Artifactory supports proxying remote OCI registries through remote repositories. A Remote Repository in Artifactory serves as a caching proxy for a registry managed at a remote URL such as https://registry-1.docker.io/
, or even an OCI repository managed at a remote site by another instance of Artifactory. Since there is no default registry for OCI, DockerHub is used as the default as a popular registry.
Resources that are requested from a remote repository are cached on demand. You can remove downloaded resources from the remote repository cache, however, you can not manually push resources to a remote repository.
Preventing DockerHub Remote Repository Restrictions
Unauthenticated users on DockerHub are blocked once reaching the download rate limit of 100 pulls per six hours. To prevent reaching this limit, please authenticate using your DockerHub credentials.
To create a remote repository to proxy a remote OCI registry, follow these steps:
From the Administration module, select Repositories | Repositories | Remote.
Click New Remote Repository and select OCI from the Select Package Type dialog.
In the Basic tab, set the Repository Key value, and specify the URL to the remote registry in the URL field.
If you are proxying DockerHub, use
https://registry-1.docker.io/
as the URL, and make sure the Enable Token Authentication checkbox is selected (these are the default settings).Alternatively, to use your Docker account type, you need to authenticate the DockerHub pull requests, by setting your user and password in your basic OCI repository.
To allow Artifactory to download foreign layers to the OCI remote repository, click the Advanced tab and select the Enable Foreign Layers Caching checkbox.
(Optional) To match external URL when downloading from foreign layers, set include/exclude patterns. These are Ant-style expressions that allow you to specify where foreign layers may be downloaded from: supported expressions include
*
,**
,?
.For example, setting the pattern
**/github.com/**
will allow the downloading of foreign layers only from the github.com host.The default setting for this field is
**
,which allows the download of foreign layers from any source.Configure the network settings. For more information, see Network Settings.
Click Save and Finish.
Smart Remote Repository Path and Domain
When accessing a Smart Remote OCI repository through Artifactory, the repository URL must be prefixed with api/oci
in the path:
Tip
Make sure to replace the placeholder with your JFrog domain information.
<YOUR_JFROG_DOMAIN>/artifactory/api/oci/<REPOSITORY>/v2
For example:
https://my-awesome-jfrog.io:8081/artifactory/api/oci/jfrog-oci-remote/v2