flywithu/rancher_community-catalog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add registry template (using registry:2 and Portus)

Browse Source
This commit is contained in:
sshipway 2016-03-04 03:54:01 +00:00
parent b85c3e2220
commit 4b97b21b76
6 changed files with 496 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
templates/logspout/0/rancher-compose.yml
View File

@ -28,6 +28,6 @@
- "rfc5424"
- "rfc3164"
required: true
default: ""
default: "rfc5424"
description: |
The Syslog format to use. If not certain, use rfc5424

99
templates/registry/0/docker-compose.yml Normal file
View File

@ -0,0 +1,99 @@
db:
image: mysql:5.7.10
environment:
MYSQL_DATABASE: portus
MYSQL_ROOT_PASSWORD: ${ROOTPASSWORD}
MYSQL_USER: portus
MYSQL_PASSWORD: ${DBPASSWORD}
tty: true
stdin_open: true
volumes:
- ${DIR}/db:/var/lib/mysql
sslproxy:
image: nginx:1.9.9
tty: true
stdin_open: true
links:
- portus:portus
volumes:
- ${DIR}/certs:/etc/nginx/certs:ro
- ${DIR}/proxy:/etc/nginx/conf.d:ro
registry:
image: registry:2.1
environment:
REGISTRY_LOG_LEVEL: warn
REGISTRY_STORAGE_DELETE_ENABLED: true
REGISTRY_AUTH_TOKEN_REALM: https://${DOMAIN}:${PPORT}/v2/token
REGISTRY_AUTH_TOKEN_SERVICE: ${DOMAIN}:${RPORT}
REGISTRY_AUTH_TOKEN_ISSUER: ${DOMAIN}
REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/registry.crt
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
REGISTRY_HTTP_TLS_KEY: /certs/registry.key
REGISTRY_HTTP_SECRET: httpsecret
REGISTRY_NOTIFICATIONS_ENDPOINTS: >
- name: portus
url: http://portus:3000/v2/webhooks/events
timeout: 500
threshold: 5
backoff: 1
tty: true
stdin_open: true
links:
- portus:portus
volumes:
- ${DIR}/certs:/certs:ro
- ${DIR}/data:/var/lib/registry
lb:
image: rancher/load-balancer-service
tty: true
stdin_open: true
ports:
- ${RPORT}:5000/tcp
- ${PPORT}:443/tcp
labels:
io.rancher.loadbalancer.target.sslproxy: ${PPORT}=443
io.rancher.loadbalancer.target.registry: ${RPORT}=5000
io.rancher.scheduler.global: 'true'
io.rancher.scheduler.affinity:not_host_label: lb=0
links:
- registry:registry
- sslproxy:sslproxy
portus:
image: sshipway/portus:2.0.3
environment:
PORTUS_MACHINE_FQDN: ${DOMAIN}
PORTUS_PRODUCTION_HOST: db
PORTUS_PRODUCTION_DATABASE: portus
PORTUS_PRODUCTION_USERNAME: portus
PORTUS_PRODUCTION_PASSWORD: ${DBPASSWORD}
PORTUS_GRAVATAR_ENABLED: true
PORTUS_KEY_PATH: /certs/registry.key
PORTUS_PASSWORD: ${DBPASSWORD}
PORTUS_SECRET_KEY_BASE: ${ROOTPASSWORD}
PORTUS_CHECK_SSL_USAGE_ENABLED: true
PORTUS_SMTP_ENABLED: false
PORTUS_LDAP_ENABLED: ${LDAP}
PORTUS_LDAP_HOSTNAME: ${LDAPHOST}
PORTUS_LDAP_PORT: ${LDAPPORT}
PORTUS_LDAP_METHOD: ${LDAPTLS}
PORTUS_LDAP_BASE: ${LDAPBASE}
PORTUS_LDAP_UID: cn
PORTUS_LDAP_AUTHENTICATION_ENABLED: ${LDAPBIND}
PORTUS_LDAP_AUTHENTICATION_BIND_DN: ${LDAPBINDDN}
PORTUS_LDAP_AUTHENTICATION_PASSWORD: ${LDAPBINDPASS}
PORTUS_LDAP_GUESS_EMAIL_ENABLED: true
PORTUS_LDAP_GUESS_EMAIL_ATTR: mail
PORTUS_PORT: ${PPORT}
REGISTRY_SSL_ENABLED: true
REGISTRY_HOSTNAME: ${DOMAIN}
REGISTRY_PORT: ${RPORT}
REGISTRY_NAME: Registry
tty: true
stdin_open: true
volumes:
- ${DIR}/certs:/certs
- ${DIR}/proxy:/etc/nginx/conf.d
links:
- db:db
labels:
io.rancher.container.pull_image: always

109
templates/registry/0/rancher-compose.yml Normal file
View File

@ -0,0 +1,109 @@
.catalog:
name: "Registry"
version: "v2.1.0-2.0"
description: "Docker Registry"
uuid: registry-2
questions:
- variable: "RPORT"
label: "Registry Port"
description: "Port on which to run the registry service"
default: 5000
required: true
type: "int"
- variable: "PPORT"
label: "Admin Port"
description: "Port on which to run the SSL Portus administration service and API"
default: 443
required: true
type: "int"
- variable: "DBPASSWORD"
label: "DB Password"
description: "Password for Portus database access, must be 8 characters or longer"
required: true
default: password
type: "password"
- variable: "ROOTPASSWORD"
label: "DB Root Password"
description: "Root Password for MySQL database, must be 8 characters or longer. This is not normally used."
required: true
default: password
type: "password"
- variable: "DIR"
label: "Storage directory"
description: "Path of shared storage to use for registry, database, and certificates. This should be available on all hosts"
required: true
type: "string"
- variable: "DOMAIN"
label: "FQDN"
description: "FQDN of server. This should be the CN in the certificates and will be the URL to contact the Registry and Web interface"
required: true
type: "string"
- variable: "LDAP"
label: "LDAP Enabled"
description: "Enable LDAP authentication"
required: true
default: false
type: "boolean"
- variable: "LDAPHOST"
label: "LDAP Server"
description: "The FQDN of the LDAP server (if LDAP authentication is being used)"
required: false
default: "ldap.company.com"
type: "string"
- variable: "LDAPPORT"
label: "LDAP Server port"
description: "The port number on the LDAP server (if LDAP authentication is being used)"
required: false
default: 389
type: "int"
- variable: "LDAPTLS"
label: "LDAP TLS"
description: "The TLS option for the LDAP server (if LDAP authentication is being used)"
required: false
default: "starttls"
type: "enum"
options:
- starttls
- simple_tls
- plain
- variable: "LDAPBASE"
label: "LDAP Base DN"
description: "The Base DN for User lookups on the LDAP server (if LDAP authentication is being used)"
required: false
default: "ou=People,dc=company,dc=com"
type: "string"
- variable: "LDAPBIND"
label: "LDAP Bind enabled"
description: "Should an authenticated Bind be used to access LDAP (if LDAP authentication is being used)"
required: false
default: false
type: "boolean"
- variable: "LDAPBINDDN"
label: "LDAP Bind DN"
description: "The DN to use for binding to the LDAP server (if LDAP authentication is being used with Bind enabled)"
required: false
default: "ou=portus,dc=company,dc=com"
type: "string"
- variable: "LDAPBINDPASS"
label: "LDAP Bind Password"
description: "The password to use for binding to the LDAP server (if LDAP authentication is being used with Bind enabled)"
required: false
default: "password"
type: "password"
db:
scale: 1
sslproxy:
scale: 1
lb:
load_balancer_config:
haproxy_config: {}
health_check:
port: 42
interval: 2000
unhealthy_threshold: 3
healthy_threshold: 2
response_timeout: 2000
registry:
scale: 1
portus:
scale: 1

79
templates/registry/README.md Normal file
View File

@ -0,0 +1,79 @@
# Registry
This catalogue item consists of a Registry, and the Portus web UI for
authentication. There is also a MySQL database for storage, and a nginx
proxy to provide SSL for the web frontend.
A directory path is required for storage of the Registry data, Database,
Certificates and generated Nginx configuration files. If you have
multiple Hosts then this needs to be a shared mount across all Hosts which
will run any of these containers.
If no certificates are provided in the /certs directory, then the system
will generate self-signed SSL certificates to use.
Note that the containers will take a significant amount of time to initialse after
they are started. You may need to wait 15 minutes for the Portus instance
to finally spot the registry instance and perform its first synchronisation,
after which the web interface will come online.
## Backing Store
A persistent shared filesystem is required to host the Registry, and also the
MySQL database. This will also hold the certificates under certs/server.crt
and certs/server.key; if no certificate is present, then a self-signed
certificate will be created (valid for one year only) that can later be
replaced.
## LDAP Authentication
If you enable LDAP authentication, then this will be used for both the
Web interface and for Registry authentication. The LDAP configuration
may optionally have authenticated Bind credentials, and TLS options.
## Security
All connections are protected by SSL. A self-signed certificate is
automatically generated as certs/server.crt and certs/server.key in
the persistent shared storage; this can be replaced if necessary.
The certificate is used for registry access, for web admin access,
and for signing API access keys.
Registry access is controlled by the same user access as the web interface;
so if you link to LDAP then this will also lock the Registry access.
If not using LDAP, then the 'portus' use password is the Database Password
as defined in the template options.
## Access
The template will create a Load Balancer for access to the Registry and
to the Web Admin interface. This will run on all Hosts with the label
LB=1, listening on the defined ports.
To access the web UI, use https on the hostname and port you configured.
To upload to the repository, use an SSL connection to the hostname and
registry port you configured.
## Administration
The first user to log in to the web interface will be granted Admin
privileges.
## Synchronisation with Registry
The Web interface will be initially configured to use the incorporated
registry. A periodic synchronisation task and the upload webhook will
ensure they are in synch. If, for some reason, your registry already
has items (for example, if you are recreating the stack on preexisting
shared storage) then it may take up to 5min for the Portus Web UI to
synchronise the registry content to its database.
## Feedback
This is a complex setup, and uses a custom build of the Portus container,
which is not yet available as an official release. You may need to
customise this heavily for your own site. Any feedback can
be logged against https://github.com/sshipway/Portus

201
templates/registry/catalogIcon-registry.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

7
templates/registry/config.yml Normal file
View File

@ -0,0 +1,7 @@
name: Registry
description: |
Secure Docker registry. Web based administration. Optional LDAP authentication.
version: v2.1.0-2.0
category: Applications
maintainer: Steve Shipway <s.shipway@auckland.ac.nz>