Add proxy nginx container as non-root user
Signed-off-by: Qian Deng <dengq@vmware.com>
This commit is contained in:
parent
f8a8040c8f
commit
8b7f1ae4c0
|
@ -6,11 +6,11 @@ RUN tdnf install sudo -y >> /dev/null\
|
||||||
&& mkdir /harbor/
|
&& mkdir /harbor/
|
||||||
|
|
||||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/ping || exit 1
|
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/ping || exit 1
|
||||||
COPY ./make/photon/core/harbor_core ./make/photon/core/start.sh ./UIVERSION /harbor/
|
COPY ./make/photon/core/harbor_core ./UIVERSION /harbor/
|
||||||
COPY ./src/core/views /harbor/views
|
COPY ./src/core/views /harbor/views
|
||||||
COPY ./make/migrations /harbor/migrations
|
COPY ./make/migrations /harbor/migrations
|
||||||
|
|
||||||
RUN chmod u+x /harbor/start.sh /harbor/harbor_core
|
RUN chmod u+x /harbor/harbor_core
|
||||||
WORKDIR /harbor/
|
WORKDIR /harbor/
|
||||||
|
|
||||||
ENTRYPOINT ["/harbor/harbor_core"]
|
ENTRYPOINT ["/harbor/harbor_core"]
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
#! sh
|
|
||||||
./harbor/harbor_core
|
|
||||||
|
|
|
@ -1,14 +1,19 @@
|
||||||
FROM photon:2.0
|
FROM photon:2.0
|
||||||
|
|
||||||
RUN tdnf install -y nginx >> /dev/null\
|
RUN tdnf install sudo nginx -y >> /dev/null\
|
||||||
|
&& tdnf clean all \
|
||||||
|
&& groupadd -r -g 10000 nginx && useradd --no-log-init -r -g 10000 -u 10000 nginx \
|
||||||
&& ln -sf /dev/stdout /var/log/nginx/access.log \
|
&& ln -sf /dev/stdout /var/log/nginx/access.log \
|
||||||
&& ln -sf /dev/stderr /var/log/nginx/error.log \
|
&& ln -sf /dev/stderr /var/log/nginx/error.log
|
||||||
&& tdnf clean all
|
|
||||||
|
|
||||||
EXPOSE 80
|
|
||||||
VOLUME /var/cache/nginx /var/log/nginx /run
|
VOLUME /var/cache/nginx /var/log/nginx /run
|
||||||
|
|
||||||
|
EXPOSE 8080
|
||||||
|
|
||||||
STOPSIGNAL SIGQUIT
|
STOPSIGNAL SIGQUIT
|
||||||
|
|
||||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1 || exit 1
|
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
|
||||||
|
|
||||||
|
USER nginx
|
||||||
|
|
||||||
CMD ["nginx", "-g", "daemon off;"]
|
CMD ["nginx", "-g", "daemon off;"]
|
||||||
|
|
|
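Review bot: The new install line `RUN tdnf install sudo nginx -y >> /dev/null\` pulls `sudo` into the proxy image although nothing in this Dockerfile invokes it, and a setuid `sudo` binary is exactly the privilege-escalation surface a `USER nginx` image is meant to remove. Unless an entrypoint outside this diff depends on it, drop it: `RUN tdnf install nginx -y >> /dev/null \`. If it is needed, the sudoers rule that grants uid 10000 its specific command belongs in this same commit so a reviewer can see what the unprivileged user is able to escalate to. A smaller point: `EXPOSE 8080` replaces `EXPOSE 80`, but the https template in this commit listens on 8443, so `EXPOSE 8080 8443` would describe the container more accurately.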
@ -1,7 +1,6 @@
|
||||||
FROM node:10.15.0 as nodeportal
|
FROM node:10.15.0 as nodeportal
|
||||||
|
|
||||||
RUN mkdir -p /portal_src
|
RUN mkdir -p /portal_src && mkdir -p /build_dir
|
||||||
RUN mkdir -p /build_dir
|
|
||||||
|
|
||||||
COPY make/photon/portal/entrypoint.sh /
|
COPY make/photon/portal/entrypoint.sh /
|
||||||
COPY src/portal /portal_src
|
COPY src/portal /portal_src
|
||||||
|
@ -12,7 +11,6 @@ WORKDIR /portal_src
|
||||||
RUN npm install && \
|
RUN npm install && \
|
||||||
chmod u+x /entrypoint.sh
|
chmod u+x /entrypoint.sh
|
||||||
RUN /entrypoint.sh
|
RUN /entrypoint.sh
|
||||||
VOLUME ["/portal_src"]
|
|
||||||
|
|
||||||
|
|
||||||
FROM photon:2.0
|
FROM photon:2.0
|
||||||
|
@ -36,5 +34,5 @@ STOPSIGNAL SIGQUIT
|
||||||
|
|
||||||
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
|
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
|
||||||
|
|
||||||
CMD ["nginx", "-g", "pid /tmp/nginx.pid; daemon off;"]
|
CMD ["nginx", "-g", "daemon off;"]
|
||||||
|
|
||||||
|
|
|
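Review bot: Dropping `pid /tmp/nginx.pid;` from the CMD (`CMD ["nginx", "-g", "daemon off;"]`) makes the image depend on the nginx.conf it ships carrying that directive; if this nginx runs unprivileged, as the old CMD suggests, a mounted or customised nginx.conf without a `pid` line sends nginx back to its compiled-in pid path, which an unprivileged user typically cannot write, and the container fails to start. Since the `-g` override and a conf directive cannot coexist, the practical fix is documentation: add above the CMD `# pid and temp paths are set in nginx.conf and must stay writable by the unprivileged nginx user`.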
@ -1,5 +1,7 @@
|
||||||
|
|
||||||
worker_processes 1;
|
user nginx nginx;
|
||||||
|
worker_processes auto;
|
||||||
|
pid /tmp/nginx.pid;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
|
|
|
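Review bot: `user nginx nginx;` only takes effect when the master process starts as root; if this nginx runs unprivileged, as the `pid /tmp/nginx.pid;` added beside it suggests, nginx ignores the directive and logs `the "user" directive makes sense only if the master process runs with super-user privileges, ignored` on every start. Either drop the line, or, if this image still starts as root and relies on the directive to drop privileges, add a comment saying so, since the two mechanisms are easy to confuse in a commit titled "non-root user".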
@ -292,9 +292,9 @@ services:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
dns_search: .
|
dns_search: .
|
||||||
ports:
|
ports:
|
||||||
- {{http_port}}:80
|
- {{http_port}}:8080
|
||||||
{% if protocol == 'https' %}
|
{% if protocol == 'https' %}
|
||||||
- {{https_port}}:443
|
- {{https_port}}:8443
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if with_notary %}
|
{% if with_notary %}
|
||||||
- 4443:4443
|
- 4443:4443
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
worker_processes auto;
|
worker_processes auto;
|
||||||
|
pid /tmp/nginx.pid;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
|
@ -7,6 +8,11 @@ events {
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
|
client_body_temp_path /tmp/client_body_temp;
|
||||||
|
proxy_temp_path /tmp/proxy_temp;
|
||||||
|
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||||
|
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||||
|
scgi_temp_path /tmp/scgi_temp;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
|
|
||||||
# this is necessary for us to be able to disable request buffering in all cases
|
# this is necessary for us to be able to disable request buffering in all cases
|
||||||
|
@ -28,7 +34,7 @@ http {
|
||||||
access_log /dev/stdout timed_combined;
|
access_log /dev/stdout timed_combined;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 8080;
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
# disable any limits to avoid HTTP 413 for large image uploads
|
# disable any limits to avoid HTTP 413 for large image uploads
|
||||||
client_max_body_size 0;
|
client_max_body_size 0;
|
||||||
|
@ -117,7 +123,7 @@ http {
|
||||||
proxy_request_buffering off;
|
proxy_request_buffering off;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /service/notifications {
|
location /service/notifications {
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
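Review bot: The five `*_temp_path` directives and `pid /tmp/nginx.pid;` at the top of the `http` block carry no comment explaining why they exist, and the next maintainer is likely to "clean them up" back to the defaults. Add above `client_body_temp_path`: `# nginx runs as an unprivileged user (uid 10000): the compiled-in pid and temp directories are not writable, so keep them under /tmp`. The same comment should note that with `client_max_body_size 0` any location that does not set `proxy_request_buffering off` spools request bodies into `/tmp/client_body_temp` inside the container, so /tmp needs room for the largest expected upload.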
@ -1,4 +1,5 @@
|
||||||
worker_processes auto;
|
worker_processes auto;
|
||||||
|
pid /tmp/nginx.pid;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
|
@ -7,6 +8,11 @@ events {
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
|
client_body_temp_path /tmp/client_body_temp;
|
||||||
|
proxy_temp_path /tmp/proxy_temp;
|
||||||
|
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||||
|
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||||
|
scgi_temp_path /tmp/scgi_temp;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
include /etc/nginx/conf.d/*.upstream.conf;
|
include /etc/nginx/conf.d/*.upstream.conf;
|
||||||
|
|
||||||
|
@ -31,7 +37,7 @@ http {
|
||||||
include /etc/nginx/conf.d/*.server.conf;
|
include /etc/nginx/conf.d/*.server.conf;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 8443 ssl;
|
||||||
# server_name harbordomain.com;
|
# server_name harbordomain.com;
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
# SSL
|
# SSL
|
||||||
|
@ -141,10 +147,9 @@ http {
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 8080;
|
||||||
#server_name harbordomain.com;
|
#server_name harbordomain.com;
|
||||||
return 308 https://$host$request_uri;
|
return 308 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
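Review bot: The `pid /tmp/nginx.pid;` line and the five `*_temp_path` directives added here are a verbatim copy of the block added to the http template in this same commit, so the two templates now have to be kept in sync by hand. The `http` block already pulls in fragments with `include /etc/nginx/conf.d/*.upstream.conf;`; rendering these paths once into a shared fragment and replacing both copies with a single `include` line would keep them in one place. If the duplication is deliberate so each template stands alone, a short comment on both copies saying so avoids a later reviewer fixing one and not the other.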
@ -2,7 +2,7 @@ import os, shutil
|
||||||
from fnmatch import fnmatch
|
from fnmatch import fnmatch
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
from g import config_dir, templates_dir
|
from g import config_dir, templates_dir, DEFAULT_GID, DEFAULT_UID
|
||||||
from utils.misc import prepare_config_dir, mark_file
|
from utils.misc import prepare_config_dir, mark_file
|
||||||
from utils.jinja import render_jinja
|
from utils.jinja import render_jinja
|
||||||
from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
|
from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
|
||||||
|
@ -17,12 +17,17 @@ CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS = 'harbor.https.*.conf'
|
||||||
CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP = 'harbor.http.*.conf'
|
CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP = 'harbor.http.*.conf'
|
||||||
|
|
||||||
def prepare_nginx(config_dict):
|
def prepare_nginx(config_dict):
|
||||||
prepare_config_dir(nginx_confd_dir)
|
file_path = prepare_config_dir(nginx_confd_dir)
|
||||||
|
os.chown(file_path, DEFAULT_UID, DEFAULT_GID)
|
||||||
render_nginx_template(config_dict)
|
render_nginx_template(config_dict)
|
||||||
|
|
||||||
def render_nginx_template(config_dict):
|
def render_nginx_template(config_dict):
|
||||||
if config_dict['protocol'] == "https":
|
if config_dict['protocol'] == "https":
|
||||||
render_jinja(nginx_https_conf_template, nginx_conf,
|
render_jinja(
|
||||||
|
nginx_https_conf_template,
|
||||||
|
nginx_conf,
|
||||||
|
uid=DEFAULT_UID,
|
||||||
|
gid=DEFAULT_GID,
|
||||||
ssl_cert=SSL_CERT_PATH,
|
ssl_cert=SSL_CERT_PATH,
|
||||||
ssl_cert_key=SSL_CERT_KEY_PATH)
|
ssl_cert_key=SSL_CERT_KEY_PATH)
|
||||||
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
|
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
|
||||||
|
@ -35,7 +40,9 @@ def render_nginx_template(config_dict):
|
||||||
else:
|
else:
|
||||||
render_jinja(
|
render_jinja(
|
||||||
nginx_http_conf_template,
|
nginx_http_conf_template,
|
||||||
nginx_conf)
|
nginx_conf,
|
||||||
|
uid=DEFAULT_UID,
|
||||||
|
gid=DEFAULT_GID)
|
||||||
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
|
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
|
||||||
copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)
|
copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)
|
||||||
|
|
||||||
|
|
|
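Review bot: `copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)` still runs without `DEFAULT_UID`/`DEFAULT_GID` while the rendered templates and the confd directory now receive them; if that helper copies files as-is, a root-owned `harbor.http.*.conf` or `harbor.https.*.conf` with a restrictive mode lands in a directory nginx reads as uid 10000 and the proxy fails to load it. Chown what it copies, e.g. after the call `for p in Path(nginx_confd_dir).glob(location_file_pattern): os.chown(p, DEFAULT_UID, DEFAULT_GID)`, or pass the ids into the helper. It is also worth confirming that the private key behind `ssl_cert_key=SSL_CERT_KEY_PATH` is readable by uid 10000 at runtime: this hunk sets ownership on the rendered config, not on the key. `render_nginx_template` may continue past the end of this hunk.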
@ -72,9 +72,12 @@ def prepare_env_notary(nginx_config_dir):
|
||||||
|
|
||||||
|
|
||||||
print("Copying nginx configuration file for notary")
|
print("Copying nginx configuration file for notary")
|
||||||
shutil.copy2(
|
|
||||||
|
render_jinja(
|
||||||
os.path.join(templates_dir, "nginx", "notary.upstream.conf.jinja"),
|
os.path.join(templates_dir, "nginx", "notary.upstream.conf.jinja"),
|
||||||
os.path.join(nginx_config_dir, "notary.upstream.conf"))
|
os.path.join(nginx_config_dir, "notary.upstream.conf"),
|
||||||
|
gid=DEFAULT_GID,
|
||||||
|
uid=DEFAULT_UID)
|
||||||
|
|
||||||
mark_file(os.path.join(notary_secret_dir, "notary-signer.crt"))
|
mark_file(os.path.join(notary_secret_dir, "notary-signer.crt"))
|
||||||
mark_file(os.path.join(notary_secret_dir, "notary-signer.key"))
|
mark_file(os.path.join(notary_secret_dir, "notary-signer.key"))
|
||||||
|
@ -88,6 +91,8 @@ def prepare_notary(config_dict, nginx_config_dir, ssl_cert_path, ssl_cert_key_pa
|
||||||
render_jinja(
|
render_jinja(
|
||||||
notary_server_nginx_config_template,
|
notary_server_nginx_config_template,
|
||||||
os.path.join(nginx_config_dir, "notary.server.conf"),
|
os.path.join(nginx_config_dir, "notary.server.conf"),
|
||||||
|
gid=DEFAULT_GID,
|
||||||
|
uid=DEFAULT_UID,
|
||||||
ssl_cert=ssl_cert_path,
|
ssl_cert=ssl_cert_path,
|
||||||
ssl_cert_key=ssl_cert_key_path)
|
ssl_cert_key=ssl_cert_key_path)
|
||||||
|
|
||||||
|
|
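Review bot: The `gid=DEFAULT_GID, uid=DEFAULT_UID` keyword order in both new `render_jinja` calls is the reverse of the `uid=..., gid=...` order used in the nginx prepare code of this same commit; harmless, but worth making consistent so a grep for the pattern finds every call: `uid=DEFAULT_UID, gid=DEFAULT_GID`. Replacing `shutil.copy2` with `render_jinja` for `notary.upstream.conf.jinja` also changes what is carried over to the output: copy2 preserved the template's mode bits, so confirm that `render_jinja` with uid/gid leaves `notary.upstream.conf` readable by uid 10000 and not more permissive than before. `prepare_notary` continues beyond the end of the hunk.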