db122 that's a great question - the repository, or more accurately the registry, is itself a container, so this is an excellent opportunity to put the info in our container tutorial to use!
Most online tutorials for running a local podman registry assume you have root/sudo access. Opalstack doesn't provide root access on our managed servers so in addition to mapping ports and directories as shown in the tutorial, we're also going to need to create some extra configuration in our home directory instead of in /etc.
The first step is to create a proxy port app to reserve a port number for your registry. We'll map the app's assigned port to the container process with the -p option later. Note that for a local registry we don't need to add the app to a website, so skip step 2 in the tutorial for this. The rest of this example will use 11111 as the assigned port.
The rest of this is done in SSH as your new app's shell user.
We need a place to store the images, certificate, and password file so we'll create a few subdirectories in our new app directory:
mkdir ~/apps/NAME_OF_APP/{registry,certs,auth}
We'll map those directories to the container via the -v option when we start the container.
Next we need to let podman know that our registry exists. To do that, we'll create a local config file in our home directory...
mkdir -p ~/.config/containers
touch ~/.config/containers/registries.conf
... and then edit that file to give it the following contents (substitute 11111 with your own assigned port):
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', '127.0.0.1:11111']
[registries.insecure]
registries = ['127.0.0.1:11111']
registries.insecure is needed because your repo will be running locally with a self-signed certificate.
Next we create the self-signed certificate:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ~/apps/NAME_OF_APP/certs/reg.key -x509 -days 9999 -out ~/apps/NAME_OF_APP/certs/reg.crt -subj "/CN=127.0.0.1"
... and also the password file (replace USER and PASSWORD with the username and password that you want to use with the registry):
htpasswd -Bbn USER PASSWORD > ~/apps/NAME_OF_APP/auth/htpasswd
Now we'll fire up the registry container, mapping our port and container directories with the appropriate options, and including several environment -e options needed for SSL and authentication:
podman run -d --name registry \
-p 11111:5000 \
-v /home/SHELL_USER/apps/NAME_OF_APP/registry:/var/lib/registry \
-v /home/SHELL_USER/apps/NAME_OF_APP/auth:/auth \
-v /home/SHELL_USER/apps/NAME_OF_APP/certs:/certs \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/reg.crt" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/reg.key" \
--restart=always registry:2
Next, log in to the registry:
podman login 127.0.0.1:11111
... then query podman to ensure that it can see the registry:
podman info -f json | jq '.registries.search'
You should see your registry (127.0.0.1:11111 in our example) in the output, e.g.:
[
"registry.access.redhat.com",
"registry.redhat.io",
"docker.io",
"127.0.0.1:11111"
]
At this point our registry should be ready to use! We'll test it by pulling the official nginx image:
podman pull docker.io/nginx:latest
... then we'll tag it and push it to our new registry:
podman tag nginx:latest 127.0.0.1:11111/nginx:latest
podman push 127.0.0.1:11111/nginx:latest
....aaaaand that's it! We now have a working local podman registry 🙂
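
An added example, not part of the original post: a small audit of the files this walkthrough leaves in a home directory on a shared server. It checks that reg.key and htpasswd are private, that every htpasswd entry is bcrypt (the only format the registry image accepts, which is why htpasswd is run with -B), and that [registries.insecure] lists nothing but loopback addresses. The function names audit_registry and shared_perms are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_registry APP_DIR REGISTRIES_CONF
#   prints one line per finding; returns 0 when clean, 1 otherwise.

# True when the file grants any permission to group or other.
shared_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

audit_registry() {
    app_dir=$1 conf=$2 findings=0
    for f in "$app_dir/certs/reg.key" "$app_dir/auth/htpasswd"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; findings=$((findings + 1))
        elif shared_perms "$f"; then
            echo "PERMS    $f is accessible to group/other; chmod 600"
            findings=$((findings + 1))
        fi
    done
    # Count non-blank htpasswd lines whose hash is not bcrypt ($2a$/$2b$/$2y$).
    if [ -f "$app_dir/auth/htpasswd" ]; then
        bad=$(grep -v '^[[:space:]]*$' "$app_dir/auth/htpasswd" |
              grep -cv '^[^:]*:\$2[aby]\$' || true)
        if [ "$bad" -gt 0 ]; then
            echo "HASH     $bad htpasswd entries are not bcrypt"
            findings=$((findings + 1))
        fi
    fi
    # registries.insecure disables TLS verification, so only loopback belongs there.
    if [ -f "$conf" ]; then
        remote=$(awk '/^\[/ { sec = $0; next }
                      sec == "[registries.insecure]" && /^registries/' "$conf" |
                 grep -o "['\"][^'\"]*['\"]" | tr -d "'\"" |
                 grep -Ecv '^(127\.0\.0\.1|localhost)(:[0-9]+)?$' || true)
        if [ "$remote" -gt 0 ]; then
            echo "INSECURE $remote non-loopback entries in [registries.insecure]"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}
```

Source the file, then run: audit_registry ~/apps/NAME_OF_APP ~/.config/containers/registries.conf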