Deploying Zot Registry

Running your own container registry sounds heavy until you actually do it. With Zot, it turns out to be refreshingly simple: small binary, no database, OCI-native, and easy to operate.

This post documents a production-style deployment of Zot running behind Nginx with TLS termination.

Registry URL (example): https://reg.example.internal

Overview

  • Registry: Zot (OCI-native)
  • Version: 2.1.12
  • Deployment: Single-node, systemd-managed
  • Authentication: Basic auth via htpasswd
  • Storage: Local filesystem
  • TLS: Terminated at Nginx

Documentation: https://zotregistry.dev/v2.1.12/

Architecture

Internet
    │
    ▼
Nginx (ports 80 / 443)
    │  SSL termination + reverse proxy
    ▼
Zot Registry (127.0.0.1:38000)
    │
    ▼
/data/zot (OCI image storage)

Key Paths

Component          Path
Binary             /usr/bin/zot
Configuration      /etc/zot/config.json
Authentication     /etc/zot/htpasswd
Data Storage       /data/zot
Systemd Service    /etc/systemd/system/zot.service

Configuration

{
  "distSpecVersion": "1.1.1",
  "storage": {
    "rootDirectory": "/data/zot"
  },
  "http": {
    "address": "127.0.0.1",
    "port": "38000",
    "externalUrl": "https://reg.example.internal",
    "compat": ["docker2s2"],
    "auth": {
      "htpasswd": {
        "path": "/etc/zot/htpasswd"
      }
    }
  },
  "log": {
    "level": "debug"
  }
}

Service Management

sudo systemctl status zot
sudo systemctl restart zot
sudo journalctl -u zot -f
sudo zot verify /etc/zot/config.json

User Management

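# htpasswd prompts for the password (keeps it out of shell history); tee runs as root so the append works
htpasswd -nB username | sudo tee -a /etc/zot/htpasswd > /dev/null
sudo systemctl restart zot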

Usage

docker login reg.example.internal
docker tag myimage:latest reg.example.internal/myimage:latest
docker push reg.example.internal/myimage:latest
docker pull reg.example.internal/myimage:latest

Backup

sudo systemctl stop zot
tar -czvf zot-backup-$(date +%Y%m%d).tar.gz /data/zot /etc/zot
sudo systemctl start zot

Security Notes

  • htpasswd owned by root
  • Zot data directory owned by zot user
  • TLS terminated at Nginx
  • Rotate credentials after initial setup
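
A way to check these points on a running host, as an added example (not part of the original post or of the Zot project). It reads the config keys shown under Configuration and assumes a policy of a loopback bind, a root-owned htpasswd file that is not group-writable or readable by other users, and bcrypt entries as produced by htpasswd -B; the SAMPLE dict is constructed.

```python
import json, os, re, stat, sys

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# bcrypt digest in the form written by `htpasswd -B`: $2y$<cost>$<53 chars>
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Constructed sample: a config that binds to every interface
SAMPLE = {"http": {"address": "0.0.0.0", "port": "38000",
                   "auth": {"htpasswd": {"path": "/etc/zot/htpasswd"}}}}

def audit_config(cfg):
    """Check a parsed config.json; return (findings, htpasswd path or None)."""
    findings = []
    http = cfg.get("http", {})
    if http.get("address") not in LOOPBACK:
        findings.append(f"http.address={http.get('address')!r}: plain-HTTP port "
                        "is reachable directly, bypassing Nginx TLS")
    path = http.get("auth", {}).get("htpasswd", {}).get("path")
    if not path:
        findings.append("http.auth.htpasswd.path is not set")
    return findings, path

def audit_htpasswd(path, owner_uid=0):
    """Check owner, mode and hash format of the htpasswd file."""
    findings = []
    st = os.stat(path)
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH):
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is "
                        "group-writable or open to other users")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            user, _, digest = line.strip().partition(":")
            if user and not BCRYPT.match(digest):
                findings.append(f"{path}:{n}: user {user!r} has no bcrypt hash")
    return findings

def main(argv):
    """Audit the config file given as argv[0], or SAMPLE when none is given."""
    cfg = SAMPLE
    if argv:
        with open(argv[0]) as fh:
            cfg = json.load(fh)
    findings, path = audit_config(cfg)
    if path and os.path.exists(path):
        findings += audit_htpasswd(path)
    print("\n".join(findings) or "no findings")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as root with /etc/zot/config.json as the argument; a non-zero exit status means at least one finding.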

Final Thoughts

Zot is a great fit for private registries where you want minimal moving parts and predictable operations.