initial

Dockerfile

@@ -0,0 +1,182 @@
+FROM rockylinux:8.6 AS php-build
+
+RUN dnf -y install dnf-plugins-core
+RUN yum -y install epel-release
+RUN dnf config-manager --set-enabled powertools
+RUN yum -y update && yum -y install \
+        autoconf \
+        bison \
+        gcc \
+        httpd-devel \
+        libargon2-devel \
+        libcurl-devel \
+        libedit-devel \
+        libsodium-devel \
+        libxml2-devel \
+        libxslt-devel \
+        make \
+        mariadb-devel \
+        oniguruma-devel \
+        openldap-devel \
+        openssl-devel \
+        postgresql-devel \
+        re2c \
+        sqlite-devel \
+        findutils \
+        wget
+
+WORKDIR /usr/local/src
+
+ARG PHP_VERSION=7.4.30
+ARG PHP_SRC_URL=https://github.com/php/php-src/archive/php-${PHP_VERSION}.tar.gz
+
+RUN mkdir php-src \
+        && wget -O php-src.tar.gz ${PHP_SRC_URL} \
+        && tar zxf php-src.tar.gz -C php-src --strip-components=1 \
+        && rm php-src.tar.gz
+
+ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV PHP_CPPFLAGS="$PHP_CFLAGS"
+ENV PHP_LDFLAGS="-Wl,-O1 -Wl,--hash-style=both -pie"
+
+RUN cd php-src \
+        && ./buildconf --force \
+        && ./configure \
+            --disable-cgi \
+            --enable-mbstring \
+            --enable-mysqlnd \
+            --with-apxs2=/usr/bin/apxs \
+            --with-config-file-path=/usr/local/etc/php \
+            --with-config-file-scan-dir=/usr/local/etc/php/conf.d \
+            --with-curl \
+            --with-ldap \
+            --with-libdir=lib64 \
+            --with-libedit \
+            --with-mysqli \
+            --with-openssl \
+            --with-password-argon2 \
+            --with-pdo-mysql \
+            --with-pdo-pgsql \
+            --with-pgsql \
+            --with-sodium \
+            --with-xsl \
+            --with-zlib \
+        && export CFLAGS="$PHP_CFLAGS" \
+        && export CPPFLAGS="$PHP_CPPFLAGS" \
+        && export LDFLAGS="$PHP_LDFLAGS" \
+        && make -j "$(nproc)" \
+        && make install 
+
+FROM i2incommon/shibboleth_sp:3.4.0_02092023_rocky8_multiarch
+
+RUN rm -f /etc/yum.repos.d/security:shibboleth.repo
+RUN dnf -y install dnf-plugins-core && dnf config-manager --set-enabled powertools
+RUN yum -y update && yum -y install \
+        libedit-devel \
+        autoconf \
+        bison \
+        gcc \
+        httpd-devel \
+        libargon2-devel \
+        libcurl-devel \
+        libsodium-devel \
+        libxml2-devel \
+        libxslt-devel \
+        make \
+        mariadb-devel \
+        oniguruma-devel \
+        openldap-devel \
+        openssl-devel \
+        postgresql-devel \
+        re2c \
+        wget \
+        supervisor \
+    && yum clean -y all
+
+COPY --from=php-build /usr/lib64/httpd/modules/libphp7.so /usr/lib64/httpd/modules/
+COPY --from=php-build /usr/local/lib/php /usr/local/lib/php/
+COPY --from=php-build /usr/local/include/php /usr/local/include/php/
+COPY --from=php-build /usr/local/bin /usr/local/bin/
+
+RUN /usr/local/bin/php -v
+
+ARG COMANAGE_REGISTRY_VERSION=4.1.0
+ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/${COMANAGE_REGISTRY_VERSION}.tar.gz
+ENV COMANAGE_REGISTRY_VERSION ${COMANAGE_REGISTRY_VERSION}
+
+LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION}
+LABEL comanage_registry_src_url=${COMANAGE_REGISTRY_SRC_URL}
+
+ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry
+
+WORKDIR "$COMANAGE_REGISTRY_DIR"
+
+RUN mkdir -p "${COMANAGE_REGISTRY_DIR}" \
+        && wget -O comanage.tar.gz ${COMANAGE_REGISTRY_SRC_URL} \
+        && tar -zxf comanage.tar.gz -C ${COMANAGE_REGISTRY_DIR} --strip-components=1 \
+        && rm -f comanage.tar.gz \
+        && rm -f ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && cp -r ${COMANAGE_REGISTRY_DIR}/app/tmp.dist ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && cd /var/www/html \
+        && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \
+        && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* \
+        && ln -s ${COMANAGE_REGISTRY_DIR}/local /local 
+
+COPY container_files/httpd/000-comanage.conf /etc/httpd/conf.d/
+COPY container_files/httpd/10-php7.conf /etc/httpd/conf.modules.d/
+COPY container_files/httpd/php.conf /etc/httpd/conf.d/
+COPY container_files/system/supervisord.conf /usr/local/etc/supervisord.conf
+COPY container_files/shibboleth/shibd.logger /etc/shibboleth/
+COPY container_files/shibboleth/native.logger /etc/shibboleth/
+COPY container_files/httpd/httpd.conf /etc/httpd/conf/
+COPY container_files/system/sendtierbeacon.sh /usr/local/bin/sendtierbeacon.sh
+COPY container_files/system/setupcron.sh /usr/local/bin/setupcron.sh
+
+RUN cd /etc/httpd/conf.d \
+    && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf \
+    && cd /etc/httpd \
+    && ln -s /etc/pki/tls/certs/localhost.crt cert.pem \
+    && ln -s /etc/pki/tls/private/localhost.key privkey.pem \
+    && chmod 755 /usr/local/bin/sendtierbeacon.sh \
+    && chmod 755 /usr/local/bin/setupcron.sh \
+    && /usr/local/bin/setupcron.sh
+
+# Allow values for first administrator bootstrapped into the
+# platform to be specified at image build time, in addition to
+# being injected at run time through the entrypoint script.
+ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME
+ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME
+ARG COMANAGE_REGISTRY_ADMIN_USERNAME
+ARG COMANAGE_REGISTRY_ENABLE_POOLING
+
+# Set simple defaults for first administrator bootstrapped into the
+# platform to make simple evaluation of the platform easier.
+ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry}
+ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin}
+ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin}
+ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No}
+
+EXPOSE 80 443
+
+COPY container_files/system/docker-comanage-entrypoint /usr/local/bin/
+COPY container_files/system/docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/
+COPY container_files/system/docker-supervisord-entrypoint /usr/local/bin/
+
+# TIER Beacon Opt-out
+#
+# Completely uncomment the following ENV line to prevent the containers from
+# sending analytics information to Internet2.  With the default/release
+# configuration, it will only send product (Shibb/Grouper/COmanage) and version
+# (3.3.1-17040, etc) once daily between midnight and 4am.  There is no
+# configuration or private information collected or sent.  This data helps with
+# the scaling and funding of TIER.  Please do not disable it if you find the
+# TIER tools useful.  To keep it commented, keep multiple comments on the
+# following line (to prevent other scripts from processing it).
+#####     ENV TIER_BEACON_OPT_OUT True
+
+ENV TIER_RELEASE=20230215
+ENV TIER_MAINTAINER=i2incommon
+
+ENTRYPOINT ["docker-supervisord-entrypoint"]
+

container_files/httpd/000-comanage.conf

@@ -0,0 +1,86 @@
+# COmanage Registry Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Listen 443
+ServerName %%SERVER_NAME%%
+PassEnv ENV
+PassEnv USERTOKEN
+
+<VirtualHost *:80>
+ServerName http://%%SERVER_NAME%%:80
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
+</VirtualHost>
+
+<VirtualHost *:443>
+
+ServerName https://%%SERVER_NAME%%:443
+
+PassEnv ENV
+PassEnv USERTOKEN
+
+DocumentRoot /var/www/html
+
+RedirectMatch ^/$ /registry/
+
+ErrorLogFormat "httpd;ssl_error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
+ErrorLog /tmp/logpipe
+LogLevel warn
+
+LogFormat "httpd;ssl_access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined
+CustomLog /tmp/logpipe ssl_combined
+
+Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+SSLEngine on
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLHonorCipherOrder on
+
+SSLCertificateFile /etc/httpd/cert.pem
+SSLCertificateKeyFile /etc/httpd/privkey.pem
+
+<Directory /var/www/html/registry>
+Options Indexes FollowSymLinks
+DirectoryIndex index.php
+AllowOverride All
+Require all granted
+</Directory>
+
+<Location "/Shibboleth.sso">
+SetHandler shib
+</Location>
+
+<Directory /var/www/html/registry/auth/login>
+AuthType shibboleth
+ShibRequestSetting requireSession 1
+Require valid-user
+</Directory>
+
+<Location />
+AuthType shibboleth
+Require shibboleth
+</Location>
+
+RewriteEngine On
+RewriteCond %{QUERY_STRING} !after_redirect
+RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R]
+
+</VirtualHost>

container_files/httpd/10-php7.conf

@@ -0,0 +1,3 @@
+<IfModule prefork.c>
+  LoadModule php7_module modules/libphp7.so
+</IfModule>

container_files/httpd/httpd.conf

@@ -0,0 +1,74 @@
+# COmanage Registry Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ServerRoot "/etc/httpd"
+Listen 80
+Include conf.modules.d/*.conf
+User apache
+Group apache
+ServerAdmin root@localhost
+
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+DocumentRoot "/var/www/html"
+
+<Directory "/var/www">
+    AllowOverride None
+    # Allow open access:
+    Require all granted
+</Directory>
+
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+DirectoryIndex index.html
+
+<Files ".ht*">
+    Require all denied
+</Files>
+
+PassEnv ENV
+PassEnv USERTOKEN
+
+ErrorLogFormat "httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
+ErrorLog "/tmp/logpipe"
+LogLevel warn
+
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+CustomLog "/tmp/logpipe" combined
+
+TypesConfig /etc/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+AddType text/html .shtml
+AddOutputFilter INCLUDES .shtml
+
+AddDefaultCharset UTF-8
+
+MIMEMagicFile conf/magic
+
+EnableSendfile on
+
+IncludeOptional conf.d/*.conf

container_files/httpd/php.conf

@@ -0,0 +1,10 @@
+<FilesMatch \.php$>
+    SetHandler application/x-httpd-php
+</FilesMatch>
+
+AddType text/html .php
+
+DirectoryIndex index.php
+
+#php_value session.save_handler "files"
+#php_value session.save_path    "/var/lib/php/session"