From a41b1a3dd979febde2f7e37ea3722657e7e31393 Mon Sep 17 00:00:00 2001 
From: Gerrod Ubben Date: Mon, 23 Sep 2024 15:44:05 -0400 Subject: [PATCH] Make staging docs the new docs [noissue] --- docs/CHANGES.md | 14 - .../admin/guides/configure-certificates.md | 0 .../guides/configure-database-encryption.md | 0 .../admin/guides/configure-signing-service.md | 0 .../guides/deploy-multi-process-images.md | 0 ...migrate-pulp-installer-to-multi-process.md | 0 {staging_docs => docs}/admin/learn/.gitkeep | 0 .../admin/reference/available-images/index.md | 0 .../available-images/multi-process-images.md | 0 .../available-images/single-process-images.md | 0 .../admin/tutorials/quickstart.md | 0 docs/certificates.md | 171 -------- docs/database-encryption.md | 19 - .../dev/guides/release-image.md | 0 docs/developer-instructions.md | 17 - docs/images/pulp_logo_big.png | Bin 9626 -> 0 bytes docs/index.md | 13 +- ...gration-pulp-installer-to-multi-process.md | 322 --------------- docs/multi-process-images.md | 382 ------------------ docs/overrides/main.html | 12 - docs/quickstart.md | 172 -------- docs/signing_script.md | 215 ---------- docs/single-process-images.md | 101 ----- staging_docs/index.md | 12 - 24 files changed, 12 insertions(+), 1438 deletions(-) delete mode 100644 docs/CHANGES.md rename {staging_docs => docs}/admin/guides/configure-certificates.md (100%) rename {staging_docs => docs}/admin/guides/configure-database-encryption.md (100%) rename {staging_docs => docs}/admin/guides/configure-signing-service.md (100%) rename {staging_docs => docs}/admin/guides/deploy-multi-process-images.md (100%) rename {staging_docs => docs}/admin/guides/migrate-pulp-installer-to-multi-process.md (100%) rename {staging_docs => docs}/admin/learn/.gitkeep (100%) rename {staging_docs => docs}/admin/reference/available-images/index.md (100%) rename {staging_docs => docs}/admin/reference/available-images/multi-process-images.md (100%) rename {staging_docs => docs}/admin/reference/available-images/single-process-images.md (100%) rename {staging_docs => 
docs}/admin/tutorials/quickstart.md (100%) delete mode 100644 docs/certificates.md delete mode 100644 docs/database-encryption.md rename {staging_docs => docs}/dev/guides/release-image.md (100%) delete mode 100644 docs/developer-instructions.md delete mode 100644 docs/images/pulp_logo_big.png mode change 120000 => 100644 docs/index.md delete mode 100644 docs/migration-pulp-installer-to-multi-process.md delete mode 100644 docs/multi-process-images.md delete mode 100644 docs/overrides/main.html delete mode 100644 docs/quickstart.md delete mode 100644 docs/signing_script.md delete mode 100644 docs/single-process-images.md delete mode 100644 staging_docs/index.md diff --git a/docs/CHANGES.md b/docs/CHANGES.md deleted file mode 100644 index 52aa054a..00000000 --- a/docs/CHANGES.md +++ /dev/null @@ -1,14 +0,0 @@ -Changelog -========= - - - - diff --git a/staging_docs/admin/guides/configure-certificates.md b/docs/admin/guides/configure-certificates.md similarity index 100% rename from staging_docs/admin/guides/configure-certificates.md rename to docs/admin/guides/configure-certificates.md diff --git a/staging_docs/admin/guides/configure-database-encryption.md b/docs/admin/guides/configure-database-encryption.md similarity index 100% rename from staging_docs/admin/guides/configure-database-encryption.md rename to docs/admin/guides/configure-database-encryption.md diff --git a/staging_docs/admin/guides/configure-signing-service.md b/docs/admin/guides/configure-signing-service.md similarity index 100% rename from staging_docs/admin/guides/configure-signing-service.md rename to docs/admin/guides/configure-signing-service.md diff --git a/staging_docs/admin/guides/deploy-multi-process-images.md b/docs/admin/guides/deploy-multi-process-images.md similarity index 100% rename from staging_docs/admin/guides/deploy-multi-process-images.md rename to docs/admin/guides/deploy-multi-process-images.md 
diff --git a/staging_docs/admin/guides/migrate-pulp-installer-to-multi-process.md b/docs/admin/guides/migrate-pulp-installer-to-multi-process.md similarity index 100% rename from staging_docs/admin/guides/migrate-pulp-installer-to-multi-process.md rename to docs/admin/guides/migrate-pulp-installer-to-multi-process.md diff --git a/staging_docs/admin/learn/.gitkeep b/docs/admin/learn/.gitkeep similarity index 100% rename from staging_docs/admin/learn/.gitkeep rename to docs/admin/learn/.gitkeep diff --git a/staging_docs/admin/reference/available-images/index.md b/docs/admin/reference/available-images/index.md similarity index 100% rename from staging_docs/admin/reference/available-images/index.md rename to docs/admin/reference/available-images/index.md diff --git a/staging_docs/admin/reference/available-images/multi-process-images.md b/docs/admin/reference/available-images/multi-process-images.md similarity index 100% rename from staging_docs/admin/reference/available-images/multi-process-images.md rename to docs/admin/reference/available-images/multi-process-images.md diff --git a/staging_docs/admin/reference/available-images/single-process-images.md b/docs/admin/reference/available-images/single-process-images.md similarity index 100% rename from staging_docs/admin/reference/available-images/single-process-images.md rename to docs/admin/reference/available-images/single-process-images.md diff --git a/staging_docs/admin/tutorials/quickstart.md b/docs/admin/tutorials/quickstart.md similarity index 100% rename from staging_docs/admin/tutorials/quickstart.md rename to docs/admin/tutorials/quickstart.md diff --git a/docs/certificates.md b/docs/certificates.md deleted file mode 100644 index 2710c0a0..00000000 --- a/docs/certificates.md +++ /dev/null 
@@ -1,171 +0,0 @@ -# CERTIFICATES - -By default, running the Multi-Process image with https image tag (`pulp/pulp:https`) will create and configure a self-signed certificate in Nginx. -This documentation provide the steps to configure a custom certificate instead of using the provided self-signed. - -There are a lot of excelent tools to generate X.509 certificates, like [`OpenSSL`](https://github.com/openssl/openssl), [`Vault`](https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine), [Let's Encrypt](https://letsencrypt.org/getting-started/), etc. -It is out of scope of this document to provide the steps to install or configure them. - -> :information_source: The following steps are meant to be a starting point to create a **test** certificate and configure it in Pulp multi-process containers. - - -## GENERATING A NEW CERTIFICATE - -> :information_source: The following steps are optional in case a certificate is already available. - -The current image of Pulp multi-process container comes with `openssl` installed. -It also comes with an [init script](https://github.com/pulp/pulp-oci-images/blob/latest/images/s6_assets/init/certs) that generates a default certificate in case none is provided. 
- -Here is an example of how to create a new custom certificate using `openssl`: -* create a self-signed certificate with `Subject: CN=$MY_DOMAIN` and the additional hosts (SubjectAlternativeName) `$CERT_SAN` -```console -$ podman exec -it pulp bash -[root@f14649b06e01 /]# MY_DOMAIN=pulp.example.com -[root@f14649b06e01 /]# CERTS_DIR=/etc/pulp/certs -[root@f14649b06e01 /]# CERT_SAN="subjectAltName=IP:0.0.0.0,DNS:pulp,DNS:pulp.example.com,DNS:localhost" -[root@f14649b06e01 /]# openssl req -x509 -nodes -newkey rsa:2048 -keyout ${CERTS_DIR}/pulp_webserver.key -out ${CERTS_DIR}/pulp_webserver.crt -days 365 -subj "/CN=$MY_DOMAIN" -addext $CERT_SAN -[root@f14649b06e01 /]# chgrp pulp ${CERTS_DIR}/pulp_webserver.crt ${CERTS_DIR}/pulp_webserver.key -``` - -* check the certificate content -```console -[root@c20257cd4dd4 /]# openssl x509 -noout -text -in ${CERTS_DIR}/pulp_webserver.crt -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 7a:ff:8d:e3:92:02:bf:6e:ad:76:ea:45:1c:80:ea:fd:49:c2:da:5e - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN = pulp.example.com - Validity - Not Before: Dec 13 13:17:29 2022 GMT - Not After : Dec 13 13:17:29 2023 GMT - Subject: CN = pulp.example.com - Subject Public Key Info: -... -``` - - -## CONFIGURING A CUSTOM SERVER CERTIFICATE IN NGINX - -### **Configuring the new custom certificate** - -To use the custom certificate created using the steps from [*GENERATING A NEW CERTIFICATE*](#generating-a-new-certificate): -* copy the certificates into `/etc/pki/tls/certs/` directory: -> :warning: make sure to not modify the destination file names and path (`/etc/pki/tls/certs/pulp_webserver.crt` and `/etc/pki/tls/private/pulp_webserver.key`) because these are the names configured in Nginx -```console -$ podman exec -it pulp bash -[root@f14649b06e01 /]# cp /etc/pulp/certs/pulp_webserver.crt /etc/pki/tls/certs/pulp_webserver.crt -cp: overwrite '/etc/pki/tls/certs/pulp_webserver.crt'? 
y -[root@f14649b06e01 /]# cp /etc/pulp/certs/pulp_webserver.key /etc/pki/tls/private/pulp_webserver.key -cp: overwrite '/etc/pki/tls/private/pulp_webserver.key'? y -``` - -* restart nginx process to get the new certificate -``` -$ podman exec pulp s6-svc -r /run/service/nginx -``` - -* verify that Nginx is now using the new certificate -``` -$ podman exec pulp openssl s_client -connect pulp:443 -Can't use SSL_get_servername -depth=0 CN = pulp.example.com -verify error:num=18:self signed certificate -verify return:1 -depth=0 CN = pulp.example.com -verify return:1 -CONNECTED(00000003) ---- -Certificate chain - 0 s:CN = pulp.example.com - i:CN = pulp.example.com ---- -Server certificate ------BEGIN CERTIFICATE----- -MIIDTTCCAjWgAwIBAgIUZFS+5+hhWrM270+X+k8vpfwIQL8wDQYJKoZIhvcNAQEL -BQAwGzEZMBcGA1UEAwwQcHVscC5leGFtcGxlLmNvbTAeFw0yMjEyMTQxNzMxMzda -Fw0yMzEyMTQxNzMxMzdaMBsxGTAXBgNVBAMMEHB1bHAuZXhhbXBsZS5jb20wggEi -... ------END CERTIFICATE----- -subject=CN = pulp.example.com -issuer=CN = pulp.example.com -``` - -### **Configuring an existing certificate** - -It is also possible to bring your own company certificate instead of creating a new one through [*GENERATING A NEW CERTIFICATE*](#generating-a-new-certificate) steps. - -* copy the certificates into `/etc/pulp/certs/` directory. 
This will prevent having to copy the certificates again in case of a container reprovisioning (the certificates will be persisted in container volume): -```console -$ podman cp my-company-generated-certificate.crt pulp:/etc/pulp/certs/pulp_webserver.crt -$ podman cp my-company-generated-certificate.key pulp:/etc/pulp/certs/pulp_webserver.key -``` - -* now, copy the certificates into `/etc/pki/tls/certs/` directory: -> :warning: make sure to not modify the destination file names and path (`/etc/pki/tls/certs/pulp_webserver.crt` and `/etc/pki/tls/private/pulp_webserver.key`) because these are the names configured in Nginx -```console -$ podman exec -it pulp bash -[root@f14649b06e01 /]# cp /etc/pulp/certs/pulp_webserver.crt /etc/pki/tls/certs/pulp_webserver.crt -cp: overwrite '/etc/pki/tls/certs/pulp_webserver.crt'? y -[root@f14649b06e01 /]# cp /etc/pulp/certs/pulp_webserver.key /etc/pki/tls/private/pulp_webserver.key -cp: overwrite '/etc/pki/tls/private/pulp_webserver.key'? y -``` - -* restart nginx process to get the new certificate -``` -$ podman exec pulp s6-svc -r /run/service/nginx -``` - - -* verify that Nginx is now using the new certificate -``` -$ podman exec pulp openssl s_client -connect pulp:443 -Can't use SSL_get_servername -depth=0 CN = /test -depth=0 CN = /test -CONNECTED(00000003) ---- -Certificate chain - 0 s:CN = my-company-domain - i:CN = my-company-domain ---- -Server certificate ------BEGIN CERTIFICATE----- -MIIDTTCCAjWgAwIBAgIUZFS+5+hhWrM270+X+k8vpfwIQL8wDQYJKoZIhvcNAQEL -BQAwGzEZMBcGA1UEAwwQcHVscC5leGFtcGxlLmNvbTAeFw0yMjEyMTQxNzMxMzda -Fw0yMzEyMTQxNzMxMzdaMBsxGTAXBgNVBAMMEHB1bHAuZXhhbXBsZS5jb20wggEi -... ------END CERTIFICATE----- -subject=CN = my-company-domain -issuer=CN = my-company-domain -``` - -## SETTING UP ADDITIONAL TRUSTED CAs - -Use the following steps to set up additional certificate authorities (CA) to be trusted by the services running in Pulp container. 
- -```console -$ podman cp my-company-CA.crt pulp:/etc/pki/ca-trust/source/anchors/ -$ podman exec pulp update-ca-trust -``` - -* check the ca-trust list -```console -$ podman exec pulp grep pulp.example.com -A20 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -# pulp.example.com ------BEGIN TRUSTED CERTIFICATE----- -MIIDFzCCAf+gAwIBAgIUBd+SIbUJPVSgO2jR9mgtoGfRo3IwDQYJKoZIhvcNAQEL -BQAwGzEZMBcGA1UEAwwQcHVscC5leGFtcGxlLmNvbTAeFw0yMjEyMTMxMzI1MDFa -... ------END TRUSTED CERTIFICATE----- -``` - -To avoid having to run these steps everytime a new container is provisioned, it is also possible to create a new image with the CA built in it: -```console -$ cat< /etc/pulp/certs/database_fields.symmetric.key -chmod 640 /etc/pulp/certs/database_fields.symmetric.key -chown root:pulp /etc/pulp/certs/database_fields.symmetric.key -``` - -## ROTATING THE DATABASE ENCRYPTION KEY - -It is **not** possible to rotate the database encryption key yet. -Check `pulpcore` [issue #2048](https://github.com/pulp/pulpcore/issues/2048) for further information: https://github.com/pulp/pulpcore/issues/2048 \ No newline at end of file diff --git a/staging_docs/dev/guides/release-image.md b/docs/dev/guides/release-image.md similarity index 100% rename from staging_docs/dev/guides/release-image.md rename to docs/dev/guides/release-image.md diff --git a/docs/developer-instructions.md b/docs/developer-instructions.md deleted file mode 100644 index ec212b1f..00000000 --- a/docs/developer-instructions.md +++ /dev/null 
@@ -1,17 +0,0 @@ -# Developer instructions - -## Release instructions (multi-process images) - -We maintain a container tag for every pulpcore y-release (e.g. 3.7, 3.8, ...). When there's a -pulpcore z-release, the existing y-release branch is built and published again. - -### Pulpcore Y release - -* First create a new release branch in this pulp-oci-images repo for the prior Y release - (if it does not already exist.) So if you are releasing 3.23, create the 3.22 branch. -* Update PULPCORE_VERSION in the following files on the prior Y release branch - (see [here](https://github.com/pulp/pulp-oci-images/pull/61/files) as an example, albeit of only 1 file): - * images/pulp/stable/Containerfile - * images/pulp-minimal/stable/Containerfile.core -* Update `branches` on the latest branch `.ci/scripts/update_ci_branches.py` to include the prior Y release. - (Once merged, it will trigger a build of the new released version from the latest branch.) 
diff --git a/docs/images/pulp_logo_big.png b/docs/images/pulp_logo_big.png deleted file mode 100644 index 9edae704c7022cf571720b9888be6a4ee697170f..0000000000000000000000000000000000000000 GIT binary patch
diff --git a/docs/index.md b/docs/index.md deleted file mode 120000 index 32d46ee8..00000000 --- a/docs/index.md +++ /dev/null @@ -1 +0,0 @@ -../README.md \ No newline at end of file diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 00000000..31ad693b --- /dev/null +++ b/docs/index.md @@ -0,0 +1,12 @@ +# Welcome to Pulp OCI-images + +The [pulp-oci-images](https://github.com/pulp/pulp-oci-images) repository is used to provide container images for running Pulp. +These images represent the preferred methods for installing Pulp. +They are also used by [Pulp Operator](site:pulp-operator). + +You may want to check: + +- [Quickstart Tutorial](site:pulp-oci-images/docs/admin/tutorials/quickstart/): get up and running real quick. +- [Available Images](site:pulp-oci-images/docs/admin/reference/available-images/), choose what best fits your needs. +- The *How-to Guides*: learn how to achieve some specific tasks. +- [OCI Website](https://opencontainers.org/): learn more about the Open Container Initiative. diff --git a/docs/migration-pulp-installer-to-multi-process.md b/docs/migration-pulp-installer-to-multi-process.md deleted file mode 100644 index cae551bf..00000000 --- a/docs/migration-pulp-installer-to-multi-process.md +++ /dev/null 
@@ -1,322 +0,0 @@ -# Migrating from pulp_installer to a multi-process container - -## Overview - -These instructions will migrate you from a [pulp_installer deployment](https://docs.pulpproject.org/pulp_installer/) to a [multi-process container deployment](multi-process-images). - -The same host will be running Pulp, but in a container now. - -All of pulp_installer 3.23's supported distros are documented, but instructions will have extra steps depending upon the PostgreSQL version (the container runs PostgreSQL 13). These steps are all listed in the instructions per distro, but here is an overview: - -| Distro | PostgreSQL Version | Extra Steps | -| ------ | ------------------ | ------------- | -| Debian 11 | 13 | | -| EL7 | 10 | Dump and restore the database | -| EL8 | 10 | Dump and restore the database | -| EL9 | 13 | | -| Fedora 33 | 12 | Starting the container will take longer the 1st time | -| Fedora 34 | 13 | | -| Fedora 35 | 13 | | -| Fedora 36 | 14 | PostgreSQL must remain running on the host | -| Ubuntu 22.04 | 14 | PostgreSQL must remain running on the host | - -## Limitations - -1. All of your existing installed plugins must be installed in the multi-process container image. See the list of installed plugins [here.](multi-process-images#available-images) - -## Prerequisites - -1. Either [podman](https://podman.io/getting-started/installation) or -[docker](https://docs.docker.com/engine/install/)/[moby-engine](https://mobyproject.org/) -must be installed on the host. -2. If you are running podman in rootless mode (which is recommended for security), make sure your user account has subuid's and subgid's (the default behavior for new acconts on many Linux distros.) See [this guide](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#etcsubuid-and-etcsubgid-configuration) to verify / set this up. -3. 
If you are running docker/moby-engine, either the user account is in the docker group, or you preface `docker` commands with `sudo`. - -## Assumptions - -1. The directory you run the commands in is one where you want the Pulp data and configuration directories to reside under. You can actually let them reside in their current (pulp_installer defaulted or specified) directories on the system if you'd prefer, just specify the absolute folder paths in the commands below, and do not run the move commands. -2. If you are running rootless podman, you are running `podman` commands from the account that the container will run under. -3. sudo commands are run under an account that actually has sudo. This need not necessarily be the rootless podman account, but if it isn't, substitute `$USER:$(id -gn)` with the user and primary group (seperated by a colon) of the rootless podman account. -4. If you are running docker, substitue `docker` for `podman` in the commands. - -## Step-By-Step-Guide - -### Disable and stop the Pulp service - -``` -sudo systemctl disable --now pulpcore -``` - -### Configure PostgreSQL to listen on all network interfaces (Fedora 36 and Ubuntu 22.04 only) - -This is necessary for container networks to access PostgreSQL. - -Ensure this line is in `/var/lib/pgsql/data/pg_hba.conf` (Fedora 36) / `/etc/postgresql/14/main/pg_hba.conf` (Ubuntu 22.04): -``` -host all all 0.0.0.0/0 md5 -``` - -Ensure this line is in `/var/lib/pgsql/data/postgresql.conf` (Fedora 36) / `/etc/postgresql/14/main/postgresql.conf` (Ubuntu 22.04): -``` -listen_addresses = '*' -``` - -Run: -``` -sudo systemctl restart postgresql -``` - -### Dump the PostgreSQL database (EL7 and EL8 only) - -``` -sudo -u postgres pg_dumpall > /tmp/dump.sql -``` - -Verify that this command outputs "0", which indicates that the dump was successful. - -``` -echo $? 
-``` - -``` -sudo mv /tmp/dump.sql /var/lib/pgsql -``` - -### Disable/restart the third-party services - -On Fedora 36: -``` -sudo systemctl disable --now nginx redis -``` -On Ubuntu 22.04: -``` -sudo systemctl disable --now nginx redis-server -``` -On on EL, or Fedora prior to 36: -``` -sudo systemctl disable --now postgresql nginx redis -``` -On Debian 11: -``` -sudo systemctl disable --now postgresql nginx redis-server -``` - - -### Manage the Pulp storage directory - -1st, move the directory: - -``` -sudo mv /var/lib/pulp/ pulp_storage -``` - -Next change ownership of the directory: - -If running rootless podman: -``` -sudo chown -R $USER:$(id -gn) pulp_storage -podman unshare chown -R 700:700 pulp_storage -``` - -If running podman as root, or docker: -``` -sudo chown -R 700:700 pulp_storage -``` - -### Manage the Pulp configuration directory - -1st, move the directory: -``` -sudo mv /etc/pulp settings -``` - -Next change ownership of the directory: - -If running rootless podman: -``` -sudo chown -R $USER:$(id -gn) settings -podman unshare chown -R 700:700 settings -``` -If running podman as root, or docker: -``` -sudo chown -R 700:700 settings -``` - -### Configure Pulp to talk to the database (Fedora 36 and Ubuntu 22.04 only) - -If running podman, modify `settings/settings.py` so that "DATABASE" includes: -``` -'HOST': 'host.containers.internal' -``` -An example of what the line will look like: -``` -DATABASES = {'default': {'HOST': 'host.containers.internal', 'ENGINE': 'django.db.backends.postgresql', 'NAME': 'pulp', 'USER': 'pulp', 'PASSWORD': 'pulp'}} -``` - -If running docker, modify `settings/settings.py` so that "DATABASE" includes: -``` -'HOST': 'host.docker.internal' -``` -An example of what the line will look like: -``` -DATABASES = {'default': {'HOST': 'host.docker.internal', 'ENGINE': 'django.db.backends.postgresql', 'NAME': 'pulp', 'USER': 'pulp', 'PASSWORD': 'pulp'}} -``` - -### Manage the PostgreSQL data directory (EL, Fedora prior to 36, and 
Debian 11 only) - -1st, move the directory: - -If on EL, or Fedora prior to 36 -``` -sudo mv /var/lib/pgsql pgsql -``` -If on Debian 11: -``` -sudo mv /var/lib/postgresql/13 pgsql -sudo mv pgsql/main pgsql/data -``` -If on EL7 or EL8: -``` -sudo mv pgsql/data pgsql/data_old -``` - -Next, if on Debian 11, move the config files: -``` -sudo mv /etc/postgresql/13/main/*.conf /etc/postgresql/13/main/conf.d/ pgsql/data/ -``` - -Next change ownership of the directory: - -If running rootless podman: -``` -sudo chown -R $USER:$(id -gn) pgsql -podman unshare chown -R 26:26 pgsql -``` -If running podman as root, or docker: -``` -sudo chown -R 26:26 pgsql -``` - -### Configure Postgres to be compatible with the EL8-based container (Debian 11 only) - -Backup `pgsql/data/postgresql.conf` before you modify it: -``` -sudo cp pgsql/data/postgresql.conf pgsql/data/postgresql.conf.old -``` - -Next, comment out the following lines in `pgsql/data/postgresql.conf`: -``` -data_directory -hba_file -ident_file -external_pid_file -unix_socket_directories -ssl -ssl_cert_file -ssl_key_file -cluster_name -stats_temp_directory -``` - -### Create an empty containers directory - -We do not bother to move `/var/lib/containers` because it is only ever used for temporary files by pulp_container, and may be used on the host for other purposes (like running podman): - -``` -mkdir containers -``` - -### Configure the system to allow listening on low ports (rootless podman only) - -The default ports for pulp_installer were 443 (with https, the default) or 80 (without https). - -If you are running rootless podman, and you wish to preserve the low port (anything under 1024) -that Pulp listens on (recommended to avoid reconfiguring clients), -you must configure the system to permit unprivileged -processes listening on low ports. 
- -Assuming the port is 443, run the following command: -``` -sudo sysctl net.ipv4.ip_unprivileged_port_start=443 -echo "net.ipv4.ip_unprivileged_port_start=443" | sudo tee /etc/sysctl.d/10-low_ports.conf -``` - -### Restore the database (EL7 or EL8 only) - -Run the container with the normal [command](multi-process-images#starting-the-container), but with `-it` instead of `-detach`, and with `/bin/bash` as the specified command. We also omit the "--publish 8080:80" -``` -podman run -it \ - --name pulp \ - --volume "$(pwd)/settings":/etc/pulp:Z \ - --volume "$(pwd)/pulp_storage":/var/lib/pulp:Z \ - --volume "$(pwd)/pgsql":/var/lib/pgsql:Z \ - --volume "$(pwd)/containers":/var/lib/containers:Z \ - --device /dev/fuse \ - pulp/pulp \ - /bin/bash -``` - -You will now be running commands in the container: -``` -su postgres -c "initdb -E UTF8 --locale=C.UTF-8 --pgdata=/var/lib/pgsql/data" -su postgres -c "pg_ctl start -D /var/lib/pgsql/data" -su postgres -c "psql -d postgres -f /var/lib/pgsql/dump.sql" -``` - -Verify that this next command outputs "0" to indicate that the database restore was successful. -``` -echo $? -``` - -``` -su postgres -c "pg_ctl stop -D /var/lib/pgsql/data" -``` - -Now exit the container: -``` -exit -``` - -Now delete the container (but not the data directories): -``` -podman rm pulp -``` - -### Run the container like normal. - -Run the container with the normal [command](multi-process-images#starting-the-container). - -There are 2 migration-specific exceptions to the instructions on that page. - -The 1st exception is the port that Pulp listens on. - -https is the default for pulp_installer, so see the https instructions on [that page](multi-process-images#starting-the-container) if you wish to continue running https. However, instead of specifying `--publish 8080:443` or `--publish 80:80`, specify `--publish 443:443`. This will keep Pulp listening on port 443, thus avoiding the need to reconfigure clients. 
This will be part of your new normal command. - -If you are not running https, the command below has been modified to listen on port 80 rather than -8080. `--publish 8080:80` has been replaced with `--publish 80:80`. This will be part of your new -normal command. - -The 2nd possible exception is for the pgsql directory and networking. - -If you are running podman on Fedora 36 or Ubuntu 22.04, leave out `--volume "$(pwd)/pgsql":/var/lib/pgsql:Z`, and add `--network slirp4netns:allow_host_loopback=true,cidr=10.0.100.0/24`. This will be part of your new normal command. - -If you are running docker on Fedora 36 or Ubuntu 22.04, leave out `--volume "$(pwd)/pgsql":/var/lib/pgsql:Z`, and add `--add-host=host.docker.internal:host-gateway`. This will be part of your new normal command. - -``` -podman run --detach \ - --publish 80:80 \ - --name pulp \ - --volume "$(pwd)/settings":/etc/pulp:Z \ - --volume "$(pwd)/pulp_storage":/var/lib/pulp:Z \ - --volume "$(pwd)/pgsql":/var/lib/pgsql:Z \ - --volume "$(pwd)/containers":/var/lib/containers:Z \ - --device /dev/fuse \ - pulp/pulp -``` - -It is recommended to view the container logs: -``` -podman logs -f pulp -``` - -If you are running Fedora 33, startup will take longer than usual as the database is migrated from PostgreSQL 12 to 13. This is done automatically using the image's built-in upgrade logic. diff --git a/docs/multi-process-images.md b/docs/multi-process-images.md deleted file mode 100644 index 2481dec5..00000000 --- a/docs/multi-process-images.md +++ /dev/null 
@@ -1,382 +0,0 @@ -# Multi-Process Images - -These images are also known as "Single Container", or "Pulp in One Container". - -Each image runs all 3 Pulp services (pulp-api, pulp-content and pulp-worker), -as well as Pulp's third-party services (nginx, postgresql and redis), -in one single container. - -## System Requirements - -Either [podman](https://podman.io/getting-started/installation) or -[docker](https://docs.docker.com/engine/install/)/[moby-engine](https://mobyproject.org/) -must be installed. - -Podman has been tested at versions as low as 1.6.4, which is available on CentOS/RHEL 7 and later. - -## Available images - -### pulp - -This image contains [Pulp](https://github.com/pulp/pulpcore) and the following plugins currently: - -- [pulp_ansible](https://docs.pulpproject.org/pulp_ansible/) -- [pulp-certguard](https://docs.pulpproject.org/pulp_certguard/) -- [pulp_container](https://docs.pulpproject.org/pulp_container/) -- [pulp_deb](https://docs.pulpproject.org/pulp_deb/) -- [pulp_file](https://docs.pulpproject.org/pulp_file/) -- [pulp_maven](https://docs.pulpproject.org/pulp_maven/) -- [pulp_python](https://docs.pulpproject.org/pulp_python/) -- [pulp_rpm](https://docs.pulpproject.org/pulp_rpm/) -- [pulp_ostree](https://docs.pulpproject.org/pulp_ostree/) - -This image can also function the same as the single-process image `pulp-minimal`. See the [Single-Process Images](single-process-images) page for usage. - -#### Tags - -- `stable`: Built nightly, with latest released version of each plugin. Also called `latest`. -- `nightly`: Built nightly, With master/main branches of each plugin. Also built with several - additional plugins that are not GA yet. -- `3.y`: Pulpcore 3.y version and its compatible plugins. Built whenever there is a z-release. - -[Browse available tags](https://hub.docker.com/r/pulp/pulp/tags) - -#### Discontinued tags - -- `https`: These were built nightly, with latest released version of each plugin. Nginx webserver ran with SSL/TLS. 
Now, use `stable` instead with `-e PULP_HTTPS=true`. -- `3.y-https`: Pulpcore 3.y version and its compatible plugins. These were built whenever there is a z-release. - Nginx webserver ran with SSL/TLS. Now, use `3.y` instead with `-e PULP_HTTPS=true`. - -### galaxy - -This image contains Ansible [Galaxy](https://github.com/ansible/galaxy_ng). - -This image can also function the same as the single-process image `galaxy-minimal`. -See the [Single-Process Images](single-process-images) page for usage. - -Note that this name `galaxy` used to be for single-process images. Version tags `4.6.3` and earlier -are single-process rather than multi-process. - -#### Tags - -- `stable`: Built nightly, with latest released version of each plugin. Also called `latest`. - -[Browse available tags](https://hub.docker.com/r/pulp/galaxy/tags) - -#### Discontinued tags - -- `https`: These were built nightly, with latest released version of each plugin. Nginx webserver ran with SSL/TLS. Now, use `stable` instead with `-e PULP_HTTPS=true`. - -## Quickstart - -### Galaxy Quickstart - -The galaxy base image includes a default settings.py and can be configured using environment variables. This image can be configured with the following two environment variables: - -- `GALAXY_HOSTNAME`: publicly accessible hostname that the API and content app will run on. -- `GALAXY_PORT`: public port that the API and content app will run on. - -The galaxy image can also be run just like any of the other multi process pulp images by mounting a custom settings.py file, however this setup provides an easy, out of the box configuration for running galaxy. 
- -#### Examples - -Run galaxy on localhost: - -``` -$ podman run -p 8080:80 ghcr.io/pulp/galaxy:latest -``` - -Run galaxy on localhost with https: - -``` -$ podman run -p 443:443 -e "PULP_HTTPS=true" -e "GALAXY_PORT=443" ghcr.io/pulp/galaxy:latest -``` - -Run galaxy from a server with https: - -``` -$ podman run -p 443:443 -e "PULP_HTTPS=true" -e "GALAXY_PORT=443" -e "GALAXY_HOSTNAME=192.168.0.100" ghcr.io/pulp/galaxy:latest -``` - -Modify the system settings to allow for uploads without approval: - -``` -$ podman run -p 8080:80 -e "PULP_GALAXY_REQUIRE_CONTENT_APPROVAL=false" ghcr.io/pulp/galaxy:latest -``` - -Mount the storage directories for persistent data and https: - -NOTE: don't mount volumes to `/etc/pulp/` as you would with the vanilla pulp images, as this will -override the default settings.py file. - -``` -$ podman run --detach \ - --publish 443:443 \ - --name pulp \ - -e "GALAXY_HOSTNAME=my.galaxy.host.example.com" \ - -e "PULP_HTTPS=true" \ - -e "GALAXY_PORT=443" \ - --volume "$(pwd)/settings/certs":/etc/pulp/certs:Z \ - --volume "$(pwd)/pulp_storage":/var/lib/pulp:Z \ - --volume "$(pwd)/pgsql":/var/lib/pgsql:Z \ - --volume "$(pwd)/containers":/var/lib/containers:Z \ - --device /dev/fuse \ - ghcr.io/pulp/galaxy:latest -``` - -Once your containers are running see "Reset the Admin Password" section to set up your admin user. - -### Create the Directories and Settings - -1st, create the directories for storage/configuration, and create the `settings.py` file: - -``` -$ mkdir -p settings/certs pulp_storage pgsql containers -$ echo "CONTENT_ORIGIN='http://$(hostname):8080' -ANSIBLE_API_HOSTNAME='http://$(hostname):8080' -ANSIBLE_CONTENT_HOSTNAME='http://$(hostname):8080/pulp/content' -CACHE_ENABLED=True" >> settings/settings.py -``` - -* For a complete list of available settings for `settings.py`, see [the Pulpcore Settings](https://docs.pulpproject.org/pulpcore/configuration/settings.html). 
- -* These 4 directories `settings pulp_storage pgsql containers` must be preserved. `settings` has - your settings, generated certificates, and generated database encrypted fields key. The - `pulp_storage pgsql containers` are the application data. - -### Starting the Container - -For systems with SELinux enabled, use the following command to start Pulp: - -``` -$ podman run --detach \ - --publish 8080:80 \ - --name pulp \ - --volume "$(pwd)/settings":/etc/pulp:Z \ - --volume "$(pwd)/pulp_storage":/var/lib/pulp:Z \ - --volume "$(pwd)/pgsql":/var/lib/pgsql:Z \ - --volume "$(pwd)/containers":/var/lib/containers:Z \ - --device /dev/fuse \ - pulp/pulp -``` - -For systems with SELinux disabled, use the following command to start Pulp: - -``` -$ podman run --detach \ - --publish 8080:80 \ - --name pulp \ - --volume "$(pwd)/settings":/etc/pulp \ - --volume "$(pwd)/pulp_storage":/var/lib/pulp \ - --volume "$(pwd)/pgsql":/var/lib/pgsql \ - --volume "$(pwd)/containers":/var/lib/containers \ - --device /dev/fuse \ - pulp/pulp -``` - -* For Docker systems, use the last 2 command, but substitute `docker` for `podman`. - -* These examples use the image `pulp` with the tag `stable` (AKA `latest`). To use an alternative image and tag like `pulp:3.21`, substitute `pulp/pulp` with `pulp/pulp:3.21`. - -* To use https instead of http, add `-e PULP_HTTPS=true` Also change `--publish 8080:80` to `--publish 8080:443` - -### Reset the Admin Password - -Now, reset the admin user’s password. - -``` -$ podman exec -it pulp bash -c 'pulpcore-manager reset-admin-password' -Please enter new password for user "admin": -Please enter new password for user "admin" again: -Successfully set password for "admin" user. -``` - -* For Docker systems, substitute `docker` for `podman`. - - -### Test Access - -At this point, both the REST API and the content app are available on your host’s port 8080. 
Try hitting the pulp status endpoint to confirm: - -``` -curl localhost:8080/pulp/api/v3/status/ -``` - -### What to do after the Quickstart - -To start working with Pulp, check out the [Workflows and Use Cases](https://docs.pulpproject.org/workflows/index.html). For individual plugin documentation, see [Pulp 3 Content Plugin Documentation](https://pulpproject.org/docs/#pulp-3-content-plugin-documentation). - -We recommend using [pulp-cli](https://github.com/pulp/pulp-cli) to interact with Pulp. If you have Python 3 installed on the host OS, you can run these commands to get started: - -``` -pip install pulp-cli[pygments] -pulp config create --username admin --base-url http://localhost:8080 --password -``` - -## Advanced Usage Instructions - -### Available Environment Variables - -The following environment variables configure the container's behavior. - -* `PULP_WORKERS` An integer that specifies the number of worker processes (which perform syncing, importing of content, and other asynchronous operations that require resource locking.) Defaults to 2. - -* `PULP_API_WORKERS` A positive integer that specifies the number of [gunicorn worker processes](https://docs.gunicorn.org/en/stable/settings.html#workers) for handling Pulp API requests. Default to 2. - -* `PULP_CONTENT_WORKERS` A positive integer that specifies the number of [gunicorn worker processes](https://docs.gunicorn.org/en/stable/settings.html#workers) for handling Pulp Content requests. Default to 2. - -* `PULP_GUNICORN_RELOAD` Set to "true" (all lowercase) for the pulpcore-api gunicorn process to be started with ["--reload"](https://docs.gunicorn.org/en/latest/settings.html?highlight=reload#reload). Intended for developers. - -* `PULP_GUNICORN_TIMEOUT` A positive integer that specifies the [timeout for gunicorn process](https://docs.gunicorn.org/en/stable/settings.html#timeout). Default to 90. - -* `PULP_OTEL_ENABLED` Set to "true" (all lowercase) if you wish to enable pulp telemetry. 
- -* `PULP_API_WORKERS_MAX_REQUESTS` The maximum number of requests a worker will process before restarting API workers. If this is set to zero (the default) then the automatic worker restarts are disabled. NOTE: Only supported for pulpcore >= 3.41.0 - -* `PULP_API_WORKERS_MAX_REQUESTS_JITTER` The maximum jitter to add to the max_requests setting for API workers. NOTE: Only supported for pulpcore >= 3.41.0 - -* `PULP_CONTENT_WORKERS_MAX_REQUESTS` The maximum number of requests a worker will process before restarting Content workers. If this is set to zero (the default) then the automatic worker restarts are disabled. NOTE: Only supported for pulpcore >= 3.41.0 - -* `PULP_CONTENT_WORKERS_MAX_REQUESTS_JITTER` The maximum jitter to add to the max_requests setting for Content workers. NOTE: Only supported for pulpcore >= 3.41.0 - -To add one of them, modify the command you use to start pulp to include syntax like the following at the beginning: Instead of `podman run`, specify `podman run -e PULP_WORKERS=4 -e PULP_GUNICORN_TIMEOUT=30 -e PULP_API_WORKERS_MAX_REQUESTS=1000 -e PULP_API_WORKERS_MAX_REQUESTS_JITTER=50 ...` - -### Adding Signing Services - -Administrators can add signing services to Pulp using the command line tools. Users may then associate the signing services with repositories that support content signing. -See [Signing Services](signing_script) documentation for more information. - -### Certificates and Keys - -Follow the instructions from [certificates](../certificates) documentation for more information about how to configure custom certificates. - -Check [database encryption](../database-encryption) documentation for more information about the key to encrypt sensitive fields in the database. - -### Command to specify - -To run all the services, you do not need to specify a container command ("CMD"). The default CMD is: - -- **/init** - The [s6 service manager](https://github.com/just-containers/s6-overlay) that runs all the services. 
- -## Upgrading - -To upgrade to a newer version of Pulp, such as the `latest` image which is published every night, start by running: - -``` -podman stop pulp -podman rm pulp -``` - -Then update the image in the local podman/docker cache: - -``` -podman pull pulp/pulp -``` - -Then repeat the original command in [Starting the Container](#starting-the-container) (with any customizations you added to it.) - - -## Known Issues - -### NFS or SSHFS - -When using rootless podman, you cannot create the directories (settings pulp_storage pgsql containers) on [NFS](https://github.com/containers/podman/blob/master/rootless.md#shortcomings-of-rootless-podman), SSHFS, or certain other non-standard filesystems. - -### Podman on CentOS 7 - -When using on CentOS 7, container-selinux has a -limitation. [1](https://github.com/containers/podman/issues/9513) -[2](https://github.com/containers/podman/issues/6414) -SELinux denials will prevent Pulp from running. To -overcome it, you must do one of the following: - -* Run the container with "--privileged" -* Run the container as root -* Disable SELinux - -Additionally, you will likely run into a limit on the number of open files (ulimit) in the -container. -One way to overcome this is to add `DefaultLimitNOFILE=65536` to `/etc/systemd/system.conf`. - -### Docker on CentOS 7 - -While using the version of Docker that is provided with CentOS 7, there are known issues that cause the following errors to occur: - -* When starting the container: - - `FATAL: could not create lock file "/var/run/postgresql/.s.PGSQL.5432.lock": No such file or directory` - -* (If the preceding error is worked around,) when executing `docker exec -it pulp bash -c 'pulpcore-manager reset-admin-password'`: - - ``` - psycopg2.OperationalError: could not connect to server: No such file or directory - Is the server running locally and accepting - connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"? 
- ``` - -* Pulp tasks are stuck in `waiting` status, and executing `docker exec -it pulp bash -c 'rq info'` returns `0 workers`: - - ``` - 1 queues, 2 jobs total - - 0 workers, 1 queues - ``` - -The version of Docker that is provided with CentOS 7 mounts `tmpfs` on `/run`. The Pulp Container recipe uses `/var/run`, which is a symlink to `/run`, and expects its contents to be available at container run time. You can work around this by specifying an additional `/run` volume, which suppresses this behavior of the Docker runtime. Docker will copy the image's contents to that volume and the container should start as expected. - -The `/run` volume will need to contain a `postgresql` directory (with permissions that the container's postgresql can write to) and a separate `pulpcore-*` directory for the rq manager and its workers to start: - -```console -$ mkdir -p settings pulp_storage pgsql containers run/postgresql run/pulpcore-{resource-manager,worker-{1,2}} -$ chmod a+w run/postgresql -``` - -### Upgrading from ``pulp/pulp-fedora31`` image - -The ``pulp/pulp-fedora31`` container vendored PostgreSQL 11. The ``pulp/pulp`` image vendors PostgreSQL 13, and only automatically upgrades from PostgreSQL 12. To upgrade the database from 11 to 12, refer to [PostgreSQL documentation](https://www.postgresql.org/docs/12/upgrading.html). - - -## Build instructions - -The Container file and all other assets used to build the container image are available on [GitHub](https://github.com/pulp/pulp-oci-images). - -```bash -$ --file images/Containerfile.core.base --tag pulp/base:latest . -$ --file images/pulp_ci_centos/Containerfile --tag pulp/pulp-ci-centos9:latest . -$ --file images/pulp/stable/Containerfile --tag pulp/pulp:latest . -$ --file images/galaxy/stable/Containerfile --tag pulp/galaxy:latest -``` - -### Specifying versions - -By default, containers get built using the latest version of each Pulp component. 
If you want to -specify a version of a particular component, you can do so with args: - -```bash -$ --build-arg PULPCORE_VERSION="==3.5.0" --file images/pulp/Containerfile -$ --build-arg PULP_FILE_VERSION=">=1.0.0" --file images/pulp/Containerfile -``` - -## Debugging instructions - -### Debugging the services - -To debug the services and actually see their output, after stating the container run: -```bash -docker logs -f pulp -``` -You will then see the output of the commands and echo statements from the service scripts on the -console. - -Afterwards, to see what services started successfully: -```bash -s6-rc -a list -``` -And what services failed to start: -```bash -s6-rc -da list -``` -To attempt to manually start a failed service: -```bash -s6-rc change servicename -``` diff --git a/docs/overrides/main.html b/docs/overrides/main.html deleted file mode 100644 index 5886f331..00000000 --- a/docs/overrides/main.html +++ /dev/null @@ -1,12 +0,0 @@ -{% extends "base.html" %} - -{% block announce %} -

- - {% include ".icons/octicons/alert-24.svg" %} - - This docs will be deactivated in July 2024. - Learn More - or go to the New Pulp Docs (beta). -

-{% endblock %} diff --git a/docs/quickstart.md b/docs/quickstart.md deleted file mode 100644 index 5ecbd94d..00000000 --- a/docs/quickstart.md +++ /dev/null 
@@ -1,172 +0,0 @@ -# Quickstart - -Here are some common deployment scenarios, each with a guide on how to get started further below. - -1. To deploy to [K8s](https://kubernetes.io/), - [EKS](https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html), or - [Openshift](https://www.redhat.com/en/technologies/cloud-computing/openshift) use the - [Pulp Operator](https://docs.pulpproject.org/pulp_operator/quickstart/) which was specially built - for this purpose. -2. Local [deployment via a single container](#single-container). This is for small deployments that - don't need to scale beyond the hardware available to a single container. -3. Local [deployment with multiple containers using podman or docker compose]( - #podman-or-docker-compose). - -In all cases, after deployment see[what to do after the quickstart]( -#what-to-do-after-the-quickstart) to start using your installation. - - -## Single Container - -This deployment is a 2-step process: -1. [Creating persistent directories and settings](#create-the-directories-and-settings). -2. [Starting the container](#starting-the-container) - - -### Create the Directories and Settings - -1st, create the directories for storage/configuration, and create the `settings.py` file: - -``` -$ mkdir -p settings/certs pulp_storage pgsql containers -$ echo "CONTENT_ORIGIN='http://$(hostname):8080'" >> settings/settings.py -``` - -* For a complete list of available settings for `settings.py`, see [the Pulpcore Settings](https://docs.pulpproject.org/pulpcore/configuration/settings.html). - -* These 4 directories `settings`, `pulp_storage`, `pgsql`, `containers` must be preserved. `settings` - has your settings, generated certificates, and generated database encrypted fields key. The - `pulp_storage pgsql containers` are the application data. 
- - -### Starting the Container - -For systems with SELinux enabled, use the following command to start Pulp: - -``` -$ podman run --detach \ - --publish 8080:80 \ - --name pulp \ - --volume "$(pwd)/settings":/etc/pulp:Z \ - --volume "$(pwd)/pulp_storage":/var/lib/pulp:Z \ - --volume "$(pwd)/pgsql":/var/lib/pgsql:Z \ - --volume "$(pwd)/containers":/var/lib/containers:Z \ - --device /dev/fuse \ - pulp/pulp -``` - -For systems with SELinux disabled, use the following command to start Pulp: - -``` -$ podman run --detach \ - --publish 8080:80 \ - --name pulp \ - --volume "$(pwd)/settings":/etc/pulp \ - --volume "$(pwd)/pulp_storage":/var/lib/pulp \ - --volume "$(pwd)/pgsql":/var/lib/pgsql \ - --volume "$(pwd)/containers":/var/lib/containers \ - --device /dev/fuse \ - pulp/pulp -``` - -* For Docker systems, use the last 2 command, but substitute `docker` for `podman`. - -* These examples use the image `pulp` with the tag `stable` (AKA `latest`). To use an alternative image and tag like `pulp:3.21`, substitute `pulp/pulp` with `pulp/pulp:3.21`. - -* To use https instead of http, add `-e PULP_HTTPS=true` Also change `--publish 8080:80` to `--publish 8080:443` - - -## Podman or Docker Compose - -Everything under the assets directory will be mounted into the container. -Please modify the files as needed. - -[podman-compose installation docs](https://github.com/containers/podman-compose#installation). 
- -### Running with podman - -```shell -pip install podman-compose -git clone git@github.com:pulp/pulp-oci-images.git -cd images/compose -podman-compose up -``` - -### Running with docker and scaling - -```shell -pip install docker-compose -git clone git@github.com:pulp/pulp-oci-images.git -cd images/compose -docker-compose up -docker-compose scale pulp_api=4 pulp_content=4 -``` - -### Running with podman and using existing directories for data -```shell -pip install podman-compose -git clone git@github.com:pulp/pulp-oci-images.git -cd images/compose -mkdir ../../pgsql ../../pulp_storage -podman unshare chown 700:700 ../../pulp_storage -podman-compose -f docker-compose.folders.yml up -``` - -### Running with docker and using existing directories for data -```shell -pip install podman-compose -git clone git@github.com:pulp/pulp-oci-images.git -cd images/compose -mkdir ../../pgsql ../../pulp_storage -sudo chown 700:700 ../../pulp_storage -podman-compose -f docker-compose.folders.yml up -``` - - - -## What to do after the Quickstart - -Typically after installation do these steps: - -1. [Reset the admin password](#reset-the-admin-password). -2. [Test access](#test-access). -3. [Install the pulp-cli](#install-the-pulp-cli). -4. [Try out a workflow](#try-out-a-workflow)! - - -### Reset the Admin Password - -Now, reset the admin user’s password. - -``` -$ podman exec -it pulp bash -c 'pulpcore-manager reset-admin-password' -Please enter new password for user "admin": -Please enter new password for user "admin" again: -Successfully set password for "admin" user. -``` - -> **Note**: For Docker systems, substitute `docker` for `podman`. - - -### Test Access - -At this point, both the REST API and the content app are available on your host’s port 8080. Try hitting the pulp status endpoint to confirm: - -``` -curl localhost:8080/pulp/api/v3/status/ -``` - - -### Install the pulp-cli - -We recommend using [pulp-cli](https://github.com/pulp/pulp-cli) to interact with Pulp. 
If you have Python 3 installed on the host OS, you can run these commands to get started: - -``` -pip install pulp-cli[pygments] -pulp config create --username admin --base-url http://localhost:8080 --password -``` - - -### Try out a workflow - -To start working with Pulp, check out the [Workflows and Use Cases](https://docs.pulpproject.org/workflows/index.html). For individual plugin documentation, see [Pulp 3 Content Plugin Documentation](https://pulpproject.org/docs/#pulp-3-content-plugin-documentation). diff --git a/docs/signing_script.md b/docs/signing_script.md deleted file mode 100644 index 38448735..00000000 --- a/docs/signing_script.md +++ /dev/null 
@@ -1,215 +0,0 @@ - -# Adding Signing Services - - -> :information_source: Content Signing is in tech-preview and may change in backwards incompatible ways in future releases. - -It is possible to sign Pulp's metadata so that users can verify the authenticity of an object. -This is done by enabling the *Signing Services* feature. The steps to enable it are: - -* [create a gpg key](#creating-a-gpg-key) -* [create the signing script](#creating-the-collection-signing-script) -* [create the signing services](#creating-the-signing-services) - - -See pulpcore documentation for details on ***Content Signing***: https://docs.pulpproject.org/pulpcore/workflows/signed-metadata.html#metadata-signing -See pulp_container documentation for details on ***Container Image Signing***: https://docs.pulpproject.org/pulp_container/workflows/sign-images.html - - -## Creating a gpg key - -* open a shell in `pulp` container -> :information_source: Make sure to run the `exec` with `-u pulp`. -```console -$ podman exec -u pulp -it pulp bash -``` - -* generate a gpg key for user `pulp@example.com` -```console -bash-4.4$ GPG_EMAIL=pulp@example.com -bash-4.4$ cat >/tmp/gpg.txt < -sub rsa2048 2022-12-14 [E] -``` - -The above uid will be used in [*create the signing services*](#creating-the-signing-services) step. -See the GnuPG official documentation for more information on how to generate a new keypair: https://www.gnupg.org/gph/en/manual/c14.html - -## Creating the collection signing script - -Administrators can add *Signing Services* to Pulp using the command line tools. Users may then associate the *Signing Services* with repositories that support content signing. -To do so, the first thing needed is to create a script that will be used by the *Signing Service*. 
- -* open a shell in `pulp` container -```console -$ podman exec -it -u pulp pulp bash -``` - -* example of a *collection signing script* -```console -bash-4.4$ SIGNING_SCRIPT_PATH=/var/lib/pulp/scripts -bash-4.4$ COLLECTION_SIGNING_SCRIPT=my_collection_signing_script.sh -bash-4.4$ cat< "$SIGNING_SCRIPT_PATH/$COLLECTION_SIGNING_SCRIPT" -#!/usr/bin/env bash -set -u -FILE_PATH=\$1 -SIGNATURE_PATH="\$1.asc" - -ADMIN_ID="\$PULP_SIGNING_KEY_FINGERPRINT" -PASSWORD="password" - -# Create a detached signature -gpg --quiet --batch --pinentry-mode loopback --yes --passphrase \ - \$PASSWORD --homedir ~/.gnupg/ --detach-sign --default-key \$ADMIN_ID \ - --armor --output \$SIGNATURE_PATH \$FILE_PATH - -# Check the exit status -STATUS=\$? -if [ \$STATUS -eq 0 ]; then - echo {\"file\": \"\$FILE_PATH\", \"signature\": \"\$SIGNATURE_PATH\"} -else - exit \$STATUS -fi -EOF - -bash-4.4$ chmod +x "$SIGNING_SCRIPT_PATH/$COLLECTION_SIGNING_SCRIPT" -``` - -The script should print out a JSON structure with the following format. All the file names are relative paths inside the current working directory: -```json -{"file": "filename", "signature": "filename.asc"} -``` - - -## Creating the container signing script - -Administrators can add a container manifest *Signing Services* to the Pulp Registry using the command line tools. Users may then associate the *Signing Services* with container repositories. -To do so, the first thing needed is to create a script that will be used by the *Signing Service*. 
- -* open a shell in `pulp` container -```console -$ podman exec -it -u pulp pulp bash -``` - -* example of a *container signing script* -```console -bash-4.4$ SIGNING_SCRIPT_PATH=/var/lib/pulp/scripts -bash-4.4$ CONTAINER_SIGNING_SCRIPT=my_container_signing_script.sh -bash-4.4$ cat< "$SIGNING_SCRIPT_PATH/$CONTAINER_SIGNING_SCRIPT" -#!/usr/bin/env bash -set -u - -MANIFEST_PATH=\$1 -IMAGE_REFERENCE="\$REFERENCE" -SIGNATURE_PATH="\$SIG_PATH" - -skopeo standalone-sign \ - \$MANIFEST_PATH \ - \$IMAGE_REFERENCE \ - \$PULP_SIGNING_KEY_FINGERPRINT \ - --output \$SIGNATURE_PATH - -# Check the exit status -STATUS=\$? -if [ \$STATUS -eq 0 ]; then - echo {\"signature_path\": \"\$SIGNATURE_PATH\"} -else - exit \$STATUS -fi -EOF - -bash-4.4$ chmod +x "$SIGNING_SCRIPT_PATH/$CONTAINER_SIGNING_SCRIPT" -``` - -The script should print out a JSON structure with the following format. The path of the created signature is a relative path inside the current working directory: -```json -{"signature_path": "signature"} -``` - -## Creating the signing services - - -* open a shell in `pulp` container -```console -$ podman exec -it -u pulp pulp bash -``` - -* get the subkey fingerprint from `pulp@example.com` (the same uid from [*creating a gpg key*](#creating-a-gpg-key)) -```console -bash-4.4$ KEY_UID=pulp@example.com -bash-4.4$ export PULP_SIGNING_KEY_FINGERPRINT=$(gpg --with-colons --list-keys ${KEY_UID}|awk -F: '/sub/{getline;print $10;exit}') -``` - -* create the collection signing service -```console -bash-4.4$ COLLECTION_SIGNING_SERVICE="ansible-default" -bash-4.4$ COLLECTION_SIGNING_SCRIPT=/var/lib/pulp/scripts/my_collection_signing_script.sh -bash-4.4$ /usr/local/bin/pulpcore-manager add-signing-service ${COLLECTION_SIGNING_SERVICE} ${COLLECTION_SIGNING_SCRIPT} ${PULP_SIGNING_KEY_FINGERPRINT} -``` - -* create the container signing service -```console -bash-4.4$ CONTAINER_SIGNING_SERVICE="container-default" -bash-4.4$ 
CONTAINER_SIGNING_SCRIPT=/var/lib/pulp/scripts/my_container_signing_script.sh -bash-4.4$ /usr/local/bin/pulpcore-manager add-signing-service ${CONTAINER_SIGNING_SERVICE} ${CONTAINER_SIGNING_SCRIPT} ${PULP_SIGNING_KEY_FINGERPRINT} --class container:ManifestSigningService -``` - - -## Verifying the signing services - -* To check the signing services, make a request to `/pulp/api/v3/signing-services/` endpoint. For example: -```console -$ podman exec pulp curl -Ls -u admin:password localhost:24817/pulp/api/v3/signing-services/ |jq -``` -```json -{ - "count": 2, - "next": null, - "previous": null, - "results": [ - { - "pulp_href": "/pulp/api/v3/signing-services/95f7fb89-d134-42e3-8fb1-3565dfbe2583/", - "pulp_created": "2022-12-12T16:01:34.912449Z", - "name": "ansible-default", - "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBGOTMxwBEADNF...MJfhcG0MpAsiQ\n=/r5T\n-----END PGP PUBLIC KEY BLOCK-----\n", - "pubkey_fingerprint": "0141A0760878E84C4854BEC43EBAAB0BBB58CFDB", - "script": "/var/lib/pulp/scripts/my_collection_signing_script.sh" - }, - { - "pulp_href": "/pulp/api/v3/signing-services/0b5bbb01-8768-4fa9-b4bc-441f24ced42a/", - "pulp_created": "2022-12-12T16:29:55.007360Z", - "name": "container-default", - "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBGOTMxwBEADNFkuhOVkQR...MJfhcG0MpAsiQ\n=/r5T\n-----END PGP PUBLIC KEY BLOCK-----\n", - "pubkey_fingerprint": "0141A0760878E84C4854BEC43EBAAB0BBB58CFDB", - "script": "/var/lib/pulp/scripts/my_container_signing_script.sh" - } - ] -} -``` \ No newline at end of file diff --git a/docs/single-process-images.md b/docs/single-process-images.md deleted file mode 100644 index 489f7c83..00000000 --- a/docs/single-process-images.md +++ /dev/null 
@@ -1,101 +0,0 @@ -# Single-Process Images - -These images are currently used on [pulp operator](https://docs.pulpproject.org/pulp_operator/), but they can be used in docker-compose or podman-compose. You can find a compose example [here](https://github.com/pulp/pulp-oci-images/tree/latest/images/compose). - -## pulp-minimal - -A single [Pulp](https://github.com/pulp/pulpcore) image that can be run as each of the following services, specified as the container command ("CMD"): - -- **pulp-api** - serves the Pulp(v3) API. The number of instances of this service should be scaled as demand requires. _Administrators and users of all of the APIs put demand on this service_. If pulp_python or pulp_container are in use, _Content consumers also put demand on this service_. - -- **pulp-content** - serves content to clients. pulpcore-api redirects clients to pulpcore-content to download content. When content is being mirrored from a remote source, this service can download that content and stream it to the client the first time the content is requested. The number of instances of this service should be scaled as demand requires. _Content consumers put demand on this service_. - -- **pulp-worker** - performs syncing, importing of content, and other asynchronous operations that require resource locking. The number of instances of this service should be scaled as demand requires. _Administrators and content importers put demand on this service_. - -For complete documentation on how to use this image, -see the compose example [here](https://github.com/pulp/pulp-oci-images/tree/latest/images/compose). -It is the reference on how this image can be used to create the 3 services/containers. 
- -pulp-minimal is currently built with the following plugins: - -- [pulp_ansible](https://docs.pulpproject.org/pulp_ansible/) -- [pulp-certguard](https://docs.pulpproject.org/pulp_certguard/) -- [pulp_container](https://docs.pulpproject.org/pulp_container/) -- [pulp_deb](https://docs.pulpproject.org/pulp_deb/) -- [pulp_file](https://docs.pulpproject.org/pulp_file/) -- [pulp_maven](https://docs.pulpproject.org/pulp_maven/) -- [pulp_python](https://docs.pulpproject.org/pulp_python/) -- [pulp_rpm](https://docs.pulpproject.org/pulp_rpm/) -- [pulp_ostree](https://docs.pulpproject.org/pulp_ostree/) - -### Tags - -- `stable`: Built nightly, with latest released version of each plugin. Also called `latest`. -- `nightly`: Built nightly, With master/main branches of each plugin. Also contains several - additional plugins that are not GA yet. -- `3.y.z`: Pulpcore 3.y.z version and its compatible plugins. - -[https://quay.io/repository/pulp/pulp-minimal?tab=tags](https://quay.io/repository/pulp/pulp-minimal?tab=tags) - -## pulp-web - -An Nginx image based on [centos/nginx-116-centos7](https://hub.docker.com/r/centos/nginx-116-centos7), -with configuration specific to the plugins found in [pulp-minimal](#pulp-minimal). - -No command ("CMD") needs to be specified, the images's built-in command is sufficient. - -For complete documentation on how to use this image, -see the compose example [here](https://github.com/pulp/pulp-oci-images/tree/latest/images/compose). -It is the reference on how this image can be used. - -### Tags - -- `stable`: Built nightly, with latest released version of each plugin. Also called `latest`. -- `nightly`: Built nightly, With master/main branches of each plugin. Also built with several - additional plugins that are not GA yet. -- `3.y.z`: Pulpcore 3.y.z version and its compatible plugins. 
- -[https://quay.io/repository/pulp/pulp-web?tab=tags](https://quay.io/repository/pulp/pulp-web?tab=tags) - -## galaxy-minimal - -An single [galaxy](https://github.com/ansible/galaxy_ng) image that can be run as each of the following services, specified as the container command ("CMD"): - -- **pulp-api** - serves the Galaxy (v3) API. The number of instances of this service should be scaled as demand requires. _Administrators and users of all of the APIs put demand on this service_. _Content consumers also put demand on this service_. - -- **pulp-content** - serves content to clients. pulpcore-api redirects clients to pulpcore-content to download content. When content is being mirrored from a remote source, this service can download that content and stream it to the client the first time the content is requested. The number of instances of this service should be scaled as demand requires. _Content consumers put demand on this service_. - -- **pulp-worker** - performs syncing, importing of content, and other asynchronous operations that require resource locking. The number of instances of this service should be scaled as demand requires. _Administrators and content importers put demand on this service_. - -For complete documentation on how to use this image, -see the compose example [here](https://github.com/pulp/pulp-oci-images/tree/latest/images/compose). -It is the reference on how this image can be used to create the 3 services/containers. -(You will have to replace references to "pulp-minimal" and "pulp-web" with "galaxy-minimal" -and "galaxy-web" respectively.) - -### Tags - -- `stable`: Built nightly, with latest released version of galaxy. -- `nightly`: Built nightly, With master/main branch galaxy. -- `4.y.z`: Galaxy 4.y.z version. 
- -[https://quay.io/repository/pulp/galaxy-minimal?tab=tags](https://quay.io/repository/pulp/galaxy-minimal?tab=tags) - -## galaxy-web - -An Nginx image based on [centos/nginx-116-centos7](https://hub.docker.com/r/centos/nginx-116-centos7), -with configuration specific to the plugins found in [galaxy-minimal](#galaxy-minimal). - -For complete documentation on how to use this image, -see the compose example [here](https://github.com/pulp/pulp-oci-images/tree/latest/images/compose). -It is the reference on how this image can be used. -(You will have to replace references to "pulp-minimal" and "pulp-web" with "galaxy-minimal" -and "galaxy-web" respectively.) - -### Tags - -- `stable`: Built nightly, with latest released version of galaxy. -- `nightly`: Built nightly, With master/main branch galaxy. -- `4.y.z`: Galaxy 4.y.z version. - -[https://quay.io/repository/pulp/galaxy-web?tab=tags](https://quay.io/repository/pulp/galaxy-web?tab=tags) diff --git a/staging_docs/index.md b/staging_docs/index.md deleted file mode 100644 index 31ad693b..00000000 --- a/staging_docs/index.md +++ /dev/null @@ -1,12 +0,0 @@ -# Welcome to Pulp OCI-images - -The [pulp-oci-images](https://github.com/pulp/pulp-oci-images) repository is used to provide container images for running Pulp. -These images represent the preferred methods for installing Pulp. -They are also used by [Pulp Operator](site:pulp-operator). - -You may want to check: - -- [Quickstart Tutorial](site:pulp-oci-images/docs/admin/tutorials/quickstart/): get up and running real quick. -- [Available Images](site:pulp-oci-images/docs/admin/reference/available-images/), choose what best fits your needs. -- The *How-to Guides*: learn how to achieve some specific tasks. -- [OCI Website](https://opencontainers.org/): learn more about the Open Container Initiative.
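Review bot: In the deleted "Verifying the signing services" section at the end of docs/signing_script.md, the sample request passes `-u admin:password` to curl, and the sample response shows `ansible-default` and `container-default` registered with the same `pubkey_fingerprint`. Before this text goes away, confirm that the guide replacing it still has a verification step against `/pulp/api/v3/signing-services/`, that it marks those credentials as sample values, and that it says whether sharing one key across both services is intended or just a shortcut in the example.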
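Review bot: Deleting docs/single-process-images.md drops the `#pulp-minimal` and `#galaxy-minimal` anchors that its own pulp-web and galaxy-web sections link to, and it drops the page path as well, so inbound links to the old page will break unless a redirect is added or the replacement reference page keeps the same headings. Please also check that the per-image tag descriptions (`stable`, `nightly`, `3.y.z`, `4.y.z`) survive in the replacement, since they are what an operator reads to choose between a floating tag and a pinned one.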
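Review bot: staging_docs/index.md is deleted in the last hunk rather than renamed, so its text survives only if docs/index.md was edited to match it. Check that the `site:pulp-oci-images/docs/admin/tutorials/quickstart/` and `site:pulp-oci-images/docs/admin/reference/available-images/` links resolve after the move, and give the "How-to Guides" bullet a target, since it is the only entry in that list without a link.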