nicholasamorim / ansible-role-harbor

An Ansible Role that installs Harbor.
MIT License

Too permissive permissions? #4

Closed ghost closed 5 years ago

ghost commented 5 years ago

By default, things are created with "mode": "0755". This could be changed to 0750, I believe.

nicholasamorim commented 5 years ago

I'll try this today.

I'm having quite the struggle with permissions on Harbor, because if I set user/gid 10000 to own the files but don't open the permissions, then Nginx has trouble reading nginx/nginx.conf.

I'm doing a fresh run on this playbook today, so I'll test this.

Thank you for opening this issue!

ghost commented 5 years ago

I ran the playbook with become (sudo) and got the site online and running. I am still solving a few things on my side with the user creation, so I have not tested the other functionality yet. I changed the permissions there:

- name: "Creating Harbor directory... ({{ harbor_install_dir }}/harbor)"
  file:
    path: "{{ harbor_install_dir }}"
    state: directory
    mode: 0750
  when:
    - not harbor_folder_st.stat.exists or (harbor_folder_st.stat.isdir is defined and not harbor_folder_st.stat.isdir)

- name: "Uncompressing Harbor installer..."
  unarchive:
    remote_src: True
    src: /tmp/harbor.tgz
    dest: "{{ harbor_install_dir }}"
    mode: 0750
    creates: "{{ harbor_install_dir }}/harbor"
  when:
    - not harbor_folder_st.stat.exists or (harbor_folder_st.stat.isdir is defined and not harbor_folder_st.stat.isdir)

nicholasamorim commented 5 years ago

I get it running, but when I stop and start it using docker-compose, nginx always complains. I just ran with 0750 and it went great, but as soon as I stop and start, nginx goes:

open() "/etc/nginx/nginx.conf" failed (13: Permission denied)

ghost commented 5 years ago

I see. Would it work if group: docker is added? Then the files are not root:root but root:docker.

- name: "Creating Harbor directory... ({{ harbor_install_dir }}/harbor)"
  file:
    path: "{{ harbor_install_dir }}"
    state: directory
    mode: 0750
    group: docker
  when:
    - not harbor_folder_st.stat.exists or (harbor_folder_st.stat.isdir is defined and not harbor_folder_st.stat.isdir)

- name: "Uncompressing Harbor installer..."
  unarchive:
    remote_src: True
    src: /tmp/harbor.tgz
    dest: "{{ harbor_install_dir }}"
    mode: 0750
    group: docker
    creates: "{{ harbor_install_dir }}/harbor"
  when:
    - not harbor_folder_st.stat.exists or (harbor_folder_st.stat.isdir is defined and not harbor_folder_st.stat.isdir)

nicholasamorim commented 5 years ago

I don't know, I will check. This seems to be a known issue of sorts as seen here: https://github.com/goharbor/harbor/issues/6412

nicholasamorim commented 5 years ago

0750 on group docker works fine except for nginx which complains about permission denied. Still investigating the best course of action on this.

nicholasamorim commented 5 years ago

I have changed it to be 0750 and group docker. But Nginx complains, so I have the more open permissions only for the nginx folder.

Marking this as resolved. I opened an issue on harbor to figure out what's correct: https://github.com/goharbor/harbor/issues/7188
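
The behaviour discussed in this thread, as an added example that is not code from this role or from Harbor: a model of the classic owner/group/other check showing why a root:docker 0750 tree is readable by a host user in the docker group but not by a container process whose numeric uid and gid match neither. All uids and gids below are constructed; the thread does not say which uid nginx runs as, and ACLs and root capabilities are not modelled.

```python
from dataclasses import dataclass

READ, SEARCH = 4, 1          # bits inside one rwx triplet

@dataclass(frozen=True)
class Node:
    owner: int               # numeric uid
    group: int               # numeric gid
    mode: int                # permission bits, e.g. 0o750

def allowed(node, uid, gids, want):
    """Exactly one triplet applies: owner, else group, else other."""
    if uid == node.owner:
        triplet = node.mode >> 6
    elif node.group in gids:
        triplet = node.mode >> 3
    else:
        triplet = node.mode
    return (triplet & 7 & want) == want

def can_read(chain, uid, gids):
    """chain = directories from the mount point down, then the file itself."""
    *dirs, leaf = chain
    return (all(allowed(d, uid, gids, SEARCH) for d in dirs)
            and allowed(leaf, uid, gids, READ))

# Constructed ids (assumptions, not taken from the thread).
ROOT_UID, DOCKER_GID = 0, 998
HOST_ADMIN = (1000, {1000, DOCKER_GID})   # host user in the docker group
CONTAINER_PROC = (4242, {4242})           # process inside the container

def layout(dir_mode, file_mode):
    """A config folder and a file inside it, both owned root:docker."""
    return [Node(ROOT_UID, DOCKER_GID, dir_mode),
            Node(ROOT_UID, DOCKER_GID, file_mode)]

def report():
    cases = {
        "0750 everywhere": layout(0o750, 0o750),
        "0755 on the nginx folder and file": layout(0o755, 0o755),
        "folder 0755, file 0750": layout(0o755, 0o750),
        "folder 0750, file 0755": layout(0o750, 0o755),
    }
    return {name: {"host_admin": can_read(chain, *HOST_ADMIN),
                   "container": can_read(chain, *CONTAINER_PROC)}
            for name, chain in cases.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:36} {result}")
```

Group membership is matched by numeric gid, so the host's docker group only helps a container process that actually carries that gid; otherwise the "other" bits on both the folder (search) and the file (read) decide.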