sharenet/registry/README.md

# Docker Registry Configuration

This folder contains the configuration files for the Docker Registry setup used in the CI/CD pipeline.

## Files


- **`nginx.conf`**: nginx configuration for HTTPS and authentication
- **`docker-registry.service`**: Systemd service file for Docker Registry v2
- **`README.md`**: This documentation file

## Architecture

The registry setup uses:
- **Docker Registry**: Basic registry for storing Docker images
- **nginx**: Reverse proxy with automatic HTTPS and authentication
- **Environment Variables**: For authentication credentials and registry configuration
- **Service User**: The registry and nginx services run as the existing `CI_SERVICE_USER` (not a separate registry user)

## Authentication Model

- **Pulls**: Unauthenticated (public read access)
  - `/v2/*/blobs/*` - Download image layers
  - `/v2/*/manifests/*` - Download image manifests
  - `/v2/_catalog` - List repositories
  - `/v2/*/tags/list` - List image tags
- **Pushes**: Require authentication with `registry-user` credentials
  - `/v2/*/blobs/uploads/*` - Upload image layers
  - `/v2/*/manifests/*` (PUT/POST/PATCH/DELETE) - Upload/update manifests

## Security Features

- **URL-based access control**: Different paths require different authentication levels
- **Method-based restrictions**: Push operations require authentication
- **Path validation**: Prevents method spoofing by validating both URL patterns and HTTP methods
- **Security headers**: X-Content-Type-Options, X-Frame-Options for additional protection

## Configuration

The setup is configured through:
1. **Environment Variables**: Stored in `.env` file (created during setup) for authentication
2. **Docker Compose Environment**: Registry configuration via environment variables
3. **nginx.conf**: Handles HTTPS and authentication
4. **Docker Compose**: Orchestrates the registry and nginx services
5. **Systemd Service**: Manages the Docker Registry service lifecycle
6. **User/Permissions**: All files and services are owned and run by `CI_SERVICE_USER` for consistency and security

## Usage

The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by `CI_SERVICE_USER`.

## Security Features

### Container Security
- **Rootless operation**: Containers run as non-root user (UID 1000)
- **Capability dropping**: All Linux capabilities are dropped
- **Privilege escalation**: Disabled via allowPrivilegeEscalation=false
- **Read-only filesystem**: Root filesystem is read-only with tmpfs for /tmp
- **Image deletion disabled**: REGISTRY_STORAGE_DELETE_ENABLED=false

### Network Security
- **TLS 1.2/1.3 only**: Modern cipher suites with HSTS headers
- **Rate limiting**: 10 requests/second for reads, 5 requests/second for writes
- **Client size limits**: 2GB max body size for large image uploads
- **Internal registry**: Registry listens only internally, proxied via nginx
- **Port restrictions**: Only ports 443 and 4443 exposed

### Resource Management
- **CPU limits**: 1000m for registry, 500m for nginx
- **Memory limits**: 1Gi for registry, 512Mi for nginx
- **File descriptors**: Proper ulimits configuration

### Authentication & Authorization
- **Basic auth**: htpasswd-based authentication for write operations
- **Policy enforcement**: containers-policy.json for image signature verification
- **Volume security**: Read-only mounts where possible with nosuid,nodev,noexec

### Data Protection
- **FHS compliance**: Proper directory structure and permissions
- **Credential isolation**: htpasswd file stored separately with 600 permissions
- **Log management**: Structured logging with proper volume mounts