sharenet/registry
continuist e76baeeb2f
Improve security #12
2025-08-24 17:33:00 -04:00

Docker Registry Configuration

This folder contains the configuration files for the Docker Registry setup used in the CI/CD pipeline.

Files

  • nginx.conf: nginx configuration for TLS termination, access control and rate limiting
  • registry-pod.yaml: Kubernetes-style pod definition (registry and nginx containers) that Podman runs
  • docker-registry.service: Systemd service file that starts the pod with rootless Podman
  • containers-policy.json: Podman image signature policy applied when the pod's images are pulled
  • openssl.conf: OpenSSL configuration kept alongside the other registry files
  • README.md: This documentation file

Architecture

The registry setup uses:

  • Docker Registry v2: Stores image manifests and layers; listens only on the pod's internal network
  • nginx: Reverse proxy in front of the registry that terminates TLS and enforces authentication
  • Environment Variables: Carry the authentication credentials and registry configuration into the services
  • Service User: The registry and nginx services run as the existing CI_SERVICE_USER (no separate registry user is created)

Authentication Model

  • Pulls: Unauthenticated (public read access; GET and HEAD only)
    • /v2/ - API version check that every client performs first
    • /v2/*/blobs/* - Download image layers
    • /v2/*/manifests/* - Download image manifests
    • /v2/_catalog - List repositories
    • /v2/*/tags/list - List image tags
  • Pushes: Require authentication with registry-user credentials
    • /v2/*/blobs/uploads/* (POST/PATCH/PUT) - Start, continue and complete layer uploads
    • /v2/*/manifests/* (PUT/DELETE) - Upload or delete manifests (DELETE is additionally refused by the registry itself because deletion is disabled, see below)
  • Caveats: Because /v2/_catalog and tags/list are public, anyone who can reach port 443 can enumerate every repository and tag name. Basic auth also only authenticates; it does not authorize per repository, so any valid credential can push to any repository.

Security Features

  • URL-based access control: Read paths and write paths are handled by separate nginx location blocks
  • Method-based restrictions: Only GET and HEAD pass without credentials; every other method must authenticate
  • Path validation: Write methods are accepted only on the blob-upload and manifest paths; a PUT/POST/PATCH/DELETE to any other path (for example /v2/_catalog) is rejected by nginx instead of being forwarded to the registry
  • Security headers: X-Content-Type-Options and X-Frame-Options are set on every response
  • Rootless Podman: The pod runs inside the service user's user namespace, and all Podman state is kept outside the user's home directory
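As an added example (not the repository's own nginx.conf), the configuration below expresses the access model and the path/method rules above with nginx's `limit_except`: GET and HEAD pass through unauthenticated, any other method on the upload and manifest paths must present valid htpasswd credentials, and write methods on every other /v2/ path are refused before they reach the registry. The registry address 127.0.0.1:5000, the htpasswd path, the server name and the certificate paths are assumptions.

```nginx
# Added example, not the project's nginx.conf. Assumed: the registry container
# listens on 127.0.0.1:5000, credentials live in /etc/nginx/registry.htpasswd
# (mode 0600, owned by the user nginx runs as), and the server name and
# certificate paths below are placeholders.
events {}

http {
    upstream docker-registry {
        server 127.0.0.1:5000;
    }

    # Registry clients probe GET /v2/ first and expect this header. If the
    # upstream already set it, the upstream value is kept.
    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        '' 'registry/2.0';
    }

    server {
        listen 443 ssl;
        server_name registry.example.internal;                 # placeholder

        ssl_certificate     /etc/nginx/certs/registry.crt;     # placeholder
        ssl_certificate_key /etc/nginx/certs/registry.key;     # placeholder

        client_max_body_size 2G;        # one layer per request, so this caps a single blob
        chunked_transfer_encoding on;

        add_header Docker-Distribution-Api-Version $docker_distribution_api_version always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options DENY always;

        # Inherited by every location below that does not override them.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;

        # Write paths: blob upload sessions (POST/PATCH/PUT) and manifest
        # uploads (PUT). limit_except exempts GET/HEAD, so pulls of these same
        # paths stay public while every other method must authenticate.
        location ~ ^/v2/.+/(blobs/uploads/|manifests/) {
            limit_except GET HEAD {
                auth_basic           "Docker Registry";
                auth_basic_user_file /etc/nginx/registry.htpasswd;
            }
            proxy_pass http://docker-registry;
        }

        # Everything else under /v2/ is read-only: the version check (GET /v2/),
        # _catalog, tags/list and blob downloads. A write method here (e.g. a
        # PUT to /v2/_catalog) gets 403 from nginx and never reaches the registry.
        location /v2/ {
            limit_except GET HEAD {
                deny all;
            }
            proxy_pass http://docker-registry;
        }

        # Nothing outside the v2 API is served.
        location / {
            return 404;
        }
    }
}
```

Two quick checks against a deployment: `curl -sS -o /dev/null -w '%{http_code}\n' -X PUT https://HOST/v2/_catalog` should print 403 (write method on a read-only path), and the same request against `/v2/some/repo/manifests/latest` without `-u` should print 401 with a `WWW-Authenticate: Basic` header, which is what makes `docker login` send credentials.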

Configuration

The setup is configured through:

  1. nginx.conf: Handles HTTPS and authentication
  2. registry-pod.yaml: Kubernetes-style pod definition for Podman
  3. docker-registry.service: Systemd service with rootless Podman configuration
  4. User/Permissions: All files and services are owned and run by CI_SERVICE_USER for consistency and security

Podman Configuration

The registry uses rootless Podman with all state stored outside the user's home directory:

  • PODMAN_ROOT: /var/tmp/podman-%u/root - Container storage
  • PODMAN_RUNROOT: /run/user/%u/podman-run - Runtime state
  • PODMAN_TMPDIR: /var/tmp/podman-%u/tmp - Temporary files
  • XDG_DATA_HOME: /var/tmp/podman-%u/xdg-data - Data directory
  • XDG_CONFIG_HOME: /var/tmp/podman-%u/xdg-config - Configuration

These paths keep Podman's image storage, runtime state and configuration out of the home directory; the isolation itself still comes from the rootless user namespace, not from where the state lives. Two things to verify before relying on this layout: /var/tmp is subject to systemd-tmpfiles age-based cleanup on many distributions, so the storage directory needs a tmpfiles exclusion (or another location) if pulled images must survive; and /run/user/<uid> exists only while systemd-logind has a session for the user (or lingering is enabled with loginctl enable-linger) and is keyed by numeric UID, so the specifier used in the unit must resolve to that directory.

Usage

The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by CI_SERVICE_USER.

Hardening Details

Container Security

  • Rootless operation: Containers run as a non-root user (UID 1000 inside the container, which rootless Podman maps to an unprivileged UID from CI_SERVICE_USER's subordinate UID range on the host)
  • Capability dropping: All Linux capabilities are dropped
  • Privilege escalation: Disabled via allowPrivilegeEscalation=false
  • Read-only filesystem: Root filesystem is read-only with tmpfs for /tmp
  • Image deletion disabled: REGISTRY_STORAGE_DELETE_ENABLED=false

Network Security

  • TLS 1.2/1.3 only: Modern cipher suites with HSTS headers
  • Rate limiting: 10 requests/second for reads, 5 requests/second for writes
  • Client size limits: 2GB max request body (client_max_body_size); a layer upload is one request, so a single layer larger than this fails with 413
  • Internal registry: Registry listens only internally, proxied via nginx
  • Port restrictions: Only ports 443 and 4443 exposed
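An added example (not the repository's nginx.conf) of the http- and server-level settings behind those bullets: TLS 1.2/1.3 only, HSTS, the 2GB body cap, and two limit_req zones keyed on the request method so reads and writes are throttled at the rates above independently rather than sharing one budget. Ports, zone sizes, burst values, the server name, certificate paths and the upstream address are assumptions.

```nginx
# Added example, not the project's nginx.conf. Everything here goes in the
# http context; ports, burst values, names and paths are assumptions.

# A limit_req zone only counts requests whose key is non-empty. Mapping the
# key on the request method therefore gives one per-client budget for reads
# (GET/HEAD, 10 r/s) and a separate one for writes (5 r/s).
map $request_method $registry_read_key {
    default "";
    GET     $binary_remote_addr;
    HEAD    $binary_remote_addr;
}
map $request_method $registry_write_key {
    default "";
    POST    $binary_remote_addr;
    PUT     $binary_remote_addr;
    PATCH   $binary_remote_addr;
    DELETE  $binary_remote_addr;
}
limit_req_zone $registry_read_key  zone=registry_read:10m  rate=10r/s;
limit_req_zone $registry_write_key zone=registry_write:10m rate=5r/s;

server {
    listen 443 ssl;
    listen 4443 ssl;                                       # second exposed port, served identically (assumption)
    server_name registry.example.internal;                 # placeholder

    ssl_certificate     /etc/nginx/certs/registry.crt;     # placeholder
    ssl_certificate_key /etc/nginx/certs/registry.key;     # placeholder

    # TLS 1.2 and 1.3 only. The list covers TLS 1.2; TLS 1.3 suites are not
    # selected through ssl_ciphers and are all AEAD with forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:registry_ssl:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS is honoured by browsers only; docker/podman ignore it, but it is harmless.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # One layer per request, so this caps the size of a single blob upload.
    client_max_body_size 2G;

    location /v2/ {
        # Both directives apply, but each only counts requests whose key is
        # set, so a pull never spends write budget and vice versa. Requests
        # beyond the burst are answered with 429 instead of the default 503.
        limit_req zone=registry_read  burst=20 nodelay;
        limit_req zone=registry_write burst=10 nodelay;
        limit_req_status 429;

        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:5000;                 # registry bound to loopback only (assumption)
    }
}
```

The key is the client address as seen by nginx, so CI runners behind one NAT address share a single budget; a pull of an image with many layers issues one request per layer and can exhaust `burst=20` quickly, so tune the burst to the runner count before lowering the rate.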

Resource Management

  • CPU limits: 1000m for registry, 500m for nginx
  • Memory limits: 1Gi for registry, 512Mi for nginx
  • File descriptors: ulimits are set explicitly for both containers rather than inherited from the service user's session

Authentication & Authorization

  • Basic auth: htpasswd-based authentication for write operations
  • Policy enforcement: containers-policy.json is Podman's image signature policy; it governs which images Podman may pull and run for this pod (the registry and nginx images), not the images that clients push into the registry
  • Volume security: Read-only mounts where possible with nosuid,nodev,noexec

Data Protection

  • FHS-style layout: Configuration, data and logs live in separate directories with restrictive permissions
  • Credential isolation: htpasswd file stored separately with 600 permissions
  • Log management: Structured logging with proper volume mounts