From Fedora Project Wiki

Fedora Scale-Out Docker Registry


This is a proposal for a change to the Fedora Infrastructure and Fedora Release Engineering tooling to provide a scalable container registry solution for Fedora that is integrated with the Fedora Docker Layered Image Build Service.


  • Name: Adam Miller and Randy Barlow
  • Email: and
  • Release notes owner:

Current status

Detailed Description


The Fedora project wishes to begin distributing new types of content than it has in the past. One of the types that has been identified as a goal are container images. Adam Miller has already done the work that will allow packagers to build container images, but we still need a way to distribute those builds to Fedora's users. Adam Miller's implementation helpfully drops the builds we want into a container registry.

registry: a collection of container image repositories

repository: named after an image and is a collection of multiple tags of an that image

tag: an arbitrary string assigned to a specific container image (identified by the image's sha256 checksum) NOTE: The "latest" tag is special and is assumed if no tag is provided. This is true also for a 'docker pull' operation and an image tagged "latest" will be the default image pulled by users.


In summary, the proposal is to deploy the docker distribution registry at, which will serve the container registry API to Fedora's users. Users will fetch all API data from this endpoint, except for the container blobs. Fedora will serve 302 redirects for all requests for container blobs to The CDN will handle serving the large blob files to the users.

  • Docker Distribution is the defacto standard open source implementation of the Docker Registry V2 API spec.


  • OSBS will perform Builds, as these builds complete they will be pushed to the docker-distribution (v2) registry, these will be considered "candidate images". These will be stored in candidate repositories on the docker-distribution registry.
  • Testing will occur using the "candidate images" (details of how we want to handle that are outside the scope of this proposal).
  • A "candidate image" will be marked stable once it's criteria have been satisfied to do so. (This is vague because this is a topic of ongoing discussion and work to decide what criteria an image will need to abide by before being considered "stable" and promoted as such)
  • Once stable, the images will be pushed into stable repositories in the docker-distribution registry.
  • The docker clients will request Manifests from Requests for blobs will receive a 302 Redirect to which will serve the blob files.


For the initial implementation of the Fedora Docker registry, we will not be signing the images. This will still be safe for our users, as the manifests will be served by only (the CDN will not be serving manifests or any metadata) and only over TLS. Container manifests reference the blob layers by checksum and the client does verify the checksums of the layers it downloads. Thus we will rely on TLS to safely transmit the checksums of the blobs to the end user, and we will rely on their client to validate the checksums of the blobs it downloads from the CDN.

We may revisit signing in the future when there are more available choices for us to use as an added layer of security.

General Notes

A couple of things to note about maintenance and uptime considerations:

The Intermediate docker-distribution registry is needed for builds in koji+OSBS.

Much of the current design was discussed on the infrastructure mailing list[1].

All new components in this design should be able to be locked down, similar to the "Fedora internal" components like koji (builders, etc) and bodhi (signing, etc).

Benefit to Fedora

This will allow for Fedora to provide packages, software, and other content in the form of container images as officially released artifacts from the Fedora Project that are released much in the same way RPMs are today. These images can then be included in the distribution in various ways. This could potentially be used by the Modularization effort or by any other part of the initiative that may arise.


Proposal owners

Proposal owners shall have to:

  • Implement the proposed Design of a Scaled-Out Docker Registry
  • Deploy Docker-Distribution Registry
  • Document the system

Task matrix

This is a RACI matrix for tasks required to implement the RelEng Automation Workflow Engine. Work is tracked in Taiga:

Is this current?

It is, as of 2017-04-12


Here, we're using what Wikipedia calls "RACI (alternative scheme)":

The person responsible for the performance of the task. There should be exactly one person with this assignment for each task.
Those who assist completion of the task.
Those whose opinions are sought; and with whom there is two-way communication.
Those who are kept up-to-date on progress; and with whom there is one-way communication.

Task Table

This an early cut. Please feel free to add new tasks as appropriate — just let one of the coordinators know.
Task Subtask Responsible Assists Consulted Informed Current Status
Implement the proposed design of a Scaled-Out Docker Registry Adam Miller 0%
Deploy solution, including ansible playbooks added for Fedora Infrastructure Ansible repo Adam Miller 0%
Deploy docker-distribution registry Adam Miller 0%
Document the system Adam Miller 0%

Glossary of Nicknames

Various Task Notes

Functional Requirements

The following features are functional requirements

  • Users must be able to perform a
    docker pull
    and have the actual image layer data come from a local mirror via mirrormanager.

Other developers

  • (anything here)?

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

Once the service is deployed, users can perform the following on their systems to test.

$ dnf -y install docker
$ systemctl start docker
$ docker pull

N/A (not a System Wide Change)

User Experience

N/A (not a System Wide Change)


N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? No (not a System Wide Change)
  • Blocks product? N/A



Release Notes