Package Registry

ENTERPRISE

Using the web interface or CLI to manage your package repositories

DC/OS comes pre-configured with the Mesosphere Catalog package repository as the provider of DC/OS packages. However, this assumes Internet access, which is not always possible. For air-gapped environments, DC/OS Enterprise offers a package registry for flexible and seamless management of your packages.

For a full list of the configuration options available for the DC/OS Package Registry, use the following command:

dcos package describe package-registry --config

You can find more information about the dcos package commands in the CLI documentation.

For a detailed description of how to configure and deploy DC/OS Services, see Configuring Catalog Services.

Default installation

Package registry can be activated out of box by executing the following command(s):

# Install the package-registry CLI
dcos package install package-registry --cli --yes

# Activate the package-registry with default options
dcos registry activate

The registry activate command uses the default options, which are NOT recommended if you are installing in a production environment. Read through the rest of the sections to create an options file, and then activate the package registry by executing the following command:

dcos registry activate --options=<custom-options-file>

Configuration

If you have a configuration file from one of the previous installations, skip this section and continue to the next section of installing the package-registry.

Package registry can be configured with the following options during deployment:

  1. Storage Options (Local storage OR Mount Volumes OR S3 Compatible Storage)
  2. Service namespacing and secrets

If you have a config file from one of the previous installations, skip this section and continue to the next section of installing the package-registry.

Storage options

Package registry can be configured to use one of:

  1. Local Storage
  2. Mount Volumes OR
  3. S3 Compatible storage

Local storage

Package registry uses local storage by default, which is NOT recommended for production usage. Configure a persistent volume or S3-compatible storage for production usage. If you are using this for developement purposes and wish to use local storage, skip to the next section.

Mount volume option

To create mount volumes on DC/OS, refer to the Mount Volume documentation, which includes an example that creates a loopback device. The rest of this guide assumes you have a mount volume created at /dcos/package-registry. You must specify the container-path and a pinned-hostname, which refers to the hostname of the agent on which the volume is mounted. The following options can be used to configure package-registry to use a mount volume :

{
    "registry": {
        "mount-volume": {
            "container-path": "package-registry",
            "pinned-hostname": "a.specific.node.com"
        }
    }
}

S3 Storage Option

Given the default configuration of the DC/OS Package Registry, DC/OS Packages are stored in a local persistent volume in the host file system. When using this default storage configuration, you are limited to one instance of the registry. Package Registry also supports a highly available configuration by storing DC/OS Packages on S3-compatible storage, which supports deploying more than one instance of the registry.

To configure a DC/OS Package Registry to store DC/OS Packages using S3 storage, you must provide the following details:

  1. Specific S3 endpoint.
  2. S3 bucket name and path.
  3. S3 access key and secret key.

S3 Endpoint details

When using Amazon S3, refer to Amazon S3 Regions & Endpoints for more details on possible endpoints. Package registry has been tested and is known to work with Amazon S3 and Minio storage. It can work with any other S3 compatible storage. Contact Mesosphere support if you face problems connecting with other S3 compatible storage.

S3 bucket name and path

The combination of an S3 bucket name and path inside the bucket should be unique to each deployment of Package registry. Multiple instances from each deployment ensures synchronized access to this bucket.

Upload the S3 credential to the DC/OS Secret store

Create (or use an existing file) an S3 credential file and use it to create a file based secret in DC/OS.

dcos security secrets create -f ~/.aws/credentials dcos-registry-s3-credential-file

For information on how to create an AWS Credential file, see the AWS CLI User Guide.

The final s3 config should look something like this:

{
    "registry": {
        "s3": {
            "credential-secret-path" : "dcos-registry-s3-credential-file",
            "credential-profile-name" : "default",
            "bucket" : "my-bucket",
            "path" : "my-path-in-bucket",
            "endpoint" : "https://s3.us-east-1.amazonaws.com"
        }
    }
}

NOTE: You must override the value for the properties bucket, path and endpoint to match the S3 configuration.

Service namespacing and secrets

By default, package registry is installed as a marathon app with dcos-registry as its ID. This name has unique significance because the dockerd on agents are configured to trust the package registry instance at dcos-registry.marathon.l4lb.thisdcos.directory:443. If you decide to change this name, you need to configure the dockerd to trust the custom name your registry is deployed at <your-custom-name>.marathon.l4lb.thisdcos.directory:443. For example, if you install package registry under /my/custom/dcos-registry namespace, then ensure that the registry is accessible at https://mycustomdcos-registry.marathon.l4lb.thisdcos.directory (internal to cluster):

curl -k https://mycustomdcos-registry.marathon.l4lb.thisdcos.directory
{"checks":{"/repo":{"Healthy":{"message":"Able to find 0 package(s)."}}}}

You must also require your dockerd to trust the above domain name. To configure dockerd to trust package registry at mycustomdcos-registry.marathon.l4lb.thisdcos.directory, execute the following command:

sudo mkdir -p /etc/docker/certs.d/mycustomdcos-registry.marathon.l4lb.thisdcos.directory
sudo cp /run/dcos/pki/CA/ca-bundle.crt /etc/docker/certs.d/mycustomdcos-registry.marathon.l4lb.thisdcos.directory/ca.crt
sudo systemctl restart docker

Set Up Service Account and Secret

DC/OS Package Registry needs a service account to be able to run in DC/OS Enterprise. Use the following procedure to create a service account with minimum permissions.

  1. Install the DC/OS Enterprise CLI:

    dcos package install dcos-enterprise-cli --yes
    
  2. Create a private/public key pair for the service account:

    dcos security org service-accounts keypair private-key.pem public-key.pem
    
  3. Create the service account:

    dcos security org service-accounts create -p public-key.pem -d "dcos_registry service account" registry-account
    
  4. Store private key in the Secret Store:

    dcos security secrets create-sa-secret --strict private-key.pem registry-account registry-private-key
    
  5. Give full permission to the service account:

    dcos security org users grant registry-account dcos:adminrouter:ops:ca:rw full
    

IMPORTANT: The secret information associated with the service account is stored in a path called registry-private-key in the DC/OS Secret store. If using a different filename, substitute that for registry-private-key.

WARNING: These instructions create two sensitive files on the local file system: private-key.pem and public-key.pem. Make sure to save these files in a secure place or delete them. They are not needed after being stored in the DC/OS Secret Store.

The service instances, cpus, mem, and disk can also be configured as needed. Execute the following command to view an exhaustive list of all configuration options:

dcos package describe package-registry --config

Here is a sample configuration file for the service:

> cat package-registry-options.json
{
    "registry": {
        "s3": {
            "credential-secret-path" : "dcos-registry-s3-credential-file",
            "credential-profile-name" : "default",
            "bucket" : "my-bucket",
            "path" : "my-path-in-bucket",
            "endpoint" : "https://s3.us-east-1.amazonaws.com"
        },
        "service-account-secret-path" : "dcos-registry-secret"
    },
    "service": {
        "mem" : 2048,
        "instances" : 2
    }
    "
}

Installation

Now that you have successfully created the config file (referred to as package-registry-options.json from here on), you are ready to install the package registry. This can accomplished by following :

dcos package install package-registry --options=package-registry-options.json

This would launch the Marathon app for package-registry. This usually takes a couple of minutes. As soon as package-registry is healthy, you can add it as one of the package repositories in DC/OS. This can be done by:

# Change the repo name and URL if you need to customize
dcos package repo add --index=0 "Registry" https://dcos-registry.marathon.l4lb.thisdcos.directory/repo

If you get errors in executing this command, wait for a couple of minutes (to account for the latency in package-registry becoming healthy and its DNS entry being propagated to all master nodes) and try again.

Using package registry

After package-registry is installed, you can start adding packages to it. The two step process to use the package registry is as follows:

  1. Building the package files (.dcos files)
  2. Uploading the packages to package-registry.

Building the packages

Mesosphere hosts all its certified packages at downloads.mesosphere.com/universe/packages/packages.html. If the packages you need are available there, you can download them and skip to the next section to upload these .dcos files to your cluster. When a Catalog package is under development and you want to test it before creating a pull request, or if you want to build a non certified (community) package, this section is useful.

Requirements

  1. Make sure you have the valid Catalog package definition files (Schema). Note that package-registry only supports packages that are packaged with v4 or higher schemas of the Catalog packaging system. See Creating a package for more details.
  2. docker is installed in your system (if your package uses Docker images).
  3. The package registry CLI needs to be installed as well. There are two ways to accomplish this.
    1. Install package-registry CLI from a DC/OS cluster.

      # Install CLI subcommand "registry"
      dcos package install --cli package-registry
      # Make sure the subcommand works
      dcos registry --help
      
    2. If you do not have access to a DC/OS Cluster (such as in CI/CD), download the package-registry CLI for Linux, macOS or Windows

      # Change the URL based on macOS, linux or windows accordingly.
      curl -o dcos-registry https://downloads.mesosphere.io/package-registry/binaries/cli/darwin/x86-64/latest/dcos-registry-darwin
      # Give executable permissions to downloaded binary
      chmod +x dcos-registry
      # Make sure the executable works
      ./dcos-registry registry --help
      
      # You can use this binary in the following manner:
      ./dcos-registry registry --version
      ./dcos-registry registry <your-subcommand>
      

      In the rest of the instructions on this page, we assume you have downloaded the subcommand from an attached DC/OS Cluster. If that is not the case, replace dcos with ./dcos-registry in your instructions whilst retaining the registry suffix.

      NOTE: You must use the aforementioned binary with `./dcos-registry registry ` style of syntax. Eliminating the registry suffix does not work.

Instructions to generate .dcos bundle

The package-registry CLI bundles your package into a .dcos file that can be used by the package-registry. Assume that the Catalog package files are in a directory called /path/to/package/. It should contain the following package definition files:

➜ tree
.
├── config.json
├── marathon.json.mustache
├── package.json
└── resource.json

NOTE: All the assets URIs in the resource.json must be accessible to download from your environment. Relative file paths are also accepted.

# Create a temporary work directory to store the build definition and other files necessary to create the bundle.
mkdir /path/to/output

# `migrate` the unvierse package defintion to create a build defintion for the `.dcos` file.
dcos registry migrate --package-directory=/path/to/package --output-directory=/path/to/output

# `build` to download all the requrired assets and generate a `.dcos` file. This may take a while.
dcos registry build --build-definition-file=/path/to/output/<json-build-defintion-generated-above> --output-directory=/path/to/output

If all these steps are completed successfully, your /path/to/output directory should look similar to the following:

➜ tree
.
├── <package-name>-<package-version>.dcos
└── <package-name>-<package-version>.json

You can clean up the build definition .json file, as it is no longer needed. Both the build and migrate subcommands accept an optional --json flag to support automation.

After executing all the above steps, you should have a brand new .dcos file.

Uploading the packages to package-registry

Now that you have all the .dcos files you need, you can continue to execute:

dcos registry add --dcos-file <your-file>.dcos

This is asynchronous and takes a couple of minutes for the package to be visible in your Catalog. Even if the above command errors out (which can happen even on a successful upload in slow network connections), you can track the status of the upload by executing:

dcos registry describe --package-name=<package-name> --package-version=<package-version>

Be patient and wait for a couple minutes for the package to be uploaded, processed and made visible in the Catalog.

See dcos registry --help for an exhaustive list of operations that you can use to manage the packages in Package registry. The registry subcommand allows you to add, remove and describe a package.

WARNING: Removing a package while a service is still deployed may cause the service to stop working.

After executing the above instructions, the rest of the flow is identical to packages fetched from Catalog. The only difference is that you do not need Internet access (for customers with air-gapped environments) to install packages from package-registry.