Turn-key simple Docker Registry with mDNS, automatic TLS, and configurable minimalistic pull/push ACLs.
There are many good reasons to maintain one (or multiple) private (internal or public) registry(ies). Chief among them, latency (both on push, for developers or build systems, and on pull, for nodes that need to redeploy frequently), but obviously also security (or at least the ability to control it), and confidentiality of your images.
For such small-scale environments, expensive commercial solutions are overblown, and the open-source Docker Registry does not provide much by default in terms of access control and security.
- optional mDNS broadcasting (eg: access your registry with
registry.local) - turn-key TLS, either with self-signed certs, or using LetsEncrypt
- pull can and push can be disabled separately, set to anonymous, or to a specific user
- multi-architecture:
- linux/amd64
- linux/386
- linux/arm64
- linux/arm/v7
- linux/arm/v6
- linux/ppc64le
- linux/s390x
- hardened:
- image runs read-only
- image runs with no capabilities (unless you want it on a privileged port)
- process runs as a non-root user, disabled login, no shell
- lightweight
- based on our slim Debian Bullseye
- simple entrypoint script
- multi-stage build with no installed dependencies for the runtime image
- observable
- healthcheck
- log to stdout
-
prometheus endpoint
docker run -d \
--net bridge \
--cap-drop ALL \
--read-only \
ghcr.io/dubo-dubon-duponey/registryThis is based on: