authorunitexe <unitexe70@gmail.com>2026-01-22 00:46:47 -0600
committerunitexe <unitexe70@gmail.com>2026-01-22 22:38:37 -0600
commit45e4965f00e7c6061943e47ae895886c9f4ea68d (patch)
treeb05b4fa224ae6eece6cf5f8aaba6440e0d1e46ba /meta-unit-core/dynamic-layers/virtualization-layer/recipes-core
parent1c5117ee7a94a2452b4930068cdee403d73e68de (diff)
Switch from legacy, rootful registry to rootless CNCF distribution
Diffstat (limited to 'meta-unit-core/dynamic-layers/virtualization-layer/recipes-core')
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb34
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service13
-rw-r--r--meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh26
3 files changed, 35 insertions, 38 deletions
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
index 5acae19..7272206 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen.bb
@@ -1,30 +1,34 @@
-SUMMARY = "Systemd service for generating TLS key and cert for local registry"
-SECTION = "core"
+SUMMARY = "Systemd service for generating TLS key and cert for distribution"
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+LIC_FILES_CHKSUM = "file://${UNIT_CORE_LAYERDIR}/LICENSE;md5=38bf13be5d6979b28bd8adddb2f2f9b3"
-SYSTEMD_SERVICE:${PN} = "regkeygen.service"
+inherit systemd
SRC_URI = "\
file://regkeygen.service \
file://regkeygen.sh \
"
+RDEPENDS:${PN}:append = " add-user-svc"
+RDEPENDS:${PN}:append = " openssl"
+
S = "${UNPACKDIR}"
+SYSTEMD_USER = "svc"
+SYSTEMD_USER_UNITDIR = "/home/${SYSTEMD_USER}/.config/systemd/user"
+USER_BINDIR = "/home/${SYSTEMD_USER}/bin"
+
do_install() {
- install -D -p -m0644 ${UNPACKDIR}/regkeygen.service ${D}${systemd_system_unitdir}/regkeygen.service
- install -D -p -m0755 ${UNPACKDIR}/regkeygen.sh ${D}${bindir}/regkeygen.sh
+ install -D -p -m0644 ${UNPACKDIR}/regkeygen.service ${D}${SYSTEMD_USER_UNITDIR}/regkeygen.service
+ install -D -p -m0755 ${UNPACKDIR}/regkeygen.sh ${D}${USER_BINDIR}/regkeygen.sh
+
+ # Auto-enable systemd unit by creating the appropriate symlink
+ install -d ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants
+ ln -sf ${SYSTEMD_USER_UNITDIR}/regkeygen.service ${D}${SYSTEMD_USER_UNITDIR}/default.target.wants/regkeygen.service
}
-inherit systemd
-
FILES:${PN} = "\
- ${systemd_system_unitdir} \
- ${bindir} \
-"
-
-RDEPENDS:${PN} = "\
- openssl \
- ca-certificates \
+ ${SYSTEMD_USER_UNITDIR}/regkeygen.service \
+ ${SYSTEMD_USER_UNITDIR}/default.target.wants/regkeygen.service \
+ ${USER_BINDIR}/regkeygen.sh \
"
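Review bot: do_install places the unit and the script under `/home/${SYSTEMD_USER}` without setting ownership, so the files and the parent directories packaged with them (`.config`, `.config/systemd/user`, `bin`) will presumably be root-owned on the target. A root-owned script is fine, but if `~/.config` ends up root-owned the svc user cannot create `containers/distribution/certs` when regkeygen.sh runs. Consider ending do_install with `chown -R ${SYSTEMD_USER}:${SYSTEMD_USER} ${D}/home/${SYSTEMD_USER}/.config`; this needs the svc account to be known at build time, which the add-user-svc recipe (outside this diff) may or may not provide. `inherit systemd` is also left without a `SYSTEMD_SERVICE`, so a comment stating that enablement is done only by the manual `default.target.wants` symlink would help the next maintainer.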
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
index 07c2b87..6f1eca2 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
@@ -1,13 +1,12 @@
[Unit]
-Description=Generate registry TLS keys for device
-ConditionPathExists=!/etc/registry/domain.crt
-ConditionPathExists=!/etc/registry/domain.key
-After=time-sync.target
-Wants=time-sync.target systemd-time-wait-sync.service
+Description=Generate distribution TLS keys
+ConditionPathExists=!%h/.config/containers/distribution/certs/domain.crt
+ConditionPathExists=!%h/.config/containers/distribution/certs/domain.key
[Service]
Type=oneshot
-ExecStart=/usr/bin/regkeygen.sh
+Environment="XDG_CONFIG_HOME=%h/.config"
+ExecStart=%h/bin/regkeygen.sh
[Install]
-WantedBy=multi-user.target
+WantedBy=default.target
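Review bot: Dropping `After=time-sync.target` means the certificate's validity window is stamped from whatever the clock reads when the user manager first starts. On a device whose clock is not yet synchronized, the `-days 365` certificate can get a wrong notBefore/notAfter and fail validation once the time is corrected. A user unit cannot order itself against the system `time-sync.target`, so the check probably has to move into regkeygen.sh, for example by not generating until `timedatectl show -p NTPSynchronized --value` reports `yes`. Separately, the two `ConditionPathExists=` lines are ANDed, so the unit is skipped when only one of the two files is missing. Prefixing both with `|`, as in `ConditionPathExists=|!%h/.config/containers/distribution/certs/domain.crt`, lets a half-written pair be regenerated.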
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
index 5edf519..e929194 100644
--- a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
@@ -2,32 +2,26 @@
set -e
-echo "Generating TLS certificate and key for local registry..."
+echo "Generating TLS certificate and key for distribution..."
-mkdir -p /etc/registry
+mkdir -p "$XDG_CONFIG_HOME/containers/distribution/certs"
openssl req -x509 -newkey ec \
-pkeyopt ec_paramgen_curve:P-256 \
- -keyout /etc/registry/domain.key \
- -out /etc/registry/domain.crt \
+ -keyout "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key" \
+ -out "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" \
-days 365 \
-nodes \
- -subj '/C=US/ST=Minnesota/L=St. Paul/O=Closed Circuit Consulting/OU=/CN=localhost/emailAddress=unitexe70@gmail.com' \
+ -subj '/C=US/ST=Minnesota/L=St. Paul/O=Closed Circuit Consulting/OU=R&D/CN=localhost/emailAddress=unitexe70@gmail.com' \
-addext 'subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1'
echo "Setting permissions on generated artifacts..."
-chmod 640 /etc/registry/domain.key
-chmod 644 /etc/registry/domain.crt
+chmod 644 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"
+chmod 644 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt"
-echo "Adding CA to system trust store..."
+echo "Adding CA to user containers trust store..."
-mkdir -p /usr/local/share/ca-certificates
-cp /etc/registry/domain.crt /usr/local/share/ca-certificates/registry.crt
-update-ca-certificates
-
-echo "Adding CA to containers trust store..."
-
-mkdir -p /etc/containers/certs.d/localhost:5000/
-cp /etc/registry/domain.crt /etc/containers/certs.d/localhost:5000/ca.crt
+mkdir -p "$XDG_CONFIG_HOME/containers/localhost:5000/"
+cp "$XDG_CONFIG_HOME/containers/distribution/certs/domain.crt" "$XDG_CONFIG_HOME/containers/localhost:5000/ca.crt"
echo "Registry TLS configuration created and ready for use"
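Review bot: `chmod 644` on `domain.key` makes the registry's private key readable by every local account, which is looser than the `640` it replaces. Since the rootless service runs as the owning user, use `chmod 600 "$XDG_CONFIG_HOME/containers/distribution/certs/domain.key"`, and set `umask 077` before the `openssl req` call so the key is never created with wider permissions. The script runs under `set -e` only, so an unset `XDG_CONFIG_HOME` silently turns every path into `/containers/...`; a guard such as `: "${XDG_CONFIG_HOME:?must be set}"` near the top fails fast instead. The CA copy goes to `$XDG_CONFIG_HOME/containers/localhost:5000/`, whereas the per-user location documented for containers tooling is `$HOME/.config/containers/certs.d/<host:port>/`. The `certs.d` component therefore looks to be missing, and it is worth confirming that the trust store is actually picked up.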