Fixes some Clair exporting commands (#992) (#1019)

stevsmit · Steven Smith · web-flow · commit 0b0eabbc338c · 2024-07-29T13:54:56.000-04:00
Co-authored-by: Steven Smith &lt;stevsmit@stevsmit-thinkpadt14gen4.remote.csb&gt;
diff --git a/modules/builders-virtual-environment.adoc b/modules/builders-virtual-environment.adoc
@@ -26,7 +26,11 @@ To add the builder route, use the following format:
 [id="red-hat-quay-quota-builders-establishment"]
 == Using {ocp} for {productname} builders
 
+<<<<<<< HEAD
 Builders require SSL/TLS certificates. For more information about SSL/TLS certificates, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html-single/proof_of_concept_-_deploying_red_hat_quay/index#advanced-quay-poc-deployment[Using SSL/TLS certificates].
+=======
+Builders require SSL/TLS certificates. For more information about SSL/TLS certificates, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html/proof_of_concept_-_deploying_red_hat_quay/advanced-quay-poc-deployment[Proof of concept deployment using SSL/TLS certificates].
+>>>>>>> 7068057f (Fixes some Clair exporting commands (#992))
 
 If you are using Amazon Web Service (AWS) S3 storage, you must modify your storage bucket in the AWS console, prior to running builders. See "Modifying your AWS S3 storage bucket" in the following section for the required parameters.
 
@@ -246,8 +250,7 @@ BUILD_MANAGER:
 
 Due to a known issue with the configuration tool, you must manually add your custom SSL/TLS certificates to properly run builders. Use the following procedure to manually add custom SSL/TLS certificates.
 
-For more information about SSL/TLS certificates, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html-single/proof_of_concept_-_deploying_red_hat_quay/index#advanced-quay-poc-deployment[Using SSL/TLS certificates].
-
+For more information creating SSL/TLS certificates, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html/proof_of_concept_-_deploying_red_hat_quay/advanced-quay-poc-deployment[Proof of concept deployment using SSL/TLS certificates].
 
 
 [id="create-sign-certificates"]
@@ -257,8 +260,7 @@ Use the following procedure to create and sign an SSL/TLS certificate.
 
 .Procedure
 
-* Create a certificate authority and sign a certificate. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html-single/proof_of_concept_-_deploying_red_hat_quay/index#advanced-quay-poc-deployment[Using SSL/TLS certificates].
-
+* Create a certificate authority and sign a certificate. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html-single/proof_of_concept_-_deploying_red_hat_quay/index#creating-a-certificate-authority[Creating a Certificate Authority].
 +
 .openssl.cnf
 [source,terminal]
diff --git a/modules/clair-standalone-database.adoc b/modules/clair-standalone-database.adoc
@@ -3,7 +3,7 @@
 
 Clair requires a Postgres database.  You can share a common database between Quay and Clair if Quay is also using Postgres, but in this example a separate, Clair-specific database is deployed.
 
-In this proof-of-concept scenario, you will use a directory on the local file system to persist database data. 
+In this proof of concept scenario, you will use a directory on the local file system to persist database data. 
 
 . In the installation folder, denoted here by the variable $QUAY, create a directory for the Clair database data and set the permissions appropriately: 
 +
diff --git a/modules/config-fields-ldap.adoc b/modules/config-fields-ldap.adoc
@@ -23,6 +23,8 @@
 | **LDAP_URI** | String | The LDAP URI.
 | **LDAP_USER_FILTER** | String | The user filter for LDAP authentication.
 | **LDAP_USER_RDN** | Array of String|  The user RDN for LDAP authentication.
+| **LDAP_SECONDARY_USER_RDNS** | Array of String | Provide Secondary User Relative DNs if there are multiple Organizational Units where user objects are located.
+
 | **TEAM_RESYNC_STALE_TIME**  | String | If team syncing is enabled for a team, how often to check its membership and resync if necessary. + 
  + 
 **Pattern:** + 
@@ -38,15 +40,21 @@ With this field, administrators can add or remove superusers without having to u
 
 This field requires that your `AUTHENTICATION_TYPE` is set to `LDAP`. 
 
+| **GLOBAL_READONLY_SUPER_USERS** | String | When set, grants users of this list read access to all repositories, regardless of whether they are public repositories. Only works for those superusers defined with the `LDAP_SUPERUSER_FILTER` configuration field.
+
 | **LDAP_RESTRICTED_USER_FILTER** | String | Subset of the `LDAP_USER_FILTER` configuration field. When configured, allows {productname} administrators the ability to configure Lightweight Directory Access Protocol (LDAP) users as restricted users when {productname} uses LDAP as its authentication provider.
 
-This field requires that your `AUTHENTICATION_TYPE` is set to `LDAP`. 
+This field requires that your `AUTHENTICATION_TYPE` is set to `LDAP`.
 
-| **LDAP_TIMEOUT** |Integer | Determines the maximum time period. in seconds, allowed for establishing a connection to the Lightweight Directory Access Protocol (LDAP) server. +
+| **FEATURE_RESTRICTED_USERS** | Boolean | When set to `True` with `LDAP_RESTRICTED_USER_FILTER` active, only the listed users in the defined LDAP group are restricted.
+
+*Default:* `False` 
+
+| **LDAP_TIMEOUT** |Integer | Specifies the time limit, in seconds, for LDAP operations. This limits the amount of time an LDAP search, bind, or other operation can take. Similar to the `-l` option in `ldapsearch`, it sets a client-side operation timeout. +
  +
 **Default:** `10`
 
-| **LDAP_NETWORK_TIMEOUT** |Integer | Defines the maximum time duration, in seconds, that {productname} waits for a response from the Lightweight Directory Access Protocol (LDAP) server during network operations. +
+| **LDAP_NETWORK_TIMEOUT** |Integer | Specifies the time limit, in seconds, for establishing a connection to the LDAP server. This is the maximum time {productname} waits for a response during network operations, similar to the `-o nettimeout` option in `ldapsearch`. +
  +
 **Default:** `10`
 
@@ -83,6 +91,11 @@ LDAP_USER_RDN: <10>
     - o=<organization_id>
     - dc=<example_domain_component>
     - dc=com
+LDAP_SECONDARY_USER_RDNS: <11>
+    - ou=<example_organization_unit_one>
+    - ou=<example_organization_unit_two>
+    - ou=<example_organization_unit_three>
+    - ou=<example_organization_unit_four>
 ----
 <1> Required. Must be set to `LDAP`.
 <2> Required. The admin DN for LDAP authentication.
@@ -94,6 +107,7 @@ LDAP_USER_RDN: <10>
 <8> Required. The LDAP URI.
 <9> Required. The user filter for LDAP authentication.
 <10> Required. The user RDN for LDAP authentication.
+<11> Optional. Secondary User Relative DNs if there are multiple Organizational Units where user objects are located.
 
 [id="reference-ldap-restricted-user"]
 === LDAP restricted user configuration
@@ -105,6 +119,8 @@ Use the following reference for an LDAP restricted user configuration.
 # ...
 AUTHENTICATION_TYPE: LDAP
 # ...
+FEATURE_RESTRICTED_USERS: true <1>
+# ...
 LDAP_ADMIN_DN: uid=<name>,ou=Users,o=<organization_id>,dc=<example_domain_component>,dc=com
 LDAP_ADMIN_PASSWD: ABC123
 LDAP_ALLOW_INSECURE_FALLBACK: false
@@ -116,15 +132,16 @@ LDAP_EMAIL_ATTR: mail
 LDAP_UID_ATTR: uid
 LDAP_URI: ldap://<example_url>.com
 LDAP_USER_FILTER: (memberof=cn=developers,ou=Users,o=<example_organization_unit>,dc=<example_domain_component>,dc=com)
-LDAP_RESTRICTED_USER_FILTER: (<filterField>=<value>) <1>
+LDAP_RESTRICTED_USER_FILTER: (<filterField>=<value>) <2>
 LDAP_USER_RDN:
     - ou=<example_organization_unit>
     - o=<organization_id>
     - dc=<example_domain_component>
     - dc=com
 # ...
 ----
-<1> Configures specified users as restricted users.
+<1> Must be set to `true` when configuring an LDAP restricted user.
+<2> Configures specified users as restricted users.
 
 [id="reference-ldap-super-user"]
 === LDAP superuser configuration reference
diff --git a/modules/config-fields-user.adoc b/modules/config-fields-user.adoc
@@ -53,13 +53,17 @@
 
 *Default:* `False`
 
-| **FEATURE_RESTRICTED_USERS** | Boolean | When set with `RESTRICTED_USERS_WHITELIST`, restricted users cannot create organizations or content in their own namespace. Normal permissions apply for an organization's membership, for example, a restricted user will still have normal permissions in organizations based on the teams that they are members of.
+| **FEATURE_RESTRICTED_USERS** | Boolean | When set to `True` with `RESTRICTED_USERS_WHITELIST`:
+
+* All normal users and superusers are restricted from creating organizations or content in their own namespace unless they are allowlisted via `RESTRICTED_USERS_WHITELIST`.
+
+* Restricted users retain their normal permissions within organizations based on team memberships.
 
 *Default:* `False` 
 
 | **RESTRICTED_USERS_WHITELIST** | String | When set with `FEATURE_RESTRICTED_USERS: true`, specific users are excluded from the `FEATURE_RESTRICTED_USERS` setting.
 
-| **GLOBAL_READONLY_SUPER_USERS** | String | When set, grants users of this list read access to all repositories, regardless of whether they are public repositories.  
+| **GLOBAL_READONLY_SUPER_USERS** | String | When set, grants users of this list read access to all repositories, regardless of whether they are public repositories. Only works for those superusers defined with the `SUPER_USERS` configuration field.
 
 |===
 
diff --git a/modules/config-intro.adoc b/modules/config-intro.adoc
@@ -5,17 +5,6 @@
 {productname} can be deployed by an independent, standalone configuration, or by using the {productname} Operator on {ocp}.
 
 How you create, retrieve, update, and validate the {productname} configuration varies depending on the type of deployment you are using. However, the core configuration options are the same for either deployment type. Core configuration is primarily set through a `config.yaml` file, but can also be set by using the configuration API. 
-////
-+
-[NOTE]
-====
-As of {productname} 3.10, the configuration tool has been removed on {ocp} deployments, meaning that users cannot configure, or reconfigure, directly from the {ocp} console.
-
-As a workaround, you can deploy the configuration tool locally and create your own configuration bundle. This includes entering the database and storage credentials used for your {productname} on {ocp} deployment, generating a `config.yaml` file, and using it to deploy {productname} on {ocp} via the command-line interface.
-
-To deploy the configuration tool locally, see link:https://access.redhat.com/documentation/en-us/red_hat_quay/3.10/html-single/deploy_red_hat_quay_for_proof-of-concept_non-production_purposes/index#poc-getting-started[Getting started with {productname}] and follow the instructions up to "Configuring {productname}".
-====
-////
 
 For standalone deployments of {productname}, you must supply the minimum required configuration parameters before the registry can be started. The minimum requirements to start a {productname} registry can be found in the "Retrieving the current configuration" section.
 
diff --git a/modules/georepl-prereqs.adoc b/modules/georepl-prereqs.adoc
@@ -36,6 +36,11 @@ Geo-replication does not replicate the database. In the event of an outage, {pro
 
 * Geo-replication requires your Clair configuration to be set to `unmanaged`. An unmanaged Clair database allows the {productname} Operator to work in a geo-replicated environment, where multiple instances of the {productname} Operator must communicate with the same database. For more information, see link:https://access.redhat.com/documentation/en-us/red_hat_quay/3.7/html-single/deploy_red_hat_quay_on_openshift_with_the_quay_operator/index#clair-unmanaged[Advanced Clair configuration].
 
+<<<<<<< HEAD
 * Geo-Replication requires SSL/TLS certificates and keys. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html-single/proof_of_concept_-_deploying_red_hat_quay/index#advanced-quay-poc-deployment[Using SSL/TLS certificates].
+=======
+* Geo-Replication requires SSL/TLS certificates and keys. For more information, see * Geo-Replication requires SSL/TLS certificates and keys. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/3/html/proof_of_concept_-_deploying_red_hat_quay/advanced-quay-poc-deployment[Proof of concept deployment using SSL/TLS certificates].
+.
+>>>>>>> 7068057f (Fixes some Clair exporting commands (#992))
 
 If the above requirements cannot be met, you should instead use two or more distinct {productname} deployments and take advantage of repository mirroring functions.
diff --git a/modules/obtaining-quay-logs.adoc b/modules/obtaining-quay-logs.adoc
@@ -57,6 +57,16 @@ gunicorn-web stdout | 2023-01-20 15:41:52,071 [205] [DEBUG] [app] Starting reque
 
 {productname} does not have verbose logs, however, with the following procedures, you can obtain a detailed status check of your database pod or container. 
 
+[NOTE]
+====
+Additional debugging information can be returned if you have deployed {productname} in one of the following ways:
+
+* You have deployed {productname} by passing in the `DEBUGLOG=true` variable.
+* You have deployed {productname} with LDAP authentication enabled by passing in the `DEBUGLOG=true` and `USERS_DEBUG=1` variables.
+* You have configured {productname-ocp} by updating the `QuayRegistry` resource to include `DEBUGLOG=true`. 
+
+For more information, see "Running {productname} in debug mode".
+====
 .Procedure
 
 . Enter the following commands to examine verbose database logs.
@@ -82,15 +92,15 @@ $ oc cp <quay_pod_name>:/var/lib/pgsql/data/userdata/log/* /path/to/desired_dire
 +
 [source,terminal]
 ----
-$ podman logs <quay_container_name> --previous
+$ podman logs <quay_container_id> --previous
 ----
 +
 [source,terminal]
 ----
-$ podman logs <quay_container_name> --previous -c <container_name>
+$ podman logs <quay_container_id> --previous -c <container_name>
 ----
 +
 [source,terminal]
 ----
-$ podman cp <quay_container_name>:/var/lib/pgsql/data/userdata/log/* /path/to/desired_directory_on_host
+$ podman cp <quay_container_id>:/var/lib/pgsql/data/userdata/log/* /path/to/desired_directory_on_host
 ----
diff --git a/modules/proc_manage-ldap-setup.adoc b/modules/proc_manage-ldap-setup.adoc
@@ -126,6 +126,11 @@ LDAP_USER_RDN: <10>
     - o=<organization_id>
     - dc=<example_domain_component>
     - dc=com
+LDAP_SECONDARY_USER_RDNS: <11>
+    - ou=<example_organization_unit_one>
+    - ou=<example_organization_unit_two>
+    - ou=<example_organization_unit_three>
+    - ou=<example_organization_unit_four>
 # ...
 ----
 <1> Required. Must be set to `LDAP`.
@@ -162,6 +167,8 @@ Use the following procedure to enable LDAP restricted users on your {productname
 # ...
 AUTHENTICATION_TYPE: LDAP
 # ...
+FEATURE_RESTRICTED_USERS: true <1>
+# ...
 LDAP_ADMIN_DN: uid=<name>,ou=Users,o=<organization_id>,dc=<example_domain_component>,dc=com
 LDAP_ADMIN_PASSWD: ABC123
 LDAP_ALLOW_INSECURE_FALLBACK: false
@@ -173,15 +180,16 @@ LDAP_EMAIL_ATTR: mail
 LDAP_UID_ATTR: uid
 LDAP_URI: ldap://<example_url>.com
 LDAP_USER_FILTER: (memberof=cn=developers,ou=Users,o=<example_organization_unit>,dc=<example_domain_component>,dc=com)
-LDAP_RESTRICTED_USER_FILTER: (<filterField>=<value>) <1>
+LDAP_RESTRICTED_USER_FILTER: (<filterField>=<value>) <2>
 LDAP_USER_RDN:
     - ou=<example_organization_unit>
     - o=<organization_id>
     - dc=<example_domain_component>
     - dc=com
 # ...
 ----
-<1> Configures specified users as restricted users.
+<1> Must be set to `true` when configuring an LDAP restricted user.
+<2> Configures specified users as restricted users.
 
 . Start, or restart, your {productname} deployment. 
 
diff --git a/modules/running-ldap-debug-mode.adoc b/modules/running-ldap-debug-mode.adoc
@@ -0,0 +1,26 @@
+:_content-type: PROCEDURE
+[id="running-ldap-debug-mode"]
+= Running an LDAP {productname} deployment in debug mode
+
+Use the following procedure to run an LDAP deployment of {productname} in debug mode.
+
+.Procedure 
+
+. Enter the following command to run your LDAP {productname} deployment in debug mode:
++
+[source,terminal]
+----
+$ podman run -p 443:8443 -p 80:8080 -e DEBUGLOG=true -e USERS_DEBUG=1  -v /config:/conf/stack -v /storage:/datastorage -d {productrepo}/{quayimage}:{productminv}
+----
+
+. To view the debug logs, enter the following command:
++
+[source,terminal]
+----
+$ podman logs <quay_container_name>
+----
++
+[IMPORTANT]
+====
+Setting `USERS_DEBUG=1` exposes credentials in clear text. This variable should be removed from the {productname} deployment after debugging. The log file that is generated with this environment variable should be scrutinized, and passwords should be removed before sending to other users. Use with caution.
+====
diff --git a/modules/running-operator-debug-mode.adoc b/modules/running-operator-debug-mode.adoc
@@ -0,0 +1,29 @@
+:_content-type: PROCEDURE
+[id="running-operator-debug-mode"]
+= Running the {productname} Operator in debug mode
+
+Use the following procedure to run the {productname} Operator in debug mode. 
+
+.Procedure 
+
+. Enter the following command to edit the `QuayRegistry` custom resource definition:
++
+[source,terminal]
+----
+$ oc edit quayregistry <quay_registry_name> -n <quay_namespace>
+----
+
+. Update the `QuayRegistry` to add the following parameters:
++
+[source,yaml]
+----
+spec:
+  - kind: quay
+    managed: true
+    overrides:
+      env:
+      - name: DEBUGLOG
+        value: "true"
+----
+
+. After the {productname} Operator has restarted with debugging enabled, try pulling an image from the registry. If it is still slow, dump all dogs from all `Quay` pods to a file, and check the files for more information. 
diff --git a/modules/running-quay-debug-mode-intro.adoc b/modules/running-quay-debug-mode-intro.adoc
@@ -2,4 +2,21 @@
 [id="running-quay-debug-mode-intro"]
 = Running {productname} in debug mode
 
-Red Hat recommends gathering your debugging information when opening a support case. Running {productname} in debug mode provides verbose logging to help administrators find more information about various issues. Enabling debug mode can speed up the process to reproduce errors and validate a solution for things like geo-replication deployments, Operator deployments, standalone {productname} deployments, object storage issues, and so on. Additionally, it helps the Red Hat Support to perform a root cause analysis.
+Red Hat recommends gathering your debugging information when opening a support case. Running {productname} in debug mode provides verbose logging to help administrators find more information about various issues. Enabling debug mode can speed up the process to reproduce errors and validate a solution for things like geo-replication deployments, Operator deployments, standalone {productname} deployments, object storage issues, and so on. Additionally, it helps the Red Hat Support to perform a root cause analysis.
+
+[id="debug-configuration-fields"]
+== {productname} debug variables
+
+{productname} offers two configuration fields that can be added to your `config.yaml` file to help diagnose issues or help obtain log information.
+
+.Debug configuration variables
+[cols="3a,1a,2a",options="header"]
+|===
+| Variable | Type | Description
+| **DEBUGLOG** | Boolean | Whether to enable or disable debug logs. Must be `true` or `false`.
+| **USERS_DEBUG** |Integer. Either `0` or `1`. | Used to debug LDAP operations in clear text, including passwords. Must be used with `DEBUGLOG=TRUE`. +
+[IMPORTANT]
+====
+Setting `USERS_DEBUG=1` exposes credentials in clear text. This variable should be removed from the {productname} deployment after debugging. The log file that is generated with this environment variable should be scrutinized, and passwords should be removed before sending to other users. Use with caution.  
+====
+|===
diff --git a/modules/running-quay-debug-mode.adoc b/modules/running-quay-debug-mode.adoc
@@ -1,4 +1,4 @@
-:_content-type: CONCEPT
+:_content-type: PROCEDURE
 [id="running-standalone-debug-mode"]
 = Running a standalone {productname} deployment in debug mode
 
@@ -19,34 +19,5 @@ $ podman run -p 443:8443 -p 80:8080 -e DEBUGLOG=true  -v /config:/conf/stack -v
 +
 [source,terminal]
 ----
-$ podman logs quay
-----
-
-[id="running-operator-debug-mode"]
-= Running the {productname} Operator in debug mode
-
-Use the following procedure to run the {productname} Operator in debug mode. 
-
-.Procedure 
-
-. Enter the following command to edit the `QuayRegistry` custom resource definition:
-+
-[source,terminal]
-----
-$ oc edit quayregistry <quay_registry_name> -n <quay_namespace>
-----
-
-. Update the `QuayRegistry` to add the following parameters:
-+
-[source,yaml]
-----
-spec:
-  - kind: quay
-    managed: true
-    overrides:
-      env:
-      - name: DEBUGLOG
-        value: "true"
-----
-
-. After the {productname} Operator has restarted with debugging enabled, try pulling an image from the registry. If it is still slow, dump all dogs from all `Quay` pods to a file, and check the files for more information. 
+$ podman logs <quay_container_name>
+----
diff --git a/troubleshooting_quay/master.adoc b/troubleshooting_quay/master.adoc
diff --git a/upgrade_quay/master.adoc b/upgrade_quay/master.adoc

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`
`4`	`4`	`Clair requires a Postgres database. You can share a common database between Quay and Clair if Quay is also using Postgres, but in this example a separate, Clair-specific database is deployed.`
`5`	`5`
`6`		`-In this proof-of-concept scenario, you will use a directory on the local file system to persist database data.`
	`6`	`+In this proof of concept scenario, you will use a directory on the local file system to persist database data.`
`7`	`7`
`8`	`8`	`. In the installation folder, denoted here by the variable $QUAY, create a directory for the Clair database data and set the permissions appropriately:`
`9`	`9`	`+`