From e304b3ec3dec4037484f6c134308dfc45034b019 Mon Sep 17 00:00:00 2001 From: vsoch Date: Sun, 20 Aug 2017 23:50:37 -0400 Subject: [PATCH] updating docs --- docker-compose.yml | 1 + docs/README.md | 6 +- docs/client.md | 2 + docs/config.md | 77 ------------------- docs/deployment.md | 19 +++++ docs/setup.md | 73 ++++++++++++++++++ .../users/management/commands/add_admin.py | 68 ++++++++++++++++ .../management/commands/add_superuser.py | 11 ++- .../users/management/commands/remove_admin.py | 68 ++++++++++++++++ .../management/commands/remove_superuser.py | 11 ++- 10 files changed, 244 insertions(+), 92 deletions(-) delete mode 100644 docs/config.md create mode 100644 docs/setup.md create mode 100644 shub/apps/users/management/commands/add_admin.py create mode 100644 shub/apps/users/management/commands/remove_admin.py diff --git a/docker-compose.yml b/docker-compose.yml index d5ac3514..5e9c851b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,6 +7,7 @@ uwsgi: volumes: - .:/code - ./static:/var/www/static + - ./images:/var/www/images links: - redis - db diff --git a/docs/README.md b/docs/README.md index 5aa5aeba..f551017b 100644 --- a/docs/README.md +++ b/docs/README.md @@ -8,10 +8,10 @@ Hello there! It's so great that you want to use Singularity Registry. Let's get ## Deploy a Registry - - [introduction](introduction.md): Coverts some background and basic information. + - [introduction](introduction.md): Covers some background and basic information. - [deployment](deployment.md): will cover installing dependencies, configuring the web server, setting up variables and paths to the file system, and starting the application. - - [configuration](): covers how to create an admin ("super user") and register the application. - - [api](): some basics about the api. Most of this usage documentation will live with the client, provided by [singularity-python](https://www.github.com/singularityware/singularity-python). + - [setup](setup.md): setting up the running application, including user accounts and application registration. + - [client](client.md): how to interact with your registry to push and pull images. @vsoch wants [your input!](https://www.github.com/singularityhub/sregistry/issues) This registry is driven by desire and need for clusters small and large, so if you don't tell me what you want, how will I know that you want it? diff --git a/docs/client.md b/docs/client.md index 5d535697..c864a5de 100644 --- a/docs/client.md +++ b/docs/client.md @@ -137,3 +137,5 @@ sregistry labels --value vanessasaur # A specific key and value sregistry labels --key maintainer --value vanessasaur ``` + +That's all for now folks! We will next be writing up interaction with the registry with Singularity proper, and other details like visualizations, sharing, views, labels, and topic tags. diff --git a/docs/config.md b/docs/config.md deleted file mode 100644 index 169f56c9..00000000 --- a/docs/config.md +++ /dev/null @@ -1,77 +0,0 @@ -# Getting Started -By the time you get here, you have added all required secrets and settings to your [settings](../shub/settings) folder, and you've built and started the image. Next, you should navigate to [http://127.0.0.1](http://127.0.0.1) (localhost) to make sure the registry is up and running. If you need to look at logs or shell into the image to poke around, here are your debugging gotos: - - -``` -docker ps # gets you the image ids -docker-compose logs worker # show me the logs of the worker instance -docker-compose logs nginx # logs for the main application - -``` - -and to shell in to an image, you can do the following: - -``` -NAME=$(docker ps -aqf "name=sregistry_uwsgi_1") -docker exec -it ${NAME} bash -``` - -When you see the interface, click Login on the top right and log in with your social account of choice. This will create a user account for yourself that you can use to manage the application. - - -## The Application Manager -At this point, you've started the application, and created a user with your social auth. Your username is in the top right, and it's usually the same as your social account. Keep this in mind because you will need it when you shell into the image to make yourself a superuser. Let's first shell inside: - -``` -NAME=$(docker ps -aqf "name=sregistry_uwsgi_1") -docker exec -it ${NAME} bash -``` - -you will find yourself in a directory called `/code`, which is where the main application lives. For administration you will be using the file [manage.py](../manage.py) to interact with the registry. If you want to see all the different options, type `python manage.py` and it will show you. - -Let's first make yourself a superuser, meaning that you are an administrator **and** manager of the registry. You will be able to set other people as managers, who can push images but not be admins. In summary: - - - `superuser`: you are an admin that can do anything, and you can pull images like managers. - - `manager`: you can push images, but not admin the registry - -Of course anyone that shells into your Docker image could just explode everything - it's up to you to secure and manage the server itself! Let's say my username is `vsoch`. Here is the command I would run: - -```bash -# Inside the image, here is how you would do it -$ python manage.py add_superuser --username vsoch -DEBUG Username: vsoch -DEBUG vsoch can now manage and build. - -``` -# And from outside the Docker image - -NAME=$(docker ps -aqf "name=sregistry_uwsgi_1") -docker exec $NAME python /code/manage.py add_superuser --username vsoch -``` - -You can also choose to remove a superuser at any time. This means he or she will no longer be able to build and access the token and secret to do so. - - -``` -# Inside the image -$ python manage.py remove_superuser --username vsoch -# Outside -NAME=$(docker ps -aqf "name=sregistry_uwsgi_1") -docker exec $NAME python /code/manage.py remove_superuser --username vsoch -``` - - -## Adding users to a registry -A user that stumbles on your web interface can easily authenticate with a social account to look around. If you are OK with this, then we are good to go. However, in the case that you don't have a web UI, you can add users from the command line. Do this with caution, as it will be a username/password stored in the database, and not have a nice token / refresh token flow. - -Let's say that we have a user with username `sputnick` and we want to add him to the registry. That would look like this: - -``` -python manage.py add_registry_user --username sputnick --password sputnick - -DEBUG Username: sputnick -DEBUG Password: provided -DEBUG sputnick created successfully. -``` - -Great! Next you probably want to learn about how the [API]() works, which means granting tokens to admins to push built images, and connecting your registry to Singularity to make the images pull-able. diff --git a/docs/deployment.md b/docs/deployment.md index ce347cb9..d20ffa15 100644 --- a/docs/deployment.md +++ b/docs/deployment.md @@ -174,6 +174,25 @@ cp $INSTALL_ROOT/sregistry/scripts/nginx-index.html /var/www/html/index.html rm /var/www/html/index.nginx-debian.html ``` +If you don't care about user experience during updates and server downtime, you can just ignore this. + +### Storage +The containers that you upload to your registry will be stored "inside" the Docker container, specifically at the location `/var/www/images`. By default, we map this location to the host in the base directory of `sregistry` in a folder called `images`. Equally, we map static web files to a folder named `static`. If you look in the [docker-compose.yml](docker-compose.yml) that looks something like this: + + +``` + - ./static:/var/www/static + - ./images:/var/www/images +``` + +The line reads specifically "map `./images` (the folder "images" in the base directory sregistry on the host) to (`:`) the folder `/var/www/images` (inside the container). This means a few important things: + + - if you container goes away and dies, your image files do not. If the folder wasn't mapped, this wouldn't be the case. + - when the container is running, since Docker is run as sudo, you won't be able to interact with the files without sudo either. + +Thus, you are free to test different configurations of mounting this folder. If you find a more reasonable default than is set, please [let us know!](https://www.github.com/singularityhub/sregistry/issues). + + ### SSL Getting https certificates is really annoying, and getting `dhparams.pem` takes forever. But after the domain is obtained, it's important to do. Again, remember that we are working on the host, and we have an nginx server running. You should follow the instructions (and I do this manually) in [generate_cert.sh](../scripts/generate_cert.sh). It basically comes down to: diff --git a/docs/setup.md b/docs/setup.md new file mode 100644 index 00000000..551f8965 --- /dev/null +++ b/docs/setup.md @@ -0,0 +1,73 @@ +# Setup +By the time you get here, you have added all required secrets and settings to your [settings](../shub/settings) folder, and you've built and started the image. Next, you should navigate to [http://127.0.0.1](http://127.0.0.1) (localhost) to make sure the registry is up and running. + +## Image Interaction +Before we work with accounts and other application setup, you need to know how to interact with the application, meaning Docker images. Here are the basic commands you should get comfortable with as an administrator of your registry. Note that these are really great for debugging too: + +``` +docker ps # gets you the image ids +docker-compose logs worker # show me the logs of the worker instance +docker-compose logs nginx # logs for the main application +docker-compose logs -f nginx # keep the logs open until I Control+C +``` + +and to shell in to an image, you can do the following: + +``` +NAME=$(docker ps -aqf "name=sregistry_uwsgi_1") +docker exec -it ${NAME} bash +``` + +## Accounts +To create your admin account, the first thing you need to do (in the web interface) is click Login on the top right. You should see the social account options that you configured in the [deployment](deployment.md) step. You can now log in with your social account of choice. This will create a user account for yourself that you can use to manage the application, and when you are logged in you should see your username in the top right. It usually corresponds with the one from your social account. + + +## The Application Manager +At this point, you've started the application, and created a user with your social auth. Your username is in the top right, and it's usually the same as your social account. Keep this in mind because you will need it when you shell into the image to make yourself a superuser. Let's first shell inside: + +``` +NAME=$(docker ps -aqf "name=sregistry_uwsgi_1") +docker exec -it ${NAME} bash +``` + +you will find yourself in a directory called `/code`, which is where the main application lives. For administration you will be using the file [manage.py](../manage.py) to interact with the registry. If you want to see all the different options, type `python manage.py` and it will show you. + +Let's first make yourself a superuser and an admin, meaning that you are an administrator **and** have godlevel control of the registry. Just by way of being inside the Docker image you already have that. You will be able to set other people as admins. In summary: + + - `superuser`: you are an admin that can do anything, you have all permissions. + - `admin`: you can push images, but not have significant impact on the registry application. + +Of course anyone that shells into your Docker image could just explode everything - it's up to you to secure and manage the server itself! Let's say my username is `vsoch`. Here is the command I would run to make myself a superuser and admin. Note that we are inside the Docker image `sregistry_uwsgi_1`: + +```bash +$ python manage.py add_superuser --username vsoch +DEBUG Username: vsoch +DEBUG vsoch is now a superuser. + +$ python manage.py add_superuser --username vsoch +DEBUG Username: vsoch +DEBUG vsoch can now manage and build. +``` + +# And from outside the Docker image +NAME=$(docker ps -aqf "name=sregistry_uwsgi_1") +docker exec $NAME python /code/manage.py add_superuser --username vsoch +docker exec $NAME python /code/manage.py add_admin --username vsoch + +``` + +You can also choose to remove a superuser or admin at any time. This means he or she will no longer be able to build and access the token and secret to do so. + + +``` +# Inside the image +$ python manage.py remove_superuser --username vsoch +$ python manage.py remove_admin --username vsoch + +# Outside +NAME=$(docker ps -aqf "name=sregistry_uwsgi_1") +docker exec $NAME python /code/manage.py remove_superuser --username vsoch +docker exec $NAME python /code/manage.py remove_admin --username vsoch +``` + +Great! Now that you have your accounts, you probably want to learn about how to build and push images! You will need to read about the [client](client.md) to do this. diff --git a/shub/apps/users/management/commands/add_admin.py b/shub/apps/users/management/commands/add_admin.py new file mode 100644 index 00000000..0e64014d --- /dev/null +++ b/shub/apps/users/management/commands/add_admin.py @@ -0,0 +1,68 @@ +''' + +Copyright (c) 2017, Vanessa Sochat, All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +''' + +from django.core.management.base import ( + BaseCommand, + CommandError +) + +from shub.apps.users.models import User +from shub.logger import bot +import re + +class Command(BaseCommand): + '''add admin will add admin and manager privs singularity + registry. The super user is an admin that can build, delete, + and manage images + ''' + def add_arguments(self, parser): + # Positional arguments + parser.add_argument('--username', dest='username', default=None, type=str) + + help = "Generates an admin for the registry." + def handle(self,*args, **options): + if options['username'] is None: + raise CommandError("Please provide a username with --username") + + bot.debug("Username: %s" %options['username']) + + try: + user = User.objects.get(username=options['username']) + except User.DoesNotExist: + raise CommandError("This username does not exist.") + + if user.admin is True: #and user.manager is True: + raise CommandError("This user can already manage and build.") + + user.admin = True + #user.manager = True + user.save() + bot.debug("%s can now manage and build." %(user.username)) diff --git a/shub/apps/users/management/commands/add_superuser.py b/shub/apps/users/management/commands/add_superuser.py index 039f7e20..ccc7b92f 100644 --- a/shub/apps/users/management/commands/add_superuser.py +++ b/shub/apps/users/management/commands/add_superuser.py @@ -47,7 +47,7 @@ def add_arguments(self, parser): # Positional arguments parser.add_argument('--username', dest='username', default=None, type=str) - help = "Generates a superuser for the registry. Only for admins." + help = "Generates a superuser for the registry." def handle(self,*args, **options): if options['username'] is None: raise CommandError("Please provide a username with --username") @@ -59,10 +59,9 @@ def handle(self,*args, **options): except User.DoesNotExist: raise CommandError("This username does not exist.") - if user.admin is True and user.manager is True: - raise CommandError("This user can already manage and build.") + if user.is_superuser is True: + raise CommandError("This user is already a superuser.") - user.admin = True - user.manager = True + user.is_superuser = True user.save() - bot.debug("%s can now manage and build." %(user.username)) + bot.debug("%s is now a superuser." %(user.username)) diff --git a/shub/apps/users/management/commands/remove_admin.py b/shub/apps/users/management/commands/remove_admin.py new file mode 100644 index 00000000..cb30ff82 --- /dev/null +++ b/shub/apps/users/management/commands/remove_admin.py @@ -0,0 +1,68 @@ +''' + +Copyright (c) 2017, Vanessa Sochat, All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +''' + +from django.core.management.base import ( + BaseCommand, + CommandError +) + +from shub.apps.users.models import User +from shub.logger import bot +import re + +class Command(BaseCommand): + '''remove admin will remove admin privs for a singularity + registry. The super user is an admin that can build, delete, + and manage images + ''' + def add_arguments(self, parser): + # Positional arguments + parser.add_argument('--username', dest='username', default=None, type=str) + + help = "Removes admin priviledges for the registry." + def handle(self,*args, **options): + if options['username'] is None: + raise CommandError("Please provide a username with --username") + + bot.debug("Username: %s" %options['username']) + + try: + user = User.objects.get(username=options['username']) + except User.DoesNotExist: + raise CommandError("This username does not exist.") + + if user.admin is False: #and user.manager is False: + raise CommandError("This user already can't manage and build.") + + user.admin = False + #user.manager = False + bot.debug("%s can no longer manage and build." %(user.username)) + user.save() diff --git a/shub/apps/users/management/commands/remove_superuser.py b/shub/apps/users/management/commands/remove_superuser.py index bb4f6523..2ce0b409 100644 --- a/shub/apps/users/management/commands/remove_superuser.py +++ b/shub/apps/users/management/commands/remove_superuser.py @@ -47,7 +47,7 @@ def add_arguments(self, parser): # Positional arguments parser.add_argument('--username', dest='username', default=None, type=str) - help = "Removes superuser priviledges for the registry. Only for admins." + help = "Removes superuser priviledges for the registry." def handle(self,*args, **options): if options['username'] is None: raise CommandError("Please provide a username with --username") @@ -59,10 +59,9 @@ def handle(self,*args, **options): except User.DoesNotExist: raise CommandError("This username does not exist.") - if user.admin is False and user.manager is False: - raise CommandError("This user already can't manage and build.") + if user.is_superuser is False: + raise CommandError("This user already is not a superuser.") - user.admin = False - user.manager = False - bot.debug("%s can no longer manage and build." %(user.username)) + user.is_superuser = False + bot.debug("%s is no longer a superuser." %(user.username)) user.save()