From 838078f896dd59a3760f48f7bab5c72a33cda2e1 Mon Sep 17 00:00:00 2001 From: continuist Date: Sun, 13 Jul 2025 11:06:38 -0400 Subject: [PATCH] Use CI service user to run docker registry --- CI_CD_PIPELINE_SETUP_GUIDE.md | 40 ++++++++++++----------------------- registry/README.md | 7 ++++-- 2 files changed, 19 insertions(+), 28 deletions(-) diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index 2bd672d..073a30d 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -657,33 +657,21 @@ sudo usermod -aG docker CI_SERVICE_USER We'll set up a basic Docker Registry with Caddy as a reverse proxy, configured to allow unauthenticated pulls but require authentication for pushes. -#### 5.1 Create Registry Service User +#### 5.1 Configure Registry Directory for CI_SERVICE_USER ```bash -# Create dedicated user and group for Docker Registry -sudo groupadd -r registry -sudo useradd -r -g registry -s /bin/bash -m -d /opt/registry registry - -# Set secure password for emergency access -echo "registry:$(openssl rand -base64 32)" | sudo chpasswd - -# Add registry user to docker group -sudo usermod -aG docker registry - -# Add CI_DEPLOY_USER to registry group for monitoring access -sudo usermod -aG registry CI_DEPLOY_USER - -# Set proper permissions on /opt/registry directory -sudo chown registry:registry /opt/registry +# Create registry directory structure +sudo mkdir -p /opt/registry +sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry sudo chmod 755 /opt/registry ``` #### 5.2 Create Docker Compose Setup ```bash -# Create registry directory structure +# Create registry directory structure (if not already created) sudo mkdir -p /opt/registry -sudo chown registry:registry /opt/registry +sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry cd /opt/registry # Copy registry configuration from repository 
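Review bot: Folding the dedicated `registry` account into CI_SERVICE_USER (the `sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry` lines in 5.1 and 5.2 here, and the `.env`, `data`, `config.yml`, `sudo su -` and systemd `User=`/`Group=` hunks that follow) widens the blast radius: whatever runs as CI_SERVICE_USER (presumably the CI runner itself) now also owns the registry's `.env` with the password hash, so `chmod 600` no longer separates it from that user, and it can rewrite registry storage and config. The README changed in this same commit describes this as done "for consistency and security"; the consistency is real but the security effect is the opposite, so the guide should state the trade-off next to the chown, e.g. `# NOTE: the registry now shares an identity with CI; anything running as CI_SERVICE_USER can read .env and modify registry data/config — keep a dedicated account if CI runs untrusted workloads.` The removed `sudo usermod -aG registry CI_DEPLOY_USER` step also drops the documented monitoring access for CI_DEPLOY_USER without a replacement; if that access is still wanted, say how it is granted now. Finally, the `user:user` chown and the later `Group=CI_SERVICE_USER` assume a primary group with the same name exists, which the old text guaranteed via `groupadd -r registry` and the new text does not; note that prerequisite or chown to the user's actual primary group.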
@@ -705,7 +693,7 @@ REGISTRY_PASSWORD_HASH=$REGISTRY_PASSWORD_HASH EOF # Set proper permissions -sudo chown registry:registry .env +sudo chown CI_SERVICE_USER:CI_SERVICE_USER .env sudo chmod 600 .env ``` @@ -714,7 +702,7 @@ sudo chmod 600 .env ```bash # Create registry data directory sudo mkdir -p /opt/registry/data -sudo chown registry:registry /opt/registry/data +sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/data # Copy registry configuration from repository sudo cp /opt/APP_NAME/registry/config.yml /opt/registry/config.yml @@ -723,7 +711,7 @@ sudo cp /opt/APP_NAME/registry/config.yml /opt/registry/config.yml sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/registry/config.yml # Set proper permissions -sudo chown registry:registry /opt/registry/config.yml +sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/config.yml ``` @@ -731,8 +719,8 @@ sudo chown registry:registry /opt/registry/config.yml #### 5.5 Start Docker Registry with Docker Compose ```bash -# Switch to registry user -sudo su - registry +# Switch to CI_SERVICE_USER +sudo su - CI_SERVICE_USER # Navigate to registry directory cd /opt/registry @@ -743,7 +731,7 @@ docker compose up -d # Verify services are running docker compose ps -# Exit registry user shell +# Exit CI_SERVICE_USER shell exit ``` @@ -760,8 +748,8 @@ Requires=docker.service [Service] Type=oneshot RemainAfterExit=yes -User=registry -Group=registry +User=CI_SERVICE_USER +Group=CI_SERVICE_USER WorkingDirectory=/opt/registry ExecStart=/usr/bin/docker compose up -d ExecStop=/usr/bin/docker compose down diff --git a/registry/README.md b/registry/README.md index 307e4fa..7b2b14a 100644 --- a/registry/README.md +++ b/registry/README.md 
@@ -15,6 +15,7 @@ The registry setup uses: - **Docker Registry**: Basic registry for storing Docker images - **Caddy**: Reverse proxy with automatic HTTPS and authentication - **Environment Variables**: For authentication credentials +- **Service User**: The registry and Caddy services run as the existing `CI_SERVICE_USER` (not a separate registry user) ## Authentication Model @@ -41,14 +42,16 @@ The setup is configured through: 2. **Caddyfile**: Handles HTTPS and authentication 3. **Docker Compose**: Orchestrates the registry and Caddy services 4. **Registry Config**: `config.yml` contains the Docker Registry configuration +5. **User/Permissions**: All files and services are owned and run by `CI_SERVICE_USER` for consistency and security ## Usage -The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. +The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by `CI_SERVICE_USER`. ## Security - Authentication is handled by Caddy using environment variables - HTTPS is automatically managed by Caddy - Registry data is persisted in Docker volumes -- Environment file contains sensitive credentials and should be properly secured \ No newline at end of file +- Environment file contains sensitive credentials and should be properly secured +- All files and services are owned by `CI_SERVICE_USER` (not a separate registry user) \ No newline at end of file