Deprivilege harbor-ui harbor-jobservice harbor-adminserver

Use non-root user to run the service within these docker images, and provide HEALTHCHECK
mechanism.
This commit is contained in:
reasonerjt 2017-11-08 05:22:00 -08:00
parent 367c2b142f
commit 19a13e8575
30 changed files with 75 additions and 44 deletions


@ -19,7 +19,7 @@ env:
MYSQL_PWD: root123 MYSQL_PWD: root123
MYSQL_DATABASE: registry MYSQL_DATABASE: registry
SQLITE_FILE: /tmp/registry.db SQLITE_FILE: /tmp/registry.db
ADMIN_SERVER_URL: http://127.0.0.1:8888 ADMINSERVER_URL: http://127.0.0.1:8888
DOCKER_COMPOSE_VERSION: 1.7.1 DOCKER_COMPOSE_VERSION: 1.7.1
HARBOR_ADMIN: admin HARBOR_ADMIN: admin
HARBOR_ADMIN_PASSWD: Harbor12345 HARBOR_ADMIN_PASSWD: Harbor12345


@ -4,10 +4,10 @@ RUN tdnf distro-sync -y || echo \
&& tdnf install -y nginx \ && tdnf install -y nginx \
&& ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \
&& mkdir -p /var/run \
&& tdnf clean all && tdnf clean all
EXPOSE 80 EXPOSE 80
VOLUME /var/cache/nginx /var/log/nginx /run
STOPSIGNAL SIGQUIT STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"] CMD ["nginx", "-g", "daemon off;"]


@ -1,3 +1,4 @@
PORT=8080
LOG_LEVEL=debug LOG_LEVEL=debug
EXT_ENDPOINT=$ui_url EXT_ENDPOINT=$ui_url
AUTH_MODE=$auth_mode AUTH_MODE=$auth_mode
@ -42,5 +43,5 @@ RESET=false
UAA_ENDPOINT=$uaa_endpoint UAA_ENDPOINT=$uaa_endpoint
UAA_CLIENTID=$uaa_clientid UAA_CLIENTID=$uaa_clientid
UAA_CLIENTSECRET=$uaa_clientsecret UAA_CLIENTSECRET=$uaa_clientsecret
UI_URL=http://ui UI_URL=http://ui:8080
JOBSERVICE_URL=http://jobservice JOBSERVICE_URL=http://jobservice:8080


@ -22,4 +22,4 @@ clair:
attempts: 3 attempts: 3
renotifyinterval: 2h renotifyinterval: 2h
http: http:
endpoint: http://ui/service/notifications/clair endpoint: http://ui:8080/service/notifications/clair


@ -2,4 +2,4 @@ appname = jobservice
runmode = dev runmode = dev
[dev] [dev]
httpport = 80 httpport = 8080


@ -2,4 +2,5 @@ LOG_LEVEL=debug
CONFIG_PATH=/etc/jobservice/app.conf CONFIG_PATH=/etc/jobservice/app.conf
UI_SECRET=$ui_secret UI_SECRET=$ui_secret
JOBSERVICE_SECRET=$jobservice_secret JOBSERVICE_SECRET=$jobservice_secret
ADMINSERVER_URL=http://adminserver:8080
GODEBUG=netdns=cgo GODEBUG=netdns=cgo


@ -18,7 +18,7 @@ http {
} }
upstream ui { upstream ui {
server ui:80; server ui:8080;
} }
log_format timed_combined '$$remote_addr - ' log_format timed_combined '$$remote_addr - '


@ -18,7 +18,7 @@ http {
} }
upstream ui { upstream ui {
server ui:80; server ui:8080;
} }
log_format timed_combined '$$remote_addr - ' log_format timed_combined '$$remote_addr - '


@ -29,7 +29,7 @@ notifications:
endpoints: endpoints:
- name: harbor - name: harbor
disabled: false disabled: false
url: http://ui/service/notifications url: http://ui:8080/service/notifications
timeout: 3000ms timeout: 3000ms
threshold: 5 threshold: 5
backoff: 1s backoff: 1s


@ -3,4 +3,4 @@ runmode = dev
enablegzip = true enablegzip = true
[dev] [dev]
httpport = 80 httpport = 8080


@ -3,4 +3,5 @@ CONFIG_PATH=/etc/ui/app.conf
UI_SECRET=$ui_secret UI_SECRET=$ui_secret
JOBSERVICE_SECRET=$jobservice_secret JOBSERVICE_SECRET=$jobservice_secret
GODEBUG=netdns=cgo GODEBUG=netdns=cgo
ADMINSERVER_URL=http://adminserver:8080
UAA_CA_ROOT=/etc/ui/certificates/uaa_ca.pem UAA_CA_ROOT=/etc/ui/certificates/uaa_ca.pem


@ -2,10 +2,13 @@ FROM vmware/photon:1.0
RUN tdnf erase vim -y \ RUN tdnf erase vim -y \
&& tdnf distro-sync -y || echo \ && tdnf distro-sync -y || echo \
&& tdnf install -y sudo \
&& tdnf clean all \ && tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
&& mkdir /harbor/ && mkdir /harbor/
COPY ./make/dev/adminserver/harbor_adminserver /harbor/ COPY ./make/dev/adminserver/harbor_adminserver ./make/photon/adminserver/start.sh /harbor/
HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" 127.0.0.1:8080/api/configurations|grep 401
RUN chmod u+x /harbor/harbor_adminserver RUN chmod u+x /harbor/harbor_adminserver /harbor/start.sh
WORKDIR /harbor/ WORKDIR /harbor/
ENTRYPOINT ["/harbor/harbor_adminserver"] ENTRYPOINT ["/harbor/start.sh"]
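Review bot: The HEALTHCHECK line assumes `curl` exists in the image, but the RUN chain only adds `sudo` and nothing on this page shows vmware/photon:1.0 shipping curl; if it is absent, every probe exits non-zero and Docker marks the container unhealthy from the first check. Either extend the install step, `&& tdnf install -y sudo curl \`, or confirm the base image provides it. The jobservice and ui Dockerfiles later in this commit carry the same HEALTHCHECK pattern and the same dependency. Consider also stating `--interval` and `--timeout` explicitly so the probe budget is visible in the Dockerfile rather than inherited from Docker's defaults.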


@ -0,0 +1,5 @@
#!/bin/sh
if [ -d /etc/adminserver ]; then
chown -R 10000:10000 /etc/adminserver
fi
sudo -E -u \#10000 "/harbor/harbor_adminserver"
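Review bot: The final `sudo` line runs the service as a child of this script, so `sh` remains PID 1; a SIGTERM from `docker stop` is delivered to the shell, which does not forward it to the child, so the service is typically only stopped by the SIGKILL that follows the grace period instead of shutting down cleanly. Prefix it with exec, `exec sudo -E -u \#10000 "/harbor/harbor_adminserver"`, so the service process replaces the shell. The jobservice and ui start.sh scripts added later in this commit use the same pattern. Note also that `chown -R 10000:10000 /etc/adminserver` rewrites ownership of whatever the host bind-mounts there (the compose hunk in this commit mounts `/data/secretkey` at `/etc/adminserver/key`), a side effect outside the container that deserves a comment above the chown, e.g. `# /etc/adminserver is a host bind mount; ownership change is visible on the host`.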


@ -2,9 +2,13 @@ FROM vmware/photon:1.0
RUN mkdir /harbor/ \ RUN mkdir /harbor/ \
&& tdnf distro-sync -y || echo \ && tdnf distro-sync -y || echo \
&& tdnf clean all && tdnf install sudo -y \
COPY ./make/dev/jobservice/harbor_jobservice /harbor/ && tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:8080/api/jobs/replication/1/log|grep 401
RUN chmod u+x /harbor/harbor_jobservice COPY ./make/photon/jobservice/start.sh ./make/dev/jobservice/harbor_jobservice /harbor/
RUN chmod u+x /harbor/harbor_jobservice /harbor/start.sh
WORKDIR /harbor/ WORKDIR /harbor/
ENTRYPOINT ["/harbor/harbor_jobservice"] ENTRYPOINT ["/harbor/start.sh"]


@ -0,0 +1,9 @@
#!/bin/sh
if [ -d /etc/jobservice/ ]; then
chown -R 10000:10000 /etc/jobservice/
fi
if [ -d /var/log/jobs ]; then
chown -R 10000:10000 /var/log/jobs/
fi
sudo -E -u \#10000 "/harbor/harbor_jobservice"


@ -2,16 +2,17 @@ FROM vmware/photon:1.0
RUN tdnf distro-sync -y \ RUN tdnf distro-sync -y \
&& tdnf erase vim -y \ && tdnf erase vim -y \
&& tdnf install sudo -y \
&& tdnf clean all \ && tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
&& mkdir /harbor/ && mkdir /harbor/
COPY ./make/dev/ui/harbor_ui /harbor/
HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" 127.0.0.1:8080/api/systeminfo|grep 200
COPY ./make/dev/ui/harbor_ui ./src/favicon.ico ./make/photon/ui/start.sh ./VERSION /harbor/
COPY ./src/ui/views /harbor/views COPY ./src/ui/views /harbor/views
COPY ./src/ui/static /harbor/static COPY ./src/ui/static /harbor/static
COPY ./src/favicon.ico /harbor/favicon.ico
COPY ./VERSION /harbor/VERSION
RUN chmod u+x /harbor/harbor_ui RUN chmod u+x /harbor/start.sh /harbor/harbor_ui
WORKDIR /harbor/ WORKDIR /harbor/
ENTRYPOINT ["/harbor/harbor_ui"]
ENTRYPOINT ["/harbor/start.sh"]

6
make/photon/ui/start.sh Normal file

@ -0,0 +1,6 @@
#!/bin/sh
if [ -d /etc/ui/ ]; then
chown -R 10000:10000 /etc/ui/
fi
sudo -E -u \#10000 "/harbor/harbor_ui"


@ -72,8 +72,8 @@ func TestMain(t *testing.T) {
} }
defer server.Close() defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err) t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
} }
secretKeyPath := "/tmp/secretkey" secretKeyPath := "/tmp/secretkey"


@ -36,7 +36,7 @@ import (
) )
var ( var (
notaryCachePath = "/root/notary" notaryCachePath = "/etc/ui/notary-cache"
trustPin trustpinning.TrustPinConfig trustPin trustpinning.TrustPinConfig
mockRetriever notary.PassRetriever mockRetriever notary.PassRetriever
) )
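Review bot: Changing `notaryCachePath` to `/etc/ui/notary-cache` puts a writable cache under a configuration directory; it appears to work only because the new ui start.sh runs `chown -R 10000:10000 /etc/ui/` on every start, and if `/etc/ui` were mounted read-only the cache writes would presumably fail. A location under `/var/cache` or the service's own `/harbor` tree would decouple cache writes from config ownership. At minimum, a comment on the variable should record the dependency, e.g. `// under /etc/ui because start.sh makes that tree writable for the service user (uid 10000)`.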


@ -47,7 +47,7 @@ func TestMain(m *testing.M) {
panic(err) panic(err)
} }
defer adminServer.Close() defer adminServer.Close()
if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
panic(err) panic(err)
} }
if err := config.Init(); err != nil { if err := config.Init(); err != nil {


@ -45,7 +45,7 @@ func Init() error {
//init key provider //init key provider
initKeyProvider() initKeyProvider()
adminServerURL := os.Getenv("ADMIN_SERVER_URL") adminServerURL := os.Getenv("ADMINSERVER_URL")
if len(adminServerURL) == 0 { if len(adminServerURL) == 0 {
adminServerURL = "http://adminserver" adminServerURL = "http://adminserver"
} }
@ -163,7 +163,7 @@ func ExtEndpoint() (string, error) {
// InternalTokenServiceEndpoint ... // InternalTokenServiceEndpoint ...
func InternalTokenServiceEndpoint() string { func InternalTokenServiceEndpoint() string {
return "http://ui/service/token" return LocalUIURL() + "/service/token"
} }
// ClairEndpoint returns the end point of clair instance, by default it's the one deployed within Harbor. // ClairEndpoint returns the end point of clair instance, by default it's the one deployed within Harbor.
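Review bot: The fallback on the line after the `os.Getenv("ADMINSERVER_URL")` read still defaults to `http://adminserver` (port 80), while the env templates, HEALTHCHECK and compose hunks in this commit appear to move adminserver to 8080 and set `ADMINSERVER_URL=http://adminserver:8080` explicitly; a deployment that omits the variable would now target a port nothing listens on. Update it to `adminServerURL = "http://adminserver:8080"`. The jobservice `config.Init` hunk later in this commit has the same stale default. `Init` continues outside the hunk, and `LocalUIURL()` used by the new `InternalTokenServiceEndpoint` body is not visible here, so I am assuming it already carries the new 8080 port.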


@ -30,8 +30,8 @@ func TestConfig(t *testing.T) {
} }
defer server.Close() defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err) t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
} }
secretKeyPath := "/tmp/secretkey" secretKeyPath := "/tmp/secretkey"


@ -55,8 +55,8 @@ func TestMain(m *testing.M) {
log.Fatalf("failed to create a mock admin server: %v", err) log.Fatalf("failed to create a mock admin server: %v", err)
} }
defer server.Close() defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
log.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err) log.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
} }
secretKeyPath := "/tmp/secretkey" secretKeyPath := "/tmp/secretkey"
_, err = test.GenerateKey(secretKeyPath) _, err = test.GenerateKey(secretKeyPath)


@ -71,8 +71,8 @@ func TestMain(t *testing.T) {
} }
defer server.Close() defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err) t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
} }
secretKeyPath := "/tmp/secretkey" secretKeyPath := "/tmp/secretkey"


@ -33,8 +33,8 @@ func TestGetClient(t *testing.T) {
} }
defer server.Close() defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err) t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
} }
err = config.Init() err = config.Init()
if err != nil { if err != nil {


@ -62,7 +62,7 @@ func Init() error {
//init key provider //init key provider
initKeyProvider() initKeyProvider()
adminServerURL := os.Getenv("ADMIN_SERVER_URL") adminServerURL := os.Getenv("ADMINSERVER_URL")
if len(adminServerURL) == 0 { if len(adminServerURL) == 0 {
adminServerURL = "http://adminserver" adminServerURL = "http://adminserver"
} }


@ -29,8 +29,8 @@ func TestConfig(t *testing.T) {
} }
defer server.Close() defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err) t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
} }
secretKeyPath := "/tmp/secretkey" secretKeyPath := "/tmp/secretkey"


@ -40,7 +40,7 @@ func TestMain(m *testing.M) {
panic(err) panic(err)
} }
defer adminServer.Close() defer adminServer.Close()
if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
panic(err) panic(err)
} }
if err := config.Init(); err != nil { if err := config.Init(); err != nil {
@ -129,7 +129,7 @@ func TestPMSPolicyChecker(t *testing.T) {
panic(err) panic(err)
} }
defer adminServer.Close() defer adminServer.Close()
if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
panic(err) panic(err)
} }
if err := config.Init(); err != nil { if err := config.Init(); err != nil {


@ -41,7 +41,7 @@ func TestMain(m *testing.M) {
} }
defer server.Close() defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil { if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
panic(err) panic(err)
} }
if err := config.Init(); err != nil { if err := config.Init(); err != nil {


@ -33,4 +33,4 @@ services:
- /data/secretkey:/etc/adminserver/key - /data/secretkey:/etc/adminserver/key
- /data/:/data/ - /data/:/data/
ports: ports:
- 8888:80 - 8888:8080