Remove backslash escaping from pipe characters in wiki-links.

Correct: [[services/forgejo|Forgejo]]
Wrong: [[services/forgejo\|Forgejo]]

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
66 lines
1.5 KiB
Markdown
---
title: Zot
tags:
- service
- registry
---

# Zot

OCI-native container registry providing pull-through cache and private image storage.

## Quick Reference

| Property | Value |
|----------|-------|
| **URL** | https://registry.ops.eblu.me |
| **Local Port** | 5050 |
| **Data** | `~/zot` |
| **Config** | `~/.config/zot/config.json` |
| **LaunchAgent** | mcquack |

## Namespace Convention

| Path | Source |
|------|--------|
| `registry.ops.eblu.me/docker.io/*` | Cached from Docker Hub |
| `registry.ops.eblu.me/ghcr.io/*` | Cached from GHCR |
| `registry.ops.eblu.me/quay.io/*` | Cached from Quay |
| `registry.ops.eblu.me/blumeops/*` | Private images |
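
The namespace table implies a mechanical rewrite from an upstream image reference to its cached path, which is useful for checking that manifests pull through the registry rather than directly from upstream. The shell function below is an added example, not part of the original page or the blumeops repo; the name `to_mirror_ref` is hypothetical, and it assumes Docker Hub short names are stored under their canonical `library/` prefix.

```bash
#!/usr/bin/env bash
# Added example: rewrite an upstream image reference into this registry's
# pull-through namespace (registry.ops.eblu.me/<upstream-host>/<repo>).
# Assumption: Docker Hub short names keep their canonical "library/" prefix.

MIRROR="registry.ops.eblu.me"

# to_mirror_ref REF -> prints the mirrored reference, or returns 1 when the
# upstream registry is not one of the three cached in the namespace table.
to_mirror_ref() {
  _ref="$1"
  [ -n "$_ref" ] || return 1

  # Already pointing at the registry (cached or blumeops/*): leave untouched.
  case "$_ref" in
    "$MIRROR"/*) printf '%s\n' "$_ref"; return 0 ;;
  esac

  # The first path component is a registry host only if it contains a dot or
  # a colon, or is "localhost"; otherwise the reference is a Docker Hub name.
  _host="${_ref%%/*}"
  _rest="${_ref#*/}"
  if [ "$_host" = "$_ref" ]; then
    # No slash at all, e.g. "nginx:1.27": official Docker Hub image.
    _host="docker.io"; _rest="$_ref"
  else
    case "$_host" in
      *.*|*:*|localhost) ;;                     # explicit registry host
      *) _host="docker.io"; _rest="$_ref" ;;    # e.g. "grafana/grafana"
    esac
  fi

  # Official Docker Hub images ("nginx", "docker.io/nginx") need "library/".
  if [ "$_host" = "docker.io" ]; then
    case "$_rest" in
      */*) ;;
      *) _rest="library/$_rest" ;;
    esac
  fi

  case "$_host" in
    docker.io|ghcr.io|quay.io) printf '%s/%s/%s\n' "$MIRROR" "$_host" "$_rest" ;;
    *) echo "no pull-through namespace for $_host" >&2; return 1 ;;
  esac
}
```

A non-zero return flags an image whose upstream is not covered by the table, so it would bypass the cache.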

## Pull-Through Cache

When [[kubernetes/cluster|minikube]] pulls an image:

1. Containerd checks zot first (`host.minikube.internal:5050`)
2. If cached, returns immediately
3. If not, zot fetches from upstream, caches, returns

## Private Images

```bash
# Build and push from gilbert
podman build -t registry.ops.eblu.me/blumeops/myapp:v1 .
podman push registry.ops.eblu.me/blumeops/myapp:v1
```

```yaml
# Use in k8s manifest
image: registry.ops.eblu.me/blumeops/myapp:v1
```

## Security Model

The registry performs no authentication; access control is network-level only. The defense is the Tailscale ACL boundary.

## Useful Commands

```bash
# List all images
curl -s http://indri:5050/v2/_catalog | jq

# List tags
curl -s http://indri:5050/v2/blumeops/devpi/tags/list | jq
```

## Related

- [[forgejo|Forgejo]] - Container build CI
- [[kubernetes/cluster|Cluster]] - Registry consumer