|
|
|
|
@ -686,14 +686,25 @@ sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/Ca
|
|
|
|
|
sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/openssl.conf
|
|
|
|
|
sudo sed -i "s/YOUR_REGISTRY_NAME/APP_NAME-Registry/g" /opt/APP_NAME/registry/openssl.conf
|
|
|
|
|
|
|
|
|
|
# Create environment file for registry authentication
|
|
|
|
|
# Create FHS-compliant environment directory
|
|
|
|
|
sudo mkdir -p /etc/registry/env
|
|
|
|
|
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
|
|
|
|
|
sudo chmod 755 /etc/registry/env
|
|
|
|
|
|
|
|
|
|
# Create secure environment file for registry authentication
|
|
|
|
|
# First, create a secure password hash
|
|
|
|
|
# Save this password somewhere safe
|
|
|
|
|
REGISTRY_PASSWORD="your-secure-registry-password"
|
|
|
|
|
REGISTRY_PASSWORD_HASH=$(htpasswd -nbB registry-user "$REGISTRY_PASSWORD" | cut -d: -f2)
|
|
|
|
|
|
|
|
|
|
# Update Caddyfile with the actual password hash
|
|
|
|
|
sudo sed -i "s/DOCKER_REGISTRY_PASSWORD/$REGISTRY_PASSWORD_HASH/g" /opt/APP_NAME/registry/Caddyfile
|
|
|
|
|
# Create the .env file in FHS-compliant location
|
|
|
|
|
sudo tee /etc/registry/env/.env > /dev/null <<EOF
|
|
|
|
|
REGISTRY_PASSWORD_HASH=$REGISTRY_PASSWORD_HASH
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
# Set secure permissions on .env file (owner read/write only)
|
|
|
|
|
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env/.env
|
|
|
|
|
sudo chmod 600 /etc/registry/env/.env
|
|
|
|
|
|
|
|
|
|
# Set proper permissions for configuration files
|
|
|
|
|
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/Caddyfile
|
|
|
|
|
@ -704,7 +715,7 @@ sudo chmod 644 /opt/APP_NAME/registry/openssl.conf
|
|
|
|
|
sudo chmod 644 /opt/APP_NAME/registry/docker-compose.registry.yml
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### 5.3 Create FHS-Compliant Certificate Directory Structure
|
|
|
|
|
#### 5.3 Create FHS-Compliant Directory Structure
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Create FHS-compliant certificate directory structure
|
|
|
|
|
@ -713,8 +724,12 @@ sudo mkdir -p /etc/registry/certs/requests
|
|
|
|
|
sudo mkdir -p /etc/registry/certs/ca
|
|
|
|
|
sudo mkdir -p /var/lib/registry/data
|
|
|
|
|
|
|
|
|
|
# Set proper ownership for certificate directories
|
|
|
|
|
# Create FHS-compliant environment directory structure
|
|
|
|
|
sudo mkdir -p /etc/registry/env
|
|
|
|
|
|
|
|
|
|
# Set proper ownership for certificate and environment directories
|
|
|
|
|
sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/certs
|
|
|
|
|
sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
|
|
|
|
|
sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry/data
|
|
|
|
|
|
|
|
|
|
# Set proper permissions for certificate directories
|
|
|
|
|
@ -724,6 +739,9 @@ sudo chmod 755 /etc/registry/certs/requests # Certificate requests
|
|
|
|
|
sudo chmod 755 /etc/registry/certs/ca # CA certificates
|
|
|
|
|
sudo chmod 755 /var/lib/registry/data # Registry data
|
|
|
|
|
|
|
|
|
|
# Set proper permissions for environment directory
|
|
|
|
|
sudo chmod 755 /etc/registry/env # Environment directory
|
|
|
|
|
|
|
|
|
|
# Create registry data directory symlink for docker-compose
|
|
|
|
|
sudo ln -sf /var/lib/registry/data /opt/APP_NAME/registry/registry
|
|
|
|
|
```
|
|
|
|
|
@ -876,30 +894,7 @@ echo "Automatic certificate renewal configured!"
|
|
|
|
|
echo "Certificates will be renewed automatically and the registry service will be restarted"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### 5.7 Start Docker Registry with Docker Compose
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Switch to CI_SERVICE_USER
|
|
|
|
|
sudo su - CI_SERVICE_USER
|
|
|
|
|
|
|
|
|
|
# Navigate to the application directory
|
|
|
|
|
cd /opt/APP_NAME/registry
|
|
|
|
|
|
|
|
|
|
# Start the Docker Registry and Caddy services using the project's registry compose file
|
|
|
|
|
docker compose -f docker-compose.registry.yml up -d
|
|
|
|
|
|
|
|
|
|
# Verify services are running
|
|
|
|
|
docker compose -f docker-compose.registry.yml ps
|
|
|
|
|
|
|
|
|
|
# Check service logs for any issues
|
|
|
|
|
docker compose -f docker-compose.registry.yml logs caddy
|
|
|
|
|
docker compose -f docker-compose.registry.yml logs registry
|
|
|
|
|
|
|
|
|
|
# Exit CI_SERVICE_USER shell
|
|
|
|
|
exit
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### 5.8 Install Systemd Service for Docker Registry
|
|
|
|
|
#### 5.7 Set Up Systemd Service for Docker Registry
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Install systemd service from repository
|
|
|
|
|
@ -916,8 +911,27 @@ sudo systemctl daemon-reload
|
|
|
|
|
sudo systemctl enable docker-registry.service
|
|
|
|
|
sudo systemctl start docker-registry.service
|
|
|
|
|
|
|
|
|
|
# Monitor startup
|
|
|
|
|
sudo journalctl -u docker-registry.service -f
|
|
|
|
|
# Verify services are running
|
|
|
|
|
sudo systemctl status docker-registry.service
|
|
|
|
|
|
|
|
|
|
# Check service logs for any issues
|
|
|
|
|
sudo journalctl -u docker-registry.service -f --no-pager -n 50
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### 5.8 Verify Docker Registry Service
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Check that the service is running properly
|
|
|
|
|
sudo systemctl status docker-registry.service
|
|
|
|
|
|
|
|
|
|
# Check that containers are running
|
|
|
|
|
sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml ps"
|
|
|
|
|
|
|
|
|
|
# Check Caddy logs
|
|
|
|
|
sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml logs caddy"
|
|
|
|
|
|
|
|
|
|
# Check Registry logs
|
|
|
|
|
sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml logs registry"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### 5.9 Test Registry Setup
|
|
|
|
|
@ -1375,6 +1389,7 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
|
|
|
|
|
- `docker-compose.registry.yml` - Docker Compose configuration from project repository
|
|
|
|
|
- `Caddyfile` - Caddy reverse proxy configuration from project repository
|
|
|
|
|
- `openssl.conf` - OpenSSL configuration for certificate generation from project repository
|
|
|
|
|
- `docker-registry.service` - Systemd service file for Docker Registry
|
|
|
|
|
- `certs/` - Symbolic links to FHS-compliant certificate locations
|
|
|
|
|
|
|
|
|
|
**System Files** (FHS-compliant locations):
|
|
|
|
|
@ -1384,12 +1399,17 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
|
|
|
|
|
- `/etc/registry/certs/ca/` - CA certificates (mode 644)
|
|
|
|
|
- `/etc/registry/certs/requests/` - Certificate requests and configs (mode 644)
|
|
|
|
|
- `/etc/registry/certs/registry.crt` - Server certificate (mode 644)
|
|
|
|
|
- `/etc/registry/env/` - Environment variables and secrets:
|
|
|
|
|
- `/etc/registry/env/.env` - Registry authentication secrets (mode 600)
|
|
|
|
|
- `/etc/systemd/system/docker-registry.service` - Systemd service configuration
|
|
|
|
|
- `/var/log/registry/` - Registry and Caddy logs
|
|
|
|
|
|
|
|
|
|
**Benefits of FHS Compliance**:
|
|
|
|
|
- **Data persistence**: Registry data stored in `/var/lib/registry/data/` survives container restarts
|
|
|
|
|
- **Certificate security**: Hierarchical certificate structure with proper permissions
|
|
|
|
|
- **Separation of concerns**: Private keys isolated from public certificates
|
|
|
|
|
- **Environment security**: Secrets stored in `/etc/registry/env/` with restrictive permissions (600)
|
|
|
|
|
- **Service management**: Systemd service for proper startup, shutdown, and monitoring
|
|
|
|
|
- **Separation of concerns**: Private keys isolated from public certificates, secrets isolated from configs
|
|
|
|
|
- **Log management**: Logs in `/var/log/registry/` for centralized logging
|
|
|
|
|
- **Configuration separation**: App configs in app directory, system data in system directories
|
|
|
|
|
```
|
|
|
|
|
@ -2376,6 +2396,30 @@ You have successfully set up a complete CI/CD pipeline with:
|
|
|
|
|
|
|
|
|
|
Your application is now ready for continuous deployment with proper security, monitoring, and maintenance procedures in place!
|
|
|
|
|
|
|
|
|
|
### Cleanup Installation Files
|
|
|
|
|
|
|
|
|
|
After successful setup, you can clean up the installation files to remove sensitive information:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Remove installation files (optional - for security)
|
|
|
|
|
sudo rm -rf /opt/APP_NAME/registry/openssl.conf
|
|
|
|
|
sudo rm -rf /opt/APP_NAME/registry/certs/requests/openssl.conf
|
|
|
|
|
|
|
|
|
|
# Note: DO NOT remove these files as they are needed for operation:
|
|
|
|
|
# - /opt/APP_NAME/registry/docker-compose.registry.yml
|
|
|
|
|
# - /opt/APP_NAME/registry/Caddyfile
|
|
|
|
|
# - /opt/APP_NAME/registry/docker-registry.service
|
|
|
|
|
# - /opt/APP_NAME/registry/certs/ (symlinks to FHS locations)
|
|
|
|
|
# - /etc/registry/env/.env (contains the actual secrets)
|
|
|
|
|
# - /etc/systemd/system/docker-registry.service
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
**Security Note**: The `.env` file in `/etc/registry/env/.env` contains sensitive authentication data and should be:
|
|
|
|
|
- **Backed up securely** if needed for disaster recovery
|
|
|
|
|
- **Never committed to version control**
|
|
|
|
|
- **Protected with proper permissions** (600 - owner read/write only)
|
|
|
|
|
- **Rotated regularly** by updating the password and regenerating the hash
|
|
|
|
|
|
|
|
|
|
### Step 8.6 CI/CD Workflow Summary Table
|
|
|
|
|
|
|
|
|
|
| Stage | What Runs | How/Where |
|
|
|
|
|
|
