diff --git a/Setup private docker registry %26 docker_auth on %60data-server%60.-.md b/Setup private docker registry %26 docker_auth on %60data-server%60.-.md
new file mode 100644
index 0000000..78b825b
--- /dev/null
+++ b/Setup private docker registry %26 docker_auth on %60data-server%60.-.md
@@ -0,0 +1,76 @@
+We use `focs.ji.sjtu.edu.cn:5000` for our private [registry](https://hub.docker.com/_/registry) and `focs.ji.sjtu.edu.cn:5001` for [docker_auth](https://github.com/cesanta/docker_auth) to provide authentication. Port 5000 and 5001 on `data-server` are forwarded to focs.ji.sjtu.edu.cn and they are only accessible within the campus network.
+
+`docker_auth` lets login admins have permission to push to the registry, and anyone to pull from it. We need to `docker login focs.ji.sjtu.edu.cn` on `joj-dev` since it pushes to the registry from gitea actions.
+
+To run `registry`:
+
+```
+$ cat /opt/docker-configs/registry/config.yml
+version: 0.1
+log:
+ fields:
+ service: registry
+storage:
+ cache:
+ blobdescriptor: inmemory
+ filesystem:
+ rootdirectory: /var/lib/registry
+http:
+ addr: :5000
+ headers:
+ X-Content-Type-Options: [nosniff]
+ tls:
+ certificate: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
+ key: "/certs/live/focs.ji.sjtu.edu.cn/privkey.pem"
+auth:
+ token:
+ realm: "https://focs.ji.sjtu.edu.cn:5001/auth"
+ service: "Docker registry"
+ issuer: "Acme auth server"
+ rootcertbundle: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
+health:
+ storagedriver:
+ enabled: true
+ interval: 10s
+ threshold: 3
+$ docker run -d --restart=always --name registry-auth -v /etc/letsencrypt/:/certs -v registry-data:/var/lib/registry -v /opt/docker-configs/registry/config.yml:/etc/docker/registry/config.yml -p 5000:5000 registry:2.8.3
+```
+
+To run `docker_auth`:
+
+```
+$ cat /opt/docker-configs/docker_auth/auth_config.yml
+# A simple example. See reference.yml for explanation of all options.
+#
+# auth:
+# token:
+# realm: "https://127.0.0.1:5001/auth"
+# service: "Docker registry"
+# issuer: "Acme auth server"
+# rootcertbundle: "/path/to/server.pem"
+
+server:
+ addr: ":5001"
+ certificate: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
+ key: "/certs/live/focs.ji.sjtu.edu.cn/privkey.pem"
+
+token:
+ issuer: "Acme auth server" # Must match issuer in the Registry config.
+ expiration: 900
+
+users:
+ # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
+ "admin":
+ password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
+ "": {} # Allow anonymous (no "docker login") access.
+
+acl:
+ - match: { account: "admin" }
+ actions: ["*"]
+ comment: "Admin has full access to everything."
+ - match: { account: "" }
+ actions: ["pull"]
+ comment: "Anonymous users can pull any image."
+ # Access is denied by default.
+$ docker run -d --restart=always --name docker_auth -v /etc/letsencrypt/:/certs -p 5001:5001 -v /opt/docker-configs/docker_auth:/config:ro -v /var/log/docker_auth:/logs cesanta/docker_auth:1 --v=2 --alsologtostderr /config/auth_config.yml
+```
\ No newline at end of file
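Review bot: The `"admin"` entry in the quoted auth_config.yml keeps the inline comment `# badmin` next to the bcrypt hash, so the page itself records the push-capable admin password in clear, and the hash appears to be the one shipped in docker_auth's simple example config rather than a site-generated one. Since this is the only account the ACL allows to push, the hash should be regenerated with the `htpasswd -nB admin` command the file's own comment describes and the `# badmin` comment dropped before the page is committed. The `-v /etc/letsencrypt/:/certs` mount in both `docker run` lines is read-write while the config mount is `:ro`; `-v /etc/letsencrypt/:/certs:ro` would keep the TLS key material from being modifiable from inside either container. The campus-network restriction stated at the top of the page limits exposure but does not change the credential concern.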