This example demonstrates deploying COmanage Registry using a container that implements the SAML Shibboleth Service Provider (SP) for authentication and PostgreSQL as the database. The example uses a container to deploy PostgreSQL, but that is not a requirement.
The instructions use Docker Compose and assume a Linux environment. We recommend not using Docker Desktop and instead using Docker Engine and the Docker CLI with the Compose plugin installed (Docker's "Scenario two" installation).
This example puts secrets (database passwords, the email account password, the security salt and seed) directly into the compose file. We strongly recommend that you investigate the container orchestration systems and approaches available for managing sensitive information.
Create a directory to store database state:
```sh
mkdir -p var/lib/postgresql/data
```
Create a directory to hold a database initialization script:
```sh
mkdir docker-entrypoint-initdb.d
```
Create the database initialization script file init-user-db.sh in the directory you just created with the following contents:
```bash
#!/bin/bash
set -e

psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
CREATE USER ${COMANAGE_REGISTRY_DATABASE_USER} PASSWORD '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD}';
CREATE DATABASE ${COMANAGE_REGISTRY_DATABASE};
GRANT ALL PRIVILEGES ON DATABASE ${COMANAGE_REGISTRY_DATABASE} TO ${COMANAGE_REGISTRY_DATABASE_USER};
EOSQL
```
Create a directory to hold an X.509 certificate and private key for HTTPS. This approach uses the slashRoot mechanism; an alternative is to bind mount or COPY the files into the container/image and use the HTTPS_CERT_FILE and HTTPS_PRIVKEY_FILE environment variables:
```sh
mkdir -p opt/registry/slashRoot/etc/apache2
cp fullchain.pem opt/registry/slashRoot/etc/apache2/cert.pem
cp privkey.pem opt/registry/slashRoot/etc/apache2/privkey.pem
sudo chown 33 opt/registry/slashRoot/etc/apache2/*.pem
sudo chmod 0600 opt/registry/slashRoot/etc/apache2/privkey.pem
```
Create a directory to hold Shibboleth SP configuration files. This approach uses the slashRoot mechanism; an alternative is to bind mount or COPY the files into the container/image and/or use environment variables to specify Shibboleth SP configuration details:
```sh
mkdir -p opt/registry/slashRoot/etc/shibboleth
cp shibboleth2.xml opt/registry/slashRoot/etc/shibboleth/shibboleth2.xml
cp attribute-map.xml opt/registry/slashRoot/etc/shibboleth/attribute-map.xml
cp sp-encrypt-cert.pem opt/registry/slashRoot/etc/shibboleth/sp-encrypt-cert.pem
cp sp-encrypt-key.pem opt/registry/slashRoot/etc/shibboleth/sp-encrypt-key.pem
cp sp-signing-cert.pem opt/registry/slashRoot/etc/shibboleth/sp-signing-cert.pem
cp sp-signing-key.pem opt/registry/slashRoot/etc/shibboleth/sp-signing-key.pem
sudo chown 999 opt/registry/slashRoot/etc/shibboleth/*.pem
sudo chmod 0600 opt/registry/slashRoot/etc/shibboleth/*-key.pem
```
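Because the containers read the HTTPS and SAML key material from the slashRoot tree, a mistake in the copy, chown or chmod steps above (a missing file, a key still owned by your login user, or a private key left group- or world-readable) only shows up after the containers start. The following pre-flight check is an added example and is not part of the COmanage Registry project or its documentation. It assumes GNU coreutils `stat -c` (Linux), the uids 33 (Apache) and 999 (shibd) used in the chown commands above, and the function names check_file and check_slashroot are our own:

```sh
#!/bin/sh
# Pre-flight check for the slashRoot tree used in this example.
# Added example, not project code. Assumes GNU stat (Linux) and the
# container uids from the chown commands above: 33 for Apache, 999 for shibd.

# check_file PATH EXPECTED_UID MAX_MODE
# Succeeds only if PATH is a regular file owned by EXPECTED_UID whose
# permission bits are a subset of MAX_MODE (octal, e.g. 600 or 644).
# Prints one line describing the result.
check_file() {
  path=$1; want_uid=$2; max_mode=$3
  if [ ! -f "$path" ]; then
    echo "MISSING  $path"; return 1
  fi
  uid=$(stat -c '%u' "$path")
  mode=$(stat -c '%a' "$path")
  if [ "$uid" != "$want_uid" ]; then
    echo "OWNER    $path uid=$uid expected=$want_uid"; return 1
  fi
  # Any bit set in the actual mode that is not allowed by max_mode means the
  # file is more permissive than intended (0-prefix makes sh parse as octal).
  extra=$(( 0$mode & ~0$max_mode ))
  if [ "$extra" -ne 0 ]; then
    echo "MODE     $path mode=$mode allowed<=$max_mode"; return 1
  fi
  echo "OK       $path"
  return 0
}

# check_slashroot ROOT [APACHE_UID] [SHIBD_UID]
# Checks every .pem file the example places under ROOT, reports all problems
# rather than stopping at the first, and returns non-zero if any were found.
check_slashroot() {
  root=$1; apache_uid=${2:-33}; shibd_uid=${3:-999}
  failures=0
  check_file "$root/etc/apache2/cert.pem"               "$apache_uid" 644 || failures=$((failures + 1))
  check_file "$root/etc/apache2/privkey.pem"            "$apache_uid" 600 || failures=$((failures + 1))
  check_file "$root/etc/shibboleth/sp-encrypt-cert.pem" "$shibd_uid"  644 || failures=$((failures + 1))
  check_file "$root/etc/shibboleth/sp-encrypt-key.pem"  "$shibd_uid"  600 || failures=$((failures + 1))
  check_file "$root/etc/shibboleth/sp-signing-cert.pem" "$shibd_uid"  644 || failures=$((failures + 1))
  check_file "$root/etc/shibboleth/sp-signing-key.pem"  "$shibd_uid"  600 || failures=$((failures + 1))
  echo "$failures problem(s) found"
  [ "$failures" -eq 0 ]
}

# Usage: sh check-slashroot.sh opt/registry/slashRoot [APACHE_UID] [SHIBD_UID]
# Runs only when a root directory is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
  check_slashroot "$@"
fi
```

Run it from the same directory as docker-compose.yml before `docker compose up`; a non-zero exit means at least one file the containers expect is missing, wrongly owned, or readable by users other than its owner. The xml files are not checked because the example only sets ownership and mode on the .pem files.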
Create the Compose YAML file docker-compose.yml with the following contents. Note that the value for COMANAGE_REGISTRY_ADMIN_USERNAME should be the value that your Shibboleth SP configuration writes into the Apache HTTP Server REMOTE_USER CGI environment variable:
```yaml
services:
  comanage-registry-database:
    image: postgres:14
    volumes:
      - ${PWD}/var/lib/postgresql/data:/var/lib/postgresql/data
      - ${PWD}/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
    environment:
      - POSTGRES_PASSWORD=aHTVzRj7y4fLrXyYIG97
      - COMANAGE_REGISTRY_DATABASE=registry
      - COMANAGE_REGISTRY_DATABASE_USER=registry_user
      - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=GoHElRGInSwx1mQJlPdw
  comanage-registry:
    image: comanageproject/comanage-registry:4.1.2-shibboleth-sp-supervisor-1
    volumes:
      - ${PWD}/opt/registry/slashRoot:/opt/registry/slashRoot
    environment:
      - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Scott
      - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Koranda
      - COMANAGE_REGISTRY_ADMIN_USERNAME=scott.koranda@cilogon.org
      - COMANAGE_REGISTRY_DATASOURCE=Database/Postgres
      - COMANAGE_REGISTRY_DATABASE=registry
      - COMANAGE_REGISTRY_DATABASE_HOST=comanage-registry-database
      - COMANAGE_REGISTRY_DATABASE_USER=registry_user
      - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=GoHElRGInSwx1mQJlPdw
      - COMANAGE_REGISTRY_EMAIL_FROM_EMAIL=registry@example.com
      - COMANAGE_REGISTRY_EMAIL_FROM_NAME=Registry
      - COMANAGE_REGISTRY_EMAIL_TRANSPORT=Smtp
      - COMANAGE_REGISTRY_EMAIL_HOST=tls://smtp.gmail.com
      - COMANAGE_REGISTRY_EMAIL_PORT=465
      - COMANAGE_REGISTRY_EMAIL_ACCOUNT=registry@example.com
      - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD=Pr3gP6PvaTlxusMMhHEp
      - COMANAGE_REGISTRY_SECURITY_SALT=HH5WyMJIZ81uwHkPWpalUHSt9sAMIKHILDmNX8pI
      - COMANAGE_REGISTRY_SECURITY_SEED=076674830359094113871495332036
      - COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=registry.example.com
    ports:
      - "80:80"
      - "443:443"
```
Start the containers:
```sh
docker compose up -d
```
- Wait for the images to be pulled and the containers to start.
- Browse to the value you used for COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN.
To stop the containers:
```sh
docker compose down
```