Skip to content

Quickstart

CERN Registry

This section documents a registry that is fully OCI compliant, available at registry.cern.ch.

The official Harbor documentation can be found here.

Repositories

By default newly created repositories have a limited quota of 20GB. If you need more space please open a Service Desk ticket.

DockerHub Cache

A proxy cache is available to hub.docker.com, which should offer a lower latency and higher bandwidth option for workloads running inside CERN. To use it, prefix the image with registry.cern.ch/docker.io, so:

docker pull myrepo/myimage:mytag becomes registry.cern.ch/docker.io/myrepo/myimage:mytag

A special case are the default images, where you need to prefix with library, so:

docker pull ubuntu:20.04 becomes docker pull registry.cern.ch/docker.io/library/ubuntu:20.04

Quay.io Cache

Similar to the proxy cache above, we also offer a proxy cache for quay.io.

To use it, prefix the image with registry.cern.ch/quay.io, so:

docker pull quay.io/myrepo/myimage:mytag becomes registry.cern.ch/quay.io/myrepo/myimage:mytag

Project Access Control With e-groups (under testing)

To allow a group access to the project go to <project> -> Members -> +Group and specify the e-group name and associated Harbor role. As of today there is no validation of e-group names, make sure the value given is correct.

Warning

Please be aware that only e-groups that have 'Privacy Policy' set to 'Open' or 'CERN Users' can be used.

Harbor Groups

Pushing Singularity Images

If you cannot push singularity images into Harbor, please check and upgrade Singularity version to >3.7.3. If updating singularity is not an option, use ORAS to upload your image by setting the OCI SIF metatype or the pushed image will not be pull-able. :application/vnd.sylabs.sif.layer.v1.sif

Notice

  • This workaround will only work for 1 layer .sif images. Consider squashing your multi-layer images before pushing.
  • Pulling with singularity requires the tag/hash. Singularity cannot resolve "latest" automatically.

Pushing with ORAS:

oras login -u <username> -p <OIDC CLI SECRET> registry.cern.ch
Login Succeeded

oras push registry.cern.ch/iotools/root-f31:latest root-f31.sif:application/vnd.sylabs.sif.layer.v1.sif
Uploading 9e951d68cadb root-f31.sif
Pushed registry.cern.ch/iotools/root-f31:latest
Digest: sha256:3da44d1209efef7b15a963ab211815c330d641076c98b26c28aa7a8f9d92fd51

Pulling natively:

singularity pull oras://registry.cern.ch/iotools/root-f31:latest
INFO:    Downloading oras image

Last update: March 31, 2022