docker registry daily garbage collection with s6-overlay
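# github issue https://github.com/docker/distribution/issues/2094 and https://github.com/docker/distribution/issues/2270
# Dockerfile, based on the official registry:2 image.
# The heredoc is quoted ('EOF') so the generating shell expands nothing inside it and
# backslashes do not have to be doubled.
cat <<'EOF' > Dockerfile
# TODO: pin a specific minor tag or digest (registry:2.<minor>@sha256:<digest>) for reproducible builds.
FROM registry:2
# ADD is used deliberately here: it extracts the local tarball into / (COPY would copy the archive as-is).
ADD s6-overlay-amd64.tar.gz /
# plain file tree -> COPY, not ADD
COPY rootfs /
# - lock the root account: the base image ships /etc/shadow with an empty password field (root::).
#   "-i -e" rather than "-ie": GNU and BusyBox sed read "-ie" as in-place editing with backup
#   suffix "e", which leaves a stray copy of the shadow file at /etc/shadowe.
# - create an unprivileged registry user/group with a fixed uid/gid (used by s6-setuidgid and fix-attrs.d)
# - s6-overlay only runs services.d/*/run and cont-init.d/* scripts, and crond only runs periodic
#   scripts, when they are executable; files written with `cat > file` on the host are 0644.
# - steps are chained with && so a failing step fails the build instead of being silently ignored
RUN sed -i -e 's/^root::/root:!:/' /etc/shadow \
 && addgroup -g 9999 registry \
 && adduser -u 9999 -s /sbin/nologin -H -h /registry -D -G registry registry \
 && chmod +x /etc/periodic/*/* /etc/cont-init.d/* /etc/services.d/*/run
VOLUME ["/registry"]
EXPOSE 5000
ENTRYPOINT ["/init"]
EOF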
# example docker compose file for the image built below.
# - restart: always is what turns the daily s6-svscanctl shutdown into a restart (and so a GC run)
# - config.yml and the storage directory are bind-mounted from the host; the host paths are examples
# - 80:5000 publishes the registry on every host interface; whether that endpoint is TLS depends
#   on the mounted config.yml, which this file does not show
cat <<'EOF' > docker-compose.yaml
version: '3'
services:
  registry:
    image: my-custom-registry:latest
    restart: always
    ports:
      - "80:5000"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /docker/volumes/registry/config.yml:/etc/docker/registry/config.yml:ro
      - /docker/volumes/registry:/registry
EOF
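# download and verify s6-overlay
# The heredoc is quoted so the script is written verbatim. In the unquoted original the
# `$(curl ...)` on the version line and the `$?` after the gzip check were expanded by the
# *generating* shell, so the download check compared a constant and could never fire.
# The script is POSIX sh ([ ] instead of [[ ]], no `read -p`/`read -n`) because it is run with /bin/sh.
cat <<'EOF' > download+verify-s6-overlay.sh
#!/bin/sh
# Download the latest s6-overlay release tarball and its detached signature, then verify the
# signature against the just-containers signing key, whose fingerprint is pinned below.
# Exit status: 0 on success, non-zero on any download or verification failure.
set -u
s6fingerprint="DB301BA3F6F807E0D0E6CCB86101B2783B2FD161"
archive="s6-overlay-amd64.tar.gz"
base="https://github.com/just-containers/s6-overlay/releases/download"

echo "* checking latest s6 version"
version=$(curl -fsSL https://api.github.com/repos/just-containers/s6-overlay/releases/latest | grep tag_name | cut -d\" -f4)
if [ -z "$version" ]; then
  echo "ERROR: could not determine latest s6-overlay version"; exit 1
fi
echo "latest s6 version: $version"

echo "* download s6 & signature"
rm -f "$archive" "$archive.sig"
# -f makes curl fail on HTTP errors instead of saving an error page under the tarball's name
curl -fsSL -o "$archive" "$base/$version/$archive" || { echo "ERROR: download of $archive failed"; exit 1; }
echo "downloaded: $archive"
curl -fsSL -o "$archive.sig" "$base/$version/$archive.sig" || { echo "ERROR: download of $archive.sig failed"; exit 1; }
echo "downloaded: $archive.sig"
if ! file "$archive" | grep -q gzip; then
  echo "ERROR: download failed."; exit 1
fi

echo "* verify signature"
if [ ! -e ./s6.publickey.gpg ]; then
  # The key is fetched over HTTPS; trust comes from the fingerprint comparison below, not from the transport.
  curl -fsSL https://keybase.io/justcontainers/key.asc | gpg --yes -o s6.publickey.gpg --dearmor \
    || { echo "ERROR: could not fetch signing key"; exit 1; }
fi
# --with-colons is the stable machine-readable format: the first "fpr" record is the primary key
# fingerprint, in field 10. Parsing the human-readable `gpg -k` output depends on the gpg version.
fingerprint=$(gpg --no-default-keyring --keyring ./s6.publickey.gpg --with-colons --fingerprint 2>/dev/null \
  | awk -F: '/^fpr/ { print $10; exit }')
if [ "$fingerprint" != "$s6fingerprint" ]; then
  echo "downloaded GPG key fingerprint: >$fingerprint<"
  echo "          expected fingerprint: >$s6fingerprint<"
  # Interactive override kept from the original; declining now exits non-zero so a caller
  # chaining on && does not go on to build an image from an unverified tarball.
  printf '%s' 'trust the downloaded GPG key for signature verification anyway? (Type Y to confirm):'
  read -r REPLY
  if [ "$REPLY" != "Y" ]; then
    echo; exit 1
  fi
  echo
fi
if ! gpg --no-default-keyring --keyring ./s6.publickey.gpg --verify "$archive.sig" "$archive"; then
  echo; echo "ERROR: signature verification failed"; exit 1
fi
EOF
/bin/sh download+verify-s6-overlay.sh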
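# create rootfs/ - the file tree copied into the image root by the Dockerfile.
# s6-overlay only runs services.d/*/run and cont-init.d/* scripts that are executable, and
# `cat > file` creates them 0644, so each one is chmod'ed right after it is written so the
# mode is already correct when it enters the build context.
mkdir -p rootfs/etc/services.d/cron
# long-running crond service; -f keeps it in the foreground so s6 can supervise it
cat <<'EOF' > rootfs/etc/services.d/cron/run
#!/usr/bin/execlineb -P
/usr/sbin/crond -f -c /etc/crontabs
EOF
chmod +x rootfs/etc/services.d/cron/run

# run file for registry with user 'registry' (s6-setuidgid drops root before exec'ing the registry)
mkdir -p rootfs/etc/services.d/registry
cat <<'EOF' > rootfs/etc/services.d/registry/run
#!/usr/bin/execlineb -P
s6-setuidgid registry
/bin/registry serve /etc/docker/registry/config.yml
EOF
chmod +x rootfs/etc/services.d/registry/run

# run garbage collection on container startup (via cont-init.d).
# cont-init.d runs before services.d, so the registry is not serving while blobs are removed.
mkdir -p rootfs/etc/cont-init.d
cat <<'EOF' > rootfs/etc/cont-init.d/garbage-collect
#!/bin/sh
# only run if the registry has ever had a repository created -> path .../docker/registry/v2/repositories exists
# NOTE(review): this runs as root; it could run under `s6-setuidgid registry` like the service
# does - confirm config.yml is readable by that user before changing it.
if [ -d /registry/docker/registry/v2/repositories ]; then
  echo "* starting registry garbage collection"
  /bin/registry garbage-collect /etc/docker/registry/config.yml
else
  echo "* skipping garbage collection, /registry/docker/registry/v2/repositories does not yet exist"
fi
EOF
chmod +x rootfs/etc/cont-init.d/garbage-collect

# fix filesystem attributes for user 'registry' (path, recurse, owner, file mode, dir mode);
# applied by s6-overlay at every start, before cont-init.d
mkdir -p rootfs/etc/fix-attrs.d
cat <<'EOF' > rootfs/etc/fix-attrs.d/01-registry
/registry true registry 0600 0700
EOF

# gracefully restart container daily: asking s6-svscan to shut down ends the container, and
# `restart: always` in docker-compose.yaml brings it back up, which runs the cont-init.d GC.
# (periodic scripts are made executable by the Dockerfile's chmod on /etc/periodic.)
mkdir -p rootfs/etc/periodic/daily
cat <<'EOF' > rootfs/etc/periodic/daily/registry-restart-container
#!/bin/sh
echo "* restarting registry to trigger garbage collection"
s6-svscanctl -t /var/run/s6/services
EOF
chmod +x rootfs/etc/periodic/daily/registry-restart-container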
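# build the image (the tag must match `image:` in docker-compose.yaml)
# run it with docker compose; chained with && so a failed build does not start the stack
# with a stale my-custom-registry:latest image that may still exist locally
docker build -t my-custom-registry:latest . \
  && docker-compose up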