# Base image: `:latest` is not reproducible (whichever Server Core build the registry serves at
# build time), and the download hashes further down protect only the downloads, never the base
# layer. Pin an explicit tag — and for production a @sha256 digest — before trusting the result.
# NOTE(review): the Docker Hub `microsoft/windowsservercore` name has since been superseded by
# mcr.microsoft.com/windows/servercore; confirm this pull still resolves.
FROM microsoft/windowsservercore:latest
#settings
# Build-time versions. All of these are ENV, so they also persist into the running container's
# environment and are visible in `docker history` — fine here, none are secrets; keep it that way.
ENV JAVA_VERSION=8u151
# Oracle AutoDL bundle id used to build the JRE download URL below.
ENV JAVA_BUNDLE_ID=227552_e758a0de34e24606bca991d704f6dcbf
# Folder name the JRE installer creates; used for JAVA_HOME and the JCE policy copy below.
ENV JAVA_INSTALL_FOLDER=jre1.8.0_151
# `\ ` keeps the space inside the value: this file has no `# escape=` directive, so `\` is the
# Dockerfile escape character (which is also why the `\\` in the paths below collapse to one `\`).
ENV JAVA_OPTS=-XX:+UseG1GC\ -Xmx2000m
ENV TOMCAT_MAJOR_VERSION=8
ENV TOMCAT_VERSION=8.0.47
ENV CATALINA_HOME=c:\\Tomcat
ENV IDP_VERSION=3.3.2.0
###
# $JAVA_INSTALL_FOLDER is expanded at build time from the ENV above; it has to stay in an earlier
# instruction, because variables set in the same ENV line are not visible to each other.
ENV JAVA_INSTALL_CLI_STRING=INSTALLDIR=c:\\Java\\$JAVA_INSTALL_FOLDER
ENV JAVA_HOME=c:\\Java\\$JAVA_INSTALL_FOLDER
# Also persist JAVA_HOME at Machine scope (registry). `%JAVA_HOME%` is expanded by cmd.exe — the
# default Windows RUN shell — before PowerShell runs. Presumably so processes that do not inherit
# the container environment (e.g. the scheduled task registered further down) still find Java — confirm.
RUN powershell [Environment]::SetEnvironmentVariable('JAVA_HOME', '%JAVA_HOME%', [System.EnvironmentVariableTarget]::Machine )
# NOTE(review): not referenced by any instruction in this file (the IdP download/install lines spell
# the path out); it stays in the runtime environment, so something outside this file may rely on it.
ENV SHIB_INSTALL_FILE=C:\\shibboleth-identity-provider-$IDP_VERSION-x64.msi
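##install Java
# Download, verify and install the Oracle JRE in ONE layer. Previously download, install and
# `del` were three separate RUN steps, so the installer .exe deleted in the last step still lived
# in the download layer and shipped with the image; the commands themselves are unchanged.
# The fetch is plain http — the SHA-256 comparison is the integrity control, so the pinned hash
# must come from a trusted source and be re-derived on every version bump. `throw` makes
# powershell.exe exit non-zero, which fails the build. `%VAR%` tokens are expanded by cmd.exe
# (the default Windows RUN shell) before PowerShell sees the script; the trailing backtick before
# each `\` continuation is PowerShell's own line continuation and is harmless once Docker joins
# the lines.
# NOTE(review): the installer's exit code is not checked (-PassThru -Wait only waits), so a
# failed silent install would only surface later; installj64.log is left in the working directory.
RUN powershell (new-object System.Net.WebClient).Downloadfile('http://javadl.oracle.com/webapps/download/AutoDL?BundleId=%JAVA_BUNDLE_ID%', 'C:\jre-%JAVA_VERSION%-windows-x64.exe') ; ` \
    If ((Get-FileHash C:\jre-%JAVA_VERSION%-windows-x64.exe).Hash.ToLower() -eq '4378d712c510930d066bfa256b24e07dfea5ed31aa514afb7c7dd72fcce9bb68') { ` \
    start-process -filepath C:\jre-%JAVA_VERSION%-windows-x64.exe -passthru -wait -argumentlist '/s',%JAVA_INSTALL_CLI_STRING%,'/L','installj64.log' ` \
    } Else { throw 'bad hash comparison on Java download' } ; ` \
    Remove-Item -Force C:\jre-%JAVA_VERSION%-windows-x64.exe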
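##install Java Cryptography Extensions
# Fetch the Oracle "unlimited strength" JCE policy jars (the cookie asserts acceptance of Oracle's
# download licence) and drop them over the JRE's default ones. Done in ONE layer — zip download,
# SHA-256 check, extract, copy, then removal of both the zip and the extracted c:\jcepolicy folder.
# Previously the zip was deleted in a separate layer and the extracted folder was never removed,
# so both stayed in the image. Plain-http fetch; the hash comparison is the integrity control.
# NOTE(review): from 8u151 the JRE ships both policy sets and `crypto.policy=unlimited` in
# lib\security\java.security is the supported way to select the unlimited one (8u161 and later
# default to it); overwriting the jars still works on 8u151 but is the legacy route — confirm
# which is wanted when Java is next bumped.
RUN powershell ` \
    $ws = New-Object Microsoft.PowerShell.Commands.WebRequestSession ; ` \
    $c = New-Object System.Net.Cookie ; ` \
    $c.Name = 'oraclelicense' ; ` \
    $c.Value = 'accept-securebackup-cookie' ; ` \
    $c.Domain = 'oracle.com' ; ` \
    $ws.Cookies.Add($c) ; ` \
    Invoke-WebRequest 'http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip' -WebSession $ws -TimeoutSec 1000 -OutFile 'c:\jce_policy-8.zip' ; ` \
    If ((Get-FileHash c:\jce_policy-8.zip).Hash.ToLower() -eq 'f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59') { ` \
    Add-Type -AssemblyName System.IO.Compression.FileSystem ; [System.IO.Compression.ZipFile]::ExtractToDirectory('c:\jce_policy-8.zip', 'c:\jcepolicy') ; \
    copy -Force -Path c:\jcepolicy\UnlimitedJCEPolicyJDK8\local_policy.jar -Destination c:\Java\%JAVA_INSTALL_FOLDER%\lib\security ; copy -Force -Path c:\jcepolicy\UnlimitedJCEPolicyJDK8\US_export_policy.jar -Destination c:\Java\%JAVA_INSTALL_FOLDER%\lib\security ; \
    } Else { throw 'bad hash comparison on JCE download' } ; ` \
    Remove-Item -Force c:\jce_policy-8.zip ; Remove-Item -Recurse -Force c:\jcepolicy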
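##install Tomcat
# Download, verify and install in ONE layer so the installer .exe removed at the end does not
# survive in an earlier layer of the image; the commands themselves are unchanged. Plain-http
# fetch — integrity rests on the hash check.
# NOTE(review): the check is SHA-1, while Apache publishes SHA-512 sums and PGP signatures for
# Tomcat; prefer the stronger digest when the version is next bumped. www.apache.org/dist only
# carries current releases (superseded ones move to archive.apache.org), so a pinned old version
# will eventually stop resolving here, and the 8.0.x line has reached end of life — keep current.
# The installer's exit code is not checked (-PassThru -Wait only waits).
RUN powershell (new-object System.Net.WebClient).Downloadfile('http://www.apache.org/dist/tomcat/tomcat-%TOMCAT_MAJOR_VERSION%/v%TOMCAT_VERSION%/bin/apache-tomcat-%TOMCAT_VERSION%.exe', 'C:\apache-tomcat-%TOMCAT_VERSION%.exe') ; ` \
    If ((Get-FileHash C:\apache-tomcat-%TOMCAT_VERSION%.exe -Algorithm SHA1).Hash.ToLower() -eq '51d81b52d595a4d575bbe89ef4fa137e9367a080') { ` \
    start-process -filepath C:\apache-tomcat-%TOMCAT_VERSION%.exe -passthru -wait -argumentlist "/S,/D=C:\Tomcat" ` \
    } Else { throw 'bad hash comparison on Tomcat download' } ; ` \
    Remove-Item -Force C:\apache-tomcat-%TOMCAT_VERSION%.exe
#copy temp SSL cert for tomcat in c:\sslcert
# A placeholder keystore (and, via server.xml, presumably its password) is committed into this
# layer and stays in the image even after a mounted or burned-in config replaces c:\sslcert.
# Treat it as throwaway material only — never reuse this keystore for a real host name.
COPY keystore.jks c:\\sslcert\\keystore.jks
#copy temp tomcat config file (listening on 443, cert at c:\sslcert\keystore.jks)
COPY server.xml c:\\Tomcat\\conf\\server.xml
#cleanup tomcat install
# Drop the bundled docs and manager webapps and empty ROOT (the IdP war is linked in below) to
# reduce what the container serves. NOTE(review): the Windows installer can also leave
# webapps\host-manager and webapps\examples behind depending on the selected components; they
# are not removed here — confirm against a built image.
RUN rmdir /S /Q c:\Tomcat\webapps\docs && rmdir /S /Q c:\Tomcat\webapps\manager && del /F /Q c:\tomcat\webapps\ROOT\*.* && del /F /Q c:\tomcat\webapps\ROOT\WEB-INF\*.* && rmdir c:\tomcat\webapps\ROOT\WEB-INF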
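##install Shibb
# Download (https), verify and install the IdP in ONE layer so the .msi removed at the end does
# not persist in an earlier layer; the commands themselves are unchanged.
# NOTE(review): SHA-1 check, while the Shibboleth project publishes SHA-256 sums and PGP
# signatures — prefer those on the next bump. The `latest/` download path only serves the current
# release, so a pinned older version will stop resolving there, and IdP 3.3.x is well past end of
# life.
# DNSNAME / IDP_SCOPE are placeholders: the MSI generates idp.properties, metadata and a full set
# of credentials (signing/encryption keys, sealer keystore and, typically, a backchannel PKCS#12)
# for that name under c:\opt\shibboleth-idp. Those generated files are written in THIS layer; the
# `del` lines near the end of the file remove them from the final filesystem only, not from the
# image. If they must not ship, remove them here, in this same RUN, right after msiexec returns.
# msiexec's exit code is not checked (-PassThru -Wait only waits).
RUN powershell (new-object System.Net.WebClient).Downloadfile('https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-%IDP_VERSION%-x64.msi', 'C:\shibboleth-identity-provider-%IDP_VERSION%-x64.msi') ; ` \
    If ((Get-FileHash C:\shibboleth-identity-provider-%IDP_VERSION%-x64.msi -Algorithm SHA1).Hash.ToLower() -eq 'fca024981da85a77c8389563d584230593f5d399') { ` \
    start-process -filepath c:\windows\system32\msiexec.exe -passthru -wait -argumentlist '/i','C:\shibboleth-identity-provider-%IDP_VERSION%-x64.msi','/qn','INSTALLDIR=c:\opt\shibboleth-idp','NO_FIREWALL_EXCEPTION=true','DNSNAME=shibboleth.example.org','IDP_SCOPE=example.org' ` \
    } Else { throw 'bad hash comparison on IdP download' } ; ` \
    Remove-Item -Force C:\shibboleth-identity-provider-%IDP_VERSION%-x64.msi
#link IdP's war file to Tomcat
# File symlink (mklink without /D) so Tomcat deploys the war the installer built in place.
RUN mklink c:\Tomcat\webapps\idp.war c:\opt\shibboleth-idp\war\idp.war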
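#copy TIER beacon script
RUN mkdir c:\util
# NOTE(review): c:\opt\certs is created but nothing in this file writes to it — presumably a
# run-time drop point; confirm with whatever populates it.
RUN mkdir c:\opt\certs
COPY sendtierbeacon.ps1 c:\\util
#schedule script to run (at random time)
#RUN powershell ($tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]) + ":" + ((Get-Random -Minimum 0 -Maximum 60) -as [string]) ; start-process -filepath schtasks -passthru -wait -argumentlist '/create','/tn','\"Send TIER Beacon\"','/tr','c:\util\sendtierbeacon.ps1','/sc','DAILY','/st',"$tm"
#The line above is triggering an apparent bug in docker or windows core (essentially invalid XML), the 2 lines below are the workaround
# The task definition is copied in, registered, given a random daily start time and removed again.
# The destination now uses `\\` like every other COPY in this file: with the default `\` escape
# character a lone `\T` is consumed by the Dockerfile parser, so the file would not reliably land
# at c:\TIER_Beacon_Task.xml, the path the schtasks and del commands below expect.
# The random start time is drawn at BUILD time, so every container from this image fires the
# beacon at the same wall-clock time. The account the task runs under and what the script sends
# are defined in TIER_Beacon_Task.xml / sendtierbeacon.ps1, which are not visible here.
COPY TIER_Beacon_Task.xml c:\\TIER_Beacon_Task.xml
RUN powershell schtasks /Create /XML c:\TIER_Beacon_Task.xml /TN 'TIER Beacon' ; $tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]).padleft(2,'0') + ':' + ((Get-Random -Minimum 0 -Maximum 60) -as [string]).padleft(2,'0') ; schtasks /Change /TN 'TIER Beacon' /ST $tm
RUN del c:\TIER_Beacon_Task.xml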
##############################################################################
###############################################
### Settings for a mounted config (default) ###
###############################################
#
# for Windows containers, the directories below (in the VOLUME stmt) **must** be empty or non-existent
# therefore, to use a mounted config on Windows, those directories must be cleared first
#
# need to ensure directories below are empty or non-existent (required by Windows)
# This should do it (via a rename, due to bugs doing deletes):
# (for mounted config, uncomment remaining lines in this section)
#RUN powershell $paths='c:\Tomcat\conf','c:\Tomcat\webapps\ROOT','c:\Tomcat\logs','c:\sslcert','c:\opt\shibboleth-idp\conf','c:\opt\shibboleth-idp\credentials','c:\opt\shibboleth-idp\views','c:\opt\shibboleth-idp\edit-webapp','c:\opt\shibboleth-idp\messages','c:\opt\shibboleth-idp\metadata','c:\opt\shibboleth-idp\logs' ; \
# Foreach ($path IN $paths) {Rename-Item -Path $path -NewName ((Split-Path $path -leaf) + '.dist') -Force}
#
#VOLUME ["c:/Tomcat/conf", \
# "c:/Tomcat/webapps/ROOT", \
# "c:/Tomcat/logs", \
# "c:/sslcert", \
# "c:/opt/shibboleth-idp/conf", \
# "c:/opt/shibboleth-idp/credentials", \
# "c:/opt/shibboleth-idp/views", \
# "c:/opt/shibboleth-idp/edit-webapp", \
# "c:/opt/shibboleth-idp/messages", \
# "c:/opt/shibboleth-idp/metadata", \
# "c:/opt/shibboleth-idp/logs"]
#
#############################################################################
#################################################
### Settings for a burned-in config (default) ###
#################################################
# Ensure the following locations are accurate (and uncommented) if you plan to burn your configuration into your containers by uncommenting the relevant section below.
# They represent the folder names/paths on your build host of the relevant config material needed to run the container. You can also specify these
# with --build-arg in your 'docker build' command.
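# Build-host paths (relative to the build context) of the configuration material copied in for a
# burned-in configuration; override with --build-arg. TOMLOG and SHBLOG are declared but nothing
# below copies them (logs are expected to be written at run time).
ARG TOMCFG=config\\tomcat
ARG TOMLOG=logs\\tomcat
ARG TOMCERT=credentials\\tomcat
ARG TOMWWWROOT=wwwroot
ARG SHBCFG=config\\shib-idp\\conf
ARG SHBCREDS=credentials\\shib-idp
ARG SHBVIEWS=config\\shib-idp\\views
ARG SHBEDWAPP=config\\shib-idp\\edit-webapp
ARG SHBMSGS=config\\shib-idp\\messages
ARG SHBMD=config\\shib-idp\\metadata
ARG SHBLOG=logs\\shib-idp
# Also, ***NOTE*** For a burned config, *uncomment* the COPY lines below and *comment* the lines of the VOLUME command above (~ 30 lines up)
#
# consider not doing the one volume below (which maps the IdP's logs folder to a local folder) as it creates a run-time
# dependency and a better solution might be to use syslog from the container
# VOLUME ["c:\\idplogs", "c:\\opt\\shibboleth-idp\\logs"]
#
# COPY rather than ADD: these are local directories, for which the two behave identically, and
# COPY does not carry ADD's extra behaviours (remote-URL fetch, tar auto-extraction) that a
# reviewer would otherwise have to rule out for every --build-arg value.
# Anything copied here is baked into an image layer for good — deleting it in a later
# instruction does not remove it from the image. $TOMCERT and $SHBCREDS hold private keys and
# $SHBCFG typically the IdP properties with LDAP/keystore passwords, so an image built this way
# is itself a secret (private registry only, never shared); mounting those directories at run
# time (the commented VOLUME section above) is what keeps them out of the image.
COPY $TOMCFG c:\\Tomcat\\conf
COPY $TOMCERT c:\\sslcert
COPY $TOMWWWROOT c:\\Tomcat\\webapps\\ROOT
COPY $SHBCFG c:\\opt\\shibboleth-idp\\conf
COPY $SHBCREDS c:\\opt\\shibboleth-idp\\credentials
COPY $SHBVIEWS c:\\opt\\shibboleth-idp\\views
COPY $SHBEDWAPP c:\\opt\\shibboleth-idp\\edit-webapp
COPY $SHBMSGS c:\\opt\\shibboleth-idp\\messages
COPY $SHBMD c:\\opt\\shibboleth-idp\\metadata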
#
###############################################################################
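# remove existing files from the installer so that secrets can propagate
# These are the IdP files that carry secrets or host identity: the properties files (typically
# LDAP bind and keystore passwords) and the signing/encryption keys and sealer keystore.
# Deleting them here only removes them from the FINAL filesystem. Each file still exists in the
# layer that wrote it — the MSI install above and, for a burned-in config, the ADD/COPY of
# $SHBCFG and $SHBCREDS — so `docker save` of this image still contains them. To keep secrets out
# of the image entirely, delete installer-generated files in the same RUN as msiexec and do not
# copy real properties/credentials at build time; mount or propagate them at run time instead.
# One layer instead of twelve. cmd's `del` reports a missing file but does not set a failing
# errorlevel, so the `&&` chain continues exactly as the separate RUN steps did.
RUN del c:\opt\shibboleth-idp\conf\idp.properties && \
    del c:\opt\shibboleth-idp\conf\ldap.properties && \
    del c:\opt\shibboleth-idp\conf\relying-party.xml && \
    del c:\opt\shibboleth-idp\conf\attribute-filter.xml && \
    del c:\opt\shibboleth-idp\conf\attribute-resolver.xml && \
    del c:\opt\shibboleth-idp\conf\metadata-providers.xml && \
    del c:\opt\shibboleth-idp\credentials\idp-signing.key && \
    del c:\opt\shibboleth-idp\credentials\idp-signing.crt && \
    del c:\opt\shibboleth-idp\credentials\idp-encryption.key && \
    del c:\opt\shibboleth-idp\credentials\idp-encryption.crt && \
    del c:\opt\shibboleth-idp\credentials\sealer.jks && \
    del c:\opt\shibboleth-idp\credentials\sealer.kver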
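# 443 is the HTTPS port the copied server.xml listens on. EXPOSE is documentation only; the port
# still has to be published at run time.
EXPOSE 443
# Exec form with one argument per element. The previous form, `CMD [ "cmd /c c:\\Tomcat\\bin\\catalina.bat run" ]`,
# put the whole command line into a single JSON element, which exec form treats as one argument
# (the program to run) rather than as a shell command line; if it worked it was only because the
# Windows runtime re-joins the arguments. The split form is the documented exec form and yields
# the same command line, `cmd /c c:\Tomcat\bin\catalina.bat run`.
# NOTE(review): no USER is set anywhere in this file, so Tomcat and the IdP run as the image
# default (ContainerAdministrator on Server Core); consider whether catalina.bat can run under a
# less privileged account, and whether a HEALTHCHECK against the IdP is wanted — neither is
# changed here.
CMD ["cmd", "/c", "c:\\Tomcat\\bin\\catalina.bat", "run"]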