github.com/mika/distribution@v2.2.2-0.20160108133430-a75790e3d8e0+incompatible/docs/storage-drivers/s3.md (about)

<!--[metadata]>
+++
title = "S3 storage driver"
description = "Explains how to use the S3 storage drivers"
keywords = ["registry, service, driver, images, storage, S3"]
+++
<![end-metadata]-->


# S3 storage driver

An implementation of the `storagedriver.StorageDriver` interface which uses Amazon S3 for object storage.
    13  
## Parameters

`accesskey`: Your AWS access key ID.

`secretkey`: Your AWS secret access key.

**Note** You can provide empty strings for your access and secret keys if you plan on running the driver on an EC2 instance and will handle authentication with the instance's credentials (the IAM role attached to the instance). Prefer that setup where you can: a static key pair written into the registry configuration is a long-lived secret that has to be protected on disk and rotated by hand, and it should be attached to a policy that grants access to this bucket only.

`region`: The name of the AWS region in which you would like to store objects (for example `us-east-1`). For a list of regions, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

`bucket`: The name of your S3 bucket where you wish to store objects. The bucket must exist prior to the driver initialization; the driver does not create it.

`encrypt`: (optional) Whether you would like your data encrypted on the server side by S3 (defaults to false if not specified). This protects objects at rest in the bucket; it does nothing for the connection to S3, which is what `secure` controls.

`secure`: (optional) Whether you would like to transfer data to the bucket over TLS (HTTPS) or not. Defaults to true (meaning transferring over TLS) if not specified. Setting this to false saves the TLS overhead, but it is not recommended: every manifest and layer the registry reads or writes would cross the network in cleartext, where it can be read or altered in transit.

`v4auth`: (optional) Whether you would like to use AWS Signature Version 4 with your requests. This defaults to false if not specified, meaning the older Version 2 signatures are used. Note that the eu-central-1 region does not work with Version 2 signatures, so the driver will error out if initialized with this region and `v4auth` set to false. Version 4 signs with a key derived from your secret key for one day, region and service rather than with the secret itself, so prefer `v4auth: true` wherever the region supports it.

`chunksize`: (optional) The part size for multipart uploads (performed by WriteStream) to S3. The default is 10 MB. Keep in mind that the minimum part size for S3 is 5 MB, and the driver rejects smaller values at initialization. Depending on the speed of your connection to S3, a larger chunk size may result in better performance; faster connections will benefit from larger chunk sizes.

`rootdirectory`: (optional) The root directory tree in which all registry files will be stored. Defaults to the empty string (bucket root).
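The `v4auth` and `secure` options both concern how the driver authenticates to S3. The Go program below is an added example, not code from this page or from the distribution project, showing what Signature Version 4 does with the `accesskey`/`secretkey` pair: the secret key is used only as an HMAC key to derive a per-day, per-region, per-service signing key, and only the resulting signature travels in the `Authorization` header. The request inputs (bucket `examplebucket`, object `/test.txt`, access key `AKIAIOSFODNN7EXAMPLE` and its secret, timestamp `20130524T000000Z`) are the ones from the worked GET Object example in the AWS Signature Version 4 documentation, reproduced here so the output can be checked against it; the type and function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// SigV4Request carries the parts of an S3 request that enter the signature.
type SigV4Request struct {
	Method  string
	URI     string            // canonical path, e.g. "/test.txt"
	Query   string            // canonical query string, "" when there is none
	Headers map[string]string // headers to sign; Host must be among them
	Body    []byte
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// CanonicalRequest lays the request out in the fixed SigV4 form (header names
// must already be lowercased) and also returns the ';'-joined signed header list.
func CanonicalRequest(r SigV4Request, payloadHash string) (string, string) {
	names := make([]string, 0, len(r.Headers))
	for n := range r.Headers {
		names = append(names, n)
	}
	sort.Strings(names)
	var hdrs strings.Builder
	for _, n := range names {
		hdrs.WriteString(n + ":" + r.Headers[n] + "\n")
	}
	signed := strings.Join(names, ";")
	return strings.Join([]string{r.Method, r.URI, r.Query, hdrs.String(), signed, payloadHash}, "\n"), signed
}

// SigningKey derives the key that actually signs requests. The raw secret is
// consumed only here, as an HMAC key, and never appears in the request.
func SigningKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), []byte(date))
	k = hmacSHA256(k, []byte(region))
	k = hmacSHA256(k, []byte(service))
	return hmacSHA256(k, []byte("aws4_request"))
}

// SignS3Request returns the Authorization header value for r. amzDate is the
// request timestamp in x-amz-date form (YYYYMMDD'T'HHMMSS'Z'). The x-amz-date
// and x-amz-content-sha256 headers are added and signed here; the caller must
// send exactly the values that were signed.
func SignS3Request(r SigV4Request, accessKey, secretKey, region, amzDate string) string {
	payloadHash := sha256Hex(r.Body)
	hdrs := make(map[string]string, len(r.Headers)+2)
	for k, v := range r.Headers {
		hdrs[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	hdrs["x-amz-date"] = amzDate
	hdrs["x-amz-content-sha256"] = payloadHash
	r.Headers = hdrs
	canonical, signed := CanonicalRequest(r, payloadHash)
	scope := amzDate[:8] + "/" + region + "/s3/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(canonical))}, "\n")
	sig := hex.EncodeToString(hmacSHA256(SigningKey(secretKey, amzDate[:8], region, "s3"), []byte(stringToSign)))
	return fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s,SignedHeaders=%s,Signature=%s", accessKey, scope, signed, sig)
}

// DocsVector signs the GET Object request from the AWS SigV4 documentation's
// worked example; the inputs are taken from that document, not from real traffic.
func DocsVector() string {
	r := SigV4Request{
		Method:  "GET",
		URI:     "/test.txt",
		Headers: map[string]string{"Host": "examplebucket.s3.amazonaws.com", "Range": "bytes=0-9"},
	}
	return SignS3Request(r, "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1", "20130524T000000Z")
}

func main() {
	fmt.Println("Authorization:", DocsVector())
}
```

With `secure: false` the same header goes out over plain HTTP: the signature still keeps the secret key off the wire, but nothing stops an observer from reading the layer bodies the request authorizes, which is why the option is discouraged above.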
    35  
# CloudFront as Middleware with S3 backend

## Use Case

Adding CloudFront as a middleware for your S3 backed registry can dramatically improve pull times. Clients pulling from your registry are sent to CloudFront edge servers for image content, rather than to the geographically fixed location of your S3 bucket. The farther your registry's clients are from your bucket, the more improvement you will see. See [Amazon CloudFront](https://aws.amazon.com/cloudfront/details/).

## Configuring CloudFront for Distribution

If you are unfamiliar with creating a CloudFront distribution, see [Getting Started with CloudFront](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html).

Defaults can be kept in most areas except:

### Origin:

The CloudFront distribution must be created such that the `Origin Path` is set to the directory level of the root "docker" key in S3, that is, the `rootdirectory` you configured for the storage driver. If your registry exists on the root of the bucket, this path should be left blank.

### Behaviors:

  - Viewer Protocol Policy: HTTPS Only
  - Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
  - Cached HTTP Methods: OPTIONS (checked)
  - Restrict Viewer Access (Use Signed URLs or Signed Cookies): Yes
    - Trusted Signers: Self (Can add other accounts as long as you have access to CloudFront Key Pairs for those additional accounts)

The registry only ever sends readers to CloudFront (pushes go straight to S3, see below), so `GET, HEAD, OPTIONS` is the smallest allowed-method set that works and is a reasonable hardening if the distribution serves nothing else. Keep `Restrict Viewer Access` enabled in any case: without it, anyone who learns the distribution's hostname can fetch any object the distribution can reach in the bucket.
    59  
## Registry configuration

Here the `middleware` option is used. It is still important to keep the `storage` option, as CloudFront will only handle `pull` actions; `push` actions are still written directly to S3.

The following example shows what you will need at minimum:
```
...
storage:
  s3:
    region: us-east-1
    bucket: docker.myregistry.com
middleware:
  storage:
    - name: cloudfront
      options:
        baseurl: https://abcdefghijklmn.cloudfront.net/
        privatekey: /etc/docker/cloudfront/pk-ABCEDFGHIJKLMNOPQRST.pem
        keypairid: ABCEDFGHIJKLMNOPQRST
...
```

The file named by `privatekey` lets its holder sign a URL for any object behind the distribution, so protect it like the S3 credentials: readable by the registry process only, and not copied into images or checked into version control alongside this configuration.
    80  
## CloudFront Key-Pair

A CloudFront key-pair is required for all AWS accounts needing access to your CloudFront distribution. For information, please see [Creating CloudFront Key Pairs](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs).
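The `privatekey` and `keypairid` options in the registry configuration above, together with the key pair described here, are what the middleware uses to mint the signed URLs that the `Restrict Viewer Access` setting demands. The Go program below is an added example, not code from this page or from the distribution project: it builds a CloudFront canned-policy signed URL for a registry blob path the way the CloudFront private-content documentation specifies (RSA-SHA1 over the canned policy JSON, CloudFront's URL-safe base64, and the `Expires`, `Signature` and `Key-Pair-Id` query parameters), and then verifies one the way the edge does, rejecting expired, tampered and wrongly-signed links. The base URL, key pair ID and blob path are placeholders chosen for this example, and the key pair is generated in memory rather than read from a `pk-*.pem` file; the PEM helpers show the format such a file has.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// cannedPolicy is the exact JSON CloudFront rebuilds from the resource URL and
// the Expires parameter; it is the message that gets signed, so layout matters.
func cannedPolicy(resource string, expires int64) []byte {
	return []byte(fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, resource, expires))
}

// cfEncode/cfDecode are CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}
func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// GenerateKey makes a throwaway RSA key standing in for a real CloudFront key pair.
func GenerateKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// MarshalPrivateKey/ParsePrivateKey round-trip the PKCS#1 PEM layout of a `privatekey` file.
func MarshalPrivateKey(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}
func ParsePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("no RSA PRIVATE KEY block in PEM input")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// SignURL returns baseURL+path with the query parameters CloudFront expects
// for a canned policy. expires is a Unix timestamp in seconds.
func SignURL(key *rsa.PrivateKey, keyPairID, baseURL, path string, expires int64) (string, error) {
	resource := strings.TrimRight(baseURL, "/") + "/" + strings.TrimLeft(path, "/")
	digest := sha1.Sum(cannedPolicy(resource, expires))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("Expires", strconv.FormatInt(expires, 10))
	q.Set("Signature", cfEncode(sig))
	q.Set("Key-Pair-Id", keyPairID)
	return resource + "?" + q.Encode(), nil
}

// VerifyURL does what the edge does with a trusted signer's public key:
// rebuild the canned policy from the URL, check expiry, check the signature.
func VerifyURL(pub *rsa.PublicKey, signed string, now int64) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	expires, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return fmt.Errorf("bad Expires: %v", err)
	}
	if now >= expires {
		return fmt.Errorf("URL expired at %d", expires)
	}
	sig, err := cfDecode(q.Get("Signature"))
	if err != nil {
		return fmt.Errorf("bad Signature: %v", err)
	}
	u.RawQuery = "" // the signed resource is the URL without its query string
	digest := sha1.Sum(cannedPolicy(u.String(), expires))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig)
}

func main() {
	key, err := GenerateKey(2048)
	if err != nil {
		panic(err)
	}
	// Placeholder base URL, key pair ID and blob path, chosen for this example.
	u, err := SignURL(key, "APKAEXAMPLEKEYPAIRID", "https://abcdefghijklmn.cloudfront.net/", "/docker/registry/v2/blobs/sha256/ab/abcd/data", 1700000000)
	if err != nil {
		panic(err)
	}
	fmt.Println(u, VerifyURL(&key.PublicKey, u, 1699999000))
}
```

Two properties are worth noting from the verification side. The signature binds the full resource URL and the expiry, so a client cannot swap in another blob path or extend the window; and the edge needs only the public half of the key pair, which is why the private PEM file can stay on the registry host alone.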