Skip to content

Commit c8779d9

Browse files
Ramkumar Chinchanirchincha
authored andcommitted
doc: add initial documentation for configuration options
We have built a long list of features and the documentation for users is only available under examples/ Add a examples/README.md to further explain various configuration options. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
1 parent 609d85d commit c8779d9

2 files changed

Lines changed: 248 additions & 14 deletions

File tree

README.md

Lines changed: 2 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ https://anuvu.github.io/zot/
1717
* Uses [OCI image layout](https://github.com/opencontainers/image-spec/blob/master/image-layout.md) for image storage
1818
* Can serve any OCI image layout as a registry
1919
* Supports [helm charts](https://helm.sh/docs/topics/registries/)
20+
* Behavior controlled via [configuration](./examples/README.md)
2021
* Supports image deletion by tag
2122
* Currently suitable for on-prem deployments (e.g. colocated with Kubernetes)
2223
* Compatible with ecosystem tools such as [skopeo](#skopeo) and [cri-o](#cri-o)
@@ -27,7 +28,7 @@ https://anuvu.github.io/zot/
2728
* TLS mutual authentication
2829
* HTTP *Basic* (local _htpasswd_ and LDAP)
2930
* HTTP *Bearer* token
30-
* [Authorization](#Authorization) Supports Identity-Based Access Control: [Configuration](./examples/config-policy.json)
31+
* Supports Identity-Based Access Control
3132
* Supports live modifications on the config file while zot is running (Authorization config only)
3233
* Doesn't require _root_ privileges
3334
* Storage optimizations:
@@ -224,15 +225,6 @@ c3/openjdk-dev commit-2674e8a-squashfs b545b8ba 321MB
224225
c3/openjdk-dev commit-d5024ec-squashfs cd45f8cf 321MB
225226
```
226227

227-
## Authorization
228-
229-
zot follows the next logic for deciding who has rights on what resource:
230-
1) First it checks the requested resource in "repositories" as specified in configuration
231-
2) Searches in all policies for the user who requested the resource
232-
3) If found, applies the policy, otherwise it falls back to the default policy for that repository
233-
4) If not found, it falls back to the adminPolicy
234-
235-
236228
# Ecosystem
237229

238230

examples/README.md

Lines changed: 246 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,247 @@
1-
You can check a configuration file validity by running the verify command:
21

3-
```console
4-
$ zot verify /path/to/config
5-
```
2+
The behavior of _zot_ registry is controlled via its configuration file, which
3+
can either be a JSON (used in details below) or YAML file.
4+
5+
```
6+
zot serve <config-file>
7+
8+
```
9+
10+
A candidate configuration file can be verified via:
11+
12+
```
13+
zot verify <config-file>
14+
15+
```
16+
17+
Examples of working configurations for various use cases are available [here](../examples/)
18+
19+
# Configuration Parameters
20+
21+
* [Network](#network)
22+
* [Storage](#storage)
23+
* [Authentication](#authentication)
24+
* [Identity-based Authorization](#identity-based-authorization)
25+
* [Logging](#logging)
26+
27+
28+
## Network
29+
30+
Configure network params with:
31+
```
32+
"http": {
33+
```
34+
35+
Configure address and port to listen on with:
36+
```
37+
"address": "127.0.0.1",
38+
"port": "5000",
39+
```
40+
41+
Additionally, TLS configuration can be specified with:
42+
43+
```
44+
"tls": {
45+
"cert":"test/data/server.cert",
46+
"key":"test/data/server.key"
47+
},
48+
```
49+
50+
The registry can be deployed as a read-only service with:
51+
52+
```
53+
"ReadOnly": false
54+
},
55+
```
56+
57+
## Storage
58+
59+
Configure storage with:
60+
61+
```
62+
"storage": {
63+
```
64+
65+
Configure storage root directory with:
66+
67+
```
68+
"rootDirectory": "/tmp/zot",
69+
```
70+
71+
Often, container images have shared layers and blobs and for filesystems that
72+
support hard links, inline deduplication can be enabled with:
73+
74+
```
75+
"dedupe": true,
76+
```
77+
78+
When an image is deleted (either by tag or reference), orphaned blobs can lead
79+
to wasted storage, and background garbage collection can be enabled with:
80+
81+
```
82+
"gc": true,
83+
```
84+
85+
It is also possible to store and serve images from multiple filesystems with
86+
their own repository paths, dedupe and garbage collection settings with:
87+
88+
```
89+
"subPaths": {
90+
"/a": {
91+
"rootDirectory": "/tmp/zot1",
92+
"dedupe": true,
93+
"gc": true
94+
},
95+
"/b": {
96+
"rootDirectory": "/tmp/zot2",
97+
"dedupe": true
98+
},
99+
"/c": {
100+
"rootDirectory": "/tmp/zot3",
101+
"dedupe": false
102+
}
103+
}
104+
},
105+
```
106+
107+
## Authentication
108+
109+
TLS mutual authentication and passphrase-based authentication are supported.
110+
111+
### TLS Mutual Authentication
112+
113+
Apart from the server cert and key specified under
114+
[network configuration](#network), specifying the _cacert_ field enables TLS mutual
115+
authentication:
116+
117+
```
118+
"http": {
119+
"tls": {
120+
"cert":"test/data/server.cert",
121+
"key":"test/data/server.key",
122+
"cacert":"test/data/cacert.cert"
123+
},
124+
```
125+
126+
### Passphrase Authentication
127+
128+
**Local authentication** is supported via htpasswd file with:
129+
130+
```
131+
"http": {
132+
"auth": {
133+
"htpasswd": {
134+
"path": "test/data/htpasswd"
135+
},
136+
```
137+
138+
**LDAP authentication** can be configured with:
139+
140+
```
141+
"http": {
142+
"auth": {
143+
"ldap": {
144+
"address":"ldap.example.org",
145+
"port":389,
146+
"startTLS":false,
147+
"baseDN":"ou=Users,dc=example,dc=org",
148+
"userAttribute":"uid",
149+
"bindDN":"cn=ldap-searcher,ou=Users,dc=example,dc=org",
150+
"bindPassword":"ldap-searcher-password",
151+
"skipVerify":false,
152+
"subtreeSearch":true
153+
},
154+
```
155+
156+
NOTE: When both htpasswd and LDAP configuration are specified, LDAP authentication is given preference.
157+
158+
**OAuth2 authentication** (client credentials grant type) support via _Bearer Token_ configured with:
159+
160+
```
161+
"http": {
162+
"auth": {
163+
"bearer": {
164+
"realm": "https://auth.myreg.io/auth/token",
165+
"service": "myauth",
166+
"cert": "/etc/zot/auth.crt"
167+
}
168+
```
169+
170+
#### Authentication Failures
171+
172+
Should authentication fail, to prevent automated attacks, a delayed response can be configured with:
173+
174+
```
175+
"http": {
176+
"auth": {
177+
"failDelay": 5
178+
```
179+
180+
## Identity-based Authorization
181+
182+
Allowing actions on one or more repository paths can be tied to user
183+
identities. An additional per-repository default policy can be specified for
184+
identities not in the whitelist. Furthermore, a global admin policy can also be
185+
specified which can override per-repository policies.
186+
187+
```
188+
"accessControl": {
189+
"repos1/repo": {
190+
"policies": [
191+
{
192+
"users": ["alice", "bob"],
193+
"actions": ["create", "read", "update", "delete"]
194+
},
195+
{
196+
"users": ["mallory"],
197+
"actions": ["create", "read"]
198+
}
199+
],
200+
"defaultPolicy": ["read"]
201+
},
202+
"repos2/repo": {
203+
"policies": [
204+
{
205+
"users": ["bob"],
206+
"actions": ["read", "create"]
207+
},
208+
{
209+
"users": ["mallory"],
210+
"actions": ["create", "read"]
211+
}
212+
],
213+
"defaultPolicy": ["read"]
214+
},
215+
"adminPolicy": {
216+
"users": ["admin"],
217+
"actions": ["read", "create", "update", "delete"]
218+
}
219+
}
220+
```
221+
222+
## Logging
223+
224+
Enable and configure logging with:
225+
226+
```
227+
"log":{
228+
```
229+
230+
Set log level with:
231+
232+
```
233+
"level":"debug",
234+
```
235+
236+
Set output file (default is _stdout_) with:
237+
238+
```
239+
"output":"/tmp/zot.log",
240+
```
241+
242+
Enable audit logs and set output file with:
243+
244+
```
245+
"audit": "/tmp/zot-audit.log"
246+
}
247+
```

0 commit comments

Comments
 (0)