Fix nginx permission issue

* mount the host root filesystem
* copy the files to the data dir and change their ownership and permissions

Signed-off-by: Qian Deng <dengq@vmware.com>
Qian Deng 2019-08-09 07:17:10 +00:00
parent 1bfba278f2
commit b4975d8601
4 changed files with 52 additions and 27 deletions


@ -12,11 +12,12 @@ REDIS_UID = 999
REDIS_GID = 999 REDIS_GID = 999
## Global variable ## Global variable
host_root_dir = '/hostfs'
base_dir = '/harbor_make' base_dir = '/harbor_make'
templates_dir = "/usr/src/app/templates" templates_dir = "/usr/src/app/templates"
config_dir = '/config' config_dir = '/config'
data_dir = '/data' data_dir = '/data'
secret_dir = '/secret' secret_dir = '/secret'
secret_key_dir='/secret/keys' secret_key_dir='/secret/keys'


@ -276,12 +276,7 @@ services:
volumes: volumes:
- ./common/config/nginx:/etc/nginx:z - ./common/config/nginx:/etc/nginx:z
{% if protocol == 'https' %} {% if protocol == 'https' %}
- type: bind - {{data_volume}}/secret/cert:/etc/cert:z
source: {{cert_key_path}}
target: /etc/cert/server.key
- type: bind
source: {{cert_path}}
target: /etc/cert/server.crt
{% endif %} {% endif %}
networks: networks:
- harbor - harbor
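Review bot: The new bind `{{data_volume}}/secret/cert:/etc/cert:z` is mounted read-write, although the proxy only needs to read the key and certificate from it, so a compromised nginx container could overwrite the TLS material that now lives on the data volume. A read-only bind removes that write path; Docker accepts combined short-syntax options, so `- {{data_volume}}/secret/cert:/etc/cert:ro,z` keeps the SELinux relabel while dropping write access. If the `ro` flag conflicts with how the data volume is labelled in some deployments, that is worth a comment next to the line rather than leaving the mount writable silently.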


@ -2,11 +2,13 @@ import os, shutil
from fnmatch import fnmatch from fnmatch import fnmatch
from pathlib import Path from pathlib import Path
from g import config_dir, templates_dir, DEFAULT_GID, DEFAULT_UID from g import config_dir, templates_dir, host_root_dir, DEFAULT_GID, DEFAULT_UID, data_dir
from utils.misc import prepare_dir, mark_file from utils.misc import prepare_dir, mark_file
from utils.jinja import render_jinja from utils.jinja import render_jinja
from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH from utils.cert import SSL_CERT_KEY_PATH, SSL_CERT_PATH
host_ngx_real_cert_dir = Path(os.path.join(data_dir, 'secret', 'cert'))
nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf") nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
nginx_confd_dir = os.path.join(config_dir, "nginx", "conf.d") nginx_confd_dir = os.path.join(config_dir, "nginx", "conf.d")
nginx_https_conf_template = os.path.join(templates_dir, "nginx", "nginx.https.conf.jinja") nginx_https_conf_template = os.path.join(templates_dir, "nginx", "nginx.https.conf.jinja")
@ -20,8 +22,38 @@ def prepare_nginx(config_dict):
prepare_dir(nginx_confd_dir, uid=DEFAULT_UID, gid=DEFAULT_GID) prepare_dir(nginx_confd_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
render_nginx_template(config_dict) render_nginx_template(config_dict)
def prepare_nginx_certs(cert_key_path, cert_path):
"""
Prepare the certs file with proper ownership
1. Remove nginx cert files in secret dir
2. Copy cert files on host filesystem to secret dir
3. Change the permission to 644 and ownership to 10000:10000
"""
host_ngx_cert_key_path = Path(os.path.join(host_root_dir, cert_key_path.lstrip('/')))
host_ngx_cert_path = Path(os.path.join(host_root_dir, cert_path.lstrip('/')))
if host_ngx_real_cert_dir.exists() and host_ngx_real_cert_dir.is_dir():
shutil.rmtree(host_ngx_real_cert_dir)
os.makedirs(host_ngx_real_cert_dir, mode=0o755)
real_key_path = os.path.join(host_ngx_real_cert_dir, 'server.key')
real_crt_path = os.path.join(host_ngx_real_cert_dir, 'server.crt')
shutil.copy2(host_ngx_cert_key_path, real_key_path)
shutil.copy2(host_ngx_cert_path, real_crt_path)
os.chown(host_ngx_real_cert_dir, uid=DEFAULT_UID, gid=DEFAULT_GID)
mark_file(real_key_path, uid=DEFAULT_UID, gid=DEFAULT_GID)
mark_file(real_crt_path, uid=DEFAULT_UID, gid=DEFAULT_GID)
def render_nginx_template(config_dict): def render_nginx_template(config_dict):
if config_dict['protocol'] == "https": """
1. render nginx config file through protocol
2. copy additional configs to cert.d dir
"""
if config_dict['protocol'] == 'https':
prepare_nginx_certs(config_dict['cert_key_path'], config_dict['cert_path'])
render_jinja( render_jinja(
nginx_https_conf_template, nginx_https_conf_template,
nginx_conf, nginx_conf,
@ -30,12 +62,7 @@ def render_nginx_template(config_dict):
ssl_cert=SSL_CERT_PATH, ssl_cert=SSL_CERT_PATH,
ssl_cert_key=SSL_CERT_KEY_PATH) ssl_cert_key=SSL_CERT_KEY_PATH)
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
cert_dir = Path(os.path.join(config_dir, 'cert'))
ssl_key_path = Path(os.path.join(cert_dir, 'server.key'))
ssl_crt_path = Path(os.path.join(cert_dir, 'server.crt'))
cert_dir.mkdir(parents=True, exist_ok=True)
ssl_key_path.touch()
ssl_crt_path.touch()
else: else:
render_jinja( render_jinja(
nginx_http_conf_template, nginx_http_conf_template,
@ -45,22 +72,23 @@ def render_nginx_template(config_dict):
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTP
copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern) copy_nginx_location_configs_if_exist(nginx_template_ext_dir, nginx_confd_dir, location_file_pattern)
def add_additional_location_config(src, dst):
"""
These conf files is used for user that wanna add additional customized locations to harbor proxy
:params src: source of the file
:params dst: destination file path
"""
if not os.path.isfile(src):
return
print("Copying nginx configuration file {src} to {dst}".format(
src=src, dst=dst))
shutil.copy2(src, dst)
mark_file(dst, mode=0o644)
def copy_nginx_location_configs_if_exist(src_config_dir, dst_config_dir, filename_pattern): def copy_nginx_location_configs_if_exist(src_config_dir, dst_config_dir, filename_pattern):
if not os.path.exists(src_config_dir): if not os.path.exists(src_config_dir):
return return
def add_additional_location_config(src, dst):
"""
These conf files is used for user that wanna add additional customized locations to harbor proxy
:params src: source of the file
:params dst: destination file path
"""
if not os.path.isfile(src):
return
print("Copying nginx configuration file {src} to {dst}".format(src=src, dst=dst))
shutil.copy2(src, dst)
mark_file(dst, mode=0o644)
map(lambda filename: add_additional_location_config( map(lambda filename: add_additional_location_config(
os.path.join(src_config_dir, filename), os.path.join(src_config_dir, filename),
os.path.join(dst_config_dir, filename)), os.path.join(dst_config_dir, filename)),
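Review bot: In `prepare_nginx_certs` the private key is copied by `shutil.copy2(host_ngx_cert_key_path, real_key_path)` and then marked with `mark_file(real_key_path, uid=DEFAULT_UID, gid=DEFAULT_GID)` without an explicit mode, while the docstring says the permission becomes 644; if that is mark_file's default, `server.key` ends up world-readable inside a 0755 directory on the data volume. Only the certificate needs 644 — the key should be `mark_file(real_key_path, uid=DEFAULT_UID, gid=DEFAULT_GID, mode=0o600)` (sufficient for the nginx process running as DEFAULT_UID), and step 3 of the docstring should state the two modes separately. A second, hedged point: the source paths are read through the `host_root_dir` mount, so if `cert_key_path` or `cert_path` is a symlink with an absolute target on the host, `copy2` resolves it against the container's root rather than `/hostfs` and fails or picks the wrong file; a comment noting that limitation, or resolving the link relative to `host_root_dir` before copying, would make the failure mode explicit. Note also that the destination `host_ngx_real_cert_dir` is built from `data_dir`, not `host_root_dir`, so this relies on `/data` in the prepare container being the same directory the compose file mounts as `{{data_volume}}/secret/cert` — worth confirming in the launcher script. `prepare_nginx` and `render_nginx_template` start or end outside this hunk.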


@ -50,6 +50,7 @@ docker run --rm -v $input_dir:/input:z \
-v $harbor_prepare_path:/compose_location:z \ -v $harbor_prepare_path:/compose_location:z \
-v $config_dir:/config:z \ -v $config_dir:/config:z \
-v $secret_dir:/secret:z \ -v $secret_dir:/secret:z \
-v /:/hostfs:z \
goharbor/prepare:dev $@ goharbor/prepare:dev $@
echo "Clean up the input dir" echo "Clean up the input dir"
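Review bot: `-v /:/hostfs:z` bind-mounts the entire host root filesystem read-write into the prepare container and asks Docker to SELinux-relabel it; on an SELinux-enabled host the `z` option applied to `/` relabels every file on the system (newer Docker releases refuse the relabel of `/` outright), and the prepare code added in this commit only reads from `/hostfs`. Mount it read-only and without the relabel flag: `-v /:/hostfs:ro \`. If an enforcing SELinux policy then denies reading the configured cert files, relabel those specific host paths rather than the whole root. The `docker run` command and the enclosing script continue outside this hunk.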