rework

Dockerfile

@@ -1,40 +1,83 @@
 FROM centos:centos8
 
-RUN dnf install -y @freeradius freeradius-utils freeradius-mysql net-tools
+#run-time settings and defaults
+ENV DB_LOCATION=local \
+    DB_DRIVER=rlm_sql_mysql \
+    DB_DIALECT=mysql \
+    DB_HOST=localhost \
+    DB_PORT=3306 \
+    DB_ROOT_PWD=SuperStrongPassword \
+    DB_USER=radius \
+    DB_USER_PWD=SuperStrongPassword \
+    DB_NAME=radius \
+    ENV=dev \
+    USERTOKEN=nothing \
+################## \
+### OTHER VARS ### \
+################## \
+    VERSION=3.0.x \
+    TIERVERSION=20200222 \
+    IMAGENAME=radius \
+    MAINTAINER=tier 
+# TIER Beacon Opt-out
+# Completely uncomment the following ENV line to prevent the containers from sending analytics information to Internet2.
+# With the default/release configuration, it will only send product (Shibb/Grouper/COmanage) and version (3.3.1-17040, etc) 
+#   once daily between midnight and 4am.  There is no configuration or private information collected or sent.  
+# This data helps with the scalaing and funding of TIER.  Please do not disable it if you find the TIER tools useful.
+# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
+#####     ENV TIER_BEACON_OPT_OUT True
 
-RUN ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/ && chgrp -h radiusd /etc/raddb/mods-enabled/sql
+#install/enable required packages
+RUN dnf install -y epel-release
+RUN dnf install -y \
+    @freeradius freeradius-utils freeradius-mysql \
+    net-tools unzip cronie curl openssl supervisor \
+    @httpd @php php-{cli,curl,mysqlnd,devel,gd,pear,mbstring,xml,pear} 
+RUN pear install MDB2 DB && ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/ && chgrp -h radiusd /etc/raddb/mods-enabled/sql
+RUN dnf module install -y mariadb
 
-#commands to apply local config to radius' sql config
-#RUN sed -i 's/\"rlm_sql_null\"/\"rlm_sql_mysql\"/' /etc/raddb/mods-available/sql \
-#&& sed -i 's/\"sqlite\"/\"mysql\"/' /etc/raddb/mods-available/sql \
-#&& sed -i '/server = \"localhost\"/s/^#*//g' /etc/raddb/mods-available/sql \
-#&& sed -i 's/\"localhost\"/\"${DB_HOST}\"/' /etc/raddb/mods-available/sql \
-#&& sed -i '/port = \"3306\"/s/^#*//g' /etc/raddb/mods-available/sql \
-#&& sed -i 's/\"3306\"/\"${DB_PORT}\"/' /etc/raddb/mods-available/sql \
-#&& sed -i '/login = \"radius\"/s/^#*//g' /etc/raddb/mods-available/sql \
-#&& sed -i 's/login = \"radius\"/login = \"${DB_USER}\"/' /etc/raddb/mods-available/sql \
-#&& sed -i '/password = \"SuperStrongPassword\"/s/^#*//g' /etc/raddb/mods-available/sql \
-#&& sed -i 's/\"SuperStrongPassword\"/\"${DB_PWD}\"/' /etc/raddb/mods-available/sql \
-#&& sed -i 's/radius_db = \"radius\"/radius_db = \"${DB_NAME}\"/' /etc/raddb/mods-available/sql
+#install/configure Daloradius UI
+RUN curl -L -O 'https://github.com/lirantal/daloradius/archive/master.zip' \
+    && unzip master.zip \
+    && rm master.zip \
+    && mv daloradius-master/ /opt/daloradius \
+    && rm -rf /var/www/html \
+    && cp -r /opt/daloradius /var/www/html \
+    && chown -R apache:apache /var/www/html/ \
+    && mkdir -p /run/php-fpm/
 
+#configure supervisord and crond
+RUN mkdir -p /opt/tier/
+ADD container_files/setenv.sh /opt/tier/setenv.sh
+ADD container_files/setupcron.sh /usr/local/bin/setupcron.sh
+ADD container_files/sendtierbeacon.sh /usr/local/bin/sendtierbeacon.sh
+ADD container_files/supervisord_with_db.conf /etc/supervisor/
+ADD container_files/supervisord_no_db.conf /etc/supervisor/
+ADD container_files/startup.sh /usr/local/bin/
+RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
+    && chmod +x /usr/local/bin/setupcron.sh \
+    && chmod +x /usr/local/bin/sendtierbeacon.sh \
+    && chmod +x /usr/local/bin/startup.sh \
+# setup cron
+    && /usr/local/bin/setupcron.sh \
+# set cron to not require a login session
+    && sed -i '/session    required   pam_loginuid.so/c\#session    required   pam_loginuid.so' /etc/pam.d/crond
 
+#setup logging
+RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
+    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \
+    && touch /tmp/daloradius.log && chmod 755 /var/log/radius/ && touch /var/log/radius/radius.log && chmod 644 /var/log/radius/radius.log
 
-#install httpd and php
+VOLUME /var/lib/mysql
 
-
-
-#install Daloradius
-
-
-
-#script for use in starting radius only when dependent services are available
-#  example for downstream Dockerfile: CMD ["/wait-for-it.sh","-q","db:3306","--","/usr/sbin/radiusd","-fl","stdout"]
-COPY container_files/wait-for-it.sh /
-RUN chmod 755 /wait-for-it.sh
-
-EXPOSE 1812/udp 1813/udp
+EXPOSE 1812/udp 1813/udp 443
 
 #healthcheck command so that the container's state is known
 HEALTHCHECK CMD netstat -an | grep udp | grep 1812 > /dev/null; if [ 0 != $? ]; then exit 1; fi;
 
-CMD ["/usr/sbin/radiusd","-fl","stdout"]
+CMD /usr/local/bin/startup.sh
+

container_files/sendtierbeacon.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+LOGHOST="collector.testbed.tier.internet2.edu"
+LOGPORT="5001"
+if [ -s /opt/tier/env.bash ]; then
+  . /opt/tier/env.bash
+fi
+
+#below for syslog, F-TICKS style
+#LOGTEXT="TIERBEACON/TIER/1.0#IM=$IMAGENAME#PV=$VERSION#TR=$TIERVERSION#MT=$MAINTAINER#"
+
+#below for JSON/REST style
+LOGTEXT="{ \"msgType\" : \"TIERBEACON\", \"msgName\" : \"TIER\", \"msgVersion\" : \"1.0\", \"tbProduct\" : \"$IMAGENAME\", \"tbProductVersion\" : \"$VERSION\", \"tbTIERRelease\" : \"$TIERVERSION\", \"tbMaintainer\" : \"$MAINTAINER\" }"
+
+
+if [ -z "$TIER_BEACON_OPT_OUT" ]; then
+  #send JSON
+  echo $LOGTEXT > msgjson.txt
+  curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T msgjson.txt 1>/dev/null
+  if [ $? -eq 0 ]; then
+        echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; TIER beacon sent"
+  else
+        echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; Failed to send TIER beacon"
+  fi
+
+  rm -f msgjson.txt
+
+  #below is for syslog, F-TICKS style
+  #`logger -n $LOGHOST -P $LOGPORT -t TIERBEACON $LOGTEXT`
+
+fi
+

container_files/setenv.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^VERSION" > /opt/tier/env.bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIERVERSION" >> /opt/tier/env.bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^IMAGENAME" >> /opt/tier/env.bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MAINTAINER" >> /opt/tier/env.bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIER_BEACON_OPT_OUT" >> /opt/tier/env.bash
+

container_files/setupcron.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+CRONFILE=/opt/tier/tier-cron
+
+#set env vars for cron job
+#  this script creates /opt/tier/env.bash which is sourced by the cron job's script, which was not seeing the environment set by the Dockerfile
+/opt/tier/setenv.sh
+
+#build crontab file with random start time between midnight and 3:59am
+echo "#send daily beacon to TIER Central" > ${CRONFILE}
+echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE}
+chmod 644 ${CRONFILE}
+
+#install crontab
+crontab ${CRONFILE}
+
+#create cron logfile
+touch /var/log/cron.log
+

container_files/startup.sh

@@ -0,0 +1,90 @@
+
+
+#configure radius for DB
+sed -i 's/\"rlm_sql_null\"/\"'${DB_DRIVER}'\"/' /etc/raddb/mods-available/sql
+sed -i 's/\"sqlite\"/\"'${DB_DIALECT}'\"/' /etc/raddb/mods-available/sql
+sed -i '/server = \"localhost\"/s/^#*//g' /etc/raddb/mods-available/sql
+sed -i 's/\"localhost\"/\"'${DB_HOST}'\"/' /etc/raddb/mods-available/sql
+sed -i '/port = 3306/s/^#*//g' /etc/raddb/mods-available/sql
+sed -i 's/3306/'${DB_PORT}'/' /etc/raddb/mods-available/sql
+sed -i '/login = \"radius\"/s/^#*//g' /etc/raddb/mods-available/sql
+sed -i 's/login = \"radius\"/login = \"'${DB_USER}'\"/' /etc/raddb/mods-available/sql
+sed -i '/password = \"radpass\"/s/^#*//g' /etc/raddb/mods-available/sql
+sed -i 's/\"radpass\"/\"'${DB_USER_PWD}'\"/' /etc/raddb/mods-available/sql
+sed -i 's/radius_db = \"radius\"/radius_db = \"'${DB_NAME}'\"/' /etc/raddb/mods-available/sql
+sed -i 's/${dialect}/'${DB_DIALECT}'/' /etc/raddb/mods-available/sql
+
+#setup MariaDB, if desired
+if [ ${DB_LOCATION} = "local" ]; then
+    mysql_install_db
+    chown -R mysql:mysql /var/lib/mysql/
+    sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf
+    sed -i 's/^\(log_error\s.*\)/# \1/' /etc/my.cnf
+    sed -i 's/\[mysqld\]/\[mysqld\]\ncharacter_set_server = utf8/' /etc/my.cnf
+    sed -i 's/\[mysqld\]/\[mysqld\]\ncollation_server = utf8_general_ci/' /etc/my.cnf
+    sed -i 's/\[mysqld\]/\[mysqld\]\nport = 3306/' /etc/my.cnf
+    echo "/usr/bin/mysqld_safe &" > /tmp/config
+    echo "mysqladmin --silent --wait=30 ping || exit 1" >> /tmp/config
+    echo "mysql -e 'UPDATE mysql.user SET Password=PASSWORD(\"'${DB_ROOT_PWD}'\") WHERE User=\"root\";'" >> /tmp/config
+    echo "mysql -e 'DELETE FROM mysql.user WHERE User=\"\";'" >> /tmp/config
+    echo "mysql -e 'DELETE FROM mysql.user WHERE User=\"root\" AND Host NOT IN (\"localhost\", \"127.0.0.1\", \"::1\");'" >> /tmp/config
+    echo "mysql -e 'DROP DATABASE IF EXISTS test;'" >> /tmp/config
+    echo "mysql -e 'DELETE FROM mysql.db WHERE Db=\"test\" OR Db=\"test\\_%\";'" >> /tmp/config
+    echo "mysql -e 'CREATE DATABASE '${DB_NAME}';'" >> /tmp/config
+    echo "mysql -e 'CREATE USER \"'${DB_USER}'\"@\"localhost\" IDENTIFIED BY \"'${DB_USER_PWD}'\";'" >> /tmp/config
+    echo "mysql -e 'GRANT ALL ON '${DB_NAME}'.* TO \"root\"@\"localhost\";'" >> /tmp/config
+    echo "mysql -e 'GRANT ALL ON '${DB_NAME}'.* TO \"'${DB_USER}'\"@\"localhost\";'" >> /tmp/config
+    echo "mysql -u root ${DB_NAME} < /etc/raddb/mods-config/sql/main/mysql/schema.sql" >> /tmp/config
+    echo "mysql -u root ${DB_NAME} < /opt/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql" >> /tmp/config
+    echo "mysql -u root ${DB_NAME} < /opt/daloradius/contrib/db/mysql-daloradius.sql" >> /tmp/config
+    echo "mysql -e 'FLUSH PRIVILEGES;'" >> /tmp/config
+    bash /tmp/config
+    rm -f /tmp/config 
+fi
+
+#configure Daloradius
+sed -i "s/\['CONFIG_DB_USER'] = 'root'/\['CONFIG_DB_USER'] = '"${DB_USER}"'/" /var/www/html/library/daloradius.conf.php
+sed -i "s/\['CONFIG_DB_PASS'] = ''/\['CONFIG_DB_PASS'] = '"${DB_USER_PWD}"'/" /var/www/html/library/daloradius.conf.php
+sed -i "s/\['CONFIG_DB_NAME'] = 'radius'/\['CONFIG_DB_NAME'] = '"${DB_NAME}"'/" /var/www/html/library/daloradius.conf.php
+sed -i "s/\['CONFIG_DB_HOST'] = 'localhost'/\['CONFIG_DB_HOST'] = '"${DB_HOST}"'/" /var/www/html/library/daloradius.conf.php
+sed -i "s/\['CONFIG_DB_PORT'] = '3306'/\['CONFIG_DB_PORT'] = '"${DB_PORT}"'/" /var/www/html/library/daloradius.conf.php
+
+#generate self-signed SSL cert
+openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=localhost" -batch -keyout /etc/pki/tls/private/localhost.key -out localhost.csr
+echo '[SAN]' > extensions
+echo "subjectAltName=DNS:localhost,URI:https://localhost/" >>extensions
+echo "subjectKeyIdentifier=hash" >> extensions
+openssl x509 -req -days 1095 -in localhost.csr -signkey /etc/pki/tls/private/localhost.key -extensions SAN -extfile extensions -out /etc/pki/tls/certs/localhost.crt
+rm -f extensions localhost.csr
+
+#setup pipes for logging
+export USERTOKEN="${USERTOKEN//;/:}"
+export USERTOKEN="${USERTOKEN// /}"
+export ENV="${ENV//;/:}"
+export ENV="${ENV// /}"
+mkfifo -m 666 /tmp/logpipe
+cat <> /tmp/logpipe 1>&2 &
+mkfifo -m 666 /tmp/logcrond
+(cat <> /tmp/logcrond  | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "crond;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+mkfifo -m 666 /tmp/logradius
+(cat <> /tmp/logradius | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "radius;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+mkfifo -m 666 /tmp/logsuperd
+(cat <> /tmp/logsuperd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "supervisord;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+mkfifo -m 666 /tmp/logmysql
+(cat <> /tmp/logmysql | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "mysql;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+mkfifo -m 666 /tmp/logmysqldb
+(cat <> /tmp/logmysqldb | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "mysql;mysql.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+mkfifo -m 666 /tmp/loghttpd
+(cat <> /tmp/loghttpd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "httpd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+mkfifo -m 666 /tmp/logphpfpm
+(cat <> /tmp/logphpfpm | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "phpfpm;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+mkfifo -m 666 /tmp/logidp-consent-audit
+(cat <> /tmp/logidp-consent-audit | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-consent-audit.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+#launch supervisord
+if [ ${DB_LOCATION} = "local" ]; then
+  /usr/bin/supervisord -c /etc/supervisor/supervisord_with_db.conf
+else
+  /usr/bin/supervisord -c /etc/supervisor/supervisord_no_db.conf
+fi
+

container_files/supervisord_no_db.conf

@@ -0,0 +1,43 @@
+[supervisord]
+logfile=/tmp/logsuperd
+logfile_maxbytes=0
+loglevel=error
+nodaemon=true
+user=root
+
+[program:cron]
+command=/usr/sbin/crond -n
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/logcrond
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logcrond
+stderr_logfile_maxbytes=0
+directory=/usr/local/bin
+
+[program:radius]
+command=/usr/sbin/radiusd -f
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/logradius
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logradius
+stderr_logfile_maxbytes=0
+
+[program:httpd]
+command=httpd -D FOREGROUND
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/loghttpd
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+
+[program:php-fpm]
+command=/usr/sbin/php-fpm -c /etc/php.ini
+stdout_logfile=/tmp/logphpfpm
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logphpfpm
+stderr_logfile_maxbytes=0
+
+[include]
+files=/etc/supervisor/conf.d/*

container_files/supervisord_with_db.conf

@@ -0,0 +1,52 @@
+[supervisord]
+logfile=/tmp/logsuperd
+logfile_maxbytes=0
+loglevel=error
+nodaemon=true
+user=root
+
+[program:cron]
+command=/usr/sbin/crond -n
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/logcrond
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logcrond
+stderr_logfile_maxbytes=0
+directory=/usr/local/bin
+
+[program:radius]
+command=/usr/sbin/radiusd -f
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/logradius
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logradius
+stderr_logfile_maxbytes=0
+
+[program:mariadb]
+command=mysqld_safe
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/logmysql
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logmysql
+stderr_logfile_maxbytes=0
+
+[program:httpd]
+command=httpd -D FOREGROUND
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/loghttpd
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+
+[program:php-fpm]
+command=/usr/sbin/php-fpm -c /etc/php.ini
+stdout_logfile=/tmp/logphpfpm
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logphpfpm
+stderr_logfile_maxbytes=0
+
+[include]
+files=/etc/supervisor/conf.d/*