Skip to content
Snippets Groups Projects
Commit 721536e2 authored by Stefano Alberto Russo's avatar Stefano Alberto Russo
Browse files

The registry is now exposed by the proxy server under SSL. Adapted the...

The registry is now exposed by the proxy server under SSL. Adapted the docker-compose-dev.yml file and the standaloneworker accordingly.
parent f3a96c7c
No related branches found
No related tags found
No related merge requests found
...@@ -38,8 +38,6 @@ services: ...@@ -38,8 +38,6 @@ services:
image: "rosetta/dregistry" image: "rosetta/dregistry"
volumes: volumes:
- ./data/dregistry:/var/lib/registry - ./data/dregistry:/var/lib/registry
ports:
- "5000:5000"
postgres: postgres:
image: "rosetta/postgres" image: "rosetta/postgres"
...@@ -70,6 +68,7 @@ services: ...@@ -70,6 +68,7 @@ services:
- TASK_PROXY_HOST=localhost - TASK_PROXY_HOST=localhost
- TASK_TUNNEL_HOST=localhost - TASK_TUNNEL_HOST=localhost
- ROSETTA_HOST=localhost - ROSETTA_HOST=localhost
- REGISTRY_HOST=proxy # Use same value as ROSETTA_HOST for production or to use "real" computing resurces
ports: ports:
- "8080:8080" - "8080:8080"
- "7000-7020:7000-7020" - "7000-7020:7000-7020"
...@@ -79,7 +78,6 @@ services: ...@@ -79,7 +78,6 @@ services:
- ./data/webapp/log:/var/log/webapp - ./data/webapp/log:/var/log/webapp
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
#- ./services/webapp/code:/opt/code #- ./services/webapp/code:/opt/code
proxy: proxy:
image: "rosetta/proxy" image: "rosetta/proxy"
...@@ -92,6 +90,7 @@ services: ...@@ -92,6 +90,7 @@ services:
- "80:80" - "80:80"
- "443:443" - "443:443"
- "9000-9020:9000-9020" - "9000-9020:9000-9020"
- "5000:5000"
volumes: volumes:
- ./data/shared:/shared - ./data/shared:/shared
......
...@@ -50,4 +50,26 @@ ...@@ -50,4 +50,26 @@
</VirtualHost> </VirtualHost>
Listen 5000
<VirtualHost *:5000>
ServerAdmin admin@rosetta.platform
#ServerName ${ROSETTA_HOST}
ProxyPass / http://dregistry:5000/
ProxyPassReverse / http://dregistry:5000/
SSLEngine on
SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
# Browser-specific fixes
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
# Required for the Open ID connect redirects to work properly
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
</VirtualHost>
...@@ -21,6 +21,11 @@ RUN mkdir /home/testuser/.ssh ...@@ -21,6 +21,11 @@ RUN mkdir /home/testuser/.ssh
COPY keys/id_rsa.pub /home/testuser/.ssh/authorized_keys COPY keys/id_rsa.pub /home/testuser/.ssh/authorized_keys
RUN dnf install -y python wget RUN dnf install -y python wget
# Install iputils (ping)
RUN dnf install -y iputils
# Copy registries.conf to allow insecure access to dregistry
COPY registries.conf /etc/containers/registries.conf
#---------------------- #----------------------
# Entrypoint # Entrypoint
......
...@@ -8,6 +8,10 @@ set -e ...@@ -8,6 +8,10 @@ set -e
chmod 777 /dev/fuse chmod 777 /dev/fuse
chmod 777 /dev/net/tun chmod 777 /dev/net/tun
# Add rosetta.platform entry to /etc/hosts
#PROXY_IP=$(ping proxy -c1 | head -n1 | cut -d '(' -f2 | cut -d')' -f1)
#echo "$PROXY_IP rosetta.platform" >> /etc/hosts
#--------------------- #---------------------
# Entrypoint command # Entrypoint command
#--------------------- #---------------------
......
# For more information on this configuration file, see containers-registries.conf(5).
#
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# We recommend always using fully qualified image names including the registry
# server (full dns name), namespace, image name, and tag
# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
# When using short names, there is always an inherent risk that the image being
# pulled could be spoofed. For example, a user wants to pull an image named
# `foobar` from a registry and expects it to come from myregistry.com. If
# myregistry.com is not first in the search list, an attacker could place a
# different `foobar` image at a registry earlier in the search list. The user
# would accidentally pull and run the attacker's image and code rather than the
# intended content. We recommend only adding registries which are completely
# trusted (i.e., registries which don't allow unknown or anonymous users to
# create accounts with arbitrary names). This will prevent an image from being
# spoofed, squatted or otherwise made insecure. If it is necessary to use one
# of these registries, it should be added at the end of the list.
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"]
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
# # (only) the TOML table with the longest match for the input image name
# # (taking into account namespace/repo/tag/digest separators) is used.
# #
# # The prefix can also be of the form: *.example.com for wildcard subdomain
# # matching.
# #
# # If the prefix field is missing, it defaults to be the same as the "location" field.
# prefix = "example.com/foo"
#
# # If true, unencrypted HTTP as well as TLS connections with untrusted
# # certificates are allowed.
# insecure = false
#
# # If true, pulling images with matching names is forbidden.
# blocked = false
#
# # The physical location of the "prefix"-rooted namespace.
# #
# # By default, this is equal to "prefix" (in which case "prefix" can be omitted
# # and the [[registry]] TOML table can only specify "location").
# #
# # Example: Given
# # prefix = "example.com/foo"
# # location = "internal-registry-for-example.net/bar"
# # requests for the image example.com/foo/myimage:latest will actually work with the
# # internal-registry-for-example.net/bar/myimage:latest image.
#
# # The location can be empty iff prefix is in a
# # wildcarded format: "*.example.com". In this case, the input reference will
# # be used as-is without any rewrite.
# location = internal-registry-for-example.com/bar"
#
# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
# #
# # The mirrors are attempted in the specified order; the first one that can be
# # contacted and contains the image will be used (and if none of the mirrors contains the image,
# # the primary location specified by the "registry.location" field, or using the unmodified
# # user-specified reference, is tried last).
# #
# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
# # as if specified in the [[registry]] TOML table directly:
# # - location
# # - insecure
# [[registry.mirror]]
# location = "example-mirror-0.local/mirror-for-foo"
# [[registry.mirror]]
# location = "example-mirror-1.local/mirrors/foo"
# insecure = true
# # Given the above, a pull of example.com/foo/image:latest will try:
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
# # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/image:latest
# # in order, and use the first one that exists.
# Enforcing mode for short names is default for Fedora 34 and newer
short-name-mode="enforcing"
# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
[[registry]]
location = "dregistry:5000"
insecure = true
[[registry]]
location = "rosetta.platform:5000"
insecure = true
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment