From 904f04fac174214219ddcfed30c58d5972eea3a1 Mon Sep 17 00:00:00 2001
From: Qian Deng
Date: Mon, 22 Jul 2019 06:21:28 +0000
Subject: [PATCH] Enhance: Running contaienr with non-root user

* core
* portal

Signed-off-by: Qian Deng
---
 make/photon/portal/Dockerfile | 23 ++++++++++---------
 make/photon/portal/nginx.conf | 9 +++++++-
 .../docker_compose/docker-compose.yml.jinja | 2 ++
 .../templates/nginx/nginx.http.conf.jinja | 2 +-
 .../templates/nginx/nginx.https.conf.jinja | 2 +-
 5 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/make/photon/portal/Dockerfile b/make/photon/portal/Dockerfile
index 6201519da..6d9acf40d 100644
--- a/make/photon/portal/Dockerfile
+++ b/make/photon/portal/Dockerfile
@@ -17,23 +17,24 @@ VOLUME ["/portal_src"]
 FROM photon:2.0
-RUN tdnf install -y nginx >> /dev/null \
- && ln -sf /dev/stdout /var/log/nginx/access.log \
- && ln -sf /dev/stderr /var/log/nginx/error.log \
- && tdnf clean all
-
-EXPOSE 80
-VOLUME /var/cache/nginx /var/log/nginx /run
-
-
 COPY --from=nodeportal /build_dir/dist /usr/share/nginx/html
 COPY --from=nodeportal /build_dir/swagger.yaml /usr/share/nginx/html
 COPY --from=nodeportal /build_dir/swagger.json /usr/share/nginx/html
 COPY make/photon/portal/nginx.conf /etc/nginx/nginx.conf
+RUN tdnf install -y nginx >> /dev/null \
+ && ln -sf /dev/stdout /var/log/nginx/access.log \
+ && ln -sf /dev/stderr /var/log/nginx/error.log \
+ && tdnf clean all \
+ && chown -R 10000:10000 /etc/nginx
+
+EXPOSE 80
+VOLUME /var/cache/nginx /var/log/nginx /run
+
 STOPSIGNAL SIGQUIT
-HEALTHCHECK CMD curl --fail -s http://127.0.0.1 || exit 1
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080 || exit 1
+
+CMD ["nginx", "-g", "pid /tmp/nginx.pid; daemon off;"]
-CMD ["nginx", "-g", "daemon off;"]
diff --git a/make/photon/portal/nginx.conf b/make/photon/portal/nginx.conf
index b9b631df7..2695a3637 100644
--- a/make/photon/portal/nginx.conf
+++ b/make/photon/portal/nginx.conf
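Review bot: `EXPOSE 80` in the re-added RUN/EXPOSE group no longer matches the port the image serves on: the HEALTHCHECK in the same hunk probes 127.0.0.1:8080 and the nginx.conf change in this patch moves `listen` to 8080, so the line should read `EXPOSE 8080`. The hunk chowns /etc/nginx to 10000:10000 but adds no `USER` directive, so `docker run` on this image by itself still starts nginx as root and only the compose `user:` entry enforces the non-root process; adding `USER 10000` after the RUN makes the image non-root on its own, and since nginx only reads its configuration, read permission for that UID would be enough without a recursive chown that makes the config writable by the service account. Moving the four COPY lines ahead of `tdnf install -y nginx` installs the package on top of the copied files; if the photon nginx package ships its own /etc/nginx/nginx.conf or a default /usr/share/nginx/html/index.html, the install could replace what was just copied (the previous order avoided this), which is worth verifying in the built image. The pid file is moved to /tmp while /run is still declared as a VOLUME; presumably /run is not writable for UID 10000, and a comment such as `# non-root: /run is not writable for uid 10000, keep the pid file in /tmp` on the CMD line would record that.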
@@ -6,8 +6,15 @@ events {
 }
 http {
+
+ client_body_temp_path /tmp/client_body_temp;
+ proxy_temp_path /tmp/proxy_temp;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+
 server {
- listen 80;
+ listen 8080;
 server_name localhost;
 root /usr/share/nginx/html;
diff --git a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
index ccebcad23..6f4db9d19 100644
--- a/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
+++ b/make/photon/prepare/templates/docker_compose/docker-compose.yml.jinja
@@ -133,6 +133,7 @@ services:
 env_file:
 - ./common/config/core/env
 restart: always
+ user: 10000:10000
 cap_drop:
 - ALL
 cap_add:
@@ -185,6 +186,7 @@ services:
 image: goharbor/harbor-portal:{{version}}
 container_name: harbor-portal
 restart: always
+ user: 10000:10000
 cap_drop:
 - ALL
 cap_add:
diff --git a/make/photon/prepare/templates/nginx/nginx.http.conf.jinja b/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
index 0f7f5107e..37553631c 100644
--- a/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.http.conf.jinja
@@ -17,7 +17,7 @@ http {
 }
 upstream portal {
- server portal:80;
+ server portal:8080;
 }
 log_format timed_combined '$remote_addr - '
diff --git a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
index b497fb5ec..c3fa98a4a 100644
--- a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
@@ -18,7 +18,7 @@ http {
 }
 upstream portal {
- server portal:80;
+ server portal:8080;
 }
 log_format timed_combined '$remote_addr - '
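Review bot: The five `*_temp_path` directives relocate nginx's scratch directories to /tmp with no comment saying why, and the Dockerfile in this patch still declares `VOLUME /var/cache/nginx`, which these directives leave unused. A line above them such as `# non-root (uid 10000): the package default temp dirs are presumably not writable, so use /tmp` would explain the relocation, and the now-stale volume should either be dropped from the Dockerfile or the temp paths pointed at a directory the Dockerfile chowns to 10000 so scratch data does not accumulate in the container's writable layer. The `http {` block continues outside the hunk.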
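Review bot: `user: 10000:10000` is added for the core and portal services (this hunk and the one at +186), but the portal Dockerfile in this patch only chowns /etc/nginx and neither creates that UID nor sets `USER`, so the id has no passwd entry in the image; nginx runs fine with a bare numeric UID, but anything that resolves its own user name will fail, and a note such as `# uid 10000 is numeric only, not created in the image` beside these lines would record that. Both services keep `cap_drop: ALL` with a `cap_add` list that continues outside the hunk; with the portal now listening on 8080, a NET_BIND_SERVICE entry there, if present, would no longer be needed and could be dropped. The core image is not touched in this diff, so whether it tolerates 10000:10000 cannot be checked here.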