From 7d8c9397583bc8f160a3b98109d10ec9946a9a92 Mon Sep 17 00:00:00 2001 From: Korbs Date: Mon, 9 Dec 2024 22:20:46 -0500 Subject: [PATCH] :rocket: Init --- README.md | 101 +++++++++++++++++++++++++++++++++++++++++++- config.json | 102 +++++++++++++++++++++++++++++++++++++++++++++ docker-compose.yml | 11 +++++ 3 files changed, 212 insertions(+), 2 deletions(-) create mode 100644 config.json create mode 100644 docker-compose.yml diff --git a/README.md b/README.md index 9902455..2aad014 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,100 @@ -# zot-docker-setup +# Zot Docker Setup -Straight-forward setup for Zot in Docker. Steps are also included how to use it as a Docker registry. \ No newline at end of file +Setup Zot in Docker + +This is mostly how SudoVanilla's Docker registry is setup. + +> I'm still new to Zot, so some information below could be inaccurate and some important information could be missing too. + +## Configuration + +### Address and Port + +Zot will need to bind itself to an address and port. + +- `address` - `192.168.0.0` (Use Local IP) +- `port` - `2000` + +Example above would bind `http://192.168.0.0:2000` + +### Access Control + +The already provided configuration is setup to allow guest users to view any images that is available on your Zot registry, with one user(you) being able to view, create, delete, and update images. + +Make sure you give yourself access to other permissions, the email you plan to use should be set to `users` under the `*` policies under `accessControl`. + +### OpenID Connect (Optional) + +To setup OpenID Connect, configure the `openid` portion of the `config.json` file. + + - `name` - Name that appears on login button (Sign in with `name`) + - `issuer` - `https://sso.whatever.org/odic` + - Don't use the provider configuration endpoint, use the issuer endpoint + - `clientid` - Client or App ID + - `clientsecret` - Client or App secret + - `scopes` - Permissions to give Zot that it can access. + +Your Zot redirect URL will look like this: +``` +// Path +/zot/auth/callback/oidc + +// Full URL example +https://zot.whatever.org/zot/auth/callback/oidc +``` + +> The endpoint will use your `externalUrl` as the assumed redirect URL, make it is set correctly for your setup. + +> If you don't plan to use this, remove the `openid` portion from the `config.json` file. + +### Htpasswd (Optional) + +If you plan to provide a login via email and password, you'll need to create an account with the `htpasswd` command and create the account you'll use. + +Create an account: +```bash +htpasswd -bnB MyUsername MyPassword > ./htpasswd +``` + +> If you don't plan to use this, remove the `htpasswd` line from the `config.json` file. + +## Usage +### Building Docker Image + +You can build a Docker image as you normally would. + +```bash +docker build -t your-image . +``` + +### Pushing Docker Image + +Zot seems to be setup to accept OCI images, not the Docker format, so using `docker push` won't work. You can use `skopeo` to push, after you save the Docker image as a tar. + +Before we proceed, make to login into your Zot registry: +``` +skopeo login zot.whatever.org +``` +> If you used OpenID Connect to create an account. Use your email as the `username` and crete an API Token as the `password`. + +Run `docker save` to convert the existing image to a `.tar` format: +```bash +docker save -o your-image.tar your-image +``` + +Then, push it to your Zot registry: +```bash +skopeo copy tarball:./your-image.tar docker://zot.whatever.org/your-image +``` + +The `/your-image` part in the `skopeo copy` command can be whatever. `/whatever/your-image` also works. + +**Try it Out** + +Let's try pushing an existing image from Docker Hub to your Zot registry, we'll use Bun's image in this example. + +```bash +docker pull oven/bun +docker save -o bun.tar oven/bun +skopeo copy tarball:./bun.tar docker://zot.whatever.org/oven/bun +``` \ No newline at end of file diff --git a/config.json b/config.json new file mode 100644 index 0000000..0f6efe0 --- /dev/null +++ b/config.json @@ -0,0 +1,102 @@ +{ + "distSpecVersion": "1.0.1", + "storage": { + "dedupe": true, + "gc": true, + "gcDelay": "1h", + "gcInterval": "6h", + "rootDirectory": "/var/lib/registry" + }, + "http": { + "address": "192.168.0.0", + "port": "2000", + "externalUrl": "https://zot.whatever.org", + "realm": "zot", + "auth": { + "htpasswd": { + "path": "/etc/zot/htpasswd" + }, + "openid": { + "providers": { + "oidc": { + "name": "Company SSO or whatever", + "issuer": "https://sso.whatever.org/oidc", + "clientid": "CLIENT_ID", + "clientsecret": "CLIENT_SECRET", + "keypath": "", + "scopes": [ + "openid", + "profile", + "email" + ] + } + } + }, + "failDelay": 1 + }, + "accessControl": { + "repositories": { + "*": { + "policies": [ + { + "users": [ + "your-email@whatever.org" + ], + "actions": [ + "read", + "create", + "update", + "delete" + ] + } + ], + "defaultPolicy": [ + "read" + ], + "anonymousPolicy": [ + "read" + ] + } + } + } + }, + "log": { + "level": "debug", + "output": "/var/log/zot/zot.log", + "audit": "/var/log/zot/zot-audit.log" + }, + "extensions": { + "ui": { + "enable": true + }, + "search": { + "enable": true, + "cve": { + "updateInterval": "24h" + } + }, + "sync": { + "enable": false, + "registries": [ + { + "urls": [ + "https://mirror.gcr.io/library" + ], + "onDemand": true, + "maxRetries": 3, + "retryDelay": "5m", + "pollInterval": "6h" + }, + { + "urls": [ + "https://docker.io/library" + ], + "onDemand": true + } + ] + }, + "scrub": { + "interval": "24h" + } + } +} \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..f4d88f6 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,11 @@ +services: + zot: + image: ghcr.io/project-zot/zot:latest + network_mode: host # Configure the ports in the "config.json" file. + stdin_open: true + tty: true + volumes: + - ./config.json:/etc/zot/config.json + - ./htpasswd:/etc/zot/htpasswd + - ./zot:/var/lib/registry # Generated + - ./logs:/var/log/zot/ # Generated \ No newline at end of file