mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
Shivam Mishra af30c06aff api: use blob cache path while making hard link
Previously, mount blob would look for the blob that is provided in the HTTP request and try to hard link that path,
but ideally we should look for the path from our cache and do the hard link of that particular path.
This commit does the same.
2021-06-30 01:42:21 -07:00


zot is a vendor-neutral OCI image registry server purely based on OCI Distribution Specification.

https://anuvu.github.io/zot/

docker pull ghcr.io/anuvu/zot:latest

docker run -p 5000:5000 ghcr.io/anuvu/zot:latest

Features

  • Conforms to OCI distribution spec APIs
  • Clear separation between core dist-spec and zot-specific extensions
    • make binary-minimal builds a dist-spec-only zot
    • make binary builds a zot with all extensions enabled
  • Uses OCI image layout for image storage
    • Can serve any OCI image layout as a registry
  • Supports helm charts
  • Currently suitable for on-prem deployments (e.g. colocated with Kubernetes)
  • Compatible with ecosystem tools such as skopeo and cri-o
  • Vulnerability scanning of images
  • Command-line client support
  • TLS support
  • Authentication via:
    • TLS mutual authentication
    • HTTP Basic (local htpasswd and LDAP)
    • HTTP Bearer token
  • Doesn't require root privileges
  • Storage optimizations:
    • Automatic garbage collection of orphaned blobs
    • Layer deduplication using hard links when content is identical
  • Serve multiple storage paths (and backends) using a single zot server
  • Swagger based documentation
  • Single binary for all the above features
  • Released under Apache 2.0 License
  • go get -u github.com/anuvu/zot/cmd/zot
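The storage features above (OCI image layout on disk, hard-link deduplication of identical layers) mean that one blob file can back several repositories. The following added audit script, which is not part of zot, walks a storage root laid out as `<root>/<repo>/blobs/sha256/<digest>`, verifies that each blob's content still hashes to its file name, and reports how many blobs are shared through hard links. It assumes GNU coreutils (`sha256sum`, `stat -c`) and a local filesystem.

```shell
#!/bin/sh
# Added example, not part of zot: audit a zot storage root that uses the OCI
# image layout, i.e. <root>/<repo>/blobs/sha256/<digest>.
# A hard link shares content, so one corrupted blob corrupts every repo that
# links it; the check below catches that, and dedup_stats shows the sharing.
# Assumes GNU coreutils (sha256sum, stat -c) and a local filesystem.

# verify_blobs ROOT
# Prints one line per blob: "OK|CORRUPT <digest> links=<n> <repo>".
# Returns 1 if any blob is corrupt, 0 otherwise.
verify_blobs() {
    root=$1
    bad=0
    # OCI repo names and digests contain no whitespace, so a for loop is safe.
    for blob in $(find "$root" -path '*/blobs/sha256/*' -type f | sort); do
        digest=${blob##*/}
        rel=${blob#"$root"/}
        repo=${rel%/blobs/sha256/*}
        actual=$(sha256sum "$blob" | cut -d' ' -f1)
        links=$(stat -c %h "$blob")
        if [ "$actual" = "$digest" ]; then
            echo "OK      $digest links=$links $repo"
        else
            echo "CORRUPT $digest links=$links $repo (content hashes to $actual)"
            bad=1
        fi
    done
    return $bad
}

# dedup_stats ROOT
# Prints "files=<n> inodes=<m>"; m < n means hard-link dedup is in effect.
dedup_stats() {
    root=$1
    files=$(find "$root" -path '*/blobs/sha256/*' -type f | wc -l)
    inodes=$(find "$root" -path '*/blobs/sha256/*' -type f -exec stat -c %i '{}' + | sort -u | wc -l)
    echo "files=$((files)) inodes=$((inodes))"
}

# Usage: ZOT_ROOT=/var/lib/registry sh zot-blob-audit.sh
if [ -n "${ZOT_ROOT:-}" ]; then
    verify_blobs "$ZOT_ROOT"
    dedup_stats "$ZOT_ROOT"
fi
```

Run it with the registry stopped or quiesced, since a blob being uploaded may legitimately not yet match its final digest.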

Presentations

Build and install binary (using host's toolchain)

go get -u github.com/anuvu/zot/cmd/zot

Full CI/CD Build

  • Build inside a container (preferred)
make binary-container
  • Alternatively, build inside a container using stacker (preferred)
make binary-stacker
  • Build using host's toolchain
make

Build artifacts are in bin/

Serving

bin/zot serve <config-file>

Examples of config files are available in examples/ dir.

Container Image

The Dockerfile in this repo can be used to build a container image that runs zot.

To build the image with ref zot:latest:

make image

Then run the image with your preferred container runtime:

# with podman
podman run --rm -it -p 5000:5000 -v $(pwd)/registry:/var/lib/registry zot:latest

# with docker
docker run --rm -it -p 5000:5000 -v $(pwd)/registry:/var/lib/registry zot:latest

This will run a registry at http://localhost:5000, storing content at ./registry (bind mounted to /var/lib/registry in the container). By default, auth is disabled.

If you wish to use custom configuration settings, you can override the YAML config file located at /etc/zot/config.yml:

# Example: using a local file "custom-config.yml" that
# listens on port 8080 and uses /tmp/zot for storage root
podman run --rm -p 8080:8080 \
  -v $(pwd)/custom-config.yml:/etc/zot/config.yml \
  -v $(pwd)/registry:/tmp/zot \
  zot:latest

CLI

The same zot binary can be used for interacting with any zot server instances.

Adding a zot server URL

To add a zot server URL with an alias "remote-zot":

$ zot config add remote-zot https://server-example:8080

List all configured URLs with their aliases:

$ zot config -l
remote-zot https://server-example:8080
local      http://localhost:8080

Listing images

You can list all images from a server by using the alias configured in the previous step:

$ zot images remote-zot
IMAGE NAME                        TAG                       DIGEST    SIZE
postgres                          9.6.18-alpine             ef27f3e1  14.4MB
postgres                          9.5-alpine                264450a7  14.4MB
busybox                           latest                    414aeb86  707.8KB

Or filter the list by an image name:

$ zot images remote-zot -n busybox
IMAGE NAME                        TAG                       DIGEST    SIZE
busybox                           latest                    414aeb86  707.8KB

Scanning images for known vulnerabilities

You can fetch CVE (Common Vulnerabilities and Exposures) info for images hosted on zot.

  • Get all images affected by a CVE
$ zot cve remote-zot -i CVE-2017-9935
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-5be4d92            ac3762e2  335MB
  • Get all CVEs for an image
$ zot cve remote-zot -I c3/openjdk-dev:0.3.19
ID                SEVERITY  TITLE
CVE-2015-8540     LOW       libpng: underflow read in png_check_keyword()
CVE-2017-16826    LOW       binutils: Invalid memory access in the coff_s...
  • Get detailed json output
$ zot cve remote-zot -I c3/openjdk-dev:0.3.19 -o json
{
  "Tag": "0.3.19",
  "CVEList": [
    {
      "Id": "CVE-2019-17006",
      "Severity": "MEDIUM",
      "Title": "nss: Check length of inputs for cryptographic primitives",
      "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.",
      "PackageList": [
        {
          "Name": "nss",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        },
        {
          "Name": "nss-sysinit",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        },
        {
          "Name": "nss-tools",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        }
      ]
    },
  • Get all images in a specific repo affected by a CVE
$ zot cve remote-zot -I c3/openjdk-dev -i CVE-2017-9935
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-2674e8a            71046748  338MB
c3/openjdk-dev                    commit-bd5cc94            0ab7fc76  
  • Get all images of a specific repo where a CVE is fixed
$ zot cve remote-zot -I c3/openjdk-dev -i CVE-2017-9935 --fixed
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-2674e8a-squashfs   b545b8ba  321MB
c3/openjdk-dev                    commit-d5024ec-squashfs   cd45f8cf  321MB

Ecosystem

skopeo

skopeo is a tool to work with remote image repositories.

  • Pull Images
skopeo copy docker://<zot-server:port>/repo:tag docker://<another-server:port>/repo:tag
  • Push Images
skopeo copy --format=oci docker://<another-server:port>/repo:tag docker://<zot-server:port>/repo:tag

cri-o

cri-o is an OCI-based Kubernetes container runtime interface.

Works with "docker://" transport which is the default.

Caveats

  • go 1.12+
  • The OCI distribution spec is still WIP, and we try to keep up

Contributing

We encourage and support an active, healthy community of contributors.