4 Setup private docker registry & docker_auth on `data-server`
张泊明518370910136 edited this page 2025-02-24 10:16:18 +08:00

We use focs.ji.sjtu.edu.cn:5000 for our private registry and focs.ji.sjtu.edu.cn:5001 for docker_auth, which provides authentication. Ports 5000 and 5001 on data-server are forwarded to focs.ji.sjtu.edu.cn and are only reachable from within the campus network.

docker_auth grants logged-in admins permission to push to the registry and lets anyone pull from it. We need to `docker login focs.ji.sjtu.edu.cn` on joj-dev, since it pushes to the registry from Gitea Actions.

To run the registry:

$ cat /opt/docker-configs/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
    key: "/certs/live/focs.ji.sjtu.edu.cn/privkey.pem"
auth:
  token:
    realm: "https://focs.ji.sjtu.edu.cn:5001/auth"
    service: "Docker registry"
    issuer: "Acme auth server"
    rootcertbundle: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
$ docker run -d \
    --restart=always \
    --name registry \
    -v /etc/letsencrypt/:/certs \
    -v registry-data:/var/lib/registry \
    -v /opt/docker-configs/registry/config.yml:/etc/docker/registry/config.yml \
    -p 5000:5000 \
    registry:2.8.3

To run docker_auth:

$ cat /opt/docker-configs/docker_auth/auth_config.yml
# A simple example. See reference.yml for explanation of all options.
#
#  auth:
#    token:
#      realm: "https://127.0.0.1:5001/auth"
#      service: "Docker registry"
#      issuer: "Acme auth server"
#      rootcertbundle: "/path/to/server.pem"

server:
  addr: ":5001"
  certificate: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
  key: "/certs/live/focs.ji.sjtu.edu.cn/privkey.pem"

token:
  issuer: "Acme auth server"  # Must match issuer in the Registry config.
  expiration: 900

users:
  # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
  "admin":
    password: "$2y$12$DD6nNmOff6zIlc0tf6UIOOlU0ignzYpPS9vgaNTqbxfM0k5Ud6s4W"  # check .p file in this dir
  "": {}  # Allow anonymous (no "docker login") access.

acl:
  - match: { account: "admin" }
    actions: ["*"]
    comment: "Admin has full access to everything."
  - match: { account: "" }
    actions: ["pull"]
    comment: "Anonymous users can pull any image."
  # Access is denied by default.
$ docker run -d \
    --restart=always \
    --name docker_auth \
    -v /etc/letsencrypt/:/certs \
    -p 5001:5001 \
    -v /opt/docker-configs/docker_auth:/config:ro \
    -v /var/log/docker_auth:/logs \
    cesanta/docker_auth:1 --v=2 --alsologtostderr /config/auth_config.yml
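The handshake the two configs above wire together (registry 401 challenge, docker_auth realm, bearer token) as an added POSIX sh check script that is not part of the wiki's setup commands; it assumes curl, uses the page's registry address, and joj/runner in the comments is a made-up repository name.

```sh
#!/bin/sh
# Added check script for this page (not part of the wiki's setup commands).
# Walks the registry's bearer-token handshake by hand so the docker_auth ACL
# can be verified from any campus host without 'docker login'. Needs curl.
REGISTRY="${REGISTRY:-focs.ji.sjtu.edu.cn:5000}"

# Pull one quoted parameter (realm, service or scope) out of a
# 'Bearer realm="...",service="..."' challenge value.
challenge_param() {
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the docker_auth token URL for one repository and action list,
# e.g. token_url "$hdr" joj/runner pull   (joj/runner is a made-up repo name)
token_url() {
  realm=$(challenge_param "$1" realm)
  service=$(challenge_param "$1" service | sed 's/ /%20/g')  # only spaces need escaping here
  printf '%s?service=%s&scope=repository:%s:%s\n' "$realm" "$service" "$2" "$3"
}

# Decode a JWT payload (base64url, unpadded). No signature check: this is only
# for reading the 'access' claim; the registry verifies the signature itself.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done
  printf '%s' "$p" | base64 -d
}

# granted_access REPO ACTIONS [USER:PASS]
# Fetches the registry's challenge, asks docker_auth for a token (anonymously
# unless USER:PASS is given) and prints the token payload, whose 'access'
# claim shows exactly which actions the ACL granted for REPO.
granted_access() {
  hdr=$(curl -sSI "https://$REGISTRY/v2/" | tr -d '\r' |
        sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: //p')
  url=$(token_url "$hdr" "$1" "$2")
  if [ -n "$3" ]; then body=$(curl -sS -u "$3" "$url"); else body=$(curl -sS "$url"); fi
  tok=$(printf '%s' "$body" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
  [ -n "$tok" ] || { echo "no token issued: $body" >&2; return 1; }
  jwt_payload "$tok"; echo
}

# With the ACL on this page, an anonymous request for pull,push should come
# back with only "pull" in the access claim, while admin gets both, e.g.:
#   granted_access joj/runner pull,push
#   granted_access joj/runner pull,push admin:PASSWORD
```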