Deprivilege harobr-log, harbor-db, registry image.

This change involves using non-root user to run the process of the
docker images.  Also made update in Dockerfile to make the containers
support "read-only" and introduce "HEALTHCHECK". Note the "read-only"
options are not enabled in docker-compose, to cover the very corner
case when user wants to update the container filesystem manually.

Remove read only option from docker-compose template by default

Makefile

@@ -313,7 +313,7 @@ prepare:
 
 build_common: version
 	@echo "buildging db container for photon..."
-	@cd $(DOCKERFILEPATH_DB) && $(DOCKERBUILD) -f $(DOCKERFILENAME_DB) -t $(DOCKERIMAGENAME_DB):$(VERSIONTAG) .
+	@cd $(DOCKERFILEPATH_DB) && $(DOCKERBUILD) --pull -f $(DOCKERFILENAME_DB) -t $(DOCKERIMAGENAME_DB):$(VERSIONTAG) .
 	@echo "Done."
 
 build_photon: build_common

make/common/db/Dockerfile

@@ -1,5 +1,7 @@
 FROM vmware/mariadb-photon:10.2.8
 
+HEALTHCHECK CMD mysqladmin -uroot -p$MYSQL_ROOT_PASSWORD ping
+
 COPY registry.sql /docker-entrypoint-initdb.d/
 COPY registry-flag.sh /docker-entrypoint-initdb.d/
 COPY upgrade.sh /docker-entrypoint-updatedb.d/

make/common/mariadb/Dockerfile

@@ -4,7 +4,7 @@ FROM vmware/photon:1.0
 
 RUN tdnf distro-sync -y || echo \
     && tdnf install -y sed shadow procps-ng gawk gzip sudo net-tools \
-    && groupadd -r -g 999 mysql && useradd --no-log-init -r -g 999 -u 999 mysql \
+    && groupadd -r -g 10000 mysql && useradd --no-log-init -r -g 10000 -u 10000 mysql \
     && tdnf install -y mariadb-server mariadb \
     && mkdir /docker-entrypoint-initdb.d /docker-entrypoint-updatedb.d \
     && rm -fr /var/lib/mysql \
@@ -18,7 +18,7 @@ RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 COPY my.cnf /etc/
 RUN ln -s usr/local/bin/docker-entrypoint.sh /
 
-VOLUME /var/lib/mysql
+VOLUME /var/lib/mysql /docker-entrypoint-initdb.d /docker-entrypoint-updatedb.d /tmp /var/run/mysqld
 EXPOSE 3306
 
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

make/common/rsyslog/Dockerfile

@@ -6,6 +6,5 @@ RUN tdnf distro-sync -y || echo \
     && tdnf install -y cronie rsyslog shadow tar gzip \
 	&& mkdir /etc/rsyslog.d/ \
     && mkdir /var/spool/rsyslog \
-    && groupadd syslog \
-    && useradd -g syslog syslog \
+    && groupadd -r -g 10000 syslog && useradd --no-log-init -r -g 10000 -u 10000 syslog \
     && tdnf clean all

make/docker-compose.tpl

@@ -9,7 +9,7 @@ services:
     volumes:
       - /var/log/harbor/:/var/log/docker/:z
     ports:
-      - 127.0.0.1:1514:514
+      - 127.0.0.1:1514:10514
     networks:
       - harbor
   registry:

make/photon/Makefile

@@ -75,7 +75,7 @@ build:
 	@echo "Done."
 	
 	@echo "building log container for photon..."
-	$(DOCKERBUILD) -f $(DOCKERFILEPATH_LOG)/$(DOCKERFILENAME_LOG) -t $(DOCKERIMAGENAME_LOG):$(VERSIONTAG) .
+	$(DOCKERBUILD) -f $(DOCKERFILEPATH_LOG)/$(DOCKERFILENAME_LOG) -t $(DOCKERIMAGENAME_LOG):$(VERSIONTAG) $(DOCKERFILEPATH_LOG)
 	@echo "Done."
 	
 cleanimage:

make/photon/log/Dockerfile

@@ -1,16 +1,24 @@
 FROM vmware/rsyslog-photon:8.15.0
 
-ADD make/common/log/rsyslog.conf /etc/rsyslog.conf
+COPY rsyslog.conf /etc/rsyslog.conf
 
 # rotate logs weekly
 # notes: file name cannot contain dot, or the script will not run
-ADD make/common/log/rotate.sh /etc/cron.daily/rotate
+COPY rotate.sh /etc/cron.daily/rotate
 
 # rsyslog configuration file for docker
-ADD make/common/log/rsyslog_docker.conf /etc/rsyslog.d/
+COPY rsyslog_docker.conf /etc/rsyslog.d/
 
-VOLUME /var/log/docker/
+COPY start.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/start.sh && \
+    tdnf install -y sudo net-tools && \
+    chown -R 10000:10000 /run 
 
-EXPOSE 514
+HEALTHCHECK CMD netstat -ltu|grep 10514
 
-CMD crond && rm -f /var/run/rsyslogd.pid && rsyslogd -n
+VOLUME /var/log/docker/ /run/
+
+EXPOSE 10514
+
+#CMD crond && rm -f /var/run/rsyslogd.pid && rsyslogd -n
+CMD /usr/local/bin/start.sh

make/photon/log/rsyslog.conf

@@ -10,17 +10,17 @@
 #### MODULES ####
 #################
 
-$ModLoad imuxsock # provides support for local system logging
+#$ModLoad imuxsock # provides support for local system logging
 #$ModLoad imklog   # provides kernel logging support
 #$ModLoad immark  # provides --MARK-- message capability
 
 # provides UDP syslog reception
 $ModLoad imudp
-$UDPServerRun 514
+$UDPServerRun 10514
 
 # provides TCP syslog reception
 $ModLoad imtcp
-$InputTCPServerRun 514
+$InputTCPServerRun 10514
              
 # Enable non-kernel facility klog messages
 #$KLogPermitNonKernelFacility on

make/photon/log/start.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+chown -R 10000:10000 /var/log/docker
+crond
+rm -f /var/run/rsyslogd.pid
+sudo -u \#10000 -E  'rsyslogd' '-n'
+set +e

make/photon/registry/Dockerfile

@@ -5,17 +5,22 @@ MAINTAINER wangyan@vmware.com
 # The original script in the docker offical registry image.
 RUN tdnf distro-sync -y \
     && tdnf erase vim -y \
-    && tdnf clean all
+    && tdnf install sudo -y \
+    && tdnf clean all \
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
+
 COPY entrypoint.sh /
 RUN chmod u+x /entrypoint.sh
 
-RUN mkdir -p /etc/docker/registry
-COPY config.yml /etc/docker/registry/config.yml
+RUN mkdir -p /etc/registry
+COPY config.yml /etc/registry/config.yml
 
 COPY binary/registry /usr/bin
 RUN chmod u+x /usr/bin/registry
 
+HEALTHCHECK CMD curl 127.0.0.1:5000/
+
 VOLUME ["/var/lib/registry"]
 EXPOSE 5000
 ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/etc/docker/registry/config.yml"]
+CMD ["/etc/registry/config.yml"]

make/photon/registry/entrypoint.sh

@@ -2,9 +2,18 @@
 
 set -e
 
+if [ -d /etc/registry ]; then
+    chown 10000:10000 -R /etc/registry
+fi
+if [ -d /var/lib/registry ]; then
+    chown 10000:10000 -R /var/lib/registry
+fi  
+if [ -d /storage ]; then
+    chown 10000:10000 -R /storage
+fi  
 case "$1" in
     *.yaml|*.yml) set -- registry serve "$@" ;;
     serve|garbage-collect|help|-*) set -- registry "$@" ;;
 esac
 
-exec "$@"
+sudo -E -u \#10000 "$@"