Deprivilege harbor-ui harbor-jobservice harbor-adminserver

Run the services in these images as a non-root user, and add a HEALTHCHECK
to each image.
This commit is contained in:
reasonerjt 2017-11-08 05:22:00 -08:00
parent 367c2b142f
commit 19a13e8575
30 changed files with 75 additions and 44 deletions


@ -19,7 +19,7 @@ env:
MYSQL_PWD: root123
MYSQL_DATABASE: registry
SQLITE_FILE: /tmp/registry.db
ADMIN_SERVER_URL: http://127.0.0.1:8888
ADMINSERVER_URL: http://127.0.0.1:8888
DOCKER_COMPOSE_VERSION: 1.7.1
HARBOR_ADMIN: admin
HARBOR_ADMIN_PASSWD: Harbor12345


@ -4,10 +4,10 @@ RUN tdnf distro-sync -y || echo \
&& tdnf install -y nginx \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
&& mkdir -p /var/run \
&& tdnf clean all
EXPOSE 80
VOLUME /var/cache/nginx /var/log/nginx /run
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]


@ -1,3 +1,4 @@
PORT=8080
LOG_LEVEL=debug
EXT_ENDPOINT=$ui_url
AUTH_MODE=$auth_mode
@ -42,5 +43,5 @@ RESET=false
UAA_ENDPOINT=$uaa_endpoint
UAA_CLIENTID=$uaa_clientid
UAA_CLIENTSECRET=$uaa_clientsecret
UI_URL=http://ui
JOBSERVICE_URL=http://jobservice
UI_URL=http://ui:8080
JOBSERVICE_URL=http://jobservice:8080


@ -22,4 +22,4 @@ clair:
attempts: 3
renotifyinterval: 2h
http:
endpoint: http://ui/service/notifications/clair
endpoint: http://ui:8080/service/notifications/clair


@ -2,4 +2,4 @@ appname = jobservice
runmode = dev
[dev]
httpport = 80
httpport = 8080


@ -2,4 +2,5 @@ LOG_LEVEL=debug
CONFIG_PATH=/etc/jobservice/app.conf
UI_SECRET=$ui_secret
JOBSERVICE_SECRET=$jobservice_secret
ADMINSERVER_URL=http://adminserver:8080
GODEBUG=netdns=cgo


@ -18,7 +18,7 @@ http {
}
upstream ui {
server ui:80;
server ui:8080;
}
log_format timed_combined '$$remote_addr - '


@ -18,7 +18,7 @@ http {
}
upstream ui {
server ui:80;
server ui:8080;
}
log_format timed_combined '$$remote_addr - '


@ -29,7 +29,7 @@ notifications:
endpoints:
- name: harbor
disabled: false
url: http://ui/service/notifications
url: http://ui:8080/service/notifications
timeout: 3000ms
threshold: 5
backoff: 1s


@ -3,4 +3,4 @@ runmode = dev
enablegzip = true
[dev]
httpport = 80
httpport = 8080


@ -3,4 +3,5 @@ CONFIG_PATH=/etc/ui/app.conf
UI_SECRET=$ui_secret
JOBSERVICE_SECRET=$jobservice_secret
GODEBUG=netdns=cgo
ADMINSERVER_URL=http://adminserver:8080
UAA_CA_ROOT=/etc/ui/certificates/uaa_ca.pem


@ -2,10 +2,13 @@ FROM vmware/photon:1.0
RUN tdnf erase vim -y \
&& tdnf distro-sync -y || echo \
&& tdnf install -y sudo \
&& tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
&& mkdir /harbor/
COPY ./make/dev/adminserver/harbor_adminserver /harbor/
COPY ./make/dev/adminserver/harbor_adminserver ./make/photon/adminserver/start.sh /harbor/
HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" 127.0.0.1:8080/api/configurations|grep 401
RUN chmod u+x /harbor/harbor_adminserver
RUN chmod u+x /harbor/harbor_adminserver /harbor/start.sh
WORKDIR /harbor/
ENTRYPOINT ["/harbor/harbor_adminserver"]
ENTRYPOINT ["/harbor/start.sh"]
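Review bot: `RUN chmod u+x /harbor/harbor_adminserver /harbor/start.sh` grants execute only to the file owner, which after COPY is root, yet start.sh launches the binary as uid 10000; unless both files already carry a world-executable mode in the build context, the sudo'd exec fails with permission denied. Use `RUN chmod a+x /harbor/harbor_adminserver /harbor/start.sh` (or chown them to 10000:10000) so the deprivileged user can actually run them. The HEALTHCHECK also relies on `curl`, which this Dockerfile never installs; if the photon base image does not ship it, the container is reported unhealthy regardless of the service's real state, so either confirm it is present or add it to the tdnf install line. Finally, because the drop to uid 10000 happens inside start.sh rather than via `USER`, the container still starts as root and keeps the setuid `sudo` binary; a comment next to ENTRYPOINT stating that this is deliberate (root is needed to chown the mounted config) would stop a reviewer from "fixing" it.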


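--- /dev/null
+++ b/make/photon/adminserver/start.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if [ -d /etc/adminserver ]; then
+chown -R 10000:10000 /etc/adminserver
+fi
+sudo -E -u \#10000 "/harbor/harbor_adminserver"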
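Review bot: The final `sudo -E -u \#10000 "/harbor/harbor_adminserver"` is not exec'd, so `sh` remains PID 1 with sudo as its child; a shell running as PID 1 does not forward SIGTERM, so `docker stop` waits out the grace period and SIGKILLs the service instead of letting it shut down cleanly. Replace it with `exec sudo -E -u '#10000' /harbor/harbor_adminserver` and add `set -e` at the top so a failed chown aborts instead of starting the service against config it cannot read. Note also that the dev compose file bind-mounts the host's `/data/secretkey` at `/etc/adminserver/key`, so this recursive chown silently rewrites ownership of a host secret; a comment such as `# take ownership of the mounted config for the unprivileged service user; on bind mounts this changes host file ownership` documents that side effect for the next maintainer.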


@ -2,9 +2,13 @@ FROM vmware/photon:1.0
RUN mkdir /harbor/ \
&& tdnf distro-sync -y || echo \
&& tdnf clean all
COPY ./make/dev/jobservice/harbor_jobservice /harbor/
&& tdnf install sudo -y \
&& tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:8080/api/jobs/replication/1/log|grep 401
RUN chmod u+x /harbor/harbor_jobservice
COPY ./make/photon/jobservice/start.sh ./make/dev/jobservice/harbor_jobservice /harbor/
RUN chmod u+x /harbor/harbor_jobservice /harbor/start.sh
WORKDIR /harbor/
ENTRYPOINT ["/harbor/harbor_jobservice"]
ENTRYPOINT ["/harbor/start.sh"]
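Review bot: Same ownership gap as the adminserver image: `RUN chmod u+x /harbor/harbor_jobservice /harbor/start.sh` only lets the owner (root after COPY) execute the files, while start.sh runs harbor_jobservice as uid 10000, so execution silently depends on the files already being world-executable in the build context. `RUN chmod a+x /harbor/harbor_jobservice /harbor/start.sh` makes the intent explicit and survives a build context with stricter modes. The HEALTHCHECK expecting a 401 from `/api/jobs/replication/1/log` is a good choice, since it verifies that authentication is enforced rather than merely that the port answers, but that is non-obvious and deserves a comment like `# 401 proves the API is up AND auth is enforced; do not relax to 200` so nobody later "fixes" the expected code.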


@ -0,0 +1,9 @@
#!/bin/sh
if [ -d /etc/jobservice/ ]; then
chown -R 10000:10000 /etc/jobservice/
fi
if [ -d /var/log/jobs ]; then
chown -R 10000:10000 /var/log/jobs/
fi
sudo -E -u \#10000 "/harbor/harbor_jobservice"
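Review bot: `chown -R 10000:10000 /var/log/jobs/` runs on every container start over what is presumably a persistent, ever-growing log volume, so startup time scales with the number of job log files and a large volume can keep the service from coming up before an orchestrator's readiness window closes. Existing logs written while the service still ran as root do need a one-time migration, so I would keep the recursive pass but guard it with an ownership check on the directory, e.g. `[ "$(stat -c %u /var/log/jobs)" = "10000" ] || chown -R 10000:10000 /var/log/jobs/` (assuming coreutils `stat` is available in the photon image). As in the other start scripts, the `sudo` line should be `exec`'d so SIGTERM reaches harbor_jobservice, and `set -e` should precede the chowns so a failure there stops the script instead of launching the service with unreadable paths.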


@ -2,16 +2,17 @@ FROM vmware/photon:1.0
RUN tdnf distro-sync -y \
&& tdnf erase vim -y \
&& tdnf install sudo -y \
&& tdnf clean all \
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
&& mkdir /harbor/
COPY ./make/dev/ui/harbor_ui /harbor/
HEALTHCHECK CMD curl -s -o /dev/null -w "%{http_code}" 127.0.0.1:8080/api/systeminfo|grep 200
COPY ./make/dev/ui/harbor_ui ./src/favicon.ico ./make/photon/ui/start.sh ./VERSION /harbor/
COPY ./src/ui/views /harbor/views
COPY ./src/ui/static /harbor/static
COPY ./src/favicon.ico /harbor/favicon.ico
COPY ./VERSION /harbor/VERSION
RUN chmod u+x /harbor/harbor_ui
RUN chmod u+x /harbor/start.sh /harbor/harbor_ui
WORKDIR /harbor/
ENTRYPOINT ["/harbor/harbor_ui"]
ENTRYPOINT ["/harbor/start.sh"]
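Review bot: The privilege drop is invisible to the container runtime: there is no `USER` instruction, so the ui container still starts as root and a Kubernetes `runAsNonRoot` check or `docker run --user` sees a root-launched image rather than a non-root one. If the runtime chown is needed only for mounted config, consider chowning the baked-in files at build time and reserving the root-then-sudo dance for the mount, documented by a comment on ENTRYPOINT such as `# starts as root only to chown mounted config; start.sh drops to uid 10000`. As in the sibling images, `RUN chmod u+x /harbor/start.sh /harbor/harbor_ui` grants execute to root alone; change it to `RUN chmod a+x /harbor/start.sh /harbor/harbor_ui` so uid 10000 can run them without relying on the modes in the build context.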

6
make/photon/ui/start.sh Normal file

@ -0,0 +1,6 @@
#!/bin/sh
if [ -d /etc/ui/ ]; then
chown -R 10000:10000 /etc/ui/
fi
sudo -E -u \#10000 "/harbor/harbor_ui"
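Review bot: `chown -R 10000:10000 /etc/ui/` makes the service user the owner, and therefore a writer, of its entire configuration, including the UAA trust anchor at `/etc/ui/certificates/uaa_ca.pem` referenced by the ui env file; a compromised ui process could then replace the CA it trusts or rewrite its own env, which undoes part of the least-privilege gain. The only thing under /etc/ui the process appears to need to write is the notary cache (`/etc/ui/notary-cache` in the ui code), so ownership can stay with root and the service user can be given read access plus one writable subdirectory, assuming nothing else under /etc/ui is written at runtime. The rewrite below also `exec`s sudo so SIGTERM reaches harbor_ui and fails fast if a chown does not succeed.
```shell
#!/bin/sh
set -e
if [ -d /etc/ui/ ]; then
    # config stays root-owned; the service user only needs to read it
    chown -R root:10000 /etc/ui/
    chmod -R g+rX,o-rwx /etc/ui/
    # the notary client needs one writable directory (notaryCachePath in the ui code)
    mkdir -p /etc/ui/notary-cache
    chown 10000:10000 /etc/ui/notary-cache
fi
exec sudo -E -u '#10000' /harbor/harbor_ui
```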


@ -72,8 +72,8 @@ func TestMain(t *testing.T) {
}
defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
}
secretKeyPath := "/tmp/secretkey"


@ -36,7 +36,7 @@ import (
)
var (
notaryCachePath = "/root/notary"
notaryCachePath = "/etc/ui/notary-cache"
trustPin trustpinning.TrustPinConfig
mockRetriever notary.PassRetriever
)
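Review bot: The reason the notary cache moved out of `/root` is not recorded next to `notaryCachePath`, and the new location sits inside the configuration directory, so a reader may mistake it for config rather than mutable state. I would add `// notaryCachePath must be writable by the unprivileged ui user (uid 10000); /etc/ui is chowned to that uid by make/photon/ui/start.sh, whereas /root is not.` above the declaration. If a deployment mounts /etc/ui read-only this path will fail at first use, which is worth a second line stating that assumption.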


@ -47,7 +47,7 @@ func TestMain(m *testing.M) {
panic(err)
}
defer adminServer.Close()
if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil {
if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
panic(err)
}
if err := config.Init(); err != nil {


@ -45,7 +45,7 @@ func Init() error {
//init key provider
initKeyProvider()
adminServerURL := os.Getenv("ADMIN_SERVER_URL")
adminServerURL := os.Getenv("ADMINSERVER_URL")
if len(adminServerURL) == 0 {
adminServerURL = "http://adminserver"
}
@ -163,7 +163,7 @@ func ExtEndpoint() (string, error) {
// InternalTokenServiceEndpoint ...
func InternalTokenServiceEndpoint() string {
return "http://ui/service/token"
return LocalUIURL() + "/service/token"
}
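Review bot: The fallback `adminServerURL = "http://adminserver"` in Init is now stale: after this change the adminserver listens on 8080 (see its HEALTHCHECK and the `ADMINSERVER_URL=http://adminserver:8080` entries in the env templates), so a deployment that omits the env var connects to port 80 and fails at config load. Update the default to `adminServerURL = "http://adminserver:8080"` so the code and the templates agree. Init continues outside the hunk, and the second hunk's `LocalUIURL()` helper is not visible here, so I cannot confirm it already carries the ui port.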
// ClairEndpoint returns the end point of clair instance, by default it's the one deployed within Harbor.


@ -30,8 +30,8 @@ func TestConfig(t *testing.T) {
}
defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
}
secretKeyPath := "/tmp/secretkey"


@ -55,8 +55,8 @@ func TestMain(m *testing.M) {
log.Fatalf("failed to create a mock admin server: %v", err)
}
defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
log.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
log.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
}
secretKeyPath := "/tmp/secretkey"
_, err = test.GenerateKey(secretKeyPath)


@ -71,8 +71,8 @@ func TestMain(t *testing.T) {
}
defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
}
secretKeyPath := "/tmp/secretkey"


@ -33,8 +33,8 @@ func TestGetClient(t *testing.T) {
}
defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
}
err = config.Init()
if err != nil {


@ -62,7 +62,7 @@ func Init() error {
//init key provider
initKeyProvider()
adminServerURL := os.Getenv("ADMIN_SERVER_URL")
adminServerURL := os.Getenv("ADMINSERVER_URL")
if len(adminServerURL) == 0 {
adminServerURL = "http://adminserver"
}
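Review bot: This Init has the same stale fallback as the ui config: `adminServerURL = "http://adminserver"` targets port 80, while the adminserver now listens on 8080 and the jobservice env template sets `ADMINSERVER_URL=http://adminserver:8080`. Change the default to `adminServerURL = "http://adminserver:8080"` so running without the env var does not fail at config load. Init's body continues outside the hunk.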


@ -29,8 +29,8 @@ func TestConfig(t *testing.T) {
}
defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMIN_SERVER_URL", err)
if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
t.Fatalf("failed to set env %s: %v", "ADMINSERVER_URL", err)
}
secretKeyPath := "/tmp/secretkey"


@ -40,7 +40,7 @@ func TestMain(m *testing.M) {
panic(err)
}
defer adminServer.Close()
if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil {
if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
panic(err)
}
if err := config.Init(); err != nil {
@ -129,7 +129,7 @@ func TestPMSPolicyChecker(t *testing.T) {
panic(err)
}
defer adminServer.Close()
if err := os.Setenv("ADMIN_SERVER_URL", adminServer.URL); err != nil {
if err := os.Setenv("ADMINSERVER_URL", adminServer.URL); err != nil {
panic(err)
}
if err := config.Init(); err != nil {


@ -41,7 +41,7 @@ func TestMain(m *testing.M) {
}
defer server.Close()
if err := os.Setenv("ADMIN_SERVER_URL", server.URL); err != nil {
if err := os.Setenv("ADMINSERVER_URL", server.URL); err != nil {
panic(err)
}
if err := config.Init(); err != nil {


@ -33,4 +33,4 @@ services:
- /data/secretkey:/etc/adminserver/key
- /data/:/data/
ports:
- 8888:80
- 8888:8080