Configuring a registry

The Registry configuration is based on a YAML file, detailed below. While it comes with sane default values out of the box, you should review it exhaustively before moving your systems to production.

Override specific configuration options

In a typical setup where you run your registry as a container, you can specify a configuration variable from the environment by passing -e arguments to your docker run stanza or from within a Dockerfile using the ENV instruction.

To override a configuration option, create an environment variable named REGISTRY_variable where variable is the name of the configuration option and the _ (underscore) represents indention levels. For example, you can configure the rootdirectory of the filesystem storage backend:

  1. storage:
  2. filesystem:
  3. rootdirectory: /var/lib/registry

To override this value, set an environment variable like this:

  1. REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/somewhere

This variable overrides the /var/lib/registry value to the /somewhere directory.

Note: Create a base configuration file with environment variables that can be configured to tweak individual values. Overriding configuration sections with environment variables is not recommended.

Overriding the entire configuration file

If the default configuration is not a sound basis for your usage, or if you are having issues overriding keys from the environment, you can specify an alternate YAML configuration file by mounting it as a volume in the container.

Typically, create a new configuration file from scratch,named config.yml, then specify it in the docker run command:

  1. $ docker run -d -p 5000:5000 --restart=always --name registry \
  2. -v `pwd`/config.yml:/etc/distribution/config.yml \
  3. registry:2

Use this example YAML file as a starting point.

List of configuration options

These are all configuration options for the registry. Some options in the list are mutually exclusive. Read the detailed reference information about each option before finalizing your configuration.

  1. version: 0.1
  2. log:
  3. accesslog:
  4. disabled: true
  5. level: debug
  6. formatter: text
  7. fields:
  8. service: registry
  9. environment: staging
  10. hooks:
  11. - type: mail
  12. disabled: true
  13. levels:
  14. - panic
  15. options:
  16. smtp:
  17. addr: mail.example.com:25
  18. username: mailuser
  19. password: password
  20. insecure: true
  21. from: sender@example.com
  22. to:
  23. - errors@example.com
  24. loglevel: debug # deprecated: use "log"
  25. storage:
  26. filesystem:
  27. rootdirectory: /var/lib/registry
  28. maxthreads: 100
  29. azure:
  30. accountname: accountname
  31. accountkey: base64encodedaccountkey
  32. container: containername
  33. rootdirectory: /az/object/name/prefix
  34. credentials:
  35. type: client_secret
  36. clientid: client_id_string
  37. tenantid: tenant_id_string
  38. secret: secret_string
  39. copy_status_poll_max_retry: 10
  40. copy_status_poll_delay: 100ms
  41. gcs:
  42. bucket: bucketname
  43. keyfile: /path/to/keyfile
  44. credentials:
  45. type: service_account
  46. project_id: project_id_string
  47. private_key_id: private_key_id_string
  48. private_key: private_key_string
  49. client_email: client@example.com
  50. client_id: client_id_string
  51. auth_uri: http://example.com/auth_uri
  52. token_uri: http://example.com/token_uri
  53. auth_provider_x509_cert_url: http://example.com/provider_cert_url
  54. client_x509_cert_url: http://example.com/client_cert_url
  55. rootdirectory: /gcs/object/name/prefix
  56. chunksize: 5242880
  57. s3:
  58. accesskey: awsaccesskey
  59. secretkey: awssecretkey
  60. region: us-west-1
  61. regionendpoint: http://myobjects.local
  62. forcepathstyle: true
  63. accelerate: false
  64. bucket: bucketname
  65. encrypt: true
  66. keyid: mykeyid
  67. secure: true
  68. v4auth: true
  69. chunksize: 5242880
  70. multipartcopychunksize: 33554432
  71. multipartcopymaxconcurrency: 100
  72. multipartcopythresholdsize: 33554432
  73. rootdirectory: /s3/object/name/prefix
  74. usedualstack: false
  75. loglevel: debug
  76. inmemory: # This driver takes no parameters
  77. tag:
  78. concurrencylimit: 8
  79. delete:
  80. enabled: false
  81. redirect:
  82. disable: false
  83. cache:
  84. blobdescriptor: redis
  85. blobdescriptorsize: 10000
  86. maintenance:
  87. uploadpurging:
  88. enabled: true
  89. age: 168h
  90. interval: 24h
  91. dryrun: false
  92. readonly:
  93. enabled: false
  94. auth:
  95. silly:
  96. realm: silly-realm
  97. service: silly-service
  98. token:
  99. autoredirect: true
  100. realm: token-realm
  101. service: token-service
  102. issuer: registry-token-issuer
  103. rootcertbundle: /root/certs/bundle
  104. signingalgorithms:
  105. - EdDSA
  106. - HS256
  107. htpasswd:
  108. realm: basic-realm
  109. path: /path/to/htpasswd
  110. middleware:
  111. registry:
  112. - name: ARegistryMiddleware
  113. options:
  114. foo: bar
  115. repository:
  116. - name: ARepositoryMiddleware
  117. options:
  118. foo: bar
  119. storage:
  120. - name: cloudfront
  121. options:
  122. baseurl: https://my.cloudfronted.domain.com/
  123. privatekey: /path/to/pem
  124. keypairid: cloudfrontkeypairid
  125. duration: 3000s
  126. ipfilteredby: awsregion
  127. awsregion: us-east-1, use-east-2
  128. updatefrequency: 12h
  129. iprangesurl: https://ip-ranges.amazonaws.com/ip-ranges.json
  130. storage:
  131. - name: redirect
  132. options:
  133. baseurl: https://example.com/
  134. http:
  135. addr: localhost:5000
  136. prefix: /my/nested/registry/
  137. host: https://myregistryaddress.org:5000
  138. secret: asecretforlocaldevelopment
  139. relativeurls: false
  140. draintimeout: 60s
  141. tls:
  142. certificate: /path/to/x509/public
  143. key: /path/to/x509/private
  144. clientcas:
  145. - /path/to/ca.pem
  146. - /path/to/another/ca.pem
  147. letsencrypt:
  148. cachefile: /path/to/cache-file
  149. email: emailused@letsencrypt.com
  150. hosts: [myregistryaddress.org]
  151. directoryurl: https://acme-v02.api.letsencrypt.org/directory
  152. debug:
  153. addr: localhost:5001
  154. prometheus:
  155. enabled: true
  156. path: /metrics
  157. headers:
  158. X-Content-Type-Options: [nosniff]
  159. http2:
  160. disabled: false
  161. h2c:
  162. enabled: false
  163. notifications:
  164. events:
  165. includereferences: true
  166. endpoints:
  167. - name: alistener
  168. disabled: false
  169. url: https://my.listener.com/event
  170. headers: <http.Header>
  171. timeout: 1s
  172. threshold: 10
  173. backoff: 1s
  174. ignoredmediatypes:
  175. - application/octet-stream
  176. ignore:
  177. mediatypes:
  178. - application/octet-stream
  179. actions:
  180. - pull
  181. redis:
  182. tls:
  183. certificate: /path/to/cert.crt
  184. key: /path/to/key.pem
  185. clientcas:
  186. - /path/to/ca.pem
  187. addrs: [localhost:6379]
  188. password: asecret
  189. db: 0
  190. dialtimeout: 10ms
  191. readtimeout: 10ms
  192. writetimeout: 10ms
  193. maxidleconns: 16
  194. poolsize: 64
  195. connmaxidletime: 300s
  196. tls:
  197. enabled: false
  198. health:
  199. storagedriver:
  200. enabled: true
  201. interval: 10s
  202. threshold: 3
  203. file:
  204. - file: /path/to/checked/file
  205. interval: 10s
  206. http:
  207. - uri: http://server.to.check/must/return/200
  208. headers:
  209. Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
  210. statuscode: 200
  211. timeout: 3s
  212. interval: 10s
  213. threshold: 3
  214. tcp:
  215. - addr: redis-server.domain.com:6379
  216. timeout: 3s
  217. interval: 10s
  218. threshold: 3
  219. proxy:
  220. remoteurl: https://registry-1.docker.io
  221. username: [username]
  222. password: [password]
  223. ttl: 168h
  224. validation:
  225. manifests:
  226. urls:
  227. allow:
  228. - ^https?://([^/]+\.)*example\.com/
  229. deny:
  230. - ^https?://www\.example\.com/
  231. indexes:
  232. platforms: List
  233. platformlist:
  234. - architecture: amd64
  235. os: linux

In some instances a configuration option is optional but it contains child options marked as required. In these cases, you can omit the parent with all its children. However, if the parent is included, you must also include all the children marked required.

version

  1. version: 0.1

The version option is required. It specifies the configuration’s version. It is expected to remain a top-level field, to allow for a consistent version check before parsing the remainder of the configuration file.

log

The log subsection configures the behavior of the logging system. The logging system outputs everything to stderr. You can adjust the granularity and format with this configuration section.

  1. log:
  2. accesslog:
  3. disabled: true
  4. level: debug
  5. formatter: text
  6. fields:
  7. service: registry
  8. environment: staging
ParameterRequiredDescription
levelnoSets the sensitivity of logging output. Permitted values are error, warn, info, and debug. The default is info.
formatternoThis selects the format of logging output. The format primarily affects how keyed attributes for a log line are encoded. Options are text, json, and logstash. The default is text.
fieldsnoA map of field names to values. These are added to every log line for the context. This is useful for identifying log messages source after being mixed in other systems.

accesslog

  1. accesslog:
  2. disabled: true

Within log, accesslog configures the behavior of the access logging system. By default, the access logging system outputs to stdout in Combined Log Format. Access logging can be disabled by setting the boolean flag disabled to true.

hooks

  1. hooks:
  2. - type: mail
  3. levels:
  4. - panic
  5. options:
  6. smtp:
  7. addr: smtp.sendhost.com:25
  8. username: sendername
  9. password: password
  10. insecure: true
  11. from: name@sendhost.com
  12. to:
  13. - name@receivehost.com

The hooks subsection configures the logging hooks’ behavior. This subsection includes a sequence handler which you can use for sending mail, for example. Refer to loglevel to configure the level of messages printed.

loglevel

DEPRECATED: Please use log instead.

  1. loglevel: debug

Permitted values are error, warn, info and debug. The default is info.

storage

  1. storage:
  2. filesystem:
  3. rootdirectory: /var/lib/registry
  4. azure:
  5. accountname: accountname
  6. accountkey: base64encodedaccountkey
  7. container: containername
  8. gcs:
  9. bucket: bucketname
  10. keyfile: /path/to/keyfile
  11. credentials:
  12. type: service_account
  13. project_id: project_id_string
  14. private_key_id: private_key_id_string
  15. private_key: private_key_string
  16. client_email: client@example.com
  17. client_id: client_id_string
  18. auth_uri: http://example.com/auth_uri
  19. token_uri: http://example.com/token_uri
  20. auth_provider_x509_cert_url: http://example.com/provider_cert_url
  21. client_x509_cert_url: http://example.com/client_cert_url
  22. rootdirectory: /gcs/object/name/prefix
  23. s3:
  24. accesskey: awsaccesskey
  25. secretkey: awssecretkey
  26. region: us-west-1
  27. regionendpoint: http://myobjects.local
  28. forcepathstyle: true
  29. accelerate: false
  30. bucket: bucketname
  31. encrypt: true
  32. keyid: mykeyid
  33. secure: true
  34. v4auth: true
  35. chunksize: 5242880
  36. multipartcopychunksize: 33554432
  37. multipartcopymaxconcurrency: 100
  38. multipartcopythresholdsize: 33554432
  39. rootdirectory: /s3/object/name/prefix
  40. loglevel: debug
  41. inmemory:
  42. delete:
  43. enabled: false
  44. cache:
  45. blobdescriptor: inmemory
  46. blobdescriptorsize: 10000
  47. maintenance:
  48. uploadpurging:
  49. enabled: true
  50. age: 168h
  51. interval: 24h
  52. dryrun: false
  53. readonly:
  54. enabled: false
  55. redirect:
  56. disable: false

The storage option is required and defines which storage backend is in use. You must configure exactly one backend. If you configure more, the registry returns an error. You can choose any of these backend storage drivers:

Storage driverDescription
filesystemUses the local disk to store registry files. It is ideal for development and may be appropriate for some small-scale production applications. See the driver’s reference documentation.
azureUses Microsoft Azure Blob Storage. See the driver’s reference documentation.
gcsUses Google Cloud Storage. See the driver’s reference documentation.
s3Uses Amazon Simple Storage Service (S3) and compatible Storage Services. See the driver’s reference documentation.

For testing only, you can use the inmemory storage driver. If you would like to run a registry from volatile memory, use the filesystem driver on a ramdisk.

If you are deploying a registry on Windows, a Windows volume mounted from the host is not recommended. Instead, you can use a S3 or Azure backing data-store. If you do use a Windows volume, the length of the PATH to the mount point must be within the MAX_PATH limits (typically 255 characters), or this error will occur:

  1. mkdir /XXX protocol error and your registry will not function properly.

maintenance

Currently, upload purging and read-only mode are the only maintenance functions available.

uploadpurging

Upload purging is a background process that periodically removes orphaned files from the upload directories of the registry. Upload purging is enabled by default. To configure upload directory purging, the following parameters must be set.

ParameterRequiredDescription
enabledyesSet to true to enable upload purging. Defaults to true.
ageyesUpload directories which are older than this age will be deleted.Defaults to 168h (1 week).
intervalyesThe interval between upload directory purging. Defaults to 24h.
dryrunyesSet dryrun to true to obtain a summary of what directories will be deleted. Defaults to false.

Note: age and interval are strings containing a number with optional fraction and a unit suffix. Some examples: 45m, 2h10m, 168h.

readonly

If the readonly section under maintenance has enabled set to true, clients will not be allowed to write to the registry. This mode is useful to temporarily prevent writes to the backend storage so a garbage collection pass can be run. Before running garbage collection, the registry should be restarted with readonly’s enabled set to true. After the garbage collection pass finishes, the registry may be restarted again, this time with readonly removed from the configuration (or set to false).

delete

Use the delete structure to enable the deletion of image blobs and manifests by digest. It defaults to false, but it can be enabled by writing the following on the configuration file:

  1. delete:
  2. enabled: true

cache

Use the cache structure to enable caching of data accessed in the storage backend. Currently, the only available cache provides fast access to layer metadata, which uses the blobdescriptor field if configured.

You can set blobdescriptor field to redis or inmemory. If set to redis,a Redis pool caches layer metadata. If set to inmemory, an in-memory map caches layer metadata.

NOTE: Formerly, blobdescriptor was known as layerinfo. While these are equivalent, layerinfo has been deprecated.

If blobdescriptor is set to inmemory, the optional blobdescriptorsize parameter sets a limit on the number of descriptors to store in the cache. The default value is 10000. If this parameter is set to 0, the cache is allowed to grow with no size limit.

tag

The tag subsection provides configuration to set concurrency limit for tag lookup. When user calls into the registry to delete the manifest, which in turn then does a lookup for all tags that reference the deleted manifest. To find the tag references, the registry will iterate every tag in the repository and read it’s link file to check if it matches the deleted manifest (i.e. to see if uses the same sha256 digest). So, the more tags in repository, the worse the performance will be (as there will be more S3 API calls occurring for the tag directory lookups and tag file reads if using S3 storage driver).

Therefore, add a single flag concurrencylimit to set concurrency limit to optimize tag lookup performance under the tag section. When a value is not provided or equal to 0, GOMAXPROCS will be used.

  1. tag:
  2. concurrencylimit: 8

redirect

The redirect subsection provides configuration for managing redirects from content backends. For backends that support it, redirecting is enabled by default. In certain deployment scenarios, you may decide to route all data through the Registry, rather than redirecting to the backend. This may be more efficient when using a backend that is not co-located or when a registry instance is aggressively caching.

To disable redirects, add a single flag disable, set to true under the redirect section:

  1. redirect:
  2. disable: true

auth

  1. auth:
  2. silly:
  3. realm: silly-realm
  4. service: silly-service
  5. token:
  6. realm: token-realm
  7. service: token-service
  8. issuer: registry-token-issuer
  9. rootcertbundle: /root/certs/bundle
  10. signingalgorithms:
  11. - EdDSA
  12. - HS256
  13. - ES512
  14. htpasswd:
  15. realm: basic-realm
  16. path: /path/to/htpasswd

The auth option is optional. Possible auth providers include:

You can configure only one authentication provider.

silly

The silly authentication provider is only appropriate for development. It simply checks for the existence of the Authorization header in the HTTP request. It does not check the header’s value. If the header does not exist, the silly auth responds with a challenge response, echoing back the realm, service, and scope for which access was denied.

The following values are used to configure the response:

ParameterRequiredDescription
realmyesThe realm in which the registry server authenticates.
serviceyesThe service being authenticated.

token

Token-based authentication allows you to decouple the authentication system from the registry. It is an established authentication paradigm with a high degree of security.

ParameterRequiredDescription
realmyesThe realm in which the registry server authenticates.
serviceyesThe service being authenticated.
issueryesThe name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer.
rootcertbundleyesThe absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens.
autoredirectnoWhen set to true, realm will automatically be set using the Host header of the request as the domain and a path of /auth/token/(or specified by autoredirectpath), the realm URL Scheme will use X-Forwarded-Proto header if set, otherwise it will be set to https.
autoredirectpathnoThe path to redirect to if autoredirect is set to true, default: /auth/token/.
signingalgorithmsnoA list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default.

Available signingalgorithms:

  • EdDSA
  • HS256
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512
  • PS256
  • PS384
  • PS512

Default signingalgorithms:

  • EdDSA
  • HS256
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512
  • PS256
  • PS384
  • PS512

For more information about Token based authentication configuration, see the specification.

htpasswd

The htpasswd authentication backed allows you to configure basic authentication using an Apache htpasswd file. The only supported password format is bcrypt. Entries with other hash types are ignored. The htpasswd file is loaded once, at startup. If the file is invalid, the registry will display an error and will not start.

Warning: If the htpasswd file is missing, the file will be created and provisioned with a default user and automatically generated password. The password will be printed to stdout.

Warning: Only use the htpasswd authentication scheme with TLS configured, since basic authentication sends passwords as part of the HTTP header.

ParameterRequiredDescription
realmyesThe realm in which the registry server authenticates.
pathyesThe path to the htpasswd file to load at startup.

middleware

The middleware structure is optional. Use this option to inject middleware at named hook points. Each middleware must implement the same interface as the object it is wrapping. For instance, a registry middleware must implement the distribution.Namespace interface, while a repository middleware must implement distribution.Repository, and a storage middleware must implement driver.StorageDriver.

This is an example configuration of the cloudfront middleware, a storage middleware:

  1. middleware:
  2. registry:
  3. - name: ARegistryMiddleware
  4. options:
  5. foo: bar
  6. repository:
  7. - name: ARepositoryMiddleware
  8. options:
  9. foo: bar
  10. storage:
  11. - name: cloudfront
  12. options:
  13. baseurl: https://my.cloudfronted.domain.com/
  14. privatekey: /path/to/pem
  15. keypairid: cloudfrontkeypairid
  16. duration: 3000s
  17. ipfilteredby: awsregion
  18. awsregion: us-east-1, use-east-2
  19. updatefrequency: 12h
  20. iprangesurl: https://ip-ranges.amazonaws.com/ip-ranges.json

Each middleware entry has name and options entries. The name must correspond to the name under which the middleware registers itself. The options field is a map that details custom configuration required to initialize the middleware. It is treated as a map[string]interface{}. As such, it supports any interesting structures desired, leaving it up to the middleware initialization function to best determine how to handle the specific interpretation of the options.

cloudfront

ParameterRequiredDescription
baseurlyesThe SCHEME://HOST[/PATH] at which Cloudfront is served.
privatekeyyesThe private key for Cloudfront, provided by AWS.
keypairidyesThe key pair ID provided by AWS.
durationnoAn integer and unit for the duration of the Cloudfront session. Valid time units are ns, us (or µs), ms, s, m, or h. For example, 3000s is valid, but 3000 s is not. If you do not specify a duration or you specify an integer without a time unit, the duration defaults to 20m (20 minutes).
ipfilteredbynoA string with the following value none, aws or awsregion.
awsregionnoA comma separated string of AWS regions, only available when ipfilteredby is awsregion. For example, us-east-1, us-west-2
updatefrequencynoThe frequency to update AWS IP regions, default: 12h
iprangesurlnoThe URL contains the AWS IP ranges information, default: https://ip-ranges.amazonaws.com/ip-ranges.json

Value of ipfilteredby can be:

ValueDescription
nonedefault, do not filter by IP
awsIP from AWS goes to S3 directly
awsregionIP from certain AWS regions goes to S3 directly, use together with awsregion.

redirect

You can use the redirect storage middleware to specify a custom URL to a location of a proxy for the layer stored by the S3 storage driver.

ParameterRequiredDescription
baseurlyesSCHEME://HOST at which layers are served. Can also contain port. For example, https://example.com:5443.

http

  1. http:
  2. addr: localhost:5000
  3. net: tcp
  4. prefix: /my/nested/registry/
  5. host: https://myregistryaddress.org:5000
  6. secret: asecretforlocaldevelopment
  7. relativeurls: false
  8. draintimeout: 60s
  9. tls:
  10. certificate: /path/to/x509/public
  11. key: /path/to/x509/private
  12. clientcas:
  13. - /path/to/ca.pem
  14. - /path/to/another/ca.pem
  15. minimumtls: tls1.2
  16. ciphersuites:
  17. - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  18. - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  19. letsencrypt:
  20. cachefile: /path/to/cache-file
  21. email: emailused@letsencrypt.com
  22. hosts: [myregistryaddress.org]
  23. directoryurl: https://acme-v02.api.letsencrypt.org/directory
  24. debug:
  25. addr: localhost:5001
  26. headers:
  27. X-Content-Type-Options: [nosniff]
  28. http2:
  29. disabled: false
  30. h2c:
  31. enabled: false

The http option details the configuration for the HTTP server that hosts the registry.

ParameterRequiredDescription
addrnoThe address for which the server should accept connections. The form depends on a network type (see the net option). Use HOST:PORT for TCP and FILE for a UNIX socket. The addr field is only optional if socket-activation is used (in which case addr and net are ignored regardless of if they are specified).
netnoThe network used to create a listening socket. Known networks are unix and tcp.
prefixnoIf the server does not run at the root path, set this to the value of the prefix. The root path is the section before v2. It requires both preceding and trailing slashes, such as in the example /path/.
hostnoA fully-qualified URL for an externally-reachable address for the registry. If present, it is used when creating generated URLs. Otherwise, these URLs are derived from client requests.
secretnoA random piece of data used to sign state that may be stored with the client to protect against tampering. For production environments you should generate a random piece of data using a cryptographically secure random generator. If you omit the secret, the registry will automatically generate a secret when it starts. If you are building a cluster of registries behind a load balancer, you MUST ensure the secret is the same for all registries.
relativeurlsnoIf true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. This option is not compatible with Docker 1.7 and earlier.
draintimeoutnoAmount of time to wait for HTTP connections to drain before shutting down after registry receives SIGTERM signal

tls

The tls structure within http is optional. Use this to configure TLS for the server. If you already have a web server running on the same host as the registry, you may prefer to configure TLS on that web server and proxy connections to the registry server.

ParameterRequiredDescription
certificateyesAbsolute path to the x509 certificate file.
keyyesAbsolute path to the x509 private key file.
clientcasnoAn array of absolute paths to x509 CA files.
minimumtlsnoMinimum TLS version allowed (tls1.0, tls1.1, tls1.2, tls1.3). Defaults to tls1.2
ciphersuitesnoCipher suites allowed. Please see below for allowed values and default.

Available cipher suites:

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

Default cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_256_GCM_SHA384

letsencrypt

The letsencrypt structure within tls is optional. Use this to configure TLS certificates provided by Let’s Encrypt.

NOTE: When using Let’s Encrypt, ensure that the outward-facing address is accessible on port 443. The registry defaults to listening on port 5000. If you run the registry as a container, consider adding the flag -p 443:5000 to the docker run command or using a similar setting in a cloud configuration. You should also set the hosts option to the list of hostnames that are valid for this registry to avoid trying to get certificates for random hostnames due to malicious clients connecting with bogus SNI hostnames. Please ensure that you have the ca-certificates package installed in order to verify letsencrypt certificates.

ParameterRequiredDescription
cachefileyesAbsolute path to a file where the Let’s Encrypt agent can cache data.
emailyesThe email address used to register with Let’s Encrypt.
hostsnoThe hostnames allowed for Let’s Encrypt certificates.
directoryurlnoThe url to use for the ACME server.

debug

The debug option is optional . Use it to configure a debug server that can be helpful in diagnosing problems. The debug endpoint can be used for monitoring registry metrics and health, as well as profiling. Sensitive information may be available via the debug endpoint. Please be certain that access to the debug endpoint is locked down in a production environment. The debug endpoint should not be exposed publicly to the internet. Instead, keep the debug endpoint private or enforce authentication for it.

The debug section takes a single required addr parameter, which specifies the HOST:PORT on which the debug server should accept connections.

If configured, notification, redis, and proxy statistics are exposed at /debug/vars in JSON format.

prometheus

  1. prometheus:
  2. enabled: true
  3. path: /metrics

The prometheus option defines whether the prometheus metrics are enabled, as well as the path to access the metrics.

The prometheus metrics cover storage, notification and proxy statistics.

ParameterRequiredDescription
enablednoSet true to enable the prometheus server
pathnoThe path to access the metrics, /metrics by default

The url to access the metrics is HOST:PORT/path, where HOST:PORT is defined in addr under debug.

headers

The headers option is optional . Use it to specify headers that the HTTP server should include in responses. This can be used for security headers such as Strict-Transport-Security.

The headers option should contain an option for each header to include, where the parameter name is the header’s name, and the parameter value a list of the header’s payload values.

Including X-Content-Type-Options: [nosniff] is recommended, so that browsers will not interpret content as HTML if they are directed to load a page from the registry. This header is included in the example configuration file.

http2

The http2 structure within http is optional. Use this to control HTTP/2 over TLS settings for the registry. If tls is not configured this option is ignored. To enable HTTP/2 over non TLS connections use h2c instead.

ParameterRequiredDescription
disablednoIf true, then http2 support is disabled.

h2c

The h2c structure within http is optional. Use this to control H2C (HTTP/2 Cleartext) settings for the registry. Useful when deploying the registry behind a load balancer (e.g. Google Cloud Run)

ParameterRequiredDescription
enablednoIf true, then h2c support is enabled.

notifications

  1. notifications:
  2. events:
  3. includereferences: true
  4. endpoints:
  5. - name: alistener
  6. disabled: false
  7. url: https://my.listener.com/event
  8. headers: <http.Header>
  9. timeout: 1s
  10. threshold: 10
  11. backoff: 1s
  12. ignoredmediatypes:
  13. - application/octet-stream
  14. ignore:
  15. mediatypes:
  16. - application/octet-stream
  17. actions:
  18. - pull

The notifications option is optional and currently may contain a single option, endpoints.

endpoints

The endpoints structure contains a list of named services (URLs) that can accept event notifications.

ParameterRequiredDescription
nameyesA human-readable name for the service.
disablednoIf true, notifications are disabled for the service.
urlyesThe URL to which events should be published.
headersyesA list of static headers to add to each request. Each header’s name is a key beneath headers, and each value is a list of payloads for that header name. Values must always be lists.
timeoutyesA value for the HTTP timeout. A positive integer and an optional suffix indicating the unit of time, which may be ns, us, ms, s, m, or h. If you omit the unit of time, ns is used.
thresholdyesAn integer specifying how long to wait before backing off a failure.
backoffyesHow long the system backs off before retrying after a failure. A positive integer and an optional suffix indicating the unit of time, which may be ns, us, ms, s, m, or h. If you omit the unit of time, ns is used.
ignoredmediatypesnoA list of target media types to ignore. Events with these target media types are not published to the endpoint.
ignorenoEvents with these mediatypes or actions are not published to the endpoint.

ignore

ParameterRequiredDescription
mediatypesnoA list of target media types to ignore. Events with these target media types are not published to the endpoint.
actionsnoA list of actions to ignore. Events with these actions are not published to the endpoint.

events

The events structure configures the information provided in event notifications.

ParameterRequiredDescription
includereferencesnoIf true, include reference information in manifest events.

redis

Declare parameters for constructing the redis connections. Registry instances may use the Redis instance for several applications. Currently, it caches information about immutable blobs. Most of the redis options control how the registry connects to the redis instance.

You should configure Redis with the allkeys-lru eviction policy, because the registry does not set an expiration value on keys.

Under the hood distribution uses go-redis Go module for Redis connectivity and its UniversalOptions struct.

You can optionally specify TLS configuration on top of the UniversalOptions settings.

Use these settings to configure Redis TLS:

ParameterRequiredDescription
certificateyesAbsolute path to the x509 certificate file.
keyyesAbsolute path to the x509 private key file.
clientcasnoAn array of absolute paths to x509 CA files.
  1. redis:
  2. tls:
  3. certificate: /path/to/cert.crt
  4. key: /path/to/key.pem
  5. clientcas:
  6. - /path/to/ca.pem
  7. addrs: [localhost:6379]
  8. password: asecret
  9. db: 0
  10. dialtimeout: 10ms
  11. readtimeout: 10ms
  12. writetimeout: 10ms
  13. maxidleconns: 16
  14. poolsize: 64
  15. connmaxidletime: 300s

health

  1. health:
  2. storagedriver:
  3. enabled: true
  4. interval: 10s
  5. threshold: 3
  6. file:
  7. - file: /path/to/checked/file
  8. interval: 10s
  9. http:
  10. - uri: http://server.to.check/must/return/200
  11. headers:
  12. Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
  13. statuscode: 200
  14. timeout: 3s
  15. interval: 10s
  16. threshold: 3
  17. tcp:
  18. - addr: redis-server.domain.com:6379
  19. timeout: 3s
  20. interval: 10s
  21. threshold: 3

The health option is optional, and contains preferences for a periodic health check on the storage driver’s backend storage, as well as optional periodic checks on local files, HTTP URIs, and/or TCP servers. The results of the health checks are available at the /debug/health endpoint on the debug HTTP server if the debug HTTP server is enabled (see http section).

storagedriver

The storagedriver structure contains options for a health check on the configured storage driver’s backend storage. The health check is only active when enabled is set to true.

ParameterRequiredDescription
enabledyesSet to true to enable storage driver health checks or false to disable them.
intervalnoHow long to wait between repetitions of the storage driver health check. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. Defaults to 10s if the value is omitted. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds.
thresholdnoA positive integer which represents the number of times the check must fail before the state is marked as unhealthy. If not specified, a single failure marks the state as unhealthy.

file

The file structure includes a list of paths to be periodically checked for the
existence of a file. If a file exists at the given path, the health check will fail. You can use this mechanism to bring a registry out of rotation by creating a file.

ParameterRequiredDescription
fileyesThe path to check for existence of a file.
intervalnoHow long to wait before repeating the check. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. Defaults to 10s if the value is omitted. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds.

http

The http structure includes a list of HTTP URIs to periodically check with HEAD requests. If a HEAD request does not complete or returns an unexpected status code, the health check will fail.

ParameterRequiredDescription
uriyesThe URI to check.
headersnoStatic headers to add to each request. Each header’s name is a key beneath headers, and each value is a list of payloads for that header name. Values must always be lists.
statuscodenoThe expected status code from the HTTP URI. Defaults to 200.
timeoutnoHow long to wait before timing out the HTTP request. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds.
intervalnoHow long to wait before repeating the check. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. Defaults to 10s if the value is omitted. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds.
thresholdnoThe number of times the check must fail before the state is marked as unhealthy. If this field is not specified, a single failure marks the state as unhealthy.

tcp

The tcp structure includes a list of TCP addresses to periodically check using TCP connection attempts. Addresses must include port numbers. If a connection attempt fails, the health check will fail.

ParameterRequiredDescription
addryesThe TCP address and port to connect to.
timeoutnoHow long to wait before timing out the TCP connection. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds.
intervalnoHow long to wait between repetitions of the check. A positive integer and an optional suffix indicating the unit of time. The suffix is one of ns, us, ms, s, m, or h. Defaults to 10s if the value is omitted. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds.
thresholdnoThe number of times the check must fail before the state is marked as unhealthy. If this field is not specified, a single failure marks the state as unhealthy.

proxy

  1. proxy:
  2. remoteurl: https://registry-1.docker.io
  3. username: [username]
  4. password: [password]
  5. ttl: 168h

The proxy structure allows a registry to be configured as a pull-through cache to Docker Hub. See mirror for more information. Pushing to a registry configured as a pull-through cache is unsupported.

ParameterRequiredDescription
remoteurlyesThe URL for the repository on Docker Hub.
usernamenoThe username registered with Docker Hub which has access to the repository.
passwordnoThe password used to authenticate to Docker Hub using the username specified in username.
ttlnoExpire proxy cache configured in “storage” after this time. Cache 168h(7 days) by default, set to 0 to disable cache expiration, The suffix is one of ns, us, ms, s, m, or h. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds.

To enable pulling private repositories (e.g. batman/robin) specify the username (such as batman) and the password for that username.

Note: These private repositories are stored in the proxy cache’s storage. Take appropriate measures to protect access to the proxy cache.

validation

  1. validation:
  2. disabled: false

Use these settings to configure what validation the registry performs on content.

Validation is performed when content is uploaded to the registry. Changing these settings will not validate content that has already been accepting into the registry.

disabled

The disabled flag disables the other options in the validation section. They are enabled by default. This option deprecates the enabled flag.

manifests

Use the manifests subsection to configure validation of manifests. If disabled is false, the validation allows nothing.

urls

  1. validation:
  2. manifests:
  3. urls:
  4. allow:
  5. - ^https?://([^/]+\.)*example\.com/
  6. deny:
  7. - ^https?://www\.example\.com/

The allow and deny options are each a list of regular expressions that restrict the URLs in pushed manifests.

If allow is unset, pushing a manifest containing URLs fails.

If allow is set, pushing a manifest succeeds only if all URLs match one of the allow regular expressions and one of the following holds:

  1. deny is unset.
  2. deny is set but no URLs within the manifest match any of the deny regular expressions.

indexes

By default the registry will validate that all platform images exist when an image index is uploaded to the registry. Disabling this validatation is experimental because other tooling that uses the registry may expect the image index to be complete.

validation: manifests: indexes: platforms: [all|none|list] platformlist: - os: linux architecture: amd64

Use these settings to configure what validation the registry performs on image index manifests uploaded to the registry.

platforms

Set platformexist to all (the default) to validate all platform images exist. The registry will validate that the images referenced by the index exist in the registry before accepting the image index.

Set platforms to none to disable all validation that images exist when an image index manifest is uploaded. This allows image lists to be uploaded to the registry without their associated images. This setting is experimental because other tooling that uses the registry may expect the image index to be complete.

Set platforms to list to selectively validate the existence of platforms within image index manifests. This setting is experimental because other tooling that uses the registry may expect the image index to be complete.

platformlist

When platforms is set to list, set platformlist to an array of platforms to validate. If a platform is included in this the array and in the images contained within an index, the registry will validate that the platform specific image exists in the registry before accepting the index. The registry will not validate the existence of platform specific images in the index that do not appear in the platformlist array.

This parameter does not validate that the configured platforms are included in every index. If an image index does not include one of the platform specific images configured in the platformlist array, it may still be accepted by the registry.

Each platform is a map with two keys, os and architecture, as defined in the OCI Image Index specification.

Example: Development configuration

You can use this simple example for local development:

  1. version: 0.1
  2. log:
  3. level: debug
  4. storage:
  5. filesystem:
  6. rootdirectory: /var/lib/registry
  7. http:
  8. addr: localhost:5000
  9. secret: asecretforlocaldevelopment
  10. debug:
  11. addr: localhost:5001

This example configures the registry instance to run on port 5000, binding to localhost, with the debug server enabled. Registry data is stored in the /var/lib/registry directory. Logging is set to debug mode, which is the most verbose.

See config-example.yml for another simple configuration. Both examples are generally useful for local development.

Example: Middleware configuration

This example configures Amazon Cloudfront as the storage middleware in a registry. Middleware allows the registry to serve layers via a content delivery network (CDN). This reduces requests to the storage layer.

Cloudfront requires the S3 storage driver.

This is the configuration expressed in YAML:

  1. middleware:
  2. storage:
  3. - name: cloudfront
  4. disabled: false
  5. options:
  6. baseurl: http://d111111abcdef8.cloudfront.net
  7. privatekey: /path/to/asecret.pem
  8. keypairid: asecret
  9. duration: 60s

See the configuration reference for Cloudfront for more information about configuration options.

Cloudfront keys exist separately from other AWS keys. See the documentation on AWS credentials for more information.