authorunitexe <unitexe70@gmail.com>2026-01-22 00:46:47 -0600
committerunitexe <unitexe70@gmail.com>2026-01-22 22:38:37 -0600
commit45e4965f00e7c6061943e47ae895886c9f4ea68d (patch)
treeb05b4fa224ae6eece6cf5f8aaba6440e0d1e46ba
parent1c5117ee7a94a2452b4930068cdee403d73e68de (diff)
Switch from legacy, rootful registry to rootless CNCF distribution
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/distribution.bb31
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/LICENSE (renamed from meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/files/LICENSE)1
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/config.yml29
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/distribution.container22
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/prometheus-target.yml5
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/packagegroups/packagegroup-unit-quadlets.bb2
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/prometheus/files/prometheus.container2
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/files/registry.container23
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/registry-quadlet.bb19
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb34
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service13
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh26
12 files changed, 125 insertions, 82 deletions
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/distribution.bb b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/distribution.bb
new file mode 100644
index 0000000..dc769d5
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/distribution.bb
@@ -0,0 +1,31 @@
+SUMMARY = "Distribution quadlet"
+DESCRIPTION = "A quadlet for a distribution container that runs rootless"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${UNPACKDIR}/LICENSE;md5=d2794c0df5b907fdace235a619d80314"
+
+SRC_URI = "\
+ file://config.yml \
+ file://distribution.container \
+ file://prometheus-target.yml \
+ file://LICENSE \
+"
+
+RDEPENDS:${PN}:append = " systemd-regkeygen"
+RDEPENDS:${PN}:append = " podman"
+RDEPENDS:${PN}:append = " add-user-svc"
+
+S = "${UNPACKDIR}"
+
+ROOTLESS_USER_NAME ?= "svc"
+
+do_install() {
+ install -D -p -m 0644 ${UNPACKDIR}/distribution.container ${D}/home/${ROOTLESS_USER_NAME}/.config/containers/systemd/distribution.container
+ install -D -p -m 0644 ${UNPACKDIR}/config.yml ${D}/home/${ROOTLESS_USER_NAME}/.config/containers/distribution/config.yml
+ install -D -m 0644 ${UNPACKDIR}/prometheus-target.yml ${D}${sysconfdir}/prometheus/targets.d/distribution.yml
+}
+
+FILES:${PN} = "\
+ /home/${ROOTLESS_USER_NAME}/.config/containers/systemd/distribution.container \
+ /home/${ROOTLESS_USER_NAME}/.config/containers/distribution/config.yml \
+ ${sysconfdir}/prometheus/targets.d/distribution.yml \
+"
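Review bot: Everything `do_install` places under `/home/${ROOTLESS_USER_NAME}` is created by `install` without an owner, so in the packaged rootfs these files and the intermediate `.config/containers/distribution/` directory will be root-owned unless `add-user-svc` (not visible here) or a later step chowns the home tree. The rootless `regkeygen.sh` this recipe depends on does `mkdir -p .../distribution/certs` as the svc user, which fails inside a root-owned parent, and podman's user unit will likewise need a writable `~/.config/containers`. I would add `chown -R ${ROOTLESS_USER_NAME}:${ROOTLESS_USER_NAME} ${D}/home/${ROOTLESS_USER_NAME}` at the end of `do_install` (pseudo records it, and `useradd` in a dependency recipe will not fix files installed afterwards), or confirm the user-creation recipe reconciles ownership at first boot. Note also that `ROOTLESS_USER_NAME` here and `SYSTEMD_USER` in systemd-regkeygen are two separate knobs for the same account, so overriding one silently breaks the `Requires=regkeygen.service` ordering.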
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/files/LICENSE b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/LICENSE
index 5c304d1..e06d208 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/files/LICENSE
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/LICENSE
@@ -199,3 +199,4 @@ Apache License
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
+
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/config.yml b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/config.yml
new file mode 100644
index 0000000..ee15050
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/config.yml
@@ -0,0 +1,29 @@
+version: 0.1
+storage:
+ delete:
+ enabled: true
+ cache:
+ blobdescriptor: inmemory
+ filesystem:
+ rootdirectory: /var/lib/distribution
+ maintenance:
+ uploadpurging:
+ enabled: false
+ tag:
+ concurrencylimit: 8
+http:
+ addr: 0.0.0.0:5000
+ tls:
+ certificate: /certs/domain.crt
+ key: /certs/domain.key
+ debug:
+ addr: 0.0.0.0:5001
+ prometheus:
+ enabled: true
+ headers:
+ X-Content-Type-Options: [nosniff]
+health:
+ storagedriver:
+ enabled: true
+ interval: 10s
+ threshold: 3
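Review bot: The config enables `storage.delete.enabled: true` but defines no `auth:` section, so every client that can reach the listener can push, overwrite and delete any repository anonymously. The port is only published on `127.0.0.1` by the quadlet, which narrows this to local processes and other local users rather than the network, but a local registry that is trusted by podman is still a supply-chain pivot: any unprivileged local process can replace the image the device pulls next. If anonymous read/write on loopback is an accepted trade-off, say so in the file (`# NOTE: no auth; relies on 127.0.0.1-only publish in distribution.container — any local process may push/delete`); otherwise add an `auth: htpasswd:` block, or at least set `delete.enabled: false` so a stray client cannot remove content. I would also pair the `headers:` block with `X-Frame-Options: [DENY]` since it already sets `nosniff`.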
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/distribution.container b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/distribution.container
new file mode 100644
index 0000000..e8eb7dc
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/distribution.container
@@ -0,0 +1,22 @@
+[Unit]
+Description=A distribution container
+After=regkeygen.service
+Requires=regkeygen.service
+
+[Container]
+ContainerName=distribution
+Image=docker.io/distribution/distribution:latest
+PublishPort=127.0.0.1:5000:5000,127.0.0.1:5001:5001
+Volume=%h/.config/containers/distribution/certs:/certs
+Volume=%h/.config/containers/distribution/config.yml:/etc/distribution/config.yml:ro
+Volume=distribution-data:/var/lib/distribution
+
+[Service]
+Restart=on-failure
+RestartSec=10s
+RestartSteps=5
+RestartMaxDelaySec=1min
+TimeoutStartSec=15min
+
+[Install]
+WantedBy=default.target
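Review bot: `Image=docker.io/distribution/distribution:latest` is an unpinned mutable tag for a component that will be the device's trusted image source, so what runs depends on whatever Docker Hub serves on the day the container is first pulled (or re-pulled after a restart with the image gone). Pin it to an immutable reference, e.g. `Image=docker.io/distribution/distribution:3.0.0@sha256:<digest>`, and bump deliberately. The certs bind mount is also read-write while `config.yml` is `:ro`; the container has no reason to modify the private key, so `Volume=%h/.config/containers/distribution/certs:/certs:ro` limits the damage from a compromised registry process. Consider `ReadOnly=true` and `DropCapability=all` as well — the registry only needs to write to the `distribution-data` volume.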
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/prometheus-target.yml b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/prometheus-target.yml
new file mode 100644
index 0000000..c7ac184
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/distribution/files/prometheus-target.yml
@@ -0,0 +1,5 @@
+- targets:
+ - '127.0.0.1:5001'
+ labels:
+ job: 'distribution'
+ context: 'rootless'
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/packagegroups/packagegroup-unit-quadlets.bb b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/packagegroups/packagegroup-unit-quadlets.bb
index ecacb6f..127dd54 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/packagegroups/packagegroup-unit-quadlets.bb
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/packagegroups/packagegroup-unit-quadlets.bb
@@ -3,7 +3,7 @@ SUMMARY = "Unit quadlet packages"
inherit packagegroup
RDEPENDS:${PN}:append = " banner"
-RDEPENDS:${PN}:append = " registry-quadlet"
+RDEPENDS:${PN}:append = " distribution"
RDEPENDS:${PN}:append = " prometheus"
RDEPENDS:${PN}:append = " prometheus-podman-exporter-rootful"
RDEPENDS:${PN}:append = " prometheus-podman-exporter-rootless"
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/prometheus/files/prometheus.container b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/prometheus/files/prometheus.container
index cbc955c..b6a533f 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/prometheus/files/prometheus.container
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/prometheus/files/prometheus.container
@@ -6,7 +6,7 @@ Wants=time-sync.target systemd-time-wait-sync.service
[Container]
ContainerName=prometheus
Image=docker.io/prom/prometheus:latest
-Network=pasta:-T,9091:9091,-T,9882:9882,-T,9883:9883,-T,9100:9100
+Network=pasta:-T,9091:9091,-T,9882:9882,-T,9883:9883,-T,9100:9100,-T,5001:5001
PublishPort=127.0.0.1:9090:9090
Volume=prometheus-data:/var/lib/prometheus
Volume=%h/.config/containers/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/files/registry.container b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/files/registry.container
deleted file mode 100644
index 41b3248..0000000
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/files/registry.container
+++ /dev/null
@@ -1,23 +0,0 @@
-[Unit]
-Description=A registry container
-After=time-sync.target regkeygen.service
-Wants=time-sync.target systemd-time-wait-sync.service regkeygen.service
-
-[Container]
-ContainerName=registry
-Image=docker.io/registry:latest
-PublishPort=127.0.0.1:5000:5000
-Volume=/etc/registry:/certs
-Volume=registry-data:/var/lib/registry
-Environment=REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
-Environment=REGISTRY_HTTP_TLS_KEY=/certs/domain.key
-
-[Service]
-Restart=on-failure
-RestartSec=10s
-RestartSteps=5
-RestartMaxDelaySec=1min
-TimeoutStartSec=15min
-
-[Install]
-WantedBy=multi-user.target default.target
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/registry-quadlet.bb b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/registry-quadlet.bb
deleted file mode 100644
index 35ee02b..0000000
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/registry-quadlet/registry-quadlet.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "Registry quadlet"
-DESCRIPTION = "A quadlet for a registry container that runs rootful"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://${UNPACKDIR}/LICENSE;md5=136e4f49dbf29942c572a3a8f6e88a77"
-
-SRC_URI = "\
- file://registry.container \
- file://LICENSE \
-"
-
-RDEPENDS:${PN}:append = " systemd-regkeygen"
-
-S = "${UNPACKDIR}"
-
-do_install() {
- install -D -p -m 0644 ${UNPACKDIR}/registry.container ${D}${sysconfdir}/containers/systemd/registry.container
-}
-
-FILES:${PN} = "${sysconfdir}/containers/systemd/registry.container"
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
index 5acae19..7272206 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
@@ -1,30 +1,34 @@
-SUMMARY = "Systemd service for generating TLS key and cert for local registry"
-SECTION = "core"
+SUMMARY = "Systemd service for generating TLS key and cert for distribution"
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+LIC_FILES_CHKSUM = "file://${UNIT_CORE_LAYERDIR}/LICENSE;md5=38bf13be5d6979b28bd8adddb2f2f9b3"
-SYSTEMD_SERVICE:${PN} = "regkeygen.service"
+inherit systemd
SRC_URI = "\
file://regkeygen.service \
file://regkeygen.sh \
"
+RDEPENDS:${PN}:append = " add-user-svc"
+RDEPENDS:${PN}:append = " openssl"
+
S = "${UNPACKDIR}"
+SYSTEMD_USER = "svc"
+SYSTEMD_USER_UNITDIR = "/home/${SYSTEMD_USER}/.config/systemd/user"
+USER_BINDIR = "/home/${SYSTEMD_USER}/bin"
+
do_install() {
- install -D -p -m0644 ${UNPACKDIR}/regkeygen.service ${D}${systemd_system_unitdir}/regkeygen.service
- install -D -p -m0755 ${UNPACKDIR}/regkeygen.sh ${D}${bindir}/regkeygen.sh
+ install -D -p -m0644 ${UNPACKDIR}/regkeygen.service ${D}${SYSTEMD_USER_UNITDIR}/regkeygen.service
+ install -D -p -m0755 ${UNPACKDIR}/regkeygen.sh ${D}${USER_BINDIR}/regkeygen.sh
+
+ # Auto-enable systemd unit by creating the appropriate symlink
+ install -d ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants
+ ln -sf ${SYSTEMD_USER_UNITDIR}/regkeygen.service ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants/regkeygen.service
}
-inherit systemd
-
FILES:${PN} = "\
- ${systemd_system_unitdir} \
- ${bindir} \
-"
-
-RDEPENDS:${PN} = "\
- openssl \
- ca-certificates \
+ ${SYSTEMD_USER_UNITDIR}/regkeygen.service \
+ ${SYSTEMD_USER_UNITDIR}/default.target.wants/regkeygen.service \
+ ${USER_BINDIR}/regkeygen.sh \
"
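Review bot: `inherit systemd` is kept (moved up) but `SYSTEMD_SERVICE:${PN}` was removed, so the class no longer manages this unit at all — the enablement now happens only through the hand-made `default.target.wants` symlink, and the inherit is dead weight that may confuse the next reader or produce a class warning, depending on the poky release; either drop the inherit or add a comment such as `# systemd.bbclass cannot enable user units; the symlink below enables it for ${SYSTEMD_USER}`. The unit and script are also installed into `/home/${SYSTEMD_USER}` without a `chown`, so unless `add-user-svc` fixes ownership at runtime they will be root-owned in the image; that is fine for the 0644/0755 files themselves, but the script later has to create `~/.config/containers/distribution/certs` as that user. `SYSTEMD_USER = "svc"` is hard-coded where the distribution recipe uses `ROOTLESS_USER_NAME ?= "svc"`; making this `SYSTEMD_USER ?= "${ROOTLESS_USER_NAME}"` (or reusing the same variable name) keeps the two recipes from drifting.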
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
index 07c2b87..6f1eca2 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
@@ -1,13 +1,12 @@
[Unit]
-Description=Generate registry TLS keys for device
-ConditionPathExists=!/etc/registry/domain.crt
-ConditionPathExists=!/etc/registry/domain.key
-After=time-sync.target
-Wants=time-sync.target systemd-time-wait-sync.service
+Description=Generate distribution TLS keys
+ConditionPathExists=!%h/.config/containers/distribution/certs/domain.crt
+ConditionPathExists=!%h/.config/containers/distribution/certs/domain.key
[Service]
Type=oneshot
-ExecStart=/usr/bin/regkeygen.sh
+Environment="XDG_CONFIG_HOME=%h/.config"
+ExecStart=%h/bin/regkeygen.sh
[Install]
-WantedBy=multi-user.target
+WantedBy=default.target
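Review bot: The move to a user unit drops `After=time-sync.target` / `Wants=systemd-time-wait-sync.service`, and that ordering existed for a reason: `openssl req -x509 -days 365` stamps notBefore/notAfter from the current clock, so if this device can come up without a valid time (the old unit's time-wait dependency suggests it can), the one-shot generates a certificate that is valid for a year starting from whatever the clock said, and the `ConditionPathExists=!...` guards then prevent it from ever being regenerated once the clock corrects — leaving a registry cert podman rejects as not-yet-valid or expired. User units cannot order against system targets, so either keep key generation as a rootful one-shot that runs after time sync and drops the files into the svc home, or have the script refuse to run until the clock is sane (e.g. wait for `/run/systemd/timesync/synchronized`, or compare `date +%s` against the build timestamp). Add a comment explaining whichever choice is made, e.g. `# cert validity is computed from the clock at first boot; see regkeygen.sh clock check`.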
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
index 5edf519..e929194 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
@@ -2,32 +2,26 @@
set -e
-echo "Generating TLS certificate and key for local registry..."
+echo "Generating TLS certificate and key for distribution..."
-mkdir -p /etc/registry
+mkdir -p "$XDG_CONFIG_HOME/containers/distribution/certs"
openssl req -x509 -newkey ec \
-pkeyopt ec_paramgen_curve:P-256 \
- -keyout /etc/registry/domain.key \
- -out /etc/registry/domain.crt \
+ -keyout "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key" \
+ -out "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" \
-days 365 \
-nodes \
- -subj '/C=US/ST=Minnesota/L=St. Paul/O=Closed Circuit Consulting/OU=/CN=localhost/emailAddress=unitexe70@gmail.com' \
+ -subj '/C=US/ST=Minnesota/L=St. Paul/O=Closed Circuit Consulting/OU=R&D/CN=localhost/emailAddress=unitexe70@gmail.com' \
-addext 'subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1'
echo "Setting permissions on generated artifacts..."
-chmod 640 /etc/registry/domain.key
-chmod 644 /etc/registry/domain.crt
+chmod 644 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+chmod 644 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
-echo "Adding CA to system trust store..."
+echo "Adding CA to user containers trust store..."
-mkdir -p /usr/local/share/ca-certificates
-cp /etc/registry/domain.crt /usr/local/share/ca-certificates/registry.crt
-update-ca-certificates
-
-echo "Adding CA to containers trust store..."
-
-mkdir -p /etc/containers/certs.d/localhost:5000/
-cp /etc/registry/domain.crt /etc/containers/certs.d/localhost:5000/ca.crt
+mkdir -p "$XDG_CONFIG_HOME/containers/localhost:5000/"
+cp "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "$XDG_CONFIG_HOME/containers/localhost:5000/ca.crt"
echo "Registry TLS configuration created and ready for use"
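Review bot: `chmod 644` on `domain.key` makes the registry's private key world-readable, a regression from the 640 the rootful version used; any other local account can now impersonate `localhost:5000` to this device. The key should be `chmod 600`. If the change to 644 was made because the container process is not uid 0 inside its user namespace and could not read a 600 file, the right fix is podman's ownership remap on the mount (`:ro,U` on the certs volume in the quadlet) rather than loosening host permissions — I cannot tell from here which user the image runs as, so please check. Separately, the script relies on `$XDG_CONFIG_HOME` being set by the unit; with `set -e` but no `set -u`, an unset value makes `mkdir -p "/containers/distribution/certs"` fail as a non-root user with a confusing error, so a defensive `: "${XDG_CONFIG_HOME:=$HOME/.config}"` near the top would let the script also be run by hand.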