Merge pull request #11428 from ninjadq/fix_container_unhealth

Fix container unhealth
Daniel Jiang 2020-04-07 15:57:00 +08:00 committed by GitHub
commit e064bd4c01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 27 additions and 13 deletions


@ -20,4 +20,4 @@ ENTRYPOINT ["./docker-entrypoint.sh"]
VOLUME ["/chart_storage"] VOLUME ["/chart_storage"]
EXPOSE 9999 EXPOSE 9999
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:9999/health || exit 1 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:9999/health || curl -k -sS https://127.0.0.1:9443/health || exit 1
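Review bot: Both curl calls on the new HEALTHCHECK line run with `-sS` but without `--fail`, so curl exits 0 on an HTTP 4xx/5xx response and the container is reported healthy while `/health` is answering with errors. The other Dockerfiles changed in this commit already use `--fail`; this line should match them: `CMD curl --fail -sS http://127.0.0.1:9999/health || curl -k --fail -sS https://127.0.0.1:9443/health || exit 1`. The HEALTHCHECK in the next file section (the `/probe/healthy` probe on 8080/8443 before `USER clair-adapter`) has the same gap.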


@ -12,7 +12,7 @@ RUN chown -R clair-adapter:clair-adapter /etc/pki/tls/certs \
EXPOSE 8080 EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:8080/probe/healthy || curl -k -sS https://127.0.0.1:8443/probe/healthy || exit 1
USER clair-adapter USER clair-adapter


@ -1,7 +1,7 @@
ARG harbor_base_image_version ARG harbor_base_image_version
FROM goharbor/harbor-core-base:${harbor_base_image_version} FROM goharbor/harbor-core-base:${harbor_base_image_version}
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || exit 1 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v2.0/ping || curl -k --fail -s https://127.0.0.1:8443/api/v2.0/ping || exit 1
COPY ./make/photon/common/install_cert.sh /harbor/ COPY ./make/photon/common/install_cert.sh /harbor/
COPY ./make/photon/core/entrypoint.sh /harbor/ COPY ./make/photon/core/entrypoint.sh /harbor/
COPY ./make/photon/core/harbor_core /harbor/ COPY ./make/photon/core/harbor_core /harbor/
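Review bot: The HTTPS fallback on the new HEALTHCHECK line uses `-k`, so the probe accepts any certificate, and because the plain-HTTP attempt comes first the check also passes when the service comes up on HTTP although internal TLS was intended. On loopback the exposure from `-k` is small, but the reason should be written down so the pattern is not copied to a probe that leaves the container; I would add `# -k: loopback liveness probe only; the service cert is presumably not issued for 127.0.0.1 and no response data is used` above the line. If the entrypoint knows whether internal TLS is enabled, probing only the expected scheme would let the health state catch a silent downgrade. The same applies to the HEALTHCHECK lines in the other Dockerfiles on this page.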


@ -17,6 +17,6 @@ USER harbor
VOLUME ["/var/log/jobs/"] VOLUME ["/var/log/jobs/"]
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || exit 1 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/v1/stats || curl -k --fail -s https://127.0.0.1:8443/api/v1/stats || exit 1
ENTRYPOINT ["/harbor/entrypoint.sh"] ENTRYPOINT ["/harbor/entrypoint.sh"]


@ -104,7 +104,7 @@ openssl x509 -req -days $DAYS -sha256 -in trivy_adapter.csr -CA harbor_internal_
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout notary_signer.key \ -newkey rsa:4096 -nodes -sha256 -keyout notary_signer.key \
-out notary_signer.csr \ -out notary_signer.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_signer" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-signer"
# sign notary_signer csr with CA certificate and key # sign notary_signer csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_signer.crt
@ -113,7 +113,7 @@ openssl x509 -req -days $DAYS -sha256 -in notary_signer.csr -CA harbor_internal_
openssl req -new \ openssl req -new \
-newkey rsa:4096 -nodes -sha256 -keyout notary_server.key \ -newkey rsa:4096 -nodes -sha256 -keyout notary_server.key \
-out notary_server.csr \ -out notary_server.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary_server" -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/CN=notary-server"
# sign notary_server csr with CA certificate and key # sign notary_server csr with CA certificate and key
openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt openssl x509 -req -days $DAYS -sha256 -in notary_server.csr -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial -out notary_server.crt
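Review bot: The renamed subjects still carry the service name only in the CN, and the `openssl x509 -req` signing lines pass no `-extfile`/`-extensions`, so the issued certificates have no subjectAltName. Clients that ignore the CN for host name checks (current Go TLS stacks do) will reject them for `notary-signer` and `notary-server`. I would add the SAN at signing time, for example `-extfile notary_signer.ext` (constructed file name) with the file containing `subjectAltName = DNS:notary-signer`, and the same for notary_server. Both keys are written with `-nodes`, so the permissions of the output directory are their only protection; that part of the script is outside these hunks.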


@ -267,6 +267,11 @@ services:
- type: bind - type: bind
source: {{internal_tls.job_service_key_path}} source: {{internal_tls.job_service_key_path}}
target: /etc/harbor/ssl/job_service.key target: /etc/harbor/ssl/job_service.key
{% endif %}
{% if protocol == 'https' %}
- type: bind
source: {{data_volume}}/secret/cert/server.crt
target: /harbor_cust_cert/harbor_ca.crt
{% endif %} {% endif %}
networks: networks:
- harbor - harbor
@ -593,7 +598,7 @@ services:
{%if internal_tls.enabled %} {%if internal_tls.enabled %}
- type: bind - type: bind
source: {{internal_tls.harbor_internal_ca_crt_path}} source: {{internal_tls.harbor_internal_ca_crt_path}}
target: /etc/harbor/ssl/harbor_internal_ca.crt target: /harbor_cust_cert/harbor_internal_ca.crt
- type: bind - type: bind
source: {{internal_tls.chartmuseum_crt_path}} source: {{internal_tls.chartmuseum_crt_path}}
target: /etc/harbor/ssl/chartmuseum.crt target: /etc/harbor/ssl/chartmuseum.crt
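Review bot: The new bind mount of `{{data_volume}}/secret/cert/server.crt` in the first hunk, and the moved `harbor_internal_ca.crt` mount in the second, are writable from inside the container because neither entry sets `read_only`. This is trust material the container only needs to read, so I would add `read_only: true` under each `target:` line. Files under `/harbor_cust_cert` are presumably appended to the container's trust bundle by install_cert.sh, which is not visible here, so it is worth confirming that `server.crt` is meant to act as a trust anchor there. Both service definitions continue outside the hunks.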


@ -10,7 +10,7 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
&& chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \ && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \
&& chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry && chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry
HEALTHCHECK CMD curl 127.0.0.1:5000/ HEALTHCHECK CMD curl --fail -s http://127.0.0.1:5000 || curl -k --fail -s https://127.0.0.1:5443 || exit 1
USER harbor USER harbor


@ -13,7 +13,7 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
&& chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh
HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || exit 1 HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || curl -k --fail -s https://127.0.0.1:8443/api/health || exit 1
VOLUME ["/var/lib/registry"] VOLUME ["/var/lib/registry"]


@ -3,15 +3,24 @@ FROM goharbor/harbor-trivy-adapter-base:${harbor_base_image_version}
ARG trivy_version ARG trivy_version
COPY ./make/photon/common/install_cert.sh /home/scanner
COPY ./make/photon/trivy-adapter/entrypoint.sh /home/scanner
COPY ./make/photon/trivy-adapter/binary/trivy /usr/local/bin/trivy COPY ./make/photon/trivy-adapter/binary/trivy /usr/local/bin/trivy
COPY ./make/photon/trivy-adapter/binary/scanner-trivy /home/scanner/bin/scanner-trivy COPY ./make/photon/trivy-adapter/binary/scanner-trivy /home/scanner/bin/scanner-trivy
RUN chown -R scanner:scanner /etc/pki/tls/certs \
&& chown scanner:scanner /home/scanner/entrypoint.sh && chmod u+x /home/scanner/entrypoint.sh \
&& chown scanner:scanner /usr/local/bin/trivy && chmod u+x /usr/local/bin/trivy \
&& chown scanner:scanner /home/scanner/bin/scanner-trivy && chmod u+x /home/scanner/bin/scanner-trivy \
&& chown scanner:scanner /home/scanner/install_cert.sh && chmod u+x /home/scanner/install_cert.sh
EXPOSE 8080 EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080/probe/healthy || exit 1 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl --fail -s http://127.0.0.1:8080/probe/healthy || curl -k --fail -s https://127.0.0.1:8443/probe/healthy || exit 1
ENV TRIVY_VERSION=${trivy_version} ENV TRIVY_VERSION=${trivy_version}
USER scanner USER scanner
ENTRYPOINT ["/home/scanner/bin/scanner-trivy"] ENTRYPOINT ["/home/scanner/entrypoint.sh"]
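Review bot: The added RUN step makes the runtime user `scanner` the owner of `/etc/pki/tls/certs`, of both binaries and of the two scripts, so a compromised scanner process could rewrite its own executables or add trust anchors for the rest of the container's life. COPY already leaves the files owned by root, so for the executables a mode change is enough: `RUN chown -R scanner:scanner /etc/pki/tls/certs \` followed by `&& chmod 0755 /home/scanner/entrypoint.sh /home/scanner/install_cert.sh /usr/local/bin/trivy /home/scanner/bin/scanner-trivy`. If install_cert.sh has to write the bundle as `scanner` at start-up (presumably the reason for the `chown -R`), record that above the RUN line, e.g. `# scanner owns the trust store because install_cert.sh appends custom CAs at container start`. The new entrypoint.sh is not shown; it should end by `exec`-ing scanner-trivy so the service still receives stop signals.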