From 68fcf80217e32cb025fc48381118fa98f29429eb Mon Sep 17 00:00:00 2001
From: continuist
Date: Sun, 24 Aug 2025 14:32:29 -0400
Subject: [PATCH] Improve security further #3

---
 Docker_Registry_Install_Guide.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md
index 2dfc8e4..1b39eb5 100644
--- a/Docker_Registry_Install_Guide.md
+++ b/Docker_Registry_Install_Guide.md
@@ -100,10 +100,10 @@ sudo chown -R root:root /etc/registry/certs
 sudo chmod 750 /etc/registry/certs/private
 sudo chmod 755 /etc/registry/certs/{clients,ca,requests}
 
-# Create registry data directory
-sudo mkdir -p /var/lib/registry/data
+# Create registry data directory (systemd-managed)
+sudo mkdir -p /var/lib/registry
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry
-sudo chmod 750 /var/lib/registry /var/lib/registry/data
+sudo chmod 750 /var/lib/registry
 
 # Create log directory for nginx proxy
 sudo install -d -o registry-proxy -g registry-proxy /var/log/registry-proxy
@@ -127,13 +127,14 @@ Environment=PODMAN_RUNROOT=/run/user/%U/podman-run
 Environment=PODMAN_TMPDIR=/var/tmp/podman-%U/tmp
 Environment=XDG_DATA_HOME=/var/tmp/podman-%U/xdg-data
 Environment=XDG_CONFIG_HOME=/var/tmp/podman-%U/xdg-config
+StateDirectory=registry
 ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} --events-backend=file \
   run --rm --name registry \
   -p 127.0.0.1:5000:5000 \
   --read-only --tmpfs /tmp:size=64m --cap-drop=ALL --security-opt=no-new-privileges \
   -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
   -e REGISTRY_STORAGE_DELETE_ENABLED=false \
-  -v /var/lib/registry/data:/var/lib/registry:z \
+  -v /var/lib/registry:/var/lib/registry:z \
   docker.io/library/registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
 ExecStop=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} stop -t 10 registry
 Restart=on-failure
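Review bot: `StateDirectory=registry` is added to the registry unit without a matching `StateDirectoryMode=`, so on a host where systemd creates /var/lib/registry itself (fresh install, or after the directory is removed) it gets systemd's default mode 0755 and the unit's User=/Group= as owner, not the 750 and CI_SERVICE_USER that the guide sets by hand in the hunk at line 100; add `StateDirectoryMode=0750` directly under it so both paths agree. Once systemd owns that directory, the manual mkdir/chown/chmod trio in the earlier hunk is a duplicate that can drift from the unit, so either drop those three commands or state in the guide that the unit is now authoritative for /var/lib/registry and the commands are only for pre-seeding. The unit's [Service] header and User= line are outside this hunk, so whether the service user is the same account as CI_SERVICE_USER cannot be confirmed here; the bind mount now exposing the whole state directory rather than a data/ subdirectory is consistent with that assumption but relies on it.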
@@ -176,9 +177,8 @@ ProtectHostname=yes
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-IPAddressDeny=any
-IPAddressAllow=127.0.0.1/8 ::1
 LimitNOFILE=65536
+ExecStartPre=/usr/sbin/nginx -t -c /etc/registry/nginx.conf
 ExecStart=/usr/sbin/nginx -g 'daemon off;' -c /etc/registry/nginx.conf
 Restart=on-failure