diff --git a/Dockerfile b/Dockerfile
index 6fdf32bd..d23c0f80 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,99 +1,57 @@
FROM centos:centos7 as installing
-
RUN yum update -y \
&& yum install -y wget tar unzip dos2unix \
&& yum clean all
+RUN yum install -y wget tar unzip dos2unix
+
ARG GROUPER_CONTAINER_VERSION
-
-ENV GROUPER_VERSION=2.4.0 \
- JAVA_HOME=/usr/lib/jvm/zulu-8/ \
+ENV GROUPER_VERSION=2.5.23 \
GROUPER_CONTAINER_VERSION=$GROUPER_CONTAINER_VERSION
-# use Zulu package
-RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
- && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
- && yum -y install zulu-8
-
-#RUN java_version=8.0.172; \
-# zulu_version=8.30.0.1; \
-# echo 'Downloading the OpenJDK Zulu...' \
-# && wget -q http://cdn.azul.com/zulu/bin/zulu$zulu_version-jdk$java_version-linux_x64.tar.gz \
-# && echo "0a101a592a177c1c7bc63738d7bc2930 zulu$zulu_version-jdk$java_version-linux_x64.tar.gz" | md5sum -c - \
-# && tar -zxvf zulu$zulu_version-jdk$java_version-linux_x64.tar.gz -C /opt \
-# && ln -s /opt/zulu$zulu_version-jdk$java_version-linux_x64 $JAVA_HOME
-
-#RUN java_version=8u151; \
-# java_bnumber=12; \
-# java_semver=1.8.0_151; \
-# java_hash=123b1d755416aa7579abc03f01ab946e612e141b6f7564130f2ada00ed913f1d; \
-# echo 'Downloading the Oracle Java...' \
-# && wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
-# http://download.oracle.com/otn-pub/java/jdk/$java_version-b$java_bnumber/e758a0de34e24606bca991d704f6dcbf/server-jre-$java_version-linux-x64.tar.gz \
-# && echo "$java_hash server-jre-$java_version-linux-x64.tar.gz" | sha256sum -c - \
-# && tar -zxvf server-jre-$java_version-linux-x64.tar.gz -C /opt \
-# && ln -s /opt/jdk$java_semver/ $JAVA_HOME
+# Install Corretto Java JDK
+#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
+ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-8-x64-linux-jdk.rpm
+ARG CORRETTO_RPM=amazon-corretto-8-x64-linux-jdk.rpm
+COPY container_files/java-corretto/corretto-signing-key.pub .
+RUN curl -O -L $CORRETTO_URL_PERM \
+ && rpm --import corretto-signing-key.pub \
+ && rpm -K $CORRETTO_RPM \
+ && rpm -i $CORRETTO_RPM \
+ && rm -r corretto-signing-key.pub $CORRETTO_RPM
+ENV JAVA_HOME=/usr/lib/jvm/java-1.8.0-amazon-corretto
RUN echo 'Downloading Grouper Installer...' \
&& mkdir -p /opt/grouper/$GROUPER_VERSION \
- && wget -q -O /opt/grouper/$GROUPER_VERSION/grouperInstaller.jar http://software.internet2.edu/grouper/release/$GROUPER_VERSION/grouperInstaller.jar
-
+ && wget -q -O /opt/grouper/$GROUPER_VERSION/grouperInstaller.jar https://oss.sonatype.org/service/local/repositories/releases/content/edu/internet2/middleware/grouper/grouper-installer/$GROUPER_VERSION/grouper-installer-$GROUPER_VERSION.jar
COPY container_files/grouper.installer.properties /opt/grouper/$GROUPER_VERSION
# Temporary morphString file used for building, not used in production
COPY container_files/morphString.properties /opt/grouper/$GROUPER_VERSION
-
-
RUN echo 'Installing Grouper'; \
PATH=$PATH:$JAVA_HOME/bin; \
cd /opt/grouper/$GROUPER_VERSION/ \
&& $JAVA_HOME/bin/java -cp :grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller
-
-
-
FROM centos:centos7 as cleanup
-
-ENV GROUPER_VERSION=2.4.0 \
- TOMCAT_VERSION=8.5.42 \
+ENV GROUPER_VERSION=2.5.23 \
TOMEE_VERSION=7.0.0
-
+RUN mkdir -p /opt/grouper/grouperWebapp/
+RUN mkdir -p /opt/tomee/
COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouperInstaller.jar /opt/grouper/
-COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.apiBinary-$GROUPER_VERSION/ /opt/grouper/grouper.apiBinary/
-COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ui-$GROUPER_VERSION/dist/grouper/ /opt/grouper/grouper.ui/
-COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ws-$GROUPER_VERSION/grouper-ws/build/dist/grouper-ws/ /opt/grouper/grouper.ws/
-COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ws-$GROUPER_VERSION/grouper-ws-scim/targetBuiltin/grouper-ws-scim/ /opt/grouper/grouper.scim/
-#COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.clientBinary-$GROUPER_VERSION/ /opt/grouper/grouper.clientBinary/
-COPY --from=installing /opt/grouper/$GROUPER_VERSION/apache-tomcat-$TOMCAT_VERSION/ /opt/tomcat/
-COPY --from=installing /opt/grouper/$GROUPER_VERSION/apache-tomee-webprofile-$TOMEE_VERSION/ /opt/tomee/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/container/tomee/ /opt/tomee/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/container/webapp/ /opt/grouper/grouperWebapp/
+RUN ls /opt/grouper/grouperWebapp/
COPY --from=installing /etc/alternatives/java /etc/alternatives/java
-
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /opt/tomcat/bin
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /opt/tomcat/bin
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /opt/tomcat/bin
-
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /opt/tomee/bin
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /opt/tomee/bin
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /opt/tomee/bin
-
-RUN cd /opt/grouper/grouper.apiBinary/; \
- rm -fr ddlScripts/ grouper.properties grouper.lck grouper.log grouper.script grouper.tmp/ gshAddGrouperSystemWsGroup.gsh logs/
-
-RUN cd /opt/tomcat/; \
- chmod +r bin/log4j-*.jar; \
- rm -fr webapps/docs/ webapps/examples/ webapps/host-manager/ webapps/manager/ webapps/ROOT/ logs/* temp/* work/* conf/logging.properties
-
+RUN ls /opt/grouper/
+RUN ls /opt/grouper/grouperWebapp/WEB-INF
+#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /opt/tomee/bin
+#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /opt/tomee/bin
+#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /opt/tomee/bin
RUN cd /opt/tomee/; \
- chmod +r bin/log4j-*.jar; \
rm -fr webapps/docs/ webapps/host-manager/ webapps/manager/ logs/* temp/* work/* conf/logging.properties
-
-COPY container_files/api/* /opt/grouper/grouper.apiBinary/conf/
-COPY container_files/ui/ /opt/grouper/grouper.ui/WEB-INF/
-COPY container_files/ws/ /opt/grouper/grouper.ws/WEB-INF/
-COPY container_files/tomcat/ /opt/tomcat/
+COPY container_files/api/* /opt/grouper/grouperWebapp/WEB-INF/classes/
+COPY container_files/ui/ /opt/grouper/grouperWebapp/WEB-INF/classes/
COPY container_files/tomee/ /opt/tomee/
-
-
FROM tier/shibboleth_sp:3.0.4_03122019
-
LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
Vendor="TIER" \
ImageType="Grouper" \
@@ -101,54 +59,35 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
ImageOS=centos7
ARG GROUPER_CONTAINER_VERSION
-
-ENV JAVA_HOME=/usr/lib/jvm/zulu-8/ \
- PATH=$PATH:$JAVA_HOME/bin \
- GROUPER_HOME=/opt/grouper/grouper.apiBinary \
+ENV JAVA_HOME=/usr/lib/jvm/java-1.8.0-amazon-corretto
+ENV PATH=$PATH:$JAVA_HOME/bin \
+ GROUPER_HOME=/opt/grouper/grouperWebapp/WEB-INF \
GROUPER_CONTAINER_VERSION=$GROUPER_CONTAINER_VERSION
-
RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime
-
RUN yum update -y \
- && yum install -y cron logrotate python-pip \
+ && yum install -y cron logrotate python-pip rsync sudo \
&& pip install --upgrade pip \
&& pip install supervisor \
&& yum clean -y all
-
COPY --from=installing $JAVA_HOME $JAVA_HOME
-COPY --from=cleanup /opt/tomcat/ /opt/tomcat/
COPY --from=cleanup /opt/tomee/ /opt/tomee/
COPY --from=cleanup /opt/grouper/ /opt/grouper/
-
RUN groupadd -r tomcat \
&& useradd -r -m -s /sbin/nologin -g tomcat tomcat \
- && mkdir -p /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
- && chown -R tomcat:tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
- && chown -R tomcat:tomcat /opt/tomee/logs/ /opt/tomee/temp/ /opt/tomee/work/ \
- && ln -s $JAVA_HOME/bin/java /etc/alternatives/java
+ && chown -R tomcat:tomcat /opt/tomee \
+ && ln -s $JAVA_HOME/bin/java /etc/alternatives/java \
+ && mkdir -p /opt/tomee/conf/Catalina/localhost/ \
+ && chown -R tomcat:tomcat /opt/grouper/grouperWebapp
-# does shib sp3 not generate these files?
-# RUN rm /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
COPY container_files/tier-support/ /opt/tier-support/
COPY container_files/usr-local-bin/ /usr/local/bin/
COPY container_files/httpd/* /etc/httpd/conf.d/
COPY container_files/shibboleth/* /etc/shibboleth/
+RUN cp /dev/null /etc/httpd/conf.d/ssl.conf
-RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
- && sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
- && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
- && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
- && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
- && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
- && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf
-
-WORKDIR /opt/grouper/grouper.apiBinary/
-
+WORKDIR /opt/grouper/grouperWebapp/WEB-INF/
EXPOSE 80 443
-
HEALTHCHECK NONE
-
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
-
-CMD ["bin/gsh", "-loader"]
+# CMD ["bin/gsh.sh", "-loader"]
diff --git a/Jenkinsfile b/Jenkinsfile
index 3ed439e5..98b3afb7 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -51,12 +51,13 @@ pipeline {
steps {
script {
try{
- docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$maintainer") {
+ // statically defining jenkins credential value dockerhub-tier
+ docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-tier") {
baseImg = docker.build("$maintainer/$imagename", "--build-arg GROUPER_CONTAINER_VERSION=$tag --no-cache .")
}
} catch(error) {
def error_details = readFile('./debug');
- def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
+ def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
@@ -70,7 +71,7 @@ pipeline {
sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
} catch (error) {
def error_details = readFile('./debug')
- def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
+ def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
@@ -81,21 +82,8 @@ pipeline {
stage('Push') {
steps {
script {
- //// scan the image with clair
- // sh 'docker run -p 5432:5432 -d --name clairdb arminc/clair-db:latest'
- // sh 'docker run -p 6060:6060 --link clairdb:postgres -d --name clair arminc/clair-local-scan:v2.0.5'
- // sh 'curl -L -o clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64'
- // sh 'chmod 755 clair-scanner'
- // sh "./clair-scanner --ip 172.17.0.1 -r test.out $maintainer/$imagename:latest"
- //// test the environment
- // sh 'docker kill clairdb'
- // sh 'docker rm clairdb'
- // sh 'docker kill clair'
- // sh 'docker rm clair'
- // sh 'cd test-compose && ./compose.sh'
- //// bring down after testing
- //sh 'cd test-compose && docker-compose down'
- docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$maintainer") {
+ // statically defining jenkins credential value dockerhub-tier
+ docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-tier") {
baseImg.push("$tag")
}
}
diff --git a/README.md b/README.md
index 691033e4..5861fdc2 100644
--- a/README.md
+++ b/README.md
@@ -1,371 +1,8 @@
-[](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/grouper/master)
+Documentation for this container is located at the following URL:
+https://spaces.at.internet2.edu/pages/viewpage.action?pageId=163119272
-
-This repository contains the source code used to create the InCommon Trusted Access Platform Grouper container. This standalone container is pushed to Dockerhub, various tags are available at the following URL: https://hub.docker.com/r/tier/grouper/tags. This repo can also be cloned and the container built locally.
-
-The test-compose directory contains an example Grouper environment that starts up the various Grouper components. This example demonstrates how one might go about customizing and deploying their Grouper containers, using the TIER Grouper image as a base image. If evaluating Grouper, this is a good place to start.
-
-
-# Upgrading from 2.3 to 2.4
-
-If upgrading from Grouper version 2.3 to 2.4 and using LDAP, modifications will be needed in subject.properties and grouper-loaders.proprties. Further details about this can be found at the following URL:
-https://spaces.at.internet2.edu/display/Grouper/vt-ldap+to+ldaptive+migration+for+LDAP+access
-
-In particular, in subject.properties, *.param.base.value should be adjusted to only contain the RDN (Relative Distinguished Name), not the full DN. For example, "OU=People", not "OU=People,DC=domain,DC=edu"
-
-Additional upgrade information can be found at the following URL: https://spaces.at.internet2.edu/display/Grouper/v2.4+Upgrade+Instructions+from+v2.3
-
-
-
-# Supported tags
-
-- latest
-- patch specific tags with date timestamp* (i.e. 2.4.0-80-u51-w10-p11-20191118)
-
-\* Patch builds are routinely produced, but not necessarily for each patch release. The following monikers are used to construct the tag name:
-
-- a = api patch number
-- u = ui patch number
-- w = ws patch number
-- p = pspng patch number
-- last field = the year, month and day the image was built
-
-# Quick reference
-
-- **Where to get help**:
- [tier-packaging@internet2.edu](mailto:tier-packaging@internet2.edu?subject=Grouper%20Image%20Help)
-
-- **Where to file issues**:
- [https://github.internet2.edu/docker/grouper/issues](https://github.internet2.edu/docker/grouper/issues)
-
-- **Maintained by**:
- [TIER Packaging Working Group](https://spaces.internet2.edu/display/TPWG)
-
-- **Supported Docker versions**:
- [the latest release](https://github.com/docker/docker-ce/releases/latest) (down to 1.6 on a best-effort basis)
-
-# What is Grouper?
-
-Grouper is an enterprise access management system designed for the highly distributed management environment and heterogeneous information technology environment common to universities. Operating a central access management system that supports both central and distributed IT reduces risk.
-
-> [www.internet2.edu/products-services/trust-identity/grouper/](https://www.internet2.edu/products-services/trust-identity/grouper/)
-
-
-
-# How to use this image
-
-This image provides support for each of the Grouper components/roles: Grouper Daemon/Loader, Grouper UI, Grouper Web Services, and Grouper SCIM Server.
-
-## Starting each role
-
-While TIER recommends/supports using Docker Swarm for orchestrating the Grouper environment, these containers can be run directly (or with other orchestration products). Both examples are shown below. It should be noted that these examples will not run independently, but required additional configuration to be provided before each container will start as expected.
-
-### Daemon/Loader
-
-Run the Grouper Daemon/Loader as a service. If the daemon/loader container dies unexpectedly, it may be due to memory contraints. Refer to the "Grouper Shell/Loader" section below for information on how to tweak memory settings.
-
-```console
-$ docker service create --detach --name grouper-daemon tier/grouper:latest daemon
-```
-
-Run the Grouper Daemon/Loader as a standalone container.
-
-```console
-$ docker run --detach --name grouper-daemon tier/grouper:latest daemon
-```
-
-### SCIM Server
-
-Runs the Grouper SCIM Server as a service.
-
-```console
-$ docker service create --detach --publish 9443:443 --name grouper-ws tier/grouper:latest scim
-```
-
-Runs the Grouper Web Services in a standalone container.
-
-```console
-$ docker run --detach --publish 9443:443 --name grouper-daemon tier/grouper:latest scim
-```
-
-### UI
-
-Runs the Grouper UI as a service.
-
-```console
-$ docker service create --detach --publish 443:443 --name grouper-ui tier/grouper:latest ui
-```
-
-Runs the Grouper UI in a standalone container.
-
-```console
-$ docker run --detach --name --publish 443:443 grouper-ui tier/grouper:latest ui
-```
-
-### Web Services
-
-Runs the Grouper Web Services as a service.
-
-```console
-$ docker service create --detach --publish 8443:443 --name grouper-ws tier/grouper:latest ws
-```
-
-Runs the Grouper Web Services in a standalone container.
-
-```console
-$ docker run --detach --publish 8443:443 --name grouper-daemon tier/grouper:latest ws
-```
-
-### UI and Web Services
-
-> This method is good when first starting to work with Grouper, but when scaling Grouper UI or Web Services it is advisable to use the individual roles noted above.
-
-Runs the Grouper UI and Web Services as a combined service. (You should really run these as individual roles to take advantage of Docker service replicas.)
-
-```console
-$ docker service create --detach --publish 443:443 --name grouper-web tier/grouper:latest ui-ws
-```
-
-Runs the Grouper UI and Web Services in a combined container. This good when first starting to work with Grouper, but when scaling Grouper UI or Web Services it is advisable to use the individual roles noted above.
-
-```console
-$ docker run --detach --publish 443:443 --name grouper-web tier/grouper:latest ui-ws
-```
-
-### GSH
-
-Runs the Grouper Shell in a throwaway container. This makes it easy to run Grouper commands and Grouper Shell scripts. Since it is interactive it does not run as a service.
-
-```console
-$ docker run -it --rm tier/grouper:latest bin/gsh <optional GSH args>
-```
-
-# Configuration
-
-## Grouper Configurations
-
-There are several things that are required for this image to successfully start. At a minimum, the `grouper.hibernate.properties` and `subject.properties` (or the old `sources.xml` equivalent) files need to be customized and available to the container at start-up.
-
-Grouper config files maybe placed into `/opt/grouper/conf` and these files will be put into the appropriate location based on the role the container assumes. Docker Secrets starting with the name `grouper_` should take precedence over these files. (See below.)
-
-## Web Apps Configuration
-
-If starting the container to serve the Grouper UI, Grouper Web Services, Grouper SCIM Server components, a TLS key and cert(s) need to be applied to those containers.
-
-The Grouper UI also requires some basic Shibboleth SP configuration. The `/etc/shibboleth/shibboleth2.xml` file should be modified to set:
-- an entityId for the SP
-- load IdP or federation metadata
-- set the SP's encryption keys
-- the identity attribute of the subject to be passed to Grouper
-
-If encryption keys are defined in the `shibboleth2.xml` file, then the key/cert files should be provided as well. The `attribute-map.xml` file has most of the common identity attributes pre-configured, but it (and other Shibboleth SP files) can be overlaid/replaced as necessary.
-
-(See the section below.)
-
-## General Configuration Mechanism
-
-There are three primary ways to provide Grouper and additional configuration files to the container: Docker Config/Secrets, customized images, and bind mounts. Depending upon your needs you may use a combination of two or three of these options.
-
-### Secrets/Configs
-
-Docker Config and Docker Secrets are Docker's way of providing configurations files to a container at runtime. The primary difference between the Config and Secrets functionality is that Secrets is designed to protect resources/files that are sensitive.
-
-For passing full files into the container, this container will make any secrets with secret names prepended with `grouper_` available to the appropriate Grouper component's conf directory (i.e. `<GROUPER_HOME>/conf` or `WEB-INF/classes`). Any secrets with secret names starting with `shib_` will be available in the Shibboleth SP `/etc/shibboleth/` directory. Any secrets with secret names starting with `httpd_` will be available to `/etc/httpd/conf.d` directory. Finally, if a secret with the name of `host-key.pem` will be mapped to the httpd TLS cert used by Grouper UI, Grouper WS, and Grouper SCIM Server containers. These files will supercede any found in the underlying image.
-
-Docker Secrets can also be used to pass in strings, such as a database connection string password, into the component config. To pass in the Grouper database connection string, one might set the property and value as such:
-
-```text
-hibernate.connection.password.elConfig = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(new("java.io.File", java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE')), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') }
-```
-
-Note that the default property name has been changed by appending `.elConfig`. (This causes Grouper to evaluate the string before saving the value.) The expression allows deployers to use a file containing only the database password as a Docker Secret and reference the file name via the `GROUPER_DATABASE_PASSWORD_FILE` environment property. This allows the config files to be baked into the image, if desired. Also, but not recommended, the database password could just be set in the Docker Service definition as an environment variable, `GROUPER_DATABASE_PASSWORD`. (Technically the expression can be broken up and just the desired functionality used.) Of course, using Grouper's MorphString functionality is supported and likely is the best option, but does require more effort in setting it up.
-
-Secrets can be managed using the `docker secret` command: `docker secret create grouper_grouper.hibernate.properties ./grouper.hibernate.properties`. This will securely store the file in the swarm. Secrets can then be assigned to the service `docker service create -d --name daemon --secret grouper_grouper.hibernate.properties --secret grouper_sources.xml tier/grouper daemon`.
-
-> `docker run` does not support secrets; Bind mounts need to be used instead, which is technically what Docker Compose does when not running against a Swarm.
-
-### Bind Mounts
-
-Bind mounts can be used to connect files/folders on the Docker host into the container's file system. Unless running in swarm mode, Docker Secrets are not supported, so we can use a bind mount to provide the container with the configuration files.
-
-```console
-$ docker run --detach --name daemon \
- --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
- --mount type=bind,src=$(pwd)/sources.xml,dst=/run/secrets/grouper_sources.xml \
- tier/grouper daemon
-```
-
-### Customized Images
-
-Deployers will undoubtedly want to add in their files to the container. Things like additional jar files defining Grouper Hooks, or things like images and css files. This can be accomplished by building custom images. **Deployers should NOT use this method to store sensitive configuration files.**
-
-To add a favicon to the Grouper UI, we use the tier/grouper images as a base and `COPY` our local `favicon.ico` into the image. While we are at it, we define this image as a UI image by specifying the default commnd (i.e `CMD`) of `ui`.
-
-```Dockerfile
-FROM tier/grouper:latest
-
-COPY favicon.ico /opt/grouper/grouper.ui/
-
-CMD ui
-```
-
-To build our image:
-
-```console
-$ docker build --tag=org/grouper-ui .
-```
-
-This image can now be used locally or pushed to an organization's Docker repository.
-
-
-## Environment Variables
-
-Deployers can set runtime variables to both the Grouper Shell and Loader/Daemon and to Tomcat/Tomcat EE using environment variables. These can be set using the `docker run` and `docker service creates`'s `--env` paramater.
-
-### Grouper Shell/Loader
-
-The following environment variables are used by the Grouper Shell/Loader:
-- MEM_START: corresponds to the java's `-Xms`. (default is 64m)
-- MEM_MAX: corresponds to java's `-Xmx`. (default is 750m)
-
-### Tomcat/TomEE
-
-Amongst others variables defined in the `catalina.sh`, the following variables would like be useful for deployers:
-- CATALINA_OPTS: Java runtime options to only be used by Tomcat itself.
-
-# File System Endpoints
-
-Here is a list of significant directories and files that deployers should be aware of:
-
-- `/opt/grouper/conf/`: a common directory to place non-sensitive config files that will be placed into the appropriate location for each Grouper component at container start-up.
-- `/opt/grouper/lib/`: a common directory to place additional jar files that will be placed into the appropriate location for each Grouper component at container start-up.
-- `/opt/grouper/grouper.apiBinary/`: location to overlay Grouper GSH or Daemon/Loader files.
-`/opt/grouper/grouper.scim/`: location for overlaying Grouper SCIM Server web application files (expanded `grouper-ws-scim.war`).
-- `/opt/grouper/grouper.ui/`: location for overlaying Grouper UI web application files (expanded `grouper.war`).
-- `/opt/grouper/grouper.ws/`: location for overlaying Grouper Web Services web application files (expanded `grouper-ws.war`).
-- `/etc/httpd/conf.d/ssl-enabled.conf`: Can be overlaid to change the TLS settings when running Grouper UI or Web Servicse.
-- `/etc/shibboleth/`: location to overlay the Shibboleth SP configuration files used by the image.
-- `/opt/tomcat/`: used to run Grouper UI and Grouper WS
-- `/opt/tomee/`: used to run the Grouper SCIM Server.
-- `/var/run/secrets`: location where Docker Secrets are mounted into the container. Secrets starting with `grouper_`, `shib_`, and `httpd_` have special meaning. See `Secrets/Configs` above.
-- `/usr/lib/jvm/zulu-8/jre/lib/security/cacerts`: location of the Java trust store.
-
-To examine baseline image files, one might run `docker run --name=temp -it tier/grouper bash` and browse through these file system endpoints. While the container is running one may copy files out of the image/container using something like `docker cp containerId:/opt/grouper/grouper.api/conf/grouper.properties .`, which will copy the `grouper.properties` to the Docker client's present working directory. These files can then be edited and applied via the mechanisms outlined above.
-
-# Web Application Endpoints
-
-Here is a list of significant web endpoints that deployers should be aware of:
-
-- `/grouper/`: location of the Grouper UI application
-- `grouper-ws/`: location of the Grouper WS application.
-- `/grouper-ws-scim/`: location of the Grouper SCIM Server application.
-
-The endpoint that is available is dependent upon the role of the container.
-
-# Provisioning a Grouper Database
-
-Using standard methods, create a MariaDb Server and an empty Grouper database. Create a database user with privileges to create and populate schema objects. Set the appropriate database connection properties in `grouper.hibernate.properties`. Be sure to the user created with schema manipulation privileges as the db user.
-
-Next populate the database by using the following command.
-
-```console
-$ docker run -it --rm \
- --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
- tier/grouper gsh -registry -check -runscript -noprompt
-```
-
-Note: a less privileged database user maybe used when running the typical Grouper roles. This user needs SELECT, INSERT, UPDATE, and DELETE privileges on the schema objects.
-
-# Provisioning a Grouper Database
-
-Using standard methods, create a MariaDb Server and an empty Grouper database. Create a database user with privileges to create and populate schema objects. Set the appropriate database connection properties in `grouper.hibernate.properties`. Be sure that the user is created with schema manipulation privileges.
-
-Next populate the database by using the following command.
-
-```console
-$ docker container run -it --rm \
- --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
- tier/grouper gsh -registry -check -runscript -noprompt
-```
-
-Also, it is possible to just connect directly to the container, create the DDL, and copy it out. This is necessary if your DBAs would prefer to manually execute the DDL to create the schema objects:
-
-```console
-$ docker container run -it --name grouper \
- --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
- tier/grouper
-
- gsh -registry -check
-
- exit
-
-$ docker container cp grouper:/opt/grouper/grouper.apiBinary/ddlScripts/ .
-$ docker container rm -f grouper
-```
-The generated DDL will be on the host in the `ddlScripts` directory.
-
-Note: A less privileged database user maybe used when running the typical Grouper roles. This user just needs SELECT, INSERT, UPDATE, and DELETE privileges on the tables and views. Running in this configuration requires DBAs to manually run the DDL scripts.
-
-# Configuring the embedded Shibboleth SP
-
-The Shibboleth SP needs to be configured to integrate with one or more SAML IdPs. Reference the Shibboleth SP documentation for specific instructions, but here is information on generating an encryption key/cert pair and mounting them (all of which are environment specific) and the shibboleth2.xml into the container.
-
-1. Start a temporary container and generate the key/cert pair:
- ```
- $ docker container run -it --name grouper \
- tier/grouper bash
-
- cd /etc/shibboleth
- ./keygen.sh -f -h <public_hostname>
- exit
- ```
-
-1. Copy the key, cert, and `shibboleth2.xml` files out of the container (and remove the container)
- ```console
- $ docker container cp grouper:/etc/shibboleth/shibboleth2.xml .
- $ docker container cp grouper:/etc/shibboleth/sp-cert.pem .
- $ docker container cp grouper:/etc/shibboleth/sp-key.pem .
-
- $ docker container rm grouper
- ```
-
-1. After updating the `shibboleth2.xml` file, save the key, cert, and shibboleth2.xml as secrets/config:
- ```console
- $ docker secret create sp-key.pem sp-key.pem
- $ docker config create sp-cert.pem sp-cert.pem
- $ docker config create shibboleth2.xml shibboleth2.xml
- ```
-
-1. Add the following to the UI service creation command to mount the environment specific settings:
- ```
- --secret source=sp-key.pem.pem,target=shib_sp-key.pem \
- --config source=sp-cert.pem,target=/etc/shibboleth/sp-cert.pem \
- --config source=shibboleth2.xml,target=/etc/shibboleth/shibboleth2.xml \
- ```
-
-# Logging
-
-This image outputs logs in a manner that is consistent with Docker Logging. Each log entry is prefaced with the submodule name (e.g. shibd, httpd, tomcat, grouper), the logfile name (e.g. access_log, grouper_error.log, catalina.out) and user definable environment name and a user definable token. Content found after the preface will be specific to the application ands its logging configuration.
-
-> Note: If customizing a particular component's logging, it is recommended that the file be source from the image (`docker container cp`) or from the image's source repository.
-
-To assign the "environment" string, set the environment variable `ENV` when defining the Docker service. For the "user defined token" string, use the environment variable of `USERTOKEN`.
-
-An example might look like the following, with the env of "dev" and the usertoken of "build-2"
-
-```text
-shibd shibd.log dev build-2 2018-03-27 20:42:22 INFO Shibboleth.Listener : listener service starting
-grouper-api grouper_event.log dev build-2 2018-03-27 21:10:00,046: [DefaultQuartzScheduler_Worker-1] INFO EventLog.info(156) - - [fdbb0099fe9e46e5be4371eb11250d39,'GrouperSystem','application'] session: start (0ms)
-tomcat console dev build-2 Grouper starting up: version: 2.3.0, build date: null, env: <no label configured>
-```
-
-# Misc Notes
-
-- [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) is enabled on the Apache HTTP Server.
-- morphStrings functionality in Grouper is supported. It is recommended that the various morphString files be associated with the containers as Docker Secrets. Set the configuration file properties to use `/var/run/secrets/secretname`.
-- Grouper UI has been pre-configured to authenticate users via Shibboleth SP.
-- By default, Grouper WS (hosted by `/opt/tomcat/`) and the Grouper SCIM Server (hosted by `/opt/tomee/`) use tomcat-users.xml for authentication, but by default no users are enabled. LDAP-backed authentication or other methods can be used and must be configured by the deployer.
+[](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/grouper/2.5.22)
# License
diff --git a/common.bash b/common.bash
index 22fbc6a9..cc96a899 100644
--- a/common.bash
+++ b/common.bash
@@ -1,2 +1,2 @@
-maintainer="tier"
+maintainer="i2incommon"
imagename="grouper"
diff --git a/container_files/grouper.installer.properties b/container_files/grouper.installer.properties
index c63c9d5f..78b76fe8 100644
--- a/container_files/grouper.installer.properties
+++ b/container_files/grouper.installer.properties
@@ -1,46 +1,5 @@
-# this should be before the version number
download.server.url = https://software.internet2.edu/grouper
-# default version to install
-grouper.version = 2.4.0
-# print out autorun keys in prompts so you can easily see how to configure the autorun
-grouperInstaller.print.autorunKeys = true
-# default to install or upgrade (default is install)
-grouperInstaller.default.installOrUpgrade = install
-
-##############################
-## Autorun properties
-##
-## If you uncomment one of these properties it will be used as empty, only uncomment to use
-##
-##############################
-
-grouperInstaller.autorun.forceInstallPatch = t
-grouperInstaller.autorun.installAllPatches = false
-grouperInstaller.autorun.installPatchesUpToACertainPatchLevel = true
-# 2.4.0-a91-u56-w11-p12-20200210-rc1
-grouperInstaller.autorun.installPatchesUpToThesePatchLevels = grouper_v2_4_0_api_patch_91,grouper_v2_4_0_ui_patch_56,grouper_v2_4_0_ws_patch_11,grouper_v2_4_0_pspng_patch_12
-
-
-#### set this to true to try to use defaults for everything. Only things without default values will need to be set
+grouperInstaller.default.installOrUpgrade = buildContainer
grouperInstaller.autorun.useDefaultsAsMuchAsAvailable = true
-########## AUTORUN PROPERTIES WITH NO DEFAULT OR ARE COMMONLY CHANGED
-## Note: not all of them need to be filled out for all operations
-# autorun grouper system password (its not secure to have a plain text pass in a config file)
-grouperInstaller.autorun.grouperSystemPassword = XXXXXXXXXX
-
-grouperInstaller.autorun.deleteAndInitDatabase = t
-grouperInstaller.autorun.addQuickstartData = f
-grouperInstaller.autorun.installClient = f
-
-grouperInstaller.autorun.installGrouperActiveMqMessaging = f
-grouperInstaller.autorun.activeMqWhereInstalled = /opt/grouper/2.4.0/grouper.apiBinary-2.4.0/
-
-grouperInstaller.autorun.installGrouperAwsSqsMessaging = t
-grouperInstaller.autorun.AwsSqsWhereInstalled = /opt/grouper/2.4.0/grouper.apiBinary-2.4.0/
-
-grouperInstaller.autorun.installGrouperRabbitMqMessaging = t
-grouperInstaller.autorun.rabbitMqWhereInstalled = /opt/grouper/2.4.0/grouper.apiBinary-2.4.0/
-
-# disable installing pspng, for now
-grouperInstaller.autorun.installPspng = t
-grouperInstaller.autorun.installPsp = f
+grouperInstaller.webAppWillBeInContainer = /opt/grouper/grouperWebapp
+grouperInstaller.autorun.buildContainerUseExistingJarIfExists = false
diff --git a/container_files/httpd/grouper-www.conf b/container_files/httpd/grouper-www.conf
index 562e47c6..16787d84 100644
--- a/container_files/httpd/grouper-www.conf
+++ b/container_files/httpd/grouper-www.conf
@@ -4,17 +4,9 @@ ProxyTimeout 2400
ProxyBadHeader Ignore
ProxyPass /grouper ajp://localhost:8009/grouper timeout=2400
-ProxyPass /grouper-ws ajp://localhost:8009/grouper-ws timeout=2400
-ProxyPass /grouper-ws-scim ajp://localhost:8009/grouper-ws-scim timeout=2400
+ProxyPass /grouper-ws ajp://localhost:8009/grouper timeout=2400
+ProxyPass /grouper-ws-scim ajp://localhost:8009/grouper timeout=2400
RewriteEngine on
RewriteCond %{REQUEST_URI} "^/$"
RewriteRule . %{REQUEST_SCHEME}://%{HTTP_HOST}/grouper/ [R=301,L]
-
-<Location /grouper>
- AuthType shibboleth
- ShibRequestSetting requireSession 1
- ShibRequireSession on
- ShibUseHeaders On
- require shibboleth
-</Location>
diff --git a/container_files/java-corretto/corretto-signing-key.pub b/container_files/java-corretto/corretto-signing-key.pub
new file mode 100644
index 00000000..b0198ed7
--- /dev/null
+++ b/container_files/java-corretto/corretto-signing-key.pub
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBF3pShkBEADJzglehQDFlc1+9VFubVPzpq8ZYtzmJkNjf09scOUzaKZOm3Ar
+mPh9Rufk4mB7t1LP4JeHAKAS17ggCHGVxRGXAAQ9Laf8ibX4SiFO3Ehyyl3smuFf
+ZhexBnvc7vRc4EUlKqarCQRUlaraDOrmq7WbhXdvCgc4u2uBLwUjAd3PHQUByAZw
+lsEQzpQnehNomjrE0pO6ms9AhmpbXlf/yr14EXvlo4lTd8QUdvS+AOCYfrHb9WGO
+IEsyyDuzuf2grV/QFpoi0VBhTCyiNYXla2AfCreMGlOCYsjw1nU93OyAqF3SaTOC
+o52yrzcb2NpbBDwRXOHNwe1md+DbRwEfkaWr5I91FqRpgEeawqyxY1miJRHduhsz
+WTgTMBF/EQfmTspD2YBX/BjNJTrdDXYvACX8slVV/vBnpi+dEpVEK3hh21ij991S
+lv8YoFnoC7XP44C7WNpVQpGW9ZWpnjLCvm3DMKW0r3Vfb3XDYhnHI1Q14Pxn0cwf
+x1L2RA4doyWd1TRZBFBe2f0vSkZT0YFaibKaKi6AkDIMU/+u+/e3wWbYXqzsSITj
+ffMkpMMNSwxbm8JqnsudjuzdEsYAiBUcFMwWysQDcyu63un2OmLKLfKxy19vCpS1
+8mkNy95JuO4jZtu+IiinvSSjlbJmslu3uK3/cTRsWaB7BRtHewE7SugMOwARAQAB
+tEhBbWF6b24gU2VydmljZXMgTExDIChBbWF6b24gQ29ycmV0dG8gcmVsZWFzZSkg
+PGNvcnJldHRvLXRlYW1AYW1hem9uLmNvbT6JAjEEEwECABsFAl3pShkCGy8FCQlm
+AYAFFQgKCQsCHgECF4AACgkQoSJUKrBPJOOJDg/6AqmntaxDWX6qfR++0qwtD9Lp
+vgONFvA+9AYQeGt7OX79O/SSPy97Kvn6DYRBdelShTAH60DbXCUs42sIRFqRjmHY
+HfIgOkUJjWoJz9oQnY+mzAKbOohCrR+YIvyCegFb0dboDaqSQ4w68+d1is7L84pz
+ZB2j0nrQDbFihPmR+epfHkLUGGywuZHCdEFfD8nXMOJeVbgSzf7Vhl8ZrydIkZTI
+7aASG5MkDO/GuVpEGQYAnH9h/jzJlfUKndswC6UFcM5Ol07pDPdHVBAi9q1SyxDe
+uSS1NgDW7OW7zgpB+4/PrZKKiEP/fBAWa9nFSLwTaMdsoaAuQAmmgbqYfy3XXKK7
+IBaKSnJpQDvNb0vmXJEY3qX2Bfh0p1KCeaQhYwIJi8rPQWC24fiLY9bdCIlkbbPQ
+CSNOEq9nUWRg9KbUGmd/PWSkT6Jheyq3BZBF1YPYEt8o/l437HHd08lREqH0sana
+Hb72GZTi2RUrNBBp5C1e8MqllXE6RKmri2m0TSBHR5C4ZLII9duyA839dYIA4KGU
+nmetZckuRuwHFmd3/YWtMEfn47UedzhVT16z3OvBipHU1BKzLGcvUFXrUKvpJQlh
+dNPUQh+wb91EzItjkJ96m+N+81iQdN3yd8cE38NTA8b+Qc7tmTYxwNZxcv16FxLA
+y2VhKc09A8RwSI69vDs=
+=ZNRH
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/container_files/tier-support/grouper-ws-scim.xml b/container_files/tier-support/grouper-ws-scim.xml
deleted file mode 100644
index bb15b17a..00000000
--- a/container_files/tier-support/grouper-ws-scim.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<Context docBase="/opt/grouper/grouper.scim/" path="/grouper-ws-scim" reloadable="false">
- <!-- Allow our symlinks to work-->
- <Resources allowLinking="true" />
-</Context>
-
-
diff --git a/container_files/tier-support/grouper-ws.xml b/container_files/tier-support/grouper-ws.xml
deleted file mode 100644
index b9aa6478..00000000
--- a/container_files/tier-support/grouper-ws.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-<Context docBase="/opt/grouper/grouper.ws/" path="/grouper-ws" reloadable="false">
- <!-- Allow our symlinks to work-->
- <Resources allowLinking="true" />
-</Context>
diff --git a/container_files/tier-support/grouper.xml b/container_files/tier-support/grouper.xml
deleted file mode 100644
index 22cfbd8a..00000000
--- a/container_files/tier-support/grouper.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-<Context docBase="/opt/grouper/grouper.ui/" path="/grouper" reloadable="false">
- <!-- Allow our symlinks to work-->
- <Resources allowLinking="true" />
-</Context>
diff --git a/container_files/tier-support/httpd-shib.conf b/container_files/tier-support/httpd-shib.conf
new file mode 100644
index 00000000..134c70bd
--- /dev/null
+++ b/container_files/tier-support/httpd-shib.conf
@@ -0,0 +1,7 @@
+<Location /grouper>
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ ShibRequireSession on
+ ShibUseHeaders On
+ require shibboleth
+</Location>
diff --git a/container_files/tier-support/ssl-enabled.conf b/container_files/tier-support/ssl-enabled.conf
new file mode 100644
index 00000000..09aa34c7
--- /dev/null
+++ b/container_files/tier-support/ssl-enabled.conf
@@ -0,0 +1,20 @@
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder on
+SSLCompression off
+# OCSP Stapling, only in httpd 2.3.3 and later
+SSLUseStapling on
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache shmcb:/var/run/ocsp(128000)
+Listen 443 https
+<VirtualHost *:443>
+ RewriteEngine on
+ RewriteRule "^/$" "/grouper/" [R]
+ SSLEngine on
+ #SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
+ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+ # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+ Header always set Strict-Transport-Security "max-age=15768000"
+</VirtualHost>
diff --git a/container_files/tier-support/supervisord-base.conf b/container_files/tier-support/supervisord-base.conf
new file mode 100644
index 00000000..0d2d974b
--- /dev/null
+++ b/container_files/tier-support/supervisord-base.conf
@@ -0,0 +1,16 @@
+[supervisord]
+logfile=/tmp/logsuperd ; supervisord log file
+logfile_maxbytes=0 ; maximum size of logfile before rotation
+loglevel=error ; info, debug, warn, trace
+nodaemon=true ; run supervisord as a daemon
+user=tomcat ; default user
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL for a unix socket
+
+; Our processes
+; writing output to stdout (1) and err (2) (for Docker logging) and disabling log rotation
+
diff --git a/container_files/tier-support/supervisord-httpd.conf b/container_files/tier-support/supervisord-httpd.conf
new file mode 100644
index 00000000..9e293b84
--- /dev/null
+++ b/container_files/tier-support/supervisord-httpd.conf
@@ -0,0 +1,7 @@
+[program:httpd]
+command=httpd -DFOREGROUND
+stderr_logfile = /tmp/loghttpd
+stderr_logfile_maxbytes=0
+stdout_logfile = /tmp/loghttpd
+stdout_logfile_maxbytes=0
+
diff --git a/container_files/tier-support/supervisord-shibsp.conf b/container_files/tier-support/supervisord-shibsp.conf
new file mode 100644
index 00000000..81150d96
--- /dev/null
+++ b/container_files/tier-support/supervisord-shibsp.conf
@@ -0,0 +1,9 @@
+[program:shibbolethsp]
+user=shibd
+command=/usr/sbin/shibd -f -F
+stderr_logfile = /tmp/logshibd
+stderr_logfile_maxbytes=0
+stdout_logfile = /tmp/logshibd
+stdout_logfile_maxbytes=0
+
+
diff --git a/container_files/tier-support/supervisord-tomcat.conf b/container_files/tier-support/supervisord-tomcat.conf
deleted file mode 100644
index 30631e41..00000000
--- a/container_files/tier-support/supervisord-tomcat.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-[supervisord]
-logfile=/tmp/logsuperd ; supervisord log file
-logfile_maxbytes=0 ; maximum size of logfile before rotation
-loglevel=error ; info, debug, warn, trace
-nodaemon=true ; run supervisord as a daemon
-user=root ; default user
-
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL for a unix socket
-
-; Our processes
-; writing output to stdout (1) and err (2) (for Docker logging) and disabling log rotation
-
-[program:httpd]
-command=httpd -DFOREGROUND
-stderr_logfile = /tmp/loghttpd
-stderr_logfile_maxbytes=0
-stdout_logfile = /tmp/loghttpd
-stdout_logfile_maxbytes=0
-
-[program:shibbolethsp]
-user=shibd
-command=/usr/sbin/shibd -f -F
-stderr_logfile = /tmp/logshidb
-stderr_logfile_maxbytes=0
-stdout_logfile = /tmp/logshidb
-stdout_logfile_maxbytes=0
-
-[program:tomcat]
-user=tomcat
-command=/opt/tomcat/bin/catalina.sh run
-stderr_logfile = /tmp/logtomcat
-stderr_logfile_maxbytes=0
-stdout_logfile = /tmp/logtomcat
-stdout_logfile_maxbytes=0
-
diff --git a/container_files/tier-support/supervisord-tomee.conf b/container_files/tier-support/supervisord-tomee.conf
index 35e19488..9003fad4 100644
--- a/container_files/tier-support/supervisord-tomee.conf
+++ b/container_files/tier-support/supervisord-tomee.conf
@@ -1,26 +1,3 @@
-[supervisord]
-logfile=/tmp/logsuperd ; supervisord log file
-logfile_maxbytes=0 ; maximum size of logfile before rotation
-loglevel=error ; info, debug, warn, trace
-nodaemon=true ; run supervisord as a daemon
-user=root ; default user
-
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL for a unix socket
-
-; Our processes
-; writing output to stdout (1) and err (2) (for Docker logging) and disabling log rotation
-
-[program:httpd]
-command=httpd -DFOREGROUND
-stderr_logfile = /tmp/loghttpd
-stderr_logfile_maxbytes=0
-stdout_logfile = /tmp/loghttpd
-stdout_logfile_maxbytes=0
-
[program:tomee]
user=tomcat
command=/opt/tomee/bin/catalina.sh run
@@ -29,3 +6,4 @@ stderr_logfile_maxbytes=0
stdout_logfile = /tmp/logtomcat
stdout_logfile_maxbytes=0
+
diff --git a/container_files/tier-support/supervisord.conf b/container_files/tier-support/supervisord.conf
new file mode 100644
index 00000000..4b8a396b
--- /dev/null
+++ b/container_files/tier-support/supervisord.conf
@@ -0,0 +1,15 @@
+[supervisord]
+logfile=/tmp/logsuperd ; supervisord log file
+logfile_maxbytes=0 ; maximum size of logfile before rotation
+loglevel=error ; info, debug, warn, trace
+nodaemon=true ; run supervisord as a daemon
+user=tomcat ; default user
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL for a unix socket
+
+; Our processes
+; writing output to stdout (1) and err (2) (for Docker logging) and disabling log rotation
diff --git a/container_files/tomcat/bin/setenv.sh b/container_files/tomcat/bin/setenv.sh
deleted file mode 100755
index c6130b5c..00000000
--- a/container_files/tomcat/bin/setenv.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-CLASSPATH=/opt/tomcat/bin/*
-JAVA_OPTS="-Dlog4j.configurationFile=/opt/tomcat/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
-LOGGING_MANAGER=-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
\ No newline at end of file
diff --git a/container_files/tomcat/conf/log4j2.xml b/container_files/tomcat/conf/log4j2.xml
deleted file mode 100644
index 673de68c..00000000
--- a/container_files/tomcat/conf/log4j2.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Configuration status="info">
- <Properties>
- <Property name="layout">%d [%t] %-5p %c- %m%n</Property>
- </Properties>
- <Appenders>
- <File name="CATALINA"
- fileName="/tmp/logpipe">
- <PatternLayout pattern="tomcat;catalina.out;${env:ENV};${env:USERTOKEN};${layout}"/>
- </File>
- <File name="LOCALHOST"
- fileName="/tmp/logpipe">
- <PatternLayout pattern="tomcat;localhost.log;${env:ENV};${env:USERTOKEN};${layout}"/>
- </File>
-
- </Appenders>
- <Loggers>
- <Root level="info">
- <AppenderRef ref="CATALINA"/>
- </Root>
- <Logger name="org.apache.catalina.core.ContainerBase.[Catalina].[localhost]"
- level="info" additivity="false">
- <AppenderRef ref="LOCALHOST"/>
- </Logger>
- </Loggers>
-</Configuration>
\ No newline at end of file
diff --git a/container_files/tomcat/conf/server.xml b/container_files/tomcat/conf/server.xml
deleted file mode 100644
index 9610fc7d..00000000
--- a/container_files/tomcat/conf/server.xml
+++ /dev/null
@@ -1,173 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!-- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/server.html
- -->
-<Server port="8005" shutdown="SHUTDOWN">
- <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
- <!-- Security listener. Documentation at /docs/config/listeners.html
- <Listener className="org.apache.catalina.security.SecurityListener" />
- -->
- <!--APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- <!-- Prevent memory leaks due to use of particular java/javax APIs-->
- <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
- <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
- <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
-
- <!-- Global JNDI resources
- Documentation at /docs/jndi-resources-howto.html
- -->
- <GlobalNamingResources>
- <!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users
- -->
-<!--
- <Resource name="UserDatabase" auth="Container"
- type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
--->
- </GlobalNamingResources>
-
- <!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" Note: A "Service" is not itself a "Container",
- so you may not define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/service.html
- -->
- <Service name="Catalina">
-
- <!--The connectors can use a shared executor, you can define one or more named thread pools-->
- <!--
- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
- maxThreads="150" minSpareThreads="4"/>
- -->
-
-
- <!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Documentation at :
- Java HTTP Connector: /docs/config/http.html
- Java AJP Connector: /docs/config/ajp.html
- APR (HTTP/AJP) Connector: /docs/apr.html
- Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
- -->
- <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
- connectionTimeout="20000"
- redirectPort="8443" />
- <!-- A "Connector" using the shared thread pool-->
- <!--
- <Connector executor="tomcatThreadPool"
- port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" />
- -->
- <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
- This connector uses the NIO implementation. The default
- SSLImplementation will depend on the presence of the APR/native
- library and the useOpenSSL attribute of the
- AprLifecycleListener.
- Either JSSE or OpenSSL style configuration may be used regardless of
- the SSLImplementation selected. JSSE style configuration is used below.
- -->
- <!--
- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
- maxThreads="150" SSLEnabled="true">
- <SSLHostConfig>
- <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
- type="RSA" />
- </SSLHostConfig>
- </Connector>
- -->
- <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
- This connector uses the APR/native implementation which always uses
- OpenSSL for TLS.
- Either JSSE or OpenSSL style configuration may be used. OpenSSL style
- configuration is used below.
- -->
- <!--
- <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
- maxThreads="150" SSLEnabled="true" >
- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
- <SSLHostConfig>
- <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
- certificateFile="conf/localhost-rsa-cert.pem"
- certificateChainFile="conf/localhost-rsa-chain.pem"
- type="RSA" />
- </SSLHostConfig>
- </Connector>
- -->
-
- <!-- Define an AJP 1.3 Connector on port 8009 -->
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" URIEncoding="UTF-8" />
-
-
- <!-- An Engine represents the entry point (within Catalina) that processes
- every request. The Engine implementation for Tomcat stand alone
- analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host).
- Documentation at /docs/config/engine.html -->
-
- <!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
- -->
- <Engine name="Catalina" defaultHost="localhost">
-
- <!--For clustering, please take a look at documentation at:
- /docs/cluster-howto.html (simple how to)
- /docs/config/cluster.html (reference documentation) -->
- <!--
- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
- -->
-
- <!-- Use the LockOutRealm to prevent attempts to guess user passwords
- via a brute-force attack -->
- <Realm className="org.apache.catalina.realm.LockOutRealm">
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
-<!--
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
--->
- </Realm>
-
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="true">
-
- <!-- SingleSignOn valve, share authentication between web applications
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
- -->
-
- <!-- Access log processes all example.
- Documentation at: /docs/config/valve.html
- Note: The pattern used is equivalent to using pattern="common" -->
- <!-- Managing through Apache HTTPD Server config
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log" suffix=".txt"
- pattern="%h %l %u %t "%r" %s %b" />
- -->
-
- </Host>
- </Engine>
- </Service>
-</Server>
diff --git a/container_files/tomcat/conf/tomcat-users.xml b/container_files/tomcat/conf/tomcat-users.xml
deleted file mode 100644
index cef36cd4..00000000
--- a/container_files/tomcat/conf/tomcat-users.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<tomcat-users xmlns="http://tomcat.apache.org/xml"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
- version="1.0">
-<role rolename="grouper_user"/>
-<!--<user username="GrouperSystem" password="XXXXXXXXXX" roles="grouper_user"/> -->
-<!--
- NOTE: By default, no user is included in the "manager-gui" role required
- to operate the "/manager/html" web application. If you wish to use this app,
- you must define such a user - the username and password are arbitrary. It is
- strongly recommended that you do NOT use one of the users in the commented out
- section below since they are intended for use with the examples web
- application.
--->
-<!--
- NOTE: The sample user and role entries below are intended for use with the
- examples web application. They are wrapped in a comment and thus are ignored
- when reading this file. If you wish to configure these users for use with the
- examples web application, do not forget to remove the <!.. ..> that surrounds
- them. You will also need to set the passwords to something appropriate.
--->
-<!--
- <role rolename="tomcat"/>
- <role rolename="role1"/>
- <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
- <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
- <user username="role1" password="<must-be-changed>" roles="role1"/>
--->
-</tomcat-users>
\ No newline at end of file
diff --git a/container_files/tomee/bin/setenv.sh b/container_files/tomee/bin/setenv.sh
index 2387d613..5245f238 100755
--- a/container_files/tomee/bin/setenv.sh
+++ b/container_files/tomee/bin/setenv.sh
@@ -1,3 +1,4 @@
CLASSPATH=/opt/tomee/bin/*
-JAVA_OPTS="-Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
-LOGGING_MANAGER=-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
\ No newline at end of file
+#JAVA_OPTS="-Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
+CATALINA_OPTS="-Xmx$GROUPER_MAX_MEMORY -XX:+UseG1GC -XX:+UseStringDeduplication -Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN $GROUPER_EXTRA_CATALINA_OPTS"
+LOGGING_MANAGER=-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
diff --git a/container_files/tomee/conf/server.xml b/container_files/tomee/conf/server.xml.disabled
similarity index 99%
rename from container_files/tomee/conf/server.xml
rename to container_files/tomee/conf/server.xml.disabled
index e5c89967..e09ea6fc 100644
--- a/container_files/tomee/conf/server.xml
+++ b/container_files/tomee/conf/server.xml.disabled
@@ -161,4 +161,4 @@
</Host>
</Engine>
</Service>
-</Server>
\ No newline at end of file
+</Server>
diff --git a/container_files/ui/web.xml b/container_files/ui/web.xml
deleted file mode 100644
index f3aa302f..00000000
--- a/container_files/ui/web.xml
+++ /dev/null
@@ -1,89 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
- version="2.4">
- <filter>
- <filter-name>GrouperUi</filter-name>
- <filter-class>edu.internet2.middleware.grouper.ui.GrouperUiFilter</filter-class>
- </filter>
- <filter>
- <filter-name>CSRFGuard</filter-name>
- <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>GrouperUi</filter-name>
- <url-pattern>*.jsp</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>GrouperUi</filter-name>
- <url-pattern>/grouperUi/app/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>GrouperUi</filter-name>
- <url-pattern>/grouperUi/appHtml/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>GrouperUi</filter-name>
- <url-pattern>/grouperExternal/app/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>GrouperUi</filter-name>
- <url-pattern>/grouperExternal/public/UiV2Public.index</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>GrouperUi</filter-name>
- <url-pattern>/grouperExternal/public/UiV2Public.postIndex</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>CSRFGuard</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <listener>
- <listener-class>edu.internet2.middleware.grouper.ui.GrouperSessionAttributeListener</listener-class>
- </listener>
- <listener>
- <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
- </listener>
- <listener>
- <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
- </listener>
- <servlet>
- <servlet-name>StatusServlet</servlet-name>
- <display-name>Status Servlet</display-name>
- <servlet-class>edu.internet2.middleware.grouper.j2ee.status.GrouperStatusServlet</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
- <servlet>
- <servlet-name>UiServlet</servlet-name>
- <servlet-class>edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
- <servlet>
- <servlet-name>OwaspJavaScriptServlet</servlet-name>
- <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
- </servlet>
- <servlet-mapping>
- <servlet-name>StatusServlet</servlet-name>
- <url-pattern>/status</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>UiServlet</servlet-name>
- <url-pattern>/grouperUi/app/*</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>UiServlet</servlet-name>
- <url-pattern>/grouperExternal/app/*</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>UiServlet</servlet-name>
- <url-pattern>/grouperExternal/public/UiV2Public.index</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>UiServlet</servlet-name>
- <url-pattern>/grouperExternal/public/UiV2Public.postIndex</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>OwaspJavaScriptServlet</servlet-name>
- <url-pattern>/grouperExternal/public/OwaspJavaScriptServlet</url-pattern>
- </servlet-mapping>
-</web-app>
diff --git a/container_files/usr-local-bin/daemon b/container_files/usr-local-bin/daemon
index da40d1e6..7488460d 100755
--- a/container_files/usr-local-bin/daemon
+++ b/container_files/usr-local-bin/daemon
@@ -6,4 +6,4 @@ prepDaemon
export GSH_JVMARGS="$GSH_JVMARGS -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
-exec bin/gsh -loader > /tmp/loggrouper
+exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
diff --git a/container_files/usr-local-bin/entrypoint.sh b/container_files/usr-local-bin/entrypoint.sh
index 83e985d6..4c4a9099 100755
--- a/container_files/usr-local-bin/entrypoint.sh
+++ b/container_files/usr-local-bin/entrypoint.sh
@@ -3,4 +3,12 @@
. /usr/local/bin/library.sh
prepConf
-exec "$@"
\ No newline at end of file
+if [ "$#" -eq 0 ];
+ then
+ echo no component set to run
+ finishPrep
+ exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
+else
+ echo executing $@
+ exec "$@"
+fi
diff --git a/container_files/usr-local-bin/gsh b/container_files/usr-local-bin/gsh
index e65979ab..1473da7e 100755
--- a/container_files/usr-local-bin/gsh
+++ b/container_files/usr-local-bin/gsh
@@ -6,4 +6,4 @@ prepDaemon
export GSH_JVMARGS="$GSH_JVMARGS -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
-exec bin/gsh "$@" | tee /tmp/loggrouper
+exec bin/gsh.sh "$@" | tee /tmp/loggrouper
diff --git a/container_files/usr-local-bin/library.sh b/container_files/usr-local-bin/library.sh
index 5d3790af..3f650faa 100755
--- a/container_files/usr-local-bin/library.sh
+++ b/container_files/usr-local-bin/library.sh
@@ -1,5 +1,16 @@
#!/bin/sh
+dest=/opt/grouper/grouperWebapp/WEB-INF/
+
+if [ -d "/opt/grouper/slashRoot" ]; then
+ # Copy any files into the root filesystem
+ rsync -l -r -v /opt/grouper/slashRoot/ /
+fi
+
+if [ -d "/opt/grouper/lib" ]; then
+ cp -r /opt/grouper/lib/* $dest/libUiAndDaemon/
+fi
+
setupPipe() {
if [ -e $1 ]; then
rm $1
@@ -31,7 +42,7 @@ setupShibdLogPipe() {
setupTomcatLogPipe() {
setupPipe /tmp/logtomcat
- (cat <> /tmp/logtomcat | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "tomcat;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' &>/tmp/logpipe) &
+ (cat <> /tmp/logtomcat | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "tomee;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' &>/tmp/logpipe) &
}
setupSupervisordLogPipe() {
@@ -45,7 +56,7 @@ linkGrouperSecrets() {
local file=$(echo $label_file| cut -d'_' -f 2)
if [[ $label_file == grouper_* ]]; then
- ln -sf /run/secrets/$label_file $1/$file
+ ln -sf /run/secrets/$label_file $dest/classes/$file
elif [[ $label_file == shib_* ]]; then
ln -sf /run/secrets/$label_file /etc/shibboleth/$file
elif [[ $label_file == httpd_* ]]; then
@@ -57,45 +68,37 @@ linkGrouperSecrets() {
}
prepDaemon() {
+
+ if [ -z "$GROUPER_DAEMON" ]; then export GROUPER_DAEMON=true; fi
+ if [ -z "$RUN_TOMEE" ]; then export RUN_TOMEE=true; fi
+
setupLoggingPipe
setupGrouperLogPipe
-}
-
-prepDaemonConf() {
- local dest=/opt/grouper/grouper.apiBinary
- linkGrouperSecrets $dest/conf
-
- if [ -d "/opt/grouper/conf" ]; then
- cp -r /opt/grouper/conf/* $dest/conf/
- fi
- if [ -d "/opt/grouper/lib" ]; then
- cp -r /opt/grouper/lib/* $dest/lib/custom/
- fi
+ #cp /opt/tier-support/grouper.xml /opt/tomee/conf/Catalina/localhost/
+ finishPrep
}
prepSCIM() {
+ if [ -z "$GROUPER_SCIM" ]; then export GROUPER_SCIM=true; fi
+ if [ -z "$RUN_APACHE" ]; then export RUN_APACHE=true; fi
+ if [ -z "$RUN_TOMEE" ]; then export RUN_TOMEE=true; fi
+
setupLoggingPipe
setupGrouperLogPipe
setupHttpdLogPipe
setupTomcatLogPipe
- cp /opt/tier-support/grouper-ws-scim.xml /opt/tomee/conf/Catalina/localhost/
-}
-
-prepSCIMConf() {
- local dest=/opt/grouper/grouper.scim/WEB-INF
- linkGrouperSecrets $dest/classes
-
- if [ -d "/opt/grouper/conf" ]; then
- cp -r /opt/grouper/conf/* $dest/classes/
- fi
- if [ -d "/opt/grouper/lib" ]; then
- cp -r /opt/grouper/lib/* $dest/lib/
- fi
+ #cp /opt/tier-support/grouper.xml /opt/tomee/conf/Catalina/localhost/
+ finishPrep
}
prepUI() {
+ if [ -z "$GROUPER_UI" ]; then export GROUPER_UI=true; fi
+ if [ -z "$RUN_APACHE" ]; then export RUN_APACHE=true; fi
+ if [ -z "$RUN_SHIB_SP" ]; then export RUN_SHIB_SP=true; fi
+ if [ -z "$RUN_TOMEE" ]; then export RUN_TOMEE=true; fi
+
setupLoggingPipe
setupGrouperLogPipe
setupHttpdLogPipe
@@ -103,47 +106,79 @@ prepUI() {
setupTomcatLogPipe
setupSupervisordLogPipe
- cp /opt/tier-support/grouper.xml /opt/tomcat/conf/Catalina/localhost/
-}
-
-prepUIConf() {
- local dest=/opt/grouper/grouper.ui/WEB-INF
- linkGrouperSecrets $dest/classes
-
- if [ -d "/opt/grouper/conf" ]; then
- cp -r /opt/grouper/conf/* $dest/classes/
- fi
- if [ -d "/opt/grouper/lib" ]; then
- cp -r /opt/grouper/lib/* $dest/lib/
- fi
+ #cp /opt/tier-support/grouper.xml /opt/tomee/conf/Catalina/localhost/
+ finishPrep
}
prepWS() {
+
+ if [ -z "$GROUPER_WS" ]; then export GROUPER_WS=true; fi
+ if [ -z "$RUN_APACHE" ]; then export RUN_APACHE=true; fi
+ if [ -z "$RUN_TOMEE" ]; then export RUN_TOMEE=true; fi
setupLoggingPipe
setupGrouperLogPipe
setupHttpdLogPipe
setupTomcatLogPipe
setupSupervisordLogPipe
- cp /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/
+ #cp /opt/tier-support/grouper.xml /opt/tomee/conf/Catalina/localhost/
+ finishPrep
}
-prepWSConf() {
- local dest=/opt/grouper/grouper.ws/WEB-INF
+
+prepConf() {
linkGrouperSecrets $dest/classes
-
- if [ -d "/opt/grouper/conf" ]; then
- cp -r /opt/grouper/conf/* $dest/classes/
+}
+
+
+finishPrep() {
+
+ # clear out existing supervisord config
+ cat /opt/tier-support/supervisord-base.conf > /opt/tier-support/supervisord.conf
+
+ # construct the supervisord file based on FLAGS passed in or what was in CMD
+ if [ "$RUN_APACHE" = "true" ]
+ then
+ cat /opt/tier-support/supervisord-httpd.conf >> /opt/tier-support/supervisord.conf
fi
- if [ -d "/opt/grouper/lib" ]; then
- cp -r /opt/grouper/lib/* $dest/lib/
+
+
+ if [ "$RUN_TOMEE" = "true" ]
+ then
+ cat /opt/tier-support/supervisord-tomee.conf >> /opt/tier-support/supervisord.conf
fi
-}
+ if [ "$RUN_SHIB_SP" = "true" ]
+ then
+ cat /opt/tier-support/supervisord-shibsp.conf >> /opt/tier-support/supervisord.conf
+ cp /opt/tier-support/httpd-shib.conf /etc/httpd/conf.d/
+ fi
-prepConf() {
- prepDaemonConf
- prepSCIMConf
- prepUIConf
- prepWSConf
-}
\ No newline at end of file
+ # copy files to their appropriate locations based on passed in flags
+ if [ "$GROUPER_WS" = "true" ]
+ then
+ cp -r $dest/libWs/* $dest/lib/
+ fi
+
+ if [ "$GROUPER_SCIM" = "true" ]
+ then
+ cp -r $dest/libScim/* $dest/lib/
+ fi
+
+ if [ "$GROUPER_UI" = "true" ] || [ "$GROUPER_DAEMON" = "true" ]
+ then
+ cp -r $dest/libUiAndDaemon/* $dest/lib/
+ fi
+
+ if [ "$SELF_SIGNED_CERT" = "true" ]
+ then
+ cp /opt/tier-support/ssl-enabled.conf /etc/httpd/conf.d/
+ fi
+
+ if [ -z "$GROUPER_MAX_MEMORY" ]
+ then
+ export GROUPER_MAX_MEMORY=1500m
+ fi
+
+
+}
diff --git a/container_files/usr-local-bin/scim b/container_files/usr-local-bin/scim
index ffe12b37..9ab7c7b4 100755
--- a/container_files/usr-local-bin/scim
+++ b/container_files/usr-local-bin/scim
@@ -4,4 +4,4 @@
prepSCIM
-exec /usr/bin/supervisord -c /opt/tier-support/supervisord-tomee.conf
+exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
diff --git a/container_files/usr-local-bin/ui b/container_files/usr-local-bin/ui
index a03ed585..59994da0 100755
--- a/container_files/usr-local-bin/ui
+++ b/container_files/usr-local-bin/ui
@@ -6,4 +6,4 @@ prepUI
export LD_LIBRARY_PATH=/opt/shibboleth/lib64:$LD_LIBRARY_PATH
-exec /usr/bin/supervisord -c /opt/tier-support/supervisord-tomcat.conf
+exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
diff --git a/container_files/usr-local-bin/ui-ws b/container_files/usr-local-bin/ui-ws
index de1384c4..3eee072e 100755
--- a/container_files/usr-local-bin/ui-ws
+++ b/container_files/usr-local-bin/ui-ws
@@ -7,4 +7,4 @@ prepWS
export LD_LIBRARY_PATH=/opt/shibboleth/lib64:$LD_LIBRARY_PATH
-/usr/bin/supervisord -c /opt/tier-support/supervisord-tomcat.conf
+exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
diff --git a/container_files/usr-local-bin/ws b/container_files/usr-local-bin/ws
index 0e10b688..99f893ee 100755
--- a/container_files/usr-local-bin/ws
+++ b/container_files/usr-local-bin/ws
@@ -4,4 +4,4 @@
prepWS
-exec /usr/bin/supervisord -c /opt/tier-support/supervisord-tomcat.conf
+exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
diff --git a/manualBuild.sh b/manualBuild.sh
index 67b7d8a8..16fcc3f4 100755
--- a/manualBuild.sh
+++ b/manualBuild.sh
@@ -1,4 +1,4 @@
-docker build --pull --tag=tier/grouper:latest . \
+docker build --pull --tag=itap/grouper:latest . \
if [[ "$OSTYPE" == "darwin"* ]]; then
say build complete
diff --git a/test-compose/configs-and-secrets/grouper/morphString.properties b/test-compose/configs-and-secrets/grouper/morphString.properties
new file mode 100644
index 00000000..52479216
--- /dev/null
+++ b/test-compose/configs-and-secrets/grouper/morphString.properties
@@ -0,0 +1 @@
+encrypt.key=fh43IRJ4Nf5
diff --git a/test-compose/daemon/Dockerfile b/test-compose/daemon/Dockerfile
index f6203505..92b58121 100644
--- a/test-compose/daemon/Dockerfile
+++ b/test-compose/daemon/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper:latest
+FROM i2incommon/grouper:latest
LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
diff --git a/test-compose/data/Dockerfile b/test-compose/data/Dockerfile
index e4ffb7f8..bf1e104a 100644
--- a/test-compose/data/Dockerfile
+++ b/test-compose/data/Dockerfile
@@ -1,9 +1,9 @@
-FROM tier/grouper:latest
+FROM i2incommon/grouper:latest
LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
COPY container_files/seed-data/ /seed-data/
-COPY container_files/conf/ /opt/grouper/grouper.apiBinary/conf/
+COPY container_files/conf/ /opt/grouper/grouperWebapp/WEB-INF/classes/
RUN yum install -y epel-release \
&& yum update -y \
@@ -44,8 +44,8 @@ RUN (/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir &) \
&& while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
(mysqld_safe & ) \
&& while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 1; done; \
- bin/gsh -registry -check -runscript -noprompt \
- && bin/gsh /seed-data/bootstrap.gsh
+ /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh -registry -check -runscript -noprompt \
+ && /opt/grouper/grouperWebapp/WEB-INF/bin/gsh.sh /seed-data/bootstrap.gsh
EXPOSE 389 3306
diff --git a/test-compose/data/container_files/conf/grouper.client.properties b/test-compose/data/container_files/conf/grouper.client.properties
new file mode 100644
index 00000000..dcc50ae7
--- /dev/null
+++ b/test-compose/data/container_files/conf/grouper.client.properties
@@ -0,0 +1,112 @@
+#
+# Copyright 2014 Internet2
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# Grouper client configuration
+# $Id: grouper.client.example.properties,v 1.24 2009-12-30 04:23:02 mchyzer Exp $
+#
+
+# The grouper client uses Grouper Configuration Overlays (documented on wiki)
+# By default the configuration is read from grouper.client.base.properties
+# (which should not be edited), and the grouper.client.properties overlays
+# the base settings. See the grouper.client.base.properties for the possible
+# settings that can be applied to the grouper.client.properties
+
+########################################
+## LDAP connection settings
+########################################
+
+# url of directory, including the base DN (distinguished name)
+# e.g. ldap://server.school.edu/dc=school,dc=edu
+# e.g. ldaps://server.school.edu/dc=school,dc=edu
+grouperClient.ldap.url =
+
+# kerberos principal used to connect to ldap
+grouperClient.ldap.login =
+
+# password for shared secret authentication to ldap
+# or you can put a filename with an encrypted password
+grouperClient.ldap.password =
+
+########################################
+## Web service Connection settings
+########################################
+
+# url of web service, should include everything up to the first resource to access
+# e.g. http://groups.school.edu:8090/grouper-ws/servicesRest
+# e.g. https://groups.school.edu/grouper-ws/servicesRest
+grouperClient.webService.url = https://ws/grouper-ws/servicesRest
+
+# kerberos principal used to connect to web service
+grouperClient.webService.login = banderson
+
+# password for shared secret authentication to web service
+# or you can put a filename with an encrypted password
+grouperClient.webService.password.elConfig = ${java.lang.System.getenv().get('GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_CLIENT_WEBSERVICE_PASSWORD') }
+
+
+################################
+## Grouper Messaging System
+################################
+
+# name of messaging system which is the default
+grouper.messaging.default.name.of.messaging.system = rabbitmq
+
+# name of a messaging system. note, "grouperBuiltinMessaging" can be arbitrary
+# grouper.messaging.system.grouperBuiltinMessaging.name = grouperBuiltinMessaging
+
+# class that implements edu.internet2.middleware.grouperClient.messaging.GrouperMessagingSystem
+# grouper.messaging.system.grouperBuiltinMessaging.class = edu.internet2.middleware.grouper.messaging.GrouperBuiltinMessagingSystem
+
+# name of a messaging system. note, "grouperBuiltinMessaging" can be arbitrary
+grouper.messaging.system.rabbitmqSystem.name = rabbitmqSystem
+
+# class that implements edu.internet2.middleware.grouperClient.messaging.GrouperMessagingSystem
+grouper.messaging.system.rabbitmqSystem.class = edu.internet2.middleware.grouperMessagingRabbitmq.GrouperMessagingRabbitmqSystem
+
+# host address of rabbitmq queue
+grouper.messaging.system.rabbitmqSystem.host = rabbitmq
+
+# virtual host of rabbitmq queue
+grouper.messaging.system.rabbitmqSystem.virtualhost =
+
+# port of rabbitmq queue
+grouper.messaging.system.rabbitmqSystem.port =
+
+grouper.messaging.system.rabbitmqSystem.defaultPageSize = 10
+
+grouper.messaging.system.rabbitmqSystem.maxPageSize = 50
+
+
+# name of a messaging system, required
+grouper.messaging.system.rabbitmq.name = rabbitmq
+
+# default system settings to this messaging system, note, there is only one level of inheritance
+grouper.messaging.system.rabbitmq.defaultSystemName = rabbitmqSystem
+
+grouper.messaging.system.rabbitmq.user = guest
+
+#pass
+grouper.messaging.system.rabbitmq.password.elConfig = ${java.lang.System.getenv().get('RABBITMQ_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('RABBITMQ_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('RABBITMQ_PASSWORD') }
+# set the following three properties if you want to use TLS connection to rabbitmq. All three need to be populated.
+# TLS Version
+#grouper.messaging.system.rabbitmqSystem.tlsVersion = TLSv1.1
+
+# path to trust store file
+#grouper.messaging.system.rabbitmqSystem.pathToTrustStore =
+
+# trust passphrase
+#grouper.messaging.system.rabbitmqSystem.trustPassphrase =
\ No newline at end of file
diff --git a/test-compose/data/container_files/conf/morphString.properties b/test-compose/data/container_files/conf/morphString.properties
new file mode 100644
index 00000000..52479216
--- /dev/null
+++ b/test-compose/data/container_files/conf/morphString.properties
@@ -0,0 +1 @@
+encrypt.key=fh43IRJ4Nf5
diff --git a/test-compose/docker-compose.yml b/test-compose/docker-compose.yml
index c0e21ed3..e4eb940f 100644
--- a/test-compose/docker-compose.yml
+++ b/test-compose/docker-compose.yml
@@ -207,6 +207,8 @@ services:
target: grouper_grouper-loader.properties
- source: subject.properties
target: grouper_subject.properties
+ - source: morphString.properties
+ target: grouper_morphString.properties
volumes:
- type: bind
source: ./configs-and-secrets/grouper/grouper.properties
@@ -267,6 +269,9 @@ secrets:
file: ./configs-and-secrets/grouper/subject.properties
sp-key.pem:
file: ./configs-and-secrets/shibboleth/sp-key.pem
+ morphString.properties:
+ file: ./configs-and-secrets/grouper/morphString.properties
+
volumes:
diff --git a/test-compose/gsh/Dockerfile b/test-compose/gsh/Dockerfile
index 33023280..aeabcdd6 100644
--- a/test-compose/gsh/Dockerfile
+++ b/test-compose/gsh/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper:latest
+FROM i2incommon/grouper:latest
MAINTAINER tier-packaging@internet2.edu <tier-packaging@internet2.edu>
diff --git a/test-compose/scim/Dockerfile b/test-compose/scim/Dockerfile
index 6b62e1fc..99843d2b 100644
--- a/test-compose/scim/Dockerfile
+++ b/test-compose/scim/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper:latest
+FROM i2incommon/grouper:latest
LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
diff --git a/test-compose/ui/Dockerfile b/test-compose/ui/Dockerfile
index 8fec2ae0..5a8a6431 100644
--- a/test-compose/ui/Dockerfile
+++ b/test-compose/ui/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper:latest
+FROM i2incommon/grouper:latest
LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
diff --git a/test-compose/ws/Dockerfile b/test-compose/ws/Dockerfile
index f5c06b96..ef4802c1 100644
--- a/test-compose/ws/Dockerfile
+++ b/test-compose/ws/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/grouper:latest
+FROM i2incommon/grouper:latest
LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
diff --git a/tests/main.bats b/tests/main.bats
index 0c18d122..c5910c52 100644
--- a/tests/main.bats
+++ b/tests/main.bats
@@ -11,6 +11,6 @@ load ../common
}
-@test "070 There are no known security vulnerabilities" {
- ./tests/clairscan.sh ${maintainer}/${imagename}:latest
-}
+#@test "070 There are no known security vulnerabilities" {
+# ./tests/clairscan.sh ${maintainer}/${imagename}:latest
+#}