Registry

In this section, we will explain how to deploy a small, self-hosted registry using a Podman container. For production environments, we strongly recommend utilizing a more reliable solution such as Quay, Nexus, or Artifactory.

1. As a privileged user, please access the ${HOME} directory and proceed to create the following script provided below. The script will make certain assumptions, including the registry name based on the hypervisor hostname, as well as the necessary credentials and user access:

2. registry.sh

   #!/usr/bin/env bash
   
   set -euo pipefail
   
   PRIMARY_NIC=$(ls -1 /sys/class/net | grep -v podman | head -1)
   export PATH=/root/bin:$PATH
   export PULL_SECRET="/root/baremetal/hub/openshift_pull.json"
   
   if [[ ! -f $PULL_SECRET ]];then
     echo "Pull Secret not found, exiting..."
     exit 1
   fi
   
   dnf -y install podman httpd httpd-tools jq skopeo libseccomp-devel
   export IP=$(ip -o addr show $PRIMARY_NIC | head -1 | awk '{print $4}' | cut -d'/' -f1)
   REGISTRY_NAME=registry.$(hostname --long)
   REGISTRY_USER=dummy
   REGISTRY_PASSWORD=dummy
   KEY=$(echo -n $REGISTRY_USER:$REGISTRY_PASSWORD | base64)
   echo "{\"auths\": {\"$REGISTRY_NAME:5000\": {\"auth\": \"$KEY\", \"email\": \"sample-email@domain.ltd\"}}}" > /root/disconnected_pull.json
   mv ${PULL_SECRET} /root/openshift_pull.json.old
   jq ".auths += {\"$REGISTRY_NAME:5000\": {\"auth\": \"$KEY\",\"email\": \"sample-email@domain.ltd\"}}" < /root/openshift_pull.json.old > $PULL_SECRET
   mkdir -p /opt/registry/{auth,certs,data,conf}
   cat <<EOF > /opt/registry/conf/config.yml
   version: 0.1
   log:
     fields:
       service: registry
   storage:
     cache:
       blobdescriptor: inmemory
     filesystem:
       rootdirectory: /var/lib/registry
     delete:
       enabled: true
   http:
     addr: :5000
     headers:
       X-Content-Type-Options: [nosniff]
   health:
     storagedriver:
       enabled: true
       interval: 10s
       threshold: 3
   compatibility:
     schema1:
       enabled: true
   EOF
   openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/registry/certs/domain.key -x509 -days 3650 -out /opt/registry/certs/domain.crt -subj "/C=US/ST=Madrid/L=San Bernardo/O=Karmalabs/OU=Guitar/CN=$REGISTRY_NAME" -addext "subjectAltName=DNS:$REGISTRY_NAME"
   cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
   update-ca-trust extract
   htpasswd -bBc /opt/registry/auth/htpasswd $REGISTRY_USER $REGISTRY_PASSWORD
   podman create --name registry --net host --security-opt label=disable --replace -v /opt/registry/data:/var/lib/registry:z -v /opt/registry/auth:/auth:z -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /opt/registry/certs:/certs:z -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key docker.io/library/registry:latest
   [ "$?" == "0" ] || !!
   systemctl enable --now registry
   

3. Kindly modify the location of the PULL_SECRET to point to the correct location.

4. Please adjust the permissions by adding the execution flag as follows: chmod u+x ${HOME}/registry.sh
5. You can execute the script without any parameters using the following command ${HOME}/registry.sh

After executing the script ${HOME}/registry.sh, the server should now be up and running. If the script has been properly configured and executed without errors, it should have started the server as intended.

It will utilize a systemd service for management purposes. So, if you ever need to manage it, you can employ systemctl status/start/stop registry.

The root folder for the registry is situated at /opt/registry, and it's structured as follows:

• certs holds the TLS certificates.
• auth keeps the credentials.
• data contains the registry images.
• conf will hold the registry configuration.