Getting started
Example inventory
To install Docker Registry on a host, you need to add it to the
[debops_service_docker_registry]
Ansible inventory group:
[debops_all_hosts]
hostname
[debops_service_redis_server]
hostname
[debops_service_docker_registry]
hostname
The support for Redis Server is optional, and not required on the same host.
The debops.docker_registry role is designed to integrate well with the debops.gitlab role, to provide backend support for the GitLab Container Registry service. See the role documentation for more details.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.docker_registry
role:
---
- name: Manage Docker Registry
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_service_docker_registry' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring',
'role::nginx', 'role::docker_registry' ]
keyring__dependent_apt_keys:
- '{{ nginx__keyring__dependent_apt_keys }}'
keyring__dependent_gpg_keys:
- '{{ docker_registry__keyring__dependent_gpg_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ golang__apt_preferences__dependent_list | d([]) }}'
- '{{ nginx__apt_preferences__dependent_list }}'
- role: etc_services
tags: [ 'role::etc_services', 'skip::etc_services' ]
etc_services__dependent_list:
- '{{ docker_registry__etc_services__dependent_list }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::docker_registry' ]
python__dependent_packages3:
- '{{ ldap__python__dependent_packages3 }}'
- '{{ docker_registry__python__dependent_packages3 }}'
- '{{ nginx__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ ldap__python__dependent_packages2 }}'
- '{{ docker_registry__python__dependent_packages2 }}'
- '{{ nginx__python__dependent_packages2 }}'
- role: ldap
tags: [ 'role::ldap', 'skip::ldap' ]
ldap__dependent_tasks:
- '{{ sudo__ldap__dependent_tasks }}'
- role: sudo
tags: [ 'role::sudo', 'skip::sudo' ]
- role: ferm
tags: [ 'role::ferm', 'skip::ferm' ]
ferm__dependent_rules:
- '{{ nginx__ferm__dependent_rules }}'
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]
nginx__dependent_maps:
- '{{ docker_registry__nginx__dependent_maps }}'
nginx__dependent_upstreams:
- '{{ docker_registry__nginx__dependent_upstreams }}'
nginx__dependent_htpasswd:
- '{{ docker_registry__nginx__dependent_htpasswd }}'
nginx__dependent_servers:
- '{{ docker_registry__nginx__dependent_servers }}'
- role: golang
tags: [ 'role::golang', 'skip::golang' ]
when: docker_registry__upstream|bool
- role: docker_registry
tags: [ 'role::docker_registry', 'skip::docker_registry' ]
Authentication
docker_registry__basic_auth_except_get
allows an easy yet auditable
write access control to the registry. To use it, set the variable to True
.
Additionally, you need to define the hosts or networks to require authentication for.
This is basically a workaround because the Docker Server first does a GET
request and if it goes though, it will not provide authentication. But we
always allow read only requests without authentication so we need to force
authentication like this:
nginx__custom_config:
- name: 'geo_force_authentication'
custom: |
## This is not security related. It just triggers Docker that it may authenticate itself.
geo $force_authentication {
default 0;
2001:db8:2342::/64 1;
}
Then define the users which should be created and allowed write access:
docker_registry__basic_auth_users:
- 'build-docker-debian-base-image'
Refer to debops.secret for details.
You can then use docker login docker-registry.example.net to login. This step is manually for now.
Other resources
List of other useful resources related to the debops.docker_registry
Ansible role:
Docker Registry configuration documentation
GitLab Container Registry documentation