diff --git a/Dockerfile b/Dockerfile
index 1bf2555..161cbef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,11 +16,11 @@ ENV GROUPER_VERSION=5.5.0 \
 # net-tools curl mlocate strace telnet man vim rsyslog cron mod_ssl cronie
 RUN yum update -y \
-    && yum install -y logrotate python3-pip rsync sudo patch wget tar unzip dos2unix file net-tools diffutils curl mlocate logrotate strace telnet man vim rsyslog cronie findutils \
+    && yum install -y logrotate python3-pip rsync sudo patch wget tar unzip dos2unix file net-tools diffutils curl mlocate logrotate strace telnet man vim rsyslog cronie findutils procps \
     && pip3 install --upgrade setuptools \
     && yum clean -y all \
-    && groupadd -r tomcat \
-    && useradd -r -m -s /sbin/nologin -g tomcat tomcat \
+    && groupadd -g 994 -r tomcat \
+    && useradd -u 996 -r -m -s /sbin/nologin -g tomcat tomcat \
     && mkdir -p /opt/container_files
 
 # Install Corretto Java JDK
diff --git a/container_files/usr-local-bin/changeGid.sh b/container_files/usr-local-bin/changeGid.sh
index 6d55d94..e3aaeea 100755
--- a/container_files/usr-local-bin/changeGid.sh
+++ b/container_files/usr-local-bin/changeGid.sh
@@ -13,6 +13,11 @@ newGid=$2
 getentOutput="$(getent group "$groupname")"
 oldGid="$( echo "$getentOutput" |cut -d\: -f3 )"
 groupmod -g "$newGid" "$groupname"
-echo "grouperContainer; INFO: (changeGid.sh) groupmod -g \"$newGid\" \"$groupname\" , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeGid.sh) groupmod -g \"$newGid\" \"$groupname\" , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
+
 find / -xdev -group "$oldGid" -exec chgrp -h "$groupname" {} \;
-echo "grouperContainer; INFO: (changeGid.sh) find / -xdev -group \"$oldGid\" -exec chgrp -h \"$groupname\" {} \; , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeGid.sh) find / -xdev -group \"$oldGid\" -exec chgrp -h \"$groupname\" {} \; , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
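Review bot: The fixed ids on the `groupadd -g 994 -r tomcat` and `useradd -u 996 -r ...` lines make the build fail if either id is already taken in the base image once the preceding `yum install` has created its own system accounts, and the same two literals are repeated as defaults in libraryPrep.sh with nothing tying the copies together. Declaring them once, `ARG TOMCAT_UID=996` and `ARG TOMCAT_GID=994` above the RUN, and writing `groupadd -g "$TOMCAT_GID" -r tomcat` / `useradd -u "$TOMCAT_UID" -r -m -s /sbin/nologin -g tomcat tomcat` keeps a single source of truth; whether a clash actually occurs depends on the base image, which is not visible here. At minimum a comment on the groupadd line naming the libraryPrep.sh defaults that must stay in step would help the next person who changes one of them.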
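Review bot: The new exit check after `find / -xdev -group "$oldGid" -exec chgrp -h "$groupname" {} \;` cannot see chgrp failures: with the `\;` form a non-zero chgrp only makes the -exec predicate false, while find's own exit status stays 0 unless find itself hit an error, so `returnCode` is 0 even when files were left with the old gid. Switching to the `+` form, `find / -xdev -group "$oldGid" -exec chgrp -h "$groupname" {} +`, both batches the chgrp calls and (with GNU find) makes find exit non-zero when any invocation fails, so the check becomes meaningful. The chown line in the changeUid.sh hunk has the identical problem and fix. It is also worth guarding the old id before the find: if `getent group` found nothing, `oldGid` is empty and `-group ""` is an error rather than a no-op, so `[ -n "$oldGid" ] || exit 1` ahead of the find (and `[ -n "$oldUid" ]` in changeUid.sh) would fail early with a clear cause.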
diff --git a/container_files/usr-local-bin/changeUid.sh b/container_files/usr-local-bin/changeUid.sh
index 2dcf8a8..343d487 100755
--- a/container_files/usr-local-bin/changeUid.sh
+++ b/container_files/usr-local-bin/changeUid.sh
@@ -12,6 +12,11 @@ username=$1
 newUid=$2
 oldUid="$(id -u "$username")"
 usermod -u "$newUid" "$username"
-echo "grouperContainer; INFO: (changeUid.sh) usermod -u \"$newUid\" \"$username\" , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeUid.sh) usermod -u \"$newUid\" \"$username\" , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
+
 find / -xdev -user "$oldUid" -exec chown -h "$username" {} \;
-echo "grouperContainer; INFO: (changeUid.sh) find / -xdev -user \"$oldUid\" -exec chown -h \"$username\" {} \; , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeUid.sh) find / -xdev -user \"$oldUid\" -exec chown -h \"$username\" {} \; , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh
index d57b1e7..71890f5 100644
--- a/container_files/usr-local-bin/libraryPrep.sh
+++ b/container_files/usr-local-bin/libraryPrep.sh
@@ -172,6 +172,18 @@ prep_finishBegin() {
     echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_UI=false"
     export GROUPER_UI=false
   fi
+  if [ -z "$GROUPER_TOMCAT_UID" ] ; then
+    echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UID=996"
+    export GROUPER_TOMCAT_UID=996
+  fi
+  if [ -z "$GROUPER_TOMCAT_GID" ] ; then
+    echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_GID=994"
+    export GROUPER_TOMCAT_GID=994
+  fi
+  if [ -z "$GROUPER_TOMCAT_UNIX_GROUP" ] ; then
+    echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UNIX_GROUP=root"
+    export GROUPER_TOMCAT_UNIX_GROUP=root
+  fi
   if [ -z "$GROUPER_WS" ] ; then
     echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_WS=false"
     export GROUPER_WS=false
diff --git a/container_files/usr-local-bin/libraryRunCommand.sh b/container_files/usr-local-bin/libraryRunCommand.sh
index 0f70bcc..cb01466 100644
--- a/container_files/usr-local-bin/libraryRunCommand.sh
+++ b/container_files/usr-local-bin/libraryRunCommand.sh
@@ -2,8 +2,14 @@
 runCommand() {
-  echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat"
-  /opt/tomcat/bin/catalina.sh run
+  if [ "$GROUPER_RUN_PROCESSES_AS_USERS" = "true" ]; then
+    echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: sudo -u tomcat /opt/tomcat/bin/catalina.sh run"
+    sudo -u tomcat /opt/tomcat/bin/catalina.sh run
+  else
+    echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: /opt/tomcat/bin/catalina.sh run"
+    /opt/tomcat/bin/catalina.sh run
+  fi
+
 }
 
 runCommand_unsetAll() {
diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
index 9f98282..62d8814 100644
--- a/container_files/usr-local-bin/librarySetupFilesTomcat.sh
+++ b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
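Review bot: The defaults `996` and `994` in the new GROUPER_TOMCAT_UID and GROUPER_TOMCAT_GID blocks are copies of the `useradd -u 996` / `groupadd -g 994` literals in the Dockerfile hunk, and nothing in either place says so, so changing one silently breaks the other. A comment above the first new `if`, `# defaults must match useradd -u / groupadd -g for the tomcat account in the Dockerfile`, makes the coupling visible to whoever edits either file next. What consumes GROUPER_TOMCAT_UNIX_GROUP, and why its default is `root` rather than the tomcat group, is not visible in this diff, so a one-line comment on that block stating its purpose would help too. prep_finishBegin starts and ends outside the hunk.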
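Review bot: `sudo -u tomcat /opt/tomcat/bin/catalina.sh run` runs under sudo's default `env_reset`, which replaces the environment with a minimal set, so the GROUPER_* variables exported by the prep scripts (the `export GROUPER_TOMCAT_UID` lines in the libraryPrep.sh hunk, for instance) and any JAVA_OPTS/CATALINA_OPTS set before this point will not reach catalina.sh unless sudoers has been given an `env_keep` list or the SETENV tag; nothing in the hunk shows such configuration. Either pass the environment explicitly, `sudo -E -u tomcat /opt/tomcat/bin/catalina.sh run` where sudoers permits it, or document the sudoers `env_keep` entries the image relies on in a comment on the `if` line, since the dependency is invisible from the code. Separately, neither branch uses `exec`, so the shell stays as tomcat's parent and, when this is PID 1, a SIGTERM to the container is not forwarded; if runCommand is the last thing the entrypoint does, `exec` on both catalina.sh lines fixes that. runCommand_unsetAll continues outside the hunk.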
@@ -211,13 +211,15 @@ setupFilesTomcat_sslCertsAnchors() {
   # the container user (we arent sure who this is) should be able to update root certs
   # echo 'ALL ALL=NOPASSWD: /bin/update-ca-trust' | sudo EDITOR='tee -n' visudo
+  # generate anchor:
+  # openssl genrsa -out rootCAKey.pem 2048
+  # openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
   if [ -n "$(ls -A /opt/grouper/certs/anchors/ 2>/dev/null)" ]; then
+    # if root
+    if [[ $EUID -eq 0 ]]; then
-    amiroot=`whoami`
-    if [ "$amiroot" = "root" ]; then
-
       echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process"
       /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors
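Review bot: `if [[ $EUID -eq 0 ]]; then` introduces a bash-only test into a function that otherwise uses POSIX `[ ... ]` (the `if [ -n "$(ls -A ...)" ]` line directly above it), so the file now mixes two test idioms and would break if this library were ever sourced under /bin/sh; `if [ "$(id -u)" -eq 0 ]; then` keeps the same check in the file's existing style. The `# if root` comment just restates the condition; it would be more useful if it said why root matters here, e.g. `# only root can write /etc/pki/ca-trust and run update-ca-trust`, which the cp line below supports. The three new `# openssl ...` lines describe how to make a test anchor, but not what the directory is expected to contain; since the later hunk imports only `*.pem` from /opt/grouper/certs/anchors/ while this branch copies `*`, a one-line comment stating the expected file format would prevent surprises. setupFilesTomcat_sslCertsAnchors continues past the hunk.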
@@ -237,9 +239,42 @@ setupFilesTomcat_sslCertsAnchors() {
       fi
     else
-      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in subimage: /bin/update-ca-trust"
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
     fi
+    chmod u+w $JAVA_HOME/lib/security/cacerts
+    returnCode=$?
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u+w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
+    if [ $returnCode != 0 ]
+    then
+      exit $returnCode
+    fi
+
+    for fileName in /opt/grouper/certs/anchors/*.pem; do
+      [ -f "$fileName" ] || continue
+
+      fileNameNoExtension=$(basename -- "$fileName")
+      fileNameNoExtension="${fileNameNoExtension%.*}"
+      /usr/lib/jvm/java/bin/keytool -import -trustcacerts -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias "$fileNameNoExtension" -file "$fileName"
+
+      returnCode=$?
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) /usr/lib/jvm/java/bin/keytool -import -trustcacerts -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias \"$fileNameNoExtension\" -file \"$fileName\" , result=$returnCode"
+      if [ $returnCode != 0 ]
+      then
+        exit $returnCode
+      fi
+
+    done
+
+    chmod u-w $JAVA_HOME/lib/security/cacerts
+    returnCode=$?
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u-w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
+    if [ $returnCode != 0 ]
+    then
+      exit $returnCode
+    fi
+
+
+
   else
     echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are no anchor certs in /opt/grouper/certs/anchors/ to process"
   fi
@@ -252,21 +287,21 @@ setupFilesTomcat_sslCertsClient() {
   chmod u+w $JAVA_HOME/lib/security/cacerts
   returnCode=$?
-  echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u+w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
+  echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsClient) chmod u+w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
   if [ $returnCode != 0 ]
   then
     exit $returnCode
   fi
 
   for fileName in /opt/grouper/certs/client/*.pem; do
-    [ -f "$fileName" ] || break
+    [ -f "$fileName" ] || continue
 
     fileNameNoExtension=$(basename -- "$fileName")
     fileNameNoExtension="${fileNameNoExtension%.*}"
     /usr/lib/jvm/java/bin/keytool -import -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias "$fileNameNoExtension" -file "$fileName"
 
     returnCode=$?
-    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) /usr/lib/jvm/java/bin/keytool -import -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias \"$fileNameNoExtension\" -file \"$fileName\" , result=$returnCode"
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsClient) /usr/lib/jvm/java/bin/keytool -import -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias \"$fileNameNoExtension\" -file \"$fileName\" , result=$returnCode"
     if [ $returnCode != 0 ]
     then
       exit $returnCode
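Review bot: The new block from `chmod u+w $JAVA_HOME/lib/security/cacerts` through the last added `fi` is a near line-for-line copy of setupFilesTomcat_sslCertsClient in the following hunk, differing only in the source directory and the `-trustcacerts` flag, so every fix now has to be made twice; a helper taking the directory and the extra keytool flags removes the duplication and lets both functions share the exit-on-failure logging. The copy also carries over two weaknesses worth fixing while extracting: keytool is taken from the fixed path `/usr/lib/jvm/java/bin/keytool` while the keystore is `$JAVA_HOME/lib/security/cacerts`, so if JAVA_HOME is not that JDK (the Dockerfile installs Corretto) one install's tool edits another's truststore, and an alias that already exists in cacerts — a second run, or a file whose basename equals a bundled CA alias — makes `keytool -import` fail and the whole start-up `exit`. Note also that this block is reached in the non-root branch as well, right after the `else ... fi` that only logs, so it relies on cacerts being writable by that user; I cannot tell from this diff whether the image guarantees that. With the helper below the anchors call becomes `setupFilesTomcat_importPemDir /opt/grouper/certs/anchors -trustcacerts` and the client one `setupFilesTomcat_importPemDir /opt/grouper/certs/client`.
```shell
# Import every *.pem in directory $1 into the JDK truststore at
# $JAVA_HOME/lib/security/cacerts; remaining arguments are passed through
# to keytool (e.g. -trustcacerts). Exits the shell on failure, matching the
# convention used by the other setupFilesTomcat_* functions in this file.
setupFilesTomcat_importPemDir() {
  local pemDir="$1"; shift
  local cacerts="$JAVA_HOME/lib/security/cacerts"
  local keytool="$JAVA_HOME/bin/keytool"
  local fileName alias returnCode

  chmod u+w "$cacerts"
  returnCode=$?
  echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_importPemDir) chmod u+w $cacerts , result=$returnCode"
  [ "$returnCode" = 0 ] || exit "$returnCode"

  for fileName in "$pemDir"/*.pem; do
    [ -f "$fileName" ] || continue
    alias=$(basename -- "$fileName")
    alias="${alias%.*}"
    # keytool refuses to import over an existing alias; drop it first so a
    # re-run (or a basename matching a bundled CA alias) does not abort start-up
    "$keytool" -delete -noprompt -keystore "$cacerts" -storepass changeit -alias "$alias" >/dev/null 2>&1 || true
    "$keytool" -import -noprompt "$@" -keystore "$cacerts" -storepass changeit -alias "$alias" -file "$fileName"
    returnCode=$?
    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_importPemDir) $keytool -import $* -alias \"$alias\" -file \"$fileName\" , result=$returnCode"
    [ "$returnCode" = 0 ] || exit "$returnCode"
  done

  chmod u-w "$cacerts"
  returnCode=$?
  echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_importPemDir) chmod u-w $cacerts , result=$returnCode"
  [ "$returnCode" = 0 ] || exit "$returnCode"
}
```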
@@ -276,7 +311,7 @@ setupFilesTomcat_sslCertsClient() {
   chmod u-w $JAVA_HOME/lib/security/cacerts
   returnCode=$?
-  echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u-w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
+  echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsClient) chmod u-w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
   if [ $returnCode != 0 ]
   then
     exit $returnCode