From 7237067d637ebd0f667e9f97e5bf761ef584f5b8 Mon Sep 17 00:00:00 2001
From: DQ
Date: Thu, 7 Nov 2019 17:06:20 +0800
Subject: [PATCH 1/3] Bump config version

Bump version to 1.10

Signed-off-by: DQ
---
 make/harbor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/make/harbor.yml b/make/harbor.yml
index 307ab9941..c16d73769 100644
--- a/make/harbor.yml
+++ b/make/harbor.yml
@@ -96,7 +96,7 @@ log:
 # port: 5140
 
 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
-_version: 1.9.0
+_version: 1.10.0
 
 # Uncomment external_database if using external database.
 # external_database:

From cecc0fe85a4b4d2eb864c984d80f0e8d0074a4bc Mon Sep 17 00:00:00 2001
From: DQ
Date: Thu, 7 Nov 2019 17:08:06 +0800
Subject: [PATCH 2/3] Upgrade should not render http is config not provide

Just ingore if not congifured http

Signed-off-by: DQ
---
 tools/migration/cfg/migrator_1_10_0/harbor.yml.jinja | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/migration/cfg/migrator_1_10_0/harbor.yml.jinja b/tools/migration/cfg/migrator_1_10_0/harbor.yml.jinja
index 5ce55dc83..c9386104e 100644
--- a/tools/migration/cfg/migrator_1_10_0/harbor.yml.jinja
+++ b/tools/migration/cfg/migrator_1_10_0/harbor.yml.jinja
@@ -5,10 +5,14 @@ hostname: {{ hostname }}
 
 
 # http related config
-{% if http %}
+{% if http is defined %}
 http:
 # port for http, default is 80. If https enabled, this port will redirect to https port
 port: {{ http.port }}
+{% else %}
+# http:
+# # port for http, default is 80. If https enabled, this port will redirect to https port
+# port: 80
 {% endif %}
 
 {% if https is defined %}

From 80c3e76b5af3be0ba28f221abf6cbba52d61cd38 Mon Sep 17 00:00:00 2001
From: DQ
Date: Fri, 8 Nov 2019 13:28:46 +0800
Subject: [PATCH 3/3] check the permission of ca bundle file

CA bundle need check before use
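Review bot: `{% if http is defined %}` replaces a truthiness test with a definedness test, so a config that carries the `http` key with a null or empty value now takes the first branch and renders `port: {{ http.port }}` against a missing attribute — with Jinja's default Undefined that yields an empty `port:` line rather than an error. Keeping the old guard next to the new one, `{% if http is defined and http %}`, preserves the previous behaviour for that input while still falling through to the commented-out defaults when the key is absent. Whether the migrator can actually hand the template such a value is not visible in this hunk.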
Signed-off-by: DQ
---
 make/photon/prepare/main.py | 7 +++++--
 make/photon/prepare/utils/configs.py | 22 ++++++++++++++++++++--
 make/photon/prepare/utils/misc.py | 14 ++++++++++++++
 3 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/make/photon/prepare/main.py b/make/photon/prepare/main.py
index 8f4be759e..626511fca 100644
--- a/make/photon/prepare/main.py
+++ b/make/photon/prepare/main.py
@@ -1,7 +1,8 @@
 # pylint: disable=no-value-for-parameter
+import sys
+import logging
 import click
-
 from utils.misc import delfile
 from utils.configs import validate, parse_yaml_config
 from utils.cert import prepare_ca, SSL_CERT_KEY_PATH, SSL_CERT_PATH, get_secret_key
 
@@ -34,7 +35,9 @@ def main(conf, with_notary, with_clair, with_chartmuseum):
 try:
 validate(config_dict, notary_mode=with_notary)
 except Exception as e:
- print("Config validation Error: ", e)
+ logging.info('Error happend in config validation...')
+ logging.error(e)
+ sys.exit(-1)
 
 prepare_log_configs(config_dict)
 prepare_nginx(config_dict)
diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
index d40c1ee48..12beb07d5 100644
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@@ -1,12 +1,15 @@
+import os
 import yaml
 import logging
-from g import versions_file_path
-from .misc import generate_random_string
+from g import versions_file_path, host_root_dir, DEFAULT_UID
+from utils.misc import generate_random_string, owner_can_read, other_can_read
 
 default_db_max_idle_conns = 2 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxIdleConns
 default_db_max_open_conns = 0 # NOTE: https://golang.org/pkg/database/sql/#DB.SetMaxOpenConns
 default_https_cert_path = '/your/certificate/path'
 default_https_key_path = '/your/certificate/path'
+
+
 def validate(conf: dict, **kwargs):
 # hostname validate
 if conf.get('hostname') == '127.0.0.1':
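Review bot: `logging.info('Error happend in config validation...')` in the new except branch goes through the root logger, which drops INFO records unless logging has been configured at that level somewhere outside this hunk, so in the default setup only the bare exception text from `logging.error(e)` reaches the operator; the message also has a typo. One error-level record that carries both the context and the cause does the job, `logging.error('Error happened in config validation: %s', e)`, and the exit status should be the conventional `sys.exit(1)` — `sys.exit(-1)` is reported as 255 by the shell, which scripts rarely test for. The body of main starts before this hunk and continues after it.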
@@ -47,6 +50,21 @@ def validate(conf: dict, **kwargs):
 if storage_provider_config == "":
 raise Exception(
 "Error: no provider configurations are provided for provider %s" % storage_provider_name)
+ # ca_bundle validate
+ if conf.get('registry_custom_ca_bundle_path'):
+ registry_custom_ca_bundle_path = conf.get('registry_custom_ca_bundle_path') or ''
+ ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path)
+ try:
+ uid = os.stat(ca_bundle_host_path).st_uid
+ st_mode = os.stat(ca_bundle_host_path).st_mode
+ except Exception as e:
+ logging.error(e)
+ raise Exception('Can not get file info')
+ err_msg = 'Cert File {} should be owned by user with uid 10000 or readable by others'.format(registry_custom_ca_bundle_path)
+ if uid == DEFAULT_UID and not owner_can_read(st_mode):
+ raise Exception(err_msg)
+ if uid != DEFAULT_UID and not other_can_read(st_mode):
+ raise Exception(err_msg)
 
 # Redis validate
 redis_host = conf.get("redis_host")
diff --git a/make/photon/prepare/utils/misc.py b/make/photon/prepare/utils/misc.py
index 43fa74fc8..0b4d0e66d 100644
--- a/make/photon/prepare/utils/misc.py
+++ b/make/photon/prepare/utils/misc.py
@@ -140,3 +140,17 @@ def check_permission(path: str, uid:int = None, gid:int = None, mode:int = None)
 if mode is not None and (path.stat().st_mode - mode) % 0o1000 != 0:
 return False
 return True
+
+
+def owner_can_read(st_mode: int) -> bool:
+ """
+ Check if owner have the read permission of this st_mode
+ """
+ return True if st_mode & 0o400 else False
+
+
+def other_can_read(st_mode: int) -> bool:
+ """
+ Check if other user have the read permission of this st_mode
+ """
+ return True if st_mode & 0o004 else False
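Review bot: `return True if st_mode & 0o400 else False` and the matching `0o004` line in the misc.py hunk spell out a boolean that `bool()` already produces, and both masks have named stdlib equivalents; `return bool(st_mode & stat.S_IRUSR)` and `return bool(st_mode & stat.S_IROTH)` read as the permission bit they test (this needs `import stat` at the top of misc.py, which lies outside the hunk). The two docstrings also want a grammar pass, e.g. `Check whether the owner has read permission in this st_mode` and `Check whether other users have read permission in this st_mode`. Neither helper considers the group-read bit, which is consistent with the caller's owner-or-others rule in configs.py but worth a one-line comment so the omission reads as deliberate.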