path: root/recipes-containers/container-registry
Commit message | Author | Age | Files | Lines
* container-registry: drop container-registry-populate | Bruce Ashfield | 7 days | 2 | -110/+0

  Somehow we have two similar registry recipes that were developed from a different point of view. We don't need both.

  container-registry-index is the mature, QA-compliant version that also generates the standalone container-registry.sh helper script.

  container-registry-populate is an older, simpler version that does only the push, so we drop it here

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* vxn: add Docker/Podman integration and CLI frontends | Bruce Ashfield | 2026-02-26 | 2 | -61/+108

  Add vdkr/vpdmn as Dom0 target packages with Xen auto-detection, native Docker/Podman config sub-packages, and OCI runtime fixes for Docker compatibility (JSON logging, root.path, kill --all, monitor PID lifecycle).

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* container tasks: move network access out of build chain | Bruce Ashfield | 2026-02-10 | 1 | -1/+12

  yocto-check-layer reports an error for any task between do_fetch and do_build that has network enabled. Two changes fix this:

  container-bundle.bbclass: Move do_fetch_containers from a standalone task into a do_fetch postfunc. When remote containers are configured, the anonymous function adds extend_recipe_sysroot as a do_fetch prefunc (so skopeo-native is available) and do_fetch_containers as a postfunc. Network access during do_fetch is permitted by the QA check.

  container-registry-index: Remove do_container_registry_index from the build dependency chain (drop "before do_build"). Registry push is a deployment action requiring explicit invocation:

    bitbake container-registry-index -c container_registry_index

  The default do_build task now prints usage instructions.

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* container-registry: add tests and documentation for secure registry | Bruce Ashfield | 2026-02-09 | 1 | -1/+244

  Add comprehensive test coverage and documentation for the secure registry infrastructure.

  Tests added:
    TestRegistryAuthentication - auth modes (none, home, authfile, credsfile, env, creds, token) for push and import
    TestSecureRegistryTLSOnly - TLS-only mode using running registry
    TestSecureRegistryWithAuth - isolated TLS+auth instance on port 5001
    TestDockerRegistryConfig - static analysis of bbclass/recipe logic
    TestContainerCrossInstallSecure - auto IMAGE_INSTALL verification
    TestVcontainerSecureRegistry - script pattern verification for virtio-9p CA transport, daemon _9p=1, shared folder reads

  README.md: Document authentication modes (none, home, authfile, credsfile, env), secure registry setup, PKI generation, target integration, and CI/CD examples.

  conftest.py: Add --secure-registry pytest option and skip_secure fixture for tests requiring openssl/htpasswd.

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* container-registry: add target image TLS integration | Bruce Ashfield | 2026-02-09 | 3 | -40/+278

  Install CA certificates and registry configuration into target images so they can pull from the secure registry at runtime.

  docker-registry-config.bb: When CONTAINER_REGISTRY_SECURE=1, install the CA cert to /etc/docker/certs.d/{host}/ca.crt instead of adding insecure-registries to daemon.json. Translates localhost/127.0.0.1 to 10.0.2.2 for QEMU targets where the host registry is accessed via slirp networking.

  container-oci-registry-config.bb: Same secure mode support for podman/CRI-O with insecure=false in registries.conf.

  container-registry-ca.bb: New recipe that installs the CA certificate to Docker, podman/CRI-O, and system trust store paths on the target.

  container-cross-install.bbclass: Auto-add docker-registry-config or container-oci-registry-config to IMAGE_INSTALL when CONTAINER_REGISTRY_SECURE=1, based on the configured container engine.

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* container-registry: add secure registry infrastructure with TLS and auth | Bruce Ashfield | 2026-02-09 | 2 | -59/+911

  Add opt-in secure registry mode with auto-generated TLS certificates and htpasswd authentication.

  New BitBake variables:
    CONTAINER_REGISTRY_SECURE - Enable TLS (HTTPS) for local registry
    CONTAINER_REGISTRY_AUTH - Enable htpasswd auth (requires SECURE=1)
    CONTAINER_REGISTRY_USERNAME/PASSWORD - Credential configuration
    CONTAINER_REGISTRY_CERT_DAYS/CA_DAYS - Certificate validity
    CONTAINER_REGISTRY_CERT_SAN - Custom SAN entries

  The bbclass validates conflicting settings (AUTH without SECURE) and provides credential helper functions for skopeo push operations.

  PKI infrastructure (CA + server cert with SAN) is auto-generated at bitbake build time via openssl-native. The generated helper script supports both TLS-only and TLS+auth modes.

  The script now supports environment variable overrides for CONTAINER_REGISTRY_STORAGE, CONTAINER_REGISTRY_URL, and CONTAINER_REGISTRY_NAMESPACE, uses per-port PID files to allow multiple instances, and auto-generates config files when running from an overridden storage path.

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* container-registry: abstract config and add multi-directory push | Bruce Ashfield | 2026-02-09 | 2 | -45/+352

  Abstract registry configuration for Docker/Podman compatibility and add multi-directory scanning for easy multi-arch manifest list creation.

  - Support both DOCKER_REGISTRY_INSECURE and CONTAINER_REGISTRY_INSECURE
  - Add DEPLOY_DIR_IMAGES to scan all machine directories
  - Support push by path (single OCI) and push by name (all archs)
  - Add environment variable overrides for flexibility
  - Single 'push' command now creates multi-arch manifest lists

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* container-registry: add management commands and documentation | Bruce Ashfield | 2026-02-09 | 3 | -17/+272

  Registry management commands:
  - delete <image>:<tag>: Remove tagged images from registry
  - gc: Garbage collection with dry-run preview and confirmation
  - push <image> --tag: Explicit tags now require image name (prevents accidentally tagging all images with same version)

  Config improvements:
  - Copy config to storage directory with baked-in storage path
  - Fixes gc which reads config directly (not via env var)
  - All registry files now in ${TOPDIR}/container-registry/

  Documentation:
  - Development Loop workflow (build, push, pull, test)
  - Build-time OCI labels (revision, branch, created)
  - Complete command reference

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* container-registry: add industry-standard tag strategies | Bruce Ashfield | 2026-02-09 | 2 | -21/+215

  Add comprehensive tag support for registry push operations:

  Tag strategies (CONTAINER_REGISTRY_TAG_STRATEGY):
  - sha/git: short git commit hash for traceability
  - branch: git branch name (sanitized) for dev workflows
  - semver: nested SemVer tags (1.2.3 -> 1.2.3, 1.2, 1)
  - timestamp: YYYYMMDD-HHMMSS format
  - version: single version tag from PV
  - latest: the "latest" tag
  - arch: append architecture suffix

  Helper script enhancements:
  - push --tag <tag>: explicit tags (repeatable)
  - push --strategy <strategies>: override tag strategy
  - push --version <ver>: version for semver strategy
  - Baked-in defaults from bitbake variables
  - Environment variable overrides supported

  This aligns with industry practices:
  - Git SHA for CI/CD traceability
  - SemVer nested tags for release management
  - Branch tags for feature development

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* tests: add container registry pytest tests | Bruce Ashfield | 2026-02-09 | 2 | -5/+10

  Add pytest tests for registry functionality:
  - test_vdkr_registry.py: vconfig registry, image commands, CLI override
  - test_container_registry_script.py: start/stop/push/import/list/tags
  - conftest.py: --registry-url, --registry-script options

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* container-registry: add local OCI registry infrastructure | Bruce Ashfield | 2026-02-09 | 7 | -0/+1205

  Add container registry support for Yocto container workflows:
  - container-registry.bbclass with helper functions
  - container-registry-index.bb generates helper script with baked paths
  - docker-registry-config.bb for Docker daemon on targets
  - container-oci-registry-config.bb for Podman/Skopeo/Buildah targets
  - IMAGE_FEATURES container-registry for easy target configuration

  Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>