diff --git a/docs/accounts/how-to-add-service-access-for-project.md b/docs/accounts/how-to-add-service-access-for-project.md index 584115cf82..e04e1a4de3 100644 --- a/docs/accounts/how-to-add-service-access-for-project.md +++ b/docs/accounts/how-to-add-service-access-for-project.md @@ -3,7 +3,7 @@ Access can be granted to the following services: * Supercomputers **Puhti** and **Mahti** -* Cloud services **cPouta**, **Rahti** and **Pukki DBaaS** +* Cloud services **cPouta**, **Rahti**, **Pukki DBaaS** and **Satama** * Storage services **Allas** and **IDA** * Sensitive data services **SD Services** diff --git a/docs/cloud/index.md b/docs/cloud/index.md index f6e6a91456..5c54b50bde 100644 --- a/docs/cloud/index.md +++ b/docs/cloud/index.md @@ -29,3 +29,9 @@ If you need an environment to run a containerised software application that does Noppe is a hosted platform for teaching and research. It provides a technical environment for hosting e.g. Jupyter Notebook, RStudio Server and Apache Spark environments combined with user management. If you need a turnkey solution for listed environments, choose [Noppe](noppe/index.md). + +### Satama + +Satama is a cloud-native container image registry for CSC. It provides a secure and centralized place for users to push and pull container images, just like Docker Hub, but with added features such as role-based access control, vulnerability scanning, and image signing. + +If you need an environment to manage your images, choose [Satama](satama/index.md) diff --git a/docs/cloud/satama/audit_logs.md b/docs/cloud/satama/audit_logs.md new file mode 100644 index 0000000000..d3f4fe92fb --- /dev/null +++ b/docs/cloud/satama/audit_logs.md @@ -0,0 +1,31 @@ +# Audit Logs + +Audit logs provide a record of all important activities performed in Satama. These logs help administrators track user actions and investigate security incidents. + +Audit logs typically record actions such as: +* User login attempts +* Image push or pull operations +* Project creation or deletion +* Permission changes +* Configuration updates + +### Viewing Audit Logs + +* Log in to Satama Web UI. +* Click on **Logs** + +You can also check project wise logs by: + +* Click on your project. +* Open **Log** tab. + +![Audit logs](img/logs_audit.png) + +Here, you can see all logs. Admin can review these logs to monitor system usage and detect suspicious activity. + +Audit logs are important for: + +* Security monitoring +* Compliance requirements +* Troubleshooting issues +* User activity tracking \ No newline at end of file diff --git a/docs/cloud/satama/best_practices.md b/docs/cloud/satama/best_practices.md new file mode 100644 index 0000000000..55ddbf9e97 --- /dev/null +++ b/docs/cloud/satama/best_practices.md @@ -0,0 +1,70 @@ +# Best Practices + +Following these best practices will help you manage container images in Satama efficiently and securely. + +### Organize Repositories Clearly + +If you are a project admin, create repositories in a way that makes sense to your team. For example, repositories can be grouped by: + +* Application +* Microservice +* Environment (development, staging, production) + +A clear structure helps others quickly locate and reuse images. + +### Assign Appropriate User Permissions + +Project administrators should assign permissions carefully. + +Only users who need to push images should receive **Developer** access. Users who only need to pull images should remain **Guests**. Limiting push permissions helps prevent accidental overwrites or unauthorized image modifications. + +### Use Robot Accounts for Automation + +Try to use project-scoped robot accounts rather than using personal login. +Robot accounts provide several advantages: + +* Controlled access permissions +* Easier credential rotation +* Reduced risk of exposing personal accounts + +This approach improves security and simplifies automation workflows. + +### Use CLI Secrets for Authentication + +If you authenticate using a myCSC account, always use the CLI secret instead of the Web UI password when logging in through Docker or other command-line tools. + +Using CLI secrets ensures secure authentication and prevents issues caused by expired UI sessions. + +### Avoid Using the latest Tag + +Avoid relying on the latest tag for production images. The latest tag can be overwritten and may not always refer to the expected version of an image. + +Instead, use meaningful and consistent tags such as: + +* Version numbers (v1.2.0) +* Release identifiers (release-2024-01) +* Commit hashes (git-sha) + +Using explicit version tags improves traceability and ensures reproducible deployments. + +### Regularly Review Vulnerability Reports + +Periodically review vulnerability scan reports for images stored in Satama. + +If vulnerabilities are detected: +* Update the base image +* Update affected packages +* Rebuild the container image + +High-severity vulnerabilities should be addressed before deploying images to production environments. + +### Remove Unused Images + +Over time, repositories may accumulate outdated images and unused tags. Removing these unused artifacts helps keep the registry organized. + +Cleaning up old images provides several benefits: +* Reduces storage usage +* Prevents confusion between image versions +* Improves overall repository management + +Administrators can also configure tag retention policies to automatically remove outdated tags while preserving the most recent or important versions. \ No newline at end of file diff --git a/docs/cloud/satama/billing_and_quota.md b/docs/cloud/satama/billing_and_quota.md new file mode 100644 index 0000000000..314b842163 --- /dev/null +++ b/docs/cloud/satama/billing_and_quota.md @@ -0,0 +1,25 @@ +# Billing + +## Terminology + +* Billing Unit (BU): A unit used for billing at CSC - each resource consumes a given amount of BUs per hour. + +* Storage Billing Unit: Billing Units assigned to usage of storage. + +* CSC Project: A placeholder for the user's resources information - including: the number of Cloud BUs and the CSC services which are available for use. + +* Satama Project: A Satama project is one which is created at https://satama.csc.fi after satama service is activated at CSC project. + +## Billing Model + +Currently, Satama will bill for storage only. Billing is based on the amount of data stored. The account of resource usage is provided in one-hour increments. The rate is 3 Storage BU/TiBh i.e. 1 Tib of data stored at Satama will consume 3 Storage BU per hour and 72 Storage BU in a day. + +If 10GB of storage is consumed, BU can be calculated using the following formula +``` +(10/1024) * 3 ~= 0.029 BUs per hour +``` +A good way to estimate usage cost is the [Billing Unit calculator](https://research.csc.fi/resources/#buc) utility. For more information about Billing in CSC, visit the [Billing](../../accounts/billing.md) page. + +# Quota + +The default quota for a new project is **50 GB**, but this can be increased if needed. If you need more resources than the defaults, you can apply for more quota by contacting the Service Desk. See the [Contact page](../../support/contact.md) for instructions. Quota requests are handled on a case-by-case basis depending on the currently available resources in Satama and the use case. \ No newline at end of file diff --git a/docs/cloud/satama/cli.md b/docs/cloud/satama/cli.md new file mode 100644 index 0000000000..1aa46cd85c --- /dev/null +++ b/docs/cloud/satama/cli.md @@ -0,0 +1,95 @@ +# Command Line Tool + +Most day-to-day operations, such as pushing or pulling images, require you to authenticate with Satama using OCI compatible tools like, Docker and Podman. It's a good idea to use CLI secret instead of a password for security reasons. The CLI secret functions as a token that grants permission to interact with the registry via command line tools. + +## Logging in to Satama Using Personal CLI Secret + +To generate your CLI secret, log in to the Satama web interface, click on your username in the upper right corner, and select **User Profile**. A pop-up window will be displayed. + +![Generate Token](img/generate_token.png) + +Within this page, you will see a section labeled **CLI Secret**. If you have not generated one before, click **Generate New Secret**, and Satama will display a unique string of characters. This secret should be copied and stored securely. It acts like a personal API key and can be revoked or regenerated at any time. + +!!! warning "Known Issue" + + If you see errors such as “unauthorized” , your session token may have expired. In this case, log out from the Satama web UI and log in again. This will refresh the token, copy that and then authenticate again using Docker/Podman. + +You can log in from the terminal using this secret by running the following command: + +To log in using Docker: +``` +docker login satama.csc.fi -u +``` +You will be prompted to enter your password. Add this CLI secret there. +``` +Password: +``` +If the authentication is successful, the terminal will display: +``` +Login Succeeded +``` + +The same process can be performed using Podman: +``` +podman login satama.csc.fi -u +``` + +Once you’ve logged in successfully, Docker/Podman will save your credentials locally, allowing you to perform push and pull operations without re-authenticating until your session expires or you log out manually. + + +## Logging in to Satama Using Robot Account + +It is recommended to use robot accounts instead of personal credentials to login specially when it is used in automated workflow. Robot accounts provide secure token-based authentication and can be limited to specific projects. + +To know more about robot account, read [robot account](robot_account.md) . + +Log in using robot account: +``` +docker login satama.csc.fi -u +``` +For example, +``` +docker login satama.csc.fi -u robot@test-project+test +``` +You will be prompted to enter your password. Add CLI secret of the robot account. If you don't have credentials, please ask your project admin. + +## Pulling an Image + +To use an existing container image stored in Satama, you can pull it using the CLI. Pulling an image downloads its layers and metadata to your local machine so that you can run containers from it. The basic syntax is: +``` +docker pull satama.csc.fi//: +``` +This command downloads the specified image and stores it locally so it can be executed or used as a base image for other builds. + + +## Tagging an Image + +If you have built a new image locally and want to store it in Satama, you need to tag it correctly before pushing. Tagging an image tells Docker where to send it within the registry. Suppose you want to push a ubuntu:24.04 image. To push it to your project, you would tag it like this: +``` +docker tag ubuntu:24.04 satama.csc.fi//ubuntu:24.04 +``` +This prepares the image to be uploaded to the project repository. + +You can also check available images on your system using: +``` +docker images +``` + +## Pushing an Image + +Once an image is tagged correctly, it can be pushed to the registry, using: +``` +docker push satama.csc.fi//ubuntu:24.04 +``` +You can check push command for your project on web UI by selecting your project and in right-hand side, clicking on **PUSH COMMAND** + +![Push Commands](img/push_commands.png) + +Docker will upload all the image layers to Satama. If it’s the first time pushing this image, all layers will be uploaded. Subsequent pushes of similar images will be faster since Docker reuses existing layers. When the push completes, you can verify that the image appears in the Satama web interface under the appropriate repository and tag. + +Please note that if you encounter a “permission denied” error, it usually indicates that you don’t have push access to that project, and you should contact your project administrator. + +If an image is no longer needed locally, it can be removed to free disk space. +``` +docker rmi IMAGE_NAME:TAG +``` \ No newline at end of file diff --git a/docs/cloud/satama/cve_allowlist.md b/docs/cloud/satama/cve_allowlist.md new file mode 100644 index 0000000000..d8844e49bc --- /dev/null +++ b/docs/cloud/satama/cve_allowlist.md @@ -0,0 +1,16 @@ +# CVE Allowlist + +A CVE Allowlist is used to ignore specific vulnerabilities that are known but accepted temporarily. + +Sometimes vulnerabilities cannot be fixed immediately because: +* No patch is available +* The vulnerability is not exploitable in your environment +* It does not affect the application functionality + +In these cases, administrators can add the vulnerability to the CVE Allowlist. This allows certain vulnerabilities to be ignored for this project. + +You have two options: +* **System allowlist** Uses the global allowlist defined by Satama administrators +* **Project allowlist** uses defined custom CVEs specific to this project. + +You can click **ADD** to add CVE IDs manually. Click **COPY FROM SYSTEM** to copy global allowlist entries and set expiration date or choose "Never expires". diff --git a/docs/cloud/satama/deployment_security.md b/docs/cloud/satama/deployment_security.md new file mode 100644 index 0000000000..19361f569c --- /dev/null +++ b/docs/cloud/satama/deployment_security.md @@ -0,0 +1,15 @@ +# Deployment Security + +This section controls image verification and vulnerability enforcement. + +Administrators can enforce security policies such as: + +### Allowing only signed images + +Two image signature verification mechanisms are there, cosign and Notation. If enabled, only signed images can be deployed. It ensures image integrity and authenticity. + +### Preventing the use of vulnerable images + +If 'Prevent vulnerable images from running' is enabled, Satama blocks deployment of images that contain vulnerabilities above a selected severity level. + +You can adjust severity threshold from dropdown. If 'Low' vulnerability severity is selected, that means if any vulnerability (Low, Medium, High, Critical) exists, deployment can be blocked. diff --git a/docs/cloud/satama/getting_access.md b/docs/cloud/satama/getting_access.md new file mode 100644 index 0000000000..58708c541a --- /dev/null +++ b/docs/cloud/satama/getting_access.md @@ -0,0 +1,41 @@ + +# Getting Access to Satama + +## Login Using a CSC Account + +In order to use the Satama container registry with a CSC account, you need: + +1. A CSC user account. You can check which is your "CSC username" in [MyCSC profile page](https://my.csc.fi/profile). You can also change the password from there. If you don't have a CSC account already, you can create one by following [Create a new CSC user account](../../accounts/how-to-create-new-user-account.md) + +2. Multi Factor Authentication (MFA) is required when login. For more information, visit the [Multi-Factor Authentication (MFA) Guide](../../accounts/mfa.md) + +3. A CSC project with Satama service enabled. To create a new CSC project, follow [Create a new CSC project](../../accounts/how-to-create-new-project.md) or ask to be added to an existing project. The project should have Satama service enabled to access. Follow [Apply for Satama access](../../accounts/how-to-add-service-access-for-project.md) to enable Satama in your CSC project. + +Please contact [servicedesk@csc.fi](mailto:servicedesk@csc.fi) in case you need assistance. + +## Change Role of Individual Members + +The user must be added to the MyCSC project and then log in to the Satama platform. This will automatically create a username on Satama. When a user logs in for the first time, only **library** project will be visible. After 15 minutes, other CSC projects with Satama enabled will appear. + +By default, everyone having access to project have **Project admin** role. Members with project admin role, can remove members and change the role of other members in the project. However, please note that these changes are temporary and may be overridden by the periodic synchronization process. Satama enforces role-based access control to ensure that only authorized users can perform specific actions. + +1. Click on your project +2. Click on **Members** tab +3. Select the member from the list +4. Click on **Action..** +5. A list will appear +6. Remove/change role of that member. + +![Change Role](img/assign_role.png) + +The primary roles are Limited Guest, Guest, Developer, Maintainer, and Project Admin. + +* **Limited Guest** can pull images but cannot push, and they cannot see logs or the other members of a project. +* **Guest** has read-only permission, they can only retag and pull images. +* **Developer** can both push and pull images. +* **Maintainer** have extended rights, such as the ability to scan images, view replications jobs, and delete images and helm charts. +* **Project Admin** can manage project members, assign roles, configure project settings and starting a vulnerability scan. + +If you find that you cannot perform certain actions, such as pushing an image or initiating a scan, it’s likely due to insufficient permissions. In such cases, you should contact your project administrator to adjust your role or confirm your access level. You can check detail permission of the role [here](https://goharbor.io/docs/2.14.0/administration/managing-users/user-permissions-by-role/). + +It is also possible to have read-only access to public projects when user is not logged in. That type of user is known as **Anonymous user**. \ No newline at end of file diff --git a/docs/cloud/satama/img/Add_basics_of_robo.png b/docs/cloud/satama/img/Add_basics_of_robo.png new file mode 100644 index 0000000000..a6250389c5 Binary files /dev/null and b/docs/cloud/satama/img/Add_basics_of_robo.png differ diff --git a/docs/cloud/satama/img/Select_robot.png b/docs/cloud/satama/img/Select_robot.png new file mode 100644 index 0000000000..0effdfdf8f Binary files /dev/null and b/docs/cloud/satama/img/Select_robot.png differ diff --git a/docs/cloud/satama/img/add_tag_immutability.png b/docs/cloud/satama/img/add_tag_immutability.png new file mode 100644 index 0000000000..07a63f35f7 Binary files /dev/null and b/docs/cloud/satama/img/add_tag_immutability.png differ diff --git a/docs/cloud/satama/img/add_tag_retention_rule.png b/docs/cloud/satama/img/add_tag_retention_rule.png new file mode 100644 index 0000000000..4bb6f29147 Binary files /dev/null and b/docs/cloud/satama/img/add_tag_retention_rule.png differ diff --git a/docs/cloud/satama/img/assign_role.png b/docs/cloud/satama/img/assign_role.png new file mode 100644 index 0000000000..0085ed085b Binary files /dev/null and b/docs/cloud/satama/img/assign_role.png differ diff --git a/docs/cloud/satama/img/generate_token.png b/docs/cloud/satama/img/generate_token.png new file mode 100644 index 0000000000..b9dc066319 Binary files /dev/null and b/docs/cloud/satama/img/generate_token.png differ diff --git a/docs/cloud/satama/img/login_page.png b/docs/cloud/satama/img/login_page.png new file mode 100644 index 0000000000..4b91bf5930 Binary files /dev/null and b/docs/cloud/satama/img/login_page.png differ diff --git a/docs/cloud/satama/img/logs_audit.png b/docs/cloud/satama/img/logs_audit.png new file mode 100644 index 0000000000..0d75f92241 Binary files /dev/null and b/docs/cloud/satama/img/logs_audit.png differ diff --git a/docs/cloud/satama/img/manual_scan.png b/docs/cloud/satama/img/manual_scan.png new file mode 100644 index 0000000000..9fe979deae Binary files /dev/null and b/docs/cloud/satama/img/manual_scan.png differ diff --git a/docs/cloud/satama/img/personal_dashboard.png b/docs/cloud/satama/img/personal_dashboard.png new file mode 100644 index 0000000000..e355a9a5e8 Binary files /dev/null and b/docs/cloud/satama/img/personal_dashboard.png differ diff --git a/docs/cloud/satama/img/policy_immutability.png b/docs/cloud/satama/img/policy_immutability.png new file mode 100644 index 0000000000..9fb6cf060d Binary files /dev/null and b/docs/cloud/satama/img/policy_immutability.png differ diff --git a/docs/cloud/satama/img/policy_retention.png b/docs/cloud/satama/img/policy_retention.png new file mode 100644 index 0000000000..f53d3f66e0 Binary files /dev/null and b/docs/cloud/satama/img/policy_retention.png differ diff --git a/docs/cloud/satama/img/project_configuration.png b/docs/cloud/satama/img/project_configuration.png new file mode 100644 index 0000000000..b502590351 Binary files /dev/null and b/docs/cloud/satama/img/project_configuration.png differ diff --git a/docs/cloud/satama/img/project_level_navigation.png b/docs/cloud/satama/img/project_level_navigation.png new file mode 100644 index 0000000000..1c7b905da7 Binary files /dev/null and b/docs/cloud/satama/img/project_level_navigation.png differ diff --git a/docs/cloud/satama/img/push_commands.png b/docs/cloud/satama/img/push_commands.png new file mode 100644 index 0000000000..c867db8d6b Binary files /dev/null and b/docs/cloud/satama/img/push_commands.png differ diff --git a/docs/cloud/satama/img/select_permissions_of_robo.png b/docs/cloud/satama/img/select_permissions_of_robo.png new file mode 100644 index 0000000000..4c77638c9d Binary files /dev/null and b/docs/cloud/satama/img/select_permissions_of_robo.png differ diff --git a/docs/cloud/satama/index.md b/docs/cloud/satama/index.md new file mode 100644 index 0000000000..e55d391d3b --- /dev/null +++ b/docs/cloud/satama/index.md @@ -0,0 +1,20 @@ +# Satama + +Welcome to the Satama container registry. This is CSC's own container registry designed to securely store, manage, and distribute container images within the organization. + +Satama provides more than just image storage. It includes additional features such as vulnerability scanning and SBOM (Software Bill of Materials) generation, helping users understand what is inside their images and identify potential security risks. These features support secure development, compliance requirements, and safer deployments. + +By using Satama, teams can ensure that container images are centrally managed, properly versioned, and accessible only to authorized users. This helps maintain reliability, security, and consistency across development, research, and production environments. + +To understand more about Satama and how to use this, please read following topics:- + +* [What is Satama?](what_is_satama.md) +* [Getting Access](getting_access.md) +* [Web User Interface](ui.md) +* [Command Line Tool](cli.md) +* [Billing and Quota](billing_and_quota.md) +* [Project Configuration](project_configuration.md) +* [Known Issues](known_issues.md) +* [Best Practices](best_practices.md) +* [Tutorials](tutorials/index.md) +* [FAQ](../../support/faq/index.md#satama) diff --git a/docs/cloud/satama/known_issues.md b/docs/cloud/satama/known_issues.md new file mode 100644 index 0000000000..19fde2ceb8 --- /dev/null +++ b/docs/cloud/satama/known_issues.md @@ -0,0 +1,83 @@ +# Known Issues + +The most common issues encountered while using Satama are related to authentication and user permissions. The following examples describe typical errors and how to resolve them. + +### Authentication Required + +If you encounter the error: +``` +unauthorized: authentication required +``` +This usually means that the Docker or CLI client is not authenticated with the Satama registry. + +Possible solutions: + +* Ensure you are logged in using the correct credentials. +* Run the login command again: + +``` +docker login satama.csc.fi +``` +* Verify that your CLI secret or authentication token has not expired. + +### Insufficient Permissions + +If the following error appears while pushing an image: +``` +denied: requested access to the resource is denied +``` +This means your account does not have permission to push images to the specified project. + +Possible causes include: + +* You are not a member of the project. +* Your role does not allow pushing images. + +Contact the project administrator to request the necessary permissions. + +### Expired Session Token + +During image push or pull operations, you may see errors such as: +``` +unauthorized +``` +This may occur when your session token has expired. To resolve this issue: + +1. Log out from the Satama Web UI. +2. Log in again to refresh your session. +3. Authenticate again using the Docker/Podman CLI. + +### Image Push Fails Due to Tag Immutability + +If tag immutability is enabled, attempting to overwrite an existing tag may result in an error. This happens when a repository policy prevents tags from being modified after creation. + +Possible solution is to use a new tag for the image. + +### Docker Login Fails + +If the login command fails: +``` +docker login satama.csc.fi +``` +Possible causes include: + +* Incorrect username or password +* Expired credentials +* Incorrect registry URL +* Network connectivity issues + +Verify the registry URL and ensure that your account has valid credentials. + +### Repository Not Found + +When pulling an image, you may encounter: +``` +repository does not exist +``` +This usually means: + +* The repository name is incorrect. +* The project name is incorrect. +* The image tag does not exist. + +Verify the image reference in the Satama Web UI before pulling the image. \ No newline at end of file diff --git a/docs/cloud/satama/project_configuration.md b/docs/cloud/satama/project_configuration.md new file mode 100644 index 0000000000..1773aab59a --- /dev/null +++ b/docs/cloud/satama/project_configuration.md @@ -0,0 +1,9 @@ +# Project Configuration + +After the initial creation of a project, users with project admin privileges can configure or reconfigure its properties. Project configuration in Satama allows administrators and developers to control how container images are stored, secured, scanned, and maintained within a project. These settings help enforce security policies, manage image lifecycle, and automate repository maintenance. + +Login to Satama, in the landing page click on your project and you can see few tabs there. All your project related settings can be done there. + +![project configuration](img/project_configuration.png) + +These configurations help ensure that container images are secure, properly maintained, and accessible only to authorized users. diff --git a/docs/cloud/satama/project_visibility.md b/docs/cloud/satama/project_visibility.md new file mode 100644 index 0000000000..8409811603 --- /dev/null +++ b/docs/cloud/satama/project_visibility.md @@ -0,0 +1,9 @@ +# Project Visibility + +Project type can be set to Public or Private. By default, all projects are private. To make your project public, check the box in front of public. + +A public project allows anyone with network access to Satama to view and pull images without authentication. Please note that even in public projects, anonymous push is not allowed. + +A private project restricts access to only authenticated users, groups, or robot accounts who have been explicitly granted permissions. + +Private projects are generally recommended for production workloads or sensitive images. \ No newline at end of file diff --git a/docs/cloud/satama/robot_account.md b/docs/cloud/satama/robot_account.md new file mode 100644 index 0000000000..17eb5d3abb --- /dev/null +++ b/docs/cloud/satama/robot_account.md @@ -0,0 +1,39 @@ +# Robot Account + +Robot accounts in Satama are special service accounts designed for automated processes, such as CI/CD pipelines, deployment systems, or build servers, that need to interact with the registry without using a personal user account. Unlike regular user accounts, which are tied to individual identities and may expire or change, robot accounts provide stable credentials that can be used by systems to perform operations like pushing and pulling images programmatically. + +Each robot account is scoped to a specific project and inherits only the permissions granted within that project’s configuration. This ensures that automation tools have the minimum necessary privileges and cannot access unrelated repositories. + +### Create a Robot Account + +To create a robot account, a project administrator can navigate to the desired project in the Satama web interface, open the **Robot Accounts** tab + +![Select Robot Account](img/Select_robot.png) + +Click on **New Robot Account**. A pop-up window will open. + +![Add details of robot account](img/Add_basics_of_robo.png) + +Enter the details about robot account. Provide a name, add the description about robot account like, purpose of the account and selects an expiration date. You can also select **never** expire. + +After adding all details, click on **Next** button. + +![Add permissions](img/select_permissions_of_robo.png) + +Here, you can add permissions you want to give to this robot account. Here, you can specify which actions the robot account can perform, such as pushing, pulling, or deleting images. You can also give full permissions by selecting all. Now, click on **Finish** Button. + +## Save the Credentials +Once created, Satama generates a robot username and a secret key that must be copied immediately, as it cannot be retrieved later. The credentials can be used in Docker/Podman CLI or CI tools by logging in with a command like + +## Authenticate Using the Robot Account +Log in using robot account: +``` +docker login satama.csc.fi -u +``` +For example, +``` +docker login satama.csc.fi -u robot@test-project+test +``` + +## Use the Robot Account in Automation +Robot accounts are especially useful for continuous integration pipelines that automatically build and publish container images, since they enable secure, auditable, and controlled access without requiring a human user. By using robot accounts, consistent automation workflows can be maintained while keeping individual user credentials private and ensuring compliance with least-privilege principles. \ No newline at end of file diff --git a/docs/cloud/satama/sbom_generation.md b/docs/cloud/satama/sbom_generation.md new file mode 100644 index 0000000000..3e38f55674 --- /dev/null +++ b/docs/cloud/satama/sbom_generation.md @@ -0,0 +1,22 @@ +# SBOM Generation + +SBOM (Software Bill of Materials) generation in Satama provides users with a clear inventory of the components, libraries, and dependencies included in a container image. + +SBOM generation helps improve software transparency and supply chain security by showing exactly what software is included inside an image. + +### Benefits of SBOM + +* Better visibility into image contents +* Faster vulnerability investigation +* Compliance with security standards +* Improved supply chain security + +### Automatically generate SBOM + +You can enable automatic SBOM generation of images on push. + +* Inside the project, navigate to **Configuration** tab. +* Locate the **SBOM generation** section. +* Check box in front of **Automatically generate SBOM on push** + +When SBOM generation is enabled, Satama automatically analyzes images after they are pushed to a project, producing a structured list of components that can be viewed directly from the image details page. If disabled, user can manually trigger SBOM generation, click on the repository and select the image. Now you can start scanning by clicking the button 'generate SBOM'. \ No newline at end of file diff --git a/docs/cloud/satama/tag_immutability.md b/docs/cloud/satama/tag_immutability.md new file mode 100644 index 0000000000..b40b01b9b0 --- /dev/null +++ b/docs/cloud/satama/tag_immutability.md @@ -0,0 +1,27 @@ +# Tag Immutability + +Tag immutability prevents container image tags from being overwritten or modified after they are pushed. + +Normally, users can push a new image with the same tag (for example latest). This can cause issues because deployments may use different image versions without noticing. + +Tag immutability ensures that once a tag is created, it cannot be changed. + +### Benefits + +* Prevents accidental image overwrites +* Improves deployment consistency +* Strengthens supply chain security +* Ensures traceability of image versions + +### How to Configure Tag Immutability + +To configure tag immutability, open the Project in Satama and go to **Policy** tab. + +![Policy tab](img/policy_immutability.png) + +Click on **Tag Immutability** section. Click on **Add rule**. A pop-up window will open + +![Add tag Immutability](img/add_tag_immutability.png) + +Create a rule specifying which tags should be immutable. + diff --git a/docs/cloud/satama/tag_retention.md b/docs/cloud/satama/tag_retention.md new file mode 100644 index 0000000000..79ca0a04d1 --- /dev/null +++ b/docs/cloud/satama/tag_retention.md @@ -0,0 +1,24 @@ +# Tag Retention Policy + +Container registries can accumulate many image versions over time. Tag retention policies help automatically remove unused or old image tags to save storage space. + +Instead of manually deleting images, administrators can define rules that determine which tags should be kept and which should be removed. + +### How to Configure Tag Retention + +To configure tag retention, open the Project in Satama and go to **Policy** tab. + +![Policy tab](img/policy_retention.png) + +Click on **Tag Retention** section. Click on **Add rule**. A pop-up window will open + +![Add tag Retention](img/add_tag_retention_rule.png) + +Create a rule specifying which images should be retained and which should be deleted. + +For example, +* Keep the latest 10 tags +* Delete tags older than 30 days +* Keep tags matching release- pattern* + +Once configured, Satama will automatically apply the policy according to the defined schedule. \ No newline at end of file diff --git a/docs/cloud/satama/tutorials/cleanup.md b/docs/cloud/satama/tutorials/cleanup.md new file mode 100644 index 0000000000..37e9969936 --- /dev/null +++ b/docs/cloud/satama/tutorials/cleanup.md @@ -0,0 +1,60 @@ +# Clean Up Old Image Tags + +Over time, repositories may accumulate many image tags created during development, testing, or automated builds. Keeping unnecessary tags can make repositories harder to navigate and may increase storage usage. Cleaning up old tags helps to keep projects organized and ensures that only the relevant image versions remain available. + +This tutorial explains how to remove old image tags using the Satama Web UI. + +## Step 1: Open the Project + +* Log in to the Satama Web UI. +* Navigate to Projects. +* Select the project that contains the repository you want to clean up. + +Inside the project page, you will see a list of all repositories belonging to that project. + +## Step 2: Open the Repository + +* Click on the repository where the old image tags are stored. +* The repository page displays all artifacts and tags associated with that image. + +Each tag represents a different version of the container image. + +## Step 3: Identify Unused or Old Tags + +Review the available tags and identify versions that are no longer needed. These might include: + +* Old development builds +* Outdated release versions +* Temporary testing images + +You can use the following information to decide which tags to remove: + +* Tag name +* Push time +* Vulnerability scan results + +## Step 4: Delete the Tag + +To remove an image tag: + +* Locate and check the box in front of the tag you want to remove. +* Click on **Remove Tag** button +* A pop-up window will appear. Click on **Delete**. + +Once deleted, the tag will no longer appear in the repository. + +Note that deleting a tag removes the reference to the image. The underlying data may be removed later during storage cleanup processes. + +## Step 5: Verify the Repository + +After deleting old tags: + +* Refresh the repository page. +* Verify that only the required image versions remain. +* Ensure that active deployments are not using the deleted tags. + +This helps prevent accidental removal of images that are still in use. + +## Optional: Use Tag Retention Policies + +Instead of manually deleting tags, projects can use [Tag Retention](../tag_retention.md) policies to automatically remove outdated tags. \ No newline at end of file diff --git a/docs/cloud/satama/tutorials/index.md b/docs/cloud/satama/tutorials/index.md new file mode 100644 index 0000000000..eecbd34886 --- /dev/null +++ b/docs/cloud/satama/tutorials/index.md @@ -0,0 +1,10 @@ +# Tutorials + +* [Push Your First Image](push_image.md) +* [Pull an Image](../cli.md#pulling-an-image) +* [Explore Image in UI](../ui.md) +* [Robot Accounts for Automation](../robot_account.md) +* [Vulnerability Scanning](../vulnerability_scanning.md) +* [Clean Up Old Tags](cleanup.md) + +We also have an [FAQ](../../../support/faq/index.md#satama) for Satama. Take a look at it. \ No newline at end of file diff --git a/docs/cloud/satama/tutorials/push_image.md b/docs/cloud/satama/tutorials/push_image.md new file mode 100644 index 0000000000..c840063e6d --- /dev/null +++ b/docs/cloud/satama/tutorials/push_image.md @@ -0,0 +1,38 @@ +# Push Your First Image + +This tutorial walks through the process of building a container image and storing it in Satama. + +## Step 1: Build a Container Image + +First build your container image locally: +``` +docker build -t : . +``` +And verify that the image exists locally + +``` +docker image ls +``` +Here you should see your image +## Step 2: Tag the Image + +Before pushing the image to Satama, it must be tagged with the registry path. + +For a detailed explanation of tagging images, see [Tag image](../cli.md#tagging-an-image) + + +## Step 3: Authenticate to Satama + +Log in to Satama by personal [CLI token](../cli.md#logging-in-to-satama-using-personal-cli-secret) or by [Robot account](../cli.md#logging-in-to-satama-using-robot-account). + +## Step 4: Push the Image +Push the tagged image to the registry. +``` +docker push satama.csc.fi//: +``` +For more detail about [pushing image](../cli.md#pushing-an-image) +## Step 5: Verify the Image + +After pushing the image, open the Satama Web UI and verify that the repository and tag appear in your project. + +You can learn more about navigating the [Web interface](../ui.md#project-level-navigation-top-tabs-inside-a-project) \ No newline at end of file diff --git a/docs/cloud/satama/ui.md b/docs/cloud/satama/ui.md new file mode 100644 index 0000000000..bc99155f2d --- /dev/null +++ b/docs/cloud/satama/ui.md @@ -0,0 +1,61 @@ +# Using the Web Interface + +Web UI is the graphical interface that allows users to manage container images, projects, security settings, and automation features without using the command line. + +To access Satama web interface, open your browser and navigate to [https://satama.csc.fi/](https://satama.csc.fi/). You will be presented with a login page. + +Use HAKA/MyCSC/Virtu login page and enter your credentials. Once logged in, you will be taken to your personal dashboard. This page shows a summary of all projects you have access to. + +![Personal Dashboard](img/personal_dashboard.png) + +The interface is organized into two main levels: + +1. System-Level Navigation (left sidebar) +2. Project-Level Navigation (top tabs inside a project) + +## System-Level Navigation (left sidebar) + +The left panel provides access to high-level sections, projects and logs. + +By clicking on **Projects**, you can check your existing projects and details about these projects. + +By clicking on **Logs**, you can check all the activities happened in your projects, such as image push/pull. + +## Project-Level Navigation (top tabs inside a project) + +When you open your project at Satama web interface, a horizontal menu appears at the top of the page. Each tab in this menu provides access to a different part of the project and allows users to manage container images, permissions, security settings, and automation features. + +![Project Level Navigation](img/project_level_navigation.png) + +Each tab in this menu provides access to a different part of the project and allows users to manage container images, permissions, security settings, and automation features: + +* **Summary** tab provides an overview of number of repositories and members of the project. + +* **Repositories** tab is where users manage container images. It lists all repositories that belong to the project. Inside each repository, users can see available image tags, check image digests, view vulnerability reports, and obtain the commands needed to pull images to their systems. Most daily interactions with container images happen in this section. + + * Project admin can add information to describe the repository. Adding a description to a repository helps users and teams understand the purpose, contents, and usage of the images stored within it. + + * Go into the repository and select the Info tab, and click the Edit button. Enter a description—for example, its base image, its intended use, or any relevant deployment notes and click Save to save the description. + +* **Members** tab is used to manage access to the project. Project administrators can add users and assign them roles such as Guest, Developer, Maintainer, or Project Admin. These roles determine what actions users are allowed to perform within the project, such as pulling images, pushing new images, or managing project settings. + +* **Labels** Labels can be used to categorize and organize repositories and images. it can help in quickly understand the purpose or ownership. You can also filter images by labels. Satama has two types of labels: + + * Global Level Labels: System administrators can create, update and delete the global level labels. These can be used by any image under any project. + * Project Level Labels: Project administrators and system administrators can list, create, update and delete the project level labels. These are mainly managed by project administrators only because of the scope of these labels. + +* **Scanner** tab shows information about the vulnerability scanning service used by the project. Here, we have **Trivy** as the scanner. + +* **P2P Preheat** tab is used to improve image distribution performance. + +* **Policy** tab is used to define rules related to image tags, such as tag immutability. Tag immutability prevents certain tags from being overwritten, which helps ensure that important versions of images remain unchanged. + +* **Robot Accounts** tab allows users to create service accounts for automation. These accounts are commonly used to push or pull images without using personal user credentials. + +* **Webhooks** tab allows the project to send notifications to external systems when certain events occur. + +* **Logs** tab displays activity logs related to the project. These logs record actions such as image pushes, pulls, deletions, and configuration changes. They help users track activity and troubleshoot issues. + +* **Configuration** tab contains project-level settings that control security and behavior of the project. Here, users can configure project visibility (public or private), enable automatic vulnerability scanning, enable SBOM generation, configure deployment security rules, and manage the CVE allowlist. + +To know more about project configuration, please read [Project configuration](project_configuration.md). \ No newline at end of file diff --git a/docs/cloud/satama/vulnerability_scanning.md b/docs/cloud/satama/vulnerability_scanning.md new file mode 100644 index 0000000000..295c03265f --- /dev/null +++ b/docs/cloud/satama/vulnerability_scanning.md @@ -0,0 +1,35 @@ +# Vulnerability Scanning + +Vulnerability scanning analyzes container images to identify known security issues in the operating system packages or libraries they contain. Satama has an integrated tools Trivy to perform these scans automatically or on-demand. + + +### Enable Automatic Vulnerability Scanning + +You can enable automatic scan of images on push. + +* Inside the project, navigate to **Configuration** tab. +* Locate the **Vulnerability scanning** section. +* Check box in front of **Automatically scan images on push** + +If enabled, every time a user pushes an image, Satama automatically scans it for CVEs. If disabled, user can manually trigger scans. + +### Run Manual Scan + +You can run manual scan for individual images. + +![Manual CVE scan](img/manual_scan.png) + +* Click on the repository and select the image you want to scan. +* Go to **Additions** section. +* Click on **Vulnerabilities** tab. +* You can start scanning by clicking on **scan vulnerability** button. + + +### Check the Scan Result + +Once scan is completed, all CVEs will be displayed under **Vulnerabilities** tab. Satama displays: + + * Number of vulnerabilities + * Severity levels (Critical, High, Medium, Low) + * Affected packages + * Recommended fixes diff --git a/docs/cloud/satama/what_is_satama.md b/docs/cloud/satama/what_is_satama.md new file mode 100644 index 0000000000..b6acc1fb5e --- /dev/null +++ b/docs/cloud/satama/what_is_satama.md @@ -0,0 +1,21 @@ +# What is Satama + +!!! warning "Recommendations" + Before using Satama, we recommend that you familiarise yourself with containers. + +Satama is a cloud-native container image registry for CSC. It is based on [Harbor](https://goharbor.io/). Harbor is a open source CNCF graduated project and provides a more secure and feature-rich alternative to Docker Hub. + +Satama provides a secure and centralized location for users to push, pull, and manage container images within CSC’s infrastructure. While it offers functionality similar to Docker Hub, it includes additional enterprise features such as role-based access control (RBAC), vulnerability scanning, image signing, and detailed audit logging. + +By using Satama, teams can organize images into projects, control who can access or modify them, and ensure that only verified and authorized images are deployed across cloud and HPC environments. Built-in security features such as vulnerability scanning and SBOM generation help users understand image contents and identify potential risks before deployment. + +Satama simplifies image lifecycle management by enabling consistent versioning, structured organization, and controlled sharing of container images. This ensures reproducibility, reliability, and compliance across development, research, and production workloads. + +## When should I choose Satama + +Satama can be a good choice in following scenarios: + +* Need full control over container images and cannot rely on public registries. This is important if your workloads, research tools, or internal applications should not be exposed or affected by external changes. +* If reproducibility matters and deployments must run with the exact same environment months later. +* when security is a concern, it allows vulnerability scanning, controlled access to images, and tracking of who uploaded or modified something. +* When multiple projects and users are involved, it provides structured access control and better organization of images. diff --git a/docs/support/faq/index.md b/docs/support/faq/index.md index 4efd845fff..49a2ff90da 100644 --- a/docs/support/faq/index.md +++ b/docs/support/faq/index.md @@ -98,6 +98,11 @@ * [Why Rahti cannot find this docker image?](get-image-format.md) * [Why this container report permission denied errors?](why-this-container-does-not-work.md) +## Satama + +* [Satama Known issues](../../cloud/satama/known_issues.md) +* [How to manage labels](satama-manage-labels.md) +* [How to add description to repositories](satama-add-description.md) ## Applications diff --git a/docs/support/faq/satama-add-description.md b/docs/support/faq/satama-add-description.md new file mode 100644 index 0000000000..1554430d09 --- /dev/null +++ b/docs/support/faq/satama-add-description.md @@ -0,0 +1,10 @@ +# Add Description to repositories + +After pushing an image, the project administrator can add information to describe the repository. Adding a description to a repository helps users and teams understand the purpose, contents, and usage of the images stored within it. + +## Steps + +* Go into the repository and select the **Info** ta +* Click the **Edit** button +* Enter the description. For example, its base image, its intended use, or any relevant deployment notes. +* Click **Save** to save the description. \ No newline at end of file diff --git a/docs/support/faq/satama-manage-labels.md b/docs/support/faq/satama-manage-labels.md new file mode 100644 index 0000000000..8fa4f39084 --- /dev/null +++ b/docs/support/faq/satama-manage-labels.md @@ -0,0 +1,11 @@ +# Managing Labels + +Labels can be used to categorize and organize repositories an images. it can help in quickly understand the purpose or ownership. You can also filter images by labels. Satama has two types of labels: + +## 1. Global Level Labels + + System administrators can create, update and delete the global level labels. These can be used by any image under any project. + +## 2. Project Level Labels + + Project administrators and system administrators can list, create, update and delete the project level labels. These are mainly managed by project administrators only because of the scope of these labels. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 7de97287aa..20f7faa513 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -507,6 +507,33 @@ nav: - Setup a HTTP redirection in Rahti: cloud/rahti/tutorials/http-redirector.md - Short introduction to YAML: cloud/rahti/tutorials/yaml_introduction.md - Webhooks: cloud/rahti/tutorials/webhooks.md + - Satama: + - cloud/satama/index.md + - What is Satama: + - cloud/satama/what_is_satama.md + - Getting Started: + - Getting Access: cloud/satama/getting_access.md + - Web User Interface: cloud/satama/ui.md + - Command Line Tool: cloud/satama/cli.md + - Billing and Quota: cloud/satama/billing_and_quota.md + - Project Configuration: + - cloud/satama/project_configuration.md + - Project Visibility: cloud/satama/project_visibility.md + - Deployment Security: cloud/satama/deployment_security.md + - Vulnerability Scanning: cloud/satama/vulnerability_scanning.md + - SBOM Generation: cloud/satama/sbom_generation.md + - CVE Allowlist: cloud/satama/cve_allowlist.md + - Audit Logs: cloud/satama/audit_logs.md + - Tag Retention Policy: cloud/satama/tag_retention.md + - Tag Immutability: cloud/satama/tag_immutability.md + - Robot Account: cloud/satama/robot_account.md + - Known Issues: cloud/satama/known_issues.md + - Best Practices: cloud/satama/best_practices.md + - Tutorials: + - cloud/satama/tutorials/index.md + - Clean Up Old Tags: cloud/satama/tutorials/cleanup.md + - Push Your First Image: cloud/satama/tutorials/push_image.md + - Data: - data/index.md # - Datasets: data/datasets.md