Merge pull request #99 from sshipway/master

Updates for Janitor and Registry templates

templates/janitor/2/docker-compose.yml

@@ -0,0 +1,18 @@
+cleanup:
+  image: meltwater/docker-cleanup:1.6.0
+  environment:
+    CLEAN_PERIOD: ${FREQUENCY}
+    DELAY_TIME: "900"
+    KEEP_IMAGES: "${KEEP}"
+    KEEP_CONTAINERS: "${KEEPC}"
+    LOOP: "true"
+    DEBUG: "0"
+  labels:
+     io.rancher.scheduler.global: "true"
+     io.rancher.scheduler.affinity:host_label_ne: "${EXCLUDE_LABEL}"
+  privileged: true
+  tty: false
+  stdin_open: false
+  volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+    - /var/lib/docker:/var/lib/docker

templates/janitor/2/rancher-compose.yml

@@ -0,0 +1,31 @@
+.catalog:
+  name: "Janitor"
+  version: "v1.6"
+  description: "Docker cleanup"
+  uuid: janitor-2
+  questions: 
+    - variable: "FREQUENCY"
+      label: "Frequency"
+      description: "Run the cleanup on a cycle of this many seconds"
+      default: 3600
+      required: true
+      type: "int"
+    - variable: "EXCLUDE_LABEL"
+      label: "Exclude label"
+      description: "Specify a Rancher host label here that will be used to determine on which hosts the Janitor container should not deploy."
+      default: janitor.exclude=true
+      required: true
+      type: "string"
+    - variable: "KEEP"
+      label: "Keep images"
+      description: "A comma separated list of images that should never be removed. These are left-anchored Bash Shell Wildcard patterns."
+      default: "rancher/"
+      required: false
+      type: "string"
+    - variable: "KEEPC"
+      label: "Keep containers"
+      description: "A comma separated list of images that should never have stopped containers removed. These are left-anchored Bash Shell Wildcard patterns."
+      default: "*:*"
+      required: false
+      type: "string"
+

templates/janitor/README.md

@@ -11,10 +11,13 @@ This will run a task daily (by default) that will delete any unused
 image, and any orphaned volume.  The rancher container images are excluded
 from the list of images to clean up, and you can add your own containers to
 the exclude list if you wish.  It will also remove any stopped containers
-that are taking up space.
+that are taking up space; note that this may not be what you want if you
+are using stopped containers to hold volumes!  If this is the case, use the
+Keep List below.
 
-This will halp to prevent the /var/lib/docker filesystem from filling up
-with old and unused container images.
+This cleanup will help to prevent the /var/lib/docker filesystem from filling 
+up with old and unused container images, which is an issue on lighter-weight
+Docker hosts.
 
 ### Keep list
 
@@ -31,7 +34,7 @@ patterns.  For example, an image called **foo/bar:latest** will match:
 * \*:\*
 * fo
 
-However it will notmatch
+However it will not match
 
 * foo/baz
 * bar:latest

templates/janitor/config.yml

@@ -1,7 +1,7 @@
 name: Janitor
 description: |
   Automatic cleanup of unused images on hosts, in order to save disk space.
-version: v1.5.2
+version: v1.6
 category: Monitoring
 maintainer: Steve Shipway <s.shipway@auckland.ac.nz>
 

templates/registry/1/docker-compose.yml

@@ -0,0 +1,100 @@
+db:
+  image: mysql:5.7.10
+  environment:
+    MYSQL_DATABASE: portus
+    MYSQL_ROOT_PASSWORD: ${ROOTPASSWORD}
+    MYSQL_USER: portus
+    MYSQL_PASSWORD: ${DBPASSWORD}
+  tty: true
+  stdin_open: true
+  volumes:
+  - ${DIR}/db:/var/lib/mysql
+sslproxy:
+  image: nginx:1.9.9
+  tty: true
+  stdin_open: true
+  links:
+  - portus:portus
+  volumes:
+  - ${DIR}/certs:/etc/nginx/certs:ro
+  - ${DIR}/proxy:/etc/nginx/conf.d:ro
+registry:
+  image: registry:2.3.1
+  environment:
+    REGISTRY_LOG_LEVEL: warn
+    REGISTRY_STORAGE_DELETE_ENABLED: true
+    REGISTRY_AUTH: token
+    REGISTRY_AUTH_TOKEN_REALM: https://${DOMAIN}:${PPORT}/v2/token
+    REGISTRY_AUTH_TOKEN_SERVICE: ${DOMAIN}:${RPORT}
+    REGISTRY_AUTH_TOKEN_ISSUER: ${DOMAIN}
+    REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/registry.crt
+    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
+    REGISTRY_HTTP_TLS_KEY: /certs/registry.key
+    REGISTRY_HTTP_SECRET: httpsecret
+    REGISTRY_NOTIFICATIONS_ENDPOINTS: >
+      - name: portus
+        url: http://portus:3000/v2/webhooks/events
+        timeout: 500
+        threshold: 5
+        backoff: 1
+  tty: true
+  stdin_open: true
+  links:
+  - portus:portus
+  volumes:
+  - ${DIR}/certs:/certs
+  - ${DIR}/data:/var/lib/registry
+lb:
+  image: rancher/load-balancer-service
+  tty: true
+  stdin_open: true
+  ports:
+  - ${RPORT}:5000/tcp
+  - ${PPORT}:443/tcp
+  labels:
+    io.rancher.loadbalancer.target.sslproxy: ${PPORT}=443
+    io.rancher.loadbalancer.target.registry: ${RPORT}=5000
+    io.rancher.scheduler.global: 'true'
+    io.rancher.scheduler.affinity:not_host_label: lb=0
+  links:
+  - registry:registry
+  - sslproxy:sslproxy
+portus:
+  image: sshipway/portus:2.0.4
+  environment: 
+    PORTUS_MACHINE_FQDN: ${DOMAIN}
+    PORTUS_PRODUCTION_HOST: db
+    PORTUS_PRODUCTION_DATABASE: portus
+    PORTUS_PRODUCTION_USERNAME: portus
+    PORTUS_PRODUCTION_PASSWORD: ${DBPASSWORD}
+    PORTUS_GRAVATAR_ENABLED: true
+    PORTUS_KEY_PATH: /certs/registry.key
+    PORTUS_PASSWORD: ${DBPASSWORD}
+    PORTUS_SECRET_KEY_BASE: ${ROOTPASSWORD}
+    PORTUS_CHECK_SSL_USAGE_ENABLED: true
+    PORTUS_SMTP_ENABLED: false
+    PORTUS_LDAP_ENABLED: ${LDAP}
+    PORTUS_LDAP_HOSTNAME: ${LDAPHOST}
+    PORTUS_LDAP_PORT: ${LDAPPORT}
+    PORTUS_LDAP_METHOD: ${LDAPTLS}
+    PORTUS_LDAP_BASE: ${LDAPBASE}
+    PORTUS_LDAP_UID: cn
+    PORTUS_LDAP_AUTHENTICATION_ENABLED: ${LDAPBIND}
+    PORTUS_LDAP_AUTHENTICATION_BIND_DN: ${LDAPBINDDN}
+    PORTUS_LDAP_AUTHENTICATION_PASSWORD: ${LDAPBINDPASS}
+    PORTUS_LDAP_GUESS_EMAIL_ENABLED: true
+    PORTUS_LDAP_GUESS_EMAIL_ATTR: mail
+    PORTUS_PORT: ${PPORT}
+    REGISTRY_SSL_ENABLED: true
+    REGISTRY_HOSTNAME: ${DOMAIN}
+    REGISTRY_PORT: ${RPORT}
+    REGISTRY_NAME: Registry
+  tty: true
+  stdin_open: true
+  volumes:
+  - ${DIR}/certs:/certs
+  - ${DIR}/proxy:/etc/nginx/conf.d
+  links:
+  - db:db
+  labels:
+    io.rancher.container.pull_image: always

templates/registry/1/rancher-compose.yml

@@ -0,0 +1,109 @@
+.catalog:
+  name: "Registry"
+  version: "v2.3.1-3.0"
+  description: "Docker Registry"
+  uuid: registry-3
+  questions: 
+    - variable: "RPORT"
+      label: "Registry Port"
+      description: "Port on which to run the registry service"
+      default: 5000
+      required: true
+      type: "int"
+    - variable: "PPORT"
+      label: "Admin Port"
+      description: "Port on which to run the SSL Portus administration service and API"
+      default: 443
+      required: true
+      type: "int"
+    - variable: "DBPASSWORD"
+      label: "DB Password"
+      description: "Password for Portus database access, must be 8 characters or longer"
+      required: true
+      default: password
+      type: "password"
+    - variable: "ROOTPASSWORD"
+      label: "DB Root Password"
+      description: "Root Password for MySQL database, must be 8 characters or longer.  This is not normally used."
+      required: true
+      default: password
+      type: "password"
+    - variable: "DIR"
+      label: "Storage directory"
+      description: "Path of shared storage to use for registry, database, and certificates.  This should be available on all hosts"
+      required: true
+      type: "string"
+    - variable: "DOMAIN"
+      label: "FQDN"
+      description: "FQDN of server.  This should be the CN in the certificates and will be the URL to contact the Registry and Web interface"
+      required: true
+      type: "string"
+    - variable: "LDAP"
+      label: "LDAP Enabled"
+      description: "Enable LDAP authentication"
+      required: true
+      default: false
+      type: "boolean"
+    - variable: "LDAPHOST"
+      label: "LDAP Server"
+      description: "The FQDN of the LDAP server (if LDAP authentication is being used)"
+      required: false
+      default: "ldap.company.com"
+      type: "string"
+    - variable: "LDAPPORT"
+      label: "LDAP Server port"
+      description: "The port number on the LDAP server (if LDAP authentication is being used)"
+      required: false
+      default: 389
+      type: "int"
+    - variable: "LDAPTLS"
+      label: "LDAP TLS"
+      description: "The TLS option for the LDAP server (if LDAP authentication is being used)"
+      required: false
+      default: "starttls"
+      type: "enum"
+      options:
+        - starttls
+        - simple_tls
+        - plain
+    - variable: "LDAPBASE"
+      label: "LDAP Base DN"
+      description: "The Base DN for User lookups on the LDAP server (if LDAP authentication is being used)"
+      required: false
+      default: "ou=People,dc=company,dc=com"
+      type: "string"
+    - variable: "LDAPBIND"
+      label: "LDAP Bind enabled"
+      description: "Should an authenticated Bind be used to access LDAP (if LDAP authentication is being used)"
+      required: false
+      default: false
+      type: "boolean"
+    - variable: "LDAPBINDDN"
+      label: "LDAP Bind DN"
+      description: "The DN to use for binding to the LDAP server (if LDAP authentication is being used with Bind enabled)"
+      required: false
+      default: "ou=portus,dc=company,dc=com"
+      type: "string"
+    - variable: "LDAPBINDPASS"
+      label: "LDAP Bind Password"
+      description: "The password to use for binding to the LDAP server (if LDAP authentication is being used with Bind enabled)"
+      required: false
+      default: "password"
+      type: "password"
+db:
+  scale: 1
+sslproxy:
+  scale: 1
+lb:
+  load_balancer_config:
+    haproxy_config: {}
+  health_check:
+    port: 42
+    interval: 2000
+    unhealthy_threshold: 3
+    healthy_threshold: 2
+    response_timeout: 2000
+registry:
+  scale: 1
+portus:
+  scale: 1

templates/registry/config.yml

@@ -1,7 +1,7 @@
 name: Registry
 description: |
   Secure Docker registry.  Web based administration.  Optional LDAP authentication.
-version: v2.1.0-2.0
+version: v2.3.1-3.0
 category: Applications
 maintainer: Steve Shipway <s.shipway@auckland.ac.nz>