mirror of
https://github.com/goharbor/harbor.git
synced 2024-06-25 22:35:11 +02:00
DB container run as non-root
Signed-off-by: Qian Deng <dengq@vmware.com>
This commit is contained in:
parent
8b7f1ae4c0
commit
303471563f
|
@ -12,5 +12,5 @@ COPY ./make/migrations /harbor/migrations
|
||||||
|
|
||||||
RUN chmod u+x /harbor/harbor_core
|
RUN chmod u+x /harbor/harbor_core
|
||||||
WORKDIR /harbor/
|
WORKDIR /harbor/
|
||||||
|
USER harbor
|
||||||
ENTRYPOINT ["/harbor/harbor_core"]
|
ENTRYPOINT ["/harbor/harbor_core"]
|
||||||
|
|
|
@ -18,15 +18,16 @@ RUN tdnf erase -y toybox && tdnf install -y util-linux net-tools
|
||||||
|
|
||||||
VOLUME /var/lib/postgresql/data
|
VOLUME /var/lib/postgresql/data
|
||||||
|
|
||||||
ADD ./make/photon/db/docker-entrypoint.sh /entrypoint.sh
|
COPY ./make/photon/db/docker-entrypoint.sh /entrypoint.sh
|
||||||
ADD ./make/photon/db/docker-healthcheck.sh /docker-healthcheck.sh
|
COPY ./make/photon/db/docker-healthcheck.sh /docker-healthcheck.sh
|
||||||
RUN chmod u+x /entrypoint.sh /docker-healthcheck.sh
|
|
||||||
ENTRYPOINT ["/entrypoint.sh"]
|
|
||||||
HEALTHCHECK CMD ["/docker-healthcheck.sh"]
|
|
||||||
|
|
||||||
COPY ./make/photon/db/initial-notaryserver.sql /docker-entrypoint-initdb.d/
|
COPY ./make/photon/db/initial-notaryserver.sql /docker-entrypoint-initdb.d/
|
||||||
COPY ./make/photon/db/initial-notarysigner.sql /docker-entrypoint-initdb.d/
|
COPY ./make/photon/db/initial-notarysigner.sql /docker-entrypoint-initdb.d/
|
||||||
COPY ./make/photon/db/initial-registry.sql /docker-entrypoint-initdb.d/
|
COPY ./make/photon/db/initial-registry.sql /docker-entrypoint-initdb.d/
|
||||||
|
RUN chown -R postgres:postgres /entrypoint.sh /docker-healthcheck.sh /docker-entrypoint-initdb.d \
|
||||||
|
&& chmod u+x /entrypoint.sh /docker-healthcheck.sh
|
||||||
|
|
||||||
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
|
HEALTHCHECK CMD ["/docker-healthcheck.sh"]
|
||||||
|
|
||||||
EXPOSE 5432
|
EXPOSE 5432
|
||||||
CMD ["postgres"]
|
USER postgres
|
||||||
|
|
|
@ -23,95 +23,89 @@ file_env() {
|
||||||
unset "$fileVar"
|
unset "$fileVar"
|
||||||
}
|
}
|
||||||
|
|
||||||
if [ "${1:0:1}" = '-' ]; then
|
# chown -R postgres:postgres $PGDATA
|
||||||
set -- postgres "$@"
|
# look specifically for PG_VERSION, as it is expected in the DB dir
|
||||||
fi
|
if [ ! -s "$PGDATA/PG_VERSION" ]; then
|
||||||
|
file_env 'POSTGRES_INITDB_ARGS'
|
||||||
if [ "$1" = 'postgres' ]; then
|
if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
|
||||||
chown -R postgres:postgres $PGDATA
|
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
|
||||||
# look specifically for PG_VERSION, as it is expected in the DB dir
|
fi
|
||||||
if [ ! -s "$PGDATA/PG_VERSION" ]; then
|
initdb -D $PGDATA -U postgres -E UTF-8 --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8 $POSTGRES_INITDB_ARGS
|
||||||
file_env 'POSTGRES_INITDB_ARGS'
|
# check password first so we can output the warning before postgres
|
||||||
if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
|
# messes it up
|
||||||
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
|
file_env 'POSTGRES_PASSWORD'
|
||||||
fi
|
if [ "$POSTGRES_PASSWORD" ]; then
|
||||||
su - $1 -c "initdb -D $PGDATA -U postgres -E UTF-8 --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8 $POSTGRES_INITDB_ARGS"
|
pass="PASSWORD '$POSTGRES_PASSWORD'"
|
||||||
# check password first so we can output the warning before postgres
|
authMethod=md5
|
||||||
# messes it up
|
else
|
||||||
file_env 'POSTGRES_PASSWORD'
|
# The - option suppresses leading tabs but *not* spaces. :)
|
||||||
if [ "$POSTGRES_PASSWORD" ]; then
|
cat >&2 <<-EOF
|
||||||
pass="PASSWORD '$POSTGRES_PASSWORD'"
|
****************************************************
|
||||||
authMethod=md5
|
WARNING: No password has been set for the database.
|
||||||
else
|
This will allow anyone with access to the
|
||||||
# The - option suppresses leading tabs but *not* spaces. :)
|
Postgres port to access your database. In
|
||||||
cat >&2 <<-EOF
|
Docker's default configuration, this is
|
||||||
****************************************************
|
effectively any other container on the same
|
||||||
WARNING: No password has been set for the database.
|
system.
|
||||||
This will allow anyone with access to the
|
Use "-e POSTGRES_PASSWORD=password" to set
|
||||||
Postgres port to access your database. In
|
it in "docker run".
|
||||||
Docker's default configuration, this is
|
****************************************************
|
||||||
effectively any other container on the same
|
|
||||||
system.
|
|
||||||
Use "-e POSTGRES_PASSWORD=password" to set
|
|
||||||
it in "docker run".
|
|
||||||
****************************************************
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
pass=
|
pass=
|
||||||
authMethod=trust
|
authMethod=trust
|
||||||
fi
|
fi
|
||||||
|
|
||||||
{
|
{
|
||||||
echo
|
echo
|
||||||
echo "host all all all $authMethod"
|
echo "host all all all $authMethod"
|
||||||
} >> "$PGDATA/pg_hba.conf"
|
} >> "$PGDATA/pg_hba.conf"
|
||||||
su postgres
|
echo `whoami`
|
||||||
echo `whoami`
|
# internal start of server in order to allow set-up using psql-client
|
||||||
# internal start of server in order to allow set-up using psql-client
|
# does not listen on external TCP/IP and waits until start finishes
|
||||||
# does not listen on external TCP/IP and waits until start finishes
|
pg_ctl -D "$PGDATA" -o "-c listen_addresses=''" -w start
|
||||||
su - $1 -c "pg_ctl -D \"$PGDATA\" -o \"-c listen_addresses='localhost'\" -w start"
|
|
||||||
|
|
||||||
file_env 'POSTGRES_USER' 'postgres'
|
file_env 'POSTGRES_USER' 'postgres'
|
||||||
file_env 'POSTGRES_DB' "$POSTGRES_USER"
|
file_env 'POSTGRES_DB' "$POSTGRES_USER"
|
||||||
|
|
||||||
psql=( psql -v ON_ERROR_STOP=1 )
|
psql=( psql -v ON_ERROR_STOP=1 )
|
||||||
|
|
||||||
if [ "$POSTGRES_DB" != 'postgres' ]; then
|
if [ "$POSTGRES_DB" != 'postgres' ]; then
|
||||||
"${psql[@]}" --username postgres <<-EOSQL
|
|
||||||
CREATE DATABASE "$POSTGRES_DB" ;
|
|
||||||
EOSQL
|
|
||||||
echo
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$POSTGRES_USER" = 'postgres' ]; then
|
|
||||||
op='ALTER'
|
|
||||||
else
|
|
||||||
op='CREATE'
|
|
||||||
fi
|
|
||||||
"${psql[@]}" --username postgres <<-EOSQL
|
"${psql[@]}" --username postgres <<-EOSQL
|
||||||
$op USER "$POSTGRES_USER" WITH SUPERUSER $pass ;
|
CREATE DATABASE "$POSTGRES_DB" ;
|
||||||
EOSQL
|
EOSQL
|
||||||
echo
|
echo
|
||||||
|
|
||||||
psql+=( --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" )
|
|
||||||
|
|
||||||
echo
|
|
||||||
for f in /docker-entrypoint-initdb.d/*; do
|
|
||||||
case "$f" in
|
|
||||||
*.sh) echo "$0: running $f"; . "$f" ;;
|
|
||||||
*.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
|
|
||||||
*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
|
|
||||||
*) echo "$0: ignoring $f" ;;
|
|
||||||
esac
|
|
||||||
echo
|
|
||||||
done
|
|
||||||
|
|
||||||
PGUSER="${PGUSER:-postgres}" \
|
|
||||||
su - $1 -c "pg_ctl -D \"$PGDATA\" -m fast -w stop"
|
|
||||||
|
|
||||||
echo
|
|
||||||
echo 'PostgreSQL init process complete; ready for start up.'
|
|
||||||
echo
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$POSTGRES_USER" = 'postgres' ]; then
|
||||||
|
op='ALTER'
|
||||||
|
else
|
||||||
|
op='CREATE'
|
||||||
|
fi
|
||||||
|
"${psql[@]}" --username postgres <<-EOSQL
|
||||||
|
$op USER "$POSTGRES_USER" WITH SUPERUSER $pass ;
|
||||||
|
EOSQL
|
||||||
|
echo
|
||||||
|
|
||||||
|
psql+=( --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" )
|
||||||
|
|
||||||
|
echo
|
||||||
|
for f in /docker-entrypoint-initdb.d/*; do
|
||||||
|
case "$f" in
|
||||||
|
*.sh) echo "$0: running $f"; . "$f" ;;
|
||||||
|
*.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
|
||||||
|
*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
|
||||||
|
*) echo "$0: ignoring $f" ;;
|
||||||
|
esac
|
||||||
|
echo
|
||||||
|
done
|
||||||
|
|
||||||
|
PGUSER="${PGUSER:-postgres}" \
|
||||||
|
pg_ctl -D "$PGDATA" -m fast -w stop
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo 'PostgreSQL init process complete; ready for start up.'
|
||||||
|
echo
|
||||||
fi
|
fi
|
||||||
exec su - $1 -c "$@ -D $PGDATA"
|
|
||||||
|
postgres -D $PGDATA
|
||||||
|
|
|
@ -21,11 +21,12 @@ COPY --from=nodeportal /build_dir/swagger.json /usr/share/nginx/html
|
||||||
|
|
||||||
COPY make/photon/portal/nginx.conf /etc/nginx/nginx.conf
|
COPY make/photon/portal/nginx.conf /etc/nginx/nginx.conf
|
||||||
|
|
||||||
RUN tdnf install -y nginx >> /dev/null \
|
RUN tdnf install -y nginx sudo >> /dev/null \
|
||||||
&& ln -sf /dev/stdout /var/log/nginx/access.log \
|
&& ln -sf /dev/stdout /var/log/nginx/access.log \
|
||||||
&& ln -sf /dev/stderr /var/log/nginx/error.log \
|
&& ln -sf /dev/stderr /var/log/nginx/error.log \
|
||||||
&& tdnf clean all \
|
&& groupadd -r -g 10000 nginx && useradd --no-log-init -r -g 10000 -u 10000 nginx \
|
||||||
&& chown -R 10000:10000 /etc/nginx
|
&& chown -R nginx:nginx /etc/nginx \
|
||||||
|
&& tdnf clean all
|
||||||
|
|
||||||
EXPOSE 80
|
EXPOSE 80
|
||||||
VOLUME /var/cache/nginx /var/log/nginx /run
|
VOLUME /var/cache/nginx /var/log/nginx /run
|
||||||
|
@ -33,6 +34,6 @@ VOLUME /var/cache/nginx /var/log/nginx /run
|
||||||
STOPSIGNAL SIGQUIT
|
STOPSIGNAL SIGQUIT
|
||||||
|
|
||||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
|
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
|
||||||
|
USER nginx
|
||||||
CMD ["nginx", "-g", "daemon off;"]
|
CMD ["nginx", "-g", "daemon off;"]
|
||||||
|
|
||||||
|
|
|
@ -5,10 +5,17 @@ from pathlib import Path
|
||||||
DEFAULT_UID = 10000
|
DEFAULT_UID = 10000
|
||||||
DEFAULT_GID = 10000
|
DEFAULT_GID = 10000
|
||||||
|
|
||||||
|
PG_UID = 999
|
||||||
|
PG_GID = 999
|
||||||
|
|
||||||
|
REDIS_UID = 999
|
||||||
|
REDIS_GID = 999
|
||||||
|
|
||||||
## Global variable
|
## Global variable
|
||||||
base_dir = '/harbor_make'
|
base_dir = '/harbor_make'
|
||||||
templates_dir = "/usr/src/app/templates"
|
templates_dir = "/usr/src/app/templates"
|
||||||
config_dir = '/config'
|
config_dir = '/config'
|
||||||
|
data_dir = '/data'
|
||||||
|
|
||||||
secret_dir = '/secret'
|
secret_dir = '/secret'
|
||||||
secret_key_dir='/secret/keys'
|
secret_key_dir='/secret/keys'
|
||||||
|
|
|
@ -16,6 +16,7 @@ from utils.clair import prepare_clair
|
||||||
from utils.chart import prepare_chartmuseum
|
from utils.chart import prepare_chartmuseum
|
||||||
from utils.docker_compose import prepare_docker_compose
|
from utils.docker_compose import prepare_docker_compose
|
||||||
from utils.nginx import prepare_nginx, nginx_confd_dir
|
from utils.nginx import prepare_nginx, nginx_confd_dir
|
||||||
|
from utils.redis import prepare_redis
|
||||||
from g import (config_dir, input_config_path, private_key_pem_path, root_crt_path, secret_key_dir,
|
from g import (config_dir, input_config_path, private_key_pem_path, root_crt_path, secret_key_dir,
|
||||||
old_private_key_pem_path, old_crt_path)
|
old_private_key_pem_path, old_crt_path)
|
||||||
|
|
||||||
|
@ -38,6 +39,7 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
|
||||||
prepare_registry_ctl(config_dict)
|
prepare_registry_ctl(config_dict)
|
||||||
prepare_db(config_dict)
|
prepare_db(config_dict)
|
||||||
prepare_job_service(config_dict)
|
prepare_job_service(config_dict)
|
||||||
|
prepare_redis(config_dict)
|
||||||
|
|
||||||
get_secret_key(secret_key_dir)
|
get_secret_key(secret_key_dir)
|
||||||
|
|
||||||
|
|
|
@ -133,7 +133,6 @@ services:
|
||||||
env_file:
|
env_file:
|
||||||
- ./common/config/core/env
|
- ./common/config/core/env
|
||||||
restart: always
|
restart: always
|
||||||
user: 10000:10000
|
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- ALL
|
- ALL
|
||||||
cap_add:
|
cap_add:
|
||||||
|
@ -186,7 +185,6 @@ services:
|
||||||
image: goharbor/harbor-portal:{{version}}
|
image: goharbor/harbor-portal:{{version}}
|
||||||
container_name: harbor-portal
|
container_name: harbor-portal
|
||||||
restart: always
|
restart: always
|
||||||
user: 10000:10000
|
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- ALL
|
- ALL
|
||||||
cap_add:
|
cap_add:
|
||||||
|
|
|
@ -1,20 +1,22 @@
|
||||||
import os
|
import os
|
||||||
|
|
||||||
from g import config_dir, templates_dir
|
from g import config_dir, templates_dir, data_dir, PG_UID, PG_GID
|
||||||
from utils.misc import prepare_config_dir
|
from utils.misc import prepare_config_dir
|
||||||
from utils.jinja import render_jinja
|
from utils.jinja import render_jinja
|
||||||
|
|
||||||
db_config_dir = os.path.join(config_dir, "db")
|
db_config_dir = os.path.join(config_dir, "db")
|
||||||
db_env_template_path = os.path.join(templates_dir, "db", "env.jinja")
|
db_env_template_path = os.path.join(templates_dir, "db", "env.jinja")
|
||||||
db_conf_env = os.path.join(config_dir, "db", "env")
|
db_conf_env = os.path.join(config_dir, "db", "env")
|
||||||
|
database_data_path = os.path.join(data_dir, 'database')
|
||||||
|
|
||||||
def prepare_db(config_dict):
|
def prepare_db(config_dict):
|
||||||
prepare_db_config_dir()
|
prepare_config_dir(database_data_path)
|
||||||
|
stat_info = os.stat(database_data_path)
|
||||||
|
uid, gid = stat_info.st_uid, stat_info.st_gid
|
||||||
|
if not (uid == PG_UID and gid == PG_GID):
|
||||||
|
os.chown(database_data_path, PG_UID, PG_GID)
|
||||||
|
prepare_config_dir(db_config_dir)
|
||||||
render_jinja(
|
render_jinja(
|
||||||
db_env_template_path,
|
db_env_template_path,
|
||||||
db_conf_env,
|
db_conf_env,
|
||||||
harbor_db_password=config_dict['harbor_db_password'])
|
harbor_db_password=config_dict['harbor_db_password'])
|
||||||
|
|
||||||
def prepare_db_config_dir():
|
|
||||||
prepare_config_dir(db_config_dir)
|
|
|
@ -24,7 +24,7 @@ def prepare_nginx(config_dict):
|
||||||
def render_nginx_template(config_dict):
|
def render_nginx_template(config_dict):
|
||||||
if config_dict['protocol'] == "https":
|
if config_dict['protocol'] == "https":
|
||||||
render_jinja(
|
render_jinja(
|
||||||
nginx_https_conf_template,
|
nginx_https_conf_template,
|
||||||
nginx_conf,
|
nginx_conf,
|
||||||
uid=DEFAULT_UID,
|
uid=DEFAULT_UID,
|
||||||
gid=DEFAULT_GID,
|
gid=DEFAULT_GID,
|
||||||
|
|
14
make/photon/prepare/utils/redis.py
Normal file
14
make/photon/prepare/utils/redis.py
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
import os
|
||||||
|
|
||||||
|
from g import data_dir, REDIS_UID, REDIS_GID
|
||||||
|
from utils.misc import prepare_config_dir
|
||||||
|
|
||||||
|
redis_data_path = os.path.join(data_dir, 'redis')
|
||||||
|
|
||||||
|
def prepare_redis(config_dict):
|
||||||
|
prepare_config_dir(redis_data_path)
|
||||||
|
|
||||||
|
stat_info = os.stat(redis_data_path)
|
||||||
|
uid, gid = stat_info.st_uid, stat_info.st_gid
|
||||||
|
if not (uid == REDIS_UID and gid == REDIS_GID):
|
||||||
|
os.chown(redis_data_path, REDIS_UID, REDIS_GID)
|
|
@ -8,7 +8,6 @@ COPY ./make/photon/redis/docker-entrypoint.sh /usr/bin/
|
||||||
COPY ./make/photon/redis/redis.conf /etc/redis.conf
|
COPY ./make/photon/redis/redis.conf /etc/redis.conf
|
||||||
RUN chmod +x /usr/bin/docker-entrypoint.sh \
|
RUN chmod +x /usr/bin/docker-entrypoint.sh \
|
||||||
&& chown redis:redis /etc/redis.conf
|
&& chown redis:redis /etc/redis.conf
|
||||||
ENTRYPOINT ["docker-entrypoint.sh"]
|
|
||||||
USER redis
|
USER redis
|
||||||
|
|
||||||
EXPOSE 6379
|
EXPOSE 6379
|
||||||
|
|
Loading…
Reference in New Issue
Block a user