In our current setup we proxy the entire Docker Hub to pull images, but what we want is to limit this proxy to only official indexes like ubuntu, apache etc. During configuration of the repository there was this option to set a custom index for the repository, so my two questions are:

`custom index` option will I be able to achieve what I explained above?

https://hub.docker.com/_/centos/ for centos but it didn't work.

Please suggest how to go about this.
Yes, you can use a custom index to limit what's available in your repo. To achieve that you have to deploy and maintain your own docker registry index service and use that when configuring your docker proxy repository.
However, an easier solution would be to use a content selector to limit what's allowed to be accessed via your docker proxy repository while still using Docker Hub with its original index.
Using the simplified content selector solution is a bit hacky, but might work for you. Essentially you have to provide a whitelist (or a blacklist) in the form of a regex. The implication of this solution is that users of your registry will still be able to search for any available image, because you can keep using the Docker Hub's index for simplicity.
`path =~ '^/v2/library/(alpine|ubuntu).*$'` will only allow `alpine` and `ubuntu` to be downloaded. Now, the user you have created shall log into your registry, e.g. `$ docker login nexus.local:8085`. That user will be authorised to pull both `alpine` and `ubuntu` (based on the content selector from step 2), but will fail to download anything else.
A sample successful pull:

```
$ docker pull nexus.local:8085/alpine
Using default tag: latest
latest: Pulling from alpine
Digest: sha256:0873c923e00e0fd2ba78041bfb64a105e1ecb7678916d1f7776311e45bf5634b
Status: Image is up to date for nexus.local:8085/alpine:latest
```

A sample failed pull:

```
$ docker pull nexus.local:8085/postgres
Using default tag: latest
Error response from daemon: unauthorized: access to the requested resource is not authorized
```
we proxy the entire Docker Hub to pull images, but what we want is to limit this proxy to only official indexes like ubuntu, apache
What I did was:

Mode: `ALLOW`

`alpine` and `centos` so I created two matches with:

`^/v2/library/centos.*$`

`^/v2/library/alpine.*$`

Routing Rule
That way all except centos and alpine are available from that docker proxy repo. Pulling anything else results in a "manifest unknown" error from docker.
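An added check, not part of either answer above: the matchers quoted in both answers end the repository name with `.*` rather than `/`, so they also admit any `library/` repository whose name merely starts with an allowed name. The script below runs the page's patterns and a tightened variant over constructed request paths; the `STRICT` patterns, the sample paths and the `*-example` names are assumptions, and Python's `re` stands in for the repository manager's regex engine.

```python
import re

# Matchers quoted on the page (content selector regex and routing-rule matchers).
PAGE = [r"^/v2/library/(alpine|ubuntu).*$", r"^/v2/library/centos.*$"]
# Assumed tightening (not from the page): require "/" right after the name.
STRICT = [r"^/v2/library/(alpine|ubuntu)/.*$", r"^/v2/library/centos/.*$"]

# Constructed request paths in Docker Registry v2 layout: /v2/<name>/<kind>/<ref>
SAMPLE_PATHS = [
    "/v2/library/alpine/manifests/latest",
    "/v2/library/ubuntu/blobs/sha256:placeholder",
    "/v2/library/centos/manifests/7",
    "/v2/library/ubuntu-example/manifests/latest",  # hypothetical look-alike name
    "/v2/library/centos-example/manifests/latest",  # hypothetical look-alike name
    "/v2/library/postgres/manifests/latest",
    "/v2/someuser/alpine/manifests/latest",         # non-official namespace
]

REPO_RE = re.compile(r"^/v2/(?P<name>.+)/(?:manifests|blobs|tags)/")


def repo_name(path):
    """Extract the repository name from a registry v2 request path."""
    m = REPO_RE.match(path)
    return m.group("name") if m else None


def allowed_repos(patterns, paths):
    """Return the sorted repository names that at least one matcher lets through."""
    compiled = [re.compile(p) for p in patterns]
    hits = {repo_name(p) for p in paths if any(c.fullmatch(p) for c in compiled)}
    return sorted(r for r in hits if r is not None)


def unintended(patterns, paths, intended):
    """Repositories a matcher set admits that are outside the intended allow-list."""
    return [r for r in allowed_repos(patterns, paths) if r not in intended]


if __name__ == "__main__":
    intended = {"library/alpine", "library/ubuntu", "library/centos"}
    for label, pats in (("page", PAGE), ("strict", STRICT)):
        print(label, allowed_repos(pats, SAMPLE_PATHS),
              "unintended:", unintended(pats, SAMPLE_PATHS, intended))
```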