mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)

distribution-spec helm kubernetes oci oci-distribution opencontainers zot

Find a file

Ramkumar Chinchani 50cfcbf34a dco: add workflow for DCO check Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>		2021-10-14 10:36:16 -07:00
.github/workflows	dco: add workflow for DCO check	2021-10-14 10:36:16 -07:00
cmd/zot	build: remove bazel	2020-12-21 15:30:13 -08:00
docs	docs: improve docs coverage	2021-10-14 09:22:34 -07:00
errors	search: added graphql api to return repository list with latest tag	2021-09-27 14:36:20 -07:00
examples	doc: add initial documentation for configuration options	2021-08-31 17:26:22 -07:00
pkg	search: update trivy	2021-10-13 16:37:31 -07:00
test/scripts	.gitignore: ignore generated test artifacts	2019-12-13 14:44:10 -08:00
.gitignore	.gitignore: add .vscode/	2020-06-09 17:18:30 -04:00
CODE_OF_CONDUCT.md	doc: add a CODE_OF_CONDUCT.md	2020-12-15 11:20:45 -08:00
codecov.yml	build: increase wait timeout for travis bazel build process	2020-10-27 19:30:06 -07:00
COMPARISON.md	Update COMPARISON.md	2021-09-28 16:51:59 -07:00
CONTRIBUTING.md	docs: add a CONTRIBUTING.md	2021-01-08 20:55:22 -08:00
Dockerfile	build: fix docker build	2020-11-19 11:41:21 -08:00
Dockerfile-conformance	go.mod: update deps to address dependabot alerts	2021-09-23 13:59:26 -07:00
Dockerfile-minimal	ci/cd: build a "minimal" container image	2021-07-01 10:07:08 -07:00
go.mod	search: update trivy	2021-10-13 16:37:31 -07:00
go.sum	search: update trivy	2021-10-13 16:37:31 -07:00
golangcilint.yaml	go.mod: update modules	2021-08-25 11:51:23 -07:00
LICENSE	Initial commit	2019-06-21 14:40:59 -07:00
MAINTAINERS.md	doc: update current project maintainer list	2020-12-10 17:36:22 -08:00
Makefile	TLS certs in CLI client	2021-08-16 23:42:21 -07:00
README.md	Update README.md	2021-09-23 12:35:39 -07:00
stacker.yaml	build: fix stacker build	2020-11-19 11:41:21 -08:00
THIRD-PARTY-LICENSES.md	doc: add third-party software deps list	2020-12-03 14:10:32 -08:00
zot.go	zot: initial commit	2019-06-21 15:29:19 -07:00

README.md

zot

zot is a vendor-neutral OCI image registry server purely based on OCI Distribution Specification.

https://anuvu.github.io/zot/

docker pull ghcr.io/anuvu/zot:latest

docker run -p 5000:5000 ghcr.io/anuvu/zot:latest

Why zot?

Features

Conforms to OCI distribution spec APIs
Clear separation between core dist-spec and zot-specific extensions
- make binary-minimal builds a dist-spec-only zot
- make binary builds a zot with all extensions enabled
Uses OCI image layout for image storage
- Can serve any OCI image layout as a registry
Supports helm charts
Behavior controlled via configuration
Supports image deletion by tag
Currently suitable for on-prem deployments (e.g. colocated with Kubernetes)
Compatible with ecosystem tools such as skopeo and cri-o
Vulnerability scanning of images
Command-line client support
TLS support
Authentication via:
- TLS mutual authentication
- HTTP Basic (local htpasswd and LDAP)
- HTTP Bearer token
Supports Identity-Based Access Control
Supports live modifications on the config file while zot is running (Authorization config only)
Doesn't require root privileges
Storage optimizations:
- Automatic garbage collection of orphaned blobs
- Layer deduplication using hard links when content is identical
Serve multiple storage paths (and backends) using a single zot server
Swagger based documentation
Single binary for all the above features
Released under Apache 2.0 License
go get -u github.com/anuvu/zot/cmd/zot

Presentations

OCI Weekly Discussion - Oct 2, 2019

Build and install binary (using host's toolchain)

go get -u github.com/anuvu/zot/cmd/zot

Full CI/CD Build

Build inside a container (preferred)

make binary-container

Alternatively, build inside a container using stacker (preferred)

make binary-stacker

Build using host's toolchain

make

Build artifacts are in bin/

Serving

bin/zot serve _config-file_

Examples of config files are available in examples/ dir.

Container Image

The Dockerfile in this repo can be used to build a container image that runs zot.

To build the image with ref zot:latest:

make image

Then run the image with your preferred container runtime:

# with podman
podman run --rm -it -p 5000:5000 -v $(pwd)/registry:/var/lib/registry zot:latest

# with docker
docker run --rm -it -p 5000:5000 -v $(pwd)/registry:/var/lib/registry zot:latest

This will run a registry at http://localhost:5000, storing content at ./registry (bind mounted to /var/lib/registry in the container). By default, auth is disabled.

If you wish use custom configuration settings, you can override the YAML config file located at /etc/zot/config.yml:

# Example: using a local file "custom-config.yml" that
# listens on port 8080 and uses /tmp/zot for storage root
podman run --rm -p 8080:8080 \
  -v $(pwd)/custom-config.yml:/etc/zot/config.yml \
  -v $(pwd)/registry:/tmp/zot \
  zot:latest

CLI

The same zot binary can be used for interacting with any zot server instances.

Adding a zot server URL

To add a zot server URL with an alias "remote-zot":

$ zot config add remote-zot https://server-example:8080

List all configured URLs with their aliases:

$ zot config -l
remote-zot https://server-example:8080
local      http://localhost:8080

Listing images

You can list all images from a server by using its alias specified in this step:

$ zot images remote-zot
IMAGE NAME                        TAG                       DIGEST    SIZE
postgres                          9.6.18-alpine             ef27f3e1  14.4MB
postgres                          9.5-alpine                264450a7  14.4MB
busybox                           latest                    414aeb86  707.8KB

Or filter the list by an image name:

$ zot images remote-zot -n busybox
IMAGE NAME                        TAG                       DIGEST    SIZE
busybox                           latest                    414aeb86  707.8KB

Scanning images for known vulnerabilities

You can fetch CVE (Common Vulnerabilities and Exposures) info for images hosted on zot

Get all images affected by a CVE

$ zot cve remote-zot -i CVE-2017-9935
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-5be4d92            ac3762e2  335MB

Get all CVEs for an image

$ zot cve remote-zot -I c3/openjdk-dev:0.3.19
ID                SEVERITY  TITLE
CVE-2015-8540     LOW       libpng: underflow read in png_check_keyword()
CVE-2017-16826    LOW       binutils: Invalid memory access in the coff_s...

Get detailed json output

$ zot cve remote-zot -I c3/openjdk-dev:0.3.19 -o json
{
  "Tag": "0.3.19",
  "CVEList": [
    {
      "Id": "CVE-2019-17006",
      "Severity": "MEDIUM",
      "Title": "nss: Check length of inputs for cryptographic primitives",
      "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.",
      "PackageList": [
        {
          "Name": "nss",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        },
        {
          "Name": "nss-sysinit",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        },
        {
          "Name": "nss-tools",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        }
      ]
    },

Get all images in a specific repo affected by a CVE

$ zot cve remote-zot -I c3/openjdk-dev -i CVE-2017-9935
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-2674e8a            71046748  338MB
c3/openjdk-dev                    commit-bd5cc94            0ab7fc76

Get all images of a specific repo where a CVE is fixed

$ zot cve remote-zot -I c3/openjdk-dev -i CVE-2017-9935 --fixed
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-2674e8a-squashfs   b545b8ba  321MB
c3/openjdk-dev                    commit-d5024ec-squashfs   cd45f8cf  321MB

Ecosystem

skopeo

skopeo is a tool to work with remote image repositories.

Pull Images

skopeo copy docker://<zot-server:port>/repo:tag docker://<another-server:port>/repo:tag

Push Images

skopeo copy --format=oci docker://<another-server:port>/repo:tag docker://<zot-server:port>/repo:tag

cri-o

cri-o is a OCI-based Kubernetes container runtime interface.

Works with "docker://" transport which is the default.

Caveats

go 1.12+
The OCI distribution spec is still WIP, and we try to keep up

Contributing

We encourage and support an active, healthy community of contributors.

Details are in the code of conduct
Details to get started on code development are in contributing document.