This repository contains everything needed to run the openSUSE container registry image on a systemd-based Linux distribution, preferably openSUSE MicroOS or openSUSE Kubic.
Run setup-container-registry to set up a registry with token-based
authentication. Other options, e.g. without any authentication, are possible,
too. If necessary, this script will create self-signed certificates and
install them locally.
systemctl start container-registry will pull and start the
registry. systemctl status container-registry should show a successfully
running registry, and a command like reg ls localhost should be able to
connect to it.
Now the registry can be used.
Since HTTPS is used to communicate with the registry by tools like docker,
podman and cri-o, certificates are required to start the registry. Preferably,
an official certificate should be requested, but a self-signed one should work
for the start, too. The certificate needs to be stored in
/etc/registry/certs as registry.crt and registry.key. Different names
are possible, but in this case /usr/etc/registry/config.yml needs to be
copied to /etc/registry and adjusted. The directory /etc/registry/certs
cannot be changed, otherwise the container with the registry can no longer
access the certificates.
With an official certificate it is not necessary to distribute the public CA
key to all machines.
The script create-container-registry-certs creates self-signed certificates
for the registry in /etc/registry/certs. It takes as arguments the names
under which the registry should be reachable. If no argument is given,
"localhost" and the local hostname are used. The script makes the CA
certificate known to the local system. On every machine which should connect
to this private registry, the file
/etc/registry/certs/ContainerRegistryCA.crt needs to be copied to
/etc/pki/trust/anchors/ContainerRegistryCA.pem and update-ca-certificates
needs to be called.
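Before copying ContainerRegistryCA.crt to client machines, it is worth confirming that registry.crt really chains to that CA and covers the names clients will use. The following is an added example, not part of this repository; it assumes the openssl command-line tool is installed, check_registry_cert is a hypothetical helper name, and the 30-day expiry check goes beyond what the text above describes.

```shell
#!/bin/sh
# Added example, not part of the repository. check_registry_cert is a
# hypothetical helper name; the file paths are the ones the README gives.
#
# Usage on the registry host:
#   check_registry_cert /etc/registry/certs/ContainerRegistryCA.crt \
#       /etc/registry/certs/registry.crt localhost "$(hostname)"

# check_registry_cert CA_FILE CERT_FILE NAME...
# Returns 0 only if CERT_FILE chains to CA_FILE, stays valid for at least
# 30 more days, and matches every NAME clients will use for the registry.
check_registry_cert() {
    ca=$1; cert=$2; shift 2
    rc=0

    # Chain check: the trust decision a client makes once the CA file has
    # been installed as a trust anchor. -no-CApath stops openssl from also
    # consulting the system's default certificate directory.
    if ! openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        rc=1
    fi

    # Expiry check: non-zero exit if the certificate expires within 30 days.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days" >&2
        rc=1
    fi

    # Name check: every name passed on the command line must be covered by
    # the certificate, otherwise clients reject the TLS connection.
    for name in "$@"; do
        if openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null |
            grep -q 'does match'; then
            echo "ok: $cert covers $name"
        else
            echo "FAIL: $cert does not cover $name" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

A non-zero return means the certificate should be regenerated with the correct names before the CA file is distributed.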
The configuration file for the container registry can be found at
/usr/etc/registry/config.yml. If changes should be made, the file needs to
be copied to /etc/registry/config.yml. In this case, the administrator is
responsible for merging changes made by the distribution in
/usr/etc/registry/config.yml.
The registry needs to be restarted so that the changes can take effect.
More information about the registry configuration can be found
here.
The files /usr/etc/default/container-registry and
/etc/default/container-registry are read by the systemd service
and contain variables to run the registry container. The first file contains
the distribution defaults; the second file is optional and contains the
changes made by the system administrator.
- REGISTRY_IMAGE_PATH describes where the container registry image can be found.
- EXTERNAL_PORT defines the port under which the registry is reachable.
- STORAGE_DIR defines the directory where the images are stored.
Adjust the configuration file /etc/registry/config.yml and add the following
lines to it:
    proxy:
      remoteurl: https://registry.opensuse.org
This will configure the registry to act as a pull-through cache.