Add proxy nginx container as non-root user

Signed-off-by: Qian Deng <dengq@vmware.com>
2019-07-29 07:52:17 +00:00 · 2019-07-29 07:52:17 +00:00 · 8b7f1ae4c0
parent f8a8040c8f
commit 8b7f1ae4c0
10 changed files with 55 additions and 30 deletions
--- a/make/photon/core/Dockerfile
+++ b/make/photon/core/Dockerfile
@ -6,11 +6,11 @@ RUN tdnf install sudo -y >> /dev/null\
    && mkdir /harbor/

 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/ping || exit 1
-COPY ./make/photon/core/harbor_core ./make/photon/core/start.sh ./UIVERSION /harbor/
+COPY ./make/photon/core/harbor_core ./UIVERSION /harbor/
 COPY ./src/core/views /harbor/views
 COPY ./make/migrations /harbor/migrations

-RUN chmod u+x /harbor/start.sh /harbor/harbor_core
+RUN chmod u+x /harbor/harbor_core
 WORKDIR /harbor/

 ENTRYPOINT ["/harbor/harbor_core"]
--- a/make/photon/core/start.sh
+++ b/make/photon/core/start.sh
@ -1,3 +0,0 @@
-#! sh
-./harbor/harbor_core
-
--- a/make/photon/nginx/Dockerfile
+++ b/make/photon/nginx/Dockerfile
@ -1,14 +1,19 @@
 FROM photon:2.0

-RUN tdnf install -y nginx >> /dev/null\
+RUN tdnf install sudo nginx -y >> /dev/null\
+    && tdnf clean all \
+    && groupadd -r -g 10000 nginx && useradd --no-log-init -r -g 10000 -u 10000 nginx \
    && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log \
-    && tdnf clean all
+    && ln -sf /dev/stderr /var/log/nginx/error.log

-EXPOSE 80
 VOLUME /var/cache/nginx /var/log/nginx /run
+
+EXPOSE 8080
+
 STOPSIGNAL SIGQUIT

-HEALTHCHECK CMD curl --fail -s http://127.0.0.1 || exit 1
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
+
+USER nginx

 CMD ["nginx", "-g", "daemon off;"]
--- a/make/photon/portal/Dockerfile
+++ b/make/photon/portal/Dockerfile
@ -1,7 +1,6 @@
 FROM node:10.15.0 as nodeportal

-RUN mkdir -p /portal_src
-RUN mkdir -p /build_dir
+RUN mkdir -p /portal_src && mkdir -p /build_dir

 COPY make/photon/portal/entrypoint.sh /
 COPY src/portal /portal_src
@ -12,7 +11,6 @@ WORKDIR /portal_src
 RUN npm install && \
    chmod u+x /entrypoint.sh
 RUN /entrypoint.sh
-VOLUME ["/portal_src"]


 FROM photon:2.0
@ -36,5 +34,5 @@ STOPSIGNAL SIGQUIT

 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1

-CMD ["nginx", "-g", "pid /tmp/nginx.pid; daemon off;"]
+CMD ["nginx", "-g", "daemon off;"]

--- a/make/photon/portal/nginx.conf
+++ b/make/photon/portal/nginx.conf
@ -1,5 +1,7 @@

-worker_processes  1;
+user nginx nginx;
+worker_processes auto;
+pid /tmp/nginx.pid;

 events {
    worker_connections  1024;
--- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
+++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
@ -292,9 +292,9 @@ services:
 {% endif %}
    dns_search: .
    ports:
-      - {{http_port}}:80
+      - {{http_port}}:8080
 {% if protocol == 'https' %}
-      - {{https_port}}:443
+      - {{https_port}}:8443
 {% endif %}
 {% if with_notary %}
      - 4443:4443
--- a/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
@ -1,4 +1,5 @@
 worker_processes auto;
+pid /tmp/nginx.pid;

 events {
  worker_connections 1024;
@ -7,6 +8,11 @@ events {
 }

 http {
+  client_body_temp_path /tmp/client_body_temp;
+  proxy_temp_path /tmp/proxy_temp;
+  fastcgi_temp_path /tmp/fastcgi_temp;
+  uwsgi_temp_path /tmp/uwsgi_temp;
+  scgi_temp_path /tmp/scgi_temp;
  tcp_nodelay on;

  # this is necessary for us to be able to disable request buffering in all cases
@ -28,7 +34,7 @@ http {
  access_log /dev/stdout timed_combined;

  server {
-    listen 80;
+    listen 8080;
    server_tokens off;
    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;
@ -117,7 +123,7 @@ http {
      proxy_request_buffering off;
    }

-  location /service/notifications {
+    location /service/notifications {
      return 404;
    }
  }
--- a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
@ -1,4 +1,5 @@
 worker_processes auto;
+pid /tmp/nginx.pid;

 events {
  worker_connections 1024;
@ -7,6 +8,11 @@ events {
 }

 http {
+  client_body_temp_path /tmp/client_body_temp;
+  proxy_temp_path /tmp/proxy_temp;
+  fastcgi_temp_path /tmp/fastcgi_temp;
+  uwsgi_temp_path /tmp/uwsgi_temp;
+  scgi_temp_path /tmp/scgi_temp;
  tcp_nodelay on;
  include /etc/nginx/conf.d/*.upstream.conf;

@ -31,7 +37,7 @@ http {
  include /etc/nginx/conf.d/*.server.conf;

  server {
-    listen 443 ssl;
+    listen 8443 ssl;
 #    server_name harbordomain.com;
    server_tokens off;
    # SSL
@ -141,10 +147,9 @@ http {
      return 404;
    }
  }
-  
  server {
-    listen 80;
-    #server_name harbordomain.com;
-    return 308 https://$host$request_uri;
+      listen 8080;
+      #server_name harbordomain.com;
+      return 308 https://$host$request_uri;
  } 
 }
--- a/make/photon/prepare/utils/nginx.py
+++ b/make/photon/prepare/utils/nginx.py
@ -2,7 +2,7 @@ import os, shutil
 from fnmatch import fnmatch
 from pathlib import Path

-from g import config_dir, templates_dir
+from g import config_dir, templates_dir, DEFAULT_GID, DEFAULT_UID
 from utils.misc import prepare_config_dir, mark_file
 from utils.jinja import render_jinja
 from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
@ -17,12 +17,17 @@ CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS = 'harbor.https.*.conf'
 CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP = 'harbor.http.*.conf'

 def prepare_nginx(config_dict):
-    prepare_config_dir(nginx_confd_dir)
+    file_path = prepare_config_dir(nginx_confd_dir)
+    os.chown(file_path, DEFAULT_UID, DEFAULT_GID)
    render_nginx_template(config_dict)

 def render_nginx_template(config_dict):
    if config_dict['protocol'] == "https":
-        render_jinja(nginx_https_conf_template, nginx_conf,
+        render_jinja(
+            nginx_https_conf_template, 
+            nginx_conf,
+            uid=DEFAULT_UID,
+            gid=DEFAULT_GID,
            ssl_cert=SSL_CERT_PATH,
            ssl_cert_key=SSL_CERT_KEY_PATH)
        location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
@ -35,7 +40,9 @@ def render_nginx_template(config_dict):
    else:
        render_jinja(
            nginx_http_conf_template,
-            nginx_conf)
+            nginx_conf,
+            uid=DEFAULT_UID,
+            gid=DEFAULT_GID)
        location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
    copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)

--- a/make/photon/prepare/utils/notary.py
+++ b/make/photon/prepare/utils/notary.py
@ -72,9 +72,12 @@ def prepare_env_notary(nginx_config_dir):


    print("Copying nginx configuration file for notary")
-    shutil.copy2(
+
+    render_jinja(
        os.path.join(templates_dir, "nginx", "notary.upstream.conf.jinja"),
-        os.path.join(nginx_config_dir, "notary.upstream.conf"))
+        os.path.join(nginx_config_dir, "notary.upstream.conf"),
+        gid=DEFAULT_GID,
+        uid=DEFAULT_UID)

    mark_file(os.path.join(notary_secret_dir, "notary-signer.crt"))
    mark_file(os.path.join(notary_secret_dir, "notary-signer.key"))
@ -88,6 +91,8 @@ def prepare_notary(config_dict, nginx_config_dir, ssl_cert_path, ssl_cert_key_pa
    render_jinja(
        notary_server_nginx_config_template,
        os.path.join(nginx_config_dir, "notary.server.conf"),
+        gid=DEFAULT_GID,
+        uid=DEFAULT_UID,
        ssl_cert=ssl_cert_path,
        ssl_cert_key=ssl_cert_key_path)