2022-07-11 14:54:49 -05:00
# zot [![build-test](https://github.com/project-zot/zot/actions/workflows/ci-cd.yml/badge.svg?branch=main)](https://github.com/project-zot/zot/actions/workflows/ci-cd.yml) [![codecov.io](http://codecov.io/github/project-zot/zot/coverage.svg?branch=main)](http://codecov.io/github/project-zot/zot?branch=main) [![Conformance Results](https://github.com/project-zot/zot/workflows/conformance/badge.svg)](https://github.com/project-zot/zot/actions?query=workflow%3Aconformance) [![CodeQL](https://github.com/project-zot/zot/workflows/CodeQL/badge.svg)](https://github.com/project-zot/zot/actions?query=workflow%3ACodeQL) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5425/badge)](https://bestpractices.coreinfrastructure.org/projects/5425)
2019-06-20 18:36:40 -05:00
2022-01-28 21:21:58 -05:00
**zot**: a production-ready vendor-neutral OCI image registry - images stored in [OCI image format ](https://github.com/opencontainers/image-spec ), [distribution specification ](https://github.com/opencontainers/distribution-spec ) on-the-wire, that's it!
2019-06-20 18:36:40 -05:00
2021-12-03 22:50:58 -05:00
https://zotregistry.io
2020-12-16 20:49:41 -05:00
2022-01-28 21:21:58 -05:00
[```docker pull ghcr.io/project-zot/zot-linux-amd64:latest``` ](https://github.com/project-zot/zot/pkgs/container/zot )
2021-06-26 02:48:28 -05:00
2022-01-28 21:21:58 -05:00
[```docker run -p 5000:5000 ghcr.io/project-zot/zot-linux-amd64:latest``` ](https://github.com/project-zot/zot/pkgs/container/zot )
2021-06-25 12:21:29 -05:00
2022-01-28 21:21:58 -05:00
**Check the [package repository ](https://github.com/orgs/project-zot/packages?repo_name=zot ) for your os/arch**
2022-04-27 01:00:20 -05:00
The following document refers on the **core dist-spec** , see also the [zot-specific extensions spec ](pkg/extensions/README.md )
2022-01-28 21:21:58 -05:00
## [**Why zot?**](COMPARISON.md)
## What's new?
2022-09-15 21:14:57 -05:00
* Support content range for pull requests
2022-04-27 01:00:20 -05:00
* Selectively add extensions on top of minimal build
2022-01-28 21:21:58 -05:00
* Supports container image signatures - [cosign ](https://github.com/sigstore/cosign ) and [notation ](https://github.com/notaryproject/notation )
* Multi-arch support
2022-03-02 13:10:06 -05:00
* Clustering support
2022-06-24 08:08:47 -05:00
* Image linting support
2021-09-23 14:35:06 -05:00
2022-04-11 03:14:03 -05:00
## [Demos](demos/README.md)
2020-12-16 20:49:41 -05:00
# Features
2021-01-27 20:36:33 -05:00
* Conforms to [OCI distribution spec ](https://github.com/opencontainers/distribution-spec ) APIs
2021-06-09 16:29:15 -05:00
* Clear separation between core dist-spec and zot-specific extensions
* ```make binary-minimal``` builds a dist-spec-only zot
* ```make binary``` builds a zot with all extensions enabled
2022-01-28 21:21:58 -05:00
**Check [released binaries](https://github.com/project-zot/zot/releases) for your os/arch**
2020-10-29 11:39:00 -05:00
* Uses [OCI image layout ](https://github.com/opencontainers/image-spec/blob/master/image-layout.md ) for image storage
2021-04-29 11:36:21 -05:00
* Can serve any OCI image layout as a registry
2021-10-29 21:10:55 -05:00
* Supports container image signatures - [cosign ](https://github.com/sigstore/cosign ) and [notation ](https://github.com/notaryproject/notation )
2020-05-19 18:53:05 -05:00
* Supports [helm charts ](https://helm.sh/docs/topics/registries/ )
2021-08-31 01:30:41 -05:00
* Behavior controlled via [configuration ](./examples/README.md )
2022-01-28 21:21:58 -05:00
* Supports multi-arch
| OS | Arch | Use Case |
| --- | --- | --- |
| linux | amd64 | Intel-based Linux platforms |
| linux | arm64 | ARM servers and Raspberry PI4 |
| darwin | amd64 | Intel-based Macs |
| darwin | arm64 | ARM-based Macs |
2021-08-20 16:08:41 -05:00
* Supports image deletion by tag
2020-01-16 17:44:25 -05:00
* Currently suitable for on-prem deployments (e.g. colocated with Kubernetes)
2020-09-24 12:14:41 -05:00
* Compatible with ecosystem tools such as [skopeo ](#skopeo ) and [cri-o ](#cri-o )
2020-07-06 17:44:32 -05:00
* [Vulnerability scanning of images ](#Scanning-images-for-known-vulnerabilities )
2019-06-20 18:36:40 -05:00
* TLS support
2020-02-17 16:57:15 -05:00
* Authentication via:
* TLS mutual authentication
* HTTP *Basic* (local _htpasswd_ and LDAP)
* HTTP *Bearer* token
2021-08-31 01:30:41 -05:00
* Supports Identity-Based Access Control
2021-05-13 13:59:12 -05:00
* Supports live modifications on the config file while zot is running (Authorization config only)
2019-08-28 17:16:11 -05:00
* Doesn't require _root_ privileges
2020-02-17 16:57:15 -05:00
* Storage optimizations:
* Automatic garbage collection of orphaned blobs
* Layer deduplication using hard links when content is identical
2021-04-05 19:40:33 -05:00
* Serve [multiple storage paths (and backends) ](./examples/config-multiple.json ) using a single zot server
2021-12-03 22:50:58 -05:00
* Pull and synchronize from other dist-spec conformant registries [sync ](#sync )
2022-01-21 15:30:09 -05:00
* Supports ratelimiting including per HTTP method
2022-01-28 21:21:58 -05:00
* [Metrics ](#metrics ) with Prometheus
2019-08-15 11:34:54 -05:00
* Swagger based documentation
2020-09-24 12:14:41 -05:00
* Single binary for _all_ the above features
2022-01-28 21:21:58 -05:00
* [zli ](https://github.com/project-zot/zot/tree/main/cmd/zli ): [command-line client support ](#cli )
* Also, [zb ](https://github.com/project-zot/zot/tree/main/cmd/zb ): [a benchmarking tool ](#benchmarking ) for dist-spec conformant registries
2019-10-07 15:26:19 -05:00
* Released under Apache 2.0 License
2021-10-15 10:05:00 -05:00
* Using a node exporter in case of dist-spec-only zot
2021-12-03 22:50:58 -05:00
* ```go get -u github.com/project-zot/zot/cmd/zot```
2019-10-07 15:26:19 -05:00
# Presentations
2022-09-20 17:31:59 -05:00
* [OCI Weekly Discussion - Oct 2, 2019 ](https://github.com/opencontainers/.github/blob/master/meeting-notes/oci-weekly-notes-2019-mar-2020-mar.md#october-2-2019 )
2019-06-26 16:28:34 -05:00
2019-12-11 17:11:52 -05:00
# Build and install binary (using host's toolchain)
```
2021-12-03 22:50:58 -05:00
go get -u github.com/project-zot/zot/cmd/zot
2019-12-11 17:11:52 -05:00
```
# Full CI/CD Build
2019-08-14 14:35:51 -05:00
* Build inside a container (preferred)
```
make binary-container
```
2021-12-03 22:50:58 -05:00
* Alternatively, build inside a container using [stacker ](https://github.com/project-stacker/stacker ) (preferred)
2019-08-14 18:26:25 -05:00
```
make binary-stacker
```
2019-08-14 14:35:51 -05:00
* Build using host's toolchain
```
make
```
2022-04-27 01:00:20 -05:00
* Build zot with specified extensions
```
make binary EXTENSIONS=extension1,extension2,extension3
# e.g. make binary EXTENSIONS=sync,search,metrics,scrub
```
2019-08-14 14:35:51 -05:00
Build artifacts are in bin/
2019-10-09 13:50:10 -05:00
# Serving
2020-01-24 12:54:38 -05:00
2019-10-09 13:50:10 -05:00
```
2019-08-28 17:16:11 -05:00
bin/zot serve _config-file_
2019-10-09 13:50:10 -05:00
```
2019-08-28 17:16:11 -05:00
Examples of config files are available in [examples/ ](examples/ ) dir.
2020-01-24 12:54:38 -05:00
# Container Image
The [Dockerfile ](./Dockerfile ) in this repo can be used to build a container image
that runs _zot_ .
2020-01-27 10:44:07 -05:00
To build the image with ref `zot:latest` :
2020-01-24 12:54:38 -05:00
```
make image
```
Then run the image with your preferred container runtime:
```
# with podman
2020-01-27 10:47:08 -05:00
podman run --rm -it -p 5000:5000 -v $(pwd)/registry:/var/lib/registry zot:latest
2020-01-24 12:54:38 -05:00
# with docker
2020-01-27 10:47:08 -05:00
docker run --rm -it -p 5000:5000 -v $(pwd)/registry:/var/lib/registry zot:latest
2020-01-24 12:54:38 -05:00
```
2020-01-27 10:44:07 -05:00
This will run a registry at http://localhost:5000, storing content at `./registry`
(bind mounted to `/var/lib/registry` in the container). By default, auth is disabled.
2020-01-24 12:54:38 -05:00
If you wish use custom configuration settings, you can override
the YAML config file located at `/etc/zot/config.yml` :
```
# Example: using a local file "custom-config.yml" that
2020-01-27 10:44:07 -05:00
# listens on port 8080 and uses /tmp/zot for storage root
2020-01-24 12:54:38 -05:00
podman run --rm -p 8080:8080 \
-v $(pwd)/custom-config.yml:/etc/zot/config.yml \
-v $(pwd)/registry:/tmp/zot \
zot:latest
```
2020-06-16 20:52:40 -05:00
# CLI
2022-01-28 21:21:58 -05:00
## Building `zli`
You can interact with the zot registry server using the `zli` binary.
```console
$ make cli
```
will produce `bin/zli` binary.
2020-06-16 20:52:40 -05:00
## Adding a zot server URL
To add a zot server URL with an alias "remote-zot":
```console
2022-01-28 21:21:58 -05:00
$ zli config add remote-zot https://server-example:8080
2020-06-16 20:52:40 -05:00
```
List all configured URLs with their aliases:
```console
2022-01-28 21:21:58 -05:00
$ zli config -l
2020-06-16 20:52:40 -05:00
remote-zot https://server-example:8080
local http://localhost:8080
```
2020-07-06 17:44:32 -05:00
## Listing images
You can list all images from a server by using its alias specified [in this step ](#adding-a-zot-server-url ):
2020-06-16 20:52:40 -05:00
```console
2022-01-28 21:21:58 -05:00
$ zli images remote-zot
2020-06-16 20:52:40 -05:00
IMAGE NAME TAG DIGEST SIZE
postgres 9.6.18-alpine ef27f3e1 14.4MB
postgres 9.5-alpine 264450a7 14.4MB
busybox latest 414aeb86 707.8KB
```
Or filter the list by an image name:
```console
2022-01-28 21:21:58 -05:00
$ zli images remote-zot -n busybox
2020-06-16 20:52:40 -05:00
IMAGE NAME TAG DIGEST SIZE
busybox latest 414aeb86 707.8KB
```
2020-07-06 17:44:32 -05:00
## Scanning images for known vulnerabilities
You can fetch CVE (Common Vulnerabilities and Exposures) info for images hosted on zot
- Get all images affected by a CVE
```console
2022-01-28 21:21:58 -05:00
$ zli cve remote-zot -i CVE-2017-9935
2020-07-06 17:44:32 -05:00
IMAGE NAME TAG DIGEST SIZE
c3/openjdk-dev commit-5be4d92 ac3762e2 335MB
```
- Get all CVEs for an image
```console
2022-01-28 21:21:58 -05:00
$ zli cve remote-zot -I c3/openjdk-dev:0.3.19
2020-07-06 17:44:32 -05:00
ID SEVERITY TITLE
CVE-2015-8540 LOW libpng: underflow read in png_check_keyword()
CVE-2017-16826 LOW binutils: Invalid memory access in the coff_s...
```
- Get detailed json output
```console
2022-01-28 21:21:58 -05:00
$ zli cve remote-zot -I c3/openjdk-dev:0.3.19 -o json
2020-07-06 17:44:32 -05:00
{
"Tag": "0.3.19",
"CVEList": [
{
"Id": "CVE-2019-17006",
"Severity": "MEDIUM",
"Title": "nss: Check length of inputs for cryptographic primitives",
"Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.",
"PackageList": [
{
"Name": "nss",
"InstalledVersion": "3.44.0-7.el7_7",
"FixedVersion": "Not Specified"
},
{
"Name": "nss-sysinit",
"InstalledVersion": "3.44.0-7.el7_7",
"FixedVersion": "Not Specified"
},
{
"Name": "nss-tools",
"InstalledVersion": "3.44.0-7.el7_7",
"FixedVersion": "Not Specified"
}
]
},
```
- Get all images in a specific repo affected by a CVE
```console
2022-01-28 21:21:58 -05:00
$ zli cve remote-zot -I c3/openjdk-dev -i CVE-2017-9935
2020-07-06 17:44:32 -05:00
IMAGE NAME TAG DIGEST SIZE
c3/openjdk-dev commit-2674e8a 71046748 338MB
c3/openjdk-dev commit-bd5cc94 0ab7fc76
```
- Get all images of a specific repo where a CVE is fixed
```console
2022-01-28 21:21:58 -05:00
$ zli cve remote-zot -I c3/openjdk-dev -i CVE-2017-9935 --fixed
2020-07-06 17:44:32 -05:00
IMAGE NAME TAG DIGEST SIZE
c3/openjdk-dev commit-2674e8a-squashfs b545b8ba 321MB
c3/openjdk-dev commit-d5024ec-squashfs cd45f8cf 321MB
```
2020-06-16 20:52:40 -05:00
2022-01-28 21:21:58 -05:00
# Sync (pull-based mirroring)
2021-06-08 15:11:18 -05:00
Periodically pull and synchronize images between zot registries.
The synchronization is achieved by copying all the images found at source to destination.
To use it see [sync-config ](examples/config-sync.json )
Supports:
- TLS verification
- Prefix filtering (can contain multiple repos, eg repo1/repoX/repoZ)
- Tags regex filtering
- Tags semver compliance filtering (the 'v' prefix is optional)
- BASIC auth
2022-01-28 21:21:58 -05:00
- Image signatures
# Benchmarking
You can benchmark a zot registry or any other dist-spec conformant registry with `zb` .
## Building `zb``
```console
$ make bench
```
will produce `bin/zb` binary.
## Running `zb`
```console
$ zb -c 10 -n 1000 http://localhost:8080
Registry URL: http://localhost:8080
Concurrency Level: 2
Total requests: 100
Working dir:
============
Test name: Get Catalog
Time taken for tests: 45.397205ms
Complete requests: 100
Failed requests: 0
Requests per second: 2202.7788
2xx responses: 100
min: 402.259µs
max: 3.295887ms
p50: 855.045µs
p75: 971.709µs
p90: 1.127389ms
p99: 3.295887ms
============
Test name: Push Monolith 1MB
Time taken for tests: 952.336383ms
Complete requests: 100
Failed requests: 0
Requests per second: 105.00491
2xx responses: 100
min: 11.125673ms
max: 26.375356ms
p50: 18.917253ms
p75: 21.753441ms
p90: 24.02137ms
p99: 26.375356ms
...
```
2021-06-08 15:11:18 -05:00
2019-08-28 17:16:11 -05:00
# Ecosystem
2020-01-07 16:14:10 -05:00
2019-08-28 17:16:11 -05:00
## skopeo
[skopeo ](https://github.com/containers/skopeo ) is a tool to work with remote
image repositories.
2020-09-24 12:14:41 -05:00
* Pull Images
2019-08-28 17:16:11 -05:00
```
2020-09-24 12:14:41 -05:00
skopeo copy docker://< zot-server:port > /repo:tag docker://< another-server:port > /repo:tag
```
2019-08-28 17:16:11 -05:00
2020-09-24 12:14:41 -05:00
* Push Images
2019-08-28 17:16:11 -05:00
2020-09-24 12:14:41 -05:00
```
skopeo copy --format=oci docker://< another-server:port > /repo:tag docker://< zot-server:port > /repo:tag
2019-08-28 17:16:11 -05:00
```
## cri-o
[cri-o ](https://github.com/cri-o/cri-o ) is a OCI-based Kubernetes container
runtime interface.
2020-09-24 12:14:41 -05:00
Works with "docker://" transport which is the default.
2019-08-14 14:35:51 -05:00
2021-10-15 10:05:00 -05:00
# Metrics
Can be used for both dist-spec-only zot & the zot with all extensions enabled
## Node Exporter
The dist-spec-only zot exposes internal metrics into a Prometheus format through a node exporter.
The configuration of node exporter contains connection details for the zot server it is intend to scrape metrics from. See a [configuration example ](./examples/metrics/exporter/config-minimal.json ). The metrics are automatically enabled in the zot server on first scrape from the Node Exporter (no extra configuration option is needed). Similarly, the metrics are automatically disabled when Node Exporter did not perform any scrapings in a while.
```
2022-01-17 09:36:13 -05:00
bin/zxp config _config-file_
2021-10-15 10:05:00 -05:00
```
## Enable Metrics
In the zot with all extensions case see [configuration example ](./examples/config-metrics.json ) for enabling metrics
2022-06-24 08:08:47 -05:00
## Image linting
# Mandatory Annotations
When pushing an image, if the mandatory annotations option is enabled, linter will verify if the mandatory annotations list present in the config is also found in the manifest's annotations list. If there are any missing annotations, the push will not take place.
2022-03-02 13:10:06 -05:00
## Clustering
zot supports clustering by using multiple stateless zot with shared s3 storage and a haproxy (with sticky session) in front of them.
- haproxy [configuration example ](./examples/cluster/haproxy.cfg )
- zot s3 [configuration example ](./examples/config-s3.json )
2020-12-15 14:19:58 -05:00
# Contributing
We encourage and support an active, healthy community of contributors.
2020-12-21 22:03:28 -05:00
* Details are in the [code of conduct ](CODE_OF_CONDUCT.md )
2021-01-07 21:14:59 -05:00
* Details to get started on code development are in
[contributing ](CONTRIBUTING.md ) document.