From: Jim Curtis Date: Mon, 5 Dec 2016 01:05:55 +0000 (-0800) Subject: Adding playbook directory for creating private docker registry X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=c03c77c25b1699fe8983f38b1d432d4b8f5aca9f;p=ceph-build.git Adding playbook directory for creating private docker registry --- diff --git a/ansible/private-docker-registry/README.md b/ansible/private-docker-registry/README.md new file mode 100644 index 000000000..287554f64 --- /dev/null +++ b/ansible/private-docker-registry/README.md 
@@ -0,0 +1,86 @@ +private-registry +================ + +Ansible playbook for deploying a self-signed private docker registry container. + +## What does it do? + +This playbook will generate a self-signed cert and start a private docker +registry container using that cert. This private docker registry can then +be used by any client that has the cert. + +This directory also includes vagrant files that will spin up two VMs and then +run the ansible playbook to provision one as a private docker registry and the +other as a test client to validate that it can use the self-signed cert to +push an image to the private docker registry on the other node. + +## Running Vagrant to Provision and Test + +* Edit vagrant_variables.yml and change the `vagrant_box` variable if needed +* Use `vsgrant up` command to deploy and provision the VMs + +When the playbook completes successfully, it will have started the private +docker registry container and used the other VM to test pushing a test image +to that private docker container. + +## Running the playbook against an existing machine + +When you are ready to provision onto an existing machine, first make sure +that docker is installed on that machine. + +In the top directory of this playbook where the site.yml file exist, add +an `ansible-hosts` file to specify the machine you want to provision. It +should look something like this: + +``` +--- +[registry] +ceph-docker-registry ansible_host=xx.xx.xx.xx ansible_port=2222 ansible_user=ubuntu +``` + +Once this is specified, you are ready to run the playbook with: + +``` +ansible-playbook -i ansible-hosts site.yml +``` + +Once the playbook is complete you can go out to your machine and do a +`sudo docker ps` to see the private registry container running. + +Any other docker client machine can now push to or pull from this private +registry if it has the self-signed cert in its docker certs directory. 
To +enable this on another machine: + +* Create the directory on the client machine to hold the cert + +``` +$ sudo mkdir /etc/docker/certs.d/XX.XX.XX.XX\:5000 +``` + +where `XX.XX.XX.XX` is the ip address of your private registry machine + +* Copy the self-signed certificate from the private registry machine and place the cert in the newly created directory + +``` +$ scp XX.XX.XX.XX:/var/registry/certs/self.crt /etc/docker/certs.d/XX.XX.XX.XX\:5000/ca.crt +``` + +where `XX.XX.XX.XX` is the ip address of your private registry machine + +Now you should be able to push images to and pull images from your private docker registry. + +* To tag an image before pushing it to the private docker registry + +``` +$ docker tag myimage XX.XX.XX.XX\:5000/myimage +``` + +* To push the tagged image to the private docker registry +``` +$ docker push XX.XX.XX.XX\:5000/myimage +``` + +* To pull an image from the private docker registry +``` +$ docker pull XX.XX.XX.XX\:5000/someimage +``` diff --git a/ansible/private-docker-registry/Vagrantfile b/ansible/private-docker-registry/Vagrantfile new file mode 100644 index 000000000..cf3cf8737 --- /dev/null +++ b/ansible/private-docker-registry/Vagrantfile 
@@ -0,0 +1,68 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +require 'yaml' +VAGRANTFILE_API_VERSION = '2' + +config_file=File.expand_path(File.join(File.dirname(__FILE__), 'vagrant_variables.yml')) +settings=YAML.load_file(config_file) + +BOX = settings['vagrant_box'] +SYNC_DIR = settings['vagrant_sync_dir'] +MEMORY = settings['memory'] +TEST_CLIENT_VM = settings['provision_test_client_vm'] + +ansible_provision = proc do |ansible| + ansible.playbook = 'site.yml' + ansible.groups = { + "registry" => ["docker-registry"] + } + if TEST_CLIENT_VM then + ansible.groups['testclient'] = "docker-reg-test" + end + + ansible.limit = 'all' +end + +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + config.vm.box = BOX + config.ssh.insert_key = false # workaround for https://github.com/mitchellh/vagrant/issues/5048 + + # Faster bootup. Disable if you need this for libvirt + config.vm.provider :libvirt do |v,override| + override.vm.synced_folder '.', SYNC_DIR, disabled: true + end + + if TEST_CLIENT_VM then + config.vm.define "docker-reg-test" do |regtest| + regtest.vm.hostname = "docker-reg-test" + end + end + + config.vm.define "docker-registry" do |registry| + registry.vm.hostname = "docker-registry" + # Virtualbox + registry.vm.provider :virtualbox do |vb| + vb.customize ['modifyvm', :id, '--memory', "#{MEMORY}"] + end + + # VMware + registry.vm.provider :vmware_fusion do |v| + v.vmx['memsize'] = "#{MEMORY}" + end + + # Libvirt + registry.vm.provider :libvirt do |lv| + lv.memory = MEMORY + end + + # Parallels + registry.vm.provider "parallels" do |prl| + prl.name = "docker-registry" + prl.memory = "#{MEMORY}" + end + + # Run the provisioner after the machine comes up + registry.vm.provision 'ansible', &ansible_provision + end +end diff --git a/ansible/private-docker-registry/group_vars/all b/ansible/private-docker-registry/group_vars/all new file mode 100644 index 000000000..1cef26b76 --- /dev/null +++ b/ansible/private-docker-registry/group_vars/all 
@@ -0,0 +1,2 @@ +--- +dummy: diff --git a/ansible/private-docker-registry/roles/docker-registry/tasks/main.yml b/ansible/private-docker-registry/roles/docker-registry/tasks/main.yml new file mode 100644 index 000000000..5947b6847 --- /dev/null +++ b/ansible/private-docker-registry/roles/docker-registry/tasks/main.yml @@ -0,0 +1,46 @@ +--- +- name: create directory for self-signed SSL cert + file: path=/var/registry/certs state=directory + +- name: create self-signed cfssl json file + template: + src: "{{ role_path }}/templates/self-csr.json.j2" + dest: ./self-csr.json + +- name: get cfssl + get_url: + url: https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 + dest: ./cfssl + mode: 0755 + +- name: get cfssljson + get_url: + url: https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 + dest: ./cfssljson + mode: 0755 + +- name: gencert + shell: ./cfssl gencert -initca self-csr.json | ./cfssljson -bare ca + +- name: push self-signed cfssl cert to the ansible server + fetch: + src: ca.pem + dest: fetch/certs/self.crt + flat: yes + +- name: mv the cert to be accessible by container + command: mv ca.pem /var/registry/certs/self.crt + +- name: mv the key to be accessible by container + command: mv ca-key.pem /var/registry/certs/self.key + +- name: start registry container + command: docker run -d --name=docker-registry \ + -p 5000:5000 \ + --privileged=true \ + --restart=unless-stopped \ + -v /var/registry:/var/registry \ + -e STORAGE_PATH=/var/registry/data \ + -e REGISTRY_HTTP_TLS_CERTIFICATE=/var/registry/certs/self.crt \ + -e REGISTRY_HTTP_TLS_KEY=/var/registry/certs/self.key \ + registry diff --git a/ansible/private-docker-registry/roles/docker-registry/templates/self-csr.json.j2 b/ansible/private-docker-registry/roles/docker-registry/templates/self-csr.json.j2 new file mode 100644 index 000000000..3ebfb0e27 --- /dev/null +++ b/ansible/private-docker-registry/roles/docker-registry/templates/self-csr.json.j2 
@@ -0,0 +1,19 @@ +{ + "CN": "docker-registry", + "hosts": [ + "{{ ansible_default_ipv4.address }}", + "127.0.0.1" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "XX", + "L": "Default City", + "O": "Default Company Ltd", + "ST": "." + } + ] +} diff --git a/ansible/private-docker-registry/roles/test-client/tasks/main.yml b/ansible/private-docker-registry/roles/test-client/tasks/main.yml new file mode 100644 index 000000000..34d223096 --- /dev/null +++ b/ansible/private-docker-registry/roles/test-client/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- name: create directory for self-signed cert of docker-registry + file: path=/etc/docker/certs.d/{{ hostvars['docker-registry']['ansible_default_ipv4']['address'] }}:5000 state=directory + +- name: copy self-signed cert of docker-registry + copy: + src: fetch/certs/self.crt + dest: /etc/docker/certs.d/{{ hostvars['docker-registry']['ansible_default_ipv4']['address'] }}:5000/ca.crt + +- name: pull a small image from docker hub + command: docker pull busybox + +- name: tag image + command: docker tag busybox {{ hostvars['docker-registry']['ansible_default_ipv4']['address'] }}:5000/mybusybox + +- name: push tagged image to private registry + command: docker push {{ hostvars['docker-registry']['ansible_default_ipv4']['address'] }}:5000/mybusybox diff --git a/ansible/private-docker-registry/site.yml b/ansible/private-docker-registry/site.yml new file mode 100644 index 000000000..2afe6fb92 --- /dev/null +++ b/ansible/private-docker-registry/site.yml @@ -0,0 +1,12 @@ +--- +# Defines deployment design and assigns role to server groups + +- hosts: registry + become: True + roles: + - docker-registry + +- hosts: testclient + become: True + roles: + - test-client diff --git a/ansible/private-docker-registry/vagrant_variables.yml b/ansible/private-docker-registry/vagrant_variables.yml new file mode 100644 index 000000000..78ea46eee --- /dev/null +++ b/ansible/private-docker-registry/vagrant_variables.yml 
@@ -0,0 +1,7 @@ +--- +provision_test_client_vm: true +memory: 1024 +vagrant_box: centos/atomic-host +# The sync directory changes based on vagrant box +# Set to /home/vagrant/sync for Centos/7, /home/{ user }/vagrant for openstack and defaults to /vagrant +vagrant_sync_dir: /home/vagrant/sync
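Review bot: in README.md, the `ansible-hosts` example begins with `---`, which is a YAML document marker and not INI inventory syntax; Ansible's INI parser treats that line as an ungrouped host entry instead of ignoring it, so drop it and keep only the `[registry]` header and the host line. Two more issues in the same hunk: `vsgrant up` should read `vagrant up`, and the client-side `scp XX.XX.XX.XX:/var/registry/certs/self.crt /etc/docker/certs.d/XX.XX.XX.XX\:5000/ca.crt` writes into a root-owned directory that was created with `sudo mkdir` one step earlier, so for a normal user it needs `sudo` (or an scp to a temporary path followed by `sudo mv`). It is also worth stating in the README that `ca.crt` is the only file a client needs and that `self.key` must never leave the registry host.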
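Review bot: in the Vagrantfile, `ansible.groups['testclient'] = "docker-reg-test"` assigns a bare string while the `registry` entry two lines above uses an array (`"registry" => ["docker-registry"]`); use `["docker-reg-test"]` so both entries have the hash-of-arrays shape the Vagrant ansible provisioner documents. Two points for comments rather than code changes: `config.ssh.insert_key = false` leaves Vagrant's well-known insecure key as the only SSH key on both VMs (the linked issue explains why it is needed), which is acceptable only for throwaway test VMs that are not reachable beyond the host; and the memory and provider overrides are applied only inside the `docker-registry` define, so `docker-reg-test` silently gets the box default rather than `MEMORY`.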
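Review bot: `group_vars/all` contains only the `dummy:` placeholder, yet port `5000`, `/var/registry`, `/var/registry/certs/self.crt` and `self.key` are hard-coded separately in the docker-registry role, the CSR template, the test-client role and the README; define them once here (for example `registry_port`, `registry_dir`) and reference them from the roles so a port or path change does not require editing four files.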
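Review bot: in roles/docker-registry/tasks/main.yml, `--privileged=true` in the `start registry container` task gives the container every host capability and device, which a registry that only serves files over TLS does not need; remove it, since `-p 5000:5000` and the `/var/registry` bind mount are all it requires. In the same task the image is untagged and the environment mixes the old `STORAGE_PATH` variable with the v2 `REGISTRY_HTTP_TLS_*` variables; pin `registry:2` and set `REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/registry/data` so the storage location is actually honoured. Earlier in the hunk, both `get_url` tasks download the cfssl binaries and execute them with no `checksum:`, so a changed or tampered download runs unverified; add `checksum: sha256:<expected digest>` to each. The `gencert` step runs `cfssl gencert -initca`, which means the CA key itself becomes `self.key` on the registry host: whoever obtains that file can issue certificates trusted by every client that installed `ca.crt`, so prefer a separate leaf certificate signed by the CA with the CA key kept off the host, and in any case follow the `mv ca-key.pem` task with a `file` task that sets an explicit `mode: 0600` rather than relying on whatever mode cfssljson wrote. Finally, the `shell`/`command` tasks are not idempotent: the two `mv` commands and `docker run` fail on a second run; add `args: creates: /var/registry/certs/self.key` to the gencert and mv tasks and guard the container start the same way.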
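Review bot: in self-csr.json.j2, the `hosts` list contains only `{{ ansible_default_ipv4.address }}` and `127.0.0.1`, so a client that reaches the registry by the name in `CN` (`docker-registry`) or by any other address fails TLS hostname verification; add `{{ inventory_hostname }}` and `{{ ansible_fqdn }}` (and any further address the registry is reachable on) to `hosts`, since only the SAN list is consulted for the match. The `names` block is the cfssl placeholder (`"C": "XX"`, `"ST": "."`); either turn those fields into template variables or drop the block.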
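Review bot: every task in roles/test-client/tasks/main.yml keys on `hostvars['docker-registry']['ansible_default_ipv4']['address']`, which only resolves when the registry host is literally named `docker-registry` and its facts were gathered in the same `ansible-playbook` run; with the README's `ceph-docker-registry ansible_host=...` inventory the first task fails on an undefined variable. Derive the address from the group instead, e.g. `hostvars[groups['registry'][0]]['ansible_default_ipv4']['address']`, or read it from a group variable, and document that `src: fetch/certs/self.crt` likewise exists only because the registry role's `fetch` task ran in the same invocation. The test also stops at `docker push`, which proves the client trusts the certificate but never exercises the read path; a closing `docker pull` of the pushed tag would confirm the registry actually serves what it stored.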
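Review bot: site.yml runs a second play against `hosts: testclient`, but the README's inventory example defines no such group, so on an existing-machine run Ansible only emits a "could not match host pattern" warning and skips the play; note in the README that the test client is optional and show the `[testclient]` section for users who want the push test outside Vagrant.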
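Review bot: the comment above `vagrant_sync_dir` in vagrant_variables.yml describes per-box mount paths, but the Vagrantfile only uses `SYNC_DIR` in `override.vm.synced_folder '.', SYNC_DIR, disabled: true`, i.e. to disable the synced folder under libvirt, so the value never selects a mount path; either reword the comment to say so or drop the variable. `/home/{ user }/vagrant` is also a placeholder that the comment should mark as needing substitution.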