Private registry - stanislawbartkowski/CP4D GitHub Wiki
https://www.techrepublic.com/article/how-to-set-up-a-local-image-repository-with-podman/
Creating a private image registry is simple and straightforward. Assume that the hostname of the registry is thinkde.
Use external storage for the registry, here /disk/registry.
podman run --privileged -d --name registry -p 5000:5000 -v /disk/registry:/var/lib/registry registry:2
To allow removing images from the registry, switch on the REGISTRY_STORAGE_DELETE_ENABLED parameter.
podman run --privileged -d --name registry -p 5000:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true -v /disk/registry:/var/lib/registry registry:2
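By default, the podman client connects to a registry over a secure (HTTPS) connection. The registry started above serves plain HTTP, so add it to the insecure registries list.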
vi /etc/containers/registries.conf
[registries.insecure]
registries = ['thinkde:5000']
curl -X GET http://thinkde:5000/v2/_catalog
{"repositories":["db2"]}
curl -X GET http://thinkde:5000/v2/db2/tags/list
podman search thinkde:5000/
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
thinkde:5000 thinkde:5000/db2 0
podman tag db2 thinkde:5000/db2
podman push db2 thinkde:5000/db2
podman pull thinkde:5000/db2
To maintain the registry, install the skopeo utility.
yum install skopeo
Remove an image from the registry.
skopeo delete docker://localhost:5000/mail:latest
To configure an SSL/TLS connection, a private key and a server certificate are necessary. In the case of a CA-signed certificate, the full certificate chain also needs to be included. Important: the server certificate should be the first, followed by the certificate chain.
Prepare the following data.
- certificate key. For instance: /home/repos/registry-cert/thinkde.sb.com.key.pem
- server certificate including a certificate chain. For instance: /home/repos/registry-cert/cert-chain.pem
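Before starting the container, the ordering rule above (server certificate first, then the chain) can be checked against the two files. This is an added example, not part of the original wiki; the function names are hypothetical and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (hypothetical helper names); requires the openssl CLI.
# Usage: check_registry_tls_files cert-chain.pem thinkde.sb.com.key.pem

# SHA-256 of the public key of the FIRST certificate in a PEM bundle
# (openssl x509 reads only the first certificate in a file).
first_cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key file.
key_pubkey() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = server certificate first and chain in issuer order
# 1 = wrong order or wrong key, 2 = a file could not be parsed
check_registry_tls_files() {
    bundle=$1; key=$2
    openssl x509 -in "$bundle" -noout 2>/dev/null ||
        { echo "cannot parse certificate bundle: $bundle" >&2; return 2; }
    openssl pkey -in "$key" -noout 2>/dev/null ||
        { echo "cannot parse private key: $key" >&2; return 2; }
    if [ "$(first_cert_pubkey "$bundle")" != "$(key_pubkey "$key")" ]; then
        echo "first certificate in $bundle does not belong to $key" >&2
        return 1
    fi
    # Split the bundle into 1.pem, 2.pem, ... to walk the chain.
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$bundle"
    i=1; rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        # Name comparison only: the issuer of certificate i must be the
        # subject of certificate i+1. Signatures are not verified here.
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $((i + 1)) is not the issuer of certificate $i" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}
```

A non-zero result means the bundle should be reassembled before it is mounted into the container.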
Run a long command.
podman run --privileged -d --name registry -p 5000:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true -v /disk/registry:/var/lib/registry \
-v /home/repos/registry-cert/cert-chain.pem:/certs/cert-chain.pem \
-v /home/repos/registry-cert/thinkde.sb.com.key.pem:/certs/thinkde.sb.com.key.pem \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert-chain.pem -e REGISTRY_HTTP_TLS_KEY=/certs/thinkde.sb.com.key.pem registry:2
Verify
openssl s_client -connect <hostname>:5000
Run the commands using https instead of http.
curl -X GET https://<hostname>:5000/v2/_catalog
curl -X GET https://<hostname>:5000/v2/db2/tags/list
If self-signed certificates are used, the registry needs to be included in the insecure registry list.
vi /etc/containers/registries.conf
[registries.insecure]
registries = ['localhost:5000','broth1.fyre.ibm.com:5000']