From 629cf2985065ced125f2e6587df742472bf24417 Mon Sep 17 00:00:00 2001
From: Tan Jiang
Date: Mon, 17 Jul 2017 15:00:48 +0800
Subject: [PATCH] The password to access clair db can be configured in harbor.cfg, skip auto-scan if clair-db is not ready

---
 make/common/templates/adminserver/env | 1 +
 make/harbor.cfg | 4 ++++
 make/prepare | 10 ++++++----
 src/adminserver/systemcfg/systemcfg.go | 3 +++
 src/common/const.go | 1 +
 src/common/dao/base.go | 6 +++---
 src/ui/config/config.go | 10 +++++++++-
 src/ui/main.go | 6 +++++-
 src/ui/service/notifications/registry/handler.go | 9 ++++++++-
 9 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/make/common/templates/adminserver/env b/make/common/templates/adminserver/env
index c74e30056..53b6244aa 100644
--- a/make/common/templates/adminserver/env
+++ b/make/common/templates/adminserver/env
@@ -37,4 +37,5 @@ GODEBUG=netdns=cgo
 ADMIRAL_URL=$admiral_url
 WITH_NOTARY=$with_notary
 WITH_CLAIR=$with_clair
+CLAIR_DB_PASSWORD=$pg_password
 RESET=false
diff --git a/make/harbor.cfg b/make/harbor.cfg
index f720ab76d..93720ea09 100644
--- a/make/harbor.cfg
+++ b/make/harbor.cfg
@@ -30,6 +30,10 @@ secretkey_path = /data
 #Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
 admiral_url = NA
 
+#The password of the Clair's postgres database, only effective when Harbor is deployed with Clair.
+#Please update it before deployment, subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
+clair_db_password = password
+
 #NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
 #only take effect in the first boot, the subsequent changes of these properties
 #should be performed on web ui
diff --git a/make/prepare b/make/prepare
index 42f4af71c..7cde72116 100755
--- a/make/prepare
+++ b/make/prepare
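Review bot: `clair_db_password = password` ships a well-known default credential that the comment only asks operators to change, so an unmodified harbor.cfg deploys the Clair database with a guessable password, and nothing in this patch's `prepare` changes checks whether the default is still in place before rendering it into the adminserver env file (first hunk) and the postgres env. A warning or hard failure in `prepare` when the value equals the shipped default would catch that before deployment. The second comment line is also hard to parse; I would reword it as `#Please update it before deployment; changing it afterwards will leave Clair's API server and Harbor unable to access Clair's database.`.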
@@ -153,6 +153,7 @@ if rcp.has_option("configuration", "admiral_url"):
 admiral_url = rcp.get("configuration", "admiral_url")
 else:
 admiral_url = ""
+pg_password = rcp.get("configuration", "clair_db_password")
 secret_key = get_secret_key(secretkey_path)
 ########
@@ -225,13 +226,15 @@ render(os.path.join(templates_dir, "adminserver", "env"),
 token_expiration=token_expiration,
 admiral_url=admiral_url,
 with_notary=args.notary_mode,
-with_clair=args.clair_mode
+with_clair=args.clair_mode,
+pg_password=pg_password
 )
 
 render(os.path.join(templates_dir, "ui", "env"),
 ui_conf_env,
 ui_secret=ui_secret,
-jobservice_secret=jobservice_secret,)
+jobservice_secret=jobservice_secret,
+)
 
 
 render(os.path.join(templates_dir, "registry", "config.yml"),
@@ -370,11 +373,10 @@ if args.notary_mode:
 render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias)
 
 if args.clair_mode:
-pg_password = "password"
 clair_temp_dir = os.path.join(templates_dir, "clair")
 clair_config_dir = prep_conf_dir(config_dir, "clair")
-print("Copying offline data file for clair DB")
 if os.path.exists(os.path.join(clair_config_dir, "postgresql-init.d")):
+print("Copying offline data file for clair DB")
 shutil.rmtree(os.path.join(clair_config_dir, "postgresql-init.d"))
 shutil.copytree(os.path.join(clair_temp_dir, "postgresql-init.d"), os.path.join(clair_config_dir, "postgresql-init.d"))
 postgres_env = os.path.join(clair_config_dir, "postgres_env")
diff --git a/src/adminserver/systemcfg/systemcfg.go b/src/adminserver/systemcfg/systemcfg.go
index 07f3d0bdb..64cfb3927 100644
--- a/src/adminserver/systemcfg/systemcfg.go
+++ b/src/adminserver/systemcfg/systemcfg.go
@@ -45,6 +45,7 @@ var (
 common.LDAPSearchPwd,
 common.MySQLPassword,
 common.AdminInitialPassword,
+common.ClairDBPassword,
 }
 
 // all configurations need read from environment variables
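Review bot: `pg_password = rcp.get("configuration", "clair_db_password")` in the first hunk is unguarded, unlike the `admiral_url` lookup directly above it that goes through `rcp.has_option`, so running `prepare` against an existing harbor.cfg that predates this key aborts with a `NoOptionError` traceback rather than a message naming the missing setting. It is also now read unconditionally, whereas the third hunk shows the old value was only needed under `args.clair_mode`. I would guard it the same way and fail with an explicit message, e.g. `if not rcp.has_option("configuration", "clair_db_password"): raise Exception("clair_db_password is missing from harbor.cfg")`, and, since the value is rendered into the adminserver and postgres env files, this is also the place to refuse or at least warn when it still equals the default shipped in harbor.cfg.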
@@ -120,6 +121,7 @@ var (
 env: "WITH_CLAIR",
 parse: parseStringToBool,
 },
+common.ClairDBPassword: "CLAIR_DB_PASSWORD",
 }
 
 // configurations need read from environment variables
@@ -144,6 +146,7 @@ var (
 env: "WITH_CLAIR",
 parse: parseStringToBool,
 },
+common.ClairDBPassword: "CLAIR_DB_PASSWORD",
 }
 )
 
diff --git a/src/common/const.go b/src/common/const.go
index 51215cb30..78516f003 100644
--- a/src/common/const.go
+++ b/src/common/const.go
@@ -66,6 +66,7 @@ const (
 WithNotary = "with_notary"
 WithClair = "with_clair"
 ScanAllPolicy = "scan_all_policy"
+ClairDBPassword = "clair_db_password"
 DefaultClairEndpoint = "http://clair:6060"
 )
diff --git a/src/common/dao/base.go b/src/common/dao/base.go
index d2e456842..86f107a1e 100644
--- a/src/common/dao/base.go
+++ b/src/common/dao/base.go
@@ -43,13 +43,13 @@ type Database interface {
 }
 
 // InitClairDB ...
-func InitClairDB() error {
-//TODO: Read from env vars.
+func InitClairDB(password string) error {
+//Except for password other information will not be configurable, so keep it hard coded for 1.2.0.
 p := &pgsql{
 host: "postgres",
 port: 5432,
 usr: "postgres",
-pwd: "password",
+pwd: password,
 database: "postgres",
 sslmode: false,
 }
diff --git a/src/ui/config/config.go b/src/ui/config/config.go
index 785b0efba..5c3a6a0b7 100644
--- a/src/ui/config/config.go
+++ b/src/ui/config/config.go
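Review bot: `InitClairDB(password string)` in the base.go hunk accepts an empty password without complaint, so a caller that obtains "" from configuration proceeds to a connection attempt with no credential and only fails later, away from the cause; a guard at the top such as `if password == "" { return errors.New("clair db password is empty") }` (using whichever error constructor base.go already imports) reports the real problem. The doc comment `// InitClairDB ...` is a stub; I would replace it with `// InitClairDB initializes the connection to Clair's postgres database. Only the password is configurable; host, port, user and database name are fixed for 1.2.0.` and drop the in-body comment that now carries that information. The rest of the function body lies outside the hunk.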
@@ -358,12 +358,20 @@ func ClairEndpoint() string {
 return common.DefaultClairEndpoint
 }
 
+// ClairDBPassword returns the password for accessing Clair's DB.
+func ClairDBPassword() (string, error) {
+cfg, err := mg.Get()
+if err != nil {
+return "", err
+}
+return cfg[common.ClairDBPassword].(string), nil
+}
+
 // AdmiralEndpoint returns the URL of admiral, if Harbor is not deployed with admiral it should return an empty string.
 func AdmiralEndpoint() string {
 cfg, err := mg.Get()
 if err != nil {
 log.Errorf("Failed to get configuration, will return empty string as admiral's endpoint, error: %v", err)
-return ""
 }
 if e, ok := cfg[common.AdmiralEndpoint].(string); !ok || e == "NA" {
diff --git a/src/ui/main.go b/src/ui/main.go
index 110437fa4..719d1feac 100644
--- a/src/ui/main.go
+++ b/src/ui/main.go
@@ -92,7 +92,11 @@ func main() {
 log.Fatalf("failed to initialize database: %v", err)
 }
 if config.WithClair() {
-if err := dao.InitClairDB(); err != nil {
+clairDBPassword, err := config.ClairDBPassword()
+if err != nil {
+log.Fatalf("failed to load clair database information: %v", err)
+}
+if err := dao.InitClairDB(clairDBPassword); err != nil {
 log.Fatalf("failed to initialize clair database: %v", err)
 }
 }
diff --git a/src/ui/service/notifications/registry/handler.go b/src/ui/service/notifications/registry/handler.go
index 2f60622bf..54ed82b63 100644
--- a/src/ui/service/notifications/registry/handler.go
+++ b/src/ui/service/notifications/registry/handler.go
@@ -22,6 +22,7 @@ import (
 "time"
 
 "github.com/vmware/harbor/src/common/dao"
+clairdao "github.com/vmware/harbor/src/common/dao/clair"
 "github.com/vmware/harbor/src/common/models"
 "github.com/vmware/harbor/src/common/utils"
 "github.com/vmware/harbor/src/common/utils/log"
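Review bot: `return cfg[common.ClairDBPassword].(string), nil` in the new `ClairDBPassword` is an unchecked type assertion, so a configuration map that lacks the key, or carries it as a non-string, panics the ui process instead of returning the error the signature promises; `AdmiralEndpoint` directly below uses the comma-ok form and this function should too. The same hunk also removes the `return ""` after the `log.Errorf` in `AdmiralEndpoint`, which leaves the error path indexing a nil `cfg`; that is safe in Go and the comma-ok check then yields "", but the log line still announces an early return, so keeping it explicit is clearer. The tail of `AdmiralEndpoint` is outside the hunk. The rewrite below assumes `errors` (or `fmt`, if that is what config.go already imports) is available.
```go
// ClairDBPassword returns the password for accessing Clair's DB.
func ClairDBPassword() (string, error) {
	cfg, err := mg.Get()
	if err != nil {
		return "", err
	}
	pwd, ok := cfg[common.ClairDBPassword].(string)
	if !ok {
		return "", errors.New("clair db password is not configured")
	}
	return pwd, nil
}
```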
@@ -105,8 +106,14 @@ func (n *NotificationHandler) Post() {
 }()
 go api.TriggerReplicationByRepository(pro.ProjectID, repository, []string{tag}, models.RepOpTransfer)
+
 if autoScanEnabled(project) {
-if err := uiutils.TriggerImageScan(repository, tag); err != nil {
+last, err := clairdao.GetLastUpdate()
+if err != nil {
+log.Errorf("Failed to get last update from Clair DB, error: %v, the auto scan will be skipped.", err)
+} else if last == 0 {
+log.Infof("The Vulnerability data is not ready in Clair DB, the auto scan will be skipped.", err)
+} else if err := uiutils.TriggerImageScan(repository, tag); err != nil {
 log.Warningf("Failed to scan image, repository: %s, tag: %s, error: %v", repository, tag, err)
 }
 }
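Review bot: `log.Infof("The Vulnerability data is not ready in Clair DB, the auto scan will be skipped.", err)` passes `err` with no matching format verb, and in that branch `err` is nil anyway, so the message presumably gains a stray `%!(EXTRA <nil>)` (assuming log.Infof formats via fmt) and `go vet` flags the call; drop the argument: `log.Infof("The Vulnerability data is not ready in Clair DB, the auto scan will be skipped.")`. The `last == 0` skip appears to rely on `clairdao.GetLastUpdate` returning 0 for a database that has never been populated; a one-line comment stating that contract, `// GetLastUpdate returns 0 until Clair has finished its first vulnerability update`, would save the next reader a trip into the clair dao package. `Post` begins before this hunk.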