docker registry daily garbage collection with s6-overlay
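# github issue https://github.com/docker/distribution/issues/2094 and https://github.com/docker/distribution/issues/2270
# Dockerfile, based on the official registry:2 image
# The heredoc delimiter is quoted so the outer shell expands nothing inside:
# single backslashes reach the Dockerfile unchanged as line continuations.
cat <<'EOF' > Dockerfile
FROM registry:2
# s6-overlay ships as a tarball; ADD is used deliberately for its auto-extract
# into /. The archive is signature-checked by download+verify-s6-overlay.sh
# before the build runs.
ADD s6-overlay-amd64.tar.gz /
# Plain directory copy: COPY, not ADD.
COPY rootfs /
# Single layer, &&-chained so a failing step fails the build:
# - lock the root account when its /etc/shadow password field is empty
#   (plain `-i`: the original `-ie` made sed keep a backup copy /etc/shadowe)
# - create the unprivileged registry user/group the service drops to
# - make every s6 script executable: `cat > file` leaves them 0644 and
#   s6 execs run/cont-init/periodic scripts directly
RUN sed -i 's/^root::/root:!:/' /etc/shadow \
    && addgroup -g 9999 registry \
    && adduser -u 9999 -s /sbin/nologin -H -h /registry -D -G registry registry \
    && chmod +x /etc/periodic/*/* /etc/services.d/*/run /etc/cont-init.d/*
VOLUME ["/registry"]
EXPOSE 5000
# s6-overlay init must start as root; the registry itself is started via
# s6-setuidgid registry in its run script.
ENTRYPOINT ["/init"]
EOF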
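# example docker compose file
# Quoted delimiter: nothing inside is expanded by the outer shell, and the
# YAML nesting below is significant.
cat <<'EOF' > docker-compose.yaml
version: "3"
services:
  registry:
    # also what brings the container back after the daily s6-svscanctl -t
    restart: always
    image: my-custom-registry:latest
    ports:
      # NOTE(review): host port 80 suggests plain HTTP; confirm TLS is
      # configured in config.yml or terminated by a proxy in front.
      - "80:5000"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # registry configuration is supplied from the host, read-only
      - /docker/volumes/registry/config.yml:/etc/docker/registry/config.yml:ro
      # blob storage; matches VOLUME ["/registry"] in the Dockerfile
      - /docker/volumes/registry:/registry
EOF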
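# download and verify s6-overlay
# The heredoc delimiter is quoted so every $var and $? is evaluated by the
# script itself when it runs. In the unquoted original, `$?` on the gzip check
# was expanded by the outer shell at file-creation time, so that check could
# never fail; `[[ ]]` and `read -n` were also bashisms run under /bin/sh.
cat <<'EOF' > download+verify-s6-overlay.sh; /bin/sh download+verify-s6-overlay.sh
#!/bin/sh
# Download the latest s6-overlay amd64 release tarball and its detached
# signature, then verify the signature against the just-containers GPG key.
# Exits non-zero on any download, key or signature failure. POSIX sh only.
set -eu

# Expected fingerprint of the just-containers signing key.
s6fingerprint="DB301BA3F6F807E0D0E6CCB86101B2783B2FD161"
archive="s6-overlay-amd64.tar.gz"
release_url="https://github.com/just-containers/s6-overlay/releases/download"
keyring="./s6.publickey.gpg"

echo "* checking latest s6 version"
version=$(curl -fsS https://api.github.com/repos/just-containers/s6-overlay/releases/latest | grep tag_name | cut -d'"' -f4)
if [ -z "$version" ]; then
  echo "ERROR: could not determine the latest s6-overlay version"; exit 1
fi
echo "latest s6 version: $version"

echo "* download s6 & signature"
rm -f "$archive" "$archive.sig"
# -f: fail on HTTP errors instead of saving an error page under the file name.
# One command per line so set -e aborts on the first failed download.
curl -fsSLo "$archive" "$release_url/$version/$archive"
echo "downloaded: $archive"
curl -fsSLo "$archive.sig" "$release_url/$version/$archive.sig"
echo "downloaded: $archive.sig"
if ! file "$archive" | grep -q gzip; then
  echo "ERROR: download failed."; exit 1
fi

echo "* verify signature"
if [ ! -e "$keyring" ]; then
  # fetch to a file first so a failed curl is caught by set -e (no pipefail in sh)
  curl -fsSo s6.key.asc https://keybase.io/justcontainers/key.asc
  gpg --yes -o "$keyring" --dearmor s6.key.asc
  rm -f s6.key.asc
fi
# machine-readable listing: the fpr record carries the fingerprint in field 10;
# the first one is the primary key.
fingerprint=$(gpg --no-default-keyring --keyring "$keyring" --with-colons --fingerprint | awk -F: '/^fpr:/ { print $10; exit }')
if [ "$fingerprint" != "$s6fingerprint" ]; then
  echo "downloaded GPG key fingerprint: >$fingerprint<"
  echo " expected fingerprint: >$s6fingerprint<"
  printf 'trust the downloaded GPG key for signature verification anyway? (Type Y to confirm):'
  read -r REPLY
  echo
  # refusing the key is a failure, not success: exit 1 so the caller notices
  if [ "$REPLY" != "Y" ]; then
    echo "ERROR: key fingerprint mismatch, not trusting the downloaded key"; exit 1
  fi
fi
if ! gpg --no-default-keyring --keyring "$keyring" --verify "$archive.sig" "$archive"; then
  echo; echo "ERROR: signature verification failed"; exit 1
fi
EOF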
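# create rootfs/
# Everything under rootfs/ is copied into the image at / by the Dockerfile.
# Heredoc delimiters are quoted so the outer shell expands nothing inside.
mkdir -p rootfs/etc/services.d/cron
# s6 service: busybox crond in the foreground. The /etc/periodic/* scripts are
# expected to be driven by the base image's default root crontab in
# /etc/crontabs — confirm it exists in registry:2.
cat <<'EOF' > rootfs/etc/services.d/cron/run
#!/usr/bin/execlineb -P
/usr/sbin/crond -f -c /etc/crontabs
EOF
# run file for registry with user 'registry'
mkdir -p rootfs/etc/services.d/registry
# s6 service: drop from root to the unprivileged registry user before exec'ing
# the daemon; the container's PID 1 (/init) stays root.
cat <<'EOF' > rootfs/etc/services.d/registry/run
#!/usr/bin/execlineb -P
s6-setuidgid registry
/bin/registry serve /etc/docker/registry/config.yml
EOF
# run garbage collection on container startup (via cont-init.d)
mkdir -p rootfs/etc/cont-init.d
# cont-init.d runs before the services.d services are started, so the registry
# is not serving while garbage-collect rewrites the storage directory.
# Plain POSIX `[ ]` tests: the script is run by /bin/sh.
cat <<'EOF' > rootfs/etc/cont-init.d/garbage-collect
#!/bin/sh
# only run if the registry has ever had a repository created -> path ../docker/v2/repositories exists
if [ -d /registry/docker/registry/v2/repositories ]; then
  echo "* starting registry garbage collection"
  /bin/registry garbage-collect /etc/docker/registry/config.yml
else
  echo "* skipping garbage collection, /registry/docker/registry/v2/repositories does not yet exist"
  exit 0
fi
EOF
# fix filesystem attributes for user 'registry'
mkdir -p rootfs/etc/fix-attrs.d
# fix-attrs.d line: <path> <recurse> <owner> <file mode> <dir mode>
# The storage volume is owned by registry and readable by nobody else.
cat <<'EOF' > rootfs/etc/fix-attrs.d/01-registry
/registry true registry 0600 0700
EOF
# gracefully restart container daily
mkdir -p rootfs/etc/periodic/daily
# Run by crond once a day. Telling s6-svscan to terminate brings the whole
# container down; the compose file's `restart: always` starts it again, which
# re-runs the cont-init.d garbage collection above.
cat <<'EOF' > rootfs/etc/periodic/daily/registry-restart-container
#!/bin/sh
echo "* restarting registry to trigger garbage collection"
s6-svscanctl -t /var/run/s6/services
EOF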
# build the image
# The build context is the current directory: Dockerfile, the verified
# s6-overlay tarball and rootfs/ must all be present here.
docker build --tag my-custom-registry:latest .
# run it with docker compose
# Foreground run; the compose file's restart policy handles the daily restart.
docker-compose up