mirror of https://github.com/project-zot/zot.git synced 2024-12-30 22:34:13 -05:00
zot/examples
Ramkumar Chinchani c8779d9e87 doc: add initial documentation for configuration options
We have built a long list of features and the documentation for users is
only available under examples/

Add an examples/README.md to further explain various configuration
options.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2021-08-31 17:26:22 -07:00
config-bearer-auth.json Add support for bearer/token auth 2020-01-27 12:42:23 -06:00
config-conformance.json conformance: align with upstream conformance tests 2020-04-16 16:01:53 -07:00
config-cve.json Add an 'enable' flag in the server configuration to enable gql-based searches 2021-06-24 12:15:25 -07:00
config-example.json logs: add an audit log for API calls with unit tests 2021-06-24 10:53:27 -07:00
config-example.yaml logs: add an audit log for API calls with unit tests 2021-06-24 10:53:27 -07:00
config-minimal.json Add identity-based access control, closes #51 2021-08-30 13:56:27 -07:00
config-multiple-cve.json Add an 'enable' flag in the server configuration to enable gql-based searches 2021-06-24 12:15:25 -07:00
config-multiple.json config: support multiple storage locations 2021-05-21 10:18:28 -07:00
config-policy.json Add identity-based access control, closes #51 2021-08-30 13:56:27 -07:00
config-test.json compliance: be compliant with dist-spec compliance tests 2020-01-16 11:28:23 -08:00
README.md doc: add initial documentation for configuration options 2021-08-31 17:26:22 -07:00
zot.service systemd: add a systemd service example file 2020-06-25 17:50:30 -07:00

The behavior of the zot registry is controlled via its configuration file, which can be either a JSON file (used in the details below) or a YAML file:

zot serve <config-file>

A candidate configuration file can be verified via:

zot verify <config-file>

Examples of working configurations for various use cases are available here.

Configuration Parameters

Network

Configure network parameters with:

"http": {

Configure address and port to listen on with:

        "address": "127.0.0.1",
        "port": "5000",

Additionally, TLS configuration can be specified with:

        "tls": {
            "cert":"test/data/server.cert",
            "key":"test/data/server.key"
        },

The registry can be deployed as a read-only service with:

        "ReadOnly": false
    },

Storage

Configure storage with:

"storage": {

Configure storage root directory with:

        "rootDirectory": "/tmp/zot",

Container images often share layers and blobs; on filesystems that support hard links, inline deduplication can be enabled with:

        "dedupe": true,

When an image is deleted (by tag or by reference), its orphaned blobs waste storage; background garbage collection of such blobs can be enabled with:

        "gc": true,

It is also possible to store and serve images from multiple filesystems, each with its own repository path, dedupe and garbage collection settings, with:

        "subPaths": {
            "/a": {
                "rootDirectory": "/tmp/zot1",
                "dedupe": true,
                "gc": true
            },
            "/b": {
                "rootDirectory": "/tmp/zot2",
                "dedupe": true
            },
            "/c": {
                "rootDirectory": "/tmp/zot3",
                "dedupe": false
            }
        }
    },

Authentication

TLS mutual authentication and passphrase-based authentication are supported.

TLS Mutual Authentication

Apart from the server cert and key specified under network configuration, specifying the cacert field enables TLS mutual authentication:

"http": {
    "tls": {
      "cert":"test/data/server.cert",
      "key":"test/data/server.key",
      "cacert":"test/data/cacert.cert"
    },

Passphrase Authentication

Local authentication is supported via an htpasswd file with:

  "http": {
    "auth": {
      "htpasswd": {
        "path": "test/data/htpasswd"
      },

LDAP authentication can be configured with:

  "http": {
    "auth": {
      "ldap": {
        "address":"ldap.example.org",
        "port":389,
        "startTLS":false,
        "baseDN":"ou=Users,dc=example,dc=org",
        "userAttribute":"uid",
        "bindDN":"cn=ldap-searcher,ou=Users,dc=example,dc=org",
        "bindPassword":"ldap-searcher-password",
        "skipVerify":false,
        "subtreeSearch":true
      },

NOTE: When both htpasswd and LDAP configuration are specified, LDAP authentication is given preference.

OAuth2 authentication (client credentials grant type) is supported via bearer tokens, configured with:

  "http": {
    "auth": {
      "bearer": {
        "realm": "https://auth.myreg.io/auth/token",
        "service": "myauth",
        "cert": "/etc/zot/auth.crt"
      }

Authentication Failures

To hinder automated attacks, a delayed response to failed authentication can be configured with:

  "http": {
    "auth": {
      "failDelay": 5
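The network and authentication settings above are the ones a reviewer checks first before a registry goes live. The following script is an added example (not part of zot) that reads the JSON form of the configuration and flags the weak combinations discussed in this README: no TLS cert/key, no authentication mechanism at all on a writable registry, LDAP without startTLS or with skipVerify, no failDelay, and no audit log. It consults only keys shown in this README; the finding codes, severities and the sample configuration are this example's own.

```python
"""Hardening review of a zot configuration (added example, not zot code)."""
from __future__ import annotations

import json

# Constructed sample: a configuration a reviewer would push back on.
SAMPLE_CONFIG = """
{
  "http": {
    "address": "0.0.0.0",
    "port": "5000",
    "auth": {
      "ldap": {
        "address": "ldap.example.org",
        "port": 389,
        "startTLS": false,
        "baseDN": "ou=Users,dc=example,dc=org",
        "userAttribute": "uid",
        "bindDN": "cn=ldap-searcher,ou=Users,dc=example,dc=org",
        "bindPassword": "ldap-searcher-password",
        "skipVerify": true,
        "subtreeSearch": true
      }
    },
    "ReadOnly": false
  },
  "storage": {"rootDirectory": "/tmp/zot"},
  "log": {"level": "debug"}
}
"""


def review_config(config: dict) -> list[tuple[str, str]]:
    """Return (severity, "code: explanation") findings; empty list means clean."""
    findings: list[tuple[str, str]] = []
    http = config.get("http") or {}
    tls = http.get("tls") or {}
    auth = http.get("auth") or {}
    read_only = bool(http.get("ReadOnly", False))

    # Without a server cert/key the listener is plain HTTP.
    if not tls.get("cert") or not tls.get("key"):
        findings.append(("high", "no-tls: no server cert/key, credentials and "
                                 "image data travel in cleartext"))

    # Any of htpasswd, ldap, bearer or a cacert (mutual TLS) counts as auth.
    has_auth = any(k in auth for k in ("htpasswd", "ldap", "bearer")) or bool(tls.get("cacert"))
    if not has_auth:
        if read_only:
            findings.append(("info", "anonymous-read: no authentication configured, "
                                     "but the registry is read-only"))
        else:
            findings.append(("high", "anonymous-write: no authentication configured "
                                     "and ReadOnly is false"))

    ldap = auth.get("ldap")
    if ldap:
        if not ldap.get("startTLS", False):
            findings.append(("high", "ldap-no-starttls: startTLS is false, LDAP "
                                     "traffic is not upgraded to TLS"))
        if ldap.get("skipVerify", False):
            findings.append(("high", "ldap-skipverify: skipVerify is true, the LDAP "
                                     "server certificate is not verified"))

    # failDelay only matters once some authentication is configured.
    if auth and not auth.get("failDelay"):
        findings.append(("medium", "no-faildelay: failDelay is unset, failed logins "
                                   "are not slowed down"))

    if not (config.get("log") or {}).get("audit"):
        findings.append(("low", "no-audit: audit log is not enabled"))

    return findings


def review_config_json(text: str) -> list[tuple[str, str]]:
    """Parse a JSON configuration and review it."""
    return review_config(json.loads(text))


if __name__ == "__main__":
    for severity, message in review_config_json(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a candidate file with `review_config_json(open(path).read())` before `zot verify`: the latter checks that the file parses, this script checks whether what it says is something you want exposed.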

Identity-based Authorization

Allowing actions on one or more repository paths can be tied to user identities. An additional per-repository default policy can be specified for identities not listed in any of that repository's policies. Furthermore, a global admin policy can be specified which overrides per-repository policies.

"accessControl": {
    "repos1/repo": {
        "policies": [
        {
            "users": ["alice", "bob"],
            "actions": ["create", "read", "update", "delete"]
        },
        {
            "users": ["mallory"],
            "actions": ["create", "read"]
        }
        ],
        "defaultPolicy": ["read"]
    },
    "repos2/repo": {
        "policies": [
        {
            "users": ["bob"],
            "actions": ["read", "create"]
        },
        {
            "users": ["mallory"],
            "actions": ["create", "read"]
        }
        ],
        "defaultPolicy": ["read"]
    },
    "adminPolicy": {
        "users": ["admin"],
        "actions": ["read", "create", "update", "delete"]
    }
}
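To see what the accessControl block above actually grants, here is an added example (not zot's own authorization code) that evaluates a user/repository/action triple against it. The evaluation order is this example's reading of the text: adminPolicy first, then the repository's policies for users listed in them, and defaultPolicy only for users that appear in none of them; a repository with no accessControl entry is denied. It also includes a reviewer check for defaultPolicy entries that hand write actions to unlisted identities.

```python
"""Model of zot identity-based access control (added example, not zot code)."""
from __future__ import annotations

import json

# The accessControl block from this README, embedded verbatim.
ACCESS_CONTROL = json.loads("""
{
    "repos1/repo": {
        "policies": [
            {"users": ["alice", "bob"], "actions": ["create", "read", "update", "delete"]},
            {"users": ["mallory"], "actions": ["create", "read"]}
        ],
        "defaultPolicy": ["read"]
    },
    "repos2/repo": {
        "policies": [
            {"users": ["bob"], "actions": ["read", "create"]},
            {"users": ["mallory"], "actions": ["create", "read"]}
        ],
        "defaultPolicy": ["read"]
    },
    "adminPolicy": {"users": ["admin"], "actions": ["read", "create", "update", "delete"]}
}
""")

WRITE_ACTIONS = {"create", "update", "delete"}


def is_allowed(access_control: dict, user: str, repo: str, action: str) -> bool:
    """Decide whether `user` may perform `action` on `repo`.

    Assumed order (this example's reading of the README): adminPolicy wins,
    then per-user policies of the repository, then defaultPolicy for users
    not named in any policy. Unknown repositories are denied.
    """
    admin = access_control.get("adminPolicy") or {}
    if user in admin.get("users", []) and action in admin.get("actions", []):
        return True

    repo_cfg = access_control.get(repo)
    if repo_cfg is None:
        return False

    matching = [p for p in repo_cfg.get("policies", []) if user in p.get("users", [])]
    if matching:
        # A listed user gets exactly the union of the actions of the policies
        # naming them; defaultPolicy does not apply to them.
        return any(action in p.get("actions", []) for p in matching)

    return action in repo_cfg.get("defaultPolicy", [])


def permitted_actions(access_control: dict, user: str, repo: str) -> list[str]:
    """All actions `user` may perform on `repo`, for building a review table."""
    return [a for a in ("read", "create", "update", "delete")
            if is_allowed(access_control, user, repo, a)]


def permissive_defaults(access_control: dict) -> list[str]:
    """Repositories whose defaultPolicy grants a write action to any identity."""
    return sorted(repo for repo, cfg in access_control.items()
                  if repo != "adminPolicy"
                  and WRITE_ACTIONS & set(cfg.get("defaultPolicy", [])))


if __name__ == "__main__":
    for who in ("alice", "bob", "mallory", "carol", "admin"):
        for repo in ("repos1/repo", "repos2/repo"):
            print(f"{who:8} {repo:12} {permitted_actions(ACCESS_CONTROL, who, repo)}")
    print("repos with write access in defaultPolicy:", permissive_defaults(ACCESS_CONTROL))
```

The `permitted_actions` table is the artefact worth keeping with a policy change request: it shows, per identity, what a repository exposes to users who are not named anywhere (here: read only), which is easy to lose sight of when policies are reviewed one entry at a time.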

Logging

Enable and configure logging with:

"log":{

Set log level with:

    "level":"debug",

Set output file (default is stdout) with:

    "output":"/tmp/zot.log",

Enable audit logs and set output file with:

    "audit": "/tmp/zot-audit.log"
  }