DB container run as non-root

Signed-off-by: Qian Deng <dengq@vmware.com>

make/photon/core/Dockerfile

@@ -12,5 +12,5 @@ COPY ./make/migrations /harbor/migrations
 
 RUN chmod u+x /harbor/harbor_core
 WORKDIR /harbor/
-
+USER harbor
 ENTRYPOINT ["/harbor/harbor_core"]

make/photon/db/Dockerfile

@@ -18,15 +18,16 @@ RUN tdnf erase -y toybox && tdnf install -y util-linux net-tools
 
 VOLUME /var/lib/postgresql/data
 
-ADD ./make/photon/db/docker-entrypoint.sh /entrypoint.sh
+COPY ./make/photon/db/docker-entrypoint.sh /entrypoint.sh
-ADD ./make/photon/db/docker-healthcheck.sh /docker-healthcheck.sh
+COPY ./make/photon/db/docker-healthcheck.sh /docker-healthcheck.sh
-RUN chmod u+x /entrypoint.sh /docker-healthcheck.sh
-ENTRYPOINT ["/entrypoint.sh"]
-HEALTHCHECK CMD ["/docker-healthcheck.sh"]
-
 COPY ./make/photon/db/initial-notaryserver.sql /docker-entrypoint-initdb.d/
 COPY ./make/photon/db/initial-notarysigner.sql /docker-entrypoint-initdb.d/
 COPY ./make/photon/db/initial-registry.sql /docker-entrypoint-initdb.d/
+RUN chown -R postgres:postgres /entrypoint.sh /docker-healthcheck.sh /docker-entrypoint-initdb.d \
+    && chmod u+x /entrypoint.sh /docker-healthcheck.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+HEALTHCHECK CMD ["/docker-healthcheck.sh"]
 
 EXPOSE 5432
-CMD ["postgres"]
+USER postgres

make/photon/db/docker-entrypoint.sh

@@ -23,95 +23,89 @@ file_env() {
         unset "$fileVar"
 }
 
-if [ "${1:0:1}" = '-' ]; then
+# chown -R postgres:postgres $PGDATA
-        set -- postgres "$@"
+# look specifically for PG_VERSION, as it is expected in the DB dir
-fi
+if [ ! -s "$PGDATA/PG_VERSION" ]; then
-
+        file_env 'POSTGRES_INITDB_ARGS'
-if [ "$1" = 'postgres' ]; then
+        if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
-        chown -R postgres:postgres $PGDATA
+                export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
-        # look specifically for PG_VERSION, as it is expected in the DB dir
+        fi
-        if [ ! -s "$PGDATA/PG_VERSION" ]; then
+        initdb -D $PGDATA  -U postgres -E UTF-8 --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8 $POSTGRES_INITDB_ARGS
-                file_env 'POSTGRES_INITDB_ARGS'
+        # check password first so we can output the warning before postgres
-                if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+        # messes it up
-                        export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
+        file_env 'POSTGRES_PASSWORD'
-                fi
+        if [ "$POSTGRES_PASSWORD" ]; then
-                su - $1 -c "initdb -D $PGDATA  -U postgres -E UTF-8 --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8 $POSTGRES_INITDB_ARGS"
+                pass="PASSWORD '$POSTGRES_PASSWORD'"
-                # check password first so we can output the warning before postgres
+                authMethod=md5
-                # messes it up
+        else
-                file_env 'POSTGRES_PASSWORD'
+                # The - option suppresses leading tabs but *not* spaces. :)
-                if [ "$POSTGRES_PASSWORD" ]; then
+                cat >&2 <<-EOF
-                        pass="PASSWORD '$POSTGRES_PASSWORD'"
+                        ****************************************************
-                        authMethod=md5
+                        WARNING: No password has been set for the database.
-                else
+                                        This will allow anyone with access to the
-                        # The - option suppresses leading tabs but *not* spaces. :)
+                                        Postgres port to access your database. In
-                        cat >&2 <<-EOF
+                                        Docker's default configuration, this is
-                                ****************************************************
+                                        effectively any other container on the same
-                                WARNING: No password has been set for the database.
+                                        system.
-                                         This will allow anyone with access to the
+                                        Use "-e POSTGRES_PASSWORD=password" to set
-                                         Postgres port to access your database. In
+                                        it in "docker run".
-                                         Docker's default configuration, this is
+                        ****************************************************
-                                         effectively any other container on the same
-                                         system.
-                                         Use "-e POSTGRES_PASSWORD=password" to set
-                                         it in "docker run".
-                                ****************************************************
 EOF
 
-                        pass=
+                pass=
-                        authMethod=trust
+                authMethod=trust
-                fi
+        fi
 
-                {
+        {
-                        echo
+                echo
-                        echo "host all all all $authMethod"
+                echo "host all all all $authMethod"
-                } >> "$PGDATA/pg_hba.conf"
+        } >> "$PGDATA/pg_hba.conf"
-                su postgres
+        echo `whoami`
-                echo `whoami`
+        # internal start of server in order to allow set-up using psql-client
-                # internal start of server in order to allow set-up using psql-client
+        # does not listen on external TCP/IP and waits until start finishes
-                # does not listen on external TCP/IP and waits until start finishes
+        pg_ctl -D "$PGDATA" -o "-c listen_addresses=''" -w start
-                su - $1 -c "pg_ctl -D \"$PGDATA\" -o \"-c listen_addresses='localhost'\" -w start"
 
-                file_env 'POSTGRES_USER' 'postgres'
+        file_env 'POSTGRES_USER' 'postgres'
-                file_env 'POSTGRES_DB' "$POSTGRES_USER"
+        file_env 'POSTGRES_DB' "$POSTGRES_USER"
 
-                psql=( psql -v ON_ERROR_STOP=1 )
+        psql=( psql -v ON_ERROR_STOP=1 )
 
-                if [ "$POSTGRES_DB" != 'postgres' ]; then
+        if [ "$POSTGRES_DB" != 'postgres' ]; then
-                        "${psql[@]}" --username postgres <<-EOSQL
-                                CREATE DATABASE "$POSTGRES_DB" ;
-EOSQL
-                        echo
-                fi
-
-                if [ "$POSTGRES_USER" = 'postgres' ]; then
-                        op='ALTER'
-                else
-                        op='CREATE'
-                fi
                 "${psql[@]}" --username postgres <<-EOSQL
-                        $op USER "$POSTGRES_USER" WITH SUPERUSER $pass ;
+                        CREATE DATABASE "$POSTGRES_DB" ;
 EOSQL
                 echo
-
-                psql+=( --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" )
-
-                echo
-                for f in /docker-entrypoint-initdb.d/*; do
-                        case "$f" in
-                                *.sh)     echo "$0: running $f"; . "$f" ;;
-                                *.sql)    echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
-                                *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
-                                *)        echo "$0: ignoring $f" ;;
-                        esac
-                        echo
-                done
-
-                PGUSER="${PGUSER:-postgres}" \
-                su - $1 -c "pg_ctl -D \"$PGDATA\" -m fast -w stop"
-
-                echo
-                echo 'PostgreSQL init process complete; ready for start up.'
-                echo
         fi
+
+        if [ "$POSTGRES_USER" = 'postgres' ]; then
+                op='ALTER'
+        else
+                op='CREATE'
+        fi
+        "${psql[@]}" --username postgres <<-EOSQL
+                $op USER "$POSTGRES_USER" WITH SUPERUSER $pass ;
+EOSQL
+        echo
+
+        psql+=( --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" )
+
+        echo
+        for f in /docker-entrypoint-initdb.d/*; do
+                case "$f" in
+                        *.sh)     echo "$0: running $f"; . "$f" ;;
+                        *.sql)    echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
+                        *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
+                        *)        echo "$0: ignoring $f" ;;
+                esac
+                echo
+        done
+
+        PGUSER="${PGUSER:-postgres}" \
+        pg_ctl -D "$PGDATA" -m fast -w stop
+
+        echo
+        echo 'PostgreSQL init process complete; ready for start up.'
+        echo
 fi
-exec su - $1 -c "$@ -D $PGDATA"
+
+postgres -D $PGDATA

make/photon/portal/Dockerfile

@@ -21,11 +21,12 @@ COPY --from=nodeportal /build_dir/swagger.json /usr/share/nginx/html
 
 COPY make/photon/portal/nginx.conf /etc/nginx/nginx.conf
 
-RUN tdnf install -y nginx >> /dev/null \
+RUN tdnf install -y nginx sudo >> /dev/null \
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log \
-    && tdnf clean all \
+    && groupadd -r -g 10000 nginx && useradd --no-log-init -r -g 10000 -u 10000 nginx \
-    && chown -R 10000:10000 /etc/nginx
+    && chown -R nginx:nginx /etc/nginx \
+    && tdnf clean all
 
 EXPOSE 80
 VOLUME /var/cache/nginx /var/log/nginx /run
@@ -33,6 +34,6 @@ VOLUME /var/cache/nginx /var/log/nginx /run
 STOPSIGNAL SIGQUIT
 
 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
-
+USER nginx
 CMD ["nginx", "-g", "daemon off;"]
 

make/photon/prepare/g.py

@@ -5,10 +5,17 @@ from pathlib import Path
 DEFAULT_UID = 10000
 DEFAULT_GID = 10000
 
+PG_UID = 999
+PG_GID = 999
+
+REDIS_UID = 999
+REDIS_GID = 999
+
 ## Global variable
 base_dir = '/harbor_make'
 templates_dir = "/usr/src/app/templates"
 config_dir = '/config'
+data_dir = '/data'
 
 secret_dir = '/secret'
 secret_key_dir='/secret/keys'

make/photon/prepare/main.py

@@ -16,6 +16,7 @@ from utils.clair import prepare_clair
 from utils.chart import prepare_chartmuseum
 from utils.docker_compose import prepare_docker_compose
 from utils.nginx import prepare_nginx, nginx_confd_dir
+from utils.redis import prepare_redis
 from g import (config_dir, input_config_path, private_key_pem_path, root_crt_path, secret_key_dir,
 old_private_key_pem_path, old_crt_path)
 
@@ -38,6 +39,7 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
     prepare_registry_ctl(config_dict)
     prepare_db(config_dict)
     prepare_job_service(config_dict)
+    prepare_redis(config_dict)
 
     get_secret_key(secret_key_dir)
 

make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja

@@ -133,7 +133,6 @@ services:
     env_file:
       - ./common/config/core/env
     restart: always
-    user: 10000:10000
     cap_drop:
       - ALL
     cap_add:
@@ -186,7 +185,6 @@ services:
     image: goharbor/harbor-portal:{{version}}
     container_name: harbor-portal
     restart: always
-    user: 10000:10000
     cap_drop:
       - ALL
     cap_add:

make/photon/prepare/utils/db.py

@@ -1,20 +1,22 @@
 import os
 
-from g import config_dir, templates_dir
+from g import config_dir, templates_dir, data_dir, PG_UID, PG_GID
 from utils.misc import prepare_config_dir
 from utils.jinja import render_jinja
 
 db_config_dir = os.path.join(config_dir, "db")
 db_env_template_path = os.path.join(templates_dir, "db", "env.jinja")
 db_conf_env = os.path.join(config_dir, "db", "env")
+database_data_path = os.path.join(data_dir, 'database')
 
 def prepare_db(config_dict):
-    prepare_db_config_dir()
+    prepare_config_dir(database_data_path)
-
+    stat_info = os.stat(database_data_path)
+    uid, gid = stat_info.st_uid, stat_info.st_gid
+    if not (uid == PG_UID and gid == PG_GID):
+            os.chown(database_data_path, PG_UID, PG_GID)
+    prepare_config_dir(db_config_dir)
     render_jinja(
         db_env_template_path,
         db_conf_env,
         harbor_db_password=config_dict['harbor_db_password'])
-
-def prepare_db_config_dir():
-    prepare_config_dir(db_config_dir)

make/photon/prepare/utils/nginx.py

@@ -24,7 +24,7 @@ def prepare_nginx(config_dict):
 def render_nginx_template(config_dict):
     if config_dict['protocol'] == "https":
         render_jinja(
-            nginx_https_conf_template, 
+            nginx_https_conf_template,
             nginx_conf,
             uid=DEFAULT_UID,
             gid=DEFAULT_GID,

make/photon/prepare/utils/redis.py

@@ -0,0 +1,14 @@
+import os
+
+from g import data_dir, REDIS_UID, REDIS_GID
+from utils.misc import prepare_config_dir
+
+redis_data_path = os.path.join(data_dir, 'redis')
+
+def prepare_redis(config_dict):
+    prepare_config_dir(redis_data_path)
+
+    stat_info = os.stat(redis_data_path)
+    uid, gid = stat_info.st_uid, stat_info.st_gid
+    if not (uid == REDIS_UID and gid == REDIS_GID):
+            os.chown(redis_data_path, REDIS_UID, REDIS_GID)

make/photon/redis/Dockerfile

@@ -8,7 +8,6 @@ COPY ./make/photon/redis/docker-entrypoint.sh /usr/bin/
 COPY ./make/photon/redis/redis.conf /etc/redis.conf
 RUN chmod +x /usr/bin/docker-entrypoint.sh \
     && chown redis:redis /etc/redis.conf
-ENTRYPOINT ["docker-entrypoint.sh"]
 USER redis
 
 EXPOSE 6379