diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index f03a353..97591a0 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -724,9 +724,6 @@ sudo mkdir -p /etc/registry/certs/requests
 sudo mkdir -p /etc/registry/certs/ca
 sudo mkdir -p /var/lib/registry/data
-# Create FHS-compliant environment directory structure
-sudo mkdir -p /etc/registry/env
-
 # Set proper ownership for certificate and environment directories
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/certs
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
@@ -739,9 +736,6 @@ sudo chmod 755 /etc/registry/certs/requests # Certificate requests
 sudo chmod 755 /etc/registry/certs/ca # CA certificates
 sudo chmod 755 /var/lib/registry/data # Registry data
-# Set proper permissions for environment directory
-sudo chmod 755 /etc/registry/env # Environment directory
-
 # Create registry data directory symlink for docker-compose
 sudo ln -sf /var/lib/registry/data /opt/APP_NAME/registry/registry
 ```
@@ -767,7 +761,7 @@ sudo -u CI_SERVICE_USER openssl genrsa -out private/ca.key 4096
 sudo -u CI_SERVICE_USER openssl req -new -x509 -key private/ca.key \
 -out ca/ca.crt \
 -days 365 \
- -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=APP_NAME-Registry-CA"
+ -subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-Registry-CA"
 # Generate server private key in private subdirectory
 sudo -u CI_SERVICE_USER openssl genrsa -out private/registry.key 4096
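Review bot: The first hunk removes `sudo mkdir -p /etc/registry/env` but keeps `sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env` three lines later, and the guide still names `/etc/registry/env/.env` as the file that "contains the actual secrets"; unless the directory is now created earlier in the guide (not visible here), that chown fails on a fresh host. The second hunk also drops `chmod 755 /etc/registry/env`, so after this change nothing in the diff sets the mode of the directory holding the registry secrets. If the creation has moved elsewhere, I would still keep a single hardening line next to the retained chown, `sudo install -d -m 700 -o CI_SERVICE_USER -g CI_SERVICE_USER /etc/registry/env`, which creates the directory if missing and makes it owner-only rather than the world-listable 755 the old text used. The surrounding shell block starts before the hunk.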
@@ -794,13 +788,6 @@ sudo chmod 600 private/ca.key private/registry.key # Private keys - owner rea
 sudo chmod 644 ca/ca.crt registry.crt # Certificates - world readable
 sudo chmod 644 requests/registry.csr requests/openssl.conf # Requests - world readable
-# Create certificate symlinks for Caddy (in certs subdirectory for docker-compose)
-sudo mkdir -p /opt/APP_NAME/registry/certs
-sudo ln -sf /etc/registry/certs/registry.crt /opt/APP_NAME/registry/certs/registry.crt
-sudo ln -sf /etc/registry/certs/private/registry.key /opt/APP_NAME/registry/certs/registry.key
-sudo chown -h CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/certs/registry.crt
-sudo chown -h CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/certs/registry.key
-
 # Verify certificate creation
 sudo -u CI_SERVICE_USER openssl x509 -in registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
@@ -1385,7 +1372,6 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
 - `Caddyfile` - Caddy reverse proxy configuration from project repository
 - `openssl.conf` - OpenSSL configuration for certificate generation from project repository
 - `docker-registry.service` - Systemd service file for Docker Registry
-- `certs/` - Symbolic links to FHS-compliant certificate locations
 **System Files** (FHS-compliant locations):
 - `/var/lib/registry/data/` - Registry data storage
@@ -2404,7 +2390,6 @@ sudo rm -rf /opt/APP_NAME/registry/certs/requests/openssl.conf
 # - /opt/APP_NAME/registry/docker-compose.registry.yml
 # - /opt/APP_NAME/registry/Caddyfile
 # - /opt/APP_NAME/registry/docker-registry.service
-# - /opt/APP_NAME/registry/certs/ (symlinks to FHS locations)
 # - /etc/registry/env/.env (contains the actual secrets)
 # - /etc/systemd/system/docker-registry.service
 ```
diff --git a/registry/Caddyfile b/registry/Caddyfile
index 79f38d9..4a762bc 100644
--- a/registry/Caddyfile
+++ b/registry/Caddyfile
@@ -1,6 +1,6 @@
 # Auth-required pushes on 4443
 :4443 {
- tls /etc/certs/registry.crt /etc/certs/registry.key
+ tls /etc/registry/certs/registry.crt /etc/registry/certs/private/registry.key
 log
 # require auth on writes
diff --git a/registry/docker-compose.registry.yml b/registry/docker-compose.registry.yml
index 32605a1..aae20c9 100644
--- a/registry/docker-compose.registry.yml
+++ b/registry/docker-compose.registry.yml
@@ -26,6 +26,6 @@ services:
 # deliberately no "80:80" – no HTTP
 volumes:
 - ./Caddyfile:/etc/caddy/Caddyfile:ro
-- ./certs:/etc/certs:ro
+- /etc/registry/certs:/etc/registry/certs:ro
 env_file:
 - /etc/registry/env/.env
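Review bot: The new `tls` line reads `/etc/registry/certs/private/registry.key`, which the setup guide in the same commit leaves at mode 600 owned by CI_SERVICE_USER; inside the container that file is readable only if Caddy runs as root or as that UID, and nothing in this diff pins the container user, so a non-root Caddy would fail to load the certificate at startup. Unless the image's user is fixed elsewhere (not visible here), I would record the dependency right above the directive, e.g. `# registry.key is 0600/CI_SERVICE_USER on the host; the container must run as root or as that UID`, or set `user:` on the compose service so the assumption is enforced rather than implied. The `:4443` site block continues past the end of the hunk.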
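Review bot: The replacement bind mount `/etc/registry/certs:/etc/registry/certs:ro` exposes the whole certificate tree to the Caddy container, including `private/ca.key` and `private/registry.key`, whereas the old `./certs` directory (per the removed guide lines) held symlinks to only the server certificate and key. The CA private key is needed solely by the host-side signing step in the guide, so the proxy container should not be able to read it; mount just the two files the Caddyfile's `tls` directive references: `- /etc/registry/certs/registry.crt:/etc/registry/certs/registry.crt:ro` and `- /etc/registry/certs/private/registry.key:/etc/registry/certs/private/registry.key:ro`. That keeps the read-only mount but restores the least-privilege boundary the symlink layout gave. The `services:` block starts before the hunk.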