diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index dc913c0ec..a9e9cd945 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -15,7 +15,7 @@ jobs: uses: actions/checkout@v2 - name: Setup Go environment - uses: actions/setup-go@v2.1.2 + uses: actions/setup-go@v2 with: go-version: 1.13 diff --git a/.github/workflows/pushimage-next.yaml b/.github/workflows/pushimage-next.yaml index 5633d2e2f..51e425af5 100644 --- a/.github/workflows/pushimage-next.yaml +++ b/.github/workflows/pushimage-next.yaml @@ -28,4 +28,4 @@ jobs: - name: Build the registry metadata image run: cd oci-devfile-registry-metadata && ./build.sh - name: Push the registry metadata image - run: cd oci-devfile-registry-metadata && ./push.sh quay.io/devfile/metadata-server:next + run: cd oci-devfile-registry-metadata && ./push.sh quay.io/devfile/devfile-index-base:next diff --git a/deploy/kubernetes/registry.yaml b/deploy/kubernetes/registry.yaml index e665ac5fb..be6810316 100644 --- a/deploy/kubernetes/registry.yaml +++ b/deploy/kubernetes/registry.yaml @@ -32,13 +32,13 @@ spec: cpu: "250m" livenessProbe: httpGet: - path: /devfiles/index.json + path: / port: 8080 initialDelaySeconds: 3 periodSeconds: 3 readinessProbe: httpGet: - path: /devfiles/index.json + path: / port: 8080 initialDelaySeconds: 3 periodSeconds: 3 diff --git a/oci-devfile-registry-metadata/.htaccess b/oci-devfile-registry-metadata/.htaccess deleted file mode 100644 index 615ba8613..000000000 --- a/oci-devfile-registry-metadata/.htaccess +++ /dev/null @@ -1,24 +0,0 @@ -Header set Access-Control-Allow-Origin "*" -Header set Access-Control-Allow-Headers "*" -DirectoryIndex README.md - -AddType image/svg+xml svg svgz -AddEncoding gzip svgz - - - - - ExpiresActive Off - - - - FileETag None - Header unset ETag - Header unset Pragma - Header unset Cache-Control - Header unset Last-Modified - Header set Pragma "no-cache" - Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" - Header set Expires "Mon, 10 Apr 1972 00:00:00 GMT" - - diff --git a/oci-devfile-registry-metadata/Dockerfile b/oci-devfile-registry-metadata/Dockerfile index bfe56fb2c..d1172f106 100644 --- a/oci-devfile-registry-metadata/Dockerfile +++ b/oci-devfile-registry-metadata/Dockerfile @@ -1,44 +1,36 @@ -# Build the registry index generator -FROM golang:alpine3.11 AS build -WORKDIR /tools -COPY generator . -RUN ./build.sh - -FROM docker.io/httpd:2.4.43-alpine AS registry +FROM nginx:stable-alpine # Install and configure dependencies -RUN apk add --no-cache bash git curl && \ - # Allow htaccess - sed -i 's| AllowOverride None| AllowOverride All|' /usr/local/apache2/conf/httpd.conf && \ - sed -i 's|Listen 80|Listen 8080|' /usr/local/apache2/conf/httpd.conf && \ - mkdir -m 777 /usr/local/apache2/htdocs/devfiles && \ - mkdir -p /var/www && ln -s /usr/local/apache2/htdocs /var/www/html && \ - chmod -R g+rwX /usr/local/apache2 && \ - echo "ServerName localhost" >> /usr/local/apache2/conf/httpd.conf && \ - apk add --no-cache coreutils - -# Install ORAS +RUN apk add --no-cache bash git curl coreutils RUN wget https://github.com/deislabs/oras/releases/download/v0.8.1/oras_0.8.1_linux_amd64.tar.gz && \ mkdir -p oras-install/ && \ tar -zxf oras_0.8.1_*.tar.gz -C oras-install/ && \ mv oras-install/oras /usr/local/bin/ && \ rm -rf oras_0.8.1_*.tar.gz oras-install/ - - -COPY .htaccess /usr/local/apache2/htdocs/ -RUN chgrp -R 0 /usr/local/apache2/htdocs && \ - chmod -R g=u /usr/local/apache2/htdocs +COPY nginx.conf /etc/nginx/nginx.conf +COPY entrypoint.sh / + +# Create a non-root user to run the nginx server as +RUN set -x ; \ + adduser -u 82 -D -S -G root www-data && exit 0 ; exit 1 + +RUN touch /var/run/nginx.pid +RUN mkdir -p /www/data + +# Modify the permissions on the necessary files to allow the container to properly run as a non-root UID +RUN chown -R www-data:root /var/run/nginx.pid && \ + chown -R www-data:root /var/cache/nginx && \ + chown www-data:root /etc/nginx/conf.d /etc/nginx/nginx.conf +RUN chmod g+rwx /var/run/nginx.pid && \ + chmod -R g+rwx /var/cache/nginx && chmod -R g+rwx /etc/nginx && chmod -R g+rwx /www/data -COPY entrypoint.sh /scripts/entrypoint.sh +USER www-data -# Git clone the devfiles -# ToDo: Switch to github.com/devfile/catalog/ -RUN git clone https://github.com/devfile/registry /registry -COPY --from=build /tools/index-generator /registry/index-generator -RUN chgrp -R 0 /registry && \ - chmod -R g=u /registry +# Set env vars for the locations of the devfile stacks and index.json +ENV DEVFILE_STACKS /stacks +ENV DEVFILE_INDEX /index.json -# Load the devfiles into the registry -ENTRYPOINT ["/scripts/entrypoint.sh"] -CMD ["httpd-foreground"] \ No newline at end of file +EXPOSE 8080 +ENTRYPOINT ["/entrypoint.sh"] +CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/oci-devfile-registry-metadata/build.sh b/oci-devfile-registry-metadata/build.sh index 0f994200f..eed77b50e 100755 --- a/oci-devfile-registry-metadata/build.sh +++ b/oci-devfile-registry-metadata/build.sh @@ -3,4 +3,4 @@ # Build the metadata container for the registry buildfolder="$(basename "$(dirname "$0")")" cp -rf $buildfolder/../index/generator $buildfolder -docker build -t devfile-registry-metadata:latest $buildfolder \ No newline at end of file +docker build -t devfile-index-base:latest $buildfolder \ No newline at end of file diff --git a/oci-devfile-registry-metadata/entrypoint.sh b/oci-devfile-registry-metadata/entrypoint.sh index 2d55aca3e..46645f4bc 100755 --- a/oci-devfile-registry-metadata/entrypoint.sh +++ b/oci-devfile-registry-metadata/entrypoint.sh @@ -1,14 +1,15 @@ #!/bin/sh ## Simple proof of concept bootstrap script to load devfiles into an oci registry -DEVFILES=/registry/stacks -# Generate the index.json from the devfiles -cd /registry -./index-generator $DEVFILES /usr/local/apache2/htdocs/devfiles/index.json - -# Push the devfiles to the registry -cd $DEVFILES +if [ ! -d "$DEVFILE_STACKS" ]; then + echo "The container does not contain any devfile stacks in $DEVFILE_STACKS. Exiting..." + exit 1 +fi +if [ ! -e "$DEVFILE_INDEX" ]; then + echo "The container does not contain an index.json at $DEVFILE_INDEX. Exiting..." + exit 1 +fi # Wait for the registry to start until $(curl --output /dev/null --silent --head --fail http://localhost:5000); do @@ -16,7 +17,9 @@ until $(curl --output /dev/null --silent --head --fail http://localhost:5000); d sleep 0.5 done -for devfileDir in "$DEVFILES"/* +# Push the devfiles to the registry +cd $DEVFILE_STACKS +for devfileDir in "$DEVFILE_STACKS"/* do devfile="$devfileDir/devfile.yaml" stackName=`basename $devfileDir` @@ -31,9 +34,11 @@ do echo "Pushing $stackName to $REGISTRY_HOST" cd $stackName oras push localhost:5000/devfile-catalog/$stackName:latest --manifest-config /dev/null:application/vnd.devfileio.devfile.config.v2+json ./devfile.yaml:application/vnd.devfileio.devfile.layer.v1 --plain-http - cd $DEVFILES + cd $DEVFILE_STACKS done -# Launch the server hosting the index.json -echo $REGISTRY_HOST -exec "${@}" \ No newline at end of file +# Copy the index.json over to /www/data +cp $DEVFILE_INDEX /www/data/ + +# Start the nginx server +exec "$@" \ No newline at end of file diff --git a/oci-devfile-registry-metadata/nginx.conf b/oci-devfile-registry-metadata/nginx.conf new file mode 100644 index 000000000..74702e71a --- /dev/null +++ b/oci-devfile-registry-metadata/nginx.conf @@ -0,0 +1,62 @@ +events { + worker_connections 1024; +} + +http { + + upstream docker-registry { + server localhost:5000; + } + + ## Set a variable to help us decide if we need to add the + ## 'Docker-Distribution-Api-Version' header. + ## The registry always sets this header. + ## In the case of nginx performing auth, the header is unset + ## since nginx is auth-ing before proxying. + map $upstream_http_docker_distribution_api_version $docker_distribution_api_version { + '' 'registry/2.0'; + } + + server { + listen 8080; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) + chunked_transfer_encoding on; + + location / { + # Temporary until the new metadata server has been delivered + # ToDo: Update to point to the new server when ready + default_type application/json; + root /www/data; + index index.json; + } + + location /v2 { + # Only allow HEAD (implicit) and GET requests on the V2 api + limit_except GET { + # block does not inherit the access limitations from above + deny all; + } + + ## If $docker_distribution_api_version is empty, the header is not added. + ## See the map directive above where this variable is defined. + add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; + + proxy_pass http://docker-registry; + proxy_set_header Host $http_host; # required for docker client's sake + proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 900; + } + } +} diff --git a/oci-devfile-registry-metadata/push.sh b/oci-devfile-registry-metadata/push.sh index 47fab4383..4751e2178 100755 --- a/oci-devfile-registry-metadata/push.sh +++ b/oci-devfile-registry-metadata/push.sh @@ -1,4 +1,4 @@ #!/bin/sh IMAGE_TAG=$1 -docker tag devfile-registry-metadata:latest $IMAGE_TAG +docker tag devfile-index-base:latest $IMAGE_TAG docker push $1 \ No newline at end of file