Initial draft #2
Conversation
config/nginx.conf
Outdated
|
|
||
| # SSL | ||
| ssl_certificate /etc/nginx/conf.d/domain.crt; | ||
| ssl_certificate_key /etc/nginx/conf.d/domain.key; |
There was a problem hiding this comment.
@manekenpix has certs, he'll know what he wants done here.
config/nginx.conf
Outdated
|
|
||
| # To add basic authentication to v2 use auth_basic setting. | ||
| auth_basic "Registry realm"; | ||
| auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd; |
There was a problem hiding this comment.
This is probably fine to start, until we put in a better GitHub based auth solution.
We'll need to generate nginx.htpasswd with some users to test.
config/registry-config.yaml
Outdated
| service: registry | ||
| storage: | ||
| cache: | ||
| blobdescriptor: inmemory # or redis? |
config/registry-config.yaml
Outdated
| http: | ||
| addr: 443:5000 # Why the 443 -> https://docs.docker.com/registry/configuration/#letsencrypt | ||
| host: docker.cdot.systems | ||
| secret: sUperDuperSecret |
There was a problem hiding this comment.
We can't do this. We'll need an option for how we add this (env?)
docker-compose.yaml
Outdated
| REGISTRY_AUTH_TOKEN_ISSUER: Registry token issuer | ||
| REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /root/certs/bundle | ||
| volumes: | ||
| - /telescope/data:/var/lib/registry |
There was a problem hiding this comment.
We should figure out where in the host we're going to put our stuff.
There was a problem hiding this comment.
I think /usr/share/our_directory would make sense.
There was a problem hiding this comment.
When you say our_directory, would that mean this directory, /mnt/docker0storage/registry?
There was a problem hiding this comment.
Correct, so it would be:
volumes:
- /mnt/docker0storage/registry:/var/lib/registry
Such that the container will overlay /mnt/docker0storage/registry onto /var/lib/registry within the container.
TDDR
force-pushed
the
initial-docker-compose
branch
from
d76c9e8 to
9cb3dbc
Compare
TDDR
force-pushed
the
initial-docker-compose
branch
from
9cb3dbc to
32605b0
Compare
docker-compose.yaml
Outdated
| #https://docs.docker.com/registry/deploying/#deploy-your-registry-using-a-compose-file | ||
| services: | ||
| nginx: | ||
| image: "nginx:alpine" |
There was a problem hiding this comment.
Let's use nginx:stable-alpine. Boring and safe vs cutting edge!
There was a problem hiding this comment.
Do we need to use bcrypt?
There was a problem hiding this comment.
nginx:stable-alpine is still alpine, just a stable vs. development version of nginx
docker-compose.yaml
Outdated
| ports: | ||
| - 5043:443 | ||
| restart: unless-stopped | ||
| links: |
There was a problem hiding this comment.
I don't think we need this, since our registry is named registry already, and will be reachable by nginx.
docker-compose.yaml
Outdated
| links: | ||
| - registry:registry | ||
| volumes: | ||
| - ./auth:/etc/nginx/conf.d |
There was a problem hiding this comment.
@manekenpix where should we put our files in the host? It might make sense to have ./nginx but I don't think auth makes as much sense for these.
There was a problem hiding this comment.
I think a config folder would be ok?
There was a problem hiding this comment.
I had thought the same thing originally, but after going back and looking at the documentation I saw this.
from here https://docs.docker.com/registry/recipes/nginx/#setting-things-up
So I decided to go with the current folder structure. I can create and move it back to a config folder though?
There was a problem hiding this comment.
I think the easiest way to do this is to mimic the layout of what we'll pass in within our repo:
docker-compose.yml
config/ (or this could be called volume/)
etc/
nginx/
conf.d
This way you can look at the overlays we have in our repo, and understand quickly where they end-up in the container.
volumes:
- ./config/etc/nginx/conf.d:/etc/nginx/conf.d
docker-compose.yaml
Outdated
| image: certbot/certbot | ||
| container_name: 'certbot' | ||
| volumes: | ||
| - ../../certbot/conf:/etc/letsencrypt |
There was a problem hiding this comment.
Similar question here, we need to determine our local path
There was a problem hiding this comment.
Maybe somewhere in /etc, like /etc/letsencrypt?
There was a problem hiding this comment.
Yeah, config/etc/letsencrypt would work similar to my comment above.
auth/nginx.conf
Outdated
|
|
||
| server { | ||
| listen 443 ssl; | ||
| server_name docker.cdot.systems; |
There was a problem hiding this comment.
I think we should use a variable here, in case we decide to move it somewhere else.
| server_name docker.cdot.systems; | |
| server_name ${DOMAIN}; |
auth/nginx.conf
Outdated
| # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) | ||
| chunked_transfer_encoding on; | ||
|
|
||
| location /v2/ { |
There was a problem hiding this comment.
Just to make sure I understand. We will push our image to DOMAIN/v2 route?
registry-config.yaml
Outdated
| rootdirectory: /mnt/docker0storage/registry | ||
| http: | ||
| addr: 443:5000 # https://docs.docker.com/registry/configuration/#letsencrypt | ||
| host: docker.cdot.systems |
There was a problem hiding this comment.
Could we change it to ${DOMAIN} like what @manekenpix suggested in one of the other file?
There was a problem hiding this comment.
If we do, we'll have to use envsubst or something to replace the values before we use this file.
auth/nginx.conf
Outdated
| ## See the map directive above where this variable is defined. | ||
| add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; | ||
|
|
||
| proxy_pass http://docker-registry; |
There was a problem hiding this comment.
This should probably be http://registry:${PORT}
There was a problem hiding this comment.
Yeah, we probably don't need the upstream and can use the docker network.
TDDR
force-pushed
the
initial-docker-compose
branch
from
8fd80bf to
f25c5ef
Compare
There was a problem hiding this comment.
We should move toward testing this out.
Because you're using variables in the nginx conf, see the section "Using environment variables in nginx configuration (new in 1.19)" in https://hub.docker.com/_/nginx on how to pass these values in and have the container swap them for you (it won't happen automatically).
config/etc/nginx/conf.d
Outdated
|
|
||
| # SSL | ||
| ssl_certificate /etc/nginx/conf.d/domain.crt; | ||
| ssl_certificate_key /etc/nginx/conf.d/domain.key; |
There was a problem hiding this comment.
@manekenpix where will certbot put these?
There was a problem hiding this comment.
We're setting /etc/letsencrypt below, but I don't know where under there it puts things.
There was a problem hiding this comment.
This should probably be like what we do for telescope's front-end, here.
I think we'll have to change the docker file to match this.
config/etc/nginx/conf.d
Outdated
| return 404; | ||
| } | ||
|
|
||
| # To add basic authentication to v2 use auth_basic setting. |
There was a problem hiding this comment.
NOTE: for testing on the box, we could remove this completely. And when we do token-based/oauth, we won't need it.
config/registry-config.yaml
Outdated
| certificate: /path/to/x509/public | ||
| key: /path/to/x509/private | ||
| letsencrypt: | ||
| cachefile: /path/to/cache-file |
There was a problem hiding this comment.
This section seems wrong. Do we need to do any SSL stuff in here, since nginx is handling it? I doubt it.
config/registry-config.yaml
Outdated
| @@ -0,0 +1,41 @@ | |||
| # https://docs.docker.com/registry/configuration/ | |||
There was a problem hiding this comment.
Where is this file used? it seems we're not passing its path as argument anywhere.
There was a problem hiding this comment.
What's the answer to this question? Can we remove it? If it's going to be used it would be in the docker-compose file below, but you have it commented out.
There was a problem hiding this comment.
I was unsure of the volume naming convention for it, and it would seem that the default configuration is adequate for what we have so far. I'm not sure this config file is needed?
There was a problem hiding this comment.
The only thing we really need from this is to configure auth. Before we can use this for real, we need to have auth. In a follow-up we need:
- GitHub-based auth, https://github.com/cesanta/docker_auth/blob/main/examples/reference.yml#L122-L163
- Probably a Redis instance added to
docker-compose.ymland configured to cache the tokens
There was a problem hiding this comment.
@TDDR delete this file until we need it.
|
After meeting with @manekenpix tonight this should be a testable version of the initial draft. I say should be because I ran out of time to test it out in the box tonight. |
config/etc/nginx/nginx.conf
Outdated
|
|
||
| server { | ||
| listen 443 ssl; | ||
| server_name docker.cdot.systems #${DOMAIN}; |
There was a problem hiding this comment.
Let's remove the comment, and just hard-code this value. It's not going to change often enough to bother with the extra machinery to rotate it based on env vars.
config/registry-config.yaml
Outdated
| @@ -0,0 +1,41 @@ | |||
| # https://docs.docker.com/registry/configuration/ | |||
There was a problem hiding this comment.
What's the answer to this question? Can we remove it? If it's going to be used it would be in the docker-compose file below, but you have it commented out.
TDDR
force-pushed
the
initial-docker-compose
branch
from
5319817 to
8abbeb5
Compare
|
@humphd looks like I was testing it out as you where reviewing. The version that is in here now has been tested and it works
I can either work on resolving the final few comments possibly Saturday or Sunday. Or, maybe we could land what's here and make some issues of the remaining comments? |
config/etc/nginx/nginx.conf
Outdated
|
|
||
| server { | ||
| listen 443 ssl; | ||
| server_name docker.cdot.systems; #${DOMAIN}; |
There was a problem hiding this comment.
Remove the comment at the end of the line.
config/registry-config.yaml
Outdated
| @@ -0,0 +1,41 @@ | |||
| # https://docs.docker.com/registry/configuration/ | |||
There was a problem hiding this comment.
The only thing we really need from this is to configure auth. Before we can use this for real, we need to have auth. In a follow-up we need:
- GitHub-based auth, https://github.com/cesanta/docker_auth/blob/main/examples/reference.yml#L122-L163
- Probably a Redis instance added to
docker-compose.ymland configured to cache the tokens
docker-compose.yaml
Outdated
| image: registry:2 | ||
| volumes: | ||
| - /mnt/docker0storage/registry:/var/lib/registry | ||
| #- ./config/registry-config.yaml:/config/registry-config.yaml Untested use of the registry-config.yaml file |
There was a problem hiding this comment.
Let's remove this if not being used instead of commenting out.
config/registry-config.yaml
Outdated
| @@ -0,0 +1,41 @@ | |||
| # https://docs.docker.com/registry/configuration/ | |||
There was a problem hiding this comment.
@TDDR delete this file until we need it.
TDDR
force-pushed
the
initial-docker-compose
branch
from
2ba7b21 to
8231325
Compare
|
@TDDR let's merge this, first of many! |
This is my initial draft of how I think the
docker-compose,registry-config, and thenginx.configshould look like.I know there is still a lot of work to be done but I figured I would get something up so we can start collaborating.
I included the links for the templates I used to make each of the files at the top of each file. I made altercations to both the
docker-composeand theregistry-config. Thenginx.confhowever was a straight cut and paste from the linked website.