Commit Graph

60 Commits

Author SHA1 Message Date
Wenkai Yin
fefb955cfe Drop all capabilities when starting containers
Drop all capabilities when starting containers by modifying docker-compose files to avoid security issue

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2018-11-23 15:38:21 +08:00
stonezdj
0a72f3729a Install custom cert for clair, registry, chartmuseum
Signed-off-by: stonezdj <stonezdj@gmail.com>
2018-11-09 15:03:03 +08:00
Steven Zou
3b76a960e1
Merge pull request #6039 from stonezdj/refact_5996
Refactor capacity
2018-10-24 10:50:11 +08:00
wang yan
f44ff2e4c3 Remove the env GODEBUG=netdns=cgo
This env is the workaroud of dns resolver on golang 1.7.3.
Remove it is bacause of harbor is using golang 1.9.2, the bug
has already been fixed.

Signed-off-by: wang yan <wangyan@vmware.com>
2018-10-17 16:11:25 +08:00
wang yan
bad68c5429 Use docker official way to unset dns search
According docker official document, use 'dns_search= .' in the docker
compose file if you don't wish to set the search domain.

https://docs.docker.com/v17.09/engine/userguide/networking/default_network/configure-dns/

Signed-off-by: wang yan <wangyan@vmware.com>
2018-10-17 14:27:29 +08:00
stonezdj
0278981523 Change admin server to core in jobservice
Signed-off-by: stonezdj <stonezdj@gmail.com>
2018-10-16 19:23:12 +08:00
Yan
08ae5f2f37
Limit dns search in harbor containers (#6057)
This commit is to set dns search to null in the harbor containers,
that means the dns search domains of docker host doesn't impact
the network IO in the containers.

If do not set this, Harbor notary-server and notary-signer are resolving
the "mysql" alias to the resolv.conf search path instead of to "mysql."
for the notary-db bridge IP, see #6031.

Signed-off-by: wang yan <wangyan@vmware.com>
2018-10-16 18:34:36 +08:00
Qian Deng
7873a0312a Rename harbor-ui to harbor-core
1. Update the nginx.conf
2. Update Makefile
3. Update docker-compose
4. Update image name
5. Rename folder ui to core
6. Change the harbor-ui's package name to core
7. Remove unused static file on harbor-core
8. Remove unused code for harbor-portal

Signed-off-by: Qian Deng <dengq@vmware.com>
2018-09-19 16:35:13 +08:00
Daniel Jiang
36ab8a5bf1 Add depdends_on to portal container
Fixes #5878

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2018-09-13 11:00:21 +08:00
Qian Deng
870653a5fb Update nginx config to redirect traffic to specific backend
1. Update nginx.conf file
2. Update photon makefile
3. Update global makefile

Signed-off-by: Qian Deng <dengq@vmware.com>
2018-09-07 13:21:27 +08:00
Qian Deng
dc21f3f5e2 Add container for harbor-portal
1. Add dockerfile for building harbor-portal
2. change the name from ui_ng to harbor-portal

Signed-off-by: Qian Deng <dengq@vmware.com>
2018-09-07 13:20:08 +08:00
wangyan
7713764aec Batch update docker image namespace to goharbor
This commit is to move all the images of harbor from vmware to goharbor
2018-08-09 23:24:21 -07:00
Yan
d5b85a6748
Add the registry controller httpserver, it's responsible for controlling (#5265)
docker regsitry. This version has the API to call regsitry GC with jobservice
secret. Seprates it into a standalone container as do not want to invoke two
processes in one container.

It needs to mount the registry storage into this container in order to do GC,
and needs to copy the registry binary into it.
2018-07-16 16:50:28 +08:00
Yilong Ren
15d6145f5c make/docker-compose.tpl: fix wrong mount configuration(#5208) 2018-07-04 14:12:10 +08:00
Tan Jiang
21ec4808ec Collect log of redis
Previously the log file was set to a hard coded file, but given this
redis should run in container, the update is made to have the process
output log messages to standard output, and redirect it to syslog in
docker-compose template.
2018-04-30 18:16:11 +08:00
Yan
ae257433cc
Fully migrate harbor db to postgresql (#4689)
* Merge harbor db to postgres
2018-04-27 02:27:12 -07:00
Steven Zou
250360307b Modify docker compose file template and make file to enable new job service
Fix typo in Makefile under photon

Fix version tag issue of redis container

Assign container name for redis container

Update docker compose template to enable network for redis

Remove exposed ports of redis from compose yaml tpl
2018-03-30 16:52:55 +08:00
Tan Jiang
7238efd9ae Integrate new jobservice into docker-compose template
This commit doesn't integrate redis.  No change to makefile b/c it
should work once the temporary jobservice_v2 folder is renamed to jobservice.
2018-03-22 19:48:22 +08:00
Tan Jiang
07251181b9 Remove extra-hosts from docker-compose template 2018-02-05 00:02:37 +08:00
Wenkai Yin
2221e114fa Add SELinux label for all volumes 2018-01-30 14:25:43 +08:00
Tan Jiang
5975e6b964 Add place holder for injecting UAA host
As this is for tile deployment only, so add a shortcut for tile/bosh
script to add entry in /etc/hosts inside the container.
Due to effort consideration I don't think we want to render
docker-compose in `prepare` script.
2018-01-25 13:22:43 +08:00
Tan Jiang
e02de2068a Enable configuring the CA Certificate for UAA
Enable configuring the path of root cert of UAA in harbor.cfg.  It only
takes effects if the verify_cert is set to "true" If the file does not
exist, the configuration is skipped.
The intention for this commit is to support integration with nested UAA
in PAS or PKS, we don't expect user to manually configure this value,
though he can do it if he wants.
2018-01-03 16:21:29 +08:00
wangyan
1e750a1ed4 Unify images tags and build process 2017-12-14 23:52:18 -08:00
Wenkai Yin
66b9699ac2 Improve log rotation configurability 2017-11-09 14:33:05 +08:00
root
6f335bdb1a Deprivilege harobr-log, harbor-db, registry image.
This change involves using non-root user to run the process of the
docker images.  Also made update in Dockerfile to make the containers
support "read-only" and introduce "HEALTHCHECK". Note the "read-only"
options are not enabled in docker-compose, to cover the very corner
case when user wants to update the container filesystem manually.

Remove read only option from docker-compose template by default
2017-11-02 23:35:06 -07:00
Daniel Jiang
e6874cf9f1 Merge pull request #3383 from reasonerjt/uaa-integration
Make the root CA certificate of UAA configurable
2017-10-17 12:20:22 +08:00
Tan Jiang
eab6b43d99 Make the root CA certificate of UAA should be configurable 2017-10-16 17:40:29 +08:00
Wenkai Yin
bc3d859571 make log rotate days configurable 2017-10-16 17:09:28 +08:00
Wenkai Yin
232b9ca70c update the psc token dir 2017-08-02 14:50:49 +08:00
Yan
686b477775 update registry to 2.6.2 (#2851)
rm dockerfile

update

add comments
2017-07-24 02:19:32 -07:00
Wenkai Yin
7573d59624 update token file location 2017-07-19 13:46:10 +08:00
Daniel Jiang
1ca1eddb0f Merge pull request #2676 from yixingjia/nginxonphoton
Move nginx to photon OS
2017-07-01 00:08:08 +08:00
Wenkai Yin
bdbdb383ac update 2017-06-30 16:21:55 +08:00
yixingj
fc50fd51d5 Move nginx to photon OS 2017-06-30 14:03:42 +08:00
Wenkai Yin
d6b4330cc8 create a global project manager 2017-06-30 00:08:45 +08:00
Daniel Jiang
0b02231093 Update registry img (#2330)
* update the registry image

* update other yml files and docs to reflect image update
2017-05-19 00:19:27 -07:00
Tan Jiang
965c7a5e70 reference the patched nginx image 2017-04-07 15:07:46 +08:00
Wenkai Yin
e60fd0530f mount config to another dir, fix #1939 2017-04-07 09:14:41 +08:00
wy65701436
f6c4137af1 fix issue 1916 2017-04-05 22:53:09 -07:00
Daniel Jiang
7d6d641827 Merge branch 'master' into dev 2017-04-05 17:01:27 +08:00
Wenkai Yin
ee2a6748c0 mount ca dir to container, fix #1829 2017-03-30 12:50:20 +08:00
Tan Jiang
a33f4151e2 merge with dev branch 2017-03-24 14:40:34 +08:00
Tan Jiang
980101eab5 package vmware/registry into offline package 2017-03-23 12:36:36 +08:00
Tan Jiang
44cd3ec85b update make file and docker compose template 2017-03-22 20:56:08 +08:00
Tan Jiang
f9180c0c96 rebuild registry image on photon 2017-03-22 20:27:15 +08:00
Wenkai Yin
383997f785 read capacity from adminserver 2017-03-21 16:28:24 +08:00
Wenkai Yin
108aa21499 upgrade registry to 2.6.0 2017-03-16 13:44:16 +08:00
Aron Parsons
8ab45d439b label volumes for SELinux
allow Harbor to run when dockerd is running with --selinux-enabled

example AVC denials:
type=AVC msg=audit(1488384855.681:154671): avc:  denied  { read } for  pid=454 comm="registry" name="config.yml" dev="dm-8" ino=12583048 scontext=system_u:system_r:svirt_lxc_net_t:s0:c298,c958 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384855.681:154671): avc:  denied  { open } for  pid=454 comm="registry" path="/etc/registry/config.yml" dev="dm-8" ino=12583048 scontext=system_u:system_r:svirt_lxc_net_t:s0:c298,c958 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384855.687:154672): avc:  denied  { append } for  pid=350 comm=72733A6D61696E20513A526567 name="registry.log" dev="dm-5" ino=4315920 scontext=system_u:system_r:svirt_lxc_net_t:s0:c599,c800 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384856.895:154702): avc:  denied  { remove_name } for  pid=708 comm="mysqld" name="4691d4d62464.lower-test" dev="dm-12" ino=402656159 scontext=system_u:system_r:svirt_lxc_net_t:s0:c149,c797 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1488384856.926:154703): avc:  denied  { lock } for  pid=708 comm="mysqld" path="/var/lib/mysql/ibdata1" dev="dm-12" ino=402656097 scontext=system_u:system_r:svirt_lxc_net_t:s0:c149,c797 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384857.958:154736): avc:  denied  { open } for  pid=924 comm="harbor_jobservi" path="/etc/jobservice/app.conf" dev="dm-8" ino=142 scontext=system_u:system_r:svirt_lxc_net_t:s0:c102,c158 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384858.089:154737): avc:  denied  { read } for  pid=1017 comm="nginx" name="nginx.conf" dev="dm-8" ino=4194445 scontext=system_u:system_r:svirt_lxc_net_t:s0:c847,c996 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384858.089:154737): avc:  denied  { open } for  pid=1017 comm="nginx" path="/etc/nginx/nginx.conf" dev="dm-8" ino=4194445 scontext=system_u:system_r:svirt_lxc_net_t:s0:c847,c996 tcontext=system_u:object_r:default_t:s0 tclass=file
2017-03-03 14:13:39 -05:00
yhua
9f18c8458b fix #1332 2017-02-27 18:52:22 +08:00
Wenkai Yin
9f3f48be59 add harbor network to adminserver 2017-02-24 14:35:11 +08:00