From 3a9c625caa66e1ff97f749a853acf43a9089cf69 Mon Sep 17 00:00:00 2001 From: thediveo Date: Mon, 1 Dec 2025 18:04:11 +0100 Subject: [PATCH] feat/feat: oci image cache: configure ttl, use volume for caching, disable debug endpoint, update test to check that debug endpoint is disabled Signed-off-by: thediveo --- src/pull-through-cache-registry/NOTES.md | 11 +++++++++ src/pull-through-cache-registry/README.md | 20 ++++++++++++---- .../devcontainer-feature.json | 23 +++++++++++++++---- src/pull-through-cache-registry/install.sh | 17 +++++++++----- test/pull-through-cache-registry/test.sh | 6 +++++ 5 files changed, 62 insertions(+), 15 deletions(-) diff --git a/src/pull-through-cache-registry/NOTES.md b/src/pull-through-cache-registry/NOTES.md index 67af198..c26f3a0 100644 --- a/src/pull-through-cache-registry/NOTES.md +++ b/src/pull-through-cache-registry/NOTES.md @@ -4,12 +4,23 @@ As this feature relies on the [Docker-in-Docker feature](https://github.com/devcontainers/features/tree/main/src/docker-in-docker) we only support the same Debian/Ubuntu platforms. +## Cache Volume + +This feature uses a named volume `ptcr-var-lib-registry-${devcontainerId}` for +caching pulled images, where `${devcontainerId}` is a unique identifier specific +to the development container where this feature is installed into, stable across +rebuilds. + ## Registry Configuration +The Distribution Registry service configuration is done by passing environment +variables to the service, as follows: + - pull-through caching is enabled by passing `REGISTRY_PROXY_REMOTEURL` (a.k.a. `proxy:{remoteulr:}`). - logging is set to info level by passing `REGISTRY_LOG_LEVEL` (a.k.a. `log:{level:}`). +- the default `debug:` configuration is completely disabled. ## Acknowledgement diff --git a/src/pull-through-cache-registry/README.md b/src/pull-through-cache-registry/README.md index d2957d4..5d798a0 100644 --- a/src/pull-through-cache-registry/README.md +++ b/src/pull-through-cache-registry/README.md 
@@ -15,10 +15,11 @@ Deploys a devcontainer-local CNCF Distribution Registry configured as a pull-thr | Options Id | Description | Type | Default Value | |-----|-----|-----|-----| -| proxy-remote-url | URL of the upstream OCI registry | string | https://registry-1.docker.io | -| port | port to bind the CNCF Distribution Registry service to | string | 5000 | -| registry-name | the Docker container name to give the CNCF Distribution Registry | string | registry-cache | -| wait | maximum wait time in seconds for Docker to become available when starting the CNCF Distribution Registry service | string | 30 | +| proxy-remote-url | URL of the upstream OCI registry. | string | https://registry-1.docker.io | +| port | port to bind the CNCF Distribution Registry service to. | string | 5000 | +| ttl | expire proxy cache storage after this duration, 168h corresponds with 7 days by default, set to 0 to disable any expiration. Valid duration suffixes are s, m, h, without suffix nanoseconds are assumed. | string | 168h | +| registry-name | the Docker container name to give the CNCF Distribution Registry. | string | registry-cache | +| wait | maximum wait time in seconds for Docker to become available when starting the CNCF Distribution Registry service. | string | 30 | ## OS Support 
@@ -26,12 +27,23 @@ As this feature relies on the [Docker-in-Docker feature](https://github.com/devcontainers/features/tree/main/src/docker-in-docker) we only support the same Debian/Ubuntu platforms. +## Cache Volume + +This feature uses a named volume `ptcr-var-lib-registry-${devcontainerId}` for +caching pulled images, where `${devcontainerId}` is a unique identifier specific +to the development container where this feature is installed into, stable across +rebuilds. + ## Registry Configuration +The Distribution Registry service configuration is done by passing environment +variables to the service, as follows: + - pull-through caching is enabled by passing `REGISTRY_PROXY_REMOTEURL` (a.k.a. `proxy:{remoteulr:}`). - logging is set to info level by passing `REGISTRY_LOG_LEVEL` (a.k.a. `log:{level:}`). +- the default `debug:` configuration is completely disabled. ## Acknowledgement diff --git a/src/pull-through-cache-registry/devcontainer-feature.json b/src/pull-through-cache-registry/devcontainer-feature.json index fd20d4a..9fcf3df 100644 --- a/src/pull-through-cache-registry/devcontainer-feature.json +++ b/src/pull-through-cache-registry/devcontainer-feature.json 
@@ -1,32 +1,45 @@ { "name": "OCI registry pull-through cache to mirror rate-limited upstream registries, such as Docker Hub", "id": "pull-through-cache-registry", - "version": "0.0.1", + "version": "0.0.2", "description": "Deploys a devcontainer-local CNCF Distribution Registry configured as a pull-through cache for the local docker-in-docker", "documentationURL": "https://github.com/thediveo/devcontainer-features/blob/master/src/registry-pull-through-cache/README.md", "options": { "proxy-remote-url": { "type": "string", "default": "https://registry-1.docker.io", - "description": "URL of the upstream OCI registry" + "description": "URL of the upstream OCI registry." }, "port": { "type": "string", "default": "5000", - "description": "port to bind the CNCF Distribution Registry service to", + "description": "port to bind the CNCF Distribution Registry service to.", "proposals": ["5000", "9999"] }, + "ttl": { + "type": "string", + "default": "168h", + "description": "expire proxy cache storage after this duration, 168h corresponds with 7 days by default, set to 0 to disable any expiration. Valid duration suffixes are s, m, h, without suffix nanoseconds are assumed.", + "proposals": ["24h", "168h"] + }, "registry-name": { "type": "string", "default": "registry-cache", - "description": "the Docker container name to give the CNCF Distribution Registry" + "description": "the Docker container name to give the CNCF Distribution Registry." }, "wait": { "type": "string", "default": "30", - "description": "maximum wait time in seconds for Docker to become available when starting the CNCF Distribution Registry service" + "description": "maximum wait time in seconds for Docker to become available when starting the CNCF Distribution Registry service." 
} }, + "mounts": [ + { + "source": "ptcr-var-lib-registry-${devcontainerId}", + "target": "/var/lib/registry", + "type": "volume" + } + ], "postCreateCommand": "/usr/local/bin/registry-pull-through-cache", "dependsOn": { "ghcr.io/devcontainers/features/docker-in-docker:2": {} diff --git a/src/pull-through-cache-registry/install.sh b/src/pull-through-cache-registry/install.sh index 89730b0..11a9fd6 100755 --- a/src/pull-through-cache-registry/install.sh +++ b/src/pull-through-cache-registry/install.sh @@ -3,9 +3,11 @@ set -e REGISTRYDEPLOYSCRIPT_PATH="/usr/local/bin/registry-pull-through-cache" +DOCKERDCONFIG_PATH="/etc/docker/daemon.json" PROXY_REMOTE_URL=${PROXY_REMOTE_URL:-"https://registry-1.docker.io"} PORT=${PORT:-5000} +TTL=${TTL:-168h} REGISTRY_NAME=${REGISTRY_NAME:-"registry-cache"} WAIT=${WAIT:-30} @@ -14,6 +16,7 @@ echo "installing feature registry-pull-through-cache" cat <"${REGISTRYDEPLOYSCRIPT_PATH}" PROXY_REMOTE_URL=${PROXY_REMOTE_URL} PORT="${PORT}" +TTL="${TTL}" REGISTRY_NAME="${REGISTRY_NAME}" timeout=${WAIT} @@ -37,6 +40,8 @@ else --name "\${REGISTRY_NAME}" \ -p \${PORT}:5000 \ -e REGISTRY_PROXY_REMOTEURL="\${PROXY_REMOTE_URL}" \ + -e REGISTRY_PROXY_TTL="\${TTL}" \ + -e REGISTRY_HTTP_DEBUG= \ -e REGISTRY_LOG_LEVEL=info \ -e OTEL_TRACES_EXPORTER=none \ registry:3 @@ -44,11 +49,11 @@ fi echo "pull-through cache registry started" EOF -echo generating /etc/docker/daemon.json configuring registry-mirrors -cat </etc/docker/daemon.json -{ - "registry-mirrors": [ "http://localhost:${PORT}" ] -} -EOF +echo generating ${DOCKERDCONFIG_PATH} configuring registry-mirrors +if [ ! -f "${DOCKERDCONFIG_PATH}" ]; then + echo '{}' > "${DOCKERDCONFIG_PATH}" +fi +jq --arg port "${PORT}" '.["registry-mirrors"] = [ "http://localhost:" + $port ]' "${DOCKERDCONFIG_PATH}" > "${DOCKERDCONFIG_PATH}.new" +mv "${DOCKERDCONFIG_PATH}.new" "${DOCKERDCONFIG_PATH}" chmod 0755 "${REGISTRYDEPLOYSCRIPT_PATH}" 
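Review bot: The new `mounts` entry attaches the cache volume at `/var/lib/registry` of the dev container, but the registry runs as a nested container started by the generated script, and the `docker run` arguments visible in the third install.sh hunk carry no volume flag. Unless a bind mount appears in the part of that command outside the hunk, the registry keeps writing to its own container filesystem and the named volume stays unused. If that is the case, add `-v /var/lib/registry:/var/lib/registry \` to the `docker run` arguments so the cache actually persists across rebuilds.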
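Review bot: `TTL` is copied from the feature option into the generated script without any format check, both in the `TTL=${TTL:-168h}` default here and in the `TTL="${TTL}"` line of the next hunk. That line appears to be expanded when the script is generated, so a value containing a double quote or a command substitution would be interpreted as shell when the post-create command runs. A plain typo would also only surface when the registry fails to start. Rejecting anything that is not a duration at install time covers both, for example `case "${TTL}" in *[!0-9smh]*) echo "invalid ttl: ${TTL}" >&2; exit 1 ;; esac`. `PORT` and `REGISTRY_NAME` take the same path into the generated script and would benefit from the same treatment.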
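Review bot: The `-p \${PORT}:5000` publish in this `docker run` binds the registry to every interface of the dev container, with no authentication configured in the visible arguments. The only consumer this feature sets up is the Docker daemon at `http://localhost:${PORT}`. Since the commit already turns off the debug listener, the same hardening fits the main port: `-p 127.0.0.1:\${PORT}:5000 \`. A short comment above the command would also help, saying that the empty `REGISTRY_HTTP_DEBUG=` is what disables the image's default debug configuration. The `docker run` command begins outside this hunk.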
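Review bot: The `[ ! -f ... ]` guard only covers a missing `daemon.json`. For a file that exists but is empty, `jq` reads no input, prints nothing and still exits 0, so the `mv` installs an empty file and the mirror is silently not configured. Testing with `-s` handles both cases: `if [ ! -s "${DOCKERDCONFIG_PATH}" ]; then`. The hunk also shows no check that `jq` is present. If the base image or the docker-in-docker dependency does not guarantee it, `command -v jq >/dev/null || { echo "jq is required" >&2; exit 1; }` before this block gives a clearer failure than `set -e` aborting. Note too that the assignment replaces any `registry-mirrors` already in the file rather than adding to them.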
diff --git a/test/pull-through-cache-registry/test.sh b/test/pull-through-cache-registry/test.sh index cbdfa98..6294cc0 100755 --- a/test/pull-through-cache-registry/test.sh +++ b/test/pull-through-cache-registry/test.sh @@ -3,7 +3,13 @@ set -e source dev-container-features-test-lib +cat /etc/docker/daemon.json +check "Docker demon configuration is updated" bash -c "jq -e '.[\"registry-mirrors\"] | index(\"http://localhost:5000\")' /etc/docker/daemon.json" + check "registry service is up" bash -c "source ./wait.sh && whalewaiting registry-cache" check "registry service responds" bash -c "source ./wait.sh && registrywaiting http://localhost:5000" +registry_ip="$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' registry-cache)" +check "default registry debug port 5001 is disabled on ${registry_ip}" bash -c "! curl -m 2 http://${registry_ip}:5001/" + reportResults
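Review bot: The debug-port check is a negated `curl`, so it passes on any failure, not only on a closed port. An empty or concatenated `registry_ip` (the `range` template joins addresses without a separator when the container is on several networks), a missing `curl`, or an unreachable bridge address would all make it succeed. Add a positive control against the same address first, `check "registry reachable on ${registry_ip}" bash -c "curl -s -m 2 -o /dev/null http://${registry_ip}:5000/v2/"`, so the 5001 result carries meaning. Requiring curl's connection-refused exit status (7) rather than any non-zero status would tighten it further.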