worry, we can
bring you back to the <a class="gdoc-error__link" href="{{ . }}">homepage</a>.
button_toggle_dark: Toggle Dark/Light/Auto mode
button_nav_open: Open Navigation
button_nav_close: Close Navigation
button_menu_open: Open Menu Bar
button_menu_close: Close Menu Bar
button_homepage: Back to homepage
title_anchor_prefix: "Anchor to:"
posts_read_more: Read full post
posts_read_time:
one: "One minute to read"
other: "{{ . }} minutes to read"
posts_update_prefix: Updated on
posts_count:
one: "One post"
other: "{{ . }} posts"
posts_tagged_with: All posts tagged with '{{ . }}'
footer_build_with: >
Built with <a href="https://gohugo.io/" class="gdoc-footer__link">Hugo</a> and
<svg class="gdoc-icon gdoc_heart"><use xlink:href="#gdoc_heart"></use></svg>
footer_legal_notice: Legal Notice
footer_privacy_policy: Privacy Policy
footer_content_license_prefix: >
Content licensed under
language_switch_no_tranlation_prefix: "Page not translated:"
propertylist_required: required
propertylist_optional: optional
propertylist_default: default
pagination_page_prev: prev
pagination_page_next: next
pagination_page_state: "{{ .PageNumber }}/{{ .TotalPages }}"

53
docs/themes/hugo-geekdoc/i18n/es.yaml vendored Normal file

@ -0,0 +1,53 @@
---
edit_page: Editar página
nav_navigation: Navegación
nav_tags: Etiquetas
nav_more: Más
nav_top: Inicio de la página
form_placeholder_search: Buscar
error_page_title: Perdido? No te preocupes
error_message_title: Perdido?
error_message_code: Error 404
error_message_text: >
Al parecer, lo que estás buscando no pudo ser encontrado. No te preocupes, podemos
llevarte de vuelta al <a class="gdoc-error__link" href="{{ . }}">inicio</a>.
button_toggle_dark: Cambiar el modo Oscuro/Claro/Auto
button_nav_open: Abrir la Navegación
button_nav_close: Cerrar la Navegación
button_menu_open: Abrir el Menú Bar
button_menu_close: Cerrar el Menú Bar
button_homepage: Volver al Inicio
title_anchor_prefix: "Anclado a:"
posts_read_more: Lee la publicación completa
posts_read_time:
one: "Un minuto para leer"
other: "{{ . }} minutos para leer"
posts_update_prefix: Actualizado en
posts_count:
one: "Una publicación"
other: "{{ . }} publicaciones"
posts_tagged_with: Todas las publicaciones etiquetadas con '{{ . }}'
footer_build_with: >
Creado con <a href="https://gohugo.io/" class="gdoc-footer__link">Hugo</a> y
<svg class="gdoc-icon gdoc_heart"><use xlink:href="#gdoc_heart"></use></svg>
footer_legal_notice: Aviso Legal
footer_privacy_policy: Política de Privacidad
footer_content_license_prefix: >
Contenido licenciado con
language_switch_no_tranlation_prefix: "Página no traducida:"
propertylist_required: requerido
propertylist_optional: opcional
propertylist_default: estándar
pagination_page_prev: previo
pagination_page_next: siguiente
pagination_page_state: "{{ .PageNumber }}/{{ .TotalPages }}"

53
docs/themes/hugo-geekdoc/i18n/it.yaml vendored Normal file

@ -0,0 +1,53 @@
---
edit_page: Modifica la pagina
nav_navigation: Navigazione
nav_tags: Etichette
nav_more: Altro
nav_top: Torna su
form_placeholder_search: Cerca
error_page_title: Perso? Non ti preoccupare
error_message_title: Perso?
error_message_code: Errore 404
error_message_text: >
Sembra che non sia possibile trovare quello che stavi cercando. Non ti preoccupare,
possiamo riportarti alla <a class="gdoc-error__link" href="{{ . }}">pagina iniziale</a>.
button_toggle_dark: Seleziona il tema Chiaro/Scuro/Automatico
button_nav_open: Apri la Navigazione
button_nav_close: Chiudi la Navigazione
button_menu_open: Apri la Barra del Menu
button_menu_close: Chiudi la Barra del Menu
button_homepage: Torna alla pagina iniziale
title_anchor_prefix: "Ancora a:"
posts_read_more: Leggi tutto il post
posts_read_time:
one: "Tempo di lettura: un minuto"
other: "Tempo di lettura: {{ . }} minuti"
posts_update_prefix: Aggiornato il
posts_count:
one: "Un post"
other: "{{ . }} post"
posts_tagged_with: Tutti i post etichettati con '{{ . }}'
footer_build_with: >
Realizzato con <a href="https://gohugo.io/" class="gdoc-footer__link">Hugo</a> e
<svg class="gdoc-icon gdoc_heart"><use xlink:href="#gdoc_heart"></use></svg>
footer_legal_notice: Avviso Legale
footer_privacy_policy: Politica sulla Privacy
footer_content_license_prefix: >
Contenuto sotto licenza
language_switch_no_tranlation_prefix: "Pagina non tradotta:"
propertylist_required: richiesto
propertylist_optional: opzionale
propertylist_default: valore predefinito
pagination_page_prev: precedente
pagination_page_next: prossimo
pagination_page_state: "{{ .PageNumber }}/{{ .TotalPages }}"

53
docs/themes/hugo-geekdoc/i18n/ja.yaml vendored Normal file

@ -0,0 +1,53 @@
---
edit_page: ページの編集
nav_navigation: ナビゲーション
nav_tags: タグ
nav_more: さらに
nav_top: トップへ戻る
form_placeholder_search: 検索
error_page_title: お困りですか?ご心配なく
error_message_title: お困りですか?
error_message_code: 404 エラー
error_message_text: >
お探しのものが見つからないようです。<a class="gdoc-error__link" href="{{ . }}">トップページ</a>
へ戻ることができるので、ご安心ください。
button_toggle_dark: モードの切替 ダーク/ライト/自動
button_nav_open: ナビゲーションを開く
button_nav_close: ナビゲーションを閉じる
button_menu_open: メニューバーを開く
button_menu_close: メニューバーを閉じる
button_homepage: トップページへ戻る
title_anchor_prefix: "アンカー先:"
posts_read_more: 全投稿を閲覧
posts_read_time:
one: "読むのに 1 分かかります"
other: "読むのに要する時間 {{ . }} (分)"
posts_update_prefix: 更新時刻
posts_count:
one: "一件の投稿"
other: "{{ . }} 件の投稿"
posts_tagged_with: "'{{ . }}'のタグが付いた記事全部"
footer_build_with: >
<a href="https://gohugo.io/" class="gdoc-footer__link">Hugo</a> でビルドしています。
<svg class="gdoc-icon gdoc_heart"><use xlink:href="#gdoc_heart"></use></svg>
footer_legal_notice: 法的な告知事項
footer_privacy_policy: プライバシーポリシー
footer_content_license_prefix: >
提供するコンテンツのライセンス
language_switch_no_tranlation_prefix: "未翻訳のページ:"
propertylist_required: 必須
propertylist_optional: 任意
propertylist_default: 既定値
pagination_page_prev:
pagination_page_next:
pagination_page_state: "{{ .PageNumber }}/{{ .TotalPages }}"

53
docs/themes/hugo-geekdoc/i18n/nl.yaml vendored Normal file

@ -0,0 +1,53 @@
---
edit_page: Wijzig pagina
nav_navigation: Navigatie
nav_tags: Markering
nav_more: Meer
nav_top: Terug naar boven
form_placeholder_search: Zoek
error_page_title: Verdwaald? Geen probleem
error_message_title: Verdwaald?
error_message_code: Error 404
error_message_text: >
Het lijkt er op dat wat je zoekt niet gevonden kan worden. Geen probleem,
we kunnen je terug naar de <a class="gdoc-error__link" href="{{ . }}">startpagina</a> brengen.
button_toggle_dark: Wijzig Donker/Licht/Auto weergave
button_nav_open: Open navigatie
button_nav_close: Sluit navigatie
button_menu_open: Open menubalk
button_menu_close: Sluit menubalk
button_homepage: Terug naar startpagina
title_anchor_prefix: "Link naar:"
posts_read_more: Lees volledige bericht
posts_read_time:
one: "Een minuut leestijd"
other: "{{ . }} minuten leestijd"
posts_update_prefix: Bijgewerkt op
posts_count:
one: "Een bericht"
other: "{{ . }} berichten"
posts_tagged_with: Alle berichten gemarkeerd met '{{ . }}'
footer_build_with: >
Gebouwd met <a href="https://gohugo.io/" class="gdoc-footer__link">Hugo</a> en
<svg class="gdoc-icon gdoc_heart"><use xlink:href="#gdoc_heart"></use></svg>
footer_legal_notice: Juridische mededeling
footer_privacy_policy: Privacybeleid
footer_content_license_prefix: >
Inhoud gelicenseerd onder
language_switch_no_tranlation_prefix: "Pagina niet vertaald:"
propertylist_required: verplicht
propertylist_optional: optioneel
propertylist_default: standaard
pagination_page_prev: vorige
pagination_page_next: volgende
pagination_page_state: "{{ .PageNumber }}/{{ .TotalPages }}"


@ -0,0 +1,53 @@
---
edit_page: 编辑页面
nav_navigation: 导航
nav_tags: 标签
nav_more: 更多
nav_top: 回到顶部
form_placeholder_search: 搜索
error_page_title: 迷路了? 不用担心
error_message_title: 迷路了?
error_message_code: 错误 404
error_message_text: >
好像找不到你要找的东西。 别担心,我们可以
带您回到<a class="gdoc-error__link" href="{{ . }}">主页</a>。
button_toggle_dark: 切换暗/亮/自动模式
button_nav_open: 打开导航
button_nav_close: 关闭导航
button_menu_open: 打开菜单栏
button_menu_close: 关闭菜单栏
button_homepage: 返回首页
title_anchor_prefix: "锚定到:"
posts_read_more: 阅读全文
posts_read_time:
one: "一分钟阅读时间"
other: "{{ . }} 分钟阅读时间"
posts_update_prefix: 更新时间
posts_count:
one: 一篇文章
other: "{{ . }} 个帖子"
posts_tagged_with: 所有带有“{{ . }}”标签的帖子。
footer_build_with: >
基于 <a href="https://gohugo.io/" class="gdoc-footer__link">Hugo</a>
<svg class="gdoc-icon gdoc_heart"><use xlink:href="#gdoc_heart"></use></svg> 制作
footer_legal_notice: "法律声明"
footer_privacy_policy: "隐私政策"
footer_content_license_prefix: >
内容许可证
language_switch_no_tranlation_prefix: "页面未翻译:"
propertylist_required: 需要
propertylist_optional: 可选
propertylist_default: 默认值
pagination_page_prev: 以前
pagination_page_next: 下一个
pagination_page_state: "{{ .PageNumber }}/{{ .TotalPages }}"

Binary file not shown.


Binary file not shown.


BIN
docs/themes/hugo-geekdoc/images/tn.png vendored Normal file

Binary file not shown.



@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="{{ .Site.Language.Lang }}">
<head>
{{ partial "head/meta" . }}
<title>{{ i18n "error_page_title" }}</title>
{{ partial "head/favicons" . }}
{{ partial "head/others" . }}
</head>
<body>
{{ partial "svg-icon-symbols" . }}
<div class="wrapper">
<input type="checkbox" class="hidden" id="menu-header-control" />
{{ partial "site-header" (dict "Root" . "MenuEnabled" false) }}
<main class="gdoc-error flex-even">
<div class="flex align-center justify-center">
<div class="gdoc-error__icon">
<svg class="gdoc-icon gdoc_cloud_off"><use xlink:href="#gdoc_cloud_off"></use></svg>
</div>
<div class="gdoc-error__message">
<div class="gdoc-error__line gdoc-error__title">{{ i18n "error_message_title" }}</div>
<div class="gdoc-error__line gdoc-error__code">{{ i18n "error_message_code" }}</div>
<div class="gdoc-error__line gdoc-error__help">
{{ i18n "error_message_text" .Site.BaseURL | safeHTML }}
</div>
</div>
</div>
</main>
{{ partial "site-footer" . }}
</div>
</body>
</html>


@ -0,0 +1,11 @@
<!-- prettier-ignore-start -->
{{ if not (.Page.Scratch.Get "mermaid") }}
<!-- Include mermaid only first time -->
<script defer src="{{ index (index .Page.Site.Data.assets "mermaid.js") "src" | relURL }}"></script>
{{ .Page.Scratch.Set "mermaid" true }}
{{ end }}
<!-- prettier-ignore-end -->
<pre class="gdoc-mermaid mermaid text-center">
{{- .Inner -}}
</pre>


@ -0,0 +1,27 @@
{{- $showAnchor := (and (default true .Page.Params.geekdocAnchor) (default true .Page.Site.Params.geekdocAnchor)) -}}
<!-- prettier-ignore-start -->
{{- if $showAnchor -}}
<div class="flex align-center gdoc-page__anchorwrap">
<h{{ .Level }} id="{{ .Anchor | safeURL }}" {{- with .Attributes.class }}
class="{{ . }}"
{{- end }}
>
{{ .Text | safeHTML }}
</h{{ .Level }}>
<a data-clipboard-text="{{ .Page.Permalink }}#{{ .Anchor | safeURL }}" class="gdoc-page__anchor clip flex align-center" title="{{ i18n "title_anchor_prefix" }} {{ .Text | safeHTML }}" aria-label="{{ i18n "title_anchor_prefix" }} {{ .Text | safeHTML }}" href="#{{ .Anchor | safeURL }}">
<svg class="gdoc-icon gdoc_link"><use xlink:href="#gdoc_link"></use></svg>
</a>
</div>
{{- else -}}
<div class="gdoc-page__anchorwrap">
<h{{ .Level }} id="{{ .Anchor | safeURL }}" {{- with .Attributes.class }}
class="{{ . }}"
{{- end }}
>
{{ .Text | safeHTML }}
</h{{ .Level }}>
</div>
{{- end -}}
<!-- prettier-ignore-end -->


@ -0,0 +1,6 @@
<img
src="{{ .Destination | safeURL }}"
alt="{{ .Text }}"
{{ with .Title }}title="{{ . }}"{{ end }}
/>
{{- /* Drop trailing newlines */ -}}


@ -0,0 +1,14 @@
{{- $raw := or (hasPrefix .Text "<img") (hasPrefix .Text "<figure") -}}
{{- $code := hasPrefix .Text "<code" -}}
<a
class="gdoc-markdown__link{{ if $raw -}}
--raw
{{- else if $code -}}
--code
{{- end }}"
href="{{ .Destination | safeURL }}"
{{- with .Title }}{{ printf "title=\"%s\"" . | safeHTMLAttr }}{{- end }}
>
{{- .Text | safeHTML -}}
</a>
{{- /* Drop trailing newlines */ -}}


@ -0,0 +1,60 @@
<!DOCTYPE html>
<html
lang="{{ .Site.Language.Lang }}"
class="color-toggle-hidden"
{{ if default false .Site.Params.geekdocDarkModeCode }}code-theme="dark"{{ end }}
>
<head>
{{ partial "head/meta" . }}
<title>
{{- if eq .Kind "home" -}}
{{ .Site.Title }}
{{- else -}}
{{ printf "%s | %s" (partial "utils/title" .) .Site.Title }}
{{- end -}}
</title>
{{ partial "head/favicons" . }}
{{ partial "head/rel-me" . }}
{{ partial "head/microformats" . }}
{{ partial "head/others" . }}
{{ partial "head/custom" . }}
</head>
<body itemscope itemtype="https://schema.org/WebPage">
{{ partial "svg-icon-symbols" . }}
<div
class="wrapper {{ if default false .Site.Params.geekdocDarkModeDim }}dark-mode-dim{{ end }}"
>
<input type="checkbox" class="hidden" id="menu-control" />
<input type="checkbox" class="hidden" id="menu-header-control" />
{{ $navEnabled := default true .Page.Params.geekdocNav }}
{{ partial "site-header" (dict "Root" . "MenuEnabled" $navEnabled) }}
<main class="container flex flex-even">
{{ if $navEnabled }}
<aside class="gdoc-nav">
{{ partial "menu" . }}
</aside>
{{ end }}
<div class="gdoc-page">
{{ template "main" . }}
<div class="gdoc-page__footer flex flex-wrap justify-between">
{{ partial "menu-nextprev" . }}
</div>
</div>
</main>
{{ partial "site-footer" . }}
</div>
{{ partial "foot" . }}
</body>
</html>


@ -0,0 +1,11 @@
{{ define "main" }}
{{ partial "page-header" . }}
<article
class="gdoc-markdown gdoc-markdown__align--{{ default "left" (.Page.Params.geekdocAlign | lower) }}"
>
<h1>{{ partial "utils/title" . }}</h1>
{{ partial "utils/content" . }}
</article>
{{ end }}


@ -0,0 +1,11 @@
{{ define "main" }}
{{ partial "page-header" . }}
<article
class="gdoc-markdown gdoc-markdown__align--{{ default "left" (.Page.Params.geekdocAlign | lower) }}"
>
<h1>{{ partial "utils/title" . }}</h1>
{{ partial "utils/content" . }}
</article>
{{ end }}


@ -0,0 +1,49 @@
{{ define "main" }}
{{ range .Paginator.Pages }}
<article class="gdoc-post">
<header class="gdoc-post__header">
<h1 class="gdoc-post__title">
<a href="{{ .RelPermalink }}">{{ partial "utils/title" . }}</a>
</h1>
</header>
<section class="gdoc-markdown">
{{ .Summary }}
</section>
<div class="gdoc-post__readmore">
{{ if .Truncated }}
<a
class="flex-inline align-center fake-link"
title="{{ i18n "posts_read_more" }}"
href="{{ .RelPermalink }}"
>
{{ i18n "posts_read_more" }}
<i class="gdoc-icon">gdoc_arrow_right_alt</i>
</a>
{{ end }}
</div>
<footer class="gdoc-post__footer">
<div class="flex flex-wrap align-center gdoc-post__meta">
{{ partial "posts/metadata.html" . }}
</div>
</footer>
</article>
{{ end }}
{{ partial "pagination.html" . }}
{{ end }}
{{ define "post-tag" }}
<span class="gdoc-post__tag">
<span class="gdoc-button">
<a
class="gdoc-button__link"
href="{{ .page.RelPermalink }}"
title="{{ i18n "posts_tagged_with" .name }}"
>
{{ .name }}
</a>
</span>
</span>
{{ end }}


@ -0,0 +1,32 @@
{{ define "main" }}
{{ range .Paginator.Pages.ByTitle }}
<article class="gdoc-post">
<header class="gdoc-post__header">
<h1 class="gdoc-post__title">
<a href="{{ .RelPermalink }}">{{ partial "utils/title" . }}</a>
</h1>
</header>
<footer class="gdoc-post__meta flex align-center">
<span class="flex align-center no-wrap">
{{ $pageCount := len .Pages }}
<svg class="gdoc-icon gdoc_tag"><use xlink:href="#gdoc_tag"></use></svg>
<span class="gdoc-post__tag">
{{ i18n "posts_count" $pageCount }}
</span>
</span>
<span class="flex align-center no-wrap">
<svg class="gdoc-icon gdoc_star"><use xlink:href="#gdoc_star"></use></svg>
<span>
{{ $latet := index .Pages.ByDate 0 }}
{{ with $latet }}
<a href="{{ .RelPermalink }}">{{ partial "utils/title" . }}</a>
{{ end }}
</span>
</span>
</footer>
</article>
{{ end }}
{{ partial "pagination.html" . }}
{{ end }}


@ -0,0 +1,6 @@
{{ if default true .Site.Params.geekdocSearch }}
<script defer src="{{ index (index .Site.Data.assets "search.js") "src" | relURL }}"></script>
{{- $searchConfigFile := printf "search/%s.config.json" .Language.Lang -}}
{{- $searchConfig := resources.Get "search/config.json" | resources.ExecuteAsTemplate $searchConfigFile . | resources.Minify -}}
{{- $searchConfig.Publish -}}
{{ end }}


@ -0,0 +1 @@
<!-- You can add custom elements to the page header here. -->


@ -0,0 +1,13 @@
<link rel="icon" type="image/svg+xml" href="{{ "favicon/favicon.svg" | relURL }}" />
<link
rel="icon"
type="image/png"
sizes="32x32"
href="{{ "favicon/favicon-32x32.png" | relURL }}"
/>
<link
rel="icon"
type="image/png"
sizes="16x16"
href="{{ "favicon/favicon-16x16.png" | relURL }}"
/>

Some files were not shown because too many files have changed in this diff Show more