Deprivilege harbor-ui harbor-jobservice harbor-adminserver

Use non-root user to run the service within these docker images, and provide HEALTHCHECK mechanism.
2024-11-22 18:25:56 +01:00 · 2017-11-08 05:22:00 -08:00 · 2017-11-08 05:22:00 -08:00 · 19a13e8575
commit 19a13e8575
parent 367c2b142f
30 changed files with 75 additions and 44 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -19,7 +19,7 @@ env:
  MYSQL_PWD: root123
  MYSQL_DATABASE: registry
  SQLITE_FILE: /tmp/registry.db
-  ADMIN_SERVER_URL: http://127.0.0.1:8888
+  ADMINSERVER_URL: http://127.0.0.1:8888
  DOCKER_COMPOSE_VERSION: 1.7.1
  HARBOR_ADMIN: admin
  HARBOR_ADMIN_PASSWD: Harbor12345 
--- a/make/common/nginx/Dockerfile
+++ b/make/common/nginx/Dockerfile
@ -4,10 +4,10 @@ RUN tdnf distro-sync -y || echo \
    && tdnf install -y nginx \
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log \
-    && mkdir -p /var/run \
    && tdnf clean all

 EXPOSE 80
+VOLUME /var/cache/nginx /var/log/nginx /run
 STOPSIGNAL SIGQUIT

 CMD ["nginx", "-g", "daemon off;"]
--- a/make/common/templates/adminserver/env
+++ b/make/common/templates/adminserver/env
@ -1,3 +1,4 @@
+PORT=8080
 LOG_LEVEL=debug
 EXT_ENDPOINT=$ui_url
 AUTH_MODE=$auth_mode
@ -42,5 +43,5 @@ RESET=false
 UAA_ENDPOINT=$uaa_endpoint
 UAA_CLIENTID=$uaa_clientid
 UAA_CLIENTSECRET=$uaa_clientsecret
-UI_URL=http://ui
-JOBSERVICE_URL=http://jobservice
+UI_URL=http://ui:8080
+JOBSERVICE_URL=http://jobservice:8080
--- a/make/common/templates/clair/config.yaml
+++ b/make/common/templates/clair/config.yaml
@ -22,4 +22,4 @@ clair:
    attempts: 3
    renotifyinterval: 2h
    http:
-      endpoint: http://ui/service/notifications/clair
+      endpoint: http://ui:8080/service/notifications/clair
--- a/make/common/templates/jobservice/app.conf
+++ b/make/common/templates/jobservice/app.conf
@ -2,4 +2,4 @@ appname = jobservice
 runmode = dev

 [dev]
-httpport = 80
+httpport = 8080
--- a/make/common/templates/jobservice/env
+++ b/make/common/templates/jobservice/env
@ -2,4 +2,5 @@ LOG_LEVEL=debug
 CONFIG_PATH=/etc/jobservice/app.conf
 UI_SECRET=$ui_secret
 JOBSERVICE_SECRET=$jobservice_secret
+ADMINSERVER_URL=http://adminserver:8080
 GODEBUG=netdns=cgo
--- a/make/common/templates/nginx/nginx.http.conf
+++ b/make/common/templates/nginx/nginx.http.conf
@ -18,7 +18,7 @@ http {
  }

  upstream ui {
-    server ui:80;
+    server ui:8080;
  }

  log_format timed_combined '$$remote_addr - '
--- a/make/common/templates/nginx/nginx.https.conf
+++ b/make/common/templates/nginx/nginx.https.conf
@ -18,7 +18,7 @@ http {
  }

  upstream ui {
-    server ui:80;
+    server ui:8080;
  }
  
  log_format timed_combined '$$remote_addr - '
--- a/make/common/templates/registry/config.yml
+++ b/make/common/templates/registry/config.yml
@ -29,7 +29,7 @@ notifications:
  endpoints:
      - name: harbor
        disabled: false
-        url: http://ui/service/notifications
+        url: http://ui:8080/service/notifications
        timeout: 3000ms
        threshold: 5
        backoff: 1s
--- a/make/common/templates/ui/app.conf
+++ b/make/common/templates/ui/app.conf
@ -3,4 +3,4 @@ runmode = dev
 enablegzip = true

 [dev]
-httpport = 80
+httpport = 8080
--- a/make/common/templates/ui/env
+++ b/make/common/templates/ui/env
@ -3,4 +3,5 @@ CONFIG_PATH=/etc/ui/app.conf
 UI_SECRET=$ui_secret
 JOBSERVICE_SECRET=$jobservice_secret
 GODEBUG=netdns=cgo
+ADMINSERVER_URL=http://adminserver:8080
 UAA_CA_ROOT=/etc/ui/certificates/uaa_ca.pem
--- a/make/photon/adminserver/Dockerfile
+++ b/make/photon/adminserver/Dockerfile
@ -2,10 +2,13 @@ FROM vmware/photon:1.0

 RUN tdnf erase vim -y \
    && tdnf distro-sync -y || echo \
+    && tdnf install -y sudo \
    && tdnf clean all \
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
    && mkdir /harbor/
-COPY ./make/dev/adminserver/harbor_adminserver /harbor/
+COPY ./make/dev/adminserver/harbor_adminserver ./make/photon/adminserver/start.sh /harbor/
+HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" 127.0.0.1:8080/api/configurations|grep 401

-RUN chmod u+x /harbor/harbor_adminserver
+RUN chmod u+x /harbor/harbor_adminserver /harbor/start.sh
 WORKDIR /harbor/
-ENTRYPOINT ["/harbor/harbor_adminserver"]
+ENTRYPOINT ["/harbor/start.sh"]
--- a/make/photon/adminserver/start.sh
+++ b/make/photon/adminserver/start.sh
@ -0,0 +1,5 @@
+#!/bin/sh
+if [ -d /etc/adminserver ]; then
+    chown -R 10000:10000 /etc/adminserver
+fi
+sudo -E -u \#10000 "/harbor/harbor_adminserver"
--- a/make/photon/jobservice/Dockerfile
+++ b/make/photon/jobservice/Dockerfile
@ -2,9 +2,13 @@ FROM vmware/photon:1.0

 RUN mkdir /harbor/ \
    && tdnf distro-sync -y || echo \
-    && tdnf clean all
-COPY ./make/dev/jobservice/harbor_jobservice /harbor/
+    && tdnf install sudo -y \
+    && tdnf clean all \
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor 
+HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:8080/api/jobs/replication/1/log|grep 401

-RUN chmod u+x /harbor/harbor_jobservice
+COPY ./make/photon/jobservice/start.sh ./make/dev/jobservice/harbor_jobservice /harbor/
+
+RUN chmod u+x /harbor/harbor_jobservice /harbor/start.sh
 WORKDIR /harbor/
-ENTRYPOINT ["/harbor/harbor_jobservice"]
+ENTRYPOINT ["/harbor/start.sh"]
--- a/make/photon/jobservice/start.sh
+++ b/make/photon/jobservice/start.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+if [ -d /etc/jobservice/ ]; then
+    chown -R 10000:10000 /etc/jobservice/ 
+fi
+if [ -d /var/log/jobs ]; then
+    chown -R 10000:10000 /var/log/jobs/
+fi
+sudo -E -u \#10000 "/harbor/harbor_jobservice"
+
--- a/make/photon/ui/Dockerfile
+++ b/make/photon/ui/Dockerfile
@ -2,16 +2,17 @@ FROM vmware/photon:1.0

 RUN tdnf distro-sync -y \
    && tdnf erase vim -y \
+    && tdnf install sudo -y \
    && tdnf clean all \
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
    && mkdir /harbor/
-COPY ./make/dev/ui/harbor_ui /harbor/

+HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" 127.0.0.1:8080/api/systeminfo|grep 200
+COPY ./make/dev/ui/harbor_ui ./src/favicon.ico ./make/photon/ui/start.sh ./VERSION /harbor/
 COPY ./src/ui/views /harbor/views
 COPY ./src/ui/static /harbor/static
-COPY ./src/favicon.ico /harbor/favicon.ico
-COPY ./VERSION /harbor/VERSION

-RUN chmod u+x /harbor/harbor_ui 
-	
+RUN chmod u+x /harbor/start.sh /harbor/harbor_ui
 WORKDIR /harbor/
-ENTRYPOINT ["/harbor/harbor_ui"]
+	
+ENTRYPOINT ["/harbor/start.sh"]
--- a/make/photon/ui/start.sh
+++ b/make/photon/ui/start.sh
@ -0,0 +1,6 @@
+#!/bin/sh
+if [ -d /etc/ui/ ]; then
+    chown -R 10000:10000 /etc/ui/ 
+fi
+sudo -E -u \#10000 "/harbor/harbor_ui"
+
--- a/src/common/utils/ldap/ldap_test.go
+++ b/src/common/utils/ldap/ldap_test.go
@ -72,8 +72,8 @@ func TestMain(t *testing.T) {
 	}
 	defer server.Close()

-	if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
-		t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
+	if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
+		t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
 	}

 	secretKeyPath := "/tmp/secretkey"
--- a/src/common/utils/notary/helper.go
+++ b/src/common/utils/notary/helper.go
@ -36,7 +36,7 @@ import (
 )

 var (
-	notaryCachePath = "/root/notary"
+	notaryCachePath = "/etc/ui/notary-cache"
 	trustPin        trustpinning.TrustPinConfig
 	mockRetriever   notary.PassRetriever
 )
--- a/src/common/utils/notary/helper_test.go
+++ b/src/common/utils/notary/helper_test.go
@ -47,7 +47,7 @@ func TestMain(m *testing.M) {
 		panic(err)
 	}
 	defer adminServer.Close()
-	if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil {
+	if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
 		panic(err)
 	}
 	if err := config.Init(); err != nil {
--- a/src/jobservice/config/config.go
+++ b/src/jobservice/config/config.go
@ -45,7 +45,7 @@ func Init() error {
 	//init key provider
 	initKeyProvider()

-	adminServerURL := os.Getenv("ADMIN_SERVER_URL")
+	adminServerURL := os.Getenv("ADMINSERVER_URL")
 	if len(adminServerURL) == 0 {
 		adminServerURL = "http://adminserver"
 	}
@ -163,7 +163,7 @@ func ExtEndpoint() (string, error) {

 // InternalTokenServiceEndpoint ...
 func InternalTokenServiceEndpoint() string {
-	return "http://ui/service/token"
+	return LocalUIURL() + "/service/token"
 }

 // ClairEndpoint returns the end point of clair instance, by default it's the one deployed within Harbor.
--- a/src/jobservice/config/config_test.go
+++ b/src/jobservice/config/config_test.go
@ -30,8 +30,8 @@ func TestConfig(t *testing.T) {
 	}
 	defer server.Close()

-	if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
-		t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
+	if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
+		t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
 	}

 	secretKeyPath := "/tmp/secretkey"
--- a/src/jobservice/job/job_test.go
+++ b/src/jobservice/job/job_test.go
@ -55,8 +55,8 @@ func TestMain(m *testing.M) {
 		log.Fatalf("failed to create a mock admin server: %v", err)
 	}
 	defer server.Close()
-	if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
-		log.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
+	if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
+		log.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
 	}
 	secretKeyPath := "/tmp/secretkey"
 	_, err = test.GenerateKey(secretKeyPath)
--- a/src/ui/auth/ldap/ldap_test.go
+++ b/src/ui/auth/ldap/ldap_test.go
@ -71,8 +71,8 @@ func TestMain(t *testing.T) {
 	}
 	defer server.Close()

-	if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
-		t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
+	if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
+		t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
 	}

 	secretKeyPath := "/tmp/secretkey"
--- a/src/ui/auth/uaa/uaa_test.go
+++ b/src/ui/auth/uaa/uaa_test.go
@ -33,8 +33,8 @@ func TestGetClient(t *testing.T) {
 	}
 	defer server.Close()

-	if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
-		t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
+	if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
+		t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
 	}
 	err = config.Init()
 	if err != nil {
--- a/src/ui/config/config.go
+++ b/src/ui/config/config.go
@ -62,7 +62,7 @@ func Init() error {
 	//init key provider
 	initKeyProvider()

-	adminServerURL := os.Getenv("ADMIN_SERVER_URL")
+	adminServerURL := os.Getenv("ADMINSERVER_URL")
 	if len(adminServerURL) == 0 {
 		adminServerURL = "http://adminserver"
 	}
--- a/src/ui/config/config_test.go
+++ b/src/ui/config/config_test.go
@ -29,8 +29,8 @@ func TestConfig(t *testing.T) {
 	}
 	defer server.Close()

-	if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
-		t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
+	if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
+		t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
 	}

 	secretKeyPath := "/tmp/secretkey"
--- a/src/ui/proxy/interceptor_test.go
+++ b/src/ui/proxy/interceptor_test.go
@ -40,7 +40,7 @@ func TestMain(m *testing.M) {
 		panic(err)
 	}
 	defer adminServer.Close()
-	if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil {
+	if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
 		panic(err)
 	}
 	if err := config.Init(); err != nil {
@ -129,7 +129,7 @@ func TestPMSPolicyChecker(t *testing.T) {
 		panic(err)
 	}
 	defer adminServer.Close()
-	if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil {
+	if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
 		panic(err)
 	}
 	if err := config.Init(); err != nil {
--- a/src/ui/service/token/token_test.go
+++ b/src/ui/service/token/token_test.go
@ -41,7 +41,7 @@ func TestMain(m *testing.M) {
 	}
 	defer server.Close()

-	if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
+	if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
 		panic(err)
 	}
 	if err := config.Init(); err != nil {
--- a/tests/docker-compose.test.yml
+++ b/tests/docker-compose.test.yml
@ -33,4 +33,4 @@ services:
      - /data/secretkey:/etc/adminserver/key
      - /data/:/data/
    ports:
-      - 8888:80
+      - 8888:8080