devteam/sharenet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improve security #13
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
Details
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
Details
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
Details

Browse source
This commit is contained in:
continuist 2025-08-24 17:43:16 -04:00
parent e76baeeb2f
commit 8bbaa715f6
1 changed files with 11 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
Docker_Registry_Install_Guide.md
View file

@ -151,7 +151,7 @@ ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tm
--read-only --tmpfs /tmp:size=64m --cap-drop=ALL --security-opt=no-new-privileges \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_STORAGE_DELETE_ENABLED=false \
-v /var/lib/registry:/var/lib/registry:z \
-v /var/lib/registry:/var/lib/registry:U,z \
docker.io/library/registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
ExecStop=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} stop -t 10 registry
Restart=on-failure
@ -230,6 +230,7 @@ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_verify_depth 2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_request_buffering off;
@ -390,6 +391,8 @@ COSIGN_VERSION=v2.2.4
COSIGN_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
COSIGN_SHA256="<REPLACE_WITH_OFFICIAL_SHA256>"
**⚠️ IMPORTANT:** Replace `<REPLACE_WITH_OFFICIAL_SHA256>` with the official release SHA256 before running.
curl -fsSL -o /usr/local/bin/cosign "$COSIGN_URL"
echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c -
chmod +x /usr/local/bin/cosign
@ -464,6 +467,10 @@ sudo cp /path/to/org-cosign.pub /etc/containers/keys/org-cosign.pub
**Best practice:** pull/deploy by **digest**, not tag. Example:
`podman pull REGISTRY_HOST/namespace/image@sha256:<digest>`
**Security hardening notes:**
- `:U` flag: ID-maps the host directory into the container's user namespace to avoid permission drift and tighten isolation.
- `ssl_session_tickets off`: Avoids long-lived TLS ticket key reuse unless you manage ticket key rotation.
## Security Model
This setup implements a multi-layered security approach:
@ -481,6 +488,9 @@ This setup implements a multi-layered security approach:
# Start as the service user
sudo -u CI_SERVICE_USER sh -lc 'systemctl --user daemon-reload && systemctl --user enable --now registry.service'
sudo systemctl enable --now registry-proxy.service
# One-time: ensure host dir ownership matches rootless ID map
sudo -u CI_SERVICE_USER podman unshare chown -R 100000:100000 /var/lib/registry
```
## Step 5: Verify Installation