mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-25 03:35:21 +01:00
Fix nginx permission issue
* mount root of host * copy file to data dir and change ownership and permission Signed-off-by: Qian Deng <dengq@vmware.com>
This commit is contained in:
parent
1bfba278f2
commit
b4975d8601
@ -12,11 +12,12 @@ REDIS_UID = 999
|
||||
REDIS_GID = 999
|
||||
|
||||
## Global variable
|
||||
host_root_dir = '/hostfs'
|
||||
|
||||
base_dir = '/harbor_make'
|
||||
templates_dir = "/usr/src/app/templates"
|
||||
config_dir = '/config'
|
||||
data_dir = '/data'
|
||||
|
||||
secret_dir = '/secret'
|
||||
secret_key_dir='/secret/keys'
|
||||
|
||||
|
@ -276,12 +276,7 @@ services:
|
||||
volumes:
|
||||
- ./common/config/nginx:/etc/nginx:z
|
||||
{% if protocol == 'https' %}
|
||||
- type: bind
|
||||
source: {{cert_key_path}}
|
||||
target: /etc/cert/server.key
|
||||
- type: bind
|
||||
source: {{cert_path}}
|
||||
target: /etc/cert/server.crt
|
||||
- {{data_volume}}/secret/cert:/etc/cert:z
|
||||
{% endif %}
|
||||
networks:
|
||||
- harbor
|
||||
|
@ -2,11 +2,13 @@ import os, shutil
|
||||
from fnmatch import fnmatch
|
||||
from pathlib import Path
|
||||
|
||||
from g import config_dir, templates_dir, DEFAULT_GID, DEFAULT_UID
|
||||
from g import config_dir, templates_dir, host_root_dir, DEFAULT_GID, DEFAULT_UID, data_dir
|
||||
from utils.misc import prepare_dir, mark_file
|
||||
from utils.jinja import render_jinja
|
||||
from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
|
||||
|
||||
host_ngx_real_cert_dir = Path(os.path.join(data_dir, 'secret', 'cert'))
|
||||
|
||||
nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
|
||||
nginx_confd_dir = os.path.join(config_dir, "nginx", "conf.d")
|
||||
nginx_https_conf_template = os.path.join(templates_dir, "nginx", "nginx.https.conf.jinja")
|
||||
@ -20,8 +22,38 @@ def prepare_nginx(config_dict):
|
||||
prepare_dir(nginx_confd_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||
render_nginx_template(config_dict)
|
||||
|
||||
|
||||
def prepare_nginx_certs(cert_key_path, cert_path):
|
||||
"""
|
||||
Prepare the certs file with proper ownership
|
||||
1. Remove nginx cert files in secret dir
|
||||
2. Copy cert files on host filesystem to secret dir
|
||||
3. Change the permission to 644 and ownership to 10000:10000
|
||||
"""
|
||||
host_ngx_cert_key_path = Path(os.path.join(host_root_dir, cert_key_path.lstrip('/')))
|
||||
host_ngx_cert_path = Path(os.path.join(host_root_dir, cert_path.lstrip('/')))
|
||||
|
||||
if host_ngx_real_cert_dir.exists() and host_ngx_real_cert_dir.is_dir():
|
||||
shutil.rmtree(host_ngx_real_cert_dir)
|
||||
|
||||
os.makedirs(host_ngx_real_cert_dir, mode=0o755)
|
||||
real_key_path = os.path.join(host_ngx_real_cert_dir, 'server.key')
|
||||
real_crt_path = os.path.join(host_ngx_real_cert_dir, 'server.crt')
|
||||
shutil.copy2(host_ngx_cert_key_path, real_key_path)
|
||||
shutil.copy2(host_ngx_cert_path, real_crt_path)
|
||||
|
||||
os.chown(host_ngx_real_cert_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||
mark_file(real_key_path, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||
mark_file(real_crt_path, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||
|
||||
|
||||
def render_nginx_template(config_dict):
|
||||
if config_dict['protocol'] == "https":
|
||||
"""
|
||||
1. render nginx config file through protocol
|
||||
2. copy additional configs to cert.d dir
|
||||
"""
|
||||
if config_dict['protocol'] == 'https':
|
||||
prepare_nginx_certs(config_dict['cert_key_path'], config_dict['cert_path'])
|
||||
render_jinja(
|
||||
nginx_https_conf_template,
|
||||
nginx_conf,
|
||||
@ -30,12 +62,7 @@ def render_nginx_template(config_dict):
|
||||
ssl_cert=SSL_CERT_PATH,
|
||||
ssl_cert_key=SSL_CERT_KEY_PATH)
|
||||
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
|
||||
cert_dir = Path(os.path.join(config_dir, 'cert'))
|
||||
ssl_key_path = Path(os.path.join(cert_dir, 'server.key'))
|
||||
ssl_crt_path = Path(os.path.join(cert_dir, 'server.crt'))
|
||||
cert_dir.mkdir(parents=True, exist_ok=True)
|
||||
ssl_key_path.touch()
|
||||
ssl_crt_path.touch()
|
||||
|
||||
else:
|
||||
render_jinja(
|
||||
nginx_http_conf_template,
|
||||
@ -45,22 +72,23 @@ def render_nginx_template(config_dict):
|
||||
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
|
||||
copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)
|
||||
|
||||
def add_additional_location_config(src, dst):
|
||||
"""
|
||||
These conf files is used for user that wanna add additional customized locations to harbor proxy
|
||||
:params src: source of the file
|
||||
:params dst: destination file path
|
||||
"""
|
||||
if not os.path.isfile(src):
|
||||
return
|
||||
print("Copying nginx configuration file {src} to {dst}".format(
|
||||
src=src, dst=dst))
|
||||
shutil.copy2(src, dst)
|
||||
mark_file(dst, mode=0o644)
|
||||
|
||||
def copy_nginx_location_configs_if_exist(src_config_dir, dst_config_dir, filename_pattern):
|
||||
if not os.path.exists(src_config_dir):
|
||||
return
|
||||
|
||||
def add_additional_location_config(src, dst):
|
||||
"""
|
||||
These conf files is used for user that wanna add additional customized locations to harbor proxy
|
||||
:params src: source of the file
|
||||
:params dst: destination file path
|
||||
"""
|
||||
if not os.path.isfile(src):
|
||||
return
|
||||
print("Copying nginx configuration file {src} to {dst}".format(src=src, dst=dst))
|
||||
shutil.copy2(src, dst)
|
||||
mark_file(dst, mode=0o644)
|
||||
|
||||
map(lambda filename: add_additional_location_config(
|
||||
os.path.join(src_config_dir, filename),
|
||||
os.path.join(dst_config_dir, filename)),
|
||||
|
@ -50,6 +50,7 @@ docker run --rm -v $input_dir:/input:z \
|
||||
-v $harbor_prepare_path:/compose_location:z \
|
||||
-v $config_dir:/config:z \
|
||||
-v $secret_dir:/secret:z \
|
||||
-v /:/hostfs:z \
|
||||
goharbor/prepare:dev $@
|
||||
|
||||
echo "Clean up the input dir"
|
||||
|
Loading…
Reference in New Issue
Block a user