Container Registry
We are running our own container registry:
https://registry.acc.gsi.de
It is not highly available, there is no backup, and it may be replaced by a different system without data migration. Keep the build sources (Containerfile and inputs) of every image somewhere else, so that the image can be rebuilt if the registry content is lost.
It is the only registry that is allowed, and you become responsible for every image you upload (see ContainerPolicies). Do not pull images from Docker Hub or other public registries.
Authentication
The registry is attached to the acc account via OpenID Connect (OIDC, id.acc.gsi.de).
To log in from podman or docker you need a CLI secret instead of your password. Log in to the registry web interface, open your user profile (top right corner, dropdown menu, User Profile) and copy your CLI secret.
Use this secret to log in via podman:
podman login -u USERNAME -p CLISECRET registry.acc.gsi.de
This avoids storing your real password anywhere on the client. If the CLI secret gets lost, only your registry access is compromised (which is bad enough); it is not possible to log in with your real password. Note that a secret passed with -p on the command line is still visible in the process table while the command runs and ends up in your shell history, so prefer letting podman prompt for it, or read it from standard input with --password-stdin.
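The following is an added example, not part of the original page: a small login helper that reads the CLI secret from a file and feeds it to podman on standard input, so the secret shows up in neither the process table nor the shell history. The secret file path ~/.config/acc-registry-secret and the username are assumptions for the example; the registry name is the one from this page.

```shell
#!/bin/sh
# Added example (not from the original page): log in to registry.acc.gsi.de
# with the CLI secret read from a file via --password-stdin instead of -p.
# The secret file location is an assumption, not something the page prescribes.
REGISTRY=registry.acc.gsi.de
SECRET_FILE=${SECRET_FILE:-$HOME/.config/acc-registry-secret}

# secret_file_ok FILE: succeed only when FILE is a regular file that nobody
# but its owner can read (mode 0600 or 0400); anything else is refused.
secret_file_ok() {
    [ -f "$1" ] || return 1
    # GNU stat first, BSD stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# registry_login USER [FILE]: refuse to run when the secret file is readable
# by others, otherwise hand the secret to podman on stdin. podman is only
# invoked after the permission check passed.
registry_login() {
    user=$1
    file=${2:-$SECRET_FILE}
    if ! secret_file_ok "$file"; then
        echo "refusing to use $file: it must be a regular file with mode 0600" >&2
        return 1
    fi
    podman login --username "$user" --password-stdin "$REGISTRY" < "$file"
}

# Typical use:  registry_login USERNAME
```

Create the secret file once with `umask 077` in effect (or `chmod 600` afterwards) and paste the CLI secret from the web interface into it. podman stores the resulting session in its auth file (by default under $XDG_RUNTIME_DIR/containers/auth.json); `podman logout registry.acc.gsi.de` removes it again.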
Projects
A container image is stored as an artifact named PROJECT/REPOSITORY:TAG; from podman or docker it is referenced as registry.acc.gsi.de/PROJECT/REPOSITORY:TAG.
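Because only this registry is allowed and images are addressed as PROJECT/REPOSITORY:TAG, a build should fail early when a Containerfile pulls its base image from somewhere else. The following checker is an added example, not part of the original page or of any GSI tooling; the project and repository names in the usage comment are made up for illustration. It accepts FROM scratch (nothing is pulled) and references to earlier build stages, skips --platform and similar options, and rejects unqualified names such as ubuntu:22.04, which podman would otherwise resolve against a public registry.

```shell
#!/bin/sh
# Added example (not from the original page): check that every base image in
# a Containerfile is registry.acc.gsi.de/PROJECT/REPOSITORY:TAG.
REGISTRY=registry.acc.gsi.de

# image_ref_ok REF: succeed if REF is REGISTRY/PROJECT/REPOSITORY:TAG
# (a digest suffix such as repo@sha256:... also passes, a tag-less name does not).
image_ref_ok() {
    case "$1" in
        "$REGISTRY"/*/*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_containerfile FILE: print every disallowed base image and fail if
# there is at least one. Instruction names are case-insensitive, so both
# "FROM" and "from" are recognised.
check_containerfile() {
    file=$1
    bad=0
    stages=" "          # names registered with "FROM ... AS name"
    set -f              # no globbing while splitting lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ $# -ge 2 ] || continue
        case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
            from) ;;
            *) continue ;;
        esac
        shift
        # skip options such as --platform=linux/amd64
        while [ $# -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done
        ref=$1
        # multi-stage build: remember the stage name for later FROM lines
        if [ $# -ge 3 ]; then
            case "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" in
                as) stages="$stages$3 " ;;
            esac
        fi
        case "$ref" in
            scratch) continue ;;            # empty base, nothing is pulled
        esac
        case "$stages" in
            *" $ref "*) continue ;;         # refers to an earlier stage
        esac
        if ! image_ref_ok "$ref"; then
            echo "$file: disallowed base image '$ref'" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    set +f
    [ "$bad" -eq 0 ]
}

# Typical use before building (hypothetical project/repository names):
#   check_containerfile Containerfile && \
#       podman build -t "$REGISTRY/myproject/myimage:1.0" .
```

Run it in CI or as a pre-build step; it only inspects the file, so it needs neither registry access nor a logged-in podman.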
Each project has one project administrator who is responsible for the project and manages its permissions and storage. New projects can be requested from INN (note for INN: see puppet).
The registry only knows users who have logged in at least once: you can only request a new project after you have logged in, and you can only grant permissions to a user after that user has logged in once.
As (most) containers are built on normal operating system base images, they have to be rebuilt and pushed again on a regular basis to pick up security fixes; an image in the registry does not update itself.
--
ChristophHandel - 01 Apr 2020