5.6.0

Dockerfile

@@ -8,8 +8,8 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
 
 ARG GROUPER_CONTAINER_VERSION
 
-ENV GROUPER_VERSION=5.5.0 \
-    GROUPER_CONTAINER_VERSION=5.5.0 \
+ENV GROUPER_VERSION=5.6.0 \
+    GROUPER_CONTAINER_VERSION=5.6.0 \
     JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto \
     PATH=$PATH:$JAVA_HOME/bin \
     GROUPER_HOME=/opt/grouper/grouperWebapp/WEB-INF

container_files/usr-local-bin/containerPing

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+prep_daemon
+prep_finish
+setupFiles
+runCommand_unsetAll
+
+export GSH_JVMARGS="$GSH_JVMARGS -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
+
+# sample command every 10 minutes, just a ping to keep container running, for testing
+/usr/bin/ping -i 600 google.com

container_files/usr-local-bin/gsh

@@ -11,9 +11,9 @@ export GSH_JVMARGS="$GSH_JVMARGS -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
 set -o pipefail
 
 # openshift cannot do whoami
-if [ "$GROUPER_GSH_CHECK_USER" = "true"  ] && [ "$GROUPER_GSH_USER" != "$(whoami)" ]
+if [ "$GROUPER_GSH_USER" != "$(whoami)" ] && [ $EUID -eq 0 ]
   then
-    echo "grouperContainer; INFO: (gsh file) sudo --preserve-env -u tomcat bin/gsh.sh \"$@\" | tee /tmp/loggrouper"
+    echo "grouperContainer; INFO: (gsh file) sudo --preserve-env -u $GROUPER_GSH_USER bin/gsh.sh \"$@\" | tee /tmp/loggrouper"
     sudo --preserve-env -u tomcat bin/gsh.sh "$@" | tee /tmp/loggrouper
   else 
     echo "grouperContainer; INFO: (gsh file) bin/gsh.sh \"$@\" | tee /tmp/loggrouper"

container_files/usr-local-bin/libraryPrep.sh

@@ -275,8 +275,13 @@ prep_finishBegin() {
     fi
 
     if [ -z "$GROUPER_RUN_PROCESSES_AS_USERS" ]; then 
-      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_RUN_PROCESSES_AS_USERS=true"
-      export GROUPER_RUN_PROCESSES_AS_USERS=true
+      if [[ $EUID -eq 0 ]]; then
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) running as root: export GROUPER_RUN_PROCESSES_AS_USERS=true"
+        export GROUPER_RUN_PROCESSES_AS_USERS=true
+      else
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) not running as root: export GROUPER_RUN_PROCESSES_AS_USERS=false"
+        export GROUPER_RUN_PROCESSES_AS_USERS=false
+      fi
     fi
 
     # do these before the "only" component
@@ -330,10 +335,10 @@ prep_finishBegin() {
     #Replace web.xml session timeout with env variable
     if [[ -z "$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES" ]]; then
       if [[ "$GROUPER_UI" != 'true' ]] && [[ "$GROUPER_WS" = 'true' ]]; then
-        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1"
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1"
         export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1
       else
-        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600 (10 hours)"
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600"
         export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600
 
       fi

container_files/usr-local-bin/libraryRunCommand.sh

@@ -3,8 +3,8 @@
 runCommand() {
 
   if [ "$GROUPER_RUN_PROCESSES_AS_USERS" = "true" ]; then
-    echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: sudo -u tomcat /opt/tomcat/bin/catalina.sh run"
-    sudo -u tomcat /opt/tomcat/bin/catalina.sh run
+    echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: sudo --preserve-env -u tomcat /opt/tomcat/bin/catalina.sh run"
+    sudo --preserve-env -u tomcat /opt/tomcat/bin/catalina.sh run
   else
     echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: /opt/tomcat/bin/catalina.sh run"
     /opt/tomcat/bin/catalina.sh run

container_files/usr-local-bin/librarySetupFiles.sh

@@ -24,6 +24,44 @@ setupFiles_rsyncSlashRoot() {
     fi
 }
 
+setupFiles_uid() {
+
+  makeChange=false
+  if [ "$GROUPER_TOMCAT_UID" != "996" ]; then
+    makeChange=true
+  elif [ "$GROUPER_TOMCAT_GID" != "994" ]; then
+    makeChange=true
+  elif [ "$GROUPER_TOMCAT_UNIX_GROUP" != "root" ]; then
+    makeChange=true
+  fi
+
+  if [ "$makeChange" = "true" ]; then
+    if [[ $EUID -ne 0 ]]; then
+      echo "grouperContainer; ERROR: (librarySetupFiles.sh-setupFiles_uid) Cannot set tomcat UID/GID/unixGroup if not running the container as root"
+      exit 1
+    fi  
+  fi
+
+  if [ "$GROUPER_TOMCAT_UID" != "996" ]; then
+
+    /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID
+    returnCode=$?
+    echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID, result: $returnCode"
+
+  fi
+
+  if [ "$GROUPER_TOMCAT_GID" != "994" ]; then
+
+    /usr/local/bin/changeGid.sh tomcat $GROUPER_TOMCAT_GID
+    returnCode=$?
+    echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeGid.sh tomcat $GROUPER_TOMCAT_GID, result: $returnCode"
+
+  fi
+
+  # this is called later: setupFiles_chownDirs to set ownership and privs on filesystem
+
+}
+
 setupFiles_localLogging() {
   additionalLoggersFile=/opt/grouper/grouperWebapp/WEB-INF/classes/log4j2.additionalLoggers.xml.txt
   if [ -f $additionalLoggersFile ]; then
@@ -108,9 +146,9 @@ setupFiles_chownDirs() {
     # do this last
     if [ "$GROUPER_CHOWN_DIRS" = "true" ]
       then
-        /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root
+        /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP
         returnCode=$?
-        echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_chownDirs) /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root, result: $returnCode"
+        echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_chownDirs) /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP, result: $returnCode"
         if [ $returnCode != 0 ]; then exit $returnCode; fi
     fi
 }
@@ -282,6 +320,8 @@ setupFiles() {
 
   setupFiles_rsyncSlashRoot
 
+  setupFiles_uid
+
   setupFiles_analyzeOriginalFiles
 
   # do this first
@@ -327,6 +367,7 @@ setupFiles_unsetAll() {
   unset -f setupFiles_originalFile
   unset -f setupFiles_rsyncSlashRoot
   unset -f setupFiles_storeEnvVars
+  unset -f setupFiles_uid
   unset -f setupFiles_unsetAll
   unset -f setupFiles_unsetAllAndFromFiles
 }
@@ -341,6 +382,7 @@ setupFiles_exportAll() {
   export -f setupFiles_originalFile
   export -f setupFiles_rsyncSlashRoot
   export -f setupFiles_storeEnvVars
+  export -f setupFiles_uid
   export -f setupFiles_unsetAll
   export -f setupFiles_unsetAllAndFromFiles
 }

container_files/usr-local-bin/librarySetupFilesTomcat.sh

@@ -239,7 +239,7 @@ setupFilesTomcat_sslCertsAnchors() {
         fi  
 
       else
-        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so you might need to run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
       fi
 
       chmod u+w $JAVA_HOME/lib/security/cacerts