mash-playbook/docs/services/docker-registry.md
2023-03-19 10:04:19 +02:00

3.4 KiB

Docker Registry

Docker Registry is a container image distribution registry developed by Docker Inc.

This playbook supports installing a container image registry which is:

  • completely public, when it comes to pulling images
  • IP-restricted, when it comes to pushing images

Authentication is not supported.

Dependencies

This service requires the following other services:

Configuration

To enable this service, add the following configuration to your vars.yml file and re-run the installation process:

########################################################################
#                                                                      #
# docker-registry                                                      #
#                                                                      #
########################################################################

docker_registry_enabled: true

docker_registry_hostname: registry.example.com

# Uncomment the line below if you'd like to allow for image deletion.
# docker_registry_storage_delete_enabled: true

# Only whitelisted IPs will be able to perform DELETE, PATCH, POST, PUT requests against the registry.
# All other IP addresses get read-only (GET, HEAD) access.
docker_registry_private_services_whitelisted_ip_ranges:
  - 1.2.3.4/32
  - 4.3.2.1/32

########################################################################
#                                                                      #
# /docker-registry                                                     #
#                                                                      #
########################################################################

In the example configuration above, we configure the service to be hosted at https://registry.example.com.

Usage

After installation, you should be able to:

  • pull images from your registry from any IP address
  • push images to your registry from the whitelisted IP addresses (docker_registry_private_services_whitelisted_ip_ranges)

With custom Traefik configuration (hint: see docker_registry_container_labels_traefik_rule_* variables in the docker-registry role), you may be able to add additional restrictions.

To test pushing images, try the following:

docker pull docker.io/alpine:3.17.2
docker tag docker.io/alpine:3.17.2 registry.example.com/alpine:3.17.2
docker push registry.example.com/alpine:3.17.2

To test pulling images, try the following:

# Clean up from before
docker rmi registry.example.com/alpine:3.17.2

docker pull registry.example.com/alpine:3.17.2

The base URL (e.g. https://registry.example.com) serves an empty (blank) page. To browse your registry's images via a web interface, you may need another piece of software, like Docker Registry Browser.