QuickStart Guide: JFrog Self-hosted

JFrog Hosting Models Documentation


Overview

Start Working with the JFrog Platform

The purpose of this guide is to easily get you started with your JFrog self-hosted instance. Going through the steps below will introduce you to some of the basic functionality of the JFrog Platform and the solutions that are included with your Pro and ProX subscriptions:

  • JFrog Artifactory: Universal package management and container registry in one, supporting all major packaging formats, build tools, and CI servers.

    *Available with a JFrog Pro and ProX subscription.

  • JFrog Xray: Open source security scanning and license compliance enabling DevSecOps and ensuring application security throughout your SDLC.

    *Available with a JFrog ProX subscription.

Note

Be sure to follow the guide and use the default names provided.

Before You Start

Here’s what you’ll need:

Step 1: Log in to Your JFrog Platform Environment

Log in using the credentials provided to you by email, or any other administrator user created after login.

Step 2: Add Repositories and Artifacts

This step will walk you through creating a Docker repository type and uploading your container images, allowing you to use Artifactory as your Docker Registry. You can then follow the instructions to create other types of repositories for additional binaries out of the supported technologies such as npm, Maven, Go, and others.

  1. Navigate to the Administration Module. Expand the Repositories menu and click on the Repositories menu item.

  2. Create 3 new Docker package type repositories:

    1. Add a new Local Repository with the Repository Key “docker-quickstart-local” and keep the rest of the default settings.

    2. Click the Remote tab and add a new Remote Repository with the Repository Key “docker-quickstart-remote” and keep the rest of the default settings.

    3. Click the Virtual tab and add a new Virtual Repository with the Repository Key “docker-quickstart”.

      1. Add the local and remote Docker repositories you just created.

      2. Select your local repository as the Default Deployment Repository and keep the rest of the default settings.

  3. Configure the Artifactory Docker settings to use the repository path method. This will access your Docker repository directly without a reverse proxy.

    1. Navigate to the Administration Module. Click on the Artifactory menu and the General > HTTP Settings menu item.

    2. In the Docker Settings panel, select Repository Path as the Docker Access Method.

    3. In the Reverse Proxy Settings panel select Embedded Tomcat as the Server Provider (which indicates you're not using a reverse proxy).

    4. By default, Docker will only send basic HTTP authentication when working against an HTTPS host. Since we are using the repository path method, we’ll use HTTP and need to use insecure registry configuration for our Docker registry.

      • For example, on Linux systems, create the following daemon.json file under /etc/docker:

        {
          "insecure-registries" : ["<My_artifactory_IP:Artifactory_Port>"]
        }

        Note

        The repository path method is intended for testing purposes. When working in production, set up a reverse proxy to achieve a secure registry.

  4. Fork the JFrog Project Examples GitHub repository. Here you will find the JFrog QuickStart example GitHub repository, containing a simple Dockerfile that you will use to build your custom image.

  5. Update the base image reference.

    1. Clone your forked repository and update the FROM line of the Dockerfile to reference your virtual Docker repository.

      FROM ${Artifactory_URL:Artifactory_PORT}/${VIRTUAL_REPO_NAME}/ubuntu:16.04
      

      Note

      The SERVER_NAME is the first part of the URL given to you for your environment. For example: Artifactory_IP:Artifactory_Port

      The VIRTUAL_REPO_NAME is the name “docker-quickstart” that you assigned to your virtual repository in the steps above.

  6. Using the following commands, log in to your virtual repository “docker-quickstart”, then build, tag, and push your custom image to your Docker repository:

    $ docker login ${SERVER_NAME}
    
    $ docker build --tag ${SERVER_NAME}/${VIRTUAL_REPO_NAME}/my-docker-image:latest .
    
    $ docker push ${SERVER_NAME}/${VIRTUAL_REPO_NAME}/my-docker-image:latest

    Tip

    Run these commands from the cloned directory containing the Dockerfile.

  7. Navigate to the Application Module, in the Platform UI, expand the Artifactory menu and click the Artifacts menu item. Here you’ll be able to see the details of your new artifacts.
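The insecure registry entry from the Docker settings step is meant for testing only, so it is worth checking hosts for leftover entries before they move to production. The following is an added example, not part of the JFrog documentation: a small audit of a daemon.json that reports every insecure-registries entry other than loopback addresses, which Docker already treats as insecure. The sample addresses and port are constructed.

```python
import ipaddress
import json

# Constructed sample: the daemon.json from this guide with placeholder values
# filled in (192.0.2.10 is a documentation address, 8082 an assumed port).
SAMPLE_DAEMON_JSON = """
{
  "insecure-registries": ["192.0.2.10:8082", "127.0.0.1:5000", "10.20.0.0/16", "artifactory.test:8082"]
}
"""

def _host_part(entry):
    """Strip an optional :port from a host[:port] entry (IPv6 in brackets)."""
    if entry.startswith("["):
        return entry[1:entry.index("]")]
    return entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry

def classify(entry):
    """Return 'loopback', 'network' (CIDR range) or 'remote' for one entry."""
    try:
        if "/" in entry:  # Docker also accepts CIDR ranges in this list
            net = ipaddress.ip_network(entry, strict=False)
            return "loopback" if net.is_loopback else "network"
        host = _host_part(entry)
        if host == "localhost":
            return "loopback"
        return "loopback" if ipaddress.ip_address(host).is_loopback else "remote"
    except ValueError:
        return "remote"  # a DNS name or malformed entry: cannot be assumed local

def audit(daemon_json_text):
    """List (entry, kind) pairs for registries reachable without verified TLS."""
    entries = json.loads(daemon_json_text).get("insecure-registries", [])
    if not isinstance(entries, list):
        raise ValueError("insecure-registries must be a JSON array")
    return [(e, k) for e in entries if (k := classify(str(e).strip())) != "loopback"]

if __name__ == "__main__":
    for entry, kind in audit(SAMPLE_DAEMON_JSON):
        print(f"plain HTTP or unverified TLS allowed for {kind} registry: {entry}")
```

To check a real host, pass the contents of /etc/docker/daemon.json to audit(); an empty result means no off-host registry is exempt from TLS verification.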


Step 3: Scan for OSS Security Vulnerabilities and Compliance

*Available with a JFrog ProX subscription

This step will walk you through defining a Policy, assigning it to a Watch, selecting a repository to monitor, and running your scan.

  1. Navigate to the Administration Module. Click on the Xray Security & Compliance menu and the Indexed Resources menu item.

  2. Add your “docker-quickstart-local”, “docker-quickstart-remote” repositories to your indexed resources by clicking Add a Repository.

    Tip

    Keep in mind for your future work that indexing all repositories is resource intensive. It is recommended to select only the repositories you need to scan according to your organization's needs.

  3. Define a security policy that you will later enforce in a watch.

    1. Navigate to the Application module, expand the Security & Compliance menu and click the Policies menu item.

    2. Create a new policy called “docker-security”, of type Security, with a rule called “docker-all-severities” set with All-Severities.

  4. Define a watch that includes your new security policy. A watch provides context to a policy by assigning it to resources such as repositories.

    1. Navigate to the Application module, expand the Security & Compliance menu and click the Watches menu item.

    2. Create a new watch called “sample-watch”, with your 2 repositories (“docker-quickstart-local” and “docker-quickstart-remote”) and your “docker-security” policy assigned to it by clicking Manage Policies.

      Watches, Policies & Rules

      Policies allow us to define security and license compliance behaviors specific to your organization. Once they are defined, they are enforced by applying them to Watches. Rules define the behaviors that we want to enforce.

  5. Run your scan by hovering over your watch and clicking on Apply on Existing Content to manually trigger it.

    Tip

    The Xray scan may take some time to complete and show the vulnerability results. You can return to this step later to see your vulnerabilities.

  6. View any discovered vulnerabilities by clicking on your watch.

Step 4: Set up Users, Groups, and Permissions

This step will walk you through managing role-based access control (RBAC) for your resources, such as repositories, by defining users, groups, roles, and permissions. This will allow you, as an administrator of the JFrog Platform, to set up access for different teams in your organization.

  1. Create a new user.

    1. Navigate to the Administration Module. Click on the Identity & Access menu and the Users menu item.

    2. Create a new user with the User Name “frog”. Set the Email Address and Password.

  2. Create a group and assign your user to this group.

    1. Navigate to the Administration Module. Click on the Identity & Access menu and the Groups menu item.

    2. Create a new group called “dev-team1”. Set the Group Name and assign your newly created “frog” user to it.

  3. Define permission targets that match specific resources to your users and groups. This step will enable access for all the users in your “dev-team1” group to deploy and cache artifacts in the “docker-quickstart-local” and “docker-quickstart-remote” repositories.

    1. Navigate to the Administration Module. Click on the Identity & Access menu and the Permissions menu item.

    2. Create a new permission called “dev-team1-permissions”.

      1. Add your “docker-quickstart-local”, “docker-quickstart-remote” repositories to your resources by clicking Add Repositories.

      2. Click on the Groups tab, select your newly created “dev-team1” group, and select the Deploy/Cache permission. This will also provide your group with Read and Annotation permissions.

Tip

Use a meaningful name for the permission target that will help you easily manage and identify the required permission. For example, RnD_India, Project A, DevOps_US.

Congratulations! You’re all set and ready to continue exploring the JFrog Platform.

Learn More

Now that you’re familiar with the basic functionality of the JFrog Platform and the solutions included in your subscription, here are some useful resources to continue learning and exploring the Platform.

Documentation Resources
Other Resources