From 5d12e5ebddcb29529cb4a025364362e8f2141493 Mon Sep 17 00:00:00 2001
From: sshipway
Date: Tue, 29 Mar 2016 21:21:13 +0000
Subject: [PATCH 1/5] Add updated Janitor template using official meltwater/docker-cleanup container image rather than the temporary patched version Some fixes to the README documentation to help clarify behaviour and fix typos.
---
 templates/janitor/2/docker-compose.yml | 18 ++++++++++++++
 templates/janitor/2/rancher-compose.yml | 31 +++++++++++++++++++++++++
 templates/janitor/README.md | 11 +++++----
 templates/janitor/config.yml | 2 +-
 4 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 templates/janitor/2/docker-compose.yml
 create mode 100644 templates/janitor/2/rancher-compose.yml
diff --git a/templates/janitor/2/docker-compose.yml b/templates/janitor/2/docker-compose.yml
new file mode 100644
index 0000000..c74c927
--- /dev/null
+++ b/templates/janitor/2/docker-compose.yml
@@ -0,0 +1,18 @@
+cleanup:
+ image: meltwater/docker-cleanup:1.6.0
+ environment:
+ CLEAN_PERIOD: ${FREQUENCY}
+ DELAY_TIME: "900"
+ KEEP_IMAGES: "${KEEP}"
+ KEEP_CONTAINERS: "${KEEPC}"
+ LOOP: "true"
+ DEBUG: "0"
+ labels:
+ io.rancher.scheduler.global: "true"
+ io.rancher.scheduler.affinity:host_label_ne: "${EXCLUDE_LABEL}"
+ privileged: true
+ tty: false
+ stdin_open: false
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /var/lib/docker:/var/lib/docker
diff --git a/templates/janitor/2/rancher-compose.yml b/templates/janitor/2/rancher-compose.yml
new file mode 100644
index 0000000..81b347d
--- /dev/null
+++ b/templates/janitor/2/rancher-compose.yml
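Review bot: `privileged: true` together with the mounted Docker socket and a read-write `/var/lib/docker`, on a service that `io.rancher.scheduler.global: "true"` places on every host, means any compromise of the cleanup image or its environment is unrestricted root on every Docker host in the environment. The socket and the volume directory are presumably what docker-cleanup needs to enumerate and delete resources; if the image already runs as root inside the container, `privileged` adds capabilities it does not use and should be dropped (`privileged: false`) after a check on a test host. The image is pinned only by the mutable tag `meltwater/docker-cleanup:1.6.0`; for a container with this level of access, pinning by content digest (`image: meltwater/docker-cleanup@sha256:<digest>`) prevents a re-pushed tag from silently changing what runs as root fleet-wide.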
@@ -0,0 +1,31 @@
+.catalog:
+ name: "Janitor"
+ version: "v1.6"
+ description: "Docker cleanup"
+ uuid: janitor-2
+ questions:
+ - variable: "FREQUENCY"
+ label: "Frequency"
+ description: "Run the cleanup on a cycle of this many seconds"
+ default: 3600
+ required: true
+ type: "int"
+ - variable: "EXCLUDE_LABEL"
+ label: "Exclude label"
+ description: "Specify a Rancher host label here that will be used to determine on which hosts the Janitor container should not deploy."
+ default: janitor.exclude=true
+ required: true
+ type: "string"
+ - variable: "KEEP"
+ label: "Keep images"
+ description: "A comma separated list of images that should never be removed. These are left-anchored Bash Shell Wildcard patterns."
+ default: "rancher/"
+ required: false
+ type: "string"
+ - variable: "KEEPC"
+ label: "Keep containers"
+ description: "A comma separated list of images that should never have stopped containers removed. These are left-anchored Bash Shell Wildcard patterns."
+ default: "*:*"
+ required: false
+ type: "string"
+
diff --git a/templates/janitor/README.md b/templates/janitor/README.md
index 08f78f3..68f08d5
--- a/templates/janitor/README.md
+++ b/templates/janitor/README.md
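Review bot: The `KEEPC` default `"*:*"` appears to protect the stopped containers of every tagged image — the README in this same patch says `foo/bar:latest` matches `*:*` — so a stack deployed with defaults will not remove stopped containers at all, while the README says it will; the description should say so rather than leave the operator to discover it from disk usage. Suggested wording: `description: "A comma separated list of images whose stopped containers should never be removed (left-anchored Bash Shell Wildcard patterns). The default \"*:*\" matches every tagged image, so no stopped containers are removed until you narrow or clear it."`. Confirm the matching behaviour against docker-cleanup 1.6.0 before changing the text.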
@@ -11,10 +11,13 @@ This will run a task daily (by default) that will delete any unused image, and any orphaned volume. The rancher container images are excluded from the list of images to clean up, and you can add your own containers to the exclude list if you wish. It will also remove any stopped containers
-that are taking up space.
+that are taking up space; note that this may not be what you want if you
+are using stopped containers to hold volumes! If this is the case, use the
+Keep List below.
-This will halp to prevent the /var/lib/docker filesystem from filling up
-with old and unused container images.
+This cleanup will help to prevent the /var/lib/docker filesystem from filling
+up with old and unused container images, which is an issue on lighter-weight
+Docker hosts.
 ### Keep list
@@ -31,7 +34,7 @@ patterns. For example, an image called **foo/bar:latest** will match: * \*:\* * fo
-However it will notmatch
+However it will not match
 * foo/baz * bar:latest
diff --git a/templates/janitor/config.yml b/templates/janitor/config.yml
index ec38060..e0241f0
--- a/templates/janitor/config.yml
+++ b/templates/janitor/config.yml
@@ -1,7 +1,7 @@ name: Janitor description: | Automatic cleanup of unused images on hosts, in order to save disk space.
-version: v1.5.2
+version: v1.6
 category: Monitoring maintainer: Steve Shipway
From 2e53bb1fd48639f91d21d1ee5908421834224ac7 Mon Sep 17 00:00:00 2001
From: sshipway
Date: Mon, 4 Apr 2016 03:16:21 +0000
Subject: [PATCH 2/5] Updated template for Registry using new v2.0.4 of Portus and Registry 2.3.1
---
 templates/registry/1/docker-compose.yml | 99 ++++++++++++++++++++
 templates/registry/1/rancher-compose.yml | 109 +++++++++++++++++++++++
 templates/registry/config.yml | 2 +-
 3 files changed, 209 insertions(+), 1 deletion(-)
 create mode 100644 templates/registry/1/docker-compose.yml
 create mode 100644 templates/registry/1/rancher-compose.yml
diff --git a/templates/registry/1/docker-compose.yml b/templates/registry/1/docker-compose.yml
new file mode 100644
index 0000000..2e541fa
--- /dev/null
+++ b/templates/registry/1/docker-compose.yml
@@ -0,0 +1,99 @@
+db:
+ image: mysql:5.7.10
+ environment:
+ MYSQL_DATABASE: portus
+ MYSQL_ROOT_PASSWORD: ${ROOTPASSWORD}
+ MYSQL_USER: portus
+ MYSQL_PASSWORD: ${DBPASSWORD}
+ tty: true
+ stdin_open: true
+ volumes:
+ - ${DIR}/db:/var/lib/mysql
+sslproxy:
+ image: nginx:1.9.9
+ tty: true
+ stdin_open: true
+ links:
+ - portus:portus
+ volumes:
+ - ${DIR}/certs:/etc/nginx/certs:ro
+ - ${DIR}/proxy:/etc/nginx/conf.d:ro
+registry:
+ image: registry:2.3.1
+ environment:
+ REGISTRY_LOG_LEVEL: warn
+ REGISTRY_STORAGE_DELETE_ENABLED: true
+ REGISTRY_AUTH_TOKEN_REALM: https://${DOMAIN}:${PPORT}/v2/token
+ REGISTRY_AUTH_TOKEN_SERVICE: ${DOMAIN}:${RPORT}
+ REGISTRY_AUTH_TOKEN_ISSUER: ${DOMAIN}
+ REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/registry.crt
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
+ REGISTRY_HTTP_TLS_KEY: /certs/registry.key
+ REGISTRY_HTTP_SECRET: httpsecret
+ REGISTRY_NOTIFICATIONS_ENDPOINTS: >
+ - name: portus
+ url: http://portus:3000/v2/webhooks/events
+ timeout: 500
+ threshold: 5
+ backoff: 1
+ tty: true
+ stdin_open: true
+ links:
+ - portus:portus
+ volumes:
+ - ${DIR}/certs:/certs:ro
+ - ${DIR}/data:/var/lib/registry
+lb:
+ image: rancher/load-balancer-service
+ tty: true
+ stdin_open: true
+ ports:
+ - ${RPORT}:5000/tcp
+ - ${PPORT}:443/tcp
+ labels:
+ io.rancher.loadbalancer.target.sslproxy: ${PPORT}=443
+ io.rancher.loadbalancer.target.registry: ${RPORT}=5000
+ io.rancher.scheduler.global: 'true'
+ io.rancher.scheduler.affinity:not_host_label: lb=0
+ links:
+ - registry:registry
+ - sslproxy:sslproxy
+portus:
+ image: sshipway/portus:v2.0.4
+ environment:
+ PORTUS_MACHINE_FQDN: ${DOMAIN}
+ PORTUS_PRODUCTION_HOST: db
+ PORTUS_PRODUCTION_DATABASE: portus
+ PORTUS_PRODUCTION_USERNAME: portus
+ PORTUS_PRODUCTION_PASSWORD: ${DBPASSWORD}
+ PORTUS_GRAVATAR_ENABLED: true
+ PORTUS_KEY_PATH: /certs/registry.key
+ PORTUS_PASSWORD: ${DBPASSWORD}
+ PORTUS_SECRET_KEY_BASE: ${ROOTPASSWORD}
+ PORTUS_CHECK_SSL_USAGE_ENABLED: true
+ PORTUS_SMTP_ENABLED: false
+ PORTUS_LDAP_ENABLED: ${LDAP}
+ PORTUS_LDAP_HOSTNAME: ${LDAPHOST}
+ PORTUS_LDAP_PORT: ${LDAPPORT}
+ PORTUS_LDAP_METHOD: ${LDAPTLS}
+ PORTUS_LDAP_BASE: ${LDAPBASE}
+ PORTUS_LDAP_UID: cn
+ PORTUS_LDAP_AUTHENTICATION_ENABLED: ${LDAPBIND}
+ PORTUS_LDAP_AUTHENTICATION_BIND_DN: ${LDAPBINDDN}
+ PORTUS_LDAP_AUTHENTICATION_PASSWORD: ${LDAPBINDPASS}
+ PORTUS_LDAP_GUESS_EMAIL_ENABLED: true
+ PORTUS_LDAP_GUESS_EMAIL_ATTR: mail
+ PORTUS_PORT: ${PPORT}
+ REGISTRY_SSL_ENABLED: true
+ REGISTRY_HOSTNAME: ${DOMAIN}
+ REGISTRY_PORT: ${RPORT}
+ REGISTRY_NAME: Registry
+ tty: true
+ stdin_open: true
+ volumes:
+ - ${DIR}/certs:/certs
+ - ${DIR}/proxy:/etc/nginx/conf.d
+ links:
+ - db:db
+ labels:
+ io.rancher.container.pull_image: always
diff --git a/templates/registry/1/rancher-compose.yml b/templates/registry/1/rancher-compose.yml
new file mode 100644
index 0000000..5ce73d9
--- /dev/null
+++ b/templates/registry/1/rancher-compose.yml
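Review bot: `REGISTRY_HTTP_SECRET: httpsecret` hard-codes the registry's HTTP secret to one literal shared by every deployment of this public template, and `PORTUS_SECRET_KEY_BASE: ${ROOTPASSWORD}` reuses the MySQL root password — which the rancher-compose.yml in this same patch defaults to `password` — as what is presumably the Rails `secret_key_base`, so a stock deployment's Portus session cookies can be forged by anyone who has read the catalog. Both should be independent generated secrets: `REGISTRY_HTTP_SECRET: ${HTTPSECRET}` and `PORTUS_SECRET_KEY_BASE: ${SECRETKEYBASE}`, backed by two new `type: "password"` questions with no default (if I recall the registry docs, the HTTP secret may simply be omitted for a single-instance registry, which then generates its own). `PORTUS_PASSWORD: ${DBPASSWORD}` likewise hands the Portus admin account the database password; one credential now spans the database, the admin UI and session signing, and a separate question is cheap. Finally `image: sshipway/portus:v2.0.4` with `io.rancher.container.pull_image: always` re-pulls a mutable tag from a personal Docker Hub namespace on every start, so the component that mints registry bearer tokens should at least be pinned by digest.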
@@ -0,0 +1,109 @@
+.catalog:
+ name: "Registry"
+ version: "v2.3.1-3.0"
+ description: "Docker Registry"
+ uuid: registry-3
+ questions:
+ - variable: "RPORT"
+ label: "Registry Port"
+ description: "Port on which to run the registry service"
+ default: 5000
+ required: true
+ type: "int"
+ - variable: "PPORT"
+ label: "Admin Port"
+ description: "Port on which to run the SSL Portus administration service and API"
+ default: 443
+ required: true
+ type: "int"
+ - variable: "DBPASSWORD"
+ label: "DB Password"
+ description: "Password for Portus database access, must be 8 characters or longer"
+ required: true
+ default: password
+ type: "password"
+ - variable: "ROOTPASSWORD"
+ label: "DB Root Password"
+ description: "Root Password for MySQL database, must be 8 characters or longer. This is not normally used."
+ required: true
+ default: password
+ type: "password"
+ - variable: "DIR"
+ label: "Storage directory"
+ description: "Path of shared storage to use for registry, database, and certificates. This should be available on all hosts"
+ required: true
+ type: "string"
+ - variable: "DOMAIN"
+ label: "FQDN"
+ description: "FQDN of server. This should be the CN in the certificates and will be the URL to contact the Registry and Web interface"
+ required: true
+ type: "string"
+ - variable: "LDAP"
+ label: "LDAP Enabled"
+ description: "Enable LDAP authentication"
+ required: true
+ default: false
+ type: "boolean"
+ - variable: "LDAPHOST"
+ label: "LDAP Server"
+ description: "The FQDN of the LDAP server (if LDAP authentication is being used)"
+ required: false
+ default: "ldap.company.com"
+ type: "string"
+ - variable: "LDAPPORT"
+ label: "LDAP Server port"
+ description: "The port number on the LDAP server (if LDAP authentication is being used)"
+ required: false
+ default: 389
+ type: "int"
+ - variable: "LDAPTLS"
+ label: "LDAP TLS"
+ description: "The TLS option for the LDAP server (if LDAP authentication is being used)"
+ required: false
+ default: "starttls"
+ type: "enum"
+ options:
+ - starttls
+ - simple_tls
+ - plain
+ - variable: "LDAPBASE"
+ label: "LDAP Base DN"
+ description: "The Base DN for User lookups on the LDAP server (if LDAP authentication is being used)"
+ required: false
+ default: "ou=People,dc=company,dc=com"
+ type: "string"
+ - variable: "LDAPBIND"
+ label: "LDAP Bind enabled"
+ description: "Should an authenticated Bind be used to access LDAP (if LDAP authentication is being used)"
+ required: false
+ default: false
+ type: "boolean"
+ - variable: "LDAPBINDDN"
+ label: "LDAP Bind DN"
+ description: "The DN to use for binding to the LDAP server (if LDAP authentication is being used with Bind enabled)"
+ required: false
+ default: "ou=portus,dc=company,dc=com"
+ type: "string"
+ - variable: "LDAPBINDPASS"
+ label: "LDAP Bind Password"
+ description: "The password to use for binding to the LDAP server (if LDAP authentication is being used with Bind enabled)"
+ required: false
+ default: "password"
+ type: "password"
+db:
+ scale: 1
+sslproxy:
+ scale: 1
+lb:
+ load_balancer_config:
+ haproxy_config: {}
+ health_check:
+ port: 42
+ interval: 2000
+ unhealthy_threshold: 3
+ healthy_threshold: 2
+ response_timeout: 2000
+registry:
+ scale: 1
+portus:
+ scale: 1
diff --git a/templates/registry/config.yml b/templates/registry/config.yml
index b48856a..88a6461
--- a/templates/registry/config.yml
+++ b/templates/registry/config.yml
@@ -1,7 +1,7 @@ name: Registry description: | Secure Docker registry. Web based administration. Optional LDAP authentication.
-version: v2.1.0-2.0
+version: v2.3.1-3.0
 category: Applications maintainer: Steve Shipway
From 8a03093191ed19a9483fe54ae3923db850ff6c80 Mon Sep 17 00:00:00 2001
From: sshipway
Date: Mon, 4 Apr 2016 03:49:14 +0000
Subject: [PATCH 3/5] Correct tag for Registry Portus container
---
 templates/registry/1/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/registry/1/docker-compose.yml b/templates/registry/1/docker-compose.yml
index 2e541fa..ae000e1
--- a/templates/registry/1/docker-compose.yml
+++ b/templates/registry/1/docker-compose.yml
@@ -59,7 +59,7 @@ lb:
 - registry:registry
 - sslproxy:sslproxy
 portus:
- image: sshipway/portus:v2.0.4
+ image: sshipway/portus:2.0.4
 environment:
 PORTUS_MACHINE_FQDN: ${DOMAIN}
 PORTUS_PRODUCTION_HOST: db
From 1aab3209830334e250bd7080d38b36743142bb0c Mon Sep 17 00:00:00 2001
From: sshipway
Date: Tue, 5 Apr 2016 04:26:38 +0000
Subject: [PATCH 4/5] Allow rw mount of /certs in registry as 2.3.1 requires this
---
 templates/registry/1/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/registry/1/docker-compose.yml b/templates/registry/1/docker-compose.yml
index ae000e1..cf9d953
--- a/templates/registry/1/docker-compose.yml
+++ b/templates/registry/1/docker-compose.yml
@@ -41,7 +41,7 @@ registry:
 links:
 - portus:portus
 volumes:
- - ${DIR}/certs:/certs:ro
+ - ${DIR}/certs:/certs
 - ${DIR}/data:/var/lib/registry
 lb:
 image: rancher/load-balancer-service
From 016f2df1dafd7c5b5de86c249af99cc9e50518ba Mon Sep 17 00:00:00 2001
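Review bot: `DBPASSWORD` and `ROOTPASSWORD` are `required: true` yet ship with `default: password`, and `LDAPBINDPASS` defaults to `"password"` as well, so an operator who accepts the defaults gets a MySQL root password of `password` — the same value the docker-compose.yml in this patch feeds to `PORTUS_SECRET_KEY_BASE`. Removing the `default:` line from each of the three password questions makes Rancher insist on an explicit value, and the two DB descriptions should say the value should be randomly generated rather than just "8 characters or longer". The `LDAPTLS` option `plain` sends the bind DN and password unencrypted; its description could carry `"plain sends credentials in cleartext; prefer starttls or simple_tls"` so that choice is made knowingly.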
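Review bot: Dropping `:ro` from `${DIR}/certs` gives the registry process write access to the directory holding `registry.key`, which this template also uses as Portus's token-signing key (`PORTUS_KEY_PATH: /certs/registry.key`) and as the nginx TLS key, so a compromised registry can now replace the key that signs its own bearer tokens. The commit message says 2.3.1 requires this but not what the registry writes; if it is only an ownership or mode problem on the host files, fixing the mode on `${DIR}/certs` keeps the read-only mount, and if some file genuinely must be written, bind the two files individually — `- ${DIR}/certs/registry.crt:/certs/registry.crt:ro` and `- ${DIR}/certs/registry.key:/certs/registry.key:ro` — with any writable scratch path mounted separately. The enclosing `registry:` service definition starts above this hunk.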
From: sshipway
Date: Wed, 13 Apr 2016 21:38:12 +0000
Subject: [PATCH 5/5] Merge in new env var for Registry as per pull req #101
---
 templates/registry/1/docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/templates/registry/1/docker-compose.yml b/templates/registry/1/docker-compose.yml
index cf9d953..375b616
--- a/templates/registry/1/docker-compose.yml
+++ b/templates/registry/1/docker-compose.yml
@@ -23,6 +23,7 @@ registry:
 environment:
 REGISTRY_LOG_LEVEL: warn
 REGISTRY_STORAGE_DELETE_ENABLED: true
+ REGISTRY_AUTH: token
 REGISTRY_AUTH_TOKEN_REALM: https://${DOMAIN}:${PPORT}/v2/token
 REGISTRY_AUTH_TOKEN_SERVICE: ${DOMAIN}:${RPORT}
 REGISTRY_AUTH_TOKEN_ISSUER: ${DOMAIN}
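Review bot: If the registry only enables its token backend when `REGISTRY_AUTH` names it — which is what the referenced pull request #101 implies — then the v2.3.1-3.0 template as committed in the earlier patches started a registry whose `REGISTRY_AUTH_TOKEN_*` settings were ignored, i.e. anonymous push and pull on `${RPORT}` despite Portus being configured in front of it. That makes this a security fix rather than the merge of a convenience variable: the `version` strings in `templates/registry/1/rancher-compose.yml` and `templates/registry/config.yml` should be bumped (and, if `1/` has already been published, the fix added as a new template version directory) so existing stacks are offered the upgrade, and the commit message should state what was broken. A comment above the new line would stop a later editor from removing it as redundant: `# REGISTRY_AUTH selects the auth backend; the REGISTRY_AUTH_TOKEN_* settings below are not applied without it`. The enclosing `registry:` service definition starts above this hunk.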