{{tag>Brouillon Docker Redis}}

= Notes Dépôt Docker - Docker Registry

Voir :
* [[Scan de vulnérabilité pour les images de conteneurs]]

== Registry (comme JFrog Artifactory)

* [[https://goharbor.io|Harbor]] (cncf.io)
* Gitlab registry
* [[http://port.us.org/|Portus]]



== Public registry

Voir :
  * https://argocd-image-updater.readthedocs.io/en/stable/configuration/registries/


== Configuration

Voir :
* https://forum.ansible.com/t/running-a-local-container-registry-for-execution-environments/206

Voir aussi : 
* https://portainer.io/

Source :
* https://docs.docker.com/registry/

** Brouillon, insecure registry**


=== Client

Voir :
  * ''/etc/containers/registries.conf'' et ''~/.config/containers/registries.conf''
  * https://docs.podman.io/en/v2.2.1/markdown/podman-search.1.html

''/etc/systemd/system/docker.service.d/http-proxy.conf''
<code ini>
[Service]
# Environment="HTTP_PROXY=http://192.168.56.1:3128/" "HTTPS_PROXY=http://192.168.56.1:3128/" "NO_PROXY=localhost,127.0.0.0/8,192.168.0.0/16,registry.local"
Environment="http_proxy=http://192.168.56.1:3128/" "https_proxy=http://192.168.56.1:3128/" "NO_PROXY=localhost,127.0.0.0/8,192.168.0.0/16,registry.local"
</code>

<code bash>
systemctl daemon-reload
systemctl restart docker
</code>

Vérif
<code bash>
systemctl show --property=Environment docker
</code>

''/etc/hosts''
<code ->
192.168.205.18 docker-1
</code>

API
<code bash>
curl -X GET -u <user>:<pass> https://myregistry:5000/v2/_catalog
curl -X GET -u <user>:<pass> https://myregistry:5000/v2/ubuntu/tags/list
</code>


==== SSL/TLS

<code bash>
sudo mkdir -p /etc/docker/certs.d/registry.local:5000
</code>

Puis déposer le fichier **ca.crt** dans ce dossier.

Autre solution 

''/etc/docker/daemon.json''
<code javascript>
{
    "log-level":        "error",
    "insecure-registries" : ["docker-1.local"],
    "proxies": {
      "http-proxy": "http://192.168.1.100:3128",
      "https-proxy": "https://192.168.1.100:3128",
      "no-proxy": "*.local,127.0.0.0/8"
  }
}
</code>

Old \\
Ne semble plus marcher. \\
Avant nous pouvions spécifier un numéro de port au registry Docker.

''/etc/docker/daemon.json''
<code javascript>
{
          "insecure-registries" : ["docker-1:5000"]
}
</code>


=== Seveur registry

<code bash>
mkdir docker-registry
cd docker-registry

mkdir certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt

chmod a+r certs/domain.*
sudo mv certs /certs
</code>

** Be sure to use the name myregistrydomain.com as a CN **


''docker-compose.yml''
<code yaml>
version: '3'
services:
  registry:
    image: "registry:2"
    ports:
     - "5000:5000"
    environment:
     - REGISTRY_HTTP_ADDR=0.0.0.0:5000
     - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
     - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
     - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
     - REGISTRY_STORAGE_DELETE_ENABLED=true
    volumes:
     - "/certs:/certs"
     - "/data:/data"

</code>

''docker-compose.yml''
<code yaml>
version: '3'
services:
  redis:
    image: redis
    restart: always
  registry:
    image: "registry:2"
    restart: always
    ports:
     - "5000:5000"
    environment:
     - REGISTRY_HTTP_ADDR=0.0.0.0:5000
     - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
     - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
     - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
     - REGISTRY_HTTP_SECRET=secret
     - REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR=redis
     - REGISTRY_REDIS_ADDR=redis:6379
     - REGISTRY_STORAGE_DELETE_ENABLED=true
    volumes:
     - "/certs:/certs"
     - "/data:/data"
  registry-ui:
    image: konradkleine/docker-registry-frontend:v2
    restart: always
    ports:
     - "80:80"
    environment:
      VIRTUAL_HOST: '*, https://*'
      ENV_DOCKER_REGISTRY_HOST: 'registry'
      ENV_DOCKER_REGISTRY_PORT: 5000
      ENV_DOCKER_REGISTRY_USE_SSL: 1
</code>

<code bash>
docker-compose up
</code>


== Utilisation

Pull & Push
<code bash>
docker pull debian:stretch
docker tag debian:stretch localhost:5000/debian:stretch
docker push localhost:5000/debian:stretch
</code>

Build & Push
<code bash>
docker build -t plop . plop registry.local:5000/project/image:tag
docker push registry.local:5000/project/image:tag
</code>

Auth
<code bash>
docker login registry.local:5000 -u user -p P@sssw0rd
</code>

=== Delete

Voir :
* https://github.com/docker/distribution/blob/master/docs/spec/api.md
* https://stackoverflow.com/questions/25436742/how-to-delete-images-from-a-private-docker-registry
* https://lumao.eu/post/gitlab-private-registry-docker/
* https://blog.eleven-labs.com/fr/mise-en-place-docker-registry-privee/


Afficher les information détaillées sur notre image taguée.
<code bash>
docker inspect registry.local:5000/hello-world:latest
</code>


Voir & effacer les versions taguées
<code ->
$ docker image ls registry.local:5000/*
REPOSITORY                            TAG                 IMAGE ID            CREATED             SIZE
registry.local:5000/my-hello-world4   latest              fce289e99eb9        13 months ago       1.84kB
$ docker image rm registry.local:5000/my-hello-world4
Untagged: registry.local:5000/my-hello-world4:latest
Untagged: registry.local:5000/my-hello-world4@sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
</code>

Effacer les fichiers sur le dépôt
<code bash>
sudo rm ./docker/registry/v2/repositories/my-hello-world -rf
sudo rm ./docker/registry/v2/repositories/my-hello-world4 ./docker/registry/v2/blobs/sha256/fc/fce289e99eb9* -rf
</code>
 
<code ->
$ curl -k https://registry.local:5000/v2/_catalog
{"repositories":["hello-world"]}
$ curl -k https://registry.local:5000/v2/hello-world/tags/list
{"name":"hello-world","tags":["latest"]}
</code>

<code ->
$ curl -k -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET https://registry.local:5000/v2/hello-world/manifests/latest
< content-length: 524                                                         
<                                                                                                                  
{                                                           
   "schemaVersion": 2,                          
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {                                      
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 1510,                                  
      "digest": "sha256:fce289e99eb9bca977dae136fbe2a82b6b7d4c372474c9235adc1741675f587e"
   },                                               
   "layers": [                                                       
      {                                                     
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 977,                                                                                                                                                                                  "digest": "sha256:1b930d010525941c1d56ec53b97bd057a67ae1865eebf042686d2a2d18271ced"                                                 
      }
   ]
* Curl_http_done: called premature == 0
</code>

<code bash>
curl -k -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X DELETE https://registry.local:5000/v2/hello-world/manifests/sha256:fce289e99eb9bca977dae136fbe2a82b6b7d4c372474c9235adc1741675f587e
</code>

Pour vraiment libérer l'espace \\
Lancer à l’intérieur du conteneur 
<code bash>
bin/registry garbage-collect /etc/docker/registry/config.yml
</code>


== Client

Voir : 
  * ''podman search''
  * ''crane'' (asdf)
  * skopeo

https://blog.stephane-robert.info/docs/conteneurs/outils/crane/


~~~bash
skopeo inspect docker://tomsquest/docker-radicale | jq
~~~

=== Pb 

==== Error "server gave HTTP response to HTTPS client"

<code bash>
podman exec -ti kind-control-plane /bin/bash
ctr -n k8s.io image pull --plain-http=true registry.test.svc.cluster.local:5000/awx-ee-gts-it:2.19.3-2-1
</code>