debops.docker_registry default variables
Sections
APT packages
- docker_registry__base_packages
List of APT packages required for Docker Registry service.
docker_registry__base_packages: '{{ ["docker-registry"]
if (not docker_registry__upstream | bool)
else [] }}'
- docker_registry__packages
List of additional APT packages to install with Docker Registry.
docker_registry__packages: []
- docker_registry__version
The version of the installed Docker Registry. This variable is defined automatically by the Ansible local facts and doesn't have to be set manually. You can use this variable in conditional configuration.
docker_registry__version: '{{ ansible_local.docker_registry.version | d("0.0.0") }}'
UNIX environment
- docker_registry__user
Name of the UNIX account which will be used by the Docker Registry service.
docker_registry__user: 'docker-registry'
- docker_registry__group
Name of the UNIX group which will be used as the primary group of the Docker Registry service.
docker_registry__group: 'docker-registry'
- docker_registry__additional_groups
List of additional UNIX groups to which the Docker Registry UNIX account should belong.
docker_registry__additional_groups:
- '{{ ansible_local.redis_server.auth_group | d([]) }}'
- docker_registry__home
Path of the UNIX home directory of the Docker Registry service. This is the default path used by the Debian docker-registry APT package.
docker_registry__home: '/var/lib/docker-registry'
- docker_registry__comment
The GECOS field of the Docker Registry UNIX account.
docker_registry__comment: 'Docker Registry'
- docker_registry__shell
The default shell used by the Docker Registry UNIX account.
docker_registry__shell: '/usr/sbin/nologin'
Docker Registry upstream installation
- docker_registry__distribution_release
This variable defines the OS release used to determine if an upstream Docker Registry needs to be installed.
docker_registry__distribution_release: '{{ ansible_local.core.distribution_release | d(ansible_distribution_release) }}'
- docker_registry__upstream
Enable or disable installation of the docker-registry command from the upstream git repository.
docker_registry__upstream: '{{ True
if (docker_registry__distribution_release in
["stretch", "trusty", "xenial"])
else False }}'
- docker_registry__src
Path where source repositories will be stored.
docker_registry__src: '{{ docker_registry__home + "/src" }}'
- docker_registry__gopath
Path where Go package builds and cache will be stored.
docker_registry__gopath: '{{ docker_registry__home + "/go" }}'
- docker_registry__git_dest
Path where the Docker Registry upstream repository will be checked out.
docker_registry__git_dest: '{{ docker_registry__gopath + "/src/"
+ docker_registry__git_repo.split("://")[1] }}'
- docker_registry__git_dir
Path where the Docker Registry .git/ directory will be stored.
docker_registry__git_dir: '{{ docker_registry__src + "/" + docker_registry__git_repo.split("://")[1] }}'
- docker_registry__git_gpg_key
The fingerprint of the GPG key used to sign Docker Registry upstream releases.
docker_registry__git_gpg_key: '8C7A 111C 2110 5794 B0E8 A27B F58C 5D0A 4405 ACDB'
- docker_registry__git_repo
The URL of the upstream Docker Registry git repository.
docker_registry__git_repo: 'https://github.com/docker/distribution'
- docker_registry__git_version
The branch/tag of the Docker Registry git repository to check out.
docker_registry__git_version: 'v2.7.1'
- docker_registry__binary
The absolute path where the Docker Registry upstream binary will be installed to; alternatively, the path of the Docker Registry binary installed by the APT package.
docker_registry__binary: '{{ "/usr/local/bin/docker-registry"
if docker_registry__upstream | bool
else "/usr/bin/docker-registry" }}'
Web server configuration
- docker_registry__fqdn
The Fully Qualified Domain Name of the Docker Registry service.
docker_registry__fqdn: 'registry.{{ docker_registry__domain }}'
- docker_registry__domain
The DNS domain used as a base for the Docker Registry FQDN address.
docker_registry__domain: '{{ ansible_domain }}'
- docker_registry__backend_port
The TCP port on which the Docker Registry backend service listens for connections.
docker_registry__backend_port: '5070'
- docker_registry__allow
List of IP addresses or CIDR subnets which are allowed by the webserver to connect to the Docker Registry service. If this list is empty, anybody can connect to and access the service.
# An empty list means the nginx frontend applies no source-address
# restriction; access control then relies on the HTTP Basic Auth or
# token-based authentication settings defined below.
docker_registry__allow: []
- docker_registry__max_upload_size
Specify the maximum size of an upload allowed by the webserver. If set to 0, the maximum limit is disabled.
docker_registry__max_upload_size: '4G'
- docker_registry__basic_auth
Enable or disable HTTP Basic Authentication in the webserver frontend. If token-based authentication (by default the GitLab Container Registry integration) is enabled, the internal HTTP Basic Auth is disabled.
docker_registry__basic_auth: '{{ False
if docker_registry__token_enabled | bool
else True }}'
- docker_registry__basic_auth_realm
The HTTP Basic Auth realm used by Docker Registry service.
docker_registry__basic_auth_realm: 'Docker Registry'
- docker_registry__basic_auth_name
Name of the htpasswd file stored in the /etc/nginx/private/ directory which contains the HTTP Basic Auth credentials.
docker_registry__basic_auth_name: 'docker-registry'
- docker_registry__basic_auth_users
List of user accounts which will be allowed access to the Docker Registry service via HTTP Basic Auth. The passwords will be automatically generated by the debops.nginx role and stored in the secret/ directory on the Ansible Controller. See the debops.secret role for more details.
docker_registry__basic_auth_users: '{{ ansible_local.core.admin_users | d([]) }}'
- docker_registry__basic_auth_except_get
If True, GET requests will not require authentication. Even with successful authentication, Docker images can only be pushed to a path that includes the machine's hostname, which provides some audit chain back to the build server that built the image.
# When True, the nginx '/v2/' location below grants GET and HEAD requests
# without credentials; all other methods (pushes) still require Basic Auth
# and are only granted when the first path component after '/v2/' equals
# the authenticated $remote_user.
docker_registry__basic_auth_except_get: False
Filesystem storage configuration
- docker_registry__storage_dir
Absolute path of the local filesystem storage directory used by the Docker Registry service.
docker_registry__storage_dir: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/" + docker_registry__user + "/storage" }}'
- docker_registry__storage_mode
The UNIX permissions of the local filesystem storage directory.
docker_registry__storage_mode: '0755'
Redis Server integration
- docker_registry__redis_enabled
Enable or disable support for Redis Server cache.
docker_registry__redis_enabled: '{{ ansible_local.redis_server.installed | d() | bool }}'
- docker_registry__redis_host
The FQDN address of the Redis Server instance to use by Docker Registry.
docker_registry__redis_host: '127.0.0.1'
- docker_registry__redis_port
The TCP port of the Redis Server instance which should be used by Docker Registry.
docker_registry__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
- docker_registry__redis_password
The password of the Redis Server instance which should be used by Docker Registry.
docker_registry__redis_password: '{{ ansible_local.redis_server.password | d("") }}'
- docker_registry__redis_db
The Redis Server database ID to use by the Docker Registry.
docker_registry__redis_db: 0
Token-based authentication
The Docker Registry supports token-based authentication, which allows external services to authenticate Docker clients to the Registry.
By default GitLab is used as the authentication service, but other roles that implement the needed Ansible local facts can be used as well. Specify the role name in this variable to use its facts as a data source.
docker_registry__token_provider: 'gitlab'
- docker_registry__token_enabled
Enable or disable support for token-based authentication.
docker_registry__token_enabled: '{{ True
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
(ansible_local[docker_registry__token_provider].registry | d()) | bool)
else False }}'
- docker_registry__token_fqdn
The Fully Qualified Domain Name of the authentication service website. This will be used to redirect HTTP clients that open the main page of Docker Registry, pointing them to a useful user interface instead.
docker_registry__token_fqdn: '{{ ansible_local[docker_registry__token_provider].fqdn
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].fqdn | d())
else ("code." + docker_registry__domain) }}'
- docker_registry__token_realm_url
The URL of the authentication service API endpoint, passed to the Docker clients. The clients can use this URL to request signed authentication tokens from the authentication service.
docker_registry__token_realm_url: '{{ ansible_local[docker_registry__token_provider].registry_token_realm_url
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].registry_token_realm_url | d())
else "" }}'
- docker_registry__token_issuer
The authentication service token issuer string, included in the issued tokens. This value needs to be the same in the authentication service configuration file.
docker_registry__token_issuer: '{{ ansible_local[docker_registry__token_provider].registry_token_issuer
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].registry_token_issuer | d())
else "" }}'
- docker_registry__token_service
Name of the authentication service in Docker Registry, used in the URLs passed to the authentication source API endpoint.
docker_registry__token_service: '{{ ansible_local[docker_registry__token_provider].registry_token_service
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].registry_token_service | d())
else "" }}'
- docker_registry__token_pki_path
The absolute path to the root of the PKI infrastructure, managed by the debops.pki Ansible role.
docker_registry__token_pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
- docker_registry__token_pki_realm
Name of the PKI realm used by the authentication service to sign the authentication tokens that provide access to the Docker Registry.
docker_registry__token_pki_realm: '{{ ansible_local[docker_registry__token_provider].registry_pki_realm
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].registry_pki_realm | d())
else "domain" }}'
- docker_registry__token_pki_crt
The name of the file in the PKI realm which contains the X.509 certificate.
docker_registry__token_pki_crt: 'default.crt'
- docker_registry__token_certificate
Absolute path of the file which contains the X.509 certificate used by Docker Registry to verify the tokens that are signed by the authentication service and presented by the Docker clients.
docker_registry__token_certificate: '{{ docker_registry__token_pki_path + "/"
+ docker_registry__token_pki_realm + "/"
+ docker_registry__token_pki_crt }}'
Docker Registry configuration
The variables below define configuration of the Docker Registry service. See docker_registry__config for more details.
- docker_registry__config_file
Absolute path of the Docker Registry configuration file.
docker_registry__config_file: '/etc/docker/registry/config.yml'
- docker_registry__original_config
The original configuration of the Docker Registry service. Based on: https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml
docker_registry__original_config:
- name: 'original-config'
config:
version: '0.1'
log:
fields:
service: 'registry'
storage:
cache:
blobdescriptor: 'inmemory'
http:
addr: ':5000'
headers:
'X-Content-Type-Options': [ 'nosniff' ]
health:
storagedriver:
enabled: True
interval: '10s'
threshold: 3
- name: 'original-storage'
config:
storage:
filesystem:
rootdirectory: '/var/lib/registry'
- docker_registry__default_config
Default configuration for Docker Registry defined by the role.
docker_registry__default_config:
- name: 'default-http'
config:
http:
addr: '127.0.0.1:{{ docker_registry__backend_port }}'
- name: 'original-storage'
state: 'absent'
- name: 'default-storage'
config:
storage:
filesystem:
rootdirectory: '{{ docker_registry__storage_dir }}'
delete:
enabled: True
- name: 'default-redis'
state: '{{ "present" if docker_registry__redis_enabled | bool else "absent" }}'
config:
redis:
addr: '{{ docker_registry__redis_host + ":" + docker_registry__redis_port }}'
password: '{{ docker_registry__redis_password }}'
db: '{{ docker_registry__redis_db }}'
storage:
cache:
blobdescriptor: 'redis'
- name: 'default-token'
state: '{{ "present" if docker_registry__token_enabled | bool else "absent" }}'
config:
auth:
token:
realm: '{{ docker_registry__token_realm_url }}'
issuer: '{{ docker_registry__token_issuer }}'
service: '{{ docker_registry__token_service }}'
rootcertbundle: '{{ docker_registry__token_certificate }}'
- docker_registry__config
The Docker Registry configuration defined on all hosts in the Ansible inventory.
docker_registry__config: []
- docker_registry__group_config
The Docker Registry configuration defined on hosts in a specific Ansible inventory group.
docker_registry__group_config: []
- docker_registry__host_config
The Docker Registry configuration defined on specific hosts in the Ansible inventory.
docker_registry__host_config: []
- docker_registry__combined_config
The variable which combines all of the other Docker Registry configuration variables and is used in the configuration template.
docker_registry__combined_config: '{{ docker_registry__original_config
+ docker_registry__default_config
+ docker_registry__config
+ docker_registry__group_config
+ docker_registry__host_config }}'
Garbage collector configuration
- docker_registry__garbage_collector_enabled
Enable or disable support for Docker Registry garbage collector script.
docker_registry__garbage_collector_enabled: True
- docker_registry__garbage_collector_interval
Specify the interval at which the Docker Registry UNIX account will perform garbage collection using a cron script. Supported intervals: hourly, daily, weekly, monthly.
docker_registry__garbage_collector_interval: 'daily'
Configuration for other Ansible roles
- docker_registry__etc_services__dependent_list
Configuration for the debops.etc_services Ansible role.
docker_registry__etc_services__dependent_list:
- name: 'docker-registry'
port: '{{ docker_registry__backend_port }}'
comment: 'Docker Registry'
- docker_registry__keyring__dependent_gpg_keys
Configuration for the debops.keyring Ansible role.
docker_registry__keyring__dependent_gpg_keys:
- user: '{{ docker_registry__user }}'
group: '{{ docker_registry__group }}'
home: '{{ docker_registry__home }}'
id: '{{ docker_registry__git_gpg_key }}'
state: '{{ "present" if docker_registry__upstream | bool else "absent" }}'
- docker_registry__python__dependent_packages3
Configuration for the debops.python Ansible role.
docker_registry__python__dependent_packages3:
- 'python3-yaml'
- docker_registry__python__dependent_packages2
Configuration for the debops.python Ansible role.
docker_registry__python__dependent_packages2:
- 'python-yaml'
- docker_registry__nginx__dependent_maps
Map configuration for the debops.nginx Ansible role.
docker_registry__nginx__dependent_maps:
- name: 'docker_registry_headers'
map: '$upstream_http_docker_distribution_api_version $docker_distribution_api_version'
mapping: |
'' 'registry/2.0';
state: 'present'
- docker_registry__nginx__dependent_upstreams
Upstream configuration for the debops.nginx Ansible role.
docker_registry__nginx__dependent_upstreams:
- name: 'docker-registry'
server: '127.0.0.1:{{ docker_registry__backend_port }}'
- docker_registry__nginx__dependent_htpasswd
HTTP Basic Auth password configuration for the debops.nginx Ansible role.
docker_registry__nginx__dependent_htpasswd:
name: '{{ docker_registry__basic_auth_name }}'
users: '{{ docker_registry__basic_auth_users }}'
- docker_registry__nginx__dependent_servers
Server configuration for the debops.nginx Ansible role.
docker_registry__nginx__dependent_servers:
- name: '{{ docker_registry__fqdn }}'
filename: 'debops.docker_registry'
allow: '{{ docker_registry__allow }}'
auth_basic: '{{ False
if (docker_registry__basic_auth_except_get | bool)
else (docker_registry__basic_auth | bool) }}'
auth_basic_realm: '{{ docker_registry__basic_auth_realm }}'
auth_basic_name: '{{ docker_registry__basic_auth_name }}'
options: |
client_max_body_size {{ docker_registry__max_upload_size }};
# required to avoid error HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
chunked_transfer_encoding on;
location_list:
- pattern: '/'
options: |
{% if docker_registry__token_enabled | bool %}
return 307 $scheme://{{ docker_registry__token_fqdn }}/;
{% else %}
return 307 /v2/;
{% endif %}
- pattern: '/v2/'
options: | # noqa jinja[spacing]
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
{% if docker_registry__basic_auth_except_get | bool %}
set $auth_basic "{{ docker_registry__basic_auth_realm }}";
if ($request_method ~* "^(GET|HEAD)$") {
set $auth_basic "off";
}
if ($force_authentication) {
set $auth_basic "{{ docker_registry__basic_auth_realm }}";
}
auth_basic $auth_basic;
auth_basic_user_file {{ nginx_private_path + "/" + docker_registry__basic_auth_name }};
set $auth_status "deny";
if ($request_uri ~* "^/v2/([^/]+)/") {
set $user_path $1;
}
if ($remote_user = $user_path) {
set $auth_status "grant";
}
if ($request_method ~* "^(GET|HEAD)$") {
set $auth_status "grant";
}
if ($auth_status != "grant") {
return 401;
}
{% endif %}
# If $docker_distribution_api_version is empty, the header will not be added.
# See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
state: 'present'