Enhance: Running contaienr with non-root user

* core * portal Signed-off-by: Qian Deng <dengq@vmware.com>
2019-07-22 06:21:28 +00:00 · 2019-07-22 06:21:28 +00:00 · 904f04fac1
parent 96b62e5741
commit 904f04fac1
5 changed files with 24 additions and 14 deletions
--- a/make/photon/portal/Dockerfile
+++ b/make/photon/portal/Dockerfile
@ -17,23 +17,24 @@ VOLUME ["/portal_src"]

 FROM photon:2.0

-RUN tdnf install -y nginx >> /dev/null \
-    && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log \
-    && tdnf clean all
-
-EXPOSE 80
-VOLUME /var/cache/nginx /var/log/nginx /run
-
-
 COPY --from=nodeportal /build_dir/dist /usr/share/nginx/html
 COPY --from=nodeportal /build_dir/swagger.yaml /usr/share/nginx/html
 COPY --from=nodeportal /build_dir/swagger.json /usr/share/nginx/html

 COPY make/photon/portal/nginx.conf /etc/nginx/nginx.conf

+RUN tdnf install -y nginx >> /dev/null \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    && tdnf clean all \
+    && chown -R 10000:10000 /etc/nginx
+
+EXPOSE 80
+VOLUME /var/cache/nginx /var/log/nginx /run
+
 STOPSIGNAL SIGQUIT

-HEALTHCHECK CMD curl --fail -s http://127.0.0.1 || exit 1
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
+
+CMD ["nginx", "-g", "pid /tmp/nginx.pid; daemon off;"]

-CMD ["nginx", "-g", "daemon off;"]
--- a/make/photon/portal/nginx.conf
+++ b/make/photon/portal/nginx.conf
@ -6,8 +6,15 @@ events {
 }

 http {
+
+    client_body_temp_path /tmp/client_body_temp;
+    proxy_temp_path /tmp/proxy_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
    server {
-        listen 80;
+        listen 8080;
        server_name  localhost;

        root   /usr/share/nginx/html;
--- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
+++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
@ -133,6 +133,7 @@ services:
    env_file:
      - ./common/config/core/env
    restart: always
+    user: 10000:10000
    cap_drop:
      - ALL
    cap_add:
@ -185,6 +186,7 @@ services:
    image: goharbor/harbor-portal:{{version}}
    container_name: harbor-portal
    restart: always
+    user: 10000:10000
    cap_drop:
      - ALL
    cap_add:
--- a/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
@ -17,7 +17,7 @@ http {
  }

  upstream portal {
-    server portal:80;
+    server portal:8080;
  }

  log_format timed_combined '$remote_addr - '
--- a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
@ -18,7 +18,7 @@ http {
  }

  upstream portal {
-    server portal:80;
+    server portal:8080;
  }
  
  log_format timed_combined '$remote_addr - '