devteam/sharenet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improve security #14
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
Details
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
Details
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
Details

Browse source
This commit is contained in:
continuist 2025-08-24 17:47:12 -04:00
parent 8bbaa715f6
commit 7b1e38fb95
1 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
Docker_Registry_Install_Guide.md
View file

@ -221,6 +221,7 @@ http {
limit_req_zone $binary_remote_addr zone=reg_read:10m rate=10r/s; limit_req_zone $binary_remote_addr zone=reg_read:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=reg_write:10m rate=5r/s; limit_req_zone $binary_remote_addr zone=reg_write:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=perip:10m; limit_conn_zone $binary_remote_addr zone=perip:10m;
# Note: Tune these limits based on your expected load. Adjust if CI bursts cause 429s.
client_max_body_size 2g; client_max_body_size 2g;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
@ -231,6 +232,8 @@ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Connection ""; proxy_set_header Connection "";
proxy_request_buffering off; proxy_request_buffering off;
@ -276,7 +279,7 @@ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
limit_req zone=reg_write burst=10; limit_req zone=reg_write burst=10;
limit_conn perip 20; limit_conn perip 20;
proxy_pass http://reg; proxy_pass http://reg;
proxy_set_header Host $host; proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Docker-Distribution-Api-Version "registry/2.0" always; add_header Docker-Distribution-Api-Version "registry/2.0" always;
@ -397,6 +400,9 @@ curl -fsSL -o /usr/local/bin/cosign "$COSIGN_URL"
echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c - echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c -
chmod +x /usr/local/bin/cosign chmod +x /usr/local/bin/cosign
# Verify installation
cosign version --json
# Generate Cosign key pair (or use keyless OIDC in CI) # Generate Cosign key pair (or use keyless OIDC in CI)
cosign generate-key-pair cosign generate-key-pair
@ -470,6 +476,7 @@ sudo cp /path/to/org-cosign.pub /etc/containers/keys/org-cosign.pub
**Security hardening notes:** **Security hardening notes:**
- `:U` flag: ID-maps the host directory into the container's user namespace to avoid permission drift and tighten isolation. - `:U` flag: ID-maps the host directory into the container's user namespace to avoid permission drift and tighten isolation.
- `ssl_session_tickets off`: Avoids long-lived TLS ticket key reuse unless you manage ticket key rotation. - `ssl_session_tickets off`: Avoids long-lived TLS ticket key reuse unless you manage ticket key rotation.
- **Client policy enforcement**: The registry doesn't enforce signatures—clients do. Ensure `containers-policy.json` (with `sigstoreSigned` for `REGISTRY_HOST` and reject for `docker.io`) is deployed on every *pulling* host.
## Security Model ## Security Model