diff --git a/make/photon/core/Dockerfile b/make/photon/core/Dockerfile
index 994348aaa..40739acdc 100644
--- a/make/photon/core/Dockerfile
+++ b/make/photon/core/Dockerfile
@@ -6,11 +6,11 @@ RUN tdnf install sudo -y >> /dev/null\
 && mkdir /harbor/
 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/ping || exit 1
-COPY ./make/photon/core/harbor_core ./make/photon/core/start.sh ./UIVERSION /harbor/
+COPY ./make/photon/core/harbor_core ./UIVERSION /harbor/
 COPY ./src/core/views /harbor/views
 COPY ./make/migrations /harbor/migrations
-RUN chmod u+x /harbor/start.sh /harbor/harbor_core
+RUN chmod u+x /harbor/harbor_core
 WORKDIR /harbor/
 ENTRYPOINT ["/harbor/harbor_core"]
diff --git a/make/photon/core/start.sh b/make/photon/core/start.sh
deleted file mode 100644
index 82595202e..000000000
--- a/make/photon/core/start.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#! sh
-./harbor/harbor_core
-
diff --git a/make/photon/nginx/Dockerfile b/make/photon/nginx/Dockerfile
index 3d244ee58..902107205 100644
--- a/make/photon/nginx/Dockerfile
+++ b/make/photon/nginx/Dockerfile
@@ -1,14 +1,19 @@
 FROM photon:2.0
-RUN tdnf install -y nginx >> /dev/null\
+RUN tdnf install sudo nginx -y >> /dev/null\
+ && tdnf clean all \
+ && groupadd -r -g 10000 nginx && useradd --no-log-init -r -g 10000 -u 10000 nginx \
 && ln -sf /dev/stdout /var/log/nginx/access.log \
- && ln -sf /dev/stderr /var/log/nginx/error.log \
- && tdnf clean all
+ && ln -sf /dev/stderr /var/log/nginx/error.log
-EXPOSE 80
 VOLUME /var/cache/nginx /var/log/nginx /run
+
+EXPOSE 8080
+
 STOPSIGNAL SIGQUIT
-HEALTHCHECK CMD curl --fail -s http://127.0.0.1 || exit 1
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
+
+USER nginx
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/make/photon/portal/Dockerfile b/make/photon/portal/Dockerfile
index 6d9acf40d..5033bb9ff 100644
--- a/make/photon/portal/Dockerfile
+++ b/make/photon/portal/Dockerfile
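Review bot: The nginx image hunk adds `sudo` to the `tdnf install` line in the same change that switches the container to `USER nginx`, which leaves a setuid-root binary in an image whose process is now meant to run unprivileged. Nothing in this hunk, or elsewhere in the diff, adds a sudoers entry or calls sudo, so the package appears unused; if that is the case, `RUN tdnf install nginx -y >> /dev/null\` keeps the image to what it needs, and if an entrypoint outside this diff does need it, a comment naming that command would tell reviewers why it is there. The retained `VOLUME /var/cache/nginx /var/log/nginx /run` also looks partly stale now that the templates move the pid file and temp paths to /tmp for the uid-10000 user; confirming which of those directories the non-root worker still writes would let the list be trimmed to match.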
@@ -1,7 +1,6 @@
 FROM node:10.15.0 as nodeportal
-RUN mkdir -p /portal_src
-RUN mkdir -p /build_dir
+RUN mkdir -p /portal_src && mkdir -p /build_dir
 COPY make/photon/portal/entrypoint.sh /
 COPY src/portal /portal_src
@@ -12,7 +11,6 @@ WORKDIR /portal_src
 RUN npm install && \
 chmod u+x /entrypoint.sh
 RUN /entrypoint.sh
-VOLUME ["/portal_src"]
 FROM photon:2.0
@@ -36,5 +34,5 @@ STOPSIGNAL SIGQUIT
 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
-CMD ["nginx", "-g", "pid /tmp/nginx.pid; daemon off;"]
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/make/photon/portal/nginx.conf b/make/photon/portal/nginx.conf
index 2695a3637..9a643e340 100644
--- a/make/photon/portal/nginx.conf
+++ b/make/photon/portal/nginx.conf
@@ -1,5 +1,7 @@
-worker_processes 1;
+user nginx nginx;
+worker_processes auto;
+pid /tmp/nginx.pid;
 events {
 worker_connections 1024;
diff --git a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
index 6f4db9d19..59725e3e3 100644
--- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
+++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
@@ -292,9 +292,9 @@ services:
 {% endif %}
 dns_search: .
 ports:
- - {{http_port}}:80
+ - {{http_port}}:8080
 {% if protocol == 'https' %}
- - {{https_port}}:443
+ - {{https_port}}:8443
 {% endif %}
 {% if with_notary %}
 - 4443:4443
diff --git a/make/photon/prepare/templates/nginx/nginx.http.conf.jinja b/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
index 37553631c..09e1f4346 100644
--- a/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
@@ -1,4 +1,5 @@
 worker_processes auto;
+pid /tmp/nginx.pid;
 events {
 worker_connections 1024;
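Review bot: The `user nginx nginx;` directive added to make/photon/portal/nginx.conf only has an effect when the nginx master process starts as root; if the portal image already runs as an unprivileged user (the HEALTHCHECK on 8080 and the new `pid /tmp/nginx.pid;` both point that way, though the portal Dockerfile's `USER` line is outside these hunks), nginx emits a startup warning that the directive is ignored and the line is dead configuration. If the master does start as root, note that `user` only drops privileges for the worker processes and the master keeps root, so it is not a substitute for `USER` in the Dockerfile. Either way, a one-line comment above it stating which case applies would make the intent clear.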
@@ -7,6 +8,11 @@ events {
 }
 http {
+ client_body_temp_path /tmp/client_body_temp;
+ proxy_temp_path /tmp/proxy_temp;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
 tcp_nodelay on;
 # this is necessary for us to be able to disable request buffering in all cases
@@ -28,7 +34,7 @@ http {
 access_log /dev/stdout timed_combined;
 server {
- listen 80;
+ listen 8080;
 server_tokens off;
 # disable any limits to avoid HTTP 413 for large image uploads
 client_max_body_size 0;
@@ -117,7 +123,7 @@ http {
 proxy_request_buffering off;
 }
- location /service/notifications {
+ location /service/notifications {
 return 404;
 }
 }
diff --git a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
index c3fa98a4a..e4ac93078 100644
--- a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
@@ -1,4 +1,5 @@
 worker_processes auto;
+pid /tmp/nginx.pid;
 events {
 worker_connections 1024;
@@ -7,6 +8,11 @@ events {
 }
 http {
+ client_body_temp_path /tmp/client_body_temp;
+ proxy_temp_path /tmp/proxy_temp;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
 tcp_nodelay on;
 include /etc/nginx/conf.d/*.upstream.conf;
@@ -31,7 +37,7 @@ http {
 include /etc/nginx/conf.d/*.server.conf;
 server {
- listen 443 ssl;
+ listen 8443 ssl;
 # server_name harbordomain.com;
 server_tokens off;
 # SSL
@@ -141,10 +147,9 @@ http {
 return 404;
 }
 }
-
 server {
- listen 80;
- #server_name harbordomain.com;
- return 308 https://$host$request_uri;
+ listen 8080;
+ #server_name harbordomain.com;
+ return 308 https://$host$request_uri;
 }
 }
diff --git a/make/photon/prepare/utils/nginx.py b/make/photon/prepare/utils/nginx.py
index a8706349a..3705e31a7 100644
--- a/make/photon/prepare/utils/nginx.py
+++ b/make/photon/prepare/utils/nginx.py
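Review bot: The five `*_temp_path` directives relocated to /tmp in nginx.http.conf.jinja (and the identical block in nginx.https.conf.jinja) send buffered request bodies and proxied responses to the container's writable layer rather than to `/var/cache/nginx`, which the nginx image still declares as a volume and which is presumably where these paths resolved before. With `client_max_body_size 0` in the same file, any location that does not set `proxy_request_buffering off` can write very large uploads into overlay storage; pointing the temp paths at a directory on the cache volume owned by the new nginx uid would keep the volume in use and the writable layer small. A short comment above the block saying that the relocation exists so the non-root worker can create its temp directories would also spare the next reader from guessing.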
@@ -2,7 +2,7 @@ import os, shutil
 from fnmatch import fnmatch
 from pathlib import Path
-from g import config_dir, templates_dir
+from g import config_dir, templates_dir, DEFAULT_GID, DEFAULT_UID
 from utils.misc import prepare_config_dir, mark_file
 from utils.jinja import render_jinja
 from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
@@ -17,12 +17,17 @@ CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS = 'harbor.https.*.conf'
 CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP = 'harbor.http.*.conf'
 def prepare_nginx(config_dict):
- prepare_config_dir(nginx_confd_dir)
+ file_path = prepare_config_dir(nginx_confd_dir)
+ os.chown(file_path, DEFAULT_UID, DEFAULT_GID)
 render_nginx_template(config_dict)
 def render_nginx_template(config_dict):
 if config_dict['protocol'] == "https":
- render_jinja(nginx_https_conf_template, nginx_conf,
+ render_jinja(
+ nginx_https_conf_template,
+ nginx_conf,
+ uid=DEFAULT_UID,
+ gid=DEFAULT_GID,
 ssl_cert=SSL_CERT_PATH, ssl_cert_key=SSL_CERT_KEY_PATH)
 location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
@@ -35,7 +40,9 @@ def render_nginx_template(config_dict):
 else:
 render_jinja(
 nginx_http_conf_template,
- nginx_conf)
+ nginx_conf,
+ uid=DEFAULT_UID,
+ gid=DEFAULT_GID)
 location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
 copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)
diff --git a/make/photon/prepare/utils/notary.py b/make/photon/prepare/utils/notary.py
index 8d1d1175e..87dae8d08 100644
--- a/make/photon/prepare/utils/notary.py
+++ b/make/photon/prepare/utils/notary.py
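Review bot: `os.chown(file_path, DEFAULT_UID, DEFAULT_GID)` in prepare_nginx assumes prepare_config_dir returns the directory it created; the old code discarded that result, so if the helper in utils.misc (outside this diff) returns None the new line fails with a TypeError rather than a clear message — worth confirming its return value. The chown is also not recursive: the rendered files get their owner through the new `uid=`/`gid=` arguments to render_jinja, but the custom location files that `copy_nginx_location_configs_if_exist` copies into nginx_confd_dir at the end of render_nginx_template keep whatever ownership the copy gives them, so if the nginx user must read those too the same uid/gid should be applied there. Minor: this file passes `uid=DEFAULT_UID, gid=DEFAULT_GID` while the notary.py hunks pass `gid=DEFAULT_GID, uid=DEFAULT_UID`; one order across call sites reads better.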
@@ -72,9 +72,12 @@ def prepare_env_notary(nginx_config_dir):
 print("Copying nginx configuration file for notary")
- shutil.copy2(
+
+ render_jinja(
 os.path.join(templates_dir, "nginx", "notary.upstream.conf.jinja"),
- os.path.join(nginx_config_dir, "notary.upstream.conf"))
+ os.path.join(nginx_config_dir, "notary.upstream.conf"),
+ gid=DEFAULT_GID,
+ uid=DEFAULT_UID)
 mark_file(os.path.join(notary_secret_dir, "notary-signer.crt"))
 mark_file(os.path.join(notary_secret_dir, "notary-signer.key"))
@@ -88,6 +91,8 @@ def prepare_notary(config_dict, nginx_config_dir, ssl_cert_path, ssl_cert_key_pa
 render_jinja(
 notary_server_nginx_config_template,
 os.path.join(nginx_config_dir, "notary.server.conf"),
+ gid=DEFAULT_GID,
+ uid=DEFAULT_UID,
 ssl_cert=ssl_cert_path,
 ssl_cert_key=ssl_cert_key_path)
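Review bot: Both notary.py hunks use `DEFAULT_GID` and `DEFAULT_UID`, but no hunk in this diff touches notary.py's import block — the matching `from g import ..., DEFAULT_GID, DEFAULT_UID` change appears only in nginx.py — so unless notary.py already imports them (its imports are outside the hunk), prepare_env_notary raises NameError at call time. Replacing `shutil.copy2` with `render_jinja` for notary.upstream.conf.jinja also means that file is now evaluated as a template instead of copied verbatim; if it was never rendered before, any literal `{{` or `{%` in it would now be interpreted, so a quick look at the template's contents is warranted. The print on the first context line still says "Copying", which no longer describes what the block does; `print("Rendering nginx configuration file for notary")` would match the new behaviour.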