devteam/sharenet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improve docker registry + Caddy installation security

Browse source
This commit is contained in:
continuist 2025-08-15 19:12:04 -04:00
parent ed32d5aaaf
commit f13148d53e
4 changed files with 92 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

110
CI_CD_PIPELINE_SETUP_GUIDE.md
View file

@ -686,14 +686,25 @@ sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/Ca
sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/openssl.conf
sudo sed -i "s/YOUR_REGISTRY_NAME/APP_NAME-Registry/g" /opt/APP_NAME/registry/openssl.conf
# Create environment file for registry authentication
# Create FHS-compliant environment directory
sudo mkdir -p /etc/registry/env
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
sudo chmod 755 /etc/registry/env
# Create secure environment file for registry authentication
# First, create a secure password hash
# Save this password somewhere safe
REGISTRY_PASSWORD="your-secure-registry-password"
REGISTRY_PASSWORD_HASH=$(htpasswd -nbB registry-user "$REGISTRY_PASSWORD" | cut -d: -f2)
# Update Caddyfile with the actual password hash
sudo sed -i "s/DOCKER_REGISTRY_PASSWORD/$REGISTRY_PASSWORD_HASH/g" /opt/APP_NAME/registry/Caddyfile
# Create the .env file in FHS-compliant location
sudo tee /etc/registry/env/.env > /dev/null <<EOF
REGISTRY_PASSWORD_HASH=$REGISTRY_PASSWORD_HASH
EOF
# Set secure permissions on .env file (owner read/write only)
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env/.env
sudo chmod 600 /etc/registry/env/.env
# Set proper permissions for configuration files
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/Caddyfile
@ -704,7 +715,7 @@ sudo chmod 644 /opt/APP_NAME/registry/openssl.conf
sudo chmod 644 /opt/APP_NAME/registry/docker-compose.registry.yml
```
#### 5.3 Create FHS-Compliant Certificate Directory Structure
#### 5.3 Create FHS-Compliant Directory Structure
```bash
# Create FHS-compliant certificate directory structure
@ -713,8 +724,12 @@ sudo mkdir -p /etc/registry/certs/requests
sudo mkdir -p /etc/registry/certs/ca
sudo mkdir -p /var/lib/registry/data
# Set proper ownership for certificate directories
# Create FHS-compliant environment directory structure
sudo mkdir -p /etc/registry/env
# Set proper ownership for certificate and environment directories
sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/certs
sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry/data
# Set proper permissions for certificate directories
@ -724,6 +739,9 @@ sudo chmod 755 /etc/registry/certs/requests # Certificate requests
sudo chmod 755 /etc/registry/certs/ca # CA certificates
sudo chmod 755 /var/lib/registry/data # Registry data
# Set proper permissions for environment directory
sudo chmod 755 /etc/registry/env # Environment directory
# Create registry data directory symlink for docker-compose
sudo ln -sf /var/lib/registry/data /opt/APP_NAME/registry/registry
```
@ -783,6 +801,8 @@ sudo ln -sf /etc/registry/certs/private/registry.key /opt/APP_NAME/registry/cert
sudo chown -h CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/certs/registry.crt
sudo chown -h CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/certs/registry.key
# Note: .env file is accessed directly from /etc/registry/env/.env in docker-compose.registry.yml
# Verify certificate creation
sudo -u CI_SERVICE_USER openssl x509 -in registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
@ -876,30 +896,7 @@ echo "Automatic certificate renewal configured!"
echo "Certificates will be renewed automatically and the registry service will be restarted"
```
#### 5.7 Start Docker Registry with Docker Compose
```bash
# Switch to CI_SERVICE_USER
sudo su - CI_SERVICE_USER
# Navigate to the application directory
cd /opt/APP_NAME/registry
# Start the Docker Registry and Caddy services using the project's registry compose file
docker compose -f docker-compose.registry.yml up -d
# Verify services are running
docker compose -f docker-compose.registry.yml ps
# Check service logs for any issues
docker compose -f docker-compose.registry.yml logs caddy
docker compose -f docker-compose.registry.yml logs registry
# Exit CI_SERVICE_USER shell
exit
```
#### 5.8 Install Systemd Service for Docker Registry
#### 5.7 Set Up Systemd Service for Docker Registry
```bash
# Install systemd service from repository
@ -916,8 +913,27 @@ sudo systemctl daemon-reload
sudo systemctl enable docker-registry.service
sudo systemctl start docker-registry.service
# Monitor startup
sudo journalctl -u docker-registry.service -f
# Verify services are running
sudo systemctl status docker-registry.service
# Check service logs for any issues
sudo journalctl -u docker-registry.service -f --no-pager -n 50
```
#### 5.8 Verify Docker Registry Service
```bash
# Check that the service is running properly
sudo systemctl status docker-registry.service
# Check that containers are running
sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml ps"
# Check Caddy logs
sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml logs caddy"
# Check Registry logs
sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml logs registry"
```
#### 5.9 Test Registry Setup
@ -1375,6 +1391,7 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
- `docker-compose.registry.yml` - Docker Compose configuration from project repository
- `Caddyfile` - Caddy reverse proxy configuration from project repository
- `openssl.conf` - OpenSSL configuration for certificate generation from project repository
- `docker-registry.service` - Systemd service file for Docker Registry
- `certs/` - Symbolic links to FHS-compliant certificate locations
**System Files** (FHS-compliant locations):
@ -1384,12 +1401,17 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
- `/etc/registry/certs/ca/` - CA certificates (mode 644)
- `/etc/registry/certs/requests/` - Certificate requests and configs (mode 644)
- `/etc/registry/certs/registry.crt` - Server certificate (mode 644)
- `/etc/registry/env/` - Environment variables and secrets:
- `/etc/registry/env/.env` - Registry authentication secrets (mode 600)
- `/etc/systemd/system/docker-registry.service` - Systemd service configuration
- `/var/log/registry/` - Registry and Caddy logs
**Benefits of FHS Compliance**:
- **Data persistence**: Registry data stored in `/var/lib/registry/data/` survives container restarts
- **Certificate security**: Hierarchical certificate structure with proper permissions
- **Separation of concerns**: Private keys isolated from public certificates
- **Environment security**: Secrets stored in `/etc/registry/env/` with restrictive permissions (600)
- **Service management**: Systemd service for proper startup, shutdown, and monitoring
- **Separation of concerns**: Private keys isolated from public certificates, secrets isolated from configs
- **Log management**: Logs in `/var/log/registry/` for centralized logging
- **Configuration separation**: App configs in app directory, system data in system directories
```
@ -2376,6 +2398,30 @@ You have successfully set up a complete CI/CD pipeline with:
Your application is now ready for continuous deployment with proper security, monitoring, and maintenance procedures in place!
### Cleanup Installation Files
After successful setup, you can clean up the installation files to remove sensitive information:
```bash
# Remove installation files (optional - for security)
sudo rm -rf /opt/APP_NAME/registry/openssl.conf
sudo rm -rf /opt/APP_NAME/registry/certs/requests/openssl.conf
# Note: DO NOT remove these files as they are needed for operation:
# - /opt/APP_NAME/registry/docker-compose.registry.yml
# - /opt/APP_NAME/registry/Caddyfile
# - /opt/APP_NAME/registry/docker-registry.service
# - /opt/APP_NAME/registry/certs/ (symlinks to FHS locations)
# - /etc/registry/env/.env (contains the actual secrets)
# - /etc/systemd/system/docker-registry.service
```
**Security Note**: The `.env` file in `/etc/registry/env/.env` contains sensitive authentication data and should be:
- **Backed up securely** if needed for disaster recovery
- **Never committed to version control**
- **Protected with proper permissions** (600 - owner read/write only)
- **Rotated regularly** by updating the password and regenerating the hash
### Step 8.6 CI/CD Workflow Summary Table
| Stage | What Runs | How/Where |

4
registry/Caddyfile
View file

@ -6,7 +6,7 @@
# require auth on writes
@writes method PUT POST PATCH DELETE
basic_auth @writes {
registry-user DOCKER_REGISTRY_PASSWORD
registry-user {env.REGISTRY_PASSWORD_HASH}
}
# also require auth on the /v2/ ping so Docker sends creds
@ -15,7 +15,7 @@
method GET
}
basic_auth @v2ping {
registry-user DOCKER_REGISTRY_PASSWORD
registry-user {env.REGISTRY_PASSWORD_HASH}
}
reverse_proxy /v2/* registry:5000

2
registry/docker-compose.registry.yml
View file

@ -27,3 +27,5 @@ services:
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- ./certs:/etc/certs:ro
env_file:
- /etc/registry/env/.env

12
registry/docker-registry.service
View file

@ -1,5 +1,5 @@
[Unit]
Description=Docker Registry with Caddy
Description=Docker Registry with Caddy Reverse Proxy
After=docker.service
Requires=docker.service
@ -11,7 +11,15 @@ Group=CI_SERVICE_USER
WorkingDirectory=/opt/APP_NAME/registry
ExecStart=/usr/bin/docker compose -f docker-compose.registry.yml up -d
ExecStop=/usr/bin/docker compose -f docker-compose.registry.yml down
ExecReload=/usr/bin/docker compose -f docker-compose.registry.yml down && /usr/bin/docker compose -f docker-compose.registry.yml up -d
ExecReload=/usr/bin/docker compose -f docker-compose.registry.yml restart
TimeoutStartSec=0
# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/APP_NAME/registry /etc/registry /var/lib/registry /var/log/registry
[Install]
WantedBy=multi-user.target