| # This config lists all the possible config options. |
| # |
| # To configure Docker Registry to talk to this server, put the following in the registry config file: |
| # |
| # auth: |
| # token: |
| # realm: "https://127.0.0.1:5001/auth" |
| # service: "Docker registry" |
| # issuer: "Acme auth server" |
| # rootcertbundle: "/path/to/server.pem" |
| |
| server: # Server settings. |
| # Address to listen on. |
| addr: ":5001" |
| |
| # TLS options. |
| # |
| # Use specific certificate and key. |
| certificate: "/path/to/server.pem" |
| key: "/path/to/server.key" |
| # Use LetsEncrypt (https://letsencrypt.org/) to automatically obtain and maintain a certificate. |
| # Note that this only applies to server TLS certificate, this certificate will not be used for tokens |
| letsencrypt: |
| # Email is required. It will be used to register with LetsEncrypt. |
| email: webmaster@example.org |
| # Cache directory, where certificates issued by LE will be stored. Must exist. |
| # It is recommended to make it a volume mount so it persists across restarts. |
| cache_dir: /data/sslcache |
| # Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to. |
| # With this option, you can limit it to a specific host name. |
| # host: "docker.example.org" |
| # If neither certificate+key or letsencrypt are configured, the listener does not use TLS. |
| |
| # Take client's address from the specified HTTP header instead of connection. |
| # May be useful if the server is behind a proxy or load balancer. |
| # If configured, this header must be present, requests without it will be rejected. |
| # real_ip_header: "X-Forwarded-For" |
| # Optional position of client ip in X-Forwarded-For, negative starts from |
| # end of addresses. |
| # real_ip_pos: -2 |
| |
| token: # Settings for the tokens. |
| issuer: "Acme auth server" # Must match issuer in the Registry config. |
| expiration: 900 |
| # Token must be signed by a certificate that registry trusts, i.e. by a certificate to which a trust chain |
| # can be constructed from one of the certificates in registry's auth.token.rootcertbundle. |
| # If not specified, server's TLS certificate and key are used. |
| # certificate: "..." |
| # key: "..." |
| |
| # Authentication methods. All are tried, any one returning success is sufficient. |
| # At least one must be configured. If you want an unauthenticated public setup, |
| # configure static user map with anonymous access. |
| |
| # Static user map. |
| users: |
| # Password is specified as a BCrypt hash. Use htpasswd -B to generate. |
| "admin": |
| password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin |
| "test": |
| password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123 |
| "": {} # Allow anonymous (no "docker login") access. |
| |
| # Google authentication. |
| # ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK. |
| # Instead, Auth server maintains a database of Google authentication tokens. |
| # Go to the server's port as HTTPS with your browser and follow the "Login with Google account" link. |
| # Once signed in, you will get a throw-away password which you can use for Docker login. |
| google_auth: |
| domain: "example.com" # Optional. If set, only logins from this domain are accepted. |
| # client_id and client_secret for API access. Required. |
| # Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project |
| # NB: Make sure JavaScript origins are configured correctly. |
| client_id: "1223123456-somethingsomething.apps.googleusercontent.com" |
| # Either client_secret or client_secret_file is required. Use client_secret_file if you don't |
| # want to have sensitive information checked in. |
| # client_secret: "verysecret" |
| client_secret_file: "/path/to/client_secret.txt" |
| # Where to store server tokens. Required. |
| token_db: "/somewhere/to/put/google_tokens.ldb" |
| # How long to wait when talking to Google servers. Optional. |
| http_timeout: 10 |
| |
| # GitHub authentication. |
| # ==! NB: DO NOT ENTER YOUR GITHUB PASSWORD AT "docker login". IT WILL NOT WORK. |
| # Instead, Auth server maintains a database of GitHub authentication tokens. |
| # Go to the server's port as HTTPS with your browser and follow the "Login with GitHub account" link. |
| # Once signed in, you will get a throw-away password which you can use for Docker login. |
| github_auth: |
| organization: "acme" # Optional. If set, only logins from this organization are accepted. |
| # client_id and client_secret for API access. Required. |
| # You can register a new application here: https://github.com/settings/developers |
| # NB: Make sure JavaScript origins are configured correctly. |
| client_id: "1223123456" |
| # Either client_secret or client_secret_file is required. Use client_secret_file if you don't |
| # want to have sensitive information checked in. |
| # client_secret: "verysecret" |
| client_secret_file: "/path/to/client_secret.txt" |
| # Where to store server tokens. Required. |
| token_db: "/somewhere/to/put/github_tokens.ldb" |
| # How long to wait when talking to GitHub servers. Optional. |
| http_timeout: "10s" |
| # How long to wait before revalidating the GitHub token. Optional. |
| revalidate_after: "1h" |
| # The Github Web URI in case you are using Github Enterprise. |
| # Includes the protocol, without trailing slash. Optional - defaults to: https://github.com |
| github_web_uri: "https://github.acme.com" |
| # The Github API URI in case you are using Github Enterprise. |
| # Includes the protocol, without trailing slash. - defaults to: https://api.github.com |
| github_api_uri: "https://github.acme.com/api/v3" |
| |
| # LDAP authentication. |
| # Authentication is performed by first binding to the server, looking up the user entry |
| # by using the specified filter, and then re-binding using the matched DN and the password provided. |
| ldap_auth: |
| # Addr is the hostname:port or ip:port |
| addr: ldap.example.com:636 |
| # Setup tls connection method to be |
| # "" or "none": the communication won't be encrypted |
| # "always": setup LDAP over SSL/TLS |
| # "starttls": sets StartTLS as the encryption method |
| tls: always |
| # set to true to allow insecure tls |
| insecure_tls_skip_verify: false |
| # In case bind DN and password is required for querying user information, |
| # specify them here. Plain text password is read from the file. |
| bind_dn: |
| bind_password_file: |
| # User query settings. ${account} is expanded from auth request |
| base: o=example.com |
| filter: (&(uid=${account})(objectClass=person)) |
| |
| mongo_auth: |
| # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo |
| dial_info: |
| # The MongoDB hostnames or IPs to connect to. |
| addrs: ["localhost"] |
| # The time to wait for a server to respond when first connecting and on |
| # follow up operations in the session. If timeout is zero, the call may |
| # block forever waiting for a connection to be established. |
| # (See https://golang.org/pkg/time/#ParseDuration for a format description.) |
| timeout: "10s" |
| # Database name that will be used on the MongoDB server. |
| database: "docker_auth" |
| # The username with which to connect to the MongoDB server. |
| username: "" |
| # Path to the text file with the password in it. |
| password_file: "" |
| # Name of the collection in which ACLs will be stored in MongoDB. |
| collection: "users" |
| # Unlike acl_mongo we don't cache the full user set. We just query mongo for |
| # an exact match for each authorization |
| |
| # External authentication - call an external progam to authenticate user. |
| # Username and password are passed to command's stdin and exit code is examined. |
| # 0 - allow, 1 - deny, 2 - no match, other - error. |
| # In case of success, if any output is returned, it is parsed as a JSON object. |
| # The "labels" key may contain labels to be passed down to authz, where they can |
| # be used in matching. See ext_auth.sh for an example. |
| ext_auth: |
| command: "/usr/local/bin/my_auth" # Can be a relative path too; $PATH works. |
| args: ["--flag", "--more", "--flags"] |
| |
| # Authorization methods. All are tried, any one returning success is sufficient. |
| # At least one must be configured. |
| |
| # ACL specifies who can do what. If the match section of an entry matches the |
| # request, the set of allowed actions will be applied to the token request |
| # and a ticket will be issued only for those of the requested actions that are |
| # allowed by the rule. |
| # * It is possible to match on user's name ("account"), subject type ("type") |
| # and name ("name"; for type=repository this is the image name). |
| # * Matches are evaluated as shell file name patterns ("globs") by default, |
| # so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility |
| # match patterns can be evaluated as regexes by enclosing them in //, e.g. |
| # "/(foo|bar)/". |
| # * IP match can be single IP address or a subnet in the "prefix/mask" notation. |
| # * ACL is evaluated in the order it is defined until a match is found. |
| # Rules below the first match are not evaluated, so you'll need to put more |
| # specific rules above more broad ones. |
| # * Empty match clause matches anything, it only makes sense at the end of the |
| # list and can be used as a way of specifying default permissions. |
| # * Empty actions set means "deny everything". Thus, a rule with `actions: []` |
| # is in effect a "deny" rule. |
| # * A special set consisting of a single "*" action means "allow everything". |
| # * If no match is found the default is to deny the request. |
| # |
| # You can use the following variables from the ticket request in any field: |
| # * ${account} - the account name, currently the same as authenticated user's name. |
| # * ${service} - the service name, specified by auth.token.service in the registry config. |
| # * ${type} - the type of the entity, normally "repository". |
| # * ${name} - the name of the repository (i.e. image), e.g. centos. |
| acl: |
| - match: {ip: "127.0.0.0/8"} |
| actions: ["*"] |
| comment: "Allow everything from localhost (IPv4)" |
| - match: {ip: "::1"} |
| actions: ["*"] |
| comment: "Allow everything from localhost (IPv6)" |
| - match: {ip: "172.17.0.1"} |
| actions: ["*"] |
| comment: "Allow everything from the local Docker bridge address" |
| - match: {account: "admin"} |
| actions: ["*"] |
| comment: "Admin has full access to everything." |
| - match: {account: "test", name: "test-*"} |
| actions: ["*"] |
| comment: "User \"test\" has full access to test-* images but nothing else. (1)" |
| - match: {account: "test"} |
| actions: [] |
| comment: "User \"test\" has full access to test-* images but nothing else. (2)" |
| - match: {account: "/.+/", name: "${account}/*"} |
| actions: ["*"] |
| comment: "Logged in users have full access to images that are in their 'namespace'" |
| - match: {account: "/.+/", type: "registry", name: "catalog"} |
| actions: ["*"] |
| comment: "Logged in users can query the catalog." |
| - match: {account: "/.+/"} |
| actions: ["pull"] |
| comment: "Logged in users can pull all images." |
| - match: {account: "", name: "hello-world"} |
| actions: ["pull"] |
| comment: "Anonymous users can pull \"hello-world\"." |
| - match: {account: "/^(.+)@test.com$/", name: "${account:1}/*"} |
| actions: [] |
| comment: "Emit domain part of account to make it a correct repo name" |
| # Access is denied by default. |
| |
| # (optional) Define to query ACL from a MongoDB server. |
| acl_mongo: |
| # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo |
| dial_info: |
| # The MongoDB hostnames or IPs to connect to. |
| addrs: ["localhost"] |
| # The time to wait for a server to respond when first connecting and on |
| # follow up operations in the session. If timeout is zero, the call may |
| # block forever waiting for a connection to be established. |
| # (See https://golang.org/pkg/time/#ParseDuration for a format description.) |
| timeout: "10s" |
| # Database name that will be used on the MongoDB server. |
| database: "docker_auth" |
| # The username with which to connect to the MongoDB server. |
| username: "" |
| # Path to the text file with the password in it. |
| password_file: "" |
| # Name of the collection in which ACLs will be stored in MongoDB. |
| collection: "acl" |
| # Specify how long an ACL remains valid before they will be fetched again from |
| # the MongoDB server. |
| # (See https://golang.org/pkg/time/#ParseDuration for a format description.) |
| cache_ttl: "1m" |
| |
| # External authorization - call an external progam to authorize user. |
| # JSON of authz.AuthRequestInfo is passed to command's stdin and exit code is examined. |
| # 0 - allow, 1 - deny, other - error. |
| ext_authz: |
| command: "/usr/local/bin/my_authz" # Can be a relative path too; $PATH works. |
| args: ["--flag", "--more", "--flags"] |