Simple Docker v2 registry auth server in Go
Go
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
api
auth
commands
docker/images
token
utils
vagrant/conf
.gitignore
.rubocop.yml
.travis.yml
README.md
Vagrantfile
main.go

README.md

Build Status

Garita

Small Docker v2 registry auth server in Go.

It exists mostly as a project to learn Go, the Vagrant Docker provider, and to understand the protocol Portus implements.

Features

  • Authentication is only supported using htpasswd files
  • Once authenticated, it provides push and pull access to the /$user namespace

Garita is inspired in Portus, which is a full featured auth server and registry index.

Running

Garita uses HTTPS by default. If you want to run over plain http (eg. for development purposes) you need to pass the option -http. Then you don't need to supply --tlscert and --tlskey options.

garita --key path/to/server.key --htpasswd path/to/htpasswd --tlskey path/to/server.key --tlscert path/to/server.crt

You can pass a configuration file in toml format with -c or --config. Any other configuration from the command line overrides the configuration file.

At the same time you need to configure the registry

auth:
  token:
    realm: https://garita.yourdomain.com/v2/token
    service: registry.yourdomain.com
    issuer: garita.yourdomain.com
    rootcertbundle: /path/to/server.crt

If you use a self signed certificate, add the CA certificate to the system trusted anchors on the docker daemon host or add the certificate to:

/etc/docker/certs.d/<garita host>/ca.crt

Development Environment

The environment creates 3 containers:

  • a Docker daemon (dockerd, dockerd.test.lan)
  • a Registry (registry, registry.test.lan)
  • garita (garita, garita.test.lan)

While the images are based on opensuse:13.2, the dockerd container requires a host kernel with overlayfs support. (eg. openSUSE Tumbleweed or another distribution supporting overlayfs). The dockerd container is already privileged but I don't want to mess with the loop devices of the host.

Running

  • Compile
go install github.com/dmacvicar/garita
  • Start the environment
vagrant up --no-parallel
  • Everytime you rebuild
vagrant reload garita
  • To see the logs
vagrant docker-logs -f garita

Run docker against the docker daemon running inside the container

docker -H tcp://localhost:23750 images

The typical testcase, pull busybox, tag it, and push it to the registry

docker -H tcp://localhost:23750 pull busybox
docker -H tcp://localhost:23750 tag busybox registry.test.lan/duncan/busybox
docker login registry.test.lan
docker -H tcp://localhost:23750 push registry.test.lan/duncan/busybox

Bugs

The specification does not go into every detail. If I missed something please open an issue.

Authors

License

  • Garita is licensed under the Apache 2.0 license.