The official production registry is hosted by gitlab.cern.ch.
This page documents an experimental registry fully OCI compliant, available at registry.cern.ch
The official Harbor documentation can be found here.
A proxy cache is available to hub.docker.com, which should offer a lower latency and higher bandwidth option for workloads running inside CERN. To use it, prefix the image with registry.cern.ch/docker.io, so:
docker pull myrepo/myimage:mytag becomes
A special case are the default images, where you need to prefix with library, so:
docker pull ubuntu:20.04 becomes
docker pull registry.cern.ch/docker.io/library/ubuntu:20.04
Project Access Control With e-groups (under testing)
To allow a group access to the project go to
<project> -> Members -> +Group and specify the e-group name and associated Harbor role.
As of today there is no validation of e-group names, make sure the value given is correct.
⚠ WARNING: Please be aware that only e-groups that have visibility set to 'Open' can be used.
Pushing Singularity Images
If you cannot push singularity images into Harbor, please check and upgrade Singularity version to >3.7.3.
If updating singularity is not an option, use ORAS to upload your image by setting the OCI SIF metatype or the pushed image will not be pull-able.
Please note that pulling with singularity requires the tag/hash. Singularity cannot resolve "latest" automatically.
Pushing with ORAS:
oras login -u <username> -p <OIDC CLI SECRET> registry.cern.ch Login Succeeded oras push registry.cern.ch/iotools/root-f31:latest root-f31.sif:application/vnd.sylabs.sif.layer.v1.sif Uploading 9e951d68cadb root-f31.sif Pushed registry.cern.ch/iotools/root-f31:latest Digest: sha256:3da44d1209efef7b15a963ab211815c330d641076c98b26c28aa7a8f9d92fd51
singularity pull oras://registry.cern.ch/iotools/root-f31:latest INFO: Downloading oras image
By default newly created repositories have a limited quota of 5GB. If you need more space please open a Service Desk ticket.