Added portus

portus/docker-compose.yml

@@ -0,0 +1,121 @@
+version: "2"
+
+services:
+  portus:
+    image: opensuse/portus:head
+    environment:
+      - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
+
+      # DB. The password for the database should definitely not be here. You are
+      # probably better off with Docker Swarm secrets.
+      - PORTUS_DB_HOST=db
+      - PORTUS_DB_DATABASE=portus_production
+      - PORTUS_DB_PASSWORD=${DATABASE_PASSWORD}
+      - PORTUS_DB_POOL=5
+
+      # Secrets. It can possibly be handled better with Swarm's secrets.
+      - PORTUS_SECRET_KEY_BASE=${SECRET_KEY_BASE}
+      - PORTUS_KEY_PATH=/certificates/portus.key
+      - PORTUS_PASSWORD=${PORTUS_PASSWORD}
+
+      # SSL
+      - PORTUS_PUMA_TLS_KEY=/certificates/portus.key
+      - PORTUS_PUMA_TLS_CERT=/certificates/portus.crt
+
+      # NGinx is serving the assets instead of Puma. If you want to change this,
+      # uncomment this line.
+      #- RAILS_SERVE_STATIC_FILES='true'
+    ports:
+      - 3000:3000
+    links:
+      - db
+    volumes:
+      - ./secrets:/certificates:ro
+      - static:/srv/Portus/public
+
+  background:
+    image: opensuse/portus:head
+    depends_on:
+      - portus
+      - db
+    environment:
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
+      - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
+
+      # DB. The password for the database should definitely not be here. You are
+      # probably better off with Docker Swarm secrets.
+      - PORTUS_DB_HOST=db
+      - PORTUS_DB_DATABASE=portus_production
+      - PORTUS_DB_PASSWORD=${DATABASE_PASSWORD}
+      - PORTUS_DB_POOL=5
+
+      # Secrets. It can possibly be handled better with Swarm's secrets.
+      - PORTUS_SECRET_KEY_BASE=${SECRET_KEY_BASE}
+      - PORTUS_KEY_PATH=/certificates/portus.key
+      - PORTUS_PASSWORD=${PORTUS_PASSWORD}
+
+      - PORTUS_BACKGROUND=true
+    links:
+      - db
+    volumes:
+      - ./secrets:/certificates:ro
+
+  db:
+    image: library/mariadb:10.0.23
+    command: mysqld --character-set-server=utf8 --collation-server=utf8_unicode_ci --init-connect='SET NAMES UTF8;' --innodb-flush-log-at-trx-commit=0
+    environment:
+      - MYSQL_DATABASE=portus_production
+
+      # Again, the password shouldn't be handled like this.
+      - MYSQL_ROOT_PASSWORD=${DATABASE_PASSWORD}
+    volumes:
+      - /var/lib/portus/mariadb:/var/lib/mysql
+
+  registry:
+    image: library/registry:2.6
+    command: ["/bin/sh", "/etc/docker/registry/init"]
+    environment:
+      # Authentication
+      REGISTRY_AUTH_TOKEN_REALM: https://${MACHINE_FQDN}/v2/token
+      REGISTRY_AUTH_TOKEN_SERVICE: ${MACHINE_FQDN}
+      REGISTRY_AUTH_TOKEN_ISSUER: ${MACHINE_FQDN}
+      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /secrets/portus.crt
+
+      # SSL
+      REGISTRY_HTTP_TLS_CERTIFICATE: /secrets/portus.crt
+      REGISTRY_HTTP_TLS_KEY: /secrets/portus.key
+
+      # Portus endpoint
+      REGISTRY_NOTIFICATIONS_ENDPOINTS: >
+        - name: portus
+          url: https://${MACHINE_FQDN}/v2/webhooks/events
+          timeout: 2000ms
+          threshold: 5
+          backoff: 1s
+    volumes:
+      - /var/lib/portus/registry:/var/lib/registry
+      - ./secrets:/secrets:ro
+      - ./registry/config.yml:/etc/docker/registry/config.yml:ro
+      - ./registry/init:/etc/docker/registry/init:ro
+    ports:
+      - 5000:5000
+      - 5001:5001 # required to access debug service
+    links:
+      - portus:portus
+
+  nginx:
+    image: library/nginx:alpine
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./secrets:/secrets:ro
+      - static:/srv/Portus/public:ro
+    ports:
+      - 8005:80
+    links:
+      - registry:registry
+      - portus:portus
+
+volumes:
+  static:
+    driver: local

portus/nginx/nginx.conf

@@ -0,0 +1,198 @@
+# This file is largely based on the one written by @Djelibeybi in:
+#      https://github.com/Djelibeybi/Portus-On-OracleLinux7/
+
+# List of known problems with this file:
+#
+# NOTE: this file uses only one certificate for the different services. This is
+# not the best way to go (see #1906).
+# BUG: proxy_ssl_verify is off (NGinx default). This means that certificate
+# validation is off on proxied traffic, which is bad (see #1907).
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  include       mime.types;
+  default_type  application/octet-stream;
+  charset       UTF-8;
+
+  # Some basic config.
+  server_tokens off;
+  sendfile      on;
+  tcp_nopush    on;
+  tcp_nodelay   on;
+
+  # On timeouts.
+  keepalive_timeout     65;
+  client_header_timeout 240;
+  client_body_timeout   240;
+  fastcgi_read_timeout  249;
+  reset_timedout_connection on;
+
+  ## Set a variable to help us decide if we need to add the
+  ## 'Docker-Distribution-Api-Version' header.
+  ## The registry always sets this header.
+  ## In the case of nginx performing auth, the header will be unset
+  ## since nginx is auth-ing before proxying.
+  map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+	'' 'registry/2.0';
+  }
+
+  upstream portus {
+    least_conn;
+    server portus:3000 max_fails=3 fail_timeout=15s;
+  }
+
+  upstream registry {
+    least_conn;
+    server registry:5000 max_fails=3 fail_timeout=15s;
+  }
+
+  server {
+    listen 443 ssl http2;
+    server_name 172.17.0.1;
+    root /srv/Portus/public;
+
+    ##
+    # SSL
+
+    ssl on;
+
+    # Certificates
+    ssl_certificate /secrets/portus.crt;
+    ssl_certificate_key /secrets/portus.key;
+
+    # Enable session resumption to improve https performance
+    #
+    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Enables server-side protection from BEAST attacks
+    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
+    ssl_prefer_server_ciphers on;
+
+    # Disable SSLv3 (enabled by default since nginx 0.8.19)
+    # since it's less secure than TLS
+    # http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+    # Ciphers chosen for forward secrecy and compatibility.
+    #
+    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+    ##
+    # Docker-specific stuff.
+
+    proxy_set_header Host $http_host;   # required for Docker client sake
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Scheme $scheme;
+
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # required to avoid HTTP 411: see Issue #1486
+    # (https://github.com/docker/docker/issues/1486)
+    chunked_transfer_encoding on;
+
+    ##
+    # Custom headers.
+
+    # Adding HSTS[1] (HTTP Strict Transport Security) to avoid SSL stripping[2].
+    #
+    # [1] https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+    # [2] https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+    # Don't allow the browser to render the page inside a frame or iframe
+    # and avoid Clickjacking. More in the following link:
+    #
+    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+    add_header X-Frame-Options DENY;
+
+    # Disable content-type sniffing on some browsers.
+    add_header X-Content-Type-Options nosniff;
+
+    # This header enables the Cross-site scripting (XSS) filter built into
+    # most recent web browsers. It's usually enabled by default anyway, so the
+    # role of this header is to re-enable the filter for this particular
+    # website if it was disabled by the user.
+    add_header X-XSS-Protection "1; mode=block";
+
+    # Add header for IE in compatibility mode.
+    add_header X-UA-Compatible "IE=edge";
+
+	# Redirect (most) requests to /v2/* to the Docker Registry
+	location /v2/ {
+	  # Do not allow connections from docker 1.5 and earlier
+	  # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+	  if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+        return 404;
+      }
+
+      ## If $docker_distribution_api_version is empty, the header will not be added.
+      ## See the map directive above where this variable is defined.
+      add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+      proxy_pass https://registry;
+      proxy_set_header Host $http_host;   # required for docker client's sake
+      proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_read_timeout 900;
+      proxy_buffering on;
+	}
+
+	# Portus needs to handle /v2/token for authentication
+	location = /v2/token {
+      proxy_pass https://portus;
+      proxy_set_header Host $http_host;   # required for docker client's sake
+      proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_read_timeout 900;
+      proxy_buffering on;
+    }
+
+	# Portus needs to handle /v2/webhooks/events for notifications
+	location = /v2/webhooks/events {
+      proxy_pass https://portus;
+      proxy_set_header Host $http_host;   # required for docker client's sake
+      proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_read_timeout 900;
+      proxy_buffering on;
+    }
+
+    # Assets are mapped inside of /srv/Portus/public from a shared volume.
+    location ~ ^/(assets)/ {
+      access_log  off;
+      gzip_static on;
+      expires     max;
+      add_header  Cache-Control public;
+      add_header  Last-Modified "";
+      add_header  ETag "";
+      break;
+    }
+
+	# Portus handles everything else for the UI
+	location / {
+      try_files $uri/index.html $uri.html $uri @portus;
+    }
+
+    location @portus {
+      proxy_pass https://portus;
+      proxy_set_header Host $http_host;   # required for docker client's sake
+      proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_read_timeout 900;
+      proxy_buffering on;
+    }
+  }
+}

portus/registry/config.yml

@@ -0,0 +1,10 @@
+version: 0.1
+storage:
+  filesystem:
+    rootdirectory: /var/lib/registry
+  delete:
+    enabled: true
+http:
+  addr: 0.0.0.0:5000
+  debug:
+    addr: 0.0.0.0:5001

portus/registry/init

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -x
+
+cp /secrets/portus.crt /usr/local/share/ca-certificates
+update-ca-certificates
+registry serve /etc/docker/registry/config.yml

portus/secrets/.gitignore

@@ -0,0 +1 @@
+portus.*