puppet-zot

Puppet module to manage zot registry.

Usage

Following code would start zot registry based on configuration values defined in in Hiera common.yaml.

include zot

Examples

Override installed version, see zot releases.

zot::version: 2.0.0-rc7

Bind on all interfaces and port 8080

zot::config:
  http:
    address: 0.0.0.0
    port: 8080

Turn on debugging:

zot::config:
  log:
    level: debug

Prometheus metrics:

zot::config:
  extensions:
    metrics:
      enable: true
      prometheus:
        path: /metrics

Full example:

---
zot::version: 1.4.3
zot::log_dir: /var/log/zot
zot::data_dir: /var/lib/zot
zot::config:
  distSpecVersion: 1.0.1
  http:
    address: 0.0.0.0
    port: 5000
    realm: zot
    tls:
      cert: /etc/letsencrypt/live/my.registry/fullchain.pem
      key: /etc/letsencrypt/live/my.registry/privkey.pem
  storage:
    dedupe: true
    gc: true
    gcDelay: 1h
    gcInterval: 6h
  log:
    level: info
  extensions:
    metrics:
      enable: true
      prometheus:
        path: /metrics
    search:
      enable: true
      cve:
        updateInterval: 24h
    sync:
      enable: true
      registries:
        - urls:
            - https://docker.io/library
          onDemand: true  # only requested images will be cached
          maxRetries: 3
          retryDelay: 5m
          pollInterval: 6h
    scrub:
      interval: 24h
    ui:
      enable: true

retention:

zot::data_dir: /tmp/zot
zot::config:
  distSpecVersion: 1.1.0-dev
  storage:
    gc: true
    gcDelay: 2h
    gcInterval: 1h
    retention:
      dryRun: false
      delay: 24h
      policies:
        - repositories:
            - infra/*
            - prod/*
          deleteReferrers: false
          keepTags:
            - patterns:
                - v2.*
                - .*-prod
            - patterns:
                - v3.*
                - .*-prod
              pulledWithin: 168h
        - repositories:
            - tmp/**
          deleteReferrers: true
          deleteUntagged: true
          keepTags:
            - patterns:
                - v1.*
              pulledWithin: 168h
              pushedWithin: 168h
        - repositories:
            - '**'
          deleteReferrers: true
          deleteUntagged: true
          keepTags:
            - mostRecentlyPushedCount: 10
              mostRecentlyPulledCount: 10
              pulledWithin: 720h
              pushedWithin: 720h
    subPaths:
      /a:
        rootDirectory: /tmp/zot1
        dedupe: true
        retention:
          policies:
            - repositories:
                - infra/*
                - prod/*
              deleteReferrers: false
  http:
    address: 127.0.0.1
    port: 8080
  log:
    level: debug

Configuration

For full parameter reference see the official documentation for the installed version. This module doesn't attempt to validate registry config specification. Merged configuration is serialized to JSON which will be syntactically correct but the config should be validated against distSpecVersion using e.g. zot verify /etc/zot/config.json.

Change storage directory:

zot::data_dir: /srv/zot

Change log directory:

zot::log_dir: /srv/log

In order to bind the zot service on ports < 1024, you'll need either root priviledges or configure bind capabilities, e.g. using file_capability

file_capability::file_capabilities:
  "/usr/bin/zot-%{lookup('zot::version')}":
    ensure: present
    capability: 'cap_net_bind_service=eip'

All Puppet variables are documented in REFERENCE.md.

Reference

Table of Contents

Classes

Public Classes

• zot: Manage docker registry replacement (zot)

Private Classes

• zot::config: Manages configuration, merges Puppet hashes and serialized them into JSON config
• zot::install: Zot installation
• zot::service: Zot service

Data types

• Zot::Arch: Supported build architecture
• Zot::Config: Configuration passed to zot serve
• Zot::Os: Supported operating system

Classes

zot

Manage docker registry replacement (zot)

• See also
  • https://zotregistry.io/

Examples

include zot

# using Puppet code
class { 'zot':
  config => {
     'http' => {
        'port' => 80,
     }
  }
}

Parameters

The following parameters are available in the zot class:

• version
• binary
• bin_path
• config
• defaults
• user
• group
• config_dir
• log_dir
• data_dir
• manage_service
• manage_user
• user_ensure
• manage_config
• manage_zli
• manage_zb
• service_name
• service_ensure
• service_enable
• download_mirror
• arch
• os
• uid
• gid
• limit_nofile
• memory_high
• memory_max

version

Data type: String

Version to be fetched from github release page, without v prefix (see https://github.com/project-zot/zot/releases)

binary

Data type: String

Main executable name, default: zot

bin_path

Data type: Stdlib::Unixpath

Path for installing binaries, default: /usr/bin

config

Data type: Zot::Config

Main zot configuration, as multi-level hash (see README for more examples)

defaults

Data type: Zot::Config

Default values that would be overwritten by $config Hash

user

Data type: String

Account running the service, default: zot

group

Data type: String

Group owning service and config files, default: zot

config_dir

Data type: Stdlib::Unixpath

Directory storing zot service configuration, default: /etc/zot

log_dir

Data type: Stdlib::Unixpath

Directory used for storing log files

data_dir

Data type: Stdlib::Unixpath

Directory used for storing registry data

manage_service

Data type: Boolean

Whether service should be managed by Puppet, default: true

manage_user

Data type: Boolean

Whether user account should be managed by Puppet, default: true

user_ensure

Data type: String

present or absent, default: present

manage_config

Data type: Boolean

Whether zot config should be managed by Puppet, default: true

manage_zli

Data type: Boolean

Whether zli binary should be installed, default: true

manage_zb

Data type: Boolean

Whether zb binary should be installed, default: true

service_name

Data type: String

service_ensure

Data type: String

service_enable

Data type: Boolean

download_mirror

Data type: Stdlib::HTTPUrl

URI used for downloading zot binaries

arch

Data type: Zot::Arch

Release architecture, eiter amd64 or arm64. Default: amd64

os

Data type: Zot::Os

Used for downloading precompiled binary for given OS, default: linux

uid

Data type: Optional[Integer]

User account UID

Default value: undef

gid

Data type: Optional[Integer]

Group ID

Default value: undef

limit_nofile

Data type: Integer

Limit number of opened files for systemd service, default: 500000

memory_high

Data type: Optional[String]

Systemd service throttling limit on memory usage

Default value: undef

memory_max

Data type: Optional[String]

Systemd service, the absolute limit on memory usage, see https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html

Default value: undef

Data types

Zot::Arch

Supported build architecture

Alias of Enum['amd64', 'arm64']

Zot::Config

Configuration passed to zot serve

Alias of

Struct[{
  Optional[distSpecVersion] => String[1],
  Optional[storage]         => Hash,
  Optional[http]            => Hash,
  Optional[log]             => Hash,
  Optional[extensions]      => Hash,
  Optional[scheduler]       => Hash,
}]

Zot::Os

Supported operating system

Alias of Enum['linux', 'freebsd', 'darwin']

Changelog

All notable changes to this project will be documented in this file.

Release 2.1.0 [2024-06-25]

• Support puppet/systemd 7.x
• Drop Debian 10

Release 2.0.0 [2024-06-25]

• Use stdlib::to_json_pretty (require puppetlabs::stdlib >= 9.0.0)
• Fix min dependency puppet/archive >= 7.0.0

Release 1.2.0 [2024-01-15]

Upgrade to zot registry 2.0.0 by default

Release 1.1.0 [2023-12-12]

Optional user management

Release 1.0.0 [2023-12-10]

Features

Inital (feature complete) release.

Module manages zot registry service and serializes configuration from yaml to JSON that is supplied to the service.