Skip to main content
Version: v2.1.0

Proxy Mode

Uses dfget daemon as proxy for Singularity/Apptainer.

Step 1: Generate CA certificate

Generate an RSA private key.

openssl genrsa -out ca.key 2048

Create openssl config file openssl.conf. Note set basicConstraints to true, that you can modify the values.

[ req ]
#default_bits = 2048
#default_md = sha256
#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
extensions = v3_ca
req_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

[ v3_ca ]
basicConstraints = CA:TRUE

Generate the CA certificate.

openssl req -new -key ca.key -nodes -out ca.csr -config openssl.conf
openssl x509 -req -days 36500 -extfile openssl.conf \
-extensions v3_ca -in ca.csr -signkey ca.key -out ca.crt

Step 2: Configure dfget daemon

To use dfget daemon as proxy, first you need to append a proxy rule in /etc/dragonfly/dfget.yaml, This will proxy your.private.registry's requests for image layers:

# When enable, using header "X-Dragonfly-Registry" for remote instead of url.
dynamic: true
# URL for the registry mirror.
url: <your.private.registry>
# Whether to ignore https certificate errors.
insecure: false
# Optional certificates if the remote server uses self-signed certificates.
certs: []
# Whether to request the remote registry directly.
direct: false
# Whether to use proxies to decide if dragonfly should be used.
useProxies: false
# proxy all http image layer download requests with dfget
- regx: blobs/sha256.*
- regx: manifests/sha256.*
# Key pair used to hijack https requests.
cert: ca.crt
key: ca.key
- regx: <your.private.registry>

Step 3: Pull images with proxy

Through the above steps, we can start to validate if Dragonfly works as expected.

And you can pull the image through proxy as below:

no_proxy='' NO_PROXY='' HTTPS_PROXY= singularity pull  oras://hostname/path/image:tag

Step 4: Validate Dragonfly

You can execute the following command to check if the image is distributed via Dragonfly.

grep "peer task done" /var/log/dragonfly/daemon/core.log

If the output of command above has content like

"ts":"2022-09-07 12:04:26.485",
"msg":"peer task done, cost: 1ms",