GRP-4026: ability for container to add ssl anchor cert for OS/java
mchyzer committed May 5, 2022
1 parent 16e3492 commit f180d77
Showing 4 changed files with 142 additions and 54 deletions.
155 changes: 102 additions & 53 deletions container_files/api/log4j2.xml
Expand Up @@ -2,125 +2,174 @@
<Configuration status="info">
<Properties>
<Property name="layout">%d{ISO8601}: [%t] %-5p %C{1}.%M(%L) - %x - %m%n</Property>
<Property name="env">__ENV__</Property>
<Property name="usertoken">__USERTOKEN__</Property>
<Property name="grouplogprefix">__GROUPER_LOG_PREFIX__</Property>
</Properties>
<Appenders>
<File name="CATALINA" fileName="/tmp/logpipe">
<PatternLayout pattern="tomee;catalina.out;${env:ENV};${env:USERTOKEN};${layout}"/>
</File>
<Console name="stderr" target="SYSTEM_ERR">
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;${ENV};${USERTOKEN};${layout}"/>
<PatternLayout pattern="${grouplogprefix};${env}${usertoken}${layout}"/>
</Console>
<File name="__LOGPIPE__grouper_error" fileName="/tmp/logpipe">
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_error.log;${ENV};${USERTOKEN};${layout}"/>
</File>
<RollingFile name="__FILE__grouper_error" fileName="/opt/grouper/logs/grouper.log" filePattern="/opt/grouper/logs/grouper.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_error.log;${ENV};${USERTOKEN};${layout}"/>
<RollingFile name="file_catalina" fileName="/opt/grouper/logs/catalina.out" filePattern="/opt/grouper/logs/catalina.out.%d{yyyy-MM-dd}" >
<PatternLayout pattern="${grouplogprefix};catalina.out;${env}${usertoken}${layout}"/>
<Policies>
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
<DefaultRolloverStrategy max="30" />
</RollingFile>
<File name="__LOGPIPE__grouper_daemon" fileName="/tmp/logpipe">
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouperDaemon.log;${ENV};${USERTOKEN};${layout}"/>
</File>
<RollingFile name="__FILE__grouper_daemon" fileName="/opt/grouper/logs/grouperDaemon.log" filePattern="/opt/grouper/logs/grouperDaemon.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouperDaemon.log;${ENV};${USERTOKEN};${layout}"/>
<RollingFile name="file_grouper_error" fileName="/opt/grouper/logs/grouper.log" filePattern="/opt/grouper/logs/grouper.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="${grouplogprefix};grouper_error.log;${env}${usertoken}${layout}"/>
<Policies>
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
<DefaultRolloverStrategy max="30" />
</RollingFile>
<File name="__LOGPIPE__grouper_pspng" fileName="/tmp/logpipe">
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;pspng.log;${ENV};${USERTOKEN};${layout}"/>
</File>
<RollingFile name="__FILE__grouper_pspng" fileName="/opt/grouper/logs/pspng.log" filePattern="/opt/grouper/logs/pspng.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;pspng.log;${ENV};${USERTOKEN};${layout}"/>
<RollingFile name="file_grouper_daemon" fileName="/opt/grouper/logs/grouperDaemon.log" filePattern="/opt/grouper/logs/grouperDaemon.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="${grouplogprefix};grouperDaemon.log;${env}${usertoken}${layout}"/>
<Policies>
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
<DefaultRolloverStrategy max="30" />
</RollingFile>
<File name="__LOGPIPE__grouper_provisioning" fileName="/tmp/logpipe">
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;provisioning.log;${ENV};${USERTOKEN};${layout}"/>
</File>
<RollingFile name="__FILE__grouper_provisioning" fileName="/opt/grouper/logs/provisioning.log" filePattern="/opt/grouper/logs/provisioning.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;provisioning.log;${ENV};${USERTOKEN};${layout}"/>
<RollingFile name="file_grouper_pspng" fileName="/opt/grouper/logs/pspng.log" filePattern="/opt/grouper/logs/pspng.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="${grouplogprefix};pspng.log;${env}${usertoken}${layout}"/>
<Policies>
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
<DefaultRolloverStrategy max="30" />
</RollingFile>

<File name="__LOGPIPE__grouper_ws" fileName="/tmp/logpipe">
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_ws.log;${ENV};${USERTOKEN};${layout}"/>
</File>
<RollingFile name="__FILE__grouper_ws" fileName="/opt/grouper/logs/grouper_ws.log" filePattern="/opt/grouper/logs/grouper_ws.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_ws.log;${ENV};${USERTOKEN};${layout}"/>
<RollingFile name="file_grouper_provisioning" fileName="/opt/grouper/logs/provisioning.log" filePattern="/opt/grouper/logs/provisioning.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="${grouplogprefix};provisioning.log;${env}${usertoken}${layout}"/>
<Policies>
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
<DefaultRolloverStrategy max="30" />
</RollingFile>

<File name="__LOGPIPE__grouper_ws_longRunning" fileName="/tmp/logpipe">
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_ws_longRunning.log;${ENV};${USERTOKEN};${layout}"/>
</File>
<RollingFile name="__FILE__grouper_ws_longRunning" fileName="/opt/grouper/logs/grouper_ws_longRunning.log" filePattern="/opt/grouper/logs/grouper_ws_longRunning.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_ws_longRunning.log;${ENV};${USERTOKEN};${layout}"/>
<RollingFile name="file_grouper_ws" fileName="/opt/grouper/logs/grouper_ws.log" filePattern="/opt/grouper/logs/grouper_ws.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="${grouplogprefix};grouper_ws.log;${env}${usertoken}${layout}"/>
<Policies>
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
<DefaultRolloverStrategy max="30" />
</RollingFile>
<RollingFile name="file_grouper_ws_longRunning" fileName="/opt/grouper/logs/grouper_ws_longRunning.log" filePattern="/opt/grouper/logs/grouper_ws_longRunning.log.%d{yyyy-MM-dd}" >
<PatternLayout pattern="${grouplogprefix};grouper_ws_longRunning.log;${env}${usertoken}${layout}"/>
<Policies>
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
<DefaultRolloverStrategy max="30" />
</RollingFile>
<File name="logpipe_catalina" fileName="/tmp/logpipe">
<PatternLayout pattern="tomee;catalina.out;${sys:ENV}${sys:USERTOKEN}${layout}"/>
</File>
<File name="logpipe_grouper_error" fileName="/tmp/logpipe">
<PatternLayout pattern="${grouplogprefix};grouper_error.log;${env}${usertoken}${layout}"/>
</File>
<File name="logpipe_grouper_daemon" fileName="/tmp/logpipe">
<PatternLayout pattern="${grouplogprefix};grouperDaemon.log;${env}${usertoken}${layout}"/>
</File>
<File name="logpipe_grouper_pspng" fileName="/tmp/logpipe">
<PatternLayout pattern="${grouplogprefix};pspng.log;${env}${usertoken}${layout}"/>
</File>
<File name="logpipe_grouper_provisioning" fileName="/tmp/logpipe">
<PatternLayout pattern="${grouplogprefix};provisioning.log;${env}${usertoken}${layout}"/>
</File>
<File name="logpipe_grouper_ws" fileName="/tmp/logpipe">
<PatternLayout pattern="${grouplogprefix};grouper_ws.log;${env}${usertoken}${layout}"/>
</File>
<File name="logpipe_grouper_ws_longRunning" fileName="/tmp/logpipe">
<PatternLayout pattern="${grouplogprefix};grouper_ws_longRunning.log;${env}${usertoken}${layout}"/>
</File>

<!--MOREAPPENDERS-->

</Appenders>
<Loggers>
<Root level="error">
<AppenderRef ref="grouper_error"/>
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Root>
<Logger name="org.apache.catalina" level="info" additivity="false">
<AppenderRef ref="CATALINA"/>
<AppenderRef ref="logpipe_catalina" />
<AppenderRef ref="file_catalina"/>
</Logger>
<Logger name="edu.internet2.middleware" level="warn" additivity="false">
<AppenderRef ref="grouper_error"/>
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.app.loader.GrouperLoaderLog" level="debug" additivity="false">
<AppenderRef ref="grouper_daemon"/>
<AppenderRef ref="logpipe_grouper_daemon"/>
<AppenderRef ref="file_grouper_daemon"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.pspng" level="info" additivity="false">
<AppenderRef ref="grouper_pspng"/>
<Logger name="edu.internet2.middleware.grouper.pspng" level="warn" additivity="false">
<AppenderRef ref="logpipe_grouper_pspng"/>
<AppenderRef ref="file_grouper_pspng"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningObjectLog" level="debug" additivity="false">
<AppenderRef ref="grouper_provisioning"/>
<AppenderRef ref="logpipe_grouper_provisioning"/>
<AppenderRef ref="file_grouper_provisioning"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.app.syncToGrouper.SyncToGrouperFromSqlDaemon" level="debug" additivity="false">
<AppenderRef ref="grouper_error"/>
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogCommands" level="debug" additivity="false">
<AppenderRef ref="grouper_error"/>
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.stem.StemViewPrivilegeEsbListener" level="debug" additivity="false">
<AppenderRef ref="grouper_error"/>
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.stem.StemViewPrivilegeFullDaemonLogic" level="debug" additivity="false">
<AppenderRef ref="grouper_error"/>
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="org.apache.tools.ant" level="warn" additivity="false">
<AppenderRef ref="grouper_error"/>
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.util.PerformanceLogger" level="info" additivity="false">
<AppenderRef ref="grouper_error"/>
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>

<Logger name="edu.internet2.middleware.grouper.ws.util.GrouperWsLog" level="off" additivity="false">
<AppenderRef ref="grouper_ws"/>
<AppenderRef ref="logpipe_grouper_ws"/>
<AppenderRef ref="file_grouper_ws"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.ws.util.GrouperWsLongRunningLog" level="off" additivity="false">
<AppenderRef ref="grouper_ws_longRunning"/>
<AppenderRef ref="logpipe_grouper_ws_longRunning"/>
<AppenderRef ref="file_grouper_ws_longRunning"/>
</Logger>

<Logger name="edu.internet2.middleware.grouper.ui.customUi.CustomUiEngine" level="debug" additivity="false">
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="edu.upenn.isc.pennGrouper.o365" level="debug" additivity="false">
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.app.remedy.GrouperRemedyLog" level="debug" additivity="false">
<AppenderRef ref="logpipe_grouper_provisioning"/>
<AppenderRef ref="file_grouper_provisioning"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.app.remedy.digitalMarketplace.GrouperDigitalMarketplaceLog" level="debug" additivity="false">
<AppenderRef ref="logpipe_grouper_provisioning"/>
<AppenderRef ref="file_grouper_provisioning"/>
</Logger>
<Logger name="edu.internet2.middleware.grouperBox.GrouperBoxLog" level="debug" additivity="false">
<AppenderRef ref="logpipe_grouper_provisioning"/>
<AppenderRef ref="file_grouper_provisioning"/>
</Logger>
<Logger name="edu.internet2.middleware.grouperClient.jdbc.tableSync.GcTableSyncLog" level="debug" additivity="false">
<AppenderRef ref="logpipe_grouper_error"/>
<AppenderRef ref="file_grouper_error"/>
</Logger>
<Logger name="edu.internet2.middleware.grouper.app.zoom" level="debug" additivity="false">
<AppenderRef ref="logpipe_grouper_provisioning"/>
<AppenderRef ref="file_grouper_provisioning"/>
</Logger>

<!--MORELOGGERS-->
</Loggers>
</Configuration>
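Review bot: The logpipe_catalina appender reads `${sys:ENV}${sys:USERTOKEN}` (the system properties passed via -DENV/-DUSERTOKEN in setenv.sh) while every other new pattern reads the `${env}`/`${usertoken}` properties filled from the `__ENV__`/`__USERTOKEN__` placeholders, so the same two log fields come from two different sources and can disagree between catalina.out and the grouper logs. The new patterns also drop the `;` that the old ones placed between ENV, USERTOKEN and the layout (`${ENV};${USERTOKEN};${layout}` became `${env}${usertoken}${layout}`); if the substituted values are expected to carry their own trailing `;`, that contract belongs in a comment above `<Properties>`, e.g. `<!-- __ENV__ and __USERTOKEN__ are substituted at container start and must include a trailing ';' so the pipe fields stay separated -->`, otherwise the fields run together for the log consumer. Naming the property `env` also invites confusion with Log4j's `${env:...}` environment lookup that the removed CATALINA appender used; a name such as `envToken` would be clearer.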
2 changes: 1 addition & 1 deletion container_files/tomee/bin/setenv.sh
@@ -1,4 +1,4 @@
CLASSPATH=/opt/tomee/bin/*
#JAVA_OPTS="-Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
CATALINA_OPTS="-Xmx$GROUPER_MAX_MEMORY -XX:+UseG1GC -XX:+UseStringDeduplication -Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN -Dfile.encoding=UTF-8 $GROUPER_EXTRA_CATALINA_OPTS"
CATALINA_OPTS="-Xmx$GROUPER_MAX_MEMORY -XX:+UseG1GC -XX:+UseStringDeduplication -Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN -Dfile.encoding=UTF-8 -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts $GROUPER_EXTRA_CATALINA_OPTS"
LOGGING_MANAGER=-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
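Review bot: `-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts` replaces the JDK's bundled trust store rather than supplementing it, so if that path is missing or is not a keystore the JVM can read, every outbound TLS connection from TomEE fails with an opaque handshake error; the line deserves a comment stating why it is there, e.g. `# trust the OS store so anchors installed by update-ca-trust (setupFilesTomcat_sslCertsAnchors) are also trusted by Java`, and ideally a `[ -r /etc/pki/java/cacerts ]` check with a logged warning in the setup scripts. Because `$GROUPER_EXTRA_CATALINA_OPTS` is expanded after it, a later `-Djavax.net.ssl.trustStore=...` supplied by an operator still wins, which is presumably intended and worth noting in the same comment. The same path is hard-coded again in libraryPrep.sh for GROUPER_GSH_JVMARGS; a single shared variable would keep the two in step.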
5 changes: 5 additions & 0 deletions container_files/usr-local-bin/libraryPrep.sh
Expand Up @@ -441,6 +441,11 @@ prep_finishBegin() {
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_APACHE_STATUS_PATH=/status_grouper/status"
export GROUPER_APACHE_STATUS_PATH=/status_grouper/status
fi

if [ -z "$GROUPER_GSH_JVMARGS" ] ; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_GSH_JVMARGS=\"-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts\""
export GROUPER_GSH_JVMARGS="-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts"
fi

#Replace web.xml session timeout with env variable
if [[ -z "$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES" ]]; then
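Review bot: The new default is applied only when `GROUPER_GSH_JVMARGS` is unset or empty, so an operator who sets it for any other reason (a heap size, say) silently loses the trustStore flag and GSH stops trusting the OS anchors while TomEE, configured in setenv.sh, still does. Either append the flag when it is not already present or document the contract, e.g. `# default only: a caller-supplied GROUPER_GSH_JVMARGS replaces this, so it must include -Djavax.net.ssl.trustStore itself when OS anchors are used`. The test uses `[ -z ... ]` while the neighbouring session-timeout check two lines below uses `[[ -z ... ]]`; pick one form for the file. The enclosing function prep_finishBegin starts before this hunk.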
34 changes: 34 additions & 0 deletions container_files/usr-local-bin/librarySetupFilesTomcat.sh
Expand Up @@ -9,6 +9,7 @@ setupFilesTomcat() {
setupFilesTomcat_accessLogs
setupFilesTomcat_sessionTimeout
setupFilesTomcat_ssl
setupFilesTomcat_sslCertsAnchors
}


Expand Down Expand Up @@ -235,6 +236,37 @@ setupFilesTomcat_ssl() {
fi
}

setupFilesTomcat_sslCertsAnchors() {

# the container user (we arent sure who this is) should be able to update root certs
# echo 'ALL ALL=NOPASSWD: /bin/update-ca-trust' | sudo EDITOR='tee -n' visudo


if [ -n "$(ls -A /opt/grouper/certs/anchors/ 2>/dev/null)" ]; then

amiroot=`whoami`
if [ "$amiroot" = "root" ]; then

echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process"
/bin/update-ca-trust
returnCode=$?
echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) /bin/update-ca-trust , result=$returnCode"
if [ $returnCode != 0 ]
then
exit $returnCode
fi

else
echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in subimage: /bin/update-ca-trust"
fi

else
echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are no anchor certs in /opt/grouper/certs/anchors/ to process"
fi

fi
}


setupFilesTomcat_unsetAll() {

Expand All @@ -243,6 +275,7 @@ setupFilesTomcat_unsetAll() {
unset -f setupFilesTomcat_context
unset -f setupFilesTomcat_ports
unset -f setupFilesTomcat_ssl
unset -f setupFilesTomcat_sslCertsAnchors
unset -f setupFilesTomcat_supervisor
unset -f setupFilesTomcat_unsetAll
unset -f setupFilesTomcat_accessLogs
Expand All @@ -258,6 +291,7 @@ setupFilesTomcat_exportAll() {
export -f setupFilesTomcat_context
export -f setupFilesTomcat_ports
export -f setupFilesTomcat_ssl
export -f setupFilesTomcat_sslCertsAnchors
export -f setupFilesTomcat_supervisor
export -f setupFilesTomcat_unsetAll
export -f setupFilesTomcat_accessLogs
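Review bot: The `fi` on the line just before the closing `}` of setupFilesTomcat_sslCertsAnchors has no matching `if` — the three `if` blocks are already closed by the `fi` after `exit $returnCode`, the one after the not-root message and the one after the no-anchors message — so unless a line was lost in rendering, bash rejects the whole library when it is sourced; delete that line. update-ca-trust only reads its own source directories (on RHEL-family images /etc/pki/ca-trust/source/anchors/), and nothing in this hunk copies or links /opt/grouper/certs/anchors/ there, so confirm the image does that elsewhere or the anchors are never installed. The root test would be more robust as `if [ "$(id -u)" = "0" ]; then` in place of the backtick `whoami` name comparison, and the exit-code test as `if [ "$returnCode" -ne 0 ]`. The commented-out visudo line would grant every user passwordless sudo to update-ca-trust, i.e. the ability to add trust anchors for the whole container; since it is not used, drop it rather than leave it as a suggestion for the next maintainer.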
