###### tags: `redhat` `Quay` `OpenShift`

# Quay + Clair on AWS

### Change hostname to quay-server.example.com

```
$ sudo hostnamectl --static set-hostname quay-server.example.com
$ sudo sync; sudo reboot
```

### Install podman

```
$ sudo yum module install -y container-tools
```

### Registry authentication

```
$ sudo podman login registry.redhat.io
Username: <username>
Password: <password>
```

### Firewall configuration

```
$ firewall-cmd --permanent --add-port=80/tcp
$ firewall-cmd --permanent --add-port=443/tcp
$ firewall-cmd --permanent --add-port=5432/tcp
$ firewall-cmd --permanent --add-port=5433/tcp
$ firewall-cmd --permanent --add-port=6379/tcp
$ firewall-cmd --permanent --add-port=8081/tcp
$ firewall-cmd --permanent --add-port=8089/tcp
$ firewall-cmd --reload
```

80/443 are the Quay listeners; 5432 and 5433 are the Quay and Clair PostgreSQL containers, 6379 is Redis, and 8081/8089 are Clair's API and introspection ports used later in this guide.

### IP addressing and naming services

```
$ hostname -i
52.15.184.140   # Public IP
```

### Environment variable QUAY

Set `QUAY` for both the `ec2-user` shell and the root shell, since some later commands run under `sudo`:

```
$ mkdir ~/quay
$ vi ~/.bashrc
export QUAY=/home/ec2-user/quay
$ sudo -i
# vi ~/.bashrc
export QUAY=/home/ec2-user/quay
# exit
$ exit
```

#### Reconnect

### Configuring the database

```
$ mkdir -p $QUAY/postgres-quay
$ setfacl -m u:26:-wx $QUAY/postgres-quay   # the postgresql image runs as uid 26
$ sudo podman run -d --rm --name postgresql-quay \
    -e POSTGRESQL_USER=quayuser \
    -e POSTGRESQL_PASSWORD=quaypass \
    -e POSTGRESQL_DATABASE=quay \
    -e POSTGRESQL_ADMIN_PASSWORD=adminpass \
    -p 5432:5432 \
    -v $QUAY/postgres-quay:/var/lib/pgsql/data:Z \
    registry.redhat.io/rhel8/postgresql-10:1
```

### Install the pg_trgm extension

```
$ sudo podman exec -it postgresql-quay /bin/bash -c 'echo "CREATE EXTENSION IF NOT EXISTS pg_trgm" | psql -d quay -U postgres'
```

### Configuring Redis

```
$ sudo podman run -d --rm --name redis \
    -p 6379:6379 \
    -e REDIS_PASSWORD=strongpassword \
    registry.redhat.io/rhel8/redis-5:1
```

## Using SSL

#### Create a root Certificate Authority

##### Generate the root CA key

```
$ openssl genrsa -out rootCA.key 2048
```

##### Generate the root CA cert

```
$ openssl req -x509 -new -nodes \
    -subj "/C=TW/ST=TAIPEI/L=TAIPEI/O=QUAY/OU=SA/CN=quay-server.example.com" \
    -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```

#### Sign a certificate

##### Generate the server key

```
$ openssl genrsa -out ssl.key 2048
```

##### Generate a signing request

```
$ openssl req -new -key ssl.key -out ssl.csr \
    -subj "/C=TW/ST=TAIPEI/L=TAIPEI/O=QUAY/OU=SA/CN=quay-server.example.com"
```

#### Config file

The `v3_req` section adds a `subjectAltName` for the Quay hostname; clients such as podman validate the hostname against the SAN, not the CN, so the server certificate must be signed with these extensions.

```
$ cat > openssl.cnf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = quay-server.example.com
EOF
$ openssl x509 -req -in ssl.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -out ssl.cert -days 356 -extensions v3_req -extfile openssl.cnf
```

#### Configuration via UI

```
$ sudo podman run --rm -it --name quay_config -p 80:8080 -p 443:8443 registry.redhat.io/quay/quay-rhel8:v3.6.2 config secret
```

##### Browser

Find the public IP, then open the config tool in a browser and log in:

```
$ curl ifconfig.io
Username: quayconfig
Password: secret
```

##### Basic configuration

##### Server configuration

```
quay-server.example.com
```

##### Server Configuration - SSL

```
TLS: Red Hat Quay handles TLS
Upload the certificate file and private key file: ssl.cert & ssl.key
```

##### Database

```
Database Type: Postgres
Database Server: quay-server.example.com:5432
Username: quayuser
Password: quaypass
Database Name: quay
```

##### Redis

```
Redis Hostname: quay-server.example.com
Redis port: 6379 (default)
Redis password: strongpassword
```

##### Validate and download configuration

Click "Validate Configuration Changes", download `quay-config.tar.gz`, then unpack it:

```
$ mkdir $QUAY/config
$ cp ~/quay-config.tar.gz $QUAY/config
$ cd $QUAY/config
$ tar xvf quay-config.tar.gz
```

### Running Quay Server

```
$ mkdir $QUAY/storage
$ setfacl -m u:1001:-wx $QUAY/storage   # the quay image runs as uid 1001
$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
    --name=quay \
    -v $QUAY/config:/conf/stack:Z \
    -v $QUAY/storage:/datastorage:Z \
    registry.redhat.io/quay/quay-rhel8:v3.6.2
```

#### Login to Quay and create an account "quayadmin"

#### Configuring podman to trust the Certificate Authority

```
$ sudo mkdir /etc/containers/certs.d/quay-server.example.com
$ cd ~
$ sudo cp rootCA.pem /etc/containers/certs.d/quay-server.example.com
```

#### Configuring the system to trust the certificate authority

```
$ sudo cp rootCA.pem /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust extract
$ trust list | grep quay
$ sudo podman login quay-server.example.com
Username: quayadmin
Password:
Login Succeeded!
```

### Deploy Clair v4

#### Deploying a separate database for Clair

```
$ mkdir -p $QUAY/postgres-clairv4
$ setfacl -m u:26:-wx $QUAY/postgres-clairv4
$ sudo podman run -d --rm --name postgresql-clairv4 \
    -e POSTGRESQL_USER=clairuser \
    -e POSTGRESQL_PASSWORD=clairpass \
    -e POSTGRESQL_DATABASE=clair \
    -e POSTGRESQL_ADMIN_PASSWORD=adminpass \
    -p 5433:5432 \
    -v $QUAY/postgres-clairv4:/var/lib/pgsql/data:Z \
    registry.redhat.io/rhel8/postgresql-10:1
$ sudo podman exec -it postgresql-clairv4 /bin/bash -c 'echo "CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\"" | psql -d clair -U postgres'
```

#### Quay configuration for Clair

Stop Quay and start the config tool again against the existing configuration:

```
$ sudo podman stop quay
$ sudo podman run --rm -it --name quay_config \
    -p 80:8080 -p 443:8443 \
    -v $QUAY/config:/conf/stack:Z \
    registry.redhat.io/quay/quay-rhel8:v3.6.2 config secret
```

#### via Browser

```
Security Scanner Endpoint: http://quay-server.example.com:8081
Generate Security Scanner PSK: MTU5YzA4Y2ZkNzJoMQ==
```

#### Clair configuration

Unpack the regenerated Quay config, then create the Clair config file. The `auth.psk.key` value must be the PSK generated in the config tool above.

```
$ cp ~/quay-config.tar.gz $QUAY/config
$ cd $QUAY/config
$ tar xvf quay-config.tar.gz
$ cd ~
$ sudo mkdir -p /etc/clairv4/config
$ sudo vi /etc/clairv4/config/config.yaml
```

Contents of `/etc/clairv4/config/config.yaml`:

```
http_listen_addr: :8081
introspection_addr: :8089
log_level: debug
indexer:
  connstring: host=quay-server.example.com port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=quay-server.example.com port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=quay-server.example.com port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  delivery_interval: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: "MTU5YzA4Y2ZkNzJoMQ=="
    iss: ["quay"]
```

Start Clair and restart Quay. Clair fetches image layers from Quay over HTTPS, so the Quay server certificate is mounted into `SSL_CERT_DIR` for Clair to trust it:

```
$ sudo podman run -d --rm --name clairv4 \
    -p 8081:8081 -p 8089:8089 \
    -e CLAIR_CONF=/clair/config.yaml -e CLAIR_MODE=combo \
    -e SSL_CERT_DIR=/etc/certs \
    -v /home/ec2-user/ssl.cert:/etc/certs/quay-server.example.com.crt:Z \
    -v /etc/clairv4/config:/clair:Z \
    registry.redhat.io/quay/clair-rhel8:v3.6.2
$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
    --name=quay \
    -v $QUAY/config:/conf/stack:Z \
    -v $QUAY/storage:/datastorage:Z \
    registry.redhat.io/quay/quay-rhel8:v3.6.2
```

#### Push a test image

```
$ sudo podman pull ubuntu:20.04
$ sudo podman tag docker.io/library/ubuntu:20.04 quay-server.example.com/quayadmin/ubuntu:20.04
$ sudo podman push quay-server.example.com/quayadmin/ubuntu:20.04
```