Apache Letsencrypt Docker
Table of Contents
Next, let me briefly describe the Docker WordPress setup we are going to achieve using this guide. WordPress Setup. There is an official WordPress image for Docker. This image has a built-in webserver (Apache) and PHP. There is also a WordPress Docker-Compose example that you can use. All that is needed is a database server (MariaDB). Running Certbot with the certonly command will obtain a certificate and place it in the directory /etc/letsencrypt/live on your system. Because Certonly cannot install the certificate from within Docker, you must install the certificate manually according to the procedure recommended by the provider of your webserver. Configuring a registry. Estimated reading time: 35 minutes. The Registry configuration is based on a YAML file, detailed below. While it comes with sane default values out of the box, you should review it exhaustively before moving your systems to production. Running Certbot with the certonly command will obtain a certificate and place it in the directory /etc/letsencrypt/live on your system. Because Certonly cannot install the certificate from within Docker, you must install the certificate manually according to the procedure recommended by the provider of your webserver.
- Alternate installation methods
- Certbot-Auto
Certbot is meant to be run directly on a web server, normally by a system administrator. In most cases, running Certbot on your personal computer is not a useful option. The instructions below relate to installing and running Certbot on a server.
System administrators can use Certbot directly to request certificates; they should not allow unprivileged users to run arbitrary Certbot commands as root, because Certbot allows its user to specify arbitrary file locations and run arbitrary scripts.
Certbot is packaged for many common operating systems and web servers. Check whethercertbot (or letsencrypt) is packaged for your web server’s OS by visitingcertbot.eff.org, where you will also find the correct installation instructions foryour system.
Note
Unless you have very specific requirements, we kindly suggest that you use the installation instructions for your system found at certbot.eff.org.
Certbot currently requires Python 2.7 or 3.6+ running on a UNIX-like operatingsystem. By default, it requires root access in order to write to/etc/letsencrypt, /var/log/letsencrypt, /var/lib/letsencrypt; tobind to port 80 (if you use the standalone plugin) and to read andmodify webserver configurations (if you use the apache or nginxplugins). If none of these apply to you, it is theoretically possible to runwithout root privileges, but for most users who want to avoid running an ACMEclient as root, either letsencrypt-nosudo or simp_le are more appropriate choices.
The Apache plugin currently requires an OS with augeas version 1.0; currently itsupportsmodern OSes based on Debian, Ubuntu, Fedora, SUSE, Gentoo and Darwin.
If you are offline or your operating system doesn’t provide a package, you can usean alternate method for installing certbot.
Most modern Linux distributions (basically any that use systemd) can installCertbot packaged as a snap. Snaps are available for x86_64, ARMv7 and ARMv8architectures. The Certbot snap provides an easy way to ensure you have thelatest version of Certbot with features like automated certificate renewalpreconfigured.
You can find instructions for installing the Certbot snap athttps://certbot.eff.org/instructions by selecting your server software and thenchoosing “snapd” in the “System” dropdown menu. (You should select “snapd”regardless of your operating system, as our instructions are the same acrossall systems.)
Docker is an amazingly simple and quick way to obtain acertificate. However, this mode of operation is unable to installcertificates or configure your webserver, because our installerplugins cannot reach your webserver from inside the Docker container.
Most users should use the instructions at certbot.eff.org. You should only useDocker if you are sure you know what you are doing and have a good reason to doso.
You should definitely read the Where are my certificates? section, in order toknow how to manage the certsmanually. Our ciphersuites pageprovides some information about recommended ciphersuites. If none ofthese make much sense to you, you should definitely use the installation methodrecommended for your system at certbot.eff.org, which enables you to useinstaller plugins that cover both of those hard topics.
If you’re still not convinced and have decided to use this method, fromthe server that the domain you’re requesting a certficate for resolvesto, install Docker, then issue a command like the one found below. Ifyou are using Certbot with the Standalone plugin, you will needto make the port it uses accessible from outside of the container byincluding something like -p80:80 or -p443:443 on the commandline before certbot/certbot.
Running Certbot with the certonly command will obtain a certificate and place it in the directory/etc/letsencrypt/live on your system. Because Certonly cannot install the certificate fromwithin Docker, you must install the certificate manually according to the procedurerecommended by the provider of your webserver.
There are also Docker images for each of Certbot’s DNS plugins availableat https://hub.docker.com/u/certbot which automate doing domainvalidation over DNS for popular providers. To use one, just replacecertbot/certbot in the command above with the name of the image youwant to use. For example, to use Certbot’s plugin for Amazon Route 53,you’d use certbot/dns-route53. You may also need to add flags toCertbot and/or mount additional directories to provide access to yourDNS API credentials as specified in the DNS plugin documentation.
For more information about the layoutof the /etc/letsencrypt directory, see Where are my certificates?.
Warning
While the Certbot team tries to keep the Certbot packages offeredby various operating systems working in the most basic sense, due todistribution policies and/or the limited resources of distributionmaintainers, Certbot OS packages often have problems that other distributionmechanisms do not. The packages are often old resulting in a lack of bugfixes and features and a worse TLS configuration than is generated by newerversions of Certbot. They also may not configure certificate renewal for youor have all of Certbot’s plugins available. For reasons like these, werecommend most users follow the instructions athttps://certbot.eff.org/instructions and OS packages are only documentedhere as an alternative.
Arch Linux
Debian
If you run Debian Buster or Debian testing/Sid, you can easily install certbotpackages through commands like:
If you run Debian Stretch, we recommend you use the packages in Debianbackports repository. First you’ll have to follow the instructions athttps://backports.debian.org/Instructions/ to enable the Stretch backports repo,if you have not already done so. Then run:
In all of these cases, there also packages available to help Certbot integratewith Apache, nginx, or various DNS services. If you are using Apache or nginx,we strongly recommend that you install the python-certbot-apache orpython-certbot-nginx package so that Certbot can fully automate HTTPSconfiguration for your server. A full list of these packages can be foundthrough a command like:
They can be installed by running the same installation command above butreplacing certbot with the name of the desired package.
Ubuntu
If you run Ubuntu, certbot can be installed using:
Optionally to install the Certbot Apache plugin, you can use:
Fedora
FreeBSD
- Port:
cd/usr/ports/security/py-certbot&&makeinstallclean - Package:
pkginstallpy27-certbot
Gentoo
The official Certbot client is available in Gentoo Portage. From theofficial Certbot plugins, three of them are also available in Portage.They need to be installed separately if you require their functionality.
Note
The app-crypt/certbot-dns-nsone package has a differentmaintainer than the other packages and can lag behind in version.
NetBSD
- Build from source:
cd/usr/pkgsrc/security/py-certbot&&makeinstallclean - Install pre-compiled package:
pkg_addpy27-certbot
OpenBSD
- Port:
cd/usr/ports/security/letsencrypt/client&&makeinstallclean - Package:
pkg_addletsencrypt
Other Operating Systems
OS packaging is an ongoing effort. If you’d like to packageCertbot for your distribution of choice please have alook at the Packaging Guide.
We used to have a shell script named certbot-auto to help people installCertbot on UNIX operating systems, however, this script is no longer supported.If you want to uninstall certbot-auto, you can follow our instructionshere.
When using certbot-auto on a low memory system such as VPS with less than512MB of RAM, the required dependencies of Certbot may fail to build. This canbe identified if the pip outputs contains something like internalcompilererror:Killed(programcc1). You can workaround this restriction by creatinga temporary swapfile:
Disable and remove the swapfile once the virtual environment is constructed:
Installation from source is only supported for developers and thewhole process is described in the Developer Guide.
Warning
Please do not use pythoncertbot/setup.pyinstall, pythonpipinstallcertbot, or easy_installcertbot. Please do not attempt theinstallation commands as superuser/root and/or without virtual environment,e.g. sudopythoncertbot/setup.pyinstall, sudopipinstall, sudo./venv/bin/.... These modes of operation might corrupt your operatingsystem and are not supported by the Certbot team!
Estimated reading time: 35 minutes
The Registry configuration is based on a YAML file, detailed below. While itcomes with sane default values out of the box, you should review it exhaustivelybefore moving your systems to production.
Override specific configuration options
In a typical setup where you run your Registry from the official image, you canspecify a configuration variable from the environment by passing -e argumentsto your docker run stanza or from within a Dockerfile using the ENVinstruction.
To override a configuration option, create an environment variable namedREGISTRY_variable where variable is the name of the configuration optionand the _ (underscore) represents indention levels. For example, you canconfigure the rootdirectory of the filesystem storage backend:
To override this value, set an environment variable like this:
This variable overrides the /var/lib/registry value to the /somewheredirectory.
Note: Create a base configuration file with environment variables that canbe configured to tweak individual values. Overriding configuration sectionswith environment variables is not recommended.
Overriding the entire configuration file
If the default configuration is not a sound basis for your usage, or if you arehaving issues overriding keys from the environment, you can specify an alternateYAML configuration file by mounting it as a volume in the container.
Typically, create a new configuration file from scratch,named config.yml, thenspecify it in the docker run command:
Letsencrypt Apache Docker Container
Use thisexample YAML fileas a starting point.
List of configuration options
These are all configuration options for the registry. Some options in the listare mutually exclusive. Read the detailed reference information about eachoption before finalizing your configuration.
In some instances a configuration option is optional but it contains childoptions marked as required. In these cases, you can omit the parent withall its children. However, if the parent is included, you must also include allthe children marked required.
version
The version option is required. It specifies the configuration’s version.It is expected to remain a top-level field, to allow for a consistent versioncheck before parsing the remainder of the configuration file.
log
The log subsection configures the behavior of the logging system. The loggingsystem outputs everything to stdout. You can adjust the granularity and formatwith this configuration section.
| Parameter | Required | Description |
|---|---|---|
level | no | Sets the sensitivity of logging output. Permitted values are error, warn, info, and debug. The default is info. |
formatter | no | This selects the format of logging output. The format primarily affects how keyed attributes for a log line are encoded. Options are text, json, and logstash. The default is text. |
fields | no | A map of field names to values. These are added to every log line for the context. This is useful for identifying log messages source after being mixed in other systems. |
accesslog
Within log, accesslog configures the behavior of the access loggingsystem. By default, the access logging system outputs to stdout inCombined Log Format.Access logging can be disabled by setting the boolean flag disabled to true.
hooks
The hooks subsection configures the logging hooks’ behavior. This subsectionincludes a sequence handler which you can use for sending mail, for example.Refer to loglevel to configure the level of messages printed.
loglevel
DEPRECATED: Please use log instead.
Permitted values are error, warn, info and debug. The default isinfo.
storage
The storage option is required and defines which storage backend is inuse. You must configure exactly one backend. If you configure more, the registryreturns an error. You can choose any of these backend storage drivers:
| Storage driver | Description |
|---|---|
filesystem | Uses the local disk to store registry files. It is ideal for development and may be appropriate for some small-scale production applications. See the driver’s reference documentation. |
azure | Uses Microsoft Azure Blob Storage. See the driver’s reference documentation. |
gcs | Uses Google Cloud Storage. See the driver’s reference documentation. |
s3 | Uses Amazon Simple Storage Service (S3) and compatible Storage Services. See the driver’s reference documentation. |
swift | Uses Openstack Swift object storage. See the driver’s reference documentation. |
oss | Uses Aliyun OSS for object storage. See the driver’s reference documentation. |
For testing only, you can use the inmemory storagedriver.If you would like to run a registry from volatile memory, use thefilesystem driveron a ramdisk.
If you are deploying a registry on Windows, a Windows volume mounted from thehost is not recommended. Instead, you can use a S3 or Azure backingdata-store. If you do use a Windows volume, the length of the PATH tothe mount point must be within the MAX_PATH limits (typically 255 characters),or this error will occur:
maintenance
Currently, upload purging and read-only mode are the only maintenancefunctions available.
uploadpurging
Upload purging is a background process that periodically removes orphaned filesfrom the upload directories of the registry. Upload purging is enabled bydefault. To configure upload directory purging, the following parameters mustbe set.
| Parameter | Required | Description |
|---|---|---|
enabled | yes | Set to true to enable upload purging. Defaults to true. |
age | yes | Upload directories which are older than this age will be deleted.Defaults to 168h (1 week). |
interval | yes | The interval between upload directory purging. Defaults to 24h. |
dryrun | yes | Set dryrun to true to obtain a summary of what directories will be deleted. Defaults to false. |
Note: age and interval are strings containing a number with optionalfraction and a unit suffix. Some examples: 45m, 2h10m, 168h.
readonly
If the readonly section under maintenance has enabled set to true,clients will not be allowed to write to the registry. This mode is useful totemporarily prevent writes to the backend storage so a garbage collection passcan be run. Before running garbage collection, the registry should berestarted with readonly’s enabled set to true. After the garbage collectionpass finishes, the registry may be restarted again, this time with readonlyremoved from the configuration (or set to false).
delete
Use the delete structure to enable the deletion of image blobs and manifestsby digest. It defaults to false, but it can be enabled by writing the followingon the configuration file:
cache
Use the cache structure to enable caching of data accessed in the storagebackend. Currently, the only available cache provides fast access to layermetadata, which uses the blobdescriptor field if configured.
You can set blobdescriptor field to redis or inmemory. If set to redis,aRedis pool caches layer metadata. If set to inmemory, an in-memory map cacheslayer metadata.
NOTE: Formerly, blobdescriptor was known as layerinfo. While theseare equivalent, layerinfo has been deprecated.
redirect
The redirect subsection provides configuration for managing redirects fromcontent backends. For backends that support it, redirecting is enabled bydefault. In certain deployment scenarios, you may decide to route all datathrough the Registry, rather than redirecting to the backend. This may be moreefficient when using a backend that is not co-located or when a registryinstance is aggressively caching.
To disable redirects, add a single flag disable, set to trueunder the redirect section:
auth
The auth option is optional. Possible auth providers include:
- [
none]
You can configure only one authentication provider.
silly
Apache Letsencrypt Docker Key
The silly authentication provider is only appropriate for development. It simply checksfor the existence of the Authorization header in the HTTP request. It does notcheck the header’s value. If the header does not exist, the silly authresponds with a challenge response, echoing back the realm, service, and scopefor which access was denied.
The following values are used to configure the response:
| Parameter | Required | Description |
|---|---|---|
realm | yes | The realm in which the registry server authenticates. |
service | yes | The service being authenticated. |
token
Token-based authentication allows you to decouple the authentication system fromthe registry. It is an established authentication paradigm with a high degree ofsecurity.
| Parameter | Required | Description |
|---|---|---|
realm | yes | The realm in which the registry server authenticates. |
service | yes | The service being authenticated. |
issuer | yes | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. |
rootcertbundle | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. |
autoredirect | no | When set to true, realm will automatically be set using the Host header of the request as the domain and a path of /auth/token/ |
For more information about Token based authentication configuration, see thespecification.
htpasswd
The htpasswd authentication backed allows you to configure basicauthentication using anApache htpasswd file.The only supported password format isbcrypt. Entries with other hash typesare ignored. The htpasswd file is loaded once, at startup. If the file isinvalid, the registry will display an error and will not start.
Warning: If the htpasswd file is missing, the file will be created and provisioned with a default user and automatically generated password.The password will be printed to stdout.
Warning: Only use the htpasswd authentication scheme with TLSconfigured, since basic authentication sends passwords as part of the HTTPheader.
| Parameter | Required | Description |
|---|---|---|
realm | yes | The realm in which the registry server authenticates. |
path | yes | The path to the htpasswd file to load at startup. |
middleware
The middleware structure is optional. Use this option to inject middleware atnamed hook points. Each middleware must implement the same interface as theobject it is wrapping. For instance, a registry middleware must implement thedistribution.Namespace interface, while a repository middleware must implementdistribution.Repository, and a storage middleware must implementdriver.StorageDriver.
This is an example configuration of the cloudfront middleware, a storagemiddleware:
Each middleware entry has name and options entries. The name mustcorrespond to the name under which the middleware registers itself. Theoptions field is a map that details custom configuration required toinitialize the middleware. It is treated as a map[string]interface{}. As such,it supports any interesting structures desired, leaving it up to the middlewareinitialization function to best determine how to handle the specificinterpretation of the options.
cloudfront
| Parameter | Required | Description |
|---|---|---|
baseurl | yes | The SCHEME://HOST[/PATH] at which Cloudfront is served. |
privatekey | yes | The private key for Cloudfront, provided by AWS. |
keypairid | yes | The key pair ID provided by AWS. |
duration | no | An integer and unit for the duration of the Cloudfront session. Valid time units are ns, us (or µs), ms, s, m, or h. For example, 3000s is valid, but 3000 s is not. If you do not specify a duration or you specify an integer without a time unit, the duration defaults to 20m (20 minutes). |
ipfilteredby | no | A string with the following value none, aws or awsregion. |
awsregion | no | A comma separated string of AWS regions, only available when ipfilteredby is awsregion. For example, us-east-1, us-west-2 |
updatefrenquency | no | The frequency to update AWS IP regions, default: 12h |
iprangesurl | no | The URL contains the AWS IP ranges information, default: https://ip-ranges.amazonaws.com/ip-ranges.json |
Value of ipfilteredby can be:
| Value | Description |
|---|---|
none | default, do not filter by IP |
aws | IP from AWS goes to S3 directly |
awsregion | IP from certain AWS regions goes to S3 directly, use together with awsregion. |
redirect
You can use the redirect storage middleware to specify a custom URL to alocation of a proxy for the layer stored by the S3 storage driver.
| Parameter | Required | Description |
|---|---|---|
baseurl | yes | SCHEME://HOST at which layers are served. Can also contain port. For example, https://example.com:5443. |
reporting
The reporting option is optional and configures error and metricsreporting tools. At the moment only two services are supported:
A valid configuration may contain both.
bugsnag
| Parameter | Required | Description |
|---|---|---|
apikey | yes | The API Key provided by Bugsnag. |
releasestage | no | Tracks where the registry is deployed, using a string like production, staging, or development. |
endpoint | no | The enterprise Bugsnag endpoint. |
newrelic
| Parameter | Required | Description |
|---|---|---|
licensekey | yes | License key provided by New Relic. |
name | no | New Relic application name. |
verbose | no | Set to true to enable New Relic debugging output on stdout. |
http
The http option details the configuration for the HTTP server that hosts theregistry.
| Parameter | Required | Description |
|---|---|---|
addr | yes | The address for which the server should accept connections. The form depends on a network type (see the net option). Use HOST:PORT for TCP and FILE for a UNIX socket. |
net | no | The network used to create a listening socket. Known networks are unix and tcp. |
prefix | no | If the server does not run at the root path, set this to the value of the prefix. The root path is the section before v2. It requires both preceding and trailing slashes, such as in the example /path/. |
host | no | A fully-qualified URL for an externally-reachable address for the registry. If present, it is used when creating generated URLs. Otherwise, these URLs are derived from client requests. |
secret | no | A random piece of data used to sign state that may be stored with the client to protect against tampering. For production environments you should generate a random piece of data using a cryptographically secure random generator. If you omit the secret, the registry will automatically generate a secret when it starts. If you are building a cluster of registries behind a load balancer, you MUST ensure the secret is the same for all registries. |
relativeurls | no | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. This option is not compatible with Docker 1.7 and earlier. |
draintimeout | no | Amount of time to wait for HTTP connections to drain before shutting down after registry receives SIGTERM signal |
tls
The tls structure within http is optional. Use this to configure TLSfor the server. If you already have a web server running onthe same host as the registry, you may prefer to configure TLS on that web serverand proxy connections to the registry server.
| Parameter | Required | Description |
|---|---|---|
certificate | yes | Absolute path to the x509 certificate file. |
key | yes | Absolute path to the x509 private key file. |
clientcas | no | An array of absolute paths to x509 CA files. |
minimumtls | no | Minimum TLS version allowed (tls1.0, tls1.1, tls1.2, tls1.3). Defaults to tls1.2 |
ciphersuites | no | Cipher suites allowed. Please see below for allowed values and default. |
Available cipher suites:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
Default cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_256_GCM_SHA384
letsencrypt
The letsencrypt structure within tls is optional. Use this to configureTLS certificates provided byLet’s Encrypt.
NOTE: When using Let’s Encrypt, ensure that the outward-facing address isaccessible on port 443. The registry defaults to listening on port 5000.If you run the registry as a container, consider adding the flag -p 443:5000to the docker run command or using a similar setting in a cloudconfiguration. You should also set the hosts option to the list of hostnamesthat are valid for this registry to avoid trying to get certificates for randomhostnames due to malicious clients connecting with bogus SNI hostnames.
| Parameter | Required | Description |
|---|---|---|
cachefile | yes | Absolute path to a file where the Let’s Encrypt agent can cache data. |
email | yes | The email address used to register with Let’s Encrypt. |
hosts | no | The hostnames allowed for Let’s Encrypt certificates. |
debug
The debug option is optional . Use it to configure a debug server thatcan be helpful in diagnosing problems. The debug endpoint can be used formonitoring registry metrics and health, as well as profiling. Sensitiveinformation may be available via the debug endpoint. Please be certain thataccess to the debug endpoint is locked down in a production environment.
The debug section takes a single required addr parameter, which specifiesthe HOST:PORT on which the debug server should accept connections.
prometheus
The prometheus option defines whether the prometheus metrics is enable, as wellas the path to access the metrics.
| Parameter | Required | Description |
|---|---|---|
enabled | no | Set true to enable the prometheus server |
path | no | The path to access the metrics, /metrics by default |
The url to access the metrics is HOST:PORT/path, where HOST:PORT is definedin addr under debug.
headers
The headers option is optional . Use it to specify headers that the HTTPserver should include in responses. This can be used for security headers suchas Strict-Transport-Security.
The headers option should contain an option for each header to include, wherethe parameter name is the header’s name, and the parameter value a list of theheader’s payload values.
Including X-Content-Type-Options: [nosniff] is recommended, so that browserswill not interpret content as HTML if they are directed to load a page from theregistry. This header is included in the example configuration file.
http2
The http2 structure within http is optional. Use this to control http2settings for the registry.
| Parameter | Required | Description |
|---|---|---|
disabled | no | If true, then http2 support is disabled. |
notifications
The notifications option is optional and currently may contain a singleoption, endpoints.
endpoints
The endpoints structure contains a list of named services (URLs) that canaccept event notifications.
| Parameter | Required | Description |
|---|---|---|
name | yes | A human-readable name for the service. |
disabled | no | If true, notifications are disabled for the service. |
url | yes | The URL to which events should be published. |
headers | yes | A list of static headers to add to each request. Each header’s name is a key beneath headers, and each value is a list of payloads for that header name. Values must always be lists. |
timeout | yes | A value for the HTTP timeout. A positive integer and an optional suffix indicating the unit of time, which may be ns, us, ms, s, m, or h. If you omit the unit of time, ns is used. |
threshold | yes | An integer specifying how long to wait before backing off a failure. |
backoff | yes | How long the system backs off before retrying after a failure. A positive integer and an optional suffix indicating the unit of time, which may be ns, us, ms, s, m, or h. If you omit the unit of time, ns is used. |
ignoredmediatypes | no | A list of target media types to ignore. Events with these target media types are not published to the endpoint. |
ignore | no | Events with these mediatypes or actions are not published to the endpoint. |
ignore
| Parameter | Required | Description ||-----------|----------|-------------------------------------------------------|| mediatypes|no| A list of target media types to ignore. Events with these target media types are not published to the endpoint. || actions |no| A list of actions to ignore. Events with these actions are not published to the endpoint. |
events
The events structure configures the information provided in event notifications.
| Parameter | Required | Description |
|---|---|---|
includereferences | no | If true, include reference information in manifest events. |
redis
Declare parameters for constructing the redis connections. Registry instancesmay use the Redis instance for several applications. Currently, it cachesinformation about immutable blobs. Most of the redis options controlhow the registry connects to the redis instance. You can control the pool’sbehavior with the pool subsection.
You should configure Redis with the allkeys-lru eviction policy, because theregistry does not set an expiration value on keys.
| Parameter | Required | Description |
|---|---|---|
addr | yes | The address (host and port) of the Redis instance. |
password | no | A password used to authenticate to the Redis instance. |
db | no | The name of the database to use for each connection. |
dialtimeout | no | The timeout for connecting to the Redis instance. |
readtimeout | no | The timeout for reading from the Redis instance. |
writetimeout | no | The timeout for writing to the Redis instance. |
pool
Use these settings to configure the behavior of the Redis connection pool.
| Parameter | Required | Description |
|---|---|---|
maxidle | no | The maximum number of idle connections in the pool. |
maxactive | no | The maximum number of connections which can be open before blocking a connection request. |
idletimeout | no | How long to wait before closing inactive connections. |
health
The health option is optional, and contains preferences for a periodichealth check on the storage driver’s backend storage, as well as optionalperiodic checks on local files, HTTP URIs, and/or TCP servers. The results ofthe health checks are available at the /debug/health endpoint on the debugHTTP server if the debug HTTP server is enabled (see http section).
storagedriver
The storagedriver structure contains options for a health check on theconfigured storage driver’s backend storage. The health check is only activewhen enabled is set to true.
| Parameter | Required | Description |
|---|---|---|
enabled | yes | Set to true to enable storage driver health checks or false to disable them. |
interval | no | How long to wait between repetitions of the storage driver health check. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. Defaults to 10s if the value is omitted. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds. |
threshold | no | A positive integer which represents the number of times the check must fail before the state is marked as unhealthy. If not specified, a single failure marks the state as unhealthy. |
file
The file structure includes a list of paths to be periodically checked for theexistence of a file. If a file exists at the given path, the health check willfail. You can use this mechanism to bring a registry out of rotation by creatinga file.
| Parameter | Required | Description |
|---|---|---|
file | yes | The path to check for existence of a file. |
interval | no | How long to wait before repeating the check. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. Defaults to 10s if the value is omitted. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds. |
http
The http structure includes a list of HTTP URIs to periodically check withHEAD requests. If a HEAD request does not complete or returns an unexpectedstatus code, the health check will fail.
| Parameter | Required | Description |
|---|---|---|
uri | yes | The URI to check. |
headers | no | Static headers to add to each request. Each header’s name is a key beneath headers, and each value is a list of payloads for that header name. Values must always be lists. |
statuscode | no | The expected status code from the HTTP URI. Defaults to 200. |
timeout | no | How long to wait before timing out the HTTP request. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds. |
interval | no | How long to wait before repeating the check. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. Defaults to 10s if the value is omitted. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds. |
threshold | no | The number of times the check must fail before the state is marked as unhealthy. If this field is not specified, a single failure marks the state as unhealthy. |
tcp
The tcp structure includes a list of TCP addresses to periodically check usingTCP connection attempts. Addresses must include port numbers. If a connectionattempt fails, the health check will fail.
| Parameter | Required | Description |
|---|---|---|
addr | yes | The TCP address and port to connect to. |
timeout | no | How long to wait before timing out the TCP connection. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds. |
interval | no | How long to wait between repetitions of the check. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. Defaults to 10s if the value is omitted. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds. |
threshold | no | The number of times the check must fail before the state is marked as unhealthy. If this field is not specified, a single failure marks the state as unhealthy. |
proxy
The proxy structure allows a registry to be configured as a pull-through cacheto Docker Hub. Seemirrorfor more information. Pushing to a registry configured as a pull-through cacheis unsupported.
| Parameter | Required | Description |
|---|---|---|
remoteurl | yes | The URL for the repository on Docker Hub. |
username | no | The username registered with Docker Hub which has access to the repository. |
password | no | The password used to authenticate to Docker Hub using the username specified in username. |
To enable pulling private repositories (e.g. batman/robin) specify theusername (such as batman) and the password for that username.
Note: These private repositories are stored in the proxy cache’s storage.Take appropriate measures to protect access to the proxy cache.
compatibility
Use the compatibility structure to configure handling of older and deprecatedfeatures. Each subsection defines such a feature with configurable behavior.
schema1
| Parameter | Required | Description |
|---|---|---|
signingkeyfile | no | The signing private key used to add signatures to schema1 manifests. If no signing key is provided, a new ECDSA key is generated when the registry starts. |
enabled | no | If this is not set to true, schema1 manifests cannot be pushed. |
validation
disabled
The disabled flag disables the other options in the validationsection. They are enabled by default. This option deprecates the enabled flag.
manifests
Use the manifests subsection to configure validation of manifests. Ifdisabled is false, the validation allows nothing.
urls
The allow and deny options are each a list ofregular expressions that restrict the URLs inpushed manifests.
If allow is unset, pushing a manifest containing URLs fails.
If allow is set, pushing a manifest succeeds only if all URLs matchone of the allow regular expressions and one of the following holds:
denyis unset.denyis set but no URLs within the manifest match any of thedenyregularexpressions.
Example: Development configuration
You can use this simple example for local development:
This example configures the registry instance to run on port 5000, binding tolocalhost, with the debug server enabled. Registry data is stored in the/var/lib/registry directory. Logging is set to debug mode, which is the mostverbose.
Seeconfig-example.ymlfor another simple configuration. Both examples are generally useful for localdevelopment.
Example: Middleware configuration
This example configures Amazon Cloudfrontas the storage middleware in a registry. Middleware allows the registry to servelayers via a content delivery network (CDN). This reduces requests to thestorage layer.
Cloudfront requires the S3 storage driver.
This is the configuration expressed in YAML:
See the configuration reference for Cloudfront for moreinformation about configuration options.
Note: Cloudfront keys exist separately from other AWS keys. Seethe documentation on AWS credentialsfor more information.
registry, on-prem, images, tags, repository, distribution, configuration