From f57a3f26e76c01528a3223f705ff46de772722d1 Mon Sep 17 00:00:00 2001
From: Scott Koranda <skoranda@gmail.com>
Date: Thu, 15 Mar 2018 09:51:49 -0500
Subject: [PATCH] First commit of Internet2 TIER Docker

---
 .../.dockerignore                             |   1 +
 .../000-comanage.conf                         |  81 +++
 comanage-registry-internet2-tier/10-php7.conf |   3 +
 comanage-registry-internet2-tier/Dockerfile   | 178 ++++++
 comanage-registry-internet2-tier/README.md    | 557 ++++++++++++++++++
 .../docker-comanage-entrypoint                | 284 +++++++++
 .../docker-comanage-shibboleth-sp-entrypoint  | 115 ++++
 comanage-registry-internet2-tier/httpd.conf   |  71 +++
 .../native.logger                             |  39 ++
 comanage-registry-internet2-tier/php.conf     |  10 +
 .../shibboleth.repo                           |   7 +
 comanage-registry-internet2-tier/shibd.logger |  63 ++
 .../supervisord.conf                          |  36 ++
 13 files changed, 1445 insertions(+)
 create mode 100644 comanage-registry-internet2-tier/.dockerignore
 create mode 100644 comanage-registry-internet2-tier/000-comanage.conf
 create mode 100644 comanage-registry-internet2-tier/10-php7.conf
 create mode 100644 comanage-registry-internet2-tier/Dockerfile
 create mode 100644 comanage-registry-internet2-tier/README.md
 create mode 100755 comanage-registry-internet2-tier/docker-comanage-entrypoint
 create mode 100755 comanage-registry-internet2-tier/docker-comanage-shibboleth-sp-entrypoint
 create mode 100644 comanage-registry-internet2-tier/httpd.conf
 create mode 100644 comanage-registry-internet2-tier/native.logger
 create mode 100644 comanage-registry-internet2-tier/php.conf
 create mode 100644 comanage-registry-internet2-tier/shibboleth.repo
 create mode 100644 comanage-registry-internet2-tier/shibd.logger
 create mode 100644 comanage-registry-internet2-tier/supervisord.conf

diff --git a/comanage-registry-internet2-tier/.dockerignore b/comanage-registry-internet2-tier/.dockerignore
new file mode 100644
index 0000000..b43bf86
--- /dev/null
+++ b/comanage-registry-internet2-tier/.dockerignore
@@ -0,0 +1 @@
+README.md
diff --git a/comanage-registry-internet2-tier/000-comanage.conf b/comanage-registry-internet2-tier/000-comanage.conf
new file mode 100644
index 0000000..7e967ab
--- /dev/null
+++ b/comanage-registry-internet2-tier/000-comanage.conf
@@ -0,0 +1,81 @@
+# COmanage Registry Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Listen 443
+ServerName %%SERVER_NAME%%
+
+<VirtualHost *:80>
+ServerName http://%%SERVER_NAME%%:80
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
+</VirtualHost>
+
+<VirtualHost *:443>
+
+ServerName https://%%SERVER_NAME%%:443
+
+DocumentRoot /var/www/html
+
+RedirectMatch ^/$ /registry/
+
+ErrorLogFormat "httpd ssl_error_log [%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
+ErrorLog logs/ssl_error_log
+LogLevel warn
+
+LogFormat "httpd ssl_access_log %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined
+CustomLog logs/ssl_access_log ssl_combined
+
+Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+SSLEngine on
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLHonorCipherOrder on
+
+SSLCertificateFile /etc/httpd/cert.pem
+SSLCertificateKeyFile /etc/httpd/privkey.pem
+
+<Directory /var/www/html/registry>
+Options Indexes FollowSymLinks
+DirectoryIndex index.php
+AllowOverride All
+Require all granted
+</Directory>
+
+<Location "/Shibboleth.sso">
+SetHandler shib
+</Location>
+
+<Directory /var/www/html/registry/auth/login>
+AuthType shibboleth
+ShibRequestSetting requireSession 1
+Require valid-user
+</Directory>
+
+<Location />
+AuthType shibboleth
+Require shibboleth
+</Location>
+
+RewriteEngine On
+RewriteCond %{QUERY_STRING} !after_redirect
+RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R]
+
+</VirtualHost>
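Review bot: `Options Indexes FollowSymLinks` in the `<Directory /var/www/html/registry>` block turns on auto-generated directory listings for any path under the webroot that lacks an index file, which exposes the application's file layout for no functional gain since `DirectoryIndex index.php` already serves the entry point; `Options FollowSymLinks` (or `Options -Indexes +FollowSymLinks`) keeps the symlinked webroot working without the listings. The `SSLProtocol all -SSLv2 -SSLv3` line still admits TLS 1.0 and 1.1 even though the `SSLCipherSuite` below it is restricted to forward-secret AES-GCM suites, so `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` would match the intent of that cipher list, assuming no client of this deployment still needs the older versions. In the port-80 host the redirect target is built from `%{HTTP_HOST}`, a client-supplied header, whereas the rest of the file is templated on `%%SERVER_NAME%%`; `RewriteRule ^ https://%%SERVER_NAME%%%{REQUEST_URI} [R=302,L,QSA]` keeps the redirect anchored to the configured name rather than to whatever Host the request carried.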
diff --git a/comanage-registry-internet2-tier/10-php7.conf b/comanage-registry-internet2-tier/10-php7.conf
new file mode 100644
index 0000000..64ef2d7
--- /dev/null
+++ b/comanage-registry-internet2-tier/10-php7.conf
@@ -0,0 +1,3 @@
+<IfModule prefork.c>
+  LoadModule php7_module modules/libphp7.so
+</IfModule>
diff --git a/comanage-registry-internet2-tier/Dockerfile b/comanage-registry-internet2-tier/Dockerfile
new file mode 100644
index 0000000..0c56c72
--- /dev/null
+++ b/comanage-registry-internet2-tier/Dockerfile
@@ -0,0 +1,178 @@
+# COmanage Registry Dockerfile
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM centos:centos7 AS php-build
+
+RUN yum -y install epel-release
+
+RUN yum -y update && yum -y install \
+        autoconf \
+        bison \
+        gcc \
+        httpd-devel \
+        libargon2-devel \
+        libcurl-devel \
+        libedit-devel \
+        libsodium-devel \
+        libxml2-devel \
+        libxslt-devel \
+        make \
+        mariadb-devel \
+        openldap-devel \
+        openssl-devel \
+        postgresql-devel \
+        re2c \
+        wget
+
+WORKDIR /usr/local/src
+
+ARG PHP_VERSION=7.2.3
+ARG PHP_SRC_URL=https://github.com/php/php-src/archive/php-${PHP_VERSION}.tar.gz
+
+RUN mkdir php-src \
+        && wget -O php-src.tar.gz ${PHP_SRC_URL} \
+        && tar zxf php-src.tar.gz -C php-src --strip-components=1 \
+        && rm php-src.tar.gz
+
+ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV PHP_CPPFLAGS="$PHP_CFLAGS"
+ENV PHP_LDFLAGS="-Wl,-O1 -Wl,--hash-style=both -pie"
+
+RUN cd php-src \
+        && ./buildconf --force \
+        && ./configure \
+            --disable-cgi \
+            --enable-mbstring \
+            --enable-mysqlnd \
+            --with-apxs2=/usr/bin/apxs \
+            --with-config-file-path=/usr/local/etc/php \
+            --with-config-file-scan-dir=/usr/local/etc/php/conf.d \
+            --with-curl \
+            --with-ldap \
+            --with-libdir=lib64 \
+            --with-libedit \
+            --with-mysqli \
+            --with-openssl \
+            --with-password-argon2 \
+            --with-pdo-mysql \
+            --with-pdo-pgsql \
+            --with-pgsql \
+            --with-sodium \
+            --with-xsl \
+            --with-zlib \
+        && export CFLAGS="$PHP_CFLAGS" \
+        && export CPPFLAGS="$PHP_CPPFLAGS" \
+        && export LDFLAGS="$PHP_LDFLAGS" \
+        && make -j "$(nproc)" \
+        && make install 
+
+FROM centos:centos7
+
+RUN yum -y install epel-release
+
+COPY shibboleth.repo /etc/yum.repos.d/
+
+RUN yum -y update && yum -y install \
+        httpd \
+        libargon2 \
+        libcurl \
+        libedit \
+        libsodium \
+        libxml2 \
+        libxslt \
+        mod_ssl \
+        mariadb-libs \
+        postgresql \
+        shibboleth \
+        supervisor \
+        wget \
+        zlib
+
+COPY --from=php-build /usr/lib64/httpd/modules/libphp7.so /usr/lib64/httpd/modules/
+COPY --from=php-build /usr/local/lib/php /usr/local/lib/php/
+COPY --from=php-build /usr/local/include/php /usr/local/include/php/
+COPY --from=php-build /usr/local/bin /usr/local/bin/
+
+ARG COMANAGE_REGISTRY_VERSION
+ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/${COMANAGE_REGISTRY_VERSION}.tar.gz
+
+LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION}
+LABEL comanage_registry_src_url=${COMANAGE_REGISTRY_SRC_URL}
+
+ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry
+
+WORKDIR "$COMANAGE_REGISTRY_DIR"
+
+RUN mkdir -p "${COMANAGE_REGISTRY_DIR}" \
+        && wget -O comanage.tar.gz ${COMANAGE_REGISTRY_SRC_URL} \
+        && tar -zxf comanage.tar.gz -C ${COMANAGE_REGISTRY_DIR} --strip-components=1 \
+        && rm -f comanage.tar.gz \
+        && rm -f ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && cp -r ${COMANAGE_REGISTRY_DIR}/app/tmp.dist ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp \
+        && cd /var/www/html \
+        && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \
+        && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* \
+        && ln -s ${COMANAGE_REGISTRY_DIR}/local /local \
+        && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" 
+
+COPY 000-comanage.conf /etc/httpd/conf.d/
+COPY 10-php7.conf /etc/httpd/conf.modules.d/
+COPY php.conf /etc/httpd/conf.d/
+COPY supervisord.conf /usr/local/etc/supervisord.conf
+COPY shibd.logger /etc/shibboleth/
+COPY native.logger /etc/shibboleth/
+COPY httpd.conf /etc/httpd/conf/
+
+RUN ln -sfT /dev/stdout /var/log/httpd/access_log \
+    && ln -sfT /dev/stdout /var/log/httpd/error_log \
+    && ln -sfT /dev/stdout /var/log/httpd/ssl_error_log \
+    && ln -sfT /dev/stdout /var/log/httpd/ssl_access_log \
+    && ln -sfT /dev/stdout /var/log/shibboleth-www/native.log \
+    && ln -sfT /dev/stdout /var/log/shibboleth-www/native_warn.log \
+    && cd /etc/httpd/conf.d \
+    && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf \
+    && cd /etc/httpd \
+    && ln -s /etc/pki/tls/certs/localhost.crt cert.pem \
+    && ln -s /etc/pki/tls/private/localhost.key privkey.pem
+
+# Allow values for first administrator bootstrapped into the
+# platform to be specified at image build time, in addition to
+# being injected at run time through the entrypoint script.
+ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME
+ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME
+ARG COMANAGE_REGISTRY_ADMIN_USERNAME
+ARG COMANAGE_REGISTRY_ENABLE_POOLING
+
+# Set simple defaults for first administrator bootstrapped into the
+# platform to make simple evaluation of the platform easier.
+ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry}
+ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin}
+ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin}
+ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No}
+
+EXPOSE 80 443
+
+VOLUME ["/srv/comanage-registry/local"]
+
+VOLUME ["/etc/shibboleth"]
+
+COPY docker-comanage-entrypoint /usr/local/bin/
+COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/
+
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"]
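Review bot: Neither download is integrity-checked — `wget -O php-src.tar.gz ${PHP_SRC_URL}` in the php-build stage and `wget -O comanage.tar.gz ${COMANAGE_REGISTRY_SRC_URL}` in the final stage extract and build whatever the URL returns, so a substituted archive on the network path or at the origin would be compiled straight into the image. Pin an expected digest as a build argument and verify it before extracting, e.g. `ARG PHP_SRC_SHA256=<expected-digest-placeholder>` followed by `&& echo "${PHP_SRC_SHA256}  php-src.tar.gz" | sha256sum -c - \` ahead of the `tar` step, and the same for the registry tarball. The `sed -ie '...'` invocation in the registry RUN step looks like a slip: GNU sed reads `-ie` as `-i` with backup suffix `e`, which leaves a stray `bootstrap.phpe` copy beside the edited file in the image, where `sed -i -e '...'` was presumably intended. `ARG COMANAGE_REGISTRY_VERSION` also has no default, so an unset build arg only surfaces as a failing `wget` on a URL ending in `/.tar.gz`; a `test -n "${COMANAGE_REGISTRY_VERSION}"` guard at the start of that RUN would fail earlier and more clearly.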
diff --git a/comanage-registry-internet2-tier/README.md b/comanage-registry-internet2-tier/README.md
new file mode 100644
index 0000000..1eab300
--- /dev/null
+++ b/comanage-registry-internet2-tier/README.md
@@ -0,0 +1,557 @@
+# COmanage Registry Internet2 TIER Docker
+
+## What it is
+Docker version of [COmanage
+Registry](https://spaces.internet2.edu/display/COmanage/Home) packaged to meet
+the specifications of the 
+[Internet2 TIER](https://www.internet2.edu/vision-initiatives/initiatives/trust-identity-education-research/)
+program.
+
+COmanage Registry is a web application that requires a relational database
+and an authentication mechanism such as 
+[Shibboleth](http://shibboleth.net/products/service-provider.html). 
+
+## How To
+
+* Install Docker. These instructions require version 17.03.1 or higher.
+
+* Clone this repository:
+
+```
+git clone https://github.com/Internet2/comanage-registry-docker.git
+cd comanage-registry-docker
+```
+
+* Define `COMANAGE_REGISTRY_VERSION`. Currently we recommend
+
+```
+export COMANAGE_REGISTRY_VERSION=3.1.0
+```
+
+* Build a local image for COmanage Registry:
+
+```
+pushd comanage-registry-internet2-tier
+docker build \
+    --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \
+    -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-internet2-tier .
+popd
+```
+
+* Create directories to store local state files:
+
+```
+sudo mkdir -p /srv/docker/internet2-tier/srv/comanage-registry/local
+sudo mkdir -p /srv/docker/internet2-tier/var/lib/mysql
+sudo mkdir -p /srv/docker/internet2-tier/var/lib/ldap
+sudo mkdir -p /srv/docker/internet2-tier/etc/ldap/slapd.d
+```
+
+* Initialize Docker Swarm:
+
+```
+docker swarm init
+```
+
+* Hash a password to use as the LDAP admin password:
+
+```
+/usr/sbin/slappasswd -c '$6$rounds=5000$%.86s'
+```
+
+* Create Docker Swarm secrets (please be sure to substitute your own secrets):
+
+
+```
+echo "88cdfwOgQ1OblrHPNTyY" | docker secret create mysql_root_password - 
+
+echo "5zY87knHxbP3sVQstRW2" | docker secret create mysql_password - 
+
+echo "5zY87knHxbP3sVQstRW2" | docker secret create comanage_registry_database_user_password - 
+
+echo "qselvrfaomxktlra" | docker secret create comanage_registry_email_account_password -
+
+docker secret create https_cert_file fullchain.pem
+
+docker secret create https_privkey_file privkey.pem
+
+docker secret create shibboleth_sp_cert sp-cert.pem
+
+docker secret create shibboleth_sp_privkey sp-key.pem
+
+echo '{CRYPT}$6$rounds=5000$HHDyV7yz4yn4FH/d$eAg9uXbSnxvCCTZ8GstprFryip3Br111tArqsIaBDCF2Rm7tciEivDLCjpcMVT7OL.Lg5QKjEUM.C5UA2DNuf1' \
+    | docker secret create olc_root_pw -
+
+docker secret create slapd_cert_file cert.pem
+
+docker secret create slapd_privkey_file privkey.pem
+
+docker secret create slapd_chain_file chain.pem
+```
+
+* Create a Docker compose file:
+
+```
+version: '3.1'
+
+services:
+    comanage-registry:
+        image: comanage-registry:3.1.0-internet2-tier
+        volumes:
+            - /srv/docker/internet2-tier/srv/comanage-registry/local:/srv/comanage-registry/local
+        environment:
+            - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql
+            - COMANAGE_REGISTRY_DATABASE=registry
+            - COMANAGE_REGISTRY_DATABASE_HOST=comanage-registry-database
+            - COMANAGE_REGISTRY_DATABASE_USER=registry_user
+            - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_registry_database_user_password
+            - COMANAGE_REGISTRY_EMAIL_FROM=registry@some.org
+            - COMANAGE_REGISTRY_EMAIL_TRANSPORT=Smtp
+            - COMANAGE_REGISTRY_EMAIL_HOST=tls://smtp.some.org
+            - COMANAGE_REGISTRY_EMAIL_PORT=465
+            - COMANAGE_REGISTRY_EMAIL_ACCOUNT=registry@some.org
+            - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD_FILE=/run/secrets/comanage_registry_email_account_password
+            - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Emma
+            - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Sanchez
+            - COMANAGE_REGISTRY_ADMIN_USERNAME=emma.sanchez@some.org
+            - HTTPS_CERT_FILE=/run/secrets/https_cert_file
+            - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
+            - SERVER_NAME=registry.some.org
+            - SHIBBOLETH_SP_CERT=/run/secrets/shibboleth_sp_cert
+            - SHIBBOLETH_SP_PRIVKEY=/run/secrets/shibboleth_sp_privkey
+        secrets:
+            - comanage_registry_database_user_password
+            - comanage_registry_email_account_password
+            - https_cert_file
+            - https_privkey_file
+            - shibboleth_sp_cert
+            - shibboleth_sp_privkey
+        networks:
+            - default
+        ports:
+            - "80:80"
+            - "443:443"
+        logging:
+            driver: syslog
+            options:
+                tag: "comanage_registry"
+        deploy:
+            replicas: 1
+
+    comanage-registry-database:
+        image: mariadb:10.2
+        volumes:
+            - /srv/docker/internet2-tier/var/lib/mysql:/var/lib/mysql
+        environment:
+            - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
+            - MYSQL_DATABASE=registry
+            - MYSQL_USER=registry_user
+            - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
+        secrets:
+            - mysql_root_password
+            - mysql_password
+        networks:
+            - default
+        logging:
+            driver: syslog
+            options:
+                tag: "mariadb"
+        deploy:
+            replicas: 1
+
+    comanage-registry-ldap:
+        image: sphericalcowgroup/comanage-registry-slapd
+        command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:/// ldaps:///", "-u", "openldap", "-g", "openldap"]
+        volumes:
+            - /srv/docker/development/var/lib/ldap:/var/lib/ldap
+            - /srv/docker/development/etc/ldap/slapd.d:/etc/ldap/slapd.d
+        environment:
+            - SLAPD_CERT_FILE=/run/secrets/slapd_cert_file
+            - SLAPD_PRIVKEY_FILE=/run/secrets/slapd_privkey_file
+            - SLAPD_CHAIN_FILE=/run/secrets/slapd_chain_file
+            - OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw
+            - OLC_SUFFIX=dc=sphericalcowgroup,dc=com
+            - OLC_ROOT_DN=cn=admin,dc=sphericalcowgroup,dc=com
+        secrets:
+            - slapd_cert_file
+            - slapd_privkey_file
+            - slapd_chain_file
+            - olc_root_pw
+        networks:
+            - default
+        logging:
+            driver: syslog
+            options:
+                tag: "openldap"
+        ports:
+            - "636:636"
+            - "389:389"
+        deploy:
+            replicas: 1
+
+secrets:
+    mysql_root_password:
+        external: true
+    mysql_password:
+        external: true
+    comanage_registry_database_user_password:
+        external: true
+    comanage_registry_email_account_password:
+        external: true
+    https_cert_file:
+        external: true
+    https_privkey_file:
+        external: true
+    shibboleth_sp_cert:
+        external: true
+    shibboleth_sp_privkey:
+        external: true
+    slapd_cert_file:
+        external: true
+    slapd_privkey_file:
+        external: true
+    slapd_chain_file:
+        external: true
+    olc_root_pw:
+        external: true
+
+```
+
+* Start the services:
+
+```
+docker stack deploy comanage-registry
+```
+
+* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO)
+to learn how to create your first collaborative organization (CO) and begin using
+the platform.
+
+* To stop the services:
+```
+docker stack rm comanage-registry
+```
+
+## Advanced Configuration Options
+
+* [Environment Variables](#environ)
+* [Secrets](#secrets)
+* [Apache HTTP ServerName](#servername)
+* [Full Control](#full)
+
+## Environment Variables <a name="environ"></a>
+
+All deployment details for COmanage Registry may be configured using environment variables set for the container. 
+The set of possible environment variables is listed below.
+
+The entrypoint scripts will attempt to use values from environment variables and if not
+present reasonable defaults will be used. *Note that some defaults like passwords are
+easily guessable and not suitable for production deployments*.
+
+For secrets such as passwords you may wish to use the environment variable with
+`_FILE` appended and set the value to a path. The entrypoint scripts will read the
+file to find the value to use. For example to set the database user password to the
+value `dEodxlXQE2dKl8own7T2` you can for the container either set the environment variable
+
+```
+COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=dEodxlXQE2dKl8own7T2
+```
+
+or instead ensure that inside the container the file 
+`/db_password` contains
+on a single line the value `dEodxlXQE2dKl8own7T2` and then set the 
+environment variable
+
+*When present an environment variable pointing to a file inside the container overrides
+an otherwise configured environment variable*.
+
+```
+COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/db_password
+```
+
+Some deployment details for the Shibboleth SP may be set using environment variables, but most
+deployments will prefer to mount or COPY in `/etc/shibboleth/shibboleth2.xml` to be able
+to configure SAML federation details.
+
+### COmanage Registry
+
+* COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:
+  * Description: platform admin given name
+  * Default: Registry
+  * Example 1: Scott
+  * Example 2: Himari
+
+* COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:
+  * Description: platform admin family name
+  * Default: Admin
+  * Example 1: Koranda
+  * Example 2: Tanaka
+
+* COMANAGE_REGISTRY_ADMIN_USERNAME:
+  * Description: platform admin username identifier (often eduPersonPrincipalName)
+  * Default: registry.admin
+  * Example 1: scott.koranda@sphericalcowgroup.com
+  * Example 2: himaritanaka@some.org
+
+* COMANAGE_REGISTRY_DATASOURCE
+  * Description: database type
+  * Default: Database/Postgres
+  * Example 1: Database/Mysql
+  * Example 2: Database/Postgres
+
+* COMANAGE_REGISTRY_DATABASE
+  * Description: name of the database
+  * Default: registry
+  * Example 1: comanage_registry
+  * Example 2: COmanageRegistryDB
+
+* COMANAGE_REGISTRY_DATABASE_HOST
+  * Description: hostname of the database server
+  * Default: comanage-registry-database
+  * Example 1: comanage-registry-database
+  * Example 2: my-db-container
+
+* COMANAGE_REGISTRY_DATABASE_USER
+  * Description: database username
+  * Default: registry_user
+  * Example 1: comanage
+  * Example 2: comanage_user
+
+* COMANAGE_REGISTRY_DATABASE_USER_PASSWORD
+  * Description: database user password
+  * Default: password
+  * Example 1: AFH9OiyuowiY3Wq6qX0j
+  * Example 2: qVcsJPo7$@
+
+* COMANAGE_REGISTRY_EMAIL_FROM
+  * Description: default From used by Registry for sending email
+  * Default: none
+  * Example 1: registry@some.org
+  * Example 2: skoranda@gmail.com
+
+* COMANAGE_REGISTRY_EMAIL_TRANSPORT
+  * Description: email transport mechanism
+  * Default: Smtp
+  * Example 1: Smtp
+  * Example 2: MyCustom
+
+* COMANAGE_REGISTRY_EMAIL_PORT
+  * Description: email transport port
+  * Default: 465
+  * Example 1: 465
+  * Example 2: 25
+
+* COMANAGE_REGISTRY_EMAIL_HOST
+  * Description: email server host
+  * Default: tls://smtp.gmail.com
+  * Example 1: smtp.my.org
+  * Example 2: mail.some.org
+
+* COMANAGE_REGISTRY_EMAIL_ACCOUNT
+  * Description: email server account
+  * Default: none
+  * Example 1: skoranda@gmail.com
+  * Example 2: registry_email_sender
+
+* COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD
+  * Description: email server account password
+  * Default: none
+  * Example 1: 82P3mt1T0PByZRHNQ6he
+  * Example 2: ak&&u1$@
+
+* COMANAGE_REGISTRY_SECURITY_SALT
+  * Description: security salt value
+  * Default: auto-generated at initial deployment if not specified
+  * Example 1: wciEjD1KbX9Q8nB3YdWItFuzEoRdf6l5BpoCuTHm
+  * Example 2: JpmKTdO88NX6RsCIVnru6hV79zKOfvjGk0tTG0Cb
+
+* COMANAGE_REGISTRY_SECURITY_SEED
+  * Description: security seed value
+  * Default: auto-generated at initial deployment if not specified
+  * Example 1: 32616298446590535751260992683
+  * Example 2: 21812581423282761029813528278
+
+* HTTPS_CERT_FILE
+  * Description: X.509 certificate and CA chain in PEM format for use with Apache HTTP Server to serve HTTPS
+  * Default: self-signed auto-generated certificate
+
+* HTTPS_KEY_FILE
+  * Description: Associated private key for HTTPS in PEM format
+  * Default: private key for self-signed auto-generated certificate
+
+* SERVER_NAME
+  * Description: ServerName for Apache HTTP Server virtual host configuration
+  * Default: none, parsed from X.509 certificate if not defined
+  * Example 1: registry.some.org
+  * Example 2: comanage.my.edu
+
+### MariaDB
+
+* MYSQL_ROOT_PASSWORD
+  * Description: password for root user
+  * Default: none
+  * Example 1: ukZd7IZDRfOqgF82938A
+  * Example 2: 28hvua3%,2
+
+* MYSQL_DATABASE
+  * Description: name of the database, must be same as set for COmanage Registry container
+  * Default: none
+  * Example 1: comanage_registry
+  * Example 2: COmanageRegistryDB
+
+* MYSQL_USER:
+  * Description: database username, must be same as set for COmanage Registry container
+  * Default: none
+  * Example 1: comanage
+  * Example 2: comanage_user
+
+* MYSQL_PASSWORD_FILE:
+  * Description: database user password, must be same as set for COmanage Registry container
+  * Default: none
+  * Example 1: AFH9OiyuowiY3Wq6qX0j
+  * Example 2: qVcsJPo7$@
+
+### Shibboleth SP
+
+* SHIBBOLETH_SP_CERT
+  * Description: SAML certificate
+  * Default: self-signed per-image, must be copied out to persist
+
+* SHIBBOLETH_SP_ENTITY_ID 
+  * Description: entityID for SP
+  * Default: none
+  * Example 1: https://comanage.registry/shibboleth
+  * Example 2: https://my.org/comanage
+
+* SHIBBOLETH_SP_METADATA_PROVIDER_XML
+  * Description: Shibboleth SP metadata provider element
+  * Default: none
+
+* SHIBBOLETH_SP_PRIVKEY
+  * Description: SAML private key
+  * Default: self-signed per-image, must be copied out to persist
+
+* SHIBBOLETH_SP_SAMLDS_URL
+  * Description: URL for SAML IdP discovery service
+  * Default: none
+  * Example 1: https://my.org/registry/pages/eds/index
+  * Exammple 2: https://discovery.my.org 
+
+### OpenLDAP slapd
+
+* OLC_ROOT_DN
+  * Description: DN for the administrator
+  * Default: cn=admin,dc=my,dc=org
+  * Exammle 1: cn=admin,dc=some,dc=edu
+  * Example 2: cn=admin,ou=service,dc=my,dc=org 
+
+* OLC_ROOT_PW
+  * Description: hashed password for root DN
+  * Default: none
+  * Example 1: See compose file above
+
+* OLC_SUFFIX
+  * Description: Suffix for the directory
+  * Default: dc=my,dc=org
+  * Example 1: dc=some,dc=edu 
+  * Example 2: o=unit,dc=my,dc=org
+
+* SLAPD_CERT_FILE
+  * Description: X.509 certificate in PEM format for use with OpenLDAP Server to serve ldaps://
+  * Default: none
+
+* SLAPD_CHAIN_FILE
+  * Description: CA certificate chain in PEM format
+  * Default: none
+
+* SLAPD_KEY_FILE
+  * Description: Associated private key for ldaps:// in PEM format
+  * Default: none
+
+
+## X.509 Certificates and Private Keys
+
+### COmanage Registry
+
+The certificate and private key files used for HTTPS may
+be injected into the COmanage Registry container using environment variables
+to point to files mounted into the container. The certificate file should
+include the server certificate and any intermediate CA signing certificates
+sorted from leaf to root.
+
+Alternatively you can directly mount files in the container to
+
+```
+/etc/apache2/cert.pem
+/etc/apache2/privkey.pem
+```
+
+If no files are configured the containers use self-signed certificates
+for HTTPS by default.
+
+### Shibboleth SP
+
+The SAML certificate and private key used for decryption (and sometimes signing)
+by the Shibboleth SP may be injected into the COmanage Registry container using
+environment variables to point to files mounted into the container.
+
+Alternatively you can directly mount files in the container to
+
+```
+/etc/shibboleth/sp-cert.pem
+/etc/shibboleth/sp-key.pem
+```
+
+If no files are configured the container uses a default self-signed certificate
+*this is the same for all images and not suitable for production*.
+
+### OpenLDAP slapd
+
+The certificate, private key, and CA signing file or chain file used for TLS
+(port 636 by default) may
+be injected into the OpenLDAP slapd container using environment variables
+to point to files mounted into the container. 
+
+## ServerName <a name="servername"></a>
+
+The entrypoint scripts will attempt to parse the appropriate value for the
+Apache HTTP Server configuration option `ServerName` from the X.509 certificate
+provided for HTTPS.
+
+To override the parsing a deployer may explicitly set the environment variable
+`SERVER_NAME`. 
+
+## Full control <a name="full"></a>
+
+Deployers needing full control may inject configuration and deployment details directly.
+The entrypoint scripts will *not* overwrite any details found so directly injected
+details always override environment variables.
+
+### COmanage Registry
+
+COmanage Registry expects to find all local configuration details
+in the container at `/srv/comanage-registry/local`. A deployer may therefore mount
+a directory at that location to provide any and all configuration details. Note, however,
+that Registry expects to find a particular directory structure under
+`/srv/comanage-registry/local` and will not function properly if the structure is not
+found. The entrypoint script will create the necessary structure if it does not find it
+so it is recommended to mount an empty directory for the first deployment, let the
+entrypoint script create the structure, then later adjust the details as necessary
+for your deployment.
+
+### Shibboleth SP
+
+All Shibboleth SP configuration is available inside the container in
+`/etc/shibboleth`. A deployer may therefore mount into that directory any
+necessary adjustment to the Shibboleth configuration, such as static metadata
+files, metadata signing certificates, or advanced attribute filtering 
+configurations.
+
+A default set of all configuration files is available in the image.
+
+### OpenLDAP slapd
+
+Since slapd is configured dynamically using standard LDAP operations on the
+configuration directory (`cn=config`) the most straightforward way to inject
+advanced configuration details at the time the container is *created* is
+to customize the entrypoint script.
diff --git a/comanage-registry-internet2-tier/docker-comanage-entrypoint b/comanage-registry-internet2-tier/docker-comanage-entrypoint
new file mode 100755
index 0000000..901f4fd
--- /dev/null
+++ b/comanage-registry-internet2-tier/docker-comanage-entrypoint
@@ -0,0 +1,284 @@
+#!/bin/bash
+
+# COmanage Registry Dockerfile entrypoint
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -n "$COMANAGE_DEBUG" ]
+then
+    OUTPUT=/dev/stdout
+else
+    OUTPUT=/dev/null
+fi
+
+# Configuration details that may be injected through environment
+# variables or the contents of files.
+
+injectable_config_vars=( 
+    COMANAGE_REGISTRY_DATASOURCE
+    COMANAGE_REGISTRY_DATABASE
+    COMANAGE_REGISTRY_DATABASE_HOST
+    COMANAGE_REGISTRY_DATABASE_USER
+    COMANAGE_REGISTRY_DATABASE_USER_PASSWORD
+    COMANAGE_REGISTRY_EMAIL_FROM
+    COMANAGE_REGISTRY_EMAIL_TRANSPORT
+    COMANAGE_REGISTRY_EMAIL_HOST
+    COMANAGE_REGISTRY_EMAIL_PORT
+    COMANAGE_REGISTRY_EMAIL_ACCOUNT
+    COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD
+    COMANAGE_REGISTRY_SECURITY_SALT
+    COMANAGE_REGISTRY_SECURITY_SEED
+    HTTPS_CERT_FILE
+    HTTPS_PRIVKEY_FILE
+    SERVER_NAME
+)
+
+# If the file associated with a configuration variable is present then 
+# read the value from it into the appropriate variable. So for example
+# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its
+# value points to a file on the file system then read the contents
+# of that file into the variable COMANAGE_REGISTRY_DATASOURCE.
+
+for config_var in "${injectable_config_vars[@]}"
+do
+    eval file_name=\$"${config_var}_FILE";
+
+    if [ -e "$file_name" ]; then
+        declare "${config_var}"=`cat $file_name`
+    fi
+done
+
+# Make sure the directory structure we need is available
+# in the data volume for $COMANAGE_REGISTRY_DIR/local
+mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config"
+mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin"
+mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public"
+mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img"
+
+# If the COmanage Registry database configuration file does not exist
+# then try to create it from injected information with reasonable defaults
+# that aid simple evaluation deployments.
+if [ ! -e "$COMANAGE_REGISTRY_DIR/local/Config/database.php" ]; then
+    cat > "$COMANAGE_REGISTRY_DIR/local/Config/database.php" <<EOF
+<?php
+
+class DATABASE_CONFIG {
+
+  public \$default = array(
+    'datasource' => '${COMANAGE_REGISTRY_DATASOURCE:-Database/Mysql}',
+    'persistent' => false,
+    'host' => '${COMANAGE_REGISTRY_DATABASE_HOST:-comanage-registry-database}',
+    'login' => '${COMANAGE_REGISTRY_DATABASE_USER:-registry_user}',
+    'password' => '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD:-password}',
+    'database' => '${COMANAGE_REGISTRY_DATABASE:-registry}',
+    'prefix' => 'cm_',
+  );
+
+}
+EOF
+fi
+
+# If the COmanage Registry email configuration file does not exist
+# then try to create it from injected information with reasonable defaults
+# that aid simple evaluation deployments.
+email_config="$COMANAGE_REGISTRY_DIR/local/Config/email.php"
+
+if [ ! -e "$email_config" ]; then
+    cat > "$email_config" <<EOF
+<?php
+
+class EmailConfig {
+
+  public \$default = array(
+    'from' => ${COMANAGE_REGISTRY_EMAIL_FROM:-array('account@gmail.com' => 'Registry')},
+    'transport' => '${COMANAGE_REGISTRY_EMAIL_TRANSPORT:-Smtp}',
+    'host' => '${COMANAGE_REGISTRY_EMAIL_HOST:-tls://smtp.gmail.com}',
+    'port' => ${COMANAGE_REGISTRY_EMAIL_PORT:-465},
+    'username' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT:-account@gmail.com}',
+    'password' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD:-password}'
+  );
+}
+EOF
+fi
+
+# Loop until we are able to open a connection to the database.
+DATABASE_TEST_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/DatabaseTestShell.php"
+
+cat > $DATABASE_TEST_SCRIPT <<"EOF"
+<?php
+
+App::import('Model', 'ConnectionManager');
+
+class DatabaseTestShell extends AppShell {
+  function main() {
+    try {
+      $db = ConnectionManager::getDataSource('default');
+    } catch (Exception $e) {
+      $this->error("Unable to connect to datasource");
+    }
+    $this->out("Connected to datasource");
+  }
+}
+EOF
+
+pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
+
+until ./Console/cake databaseTest > "$OUTPUT" 2>&1; do
+    >&2 echo "Database is unavailable - sleeping"
+    sleep 1
+done
+
+rm -f "$DATABASE_TEST_SCRIPT"
+
+popd > "$OUTPUT" 2>&1
+
+# We only want to run the setup script once since it creates
+# state in the database. Until COmanage Registry has a better
+# mechanism for telling us if setup has already been run
+# we create an ephemeral CakePHP script to tell us.
+SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php"
+
+cat > $SETUP_ALREADY_SCRIPT <<"EOF"
+<?php
+
+class SetupAlreadyShell extends AppShell {
+  var $uses = array('Co');
+
+  function main() {
+    $args = array();
+    $args['conditions']['Co.name'] = 'COmanage';
+    $args['contain'] = false;
+
+    try {
+      $co = $this->Co->find('first', $args);
+    } catch (CakeException $e) {
+      $this->out('Not setup already');
+    }
+
+    if(empty($co)) {
+      $this->out('Not setup already');
+    } else {
+      $this->error('Setup already');
+    }
+  }
+}
+EOF
+
+pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
+./Console/cake setupAlready > "$OUTPUT" 2>&1
+setup_already=$?
+
+rm -f "$SETUP_ALREADY_SCRIPT"
+
+if [ $setup_already -eq 0 ]; then
+    rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > "$OUTPUT" 2>&1
+    rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > "$OUTPUT" 2>&1
+    # Run database twice until issue on develop branch is resolved. Since
+    # the command is idempotent normally it is not a problem to have it run
+    # more than once.
+    ./Console/cake database > "$OUTPUT" 2>&1 && \
+    ./Console/cake database > "$OUTPUT" 2>&1 && \
+    ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \
+                         --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \
+                         --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \
+                         --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" 2>&1
+    AUTO_GENERATED_SECURITY=1
+fi
+
+popd > "$OUTPUT" 2>&1
+
+# If COmanage Registry CakePHP security salt and seed have been
+# injected and the files do not otherwise exist create them.
+if [[ -n "$COMANAGE_REGISTRY_SECURITY_SALT" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" ) ]]; then
+    echo "$COMANAGE_REGISTRY_SECURITY_SALT" > "$COMANAGE_REGISTRY_DIR/local/Config/security.salt"
+fi
+
+if [[ -n "$COMANAGE_REGISTRY_SECURITY_SEED" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" ) ]]; then
+    echo "$COMANAGE_REGISTRY_SECURITY_SEED" > "$COMANAGE_REGISTRY_DIR/local/Config/security.seed"
+fi
+
+# We always run upgradeVersion since it will not make any changes
+# if the current and target versions are the same or if
+# an upgrade from the current to the target version is not allowed.
+pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
+
+./Console/cake upgradeVersion "${COMANAGE_REGISTRY_UPGRADE_VERSION_OPTS}" > "$OUTPUT" 2>&1
+
+popd > "$OUTPUT" 2>&1
+
+# Force a datbase update if requested. This is helpful when deploying
+# a new version of the code that does not result in a change in the
+# version number and so upgradeVersion does not fire. An example
+# of this scenario is when new code is introduced in the develop
+# branch but before a release happens.
+if [ -n "$COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE" ]; then
+    echo "Forcing a database schema update..." > "$OUTPUT" 2>&1
+    pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
+    ./Console/cake database > "$OUTPUT" 2>&1
+    popd > "$OUTPUT" 2>&1
+fi
+
+# Enable any supported non-core plugins if requested.
+if [ -n "$COMANAGE_REGISTRY_ENABLE_PLUGIN" ]; then
+    plugins=(`echo "$COMANAGE_REGISTRY_ENABLE_PLUGIN" | sed -e 's@,@ @'`) > "$OUTPUT" 2>&1
+    for plugin in "${plugins[@]}"; 
+    do 
+        echo "Enabling available plugin $plugin..." > "$OUTPUT" 2>&1
+        pushd "$COMANAGE_REGISTRY_DIR/local/Plugin" > "$OUTPUT" 2>&1
+        ln -s "../../app/AvailablePlugin/$plugin" "$plugin" > "$OUTPUT" 2>&1
+        popd > "$OUTPUT" 2>&1
+        pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
+        ./Console/cake database > "$OUTPUT" 2>&1
+        popd > "$OUTPUT" 2>&1
+    done
+fi
+
+# Running CakePHP console commands generates cache files so 
+# set the ownership of those files appropriately.
+chown -R apache:apache "$COMANAGE_REGISTRY_DIR/app/tmp"
+
+# If defined use configured location of Apache HTTP Server 
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
+if [ -n "$HTTPS_CERT_FILE" ]; then
+    rm -f /etc/httpd/cert.pem
+    cp "$HTTPS_CERT_FILE" /etc/httpd/cert.pem
+    chown apache /etc/httpd/cert.pem
+    chmod 0644 /etc/httpd/cert.pem
+fi
+
+if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
+    rm -f /etc/httpd/privkey.pem
+    cp "$HTTPS_PRIVKEY_FILE" /etc/httpd/privkey.pem
+    chown apache /etc/httpd/privkey.pem
+    chmod 0600 /etc/httpd/privkey.pem
+fi
+
+# If SERVER_NAME has not been injected try to determine
+# it from the HTTPS_CERT_FILE.
+if [ -z "$SERVER_NAME" ]; then
+    SERVER_NAME=`openssl x509 -in /etc/httpd/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'`
+    if [ -z "$SERVER_NAME" ]; then
+        SERVER_NAME=`openssl x509 -in /etc/httpd/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'`
+    fi
+fi
+
+# Configure Apache HTTP Server with the server name.
+sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@g /etc/httpd/conf.d/000-comanage.conf
+
+exec /usr/sbin/httpd -DFOREGROUND
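Review bot: The plugin list split at `sed -e 's@,@ @'` replaces only the first comma, so `COMANAGE_REGISTRY_ENABLE_PLUGIN=a,b,c` yields the elements `a` and `b,c` and the second symlink is created with a literal comma in its name; use `plugins=(${COMANAGE_REGISTRY_ENABLE_PLUGIN//,/ })` or add the `g` flag. The generated `database.php` and `email.php` embed the database and SMTP passwords, and `security.salt`/`security.seed` are written with plain `echo`, all under the entrypoint's default umask, so they end up world-readable inside the container and on the mounted `local` volume; follow each write with `chown root:apache` and `chmod 0640` (httpd.conf runs the server as `apache`). The `cat $file_name` in the `_FILE` loop is unquoted and should be `cat "$file_name"`. Relatedly, `/etc/httpd/privkey.pem` is chowned to `apache` even though httpd normally loads its TLS key while still root, so `root:root 0600` would expose it to fewer processes — confirm against 000-comanage.conf, which is not in view.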
diff --git a/comanage-registry-internet2-tier/docker-comanage-shibboleth-sp-entrypoint b/comanage-registry-internet2-tier/docker-comanage-shibboleth-sp-entrypoint
new file mode 100755
index 0000000..a7472bb
--- /dev/null
+++ b/comanage-registry-internet2-tier/docker-comanage-shibboleth-sp-entrypoint
@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# COmanage Registry Shibboleth SP Dockerfile entrypoint
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -n "$COMANAGE_DEBUG" ]
+then
+    OUTPUT=/dev/stdout
+else
+    OUTPUT=/dev/null
+fi
+
+# Configuration details that may be injected through environment
+# variables or the contents of files.
+#
+# SHIBBOLETH_SP_METADATA_PROVIDER_XML may also be injected in the
+# same way but because of the presence of special characters in the
+# XML it is handled differently.
+
+injectable_config_vars=( 
+    SHIBBOLETH_SP_ENTITY_ID
+    SHIBBOLETH_SP_CERT
+    SHIBBOLETH_SP_PRIVKEY
+    SHIBBOLETH_SP_SAMLDS_URL
+)
+
+# If the file associated with a configuration variable is present then 
+# read the value from it into the appropriate variable. So for example
+# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its
+# value points to a file on the file system then read the contents
+# of that file into the variable COMANAGE_REGISTRY_DATASOURCE.
+
+for config_var in "${injectable_config_vars[@]}"
+do
+    eval file_name=\$"${config_var}_FILE";
+
+    if [ -e "$file_name" ]; then
+        payload=`cat $file_name`
+        declare "${config_var}"="${payload}"
+    fi
+done
+
+# If no shibboleth2.xml file is present then create one using 
+# injected information or defaults that are not particularly
+# useful in a federated context but will allow shibd to start.
+if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then
+    cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml
+    sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml
+    sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml
+
+    # The metadata provider injected input most likely contains special characters
+    # so use a sed script instead of simple substitution on the command line.
+
+    if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then
+        xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE"
+    else
+        xml_content_file=`/bin/mktemp`
+        echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file}
+    fi
+
+    sed_script_file=`/bin/mktemp`
+    cat > ${sed_script_file}<<EOF
+/%%SHIBBOLETH_SP_METADATA_PROVIDER_XML%%/ {
+    r ${xml_content_file}
+    d
+}
+EOF
+
+    sed -i -f ${sed_script_file} /etc/shibboleth/shibboleth2.xml
+    
+    chmod 0644 /etc/shibboleth/shibboleth2.xml
+fi
+
+# If defined use configured location of Shibboleth SP SAML certificate and key.
+if [ -n "$SHIBBOLETH_SP_CERT" ]; then
+    cp "$SHIBBOLETH_SP_CERT" /etc/shibboleth/sp-cert.pem
+    chown shibd /etc/shibboleth/sp-cert.pem
+    chmod 0644 /etc/shibboleth/sp-cert.pem
+fi
+
+if [ -n "$SHIBBOLETH_SP_PRIVKEY" ]; then
+    cp "$SHIBBOLETH_SP_PRIVKEY" /etc/shibboleth/sp-key.pem
+    chown shibd /etc/shibboleth/sp-key.pem
+    chmod 0600 /etc/shibboleth/sp-key.pem
+fi
+
+# Send logging to container stdout.
+pushd /var/log/shibboleth
+/bin/rm -f shibd.log transaction.log shibd_warn.log signature.log
+/bin/ln -sfT /dev/stdout shibd.log
+/bin/ln -sfT /dev/stdout shibd_warn.log
+/bin/ln -sfT /dev/stdout transaction.log
+/bin/ln -sfT /dev/stdout signature.log
+chown shibd:shibd shibd.log transaction.log shibd_warn.log signature.log
+popd
+
+# Start the daemon.
+export LD_LIBRARY_PATH=/opt/shibboleth/lib64
+exec /usr/sbin/shibd -f -u shibd -g shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F
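Review bot: The fallback write `echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file}` expands the XML unquoted, so the shell word-splits it, collapses its newlines and glob-expands any `*` or `?` in it before the sed `r` command splices it into shibboleth2.xml; write it as `printf '%s\n' "${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-}" > "${xml_content_file}"` and remove both mktemp files afterwards. Neither `cp` of the SAML certificate and key checks its exit status, so if the source path is wrong shibd still starts with whatever `sp-key.pem` the image already contains — append `|| exit 1` to each. Note also that `SHIBBOLETH_SP_CERT` and `SHIBBOLETH_SP_PRIVKEY` are in the `_FILE`-injectable list, which reads the referenced file's contents into the variable, yet the variables are then used as paths to `cp`; if `SHIBBOLETH_SP_PRIVKEY_FILE` is meant to point at the PEM itself (the Docker-secrets pattern), the copy will fail, so either exclude these two from the loop or write the variable contents to the destination instead.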
diff --git a/comanage-registry-internet2-tier/httpd.conf b/comanage-registry-internet2-tier/httpd.conf
new file mode 100644
index 0000000..67ed694
--- /dev/null
+++ b/comanage-registry-internet2-tier/httpd.conf
@@ -0,0 +1,71 @@
+# COmanage Registry Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ServerRoot "/etc/httpd"
+Listen 80
+Include conf.modules.d/*.conf
+User apache
+Group apache
+ServerAdmin root@localhost
+
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+DocumentRoot "/var/www/html"
+
+<Directory "/var/www">
+    AllowOverride None
+    # Allow open access:
+    Require all granted
+</Directory>
+
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+DirectoryIndex index.html
+
+<Files ".ht*">
+    Require all denied
+</Files>
+
+ErrorLogFormat "httpd error_log [%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
+ErrorLog "logs/error_log"
+LogLevel warn
+
+LogFormat "httpd access_log %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+CustomLog "logs/access_log" combined
+
+TypesConfig /etc/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+AddType text/html .shtml
+AddOutputFilter INCLUDES .shtml
+
+AddDefaultCharset UTF-8
+
+MIMEMagicFile conf/magic
+
+EnableSendfile on
+
+IncludeOptional conf.d/*.conf
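Review bot: `Options Indexes FollowSymLinks` on `/var/www/html` enables automatic directory listings, which for an identity-registry front end discloses deployed files for any path without an index; drop `Indexes` so the line reads `Options FollowSymLinks`. `ServerTokens` and `ServerSignature` are not set, so error pages and the `Server` header carry the full httpd and module version string — add `ServerTokens Prod` and `ServerSignature Off`. ErrorLog and CustomLog go to `logs/error_log` and `logs/access_log` inside the container while the companion shibd entrypoint redirects its logs to `/dev/stdout`; unless 000-comanage.conf (not in view) overrides them, httpd's access and error logs never reach `docker logs`, so consider `ErrorLog /dev/stderr` and `CustomLog /dev/stdout combined`.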
diff --git a/comanage-registry-internet2-tier/native.logger b/comanage-registry-internet2-tier/native.logger
new file mode 100644
index 0000000..07efe77
--- /dev/null
+++ b/comanage-registry-internet2-tier/native.logger
@@ -0,0 +1,39 @@
+# set overall behavior
+log4j.rootCategory=INFO, native_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# define the appender
+
+log4j.appender.native_log=org.apache.log4j.FileAppender
+log4j.appender.native_log.fileName=/var/log/shibboleth-www/native.log
+log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.native_log.layout.ConversionPattern=shibd native.log %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.warn_log=org.apache.log4j.FileAppender
+log4j.appender.warn_log.fileName=/var/log/shibboleth-www/native_warn.log
+log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.warn_log.layout.ConversionPattern=shibd native_warn.log %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+log4j.appender.warn_log.threshold=WARN
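Review bot: Both appenders write to `/var/log/shibboleth-www/native.log` and `native_warn.log` inside the container, whereas the shibd entrypoint symlinks its own log files to `/dev/stdout`; nothing in this change does the same for the `shibboleth-www` directory, so whatever the Apache-side Shibboleth module logs there would be invisible to `docker logs` unless the Dockerfile (not in view) handles it. That directory must also be writable by the `apache` user httpd runs as. Consider pointing each `fileName` at `/dev/stdout` directly, or symlinking the two files in the httpd entrypoint as is done for shibd.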
diff --git a/comanage-registry-internet2-tier/php.conf b/comanage-registry-internet2-tier/php.conf
new file mode 100644
index 0000000..ffda6de
--- /dev/null
+++ b/comanage-registry-internet2-tier/php.conf
@@ -0,0 +1,10 @@
+<FilesMatch \.php$>
+    SetHandler application/x-httpd-php
+</FilesMatch>
+
+AddType text/html .php
+
+DirectoryIndex index.php
+
+#php_value session.save_handler "files"
+#php_value session.save_path    "/var/lib/php/session"
diff --git a/comanage-registry-internet2-tier/shibboleth.repo b/comanage-registry-internet2-tier/shibboleth.repo
new file mode 100644
index 0000000..393aa48
--- /dev/null
+++ b/comanage-registry-internet2-tier/shibboleth.repo
@@ -0,0 +1,7 @@
+[security_shibboleth]
+name=Shibboleth (CentOS_7)
+type=rpm-md
+baseurl=http://downloadcontent.opensuse.org/repositories/security:/shibboleth/CentOS_7/
+gpgcheck=1
+gpgkey=http://downloadcontent.opensuse.org/repositories/security:/shibboleth/CentOS_7/repodata/repomd.xml.key
+enabled=1
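Review bot: Both `baseurl` and `gpgkey` are fetched over plain `http://`, so although `gpgcheck=1` is set, the signing key is retrieved from the same unauthenticated channel as the packages and a network attacker at image-build time could substitute both; point both at `https://` if the mirror serves it, or better, add the key to the build context, import it in the Dockerfile and reference it as `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth`. Consider also `repo_gpgcheck=1` if the repository publishes a signed `repomd.xml`, so the metadata itself is verified.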
diff --git a/comanage-registry-internet2-tier/shibd.logger b/comanage-registry-internet2-tier/shibd.logger
new file mode 100644
index 0000000..bcfae12
--- /dev/null
+++ b/comanage-registry-internet2-tier/shibd.logger
@@ -0,0 +1,63 @@
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.FileAppender
+log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=shibd shibd.log %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.warn_log=org.apache.log4j.FileAppender
+log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
+log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.warn_log.layout.ConversionPattern=shibd shibd_warn.log %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+log4j.appender.warn_log.threshold=WARN
+
+log4j.appender.tran_log=org.apache.log4j.FileAppender
+log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=shibd transaction.log %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=shibd signature.log %m
diff --git a/comanage-registry-internet2-tier/supervisord.conf b/comanage-registry-internet2-tier/supervisord.conf
new file mode 100644
index 0000000..1fbc238
--- /dev/null
+++ b/comanage-registry-internet2-tier/supervisord.conf
@@ -0,0 +1,36 @@
+; COmanage Registry Docker supervisord configuration
+; 
+; Portions licensed to the University Corporation for Advanced Internet
+; Development, Inc. ("UCAID") under one or more contributor license agreements.
+; See the NOTICE file distributed with this work for additional information
+; regarding copyright ownership.
+; 
+; UCAID licenses this file to you under the Apache License, Version 2.0
+; (the "License"); you may not use this file except in compliance with the
+; License. You may obtain a copy of the License at:
+; 
+; http://www.apache.org/licenses/LICENSE-2.0
+; 
+; Unless required by applicable law or agreed to in writing, software
+; distributed under the License is distributed on an "AS IS" BASIS,
+; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+; See the License for the specific language governing permissions and
+; limitations under the License.
+
+[supervisord]
+nodaemon=true
+user=root
+
+[program:httpd]
+command=/usr/local/bin/docker-comanage-entrypoint
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:shibd]
+command=/usr/local/bin/docker-comanage-shibboleth-sp-entrypoint
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
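Review bot: The two programs have no `priority` or `startsecs`, so supervisord starts the httpd and shibd entrypoints concurrently; the shibd entrypoint is the one that materialises `/etc/shibboleth/shibboleth2.xml` from the template, and if httpd reaches its `exec` first it presumably loads the SP module before that file exists — in practice the httpd entrypoint's wait for the database makes it lose the race, but that is luck rather than ordering, so set `priority=100` on `[program:shibd]` and `priority=200` on `[program:httpd]`. Neither program sets `autorestart`, so with the default `unexpected` policy a clean exit of either entrypoint leaves the container running without that daemon and invisible to the orchestrator's process-level health check; consider `autorestart=true` for both or an event listener that exits supervisord on a fatal child.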