Drop all capabilities when starting containers

Drop all capabilities when starting containers by modifying the docker-compose files, to reduce the attack surface of each service

Signed-off-by: Wenkai Yin <yinw@vmware.com>
This commit is contained in:
Wenkai Yin 2018-11-22 16:21:04 +08:00
parent ad77098acf
commit fefb955cfe
4 changed files with 86 additions and 0 deletions


@ -14,6 +14,13 @@ services:
container_name: chartmuseum container_name: chartmuseum
image: goharbor/chartmuseum-photon:__chartmuseum_version__ image: goharbor/chartmuseum-photon:__chartmuseum_version__
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
networks: networks:
- harbor-chartmuseum - harbor-chartmuseum
dns_search: . dns_search: .
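Review bot: The chartmuseum allowlist in this hunk's `cap_add` keeps DAC_OVERRIDE, which lets a root process bypass every file-mode check on the image and on the mounted volumes, and nothing in the hunk records which startup step needs it or the other three capabilities, so the list will drift as the image changes. A comment per capability above `cap_add` keeps it honest, e.g. `# CHOWN/DAC_OVERRIDE: ownership fix-up of the data dir at startup; SETUID/SETGID: drop from root to the service user` — confirm each against the image's entrypoint and remove any that is not actually exercised. Dropping capabilities does not by itself stop a process from regaining them through setuid binaries or file capabilities inside the image; adding `security_opt: ["no-new-privileges:true"]` next to `cap_drop` closes that path, provided the entrypoint drops privileges via setuid()/gosu-style calls rather than by exec'ing a setuid binary. The enclosing `services:` mapping starts outside the hunk.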


@ -22,6 +22,12 @@ services:
container_name: clair container_name: clair
image: goharbor/clair-photon:__clair_version__ image: goharbor/clair-photon:__clair_version__
restart: always restart: always
cap_drop:
- ALL
cap_add:
- DAC_OVERRIDE
- SETGID
- SETUID
cpu_quota: 50000 cpu_quota: 50000
dns_search: . dns_search: .
depends_on: depends_on:
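Review bot: Clair keeps DAC_OVERRIDE in this hunk's `cap_add` but, unlike every other service in the commit, not CHOWN, so the capability is presumably there only to read or write files owned by a different uid (config or data mounted with restrictive modes); if that is the case, fixing the ownership or mode of those files on the host side lets DAC_OVERRIDE be dropped too, which matters because it neutralises file permissions on anything mounted into the container. Whichever way it goes, the reason should be recorded next to the entry, e.g. `# DAC_OVERRIDE: needed to read <path> mounted read-only for root; remove once modes are fixed` with the real path filled in from the entrypoint. Pairing `cap_drop` with `security_opt: ["no-new-privileges:true"]` would also stop the retained SETUID/SETGID from being re-elevated through setuid binaries in the image. The enclosing `services:` mapping starts outside the hunk.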


@ -15,6 +15,11 @@ services:
image: goharbor/notary-server-photon:__notary_version__ image: goharbor/notary-server-photon:__notary_version__
container_name: notary-server container_name: notary-server
restart: always restart: always
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
networks: networks:
- notary-sig - notary-sig
- harbor-notary - harbor-notary
@ -35,6 +40,11 @@ services:
image: goharbor/notary-signer-photon:__notary_version__ image: goharbor/notary-signer-photon:__notary_version__
container_name: notary-signer container_name: notary-signer
restart: always restart: always
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
networks: networks:
harbor-notary: harbor-notary:
notary-sig: notary-sig:
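Review bot: notary-signer is given the tightest set in the commit (SETGID/SETUID only, second hunk), which is right for the component that holds signing key material, but nothing marks that minimality as deliberate, so a later "fix" that copies the CHOWN/DAC_OVERRIDE set from another service would go unnoticed. A comment such as `# intentionally minimal: the signer holds private keys; only the root-to-service-user drop is needed` above its `cap_add` makes the intent reviewable; the same note fits notary-server in the first hunk. With only SETUID/SETGID retained, `security_opt: ["no-new-privileges:true"]` on both services costs nothing and blocks re-elevation via setuid binaries after the drop — worth confirming the entrypoints do not rely on one. The enclosing `services:` mapping starts outside both hunks, and notary-signer's `networks:` mapping continues past the end of the second hunk.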


@ -5,6 +5,13 @@ services:
container_name: harbor-log container_name: harbor-log
restart: always restart: always
dns_search: . dns_search: .
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes: volumes:
- /var/log/harbor/:/var/log/docker/:z - /var/log/harbor/:/var/log/docker/:z
- ./common/config/log/:/etc/logrotate.d/:z - ./common/config/log/:/etc/logrotate.d/:z
@ -16,6 +23,12 @@ services:
image: goharbor/registry-photon:__reg_version__ image: goharbor/registry-photon:__reg_version__
container_name: registry container_name: registry
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes: volumes:
- /data/registry:/storage:z - /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z - ./common/config/registry/:/etc/registry/:z
@ -36,6 +49,12 @@ services:
env_file: env_file:
- ./common/config/registryctl/env - ./common/config/registryctl/env
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes: volumes:
- /data/registry:/storage:z - /data/registry:/storage:z
- ./common/config/registry/:/etc/registry/:z - ./common/config/registry/:/etc/registry/:z
@ -54,6 +73,13 @@ services:
image: goharbor/harbor-db:__version__ image: goharbor/harbor-db:__version__
container_name: harbor-db container_name: harbor-db
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
volumes: volumes:
- /data/database:/var/lib/postgresql/data:z - /data/database:/var/lib/postgresql/data:z
networks: networks:
@ -74,6 +100,12 @@ services:
env_file: env_file:
- ./common/config/adminserver/env - ./common/config/adminserver/env
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes: volumes:
- /data/config/:/etc/adminserver/config/:z - /data/config/:/etc/adminserver/config/:z
- /data/secretkey:/etc/adminserver/key:z - /data/secretkey:/etc/adminserver/key:z
@ -94,6 +126,11 @@ services:
env_file: env_file:
- ./common/config/core/env - ./common/config/core/env
restart: always restart: always
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
volumes: volumes:
- ./common/config/core/app.conf:/etc/core/app.conf:z - ./common/config/core/app.conf:/etc/core/app.conf:z
- ./common/config/core/private_key.pem:/etc/core/private_key.pem:z - ./common/config/core/private_key.pem:/etc/core/private_key.pem:z
@ -118,6 +155,13 @@ services:
image: goharbor/harbor-portal:__version__ image: goharbor/harbor-portal:__version__
container_name: harbor-portal container_name: harbor-portal
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
networks: networks:
- harbor - harbor
dns_search: . dns_search: .
@ -136,6 +180,12 @@ services:
env_file: env_file:
- ./common/config/jobservice/env - ./common/config/jobservice/env
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes: volumes:
- /data/job_logs:/var/log/jobs:z - /data/job_logs:/var/log/jobs:z
- ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z - ./common/config/jobservice/config.yml:/etc/jobservice/config.yml:z
@ -155,6 +205,12 @@ services:
image: goharbor/redis-photon:__redis_version__ image: goharbor/redis-photon:__redis_version__
container_name: redis container_name: redis
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
volumes: volumes:
- /data/redis:/var/lib/redis - /data/redis:/var/lib/redis
networks: networks:
@ -171,6 +227,13 @@ services:
image: goharbor/nginx-photon:__version__ image: goharbor/nginx-photon:__version__
container_name: nginx container_name: nginx
restart: always restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
volumes: volumes:
- ./common/config/nginx:/etc/nginx:z - ./common/config/nginx:/etc/nginx:z
networks: networks:
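Review bot: In the nginx and harbor-portal hunks NET_BIND_SERVICE is added on top of CHOWN/SETUID/SETGID, but it is only required if the listener binds a port below 1024 inside the container's own network namespace; nginx is the published edge here and plausibly needs it, whereas harbor-portal is reached through nginx on the `harbor` network and should drop it if its image listens on an unprivileged port — verify against each image's config. The per-service sets otherwise differ without explanation (harbor-db and harbor-log keep DAC_OVERRIDE, registry/registryctl/redis/jobservice do not, core keeps only SETUID/SETGID), so a comment per `cap_add` block naming the startup step that consumes each capability would let reviewers catch drift, e.g. `# DAC_OVERRIDE: logrotate writes files owned by other uids under /var/log/docker` for harbor-log, confirmed against the entrypoint. Since every service retains SETUID/SETGID, `security_opt: ["no-new-privileges:true"]` is the natural companion to `cap_drop: ALL` across the file and prevents the retained capabilities from being regained through setuid binaries or file capabilities after the privilege drop. The enclosing `services:` mapping starts outside all of these hunks, and nginx's `networks:` mapping continues past the last one.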