diff --git a/Makefile b/Makefile
index fe354c40d18..f890c45ffb1 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,7 @@ CHECKENVCMD=checkenv.sh
 REGISTRYSERVER=
 REGISTRYPROJECTNAME=goharbor
 DEVFLAG=true
-TRIVYFLAG=false
+TRIVYFLAG=true
 HTTPPROXY=
 BUILDBIN=true
 NPM_REGISTRY=https://registry.npmjs.org
@@ -126,7 +126,7 @@ endef
 # docker parameters
 DOCKERCMD=$(shell which docker)
-DOCKERBUILD=$(DOCKERCMD) build
+DOCKERBUILD=$(DOCKERCMD) buildx build --platform linux/amd64,linux/arm64 --provenance=false --push --no-cache
 DOCKERRMIMAGE=$(DOCKERCMD) rmi
 DOCKERPULL=$(DOCKERCMD) pull
 DOCKERIMAGES=$(DOCKERCMD) images
@@ -359,6 +359,26 @@ compile_standalone_db_migrator:
 compile: check_environment versions_prepare compile_core compile_jobservice compile_registryctl
+core:
+ @echo "build core"
+ @echo $(GOBUILDPATH_CORE)
+ @cd ${GOBUILDPATH_CORE} ;$(GOIMAGEBUILD_CORE) -o $(GOBUILDPATHINCONTAINER)/$(GOBUILDMAKEPATH_CORE)/$(CORE_BINARYNAME)
+ @echo "Done."
+
+
+jobservice:
+ @echo "build jobservice"
+ @cd ${GOBUILDPATH_JOBSERVICE} ;$(GOIMAGEBUILD_COMMON) -o $(GOBUILDPATHINCONTAINER)/$(GOBUILDMAKEPATH_JOBSERVICE)/$(JOBSERVICEBINARYNAME)
+
+registryctl:
+ @echo "build registryctl"
+ @cd ${GOBUILDPATH_REGISTRYCTL} ;$(GOIMAGEBUILD_COMMON) -o $(GOBUILDPATHINCONTAINER)/$(GOBUILDMAKEPATH_REGISTRYCTL)/$(REGISTRYCTLBINARYNAME)
+
+
+standalone_db_migrator:
+ @echo "build standalone db migrator"
+ @cd ${GOBUILDPATH_STANDALONE_DB_MIGRATOR} ;$(GOIMAGEBUILD_COMMON) -o $(GOBUILDPATHINCONTAINER)/$(GOBUILDMAKEPATH_STANDALONE_DB_MIGRATOR)/$(STANDALONE_DB_MIGRATOR_BINARYNAME)
+
 update_prepare_version:
 @echo "substitute the prepare version tag in prepare file..."
 @$(SEDCMDI) -e 's/goharbor\/prepare:.*[[:space:]]\+/goharbor\/prepare:$(VERSIONTAG) prepare /' $(MAKEPATH)/prepare ;
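Review bot: `DOCKERBUILD` now carries `--push` in the -126,7 hunk, so every image built through this variable is published to a registry as a side effect of building; a developer with registry credentials in their docker config who runs a local build will push whatever they produced. Keep `--push` out of the shared variable and add it only where a release is intended, e.g. `DOCKERBUILD=$(DOCKERCMD) buildx build --platform linux/amd64,linux/arm64 --provenance=false --no-cache` and `DOCKERBUILD_PUSH=$(DOCKERBUILD) --push`. `--provenance=false` also drops the buildx provenance attestation from the pushed manifest, which deserves a comment if that is intentional.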
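Review bot: The new `core`, `jobservice`, `registryctl` and `standalone_db_migrator` recipes join the `cd` and the build with `;`, so a failing `cd` still runs the build in the wrong directory; use `&&`, e.g. `@cd ${GOBUILDPATH_CORE} && $(GOIMAGEBUILD_CORE) -o $(GOBUILDPATHINCONTAINER)/$(GOBUILDMAKEPATH_CORE)/$(CORE_BINARYNAME)`. None of the four targets is added to `.PHONY`, so a file or directory named `core` or `jobservice` in the repository root would silently satisfy the target. The Dockerfiles in this commit run these targets inside a build stage; `GOIMAGEBUILD_CORE` and `GOIMAGEBUILD_COMMON` are defined outside this hunk, and if they wrap a `docker run` as their names and the `GOBUILDPATHINCONTAINER` output path suggest, they cannot work without a docker daemon in that stage, so please confirm their definitions were adjusted.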
@@ -397,7 +417,8 @@ build:
 -e TRIVY_DOWNLOAD_URL=$(TRIVY_DOWNLOAD_URL) -e TRIVY_ADAPTER_DOWNLOAD_URL=$(TRIVY_ADAPTER_DOWNLOAD_URL) \
 -e PULL_BASE_FROM_DOCKERHUB=$(PULL_BASE_FROM_DOCKERHUB) -e BUILD_BASE=$(BUILD_BASE) \
 -e REGISTRYUSER=$(REGISTRYUSER) -e REGISTRYPASSWORD=$(REGISTRYPASSWORD) \
- -e PUSHBASEIMAGE=$(PUSHBASEIMAGE)
+ -e PUSHBASEIMAGE=$(PUSHBASEIMAGE) \
+ -e TRIVYFLAG=$(TRIVYFLAG)
 build_standalone_db_migrator: compile_standalone_db_migrator
 make -f $(MAKEFILEPATH_PHOTON)/Makefile _build_standalone_db_migrator -e BASEIMAGETAG=$(BASEIMAGETAG) -e VERSIONTAG=$(VERSIONTAG)
diff --git a/make/photon/Makefile b/make/photon/Makefile
index 0dc0678cc09..a726134070a 100644
--- a/make/photon/Makefile
+++ b/make/photon/Makefile
@@ -18,8 +18,8 @@ TIMESTAMP=$(shell date +"%Y%m%d")
 # docker parameters
 DOCKERCMD=$(shell which docker)
-DOCKERBUILD=$(DOCKERCMD) build --no-cache
-DOCKERBUILD_WITH_PULL_PARA=$(DOCKERBUILD) --pull=$(PULL_BASE_FROM_DOCKERHUB)
+DOCKERBUILD=$(DOCKERCMD) buildx build --platform linux/amd64,linux/arm64 --provenance=false --push --no-cache
+DOCKERBUILD_WITH_PULL_PARA=$(DOCKERBUILD) #--pull=$(PULL_BASE_FROM_DOCKERHUB)
 DOCKERRMIMAGE=$(DOCKERCMD) rmi
 DOCKERIMAGES=$(DOCKERCMD) images
 IMAGENAMESPACE=goharbor
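Review bot: `DOCKERBUILD_WITH_PULL_PARA=$(DOCKERBUILD) #--pull=$(PULL_BASE_FROM_DOCKERHUB)` leaves the pull option as a commented-out tail, so `PULL_BASE_FROM_DOCKERHUB` is still forwarded by the top-level `build` target but never honoured, and the variable is now identical to `DOCKERBUILD`. Either delete the commented text and add a comment stating why the option is no longer needed under buildx, or keep it live as `DOCKERBUILD_WITH_PULL_PARA=$(DOCKERBUILD) --pull=$(PULL_BASE_FROM_DOCKERHUB)`; dead option text in a variable definition tends to be mistaken for an active flag. The `--push`-by-default concern raised on the top-level Makefile applies to this `DOCKERBUILD` as well, and it is the one every `_build_*` recipe in this file uses.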
@@ -122,19 +122,19 @@ _build_db:
 _build_portal:
 @$(call _build_base,$(PORTAL),$(DOCKERFILEPATH_PORTAL))
 @echo "building portal container for photon..."
- $(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) --build-arg npm_registry=$(NPM_REGISTRY) -f $(DOCKERFILEPATH_PORTAL)/$(DOCKERFILENAME_PORTAL) -t $(DOCKERIMAGENAME_PORTAL):$(VERSIONTAG) .
+ @$(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) --build-arg npm_registry=$(NPM_REGISTRY) -f $(DOCKERFILEPATH_PORTAL)/$(DOCKERFILENAME_PORTAL) -t $(DOCKERIMAGENAME_PORTAL):$(VERSIONTAG) .
 @echo "Done."
 _build_core:
 @$(call _build_base,$(CORE),$(DOCKERFILEPATH_CORE))
 @echo "building core container for photon..."
- @$(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) -f $(DOCKERFILEPATH_CORE)/$(DOCKERFILENAME_CORE) -t $(DOCKERIMAGENAME_CORE):$(VERSIONTAG) .
+ @$(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) --build-arg GOBUILDIMAGE=${GOBUILDIMAGE} -f $(DOCKERFILEPATH_CORE)/$(DOCKERFILENAME_CORE) -t $(DOCKERIMAGENAME_CORE):$(VERSIONTAG) .
 @echo "Done."
 _build_jobservice:
 @$(call _build_base,$(JOBSERVICE),$(DOCKERFILEPATH_JOBSERVICE))
 @echo "building jobservice container for photon..."
- @$(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) -f $(DOCKERFILEPATH_JOBSERVICE)/$(DOCKERFILENAME_JOBSERVICE) -t $(DOCKERIMAGENAME_JOBSERVICE):$(VERSIONTAG) .
+ @$(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) --build-arg GOBUILDIMAGE=${GOBUILDIMAGE} -f $(DOCKERFILEPATH_JOBSERVICE)/$(DOCKERFILENAME_JOBSERVICE) -t $(DOCKERIMAGENAME_JOBSERVICE):$(VERSIONTAG) .
 @echo "Done."
 _build_log:
@@ -146,20 +146,12 @@ _build_log:
 _build_trivy_adapter:
 @if [ "$(TRIVYFLAG)" = "true" ] ; then \
 $(call _build_base,$(TRIVY_ADAPTER),$(DOCKERFILEPATH_TRIVY_ADAPTER)) ; \
- rm -rf $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary && mkdir -p $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary ; \
- echo "Downloading Trivy scanner $(TRIVYVERSION)..." ; \
- $(call _extract_archive, $(TRIVY_DOWNLOAD_URL), $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary/) ; \
- if [ "$(BUILDBIN)" != "true" ] ; then \
- echo "Downloading Trivy adapter $(TRIVYADAPTERVERSION)..." ; \
- $(call _extract_archive, $(TRIVY_ADAPTER_DOWNLOAD_URL), $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary/) ; \
- else \
- echo "Building Trivy adapter $(TRIVYADAPTERVERSION) from sources..." ; \
- cd $(DOCKERFILEPATH_TRIVY_ADAPTER) && $(DOCKERFILEPATH_TRIVY_ADAPTER)/builder.sh $(TRIVYADAPTERVERSION) && cd - ; \
- fi ; \
 echo "Building Trivy adapter container for photon..." ; \
 $(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) \
 --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) \
- --build-arg trivy_version=$(TRIVYVERSION) \
+ --build-arg TRIVYVERSION=$(TRIVYVERSION) \
+ --build-arg TRIVYADAPTERVERSION=$(TRIVYADAPTERVERSION) \
+ --build-arg GOBUILDIMAGE=$(GOBUILDIMAGE) \
 -f $(DOCKERFILEPATH_TRIVY_ADAPTER)/$(DOCKERFILENAME_TRIVY_ADAPTER) \
 -t $(DOCKERIMAGENAME_TRIVY_ADAPTER):$(VERSIONTAG) . ; \
 rm -rf $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary; \
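Review bot: The added `--build-arg GOBUILDIMAGE=${GOBUILDIMAGE}` in `_build_core` and `_build_jobservice` uses brace expansion while the rest of each line uses `$()`; Make treats both the same, but the brace form reads like a shell variable, so prefer `--build-arg GOBUILDIMAGE=$(GOBUILDIMAGE)` as the `_build_trivy_adapter` hunk already does. The `_build_portal` line additionally gains a leading `@`, which hides the full docker command from the log when the build fails; silencing `echo` is fine, but a silenced build command makes CI failures harder to diagnose. Since `DOCKERBUILD_WITH_PULL_PARA` now contains `--push`, these three recipes publish the portal, core and jobservice images on every invocation.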
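Review bot: `_build_trivy_adapter` still ends with `rm -rf $(DOCKERFILEPATH_TRIVY_ADAPTER)/binary; \` although this hunk removes every line that created that directory, and with the `BUILDBIN` branch gone, `TRIVY_DOWNLOAD_URL` and `TRIVY_ADAPTER_DOWNLOAD_URL` (still exported by the top-level `build` target) no longer affect this image. Drop the dead `rm -rf` line, and either remove the two URL variables from the `build` target or document that Trivy and the adapter are now always compiled from source in the Dockerfile's builder stage. The `if` block this recipe opens closes outside the hunk.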
@@ -174,21 +166,14 @@ _build_nginx:
 _build_registry:
 @$(call _build_base,$(REGISTRY),$(DOCKERFILEPATH_REG))
- @if [ "$(BUILDBIN)" != "true" ] ; then \
- rm -rf $(DOCKERFILEPATH_REG)/binary && mkdir -p $(DOCKERFILEPATH_REG)/binary && \
- $(call _get_binary, $(REGISTRYURL), $(DOCKERFILEPATH_REG)/binary/registry); \
- else \
- cd $(DOCKERFILEPATH_REG) && $(DOCKERFILEPATH_REG)/builder $(REGISTRY_SRC_TAG) $(DISTRIBUTION_SRC) && cd - ; \
- fi
 @echo "building registry container for photon..."
- @chmod 655 $(DOCKERFILEPATH_REG)/binary/registry && $(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) -f $(DOCKERFILEPATH_REG)/$(DOCKERFILENAME_REG) -t $(DOCKERIMAGENAME_REG):$(VERSIONTAG) .
+ @$(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) --build-arg GOBUILDIMAGE=${GOBUILDIMAGE} --build-arg REGISTRY_SRC_TAG=${REGISTRY_SRC_TAG} -f $(DOCKERFILEPATH_REG)/$(DOCKERFILENAME_REG) -t $(DOCKERIMAGENAME_REG):$(VERSIONTAG) .
 @echo "Done."
 _build_registryctl:
 @$(call _build_base,$(REGISTRYCTL),$(DOCKERFILEPATH_REGISTRYCTL))
 @echo "building registry controller for photon..."
- @$(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) -f $(DOCKERFILEPATH_REGISTRYCTL)/$(DOCKERFILENAME_REGISTRYCTL) -t $(DOCKERIMAGENAME_REGISTRYCTL):$(VERSIONTAG) .
- @rm -rf $(DOCKERFILEPATH_REG)/binary
+ @$(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) --build-arg GOBUILDIMAGE=${GOBUILDIMAGE} --build-arg REGISTRY_SRC_TAG=${REGISTRY_SRC_TAG} -f $(DOCKERFILEPATH_REGISTRYCTL)/$(DOCKERFILENAME_REGISTRYCTL) -t $(DOCKERIMAGENAME_REGISTRYCTL):$(VERSIONTAG) .
 @echo "Done."
 _build_redis:
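Review bot: `_build_registry` drops the `BUILDBIN != true` path that fetched a prebuilt registry from `REGISTRYURL`, so `BUILDBIN=false` (the knob set at the top of the top-level Makefile) now silently compiles from source, and `DISTRIBUTION_SRC` is no longer consulted because the clone URL is hard-coded in the Dockerfile. Either keep honouring those variables or fail loudly when a value the new flow ignores is set, e.g. `@if [ "$(BUILDBIN)" != "true" ] ; then echo "BUILDBIN=false is not supported for registry any more" ; exit 1 ; fi`. `_build_registryctl` is handed `REGISTRY_SRC_TAG` because its Dockerfile rebuilds the whole distribution tree a second time; sharing the binary already produced for the registry image would avoid compiling it twice and keep the two images from drifting.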
@@ -205,7 +190,7 @@ _build_standalone_db_migrator:
 _compile_and_build_exporter:
 @$(call _build_base,$(EXPORTER),$(DOCKERFILEPATH_EXPORTER))
 @echo "compiling and building image for exporter..."
- @$(DOCKERCMD) build --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) --build-arg build_image=$(GOBUILDIMAGE) -f ${DOCKERFILEPATH_EXPORTER}/${DOCKERFILENAME_EXPORTER} -t $(DOCKERIMAGENAME_EXPORTER):$(VERSIONTAG) .
+ @$(DOCKERCMD) build --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) --build-arg build_image=$(GOBUILDIMAGE) --build-arg GOBUILDIMAGE=${GOBUILDIMAGE} -f ${DOCKERFILEPATH_EXPORTER}/${DOCKERFILENAME_EXPORTER} -t $(DOCKERIMAGENAME_EXPORTER):$(VERSIONTAG) .
 @echo "Done."
 define _extract_archive
diff --git a/make/photon/core/Dockerfile b/make/photon/core/Dockerfile
index da561a875b5..ebeca5ab37c 100644
--- a/make/photon/core/Dockerfile
+++ b/make/photon/core/Dockerfile
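Review bot: `_compile_and_build_exporter` now passes both `--build-arg build_image=$(GOBUILDIMAGE)` and `--build-arg GOBUILDIMAGE=${GOBUILDIMAGE}`, but the exporter Dockerfile in this commit declares only `ARG build_image`, so the second argument is never consumed and docker warns about it on every build. Keep one name, preferably `GOBUILDIMAGE` for consistency with the other images, and change the Dockerfile's `ARG` to match. This target also still runs `$(DOCKERCMD) build` rather than `$(DOCKERBUILD)`, so the exporter is the only image not built for both platforms (or pushed) by the new buildx flow; if that is deliberate, a comment here would prevent the next reader from "fixing" it.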
@@ -1,17 +1,29 @@
+ARG GOBUILDIMAGE
+ARG harbor_base_image_version
+ARG harbor_base_namespace
+FROM ${GOBUILDIMAGE} AS builder
+WORKDIR /harbor
+COPY ./ /harbor
+ENV CGO_ENABLED=0
+RUN apt update \
+ && apt install -y make \
+ && cd /harbor \
+ && make core
+
+
 ARG harbor_base_image_version
 ARG harbor_base_namespace
 FROM ${harbor_base_namespace}/harbor-core-base:${harbor_base_image_version}
 HEALTHCHECK CMD curl --fail -s http://localhost:8080/api/v2.0/ping || curl -k --fail -s https://localhost:8443/api/v2.0/ping || exit 1
-COPY ./make/photon/common/install_cert.sh /harbor/
-COPY ./make/photon/core/entrypoint.sh /harbor/
-COPY ./make/photon/core/harbor_core /harbor/
-COPY ./src/core/views /harbor/views
-COPY ./make/migrations /harbor/migrations
-COPY ./icons /harbor/icons
+COPY --from=builder /harbor/make/photon/common/install_cert.sh /harbor/
+COPY --from=builder /harbor/make/photon/core/entrypoint.sh /harbor/
+COPY --from=builder /harbor/make/photon/core/harbor_core /harbor/
+COPY --from=builder /harbor/src/core/views /harbor/views
+COPY --from=builder /harbor/make/migrations /harbor/migrations
+COPY --from=builder /harbor/icons /harbor/icons
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
- && chown -R harbor:harbor /harbor/ \
+RUN chown -R harbor:harbor /harbor/ \
 && chmod u+x /harbor/entrypoint.sh \
 && chmod u+x /harbor/install_cert.sh \
 && chmod u+x /harbor/harbor_core
@@ -19,4 +31,4 @@ RUN chown -R harbor:harbor /etc/pki/tls/certs \
 WORKDIR /harbor/
 USER harbor
 ENTRYPOINT ["/harbor/entrypoint.sh"]
-COPY make/photon/prepare/versions /harbor/
+COPY --from=builder /harbor/make/photon/prepare/versions /harbor/
diff --git a/make/photon/core/Dockerfile.base b/make/photon/core/Dockerfile.base
index a6c7f097c97..3b26ec076e3 100644
--- a/make/photon/core/Dockerfile.base
+++ b/make/photon/core/Dockerfile.base
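Review bot: `RUN chown -R harbor:harbor /etc/pki/tls/certs` is removed from the final stage here and in the jobservice, exporter, registry, registryctl and trivy-adapter Dockerfiles, yet `install_cert.sh` is still shipped and the container runs as `USER harbor`; if that script installs operator-supplied CA certificates at start-up (its contents are not in this diff), it now needs a writable trust-store location on Alpine (the photon path no longer exists) or every deployment using a private CA will fail at the first TLS call — please confirm against the script and grant write access to whichever directory it uses. In the builder stage, `RUN apt update && apt install -y make` should be `apt-get update && apt-get install -y --no-install-recommends make` (the `apt` front end warns that its CLI is not stable for scripts), and `cd /harbor` is redundant after `WORKDIR /harbor`. The same `apt` pattern appears in the jobservice and registryctl builder stages.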
@@ -1,6 +1,6 @@
-FROM photon:5.0
+FROM alpine:3.18
-RUN tdnf install -y tzdata shadow >> /dev/null \
- && tdnf clean all \
- && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
+RUN apk add --no-cache tzdata shadow \
+ && groupadd -r -g 10000 harbor \
+ && useradd -r -m -g 10000 -u 10000 harbor \
 && mkdir /harbor/
diff --git a/make/photon/db/Dockerfile.base b/make/photon/db/Dockerfile.base
index 6c816cc8171..7b3dbda40ef 100644
--- a/make/photon/db/Dockerfile.base
+++ b/make/photon/db/Dockerfile.base
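Review bot: `FROM alpine:3.18` pins only a minor release, and 3.18's support window has ended per the Alpine release schedule, so this base and every other `Dockerfile.base` in the commit will stop receiving apk security fixes; pin a currently supported release plus a digest, e.g. `FROM alpine:3.20@sha256:<digest>` with the digest refreshed when the base is bumped. This file also drops `--no-log-init` from `useradd` while the exporter and jobservice base files keep it; the flag only matters for huge uids, but the base files should use one form so a reader does not hunt for a reason behind the difference.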
@@ -1,20 +1,21 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-ENV PGDATA /var/lib/postgresql/data
+ENV PGDATA=/var/lib/postgresql/data
-RUN tdnf install -y shadow >> /dev/null \
+# Install shadow tools (for useradd and groupadd), and create the postgres user and group
+# Install PostgreSQL 15, gzip, findutils, bc, and create necessary directories
+RUN apk add --no-cache shadow \
+ && groupdel ping \
 && groupadd -r postgres --gid=999 \
- && useradd -m -r -g postgres --uid=999 postgres
-
-RUN tdnf install -y postgresql14-server >> /dev/null
-RUN tdnf install -y gzip postgresql15-server findutils bc >> /dev/null \
+ && useradd -r -g postgres --uid=999 postgres \
+ && apk add --no-cache postgresql15 postgresql15-client gzip findutils bc util-linux net-tools bash \
 && mkdir -p /docker-entrypoint-initdb.d \
 && mkdir -p /run/postgresql \
 && chown -R postgres:postgres /run/postgresql \
 && chmod 2777 /run/postgresql \
- && mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" \
- && sed -i "s|#listen_addresses = 'localhost'.*|listen_addresses = '*'|g" /usr/pgsql/15/share/postgresql/postgresql.conf.sample \
- && sed -i "s|#unix_socket_directories = '/tmp'.*|unix_socket_directories = '/run/postgresql'|g" /usr/pgsql/15/share/postgresql/postgresql.conf.sample \
- && tdnf clean all
-
-RUN tdnf erase -y toybox && tdnf install -y util-linux net-tools
+ && mkdir -p "$PGDATA" \
+ && chown -R postgres:postgres "$PGDATA" \
+ && chmod 777 "$PGDATA" \
+ && sed -i "s|#listen_addresses = 'localhost'.*|listen_addresses = '*'|g" /usr/share/postgresql/postgresql.conf.sample \
+ && sed -i "s|#unix_socket_directories = '/tmp'.*|unix_socket_directories = '/run/postgresql'|g" /usr/share/postgresql/postgresql.conf.sample
diff --git a/make/photon/exporter/Dockerfile b/make/photon/exporter/Dockerfile
index 42f94481af0..e9538082892 100644
--- a/make/photon/exporter/Dockerfile
+++ b/make/photon/exporter/Dockerfile
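Review bot: The rewritten `RUN` keeps `chmod 777 "$PGDATA"` and `chmod 2777 /run/postgresql`, leaving the data directory and socket directory world-writable in the new base image; the server itself refuses to start on a data directory with group or world access, so the entrypoint presumably re-permissions it after `initdb` (not visible here) and the 777 only serves some build-time or arbitrary-uid convenience. If the world-writable bits are genuinely required, a comment on those two lines saying why belongs there; otherwise `chmod 700 "$PGDATA"` matches what PostgreSQL demands and removes a write path for any other process in the container. `groupdel ping` also deserves a comment, presumably that Alpine's `ping` group already occupies gid 999, which `groupadd --gid=999` needs; the redis base file repeats the same idiom without explanation.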
@@ -2,23 +2,22 @@ ARG build_image
 ARG harbor_base_image_version
 ARG harbor_base_namespace
-FROM ${build_image} AS build
+FROM ${build_image} AS builder
 ENV CGO_ENABLED=0
-ENV GOOS=linux
-ENV GOARCH=amd64
-COPY src /harbor/src
+COPY ./ /harbor
+
 WORKDIR /harbor/src/cmd/exporter
 RUN go build -o /out/harbor_exporter
 FROM ${harbor_base_namespace}/harbor-exporter-base:${harbor_base_image_version}
-COPY --from=build /out/harbor_exporter /harbor/harbor_exporter
-COPY ./make/photon/exporter/entrypoint.sh ./make/photon/common/install_cert.sh /harbor/
+COPY --from=builder /out/harbor_exporter /harbor/harbor_exporter
+COPY --from=builder /harbor/make/photon/exporter/entrypoint.sh /harbor/
+COPY --from=builder /harbor/make/photon/common/install_cert.sh /harbor/
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
- && chown -R harbor:harbor /harbor/ \
+RUN chown -R harbor:harbor /harbor/ \
 && chmod u+x /harbor/entrypoint.sh \
 && chmod u+x /harbor/install_cert.sh \
 && chmod u+x /harbor/harbor_exporter
diff --git a/make/photon/exporter/Dockerfile.base b/make/photon/exporter/Dockerfile.base
index a6c7f097c97..4e99b15e2f3 100644
--- a/make/photon/exporter/Dockerfile.base
+++ b/make/photon/exporter/Dockerfile.base
@@ -1,6 +1,8 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-RUN tdnf install -y tzdata shadow >> /dev/null \
- && tdnf clean all \
- && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
+# Install tzdata (for time zone data) and shadow (for groupadd and useradd commands)
+RUN apk add --no-cache tzdata shadow \
+ && groupadd -r -g 10000 harbor \
+ && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
 && mkdir /harbor/
diff --git a/make/photon/jobservice/Dockerfile b/make/photon/jobservice/Dockerfile
index accd7519dba..f973818d993 100644
--- a/make/photon/jobservice/Dockerfile
+++ b/make/photon/jobservice/Dockerfile
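Review bot: Dropping `ENV GOOS=linux` and `ENV GOARCH=amd64` from the builder stage is the right move for a multi-platform buildx build, but `_compile_and_build_exporter` in make/photon/Makefile still runs plain `$(DOCKERCMD) build`, so this image is compiled only for the host architecture while every other image gets amd64 and arm64; either switch that recipe to `$(DOCKERBUILD_WITH_PULL_PARA)` or document the exception. `COPY ./ /harbor` also replaces `COPY src /harbor/src` and pulls the entire build context, untracked local files included, into the builder layer, when the stage only needs `src` for `go build` plus the two `make/photon` scripts copied below; narrowing it to `COPY src /harbor/src` and `COPY make/photon /harbor/make/photon` keeps the cache smaller and avoids carrying local artefacts into the build.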
@@ -1,14 +1,24 @@
+ARG GOBUILDIMAGE
 ARG harbor_base_image_version
 ARG harbor_base_namespace
-FROM ${harbor_base_namespace}/harbor-jobservice-base:${harbor_base_image_version}
+FROM ${GOBUILDIMAGE} AS builder
+WORKDIR /harbor
+COPY ./ /harbor
+ENV CGO_ENABLED=0
+RUN apt update \
+ && apt install -y make \
+ && cd /harbor \
+ && make jobservice
+
-COPY ./make/photon/common/install_cert.sh /harbor/
-COPY ./make/photon/jobservice/entrypoint.sh /harbor/
-COPY ./make/photon/jobservice/harbor_jobservice /harbor/
+
+FROM ${harbor_base_namespace}/harbor-jobservice-base:${harbor_base_image_version}
+COPY --from=builder /harbor/make/photon/common/install_cert.sh /harbor/
+COPY --from=builder /harbor/make/photon/jobservice/entrypoint.sh /harbor/
+COPY --from=builder /harbor/make/photon/jobservice/harbor_jobservice /harbor/
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
- && chown -R harbor:harbor /harbor/ \
+RUN chown -R harbor:harbor /harbor/ \
 && chmod u+x /harbor/entrypoint.sh \
 && chmod u+x /harbor/install_cert.sh \
 && chmod u+x /harbor/harbor_jobservice
diff --git a/make/photon/jobservice/Dockerfile.base b/make/photon/jobservice/Dockerfile.base
index 7157c6c59c0..4e99b15e2f3 100644
--- a/make/photon/jobservice/Dockerfile.base
+++ b/make/photon/jobservice/Dockerfile.base
@@ -1,5 +1,8 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-RUN tdnf install -y tzdata shadow >> /dev/null \
- && tdnf clean all \
- && groupadd -r -g 10000 harbor && useradd --no-log-init -r -m -g 10000 -u 10000 harbor
+# Install tzdata (for time zone data) and shadow (for groupadd and useradd commands)
+RUN apk add --no-cache tzdata shadow \
+ && groupadd -r -g 10000 harbor \
+ && useradd --no-log-init -r -m -g 10000 -u 10000 harbor \
+ && mkdir /harbor/
diff --git a/make/photon/log/Dockerfile b/make/photon/log/Dockerfile
index f147e59c55a..08397de5f59 100644
--- a/make/photon/log/Dockerfile
+++ b/make/photon/log/Dockerfile
@@ -7,15 +7,16 @@ COPY ./make/photon/log/rsyslog.conf /etc/rsyslog.conf
 # rsyslog configuration file for docker
 COPY ./make/photon/log/rsyslog_docker.conf /etc/rsyslog.d/
-# remove the original "logrotate" in directory "/etc/cron.daily/"
-# and copy the customized one to directory "/etc/cron.hourly/"
-# to run logrotate hourly
-RUN rm /etc/cron.daily/logrotate
-COPY ./make/photon/log/logrotate /etc/cron.hourly/
+COPY ./make/photon/log/logrotate /etc/periodic/hourly/
 COPY ./make/photon/log/start.sh /usr/local/bin/
-RUN chmod +x /usr/local/bin/start.sh /etc/rsyslog.d/ && \
- chown -R 10000:10000 /etc/rsyslog.conf /etc/rsyslog.d/ /run /var/lib/logrotate/
+
+# remove the original "logrotate" in directory "/etc/periodic/daily/"
+# and copy the customized one to directory "/etc/periodic/hourly/"
+# to run logrotate hourly
+RUN rm /etc/periodic/daily/logrotate && \
+ chmod +x /usr/local/bin/start.sh /etc/rsyslog.d/ && \
+ chown -R 10000:10000 /etc/rsyslog.conf /run
 HEALTHCHECK CMD netstat -ltun|grep 10514
diff --git a/make/photon/log/Dockerfile.base b/make/photon/log/Dockerfile.base
index ab20227b6cf..0e0bb877888 100644
--- a/make/photon/log/Dockerfile.base
+++ b/make/photon/log/Dockerfile.base
@@ -1,7 +1,6 @@
-FROM photon:5.0
+FROM alpine:3.18
-RUN tdnf install -y cronie rsyslog logrotate shadow tar gzip sudo >> /dev/null\
+RUN apk add --no-cache tzdata shadow tar gzip sudo cronie rsyslog logrotate \
 && mkdir /var/spool/rsyslog \
- && groupadd -r -g 10000 syslog && useradd --no-log-init -r -g 10000 -u 10000 syslog \
- && tdnf clean all \
- && chage -M 99999 root
+ && groupadd -r -g 10000 syslog \
+ && useradd --no-log-init -r -g 10000 -u 10000 syslog
\ No newline at end of file
diff --git a/make/photon/nginx/Dockerfile.base b/make/photon/nginx/Dockerfile.base
index d6a18e543fc..014cc0bf803 100644
--- a/make/photon/nginx/Dockerfile.base
+++ b/make/photon/nginx/Dockerfile.base
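Review bot: The rewritten `RUN` no longer chowns `/etc/rsyslog.d/` or `/var/lib/logrotate/`, although `chmod +x /etc/rsyslog.d/` still targets that directory and the previous list implies the daemons run as uid 10000 (the `syslog` user from Dockerfile.base); if logrotate on this image keeps its state file under a root-owned path, the hourly rotation will fail on the first write. Please verify where Alpine's logrotate writes its status file and chown that path, e.g. restoring the earlier form `chown -R 10000:10000 /etc/rsyslog.conf /etc/rsyslog.d/ /run /var/lib/logrotate/` with the Alpine path substituted. The comment block above the `RUN` also says the customized logrotate is "copied" here, but that `COPY` now sits several lines earlier; move the comment next to the `COPY` or reword it to describe only the `rm`.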
@@ -1,7 +1,11 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-RUN tdnf install -y nginx shadow >> /dev/null \
- && tdnf clean all \
- && groupmod -g 10000 nginx && usermod -g 10000 -u 10000 -d /home/nginx -s /bin/bash nginx \
+# Install nginx and shadow (for groupmod and usermod commands)
+RUN apk add --no-cache shadow \
+ && groupadd -g 10000 nginx \
+ && useradd -g 10000 -u 10000 -d /home/nginx -s /bin/bash nginx \
+ && apk add --no-cache nginx \
+ && mkdir -p /home/nginx \
 && ln -sf /dev/stdout /var/log/nginx/access.log \
 && ln -sf /dev/stderr /var/log/nginx/error.log
diff --git a/make/photon/portal/Dockerfile.base b/make/photon/portal/Dockerfile.base
index 7d078696a6d..9baae7808c0 100644
--- a/make/photon/portal/Dockerfile.base
+++ b/make/photon/portal/Dockerfile.base
@@ -1,8 +1,11 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-RUN tdnf install -y nginx shadow >> /dev/null \
- && tdnf clean all \
+# Install nginx and shadow (for groupmod and usermod commands)
+RUN apk add --no-cache shadow \
+ && groupadd -g 10000 nginx \
+ && useradd -g 10000 -u 10000 -d /home/nginx -s /bin/bash nginx \
+ && apk add --no-cache nginx \
+ && mkdir -p /home/nginx \
 && ln -sf /dev/stdout /var/log/nginx/access.log \
- && ln -sf /dev/stderr /var/log/nginx/error.log \
- && groupmod -g 10000 nginx && usermod -g 10000 -u 10000 -d /home/nginx -s /bin/bash nginx \
- && chown -R nginx:nginx /etc/nginx
+ && ln -sf /dev/stderr /var/log/nginx/error.log
\ No newline at end of file
diff --git a/make/photon/prepare/Dockerfile.base b/make/photon/prepare/Dockerfile.base
index e88bbb7da06..134d05d1a2b 100644
--- a/make/photon/prepare/Dockerfile.base
+++ b/make/photon/prepare/Dockerfile.base
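Review bot: The nginx service account is created with `-s /bin/bash`, but no `bash` package is installed in this Alpine image, so the login shell points at a binary that does not exist; a service account should not have an interactive shell in any case, so use `useradd -g 10000 -u 10000 -d /home/nginx -s /sbin/nologin nginx` here and in the portal Dockerfile.base below. The portal file also drops the former `chown -R nginx:nginx /etc/nginx`; if the portal container runs nginx as uid 10000 and writes a generated config under `/etc/nginx` at start-up (not visible in this diff), that write now fails, so please confirm against the entrypoint. Creating the user before `apk add nginx` is presumably deliberate so the package does not claim a different uid, and the comment above the `RUN` (which still talks about `groupmod`/`usermod`) should say so.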
@@ -1,8 +1,15 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-RUN tdnf install -y python3 python3-pip python3-PyYAML python3-jinja2 && tdnf clean all
+# Install Python 3, pip, PyYAML, Jinja2, and necessary tools
+RUN apk add --no-cache \
+ python3 \
+ py3-pip \
+ py3-yaml \
+ py3-jinja2
+
+# Install a specific version of pipenv
 RUN pip3 install pipenv==2022.1.8
-#To install only htpasswd binary from photon package httpd
-RUN tdnf install -y rpm cpio apr-util
-RUN tdnf -y --downloadonly --downloaddir=/tmp/ install httpd && rpm2cpio /tmp/httpd-*.rpm | cpio -ivdm ./usr/bin/htpasswd && rm -f /tmp/*
+# Install only the htpasswd binary from the apache2-utils package
+RUN apk add --no-cache apache2-utils
diff --git a/make/photon/redis/Dockerfile.base b/make/photon/redis/Dockerfile.base
index 331306bd8ee..525fd38b3e7 100644
--- a/make/photon/redis/Dockerfile.base
+++ b/make/photon/redis/Dockerfile.base
@@ -1,6 +1,9 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-RUN tdnf install -y shadow >> /dev/null \
+# Install shadow (for groupadd and useradd commands) and redis
+RUN apk add --no-cache shadow \
+ && groupdel ping \
 && groupadd -g 999 redis \
- && useradd -u 999 -g 999 -c "Redis Database Server" -d /var/lib/redis -s /sbin/nologin -m redis
-RUN tdnf install -y redis && tdnf clean all
+ && useradd -u 999 -g 999 -c "Redis Database Server" -d /var/lib/redis -s /sbin/nologin -m redis \
+ && apk add --no-cache redis
\ No newline at end of file
diff --git a/make/photon/registry/Dockerfile b/make/photon/registry/Dockerfile
index f6565ff386e..525414a07c6 100644
--- a/make/photon/registry/Dockerfile
+++ b/make/photon/registry/Dockerfile
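Review bot: The comment `# Install only the htpasswd binary from the apache2-utils package` contradicts the command under it, which installs the whole `apache2-utils` package and every tool it ships, unlike the removed `rpm2cpio | cpio` extraction that really did pull out a single binary; either reword it to `# htpasswd comes from apache2-utils (the whole package is installed, unlike the former single-binary extraction)` or extract only the binary in a separate stage. The unchanged `RUN pip3 install pipenv==2022.1.8` now installs into the system site-packages of Alpine's distribution Python; if this image's pip enforces the externally-managed-environment check, the build fails here, so a test build on the new base is worth running before merge.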
@@ -1,13 +1,33 @@
 ARG harbor_base_image_version
 ARG harbor_base_namespace
+ARG GOBUILDIMAGE
+FROM ${GOBUILDIMAGE} AS builder
+
+ARG REGISTRY_SRC_TAG
+ENV DISTRIBUTION_DIR=/go/src/github.com/docker
+ENV BUILDTAGS="include_oss include_gcs"
+ENV GO111MODULE=auto
+RUN mkdir -p $DISTRIBUTION_DIR
+COPY ./ /harbor
+
+WORKDIR $DISTRIBUTION_DIR
+ENV CGO_ENABLED=0
+RUN git clone -b $REGISTRY_SRC_TAG https://github.com/distribution/distribution.git \
+ && cd distribution \
+ && git apply /harbor/make/photon/registry/redis.patch \
+ && mkdir -p binary \
+ && make PREFIX=/go clean binaries
+
+
+
 FROM ${harbor_base_namespace}/harbor-registry-base:${harbor_base_image_version}
 COPY ./make/photon/common/install_cert.sh /home/harbor
 COPY ./make/photon/registry/entrypoint.sh /home/harbor
-COPY ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC
+COPY --from=builder /go/src/github.com/docker/distribution/bin/registry /usr/bin/registry_DO_NOT_USE_GC
+COPY --from=builder /go/src/github.com/docker/distribution/cmd/registry/config-example.yml /etc/registry/config.yml
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
- && chown harbor:harbor /home/harbor/entrypoint.sh && chmod u+x /home/harbor/entrypoint.sh \
+RUN chown harbor:harbor /home/harbor/entrypoint.sh && chmod u+x /home/harbor/entrypoint.sh \
 && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \
 && chown harbor:harbor /usr/bin/registry_DO_NOT_USE_GC && chmod u+x /usr/bin/registry_DO_NOT_USE_GC
diff --git a/make/photon/registry/Dockerfile.base b/make/photon/registry/Dockerfile.base
index 3c4a465e6ac..b31101cdf7f 100644
--- a/make/photon/registry/Dockerfile.base
+++ b/make/photon/registry/Dockerfile.base
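Review bot: The builder stage clones `https://github.com/distribution/distribution.git` at `-b $REGISTRY_SRC_TAG` over the network on every image build with no commit pin, checksum or signature check, and the previously configurable `DISTRIBUTION_SRC` is gone, so a moved tag or a compromised upstream silently changes what lands in `/usr/bin/registry_DO_NOT_USE_GC`. Pin the source to a full commit hash supplied as a second build arg (say `REGISTRY_SRC_COMMIT`, a name constructed here) and verify it after the clone, e.g. `&& test "$(git -C distribution rev-parse HEAD)" = "$REGISTRY_SRC_COMMIT"`, or vendor a tarball with a recorded digest; either gives the build a reproducible, auditable input. `ENV DISTRIBUTION_DIR=/go/src/github.com/docker` also differs from the deleted Dockerfile.binary, where the path ended in `/distribution`; the `COPY --from=builder` lines account for that, but a one-line comment would spare the next reader the comparison.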
@@ -1,6 +1,8 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-RUN tdnf install -y shadow >> /dev/null \
- && tdnf clean all \
+# Install shadow (for groupadd and useradd commands)
+RUN apk add --no-cache shadow \
 && mkdir -p /etc/registry \
- && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor
+ && groupadd -r -g 10000 harbor \
+ && useradd -r -g 10000 -u 10000 -d /home/harbor -m -s /sbin/nologin harbor
\ No newline at end of file
diff --git a/make/photon/registry/Dockerfile.binary b/make/photon/registry/Dockerfile.binary
deleted file mode 100644
index cdc312e038d..00000000000
--- a/make/photon/registry/Dockerfile.binary
+++ /dev/null
@@ -1,10 +0,0 @@
-FROM golang:1.23.2
-
-ENV DISTRIBUTION_DIR /go/src/github.com/docker/distribution
-ENV BUILDTAGS include_oss include_gcs
-ENV GO111MODULE auto
-
-WORKDIR $DISTRIBUTION_DIR
-COPY . $DISTRIBUTION_DIR
-
-RUN CGO_ENABLED=0 make PREFIX=/go clean binaries
diff --git a/make/photon/registry/builder b/make/photon/registry/builder
deleted file mode 100755
index 0c254cbf7bb..00000000000
--- a/make/photon/registry/builder
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/bash
-
-set +e
-
-if [ -z $1 ]; then
- error "Please set the 'version' variable"
- exit 1
-fi
-
-if [ -z $2 ]; then
- error "Please set the 'distribution_src' variable"
- exit 1
-fi
-
-VERSION="$1"
-DISTRIBUTION_SRC="$2"
-
-set -e
-
-# the temp folder to store binary file...
-mkdir -p binary
-rm -rf binary/registry || true
-
-cd `dirname $0`
-cur=$PWD
-
-# the temp folder to store distribution source code...
-TEMP=`mktemp -d ${TMPDIR-/tmp}/distribution.XXXXXX`
-git clone -b $VERSION $DISTRIBUTION_SRC $TEMP
-
-# add patch redis
-cd $TEMP
-git apply $cur/redis.patch
-cd $cur
-
-echo 'build the registry binary ...'
-cp Dockerfile.binary $TEMP
-docker build -f $TEMP/Dockerfile.binary -t registry-golang $TEMP
-
-echo 'copy the registry binary to local...'
-ID=$(docker create registry-golang)
-docker cp $ID:/go/src/github.com/docker/distribution/bin/registry binary/registry
-
-docker rm -f $ID
-docker rmi -f registry-golang
-
-echo "Build registry binary success, then to build photon image..."
-cd $cur
-cp $TEMP/cmd/registry/config-example.yml config.yml
-rm -rf $TEMP
diff --git a/make/photon/registryctl/Dockerfile b/make/photon/registryctl/Dockerfile
index b4733df9083..373025c0f18 100644
--- a/make/photon/registryctl/Dockerfile
+++ b/make/photon/registryctl/Dockerfile
@@ -1,14 +1,38 @@
 ARG harbor_base_image_version
 ARG harbor_base_namespace
+ARG GOBUILDIMAGE
+FROM ${GOBUILDIMAGE} AS builder
+COPY ./ /harbor
+ENV CGO_ENABLED=0
+RUN apt update \
+ && apt install -y make \
+ && cd /harbor \
+ && make registryctl
+
+ARG REGISTRY_SRC_TAG
+ENV DISTRIBUTION_DIR=/go/src/github.com/docker
+ENV BUILDTAGS="include_oss include_gcs"
+ENV GO111MODULE=auto
+
+
+WORKDIR $DISTRIBUTION_DIR
+
+RUN git clone -b $REGISTRY_SRC_TAG https://github.com/distribution/distribution.git \
+ && cd distribution \
+ && git apply /harbor/make/photon/registry/redis.patch \
+ && mkdir -p binary \
+ && make PREFIX=/go clean binaries
+
+
+
 FROM ${harbor_base_namespace}/harbor-registryctl-base:${harbor_base_image_version}
-COPY ./make/photon/common/install_cert.sh /home/harbor
-COPY ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC
-COPY ./make/photon/registryctl/start.sh /home/harbor
-COPY ./make/photon/registryctl/harbor_registryctl /home/harbor
+COPY --from=builder /harbor/make/photon/common/install_cert.sh /home/harbor
+COPY --from=builder /go/src/github.com/docker/distribution/bin/registry /usr/bin/registry_DO_NOT_USE_GC
+COPY --from=builder /harbor/make/photon/registryctl/start.sh /home/harbor
+COPY --from=builder /harbor/make/photon/registryctl/harbor_registryctl /home/harbor
-RUN chown -R harbor:harbor /etc/pki/tls/certs \
- && chown harbor:harbor /home/harbor/harbor_registryctl && chmod u+x /home/harbor/harbor_registryctl \
+RUN chown harbor:harbor /home/harbor/harbor_registryctl && chmod u+x /home/harbor/harbor_registryctl \
 && chown harbor:harbor /usr/bin/registry_DO_NOT_USE_GC && chmod u+x /usr/bin/registry_DO_NOT_USE_GC \
 && chown harbor:harbor /home/harbor/start.sh && chmod u+x /home/harbor/start.sh \
 && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh
diff --git a/make/photon/registryctl/Dockerfile.base b/make/photon/registryctl/Dockerfile.base
index 09809d6d4cc..b31101cdf7f 100644
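Review bot: The registryctl builder stage repeats the entire clone-patch-build sequence for distribution from make/photon/registry/Dockerfile, so the registry binary is compiled twice per release and the two copies drift as soon as one file is edited without the other. Take the binary from the already-built registry image instead, `COPY --from=<registry image>:<tag> /usr/bin/registry_DO_NOT_USE_GC /usr/bin/registry_DO_NOT_USE_GC` (placeholders for the image reference the Makefile derives), or factor the build into a shared stage; the unpinned-tag concern raised on the registry Dockerfile applies to this clone as well. Minor: `ARG REGISTRY_SRC_TAG` and the three `ENV` lines sit between the `make registryctl` step and the clone that uses them, which is legal but reads as if they belonged to the first step; group them directly above the `git clone`.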
--- a/make/photon/registryctl/Dockerfile.base
+++ b/make/photon/registryctl/Dockerfile.base
@@ -1,6 +1,8 @@
-FROM photon:5.0
+# Use Alpine as the base image
+FROM alpine:3.18
-RUN tdnf install -y shadow >> /dev/null \
- && tdnf clean all \
- && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor \
- && mkdir -p /etc/registry
+# Install shadow (for groupadd and useradd commands)
+RUN apk add --no-cache shadow \
+ && mkdir -p /etc/registry \
+ && groupadd -r -g 10000 harbor \
+ && useradd -r -g 10000 -u 10000 -d /home/harbor -m -s /sbin/nologin harbor
\ No newline at end of file
diff --git a/make/photon/trivy-adapter/Dockerfile b/make/photon/trivy-adapter/Dockerfile
index 5379c96aa3a..3423fc2cf9a 100644
--- a/make/photon/trivy-adapter/Dockerfile
+++ b/make/photon/trivy-adapter/Dockerfile
@@ -1,24 +1,41 @@
 ARG harbor_base_image_version
 ARG harbor_base_namespace
+ARG GOBUILDIMAGE
+FROM ${GOBUILDIMAGE} AS builder
+ARG TRIVYADAPTERVERSION
+ARG TRIVYVERSION
+ENV CGO_ENABLED=0
+RUN mkdir -p /go/src/github.com/aquasecurity
+WORKDIR /go/src/github.com/aquasecurity
+
+
+RUN git clone -b $TRIVYADAPTERVERSION https://github.com/aquasecurity/harbor-scanner-trivy.git \
+ && cd harbor-scanner-trivy/ \
+ && make build
+
+RUN git clone -b $TRIVYVERSION https://github.com/aquasecurity/trivy.git \
+ && cd trivy/ \
+ && go build -o trivy cmd/trivy/main.go
+
+
 FROM ${harbor_base_namespace}/harbor-trivy-adapter-base:${harbor_base_image_version}
 ARG trivy_version
 COPY ./make/photon/common/install_cert.sh /home/scanner
 COPY ./make/photon/trivy-adapter/entrypoint.sh /home/scanner
-COPY ./make/photon/trivy-adapter/binary/trivy /usr/local/bin/trivy
-COPY ./make/photon/trivy-adapter/binary/scanner-trivy /home/scanner/bin/scanner-trivy
+COPY --from=builder /go/src/github.com/aquasecurity/trivy/trivy /usr/local/bin/trivy
+COPY --from=builder /go/src/github.com/aquasecurity/harbor-scanner-trivy/scanner-trivy /home/scanner/bin/scanner-trivy
-RUN chown -R scanner:scanner /etc/pki/tls/certs \
- && chown scanner:scanner /home/scanner/entrypoint.sh && chmod u+x /home/scanner/entrypoint.sh \
+RUN chown scanner:scanner /home/scanner/entrypoint.sh && chmod u+x /home/scanner/entrypoint.sh \
 && chown scanner:scanner /usr/local/bin/trivy && chmod u+x /usr/local/bin/trivy \
 && chown scanner:scanner /home/scanner/bin/scanner-trivy && chmod u+x /home/scanner/bin/scanner-trivy \
 && chown scanner:scanner /home/scanner/install_cert.sh && chmod u+x /home/scanner/install_cert.sh
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl --fail -s http://localhost:8080/probe/healthy || curl -k --fail -s https://localhost:8443/probe/healthy || exit 1
-ENV TRIVY_VERSION=${trivy_version}
+ENV TRIVY_VERSION=${TRIVYVERSION}
 USER scanner
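Review bot: `ENV TRIVY_VERSION=${TRIVYVERSION}` in the final stage expands to an empty string: `ARG TRIVYVERSION` is declared only inside the builder stage, build args are scoped to the stage that declares them, and the final stage still declares the old `ARG trivy_version` that the Makefile no longer passes. Replace the final stage's `ARG trivy_version` with `ARG TRIVYVERSION` so the version actually reaches the runtime environment. The builder also clones `aquasecurity/harbor-scanner-trivy` while the deleted builder.sh cloned `goharbor/harbor-scanner-trivy`; GitHub follows renames, but the build should reference whichever location is canonical today, and both clones share the unpinned-tag concern raised on the registry Dockerfile. The two `git clone` steps also need a comment stating why Trivy is compiled from source rather than taken from its published release archives, since that decision changes who vouches for the binary.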
diff --git a/make/photon/trivy-adapter/Dockerfile.base b/make/photon/trivy-adapter/Dockerfile.base
index 41a6bb740ab..c698ee0e9f8 100644
--- a/make/photon/trivy-adapter/Dockerfile.base
+++ b/make/photon/trivy-adapter/Dockerfile.base
@@ -1,6 +1,9 @@
-FROM photon:5.0
-
-RUN tdnf install -y rpm shadow >> /dev/null \
- && tdnf clean all \
+# Use Alpine as the base image
+FROM alpine:3.18
+USER root
+# Install shadow (for groupadd and useradd commands)
+RUN apk add --no-cache shadow \
+ && mkdir -p /etc/registry \
 && groupadd -r -g 10000 scanner \
- && useradd --no-log-init -m -r -g 10000 -u 10000 scanner
+ && useradd -r -g 10000 -u 10000 -d /home/harbor -m -s /sbin/nologin scanner \
+ && mkdir /home/scanner/bin/ -p
diff --git a/make/photon/trivy-adapter/Dockerfile.binary b/make/photon/trivy-adapter/Dockerfile.binary
deleted file mode 100644
index 61bfdeef081..00000000000
--- a/make/photon/trivy-adapter/Dockerfile.binary
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM golang:1.23.2
-
-ADD . /go/src/github.com/goharbor/harbor-scanner-trivy/
-WORKDIR /go/src/github.com/goharbor/harbor-scanner-trivy/
-
-RUN export GOOS=linux GO111MODULE=on CGO_ENABLED=0 && \
- go build -o scanner-trivy cmd/scanner-trivy/main.go
diff --git a/make/photon/trivy-adapter/builder.sh b/make/photon/trivy-adapter/builder.sh
deleted file mode 100755
index eba579960b2..00000000000
--- a/make/photon/trivy-adapter/builder.sh
+++ /dev/null
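Review bot: The `scanner` user is created with `-d /home/harbor`, which looks copied from the registry base file: its home becomes `/home/harbor` while the adapter Dockerfile installs everything under `/home/scanner`, and the trailing `mkdir /home/scanner/bin/ -p` leaves that tree owned by root with only the individual files chowned later. Use `useradd -r -g 10000 -u 10000 -d /home/scanner -m -s /sbin/nologin scanner` so `-m` creates the right home, then `mkdir -p /home/scanner/bin && chown scanner:scanner /home/scanner/bin`. `mkdir -p /etc/registry` has no role in the trivy-adapter image and `USER root` is already the default at that point; both can go.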
@@ -1,35 +0,0 @@
-#!/bin/bash
-
-set +e
-
-if [ -z $1 ]; then
- error "Please set the 'version' variable"
- exit 1
-fi
-
-VERSION="$1"
-
-set -e
-
-cd $(dirname $0)
-cur=$PWD
-
-# The temporary directory to clone Trivy adapter source code
-TEMP=$(mktemp -d ${TMPDIR-/tmp}/trivy-adapter.XXXXXX)
-git clone https://github.com/goharbor/harbor-scanner-trivy.git $TEMP
-cd $TEMP; git checkout $VERSION; cd -
-
-echo "Building Trivy adapter binary based on golang:1.23.2..."
-cp Dockerfile.binary $TEMP
-docker build -f $TEMP/Dockerfile.binary -t trivy-adapter-golang $TEMP
-
-echo "Copying Trivy adapter binary from the container to the local directory..."
-ID=$(docker create trivy-adapter-golang)
-docker cp $ID:/go/src/github.com/goharbor/harbor-scanner-trivy/scanner-trivy binary
-
-docker rm -f $ID
-docker rmi -f trivy-adapter-golang
-
-echo "Building Trivy adapter binary finished successfully"
-cd $cur
-rm -rf $TEMP