diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml
index 47b54a411efa..2fd7b7709797 100644
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@@ -94,6 +94,13 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
accepted by the nc command.
+
+
+ The services.docker-registry.extraConfig object doesn't contain
+ environment variables anymore. Instead it needs to provide an object structure
+ that can be mapped onto the YAML configuration defined in the docker/distribution docs.
+
+
diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix
index 96ac2a1cf2c9..45931cb42b54 100644
--- a/nixos/modules/services/misc/docker-registry.nix
+++ b/nixos/modules/services/misc/docker-registry.nix
@@ -5,6 +5,45 @@ with lib;
let
cfg = config.services.dockerRegistry;
+ blobCache = if cfg.enableRedisCache
+ then "redis"
+ else "inmemory";
+
+ registryConfig = {
+ version = "0.1";
+ log.fields.service = "registry";
+ storage = {
+ cache.blobdescriptor = blobCache;
+ filesystem.rootdirectory = cfg.storagePath;
+ delete.enabled = cfg.enableDelete;
+ };
+ http = {
+ addr = ":${builtins.toString cfg.port}";
+ headers.X-Content-Type-Options = ["nosniff"];
+ };
+ health.storagedriver = {
+ enabled = true;
+ interval = "10s";
+ threshold = 3;
+ };
+ };
+
+ registryConfig.redis = mkIf cfg.enableRedisCache {
+ addr = "${cfg.redisUrl}";
+ password = "${cfg.redisPassword}";
+ db = 0;
+ dialtimeout = "10ms";
+ readtimeout = "10ms";
+ writetimeout = "10ms";
+ pool = {
+ maxidle = 16;
+ maxactive = 64;
+ idletimeout = "300s";
+ };
+ };
+
+ configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (registryConfig // cfg.extraConfig));
+
in {
options.services.dockerRegistry = {
enable = mkEnableOption "Docker Registry";
@@ -27,6 +66,26 @@ in {
description = "Docker registry storage path.";
};
+ enableDelete = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable delete for manifests and blobs.";
+ };
+
+ enableRedisCache = mkEnableOption "redis as blob cache";
+
+ redisUrl = mkOption {
+ type = types.str;
+ default = "localhost:6379";
+ description = "Set redis host and port.";
+ };
+
+ redisPassword = mkOption {
+ type = types.str;
+ default = "";
+ description = "Set redis password.";
+ };
+
extraConfig = mkOption {
description = ''
Docker extra registry configuration via environment variables.
@@ -34,6 +93,19 @@ in {
default = {};
type = types.attrsOf types.str;
};
+
+ enableGarbageCollect = mkEnableOption "garbage collect";
+
+ garbageCollectDates = mkOption {
+ default = "daily";
+ type = types.str;
+ description = ''
+ Specification (in the format described by
+ systemd.time
+ 7) of the time at
+ which the garbage collect will occur.
+ '';
+ };
};
config = mkIf cfg.enable {
@@ -41,15 +113,8 @@ in {
description = "Docker Container Registry";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
-
- environment = {
- REGISTRY_HTTP_ADDR = "${cfg.listenAddress}:${toString cfg.port}";
- REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY = cfg.storagePath;
- } // cfg.extraConfig;
-
script = ''
- ${pkgs.docker-distribution}/bin/registry serve \
- ${pkgs.docker-distribution.out}/share/go/src/github.com/docker/distribution/cmd/registry/config-example.yml
+ ${pkgs.docker-distribution}/bin/registry serve ${configFile}
'';
serviceConfig = {
@@ -58,6 +123,22 @@ in {
};
};
+ systemd.services.docker-registry-garbage-collect = {
+ description = "Run Garbage Collection for docker registry";
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig.Type = "oneshot";
+
+ script = ''
+ ${pkgs.docker-distribution}/bin/registry garbage-collect ${configFile}
+ ${pkgs.systemd}/bin/systemctl restart docker-registry.service
+ '';
+
+ startAt = optional cfg.enableGarbageCollect cfg.garbageCollectDates;
+ };
+
users.extraUsers.docker-registry = {
createHome = true;
home = cfg.storagePath;
diff --git a/nixos/tests/docker-registry.nix b/nixos/tests/docker-registry.nix
index 109fca440e57..1fbd199c7bc4 100644
--- a/nixos/tests/docker-registry.nix
+++ b/nixos/tests/docker-registry.nix
@@ -3,14 +3,16 @@
import ./make-test.nix ({ pkgs, ...} : {
name = "docker-registry";
meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ globin ];
+ maintainers = [ globin ma27 ironpinguin ];
};
nodes = {
registry = { config, pkgs, ... }: {
services.dockerRegistry.enable = true;
+ services.dockerRegistry.enableDelete = true;
services.dockerRegistry.port = 8080;
services.dockerRegistry.listenAddress = "0.0.0.0";
+ services.dockerRegistry.enableGarbageCollect = true;
networking.firewall.allowedTCPPorts = [ 8080 ];
};
@@ -33,11 +35,29 @@ import ./make-test.nix ({ pkgs, ...} : {
$registry->start();
$registry->waitForUnit("docker-registry.service");
+ $registry->waitForOpenPort("8080");
$client1->succeed("docker push registry:8080/scratch");
$client2->start();
$client2->waitForUnit("docker.service");
$client2->succeed("docker pull registry:8080/scratch");
$client2->succeed("docker images | grep scratch");
+
+ $client2->succeed(
+ 'curl -fsS -X DELETE registry:8080/v2/scratch/manifests/$(curl -fsS -I -H"Accept: application/vnd.docker.distribution.manifest.v2+json" registry:8080/v2/scratch/manifests/latest | grep Docker-Content-Digest | sed -e \'s/Docker-Content-Digest: //\' | tr -d \'\r\')'
+ );
+
+ $registry->systemctl("start docker-registry-garbage-collect.service");
+ $registry->waitUntilFails("systemctl status docker-registry-garbage-collect.service");
+ $registry->waitForUnit("docker-registry.service");
+
+ $registry->fail(
+ 'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data'
+ );
+
+ $client1->succeed("docker push registry:8080/scratch");
+ $registry->succeed(
+ 'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data'
+ );
'';
})