Angos

A fully OCI-compliant and Docker-compatible container registry.

Website | Documentation | Quick Start

Key Features

• Online garbage collection
• Pull-through cache
• Immutable tags with configurable exclusions
• Access control policies (CEL-based)
• Retention policies
• Native mTLS support
• OIDC authentication (GitHub Actions, Google, Okta, and more)
• Webhook authorization for external policy decisions
• Web UI for browsing and managing images

Properties

• Resource efficient: Asynchronous, streaming operations
• Secure: mTLS, OIDC/JWT authentication, authorization policies (CEL and webhooks)
• Scalable: Light footprint, S3-compatible storage, distributed locking
• Easy to operate: Online garbage collection, auto-reload of configuration and certificates
• Cross-platform: Portable on most mainstream operating systems just by recompiling

Quick Start

# Create a minimal config
cat > config.toml << 'EOF'
[server]
bind_address = "0.0.0.0"
port = 5000

[blob_store.fs]
root_dir = "./registry-data"

[global.access_policy]
default_allow = true

[repository."test"]
EOF

# Run the registry
./angos -c config.toml server

# Push an image
docker tag alpine:latest localhost:5000/test/alpine:latest
docker push localhost:5000/test/alpine:latest

See the Quickstart Tutorial for a complete walkthrough.

Documentation

Tutorials

• Quickstart - Get a registry running in 5 minutes
• Your First Private Registry - Add authentication and access control
• Mirror Docker Hub - Set up a pull-through cache

How-To Guides

• Deploy with Docker Compose
• Deploy on Kubernetes
• Configure mTLS
• Configure GitHub Actions OIDC
• Set Up Access Control
• Configure Retention Policies
• Enable the Web UI
• Troubleshoot Common Issues
• Upgrade Angos

Reference

• Configuration Reference
• CLI Reference
• CEL Expressions Reference
• API Endpoints Reference
• Metrics Reference

Understanding Angos

• Architecture Overview
• Storage Backends
• Authentication and Authorization
• Pull-Through Caching
• Security Model

Upgrading

1.0.x → 1.1.0: Redis lock configuration key renamed

The Redis lock configuration key has moved. The old form is still accepted but deprecated and will be removed in a future release.

# Before
[metadata_store.s3.redis]
url = "redis://localhost:6379"

# After
[metadata_store.s3.lock_strategy.redis]
url = "redis://localhost:6379"

New features (non-breaking)

S3-native locking — multi-replica S3 deployments no longer require Redis. Use [metadata_store.s3.lock_strategy.s3] to enable locking backed by S3 conditional writes instead.

Capabilities declaration — add a [metadata_store.s3.capabilities] table to declare which conditional S3 operations your bucket supports (put_if_none_match, put_if_match, delete_if_match). When present, Angos skips the startup probe that would otherwise detect these capabilities automatically.

Usage

Usage: angos [-c <config>] <command> [<args>]

An OCI-compliant and docker-compatible registry service

Options:
  -c, --config      the path to the configuration file, defaults to
                    `config.toml`
  --help, help      display usage information

Commands:
  argon             Generate Argon2 password hashes for basic auth
  scrub             Check the storage backend for inconsistencies
  server            Run the registry listeners

Additional Endpoints

In addition to the standard OCI Distribution endpoints:

• /healthz: Liveness health check endpoint
• /readyz: Readiness health check endpoint
• /metrics: Prometheus metrics endpoint

References

• OCI Distribution Specification
• OCI Image Specification
• OCI Image Index
• Docker Registry HTTP API V2