We run a very simple insecure OCI registry using the docker registry version 2 image. Since we run this container using rootless podman, the registry container itself has no more privileges than the user who runs it.
The following shell scripts can be used to control the registry:
- runRegistry runs the registry in the current terminal (so you can see all activity logged to the terminal AND you can stop the registry by typing ^C).
- removeRegistry deletes the podman-registry container created (but not deleted) by the runRegistry command.
- clearRegistry clears out ALL images contained in the current file system registry (using our example registryConfig (see below), this is located in $HOME/.local/share/containers/registry).
- listContainers uses podman container ls --all to list all known containers.
- listRegistry uses podman search to list all images in the current podman-registry.
The registryConfig script, which is sourced by all of the above scripts,
contains the following configuration parameters:
- $REGISTRY_DIR This is the (local) file system directory used to store the uploaded images.
- $REGISTRY_HOST This is the DNS name of the host which runs this registry. It must be configured in your (local) DNS service or, alternatively, in the /etc/hosts files on each machine which will access this registry.
- $REGISTRY_PORT This is the port on which the registry will listen. The firewall on the machine which runs this registry must allow inbound traffic on this port.
The registryConfigExample script provides an example. Rename it to
registryConfig and update the values to suit your needs.
You can use the standard podman push, podman pull and podman search
tools to push, pull and search this podman-registry. You may need to append
the switch --tls-verify=false to allow podman to use http instead of
(the default) https transport.
Using our example registryConfig, the registry prefix is:
podman-registry:5000. This prefix must be prepended to the target image
name given to podman tag, as well as to any image names you want to push
to or pull from this local registry.
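The following is an added example, not one of the scripts described above: it builds the prefixed image name from the registryConfig values and limits --tls-verify=false to the single push to this registry. The function names registry_prefix, registry_ref and push_to_registry are hypothetical, and the defaults assume the example values podman-registry and 5000.

```shell
#!/bin/sh
# Added example. Defaults mirror the page's example registryConfig
# (podman-registry:5000); the function names are hypothetical.
REGISTRY_HOST="${REGISTRY_HOST:-podman-registry}"
REGISTRY_PORT="${REGISTRY_PORT:-5000}"

# Print the registry prefix, e.g. podman-registry:5000
registry_prefix() {
    printf '%s:%s\n' "$REGISTRY_HOST" "$REGISTRY_PORT"
}

# Turn any image name into a reference on the local registry.
# A leading component is treated as a registry host when it contains
# "." or ":" or is "localhost" (the usual image-reference convention)
# and is replaced by our prefix; otherwise the prefix is prepended.
registry_ref() {
    image="$1"
    [ -n "$image" ] || { echo "usage: registry_ref IMAGE[:TAG]" >&2; return 2; }
    case "$image" in
        */*)
            first="${image%%/*}"
            case "$first" in
                *.*|*:*|localhost) image="${image#*/}" ;;
            esac
            ;;
    esac
    printf '%s/%s\n' "$(registry_prefix)" "$image"
}

# Tag a local image and push it. --tls-verify=false is passed only on
# this one push, so TLS verification stays on for every other registry.
push_to_registry() {
    ref="$(registry_ref "$1")" || return
    podman tag "$1" "$ref" &&
        podman push --tls-verify=false "$ref"
}
```

Source this file after registryConfig and call push_to_registry alpine:3.19 (a constructed image name) to tag and push in one step.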
Using our example registryConfig, to be accessible from all machines on
the LAN, you need to ensure the ufw firewall allows traffic to/from tcp
port 5000. To do this type:
sudo ufw allow 5000
See: