Getting started¶
Example inventory¶
To install Docker Registry on a host, you need to add it to the
[debops_service_docker_registry]
Ansible inventory group:
[debops_all_hosts]
hostname
[debops_service_redis_server]
hostname
[debops_service_docker_registry]
hostname
The support for Redis Server is optional, and not required on the same host.
The debops.docker_registry role is designed to integrate well with the debops.gitlab role, to provide backend support for the GitLab Container Registry service. See the role documentation for more details.
Example playbook¶
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.docker_registry
role:
---
- name: Manage Docker Registry
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_service_docker_registry' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring',
'role::nginx', 'role::docker_registry' ]
keyring__dependent_apt_keys:
- '{{ nginx__keyring__dependent_apt_keys }}'
keyring__dependent_gpg_keys:
- '{{ docker_registry__keyring__dependent_gpg_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ golang__apt_preferences__dependent_list | d([]) }}'
- '{{ nginx__apt_preferences__dependent_list }}'
- role: etc_services
tags: [ 'role::etc_services', 'skip::etc_services' ]
etc_services__dependent_list:
- '{{ docker_registry__etc_services__dependent_list }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::docker_registry' ]
python__dependent_packages3:
- '{{ ldap__python__dependent_packages3 }}'
- '{{ docker_registry__python__dependent_packages3 }}'
- '{{ nginx__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ ldap__python__dependent_packages2 }}'
- '{{ docker_registry__python__dependent_packages2 }}'
- '{{ nginx__python__dependent_packages2 }}'
- role: ldap
tags: [ 'role::ldap', 'skip::ldap' ]
ldap__dependent_tasks:
- '{{ sudo__ldap__dependent_tasks }}'
- role: sudo
tags: [ 'role::sudo', 'skip::sudo' ]
- role: ferm
tags: [ 'role::ferm', 'skip::ferm' ]
ferm__dependent_rules:
- '{{ nginx__ferm__dependent_rules }}'
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]
nginx__dependent_maps:
- '{{ docker_registry__nginx__dependent_maps }}'
nginx__dependent_upstreams:
- '{{ docker_registry__nginx__dependent_upstreams }}'
nginx__dependent_htpasswd:
- '{{ docker_registry__nginx__dependent_htpasswd }}'
nginx__dependent_servers:
- '{{ docker_registry__nginx__dependent_servers }}'
- role: golang
tags: [ 'role::golang', 'skip::golang' ]
when: docker_registry__upstream|bool
- role: docker_registry
tags: [ 'role::docker_registry', 'skip::docker_registry' ]
Authentication¶
docker_registry__basic_auth_except_get
allows an easy yet auditable
write access control to the registry. To use it, set the variable to True
.
Additionally, you need to define the hosts or networks to require authentication for.
This is basically a workaround because the Docker Server first does a GET
request and if it goes though, it will not provide authentication. But we
always allow read only requests without authentication so we need to force
authentication like this:
nginx__custom_config:
- name: 'geo_force_authentication'
custom: |
## This is not security related. It just triggers Docker that it may authenticate itself.
geo $force_authentication {
default 0;
2001:db8:2342::/64 1;
}
Then define the users which should be created and allowed write access:
docker_registry__basic_auth_users:
- 'build-docker-debian-base-image'
Refer to debops.secret for details.
You can then use docker login docker-registry.example.net to login. This step is manually for now.
Ansible tags¶
You can use Ansible --tags
or --skip-tags
parameters to limit what
tasks are performed during Ansible run. This can be used after a host was first
configured to speed up playbook execution, when you are sure that most of the
configuration is already in the desired state.
Available role tags:
role::docker_registry
- Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.
Other resources¶
List of other useful resources related to the debops.docker_registry
Ansible role:
- Docker Registry configuration documentation
- GitLab Container Registry documentation