From 596533b9fbccbb14bc3986e1884a7f7e35024dcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E6=B3=8A=E6=98=8E518370910136?=
 <bomingzh@sjtu.edu.cn>
Date: Sun, 16 Feb 2025 20:25:32 +0800
Subject: [PATCH] Add Setup private docker registry & docker_auth on
 `data-server`

---
 ... %26 docker_auth on %60data-server%60.-.md | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 Setup private docker registry %26 docker_auth on %60data-server%60.-.md

diff --git a/Setup private docker registry %26 docker_auth on %60data-server%60.-.md b/Setup private docker registry %26 docker_auth on %60data-server%60.-.md
new file mode 100644
index 0000000..78b825b
--- /dev/null
+++ b/Setup private docker registry %26 docker_auth on %60data-server%60.-.md	
@@ -0,0 +1,76 @@
+We use `focs.ji.sjtu.edu.cn:5000` for our private [registry](https://hub.docker.com/_/registry) and `focs.ji.sjtu.edu.cn:5001` for [docker_auth](https://github.com/cesanta/docker_auth) to provide authentication. Port 5000 and 5001 on `data-server` are forwarded to focs.ji.sjtu.edu.cn and they are only accessible within the campus network.
+
+`docker_auth` lets login admins have permission to push to the registry, and anyone to pull from it. We need to `docker login focs.ji.sjtu.edu.cn` on `joj-dev` since it pushes to the registry from gitea actions.
+
+To run `registry`:
+
+```
+$ cat /opt/docker-configs/registry/config.yml
+version: 0.1
+log:
+  fields:
+    service: registry
+storage:
+  cache:
+    blobdescriptor: inmemory
+  filesystem:
+    rootdirectory: /var/lib/registry
+http:
+  addr: :5000
+  headers:
+    X-Content-Type-Options: [nosniff]
+  tls:
+    certificate: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
+    key: "/certs/live/focs.ji.sjtu.edu.cn/privkey.pem"
+auth:
+  token:
+    realm: "https://focs.ji.sjtu.edu.cn:5001/auth"
+    service: "Docker registry"
+    issuer: "Acme auth server"
+    rootcertbundle: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3
+$ docker run -d   --restart=always   --name registry-auth -v /etc/letsencrypt/:/certs   -v registry-data:/var/lib/registry -v /opt/docker-configs/registry/config.yml:/etc/docker/registry/config.yml   -p 5000:5000   registry:2.8.3
+```
+
+To run `docker_auth`:
+
+```
+$ cat /opt/docker-configs/docker_auth/auth_config.yml
+# A simple example. See reference.yml for explanation of all options.
+#
+#  auth:
+#    token:
+#      realm: "https://127.0.0.1:5001/auth"
+#      service: "Docker registry"
+#      issuer: "Acme auth server"
+#      rootcertbundle: "/path/to/server.pem"
+
+server:
+  addr: ":5001"
+  certificate: "/certs/live/focs.ji.sjtu.edu.cn/fullchain.pem"
+  key: "/certs/live/focs.ji.sjtu.edu.cn/privkey.pem"
+
+token:
+  issuer: "Acme auth server"  # Must match issuer in the Registry config.
+  expiration: 900
+
+users:
+  # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
+  "admin":
+    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC"  # badmin
+  "": {}  # Allow anonymous (no "docker login") access.
+
+acl:
+  - match: { account: "admin" }
+    actions: ["*"]
+    comment: "Admin has full access to everything."
+  - match: { account: "" }
+    actions: ["pull"]
+    comment: "Anonymous users can pull any image."
+  # Access is denied by default.
+$ docker run -d   --restart=always   --name docker_auth -v /etc/letsencrypt/:/certs -p 5001:5001     -v /opt/docker-configs/docker_auth:/config:ro     -v /var/log/docker_auth:/logs     cesanta/docker_auth:1 --v=2 --alsologtostderr /config/auth_config.yml
+```
\ No newline at end of file
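Review bot: The `"admin":` entry in the docker_auth block ships a bcrypt hash together with its plaintext in the trailing comment (`# badmin`), so anyone with read access to this repository holds the push credential for `focs.ji.sjtu.edu.cn:5000`; the `# A simple example` header above it suggests this is the upstream sample config with its sample credential left in place. Rotate the password and regenerate the hash with the `htpasswd -nB admin` command the config itself recommends (the `$2y$05$` prefix shows the current cost factor is 5, so consider raising it with `-C`), and keep the real hash out of this document, e.g. `password: "<bcrypt hash, generated locally>"`. Removing only the `# badmin` comment is not enough, since the hash is already in the commit history once this lands. Because the block reproduces the live `/opt/docker-configs/docker_auth/auth_config.yml`, the same change applies to that file on `data-server`.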