000-comanage.conf

@@ -18,51 +18,30 @@
 # limitations under the License.
 
 Listen 443
-ServerName %%SERVER_NAME%%
+ServerName ${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN}
 PassEnv ENV
 PassEnv USERTOKEN
 
-<VirtualHost *:80>
-ServerName http://%%SERVER_NAME%%:80
-RewriteEngine On
-RewriteCond %{HTTPS} off
-RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
-</VirtualHost>
+Include apache-include-virtual-host-port80-redirect
 
 <VirtualHost *:443>
 
-ServerName https://%%SERVER_NAME%%:443
+Include apache-include-virtual-host-port443-base
+
+SSLCertificateFile /etc/httpd/cert.pem
+SSLCertificateKeyFile /etc/httpd/privkey.pem
 
 PassEnv ENV
 PassEnv USERTOKEN
 
-DocumentRoot /var/www/html
-
-RedirectMatch ^/$ /registry/
-
 ErrorLogFormat "httpd;ssl_error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
 ErrorLog /tmp/logpipe
 LogLevel warn
 
 LogFormat "httpd;ssl_access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined
 CustomLog /tmp/logpipe ssl_combined
 
-Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
-
-SSLEngine on
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-SSLHonorCipherOrder on
-
-SSLCertificateFile /etc/httpd/cert.pem
-SSLCertificateKeyFile /etc/httpd/privkey.pem
-
-<Directory /var/www/html/registry>
-Options Indexes FollowSymLinks
-DirectoryIndex index.php
-AllowOverride All
-Require all granted
-</Directory>
+Include apache-include-directory-registry
 
 <Location "/Shibboleth.sso">
 SetHandler shib
@@ -81,6 +60,6 @@ Require shibboleth
 
 RewriteEngine On
 RewriteCond %{QUERY_STRING} !after_redirect
-RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R]
+RewriteRule ^/registry/auth/logout.* https://%{HTTP_HOST}/Shibboleth.sso/Logout?return=https://%{HTTP_HOST}/registry/auth/logout/?after_redirect [L,R]
 
 </VirtualHost>

Dockerfile

@@ -16,73 +16,32 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM centos:centos7 AS php-build
+ARG COMANAGE_REGISTRY_VERSION=3.2.2
+ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION=20191108
+ARG COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=3.2.2-20191108
 
-RUN yum -y install epel-release
+FROM tier/comanage-registry-base:${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} AS comanage
 
-RUN yum -y update && yum -y install \
-        autoconf \
-        bison \
-        gcc \
-        httpd-devel \
-        libargon2-devel \
-        libcurl-devel \
-        libedit-devel \
-        libsodium-devel \
-        libxml2-devel \
-        libxslt-devel \
-        make \
-        mariadb-devel \
-        openldap-devel \
-        openssl-devel \
-        postgresql-devel \
-        re2c \
-        wget
-
-WORKDIR /usr/local/src
-
-ARG PHP_VERSION=7.2.5
-ARG PHP_SRC_URL=https://github.com/php/php-src/archive/php-${PHP_VERSION}.tar.gz
-
-RUN mkdir php-src \
-        && wget -O php-src.tar.gz ${PHP_SRC_URL} \
-        && tar zxf php-src.tar.gz -C php-src --strip-components=1 \
-        && rm php-src.tar.gz
-
-ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
-ENV PHP_CPPFLAGS="$PHP_CFLAGS"
-ENV PHP_LDFLAGS="-Wl,-O1 -Wl,--hash-style=both -pie"
-
-RUN cd php-src \
-        && ./buildconf --force \
-        && ./configure \
-            --disable-cgi \
-            --enable-mbstring \
-            --enable-mysqlnd \
-            --with-apxs2=/usr/bin/apxs \
-            --with-config-file-path=/usr/local/etc/php \
-            --with-config-file-scan-dir=/usr/local/etc/php/conf.d \
-            --with-curl \
-            --with-ldap \
-            --with-libdir=lib64 \
-            --with-libedit \
-            --with-mysqli \
-            --with-openssl \
-            --with-password-argon2 \
-            --with-pdo-mysql \
-            --with-pdo-pgsql \
-            --with-pgsql \
-            --with-sodium \
-            --with-xsl \
-            --with-zlib \
-        && export CFLAGS="$PHP_CFLAGS" \
-        && export CPPFLAGS="$PHP_CPPFLAGS" \
-        && export LDFLAGS="$PHP_LDFLAGS" \
-        && make -j "$(nproc)" \
-        && make install 
+FROM tier/comanage-registry-internet2-tier-base:${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} AS php-build
 
 FROM centos:centos7
 
+ARG COMANAGE_REGISTRY_VERSION
+ENV COMANAGE_REGISTRY_VERSION ${COMANAGE_REGISTRY_VERSION}
+LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION}
+
+ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION
+ENV COMANAGE_REGISTRY_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}
+LABEL comanage_registry_base_image_version=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}
+
+ARG COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION
+ENV COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION}
+LABEL comanage_registry_i2_base_image_version=${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION}
+
+ARG COMANAGE_REGISTRY_DIR
+ENV COMANAGE_REGISTRY_DIR ${COMANAGE_REGISTRY_DIR:-/srv/comanage-registry}
+LABEL comanage_registry_dir=${COMANAGE_REGISTRY_DIR}
+
 RUN yum -y install epel-release
 
 COPY shibboleth.repo /etc/yum.repos.d/
@@ -101,6 +60,7 @@ RUN yum -y update && yum -y install \
         postgresql \
         python-pip \
         shibboleth \
+        sudo \
         wget \
         zlib \
     && pip install --upgrade pip \
@@ -112,28 +72,13 @@ COPY --from=php-build /usr/local/lib/php /usr/local/lib/php/
 COPY --from=php-build /usr/local/include/php /usr/local/include/php/
 COPY --from=php-build /usr/local/bin /usr/local/bin/
 
-ARG COMANAGE_REGISTRY_VERSION=3.1.1
-ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/${COMANAGE_REGISTRY_VERSION}.tar.gz
-ENV COMANAGE_REGISTRY_VERSION ${COMANAGE_REGISTRY_VERSION}
-
-LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION}
-LABEL comanage_registry_src_url=${COMANAGE_REGISTRY_SRC_URL}
-
-ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry
-
-WORKDIR "$COMANAGE_REGISTRY_DIR"
-
-RUN mkdir -p "${COMANAGE_REGISTRY_DIR}" \
-        && wget -O comanage.tar.gz ${COMANAGE_REGISTRY_SRC_URL} \
-        && tar -zxf comanage.tar.gz -C ${COMANAGE_REGISTRY_DIR} --strip-components=1 \
-        && rm -f comanage.tar.gz \
-        && rm -f ${COMANAGE_REGISTRY_DIR}/app/tmp \
-        && cp -r ${COMANAGE_REGISTRY_DIR}/app/tmp.dist ${COMANAGE_REGISTRY_DIR}/app/tmp \
-        && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp \
-        && cd /var/www/html \
-        && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \
-        && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* \
-        && ln -s ${COMANAGE_REGISTRY_DIR}/local /local 
+COPY --from=comanage ${COMANAGE_REGISTRY_DIR} ${COMANAGE_REGISTRY_DIR}/
+COPY --from=comanage /etc/apache2/apache-include-directory-registry /etc/httpd/
+COPY --from=comanage /etc/apache2/apache-include-virtual-host-port443-base /etc/httpd/
+COPY --from=comanage /etc/apache2/apache-include-virtual-host-port80-redirect /etc/httpd/
+COPY --from=comanage /usr/local/lib/comanage_utils.sh /usr/local/lib/
+COPY --from=comanage /usr/local/lib/comanage_shibboleth_sp_utils.sh /usr/local/lib/
+COPY --from=comanage /usr/local/bin/docker-comanage-entrypoint /usr/local/bin/
 
 COPY 000-comanage.conf /etc/httpd/conf.d/
 COPY 10-php7.conf /etc/httpd/conf.modules.d/
@@ -144,6 +89,9 @@ COPY native.logger /etc/shibboleth/
 COPY httpd.conf /etc/httpd/conf/
 COPY sendtierbeacon.sh /usr/local/bin/sendtierbeacon.sh
 COPY setupcron.sh /usr/local/bin/setupcron.sh
+COPY docker-comanage-entrypoint /usr/local/bin/
+COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/
+COPY docker-supervisord-entrypoint /usr/local/bin/
 
 RUN cd /etc/httpd/conf.d \
     && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf \
@@ -152,7 +100,12 @@ RUN cd /etc/httpd/conf.d \
     && ln -s /etc/pki/tls/private/localhost.key privkey.pem \
     && chmod 755 /usr/local/bin/sendtierbeacon.sh \
     && chmod 755 /usr/local/bin/setupcron.sh \
-    && /usr/local/bin/setupcron.sh
+    && /usr/local/bin/setupcron.sh \
+    && cd /var/www/html \
+    && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \
+    && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* \
+    && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp \
+    && rm -f /etc/shibboleth/shibboleth2.xml
 
 # Allow values for first administrator bootstrapped into the
 # platform to be specified at image build time, in addition to
@@ -169,15 +122,9 @@ ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-A
 ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin}
 ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No}
 
-EXPOSE 80 443
-
-VOLUME ["/srv/comanage-registry/local"]
-
-VOLUME ["/etc/shibboleth"]
+VOLUME ${COMANAGE_REGISTRY_DIR}/local /etc/shibboleth
 
-COPY docker-comanage-entrypoint /usr/local/bin/
-COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/
-COPY docker-supervisord-entrypoint /usr/local/bin/
+EXPOSE 80 443
 
 # TIER Beacon Opt-out
 #
@@ -191,7 +138,7 @@ COPY docker-supervisord-entrypoint /usr/local/bin/
 # following line (to prevent other scripts from processing it).
 #####     ENV TIER_BEACON_OPT_OUT True
 
-ENV TIER_RELEASE=180801
+ENV TIER_RELEASE=180501
 ENV TIER_MAINTAINER=tier
 
 ENTRYPOINT ["docker-supervisord-entrypoint"]

Jenkinsfile

@@ -4,7 +4,7 @@ pipeline {
         maintainer = "t"
         imagename = 'g'
         tag = 'l'
-        version='3.1.1'
+        version='3.2.0-rc1'
     }
     stages {
         stage('Setting build context') {
@@ -34,7 +34,7 @@ pipeline {
             steps {
                 script {
                    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
-                      def baseImg = docker.build("$maintainer/$imagename", "--build-arg COMANAGE_REGISTRY_VERSION=$version .")
+                      def baseImg = docker.build("$maintainer/$imagename", "--no-cache --build-arg COMANAGE_REGISTRY_VERSION=$version .")
                       baseImg.push("$tag")
                    }
                }