How to Run a Private Cargo Registry
If you build applications using Rust and package them using Cargo, the Rust package manager, you’re likely familiar with crates.io. Crates.io is a public registry for Cargo packages, where Rust developers upload and share Rust code.
Crates.io is a great solution for managing Rust applications that you want to share publicly. But what if you need a registry for hosting Rust packages for internal use within your organization? Or, what if you need to host a package that contains proprietary code or sensitive information that should not be publicly accessible? In these cases, a better solution is to set up a private Cargo registry.
Support for private Cargo registries has not been a major focus of the Rust development community. As a result, there are no particularly elegant or fully mature ways to create such a registry. Nonetheless, approaches to setting up private Cargo registries exist that are viable for production use as long as you can commit the necessary engineering resources to setting up and sustaining them.
This article explains the benefits of running a private Cargo registry. It then outlines a couple of different approaches for setting up such a registry.
What is a private Cargo registry?
A private Cargo registry is a registry for Rust packages that is only available to users you designate.
That is what makes private Cargo registries different from crates.io. The latter is designed for hosting Rust packages that are available to the public at large. That makes crates.io a great solution if you are building Rust packages applications that are designed for use outside your organization. But if you just want to host Rust packages for internal use, crates.io is not ideal, because it doesn’t allow you to restrict package downloads to users inside your organization.
A private Cargo registry does provide this type of restriction. With a private registry, you can determine exactly who can and can’t access packages.
It’s worth noting that private Cargo registries don’t have to be hosted on private servers. You could set up this type of Rust registry on public cloud infrastructure. The defining characteristic of a private Cargo registry is that it’s not available to the public at large, rather than the type of infrastructure that hosts it.
3 ways to run a private Cargo registry
Currently, there are three main ways to go about setting up a private Cargo registry. You can use either private or public cloud infrastructure for these approaches.
1. Install crates.io locally
The first approach to setting up a private Cargo registry is to install crates.io locally. Crates.io is open source software, and although it’s designed primarily to power the public crates.io website, you can also download and install the software on a server that you control.
Full installation instructions for crates.io are available here. But in short, you’ll need a server environment provisioned with the following prerequisites:
- A Postgres database
- OpenSSL
- The Diesel CLI tool
- Rust
- Git
With these components in place, simply clone the crates.io Git repository on your server:
git clone https://github.com/rust-lang/crates.io.git
Your local crates.io instance will be available in a browser at http://localhost:4200.
Because crates.io isn’t designed to operate as a private Rust registry on a local server, taking this approach in order to set up a private registry for production use is only viable if you have a fair amount of expertise with Rust and Rust packages.
2. Using a Git repository as a private Cargo registry
Another approach to installing a private Cargo registry is to configure a Git repository to serve as a Cargo registry. Under this strategy (which is explained in more detail in this blog post), you host your Cargo packages in a Git repo, and pull them from there in a fashion that is similar in most ways to the process you’d use with a registry like crates.io.
To do this, you’ll first need a Git repository. You can set that up on your own server, or by using a hosted service like GitHub.
You then need to create an index file that tells Rust how to pull packages from your Git repository. Do this by creating a JSON file that looks something like the following:
"dl": "https://github.com/yourgithub/{crate}/releases/download/v{version}/{crate}-{version}.crate"
```
{"name": "abrade","vers": "0.1.0","deps": [],"cksum": "65b07c5782e771125d9feda1ec08d908087997051339c492220346a14d6dd936","features": {},"yanked": false,"links": null}
```
The “dl”: field tells Rust the path to your Git repository. The second entry identifies a Cargo package that exists in that repository. You’ll need to add a similar line for each package you want to make available through the registry.
The advantage of using Git as the basis for a private Cargo registry is that it’s relatively easy to set up, and you can use Git’s access control tooling to manage exactly who is able to access packages. The major downside is that you have to create the index file manually. This may become infeasible if you have a large number of Cargo packages to manage, or you add or remove packages constantly.
Thus, the Git approach works well for private registries that operate on a relatively small scale, but it’s probably not viable if you have hundreds or thousands of packages to manage.
3. Artifactory as a private Cargo registry
The third – and simplest – way to host Cargo packages in a private registry is to use Artifactory.
Because Artifactory can host Cargo packages in addition to a variety of other types of artifacts, you can use any Artifactory installation as a Cargo registry, without having to create special integrations with Git or other tools. Simply create a local repository, set Cargo as the package type and start managing your Cargo packages.
Source: https://www.jfrog.com/confluence/display/JFROG/Cargo+Package+Registry