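# Install the Go toolchain used to build the registry, then put it on PATH.
# Version and target are parameters so the same snippet works on other hosts.
GO_VERSION="${GO_VERSION:-1.17.8}"
GO_ARCH="${GO_ARCH:-linux-armv6l}"
GO_TARBALL="go${GO_VERSION}.${GO_ARCH}.tar.gz"

# Download the tarball and its published SHA-256 and verify before touching
# /usr/local/go, so a truncated or tampered download never replaces a working
# toolchain. (The sum comes from the same origin as the archive, so this catches
# corruption and transit errors; it is not a substitute for signature checks.)
# The .sha256 file is expected to hold the hex digest first; awk takes field 1
# whether or not a filename follows it.
curl -fsSLO "https://go.dev/dl/${GO_TARBALL}" \
  && curl -fsSL "https://go.dev/dl/${GO_TARBALL}.sha256" -o "${GO_TARBALL}.sha256" \
  && printf '%s  %s\n' "$(awk '{print $1}' "${GO_TARBALL}.sha256")" "${GO_TARBALL}" | sha256sum -c - \
  && sudo rm -rf /usr/local/go \
  && sudo tar -C /usr/local -xzf "${GO_TARBALL}"
rm -f -- "${GO_TARBALL}" "${GO_TARBALL}.sha256"

# Append the PATH entries only once; the grep guard keeps re-runs from
# duplicating the block in ~/.profile. The heredoc is quoted on purpose so
# $HOME/$PATH are written literally and expanded at login, not now.
if ! grep -qF '/usr/local/go/bin' ~/.profile 2>/dev/null; then
  cat <<'EOF' >> ~/.profile
if [ -d "$HOME/go/bin" ] ; then
PATH="$HOME/go/bin:$PATH"
fi
if [ -d "/usr/local/go/bin" ] ; then
PATH="$PATH:/usr/local/go/bin"
fi
EOF
fi
source ~/.profile

# Build the registry and digest binaries into ~/go/bin. Go 1.17 deprecates
# `go get` for installing binaries in favour of `go install <pkg>@<version>`;
# kept as written here, but pin a release rather than tracking the default branch
# when you move this to a reproducible build.
go get github.com/distribution/distribution/cmd/registry
go get github.com/distribution/distribution/cmd/digest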
Check or set custom region name, for example eu-home-1
Create new bucket, for example registry
Create new user, for example registry
Assign the IAM policy below to the registry user (full access to one specific bucket)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::registry"
]
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::registry/*"
]
}
]
}
Create working directory
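# Working directory for the certificates and config. -p makes re-runs safe and
# the && stops us from carrying on in the wrong directory if cd fails.
mkdir -p -- "$HOME/registry" && cd -- "$HOME/registry"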
Create the required TLS certificates
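# Issue a leaf certificate for the registry's IP and hostnames, then copy the
# mkcert root CA next to it so clients can be pointed at ca.pem.
mkcert -cert-file registry.pem -key-file registry-key.pem 192.168.1.100 docker-registry registry
# Ask mkcert where its CA lives instead of assuming ~/.local/share/mkcert;
# the copy only runs if the query succeeds.
ca_root="$(mkcert -CAROOT)" && cp -- "${ca_root}/rootCA.pem" ./ca.pem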
Check that the mkcert CA is in the system trust store (optional)
# Print the subject of every certificate in the system bundle and keep only the
# mkcert one; no output means the mkcert CA is not trusted system-wide.
# (Bundle path as on Debian/Ubuntu; adjust for other distributions.)
show_subject='openssl x509 -noout -subject'
awk -v cmd="$show_subject" '/BEGIN/ { close(cmd) } { print | cmd }' \
  < /etc/ssl/certs/ca-certificates.crt \
  | grep -i -- 'mkcert'
Create a new registry.yaml file
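# Registry configuration. Nesting restored to the two-space layout of the
# registry configuration reference (linked at the end of this page); the
# flattened form does not parse.
version: 0.1
log:
  formatter: text
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  s3:
    accesskey: registry # replace with user access key
    secretkey: registry # replace with user secret key (this file then holds a credential; keep it root-only)
    region: eu-home-1 # replace with region
    regionendpoint: https://192.168.1.100:9000 # replace with minio api endpoint
    bucket: registry # replace with bucket name
  delete:
    enabled: true
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
http:
  addr: :5000
  secret: registry # generate your own secret: a long random value, not a guessable word
  draintimeout: 60s
  tls:
    certificate: registry.pem # change path to certificate (relative paths resolve from the working directory)
    key: registry-key.pem # change path to key
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3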
If no S3 storage is needed, replace the s3 section in the config above with filesystem:
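# Local-disk alternative to the s3 block (nesting restored; the flattened form does not parse).
storage:
  filesystem:
    rootdirectory: /var/lib/registry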
Enable the proxy (pull-through cache) if needed
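# Pull-through cache of Docker Hub (nesting restored; the flattened form does not parse).
# Replace the bracketed placeholders; the file then holds Docker Hub credentials,
# so keep it readable by root only.
proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]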
# Foreground test run from ~/registry: the certificate and key paths in
# registry.yaml are relative, so run it from the directory that holds them.
registry serve registry.yaml
Create working directory
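# Install the binary, certificates and config under /opt/registry with explicit
# modes instead of whatever cp inherits from the working copies.
sudo mkdir -p /opt/registry
sudo install -m 0755 ~/go/bin/registry /opt/registry/registry
sudo install -m 0644 ca.pem registry.pem /opt/registry/
# The private key and the config (which carries the S3 and HTTP secrets) are
# readable by root only; the unit below has no User= line, so the service runs
# as root and can still read them.
sudo install -m 0600 registry-key.pem registry.yaml /opt/registry/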
# Write the systemd unit. The heredoc delimiter is quoted so $MAINPID reaches
# the file literally and is expanded by systemd, not by this shell.
# ExecStart uses a relative config path, which works because WorkingDirectory
# points at /opt/registry.
sudo tee /etc/systemd/system/docker-registry.service > /dev/null <<'EOF'
[Unit]
Description=Docker Registry
After=syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
[Service]
Type=simple
EnvironmentFile=-/etc/default/docker-registry
ExecStart=/opt/registry/registry serve registry.yaml
ExecReload=/bin/kill -s HUP $MAINPID
LimitMEMLOCK=infinity
Restart=always
RestartSec=5
WorkingDirectory=/opt/registry
[Install]
WantedBy=multi-user.target
EOF
# The unit runs as root as written; User=, NoNewPrivileges= and ProtectSystem=
# are the usual directives to reach for when hardening it.
Feel free to harden it as you wish
# Register, enable and start the unit, then show its state.
unit=docker-registry.service
sudo systemctl daemon-reload          # pick up the new unit file
sudo systemctl enable "$unit"         # start at boot
sudo systemctl start "$unit"
sudo systemctl status "$unit"         # confirm it is active
Add to the /etc/docker/daemon.json file
{
"registry-mirrors": ["https://192.168.1.100:5000"]
}
Pushing to a registry configured as a pull-through cache is unsupported.
ref. https://docs.docker.com/registry/configuration/#proxy
Workarounds:
- another docker registry without proxy configured
- temporarily disable proxy configuration
Docker Registry Configuration Reference