1. Change way for quotas verification in upgrade pipeline, prepare specific size of image, then it's an known value for verifcation;
2. Add notary key rotate test;
3. For issue brought by docker 20, clean containerd cache is the only effective way, so both dockerd and containerd should be cache cleard and restarted;
4. Upgrade E2E Dockerfile for importing readable file size package, and other issues;
5. Uncomment project level robot account test in nightly.
6. Get DNS from local setting, and set it into docker deamon config file;
Signed-off-by: danfengliu <danfengl@vmware.com>
* update blob list query
Deprecate blob list parameters, and use the query for instead.
Signed-off-by: wang yan <wangyan@vmware.com>
* update per review comments
Signed-off-by: Wang Yan <wangyan@vmware.com>
The "*" is used by notary server for permission checking:
84287fd8df/server/server.go (L200)
Hence, we need to add this into the JWT token such that actions like key
rotation can be executed.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
1. Local image should be removed, otherwise docker 20 will not tigger
get manifest request to harbor;
2. E2E image Dockerfile update;
3. Fix nighlty test issue of tag retention, add execution refesh to get
result;
4. Fix nighlty test keyword 'Create An New Project And Go Into
Project' issue that waiting long enough time for list display;
5. Add nightly test case, in GUI, scan result will show if cve id exist in allow list configuration;
6. Move proxy cache test to schdule pipeline, it will save some time for
db pipeline.t p
Signed-off-by: danfengliu <danfengl@vmware.com>
The server to handle token-review may have a limitation for the size of
the header. When the token is huge the token review may fail.
This commit remove the necessary header to harden the flow.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Fixes#13740
Update ManifestExist to return Descriptor instead of digest
For docker 20.10 or containerd, it HEAD the manifest before pull, then
it GET the manifest with digest, add logic to handle this scenario and
correlate the tag between the digest in proxy cache
Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit directly maps the actoin permission in security context to
the scope generated by the token service in harbor-core.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Change source of most of test image samples from docker-hub to local building ones, so it will cost less docker-hub pull requests.
And some of cases like push cnab, they have to use docker-hub, but image samples in cnab test will cost 17 quotas, in this PR, we
replace those samples, now cnab case will cost 6 quotas.
Signed-off-by: danfengliu <danfengl@vmware.com>
- update StopJob() of basic worker
- update UnSchedule() of basic scheduler
- update the policy store to get more data
fix#13599 , fix#13597
Signed-off-by: Steven Zou <szou@vmware.com>
CI job timeout is 60 minutes, but proxy cache case timeout is 20 minutes, once
proxy cache case is timeout, it will reach CI job timeout, then cause CI job terminated
by timeout without running rest of test steps, expecially uploading useful harbor logs,
so move this test into a new clean job for saving time and debugging.
Signed-off-by: danfengliu <danfengl@vmware.com>
In v2.1 security/readonly middleware will query DB by creating new
connection.
If it is put after transaction middleware there's a bigger chance of
deadlock if the concurrent open connections are set too low (#13155)
This commit mitigates that issue. But we still need work to lower the
connections and better handle the case when http connection is closed.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
