forked from TrueCloudLab/distribution
Converges titles to imperative-form, front-matter based, and sentence-case (#438)
Multiple title fixes, consistency fixes, convergence into metadata-based titles.
This commit is contained in:
parent
f864c74d0d
commit
908a1f14f5
33 changed files with 193 additions and 288 deletions
|
@ -2,15 +2,9 @@
|
||||||
description: describes get by digest pitfall
|
description: describes get by digest pitfall
|
||||||
keywords:
|
keywords:
|
||||||
- registry, manifest, images, tags, repository, distribution, digest
|
- registry, manifest, images, tags, repository, distribution, digest
|
||||||
menu:
|
title: Registry compatibility
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 9
|
|
||||||
title: Compatibility
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Registry Compatibility
|
|
||||||
|
|
||||||
## Synopsis
|
## Synopsis
|
||||||
*If a manifest is pulled by _digest_ from a registry 2.3 with Docker Engine 1.9
|
*If a manifest is pulled by _digest_ from a registry 2.3 with Docker Engine 1.9
|
||||||
and older, and the manifest was pushed with Docker Engine 1.10, a security check
|
and older, and the manifest was pushed with Docker Engine 1.10, a security check
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Explains how to configure a registry
|
description: Explains how to configure a registry
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, configuration
|
- registry, on-prem, images, tags, repository, distribution, configuration
|
||||||
menu:
|
title: Registry configuration reference
|
||||||
main:
|
|
||||||
parent: smn_registry
|
|
||||||
weight: 4
|
|
||||||
title: Configuring a registry
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Registry Configuration Reference
|
|
||||||
|
|
||||||
The Registry configuration is based on a YAML file, detailed below. While it comes with sane default values out of the box, you are heavily encouraged to review it exhaustively before moving your systems to production.
|
The Registry configuration is based on a YAML file, detailed below. While it comes with sane default values out of the box, you are heavily encouraged to review it exhaustively before moving your systems to production.
|
||||||
|
|
||||||
## Override specific configuration options
|
## Override specific configuration options
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Explains how to deploy a registry
|
description: Explains how to deploy a registry
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, deployment
|
- registry, on-prem, images, tags, repository, distribution, deployment
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_registry
|
|
||||||
weight: 3
|
|
||||||
title: Deploying a registry server
|
title: Deploying a registry server
|
||||||
---
|
---
|
||||||
|
|
||||||
# Deploying a registry server
|
|
||||||
|
|
||||||
You need to [install Docker version 1.6.0 or newer](/engine/installation/index.md).
|
You need to [install Docker version 1.6.0 or newer](/engine/installation/index.md).
|
||||||
|
|
||||||
## Running on localhost
|
## Running on localhost
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: describes deprecated functionality
|
description: describes deprecated functionality
|
||||||
keywords:
|
keywords:
|
||||||
- registry, manifest, images, signatures, repository, distribution, digest
|
- registry, manifest, images, signatures, repository, distribution, digest
|
||||||
menu:
|
title: Docker Registry deprecation
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 8
|
|
||||||
title: Deprecated Features
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry Deprecation
|
|
||||||
|
|
||||||
This document details functionality or components which are deprecated within
|
This document details functionality or components which are deprecated within
|
||||||
the registry.
|
the registry.
|
||||||
|
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: High level discussion of garbage collection
|
description: High level discussion of garbage collection
|
||||||
keywords:
|
keywords:
|
||||||
- registry, garbage, images, tags, repository, distribution
|
- registry, garbage, images, tags, repository, distribution
|
||||||
menu:
|
title: Garbage collection
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 4
|
|
||||||
title: Garbage Collection
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Garbage Collection
|
|
||||||
|
|
||||||
As of v2.4.0 a garbage collector command is included within the registry binary.
|
As of v2.4.0 a garbage collector command is included within the registry binary.
|
||||||
This document describes what this command does and how and why it should be used.
|
This document describes what this command does and how and why it should be used.
|
||||||
|
|
||||||
|
@ -134,4 +128,3 @@ blob eligible for deletion: sha256:87192bdbe00f8f2a62527f36bb4c7c7f4eaf9307e4b87
|
||||||
blob eligible for deletion: sha256:b549a9959a664038fc35c155a95742cf12297672ca0ae35735ec027d55bf4e97
|
blob eligible for deletion: sha256:b549a9959a664038fc35c155a95742cf12297672ca0ae35735ec027d55bf4e97
|
||||||
blob eligible for deletion: sha256:f251d679a7c61455f06d793e43c06786d7766c88b8c24edf242b2c08e3c3f599
|
blob eligible for deletion: sha256:f251d679a7c61455f06d793e43c06786d7766c88b8c24edf242b2c08e3c3f599
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Getting help with the Registry
|
description: Getting help with the Registry
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, help, 101, TL;DR
|
- registry, on-prem, images, tags, repository, distribution, help, 101, TL;DR
|
||||||
menu:
|
title: Get help
|
||||||
main:
|
|
||||||
parent: smn_registry
|
|
||||||
weight: 9
|
|
||||||
title: Getting help
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Getting help
|
|
||||||
|
|
||||||
If you need help, or just want to chat, you can reach us:
|
If you need help, or just want to chat, you can reach us:
|
||||||
|
|
||||||
- on irc: `#docker-distribution` on freenode
|
- on irc: `#docker-distribution` on freenode
|
||||||
|
|
|
@ -4,19 +4,14 @@ aliases:
|
||||||
description: High-level overview of the Registry
|
description: High-level overview of the Registry
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution
|
- registry, on-prem, images, tags, repository, distribution
|
||||||
menu:
|
title: Docker Registry
|
||||||
main:
|
|
||||||
parent: smn_registry
|
|
||||||
weight: 1
|
|
||||||
title: Registry Overview
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry
|
|
||||||
|
|
||||||
## What it is
|
## What it is
|
||||||
|
|
||||||
The Registry is a stateless, highly scalable server side application that stores and lets you distribute Docker images.
|
The Registry is a stateless, highly scalable server side application that stores
|
||||||
The Registry is open-source, under the permissive [Apache license](http://en.wikipedia.org/wiki/Apache_License).
|
and lets you distribute Docker images. The Registry is open-source, under the
|
||||||
|
permissive [Apache license](http://en.wikipedia.org/wiki/Apache_License).
|
||||||
|
|
||||||
## Why use it
|
## Why use it
|
||||||
|
|
||||||
|
@ -28,14 +23,19 @@ You should use the Registry if you want to:
|
||||||
|
|
||||||
## Alternatives
|
## Alternatives
|
||||||
|
|
||||||
Users looking for a zero maintenance, ready-to-go solution are encouraged to head-over to the [Docker Hub](https://hub.docker.com), which provides a free-to-use, hosted Registry, plus additional features (organization accounts, automated builds, and more).
|
Users looking for a zero maintenance, ready-to-go solution are encouraged to
|
||||||
|
head-over to the [Docker Hub](https://hub.docker.com), which provides a
|
||||||
|
free-to-use, hosted Registry, plus additional features (organization accounts,
|
||||||
|
automated builds, and more).
|
||||||
|
|
||||||
Users looking for a commercially supported version of the Registry should look into [Docker Trusted Registry](/docker-trusted-registry/overview/).
|
Users looking for a commercially supported version of the Registry should look
|
||||||
|
into [Docker Trusted Registry](/docker-trusted-registry/overview/).
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
The Registry is compatible with Docker engine **version 1.6.0 or higher**.
|
The Registry is compatible with Docker engine **version 1.6.0 or higher**. If
|
||||||
If you really need to work with older Docker versions, you should look into the [old python registry](https://github.com/docker/docker-registry).
|
you really need to work with older Docker versions, you should look into the
|
||||||
|
[old python registry](https://github.com/docker/docker-registry).
|
||||||
|
|
||||||
## TL;DR
|
## TL;DR
|
||||||
|
|
||||||
|
@ -65,4 +65,6 @@ Now stop your registry and remove all data
|
||||||
|
|
||||||
## Next
|
## Next
|
||||||
|
|
||||||
You should now read the [detailed introduction about the registry](introduction.md), or jump directly to [deployment instructions](deploying.md).
|
You should now read the [detailed introduction about the
|
||||||
|
registry](introduction.md), or jump directly to [deployment
|
||||||
|
instructions](deploying.md).
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Deploying a Registry in an insecure fashion
|
description: Deploying a Registry in an insecure fashion
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, insecure
|
- registry, on-prem, images, tags, repository, distribution, insecure
|
||||||
menu:
|
title: Test an insecure registry
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 5
|
|
||||||
title: Testing an insecure registry
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Insecure Registry
|
|
||||||
|
|
||||||
While it's highly recommended to secure your registry using a TLS certificate
|
While it's highly recommended to secure your registry using a TLS certificate
|
||||||
issued by a known CA, you may alternatively decide to use self-signed
|
issued by a known CA, you may alternatively decide to use self-signed
|
||||||
certificates, or even use your registry over plain http.
|
certificates, or even use your registry over plain http.
|
||||||
|
|
|
@ -2,16 +2,11 @@
|
||||||
description: Explains what the Registry is, basic use cases and requirements
|
description: Explains what the Registry is, basic use cases and requirements
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, use cases, requirements
|
- registry, on-prem, images, tags, repository, distribution, use cases, requirements
|
||||||
menu:
|
title: About Registry
|
||||||
main:
|
|
||||||
parent: smn_registry
|
|
||||||
weight: 2
|
|
||||||
title: Understanding the Registry
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Understanding the Registry
|
A registry is a storage and content delivery system, holding named Docker
|
||||||
|
images, available in different tagged versions.
|
||||||
A registry is a storage and content delivery system, holding named Docker images, available in different tagged versions.
|
|
||||||
|
|
||||||
> Example: the image `distribution/registry`, with tags `2.0` and `2.1`.
|
> Example: the image `distribution/registry`, with tags `2.0` and `2.1`.
|
||||||
|
|
||||||
|
@ -19,13 +14,24 @@ Users interact with a registry by using docker push and pull commands.
|
||||||
|
|
||||||
> Example: `docker pull registry-1.docker.io/distribution/registry:2.1`.
|
> Example: `docker pull registry-1.docker.io/distribution/registry:2.1`.
|
||||||
|
|
||||||
Storage itself is delegated to drivers. The default storage driver is the local posix filesystem, which is suitable for development or small deployments. Additional cloud-based storage drivers like S3, Microsoft Azure, OpenStack Swift and Aliyun OSS are also supported. People looking into using other storage backends may do so by writing their own driver implementing the [Storage API](storage-drivers/index.md).
|
Storage itself is delegated to drivers. The default storage driver is the local
|
||||||
|
posix filesystem, which is suitable for development or small deployments.
|
||||||
|
Additional cloud-based storage drivers like S3, Microsoft Azure, OpenStack Swift
|
||||||
|
and Aliyun OSS are also supported. People looking into using other storage
|
||||||
|
backends may do so by writing their own driver implementing the [Storage
|
||||||
|
API](storage-drivers/index.md).
|
||||||
|
|
||||||
Since securing access to your hosted images is paramount, the Registry natively supports TLS and basic authentication.
|
Since securing access to your hosted images is paramount, the Registry natively
|
||||||
|
supports TLS and basic authentication.
|
||||||
|
|
||||||
The Registry GitHub repository includes additional information about advanced authentication and authorization methods. Only very large or public deployments are expected to extend the Registry in this way.
|
The Registry GitHub repository includes additional information about advanced
|
||||||
|
authentication and authorization methods. Only very large or public deployments
|
||||||
|
are expected to extend the Registry in this way.
|
||||||
|
|
||||||
Finally, the Registry ships with a robust [notification system](notifications.md), calling webhooks in response to activity, and both extensive logging and reporting, mostly useful for large installations that want to collect metrics.
|
Finally, the Registry ships with a robust [notification
|
||||||
|
system](notifications.md), calling webhooks in response to activity, and both
|
||||||
|
extensive logging and reporting, mostly useful for large installations that want
|
||||||
|
to collect metrics.
|
||||||
|
|
||||||
## Understanding image naming
|
## Understanding image naming
|
||||||
|
|
||||||
|
@ -34,21 +40,36 @@ Image names as used in typical docker commands reflect their origin:
|
||||||
* `docker pull ubuntu` instructs docker to pull an image named `ubuntu` from the official Docker Hub. This is simply a shortcut for the longer `docker pull docker.io/library/ubuntu` command
|
* `docker pull ubuntu` instructs docker to pull an image named `ubuntu` from the official Docker Hub. This is simply a shortcut for the longer `docker pull docker.io/library/ubuntu` command
|
||||||
* `docker pull myregistrydomain:port/foo/bar` instructs docker to contact the registry located at `myregistrydomain:port` to find the image `foo/bar`
|
* `docker pull myregistrydomain:port/foo/bar` instructs docker to contact the registry located at `myregistrydomain:port` to find the image `foo/bar`
|
||||||
|
|
||||||
You can find out more about the various Docker commands dealing with images in the [official Docker engine documentation](/engine/reference/commandline/cli.md).
|
You can find out more about the various Docker commands dealing with images in
|
||||||
|
the [official Docker engine
|
||||||
|
documentation](/engine/reference/commandline/cli.md).
|
||||||
|
|
||||||
## Use cases
|
## Use cases
|
||||||
|
|
||||||
Running your own Registry is a great solution to integrate with and complement your CI/CD system. In a typical workflow, a commit to your source revision control system would trigger a build on your CI system, which would then push a new image to your Registry if the build is successful. A notification from the Registry would then trigger a deployment on a staging environment, or notify other systems that a new image is available.
|
Running your own Registry is a great solution to integrate with and complement
|
||||||
|
your CI/CD system. In a typical workflow, a commit to your source revision
|
||||||
|
control system would trigger a build on your CI system, which would then push a
|
||||||
|
new image to your Registry if the build is successful. A notification from the
|
||||||
|
Registry would then trigger a deployment on a staging environment, or notify
|
||||||
|
other systems that a new image is available.
|
||||||
|
|
||||||
It's also an essential component if you want to quickly deploy a new image over a large cluster of machines.
|
It's also an essential component if you want to quickly deploy a new image over
|
||||||
|
a large cluster of machines.
|
||||||
|
|
||||||
Finally, it's the best way to distribute images inside an isolated network.
|
Finally, it's the best way to distribute images inside an isolated network.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
You absolutely need to be familiar with Docker, specifically with regard to pushing and pulling images. You must understand the difference between the daemon and the cli, and at least grasp basic concepts about networking.
|
You absolutely need to be familiar with Docker, specifically with regard to
|
||||||
|
pushing and pulling images. You must understand the difference between the
|
||||||
|
daemon and the cli, and at least grasp basic concepts about networking.
|
||||||
|
|
||||||
Also, while just starting a registry is fairly easy, operating it in a production environment requires operational skills, just like any other service. You are expected to be familiar with systems availability and scalability, logging and log processing, systems monitoring, and security 101. Strong understanding of http and overall network communications, plus familiarity with golang are certainly useful as well for advanced operations or hacking.
|
Also, while just starting a registry is fairly easy, operating it in a
|
||||||
|
production environment requires operational skills, just like any other service.
|
||||||
|
You are expected to be familiar with systems availability and scalability,
|
||||||
|
logging and log processing, systems monitoring, and security 101. Strong
|
||||||
|
understanding of http and overall network communications, plus familiarity with
|
||||||
|
golang are certainly useful as well for advanced operations or hacking.
|
||||||
|
|
||||||
## Next
|
## Next
|
||||||
|
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Explains how to work with registry notifications
|
description: Explains how to work with registry notifications
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, notifications, advanced
|
- registry, on-prem, images, tags, repository, distribution, notifications, advanced
|
||||||
menu:
|
title: Work with notifications
|
||||||
main:
|
|
||||||
parent: smn_registry
|
|
||||||
weight: 5
|
|
||||||
title: Working with notifications
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Notifications
|
|
||||||
|
|
||||||
The Registry supports sending webhook notifications in response to events
|
The Registry supports sending webhook notifications in response to events
|
||||||
happening within the registry. Notifications are sent in response to manifest
|
happening within the registry. Notifications are sent in response to manifest
|
||||||
pushes and pulls and layer pushes and pulls. These actions are serialized into
|
pushes and pulls and layer pushes and pulls. These actions are serialized into
|
||||||
|
|
|
@ -1,16 +1,10 @@
|
||||||
---
|
---
|
||||||
description: Restricting access to your registry using an apache proxy
|
description: Restricting access to your registry using an apache proxy
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, authentication, proxy,
|
- registry, on-prem, images, tags, repository, distribution, authentication, proxy, apache, httpd, TLS, recipe, advanced
|
||||||
apache, httpd, TLS, recipe, advanced
|
title: Authenticate proxy with apache
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_recipes
|
|
||||||
title: Authenticating proxy with apache
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Authenticating proxy with apache
|
|
||||||
|
|
||||||
## Use-case
|
## Use-case
|
||||||
|
|
||||||
People already relying on an apache proxy to authenticate their users to other services might want to leverage it and have Registry communications tunneled through the same pipeline.
|
People already relying on an apache proxy to authenticate their users to other services might want to leverage it and have Registry communications tunneled through the same pipeline.
|
||||||
|
@ -19,7 +13,7 @@ Usually, that includes enterprise setups using LDAP/AD on the backend and a SSO
|
||||||
|
|
||||||
### Alternatives
|
### Alternatives
|
||||||
|
|
||||||
If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](../deploying.md#native-basic-auth).
|
If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](../deploying.md#native-basic-auth).
|
||||||
|
|
||||||
### Solution
|
### Solution
|
||||||
|
|
||||||
|
@ -27,7 +21,7 @@ With the method presented here, you implement basic authentication for docker en
|
||||||
|
|
||||||
While we use a simple htpasswd file as an example, any other apache authentication backend should be fairly easy to implement once you are done with the example.
|
While we use a simple htpasswd file as an example, any other apache authentication backend should be fairly easy to implement once you are done with the example.
|
||||||
|
|
||||||
We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage.
|
We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage.
|
||||||
|
|
||||||
### Gotchas
|
### Gotchas
|
||||||
|
|
||||||
|
@ -200,7 +194,7 @@ Now, start your stack:
|
||||||
|
|
||||||
docker-compose up -d
|
docker-compose up -d
|
||||||
|
|
||||||
Login with a "push" authorized user (using `testuserpush` and `testpasswordpush`), then tag and push your first image:
|
Login with a "push" authorized user (using `testuserpush` and `testpasswordpush`), then tag and push your first image:
|
||||||
|
|
||||||
docker login myregistrydomain.com:5043
|
docker login myregistrydomain.com:5043
|
||||||
docker tag ubuntu myregistrydomain.com:5043/test
|
docker tag ubuntu myregistrydomain.com:5043/test
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Fun stuff to do with your registry
|
description: Fun stuff to do with your registry
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, recipes, advanced
|
- registry, on-prem, images, tags, repository, distribution, recipes, advanced
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_recipes
|
|
||||||
weight: -10
|
|
||||||
title: Recipes Overview
|
title: Recipes Overview
|
||||||
---
|
---
|
||||||
|
|
||||||
# Recipes
|
|
||||||
|
|
||||||
You will find here a list of "recipes", end-to-end scenarios for exotic or otherwise advanced use-cases.
|
You will find here a list of "recipes", end-to-end scenarios for exotic or otherwise advanced use-cases.
|
||||||
|
|
||||||
Most users are not expected to have a use for these.
|
Most users are not expected to have a use for these.
|
||||||
|
|
|
@ -1,59 +1,76 @@
|
||||||
---
|
---
|
||||||
description: Setting-up a local mirror for Docker Hub images
|
description: Setting-up a local mirror for Docker Hub images
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, mirror, Hub, recipe,
|
- registry, on-prem, images, tags, repository, distribution, mirror, Hub, recipe, advanced
|
||||||
advanced
|
title: Registry as a pull through cache
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_recipes
|
|
||||||
title: Mirroring Docker Hub
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Registry as a pull through cache
|
|
||||||
|
|
||||||
## Use-case
|
## Use-case
|
||||||
|
|
||||||
If you have multiple instances of Docker running in your environment (e.g., multiple physical or virtual machines, all running the Docker daemon), each time one of them requires an image that it doesn’t have it will go out to the internet and fetch it from the public Docker registry. By running a local registry mirror, you can keep most of the redundant image fetch traffic on your local network.
|
If you have multiple instances of Docker running in your environment (e.g.,
|
||||||
|
multiple physical or virtual machines, all running the Docker daemon), each time
|
||||||
|
one of them requires an image that it doesn’t have it will go out to the
|
||||||
|
internet and fetch it from the public Docker registry. By running a local
|
||||||
|
registry mirror, you can keep most of the redundant image fetch traffic on your
|
||||||
|
local network.
|
||||||
|
|
||||||
### Alternatives
|
### Alternatives
|
||||||
|
|
||||||
Alternatively, if the set of images you are using is well delimited, you can simply pull them manually and push them to a simple, local, private registry.
|
Alternatively, if the set of images you are using is well delimited, you can
|
||||||
|
simply pull them manually and push them to a simple, local, private registry.
|
||||||
|
|
||||||
Furthermore, if your images are all built in-house, not using the Hub at all and relying entirely on your local registry is the simplest scenario.
|
Furthermore, if your images are all built in-house, not using the Hub at all and
|
||||||
|
relying entirely on your local registry is the simplest scenario.
|
||||||
|
|
||||||
### Gotcha
|
### Gotcha
|
||||||
|
|
||||||
It's currently not possible to mirror another private registry. Only the central Hub can be mirrored.
|
It's currently not possible to mirror another private registry. Only the central
|
||||||
|
Hub can be mirrored.
|
||||||
|
|
||||||
### Solution
|
### Solution
|
||||||
|
|
||||||
The Registry can be configured as a pull through cache. In this mode a Registry responds to all normal docker pull requests but stores all content locally.
|
The Registry can be configured as a pull through cache. In this mode a Registry
|
||||||
|
responds to all normal docker pull requests but stores all content locally.
|
||||||
|
|
||||||
## How does it work?
|
## How does it work?
|
||||||
|
|
||||||
The first time you request an image from your local registry mirror, it pulls the image from the public Docker registry and stores it locally before handing it back to you. On subsequent requests, the local registry mirror is able to serve the image from its own storage.
|
The first time you request an image from your local registry mirror, it pulls
|
||||||
|
the image from the public Docker registry and stores it locally before handing
|
||||||
|
it back to you. On subsequent requests, the local registry mirror is able to
|
||||||
|
serve the image from its own storage.
|
||||||
|
|
||||||
### What if the content changes on the Hub?
|
### What if the content changes on the Hub?
|
||||||
|
|
||||||
When a pull is attempted with a tag, the Registry will check the remote to ensure if it has the latest version of the requested content. If it doesn't it will fetch the latest content and cache it.
|
When a pull is attempted with a tag, the Registry will check the remote to
|
||||||
|
ensure if it has the latest version of the requested content. If it doesn't it
|
||||||
|
will fetch the latest content and cache it.
|
||||||
|
|
||||||
### What about my disk?
|
### What about my disk?
|
||||||
|
|
||||||
In environments with high churn rates, stale data can build up in the cache. When running as a pull through cache the Registry will periodically remove old content to save disk space. Subsequent requests for removed content will cause a remote fetch and local re-caching.
|
In environments with high churn rates, stale data can build up in the cache.
|
||||||
|
When running as a pull through cache the Registry will periodically remove old
|
||||||
|
content to save disk space. Subsequent requests for removed content will cause a
|
||||||
|
remote fetch and local re-caching.
|
||||||
|
|
||||||
To ensure best performance and guarantee correctness the Registry cache should be configured to use the `filesystem` driver for storage.
|
To ensure best performance and guarantee correctness the Registry cache should
|
||||||
|
be configured to use the `filesystem` driver for storage.
|
||||||
|
|
||||||
## Running a Registry as a pull through cache
|
## Running a Registry as a pull through cache
|
||||||
|
|
||||||
The easiest way to run a registry as a pull through cache is to run the official Registry image.
|
The easiest way to run a registry as a pull through cache is to run the official
|
||||||
|
Registry image.
|
||||||
|
|
||||||
Multiple registry caches can be deployed over the same back-end. A single registry cache will ensure that concurrent requests do not pull duplicate data, but this property will not hold true for a registry cache cluster.
|
Multiple registry caches can be deployed over the same back-end. A single
|
||||||
|
registry cache will ensure that concurrent requests do not pull duplicate data,
|
||||||
|
but this property will not hold true for a registry cache cluster.
|
||||||
|
|
||||||
### Configuring the cache
|
### Configuring the cache
|
||||||
|
|
||||||
To configure a Registry to run as a pull through cache, the addition of a `proxy` section is required to the config file.
|
To configure a Registry to run as a pull through cache, the addition of a
|
||||||
|
`proxy` section is required to the config file.
|
||||||
|
|
||||||
In order to access private images on the Docker Hub, a username and password can be supplied.
|
In order to access private images on the Docker Hub, a username and password can
|
||||||
|
be supplied.
|
||||||
|
|
||||||
proxy:
|
proxy:
|
||||||
remoteurl: https://registry-1.docker.io
|
remoteurl: https://registry-1.docker.io
|
||||||
|
@ -66,7 +83,8 @@ In order to access private images on the Docker Hub, a username and password can
|
||||||
|
|
||||||
### Configuring the Docker daemon
|
### Configuring the Docker daemon
|
||||||
|
|
||||||
You will need to pass the `--registry-mirror` option to your Docker daemon on startup:
|
You will need to pass the `--registry-mirror` option to your Docker daemon on
|
||||||
|
startup:
|
||||||
|
|
||||||
docker --registry-mirror=https://<my-docker-mirror-host> daemon
|
docker --registry-mirror=https://<my-docker-mirror-host> daemon
|
||||||
|
|
||||||
|
@ -74,4 +92,6 @@ For example, if your mirror is serving on `http://10.0.0.2:5000`, you would run:
|
||||||
|
|
||||||
docker --registry-mirror=https://10.0.0.2:5000 daemon
|
docker --registry-mirror=https://10.0.0.2:5000 daemon
|
||||||
|
|
||||||
NOTE: Depending on your local host setup, you may be able to add the `--registry-mirror` option to the `DOCKER_OPTS` variable in `/etc/default/docker`.
|
> NOTE: Depending on your local host setup, you may be able to add the
|
||||||
|
`--registry-mirror` option to the `DOCKER_OPTS` variable in
|
||||||
|
`/etc/default/docker`.
|
||||||
|
|
|
@ -1,42 +1,50 @@
|
||||||
---
|
---
|
||||||
description: Restricting access to your registry using a nginx proxy
|
description: Restricting access to your registry using a nginx proxy
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, nginx, proxy, authentication,
|
- registry, on-prem, images, tags, repository, distribution, nginx, proxy, authentication, TLS, recipe, advanced
|
||||||
TLS, recipe, advanced
|
title: Authenticate proxy with nginx
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_recipes
|
|
||||||
title: Authenticating proxy with nginx
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Authenticating proxy with nginx
|
|
||||||
|
|
||||||
|
|
||||||
## Use-case
|
## Use-case
|
||||||
|
|
||||||
People already relying on a nginx proxy to authenticate their users to other services might want to leverage it and have Registry communications tunneled through the same pipeline.
|
People already relying on a nginx proxy to authenticate their users to other
|
||||||
|
services might want to leverage it and have Registry communications tunneled
|
||||||
|
through the same pipeline.
|
||||||
|
|
||||||
Usually, that includes enterprise setups using LDAP/AD on the backend and a SSO mechanism fronting their internal http portal.
|
Usually, that includes enterprise setups using LDAP/AD on the backend and a SSO
|
||||||
|
mechanism fronting their internal http portal.
|
||||||
|
|
||||||
### Alternatives
|
### Alternatives
|
||||||
|
|
||||||
If you just want authentication for your registry, and are happy maintaining users access separately, you should really consider sticking with the native [basic auth registry feature](../deploying.md#native-basic-auth).
|
If you just want authentication for your registry, and are happy maintaining
|
||||||
|
users access separately, you should really consider sticking with the native
|
||||||
|
[basic auth registry feature](../deploying.md#native-basic-auth).
|
||||||
|
|
||||||
### Solution
|
### Solution
|
||||||
|
|
||||||
With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry.
|
With the method presented here, you implement basic authentication for docker
|
||||||
|
engines in a reverse proxy that sits in front of your registry.
|
||||||
|
|
||||||
While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the example.
|
While we use a simple htpasswd file as an example, any other nginx
|
||||||
|
authentication backend should be fairly easy to implement once you are done with
|
||||||
|
the example.
|
||||||
|
|
||||||
We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage.
|
We also implement push restriction (to a limited user group) for the sake of the
|
||||||
|
example. Again, you should modify this to fit your mileage.
|
||||||
|
|
||||||
### Gotchas
|
### Gotchas
|
||||||
|
|
||||||
While this model gives you the ability to use whatever authentication backend you want through the secondary authentication mechanism implemented inside your proxy, it also requires that you move TLS termination from the Registry to the proxy itself.
|
While this model gives you the ability to use whatever authentication backend
|
||||||
|
you want through the secondary authentication mechanism implemented inside your
|
||||||
|
proxy, it also requires that you move TLS termination from the Registry to the
|
||||||
|
proxy itself.
|
||||||
|
|
||||||
Furthermore, introducing an extra http layer in your communication pipeline will make it more complex to deploy, maintain, and debug, and will possibly create issues. Make sure the extra complexity is required.
|
Furthermore, introducing an extra http layer in your communication pipeline will
|
||||||
|
make it more complex to deploy, maintain, and debug, and will possibly create
|
||||||
|
issues. Make sure the extra complexity is required.
|
||||||
|
|
||||||
For instance, Amazon's Elastic Load Balancer (ELB) in HTTPS mode already sets the following client header:
|
For instance, Amazon's Elastic Load Balancer (ELB) in HTTPS mode already sets
|
||||||
|
the following client header:
|
||||||
|
|
||||||
```
|
```
|
||||||
X-Real-IP
|
X-Real-IP
|
||||||
|
@ -44,7 +52,8 @@ X-Forwarded-For
|
||||||
X-Forwarded-Proto
|
X-Forwarded-Proto
|
||||||
```
|
```
|
||||||
|
|
||||||
So if you have an nginx sitting behind it, should remove these lines from the example config below:
|
So if you have an nginx sitting behind it, should remove these lines from the
|
||||||
|
example config below:
|
||||||
|
|
||||||
```
|
```
|
||||||
X-Real-IP $remote_addr; # pass on real client's IP
|
X-Real-IP $remote_addr; # pass on real client's IP
|
||||||
|
@ -52,7 +61,9 @@ X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
X-Forwarded-Proto $scheme;
|
X-Forwarded-Proto $scheme;
|
||||||
```
|
```
|
||||||
|
|
||||||
Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more information, see [#970](https://github.com/docker/distribution/issues/970).
|
Otherwise nginx will reset the ELB's values, and the requests will not be routed
|
||||||
|
properly. For more information, see
|
||||||
|
[#970](https://github.com/docker/distribution/issues/970).
|
||||||
|
|
||||||
## Setting things up
|
## Setting things up
|
||||||
|
|
||||||
|
@ -183,7 +194,8 @@ Now, start your stack:
|
||||||
|
|
||||||
docker-compose up -d
|
docker-compose up -d
|
||||||
|
|
||||||
Login with a "push" authorized user (using `testuser` and `testpassword`), then tag and push your first image:
|
Login with a "push" authorized user (using `testuser` and `testpassword`), then
|
||||||
|
tag and push your first image:
|
||||||
|
|
||||||
docker login -u=testuser -p=testpassword -e=root@example.ch myregistrydomain.com:5043
|
docker login -u=testuser -p=testpassword -e=root@example.ch myregistrydomain.com:5043
|
||||||
docker tag ubuntu myregistrydomain.com:5043/test
|
docker tag ubuntu myregistrydomain.com:5043/test
|
||||||
|
|
|
@ -2,14 +2,9 @@
|
||||||
description: Explains how to run a registry on macOS
|
description: Explains how to run a registry on macOS
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, macOS, recipe, advanced
|
- registry, on-prem, images, tags, repository, distribution, macOS, recipe, advanced
|
||||||
menu:
|
title: macOS Setup Guide
|
||||||
main:
|
|
||||||
parent: smn_recipes
|
|
||||||
title: Running on macOS
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# macOS Setup Guide
|
|
||||||
|
|
||||||
## Use-case
|
## Use-case
|
||||||
|
|
||||||
This is useful if you intend to run a registry server natively on macOS.
|
This is useful if you intend to run a registry server natively on macOS.
|
||||||
|
|
|
@ -2,14 +2,9 @@
|
||||||
description: Specification for the Registry API.
|
description: Specification for the Registry API.
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, api, advanced
|
- registry, on-prem, images, tags, repository, distribution, api, advanced
|
||||||
menu:
|
title: Docker Registry HTTP API V2
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
title: HTTP API V2
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry HTTP API V2
|
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
|
|
||||||
The _Docker Registry HTTP API_ is the protocol to facilitate distribution of
|
The _Docker Registry HTTP API_ is the protocol to facilitate distribution of
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Docker Registry v2 authentication schema
|
description: Docker Registry v2 authentication schema
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, authentication, advanced
|
- registry, on-prem, images, tags, repository, distribution, authentication, advanced
|
||||||
menu:
|
title: Docker Registry v2 authentication
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 100
|
|
||||||
title: Docker Registry Token Authentication
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry v2 authentication
|
|
||||||
|
|
||||||
See the [Token Authentication Specification](token.md),
|
See the [Token Authentication Specification](token.md),
|
||||||
[Token Authentication Implementation](jwt.md),
|
[Token Authentication Implementation](jwt.md),
|
||||||
[Token Scope Documentation](scope.md),
|
[Token Scope Documentation](scope.md),
|
||||||
|
|
|
@ -1,17 +1,10 @@
|
||||||
---
|
---
|
||||||
description: Describe the reference implementation of the Docker Registry v2 authentication
|
description: Describe the reference implementation of the Docker Registry v2 authentication schema
|
||||||
schema
|
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, JWT authentication, advanced
|
- registry, on-prem, images, tags, repository, distribution, JWT authentication, advanced
|
||||||
menu:
|
title: Docker Registry v2 Bearer token specification
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 101
|
|
||||||
title: Token Authentication Implementation
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry v2 Bearer token specification
|
|
||||||
|
|
||||||
This specification covers the `docker/distribution` implementation of the
|
This specification covers the `docker/distribution` implementation of the
|
||||||
v2 Registry's authentication schema. Specifically, it describes the JSON
|
v2 Registry's authentication schema. Specifically, it describes the JSON
|
||||||
Web Token schema that `docker/distribution` has adopted to implement the
|
Web Token schema that `docker/distribution` has adopted to implement the
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Specifies the Docker Registry v2 authentication
|
description: Specifies the Docker Registry v2 authentication
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, oauth2, advanced
|
- registry, on-prem, images, tags, repository, distribution, oauth2, advanced
|
||||||
menu:
|
title: Docker Registry v2 authentication using OAuth2
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 102
|
|
||||||
title: Oauth2 Token Authentication
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry v2 authentication using OAuth2
|
|
||||||
|
|
||||||
This document describes support for the OAuth2 protocol within the authorization
|
This document describes support for the OAuth2 protocol within the authorization
|
||||||
server. [RFC6749](https://tools.ietf.org/html/rfc6749) should be used as a
|
server. [RFC6749](https://tools.ietf.org/html/rfc6749) should be used as a
|
||||||
reference for the protocol and HTTP endpoints described here.
|
reference for the protocol and HTTP endpoints described here.
|
||||||
|
@ -188,4 +182,3 @@ Content-Type: application/json
|
||||||
|
|
||||||
{"refresh_token":"kas9Da81Dfa8","access_token":"eyJhbGciOiJFUzI1NiIsInR5":"expires_in":900,"scope":"repository:samalba/my-app:pull,repository:samalba/my-app:push"}
|
{"refresh_token":"kas9Da81Dfa8","access_token":"eyJhbGciOiJFUzI1NiIsInR5":"expires_in":900,"scope":"repository:samalba/my-app:pull,repository:samalba/my-app:push"}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -1,17 +1,10 @@
|
||||||
---
|
---
|
||||||
description: Describes the scope and access fields used for registry authorization
|
description: Describes the scope and access fields used for registry authorization tokens
|
||||||
tokens
|
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, advanced, access, scope
|
- registry, on-prem, images, tags, repository, distribution, advanced, access, scope
|
||||||
menu:
|
title: Docker Registry token scope and access
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 103
|
|
||||||
title: Token Scope Documentation
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry Token Scope and Access
|
|
||||||
|
|
||||||
Tokens used by the registry are always restricted what resources they may
|
Tokens used by the registry are always restricted what resources they may
|
||||||
be used to access, where those resources may be accessed, and what actions
|
be used to access, where those resources may be accessed, and what actions
|
||||||
may be done on those resources. Tokens always have the context of a user which
|
may be done on those resources. Tokens always have the context of a user which
|
||||||
|
@ -141,4 +134,3 @@ done by fetching an access token using the refresh token. Since the refresh
|
||||||
token is not scoped to specific resources for an audience, extra care should
|
token is not scoped to specific resources for an audience, extra care should
|
||||||
be taken to only use the refresh token to negotiate new access tokens directly
|
be taken to only use the refresh token to negotiate new access tokens directly
|
||||||
with the authorization server, and never with a resource provider.
|
with the authorization server, and never with a resource provider.
|
||||||
|
|
||||||
|
|
|
@ -1,17 +1,10 @@
|
||||||
---
|
---
|
||||||
description: Specifies the Docker Registry v2 authentication
|
description: Specifies the Docker Registry v2 authentication
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, Bearer authentication,
|
- registry, on-prem, images, tags, repository, distribution, Bearer authentication, advanced
|
||||||
advanced
|
title: Docker Registry v2 authentication via central service
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: 104
|
|
||||||
title: Token Authentication Specification
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry v2 authentication via central service
|
|
||||||
|
|
||||||
This document outlines the v2 Docker registry authentication scheme:
|
This document outlines the v2 Docker registry authentication scheme:
|
||||||
|
|
||||||
![v2 registry auth](../../images/v2-registry-auth.png)
|
![v2 registry auth](../../images/v2-registry-auth.png)
|
||||||
|
@ -26,7 +19,7 @@ This document outlines the v2 Docker registry authentication scheme:
|
||||||
5. The client retries the original request with the Bearer token embedded in
|
5. The client retries the original request with the Bearer token embedded in
|
||||||
the request's Authorization header.
|
the request's Authorization header.
|
||||||
6. The Registry authorizes the client by validating the Bearer token and the
|
6. The Registry authorizes the client by validating the Bearer token and the
|
||||||
claim set embedded within it and begins the push/pull session as usual.
|
claim set embedded within it and begins the push/pull session as usual.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
|
@ -82,7 +75,8 @@ Note the HTTP Response Header indicating the auth challenge:
|
||||||
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:samalba/my-app:pull,push"
|
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:samalba/my-app:pull,push"
|
||||||
```
|
```
|
||||||
|
|
||||||
This format is documented in [Section 3 of RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://tools.ietf.org/html/rfc6750#section-3)
|
This format is documented in [Section 3 of RFC 6750: The OAuth 2.0 Authorization
|
||||||
|
Framework: Bearer Token Usage](https://tools.ietf.org/html/rfc6750#section-3)
|
||||||
|
|
||||||
This challenge indicates that the registry requires a token issued by the
|
This challenge indicates that the registry requires a token issued by the
|
||||||
specified token server and that the request the client is attempting will
|
specified token server and that the request the client is attempting will
|
||||||
|
@ -162,7 +156,7 @@ Defines getting a bearer and refresh token using the token endpoint.
|
||||||
<code>expires_in</code>
|
<code>expires_in</code>
|
||||||
</dt>
|
</dt>
|
||||||
<dd>
|
<dd>
|
||||||
(Optional) The duration in seconds since the token was issued that it
|
(Optional) The duration in seconds since the token was issued that it
|
||||||
will remain valid. When omitted, this defaults to 60 seconds. For
|
will remain valid. When omitted, this defaults to 60 seconds. For
|
||||||
compatibility with older clients, a token should never be returned with
|
compatibility with older clients, a token should never be returned with
|
||||||
less than 60 seconds to live.
|
less than 60 seconds to live.
|
||||||
|
@ -253,4 +247,5 @@ token placed in the HTTP `Authorization` header like so:
|
||||||
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkJWM0Q6MkFWWjpVQjVaOktJQVA6SU5QTDo1RU42Ok40SjQ6Nk1XTzpEUktFOkJWUUs6M0ZKTDpQT1RMIn0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJCQ0NZOk9VNlo6UUVKNTpXTjJDOjJBVkM6WTdZRDpBM0xZOjQ1VVc6NE9HRDpLQUxMOkNOSjU6NUlVTCIsImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5jb20iLCJleHAiOjE0MTUzODczMTUsIm5iZiI6MTQxNTM4NzAxNSwiaWF0IjoxNDE1Mzg3MDE1LCJqdGkiOiJ0WUpDTzFjNmNueXk3a0FuMGM3cktQZ2JWMUgxYkZ3cyIsInNjb3BlIjoiamxoYXduOnJlcG9zaXRvcnk6c2FtYWxiYS9teS1hcHA6cHVzaCxwdWxsIGpsaGF3bjpuYW1lc3BhY2U6c2FtYWxiYTpwdWxsIn0.Y3zZSwaZPqy4y9oRBVRImZyv3m_S9XDHF1tWwN7mL52C_IiA73SJkWVNsvNqpJIn5h7A2F8biv_S2ppQ1lgkbw
|
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkJWM0Q6MkFWWjpVQjVaOktJQVA6SU5QTDo1RU42Ok40SjQ6Nk1XTzpEUktFOkJWUUs6M0ZKTDpQT1RMIn0.eyJpc3MiOiJhdXRoLmRvY2tlci5jb20iLCJzdWIiOiJCQ0NZOk9VNlo6UUVKNTpXTjJDOjJBVkM6WTdZRDpBM0xZOjQ1VVc6NE9HRDpLQUxMOkNOSjU6NUlVTCIsImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5jb20iLCJleHAiOjE0MTUzODczMTUsIm5iZiI6MTQxNTM4NzAxNSwiaWF0IjoxNDE1Mzg3MDE1LCJqdGkiOiJ0WUpDTzFjNmNueXk3a0FuMGM3cktQZ2JWMUgxYkZ3cyIsInNjb3BlIjoiamxoYXduOnJlcG9zaXRvcnk6c2FtYWxiYS9teS1hcHA6cHVzaCxwdWxsIGpsaGF3bjpuYW1lc3BhY2U6c2FtYWxiYTpwdWxsIn0.Y3zZSwaZPqy4y9oRBVRImZyv3m_S9XDHF1tWwN7mL52C_IiA73SJkWVNsvNqpJIn5h7A2F8biv_S2ppQ1lgkbw
|
||||||
```
|
```
|
||||||
|
|
||||||
This is also described in [Section 2.1 of RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://tools.ietf.org/html/rfc6750#section-2.1)
|
This is also described in [Section 2.1 of RFC 6750: The OAuth 2.0 Authorization
|
||||||
|
Framework: Bearer Token Usage](https://tools.ietf.org/html/rfc6750#section-2.1)
|
||||||
|
|
|
@ -2,15 +2,9 @@
|
||||||
description: Explains registry JSON objects
|
description: Explains registry JSON objects
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, images, repository, json
|
- registry, service, images, repository, json
|
||||||
menu:
|
title: Docker Registry Reference
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
weight: -1
|
|
||||||
title: Reference Overview
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry Reference
|
|
||||||
|
|
||||||
* [HTTP API V2](api.md)
|
* [HTTP API V2](api.md)
|
||||||
* [Storage Driver](../storage-drivers/index.md)
|
* [Storage Driver](../storage-drivers/index.md)
|
||||||
* [Token Authentication Specification](auth/token.md)
|
* [Token Authentication Specification](auth/token.md)
|
||||||
|
|
|
@ -3,14 +3,9 @@ description: Explains registry JSON objects
|
||||||
published: false
|
published: false
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, images, repository, json
|
- registry, service, images, repository, json
|
||||||
menu:
|
title: Docker Distribution JSON canonicalization
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
title: Docker Distribution JSON Canonicalization
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Distribution JSON Canonicalization
|
|
||||||
|
|
||||||
To provide consistent content hashing of JSON objects throughout Docker
|
To provide consistent content hashing of JSON objects throughout Docker
|
||||||
Distribution APIs, the specification defines a canonical JSON format. Adopting
|
Distribution APIs, the specification defines a canonical JSON format. Adopting
|
||||||
such a canonicalization also aids in caching JSON responses.
|
such a canonicalization also aids in caching JSON responses.
|
||||||
|
|
|
@ -2,14 +2,9 @@
|
||||||
description: image manifest for the Registry.
|
description: image manifest for the Registry.
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, api, advanced, manifest
|
- registry, on-prem, images, tags, repository, distribution, api, advanced, manifest
|
||||||
menu:
|
title: Image manifest V2, schema 1
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
title: 'Image Manifest V 2, Schema 1 '
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Image Manifest Version 2, Schema 1
|
|
||||||
|
|
||||||
This document outlines the format of of the V2 image manifest. The image
|
This document outlines the format of of the V2 image manifest. The image
|
||||||
manifest described herein was introduced in the Docker daemon in the [v1.3.0
|
manifest described herein was introduced in the Docker daemon in the [v1.3.0
|
||||||
release](https://github.com/docker/docker/commit/9f482a66ab37ec396ac61ed0c00d59122ac07453).
|
release](https://github.com/docker/docker/commit/9f482a66ab37ec396ac61ed0c00d59122ac07453).
|
||||||
|
|
|
@ -2,14 +2,9 @@
|
||||||
description: image manifest for the Registry.
|
description: image manifest for the Registry.
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, api, advanced, manifest
|
- registry, on-prem, images, tags, repository, distribution, api, advanced, manifest
|
||||||
menu:
|
title: Image manifest V2, schema 2
|
||||||
main:
|
|
||||||
parent: smn_registry_ref
|
|
||||||
title: 'Image Manifest V 2, Schema 2 '
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Image Manifest Version 2, Schema 2
|
|
||||||
|
|
||||||
This document outlines the format of of the V2 image manifest, schema version 2.
|
This document outlines the format of of the V2 image manifest, schema version 2.
|
||||||
The original (and provisional) image manifest for V2 (schema 1), was introduced
|
The original (and provisional) image manifest for V2 (schema 1), was introduced
|
||||||
in the Docker daemon in the [v1.3.0
|
in the Docker daemon in the [v1.3.0
|
||||||
|
|
|
@ -2,14 +2,9 @@
|
||||||
description: Explains how to use the Azure storage drivers
|
description: Explains how to use the Azure storage drivers
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, driver, images, storage, azure
|
- registry, service, driver, images, storage, azure
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_storagedrivers
|
|
||||||
title: Microsoft Azure storage driver
|
title: Microsoft Azure storage driver
|
||||||
---
|
---
|
||||||
|
|
||||||
# Microsoft Azure storage driver
|
|
||||||
|
|
||||||
An implementation of the `storagedriver.StorageDriver` interface which uses [Microsoft Azure Blob Storage](http://azure.microsoft.com/en-us/services/storage/) for object storage.
|
An implementation of the `storagedriver.StorageDriver` interface which uses [Microsoft Azure Blob Storage](http://azure.microsoft.com/en-us/services/storage/) for object storage.
|
||||||
|
|
||||||
## Parameters
|
## Parameters
|
||||||
|
|
|
@ -2,14 +2,9 @@
|
||||||
description: Explains how to use the filesystem storage drivers
|
description: Explains how to use the filesystem storage drivers
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, driver, images, storage, filesystem
|
- registry, service, driver, images, storage, filesystem
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_storagedrivers
|
|
||||||
title: Filesystem storage driver
|
title: Filesystem storage driver
|
||||||
---
|
---
|
||||||
|
|
||||||
# Filesystem storage driver
|
|
||||||
|
|
||||||
An implementation of the `storagedriver.StorageDriver` interface which uses the local filesystem.
|
An implementation of the `storagedriver.StorageDriver` interface which uses the local filesystem.
|
||||||
|
|
||||||
## Parameters
|
## Parameters
|
||||||
|
|
|
@ -2,14 +2,9 @@
|
||||||
description: Explains how to use the Google Cloud Storage drivers
|
description: Explains how to use the Google Cloud Storage drivers
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, driver, images, storage, gcs, google, cloud
|
- registry, service, driver, images, storage, gcs, google, cloud
|
||||||
menu:
|
title: Google Cloud Storage driver
|
||||||
main:
|
|
||||||
parent: smn_storagedrivers
|
|
||||||
title: GCS storage driver
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Google Cloud Storage driver
|
|
||||||
|
|
||||||
An implementation of the `storagedriver.StorageDriver` interface which uses Google Cloud for object storage.
|
An implementation of the `storagedriver.StorageDriver` interface which uses Google Cloud for object storage.
|
||||||
|
|
||||||
## Parameters
|
## Parameters
|
||||||
|
|
|
@ -4,16 +4,9 @@ aliases:
|
||||||
description: Explains how to use storage drivers
|
description: Explains how to use storage drivers
|
||||||
keywords:
|
keywords:
|
||||||
- registry, on-prem, images, tags, repository, distribution, storage drivers, advanced
|
- registry, on-prem, images, tags, repository, distribution, storage drivers, advanced
|
||||||
menu:
|
title: Docker Registry storage driver
|
||||||
main:
|
|
||||||
identifier: storage_index
|
|
||||||
parent: smn_storagedrivers
|
|
||||||
weight: -1
|
|
||||||
title: Storage Driver overview
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Docker Registry Storage Driver
|
|
||||||
|
|
||||||
This document describes the registry storage driver model, implementation, and explains how to contribute new storage drivers.
|
This document describes the registry storage driver model, implementation, and explains how to contribute new storage drivers.
|
||||||
|
|
||||||
## Provided Drivers
|
## Provided Drivers
|
||||||
|
|
|
@ -2,14 +2,9 @@
|
||||||
description: Explains how to use the in-memory storage drivers
|
description: Explains how to use the in-memory storage drivers
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, driver, images, storage, in-memory
|
- registry, service, driver, images, storage, in-memory
|
||||||
menu:
|
title: In-memory storage driver (testing only)
|
||||||
main:
|
|
||||||
parent: smn_storagedrivers
|
|
||||||
title: In-memory storage driver
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# In-memory storage driver (Testing Only)
|
|
||||||
|
|
||||||
For purely tests purposes, you can use the `inmemory` storage driver. This
|
For purely tests purposes, you can use the `inmemory` storage driver. This
|
||||||
driver is an implementation of the `storagedriver.StorageDriver` interface which
|
driver is an implementation of the `storagedriver.StorageDriver` interface which
|
||||||
uses local memory for object storage. If you would like to run a registry from
|
uses local memory for object storage. If you would like to run a registry from
|
||||||
|
|
|
@ -2,15 +2,11 @@
|
||||||
description: Explains how to use the Aliyun OSS storage driver
|
description: Explains how to use the Aliyun OSS storage driver
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, driver, images, storage, OSS, aliyun
|
- registry, service, driver, images, storage, OSS, aliyun
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_storagedrivers
|
|
||||||
title: Aliyun OSS storage driver
|
title: Aliyun OSS storage driver
|
||||||
---
|
---
|
||||||
|
|
||||||
# Aliyun OSS storage driver
|
An implementation of the `storagedriver.StorageDriver` interface which uses
|
||||||
|
[Aliyun OSS](http://www.aliyun.com/product/oss) for object storage.
|
||||||
An implementation of the `storagedriver.StorageDriver` interface which uses [Aliyun OSS](http://www.aliyun.com/product/oss) for object storage.
|
|
||||||
|
|
||||||
## Parameters
|
## Parameters
|
||||||
|
|
||||||
|
|
|
@ -2,15 +2,11 @@
|
||||||
description: Explains how to use the S3 storage drivers
|
description: Explains how to use the S3 storage drivers
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, driver, images, storage, S3
|
- registry, service, driver, images, storage, S3
|
||||||
menu:
|
|
||||||
main:
|
|
||||||
parent: smn_storagedrivers
|
|
||||||
title: S3 storage driver
|
title: S3 storage driver
|
||||||
---
|
---
|
||||||
|
|
||||||
# S3 storage driver
|
An implementation of the `storagedriver.StorageDriver` interface which uses
|
||||||
|
Amazon S3 or S3 compatible services for object storage.
|
||||||
An implementation of the `storagedriver.StorageDriver` interface which uses Amazon S3 or S3 compatible services for object storage.
|
|
||||||
|
|
||||||
## Parameters
|
## Parameters
|
||||||
|
|
||||||
|
@ -221,17 +217,25 @@ The following IAM permissions are required by the registry for push and pull. S
|
||||||
|
|
||||||
## Use Case
|
## Use Case
|
||||||
|
|
||||||
Adding CloudFront as a middleware for your S3 backed registry can dramatically improve pull times. Your registry will have the ability to retrieve your images from edge servers, rather than the geographically limited location of your S3 bucket. The farther your registry is from your bucket, the more improvements you will see. See [Amazon CloudFront](https://aws.amazon.com/cloudfront/details/).
|
Adding CloudFront as a middleware for your S3 backed registry can dramatically
|
||||||
|
improve pull times. Your registry will have the ability to retrieve your images
|
||||||
|
from edge servers, rather than the geographically limited location of your S3
|
||||||
|
bucket. The farther your registry is from your bucket, the more improvements you
|
||||||
|
will see. See [Amazon CloudFront](https://aws.amazon.com/cloudfront/details/).
|
||||||
|
|
||||||
## Configuring CloudFront for Distribution
|
## Configuring CloudFront for Distribution
|
||||||
|
|
||||||
If you are unfamiliar with creating a CloudFront distribution, see [Getting Started with Cloudfront](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html).
|
If you are unfamiliar with creating a CloudFront distribution, see [Getting
|
||||||
|
Started with
|
||||||
|
Cloudfront](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html).
|
||||||
|
|
||||||
Defaults can be kept in most areas except:
|
Defaults can be kept in most areas except:
|
||||||
|
|
||||||
### Origin:
|
### Origin:
|
||||||
|
|
||||||
The CloudFront distribution must be created such that the `Origin Path` is set to the directory level of the root "docker" key in S3. If your registry exists on the root of the bucket, this path should be left blank.
|
The CloudFront distribution must be created such that the `Origin Path` is set
|
||||||
|
to the directory level of the root "docker" key in S3. If your registry exists
|
||||||
|
on the root of the bucket, this path should be left blank.
|
||||||
|
|
||||||
### Behaviors:
|
### Behaviors:
|
||||||
|
|
||||||
|
@ -243,7 +247,9 @@ The CloudFront distribution must be created such that the `Origin Path` is set t
|
||||||
|
|
||||||
## Registry configuration
|
## Registry configuration
|
||||||
|
|
||||||
Here the `middleware` option is used. It is still important to keep the `storage` option as CloudFront will only handle `pull` actions; `push` actions are still directly written to S3.
|
Here the `middleware` option is used. It is still important to keep the
|
||||||
|
`storage` option as CloudFront will only handle `pull` actions; `push` actions
|
||||||
|
are still directly written to S3.
|
||||||
|
|
||||||
The following example shows what you will need at minimum:
|
The following example shows what you will need at minimum:
|
||||||
|
|
||||||
|
@ -265,4 +271,6 @@ middleware:
|
||||||
|
|
||||||
## CloudFront Key-Pair
|
## CloudFront Key-Pair
|
||||||
|
|
||||||
A CloudFront key-pair is required for all AWS accounts needing access to your CloudFront distribution. For information, please see [Creating CloudFront Key Pairs](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs).
|
A CloudFront key-pair is required for all AWS accounts needing access to your
|
||||||
|
CloudFront distribution. For information, please see [Creating CloudFront Key
|
||||||
|
Pairs](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs).
|
||||||
|
|
|
@ -2,15 +2,12 @@
|
||||||
description: Explains how to use the OpenStack swift storage driver
|
description: Explains how to use the OpenStack swift storage driver
|
||||||
keywords:
|
keywords:
|
||||||
- registry, service, driver, images, storage, swift
|
- registry, service, driver, images, storage, swift
|
||||||
menu:
|
title: OpenStack Swift storage driver
|
||||||
main:
|
|
||||||
parent: smn_storagedrivers
|
|
||||||
title: Swift storage driver
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# OpenStack Swift storage driver
|
An implementation of the `storagedriver.StorageDriver` interface that uses
|
||||||
|
[OpenStack Swift](http://docs.openstack.org/developer/swift/) for object
|
||||||
An implementation of the `storagedriver.StorageDriver` interface that uses [OpenStack Swift](http://docs.openstack.org/developer/swift/) for object storage.
|
storage.
|
||||||
|
|
||||||
## Parameters
|
## Parameters
|
||||||
|
|
||||||
|
@ -210,8 +207,9 @@ An implementation of the `storagedriver.StorageDriver` interface that uses [Open
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
The features supported by the Swift server are queried by requesting the `/info` URL on the server. In case the administrator
|
The features supported by the Swift server are queried by requesting the `/info`
|
||||||
disabled that feature, the configuration file can specify the following optional parameters :
|
URL on the server. In case the administrator disabled that feature, the
|
||||||
|
configuration file can specify the following optional parameters :
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
|
|
Loading…
Reference in a new issue