Loading docker-compose-dev.yml +2 −3 Original line number Diff line number Diff line Loading @@ -38,8 +38,6 @@ services: image: "rosetta/dregistry" volumes: - ./data/dregistry:/var/lib/registry ports: - "5000:5000" postgres: image: "rosetta/postgres" Loading Loading @@ -70,6 +68,7 @@ services: - TASK_PROXY_HOST=localhost - TASK_TUNNEL_HOST=localhost - ROSETTA_HOST=localhost - REGISTRY_HOST=proxy # Use same value as ROSETTA_HOST for production or to use "real" computing resurces ports: - "8080:8080" - "7000-7020:7000-7020" Loading @@ -80,7 +79,6 @@ services: - /var/run/docker.sock:/var/run/docker.sock #- ./services/webapp/code:/opt/code proxy: image: "rosetta/proxy" container_name: proxy Loading @@ -92,6 +90,7 @@ services: - "80:80" - "443:443" - "9000-9020:9000-9020" - "5000:5000" volumes: - ./data/shared:/shared Loading services/proxy/proxy-global.conf +22 −0 Original line number Diff line number Diff line Loading @@ -50,4 +50,26 @@ </VirtualHost> Listen 5000 <VirtualHost *:5000> ServerAdmin admin@rosetta.platform #ServerName ${ROSETTA_HOST} ProxyPass / http://dregistry:5000/ ProxyPassReverse / http://dregistry:5000/ SSLEngine on SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle # Browser-specific fixes BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown # Required for the Open ID connect redirects to work properly RequestHeader set X-Forwarded-Proto 'https' env=HTTPS </VirtualHost> services/standaloneworker/Dockerfile +5 −0 Original line number Diff line number Diff line Loading 
@@ -21,6 +21,11 @@ RUN mkdir /home/testuser/.ssh COPY keys/id_rsa.pub /home/testuser/.ssh/authorized_keys RUN dnf install -y python wget # Install iputils (ping) RUN dnf install -y iputils # Copy registries.conf to allow insecure access to dregistry COPY registries.conf /etc/containers/registries.conf #---------------------- # Entrypoint Loading services/standaloneworker/entrypoint.sh +4 −0 Original line number Diff line number Diff line Loading 
@@ -8,6 +8,10 @@ set -e chmod 777 /dev/fuse chmod 777 /dev/net/tun # Add rosetta.platform entry to /etc/hosts #PROXY_IP=$(ping proxy -c1 | head -n1 | cut -d '(' -f2 | cut -d')' -f1) #echo "$PROXY_IP rosetta.platform" >> /etc/hosts #--------------------- # Entrypoint command #--------------------- Loading services/standaloneworker/registries.conf 0 → 100644 +91 −0 Original line number Diff line number Diff line # For more information on this configuration file, see containers-registries.conf(5). # # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES # We recommend always using fully qualified image names including the registry # server (full dns name), namespace, image name, and tag # (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., # quay.io/repository/name@digest) further eliminates the ambiguity of tags. # When using short names, there is always an inherent risk that the image being # pulled could be spoofed. For example, a user wants to pull an image named # `foobar` from a registry and expects it to come from myregistry.com. If # myregistry.com is not first in the search list, an attacker could place a # different `foobar` image at a registry earlier in the search list. The user # would accidentally pull and run the attacker's image and code rather than the # intended content. We recommend only adding registries which are completely # trusted (i.e., registries which don't allow unknown or anonymous users to # create accounts with arbitrary names). This will prevent an image from being # spoofed, squatted or otherwise made insecure. If it is necessary to use one # of these registries, it should be added at the end of the list. # # # An array of host[:port] registries to try when pulling an unqualified image, in order. 
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"] # # [[registry]] # # The "prefix" field is used to choose the relevant [[registry]] TOML table; # # (only) the TOML table with the longest match for the input image name # # (taking into account namespace/repo/tag/digest separators) is used. # # # # The prefix can also be of the form: *.example.com for wildcard subdomain # # matching. # # # # If the prefix field is missing, it defaults to be the same as the "location" field. # prefix = "example.com/foo" # # # If true, unencrypted HTTP as well as TLS connections with untrusted # # certificates are allowed. # insecure = false # # # If true, pulling images with matching names is forbidden. # blocked = false # # # The physical location of the "prefix"-rooted namespace. # # # # By default, this is equal to "prefix" (in which case "prefix" can be omitted # # and the [[registry]] TOML table can only specify "location"). # # # # Example: Given # # prefix = "example.com/foo" # # location = "internal-registry-for-example.net/bar" # # requests for the image example.com/foo/myimage:latest will actually work with the # # internal-registry-for-example.net/bar/myimage:latest image. # # # The location can be empty iff prefix is in a # # wildcarded format: "*.example.com". In this case, the input reference will # # be used as-is without any rewrite. # location = internal-registry-for-example.com/bar" # # # (Possibly-partial) mirrors for the "prefix"-rooted namespace. # # # # The mirrors are attempted in the specified order; the first one that can be # # contacted and contains the image will be used (and if none of the mirrors contains the image, # # the primary location specified by the "registry.location" field, or using the unmodified # # user-specified reference, is tried last). 
# # # # Each TOML table in the "mirror" array can contain the following fields, with the same semantics # # as if specified in the [[registry]] TOML table directly: # # - location # # - insecure # [[registry.mirror]] # location = "example-mirror-0.local/mirror-for-foo" # [[registry.mirror]] # location = "example-mirror-1.local/mirrors/foo" # insecure = true # # Given the above, a pull of example.com/foo/image:latest will try: # # 1. example-mirror-0.local/mirror-for-foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest # # 3. internal-registry-for-example.net/bar/image:latest # # in order, and use the first one that exists. # Enforcing mode for short names is default for Fedora 34 and newer short-name-mode="enforcing" # If you need to access insecure registries, add the registry's fully-qualified name. # An insecure registry is one that does not have a valid SSL certificate or only does HTTP. [[registry]] location = "dregistry:5000" insecure = true [[registry]] location = "rosetta.platform:5000" insecure = true Loading
docker-compose-dev.yml +2 −3 Original line number Diff line number Diff line Loading @@ -38,8 +38,6 @@ services: image: "rosetta/dregistry" volumes: - ./data/dregistry:/var/lib/registry ports: - "5000:5000" postgres: image: "rosetta/postgres" Loading Loading @@ -70,6 +68,7 @@ services: - TASK_PROXY_HOST=localhost - TASK_TUNNEL_HOST=localhost - ROSETTA_HOST=localhost - REGISTRY_HOST=proxy # Use same value as ROSETTA_HOST for production or to use "real" computing resurces ports: - "8080:8080" - "7000-7020:7000-7020" Loading @@ -80,7 +79,6 @@ services: - /var/run/docker.sock:/var/run/docker.sock #- ./services/webapp/code:/opt/code proxy: image: "rosetta/proxy" container_name: proxy Loading @@ -92,6 +90,7 @@ services: - "80:80" - "443:443" - "9000-9020:9000-9020" - "5000:5000" volumes: - ./data/shared:/shared Loading
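Review bot: The inline comment on the new `REGISTRY_HOST=proxy` line has a typo ("resurces") and does not say why the dev value differs from production, which matters because the worker's registries.conf now lists both `dregistry:5000` and `rosetta.platform:5000`. Suggested: `- REGISTRY_HOST=proxy  # Dev only: the registry is reached through the TLS proxy on :5000. In production, or when using "real" computing resources, set this to the same value as ROSETTA_HOST.` Moving the host-side `"5000:5000"` publication from dregistry to proxy is consistent with the new VirtualHost, but compose publishes it on all interfaces; for a dev file `"127.0.0.1:5000:5000"` may be the safer default, presuming nothing off-host needs the registry. The services block continues outside the hunks.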
services/proxy/proxy-global.conf +22 −0 Original line number Diff line number Diff line Loading @@ -50,4 +50,26 @@ </VirtualHost> Listen 5000 <VirtualHost *:5000> ServerAdmin admin@rosetta.platform #ServerName ${ROSETTA_HOST} ProxyPass / http://dregistry:5000/ ProxyPassReverse / http://dregistry:5000/ SSLEngine on SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle # Browser-specific fixes BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown # Required for the Open ID connect redirects to work properly RequestHeader set X-Forwarded-Proto 'https' env=HTTPS </VirtualHost>
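Review bot: The new `<VirtualHost *:5000>` forwards to the registry without `ProxyPreserveHost On`, so the backend sees `Host: dregistry:5000` and any Location URLs it derives from the request host may point at a name external clients cannot resolve; add `ProxyPreserveHost On` next to the `ProxyPass` lines (confirm against the dregistry image's own host settings). Nothing in the hunk applies authentication to this vhost, so push and pull are as open as the proxy is reachable; if dregistry carries no auth of its own, a `<Location />` block with `AuthType` or a client-certificate requirement belongs here. The two `BrowserMatch` lines are the legacy Apache SSL sample copied verbatim (`"MSIE [17-9]"` is a character class matching 1 and 7-9), and can be dropped. `#ServerName ${ROSETTA_HOST}` being commented out also means this vhost matches any name on 5000; enable it or state in a comment why name-based selection is not wanted.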
services/standaloneworker/Dockerfile +5 −0 Original line number Diff line number Diff line Loading @@ -21,6 +21,11 @@ RUN mkdir /home/testuser/.ssh COPY keys/id_rsa.pub /home/testuser/.ssh/authorized_keys RUN dnf install -y python wget # Install iputils (ping) RUN dnf install -y iputils # Copy registries.conf to allow insecure access to dregistry COPY registries.conf /etc/containers/registries.conf #---------------------- # Entrypoint Loading
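Review bot: The new `RUN dnf install -y iputils` adds a second package layer directly after `RUN dnf install -y python wget`; fold it into that line and clear the cache so the image stays small: `RUN dnf install -y python wget iputils && dnf clean all`. The `COPY registries.conf` replaces the distro file wholesale and relaxes TLS checking for two registries, which the comment understates; suggest `# Replace the distro registries.conf: marks dregistry:5000 and rosetta.platform:5000 as insecure (dev only, skips TLS verification)`. The Dockerfile continues outside the hunk.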
services/standaloneworker/entrypoint.sh +4 −0 Original line number Diff line number Diff line Loading @@ -8,6 +8,10 @@ set -e chmod 777 /dev/fuse chmod 777 /dev/net/tun # Add rosetta.platform entry to /etc/hosts #PROXY_IP=$(ping proxy -c1 | head -n1 | cut -d '(' -f2 | cut -d')' -f1) #echo "$PROXY_IP rosetta.platform" >> /etc/hosts #--------------------- # Entrypoint command #--------------------- Loading
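Review bot: The added `/etc/hosts` block is committed as commented-out code (`#PROXY_IP=...`, `#echo ...`); either remove it or implement it, since dead code next to the entrypoint command invites someone to uncomment it unchanged. If it is implemented, parsing `ping` output is brittle and under `set -e` a failed ping aborts the whole entrypoint; `PROXY_IP=$(getent hosts proxy | awk '{print $1}')` resolves the name without a network round-trip, and the append should be guarded by a `grep -q rosetta.platform /etc/hosts` check so repeated starts do not duplicate the entry. The script continues outside the hunk.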
services/standaloneworker/registries.conf 0 → 100644 +91 −0 Original line number Diff line number Diff line # For more information on this configuration file, see containers-registries.conf(5). # # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES # We recommend always using fully qualified image names including the registry # server (full dns name), namespace, image name, and tag # (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., # quay.io/repository/name@digest) further eliminates the ambiguity of tags. # When using short names, there is always an inherent risk that the image being # pulled could be spoofed. For example, a user wants to pull an image named # `foobar` from a registry and expects it to come from myregistry.com. If # myregistry.com is not first in the search list, an attacker could place a # different `foobar` image at a registry earlier in the search list. The user # would accidentally pull and run the attacker's image and code rather than the # intended content. We recommend only adding registries which are completely # trusted (i.e., registries which don't allow unknown or anonymous users to # create accounts with arbitrary names). This will prevent an image from being # spoofed, squatted or otherwise made insecure. If it is necessary to use one # of these registries, it should be added at the end of the list. # # # An array of host[:port] registries to try when pulling an unqualified image, in order. unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"] # # [[registry]] # # The "prefix" field is used to choose the relevant [[registry]] TOML table; # # (only) the TOML table with the longest match for the input image name # # (taking into account namespace/repo/tag/digest separators) is used. # # # # The prefix can also be of the form: *.example.com for wildcard subdomain # # matching. 
# # # # If the prefix field is missing, it defaults to be the same as the "location" field. # prefix = "example.com/foo" # # # If true, unencrypted HTTP as well as TLS connections with untrusted # # certificates are allowed. # insecure = false # # # If true, pulling images with matching names is forbidden. # blocked = false # # # The physical location of the "prefix"-rooted namespace. # # # # By default, this is equal to "prefix" (in which case "prefix" can be omitted # # and the [[registry]] TOML table can only specify "location"). # # # # Example: Given # # prefix = "example.com/foo" # # location = "internal-registry-for-example.net/bar" # # requests for the image example.com/foo/myimage:latest will actually work with the # # internal-registry-for-example.net/bar/myimage:latest image. # # # The location can be empty iff prefix is in a # # wildcarded format: "*.example.com". In this case, the input reference will # # be used as-is without any rewrite. # location = internal-registry-for-example.com/bar" # # # (Possibly-partial) mirrors for the "prefix"-rooted namespace. # # # # The mirrors are attempted in the specified order; the first one that can be # # contacted and contains the image will be used (and if none of the mirrors contains the image, # # the primary location specified by the "registry.location" field, or using the unmodified # # user-specified reference, is tried last). # # # # Each TOML table in the "mirror" array can contain the following fields, with the same semantics # # as if specified in the [[registry]] TOML table directly: # # - location # # - insecure # [[registry.mirror]] # location = "example-mirror-0.local/mirror-for-foo" # [[registry.mirror]] # location = "example-mirror-1.local/mirrors/foo" # insecure = true # # Given the above, a pull of example.com/foo/image:latest will try: # # 1. example-mirror-0.local/mirror-for-foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest # # 3. 
internal-registry-for-example.net/bar/image:latest # # in order, and use the first one that exists. # Enforcing mode for short names is default for Fedora 34 and newer short-name-mode="enforcing" # If you need to access insecure registries, add the registry's fully-qualified name. # An insecure registry is one that does not have a valid SSL certificate or only does HTTP. [[registry]] location = "dregistry:5000" insecure = true [[registry]] location = "rosetta.platform:5000" insecure = true
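Review bot: `insecure = true` on the `rosetta.platform:5000` entry (last lines of the file) disables certificate verification and allows plaintext fallback, which cancels the TLS termination this same commit adds on the proxy's port 5000; a worker pulling through that name would accept any certificate presented to it. Keep `insecure = true` only for the compose-internal `dregistry:5000` entry, and for `rosetta.platform:5000` drop it and trust the issuing CA by installing it as `/etc/containers/certs.d/rosetta.platform:5000/ca.crt` (see containers-certs.d(5)). The trailing comment should say that, e.g. `# dregistry:5000 is only reachable on the compose network, so plain HTTP is tolerated; rosetta.platform:5000 is TLS via the proxy and must verify its certificate`. The remainder is the stock Fedora template with `short-name-mode="enforcing"`, which is the right default to keep.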