Use CI service user to run docker registry
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
This commit is contained in:
parent
a43f2003d0
commit
838078f896
2 changed files with 19 additions and 28 deletions
|
@ -657,33 +657,21 @@ sudo usermod -aG docker CI_SERVICE_USER
|
||||||
|
|
||||||
We'll set up a basic Docker Registry with Caddy as a reverse proxy, configured to allow unauthenticated pulls but require authentication for pushes.
|
We'll set up a basic Docker Registry with Caddy as a reverse proxy, configured to allow unauthenticated pulls but require authentication for pushes.
|
||||||
|
|
||||||
#### 5.1 Create Registry Service User
|
#### 5.1 Configure Registry Directory for CI_SERVICE_USER
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Create dedicated user and group for Docker Registry
|
# Create registry directory structure
|
||||||
sudo groupadd -r registry
|
sudo mkdir -p /opt/registry
|
||||||
sudo useradd -r -g registry -s /bin/bash -m -d /opt/registry registry
|
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry
|
||||||
|
|
||||||
# Set secure password for emergency access
|
|
||||||
echo "registry:$(openssl rand -base64 32)" | sudo chpasswd
|
|
||||||
|
|
||||||
# Add registry user to docker group
|
|
||||||
sudo usermod -aG docker registry
|
|
||||||
|
|
||||||
# Add CI_DEPLOY_USER to registry group for monitoring access
|
|
||||||
sudo usermod -aG registry CI_DEPLOY_USER
|
|
||||||
|
|
||||||
# Set proper permissions on /opt/registry directory
|
|
||||||
sudo chown registry:registry /opt/registry
|
|
||||||
sudo chmod 755 /opt/registry
|
sudo chmod 755 /opt/registry
|
||||||
```
|
```
|
||||||
|
|
||||||
#### 5.2 Create Docker Compose Setup
|
#### 5.2 Create Docker Compose Setup
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Create registry directory structure
|
# Create registry directory structure (if not already created)
|
||||||
sudo mkdir -p /opt/registry
|
sudo mkdir -p /opt/registry
|
||||||
sudo chown registry:registry /opt/registry
|
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry
|
||||||
cd /opt/registry
|
cd /opt/registry
|
||||||
|
|
||||||
# Copy registry configuration from repository
|
# Copy registry configuration from repository
|
||||||
|
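Review bot: removing the dedicated `registry` account in 5.1 (the deleted `sudo groupadd -r registry` / `sudo useradd -r -g registry ...` lines) collapses the registry's identity into `CI_SERVICE_USER`, which the hunk header's context line `sudo usermod -aG docker CI_SERVICE_USER` shows already has docker-socket access; every pipeline job running under that account can now read and rewrite the registry's files directly, so the section should state why that trade-off is acceptable rather than make it silently. Two follow-ups: the deleted `sudo usermod -aG registry CI_DEPLOY_USER` ("for monitoring access") has no replacement, so whatever CI_DEPLOY_USER needed to read under /opt/registry should be re-granted explicitly (a shared group or an ACL) or the monitoring note dropped; and `sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry` assumes a group with the same name exists, which is only true if the account was created with a user-private group. The dropped `chpasswd` line set a random password that was never recorded anywhere, so losing it is harmless.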
@ -705,7 +693,7 @@ REGISTRY_PASSWORD_HASH=$REGISTRY_PASSWORD_HASH
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Set proper permissions
|
# Set proper permissions
|
||||||
sudo chown registry:registry .env
|
sudo chown CI_SERVICE_USER:CI_SERVICE_USER .env
|
||||||
sudo chmod 600 .env
|
sudo chmod 600 .env
|
||||||
```
|
```
|
||||||
|
|
||||||
|
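Review bot: `sudo chown CI_SERVICE_USER:CI_SERVICE_USER .env` together with the unchanged `chmod 600` is consistent with the compose commands in 5.5 running as that user, but `.env` carries `REGISTRY_PASSWORD_HASH` (header context) and is now owned by the account that executes pipeline jobs; mode 600 does not protect a file from its own owner, so the guide should warn that nothing in the pipeline may bind-mount or copy /opt/registry into build containers.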
@ -714,7 +702,7 @@ sudo chmod 600 .env
|
||||||
```bash
|
```bash
|
||||||
# Create registry data directory
|
# Create registry data directory
|
||||||
sudo mkdir -p /opt/registry/data
|
sudo mkdir -p /opt/registry/data
|
||||||
sudo chown registry:registry /opt/registry/data
|
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/data
|
||||||
|
|
||||||
# Copy registry configuration from repository
|
# Copy registry configuration from repository
|
||||||
sudo cp /opt/APP_NAME/registry/config.yml /opt/registry/config.yml
|
sudo cp /opt/APP_NAME/registry/config.yml /opt/registry/config.yml
|
||||||
|
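Review bot: `sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/data` only matters if the compose file runs the registry container with a matching `user:`; the upstream `registry:2` image has no USER directive and runs as root inside the container, so anything it writes into this bind mount will be root-owned regardless of this chown and `CI_SERVICE_USER` will not be able to prune or back up blobs without sudo. Either set `user: "<uid>:<gid>"` for the registry service or document that the data directory ends up root-owned.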
@ -723,7 +711,7 @@ sudo cp /opt/APP_NAME/registry/config.yml /opt/registry/config.yml
|
||||||
sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/registry/config.yml
|
sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/registry/config.yml
|
||||||
|
|
||||||
# Set proper permissions
|
# Set proper permissions
|
||||||
sudo chown registry:registry /opt/registry/config.yml
|
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/config.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
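Review bot: `sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/config.yml` changes the owner under a "Set proper permissions" comment but sets no mode, so the file keeps whatever `cp` produced; add an explicit `sudo chmod 640 /opt/registry/config.yml` (or 644 if nothing sensitive is in it) next to the chown, as is already done for `.env`. Unrelated to the rename but visible in the same hunk: `sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g"` replaces one placeholder with another, so a reader following the guide verbatim ends up with `YOUR_ACTUAL_IP_ADDRESS` in config.yml.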
@ -731,8 +719,8 @@ sudo chown registry:registry /opt/registry/config.yml
|
||||||
#### 5.5 Start Docker Registry with Docker Compose
|
#### 5.5 Start Docker Registry with Docker Compose
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Switch to registry user
|
# Switch to CI_SERVICE_USER
|
||||||
sudo su - registry
|
sudo su - CI_SERVICE_USER
|
||||||
|
|
||||||
# Navigate to registry directory
|
# Navigate to registry directory
|
||||||
cd /opt/registry
|
cd /opt/registry
|
||||||
|
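Review bot: `sudo su - CI_SERVICE_USER` before `docker compose up -d` depends on the account's `docker` group membership from the earlier `usermod -aG docker CI_SERVICE_USER`; a membership added in the current session is only picked up by a fresh login, which `su -` provides, so this works, but `sudo -iu CI_SERVICE_USER` is the conventional form and avoids passing through a root shell. Since 5.6 installs a systemd unit that runs the same `docker compose up -d` as the same user in the same directory, the guide should say this manual start is a one-off verification and the unit is the long-term owner of the stack.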
@ -743,7 +731,7 @@ docker compose up -d
|
||||||
# Verify services are running
|
# Verify services are running
|
||||||
docker compose ps
|
docker compose ps
|
||||||
|
|
||||||
# Exit registry user shell
|
# Exit CI_SERVICE_USER shell
|
||||||
exit
|
exit
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -760,8 +748,8 @@ Requires=docker.service
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
User=registry
|
User=CI_SERVICE_USER
|
||||||
Group=registry
|
Group=CI_SERVICE_USER
|
||||||
WorkingDirectory=/opt/registry
|
WorkingDirectory=/opt/registry
|
||||||
ExecStart=/usr/bin/docker compose up -d
|
ExecStart=/usr/bin/docker compose up -d
|
||||||
ExecStop=/usr/bin/docker compose down
|
ExecStop=/usr/bin/docker compose down
|
||||||
|
|
|
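Review bot: `Group=CI_SERVICE_USER` assumes a group of that name exists; if the account's primary group is something else (for example `docker` or `users`) the unit fails to start with a group-credentials error, so either drop the `Group=` line and let systemd use the account's primary group, or make the setup steps confirm that the group exists. Supplementary groups (including `docker`) are still applied from the user database, so `docker compose` will reach the socket. Two points that are unchanged by this hunk but worth a sentence in the docs: with `Type=oneshot` and `RemainAfterExit=yes` systemd does not supervise the containers after `up -d` returns, and `Requires=docker.service` alone does not order the unit after docker, so an `After=docker.service` line belongs in [Unit] if it is not already there.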
@ -15,6 +15,7 @@ The registry setup uses:
|
||||||
- **Docker Registry**: Basic registry for storing Docker images
|
- **Docker Registry**: Basic registry for storing Docker images
|
||||||
- **Caddy**: Reverse proxy with automatic HTTPS and authentication
|
- **Caddy**: Reverse proxy with automatic HTTPS and authentication
|
||||||
- **Environment Variables**: For authentication credentials
|
- **Environment Variables**: For authentication credentials
|
||||||
|
- **Service User**: The registry and Caddy services run as the existing `CI_SERVICE_USER` (not a separate registry user)
|
||||||
|
|
||||||
## Authentication Model
|
## Authentication Model
|
||||||
|
|
||||||
|
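Review bot: the new bullet "run as the existing `CI_SERVICE_USER` (not a separate registry user)" states the decision but not its consequence; since that account also runs pipeline jobs and has docker-socket access (see the setup guide's `usermod -aG docker CI_SERVICE_USER`), the reader should be told that registry credentials and image data are exposed to anything that executes as the CI user. One sentence of rationale (simpler permissions, a single account to manage) and one on the trade-off would make this an informed choice instead of an implicit one.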
@ -41,14 +42,16 @@ The setup is configured through:
|
||||||
2. **Caddyfile**: Handles HTTPS and authentication
|
2. **Caddyfile**: Handles HTTPS and authentication
|
||||||
3. **Docker Compose**: Orchestrates the registry and Caddy services
|
3. **Docker Compose**: Orchestrates the registry and Caddy services
|
||||||
4. **Registry Config**: `config.yml` contains the Docker Registry configuration
|
4. **Registry Config**: `config.yml` contains the Docker Registry configuration
|
||||||
|
5. **User/Permissions**: All files and services are owned and run by `CI_SERVICE_USER` for consistency and security
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials.
|
The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by `CI_SERVICE_USER`.
|
||||||
|
|
||||||
## Security
|
## Security
|
||||||
|
|
||||||
- Authentication is handled by Caddy using environment variables
|
- Authentication is handled by Caddy using environment variables
|
||||||
- HTTPS is automatically managed by Caddy
|
- HTTPS is automatically managed by Caddy
|
||||||
- Registry data is persisted in Docker volumes
|
- Registry data is persisted in Docker volumes
|
||||||
- Environment file contains sensitive credentials and should be properly secured
|
- Environment file contains sensitive credentials and should be properly secured
|
||||||
|
- All files and services are owned by `CI_SERVICE_USER` (not a separate registry user)
|
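Review bot: "owned and run by `CI_SERVICE_USER` for consistency and security" (item 5) and the closing Security bullet overstate the benefit: consolidating the registry, Caddy and the CI runner under one account reduces isolation compared with the `registry` user it replaces, so either say "for consistency" or spell out the security argument. Also, the untouched bullet "Registry data is persisted in Docker volumes" contradicts the setup guide, which bind-mounts `/opt/registry/data` and chowns it to `CI_SERVICE_USER` in this same commit; update one or the other.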