Quay - All in One - Using podman pod
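#!/usr/bin/env bash
# Quay - All in One - one podman pod holding PostgreSQL, Redis, Clair v4, Quay and
# the repository-mirror worker, all sharing the pod's network namespace (localhost).
#
# Run as root on a RHEL 8 host with podman and a registry.redhat.io account.
#   domain   hostname clients will use for the registry (default quay.ralvares.local)
#   QUAY     host directory for all persistent state      (default /data/quay)
#   DB_PASSWORD, DB_ADMIN_PASSWORD, REDIS_PASSWORD, SECRET_KEY, DATABASE_SECRET_KEY,
#   BITTORRENT_PEPPER, CLAIR_PSK   optional; random values are generated when unset.
#
# Every secret is written to $QUAY/config/config.yaml and $QUAY/clair/config.yaml,
# so protect that tree like a credential store. DATABASE_SECRET_KEY encrypts fields
# inside the database and must never change once Quay has written data.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

export domain="${domain:-quay.ralvares.local}"
export QUAY="${QUAY:-/data/quay}"

# Image references are pinned; review them against current Quay/Clair releases before
# reusing this script (PostgreSQL 10 in particular is an old release).
POSTGRES_IMAGE="${POSTGRES_IMAGE:-registry.redhat.io/rhel8/postgresql-10:1}"
REDIS_IMAGE="${REDIS_IMAGE:-registry.redhat.io/rhel8/redis-5:1}"
CLAIR_IMAGE="${CLAIR_IMAGE:-registry.redhat.io/quay/clair-rhel8:v3.4.3}"
QUAY_IMAGE="${QUAY_IMAGE:-registry.redhat.io/quay/quay-rhel8:v3.4.3}"

# Secrets are generated per deployment instead of being copied out of a public gist.
# Hex output is safe to embed unquoted in URLs and libpq connection strings.
DB_PASSWORD="${DB_PASSWORD:-$(openssl rand -hex 16)}"
DB_ADMIN_PASSWORD="${DB_ADMIN_PASSWORD:-$(openssl rand -hex 16)}"
REDIS_PASSWORD="${REDIS_PASSWORD:-$(openssl rand -hex 16)}"
SECRET_KEY="${SECRET_KEY:-$(openssl rand -hex 32)}"
DATABASE_SECRET_KEY="${DATABASE_SECRET_KEY:-$(openssl rand -hex 32)}"
BITTORRENT_PEPPER="${BITTORRENT_PEPPER:-$(openssl rand -hex 16)}"
# Shared between Quay (SECURITY_SCANNER_V4_PSK) and Clair (auth.psk.key); both sides
# expect the same base64 string.
CLAIR_PSK="${CLAIR_PSK:-$(openssl rand -base64 32)}"
# debug logging is noisy and may echo connection details; raise it only when troubleshooting.
CLAIR_LOG_LEVEL="${CLAIR_LOG_LEVEL:-info}"

podman login registry.redhat.io

# Refuse to clobber an existing deployment: regenerating config.yaml would swap
# DATABASE_SECRET_KEY and the DB password while the old database is still on disk.
if [[ -e "$QUAY/config/config.yaml" ]]; then
  die "$QUAY/config/config.yaml already exists; remove $QUAY to redeploy from scratch"
fi

mkdir -p "$QUAY/postgres-quay" "$QUAY/clair" "$QUAY/config/extra_ca_certs" "$QUAY/storage"
# The containers run as unprivileged uids on the host side (26 for the postgresql image,
# 1001 for Quay - confirm against the image versions in use). Grant write+search only.
setfacl -m u:26:-wx "$QUAY/postgres-quay"
setfacl -m u:1001:-wx "$QUAY/storage"

## Generate Quay config file (unquoted heredoc: ${...} expands, YAML has no other '$').
cat > "$QUAY/config/config.yaml" <<EOF
AUTHENTICATION_TYPE: Database
AVATAR_KIND: local
BITTORRENT_FILENAME_PEPPER: ${BITTORRENT_PEPPER}
BUILDLOGS_REDIS:
  host: localhost
  password: ${REDIS_PASSWORD}
  port: 6379
DATABASE_SECRET_KEY: ${DATABASE_SECRET_KEY}
DB_CONNECTION_ARGS:
  autorollback: true
  threadlocals: true
DB_URI: postgresql://quayuser:${DB_PASSWORD}@localhost/quay
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
  default:
    - LocalStorage
    - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
  - default
FEATURE_ACI_CONVERSION: false
FEATURE_ACTION_LOG_ROTATION: false
# Lab defaults: unauthenticated pulls of public repos and open self-registration.
# Turn both off for anything reachable beyond the lab network.
FEATURE_ANONYMOUS_ACCESS: true
FEATURE_APP_REGISTRY: true
FEATURE_APP_SPECIFIC_TOKENS: true
FEATURE_BITBUCKET_BUILD: false
FEATURE_BLACKLISTED_EMAILS: false
FEATURE_BUILD_SUPPORT: false
FEATURE_CHANGE_TAG_EXPIRATION: true
FEATURE_DIRECT_LOGIN: true
FEATURE_GITHUB_BUILD: false
FEATURE_GITHUB_LOGIN: false
FEATURE_GITLAB_BUILD: false
FEATURE_GOOGLE_LOGIN: false
FEATURE_INVITE_ONLY_USER_CREATION: false
FEATURE_MAILING: false
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false
FEATURE_PARTIAL_USER_AUTOCOMPLETE: true
FEATURE_PROXY_STORAGE: false
FEATURE_REPO_MIRROR: true
FEATURE_REQUIRE_TEAM_INVITE: true
FEATURE_RESTRICTED_V1_PUSH: true
FEATURE_SECURITY_NOTIFICATIONS: false
FEATURE_SECURITY_SCANNER: true
FEATURE_SIGNING: false
FEATURE_STORAGE_REPLICATION: false
FEATURE_TEAM_SYNCING: false
FEATURE_USER_CREATION: true
FEATURE_USER_LAST_ACCESSED: true
FEATURE_USER_LOG_ACCESS: false
FEATURE_USER_METADATA: false
FEATURE_USER_RENAME: false
FEATURE_USERNAME_CONFIRMATION: true
FRESH_LOGIN_TIMEOUT: 10m
GITHUB_LOGIN_CONFIG: {}
GITHUB_TRIGGER_CONFIG: {}
GITLAB_TRIGGER_KIND: {}
GPG2_PRIVATE_KEY_FILENAME: signing-private.gpg
GPG2_PUBLIC_KEY_FILENAME: signing-public.gpg
# LDAP keys are inert while AUTHENTICATION_TYPE is Database.
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://localhost
LOG_ARCHIVE_LOCATION: default
LOGS_MODEL: database
LOGS_MODEL_CONFIG: {}
MAIL_DEFAULT_SENDER: support@quay.io
MAIL_PORT: 587
MAIL_USE_AUTH: false
MAIL_USE_TLS: false
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Project Quay
REGISTRY_TITLE_SHORT: Project Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SEARCH_MAX_RESULT_PAGE_COUNT: 10
SEARCH_RESULTS_PER_PAGE: 10
SECRET_KEY: ${SECRET_KEY}
SECURITY_SCANNER_INDEXING_INTERVAL: 30
# Plain HTTP is acceptable only because Clair shares the pod's network namespace.
SECURITY_SCANNER_V4_ENDPOINT: http://localhost:9091
SECURITY_SCANNER_V4_PSK: "${CLAIR_PSK}"
SERVER_HOSTNAME: ${domain}:8443
SETUP_COMPLETE: true
SUPER_USERS:
  - admin
TAG_EXPIRATION_OPTIONS:
  - 0s
  - 1d
  - 1w
  - 2w
  - 4w
TEAM_RESYNC_STALE_TIME: 30m
TESTING: false
USE_CDN: false
USER_EVENTS_REDIS:
  host: localhost
  password: ${REDIS_PASSWORD}
  port: 6379
USER_RECOVERY_TOKEN_LIFETIME: 30m
USERFILES_LOCATION: default
EOF

## Self-signed certificate. The subjectAltName is what Go-based clients (Clair, skopeo
## in the mirror worker) verify; a CN-only certificate needed the GODEBUG=x509ignoreCN=0
## workaround, which newer Go releases no longer honour. -addext needs OpenSSL 1.1.1+.
openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
  -out "$QUAY/config/ssl.cert" \
  -keyout "$QUAY/config/ssl.key" \
  -subj "/C=AE/ST=Dubai/L=Dubai/O=Quay/OU=IT Department/CN=${domain}" \
  -addext "subjectAltName=DNS:${domain}"
# The key stays group-readable (the Quay container is not the file owner, as with the
# original 750) but drops the pointless execute bit and is never world-readable.
chmod 640 "$QUAY/config/ssl.key"
chmod 644 "$QUAY/config/ssl.cert"
# 'command cp' bypasses any interactive 'cp -i' alias without the 'unalias cp' step,
# which fails (and aborts under set -e) when no such alias is defined.
command cp -f "$QUAY/config/ssl.cert" "$QUAY/config/extra_ca_certs/quay.crt"
chmod -R 750 "$QUAY/config/extra_ca_certs"
command cp -f "$QUAY/config/ssl.cert" /etc/pki/ca-trust/source/anchors/quay.crt
update-ca-trust

## Create the pod - one shared network stack, only 8443 published on the host.
podman pod create --name quay-all-in-one -p 8443:8443

## PostgreSQL. Passwords passed with -e are visible in 'podman inspect'; acceptable for
## a lab, use podman secrets or an --env-file for anything else.
podman run -d --pod quay-all-in-one --name postgresql-quay \
  -e POSTGRESQL_USER=quayuser \
  -e POSTGRESQL_PASSWORD="$DB_PASSWORD" \
  -e POSTGRESQL_DATABASE=quay \
  -e POSTGRESQL_ADMIN_PASSWORD="$DB_ADMIN_PASSWORD" \
  -v "$QUAY/postgres-quay:/var/lib/pgsql/data:Z" \
  "$POSTGRES_IMAGE"

# Run one SQL statement as the in-container superuser. No -it: the statement is passed
# as an argument, and -t fails when the script runs without a TTY.
#   $1 - database name, $2 - SQL text
psql_admin() {
  podman exec postgresql-quay psql -U postgres -d "$1" -c "$2"
}

# The original exec'd into the container immediately after 'podman run -d' and raced the
# image's first-start initialisation. Poll until the 'quay' database answers.
wait_for_db() {
  local attempt
  for ((attempt = 0; attempt < 60; attempt++)); do
    if podman exec postgresql-quay psql -U postgres -d quay -qAtc 'SELECT 1' >/dev/null 2>&1; then
      return 0
    fi
    sleep 2
  done
  die "postgresql-quay did not become ready within 120s"
}

wait_for_db
psql_admin quay 'CREATE EXTENSION IF NOT EXISTS pg_trgm'

## Redis on the pod - same network namespace, so Quay reaches it at localhost:6379.
podman run -d --pod quay-all-in-one --name redis \
  -e REDIS_PASSWORD="$REDIS_PASSWORD" \
  "$REDIS_IMAGE"

## Clair database. Owned by quayuser because Clair connects as that role (as in the
## original); a dedicated role would be the tighter split.
psql_admin postgres 'CREATE DATABASE clair OWNER quayuser'
psql_admin clair 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp"'

# sslmode=disable is tolerable only because the connection never leaves the pod.
cat > "$QUAY/clair/config.yaml" <<EOF
http_listen_addr: :9091
introspection_addr: :9099
log_level: ${CLAIR_LOG_LEVEL}
indexer:
  connstring: host=localhost port=5432 dbname=clair user=quayuser password=${DB_PASSWORD} sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=localhost port=5432 dbname=clair user=quayuser password=${DB_PASSWORD} sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=localhost port=5432 dbname=clair user=quayuser password=${DB_PASSWORD} sslmode=disable
  delivery_interval: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: "${CLAIR_PSK}"
    iss: ["quay"]
EOF
chmod 640 "$QUAY/clair/config.yaml"

## Clair v4 in combo mode. The host trust bundle (which now includes quay.crt) is
## mounted so Clair can fetch layers from https://${domain}:8443.
podman run -d --pod quay-all-in-one --name clairv4 \
  -e CLAIR_CONF=/config/config.yaml -e CLAIR_MODE=combo \
  -v "$QUAY/clair:/config:Z" \
  -v /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:z \
  -v /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:z \
  "$CLAIR_IMAGE"

## Quay on the pod - same network namespace.
podman run -d --pod quay-all-in-one \
  --name=quay \
  -v "$QUAY/config:/conf/stack:Z" \
  -v "$QUAY/storage:/datastorage:Z" \
  "$QUAY_IMAGE"

## Repository-mirror worker, sharing Quay's config directory.
podman run -d --pod quay-all-in-one --name mirroring-worker \
  -v "$QUAY/config:/conf/stack:Z" \
  "$QUAY_IMAGE" repomirror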

ralvares commented Apr 4, 2021

Exposing registry on port (https) 8443


ralvares commented Apr 5, 2021

Enable clairv4
