Portus VS distribution

Once you have your domain configured properly and the SSL certificate is on the server you can start configuring the registry. Docker themselves maintains and releases a docker image that is a Docker registry. Yea, they put a docker container registry in a docker container. But there’s one problem. There’s no GUI. There’s no access control. It’s not that exciting by itself. If only there was some open source project built off this registry container that had all the cool bells and whistles included. Oh, right, there is. Portus.

To transfer the image between your local machine and the server, you'll need a registry such as Docker Hub or GitHub Container Registry. (Technically you can compress images and distribute them as files but it's more of a headache than it's worth) There are plenty of registries that will allow you to host private images if that's a concern for you, but it will be harder to find a free/cheap solution. You can also host your own registry using the Distribution Project. But be warned that while hosting a basic registry is really easy, locking it down can be a pain because of the lack of well maintained and easy to use projects.

The open source repository my colleague and I reference in this talk can be seen at https://github.com/distribution/distribution/

FWIW, the open source registry application itself is essentially stateless. You just run multiple copies of it and point all of them at the same storage for a High Availability setup. If you have GlusterFS, you can mount it to the local filesystem and use the filesystem storage driver, though you may need to tweak settings for it to function properly (example).

It's always been one of those items deep down on the "to consider" list, and my rationale was that there really aren't any straight-forward solutions for this and with Gitlab and Github offering their own registries it was never a problem.

But yesterday I found out that Docker's Registry core (Distribution) [0] is OpenSource (and used by other registries too!), but I haven't seen many mentions of it until then. I've checked out their documentation and it seems solid.

So, what is your experience with self-hosting registries be it Distribution, Harbour or something else. Any hidden PITA? I myself will spin Distribution up on the dev env and see how it goes!

[0]: https://github.com/distribution/distribution

The original registry "distribution" project (which is the base of Docker Hub, Harbor, etc) was donated to the CNCF: https://github.com/distribution/distribution

Evaluated this a couple of weeks back. Ended up going for registry:2 aka distribution/distribution + https://github.com/cesanta/docker_auth + https://github.com/Quiq/docker-registry-ui

> There's a standards conversion going on where we can trace the provenance of each and every layer of the image, we can start signing those layers, and with that metadata, we can start doing automated decisioning, automated reporting, automated visibility into what's been done to that image at each step of the lifecycle.

Docker's CEO is being disingenuous. When you deploy a Docker container, you specify the image ID. The ID looks like a SHA-256 digest and even starts with the string 'sha256' but it is an arbitrary value generated by the docker daemon on the local machine. The ID is not a hash of the image contents [0]. In other words, docker images are not content-addressed.

Since docker images are not content-addressed, your image registry and image transfer tools can subvert the security of your production systems. The fix is straightforward: make an image ID be the SHA-256 digest of the image contents, which is the same everywhere: on your build system, image registry, test system, and production hosts. This fix will increase supply chain security for all Docker users. It is massive low-hanging fruit.

Now Docker will add image signatures without first making images content-addressed. Their decision makes sense only if their goal is to make money and not make a secure product. I cannot trust a company with such priorities.

[0] https://github.com/distribution/distribution/issues/1662

no docker distribution please, https://github.com/distribution/distribution seems hard to run and config.

I’ve not used it myself but it does look like the Docker registry itself is open source https://docs.docker.com/registry/deploying/ and https://github.com/distribution/distribution