--- /dev/null
+private-registry
+================
+
+Ansible playbook for deploying a self-signed private docker registry container.
+
+## What does it do?
+
+This playbook will generate a self-signed cert and start a private docker
+registry container using that cert. This private docker registry can then
+be used by any client that has the cert.
+
+This directory also includes vagrant files that will spin up two VMs and then
+run the ansible playbook to provision one as a private docker registry and the
+other as a test client to validate that it can use the self-signed cert to
+push an image to the private docker registry on the other node.
+
+## Running Vagrant to Provision and Test
+
+* Edit vagrant_variables.yml and change the `vagrant_box` variable if needed
+* Use `vsgrant up` command to deploy and provision the VMs
+
+When the playbook completes successfully, it will have started the private
+docker registry container and used the other VM to test pushing a test image
+to that private docker container.
+
+## Running the playbook against an existing machine
+
+When you are ready to provision onto an existing machine, first make sure
+that docker is installed on that machine.
+
+In the top directory of this playbook where the site.yml file exist, add
+an `ansible-hosts` file to specify the machine you want to provision. It
+should look something like this:
+
+```
+---
+[registry]
+ceph-docker-registry ansible_host=xx.xx.xx.xx ansible_port=2222 ansible_user=ubuntu
+```
+
+Once this is specified, you are ready to run the playbook with:
+
+```
+ansible-playbook -i ansible-hosts site.yml
+```
+
+Once the playbook is complete you can go out to your machine and do a
+`sudo docker ps` to see the private registry container running.
+
+Any other docker client machine can now push to or pull from this private
+registry if it has the self-signed cert in its docker certs directory. To
+enable this on another machine:
+
+* Create the directory on the client machine to hold the cert
+
+```
+$ sudo mkdir /etc/docker/certs.d/XX.XX.XX.XX\:5000
+```
+
+where `XX.XX.XX.XX` is the ip address of your private registry machine
+
+* Copy the self-signed certificate from the private registry machine and place the cert in the newly created directory
+
+```
+$ scp XX.XX.XX.XX:/var/registry/certs/self.crt /etc/docker/certs.d/XX.XX.XX.XX\:5000/ca.crt
+```
+
+where `XX.XX.XX.XX` is the ip address of your private registry machine
+
+Now you should be able to push images to and pull images from your private docker registry.
+
+* To tag an image before pushing it to the private docker registry
+
+```
+$ docker tag myimage XX.XX.XX.XX\:5000/myimage
+```
+
+* To push the tagged image to the private docker registry
+```
+$ docker push XX.XX.XX.XX\:5000/myimage
+```
+
+* To pull an image from the private docker registry
+```
+$ docker pull XX.XX.XX.XX\:5000/someimage
+```
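Review bot: the inventory example under "Running the playbook against an existing machine" opens with a `---` line, which is YAML front matter and not valid in an INI-style inventory; drop it so `ansible-playbook -i ansible-hosts site.yml` parses the `[registry]` group cleanly. The same example names the host `ceph-docker-registry`, yet the test-client role looks the registry up as `hostvars['docker-registry']`, so the README should either use `docker-registry` as the inventory name or explain that coupling. Two smaller fixes: `vsgrant up` should read `vagrant up`, and the `scp ... /etc/docker/certs.d/XX.XX.XX.XX\:5000/ca.crt` step needs root on the client (the directory was just created with `sudo mkdir`), so it should be run via `sudo` or staged through a writable path first.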
--- /dev/null
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+require 'yaml'
+VAGRANTFILE_API_VERSION = '2'
+
+config_file=File.expand_path(File.join(File.dirname(__FILE__), 'vagrant_variables.yml'))
+settings=YAML.load_file(config_file)
+
+BOX = settings['vagrant_box']
+SYNC_DIR = settings['vagrant_sync_dir']
+MEMORY = settings['memory']
+TEST_CLIENT_VM = settings['provision_test_client_vm']
+
+ansible_provision = proc do |ansible|
+ ansible.playbook = 'site.yml'
+ ansible.groups = {
+ "registry" => ["docker-registry"]
+ }
+ if TEST_CLIENT_VM then
+ ansible.groups['testclient'] = "docker-reg-test"
+ end
+
+ ansible.limit = 'all'
+end
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+ config.vm.box = BOX
+ config.ssh.insert_key = false # workaround for https://github.com/mitchellh/vagrant/issues/5048
+
+ # Faster bootup. Disable if you need this for libvirt
+ config.vm.provider :libvirt do |v,override|
+ override.vm.synced_folder '.', SYNC_DIR, disabled: true
+ end
+
+ if TEST_CLIENT_VM then
+ config.vm.define "docker-reg-test" do |regtest|
+ regtest.vm.hostname = "docker-reg-test"
+ end
+ end
+
+ config.vm.define "docker-registry" do |registry|
+ registry.vm.hostname = "docker-registry"
+ # Virtualbox
+ registry.vm.provider :virtualbox do |vb|
+ vb.customize ['modifyvm', :id, '--memory', "#{MEMORY}"]
+ end
+
+ # VMware
+ registry.vm.provider :vmware_fusion do |v|
+ v.vmx['memsize'] = "#{MEMORY}"
+ end
+
+ # Libvirt
+ registry.vm.provider :libvirt do |lv|
+ lv.memory = MEMORY
+ end
+
+ # Parallels
+ registry.vm.provider "parallels" do |prl|
+ prl.name = "docker-registry"
+ prl.memory = "#{MEMORY}"
+ end
+
+ # Run the provisioner after the machine comes up
+ registry.vm.provision 'ansible', &ansible_provision
+ end
+end
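Review bot: `ansible.groups['testclient'] = "docker-reg-test"` assigns a bare string while the `registry` group two lines above uses an array (`["docker-registry"]`); make it `["docker-reg-test"]` so the generated inventory groups are consistent. Two further points: the memory and provider customizations live only inside the `docker-registry` define, so the `docker-reg-test` VM ignores `memory` from vagrant_variables.yml and gets provider defaults; and `config.ssh.insert_key = false` leaves the publicly known Vagrant insecure key on both VMs, which is fine for throwaway test boxes but should not be carried into any Vagrantfile that provisions machines reachable beyond the host.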
--- /dev/null
+---
+dummy:
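Review bot: `dummy:` in the role's defaults/main.yml is a placeholder no task consumes; either drop the file or replace it with the values the tasks hard-code (the `/var/registry` path, the `5000` port, the cfssl download URLs) so they can be overridden per inventory.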
--- /dev/null
+---
+- name: create directory for self-signed SSL cert
+ file: path=/var/registry/certs state=directory
+
+- name: create self-signed cfssl json file
+ template:
+ src: "{{ role_path }}/templates/self-csr.json.j2"
+ dest: ./self-csr.json
+
+- name: get cfssl
+ get_url:
+ url: https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
+ dest: ./cfssl
+ mode: 0755
+
+- name: get cfssljson
+ get_url:
+ url: https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
+ dest: ./cfssljson
+ mode: 0755
+
+- name: gencert
+ shell: ./cfssl gencert -initca self-csr.json | ./cfssljson -bare ca
+
+- name: push self-signed cfssl cert to the ansible server
+ fetch:
+ src: ca.pem
+ dest: fetch/certs/self.crt
+ flat: yes
+
+- name: mv the cert to be accessible by container
+ command: mv ca.pem /var/registry/certs/self.crt
+
+- name: mv the key to be accessible by container
+ command: mv ca-key.pem /var/registry/certs/self.key
+
+- name: start registry container
+ command: docker run -d --name=docker-registry \
+ -p 5000:5000 \
+ --privileged=true \
+ --restart=unless-stopped \
+ -v /var/registry:/var/registry \
+ -e STORAGE_PATH=/var/registry/data \
+ -e REGISTRY_HTTP_TLS_CERTIFICATE=/var/registry/certs/self.crt \
+ -e REGISTRY_HTTP_TLS_KEY=/var/registry/certs/self.key \
+ registry
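Review bot: the two `get_url` tasks download executable binaries from pkg.cfssl.org and the `gencert` task runs them with no integrity check; add `checksum: sha256:<expected digest>` to each so a tampered or truncated download fails the play instead of being executed as root. In the `start registry container` task, `--privileged=true` hands the container full host capabilities, which a registry that only binds port 5000 and writes under `/var/registry` does not need; remove it. That task also mixes registry generations: `STORAGE_PATH` is the v1 registry's setting while `REGISTRY_HTTP_TLS_CERTIFICATE`/`REGISTRY_HTTP_TLS_KEY` are v2 names, and the untagged `registry` image floats; pin `registry:2` and use `REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY` for the data path. Finally, the `shell`, `mv` and `docker run` tasks are not idempotent: a second run regenerates the CA, invalidating the cert already distributed to clients, and `docker run` fails because the container name exists; guard them with `creates:` or switch to the `docker_container` module.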
--- /dev/null
+{
+ "CN": "docker-registry",
+ "hosts": [
+ "{{ ansible_default_ipv4.address }}",
+ "127.0.0.1"
+ ],
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "XX",
+ "L": "Default City",
+ "O": "Default Company Ltd",
+ "ST": "."
+ }
+ ]
+}
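Review bot: the `hosts` list in self-csr.json.j2 contains only the default IPv4 address and 127.0.0.1, so the certificate validates only when clients address the registry by that IP; the `CN` of `docker-registry` is not a SAN and Go's TLS verification (which Docker uses) matches on SANs, so add the hostname (e.g. `{{ ansible_hostname }}` or `{{ inventory_hostname }}`) to `hosts` if clients will use a name. The `"C": "XX"`, `"L"`, `"O"` and `"ST": "."` placeholder fields should be templated from role variables or dropped rather than baked into every issued cert.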
--- /dev/null
+---
+- name: create directory for self-signed cert of docker-registry
+ file: path=/etc/docker/certs.d/{{ hostvars['docker-registry']['ansible_default_ipv4']['address'] }}:5000 state=directory
+
+- name: copy self-signed cert of docker-registry
+ copy:
+ src: fetch/certs/self.crt
+ dest: /etc/docker/certs.d/{{ hostvars['docker-registry']['ansible_default_ipv4']['address'] }}:5000/ca.crt
+
+- name: pull a small image from docker hub
+ command: docker pull busybox
+
+- name: tag image
+ command: docker tag busybox {{ hostvars['docker-registry']['ansible_default_ipv4']['address'] }}:5000/mybusybox
+
+- name: push tagged image to private registry
+ command: docker push {{ hostvars['docker-registry']['ansible_default_ipv4']['address'] }}:5000/mybusybox
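Review bot: every task in the test-client role indexes `hostvars['docker-registry']`, so the play fails whenever the registry host carries any other inventory name (the README example uses `ceph-docker-registry`); resolve the address from the group instead, e.g. `hostvars[groups['registry'][0]]['ansible_default_ipv4']['address']`, and set it once with `set_fact` rather than repeating the lookup in four tasks. The `copy` task also assumes `fetch/certs/self.crt` was produced by the registry play in the same run and has no check for it, so a run with `--limit testclient` fails with an unhelpful missing-file error.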
--- /dev/null
+---
+# Defines deployment design and assigns role to server groups
+
+- hosts: registry
+ become: True
+ roles:
+ - docker-registry
+
+- hosts: testclient
+ become: True
+ roles:
+ - test-client
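Review bot: the `testclient` play depends on the `registry` play having already fetched the certificate into `fetch/certs/` on the control node; that ordering holds for a full run but not with `--limit` or `--tags`, so state the dependency in the header comment or add a `pre_tasks` `stat` check on the fetched file before the `test-client` role runs.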
--- /dev/null
+---
+provision_test_client_vm: true
+memory: 1024
+vagrant_box: centos/atomic-host
+# The sync directory changes based on vagrant box
+# Set to /home/vagrant/sync for Centos/7, /home/{ user }/vagrant for openstack and defaults to /vagrant
+vagrant_sync_dir: /home/vagrant/sync