From 721536e286befc6f5b4d48008558cccf6920992a Mon Sep 17 00:00:00 2001 From: Stefano Alberto Russo <stefano.russo@gmail.com> Date: Fri, 1 Apr 2022 14:20:10 +0200 Subject: [PATCH] The registry is now exposed by the proxy server under SSL. Adapted the docker-compose-dev.yml file and the standaloneworker accordingly. --- docker-compose-dev.yml | 5 +- services/proxy/proxy-global.conf | 22 ++++++ services/standaloneworker/Dockerfile | 5 ++ services/standaloneworker/entrypoint.sh | 4 + services/standaloneworker/registries.conf | 91 +++++++++++++++++++++++ 5 files changed, 124 insertions(+), 3 deletions(-) create mode 100644 services/standaloneworker/registries.conf diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml index 2e83dff..0134366 100644 --- a/docker-compose-dev.yml +++ b/docker-compose-dev.yml @@ -38,8 +38,6 @@ services: image: "rosetta/dregistry" volumes: - ./data/dregistry:/var/lib/registry - ports: - - "5000:5000" postgres: image: "rosetta/postgres" @@ -70,6 +68,7 @@ services: - TASK_PROXY_HOST=localhost - TASK_TUNNEL_HOST=localhost - ROSETTA_HOST=localhost + - REGISTRY_HOST=proxy # Use same value as ROSETTA_HOST for production or to use "real" computing resurces ports: - "8080:8080" - "7000-7020:7000-7020" @@ -79,7 +78,6 @@ services: - ./data/webapp/log:/var/log/webapp - /var/run/docker.sock:/var/run/docker.sock #- ./services/webapp/code:/opt/code - proxy: image: "rosetta/proxy" @@ -92,6 +90,7 @@ services: - "80:80" - "443:443" - "9000-9020:9000-9020" + - "5000:5000" volumes: - ./data/shared:/shared diff --git a/services/proxy/proxy-global.conf b/services/proxy/proxy-global.conf index a681b87..9290179 100644 --- a/services/proxy/proxy-global.conf +++ b/services/proxy/proxy-global.conf 
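Review bot: The new `- REGISTRY_HOST=proxy` line (second hunk) names a host that cannot match the certificate the proxy serves on port 5000 (the proxy-global.conf hunk uses the rosetta_platform cert files and leaves ServerName commented out), so any client that verifies TLS will reject the connection; this is presumably why the worker's registries.conf marks the registry insecure, which undoes the point of exposing it under SSL. Consider `- REGISTRY_HOST=rosetta.platform` with a matching hosts/DNS entry, or at least extend the inline comment to say that the `proxy` value only works with certificate verification disabled. The last hunk publishes `- "5000:5000"` on all host interfaces; for the dev compose file `- "127.0.0.1:5000:5000"` keeps the registry endpoint, which has no authentication visible in this commit, reachable from the local machine only. The inline comment also misspells "resources".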
@@ -50,4 +50,26 @@ </VirtualHost> +Listen 5000 +<VirtualHost *:5000> + ServerAdmin admin@rosetta.platform + #ServerName ${ROSETTA_HOST} + ProxyPass / http://dregistry:5000/ + ProxyPassReverse / http://dregistry:5000/ + + SSLEngine on + SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt + SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key + SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle + + # Browser-specific fixes + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + # Required for the Open ID connect redirects to work properly + RequestHeader set X-Forwarded-Proto 'https' env=HTTPS + +</VirtualHost> diff --git a/services/standaloneworker/Dockerfile b/services/standaloneworker/Dockerfile index 66c9815..dbd134a 100755 --- a/services/standaloneworker/Dockerfile +++ b/services/standaloneworker/Dockerfile @@ -21,6 +21,11 @@ RUN mkdir /home/testuser/.ssh COPY keys/id_rsa.pub /home/testuser/.ssh/authorized_keys RUN dnf install -y python wget +# Install iputils (ping) +RUN dnf install -y iputils + +# Copy registries.conf to allow insecure access to dregistry +COPY registries.conf /etc/containers/registries.conf #---------------------- # Entrypoint diff --git a/services/standaloneworker/entrypoint.sh b/services/standaloneworker/entrypoint.sh index 646ebf4..f7f16a6 100644 --- a/services/standaloneworker/entrypoint.sh +++ b/services/standaloneworker/entrypoint.sh @@ -8,6 +8,10 @@ set -e chmod 777 /dev/fuse chmod 777 /dev/net/tun +# Add rosetta.platform entry to /etc/hosts +#PROXY_IP=$(ping proxy -c1 | head -n1 | cut -d '(' -f2 | cut -d')' -f1) +#echo "$PROXY_IP rosetta.platform" >> /etc/hosts + #--------------------- # Entrypoint command #--------------------- 
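Review bot: The `<VirtualHost *:5000>` block proxies the whole registry API (`ProxyPass / http://dregistry:5000/`) with no authentication or client restriction in the vhost, so whoever can reach port 5000 can push as well as pull unless dregistry enforces auth itself, which is not visible here; since the workers pull their images from this registry, a write-open endpoint lets anyone replace them. A `<Location />` block with `Require valid-user` (or at least `Require ip` scoped to the compose network for the dev setup) would close this. `#ServerName ${ROSETTA_HOST}` being commented out also means the vhost does not advertise the name the rosetta_platform certificate was issued for, so hostname verification by clients is left to chance. The MSIE BrowserMatch lines and the comment `# Required for the Open ID connect redirects to work properly` look copied from the web vhost and do not describe this endpoint; a comment such as `# X-Forwarded-Proto lets the registry build https:// URLs in redirects behind the proxy` would state the presumable reason the header is set here.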
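Review bot: The `RUN dnf install -y iputils` line exists only to serve the `ping`-based address lookup that entrypoint.sh adds in commented-out form, so it adds a package to the worker image for code that never runs; either drop the line or keep it together with the entrypoint code enabled. If it stays, fold it into the preceding install line (`RUN dnf install -y python wget iputils`) so there is a single package layer instead of two. The comment `# Copy registries.conf to allow insecure access to dregistry` should name the security-relevant effect of the copied file, e.g. `# Copy registries.conf: disables TLS verification for dregistry:5000 and rosetta.platform:5000`.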
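Review bot: The `/etc/hosts` block is committed commented out, so a reader cannot tell whether rosetta.platform is expected to resolve inside the worker or not; if it is needed, resolve the name through the container's resolver instead of parsing ping output, which also removes the iputils dependency: `PROXY_IP=$(getent hosts proxy | cut -d' ' -f1)`. The script runs under `set -e` (hunk header), so if the ping line is ever enabled a failed lookup aborts the entrypoint before the command section below runs. If the lines are not needed, delete them rather than keeping dead code.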
diff --git a/services/standaloneworker/registries.conf b/services/standaloneworker/registries.conf
new file mode 100644
index 0000000..e32f8d0
--- /dev/null
+++ b/services/standaloneworker/registries.conf
@@ -0,0 +1,91 @@
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure. If it is necessary to use one
+# of these registries, it should be added at the end of the list.
+#
+# # An array of host[:port] registries to try when pulling an unqualified image, in order.
+unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"]
+#
+# [[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# #
+# # The prefix can also be of the form: *.example.com for wildcard subdomain
+# # matching.
+# #
+# # If the prefix field is missing, it defaults to be the same as the "location" field.
+# prefix = "example.com/foo"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+# insecure = false
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this is equal to "prefix" (in which case "prefix" can be omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# # prefix = "example.com/foo"
+# # location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+#
+# # The location can be empty iff prefix is in a
+# # wildcarded format: "*.example.com". In this case, the input reference will
+# # be used as-is without any rewrite.
+# location = internal-registry-for-example.com/bar"
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors contains the image,
+# # the primary location specified by the "registry.location" field, or using the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. 
internal-registry-for-example.net/bar/image:latest
+# # in order, and use the first one that exists.
+
+# Enforcing mode for short names is default for Fedora 34 and newer
+short-name-mode="enforcing"
+
+# If you need to access insecure registries, add the registry's fully-qualified name.
+# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+[[registry]]
+location = "dregistry:5000"
+insecure = true
+
+[[registry]]
+location = "rosetta.platform:5000"
+insecure = true
+
-- GitLab
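Review bot: `insecure = true` on `location = "rosetta.platform:5000"` makes the worker accept untrusted certificates and plain HTTP from the TLS-fronted registry, so the SSL exposure this commit adds gives no protection on the pull path and an on-path party could substitute images. The proxy hunk already ships a CA bundle (`/root/certificates/rosetta_platform/rosetta_platform.ca-bundle`); installing it in the worker at `/etc/containers/certs.d/rosetta.platform:5000/ca.crt` (see containers-certs.d(5)) lets the container tools verify the chain, after which the `insecure = true` line for that registry can be removed. The `dregistry:5000` entry bypasses the proxy entirely; keep it only if the worker is really meant to reach the registry container directly, and say so in the comment above it. The copied stock comments carry an unbalanced quote (`location = internal-registry-for-example.com/bar"`), harmless inside a comment but confusing for readers.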