Monday, July 24, 2017

Registry Option: SUSE Portus

An Open Source alternative to Docker Trusted Registry is Portus from SUSE. This is a front end to a private Open Source registry that allows for fine-grained control of registry access and content: it can manage users, teams, and namespaces (no, not the kernel ones). It can integrate with LDAP for authentication, offers an audit trail, and can be extended for security scanning.
Portus dashboard with activity log
To play with Portus, we need:
  1. docker-compose
  2. a private registry
  3. Portus


docker-compose

There are various ways to get docker-compose. If it is available in your distribution, simply install the package. If not, it can be installed through Python's pip. pip may be part of your distribution (search for python-pip), or it can be installed (make sure you have Python installed) through:
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
Then docker-compose can be installed with
pip install docker-compose

A private registry

Check out http://containerz.blogspot.com/2016/07/a-private-registry-building-and-using.html to build and run a private registry.
Note: Portus' latest release v2.3 uses version 2.3.1 of the open source registry. To build this specific version, simply check out version 2.3.1 instead of 2.4.1 as shown in the example.
To quickly start playing with Portus, it may be sufficient to not use certificates as shown in the registry post. In that case, make sure you add
"insecure-registries":["your-host-name:5000"]
to /etc/docker/daemon.json. However, always use certificates when considering a more serious environment, let alone production!
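A check for exceptions of this kind that were left behind after the playground phase, as an added example that is not part of the original post: the function takes the text of a daemon.json and reports every insecure-registries entry. The severity labels and the sample file content are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: the entry from this post plus two CIDR-style entries.
SAMPLE_DAEMON_JSON = """
{
  "insecure-registries": ["your-host-name:5000", "10.0.0.0/8", "127.0.0.0/8"]
}
"""


def audit_insecure_registries(daemon_json_text):
    """Return a list of (entry, severity, reason) for each insecure registry."""
    config = json.loads(daemon_json_text)
    findings = []
    for entry in config.get("insecure-registries", []):
        try:
            # Docker also accepts CIDR ranges here; a range exempts every
            # registry address inside it from TLS verification.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # host name or host:port, not an address range
        if net is not None and net.is_loopback:
            findings.append((entry, "info", "loopback only"))
        elif net is not None and net.num_addresses > 1:
            findings.append(
                (entry, "high", "whole address range without TLS verification"))
        else:
            findings.append(
                (entry, "medium", "single registry without TLS verification"))
    return findings


if __name__ == "__main__":
    for entry, severity, reason in audit_insecure_registries(SAMPLE_DAEMON_JSON):
        print(f"{severity:6} {entry:22} {reason}")
```

On a real host, pass the content of /etc/docker/daemon.json instead of the sample string.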

Portus

Run
git clone https://github.com/SUSE/Portus.git
cd Portus/
git checkout v2.3
As long as the set of official images does not include s390x, we have to make small changes to make it run smoothly, as shown in this patch:
diff --git a/Dockerfile b/Dockerfile
index 4460ff1..160d580 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM library/ruby:2.3.1
+FROM s390x/ruby:2.3
 MAINTAINER Flavio Castelli <fcastelli@suse.com>

 ENV COMPOSE=1
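Review bot: the new "FROM s390x/ruby:2.3" line replaces a patch-level pin (2.3.1) with a floating minor tag, so two builds of the same checkout can end up on different base images. Pin the full version or the image digest ("FROM s390x/ruby@sha256:<digest>") so that a v2.3 build stays reproducible.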
@@ -7,7 +7,8 @@ EXPOSE 3000
 WORKDIR /portus
 COPY Gemfile* ./
 RUN bundle install --retry=3 && bundle binstubs phantomjs
-RUN apt-get update && \
+RUN echo deb http://ftp.de.debian.org/debian stretch main >> /etc/apt/sources.list && \
+    apt-get update && \

     apt-get install -y --no-install-recommends nodejs

 ADD . .
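Review bot: the added "echo deb http://ftp.de.debian.org/debian stretch main >> /etc/apt/sources.list" line makes every package in stretch a candidate for this and any later apt-get run in the image, not just nodejs, on top of whatever release the base image is built on. Put the entry in a file of its own under /etc/apt/sources.list.d/ and add an apt preferences pin so that only nodejs is taken from stretch.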
diff --git a/docker-compose.yml b/docker-compose.yml
index 872d117..a4af7e4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,12 +28,12 @@ services:
       - db

   db:
-    image: library/mariadb:10.0.23
+    image: sinenomine/mariadb-s390x
     environment:
       MYSQL_ROOT_PASSWORD: portus

   registry:
-    image: library/registry:2.3.1
+    image: distribution:2.3.1
     environment:
       - REGISTRY_AUTH_TOKEN_REALM=http://${EXTERNAL_IP}:3000/v2/token
       - REGISTRY_AUTH_TOKEN_SERVICE=${EXTERNAL_IP}:${REGISTRY_PORT}
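Review bot: "image: sinenomine/mariadb-s390x" drops the tag, so the database now follows whatever "latest" points to in a third-party repository, where the old line pinned 10.0.23. Pin a tag or digest here. "image: distribution:2.3.1" has no build: entry in this hunk, so it only resolves if the image was built locally beforehand; a comment in the file saying so would help.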
Then simply run
./compose-setup.sh -e your-host-name
which will start all the components up. You will then be able to browse to http://your-host-name:3000/ and create the administrator login. The admin can then create additional users, assign them to teams, and define namespaces (prefix of repositories) that belong to these teams.
Defining a team
Eventually images can be uploaded by authorized users into these namespaces.
Showing namespace details
To explore all the capabilities and advanced setup possibilities, see http://port.us.org/documentation.html.

PS: If you want to play with the latest version of Portus, the tweaks for s390x are (at the time of writing) slightly different:
Create yarn/Dockerfile containing:
FROM s390x/debian:sid
RUN apt-get update && apt-get install -y curl apt-transport-https \
        nodejs npm nodejs-legacy && \
        npm install --global yarn
WORKDIR /workspace
Then build with "docker build -t yarn yarn".
The changes in the Portus tree are (note .env can contain your-host-name):
diff --git a/.env b/.env
index e18af26..a5667ef 100644
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
-MACHINE_FQDN=172.17.0.1

+MACHINE_FQDN=s38lp23.boeblingen.de.ibm.com
 REGISTRY_PORT=5000
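Review bot: the new MACHINE_FQDN value is the host name of one specific machine and will not resolve for anyone else applying this patch. Use a placeholder such as your-host-name, as the text above suggests, or leave .env out of the patch.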
diff --git a/Dockerfile b/Dockerfile
index a64344e..7f8efe0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM library/ruby:2.3.1
+FROM s390x/ruby:2.3
 MAINTAINER Flavio Castelli <fcastelli@suse.com>

 ENV COMPOSE=1
@@ -7,7 +7,8 @@ EXPOSE 3000
 WORKDIR /srv/Portus
 COPY Gemfile* ./
 RUN bundle install --retry=3
-RUN apt-get update && \
+RUN echo deb http://ftp.de.debian.org/debian stretch main >> /etc/apt/sources.list && \
+    apt-get update && \
     apt-get install -y --no-install-recommends nodejs

 ADD . .
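Review bot: the RUN that now appends the stretch source still ends at "apt-get install -y --no-install-recommends nodejs" without removing the package lists, so the downloaded indexes stay in the image layer. Append "&& rm -rf /var/lib/apt/lists/*" to the same RUN.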
diff --git a/docker-compose.yml b/docker-compose.yml
index f34dfd6..fa470c6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ version: '2'
 services:
   portus:
     build: .
-    image: opensuse/portus:development
+    image: portus
     command: bash /srv/Portus/examples/development/compose/init
     environment:
       - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
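Review bot: "image: portus" is an unqualified name; if no local image of that name exists, Docker resolves it against Docker Hub as library/portus. With "build: ." next to it Compose builds it here, but the same bare naming is used further down for services that have no build: entry (crono, and the yarn and distribution images), so a namespaced local tag such as local/portus would make it unmistakable that these are locally built images.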
@@ -21,7 +21,7 @@ services:
       - .:/srv/Portus

   crono:
-    image: opensuse/portus:development
+    image: portus
     command: ./bin/crono
     depends_on:
       - portus
@@ -36,19 +36,19 @@ services:
       - db

   webpack:
-    image: kkarczmarczyk/node-yarn:6.9-slim
+    image: yarn
     command: bash /srv/Portus/examples/development/compose/bootstrap-webpack
     working_dir: /srv/Portus
     volumes:
       - .:/srv/Portus

   db:
-    image: library/mariadb:10.0.23
+    image: sinenomine/mariadb-s390x
     environment:
       MYSQL_DATABASE: portus_production

@@ -62,7 +62,7 @@ services:
       - /var/lib/portus/mariadb:/var/lib/mysql

   registry:
-    image: library/registry:2.6
+    image: distribution:2.4.1
     environment:
       # Authentication
       REGISTRY_AUTH_TOKEN_REALM: http://${MACHINE_FQDN}:3000/v2/token
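Review bot: "image: distribution:2.4.1" moves the registry back from the 2.6 release this compose file was written for to an older one; build the s390x image from the 2.6 tag if possible, or note why 2.4.1 is needed. The REGISTRY_AUTH_TOKEN_REALM context line also points at an http:// URL, so tokens are requested from Portus unencrypted; switch it to https once certificates are in place.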
Build with "docker build -t portus Portus" and start with "docker-compose up".
