Commit a9e18eeb authored by David's avatar David

Adding the things

.env
secrets/*
\ No newline at end of file
# Copyright 2015 clair authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# The values specified here are the default values that Clair uses if no configuration file is specified or if the keys are not defined.
clair:
database:
# Database driver
type: pgsql
options:
# PostgreSQL Connection string
# https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
source: host=sarafan.dark.kow.is port=5432 user=clair password=nopenopenope sslmode=disable statement_timeout=60000
# Number of elements kept in the cache
# Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
cachesize: 16384
# 32-bit URL-safe base64 key used to encrypt pagination tokens
# If one is not provided, it will be generated.
# Multiple clair instances in the same cluster need the same value.
paginationkey:
api:
# v3 grpc/RESTful API server address
addr: "0.0.0.0:6060"
# Health server address
# This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
healthaddr: "0.0.0.0:6061"
# Deadline before an API request will respond with a 503
timeout: 900s
# Optional PKI configuration
# If you want to easily generate client certificates and CAs, try the following projects:
# https://github.com/coreos/etcd-ca
# https://github.com/cloudflare/cfssl
servername:
cafile:
keyfile:
certfile:
worker:
namespace_detectors:
- os-release
- lsb-release
- apt-sources
- alpine-release
- redhat-release
feature_listers:
- apk
- dpkg
- rpm
updater:
# Frequency the database will be updated with vulnerabilities from the default data sources
# The value 0 disables the updater entirely.
interval: 2h
enabledupdaters:
- debian
- ubuntu
- rhel
- oracle
- alpine
- suse
notifier:
# Number of attempts before the notification is marked as failed to be sent
attempts: 3
# Duration before a failed notification is retried
renotifyinterval: 2h
http:
# Optional endpoint that will receive notifications via POST requests
endpoint:
# Optional PKI configuration
# If you want to easily generate client certificates and CAs, try the following projects:
# https://github.com/cloudflare/cfssl
# https://github.com/coreos/etcd-ca
servername:
cafile:
keyfile:
certfile:
# Optional HTTP Proxy: must be a valid URL (including the scheme).
proxy:
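Review bot: The `source:` line under `database.options` commits a live database credential (`password=nopenopenope`) to a tracked file, while the `.gitignore` in this same commit excludes `.env` and `secrets/*` precisely to keep such values out of the repository; once pushed, the value is in history and should be treated as rotated. If the Clair build in use expands environment variables in its config file, `password=${CLAIR_DB_PASSWORD}` lets the value come from the ignored `.env`; otherwise keep only a placeholder in the tracked copy and mount the real file from `secrets/`. The same connection string uses `sslmode=disable` against a host that is not one of the compose services, so the password and every query travel the network in cleartext; `sslmode=require` (or `verify-full` with a CA) is the minimum for an off-host database. Unrelated to secrets, the PKI block under `api:` (`servername`/`cafile`/`keyfile`/`certfile`) is left empty, so the API on `0.0.0.0:6060` accepts any caller that can reach it.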
version: '3'
services:
portus:
image: opensuse/portus:head
restart: unless-stopped
dns:
- 10.10.220.231
environment:
- CCONFIG_PREFIX=PORTUS
- PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
- PORTUS_SECURITY_CLAIR_SERVER=http://clair:6060
# DB. The password for the database should definitely not be here. You are
# probably better off with Docker Swarm secrets.
- PORTUS_DB_ADAPTER=postgresql
- PORTUS_DB_HOST=sarafan.dark.kow.is
- PORTUS_DB_DATABASE=portus
- PORTUS_DB_USERNAME=portus
- PORTUS_DB_PASSWORD=${DATABASE_PASSWORD}
- PORTUS_DB_POOL=5
# Secrets. It can possibly be handled better with Swarm's secrets.
- PORTUS_SECRET_KEY_BASE=${SECRET_KEY_BASE}
- PORTUS_KEY_PATH=/certificates/registry.dark.kow.is.key
- PORTUS_PASSWORD=${PORTUS_PASSWORD}
# SSL
- PORTUS_PUMA_TLS_KEY=/certificates/registry.dark.kow.is.key
- PORTUS_PUMA_TLS_CERT=/certificates/registry.dark.kow.is.crt
# LDAP
- PORTUS_LDAP_ENABLED=true
- PORTUS_LDAP_HOSTNAME=ldap.dark.kow.is
- PORTUS_LDAP_PORT=389
- PORTUS_LDAP_UID=uid
- PORTUS_LDAP_BASE=ou=Users,dc=dark,dc=kow,dc=is
- PORTUS_LDAP_GROUP_BASE=
- PORTUS_LDAP_FILTER=(memberOf=cn=dockerRegistry,ou=Access,dc=dark,dc=kow,dc=is)
- PORTUS_LDAP_AUTHENTICATION_ENABLED=true
- PORTUS_LDAP_AUTHENTICATION_BIND_DN=cn=portus,ou=Applications,dc=dark,dc=kow,dc=is
- PORTUS_LDAP_AUTHENTICATION_PASSWORD=${LDAP_PASSWORD}
- PORTUS_LDAP_GUESS_EMAIL_ATTR=mail
- PORTUS_LDAP_ENCRYPTION_METHOD=start_tls
- PORTUS_LDAP_ENCRYPTION_OPTIONS_CA_FILE=/certificates/dark.kow.is.crt
- PORTUS_LDAP_ENCRYPTION_OPTIONS_SSL_VERSION=TLSv1_2
# NGinx is serving the assets instead of Puma. If you want to change this,
# uncomment this line.
#- RAILS_SERVE_STATIC_FILES='true'
ports:
- 3000:3000
networks:
- registry_net
volumes:
- ./secrets:/certificates:ro
- static:/srv/Portus/public
background:
image: opensuse/portus:head
restart: unless-stopped
depends_on:
- portus
dns:
- 10.10.220.231
environment:
# Theoretically not needed, but cconfig's been buggy on this...
- CCONFIG_PREFIX=PORTUS
- PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
- PORTUS_SECURITY_CLAIR_SERVER=http://clair:6060
# DB. The password for the database should definitely not be here. You are
# probably better off with Docker Swarm secrets.
- PORTUS_DB_ADAPTER=postgresql
- PORTUS_DB_HOST=sarafan.dark.kow.is
- PORTUS_DB_DATABASE=portus
- PORTUS_DB_USERNAME=portus
- PORTUS_DB_PASSWORD=${DATABASE_PASSWORD}
- PORTUS_DB_POOL=5
# Secrets. It can possibly be handled better with Swarm's secrets.
- PORTUS_SECRET_KEY_BASE=${SECRET_KEY_BASE}
- PORTUS_KEY_PATH=/certificates/registry.dark.kow.is.key
- PORTUS_PASSWORD=${PORTUS_PASSWORD}
# LDAP
- PORTUS_LDAP_ENABLED=true
- PORTUS_LDAP_HOSTNAME=ldap.dark.kow.is
- PORTUS_LDAP_PORT=389
- PORTUS_LDAP_UID=uid
- PORTUS_LDAP_BASE=ou=Users,dc=dark,dc=kow,dc=is
- PORTUS_LDAP_GROUP_BASE=
- PORTUS_LDAP_FILTER=(memberOf=cn=dockerRegistry,ou=Access,dc=dark,dc=kow,dc=is)
- PORTUS_LDAP_AUTHENTICATION_ENABLED=true
- PORTUS_LDAP_AUTHENTICATION_BIND_DN=cn=portus,ou=Applications,dc=dark,dc=kow,dc=is
- PORTUS_LDAP_AUTHENTICATION_PASSWORD=${LDAP_PASSWORD}
- PORTUS_LDAP_GUESS_EMAIL_ATTR=mail
- PORTUS_LDAP_ENCRYPTION_METHOD=start_tls
- PORTUS_LDAP_ENCRYPTION_OPTIONS_CA_FILE=/certificates/dark.kow.is.crt
- PORTUS_LDAP_ENCRYPTION_OPTIONS_SSL_VERSION=TLSv1_2
- PORTUS_BACKGROUND=true
networks:
- registry_net
volumes:
- ./secrets:/certificates:ro
registry:
image: library/registry:2.6
command: ["/bin/sh", "/etc/docker/registry/init"]
restart: unless-stopped
dns:
- 10.10.220.231
environment:
# Authentication
REGISTRY_AUTH_TOKEN_REALM: https://${MACHINE_FQDN}/v2/token
REGISTRY_AUTH_TOKEN_SERVICE: ${MACHINE_FQDN}
REGISTRY_AUTH_TOKEN_ISSUER: ${MACHINE_FQDN}
#REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /secrets/registry.dark.kow.is.crt
REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /secrets/bundle.crt
# SSL
REGISTRY_HTTP_TLS_CERTIFICATE: /secrets/registry.dark.kow.is.crt
REGISTRY_HTTP_TLS_KEY: /secrets/registry.dark.kow.is.key
# Portus endpoint
REGISTRY_NOTIFICATIONS_ENDPOINTS: >
- name: portus
url: https://${MACHINE_FQDN}/v2/webhooks/events
timeout: 2000ms
threshold: 5
backoff: 1s
volumes:
- /var/lib/portus/registry:/var/lib/registry
- ./secrets:/secrets:ro
- ./registry/config.yml:/etc/docker/registry/config.yml:ro
- ./registry/init:/etc/docker/registry/init:ro
ports:
- 5000:5000
- 5001:5001 # required to access debug service
networks:
- registry_net
nginx:
image: library/nginx:alpine
restart: unless-stopped
dns:
- 10.10.220.231
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./secrets:/secrets:ro
- static:/srv/Portus/public:ro
ports:
- 80:80
- 443:443
networks:
- registry_net
clair:
image: quay.io/coreos/clair:v2.0.8
restart: unless-stopped
dns:
- 10.10.220.231
networks:
- registry_net
ports:
- "6060-6061:6060-6061"
volumes:
- /tmp:/tmp
- ./clair/clair.yml:/clair.yml
command: [-config, /clair.yml]
volumes:
static:
driver: local
networks:
registry_net:
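Review bot: `ports: - "6060-6061:6060-6061"` under `clair:` publishes Clair's API, which the `clair.yml` in this commit leaves without any PKI settings, on every host interface, although its only consumer is Portus at `http://clair:6060` over `registry_net`. The same applies to `- 3000:3000` under `portus:`, which nginx already reaches through its `upstream portus` block; dropping both `ports:` stanzas keeps those services reachable on the internal network only. `- /tmp:/tmp` under `clair:` also gives the container read-write access to the host's `/tmp`; a named volume or `tmpfs: - /tmp` avoids sharing host state with it. Separately, `- 5001:5001 # required to access debug service` exposes the registry's debug listener on the host, which is rarely wanted outside local troubleshooting.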
# This file is largely based on the one written by @Djelibeybi in:
# https://github.com/Djelibeybi/Portus-On-OracleLinux7/
# List of known problems with this file:
#
# NOTE: this file uses only one certificate for the different services. This is
# not the best way to go (see #1906).
# BUG: proxy_ssl_verify is off (NGinx default). This means that certificate
# validation is off on proxied traffic, which is bad (see #1907).
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
charset UTF-8;
# Some basic config.
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# On timeouts.
keepalive_timeout 65;
client_header_timeout 240;
client_body_timeout 240;
fastcgi_read_timeout 249;
reset_timedout_connection on;
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
upstream portus {
least_conn;
server portus:3000 max_fails=3 fail_timeout=15s;
}
upstream registry {
least_conn;
server registry:5000 max_fails=3 fail_timeout=15s;
}
server {
listen 443 ssl http2;
server_name 172.17.0.1;
root /srv/Portus/public;
##
# SSL
ssl on;
# Certificates
ssl_certificate /secrets/registry.dark.kow.is.crt;
ssl_certificate_key /secrets/registry.dark.kow.is.key;
# Enable session resumption to improve https performance
#
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# Disable SSLv3 (enabled by default since nginx 0.8.19)
# since it's less secure than TLS
# http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Ciphers chosen for forward secrecy and compatibility.
#
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
##
# Docker-specific stuff.
proxy_set_header Host $http_host; # required for Docker client sake
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486
# (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
##
# Custom headers.
# Adding HSTS[1] (HTTP Strict Transport Security) to avoid SSL stripping[2].
#
# [1] https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# [2] https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# Don't allow the browser to render the page inside a frame or iframe
# and avoid Clickjacking. More in the following link:
#
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options DENY;
# Disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into
# most recent web browsers. It's usually enabled by default anyway, so the
# role of this header is to re-enable the filter for this particular
# website if it was disabled by the user.
add_header X-XSS-Protection "1; mode=block";
# Add header for IE in compatibility mode.
add_header X-UA-Compatible "IE=edge";
# Redirect (most) requests to /v2/* to the Docker Registry
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass https://registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_buffering on;
}
# Portus needs to handle /v2/token for authentication
location = /v2/token {
proxy_pass https://portus;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_buffering on;
}
# Portus needs to handle /v2/webhooks/events for notifications
location = /v2/webhooks/events {
proxy_pass https://portus;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_buffering on;
}
# Assets are mapped inside of /srv/Portus/public from a shared volume.
location ~ ^/(assets)/ {
access_log off;
gzip_static on;
expires max;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
break;
}
# Portus handles everything else for the UI
location / {
try_files $uri/index.html $uri.html $uri @portus;
}
location @portus {
proxy_pass https://portus;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_buffering on;
}
}
}
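Review bot: The `add_header` directives inside `location /v2/` (`add_header 'Docker-Distribution-Api-Version' ...`) and `location ~ ^/(assets)/` (`Cache-Control`, `Last-Modified`, `ETag`) cause nginx to drop all server-level headers for those responses, because `add_header` is only inherited from the enclosing level when the location defines none of its own; HSTS, X-Frame-Options, X-Content-Type-Options and X-XSS-Protection are therefore never sent on `/v2/` or `/assets/`. Repeating the four server-level `add_header` lines in both locations (or moving them into an included snippet) restores them. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` should become `ssl_protocols TLSv1.2;` — every suite in `ssl_ciphers` is TLS 1.2-only, so the older protocols can only end in a handshake failure — and `ssl on;` is redundant with `listen 443 ssl http2` and deprecated in current nginx. Finally, the compose file publishes `80:80` for this container but no `server` block listens on port 80, so plain-HTTP requests are refused instead of being redirected to HTTPS.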
version: 0.1
storage:
filesystem:
rootdirectory: /var/lib/registry
delete:
enabled: true
http:
addr: 0.0.0.0:5000
debug:
addr: 0.0.0.0:5001
http2:
disabled: false
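Review bot: `debug: addr: 0.0.0.0:5001` binds the registry's debug listener, which serves profiling and health data without authentication, on all interfaces, and the compose file in this commit publishes `5001:5001` on the host. Change it to `addr: 127.0.0.1:5001` (and drop the host port mapping) unless the endpoint is deliberately meant to be scraped from `registry_net`, in which case the mapping alone should go.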
#!/bin/sh
set -x
cp /secrets/dark.kow.is.crt /usr/local/share/ca-certificates
update-ca-certificates
registry serve /etc/docker/registry/config.yml
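Review bot: Without `set -e`, a failing `cp` (for example when `/secrets/dark.kow.is.crt` is not mounted) still lets `update-ca-certificates` and `registry serve` run, so the registry starts without trusting what is presumably the internal CA and its HTTPS notifications to Portus fail later rather than at startup. The registry also runs as a child of `sh`, so the signal from `docker stop` reaches the shell rather than the server and is unlikely to be forwarded. Change the first line to `set -ex` and the last to `exec registry serve /etc/docker/registry/config.yml`.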