From 11b0715f71155e7ee93a2658a1884fce055d6d1d Mon Sep 17 00:00:00 2001
From: continuist
Date: Fri, 4 Jul 2025 18:32:08 -0400
Subject: [PATCH] Fix DinD Harbor cert registration
---
 CI_CD_PIPELINE_SETUP_GUIDE.md | 59 ++++++++++++++++++++---------------
 1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index 6afa709..20bd01e 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -988,14 +988,14 @@ sudo journalctl -u forgejo-runner.service -f --no-pager
 ```bash
-# Switch to CI_DEPLOY_USER (who has sudo access for Docker operations)
-sudo su - CI_DEPLOY_USER
+# Switch to CI_SERVICE_USER (who has Docker group access)
+sudo su - CI_SERVICE_USER
 # Navigate to the application directory
 cd /opt/APP_NAME
 # Start DinD container for isolated Docker operations
-sudo docker run -d \
+docker run -d \
 --name ci-dind \
 --privileged \
 -p 2375:2375 \
@@ -1005,7 +1005,7 @@ sudo docker run -d \
 # Wait for a minute or two for DinD to be ready (wait for Docker daemon inside DinD)
 # Test DinD connectivity
-sudo docker exec ci-dind docker version
+docker exec ci-dind docker version
 ```
 **What this does**:
@@ -1013,7 +1013,7 @@ sudo docker exec ci-dind docker version
 - **Health checks**: Ensures DinD is fully ready before proceeding
 - **Simple setup**: Direct Docker commands for maximum flexibility
-**Why CI_DEPLOY_USER**: The CI_DEPLOY_USER handles deployment orchestration and has sudo access for Docker operations, following the principle of least privilege.
+**Why CI_SERVICE_USER**: The CI_SERVICE_USER is in the docker group and runs the CI pipeline, so it needs direct access to the DinD container for seamless CI/CD operations.
 #### 7.2 Configure DinD for Harbor Registry
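Review bot: The new `**Why CI_SERVICE_USER**` paragraph in the third hunk should say that docker-group membership is root-equivalent on the host, because dropping `sudo` does not reduce privilege: a user who can run `docker run --privileged` controls the host. Suggest appending `Note: membership in the docker group grants root-equivalent access to the host, so protect CI_SERVICE_USER's credentials as you would root's.` The `-p 2375:2375` line in the first hunk is unchanged context, but since this commit rewrites the privilege rationale around it, a sentence on who can reach that unauthenticated daemon port belongs there too (e.g. `-p 127.0.0.1:2375:2375` when only the local runner needs it). The 7.1 code block continues past the end of the first hunk.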
@@ -1023,20 +1023,35 @@ sudo docker exec ci-dind docker version
 cd /opt/APP_NAME
 # Copy Harbor certificate to DinD container
-sudo docker cp /etc/ssl/registry/registry.crt ci-dind:/usr/local/share/ca-certificates/
-sudo docker exec ci-dind update-ca-certificates
+docker cp /etc/ssl/registry/registry.crt ci-dind:/usr/local/share/ca-certificates/
+
+# Fix certificate ownership (crucial for CA certificate trust)
+docker exec ci-dind chown root:root /usr/local/share/ca-certificates/registry.crt
+
+# Update CA certificates
+docker exec ci-dind update-ca-certificates
+
+# Restart DinD container to pick up new CA certificates
+docker restart ci-dind
+
+# Wait for DinD to be ready again
+sleep 30
+
+# Login to Harbor from within DinD
+echo "ci-user-password" | docker exec -i ci-dind docker login YOUR_CI_CD_IP -u ci-user --password-stdin
 # Test Harbor connectivity from DinD (using certificate trust)
-sudo docker exec ci-dind docker pull alpine:latest
-sudo docker exec ci-dind docker tag alpine:latest YOUR_CI_CD_IP:80/test/alpine:latest
-sudo docker exec ci-dind docker push YOUR_CI_CD_IP:80/test/alpine:latest
+docker exec ci-dind docker pull alpine:latest
+docker exec ci-dind docker tag alpine:latest YOUR_CI_CD_IP/APP_NAME/test:latest
+docker exec ci-dind docker push YOUR_CI_CD_IP/APP_NAME/test:latest
 # Clean up test image
-sudo docker exec ci-dind docker rmi YOUR_CI_CD_IP:80/test/alpine:latest
+docker exec ci-dind docker rmi YOUR_CI_CD_IP/APP_NAME/test:latest
 ```
 **What this does**:
-- **Configures insecure registry**: Allows DinD to push to Harbor without SSL verification
+- **Configures certificate trust**: Properly sets up Harbor certificate trust in DinD
+- **Fixes ownership issues**: Ensures certificate has correct ownership for CA trust
 - **Tests connectivity**: Verifies DinD can pull, tag, and push images to Harbor
 - **Validates setup**: Ensures the complete CI/CD pipeline will work
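Review bot: The added `echo "ci-user-password" | docker exec -i ci-dind docker login ... --password-stdin` line puts the registry password on the interactive command line and therefore into the user's shell history; `--password-stdin` only keeps it out of `docker login`'s argv. Prefer feeding it from a file readable only by CI_SERVICE_USER, `docker exec -i ci-dind docker login YOUR_CI_CD_IP -u ci-user --password-stdin < /path/to/ci-user-password-file` (placeholder path), or reading it with `read -rs` at a prompt. The `sleep 30` after `docker restart ci-dind` is a fixed guess; `until docker exec ci-dind docker info >/dev/null 2>&1; do sleep 2; done` waits for the daemon itself and fails loudly if it never comes up. The installed CA and the stored login appear to live in ci-dind's writable layer, so they survive `docker restart` but presumably not a recreate of the container; a line in the **What this does** list saying that this step must be repeated after `docker run` would save readers a confusing TLS or auth failure later.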
@@ -1089,11 +1104,11 @@ docker exec ci-dind docker run --rm alpine:latest echo "DinD is working!"
 # Test Harbor integration
 docker exec ci-dind docker pull alpine:latest
-docker exec ci-dind docker tag alpine:latest YOUR_CI_CD_IP:80/test/dind-test:latest
-docker exec ci-dind docker push YOUR_CI_CD_IP:80/test/dind-test:latest
+docker exec ci-dind docker tag alpine:latest YOUR_CI_CD_IP/APP_NAME/dind-test:latest
+docker exec ci-dind docker push YOUR_CI_CD_IP/APP_NAME/dind-test:latest
 # Clean up test
-docker exec ci-dind docker rmi YOUR_CI_CD_IP:80/test/dind-test:latest
+docker exec ci-dind docker rmi YOUR_CI_CD_IP/APP_NAME/dind-test:latest
 ```
 **Expected Output**:
@@ -1171,13 +1186,13 @@ sudo ufw allow 443/tcp # Harbor registry (public read access)
 ```bash
 docker --version
-docker compose --version
+docker compose version
 ```
 #### 9.2 Check Harbor Status
 ```bash
-cd /opt/APP_NAME/registry
+cd /opt/harbor/harbor
 docker compose ps
 ```
@@ -1185,20 +1200,12 @@ docker compose ps
 ```bash
 # Test Harbor API
-curl -k https://localhost:8080/api/v2.0/health
+curl -k https://localhost/api/v2.0/health
 # Test Harbor UI
 curl -k -I https://localhost
 ```
-#### 9.4 Get Public Key for Production Server
-
-```bash
-cat ~/.ssh/id_ed25519.pub
-```
-
-**Important**: Copy this public key - you'll need it for the production server setup.
-
 ---
 ## Part 2: Production Linode Setup
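Review bot: The new `curl -k https://localhost/api/v2.0/health` keeps `-k`, so the health check never exercises the certificate trust that section 7.2 just set up, and a wrong, expired or mismatched certificate passes this step silently. Suggest `curl --cacert /etc/ssl/registry/registry.crt https://YOUR_CI_CD_IP/api/v2.0/health`, since the DinD login in 7.2 already depends on that certificate being valid for YOUR_CI_CD_IP; keep `-k` only for the localhost UI probe if localhost is not in the certificate, and say so in a comment. The deleted 9.4 section (the public key copied to the production server) may still be referenced from Part 2; the hunk does not show whether that step was moved rather than dropped.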