Portus frontend for Docker Repository:2.1 or later; fork of SUSE/Portus

Portus

Build from https://github.com/sshipway/Portus ( fork of https://github.com/SUSE/Portus )

Portus is an authorization server and a user interface for the next generation of the Docker registry. Portus targets version 2 of the Docker Registry API. The minimum required version of Registry is 2.1, which is the first version supporting soft deletes of blobs. Registry 2.2 and 2.3 are also supported.

This container is built from the standard software, with additional startup script items to initialise the database, set up registry linkages, and so on. The updated startup will, in addition to the normal behaviour:

  • Create certificates
  • Initialise and upgrade Portus database
  • Add registry definition to database
  • Create Portus user in application
  • Configure nginx SSL offload proxy
  • Schedule a periodic resync job based on the environment passed in

Exported Configurations

If you have set PORTUS_MACHINE_FQDN and PORTUS_KEY_PATH, and there is no key file present at that path, then the startup script will generate a self-signed certificate and key and store them there (the certificate will be in the same location as the key, but with a .crt extension). By default, these will be in /certs, so you can map this from a shared location.

The directory /etc/nginx/conf.d is an exportable volume, and a file portus.conf will be created in it that holds an NGINX configuration file suitable for use by an SSL-offloading proxy. If you mount this path to an NGINX container, along with the /certs volume, then NGINX will be automatically configured.

This is an example of the portus.conf created:

      server {
        listen 443 ssl;
        ssl_certificate     certs/registry.crt;
        ssl_certificate_key certs/registry.key;
        location / {
          proxy_set_header Host docker.example.com;
          proxy_set_header X-Forwarded-Proto https;
          proxy_set_header X-Forwarded-Host docker.example.com:443;
          proxy_pass http://portus:3000/;
          proxy_http_version 1.1;
          proxy_set_header Connection "upgrade";
          proxy_read_timeout 900s;
        }
      }

TL;DR

You need to have a MySQL database for this to start up. Here is an example with no SSL, no webhooks, and local authentication only.

docker run \
  -d --restart=always --name portus-mysql \
  -e MYSQL_DATABASE=portus \
  -e MYSQL_ROOT_PASSWORD="$ROOTPASSWORD" \
  -e MYSQL_USER=portus \
  -e MYSQL_PASSWORD="$DBPASSWORD" \
  -v $DIR/portus:/var/lib/mysql \
  mysql

docker run \
  -d --restart=always --name portus \
  -e PORTUS_MACHINE_FQDN=$DOMAIN \
  --link=portus-mysql:portus-mysql \
  -e PORTUS_PRODUCTION_HOST=portus-mysql \
  -e PORTUS_PRODUCTION_DATABASE=portus \
  -e PORTUS_PRODUCTION_USERNAME=portus \
  -e PORTUS_PRODUCTION_PASSWORD="$DBPASSWORD" \
  -e PORTUS_GRAVATAR_ENABLED=true \
  -e PORTUS_CHECK_SSL_USAGE_ENABLED=false \
  -p 80:3000 \
  -e PORTUS_PASSWORD="$DBPASSWORD" \
  -e PORTUS_SECRET_KEY_BASE="$KEY" \
  sshipway/portus:latest

Of course, you can use other options to enable LDAP authentication, SMTP links, and so on. Here is a full registry setup with certificates, authentication, webhooks and everything. Data is stored in $DIR. A self-signed certificate is created if necessary. Note that a special version of the nginx container is used which takes the configuration in an environment variable.

docker run -d -p 5000:5000 --restart=always --name registry \
  -e REGISTRY_LOG_LEVEL=warn \
  -v $DIR/data:/var/lib/registry \
  -e REGISTRY_STORAGE_DELETE_ENABLED=true \
  -v $DIR/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/server.key  \
  -e REGISTRY_AUTH_TOKEN_REALM=https://docker.example.com:443/v2/token \
  -e REGISTRY_AUTH_TOKEN_SERVICE=docker.example.com:5000 \
  -e REGISTRY_AUTH_TOKEN_ISSUER=docker.example.com \
  -e REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/server.crt \
  -e REGISTRY_NOTIFICATIONS_ENDPOINTS_NAME=portus \
  -e REGISTRY_NOTIFICATIONS_ENDPOINTS_URL=https://docker.example.com:443/v2/webhooks/events \
  -e REGISTRY_NOTIFICATIONS_ENDPOINTS_TIMEOUT=500 \
  -e REGISTRY_NOTIFICATIONS_ENDPOINTS_THRESHOLD=5 \
  -e REGISTRY_NOTIFICATIONS_ENDPOINTS_BACKOFF=1 \
  registry:2.1

docker run \
  -d --restart=always --name portus-mysql \
  -e MYSQL_DATABASE=portus \
  -e MYSQL_ROOT_PASSWORD=password \
  -e MYSQL_USER=portus \
  -e MYSQL_PASSWORD=dbpassword \
  -v $DIR/portus:/var/lib/mysql \
  mysql

docker run \
  -d --restart=always --name portus \
  -e PORTUS_MACHINE_FQDN=docker.example.com \
  --link=registry:registry \
  -e PORTUS_LDAP_ENABLED=true \
  -e PORTUS_LDAP_HOSTNAME=ldap.example.com \
  -e PORTUS_LDAP_PORT=389 \
  -e PORTUS_LDAP_METHOD=starttls \
  -e PORTUS_LDAP_BASE=ou=People,dc=example,dc=com \
  -e PORTUS_LDAP_UID=cn \
  -e PORTUS_LDAP_AUTHENTICATION_ENABLED=true \
  -e PORTUS_LDAP_AUTHENTICATION_BIND_DN=cn=portus,dc=example,dc=com \
  -e PORTUS_LDAP_AUTHENTICATION_PASSWORD=ldappassword \
  -e PORTUS_LDAP_GUESS_EMAIL_ENABLED=true \
  -e PORTUS_LDAP_GUESS_EMAIL_ATTR=mail \
  --link=portus-mysql:portus-mysql \
  -e PORTUS_PRODUCTION_HOST=portus-mysql \
  -e PORTUS_PRODUCTION_DATABASE=portus \
  -e PORTUS_PRODUCTION_USERNAME=portus \
  -e PORTUS_PRODUCTION_PASSWORD=dbpassword \
  -e PORTUS_GRAVATAR_ENABLED=true \
  -e PORTUS_EMAIL_FROM=docker@example.com \
  -e PORTUS_EMAIL_REPLY_TO=nobody@example.com \
  -e PORTUS_SMTP_ENABLED=true \
  -e PORTUS_SMTP_ADDRESS=mail.example.com \
  -e PORTUS_KEY_PATH=/certs/server.key \
  -v $DIR/certs:/certs \
  -e PORTUS_PASSWORD="password" \
  -e PORTUS_SECRET_KEY_BASE="apikeybase" \
  -e REGISTRY_USE_SSL=true \
  -e REGISTRY_NAME=Registry \
  -e REGISTRY_HOSTNAME=docker.example.com \
  -e REGISTRY_PORT=5000 \
  -e PORTUS_CHECK_SSL_USAGE_ENABLED=true \
  -v $DIR/proxy:/etc/nginx/conf.d \
  sshipway/portus:2.0.0

docker run -d --restart=always \
  --link=portus \
  --name=portus-ssl \
  -p 443:443 \
  -v $DIR/proxy:/etc/nginx/conf.d \
  -v $DIR/certs:/etc/nginx/certs \
  -e NGINX_CERT_FILE=/etc/nginx/certs/server.crt \
  -e NGINX_KEY_FILE=/etc/nginx/certs/server.key \
  -e NGINX_DOMAIN=docker.example.com \
  nginx
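The certificate bootstrap, the generated portus.conf, and the pairing between the key at PORTUS_KEY_PATH and the certificate the registry is given as REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE, as an added example in POSIX sh (not the image's startup script and not Portus project code). It assumes openssl is on the PATH; the function names and parameter order are invented here.

```shell
#!/bin/sh
# Added example, not the image's startup script or the Portus project's code.
# It mirrors what the page describes: create a self-signed key/cert for the
# FQDN only when no key exists (cert beside it, .crt extension), render the
# NGINX SSL-offload portus.conf, and check that the certificate the registry
# trusts for token validation really belongs to the key Portus signs with.
# Paths are parameters so it can run outside the container.

# ensure_cert KEY_PATH FQDN : generate key + cert only if KEY_PATH is absent.
ensure_cert() {
  key="$1" fqdn="$2" crt="${1%.*}.crt"
  [ -f "$key" ] && return 0          # keep an existing key untouched
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$key" -out "$crt" 2>/dev/null
}

# cert_matches_key CRT KEY : succeed only if CRT carries KEY's public key.
# A mismatch means registry token verification fails (or trusts the wrong key).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# render_conf OUT_FILE FQDN PORTUS_HOST : write the offload config shown above.
render_conf() {
  cat >"$1" <<EOF
server {
  listen 443 ssl;
  ssl_certificate     certs/registry.crt;
  ssl_certificate_key certs/registry.key;
  location / {
    proxy_set_header Host $2;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Host $2:443;
    proxy_pass http://$3:3000/;
    proxy_http_version 1.1;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 900s;
  }
}
EOF
}

# Usage: sh portus-bootstrap.sh /certs/server.key docker.example.com /etc/nginx/conf.d/portus.conf
if [ $# -eq 3 ]; then
  ensure_cert "$1" "$2"
  cert_matches_key "${1%.*}.crt" "$1" && render_conf "$3" "$2" portus
fi
```

Run cert_matches_key against $DIR/certs/server.crt and $DIR/certs/server.key before starting the registry container; if it fails, the registry will reject every token Portus issues.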

Features

Fine-grained control of permissions

Portus supports the concept of users and teams. Users have their own personal Docker namespace where they have both read (aka docker pull) and write (aka docker push) access. A team is a group of users that have read and write access to a certain namespace. You can read more about this in our documentation page about it.

Portus implements the token based authentication system described by the new version of the Docker registry. This can be used to have full control over the images served by an instance of the Docker registry.

Web interface for Docker registry

Portus provides quick access to all the images available on your private instance of Docker registry. Users' privileges are taken into account to make sure private images (the ones requiring special rights even for docker pull) are not shown to unauthorized personnel.

Self-hosted

Portus allows you to host everything on your servers, on your own infrastructure. You don't have to trust a third-party service, just own everything yourself. Take a look at our documentation to read the different setups in which you can deploy Portus.

And more!

Some highlights:

Take a tour of our documentation site to read more about this.

Overview

In this video you can get an overview of some of the features and capabilities of Portus.

Licensing

Portus is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Owner
sshipway