Pulling OCI containers from own Registry

ihr

Dec 25, 2022
Hi,

In our lab, we run our own OCI Container Registry and pulling from it requires user authentication. I’ve been searching the documentation about new LXC from OCI and can’t find a way to indicate the registry from which a container has to be pulled and the authentication mechanism to that registry. Can anyone point me to the right place?

Regards
Ignacio
 
Authentication is not (yet?) implemented. Please file an enhancement request in our Bugzilla!
 
As a workaround for now you can manually provide the credentials to skopeo directly via the host shell.
Code:
skopeo login <registry> -u <username> --authfile /run/containers/33/auth.json
This will ask for a password.

Then grant the permissions to the www-data user:
Code:
chown -R www-data /run/containers/33
chmod 755 /run/containers
 
I tried your approach @fschauer but it didn't work. Here's what finally got it working for me:

FYI @ihr.

1. Create the directory structure
Code:
mkdir -p /var/www/.config/containers

2. Generate authentication credentials
Code:
skopeo login <REGISTRY> -u <USER> -p <PASSWORD> --authfile /var/www/.config/containers/auth.json

chown -R www-data:www-data /var/www/.config
chmod 600 /var/www/.config/containers/auth.json

3. Configure Proxmox services

For pvedaemon:
Code:
mkdir -p /etc/systemd/system/pvedaemon.service.d

cat > /etc/systemd/system/pvedaemon.service.d/registry-auth.conf << 'EOF'
[Service]
Environment="REGISTRY_AUTH_FILE=/var/www/.config/containers/auth.json"
Environment="HOME=/var/www"
EOF

For pveproxy:
Code:
mkdir -p /etc/systemd/system/pveproxy.service.d

cat > /etc/systemd/system/pveproxy.service.d/registry-auth.conf << 'EOF'
[Service]
Environment="REGISTRY_AUTH_FILE=/var/www/.config/containers/auth.json"
Environment="HOME=/var/www"
EOF

4. Apply changes
Code:
systemctl daemon-reload
systemctl restart pvedaemon
systemctl restart pveproxy

Then you can pull from your private registry via Storage > CT Templates > Pull from URL.

Cheers,
Renato Batista
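
An added check, not part of any post above: once the steps are done, these shell functions audit the auth file's mode, owner and parent directory, and read back the path a systemd drop-in exports. The function names are hypothetical, `stat -c` assumes GNU coreutils, and all paths are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the REGISTRY_AUTH_FILE value set by a systemd drop-in, if any.
dropin_authfile() {
    sed -n 's/^Environment="REGISTRY_AUTH_FILE=\(.*\)"$/\1/p' "$1"
}

# audit_authfile <path> <expected-owner>: return 0 only if the file looks like
# a containers auth file that nobody but its owner can read or replace.
audit_authfile() {
    file=$1 owner=$2 rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi
    # The "auth" value is base64(user:password): encoding, not encryption,
    # so a group/other read bit exposes the registry password.
    mode=$(stat -c '%a' "$file")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $file has mode $mode, expected 600"; rc=1 ;;
    esac
    actual=$(stat -c '%U' "$file")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $file is owned by $actual, expected $owner"; rc=1
    fi
    if ! grep -q '"auths"' "$file"; then
        echo "FAIL: $file has no \"auths\" object"; rc=1
    fi
    # A group- or world-writable parent lets another user swap the file.
    dir=$(dirname "$file")
    case $(stat -c '%a' "$dir") in
        *[2367]?|*[2367]) echo "FAIL: $dir is group- or world-writable"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}
```

On the host from the post above, the call would be `audit_authfile /var/www/.config/containers/auth.json www-data`. `skopeo login` also accepts `--password-stdin`, which keeps the password out of the shell history and process list where `-p` would leave it.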
 