Add registryctl to non-root

And the install_cert.sh will changed for non-root too

Signed-off-by: DQ <dengq@vmware.com>

make/photon/registry/Dockerfile

@@ -1,24 +1,27 @@
 FROM photon:2.0
 
-MAINTAINER wangyan@vmware.com
+LABEL maintainer="wangyan@vmware.com"
 
 # The original script in the docker offical registry image.
 RUN tdnf install sudo -y >> /dev/null\
     && tdnf clean all \
-    && mkdir /harbor/ \
     && mkdir -p /etc/registry \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor  
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor  
 
-COPY ./make/photon/common/install_cert.sh /harbor
-COPY ./make/photon/registry/entrypoint.sh /
+COPY ./make/photon/common/install_cert.sh /home/harbor
+COPY ./make/photon/registry/entrypoint.sh /home/harbor
 COPY ./make/photon/registry/binary/registry /usr/bin
 
-RUN chmod u+x /entrypoint.sh \
-    && chmod u+x /usr/bin/registry
+RUN chmod -R 777 /etc/pki/tls/certs \
+    && chown harbor:harbor /home/harbor/entrypoint.sh && chmod u+x /home/harbor/entrypoint.sh \
+    && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \
+    && chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry
 
 HEALTHCHECK CMD curl 127.0.0.1:5000/
 
+USER harbor
+
+ENTRYPOINT ["/home/harbor/entrypoint.sh"]
+
 VOLUME ["/var/lib/registry"]
 EXPOSE 5000
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/etc/registry/config.yml"]

make/photon/registry/entrypoint.sh

@@ -4,24 +4,10 @@ set -e
 
 # The directory /var/lib/registry is within the container, and used to store image in CI testing.
 # So for now we need to chown to it to avoid failure in CI.
-if [ -d /var/lib/registry ]; then
-    chown 10000:10000 -R /var/lib/registry
-fi
+# if [ -d /var/lib/registry ]; then
+#     chown 10000:10000 -R /var/lib/registry
+# fi
 
-if [ -d /storage ]; then
-    if ! stat -c '%u:%g' /storage | grep -q '10000:10000' ; then
-        # 10000 is the id of harbor user/group.
-        # Usually NFS Server does not allow changing owner of the export directory,
-        # so need to skip this step and requires NFS Server admin to set its owner to 10000.
-        chown 10000:10000 -R /storage
-    fi
-fi
+/home/harbor/install_cert.sh
 
-/harbor/install_cert.sh
-
-case "$1" in
-    *.yaml|*.yml) set -- registry serve "$@" ;;
-    serve|garbage-collect|help|-*) set -- registry "$@" ;;
-esac
-
-sudo -E -u \#10000 "$@"
+/usr/bin/registry serve /etc/registry/config.yml

make/photon/registryctl/Dockerfile

@@ -1,25 +1,28 @@
 FROM photon:2.0
 
-MAINTAINER wangyan@vmware.com
+Label maintainer="wangyan@vmware.com"
 
 RUN tdnf install sudo -y >> /dev/null \
     && tdnf clean all \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
-    && mkdir -p /etc/registry \
-    && mkdir /harbor/
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor \
+    && mkdir -p /etc/registry
 
-COPY ./make/photon/common/install_cert.sh /harbor
+COPY ./make/photon/common/install_cert.sh /home/harbor
 COPY ./make/photon/registry/binary/registry /usr/bin
-COPY ./make/photon/registryctl/start.sh /harbor/
-COPY ./make/photon/registryctl/harbor_registryctl /harbor/
+COPY ./make/photon/registryctl/start.sh /home/harbor
+COPY ./make/photon/registryctl/harbor_registryctl /home/harbor
 
-RUN chmod u+x /harbor/harbor_registryctl \
-    && chmod u+x /usr/bin/registry \
-    && chmod u+x /harbor/start.sh
+RUN chmod -R 777 /etc/pki/tls/certs \
+    && chown harbor:harbor /home/harbor/harbor_registryctl && chmod u+x /home/harbor/harbor_registryctl \
+    && chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry \
+    && chown harbor:harbor /home/harbor/start.sh && chmod u+x /home/harbor/start.sh \
+    && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh
 
-HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || exit 1 
+
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || exit 1
 
 VOLUME ["/var/lib/registry"]
-WORKDIR /harbor/
 
-ENTRYPOINT ["/harbor/start.sh"]
+ENTRYPOINT ["/home/harbor/start.sh"]
+
+USER harbor

make/photon/registryctl/start.sh

@@ -4,19 +4,10 @@ set -e
 
 # The directory /var/lib/registry is within the container, and used to store image in CI testing.
 # So for now we need to chown to it to avoid failure in CI.
-if [ -d /var/lib/registry ]; then
-    chown 10000:10000 -R /var/lib/registry
-fi
+# if [ -d /var/lib/registry ]; then
+#     chown 10000:10000 -R /var/lib/registry
+# fi
 
-if [ -d /storage ]; then
-    if ! stat -c '%u:%g' /storage | grep -q '10000:10000' ; then
-        # 10000 is the id of harbor user/group.
-        # Usually NFS Server does not allow changing owner of the export directory,
-        # so need to skip this step and requires NFS Server admin to set its owner to 10000.
-        chown 10000:10000 -R /storage
-    fi
-fi
+/home/harbor/install_cert.sh
 
-/harbor/install_cert.sh
-
-sudo -E -u \#10000 "/harbor/harbor_registryctl" "-c" "/etc/registryctl/config.yml"
+/home/harbor/harbor_registryctl -c /etc/registryctl/config.yml