Dockerfile

@@ -1,95 +1,84 @@
-ARG from=centos:centos7
-FROM ${from} as build
+FROM centos:centos8
+
+#run-time settings and defaults
+ENV DB_LOCATION=local \
+    DB_DRIVER=rlm_sql_mysql \
+    DB_DIALECT=mysql \
+    DB_ENGINE=mysqli \
+    DB_HOST=localhost \
+    DB_PORT=3306 \
+    DB_ROOT_PWD=SuperStrongPassword \
+    DB_USER=radius \
+    DB_USER_PWD=SuperStrongPassword \
+    DB_NAME=radius \
+    ENV=dev \
+    USERTOKEN=nothing \
+################## \
+### OTHER VARS ### \
+################## \
+    VERSION=3.0.x \
+    TIERVERSION=20210506 \
+    IMAGENAME=radius \
+    MAINTAINER=tier 
+# TIER Beacon Opt-out
+# Completely uncomment the following ENV line to prevent the containers from sending analytics information to Internet2.
+# With the default/release configuration, it will only send product (Shibb/Grouper/COmanage) and version (3.3.1-17040, etc) 
+#   once daily between midnight and 4am.  There is no configuration or private information collected or sent.  
+# This data helps with the scalaing and funding of TIER.  Please do not disable it if you find the TIER tools useful.
+# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
+#####     ENV TIER_BEACON_OPT_OUT True
+
+#install/enable required packages
+RUN dnf install -y epel-release
+RUN dnf update -y && dnf install -y \
+    @freeradius freeradius-utils freeradius-mysql freeradius-postgresql \
+    net-tools unzip cronie curl openssl supervisor php-pgsql \
+    @httpd @php php-{cli,curl,mysqlnd,devel,gd,pear,mbstring,xml,pear} 
+RUN pear install MDB2 DB && ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/ && chgrp -h radiusd /etc/raddb/mods-enabled/sql
+RUN dnf module install -y mariadb
+
+#install/configure Daloradius UI
+RUN curl -L -O 'https://github.com/lirantal/daloradius/archive/master.zip' \
+    && unzip master.zip \
+    && rm master.zip \
+    && mv daloradius-master/ /opt/daloradius \
+    && rm -rf /var/www/html \
+    && cp -r /opt/daloradius /var/www/html \
+    && chown -R apache:apache /var/www/html/ \
+    && mkdir -p /run/php-fpm/
+
+#configure supervisord and crond
+RUN mkdir -p /opt/tier/
+ADD container_files/setenv.sh /opt/tier/setenv.sh
+ADD container_files/setupcron.sh /usr/local/bin/setupcron.sh
+ADD container_files/sendtierbeacon.sh /usr/local/bin/sendtierbeacon.sh
+ADD container_files/supervisord_with_db.conf /etc/supervisor/
+ADD container_files/supervisord_no_db.conf /etc/supervisor/
+ADD container_files/startup.sh /usr/local/bin/
+RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
+    && chmod +x /usr/local/bin/setupcron.sh \
+    && chmod +x /usr/local/bin/sendtierbeacon.sh \
+    && chmod +x /usr/local/bin/startup.sh \
+# setup cron
+    && /usr/local/bin/setupcron.sh \
+# set cron to not require a login session
+    && sed -i '/session    required   pam_loginuid.so/c\#session    required   pam_loginuid.so' /etc/pam.d/crond
+
+#setup logging
+RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
+    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \
+    && touch /tmp/daloradius.log && chmod 755 /var/log/radius/ && touch /var/log/radius/radius.log && chmod 644 /var/log/radius/radius.log
+
+VOLUME /var/lib/mysql
+
+EXPOSE 1812/udp 1813/udp 443
+
+#healthcheck command so that the container's state is known
+HEALTHCHECK CMD netstat -an | grep udp | grep 1812 > /dev/null; if [ 0 != $? ]; then exit 1; fi;
+
+CMD /usr/local/bin/startup.sh
 
-#
-#  Install build tools
-#
-RUN yum groupinstall -y "Development Tools"
-RUN yum install -y rpmdevtools
-RUN yum install -y openssl
-
-#
-#  Create build directory
-#
-RUN mkdir -p /usr/local/src/repositories
-WORKDIR /usr/local/src/repositories
-
-#
-#  Shallow clone the FreeRADIUS source
-#
-ARG source=https://github.com/FreeRADIUS/freeradius-server.git
-ARG release=v3.0.x
-
-RUN git clone --depth 1 --single-branch --branch ${release} ${source}
-WORKDIR freeradius-server
-
-#
-#  Other requirements
-#
-
-# Use LTB's openldap packages intead of the distribution version to avoid linking against NSS
-RUN echo $'[ltb-project]\n\
-name=LTB project packages\n\
-baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\
-enabled=1\n\
-gpgcheck=1\n\
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\
-> /etc/yum.repos.d/ltb-project.repo
-RUN rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project
-
-# EPEL repository for freetds and hiredis
-RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
-
-#
-#  Install build dependencies
-#
-RUN [ -e redhat/freeradius.spec ] && yum-builddep -y redhat/freeradius.spec
-
-#
-#  Create RPM build environment
-#
-ENV BUILDDIR=/root/rpmbuild
-RUN rpmdev-setuptree
-
-RUN ./configure
-RUN make freeradius-server-$(cat VERSION).tar.bz2
-RUN cp freeradius-server-$(cat VERSION).tar.bz2 $BUILDDIR/SOURCES/
-RUN cp -r redhat/* $BUILDDIR/SOURCES/
-RUN cp -r redhat/freeradius.spec $BUILDDIR/SPECS/
-WORKDIR $BUILDDIR
-
-#
-#  Build the server
-#
-ENV QA_RPATHS=0x0003
-RUN rpmbuild -bb --define '_release $release' "$BUILDDIR/SPECS/freeradius.spec"
-
-RUN mkdir /root/rpms
-RUN mv $BUILDDIR/RPMS/*/*.rpm /root/rpms/
-
-#
-#  Clean environment and run the server
-#
-FROM ${from}
-COPY --from=build /root/rpms /tmp/
-
-# Use LTB's openldap packages intead of the distribution version to avoid linking against NSS
-RUN echo $'[ltb-project]\n\
-name=LTB project packages\n\
-baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\
-enabled=1\n\
-gpgcheck=1\n\
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\
-> /etc/yum.repos.d/ltb-project.repo \
-    && rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project \
-    \
-# EPEL repository for freetds and hiredis
-    && yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
-    \
-    && yum install -y /tmp/*.rpm
-
-COPY docker-entrypoint.sh /
-
-EXPOSE 1812/udp 1813/udp
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["radiusd"]

Jenkinsfile

@@ -12,7 +12,7 @@ pipeline {
                 script {
                     maintainer = maintain()
                     imagename = imagename()
-                    if(env.BRANCH_NAME == "master") {
+                    if(env.BRANCH_NAME == "main") {
                        tag = "latest"
                     } else {
                        tag = env.BRANCH_NAME
@@ -48,8 +48,8 @@ pipeline {
             steps {
                 script {
                   try{
-                      docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
-                        baseImg = docker.build("$maintainer/$imagename", "--build-arg GROUPER_CONTAINER_VERSION=$tag --no-cache .")
+                      docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-tier") {
+                        baseImg = docker.build("$maintainer/$imagename", "--no-cache .")
                       }
                   } catch(error) {
                      def error_details = readFile('./debug');
@@ -64,7 +64,7 @@ pipeline {
         stage('Push') {
             steps {
                 script {
-                      docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
+                      docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-tier") {
                         baseImg.push("$tag")
                       }
                   }
@@ -91,7 +91,7 @@ pipeline {
 
 def maintain() {
   def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
-  matcher ? matcher[0][1] : 'tier'
+  matcher ? matcher[0][1] : 'i2incommon'
 }
 
 def imagename() {
@@ -103,6 +103,6 @@ def handleError(String message){
   echo "${message}"
   currentBuild.setResult("FAILED")
   slackSend color: 'danger', message: "${message}"
-  //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'chubing@internet2.edu', sendToIndividuals: true])
   sh 'exit 1'
 }
+

README.md

@@ -1 +1,28 @@
-# eduroam-freeradius
+# eduroam-freeradius
+
+### How to deploy the eduroam FreeRadius docker container on a docker-enabled host:
+
+## Run the container directly:
+    docker run -d -p 443:443 -p 1812:1812/udp -p 1813:1813/udp tier/eduroam-freeradius:3.0-20200221
+
+## Below are settings for the container and their default values, which can be overridden at run-time:
+    DB_LOCATION=local
+    DB_DRIVER=rlm_sql_mysql
+    DB_DIALECT=mysql
+    DB_ENGINE=mysqli
+    DB_HOST=localhost
+    DB_PORT=3306
+    DB_ROOT_PWD=SuperStrongPassword
+    DB_USER=radius
+    DB_USER_PWD=SuperStrongPassword
+    DB_NAME=radius
+    ENV=dev
+    USERTOKEN=nothing
+
+## The Daloradius UI should now be accessible on port 443 (https) of the host (with a self-signed cert). Default creds are:
+    username: administrator
+    password: radius
+
+## Notes
+DB_DIALECT is for freeradius and DB_ENGINE is for Daloradius
+

common.bash

@@ -1,2 +1,2 @@
-maintainer="tier"
+maintainer="i2incommon"
 imagename="eduroam-freeradius"

container_files/sendtierbeacon.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+LOGHOST="collector.testbed.tier.internet2.edu"
+LOGPORT="5001"
+if [ -s /opt/tier/env.bash ]; then
+  . /opt/tier/env.bash
+fi
+
+#below for syslog, F-TICKS style
+#LOGTEXT="TIERBEACON/TIER/1.0#IM=$IMAGENAME#PV=$VERSION#TR=$TIERVERSION#MT=$MAINTAINER#"
+
+#below for JSON/REST style
+LOGTEXT="{ \"msgType\" : \"TIERBEACON\", \"msgName\" : \"TIER\", \"msgVersion\" : \"1.0\", \"tbProduct\" : \"$IMAGENAME\", \"tbProductVersion\" : \"$VERSION\", \"tbTIERRelease\" : \"$TIERVERSION\", \"tbMaintainer\" : \"$MAINTAINER\" }"
+
+
+if [ -z "$TIER_BEACON_OPT_OUT" ]; then
+  #send JSON
+  echo $LOGTEXT > msgjson.txt
+  curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T msgjson.txt 1>/dev/null
+  if [ $? -eq 0 ]; then
+        echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; TIER beacon sent"
+  else
+        echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; Failed to send TIER beacon"
+  fi
+
+  rm -f msgjson.txt
+
+  #below is for syslog, F-TICKS style
+  #`logger -n $LOGHOST -P $LOGPORT -t TIERBEACON $LOGTEXT`
+
+fi
+

container_files/setenv.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^VERSION" > /opt/tier/env.bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIERVERSION" >> /opt/tier/env.bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^IMAGENAME" >> /opt/tier/env.bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MAINTAINER" >> /opt/tier/env.bash
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIER_BEACON_OPT_OUT" >> /opt/tier/env.bash
+

container_files/setupcron.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+CRONFILE=/opt/tier/tier-cron
+
+#set env vars for cron job
+#  this script creates /opt/tier/env.bash which is sourced by the cron job's script, which was not seeing the environment set by the Dockerfile
+/opt/tier/setenv.sh
+
+#build crontab file with random start time between midnight and 3:59am
+echo "#send daily beacon to TIER Central" > ${CRONFILE}
+echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE}
+chmod 644 ${CRONFILE}
+
+#install crontab
+crontab ${CRONFILE}
+
+#create cron logfile
+touch /var/log/cron.log
+