Ramkumar Chinchani 2d9c1f52ea docs: improve docs coverage
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2021-10-14 09:22:34 -07:00

zot

zot is a vendor-neutral OCI image registry server purely based on OCI Distribution Specification.

https://anuvu.github.io/zot/

docker pull ghcr.io/anuvu/zot:latest

docker run -p 5000:5000 ghcr.io/anuvu/zot:latest

Why zot?

Features

  • Conforms to OCI distribution spec APIs
  • Clear separation between core dist-spec and zot-specific extensions
    • make binary-minimal builds a dist-spec-only zot
    • make binary builds a zot with all extensions enabled
  • Uses OCI image layout for image storage
    • Can serve any OCI image layout as a registry
  • Supports helm charts
  • Behavior controlled via configuration
  • Supports image deletion by tag
  • Currently suitable for on-prem deployments (e.g. colocated with Kubernetes)
  • Compatible with ecosystem tools such as skopeo and cri-o
  • Vulnerability scanning of images
  • Command-line client support
  • TLS support
  • Authentication via:
    • TLS mutual authentication
    • HTTP Basic (local htpasswd and LDAP)
    • HTTP Bearer token
  • Supports Identity-Based Access Control
  • Supports live modifications on the config file while zot is running (Authorization config only)
  • Doesn't require root privileges
  • Storage optimizations:
    • Automatic garbage collection of orphaned blobs
    • Layer deduplication using hard links when content is identical
  • Serve multiple storage paths (and backends) using a single zot server
  • Swagger based documentation
  • Single binary for all the above features
  • Released under Apache 2.0 License
  • go get -u github.com/anuvu/zot/cmd/zot

Presentations

Build and install binary (using host's toolchain)

go get -u github.com/anuvu/zot/cmd/zot

Full CI/CD Build

  • Build inside a container (preferred)
make binary-container
  • Alternatively, build inside a container using stacker (preferred)
make binary-stacker
  • Build using host's toolchain
make

Build artifacts are in bin/

Serving

bin/zot serve _config-file_

Examples of config files are available in examples/ dir.

Container Image

The Dockerfile in this repo can be used to build a container image that runs zot.

To build the image with ref zot:latest:

make image

Then run the image with your preferred container runtime:

# with podman
podman run --rm -it -p 5000:5000 -v $(pwd)/registry:/var/lib/registry zot:latest

# with docker
docker run --rm -it -p 5000:5000 -v $(pwd)/registry:/var/lib/registry zot:latest

This will run a registry at http://localhost:5000, storing content at ./registry (bind mounted to /var/lib/registry in the container). By default, auth is disabled.

If you wish to use custom configuration settings, you can override the YAML config file located at /etc/zot/config.yml:

# Example: using a local file "custom-config.yml" that
# listens on port 8080 and uses /tmp/zot for storage root
podman run --rm -p 8080:8080 \
  -v $(pwd)/custom-config.yml:/etc/zot/config.yml \
  -v $(pwd)/registry:/tmp/zot \
  zot:latest

CLI

The same zot binary can be used to interact with any zot server instance.

Adding a zot server URL

To add a zot server URL with an alias "remote-zot":

$ zot config add remote-zot https://server-example:8080

List all configured URLs with their aliases:

$ zot config -l
remote-zot https://server-example:8080
local      http://localhost:8080

Listing images

You can list all images from a server by using the alias configured in the previous step:

$ zot images remote-zot
IMAGE NAME                        TAG                       DIGEST    SIZE
postgres                          9.6.18-alpine             ef27f3e1  14.4MB
postgres                          9.5-alpine                264450a7  14.4MB
busybox                           latest                    414aeb86  707.8KB

Or filter the list by an image name:

$ zot images remote-zot -n busybox
IMAGE NAME                        TAG                       DIGEST    SIZE
busybox                           latest                    414aeb86  707.8KB

Scanning images for known vulnerabilities

You can fetch CVE (Common Vulnerabilities and Exposures) info for images hosted on zot.

  • Get all images affected by a CVE
$ zot cve remote-zot -i CVE-2017-9935
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-5be4d92            ac3762e2  335MB
  • Get all CVEs for an image
$ zot cve remote-zot -I c3/openjdk-dev:0.3.19
ID                SEVERITY  TITLE
CVE-2015-8540     LOW       libpng: underflow read in png_check_keyword()
CVE-2017-16826    LOW       binutils: Invalid memory access in the coff_s...
  • Get detailed json output
$ zot cve remote-zot -I c3/openjdk-dev:0.3.19 -o json
{
  "Tag": "0.3.19",
  "CVEList": [
    {
      "Id": "CVE-2019-17006",
      "Severity": "MEDIUM",
      "Title": "nss: Check length of inputs for cryptographic primitives",
      "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.",
      "PackageList": [
        {
          "Name": "nss",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        },
        {
          "Name": "nss-sysinit",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        },
        {
          "Name": "nss-tools",
          "InstalledVersion": "3.44.0-7.el7_7",
          "FixedVersion": "Not Specified"
        }
      ]
    },
  • Get all images in a specific repo affected by a CVE
$ zot cve remote-zot -I c3/openjdk-dev -i CVE-2017-9935
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-2674e8a            71046748  338MB
c3/openjdk-dev                    commit-bd5cc94            0ab7fc76  
  • Get all images of a specific repo where a CVE is fixed
$ zot cve remote-zot -I c3/openjdk-dev -i CVE-2017-9935 --fixed
IMAGE NAME                        TAG                       DIGEST    SIZE
c3/openjdk-dev                    commit-2674e8a-squashfs   b545b8ba  321MB
c3/openjdk-dev                    commit-d5024ec-squashfs   cd45f8cf  321MB
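A defender-side gate over the `-o json` report shown above, as an added example that is not part of the zot project: it parses the report shape shown (Tag, CVEList entries with Id, Severity and PackageList/FixedVersion), lists the CVEs at or above a severity threshold while failing closed on an unrecognised label, and picks out the packages for which the scanner reports a fix. The severity ordering and the sample report (including its libpng package versions) are constructed for this example.

```python
import json

# Severity ranking used for gating; the label set and its order are assumptions of this example.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample modelled on the README's `zot cve ... -o json` output (not real scan data).
SAMPLE_REPORT = json.dumps({
    "Tag": "0.3.19",
    "CVEList": [
        {"Id": "CVE-2019-17006", "Severity": "MEDIUM",
         "Title": "nss: Check length of inputs for cryptographic primitives",
         "PackageList": [{"Name": "nss", "InstalledVersion": "3.44.0-7.el7_7", "FixedVersion": "Not Specified"},
                         {"Name": "nss-tools", "InstalledVersion": "3.44.0-7.el7_7", "FixedVersion": "Not Specified"}]},
        {"Id": "CVE-2015-8540", "Severity": "LOW", "Title": "libpng: underflow read in png_check_keyword()",
         "PackageList": [{"Name": "libpng", "InstalledVersion": "1.5.13-7.el7", "FixedVersion": "1.5.13-8.el7"}]},
    ],
})


def parse_cve_report(text):
    """Parse the report into (tag, CVE entries), rejecting entries that lack the fields we rely on."""
    data = json.loads(text)
    cves = data.get("CVEList") or []
    for cve in cves:
        missing = [f for f in ("Id", "Severity", "PackageList") if f not in cve]
        if missing:
            raise ValueError(f"CVE entry missing {missing}: {cve}")
    return data.get("Tag", ""), cves


def failing_cves(text, threshold="HIGH"):
    """IDs of CVEs at or above `threshold`; an unrecognised severity label fails closed (is reported)."""
    _, cves = parse_cve_report(text)
    limit = SEVERITY_RANK[threshold]
    return [c["Id"] for c in cves
            if SEVERITY_RANK.get(c["Severity"].upper(), limit) >= limit]


def fixable_packages(text):
    """Map CVE id -> packages for which the scanner reports an available FixedVersion."""
    _, cves = parse_cve_report(text)
    out = {}
    for cve in cves:
        fixed = [p["Name"] for p in cve["PackageList"]
                 if p.get("FixedVersion") not in (None, "", "Not Specified")]
        if fixed:
            out[cve["Id"]] = fixed
    return out
```

In a pipeline, feed the output of `zot cve <alias> -I <repo:tag> -o json` to `failing_cves` and fail the job when the list is non-empty.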

Ecosystem

skopeo

skopeo is a tool to work with remote image repositories.

  • Pull Images
skopeo copy docker://<zot-server:port>/repo:tag docker://<another-server:port>/repo:tag
  • Push Images
skopeo copy --format=oci docker://<another-server:port>/repo:tag docker://<zot-server:port>/repo:tag

cri-o

cri-o is an OCI-based Kubernetes container runtime interface.

Works with "docker://" transport which is the default.

Caveats

  • go 1.12+
  • The OCI distribution spec is still WIP, and we try to keep up

Contributing

We encourage and support an active, healthy community of contributors.