sealerio · jsparter · Feb 24, 2023
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/auto-build.sh b/auto-build.sh
@@ -12,6 +12,18 @@ for i in "$@"; do
     fi
     shift # past argument=value
     ;;
+  --registry=*)
+    registry="${i#*=}"
+    if [ "$registry" != "docker" ] && [ "$registry" != "oci" ]; then
+      if [ "$registry" != "" ]; then
+        echo "Unsupported registry type: ${registry}"
+        exit 1
+      else
+        registry="docker";
+      fi
+    fi
+    shift # past argument=value
+    ;;
   -n=* | --buildName=*)
     buildName="${i#*=}"
     shift # past argument=value
@@ -42,6 +54,7 @@ for i in "$@"; do
   --k8s-version         set the kubernetes k8s_version of the Clusterimage, k8s_version must be greater than 1.13
   -c, --cri             cri can be set to docker or containerd between kubernetes 1.20-1.24 versions
   -n, --buildName       set build image name, default is 'registry.cn-qingdao.aliyuncs.com/sealer-io/kubernetes:${k8s_version}'
+  --registry            set sealer internal registry type, can be set to docker or oci, default is docker
   --platform            set the build mirror platform, the default is linux/amd64,linux/arm64
   --push                push clusterimage after building the clusterimage. The image name must contain the full name of the repository, and use -u and -p to specify the username and password.
   -u, --username        specify the user's username for pushing the Clusterimage
@@ -102,7 +115,7 @@ if [ "$(sudo ./"${ARCH}"/bin/kubeadm config images list --config rootfs/etc/kube
 sudo sed -i "s/k8s.gcr.io/sea.hub:5000/g" rootfs/etc/kubeadm.yml.tmpl
 pauseImage=$(./"${ARCH}"/bin/kubeadm config images list --config "rootfs/etc/kubeadm.yml" 2>/dev/null | sed "/WARNING/d" | grep pause)
 if [ -f "rootfs/etc/dump-config.toml" ]; then sudo sed -i "s/sea.hub:5000\/pause:3.6/$(echo "$pauseImage" | sed 's/\//\\\//g')/g" rootfs/etc/dump-config.toml; fi
-sudo sealer build -t "docker.io/sealerio/kubernetes:${k8s_version}" -f Kubefile
+sudo sealer build -t "docker.io/sealerio/kubernetes:${k8s_version}" -f Kubefile --registry-type="${registry}"
 if [[ "$push" == "true" ]]; then
   if [[ -n "$username" ]] && [[ -n "$password" ]]; then
     sudo sealer login "$(echo "docker.io" | cut -d "/" -f1)" -u "${username}" -p "${password}"

diff --git a/context/rootfs/etc/oci_registry_config.json b/context/rootfs/etc/oci_registry_config.json
@@ -0,0 +1,20 @@
+{
+  "distspecversion": "1.0.1-dev",
+  "storage": {
+    "rootdirectory": "/var/lib/registry"
+  },
+  "http": {
+    "address": "0.0.0.0",
+    "port": 5000,
+    "realm": "zot",
+    "tls": {
+      "cert": "/certs/REGISTRY_DOMAIN.cert",
+      "key": "/certs/REGISTRY_DOMAIN.key"
+    },
+    "auth": {
+      "htpasswd": {
+        "path": "/etc/zot/htpasswd"
+      }
+    }
+  }
+}
diff --git a/context/rootfs/scripts/init-registry.sh b/context/rootfs/scripts/init-registry.sh
@@ -23,10 +23,12 @@ cd $(dirname "$0")
 REGISTRY_PORT=${1-5000}
 VOLUME=${2-/var/lib/registry}
 REGISTRY_DOMAIN=${3-sea.hub}
+REGISTRY_TYPE=${4-docker}
 
 container=sealer-registry
 rootfs=$(dirname "$(pwd)")
 config="$rootfs/etc/registry_config.yml"
+oci_config="$rootfs/etc/oci_registry_config.json"
 htpasswd="$rootfs/etc/registry_htpasswd"
 certs_dir="$rootfs/certs"
 image_dir="$rootfs/images"
@@ -79,31 +81,93 @@ if [ "$(docker ps -aq -f name=$container)" ]; then
     docker rm -f $container
 fi
 
+# shellcheck disable=SC2034
+# shellcheck disable=SC2089
+ociConfig="{ \
+  \"distspecversion\": \"1.0.1-dev\", \
+  \"storage\": { \
+    \"rootdirectory\": \"/var/lib/registry\" \
+  }, \
+  \"http\": { \
+    \"address\": \"0.0.0.0\", \
+    \"port\": $1, \
+    \"realm\": \"zot\", \
+    \"tls\": {
+      \"cert\": \"/certs/$REGISTRY_DOMAIN.cert\", \
+      \"key\": \"/certs/$REGISTRY_DOMAIN.key\" \
+    } \
+  } \
+}"
+
+# shellcheck disable=SC2034
+# shellcheck disable=SC2089
+ociConfigAuth="{ \
+  \"distspecversion\": \"1.0.1-dev\", \
+  \"storage\": { \
+    \"rootdirectory\": \"/var/lib/registry\" \
+  }, \
+  \"http\": { \
+    \"address\": \"0.0.0.0\", \
+    \"port\": $1, \
+    \"realm\": \"zot\", \
+    \"tls\": {
+      \"cert\": \"/certs/$REGISTRY_DOMAIN.cert\", \
+      \"key\": \"/certs/$REGISTRY_DOMAIN.key\" \
+    }, \
+    \"auth\": { \
+      \"htpasswd\": { \
+        \"path\": \"/etc/zot/htpasswd\" \
+      } \
+    } \
+  } \
+}"
+
 regArgs="-d --restart=always \
 --net=host \
 --name $container \
--v $certs_dir:/certs \
--v $VOLUME:/var/lib/registry \
--e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/$REGISTRY_DOMAIN.crt \
--e REGISTRY_HTTP_TLS_KEY=/certs/$REGISTRY_DOMAIN.key \
--e REGISTRY_HTTP_DEBUG_ADDR=0.0.0.0:5002 \
--e REGISTRY_HTTP_DEBUG_PROMETHEUS_ENABLED=true"
+-v $VOLUME:/var/lib/registry"
 
 # shellcheck disable=SC2086
-if [ -f $config ]; then
-    sed -i "s/5000/$1/g" $config
-    regArgs="$regArgs \
-    -v $config:/etc/docker/registry/config.yml"
-fi
-# shellcheck disable=SC2086
-if [ -f $htpasswd ]; then
-    docker run $regArgs \
-            -v $htpasswd:/htpasswd \
-            -e REGISTRY_AUTH=htpasswd \
-            -e REGISTRY_AUTH_HTPASSWD_PATH=/htpasswd \
-            -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" registry:2.7.1 || startRegistry
-else
-    docker run $regArgs registry:2.7.1 || startRegistry
+if [ "$REGISTRY_TYPE" == "docker" ]; then
+  regArgs="$regArgs \
+  -v $certs_dir:/certs \
+  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/$REGISTRY_DOMAIN.crt \
+  -e REGISTRY_HTTP_TLS_KEY=/certs/$REGISTRY_DOMAIN.key \
+  -e REGISTRY_HTTP_DEBUG_ADDR=0.0.0.0:5002 \
+  -e REGISTRY_HTTP_DEBUG_PROMETHEUS_ENABLED=true"
+  # shellcheck disable=SC2086
+  if [ -f $config ]; then
+      sed -i "s/5000/$1/g" $config
+      regArgs="$regArgs \
+      -v $config:/etc/docker/registry/config.yml"
+  fi
+  # shellcheck disable=SC2086
+  if [ -f $htpasswd ]; then
+      docker run $regArgs \
+              -v $htpasswd:/htpasswd \
+              -e REGISTRY_AUTH=htpasswd \
+              -e REGISTRY_AUTH_HTPASSWD_PATH=/htpasswd \
+              -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" registry:2.7.1 || startRegistry
+  else
+      docker run $regArgs registry:2.7.1 || startRegistry
+  fi
+else # oci registry
+  regArgs="$regArgs \
+  -v $oci_config:/etc/zot/config.json
+  -v $certs_dir/$REGISTRY_DOMAIN.crt:/certs/$REGISTRY_DOMAIN.cert \
+  -v $certs_dir/$REGISTRY_DOMAIN.key:/certs/$REGISTRY_DOMAIN.key"
+   # shellcheck disable=SC2086
+   if [ -f $htpasswd ]; then
+       # shellcheck disable=SC2090
+       echo $ociConfigAuth > $oci_config
+       docker run $regArgs \
+               -v $htpasswd:/etc/zot/htpasswd \
+               ghcr.io/project-zot/zot-linux-amd64:v1.4.3 || startRegistry
+   else
+       # shellcheck disable=SC2090
+       echo $ociConfig > $oci_config
+       docker run $regArgs ghcr.io/project-zot/zot-linux-amd64:v1.4.3 || startRegistry
+   fi
 fi
 
 check_registry