@williamcaban
Last active September 14, 2021 23:08
podman-based systemd container registry

Stand-alone Container Registry

  • Complete 01-prerequisites.md
  • Copy poc-registry.service to /etc/systemd/system/poc-registry.service
  • chmod 664 /etc/systemd/system/poc-registry.service
  • systemctl daemon-reload
  • podman pull docker.io/library/registry:2
  • systemctl enable --now poc-registry
  • systemctl status poc-registry
  • Update the pull secret so the cluster can authenticate to the local registry: 02-create-pull-secret.md

Containerized local Container Registry Server

The following instructions use /opt/registry for the locations of the volumes of the container registry.

  1. Create folders for registry

    mkdir -p /opt/registry/{auth,certs,data}
    
  2. Generate a self-signed certificate

     The registry's DNS name must be in the certificate's subjectAltName, not only in the CN: podman and OpenShift (Go TLS) reject certificates that rely on the legacy Common Name field. Replace bastion.example.com with the name clients will use to reach the registry (it must match the host used in image references and in the pull secret). The -addext option requires OpenSSL 1.1.1 or later. Keep domain.key readable by root only.

    cd /opt/registry/certs
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 \
      -subj "/CN=bastion.example.com" \
      -addext "subjectAltName=DNS:bastion.example.com" \
      -out domain.crt
    
  3. Generate username and password (the registry only honours bcrypt-formatted passwords, hence -B)

    htpasswd -bBc /opt/registry/auth/htpasswd dummy dummy

    NOTE: -b takes the password from the command line, where it ends up in shell history; omit it to be prompted interactively. If htpasswd is not available, install the HTTP tools: yum -y install httpd-tools

  4. Install and run the poc-registry.service:

    cp poc-registry.service /etc/systemd/system/poc-registry.service
    
    # Use the fully-qualified image name so podman does not resolve the short name
    # "registry" against its search list of registries
    podman pull docker.io/library/registry:2
    
    systemctl daemon-reload
    
    systemctl start poc-registry
    systemctl status poc-registry
    systemctl enable poc-registry
    
  5. (if needed) Open port 5000 in the firewall zones that face the cluster nodes. Only open the public zone if the registry really has to be reachable from there.

    firewall-cmd --add-port=5000/tcp --zone=internal --permanent
    firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    firewall-cmd --reload
    
  6. Verify that the registry is up with curl. Validate the TLS certificate against the self-signed certificate instead of disabling verification with -k: with -k a successful response only proves the port is reachable, not that TLS is set up correctly for the hostname.

    curl -u dummy:dummy --cacert /opt/registry/certs/domain.crt https://bastion.example.com:5000/v2/_catalog
    
    # NOTE: It should return an empty repository list: {"repositories":[]}
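Before starting the registry it is worth checking the htpasswd file from step 3, because the registry's htpasswd backend honours only bcrypt entries: a user created with htpasswd -m (MD5) or -s (SHA-1) is silently ignored and every login for that user fails with 401. The checker below is an added example, not part of the gist; the digests in its constructed sample file are placeholders of the right shape, not real hashes of any password.

```python
import re

# bcrypt modular-crypt string: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char hash (53 chars)
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$")

# Constructed sample htpasswd file (placeholder digests, not real hashes):
# one bcrypt entry (htpasswd -B), one MD5 entry (htpasswd -m), one SHA-1 entry
# (htpasswd -s) and one malformed line.
SAMPLE_HTPASSWD = "\n".join([
    "dummy:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
    "legacy:$apr1$saltsalt$abcdefghijklmnopqrstuv",
    "sha1user:{SHA}ABCDEFGHIJKLMNOPQRSTUVWXYZ01=",
    "broken-line-without-separator",
    "",
])


def check_htpasswd(text: str) -> dict:
    """Return {username: 'ok' | reason} for every entry in an htpasswd file."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            result[f"line {lineno}"] = "malformed: expected user:hash"
            continue
        if BCRYPT_RE.match(digest):
            result[user] = "ok"
        else:
            # registry:2 skips non-bcrypt entries when loading the file
            result[user] = "rejected: not a bcrypt hash (recreate with htpasswd -B)"
    return result


def registry_users(text: str) -> list:
    """Usernames the registry will actually accept from this file."""
    return sorted(u for u, status in check_htpasswd(text).items() if status == "ok")


if __name__ == "__main__":
    import sys
    # Run as: python3 check_htpasswd.py /opt/registry/auth/htpasswd
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTPASSWD
    for user, status in check_htpasswd(data).items():
        print(f"{user}: {status}")
```

Run it against /opt/registry/auth/htpasswd after every htpasswd invocation; only users reported as ok will be able to podman login.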
    

Create pull secret for new registry

  1. Download the pull-secret.json or retrieve it from the existing cluster

    # To retrieve from cluster
    oc -n openshift-config get secret pull-secret --output="jsonpath={.data.\.dockerconfigjson}" | base64 -d | jq . > pull-secret.json

  2. Add the credentials of the local registry to the pull-secret.json file

    # Example user and password
    # NOTE: base64 is an encoding, not encryption; the credential is protected only by the
    # RBAC on the secret. Use echo -n so the trailing newline is not encoded, otherwise the
    # registry receives "dummy:dummy\n" and rejects the login.
    echo -n "dummy:dummy" | base64 -w0
    ZHVtbXk6ZHVtbXk=

    # Edit pull-secret.json. The key must be exactly the host:port used in image references
    # (bastion.example.com:5000 in the tests below), with no scheme prefix.
    vi pull-secret.json

      ...
      "auths": {
        "registry.example.com:5000": {
           "auth": "ZHVtbXk6ZHVtbXk=",
           "email": "[email protected]"
        },
        ...

    # (Alternative) Create a pull-secret.json or ~/.docker/config.json
    # with the following information
    {
        "auths": {
          "registry.example.com:5000": {
             "auth": "ZHVtbXk6ZHVtbXk=",
             "email": "[email protected]"
            }
        }
    }

  3. Test the registry is operational
#####################################
# Test login to the registry
#####################################

$ podman login bastion.example.com:5000
Username: dummy
Password:
Login Succeeded!

#####################################
# Test pushing a container image
#####################################

# Get an image
$ podman pull registry.access.redhat.com/ubi8/ubi-minimal
Trying to pull registry.access.redhat.com/ubi8/ubi-minimal...Getting image source signatures
Copying blob sha256:ed6b7e8623ef8ca893d44d01fc88999684cc0209bc48cd71c6b5a696ed1d60f5
 32.50 MB / ? [-------------------------------------------------=----------] 3s
Copying blob sha256:5b86d995ed7f224d4e810d76a4a7a87702338f37abbd7df916f99e1549e1f68d
 1.41 KB / ? [-----------------------------------------=-------------------] 0s
Copying config sha256:3bfa511b67f82778ace94aaedb7da39d353f33eabc9ae24abad47805b6cef9c3
 4.28 KB / 4.28 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
3bfa511b67f82778ace94aaedb7da39d353f33eabc9ae24abad47805b6cef9c3

# Tag image with local registry
$ podman tag registry.access.redhat.com/ubi8/ubi-minimal:latest bastion.example.com:5000/ubi8/ubi-minimal:latest

# Push image to local registry
$ podman push bastion.example.com:5000/ubi8/ubi-minimal:latest
Getting image source signatures
Copying blob sha256:62373019ab2eec9b927fd44c87720cd05f675888d11903581e60edeec3d985c2
 87.44 MB / 87.44 MB [=====================================================] 10s
Copying blob sha256:44d5dd834e48e686666301fbc4478baecb1e68ec5eb289b80c096f78da30977d
 20.00 KB / 20.00 KB [======================================================] 0s
Copying config sha256:3bfa511b67f82778ace94aaedb7da39d353f33eabc9ae24abad47805b6cef9c3
 4.28 KB / 4.28 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
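Editing the pull secret by hand is where most mistakes happen (a trailing newline in the auth value, a scheme in the key, an accidentally replaced existing entry). The script below is an added example, not part of the gist: it merges a registry credential into an existing pull secret exactly as the echo -n / vi steps do, and validates every entry before the file is handed to oc. The sample pull secret and its quay.io credential are constructed for the example; dummy:dummy and the registry host come from the steps above.

```python
import base64
import copy
import json

# The one auths key that legitimately carries a scheme (legacy Docker Hub entry)
DOCKER_HUB_LEGACY_KEY = "https://index.docker.io/v1/"


def encode_auth(user: str, password: str) -> str:
    """Equivalent of `echo -n "user:pass" | base64 -w0` (no trailing newline encoded)."""
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def validate_auth_entry(registry: str, entry) -> list:
    """Problems with one `auths` entry; an empty list means it is usable."""
    problems = []
    if "://" in registry and registry != DOCKER_HUB_LEGACY_KEY:
        problems.append(f"{registry}: key must be host[:port] as used in image references, without a scheme")
    if not isinstance(entry, dict) or "auth" not in entry:
        problems.append(f"{registry}: missing 'auth' field")
        return problems
    try:
        decoded = base64.b64decode(entry["auth"], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        problems.append(f"{registry}: 'auth' is not valid base64")
        return problems
    if decoded != decoded.rstrip("\r\n"):
        problems.append(f"{registry}: 'auth' encodes a trailing newline (generate it with echo -n)")
    if ":" not in decoded.rstrip("\r\n"):
        problems.append(f"{registry}: 'auth' must decode to user:password")
    return problems


def validate_pull_secret(pull_secret) -> list:
    """Collect problems across all entries of a .dockerconfigjson document."""
    auths = pull_secret.get("auths") if isinstance(pull_secret, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ["pull secret has no 'auths' map"]
    problems = []
    for registry, entry in auths.items():
        problems.extend(validate_auth_entry(registry, entry))
    return problems


def merge_pull_secret(pull_secret: dict, registry: str, user: str, password: str, email: str = "") -> dict:
    """Return a copy of pull_secret with an entry for `registry` added or replaced; other entries are kept."""
    merged = copy.deepcopy(pull_secret)
    entry = {"auth": encode_auth(user, password)}
    if email:
        entry["email"] = email
    merged.setdefault("auths", {})[registry] = entry
    return merged


# Constructed sample of what `oc get secret pull-secret ... | base64 -d` returns;
# the quay.io credential is fake.
SAMPLE_PULL_SECRET = {
    "auths": {
        "quay.io": {"auth": encode_auth("sample-user", "sample-token"), "email": "admin@example.com"},
    }
}

if __name__ == "__main__":
    updated = merge_pull_secret(SAMPLE_PULL_SECRET, "bastion.example.com:5000", "dummy", "dummy")
    problems = validate_pull_secret(updated)
    if problems:
        raise SystemExit("\n".join(problems))
    # Save this output as pull-secret.json and load it with oc as in the next section
    print(json.dumps(updated, indent=2))
```

Run validate_pull_secret on the file extracted from the cluster as well: a broken entry for any registry, not just the new one, will break pulls once the secret is reinstalled.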

Install updated pull-secret and CA

Update pull-secrets

  • Extract pull-secret.json from the running cluster (and merge the local registry entry into it as described above)
oc -n openshift-config get secret pull-secret \
--output="jsonpath={.data.\.dockerconfigjson}" | base64 -d > pull-secret.json 
  • Replace the cluster-level pull-secret with the updated pull-secret.json. Deleting and recreating leaves a short window in which the cluster has no pull secret; where it is available, oc set data on secret/pull-secret updates it in place instead.
oc delete -n openshift-config secret pull-secret
oc create -n openshift-config secret generic pull-secret \
    --from-file=.dockerconfigjson=pull-secret.json \
    --type=kubernetes.io/dockerconfigjson

Update Trusted Certificates

  • Create ConfigMap with Additional Trusted Certificates
# For each CA file, the ConfigMap key is the registry hostname with the port (if any)
# separated by ".." instead of ":" (hostname..port), because ":" is not a legal
# character in a ConfigMap key. The key must match the host:port used in image references.
oc create configmap registry-ca -n openshift-config \
--from-file=registry.example.com..5000=/opt/registry/certs/domain.crt \
--from-file=otherregistry.com=/etc/docker/certs.d/otherregistry.com/ca.crt

See Setting Up Trusted CA for more info

  • Update cluster trusted CA to include ConfigMap
oc patch image.config.openshift.io/cluster  --type=merge \
--patch '{"spec":{"additionalTrustedCA":{"name":"registry-ca"}}}'
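For clusters managed declaratively, the same ConfigMap and patch body can be generated instead of being created imperatively with oc. The generator below is an added example, not part of the gist: it derives the host..port key for each registry, refuses to publish anything that is not a PEM certificate (pasting domain.key instead of domain.crt into a ConfigMap is a common and costly slip), and emits the manifest for oc apply -f. The PEM body in SAMPLE_CA_PEM is a constructed placeholder, not a real certificate.

```python
import json
import re

# Characters Kubernetes allows in a ConfigMap data key, with its 253-character limit
CONFIGMAP_KEY_RE = re.compile(r"^[-._A-Za-z0-9]{1,253}$")

# Constructed placeholder standing in for /opt/registry/certs/domain.crt; not a real certificate
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBpTCCAUsCFGV4YW1wbGUgcGxhY2Vob2xkZXIgY2VydA==\n"
    "-----END CERTIFICATE-----\n"
)


def configmap_key(registry: str) -> str:
    """host:port -> host..port; a bare hostname is used as-is."""
    host, sep, port = registry.rpartition(":")
    key = f"{host}..{port}" if sep and host and port.isdigit() else registry
    if not CONFIGMAP_KEY_RE.match(key):
        raise ValueError(f"{registry!r} does not map to a valid ConfigMap key")
    return key


def is_pem_certificate_bundle(pem: str) -> bool:
    """True for one or more CERTIFICATE blocks; anything carrying a private key is rejected."""
    if "PRIVATE KEY-----" in pem:
        return False
    begins = pem.count("-----BEGIN CERTIFICATE-----")
    return begins >= 1 and begins == pem.count("-----END CERTIFICATE-----")


def build_registry_ca_configmap(certs: dict, name: str = "registry-ca",
                                namespace: str = "openshift-config") -> dict:
    """certs maps 'host[:port]' -> PEM text; returns the ConfigMap manifest for additionalTrustedCA."""
    data = {}
    for registry, pem in certs.items():
        if not is_pem_certificate_bundle(pem):
            raise ValueError(f"{registry}: expected PEM CERTIFICATE block(s), refusing to publish this file")
        data[configmap_key(registry)] = pem
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": namespace},
        "data": data,
    }


def image_config_patch(configmap_name: str = "registry-ca") -> dict:
    """Body of the `oc patch image.config.openshift.io/cluster --type=merge` patch."""
    return {"spec": {"additionalTrustedCA": {"name": configmap_name}}}


if __name__ == "__main__":
    cm = build_registry_ca_configmap({
        "registry.example.com:5000": SAMPLE_CA_PEM,
        "otherregistry.com": SAMPLE_CA_PEM,
    })
    print(json.dumps(cm, indent=2))          # save and `oc apply -f` it
    print(json.dumps(image_config_patch()))  # value for --patch
```

In real use, read each PEM with open(path).read() for the registries you serve; the private-key guard is there precisely because domain.key sits next to domain.crt in /opt/registry/certs.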

(optional) Make CA trusted by client Linux machine

  • Copy certificate to CA Trust
cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/registry.example.com.crt
  • Update CA Trust on Linux machine
update-ca-trust 
#
# Copy (chmod 664) to /etc/systemd/system/poc-registry.service
#
# systemctl daemon-reload
# systemctl start poc-registry
# systemctl status poc-registry
# systemctl enable poc-registry
#
[Unit]
Description=OpenShift POC Container Registry
# Wait for the network to be configured; the obsolete syslog.target is not needed
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
TimeoutStartSec=5m
ExecStartPre=-/usr/bin/podman rm "poc-registry"
# REGISTRY_HTTP_SECRET signs the registry's upload-session state: replace the placeholder
# with a long random value (e.g. from openssl rand -hex 32). This unit file is world-readable
# (mode 664), so for anything beyond a POC move the -e settings into an EnvironmentFile=
# with mode 0600 rather than keeping the secret here.
ExecStart=/usr/bin/podman run --name poc-registry -p 5000:5000 \
-v /opt/registry/data:/var/lib/registry:z \
-v /opt/registry/auth:/auth:z \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
-e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /opt/registry/certs:/certs:z \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
docker.io/library/registry:2
ExecReload=-/usr/bin/podman stop "poc-registry"
ExecReload=-/usr/bin/podman rm "poc-registry"
ExecStop=-/usr/bin/podman stop "poc-registry"
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target