Lots of clean-up: scim/tomee working; setuid added for Tomcat and Shibd;

.dockerignore

@@ -1,4 +1,5 @@
 .git/
 test-compose/
 *.md
-manualBuild.sh
+manualBuild.sh
+LICENSE

Dockerfile

@@ -4,14 +4,11 @@ RUN yum update -y \
     && yum install -y wget tar unzip dos2unix \
     && yum clean all
 
-ENV ANT_VERSION="1.10.1" \
-    GROUPER_VERSION=2.3.0 \
-    JAVA_HOME=/opt/openjdk8 \
-    TOMCAT_MAJOR=8 \
-    TOMCAT_VERSION="8.5.23"
-
-RUN java_version=8.0.131; \ 
-    zulu_version=8.21.0.1; \   
+ENV GROUPER_VERSION=2.3.0 \
+    JAVA_HOME=/opt/java
+
+RUN java_version=8.0.131; \
+    zulu_version=8.21.0.1; \
     echo 'Downloading the OpenJDK Zulu...' \
     && wget -q http://cdn.azul.com/zulu/bin/zulu$zulu_version-jdk$java_version-linux_x64.tar.gz \
     && echo "1931ed3beedee0b16fb7fd37e069b162  zulu$zulu_version-jdk$java_version-linux_x64.tar.gz" | md5sum -c - \
@@ -40,30 +37,40 @@ RUN echo 'Installing Grouper'; \
     cd /opt/grouper/$GROUPER_VERSION/ \
     && $JAVA_HOME/bin/java -cp :grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller
 
-#The Grouper Installer is corrupting the Messaging Jar files.
-RUN cp /opt/grouper/2.3.0/grouper.rabbitMq-2.3.0/lib/* /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/lib/grouper/ \
-    && cp /opt/grouper/2.3.0/grouper.activeMq-2.3.0/lib/* /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/lib/grouper/
 
 
 FROM centos:centos7 as cleanup
 
-COPY --from=installing /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/ /opt/grouper/grouper.apiBinary
-COPY --from=installing /opt/grouper/2.3.0/grouper.ui-2.3.0/dist/grouper/ /opt/grouper/grouper.ui/dist/grouper/
-COPY --from=installing /opt/grouper/2.3.0/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/ /opt/grouper/grouper.ws/dist/grouper-ws/
-COPY --from=installing /opt/grouper/2.3.0/apache-tomcat-8.5.12/ /opt/tomcat/
-COPY --from=installing /opt/grouper/2.3.0/apache-tomee-webprofile-7.0.0/ /opt/tomee/
-COPY --from=installing /opt/grouper/2.3.0/grouper.clientBinary-2.3.0/ /opt/grouper/grouper.clientBinary/
+ENV GROUPER_VERSION=2.3.0 \
+    TOMCAT_VERSION=8.5.12 \    
+    TOMEE_VERSION=7.0.0
+
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouperInstaller.jar /opt/grouper/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.apiBinary-$GROUPER_VERSION/ /opt/grouper/grouper.apiBinary/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ui-$GROUPER_VERSION/dist/grouper/ /opt/grouper/grouper.ui/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ws-$GROUPER_VERSION/grouper-ws/build/dist/grouper-ws/ /opt/grouper/grouper.ws/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.ws-$GROUPER_VERSION/grouper-ws-scim/targetBuiltin/grouper-ws-scim/ /opt/grouper/grouper.scim/
+#COPY --from=installing /opt/grouper/$GROUPER_VERSION/grouper.clientBinary-$GROUPER_VERSION/ /opt/grouper/grouper.clientBinary/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/apache-tomcat-$TOMCAT_VERSION/ /opt/tomcat/
+COPY --from=installing /opt/grouper/$GROUPER_VERSION/apache-tomee-webprofile-$TOMEE_VERSION/ /opt/tomee/
 
 RUN cd /opt/grouper/grouper.apiBinary/; \
-    rm -fr ddlScripts/ grouper.lck grouper.log grouper.script grouper.tmp/ gshAddGrouperSystemWsGroup.gsh logs/ 
+    rm -fr ddlScripts/ grouper.lck grouper.log grouper.script grouper.tmp/ gshAddGrouperSystemWsGroup.gsh logs/
+
+RUN cd /opt/tomcat/; \
+    rm -fr webapps/docs/ webapps/examples/ webapps/host-manager/ webapps/manager/ logs/* temp/* work/* \
+    && mkdir -p logs/grouperUi logs/grouperWs
 
-RUN cd /opt/tomcat/webapps/; \
-    rm -fr docs/ examples/ host-manager/ manager/ logs/*
+RUN cd /opt/tomee/; \
+    rm -fr webapps/docs/ webapps/host-manager/ webapps/manager/ logs/* temp/* work/*
 
-RUN cd /opt/tomee/webapps/; \
-    rm -fr docs/ host-manager/ manager/ 
+RUN sed -i "s/\/opt\/grouper\/$GROUPER_VERSION\/apache-tomcat-$TOMCAT_VERSION/\/opt\/tomcat/g" /opt/grouper/grouper.ui/WEB-INF/classes/log4j.properties \
+    && sed -i "s/\/opt\/grouper\/$GROUPER_VERSION\/apache-tomcat-$TOMCAT_VERSION/\/opt\/tomcat/g" /opt/grouper/grouper.ws/WEB-INF/classes/log4j.properties \
+    && sed -i 's/${grouper.home}/\/opt\/tomee\//g' /opt/grouper/grouper.scim/WEB-INF/classes/log4j.properties
+
+COPY container_files/tomcat/ /opt/tomcat/
+COPY container_files/tomee/ /opt/tomee/
 
-COPY container_files/server.xml /opt/tomcat/conf/
 
 
 FROM tier/shibboleth_sp
@@ -74,8 +81,9 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       ImageName=$imagename \
       ImageOS=centos7
 
-ENV JAVA_HOME=/opt/openjdk8 \
-    PATH=$PATH:$JAVA_HOME/bin
+ENV JAVA_HOME=/opt/java \
+    PATH=$PATH:$JAVA_HOME/bin \
+    GROUPER_HOME=/opt/grouper/grouper.apiBinary
 
 RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime
 
@@ -84,12 +92,18 @@ RUN yum update -y \
     && pip install --upgrade pip \
     && pip install supervisor \
     && yum clean -y all
-   
+
 COPY --from=installing $JAVA_HOME $JAVA_HOME
 COPY --from=cleanup /opt/tomcat/ /opt/tomcat/
 COPY --from=cleanup /opt/tomee/ /opt/tomee/
 COPY --from=cleanup /opt/grouper/ /opt/grouper/
 
+RUN groupadd -r tomcat \
+    && useradd -r -m -s /sbin/nologin -g tomcat tomcat \
+    && mkdir -p /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
+    && chown -R tomcat:tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
+    && chown -R tomcat:tomcat /opt/tomee/logs/ /opt/tomee/temp/ /opt/tomee/work/
+
 COPY container_files/tier-support/ /opt/tier-support/
 COPY container_files/usr-local-bin /usr/local/bin/
 COPY container_files/httpd/* /etc/httpd/conf.d/

README.md

@@ -168,8 +168,8 @@ This image can now be used locally or pushed to an organization's Docker reposit
 # File System Endpoints
 Significant directories and files that deployers should be aware of.
 
-- `/grouper/conf/`: a common directory to place non-sensitive config files that will be placed into the appropriate location for each Grouper component at container start-up.
-- `/grouper/lib/`: a common directory to place additional jar files that will be placed into the appropriate location for each Grouper component at container start-up.
+- `/opt/grouper/conf/`: a common directory to place non-sensitive config files that will be placed into the appropriate location for each Grouper component at container start-up.
+- `/opt/grouper/lib/`: a common directory to place additional jar files that will be placed into the appropriate location for each Grouper component at container start-up.
 
 - `/etc/httpd/conf.d/ssl-enabled.conf`: Can be overlaid to change the TLS settings when running Grouper UI or Web Servicse.
 - `/etc/shibboleth/`: location to overlay the Shibboleth SP configuration files used by the image.
@@ -183,7 +183,7 @@ To examine baseline image files, one might run `docker run --name=temp -it tier/
 (TODO)
 
 ```
-docker run --detach --rm --name daemon \
+docker run --rm \
   --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper.hibernate.properties \
   tier/grouper gsh -registry -check -runscript -noprompt
 ```

container_files/grouper.installer.properties

@@ -6,10 +6,7 @@ grouper.version = 2.3.0
 grouperInstaller.print.autorunKeys = true
 # default to install or upgrade (default is install)
 grouperInstaller.default.installOrUpgrade = install
-# where to get grouper source from, the variable $BRANCH_NAME$ will be substituted for the branch
-download.source.url = https://github.com/Internet2/grouper/archive/$BRANCH_NAME$.zip
-# where to get grouper psp source from, the variable $BRANCH_NAME$ will be substituted for the branch
-download.pspSource.url = https://github.com/Internet2/grouper-psp/archive/$BRANCH_NAME$.zip
+
 ##############################
 ## Autorun properties
 ##
@@ -23,23 +20,10 @@ grouperInstaller.autorun.useDefaultsAsMuchAsAvailable = true
 ## Note: not all of them need to be filled out for all operations
 # autorun grouper system password (its not secure to have a plain text pass in a config file)
 grouperInstaller.autorun.grouperSystemPassword = XXXXXXXXXX
-# autorun Enter the database URL
-grouperInstaller.autorun.dbUrl = jdbc:mysql://localhost:3306/grouper
-# autorun database user
-grouperInstaller.autorun.dbUser = grouper
-# autorun database pass (note, it is not good security to have plaintext passwords in text config files)
-grouperInstaller.autorun.dbPass = XXXXXXXXXX
-# autorun Do you want to init the database (delete all existing grouper tables, add new ones) (t|f)?
-grouperInstaller.autorun.deleteAndInitDatabase = t
-
-# [jvf] The 'fake' run-through of 
-# While running the installer, we don't have access to the database
-#grouperInstaller.autorun.deleteAndInitDatabase = f
 
-# While running the installer, we don't have access to the database
-#grouperInstaller.autorun.addQuickstartSubjectsToDb = f
-
-# grouperInstaller.autorun.addQuickstartData = f
+grouperInstaller.autorun.deleteAndInitDatabase = t
+grouperInstaller.autorun.addQuickstartData = f
+grouperInstaller.autorun.installClient = f
 
 grouperInstaller.autorun.installGrouperActiveMqMessaging = t
 grouperInstaller.autorun.activeMqWhereInstalled = /opt/grouper/2.3.0/grouper.apiBinary-2.3.0/

container_files/httpd/grouper-www.conf

@@ -5,6 +5,7 @@ ProxyBadHeader Ignore
 
 ProxyPass /grouper ajp://localhost:8009/grouper  timeout=2400
 ProxyPass /grouper-ws ajp://localhost:8009/grouper-ws  timeout=2400
+ProxyPass /grouper-ws-scim ajp://localhost:8009/grouper-ws-scim  timeout=2400
 
 <Location /grouper>
   AuthType shibboleth

container_files/tier-support/grouper-ws-scim.xml

@@ -0,0 +1,6 @@
+<Context docBase="/opt/grouper/grouper.scim/" path="/grouper-ws-scim" reloadable="false">
+    <!-- Allow our symlinks to work-->
+    <Resources allowLinking="true" />
+</Context>
+
+

container_files/tier-support/grouper-ws.xml

@@ -1,4 +1,4 @@
-<Context docBase="/opt/grouper/grouper.ws/dist/grouper-ws/" path="/grouper-ws" reloadable="false">
+<Context docBase="/opt/grouper/grouper.ws/" path="/grouper-ws" reloadable="false">
     <!-- Allow our symlinks to work-->
     <Resources allowLinking="true" />
 </Context>

container_files/tier-support/grouper.xml

@@ -1,4 +1,4 @@
-<Context docBase="/opt/grouper/grouper.ui/dist/grouper/" path="/grouper" reloadable="false">
+<Context docBase="/opt/grouper/grouper.ui/" path="/grouper" reloadable="false">
     <!-- Allow our symlinks to work-->
     <Resources allowLinking="true" />
 </Context>

container_files/tier-support/supervisord-web.conf → container_files/tier-support/supervisord-tomcat.conf

@@ -3,7 +3,7 @@ logfile=/dev/fd/1                               ; supervisord log file
 logfile_maxbytes=0                           ; maximum size of logfile before rotation
 loglevel=error                                  ; info, debug, warn, trace
 nodaemon=true                                  ; run supervisord as a daemon
-;user=root                                       ; default user
+user=root                                       ; default user
 
 [rpcinterface:supervisor]
 supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
@@ -22,13 +22,15 @@ stdout_logfile = /dev/fd/1
 stdout_logfile_maxbytes=0
 
 [program:shibbolethsp]
-command=/usr/sbin/shibd -f
+user=shibd
+command=/usr/sbin/shibd -f -F
 stderr_logfile = /dev/fd/2
 stderr_logfile_maxbytes=0
 stdout_logfile = /dev/fd/1
 stdout_logfile_maxbytes=0
 
 [program:tomcat]
+user=tomcat
 command=/opt/tomcat/bin/catalina.sh run 
 stderr_logfile = /dev/fd/2
 stderr_logfile_maxbytes=0

container_files/tier-support/supervisord-tomee.conf

@@ -0,0 +1,31 @@
+[supervisord]
+logfile=/dev/fd/1                               ; supervisord log file
+logfile_maxbytes=0                           ; maximum size of logfile before rotation
+loglevel=error                                  ; info, debug, warn, trace
+nodaemon=true                                  ; run supervisord as a daemon
+user=root                                       ; default user
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock         ; use a unix:// URL  for a unix socket
+
+; Our processes
+; writing output to stdout (1) and err (2) (for Docker logging) and disabling log rotation
+
+[program:httpd]
+command=httpd -DFOREGROUND
+stderr_logfile = /dev/fd/2
+stderr_logfile_maxbytes=0
+stdout_logfile = /dev/fd/1
+stdout_logfile_maxbytes=0
+
+[program:tomee]
+user=tomcat
+command=/opt/tomee/bin/catalina.sh run 
+stderr_logfile = /dev/fd/2
+stderr_logfile_maxbytes=0
+stdout_logfile = /dev/fd/1
+stdout_logfile_maxbytes=0
+