Dockerfile

@@ -3,17 +3,25 @@ FROM centos:centos7 as installing
 RUN yum update -y \
     && yum install -y wget tar unzip dos2unix \
     && yum clean all
-
-ENV GROUPER_VERSION=2.3.0 \
-    JAVA_HOME=/opt/java
-
-RUN java_version=8.0.131; \
-    zulu_version=8.21.0.1; \
-    echo 'Downloading the OpenJDK Zulu...' \
-    && wget -q http://cdn.azul.com/zulu/bin/zulu$zulu_version-jdk$java_version-linux_x64.tar.gz \
-    && echo "1931ed3beedee0b16fb7fd37e069b162  zulu$zulu_version-jdk$java_version-linux_x64.tar.gz" | md5sum -c - \
-    && tar -zxvf zulu$zulu_version-jdk$java_version-linux_x64.tar.gz -C /opt \
-    && ln -s /opt/zulu$zulu_version-jdk$java_version-linux_x64 $JAVA_HOME
+
+ARG GROUPER_CONTAINER_VERSION
+
+ENV GROUPER_VERSION=2.4.0 \
+     JAVA_HOME=/usr/lib/jvm/zulu-8/ \
+     GROUPER_CONTAINER_VERSION=$GROUPER_CONTAINER_VERSION
+
+# use Zulu package
+RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
+       && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
+       && yum -y install zulu-8 
+
+#RUN java_version=8.0.172; \
+#    zulu_version=8.30.0.1; \
+#    echo 'Downloading the OpenJDK Zulu...' \
+#    && wget -q http://cdn.azul.com/zulu/bin/zulu$zulu_version-jdk$java_version-linux_x64.tar.gz \
+#    && echo "0a101a592a177c1c7bc63738d7bc2930  zulu$zulu_version-jdk$java_version-linux_x64.tar.gz" | md5sum -c - \
+#    && tar -zxvf zulu$zulu_version-jdk$java_version-linux_x64.tar.gz -C /opt \
+#    && ln -s /opt/zulu$zulu_version-jdk$java_version-linux_x64 $JAVA_HOME
 
 #RUN java_version=8u151; \
 #    java_bnumber=12; \
@@ -31,6 +39,9 @@ RUN echo 'Downloading Grouper Installer...' \
     && wget -q -O /opt/grouper/$GROUPER_VERSION/grouperInstaller.jar http://software.internet2.edu/grouper/release/$GROUPER_VERSION/grouperInstaller.jar
 
 COPY container_files/grouper.installer.properties /opt/grouper/$GROUPER_VERSION
+# Temporary morphString file used for building, not used in production
+COPY container_files/morphString.properties /opt/grouper/$GROUPER_VERSION
+
 
 RUN echo 'Installing Grouper'; \
     PATH=$PATH:$JAVA_HOME/bin; \
@@ -41,8 +52,8 @@ RUN echo 'Installing Grouper'; \
 
 FROM centos:centos7 as cleanup
 
-ENV GROUPER_VERSION=2.3.0 \
-    TOMCAT_VERSION=8.5.12 \    
+ENV GROUPER_VERSION=2.4.0 \
+    TOMCAT_VERSION=8.5.42 \    
     TOMEE_VERSION=7.0.0
 
 COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouperInstaller.jar /opt/grouper/
@@ -53,21 +64,22 @@ COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ws-$GROUPER_VERSION
 #COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.clientBinary-$GROUPER_VERSION/ /opt/grouper/grouper.clientBinary/
 COPY --from=installing /opt/grouper/$GROUPER_VERSION/apache-tomcat-$TOMCAT_VERSION/ /opt/tomcat/
 COPY --from=installing /opt/grouper/$GROUPER_VERSION/apache-tomee-webprofile-$TOMEE_VERSION/ /opt/tomee/
+COPY --from=installing /etc/alternatives/java /etc/alternatives/java
 
-ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /opt/tomcat/bin
-ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /opt/tomcat/bin
-ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /opt/tomcat/bin
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /opt/tomcat/bin
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /opt/tomcat/bin
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /opt/tomcat/bin
 
-ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /opt/tomee/bin
-ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /opt/tomee/bin
-ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /opt/tomee/bin
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /opt/tomee/bin
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /opt/tomee/bin
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /opt/tomee/bin
 
 RUN cd /opt/grouper/grouper.apiBinary/; \
-    rm -fr ddlScripts/ grouper.lck grouper.log grouper.script grouper.tmp/ gshAddGrouperSystemWsGroup.gsh logs/
+    rm -fr ddlScripts/ grouper.properties grouper.lck grouper.log grouper.script grouper.tmp/ gshAddGrouperSystemWsGroup.gsh logs/
 
 RUN cd /opt/tomcat/; \
     chmod +r bin/log4j-*.jar; \
-    rm -fr webapps/docs/ webapps/examples/ webapps/host-manager/ webapps/manager/ logs/* temp/* work/* conf/logging.properties
+    rm -fr webapps/docs/ webapps/examples/ webapps/host-manager/ webapps/manager/ webapps/ROOT/ logs/* temp/* work/* conf/logging.properties
 
 RUN cd /opt/tomee/; \
     chmod +r bin/log4j-*.jar; \
@@ -80,17 +92,20 @@ COPY container_files/tomcat/ /opt/tomcat/
 COPY container_files/tomee/ /opt/tomee/
 
 
-FROM tier/shibboleth_sp
+FROM tier/shibboleth_sp:3.0.4_03122019
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       Vendor="TIER" \
       ImageType="Grouper" \
       ImageName=$imagename \
       ImageOS=centos7
+
+ARG GROUPER_CONTAINER_VERSION
 
-ENV JAVA_HOME=/opt/java \
+ENV JAVA_HOME=/usr/lib/jvm/zulu-8/ \
     PATH=$PATH:$JAVA_HOME/bin \
-    GROUPER_HOME=/opt/grouper/grouper.apiBinary
+    GROUPER_HOME=/opt/grouper/grouper.apiBinary \
+    GROUPER_CONTAINER_VERSION=$GROUPER_CONTAINER_VERSION
 
 RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime
 
@@ -109,9 +124,11 @@ RUN groupadd -r tomcat \
     && useradd -r -m -s /sbin/nologin -g tomcat tomcat \
     && mkdir -p /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
     && chown -R tomcat:tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
-    && chown -R tomcat:tomcat /opt/tomee/logs/ /opt/tomee/temp/ /opt/tomee/work/
+    && chown -R tomcat:tomcat /opt/tomee/logs/ /opt/tomee/temp/ /opt/tomee/work/ \
+    && ln -s $JAVA_HOME/bin/java /etc/alternatives/java
 
-RUN rm /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
+# does shib sp3 not generate these files?
+# RUN rm /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
 
 COPY container_files/tier-support/ /opt/tier-support/
 COPY container_files/usr-local-bin/ /usr/local/bin/
@@ -130,4 +147,8 @@ WORKDIR /opt/grouper/grouper.apiBinary/
 
 EXPOSE 80 443
 
+HEALTHCHECK NONE
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+
 CMD ["bin/gsh", "-loader"]

Jenkinsfile

@@ -21,17 +21,19 @@ pipeline {
                         echo "You must define an imagename in common.bash"
                         currentBuild.result = 'FAILURE'
                      }
-                    sh 'mkdir -p bin'
-                    sh 'mkdir -p tmp'
+                    sh 'mkdir -p tmp && mkdir -p bin'
                     dir('tmp'){
                       git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
-                      sh 'ls'
-                      sh 'mv bin/* ../bin/.'
+                      sh 'rm -rf ../bin/*'
+                      sh 'mv ./bin/* ../bin/.'
                     }
+                    // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+                    // We don't care if there are more 'tag' assignments there. The latest one wins.
+                    sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
                 }  
              }
         }    
-        stage('Build') {
+        stage('Clean') {
             steps {
                 script {
                    try{
@@ -45,14 +47,58 @@ pipeline {
                 }
             }
         } 
+        stage('Build') {
+            steps {
+                script {
+                  try{
+                      docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
+                        baseImg = docker.build("$maintainer/$imagename", "--build-arg GROUPER_CONTAINER_VERSION=$tag --no-cache .")
+                      }
+                  } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                  }
+                }
+            }
+        }
+        stage('Test') {
+            steps {
+                script {
+                   try {
+                     sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
+                   } catch (error) {
+                     def error_details = readFile('./debug')
+                     def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   } 
+                }    
+             }
+        }
+
         stage('Push') {
             steps {
                 script {
-                   docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
-                      def baseImg = docker.build("$maintainer/$imagename", "--no-cache .")
-                      baseImg.push("$tag")
-                   }
-               }
+                      //// scan the image with clair
+                      // sh 'docker run -p 5432:5432 -d --name clairdb arminc/clair-db:latest'
+                      // sh 'docker run -p 6060:6060 --link clairdb:postgres -d --name clair arminc/clair-local-scan:v2.0.5'
+                      // sh 'curl -L -o clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64'
+                      // sh 'chmod 755 clair-scanner'
+                      // sh "./clair-scanner --ip 172.17.0.1 -r test.out $maintainer/$imagename:latest"
+                      //// test the environment
+                      // sh 'docker kill clairdb'
+                      // sh 'docker rm clairdb'
+                      // sh 'docker kill clair'
+                      // sh 'docker rm clair'
+                      // sh 'cd test-compose && ./compose.sh'
+                      //// bring down after testing
+                      //sh 'cd test-compose && docker-compose down'
+                      docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
+                        baseImg.push("$tag")
+                      }
+                  }
             }
         }
         stage('Notify') {

README.md

@@ -1,15 +1,35 @@
+[![Build Status](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/grouper/master)](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/grouper/master)
+
+
+
+This repository contains the source code used to create the InCommon Trusted Access Platform Grouper container. This standalone container is pushed to Dockerhub, various tags are available at the following URL: https://hub.docker.com/r/tier/grouper/tags. This repo can also be cloned and the container built locally. 
+
+The test-compose directory contains an example Grouper environment that starts up the various Grouper components. This example demonstrates how one might go about customizing and deploying their Grouper containers, using the TIER Grouper image as a base image. If evaluating Grouper, this is a good place to start. 
+
+
+# Upgrading from 2.3 to 2.4
+
+If upgrading from Grouper version 2.3 to 2.4 and using LDAP, modifications will be needed in subject.properties and grouper-loaders.proprties. Further details about this can be found at the following URL:
+https://spaces.at.internet2.edu/display/Grouper/vt-ldap+to+ldaptive+migration+for+LDAP+access
+
+In particular, in subject.properties, *.param.base.value should be adjusted to only contain the RDN (Relative Distinguished Name), not the full DN.  For example, "OU=People", not "OU=People,DC=domain,DC=edu"
+
+Additional upgrade information can be found at the following URL: https://spaces.at.internet2.edu/display/Grouper/v2.4+Upgrade+Instructions+from+v2.3
+
+
 
 # Supported tags
 
 -	latest
--   patch specific tags* (i.e. 2.3.0-a97-u41-w11-p16)
+-   patch specific tags with date timestamp* (i.e. 2.4.0-80-u51-w10-p11-20191118)
 
 \* Patch builds are routinely produced, but not necessarily for each patch release. The following monikers are used to construct the tag name:
 
 - a = api patch number
 - u = ui patch number
 - w = ws patch number
 - p = pspng patch number
+- last field = the year, month and day the image was built
 
 # Quick reference
 
@@ -43,7 +63,7 @@ While TIER recommends/supports using Docker Swarm for orchestrating the Grouper
 
 ### Daemon/Loader
 
-Run the Grouper Daemon/Loader as a service.
+Run the Grouper Daemon/Loader as a service. If the daemon/loader container dies unexpectedly, it may be due to memory contraints. Refer to the "Grouper Shell/Loader" section below for information on how to tweak memory settings.   
 
 ```console
 $ docker service create --detach --name grouper-daemon tier/grouper:latest daemon
@@ -156,7 +176,7 @@ For passing full files into the container, this container will make any secrets
 Docker Secrets can also be used to pass in strings, such as a database connection string password, into the component config. To pass in the Grouper database connection string, one might set the property and value as such:
 
 ```text
-hibernate.connection.password.elConfig = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') }
+hibernate.connection.password.elConfig = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(new("java.io.File", java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE')), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') }
 ```
 
 Note that the default property name has been changed by appending `.elConfig`. (This causes Grouper to evaluate the string before saving the value.) The expression allows deployers to use a file containing only the database password as a Docker Secret and reference the file name via the `GROUPER_DATABASE_PASSWORD_FILE` environment property. This allows the config files to be baked into the image, if desired. Also, but not recommended, the database password could just be set in the Docker Service definition as an environment variable, `GROUPER_DATABASE_PASSWORD`. (Technically the expression can be broken up and just the desired functionality used.) Of course, using Grouper's MorphString functionality is supported and likely is the best option, but does require more effort in setting it up.
@@ -206,8 +226,8 @@ Deployers can set runtime variables to both the Grouper Shell and Loader/Daemon
 ### Grouper Shell/Loader
 
 The following environment variables are used by the Grouper Shell/Loader: 
-- MEM_START: corresponds to the java's `-Xms`.
-- MEM_MAX: corresponds to java's `-Xmx`.
+- MEM_START: corresponds to the java's `-Xms`. (default is 64m)
+- MEM_MAX: corresponds to java's `-Xmx`. (default is 750m)
 
 ### Tomcat/TomEE
 
@@ -229,6 +249,7 @@ Here is a list of significant directories and files that deployers should be awa
 - `/opt/tomcat/`: used to run Grouper UI and Grouper WS
 - `/opt/tomee/`: used to run the Grouper SCIM Server.
 - `/var/run/secrets`: location where Docker Secrets are mounted into the container. Secrets starting with `grouper_`, `shib_`, and `httpd_` have special meaning. See `Secrets/Configs` above.
+- `/usr/lib/jvm/zulu-8/jre/lib/security/cacerts`: location of the Java trust store.
 
 To examine baseline image files, one might run `docker run --name=temp -it tier/grouper bash` and browse through these file system endpoints. While the container is running one may copy files out of the image/container using something like `docker cp containerId:/opt/grouper/grouper.api/conf/grouper.properties .`, which will copy the `grouper.properties` to the Docker client's present working directory. These files can then be edited and applied via the mechanisms outlined above.
 

container_files/grouper.installer.properties

@@ -1,7 +1,7 @@
 # this should be before the version number
 download.server.url = https://software.internet2.edu/grouper
 # default version to install
-grouper.version = 2.3.0
+grouper.version = 2.4.0
 # print out autorun keys in prompts so you can easily see how to configure the autorun
 grouperInstaller.print.autorunKeys = true
 # default to install or upgrade (default is install)
@@ -14,9 +14,12 @@ grouperInstaller.default.installOrUpgrade = install
 ##
 ##############################
 
+grouperInstaller.autorun.forceInstallPatch = t
 grouperInstaller.autorun.installAllPatches = false
 grouperInstaller.autorun.installPatchesUpToACertainPatchLevel = true
-grouperInstaller.autorun.installPatchesUpToThesePatchLevels = grouper_v2_3_0_api_patch_104,grouper_v2_3_0_ui_patch_42,grouper_v2_3_0_ws_patch_12,grouper_v2_3_0_pspng_patch_16
+# 2.4.0-a93-u56-w11-p12-20200214-rc1
+grouperInstaller.autorun.installPatchesUpToThesePatchLevels = grouper_v2_4_0_api_patch_93,grouper_v2_4_0_ui_patch_56,grouper_v2_4_0_ws_patch_11,grouper_v2_4_0_pspng_patch_12
+
 
 #### set this to true to try to use defaults for everything.  Only things without default values will need to be set
 grouperInstaller.autorun.useDefaultsAsMuchAsAvailable = true
@@ -29,11 +32,15 @@ grouperInstaller.autorun.deleteAndInitDatabase = t
 grouperInstaller.autorun.addQuickstartData = f
 grouperInstaller.autorun.installClient = f
 
-grouperInstaller.autorun.installGrouperActiveMqMessaging = t
-grouperInstaller.autorun.activeMqWhereInstalled = /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/
+grouperInstaller.autorun.installGrouperActiveMqMessaging = f
+grouperInstaller.autorun.activeMqWhereInstalled = /opt/grouper/2.4.0/grouper.apiBinary-2.4.0/
 
 grouperInstaller.autorun.installGrouperAwsSqsMessaging = t
-grouperInstaller.autorun.AwsSqsWhereInstalled = /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/
+grouperInstaller.autorun.AwsSqsWhereInstalled = /opt/grouper/2.4.0/grouper.apiBinary-2.4.0/
 
 grouperInstaller.autorun.installGrouperRabbitMqMessaging = t
-grouperInstaller.autorun.rabbitMqWhereInstalled = /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/
+grouperInstaller.autorun.rabbitMqWhereInstalled = /opt/grouper/2.4.0/grouper.apiBinary-2.4.0/
+
+# disable installing pspng, for now
+grouperInstaller.autorun.installPspng = t
+grouperInstaller.autorun.installPsp = f

container_files/httpd/grouper-www.conf

@@ -7,6 +7,10 @@ ProxyPass /grouper ajp://localhost:8009/grouper  timeout=2400
 ProxyPass /grouper-ws ajp://localhost:8009/grouper-ws  timeout=2400
 ProxyPass /grouper-ws-scim ajp://localhost:8009/grouper-ws-scim  timeout=2400
 
+RewriteEngine on
+RewriteCond %{REQUEST_URI} "^/$"
+RewriteRule . %{REQUEST_SCHEME}://%{HTTP_HOST}/grouper/ [R=301,L]
+
 <Location /grouper>
   AuthType shibboleth
   ShibRequestSetting requireSession 1

container_files/morphString.properties

@@ -0,0 +1 @@
+encrypt.key=fh43IRJ4Nf5