Merge pull request #9400 from ninjadq/inject_certs_to_non_root

Inject certs to non root

make/photon/chartserver/Dockerfile

@@ -2,21 +2,26 @@ FROM photon:2.0
 
 RUN tdnf install -y shadow sudo >>/dev/null\
     && tdnf clean all \
-    && mkdir /chartserver/ \
-    && mkdir /harbor/ \
-    && groupadd -r -g 10000 chartuser \
-    && useradd --no-log-init -m -r -g 10000 -u 10000 chartuser
-COPY ./make/photon/chartserver/binary/chartm /chartserver/
-COPY ./make/photon/chartserver/docker-entrypoint.sh /docker-entrypoint.sh
-COPY ./make/photon/common/install_cert.sh /harbor
+    && groupadd -r -g 10000 chart \
+    && useradd --no-log-init -m -g 10000 -u 10000 chart
+
+COPY ./make/photon/chartserver/binary/chartm /home/chart/
+COPY ./make/photon/chartserver/docker-entrypoint.sh /home/chart/
+COPY ./make/photon/common/install_cert.sh /home/chart/
+
+RUN chown -R chart:chart /etc/pki/tls/certs \
+    && chown -R chart:chart /home/chart \
+    && chmod u+x /home/chart/chartm \
+    && chmod u+x /home/chart/docker-entrypoint.sh \
+    && chmod u+x /home/chart/install_cert.sh
+
+USER chart
+
+WORKDIR /home/chart
+
+ENTRYPOINT ["./docker-entrypoint.sh"]
 
 VOLUME ["/chart_storage"]
 EXPOSE 9999
 
-RUN chown -R 10000:10000 /chartserver \
-    && chmod u+x /chartserver/chartm \
-    && chmod u+x /docker-entrypoint.sh
-
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:9999/health || exit 1
-
-ENTRYPOINT ["/docker-entrypoint.sh"]

make/photon/chartserver/docker-entrypoint.sh

@@ -1,14 +1,10 @@
 #!/bin/bash
 set -e
 
-#/chart_storage is the directory in the contaienr for storing the chart artifacts
-#if storage driver is set to 'local'
-if [ -d /chart_storage ]; then
-    chown 10000:10000 -R /chart_storage
-fi
 
-/harbor/install_cert.sh
+/home/chart/install_cert.sh
 
 #Start the server process
-sudo -E -H -u \#10000 sh -c "/chartserver/chartm" #Parameters are set by ENV
+/home/chart/chartm
+
 set +e

make/photon/clair/Dockerfile

@@ -2,24 +2,25 @@ FROM photon:2.0
 
 RUN tdnf install -y git shadow sudo rpm xz python-xml >>/dev/null\
     && tdnf clean all \
-    && mkdir /clair/ \
-    && mkdir /harbor \
     && groupadd -r -g 10000 clair \
-    && useradd --no-log-init -m -r -g 10000 -u 10000 clair
-COPY ./make/photon/clair/binary/clair /clair/
-COPY ./make/photon/clair/docker-entrypoint.sh /docker-entrypoint.sh
-COPY ./make/photon/clair/dumb-init /dumb-init
-COPY ./make/photon/common/install_cert.sh /harbor 
+    && useradd --no-log-init -m -g 10000 -u 10000 clair
+COPY ./make/photon/clair/binary/clair /home/clair/
+COPY ./make/photon/clair/docker-entrypoint.sh /home/clair/
+COPY ./make/photon/clair/dumb-init /home/clair/
+COPY ./make/photon/common/install_cert.sh /home/clair/
 
 VOLUME /config
 
 EXPOSE 6060 6061
 
-RUN chown -R 10000:10000 /clair \
-    && chmod u+x /clair/clair \
-    && chmod u+x /docker-entrypoint.sh \
-    && chmod +x /dumb-init
+RUN chown -R clair:clair /etc/pki/tls/certs \
+    && chown -R clair:clair /home/clair \
+    && chmod u+x /home/clair/clair \
+    && chmod u+x /home/clair/docker-entrypoint.sh \
+    && chmod +x /home/clair/dumb-init
 
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:6061/health || exit 1
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+WORKDIR /home/clair
+USER clair
+ENTRYPOINT ["./docker-entrypoint.sh"]

make/photon/clair/docker-entrypoint.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 set -e
 
-/harbor/install_cert.sh
-sudo -E -H -u \#10000 sh -c "/dumb-init -- /clair/clair -config /etc/clair/config.yaml $*"
+/home/clair/install_cert.sh
+/home/clair/dumb-init -- /home/clair/clair -config /etc/clair/config.yaml $*
+
 set +e

make/photon/prepare/utils/configs.py

@@ -59,6 +59,8 @@ def validate(conf: dict, **kwargs):
         raise Exception(
             "Error: redis_port in harbor.yml needs to point to the port of Redis server or cluster.")
 
+    # TODO:
+    # If user enable trust cert dir, need check if the files in this dir is readable.
 
 def parse_versions():
     if not versions_file_path.is_file():

make/photon/registry/Dockerfile

@@ -1,24 +1,27 @@
 FROM photon:2.0
 
-MAINTAINER wangyan@vmware.com
+LABEL maintainer="wangyan@vmware.com"
 
 # The original script in the docker offical registry image.
 RUN tdnf install sudo -y >> /dev/null\
     && tdnf clean all \
-    && mkdir /harbor/ \
     && mkdir -p /etc/registry \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor  
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor  
 
-COPY ./make/photon/common/install_cert.sh /harbor
-COPY ./make/photon/registry/entrypoint.sh /
+COPY ./make/photon/common/install_cert.sh /home/harbor
+COPY ./make/photon/registry/entrypoint.sh /home/harbor
 COPY ./make/photon/registry/binary/registry /usr/bin
 
-RUN chmod u+x /entrypoint.sh \
-    && chmod u+x /usr/bin/registry
+RUN chown -R harbor:harbor /etc/pki/tls/certs \
+    && chown harbor:harbor /home/harbor/entrypoint.sh && chmod u+x /home/harbor/entrypoint.sh \
+    && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \
+    && chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry
 
 HEALTHCHECK CMD curl 127.0.0.1:5000/
 
+USER harbor
+
+ENTRYPOINT ["/home/harbor/entrypoint.sh"]
+
 VOLUME ["/var/lib/registry"]
 EXPOSE 5000
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/etc/registry/config.yml"]

make/photon/registry/entrypoint.sh

@@ -4,24 +4,10 @@ set -e
 
 # The directory /var/lib/registry is within the container, and used to store image in CI testing.
 # So for now we need to chown to it to avoid failure in CI.
-if [ -d /var/lib/registry ]; then
-    chown 10000:10000 -R /var/lib/registry
-fi
+# if [ -d /var/lib/registry ]; then
+#     chown 10000:10000 -R /var/lib/registry
+# fi
 
-if [ -d /storage ]; then
-    if ! stat -c '%u:%g' /storage | grep -q '10000:10000' ; then
-        # 10000 is the id of harbor user/group.
-        # Usually NFS Server does not allow changing owner of the export directory,
-        # so need to skip this step and requires NFS Server admin to set its owner to 10000.
-        chown 10000:10000 -R /storage
-    fi
-fi
+/home/harbor/install_cert.sh
 
-/harbor/install_cert.sh
-
-case "$1" in
-    *.yaml|*.yml) set -- registry serve "$@" ;;
-    serve|garbage-collect|help|-*) set -- registry "$@" ;;
-esac
-
-sudo -E -u \#10000 "$@"
+/usr/bin/registry serve /etc/registry/config.yml

make/photon/registryctl/Dockerfile

@@ -1,25 +1,28 @@
 FROM photon:2.0
 
-MAINTAINER wangyan@vmware.com
+Label maintainer="wangyan@vmware.com"
 
 RUN tdnf install sudo -y >> /dev/null \
     && tdnf clean all \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor \
-    && mkdir -p /etc/registry \
-    && mkdir /harbor/
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor \
+    && mkdir -p /etc/registry
 
-COPY ./make/photon/common/install_cert.sh /harbor
+COPY ./make/photon/common/install_cert.sh /home/harbor
 COPY ./make/photon/registry/binary/registry /usr/bin
-COPY ./make/photon/registryctl/start.sh /harbor/
-COPY ./make/photon/registryctl/harbor_registryctl /harbor/
+COPY ./make/photon/registryctl/start.sh /home/harbor
+COPY ./make/photon/registryctl/harbor_registryctl /home/harbor
 
-RUN chmod u+x /harbor/harbor_registryctl \
-    && chmod u+x /usr/bin/registry \
-    && chmod u+x /harbor/start.sh
+RUN chown -R harbor:harbor /etc/pki/tls/certs \
+    && chown harbor:harbor /home/harbor/harbor_registryctl && chmod u+x /home/harbor/harbor_registryctl \
+    && chown harbor:harbor /usr/bin/registry && chmod u+x /usr/bin/registry \
+    && chown harbor:harbor /home/harbor/start.sh && chmod u+x /home/harbor/start.sh \
+    && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh
 
-HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || exit 1 
+
+HEALTHCHECK CMD curl --fail -s http://127.0.0.1:8080/api/health || exit 1
 
 VOLUME ["/var/lib/registry"]
-WORKDIR /harbor/
 
-ENTRYPOINT ["/harbor/start.sh"]
+ENTRYPOINT ["/home/harbor/start.sh"]
+
+USER harbor

make/photon/registryctl/start.sh

@@ -4,19 +4,10 @@ set -e
 
 # The directory /var/lib/registry is within the container, and used to store image in CI testing.
 # So for now we need to chown to it to avoid failure in CI.
-if [ -d /var/lib/registry ]; then
-    chown 10000:10000 -R /var/lib/registry
-fi
+# if [ -d /var/lib/registry ]; then
+#     chown 10000:10000 -R /var/lib/registry
+# fi
 
-if [ -d /storage ]; then
-    if ! stat -c '%u:%g' /storage | grep -q '10000:10000' ; then
-        # 10000 is the id of harbor user/group.
-        # Usually NFS Server does not allow changing owner of the export directory,
-        # so need to skip this step and requires NFS Server admin to set its owner to 10000.
-        chown 10000:10000 -R /storage
-    fi
-fi
+/home/harbor/install_cert.sh
 
-/harbor/install_cert.sh
-
-sudo -E -u \#10000 "/harbor/harbor_registryctl" "-c" "/etc/registryctl/config.yml"
+/home/harbor/harbor_registryctl -c /etc/registryctl/config.yml

tests/docker-compose.test.yml

@@ -6,6 +6,7 @@ services:
     volumes:
       - /data/registry:/storage
       - ./common/config/registry/:/etc/registry/
+      - /etc/core/ca/ca.crt:/etc/registry/root.crt
     ports:
       - 5000:5000
     command:

tests/pushimage.sh

@@ -7,6 +7,8 @@ docker login -u admin -p Harbor12345 $IP:5000
 
 docker tag hello-world $IP:5000/library/hello-world:latest
 docker push $IP:5000/library/hello-world:latest
+echo "$? pushed hello world"
 
 docker tag busybox $IP:5000/library/busybox:latest
 docker push $IP:5000/library/busybox:latest
+echo "$? pushed busybox"

tests/reg_config.yml

@@ -6,7 +6,7 @@ storage:
   cache:
     blobdescriptor: inmemory
   filesystem:
-    rootdirectory: /var/lib/registry
+    rootdirectory: /storage
 http:
   addr: :5000
   headers:
@@ -15,4 +15,4 @@ health:
   storagedriver:
     enabled: true
     interval: 10s
-    threshold: 3
+    threshold: 3

tests/travis/ut_install.sh

@@ -29,4 +29,5 @@ sudo ./tests/testprepare.sh
 cd tests && sudo ./ldapprepare.sh && sudo ./admiral.sh && cd ..
 sudo sed -i 's/__reg_version__/${REG_VERSION}-dev/g' ./make/docker-compose.test.yml
 sudo sed -i 's/__version__/dev/g' ./make/docker-compose.test.yml
-sudo mkdir -p ./make/common/config/registry/ && sudo mv ./tests/reg_config.yml ./make/common/config/registry/config.yml
+sudo mkdir -p ./make/common/config/registry/ && sudo mv ./tests/reg_config.yml ./make/common/config/registry/config.yml
+sudo mkdir /storage && sudo chown 10000:10000 -R /storage