Moving the docker registry from DockerHub to ghcr.io

[naveensrinivasan]

Background

lnd docker container is hosted at dockerhub https://hub.docker.com/r/lightninglabs/lnd

• The dockerhub has Ratelimits https://www.docker.com/increase-rate-limits which is drawback
• The docker hub secrets are stored within GitHub, which could be compromised. https://github.com/lightningnetwork/lnd/blob/a329c8061266418bccd797aa5d7d277c736ee930/.github/workflows/docker.yml#L29-L30

Zero-trust security starts with trusting actual entities based on strong identity, not whoever happens to control a secret, or whoever gets behind a firewall. No secrets sounds great in theory!

https://dlorenc.medium.com/a-bit-of-ambiance-comes-to-sigstore-f80d1d6b1c30

Potential solution

• Use ghcr.io/lightninglabs/lnd as to container registry and use the GitHub action to push it directly.
• If not utilize https://docs.docker.com/docker-hub/builds/#configure-automated-build-settings webhooks to build and push within the registry and not storing the secret within GitHub.
  • This approach still has the issue of Dockerhub rate limits
  • Also signing the #5728 images is not going to be easy

[naveensrinivasan]

Here is a PR for this #5818

[Roasbeef]

This came up recently when moved to start building our own containers for the bitcoind repo, Docker Hub has some weird limits now as they want to force ppl towards a paid plan

[naveensrinivasan]

This came up recently when moved to start building our own containers for the bitcoind repo, Docker Hub has some weird limits now as they want to force ppl towards a paid plan

Nice!! With keyless singing and the new OIDC feature even better https://chainguard.dev/posts/2021-11-03-zero-friction-keyless-signing

[thinkmassive]

~I haven't been able to pull from GHCR without logging in, so I don't think it's a full replacement for dockerhub at this time, but~ #5818 seems like a great addition.

Edit: it was a problem with the repo I was trying to pull, looks like ghcr.io does in fact allow anonymous pulls

[naveensrinivasan]

I agree ghcr doesn't allow anonymous pulls.

Compared to Docker hub ghcr has option sign containers with sigstore.dev , no keys for pushing changes lots of advantages.

[thinkmassive]

Ok interesting, I thought I had an anonymous pull work. Regardless, it seems like the only cost of pushing to both registries is the effort to maintain both build scripts. Since we can include signatures in ghcr it seems worth it.