From a34d248b9cb95a0fa7957c4707824f5b3f25fb22 Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Mon, 8 Jul 2024 15:40:04 +0000
Subject: [PATCH 01/12] add docker login to cloud-init for codimd
---
.../cloud_init/cloud-init-codimd.mustache.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml b/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
index dd6e84c768..c0c5898c08 100644
--- a/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
+++ b/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
@@ -204,6 +204,7 @@ runcmd:
 - sleep 1m
 - systemctl status docker
 - docker --version
+ - docker login -u {{shm.docker.account}} -p {{shm.docker.password}}
 - docker compose --version
 # Set up the codimddaemon user
From 19f35a29ce76ceafd54e470b945355ffc9220cee Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Mon, 8 Jul 2024 15:40:38 +0000
Subject: [PATCH 02/12] parse docker info from shm config
---
deployment/common/Configuration.psm1 | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/deployment/common/Configuration.psm1 b/deployment/common/Configuration.psm1
index 3cbc37c16d..0d79f7d49c 100644
--- a/deployment/common/Configuration.psm1
+++ b/deployment/common/Configuration.psm1
@@ -83,7 +83,9 @@ function Get-ShmConfig {
 vmImagesRgPrefix = $shmConfigBase.vmImages.rgPrefix ? $shmConfigBase.vmImages.rgPrefix : "RG_VMIMAGES"
 storageTypeDefault = "Standard_GRS"
 diskTypeDefault = "Standard_LRS"
-}
+ dockerAccount = $shmConfigBase.docker.account ? $shmConfigBase.docker.account : "NA"
+ dockerPassword = $shmConfigBase.docker.password ? $shmConfigBase.docker.password : "NA"
+ }
 # For normal usage this does not need to be user-configurable.
 # However, if you are migrating an existing SHM you will need to ensure that the address spaces of the SHMs do not overlap
 $shmIpPrefix = $shmConfigBase.overrides.ipPrefix ? $shmConfigBase.overrides.ipPrefix : "10.0.0"
From 259dea8e3ac7664d2bd4ca875313e450415bdb89 Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:01:20 +0000
Subject: [PATCH 03/12] Write docker password to file on vm
---
.../cloud_init/cloud-init-codimd.mustache.yaml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml b/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
index c0c5898c08..2a1a591c58 100644
--- a/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
+++ b/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
@@ -89,6 +89,10 @@ write_files:
 content: |
 {{set_dns.mustache.sh}}
+ - path: "/opt/configuration/docker_pat.txt"
+ permissions: "0400"
+ content: {{shm.dockerPassword}}
+
 # Set locale and timezone
 locale: en_GB.UTF-8
 timezone: {{sre.time.timezone.linux}}
@@ -204,7 +208,6 @@ runcmd:
 - sleep 1m
 - systemctl status docker
 - docker --version
- - docker login -u {{shm.docker.account}} -p {{shm.docker.password}}
 - docker compose --version
 # Set up the codimddaemon user
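Review bot: The `"NA"` fallbacks for `dockerAccount` and `dockerPassword` turn an absent `docker` block into a login attempt with fake credentials instead of a configuration error. Patches 03 and 09 of this series chain `docker login ... && docker compose ... up -d`, so an SHM config without Docker credentials fails at the login and never starts the service, with nothing pointing back at the config. Either validate here and fail fast, or fall back to an empty string and have the templates skip the login when it is empty. The value is also read straight from the checked-in environment config (patch 12 adds it to `environment_configs/shm_blue_core_config.json`); if `Get-ShmConfig` already resolves other secrets from Key Vault, the PAT should follow that route rather than live in the repo.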
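Review bot: `content: {{shm.dockerPassword}}` is rendered into a plain YAML scalar, so a value containing `: ` or ` #`, or starting with an indicator such as `*`, `&`, `[` or `{`, is mis-parsed and can break the whole cloud-init document; the same form appears in the write_files hunks of patches 09 and 10. Docker PATs are alphanumeric, but the docs added in patch 11 still accept an account password here, so quote the scalar (`content: "{{shm.dockerPassword}}"`) or use a block scalar (`content: |` with the placeholder on the next indented line) as this file's other entries do. If the renderer applies Mustache's default HTML escaping to `{{ }}`, characters such as `&` would also reach the file as entities; that applies equally to `{{perInstance.nexusAdminPassword}}` in patch 09, so confirm which behaviour the project's template expansion has. Note also that the token is written with `permissions: "0400"` but owned by root until the later `chown`, and that the rendered user-data itself carries the secret, as the existing Nexus admin password entry already does.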
@@ -217,7 +220,8 @@ runcmd:
 # Deploy CodiMD using Docker
 - echo ">=== Deploying CodiMD with Docker... ===<"
- - su codimddaemon -c "docker compose -f /opt/codimd/docker-compose.yml up -d"
+ - su codimddaemon -c "cat /opt/configuration/docker_pat.txt | docker login --username '{{shm.dockerAccount}}' --password-stdin && `
+ docker compose -f /opt/codimd/docker-compose.yml up -d"
 # Wait for deployment to finish
 - |
From 6cedf109427b93289ed03243c768324bd0b4c8f4 Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:01:53 +0000
Subject: [PATCH 04/12] add Ubuntu archives to explictly allowed mirror domains
---
.../cloud_init/cloud-init-update-server-linux.mustache.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/deployment/safe_haven_management_environment/cloud_init/cloud-init-update-server-linux.mustache.yaml b/deployment/safe_haven_management_environment/cloud_init/cloud-init-update-server-linux.mustache.yaml
index cac0cb6e80..d29ef6d706 100644
--- a/deployment/safe_haven_management_environment/cloud_init/cloud-init-update-server-linux.mustache.yaml
+++ b/deployment/safe_haven_management_environment/cloud_init/cloud-init-update-server-linux.mustache.yaml
@@ -37,6 +37,8 @@ write_files:
 content: |
 # Additional mirror domains that are allowed by this cache
 apt.postgresql.org
+ archive.ubuntu.com
+ azure.archive.ubuntu.com
 d20rj4el6vkp4c.cloudfront.net
 dbeaver.io
 developer.download.nvidia.com
From bf6141769f48a0f3c21d6c59494297d807056ce1 Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Tue, 9 Jul 2024 12:40:29 +0000
Subject: [PATCH 05/12] give codimddaemon access to pat file
---
.../cloud_init/cloud-init-codimd.mustache.yaml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
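Review bot: `/opt/configuration/docker_pat.txt` is read exactly once by this `docker login`, yet it stays on disk for the lifetime of the VM, and `docker login` additionally persists the token in the daemon user's `~/.docker/config.json` (base64, not encrypted, unless a credential helper is configured), so the token ends up in two places under a service account. Unless a later step has to re-pull with credentials, append `&& docker logout && rm -f /opt/configuration/docker_pat.txt` after the `docker compose ... up -d` (or at minimum remove the file); the same applies to the equivalent commands in patches 05, 08, 09 and 10, so I am raising it once here. While touching the line, `cat file | docker login --password-stdin` can simply be `docker login --username '{{shm.dockerAccount}}' --password-stdin < /opt/configuration/docker_pat.txt`.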
diff --git a/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml b/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
index 2a1a591c58..3fe8bb0771 100644
--- a/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
+++ b/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
@@ -208,7 +208,7 @@ runcmd:
 - sleep 1m
 - systemctl status docker
 - docker --version
- - docker compose --version
+ - docker compose version
 # Set up the codimddaemon user
 - echo ">=== Configuring codimddaemon user... ===<"
@@ -220,8 +220,9 @@ runcmd:
 # Deploy CodiMD using Docker
 - echo ">=== Deploying CodiMD with Docker... ===<"
- - su codimddaemon -c "cat /opt/configuration/docker_pat.txt | docker login --username '{{shm.dockerAccount}}' --password-stdin && `
- docker compose -f /opt/codimd/docker-compose.yml up -d"
+ - chown codimddaemon:codimddaemon /opt/configuration/docker_pat.txt # Ensure that the file is owned by the codimddaemon user
+ - su codimddaemon -c "cat /opt/configuration/docker_pat.txt | docker login --username '{{shm.dockerAccount}}' --password-stdin && \
+ docker compose -f /opt/codimd/docker-compose.yml up -d"
 # Wait for deployment to finish
 - |
From e957168a66024a0305fdd5f7affe3501fa0a7bfe Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Wed, 10 Jul 2024 11:29:39 +0000
Subject: [PATCH 06/12] Add additional Ubuntu archive addresses
---
deployment/common/Configuration.psm1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployment/common/Configuration.psm1 b/deployment/common/Configuration.psm1
index 0d79f7d49c..b3b80e99fa 100644
--- a/deployment/common/Configuration.psm1
+++ b/deployment/common/Configuration.psm1
@@ -329,7 +329,7 @@ function Get-ShmConfig {
 externalIpAddresses = [ordered]@{
 linux = (
 @("72.32.157.246", "87.238.57.227", "147.75.85.69", "217.196.149.55") + # apt.postgresql.org
- @("91.189.91.38", "91.189.91.39", "91.189.91.48", "91.189.91.49", "91.189.91.81", "91.189.91.82", "91.189.91.83", "185.125.190.17", "185.125.190.18", "185.125.190.36", "185.125.190.39") + # archive.ubuntu.com, changelogs.ubuntu.com, security.ubuntu.com
+ @("91.189.91.38", "91.189.91.39", "91.189.91.48", "91.189.91.49", "91.189.91.81", "91.189.91.82", "91.189.91.83", "185.125.190.17", "185.125.190.18", "185.125.190.36", "185.125.190.39", "185.125.190.81", "185.125.190.82", "185.125.190.83") + # archive.ubuntu.com, changelogs.ubuntu.com, security.ubuntu.com
 $cloudFlareIpAddresses + # database.clamav.net, packages.gitlab.com and qgis.org use Cloudflare
 $cloudFrontIpAddresses + # packages.gitlab.com uses Cloudfront to host its Release file
 @("104.131.190.124") + # dbeaver.io
From 30eb0e69773e8dc689f875f69596e192e2795219 Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Wed, 10 Jul 2024 11:31:12 +0000
Subject: [PATCH 07/12] Remove unnecessary domains from acl
---
.../cloud_init/cloud-init-update-server-linux.mustache.yaml | 2 --
1 file changed, 2 deletions(-)
diff --git a/deployment/safe_haven_management_environment/cloud_init/cloud-init-update-server-linux.mustache.yaml b/deployment/safe_haven_management_environment/cloud_init/cloud-init-update-server-linux.mustache.yaml
index d29ef6d706..cac0cb6e80 100644
--- a/deployment/safe_haven_management_environment/cloud_init/cloud-init-update-server-linux.mustache.yaml
+++ b/deployment/safe_haven_management_environment/cloud_init/cloud-init-update-server-linux.mustache.yaml
@@ -37,8 +37,6 @@ write_files:
 content: |
 # Additional mirror domains that are allowed by this cache
 apt.postgresql.org
- archive.ubuntu.com
- azure.archive.ubuntu.com
 d20rj4el6vkp4c.cloudfront.net
 dbeaver.io
 developer.download.nvidia.com
From 603ba34abdf2452b408c15f7231448c07c4906eb Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Wed, 10 Jul 2024 11:31:56 +0000
Subject: [PATCH 08/12] Correctly format multiple lines in codimd mustache
---
.../cloud_init/cloud-init-codimd.mustache.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml b/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
index 3fe8bb0771..bd2cb4e2b2 100644
--- a/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
+++ b/deployment/secure_research_environment/cloud_init/cloud-init-codimd.mustache.yaml
@@ -221,8 +221,8 @@ runcmd:
 # Deploy CodiMD using Docker
 - echo ">=== Deploying CodiMD with Docker... ===<"
 - chown codimddaemon:codimddaemon /opt/configuration/docker_pat.txt # Ensure that the file is owned by the codimddaemon user
- - su codimddaemon -c "cat /opt/configuration/docker_pat.txt | docker login --username '{{shm.dockerAccount}}' --password-stdin && \
- docker compose -f /opt/codimd/docker-compose.yml up -d"
+ - su codimddaemon -c "cat /opt/configuration/docker_pat.txt | docker login --username '{{shm.dockerAccount}}' --password-stdin
+ && docker compose -f /opt/codimd/docker-compose.yml up -d"
 # Wait for deployment to finish
 - |
From 531ec372a2044a649d1e7539fc2b042ca12073cb Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Wed, 10 Jul 2024 14:25:04 +0000
Subject: [PATCH 09/12] configure proxy repository servers to use docker account
---
.../cloud-init-repository-proxy.mustache.yaml | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
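Review bot: Relying on YAML plain-scalar folding to join the `su -c "..."` command across two lines works, but it is fragile: the folded text must never contain `: ` or ` #`, and a future edit that introduces either gets a silent YAML comment or a mapping instead of a shell error. Since the `cat` pipeline can be a redirect, the whole entry fits on one line: `- su codimddaemon -c "docker login --username '{{shm.dockerAccount}}' --password-stdin < /opt/configuration/docker_pat.txt && docker compose -f /opt/codimd/docker-compose.yml up -d"`. If it must stay multi-line, a block scalar (`- >-` followed by the indented lines) makes the folding explicit; the Nexus entry in patch 09 uses the same two-line plain scalar and would benefit equally.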
diff --git a/deployment/safe_haven_management_environment/cloud_init/cloud-init-repository-proxy.mustache.yaml b/deployment/safe_haven_management_environment/cloud_init/cloud-init-repository-proxy.mustache.yaml
index bb887d6b4f..57d9792075 100644
--- a/deployment/safe_haven_management_environment/cloud_init/cloud-init-repository-proxy.mustache.yaml
+++ b/deployment/safe_haven_management_environment/cloud_init/cloud-init-repository-proxy.mustache.yaml
@@ -68,6 +68,10 @@ write_files:
 content: |
 /usr/local/bin/configure-nexus --admin-password {{perInstance.nexusAdminPassword}} update-allowlists --tier {{perInstance.tier}} --pypi-package-file /etc/nexus/allowlist-pypi --cran-package-file /etc/nexus/allowlist-cran >> /var/log/configure_nexus.log 2>&1
+ - path: "/opt/configuration/docker_pat.txt"
+ permissions: "0400"
+ content: {{dockerPassword}}
+
 # Set locale and timezone
 locale: en_GB.UTF-8
 timezone: {{time.timezone.linux}}
@@ -146,7 +150,7 @@ runcmd:
 - sleep 1m
 - systemctl status docker
 - docker --version
- - docker compose --version
+ - docker compose version
 # Create directory for Nexus data that is owned by the correct user inside the Docker container
 - echo ">=== Creating Nexus data directory... ===<"
@@ -163,7 +167,9 @@ runcmd:
 # Set up the Nexus container
 - echo ">=== Creating Nexus container... ===<"
- - su nexusdaemon -c "docker compose -f /etc/nexus/docker-compose.yaml up -d"
+ - chown nexusdaemon:nexusdaemon /opt/configuration/docker_pat.txt # Ensure that the file is owned by the nexusdaemon user
+ - su nexusdaemon -c "cat /opt/configuration/docker_pat.txt | docker login --username '{{dockerAccount}}' --password-stdin
+ && docker compose -f /etc/nexus/docker-compose.yaml up -d"
 # Give Nexus some time to initialise
 - echo ">=== Waiting for Nexus to initialise (5 minutes)... ===<"
From de673c8efc13b1520df8baff3a8919d6b7ecf45f Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Wed, 10 Jul 2024 15:42:32 +0000
Subject: [PATCH 10/12] use docker credentials for guacamole
---
.../cloud_init/cloud-init-guacamole.mustache.yaml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/deployment/secure_research_environment/cloud_init/cloud-init-guacamole.mustache.yaml b/deployment/secure_research_environment/cloud_init/cloud-init-guacamole.mustache.yaml
index cfa8bc4206..236fa5be4e 100644
--- a/deployment/secure_research_environment/cloud_init/cloud-init-guacamole.mustache.yaml
+++ b/deployment/secure_research_environment/cloud_init/cloud-init-guacamole.mustache.yaml
@@ -84,6 +84,10 @@ write_files:
 content: |
 SRD Main;{{guacamole.ipAddressFirstSRD}}
+ - path: "/opt/configuration/docker_pat.txt"
+ permissions: "0400"
+ content: {{shm.dockerPassword}}
+
 # Set locale and timezone
 locale: en_GB.UTF-8
 timezone: {{sre.time.timezone.linux}}
@@ -170,7 +174,7 @@ runcmd:
 - sleep 1m
 - systemctl status docker
 - docker --version
- - docker compose --version
+ - docker compose version
 # Set up the guacamoledaemon user
 - echo ">=== Configuring guacamoledaemon user... ===<"
@@ -197,6 +201,8 @@ runcmd:
 # Deploy Guacamole using Docker
 - echo ">=== Deploying Guacamole with Docker... ===<"
+ - chown guacamoledaemon:guacamoledaemon /opt/configuration/docker_pat.txt # Ensure that the file is owned by the codimddaemon user
+ - su guacamoledaemon -c "cat /opt/configuration/docker_pat.txt | docker login --username {{shm.dockerAccount}} --password-stdin"
 - su guacamoledaemon -c "docker compose -f /opt/guacamole/docker-compose.yaml up -d"
 # Generate the necessary SQL config for the local PostgreSQL database and run it
From c10541c509817b208f60907e24dcc6ed3ca42b5e Mon Sep 17 00:00:00 2001
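Review bot: The comment on the new `chown` line says the file is owned by the codimddaemon user, but this is the Guacamole template and the owner set on that line is `guacamoledaemon`; fix the copy-paste: `# Ensure that the file is owned by the guacamoledaemon user`. This template also diverges from the codimd and Nexus ones: the login is a separate runcmd entry rather than `&&`-chained in front of `docker compose`, so (unless cloud-init's generated runcmd script stops at the first failing command, which I have not confirmed) a failed login is skipped over here and compose falls back to an anonymous pull, whereas in the other two templates it blocks the deployment — pick one behaviour and use it in all three. `--username {{shm.dockerAccount}}` is likewise unquoted where the other templates wrap it in single quotes, so an empty or metacharacter-containing account name is word-split differently here. The `content: {{shm.dockerPassword}}` plain-scalar concern raised on patch 03 applies to the write_files hunk above as well.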
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Fri, 12 Jul 2024 11:35:32 +0000
Subject: [PATCH 11/12] Add Docker instructions to deploy_shm docs
---
docs/source/deployment/deploy_shm.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md
index fa6e19f331..7f307ea450 100644
--- a/docs/source/deployment/deploy_shm.md
+++ b/docs/source/deployment/deploy_shm.md
@@ -52,6 +52,10 @@ Alternatively, you may run multiple SHMs concurrently, for example you may have
 - ![Linux](https://img.shields.io/badge/-555?&logo=linux&logoColor=white) use your favourite package manager or install manually following the [instructions on GitHub](https://github.com/openssl/openssl)
+- `Docker Hub` account
+ - The DSH makes use of several public Docker images. Due to Docker Hub download rate limits https://docs.docker.com/docker-hub/download-rate-limit/, we now require Docker credentials to ensure that all images are successfully downloaded at the time of deployment.
+ - We recommend using a personal access token (PAT) with Public Repo Read-Only permissions rather than your Docker account password. See [instructions on Docker](https://docs.docker.com/security/for-developers/access-tokens/) for details of how to create a PAT.
+
 ````{hint}
 If you run:
@@ -118,6 +122,10 @@ The following core SHM properties are required - look in the `environment_config
 "location": "[Optional] Azure location where VM images should be built (if not specified then the value from the 'azure' block will be used). Multiple Safe Haven deployments can share a single set of VM images in a common subscription if desired - this is what is done in the Turing deployment. If you are hoping to use images that have already been built for another Safe Haven deployment, make sure you specify this parameter accordingly.",
 "buildIpAddresses": "[Optional] One or more IP addresses which admins will be running the VM build scripts from (if not specified then Turing IP addresses will be used)."
 },
+ "docker": {
+ "account": "A Docker Hub account name.",
+ "password": "The password or personal access token for the above account. We strongly recommend using a Personal Access Token with permissions set to Public Repo Read-only"
+ },
 "overrides": "[Optional, Advanced] Do not use this unless you know what you're doing! If you want to override any of the default settings, you can do so by creating the same JSON structure that would be found in the final config file and nesting it under this entry. For example, to change the size of the data disk on the domain controller, you could use something like: 'shm: { dc: { disks: { data: { sizeGb: 50 } } } }'"
 }
 ```
From 86dd70e5b83161546fae4c3d3236ab721fcf277c Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Fri, 12 Jul 2024 13:28:51 +0000
Subject: [PATCH 12/12] Add example docker fields
---
environment_configs/shm_blue_core_config.json | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/environment_configs/shm_blue_core_config.json b/environment_configs/shm_blue_core_config.json
index b80dbd5075..236d7bf9cb 100644
--- a/environment_configs/shm_blue_core_config.json
+++ b/environment_configs/shm_blue_core_config.json
@@ -22,5 +22,9 @@
 },
 "vmImages": {
 "subscriptionName": "[Prod] Safe Haven VM Images"
+ },
+ "docker": {
+ "account": "youraccountname",
+ "password": "dckr_pat_0o0o0o0o0o0o0o0o0o0o0o0o0o0"
 }
 }
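Review bot: The example `password` value `dckr_pat_0o0o0o0o0o0o0o0o0o0o0o0o0o0` has the exact shape of a real Docker Hub access token, so secret scanners and pre-commit hooks will flag it and a reader cannot tell it from a leaked token at a glance; an obviously synthetic placeholder such as `"<docker-hub-pat>"` or `"dckr_pat_EXAMPLE"` (constructed) avoids both. More importantly, this file shows where operators are expected to put the real value: a plaintext token in a version-controlled environment config, next to the account name. If the project already keeps SHM secrets in Key Vault, document that route instead and leave only `account` in this file; if not, at least state in the docs from patch 11 that this file must not be committed with a live token.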