From 8bbaa715f69111c56f09a6f6a036ca91199b5846 Mon Sep 17 00:00:00 2001
From: continuist
Date: Sun, 24 Aug 2025 17:43:16 -0400
Subject: [PATCH] Improve security #13
---
Docker_Registry_Install_Guide.md | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md
index c8d2b82..2520f4b 100644
--- a/Docker_Registry_Install_Guide.md
+++ b/Docker_Registry_Install_Guide.md
@@ -151,7 +151,7 @@ ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tm
 --read-only --tmpfs /tmp:size=64m --cap-drop=ALL --security-opt=no-new-privileges \
 -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
 -e REGISTRY_STORAGE_DELETE_ENABLED=false \
- -v /var/lib/registry:/var/lib/registry:z \
+ -v /var/lib/registry:/var/lib/registry:U,z \
 docker.io/library/registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
 ExecStop=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} stop -t 10 registry
 Restart=on-failure
@@ -230,6 +230,7 @@ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
 ssl_verify_depth 2;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
+ ssl_session_tickets off;
 proxy_http_version 1.1;
 proxy_set_header Connection "";
 proxy_request_buffering off;
@@ -390,6 +391,8 @@ COSIGN_VERSION=v2.2.4
 COSIGN_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
 COSIGN_SHA256=""
+**⚠️ IMPORTANT:** Replace `` with the official release SHA256 before running.
+
 curl -fsSL -o /usr/local/bin/cosign "$COSIGN_URL"
 echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c -
 chmod +x /usr/local/bin/cosign
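Review bot: The new `:U` volume option and the one-time `podman unshare chown -R 100000:100000 /var/lib/registry` added in the hunk at +488 do overlapping work, and the two can disagree. As I read podman-run(1), `U` makes podman recursively chown the host source path to the host IDs that correspond to the container process's UID/GID whenever the container is created, so any ownership set by the manual step is either already what `U` produces or is rewritten on the next start; I would keep one mechanism and record in the unit which UID the registry process runs as inside the container (not visible in this hunk), since that is what `U` keys on. A recursive chown over a registry blob store on every start can also become slow once the store is large, which deserves a sentence next to the option, e.g. `# :U re-chowns /var/lib/registry on each start; expect a delay on large stores`. The ExecStart line this belongs to begins above the hunk.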
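Review bot: The added warning is prose, not an enforced check: if `COSIGN_SHA256` is left empty, the `sha256sum -c -` on the following line fails, but `chmod +x` still runs unless the script is under `set -e`, so an unverified binary ends up executable in /usr/local/bin. I would add a guard before the download, `[ -n "$COSIGN_SHA256" ] || { echo "set COSIGN_SHA256 first" >&2; exit 1; }`, and make the check fatal, `echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c - || exit 1`. If these lines sit inside a fenced shell block, the bold `**⚠️ IMPORTANT:**` line is not valid shell when copy-pasted; a `# IMPORTANT: ...` comment carries the same message safely. The code span after "Replace" reads empty here, which may be an extraction artifact of an angle-bracket placeholder, but it should name what to replace, e.g. the empty value in `COSIGN_SHA256=""`.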
@@ -464,6 +467,10 @@ sudo cp /path/to/org-cosign.pub /etc/containers/keys/org-cosign.pub
 **Best practice:** pull/deploy by **digest**, not tag. Example: `podman pull REGISTRY_HOST/namespace/image@sha256:`
+**Security hardening notes:**
+- `:U` flag: ID-maps the host directory into the container's user namespace to avoid permission drift and tighten isolation.
+- `ssl_session_tickets off`: Avoids long-lived TLS ticket key reuse unless you manage ticket key rotation.
+
 ## Security Model
 This setup implements a multi-layered security approach:
@@ -481,6 +488,9 @@ This setup implements a multi-layered security approach:
 # Start as the service user
 sudo -u CI_SERVICE_USER sh -lc 'systemctl --user daemon-reload && systemctl --user enable --now registry.service'
 sudo systemctl enable --now registry-proxy.service
+
+# One-time: ensure host dir ownership matches rootless ID map
+sudo -u CI_SERVICE_USER podman unshare chown -R 100000:100000 /var/lib/registry
 ```
 ## Step 5: Verify Installation
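Review bot: The `:U` bullet describes an ID-mapping, but as I read podman-run(1) the `U` volume option does not map IDs; it makes podman recursively chown the host source directory to the host UID/GID that correspond to the container user, while ID-mapped mounts are a separate `idmap` option. Readers will use this sentence to judge what the flag protects against, so I would reword it to `- \`:U\` flag: podman recursively chowns the host directory to the host IDs the container user maps to, so the rootless registry can write to it without loosening its permissions.` The `ssl_session_tickets off` bullet matches the nginx change and needs no edit.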
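Review bot: Inside `podman unshare`, the numeric IDs passed to `chown` are interpreted in CI_SERVICE_USER's user namespace, not on the host: namespace UID 0 is CI_SERVICE_USER itself and namespace UID 100000 is the 100000th entry of that user's /etc/subuid range, which a commonly sized 65536-entry range does not contain, so the command either fails with an invalid-argument error or sets an owner unrelated to the host UID 100000 the number suggests (the guide's subuid setup is not visible here, so this is inferred). If the intent is ownership by the registry's container user, run the chown with the UID the registry process actually uses inside the container, or drop the step, since the `:U` volume option added in the hunk at +151 already adjusts ownership when the container is created. The comment should state which ID space the numbers live in, e.g. `# One-time: chown to the registry's in-container UID (namespace ID, not host ID)`.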