While searching for an alternative to Docker's private registry, I found the Zot OCI registry and wanted to see its capabilities and limitations. It is an image registry that lets you store and distribute container images. What sets it apart from other registry servers is that it follows the OCI distribution specification published by the Open Container Initiative (OCI). The OCI is the governing body that sets the rules and defines a common structure for software developers and companies to build around those standards.
Expectations
Usually, we expect an image registry to meet the criteria below.
- Push and pull container images
- Delete container images
- Persistent storage for images, preferably object storage like S3
- Authentication layer for security
Extras
- Mirroring on Docker hub or another container registry
- Security vulnerability scans on images
- Container image signing and licence checking
- Automatic image retention based on defined rules
Zot supports all of the above features.
Configuration
This is the version I used: ghcr.io/project-zot/zot:v2.1.2-rc3
The entry point command is zot, and I mount the configuration file shown below.
docker run -d -p 8000:8000 --name zot -v `pwd`/config.json:/etc/zot/config.json ghcr.io/project-zot/zot:v2.1.2-rc3 serve /etc/zot/config.json
{
  "distSpecVersion": "1.0.1",
  "storage": {
    "rootDirectory": "/tmp/zot",
    "commit": true,
    "dedupe": false,
    "gc": true,
    "gcDelay": "2h",
    "gcInterval": "1h",
    "storageDriver": {
      "name": "s3",
      "region": "eu-west-1",
      "bucket": "harver-zot-private-registry",
      "secure": true,
      "skipverify": false
    },
    "retention": {
      "dryRun": false,
      "delay": "24h",
      "policies": [
        {
          "repositories": ["infra/**", "base/**"],
          "keepTags": [{
            "patterns": [".*"]
          }]
        },
        {
          "keepTags": [{
            "patterns": [".*"]
          }]
        }
      ]
    }
  },
  "http": {
    "address": "0.0.0.0",
    "port": "8000"
  },
  "extensions": {
    "metrics": {
      "enable": true,
      "prometheus": {
        "path": "/metrics"
      }
    },
    "sync": {
      "downloadDir": "/tmp/mirror",
      "enable": true,
      "registries": [
        {
          "urls": ["https://docker.io"],
          "content": [
            {
              "prefix": "**",
              "destination": "/docker"
            }
          ],
          "onDemand": true,
          "tlsVerify": true
        }
      ]
    },
    "search": {
      "enable": true
    },
    "scrub": {},
    "lint": {},
    "trust": {},
    "ui": {
      "enable": true
    }
  },
  "log": {
    "level": "debug"
  }
}
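The config above listens on 0.0.0.0:8000 with no http.auth or http.tls block, although authentication is on the expectations list. The check below is an added example, not part of the original post or the Zot project's code; the http.tls and http.auth.htpasswd keys and the file paths in hardened() are assumptions that go beyond what the page's config shows.

```python
import copy
import json

# Constructed sample: the security-relevant keys of the config.json shown above.
PAGE_CONFIG = json.loads("""{
  "storage": {"storageDriver": {"name": "s3", "secure": true, "skipverify": false},
    "retention": {"policies": [
      {"repositories": ["infra/**", "base/**"], "keepTags": [{"patterns": [".*"]}]},
      {"keepTags": [{"patterns": [".*"]}]}]}},
  "http": {"address": "0.0.0.0", "port": "8000"},
  "extensions": {"sync": {"registries": [
    {"urls": ["https://docker.io"], "onDemand": true, "tlsVerify": true}]}}
}""")

def audit(cfg):
    """Return the sorted ids of security-relevant gaps in a Zot config dict."""
    found = set()
    http = cfg.get("http", {})
    if not http.get("auth"):
        found.add("no-auth")        # no http.auth block: clients are never authenticated
    if not http.get("tls"):
        found.add("no-tls")         # no http.tls block: plain HTTP on address:port
    driver = cfg.get("storage", {}).get("storageDriver", {})
    if driver and (driver.get("skipverify") or driver.get("secure") is False):
        found.add("storage-tls")    # object-store traffic unverified or unencrypted
    sync = cfg.get("extensions", {}).get("sync", {})
    for reg in sync.get("registries", []):
        plain = any(u.startswith("http://") for u in reg.get("urls", []))
        if plain or reg.get("tlsVerify") is False:
            found.add("sync-tls")   # mirrored images fetched without verified TLS
    policies = cfg.get("storage", {}).get("retention", {}).get("policies", [])
    for pol in policies:
        for keep in pol.get("keepTags", []):
            if set(keep) == {"patterns"} and ".*" in keep["patterns"]:
                found.add("retention-keeps-all")  # every tag matches, no tagged image expires
    return sorted(found)

def hardened(cfg):
    """Copy cfg and add TLS plus htpasswd auth (file paths are hypothetical)."""
    out = copy.deepcopy(cfg)
    out["http"]["tls"] = {"cert": "/etc/zot/tls/server.crt", "key": "/etc/zot/tls/server.key"}
    out["http"]["auth"] = {"htpasswd": {"path": "/etc/zot/htpasswd"}}
    return out

if __name__ == "__main__":
    print("as published:", audit(PAGE_CONFIG))
    print("with tls+auth:", audit(hardened(PAGE_CONFIG)))
```

Running it against a full config.json only needs json.load on the file in place of the constructed sample.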