atomic-registry via systemd

examples/atomic-registry/systemd/Dockerfile

@@ -0,0 +1,24 @@
+#FROM registry.access.redhat.com/openshift3/ose
+FROM openshift/origin
+
+LABEL name="projectatomic/atomic-registry-install" \
+      vendor="Project Atomic" \
+      url="https://projectatomic.io/registry" \
+      summary="Systemd installation container for Atomic Registry" \
+      description="This image installs Atomic Registry on a single host as systemd unit files. Atomic Registry is an open source enterprise registry solution based on the Origin project featuring single sign-on (SSO) user experience, a robust web interface and advanced role-based access control (RBAC)." \
+      INSTALL='docker run -it --rm \
+                --privileged \
+                --net=host \
+                -v /etc/atomic-registry/:/etc/atomic-registry/ \
+                -v /var/lib/atomic-registry/:/var/lib/atomic-registry/ \
+                -v /:/host \
+                --entrypoint /usr/bin/install.sh \
+                $IMAGE' \
+      UNINSTALL='docker run -it --rm \
+                --privileged \
+                -v /:/host \
+                --entrypoint /usr/bin/uninstall.sh \
+                $IMAGE'
+
+ADD services/ templates/ setup-atomic-registry.sh /exports/
+ADD install.sh uninstall.sh /usr/bin/

examples/atomic-registry/systemd/README.md

@@ -0,0 +1,104 @@
+# Atomic Registry managed by systemd
+
+http://docs.projectatomic.io/registry/
+
+## Installation
+
+1. Install
+
+        sudo atomic install projectatomic/atomic-registry-install <hostname>
+
+1. Start system services
+
+        sudo systemctl start atomic-registry-master.service
+
+1. Setup the registry. This script creates the oauth client so the web console can connect. It also configures the registry service account so it can connect to the API master.
+
+        sudo /var/run/setup-atomic-registry.sh <hostname>
+
+1. Until the registry is secured with TLS certificates, configure client docker daemon to **--insecure-registry** and restart.
+
+        /etc/sysconfig/docker
+        sudo systemctl restart docker.service
+
+**Optional post-install configuration:**
+* configure authentication provider. **NOTE**: by default *ANY* username and password will authenticate users.
+* configure storage
+  * mount local storage **/var/lib/atomic-registry/registry** or
+  * configure cloud storage in **/etc/atomic-registry/registry/config.yml**
+* add TLS certificates to services (see below)
+
+## Uninstall
+
+* Uninstall but **retain data** in /var/lib/atomic-registry. This will remove all configuration changes, etc. You can run install steps again and existing data will be available in the new deployment configuration.
+
+        sudo atomic install projectatomic/atomic-registry-install
+* Uninstall and **remove data** in /var/lib/atomic-registry. This will remove all images and the datastore. This will completely clean up the environment.
+
+        sudo atomic install projectatomic/atomic-registry-install --remove-data
+
+## Services
+
+| Service and container name | Role | Configuration | Data | Port |
+| -------------------------- | ---- | ------------- | ---- | ---- |
+| atomic-registry-master | auth, datastore, API | General config, incl auth: /etc/atomic-registry/master/master-config.yaml, Log level: /etc/sysconfig/atomic-registry-master | datastore: /var/lib/atomic-registry/etcd | 8443 |
+| atomic-registry | docker registry | /etc/sysconfig/atomic-registry, /etc/atomic-registry/registry/config.yml | images: /var/lib/atomic-registry/registry | 5000 |
+| atomic-registry-console | web console | /etc/sysconfig/atomic-registry-console | none (stateless) | 9090 |
+
+## Changing configuration
+
+1. Edit appropriate configuration file(s) on host
+1. Restart service via systemd
+
+        sudo systemctl restart <service_name>
+
+## Updating
+
+As a microservice application the three services may theoretically be updated independently. However, it is strongly recommended that the services be updated together to ensure you are deploying a tested configuration.
+
+1. Pull the updated images
+
+        sudo docker pull openshift/origin
+        sudo docker pull openshift/origin-docker-registry
+        sudo docker pull cockpit/kubernetes
+1. Restart the services
+
+        sudo systemctl restart atomic-registry-console
+        sudo systemctl restart atomic-registry-master
+        sudo systemctl restart atomic-registry
+
+## Data persistence and backup
+
+  The data that should be persisted is the configuration, image data and the registry database. These are mounted on the host. See Service table above for specific paths.
+
+## Secure Registry endpoint
+
+Here we create a self-signed certificate so docker clients can connect using TLS. While other tools like openssl may be used to create certificates, the master API provides a tool that may also be used.
+
+1. `sudo docker exec -it atomic-registry-master bash`
+1. `cd /etc/atomic-registry/master`
+1. `oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='<hostname(s)>' --cert=registry.crt --key=registry.key`
+1. `exit`
+1. `sudo cp /etc/atomic-registry/master/registry.* /etc/atomic-registry/registry/`
+1. `sudo chown -R 1001:root /etc/atomic-registry/registry/`
+1. Edit `/etc/sysconfig/atomic-registry`, uncomment environment variables *REGISTRY_HTTP_TLS_CERTIFICATE* and *REGISTRY_HTTP_TLS_KEY*.
+1. `sudo systemctl restart atomic-registry`
+
+### Serving the certificate for docker clients
+
+If you're creating a self-signed certificate key pair you want to make the public CA certificate available to end-users so they don't have to put docker into insecure mode.
+
+1. Edit `/etc/atomic-registry/master/master-config.yaml` and add the following extension.
+
+        assetConfig:
+          ...
+          extensions:
+            - name: certs
+              sourceDirectory: /etc/atomic-registry/master/site
+1. `sudo cp /etc/atomic-registry/master/ca.crt /etc/atomic-registry/master/site/`
+1. `sudo systemctl restart atomic-registry-master`
+1. Clients may then save this cert into their docker client and restart the docker daemon
+
+        curl --insecure -O https://<registry_hostname>:8443/console/extensions/certs/ca.crt
+        sudo cp ca.crt /etc/docker/certs.d/<registry_hostname>:5000/.
+        sudo systemctl restart docker.service

examples/atomic-registry/systemd/install.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+INSTALL_HOST=${1:-`hostname`}
+echo "Installing using hostname ${INSTALL_HOST}"
+
+# write out configuration
+openshift start master --write-config /etc/atomic-registry/master \
+  --etcd-dir /var/lib/atomic-registry/etcd \
+  --public-master ${INSTALL_HOST} \
+  --master https://localhost:8443
+
+echo "Copy files to host"
+
+set -x
+mkdir -p /etc/atomic-registry/master/site
+mkdir -p /etc/atomic-registry/registry
+mkdir -p /etc/atomic-registry/serviceaccount
+mkdir -p /host/var/lib/atomic-registry/registry
+
+cp /exports/unit_files/* /host/etc/systemd/system/
+cp /exports/config/* /host/etc/sysconfig/
+cp /exports/oauthclient.yaml /etc/atomic-registry/master/
+cp /exports/setup-atomic-registry.sh /host/var/run/
+cp /exports/registry-login-template.html /host/etc/atomic-registry/master/site/
+
+chown -R 1001:root /host/var/lib/atomic-registry/registry
+chown -R 1001:root /etc/atomic-registry/registry
+
+set +x
+echo "Add serviceaccount token and certificate to registry configuration"
+ln /etc/atomic-registry/master/ca.crt /etc/atomic-registry/serviceaccount/ca.crt
+echo "default" >> /etc/atomic-registry/serviceaccount/namespace
+echo "This directory stores the service account token, namespace text file and certificate to enable the registry to connect to the API master." \
+    >> /etc/atomic-registry/serviceaccount/README
+cat /etc/atomic-registry/master/ca.crt > /etc/atomic-registry/serviceaccount/service-ca.crt
+cat /etc/atomic-registry/master/service-signer.crt >> /etc/atomic-registry/serviceaccount/service-ca.crt
+
+echo "This directory stores the docker/distribution registry configuration file. To secure the service add TLS certificates here and reference them as environment variables." \
+    >> /etc/atomic-registry/registry/README
+echo "This directory stores configuration and certificates for the API master." \
+    >> /etc/atomic-registry/master/README
+
+set -x
+
+# add OpenShift API master URL to web console env file
+echo "OPENSHIFT_OAUTH_PROVIDER_URL=https://${INSTALL_HOST}:8443" >> /host/etc/sysconfig/atomic-registry-console
+echo "REGISTRY_HOST=${INSTALL_HOST}:5000" >> /host/etc/sysconfig/atomic-registry-console
+# generate random secret for multi-registry shared storage deployment
+echo "REGISTRY_HTTP_SECRET=`date | md5sum`" >> /host/etc/sysconfig/atomic-registry
+
+# load updated systemd unit files
+chroot /host systemctl daemon-reload
+
+set +x
+
+echo "Updating login template"
+sed -i 's/  templates: null$/  templates:\n    login: site\/registry-login-template.html/' /etc/atomic-registry/master/master-config.yaml
+
+echo "Optionally edit configuration file authentication /etc/atomic-registry/master/master-config.yaml,"
+echo "and/or add certificates to /etc/atomic-registry/master,"
+echo "then enable and start services:"
+echo "   sudo systemctl enable --now atomic-registry-master.service"
+echo "Once all 3 containers are running (docker ps), run the setup script"
+echo "(you can run it again if it is run early and fails)"
+echo "   sudo /var/run/setup-atomic-registry.sh ${INSTALL_HOST}"

examples/atomic-registry/systemd/services/config/atomic-registry

@@ -0,0 +1,13 @@
+REGISTRY_HTTP_ADDR=:5000
+REGISTRY_HTTP_NET=tcp
+KUBERNETES_SERVICE_PORT=8443
+KUBERNETES_SERVICE_HOST=localhost
+KUBERNETES_PORT_8443_TCP_PROTO=tcp
+KUBERNETES_SERVICE_PORT_HTTPS=8443
+KUBERNETES_PORT_8443_TCP_ADDR=localhost
+KUBERNETES_PORT_8443_TCP=tcp://localhost:8443
+REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA=true
+
+# To secure the registry, drop the certificates here, uncomment and restart service
+#REGISTRY_HTTP_TLS_CERTIFICATE=/etc/atomic-registry/registry/registry.crt
+#REGISTRY_HTTP_TLS_KEY=/etc/atomic-registry/registry/registry.key

examples/atomic-registry/systemd/services/config/atomic-registry-console

@@ -0,0 +1,7 @@
+# Uncomment to enable debug messages
+#G_MESSAGES_DEBUG=cockpit-ws,cockpit-wrapper,cockpit-bridge
+KUBERNETES_SERVICE_HOST=localhost
+KUBERNETES_SERVICE_PORT=8443
+REGISTRY_ONLY=true
+OPENSHIFT_OAUTH_CLIENT_ID=cockpit-oauth-client
+KUBERNETES_INSECURE=true

examples/atomic-registry/systemd/services/config/atomic-registry-master

@@ -0,0 +1,4 @@
+# loglevel 1-5
+OPTIONS=--loglevel=1
+CONFIG_FILE=/etc/atomic-registry/master/master-config.yaml
+KUBECONFIG=/etc/atomic-registry/master/admin.kubeconfig

examples/atomic-registry/systemd/services/unit_files/atomic-registry-console.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Atomic Registry Console
+Documentation=https://github.com/cockpit-project/cockpit
+After=docker.service
+Requires=docker.service
+
+[Service]
+Environment=GOTRACEBACK=crash
+ExecStartPre=-/usr/bin/docker rm -f atomic-registry-console
+ExecStart=/usr/bin/docker run --rm --env-file=/etc/sysconfig/atomic-registry-console --name atomic-registry-console -p 9090:9090 --net=host -u 1001 cockpit/kubernetes
+ExecStop=/usr/bin/docker stop atomic-registry-console
+LimitNOFILE=131072
+LimitCORE=infinity
+SyslogIdentifier=atomic-registry-console
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target

examples/atomic-registry/systemd/services/unit_files/atomic-registry-master.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Atomic Registry Master
+Documentation=https://github.com/openshift/origin
+After=docker.service
+Requires=docker.service
+Wants=atomic-registry-console.service
+Wants=atomic-registry.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/atomic-registry-master
+Environment=GOTRACEBACK=crash
+ExecStartPre=-/usr/bin/docker rm -f atomic-registry-master
+ExecStart=/usr/bin/docker run --rm --privileged --name atomic-registry-master -p 8443:8443 --net=host --env-file=/etc/sysconfig/atomic-registry-master -v /var/lib/atomic-registry/etcd:/var/lib/atomic-registry/etcd -v /etc/atomic-registry/:/etc/atomic-registry/ openshift/origin start master --config=/etc/atomic-registry/master/master-config.yaml $OPTIONS
+ExecStop=/usr/bin/docker stop atomic-registry-master
+LimitNOFILE=131072
+LimitCORE=infinity
+WorkingDirectory=/var/lib/atomic-registry/
+SyslogIdentifier=atomic-registry-master
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
+Also=atomic-registry.service
+Also=atomic-registry-console.service

examples/atomic-registry/systemd/services/unit_files/atomic-registry.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Atomic Registry
+Documentation=https://github.com/docker/distribution
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm -f atomic-registry
+ExecStart=/usr/bin/docker run --rm --env-file=/etc/sysconfig/atomic-registry --name atomic-registry -p 5000:5000 --net=host -v /var/lib/atomic-registry/registry:/registry:Z -v /etc/atomic-registry/registry:/etc/atomic-registry/registry -v /etc/atomic-registry/serviceaccount:/var/run/secrets/kubernetes.io/serviceaccount -u 1001 openshift/origin-docker-registry
+ExecStop=/usr/bin/docker stop atomic-registry
+LimitNOFILE=131072
+LimitCORE=infinity
+SyslogIdentifier=atomic-registry
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target

examples/atomic-registry/systemd/setup-atomic-registry.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# we need the hostname the web console is coming from to whitelist oauth requests
+INSTALL_HOST=${1:-`hostname`}
+# we're running this on the host
+# the commands will be exec'd in the master container that has the oc client
+CMD="docker exec -it"
+
+# boostrap the registry components using the supported command
+# we'll delete the dc and service components later
+$CMD atomic-registry-master oadm registry
+
+# pause for components to create
+sleep 3
+# we don't need the kubernetes components created during bootstrapping
+$CMD atomic-registry-master oc delete dc,service docker-registry
+# Get the service account token for registry to connect to master API
+set -x
+TOKEN_NAME=$($CMD atomic-registry-master oc get sa registry --template '{{ $secret := index .secrets 0 }} {{ $secret.name }}')
+$CMD atomic-registry-master oc get secret ${TOKEN_NAME} --template '{{ .data.token }}' | base64 -d > /etc/atomic-registry/serviceaccount/token
+
+# write registry config to host and reference bindmounted host file
+$CMD atomic-registry cat /config.yml > /etc/atomic-registry/registry/config.yml
+echo "REGISTRY_CONFIGURATION_PATH=/etc/atomic-registry/registry/config.yml" >> /etc/sysconfig/atomic-registry
+
+# Create oauthclient for web console. required for web console to delegate auth
+$CMD atomic-registry-master oc new-app --file=/etc/atomic-registry/master/oauthclient.yaml --param=COCKPIT_KUBE_URL=https://${INSTALL_HOST}:9090
+
+# restart with these changes
+systemctl restart atomic-registry.service
+set +x
+echo "Launch web console in browser at https://${INSTALL_HOST}:9090"
+echo "By default, ANY username and ANY password will successfully authenticate."

examples/atomic-registry/systemd/templates/oauthclient.yaml

@@ -0,0 +1,27 @@
+kind: "Template"
+apiVersion: "v1"
+metadata:
+  name: "cockpit-openshift-template"
+labels:
+  createdBy: "cockpit-openshift-template"
+parameters:
+  - description: "The public url for the Openshift OAuth Provider"
+    name: "COCKPIT_KUBE_URL"
+    required: true
+  - description: "Oauth client secret"
+    name: "OPENSHIFT_OAUTH_CLIENT_SECRET"
+    from: "user[a-zA-Z0-9]{64}"
+    generate: "expression"
+  - description: "Oauth client id"
+    name: "OPENSHIFT_OAUTH_CLIENT_ID"
+    value: "cockpit-oauth-client"
+objects:
+  - kind: "OAuthClient"
+    apiVersion: "v1"
+    metadata:
+      name: "${OPENSHIFT_OAUTH_CLIENT_ID}"
+    respondWithChallenges: false
+    secret: "${OPENSHIFT_OAUTH_CLIENT_SECRET}"
+    allowAnyScope: true
+    redirectURIs:
+      - "${COCKPIT_KUBE_URL}"