Lots of changes/clean-up

.dockerignore

@@ -1,3 +1,4 @@
 .git/
 test-compose/
 *.md
+manualBuild.sh

Dockerfile

@@ -92,13 +92,14 @@ COPY --from=cleanup /opt/grouper/ /opt/grouper/
 
 COPY container_files/tier-support/ /opt/tier-support/
 COPY container_files/usr-local-bin /usr/local/bin/
-COPY container_files/httpd/grouper-www.conf /etc/httpd/conf.d/
+COPY container_files/httpd/* /etc/httpd/conf.d/
 COPY container_files/shibboleth/* /etc/shibboleth/
 
-RUN cp /dev/null /etc/httpd/conf.d/ssl.conf
+RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
+    && touch /etc/pki/tls/certs/cachain.pem
 
 WORKDIR /opt/grouper/grouper.apiBinary/
 
 EXPOSE 80 443
 
-CMD ["/bin/sh", "bin/gsh", "-loader"]
+CMD ["bin/gsh", "-loader"]

README.md

@@ -1 +1,196 @@
 
+# Supported tags
+
+-	latest
+
+# Quick reference
+
+-	**Where to get help**:  
+	[TODO](http://example.com/help)
+
+-	**Where to file issues**:  
+	[https://github.internet2.edu/docker/grouper_noVM/issues](https://github.internet2.edu/docker/grouper_noVM/issues)
+
+-	**Maintained by**:  
+	[TIER Packaging Working Group](https://spaces.internet2.edu/display/TPWG)
+
+-	**Supported Docker versions**:  
+	[the latest release](https://github.com/docker/docker-ce/releases/latest) (down to 1.6 on a best-effort basis)
+
+# What is Grouper?
+
+Grouper is an enterprise access management system designed for the highly distributed management environment and heterogeneous information technology environment common to universities. Operating a central access management system that supports both central and distributed IT reduces risk.
+
+> [www.internet2.edu/products-services/trust-identity/grouper/](https://www.internet2.edu/products-services/trust-identity/grouper/)
+
+![logo](https://www.internet2.edu/media/medialibrary/2013/10/15/image_grouper_logowordmark_bw.png)
+
+# How to use this image
+This image provides support for each of the Grouper components/roles: Grouper Daemon/Loader, Grouper UI, and Grouper Web Services.
+
+## Starting each role
+
+While TIER recommends/supports using Docker Swarm for orchestrating the Grouper environment, these containers can be run directly. Both examples are shown below. It should be noted that these examples will not run independently, but required additional configuration components to be provided before each container will start as expected.
+
+### Daemon/Loader
+
+Run the Grouper Daemon/Loader as a service.
+
+```console
+$ docker service create --detach --name grouper-daemon tier/grouper:latest daemon
+```
+
+Run the Grouper Daemon/Loader as a standalone container.
+
+```console
+$ docker run --detach --name grouper-daemon tier/grouper:latest daemon
+```
+
+### UI
+
+Runs the Grouper UI as a service.
+
+```console
+$ docker service create --detach --publish 443:443 --name grouper-ui tier/grouper:latest ui
+```
+
+Runs the Grouper UI in a standalone container.
+
+```console
+$ docker run --detach --name --publish 443:443 grouper-ui tier/grouper:latest ui
+```
+
+### Web Services
+
+Runs the Grouper Web Services as a service. 
+
+```console
+$ docker service create --detach --publish 8443:443 --name grouper-ws tier/grouper:latest ws
+```
+
+Runs the Grouper Web Services in a standalone container. 
+
+```console
+$ docker run --detach --publish 8443:443 --name grouper-daemon tier/grouper:latest ws
+```
+
+### UI and Web Services
+
+This good when first starting to work with Grouper, but when scaling Grouper UI or Web Services it is advisable to use the individual roles noted above.
+
+Runs the Grouper UI and Web Services as a combined service. (You should really run these as individual roles to take advantage of Docker service replicas.) 
+
+```console
+$ docker service create --detach --publish 443:443 --name grouper-web tier/grouper:latest ui-ws
+```
+
+Runs the Grouper UI and Web Services in a combined container. This good when first starting to work with Grouper, but when scaling Grouper UI or Web Services it is advisable to use the individual roles noted above.
+
+```console
+$ docker run --detach --publish 443:443 --name grouper-web tier/grouper:latest ui-ws
+```
+
+### GSH
+
+Runs the Grouper Shell in a throwaway container. This makes it easy to run Grouper commands and Grouper Shell scripts. Since it is interactive it does not run as a service.
+
+```console
+$ docker run -it --rm tier/grouper:latest bin/gsh <optional GSH args>
+```
+
+# Configuration
+
+## Grouper Configurations
+There are several things that are required for this image to successfully start. At a minimum, the `grouper.hibernate.properties` and `subject.properties` (or the old `sources.xml` equivalent) files need to be customized and available to the container at start-up. 
+
+## Web Apps Configuration
+If starting the container to serve the Grouper UI or Grouper Web Services components, a TLS key and cert(s) need to be applied to those containers. 
+
+The Grouper UI also requires some basic Shibboleth SP configuration. The `/etc/shibboleth/shibboleth2.xml` file should be modified to set:
+- an entityId for the SP
+- load IdP or federation metadata 
+- set the SP's encryption keys
+- the identity attribute of the subject to be passed to Grouper
+
+If encrpytion keys are defined in the `shibboleth2.xml` file, then the key/cert should be provided as well. The `attribute-map.xml` file has most of the common identity attributes pre-configured, but it (and other Shibbolrth SP files) can be overlaid/replaced as necessary. 
+
+## General Configuration Mechanism
+There are three primary ways to provide the Grouper and additional configuration to the container: Docker Config/Secrets, customized images, and bind mounts. Depending upon your needs you may use a combination of two or three of these options.
+
+### Secrets/Configs
+
+Docker Config and Docker Secrets is Docker's way of providing configurations files to a container. The primary difference between the Config and Secrets functionality is that Secrets is designed to protect resrouces that sensitive files.
+
+This image will make any secrets (containing a period in the secret name) available to the appropriate Grouper component's conf directory (i.e. `<GROUPER_HOME>/conf` or `WEB-INF/classes`). These file will supercede any in the underlying image.
+
+Secrets can be managed using the `docker secret` command: `docker secret create grouper.hibernate.properties ./grouper.hibernate.properties`. This will securely store the file in the swarm. Secrets can then be assigned to the service `docker service create -d --name daemon --secret grouper.hibernate.properties --secret sources.xml tier/grouper daemon`.
+
+> `docker run` does not support secrets; Bind mounts need to be used instead.
+
+### Bind Mounts
+
+Bind mounts can be used to connect files on the Docker host into the container. When not running in swarm mode, the secrets are supported, so we can use a bind mount to provide the container with the configuration files.
+
+```
+docker run --detach --name daemon \
+  --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper.hibernate.properties \
+  --mount type=bind,src=$(pwd)/sources.xml,dst=/run/secrets/sources.xml \
+  tier/grouper daemon
+```
+
+### Customized Images
+
+Deployers will undoubtedly want to add in their files to the container; things like addtional jar files defining Grouper Hooks, or things like own images, css files, anything. This can be accomplished by building custom images. **Deployers should NOT use this method to store sensitive configuration files.**
+
+To add a favicon to the Grouper UI, we use the tier/grouper images as a base and `COPY` our local `favicon.ico` into the image. While we are at it, we define this image as a UI image by specifying the default commnd (i.e `CMD`) of `ui`.
+
+```Dockerfile
+FROM tier/grouper:latest
+
+COPY favicon.ico /opt/grouper/grouper.ui/dist/grouper/
+
+CMD ui
+```
+
+To build our image:
+
+```
+docker build --tag=org/grouper-ui .
+```
+
+This image can now be used locally or pushed to an organization's Docker repository.
+
+
+## Memory Limits
+(TODO)
+
+
+# File System Endpoints
+Significant directories and files that deployers should be aware of.
+
+- `/grouper/conf/`: a common directory to place non-sensitive config files that will be placed into the appropriate location for each Grouper component at container start-up.
+- `/grouper/lib/`: a common directory to place additional jar files that will be placed into the appropriate location for each Grouper component at container start-up.
+
+- `/etc/httpd/conf.d/ssl-enabled.conf`: Can be overlaid to change the TLS settings when running Grouper UI or Web Servicse.
+- `/etc/shibboleth/`: location to overlay the Shibboleth SP configuration files used by the image.
+- `/opt/grouper/grouper.apiBinary/`: location to overlay Grouper GSH or Daemon/Loader files.
+- `/opt/grouper/grouper.ui/dist/grouper/`: location to overlay Grouper UI web application files.
+- `/opt/grouper/grouper.ws/dist/grouper-ws/`: location to overlay Grouper Web Services web application files.
+
+To examine baseline image files, one might run `docker run --name=temp -it tier/grouper bash` and browse through these endpoints. While the container is running one may copy files out of the image/container using something like `docker cp temp:/opt/grouper/grouper.api/conf/grouper.properties .`, which will copy the `grouper.properties` to the host's present working directory. These files can then be edited and applied via the mechanisms outlined above.
+
+# Provisioning a Grouper Database
+(TODO)
+
+```
+docker run --detach --rm --name daemon \
+  --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper.hibernate.properties \
+  tier/grouper gsh -registry -check -runscript -noprompt
+```
+
+
+# License
+
+View [license information](TODO) for the software contained in this image.
+
+As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

container_files/httpd/grouper-www.conf

@@ -1,28 +1,15 @@
 
-  Timeout 2400
-  ProxyTimeout 2400
-  ProxyBadHeader Ignore
-
-  ProxyPass /Shibboleth.sso !
-  ProxyPass /grouper ajp://localhost:8009/grouper  timeout=2400
-  ProxyPass /grouper-ws ajp://localhost:8009/grouper-ws  timeout=2400
-
-  <Location /grouper>
-     AuthType shibboleth
-     ShibRequestSetting requireSession 1
-     ShibRequireSession on
-     ShibUseHeaders On
-     require shibboleth
-    </Location>
-
-  # modern configuration, tweak to your needs
-  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
-  SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-  SSLHonorCipherOrder     on
-  SSLCompression          off
-
-  # OCSP Stapling, only in httpd 2.3.3 and later
-  SSLUseStapling          on
-  SSLStaplingResponderTimeout 5
-  SSLStaplingReturnResponderErrors off
-  SSLStaplingCache        shmcb:/var/run/ocsp(128000)
+Timeout 2400
+ProxyTimeout 2400
+ProxyBadHeader Ignore
+
+ProxyPass /grouper ajp://localhost:8009/grouper  timeout=2400
+ProxyPass /grouper-ws ajp://localhost:8009/grouper-ws  timeout=2400
+
+<Location /grouper>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  ShibRequireSession on
+  ShibUseHeaders On
+  require shibboleth
+</Location>

container_files/httpd/ssl-enabled.conf

@@ -0,0 +1,28 @@
+# modern configuration, tweak to your needs
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder     on
+SSLCompression          off
+
+# OCSP Stapling, only in httpd 2.3.3 and later
+SSLUseStapling          on
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache        shmcb:/var/run/ocsp(128000)
+
+Listen 443 https
+<VirtualHost *:443>
+  RewriteEngine on
+  RewriteRule   "^/$"  "/grouper/"  [R]
+
+  SSLEngine on
+  SSLCertificateChainFile /etc/pki/tls/certs/cachain.pem
+
+  SSLCertificateFile /etc/pki/tls/certs/host-cert.pem
+
+  SSLCertificateKeyFile /etc/pki/tls/private/host-key.pem
+
+  # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+  Header always set Strict-Transport-Security "max-age=15768000"
+</VirtualHost>
+

container_files/tier-support/grouper-ws.xml

@@ -1 +1,4 @@
-<Context docBase="/opt/grouper/grouper.ws/dist/grouper-ws/" path="/grouper-ws" reloadable="false"/>
+<Context docBase="/opt/grouper/grouper.ws/dist/grouper-ws/" path="/grouper-ws" reloadable="false">
+    <!-- Allow our symlinks to work-->
+    <Resources allowLinking="true" />
+</Context>

container_files/tier-support/grouper.xml

@@ -1,3 +1,4 @@
-<Context docBase="/opt/grouper/grouper.ui/dist/grouper/"
-    path="/grouper"
-    reloadable="false" />
+<Context docBase="/opt/grouper/grouper.ui/dist/grouper/" path="/grouper" reloadable="false">
+    <!-- Allow our symlinks to work-->
+    <Resources allowLinking="true" />
+</Context>

container_files/tier-support/supervisord-web.conf

@@ -1,6 +1,3 @@
-[unix_http_server]
-file=/tmp/supervisor.sock                       ; path to your socket file
-
 [supervisord]
 logfile=/dev/fd/1                               ; supervisord log file
 logfile_maxbytes=0                           ; maximum size of logfile before rotation