Deprivilege harbor-log, harbor-db, registry image.
This change runs the processes in these Docker images as a non-root user. The Dockerfiles were also updated so the containers support "read-only" and introduce "HEALTHCHECK". Note that the "read-only" option is not enabled in docker-compose, to cover the very corner case where a user wants to update the container filesystem manually. Remove the read-only option from the docker-compose template by default.
This commit is contained in:
parent
6a9dc8a133
commit
6f335bdb1a
2
Makefile
2
Makefile
@ -313,7 +313,7 @@ prepare:
|
||||
|
||||
build_common: version
|
||||
@echo "buildging db container for photon..."
|
||||
@cd $(DOCKERFILEPATH_DB) && $(DOCKERBUILD) -f $(DOCKERFILENAME_DB) -t $(DOCKERIMAGENAME_DB):$(VERSIONTAG) .
|
||||
@cd $(DOCKERFILEPATH_DB) && $(DOCKERBUILD) --pull -f $(DOCKERFILENAME_DB) -t $(DOCKERIMAGENAME_DB):$(VERSIONTAG) .
|
||||
@echo "Done."
|
||||
|
||||
build_photon: build_common
|
||||
|
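Review bot: Adding `--pull` to the db build line makes every build re-resolve the base image tag, so the resulting image depends on whatever the registry serves for that tag at build time and the build now fails without network access. If reproducible builds matter, pin the `FROM` line of $(DOCKERFILENAME_DB) to a digest (`image@sha256:<digest>`), so that `--pull` verifies the base rather than silently moving it. The echo text `buildging` predates this change but could be corrected while this line is being touched. The `build_common:` rule continues outside the hunk.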
@ -1,5 +1,7 @@
|
||||
FROM vmware/mariadb-photon:10.2.8
|
||||
|
||||
HEALTHCHECK CMD mysqladmin -uroot -p$MYSQL_ROOT_PASSWORD ping
|
||||
|
||||
COPY registry.sql /docker-entrypoint-initdb.d/
|
||||
COPY registry-flag.sh /docker-entrypoint-initdb.d/
|
||||
COPY upgrade.sh /docker-entrypoint-updatedb.d/
|
||||
|
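Review bot: The new HEALTHCHECK puts the root password on the mysqladmin command line, where it is visible in the container's process list (`ps`, `/proc/<pid>/cmdline`) to every local user, including the unprivileged mysql account this commit introduces, for the duration of each probe. According to mysqladmin's documented behaviour, `ping` exits 0 whenever the server answers, even with an access-denied reply, so the credential is not needed for a liveness check: `HEALTHCHECK CMD mysqladmin ping`. If an authenticated probe is wanted later, supply the password via a `--defaults-extra-file` with restricted permissions rather than through argv.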
@ -4,7 +4,7 @@ FROM vmware/photon:1.0
|
||||
|
||||
RUN tdnf distro-sync -y || echo \
|
||||
&& tdnf install -y sed shadow procps-ng gawk gzip sudo net-tools \
|
||||
&& groupadd -r -g 999 mysql && useradd --no-log-init -r -g 999 -u 999 mysql \
|
||||
&& groupadd -r -g 10000 mysql && useradd --no-log-init -r -g 10000 -u 10000 mysql \
|
||||
&& tdnf install -y mariadb-server mariadb \
|
||||
&& mkdir /docker-entrypoint-initdb.d /docker-entrypoint-updatedb.d \
|
||||
&& rm -fr /var/lib/mysql \
|
||||
@ -18,7 +18,7 @@ RUN chmod +x /usr/local/bin/docker-entrypoint.sh
|
||||
COPY my.cnf /etc/
|
||||
RUN ln -s usr/local/bin/docker-entrypoint.sh /
|
||||
|
||||
VOLUME /var/lib/mysql
|
||||
VOLUME /var/lib/mysql /docker-entrypoint-initdb.d /docker-entrypoint-updatedb.d /tmp /var/run/mysqld
|
||||
EXPOSE 3306
|
||||
|
||||
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
|
||||
|
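Review bot: Moving the mysql account from uid/gid 999 to 10000 (hunk @ -4,7) changes the owner the unprivileged server expects for everything under /var/lib/mysql, so a host volume populated by an earlier image stays owned by 999 and the server will fail to open it unless something re-owns it at start; the entrypoint is outside this hunk, so I cannot tell whether it does, and either it should or the upgrade notes should state the manual `chown -R 10000:10000` step. The paths added to `VOLUME` (hunk @ -18,7) become anonymous volumes seeded with the image layer's content and ownership, and /var/run/mysqld and /tmp must be writable by 10000, which nothing in these hunks sets explicitly — a `RUN mkdir -p /var/run/mysqld && chown 10000:10000 /var/run/mysqld /tmp` placed before the VOLUME line would make that visible. A comment on the VOLUME line such as `# anonymous volumes so the container can run with --read-only` would explain why /tmp and /var/run/mysqld are listed there at all.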
@ -6,6 +6,5 @@ RUN tdnf distro-sync -y || echo \
|
||||
&& tdnf install -y cronie rsyslog shadow tar gzip \
|
||||
&& mkdir /etc/rsyslog.d/ \
|
||||
&& mkdir /var/spool/rsyslog \
|
||||
&& groupadd syslog \
|
||||
&& useradd -g syslog syslog \
|
||||
&& groupadd -r -g 10000 syslog && useradd --no-log-init -r -g 10000 -u 10000 syslog \
|
||||
&& tdnf clean all
|
||||
|
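Review bot: The syslog account now shares uid/gid 10000 with the mysql account (db Dockerfile, hunk @ -4,7) and with the harbor account created in the registry Dockerfile, so on the host every directory these services write through bind mounts (the log directory, registry storage, database data) ends up owned by the same uid, and a process compromised in one container has filesystem-level access to the others' data wherever mounts overlap. That may be an acceptable trade-off for simple host permissions, but it deserves a comment at each `useradd`, e.g. `# uid 10000 is shared by all Harbor service accounts; keep bind mounts per service`, and distinct uids per service would be the stricter choice. The `RUN` chain starts before this hunk.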
@ -9,7 +9,7 @@ services:
|
||||
volumes:
|
||||
- /var/log/harbor/:/var/log/docker/:z
|
||||
ports:
|
||||
- 127.0.0.1:1514:514
|
||||
- 127.0.0.1:1514:10514
|
||||
networks:
|
||||
- harbor
|
||||
registry:
|
||||
|
@ -75,7 +75,7 @@ build:
|
||||
@echo "Done."
|
||||
|
||||
@echo "building log container for photon..."
|
||||
$(DOCKERBUILD) -f $(DOCKERFILEPATH_LOG)/$(DOCKERFILENAME_LOG) -t $(DOCKERIMAGENAME_LOG):$(VERSIONTAG) .
|
||||
$(DOCKERBUILD) -f $(DOCKERFILEPATH_LOG)/$(DOCKERFILENAME_LOG) -t $(DOCKERIMAGENAME_LOG):$(VERSIONTAG) $(DOCKERFILEPATH_LOG)
|
||||
@echo "Done."
|
||||
|
||||
cleanimage:
|
||||
|
@ -1,16 +1,24 @@
|
||||
FROM vmware/rsyslog-photon:8.15.0
|
||||
|
||||
ADD make/common/log/rsyslog.conf /etc/rsyslog.conf
|
||||
COPY rsyslog.conf /etc/rsyslog.conf
|
||||
|
||||
# rotate logs weekly
|
||||
# notes: file name cannot contain dot, or the script will not run
|
||||
ADD make/common/log/rotate.sh /etc/cron.daily/rotate
|
||||
COPY rotate.sh /etc/cron.daily/rotate
|
||||
|
||||
# rsyslog configuration file for docker
|
||||
ADD make/common/log/rsyslog_docker.conf /etc/rsyslog.d/
|
||||
COPY rsyslog_docker.conf /etc/rsyslog.d/
|
||||
|
||||
VOLUME /var/log/docker/
|
||||
COPY start.sh /usr/local/bin/
|
||||
RUN chmod +x /usr/local/bin/start.sh && \
|
||||
tdnf install -y sudo net-tools && \
|
||||
chown -R 10000:10000 /run
|
||||
|
||||
EXPOSE 514
|
||||
HEALTHCHECK CMD netstat -ltu|grep 10514
|
||||
|
||||
CMD crond && rm -f /var/run/rsyslogd.pid && rsyslogd -n
|
||||
VOLUME /var/log/docker/ /run/
|
||||
|
||||
EXPOSE 10514
|
||||
|
||||
#CMD crond && rm -f /var/run/rsyslogd.pid && rsyslogd -n
|
||||
CMD /usr/local/bin/start.sh
|
||||
|
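Review bot: The commented-out `#CMD crond && rm -f /var/run/rsyslogd.pid && rsyslogd -n` kept above the new `CMD /usr/local/bin/start.sh` is dead code that now duplicates the start sequence in start.sh; delete it rather than leave two versions. The health check `netstat -ltu|grep 10514` is not anchored to the port column and runs without `-n`, so the match would be lost if /etc/services ever mapped that port to a name and could match other text on a line; `HEALTHCHECK CMD netstat -ltun | grep -q ':10514 '` checks exactly the listener it means. The new `chown -R 10000:10000 /run` is done before `/run/` is declared a VOLUME, which is the right order, but a comment like `# seed ownership of the anonymous /run volume for the unprivileged rsyslogd` would save the next reader from wondering why ownership is set on a directory that is then volumed.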
@ -10,17 +10,17 @@
|
||||
#### MODULES ####
|
||||
#################
|
||||
|
||||
$ModLoad imuxsock # provides support for local system logging
|
||||
#$ModLoad imuxsock # provides support for local system logging
|
||||
#$ModLoad imklog # provides kernel logging support
|
||||
#$ModLoad immark # provides --MARK-- message capability
|
||||
|
||||
# provides UDP syslog reception
|
||||
$ModLoad imudp
|
||||
$UDPServerRun 514
|
||||
$UDPServerRun 10514
|
||||
|
||||
# provides TCP syslog reception
|
||||
$ModLoad imtcp
|
||||
$InputTCPServerRun 514
|
||||
$InputTCPServerRun 10514
|
||||
|
||||
# Enable non-kernel facility klog messages
|
||||
#$KLogPermitNonKernelFacility on
|
7
make/photon/log/start.sh
Normal file
7
make/photon/log/start.sh
Normal file
@ -0,0 +1,7 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
chown -R 10000:10000 /var/log/docker
|
||||
crond
|
||||
rm -f /var/run/rsyslogd.pid
|
||||
sudo -u \#10000 -E 'rsyslogd' '-n'
|
||||
set +e
|
@ -5,17 +5,22 @@ MAINTAINER wangyan@vmware.com
|
||||
# The original script in the docker offical registry image.
|
||||
RUN tdnf distro-sync -y \
|
||||
&& tdnf erase vim -y \
|
||||
&& tdnf clean all
|
||||
&& tdnf install sudo -y \
|
||||
&& tdnf clean all \
|
||||
&& groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor
|
||||
|
||||
COPY entrypoint.sh /
|
||||
RUN chmod u+x /entrypoint.sh
|
||||
|
||||
RUN mkdir -p /etc/docker/registry
|
||||
COPY config.yml /etc/docker/registry/config.yml
|
||||
RUN mkdir -p /etc/registry
|
||||
COPY config.yml /etc/registry/config.yml
|
||||
|
||||
COPY binary/registry /usr/bin
|
||||
RUN chmod u+x /usr/bin/registry
|
||||
|
||||
HEALTHCHECK CMD curl 127.0.0.1:5000/
|
||||
|
||||
VOLUME ["/var/lib/registry"]
|
||||
EXPOSE 5000
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
CMD ["/etc/docker/registry/config.yml"]
|
||||
CMD ["/etc/registry/config.yml"]
|
||||
|
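Review bot: `RUN chmod u+x /usr/bin/registry` only adds the owner execute bit on a file COPY leaves root-owned, so whether uid 10000 can run it under `sudo` from entrypoint.sh depends entirely on the mode the binary already carried in the build context; `RUN chmod 0755 /usr/bin/registry` states the requirement instead of relying on that. `HEALTHCHECK CMD curl 127.0.0.1:5000/` reports healthy for any HTTP response, including 5xx, because curl without `-f` only fails on transport errors; `HEALTHCHECK CMD curl -fsS http://127.0.0.1:5000/` fails on server errors too, and the image must actually contain curl, which this hunk does not show being installed. The `RUN tdnf` chain begins before the hunk.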
@ -2,9 +2,18 @@
|
||||
|
||||
set -e
|
||||
|
||||
if [ -d /etc/registry ]; then
|
||||
chown 10000:10000 -R /etc/registry
|
||||
fi
|
||||
if [ -d /var/lib/registry ]; then
|
||||
chown 10000:10000 -R /var/lib/registry
|
||||
fi
|
||||
if [ -d /storage ]; then
|
||||
chown 10000:10000 -R /storage
|
||||
fi
|
||||
case "$1" in
|
||||
*.yaml|*.yml) set -- registry serve "$@" ;;
|
||||
serve|garbage-collect|help|-*) set -- registry "$@" ;;
|
||||
esac
|
||||
|
||||
exec "$@"
|
||||
sudo -E -u \#10000 "$@"
|
||||
|
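Review bot: The three `chown 10000:10000 -R` calls run as root on every container start and walk every file under /var/lib/registry and /storage, so on a large registry each restart spends a long time re-owning blobs that are already correct, and any foreign file placed on the bind mount is re-owned as well. Checking the top-level owner first limits the walk to the one migration start that needs it; the check is a heuristic (a partially chowned tree would be skipped), which the comment should say. Dropping `exec` in the final line has the signal-delivery consequence already noted on start.sh in this commit.
```bash
# … unchanged: set -e …
# Re-own the service directories only when they are not already uid 10000,
# so the blob tree is not walked on every start. Heuristic: only the top-level
# owner is checked, so a partially migrated tree needs a manual chown.
for d in /etc/registry /var/lib/registry /storage; do
    if [ -d "$d" ] && [ "$(stat -c %u "$d")" != "10000" ]; then
        chown 10000:10000 -R "$d"
    fi
done
# … unchanged: case "$1" dispatch …
exec sudo -E -u \#10000 "$@"
```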