Fix nginx permission issue
* mount the root of the host * copy files to the data dir and change their ownership and permissions Signed-off-by: Qian Deng <dengq@vmware.com>
This commit is contained in:
parent
1bfba278f2
commit
b4975d8601
@ -12,11 +12,12 @@ REDIS_UID = 999
|
|||||||
REDIS_GID = 999
|
REDIS_GID = 999
|
||||||
|
|
||||||
## Global variable
|
## Global variable
|
||||||
|
host_root_dir = '/hostfs'
|
||||||
|
|
||||||
base_dir = '/harbor_make'
|
base_dir = '/harbor_make'
|
||||||
templates_dir = "/usr/src/app/templates"
|
templates_dir = "/usr/src/app/templates"
|
||||||
config_dir = '/config'
|
config_dir = '/config'
|
||||||
data_dir = '/data'
|
data_dir = '/data'
|
||||||
|
|
||||||
secret_dir = '/secret'
|
secret_dir = '/secret'
|
||||||
secret_key_dir='/secret/keys'
|
secret_key_dir='/secret/keys'
|
||||||
|
|
||||||
|
@ -276,12 +276,7 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- ./common/config/nginx:/etc/nginx:z
|
- ./common/config/nginx:/etc/nginx:z
|
||||||
{% if protocol == 'https' %}
|
{% if protocol == 'https' %}
|
||||||
- type: bind
|
- {{data_volume}}/secret/cert:/etc/cert:z
|
||||||
source: {{cert_key_path}}
|
|
||||||
target: /etc/cert/server.key
|
|
||||||
- type: bind
|
|
||||||
source: {{cert_path}}
|
|
||||||
target: /etc/cert/server.crt
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
networks:
|
networks:
|
||||||
- harbor
|
- harbor
|
||||||
|
@ -2,11 +2,13 @@ import os, shutil
|
|||||||
from fnmatch import fnmatch
|
from fnmatch import fnmatch
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
from g import config_dir, templates_dir, DEFAULT_GID, DEFAULT_UID
|
from g import config_dir, templates_dir, host_root_dir, DEFAULT_GID, DEFAULT_UID, data_dir
|
||||||
from utils.misc import prepare_dir, mark_file
|
from utils.misc import prepare_dir, mark_file
|
||||||
from utils.jinja import render_jinja
|
from utils.jinja import render_jinja
|
||||||
from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
|
from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
|
||||||
|
|
||||||
|
host_ngx_real_cert_dir = Path(os.path.join(data_dir, 'secret', 'cert'))
|
||||||
|
|
||||||
nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
|
nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
|
||||||
nginx_confd_dir = os.path.join(config_dir, "nginx", "conf.d")
|
nginx_confd_dir = os.path.join(config_dir, "nginx", "conf.d")
|
||||||
nginx_https_conf_template = os.path.join(templates_dir, "nginx", "nginx.https.conf.jinja")
|
nginx_https_conf_template = os.path.join(templates_dir, "nginx", "nginx.https.conf.jinja")
|
||||||
@ -20,8 +22,38 @@ def prepare_nginx(config_dict):
|
|||||||
prepare_dir(nginx_confd_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
prepare_dir(nginx_confd_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||||
render_nginx_template(config_dict)
|
render_nginx_template(config_dict)
|
||||||
|
|
||||||
|
|
||||||
|
def prepare_nginx_certs(cert_key_path, cert_path):
|
||||||
|
"""
|
||||||
|
Prepare the certs file with proper ownership
|
||||||
|
1. Remove nginx cert files in secret dir
|
||||||
|
2. Copy cert files on host filesystem to secret dir
|
||||||
|
3. Change the permission to 644 and ownership to 10000:10000
|
||||||
|
"""
|
||||||
|
host_ngx_cert_key_path = Path(os.path.join(host_root_dir, cert_key_path.lstrip('/')))
|
||||||
|
host_ngx_cert_path = Path(os.path.join(host_root_dir, cert_path.lstrip('/')))
|
||||||
|
|
||||||
|
if host_ngx_real_cert_dir.exists() and host_ngx_real_cert_dir.is_dir():
|
||||||
|
shutil.rmtree(host_ngx_real_cert_dir)
|
||||||
|
|
||||||
|
os.makedirs(host_ngx_real_cert_dir, mode=0o755)
|
||||||
|
real_key_path = os.path.join(host_ngx_real_cert_dir, 'server.key')
|
||||||
|
real_crt_path = os.path.join(host_ngx_real_cert_dir, 'server.crt')
|
||||||
|
shutil.copy2(host_ngx_cert_key_path, real_key_path)
|
||||||
|
shutil.copy2(host_ngx_cert_path, real_crt_path)
|
||||||
|
|
||||||
|
os.chown(host_ngx_real_cert_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||||
|
mark_file(real_key_path, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||||
|
mark_file(real_crt_path, uid=DEFAULT_UID, gid=DEFAULT_GID)
|
||||||
|
|
||||||
|
|
||||||
def render_nginx_template(config_dict):
|
def render_nginx_template(config_dict):
|
||||||
if config_dict['protocol'] == "https":
|
"""
|
||||||
|
1. render nginx config file through protocol
|
||||||
|
2. copy additional configs to cert.d dir
|
||||||
|
"""
|
||||||
|
if config_dict['protocol'] == 'https':
|
||||||
|
prepare_nginx_certs(config_dict['cert_key_path'], config_dict['cert_path'])
|
||||||
render_jinja(
|
render_jinja(
|
||||||
nginx_https_conf_template,
|
nginx_https_conf_template,
|
||||||
nginx_conf,
|
nginx_conf,
|
||||||
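Review bot: The prepare_nginx_certs docstring promises in step 3 "Change the permission to 644", but the two mark_file calls on real_key_path and real_crt_path pass only uid/gid, so the mode actually applied is mark_file's default (not visible here) on top of whatever mode shutil.copy2 preserved from the host file, and the docstring and the code disagree. For the private key an owner-only mode is the right target, since the file is owned by DEFAULT_UID, presumably the uid nginx runs under: `mark_file(real_key_path, mode=0o600, uid=DEFAULT_UID, gid=DEFAULT_GID)` and `mark_file(real_crt_path, mode=0o644, uid=DEFAULT_UID, gid=DEFAULT_GID)`, with step 3 of the docstring reworded to say key 600 / cert 644. Separately, in this file's last hunk the result of `map(lambda filename: add_additional_location_config(...), ...)` is not consumed as far as visible; if this runs under Python 3, map is lazy and the location configs would never be copied, but the statement continues past the hunk, so confirm before turning it into a plain for loop.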
@ -30,12 +62,7 @@ def render_nginx_template(config_dict):
|
|||||||
ssl_cert=SSL_CERT_PATH,
|
ssl_cert=SSL_CERT_PATH,
|
||||||
ssl_cert_key=SSL_CERT_KEY_PATH)
|
ssl_cert_key=SSL_CERT_KEY_PATH)
|
||||||
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
|
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
|
||||||
cert_dir = Path(os.path.join(config_dir, 'cert'))
|
|
||||||
ssl_key_path = Path(os.path.join(cert_dir, 'server.key'))
|
|
||||||
ssl_crt_path = Path(os.path.join(cert_dir, 'server.crt'))
|
|
||||||
cert_dir.mkdir(parents=True, exist_ok=True)
|
|
||||||
ssl_key_path.touch()
|
|
||||||
ssl_crt_path.touch()
|
|
||||||
else:
|
else:
|
||||||
render_jinja(
|
render_jinja(
|
||||||
nginx_http_conf_template,
|
nginx_http_conf_template,
|
||||||
@ -45,22 +72,23 @@ def render_nginx_template(config_dict):
|
|||||||
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
|
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
|
||||||
copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)
|
copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)
|
||||||
|
|
||||||
def add_additional_location_config(src, dst):
|
|
||||||
"""
|
|
||||||
These conf files is used for user that wanna add additional customized locations to harbor proxy
|
|
||||||
:params src: source of the file
|
|
||||||
:params dst: destination file path
|
|
||||||
"""
|
|
||||||
if not os.path.isfile(src):
|
|
||||||
return
|
|
||||||
print("Copying nginx configuration file {src} to {dst}".format(
|
|
||||||
src=src, dst=dst))
|
|
||||||
shutil.copy2(src, dst)
|
|
||||||
mark_file(dst, mode=0o644)
|
|
||||||
|
|
||||||
def copy_nginx_location_configs_if_exist(src_config_dir, dst_config_dir, filename_pattern):
|
def copy_nginx_location_configs_if_exist(src_config_dir, dst_config_dir, filename_pattern):
|
||||||
if not os.path.exists(src_config_dir):
|
if not os.path.exists(src_config_dir):
|
||||||
return
|
return
|
||||||
|
|
||||||
|
def add_additional_location_config(src, dst):
|
||||||
|
"""
|
||||||
|
These conf files is used for user that wanna add additional customized locations to harbor proxy
|
||||||
|
:params src: source of the file
|
||||||
|
:params dst: destination file path
|
||||||
|
"""
|
||||||
|
if not os.path.isfile(src):
|
||||||
|
return
|
||||||
|
print("Copying nginx configuration file {src} to {dst}".format(src=src, dst=dst))
|
||||||
|
shutil.copy2(src, dst)
|
||||||
|
mark_file(dst, mode=0o644)
|
||||||
|
|
||||||
map(lambda filename: add_additional_location_config(
|
map(lambda filename: add_additional_location_config(
|
||||||
os.path.join(src_config_dir, filename),
|
os.path.join(src_config_dir, filename),
|
||||||
os.path.join(dst_config_dir, filename)),
|
os.path.join(dst_config_dir, filename)),
|
||||||
|
@ -50,6 +50,7 @@ docker run --rm -v $input_dir:/input:z \
|
|||||||
-v $harbor_prepare_path:/compose_location:z \
|
-v $harbor_prepare_path:/compose_location:z \
|
||||||
-v $config_dir:/config:z \
|
-v $config_dir:/config:z \
|
||||||
-v $secret_dir:/secret:z \
|
-v $secret_dir:/secret:z \
|
||||||
|
-v /:/hostfs:z \
|
||||||
goharbor/prepare:dev $@
|
goharbor/prepare:dev $@
|
||||||
|
|
||||||
echo "Clean up the input dir"
|
echo "Clean up the input dir"
|
||||||
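Review bot: `-v /:/hostfs:z` bind-mounts the host's entire root filesystem into the prepare container read-write and with the SELinux `z` relabel flag; `z` relabels every file under the mount source, and Docker's bind-mount documentation warns that relabelling system directories can leave the host inoperable, while read-write access to `/` is far more than the new code needs. The only use of this mount on the page is prepare_nginx_certs reading the two certificate files with shutil.copy2, so drop the relabel and mount read-only: `-v /:/hostfs:ro \`. If SELinux labelling turns out to be required to read those files, narrowing the mount to the directory that holds them would be the safer shape than relabelling `/`; the docker run command starts before this hunk.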
|