diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index fdd68b6..2304043 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -557,10 +557,12 @@ services:
 networks:
 - registry_network
 healthcheck:
- test: ["CMD", "curl", "-k", "-f", "https://localhost:5000/v2/_catalog"]
+ test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "https://localhost:5000/v2/", "--no-check-certificate"]
 interval: 30s
 timeout: 10s
 retries: 3
+ start_period: 40s
+
 registry-ui:
 image: joxit/docker-registry-ui:latest
@@ -636,7 +638,7 @@ http {
 # Proxy registry API requests
 location /v2/ {
- proxy_pass http://registry_api;
+ proxy_pass https://registry_api;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -644,6 +646,7 @@ http {
 proxy_connect_timeout 30s;
 proxy_send_timeout 30s;
 proxy_read_timeout 30s;
+ proxy_ssl_verify off;
 }
 # Proxy registry UI requests
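Review bot: `proxy_ssl_verify off;` in the `location /v2/` block means nginx encrypts the hop to `registry_api` but never checks which certificate the upstream presents, so the switch to `https://registry_api` in the previous hunk gives confidentiality on that hop without authenticating the registry. The removed troubleshooting section shows the self-signed certificate at `/etc/nginx/ssl/registry.crt`; if the live config mounts it there too, the block could pin it with `proxy_ssl_trusted_certificate /etc/nginx/ssl/registry.crt;` and `proxy_ssl_verify on;`, plus `proxy_ssl_name` set to the name in that certificate. If verification is left off on purpose, a comment such as `# upstream certificate is not verified; acceptable only on the private compose network` would tell readers it is a deliberate trade-off. The `location` block opens in the previous hunk and the rest of `nginx.conf` is outside this diff.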
@@ -687,155 +690,6 @@ docker compose up -d
 exit
 ```
-#### 4.6.1 Restart Registry with Updated Configuration
-
-If you've already started the registry and then updated the `REGISTRY_URL` in the docker-compose.yml file, you need to restart the containers for the changes to take effect:
-
-```bash
-# Switch to SERVICE_USER (registry directory owner)
-sudo su - SERVICE_USER
-
-cd /opt/registry
-
-# Stop and remove the existing containers
-docker compose down
-
-# Start the containers with the updated configuration
-docker compose up -d
-
-# Exit SERVICE_USER shell
-exit
-```
-
-**Note**: This step is only needed if you've already started the registry and then updated the `REGISTRY_URL`. If you're starting fresh, Step 4.6 is sufficient.
-
-#### 4.6.2 Troubleshoot Connection Issues
-
-If you get "Unable to Connect" when accessing `https://YOUR_CI_CD_IP:8080`, run these diagnostic commands:
-
-```bash
-# Switch to SERVICE_USER (registry directory owner)
-sudo su - SERVICE_USER
-
-cd /opt/registry
-
-# Check if all containers are running
-docker compose ps
-
-# Check container logs for errors
-docker compose logs nginx
-docker compose logs registry-ui
-docker compose logs registry
-
-# Check if nginx is listening on port 8080
-netstat -tlnp | grep :8080
-
-# Test nginx directly
-curl -k https://localhost:8080
-
-# Exit SERVICE_USER shell
-exit
-```
-
-**Common Issues and Solutions:**
-- **Container not running**: Run `docker compose up -d` to start containers
-- **Port conflict**: Check if port 8080 is already in use
-- **SSL certificate issues**: Verify the certificate files exist and have correct permissions
-- **Firewall blocking**: Ensure port 8080 is open in your firewall
-
-#### 4.6.3 Fix Container Restart Issues
-
-If containers are restarting repeatedly, check the logs and fix the configuration:
-
-```bash
-# Switch to SERVICE_USER (registry directory owner)
-sudo su - SERVICE_USER
-
-cd /opt/registry
-
-# Stop all containers
-docker compose down
-
-# Check if SSL certificates exist
-ls -la ssl/
-
-# If certificates don't exist, generate them
-if [ ! -f ssl/registry.crt ]; then
- echo "Generating SSL certificates..."
- mkdir -p ssl
- openssl req -x509 -newkey rsa:4096 -keyout ssl/registry.key -out ssl/registry.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=YOUR_CI_CD_IP"
- chmod 600 ssl/registry.key
- chmod 644 ssl/registry.crt
-fi
-
-# Check if nginx.conf exists
-ls -la nginx.conf
-
-# If nginx.conf doesn't exist, create it
-if [ ! -f nginx.conf ]; then
- echo "Creating nginx configuration..."
- cat > nginx.conf << 'EOF'
-events {
- worker_connections 1024;
-}
-
-http {
- upstream registry_ui {
- server registry-ui:80;
- }
-
- upstream registry_api {
- server registry:5000;
- }
-
- server {
- listen 443 ssl;
- server_name YOUR_CI_CD_IP;
-
- ssl_certificate /etc/nginx/ssl/registry.crt;
- ssl_certificate_key /etc/nginx/ssl/registry.key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
-
- # Proxy registry API requests
- location /v2/ {
- proxy_pass http://registry_api;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- # Proxy registry UI requests
- location / {
- proxy_pass http://registry_ui;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
- }
-}
-EOF
-fi
-
-# Replace YOUR_CI_CD_IP with actual IP in nginx.conf
-sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_CI_CD_IP/g" nginx.conf
-
-# Start containers and check logs
-docker compose up -d
-
-# Wait a moment, then check logs
-sleep 5
-docker compose logs nginx
-docker compose logs registry
-
-# Exit SERVICE_USER shell
-exit
-```
-
-**Important**: Replace `YOUR_ACTUAL_CI_CD_IP` with your actual CI/CD Linode IP address in the command above.
-
 #### 4.7 Test Registry Setup
 ```bash
@@ -878,15 +732,22 @@ docker rmi localhost:8080/test:latest
 # Clean up test file
 rm /tmp/test.Dockerfile
-# Clean up test repository using registry UI
-# 1. Open your browser and go to: https://YOUR_CI_CD_IP:8080
-# 2. You should see the 'test' repository listed
-# 3. Click on the 'test' repository
-# 4. Click the delete button (trash icon) next to the 'latest' tag
-# 5. Confirm the deletion
-# 6. The test repository should now be removed
+# Get the manifest digest for the 'latest' tag
+curl -k -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+ https://localhost:8080/v2/test/manifests/latest
+
+# Copy the "config.digest" value from the output above (starts with "sha256:")
+# Then delete the tag using that digest:
+curl -k -X DELETE https://localhost:8080/v2/test/manifests/
+
+# Run garbage collection to remove orphaned blobs
+docker compose exec registry /bin/registry garbage-collect /etc/docker/registry/config.yml --delete-untagged
+
+# Remove the repository directory structure
+docker compose exec registry rm -rf /var/lib/registry/docker/registry/v2/repositories/test
 # Verify registry is empty
+echo "Verifying registry is now empty..."
 curl -k https://localhost:8080/v2/_catalog
 # Exit SERVICE_USER shell
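Review bot: The added comment `# Copy the "config.digest" value` points readers at the wrong digest: the registry's manifest DELETE endpoint takes the manifest's own digest, which the registry returns in the `Docker-Content-Digest` response header, while `config.digest` in the body identifies the image config blob. The `curl -k -X DELETE` line also ends at `/manifests/` with no digest or placeholder after it, so as printed it has nothing to delete. Suggest `curl -k -sI -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://localhost:8080/v2/test/manifests/latest` to read the header, then `curl -k -X DELETE https://localhost:8080/v2/test/manifests/<DIGEST_FROM_HEADER>`. Deletion must also be enabled in the registry's storage configuration, which this hunk does not show. The `rm -rf` step works directly on the registry's storage directory, so a comment saying it should run only after the DELETE and garbage collection have succeeded would help; the enclosing bash fence starts and ends outside the hunk.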