From 92a306ddc5909aa3a2faa2681f07cd4b67c175f7 Mon Sep 17 00:00:00 2001 From: continuist Date: Fri, 22 Aug 2025 22:37:51 -0400 Subject: [PATCH] Removed no longer needed docker-compose yml for registry --- CI_CD_PIPELINE_SETUP_GUIDE.md | 33 +++++++----------- registry/README.md | 2 +- registry/docker-registry.yml | 66 ----------------------------------- 3 files changed, 13 insertions(+), 88 deletions(-) delete mode 100644 registry/docker-registry.yml diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index 6d23d5e..356f425 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -702,17 +702,9 @@ sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/op sudo sed -i "s/YOUR_REGISTRY_NAME/APP_NAME-Registry/g" /opt/APP_NAME/registry/openssl.conf ``` -#### 5.2.1 Alternative: Use Podman Compose -```bash -# Use podman-compose (Docker Compose compatible) -podman-compose -f docker-registry.yml up -d -# Check status -podman-compose -f docker-registry.yml ps -``` - -#### 5.2.2 Security Features Applied +#### 5.2.1 Security Features Applied The Docker Registry v2 setup includes comprehensive security hardening: @@ -740,6 +732,9 @@ The Docker Registry v2 setup includes comprehensive security hardening: - ✅ Container policy enforcement via containers-policy.json - ✅ Volume mounts with read-only where possible +#### 5.2.2 Set Up Authentication and Permissions + +```bash # Create FHS-compliant authentication directory sudo mkdir -p /etc/registry/auth sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/auth @@ -759,17 +754,15 @@ sudo chmod 600 /etc/registry/auth/.htpasswd # Set proper permissions for configuration files sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/nginx.conf sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/openssl.conf -sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/docker-registry.yml sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/registry-pod.yaml sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/containers-policy.json sudo chmod 644 /opt/APP_NAME/registry/nginx.conf sudo chmod 644 /opt/APP_NAME/registry/openssl.conf -sudo chmod 644 /opt/APP_NAME/registry/docker-registry.yml sudo chmod 644 /opt/APP_NAME/registry/registry-pod.yaml sudo chmod 644 /opt/APP_NAME/registry/containers-policy.json ``` -#### 5.3 Create FHS-Compliant Directory Structure +#### 5.2.3 Create FHS-Compliant Directory Structure ```bash # Create FHS-compliant certificate directory structure @@ -794,7 +787,7 @@ sudo chmod 755 /var/lib/registry/data # Registry data sudo ln -sf /var/lib/registry/data /opt/APP_NAME/registry/registry ``` -#### 5.4 Generate TLS Certificate and Install for Podman +#### 5.2.4 Generate TLS Certificate and Install for Podman **Choose one of the following options based on whether you have a domain name:** @@ -888,9 +881,9 @@ sudo cp /etc/registry/certs/registry.crt /etc/containers/certs.d/YOUR_DOMAIN_NAM --- -**After completing the steps for your chosen option, continue with Step 5.7 (Start Docker Registry with Docker Compose).** +**After completing the steps for your chosen option, continue with Step 5.5 (Set Up Systemd Service for Docker Registry v2).** -#### 5.5 Install Certificate for Podman (Option B Only) +#### 5.3 Install Certificate for Podman (Option B Only) **Important**: This step adds the Let's Encrypt certificate for Podman. Since Let's Encrypt is a trusted CA, Podman will automatically trust this certificate. @@ -913,7 +906,7 @@ echo "Certificate installation completed successfully!" echo "Podman can now connect to the registry securely using your domain name" ``` -#### 5.6 Set Up Automatic Certificate Renewal (Option B Only) +#### 5.4 Set Up Automatic Certificate Renewal (Option B Only) **Important**: Let's Encrypt certificates expire after 90 days, so we need to set up automatic renewal. @@ -930,7 +923,7 @@ echo "Automatic certificate renewal configured!" echo "Certificates will be renewed automatically and the registry service will be restarted" ``` -#### 5.7 Set Up Systemd Service for Docker Registry v2 +#### 5.5 Set Up Systemd Service for Docker Registry v2 ```bash # Create system-wide Podman configuration to avoid permission issues @@ -969,7 +962,7 @@ sudo systemctl status docker-registry.service sudo journalctl -u docker-registry.service -f --no-pager -n 50 ``` -#### 5.8 Verify Docker Registry v2 Service +#### 5.6 Verify Docker Registry v2 Service ```bash # Check that the service is running properly @@ -985,7 +978,7 @@ sudo su - CI_SERVICE_USER -c "podman logs registry-pod-nginx" sudo su - CI_SERVICE_USER -c "podman logs registry-pod-registry" ``` -#### 5.9 Test Registry Setup +#### 5.7 Test Registry Setup **For Option A (Self-signed certificates):** @@ -1432,7 +1425,6 @@ ls -la /tmp/ci-workspace The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) for better organization and security: **Application Files** (in `/opt/APP_NAME/registry/`): -- `docker-registry.yml` - Podman Compose configuration for Docker Registry v2 and nginx - `registry-pod.yaml` - Kubernetes Pod manifest for Docker Registry v2 and nginx - `nginx.conf` - nginx reverse proxy configuration from project repository - `openssl.conf` - OpenSSL configuration for certificate generation from project repository @@ -2452,7 +2444,6 @@ sudo rm -rf /opt/APP_NAME/registry/openssl.conf sudo rm -rf /opt/APP_NAME/registry/certs/requests/openssl.conf # Note: DO NOT remove these files as they are needed for operation: -# - /opt/APP_NAME/registry/docker-registry.yml # - /opt/APP_NAME/registry/registry-pod.yaml # - /opt/APP_NAME/registry/nginx.conf # - /opt/APP_NAME/registry/containers-policy.json diff --git a/registry/README.md b/registry/README.md index bf07152..364db70 100644 --- a/registry/README.md +++ b/registry/README.md @@ -4,7 +4,7 @@ This folder contains the configuration files for the Docker Registry setup used ## Files -- **`docker-registry.yml`**: Podman Compose configuration for Docker Registry v2 and nginx reverse proxy + - **`nginx.conf`**: nginx configuration for HTTPS and authentication - **`docker-registry.service`**: Systemd service file for Docker Registry v2 - **`README.md`**: This documentation file diff --git a/registry/docker-registry.yml b/registry/docker-registry.yml deleted file mode 100644 index 30842dd..0000000 --- a/registry/docker-registry.yml +++ /dev/null @@ -1,66 +0,0 @@ -services: - registry: - image: registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d - container_name: registry - restart: unless-stopped - user: "1000:1000" - environment: - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry - # Disable image deletion for security - REGISTRY_STORAGE_DELETE_ENABLED: "false" - # Listen only inside the compose network - REGISTRY_HTTP_ADDR: 0.0.0.0:5000 - # TLS configuration - REGISTRY_HTTP_TLS_CERTIFICATE: /etc/registry/certs/registry.crt - REGISTRY_HTTP_TLS_KEY: /etc/registry/certs/private/registry.key - volumes: - - ./registry:/var/lib/registry - - /etc/registry/certs:/etc/registry/certs:ro - expose: - - "5000" # internal only, not published - deploy: - resources: - limits: - cpus: '1.0' - memory: 1G - reservations: - cpus: '0.5' - memory: 512M - security_opt: - - no-new-privileges:true - - seccomp:unconfined - read_only: true - tmpfs: - - /tmp:noexec,nosuid,size=100m - - nginx: - image: nginx@sha256:6650513efd1d27c1f8a5351cbd33edf85cc7e3b73dc4d4d4e8f8c0b3d0b3d0b3d - container_name: nginx - restart: unless-stopped - user: "1000:1000" - depends_on: - - registry - ports: - - "443:443" # HTTPS only - - "4443:4443" - # deliberately no "80:80" – no HTTP - volumes: - - ./nginx.conf:/etc/nginx/nginx.conf:ro - - /etc/registry/certs:/etc/registry/certs:ro - - /etc/registry/auth/.htpasswd:/etc/nginx/.htpasswd:ro - - /var/log/nginx:/var/log/nginx - - ./containers-policy.json:/etc/containers/policy.json:ro - deploy: - resources: - limits: - cpus: '0.5' - memory: 512M - reservations: - cpus: '0.25' - memory: 256M - security_opt: - - no-new-privileges:true - - seccomp:unconfined - read_only: true - tmpfs: - - /tmp:noexec,nosuid,size=100m