By default Harbor will call catalog API of registry and sync the result to DB, this becomes problematic when registry is configured to custom storage service, there maybe inconsistent result and the whole process may be very time consuming.
So in this commit a env var SYNC_REGISTRY is introduced if user want Harbor to sync the repo when it starts up, by default it's false.
This commit bump up clair to v2.0.4. The current build process is
download the binary from google storage, the update of the binary in
google storage is not reflected in this commit.
It gives Harbor the capability to controll the cache of docker
registry, and the workaround for cache invalidation bug caused
by garbage collection, that is clean cache in GC job.
For more details, see Harbor issue #5078.
The init sql script name nad path was changed by PR #5197, this
commit is to update these and log the package command to console,
make it more easy to debug in future. Also remove the action to
pull migrator as it will built each time locally.
This commit is a temp fix to workaround coreos/clair#562
Recompiled the code at the tip of release-2.0 branch of clair and
updated Makefile.
Once clair provides a new release, we'll need to make update in
Makefiles and Dockerfiles again to consume it.
This commit fixes#5072
Due to an issue in bzr, Clair container may consume a lot of CPU
resource while updating the vuln data. This commit mitigates the impact
by setting the cpu_quota of clair container. (default value of
cpu_period is 100000 in v2 docker-compose template)
This commit fixes#5040, the harbor-db image will only contain empty
databases, and harbor ui container will use migrate tool to run initial
SQL scripts to do initialization. This is helpful for the case to
configure Harbor against external DB or DBaaS like RDS for HA deployment
However, this change will results some confusion as there are two tables
to track schema versions have been using alembic for migration, for this
release we'll try to use alembic to mock a `migration` table during
upgrade so the migrator will be bypassed, in future we'll consider to
consolidate to the golang based migrator.
Another issue is that the UI and adminserver containers will access DB
after start up in different congurations, can't ensure the sequence, so
both of them will try to update the schema when started up.
The secretkey file will be loaded by adminserver which is run by non-root
user (uid:10000) previously the entrypoint script will run `chown` to a
lot files, and there's a breakage in upgrade when we skip running
`chown` inside container.
This commit will fix the issue during upgrade by changing the owner of
the secretkey file.
This commit is to enable data migrator to support migrates data
from mysql to pgsql, this is a specific step for user to upgrade
harbor across v1.5.0, as we have move harbor DB to pgsql from
1.5.0. It supports both harbor and notary db data migration,
and be split into two steps with dependency.
It also fix issue #4847, add build DB migrator in make process.
Narrow down the scope of `chown` in adminserver because the
/etc/adminserver/config/ is the location to store the config.json file.
And /etc/adminserver/key should be readonly.
The job logs directory's permission is not changed by prepare script
because the everything is moved from /data to /storage/data on VIC
appliance. This commit will make sure both cases the directory is
readable by user 10000:10000.
This PR also makes sure the config json of notary signer has 0644
permission.
Previously the log file was set to a hard coded file, but given this
redis should run in container, the update is made to have the process
output log messages to standard output, and redirect it to syslog in
docker-compose template.
This commit fixes a recently discovered issue on Kubernetes #4496
It make necessary to avoid calling `chown` to config files during the
bootstrap of the containers.
replace tcp host:port with
'redis://arbitrary_usrname:password@ipaddress:port/database_index'
update prepare to generate config yaml file of job service based on harbor.cfg
update harbor.cfg default values
Fix typo in Makefile under photon
Fix version tag issue of redis container
Assign container name for redis container
Update docker compose template to enable network for redis
Remove exposed ports of redis from compose yaml tpl
We have to add the uuid/id mapping as new job service will only store uuid.
Further work is in feature branch for now, commit this change to
accelerate migration work.
Default target version is 1.5.0
This is mainly for VIC-appliance upgrade, and should be considered
experimental for oss due to limited test.
Tested with 1.2 and 1.3 harbor.cfg from VIC appliance.
The following are done to avoid travis-ci failing due to too much log
size.
1) Update Makefile and scripts to make go build less verbose.
2) Make tdnf less verbose
As this is for tile deployment only, so add a shortcut for tile/bosh
script to add entry in /etc/hosts inside the container.
Due to effort consideration I don't think we want to render
docker-compose in `prepare` script.
Enable configuring the path of root cert of UAA in harbor.cfg. It only
takes effects if the verify_cert is set to "true" If the file does not
exist, the configuration is skipped.
The intention for this commit is to support integration with nested UAA
in PAS or PKS, we don't expect user to manually configure this value,
though he can do it if he wants.
Remove the attribute "uaa_ca_root" from harbor.cfg and introduce
"uaa_verify_cert". Similar to LDAP settings, this allow user to
explicitly turn of the cert verification against UAA server, such that
the code will work with self-signed certificate.
push test
Add unit test for ldap verify cert
remove common.VerifyRemoteCert
Update code with PR review comments
Add change ldaps config and add UT testcase for TLS feature
add ldap verfiy cert checkbox about #3513
Draft harbor ova install guide
Search and import ldap user when add project members
Add unit test case for SearchAndImportUser
ova guide
Add ova install guide
Add ova install guide 2
Add ova install guide 3
Call ValidateLdapConf before search ldap
trim space in username
Remove leading space in openLdap username
Remove doc change in this branch
Update unit test for ldap search and import user
Add test case about ldap verify cert checkbox
Modify ldap testcase
This change involves using non-root user to run the process of the
docker images. Also made update in Dockerfile to make the containers
support "read-only" and introduce "HEALTHCHECK". Note the "read-only"
options are not enabled in docker-compose, to cover the very corner
case when user wants to update the container filesystem manually.
Remove read only option from docker-compose template by default