Update images for Grouper v4

* Use Shib IDP v4
* Installed package changes to support Rocky Linux 8
* Additional php packages and configuration to support php apps and fcgi
* mysql max_connections 750
* Openldap defaults to mdb instead of hdb
* Curl does not have built-in ldap support, so use netcat for ping tests

base/Dockerfile

@@ -1,8 +1,8 @@
-FROM tier/shib-idp:latest4 as idp
+FROM tier/shib-idp:4.3.1_20230818 as idp
 # latest 3.x is tier/shib-idp:3.4.7_20200702
 
 # Grouper version for the entire GTE
-FROM i2incommon/grouper:4.5.2
+FROM i2incommon/grouper:4.5.5
 
 # Disable docker HEALTHCHECK inherited from tier/shib-sp
 HEALTHCHECK NONE
@@ -16,84 +16,100 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
 ENV ENV=training \
     USERTOKEN=gte-base
 
-# 2021-01-13 the phpldapadmin in epel is 1.2.5 which is incompatible with php 5.4.x
-RUN yum install -y epel-release \
-    && yum install -y mariadb mariadb-server nano openldap openldap-clients openldap-servers phpMyAdmin golang \
-          https://archive.fedoraproject.org/pub/archive/epel/7.2020-10-05/x86_64/Packages/p/phpldapadmin-1.2.3-10.el7.noarch.rpm \
-    && yum clean all
+RUN dnf install -y procps-ng nano nc mariadb mariadb-server openldap-clients php php-json php-mysqlnd golang https://archive.fedoraproject.org/pub/archive/epel/8.7/Everything/x86_64/Packages/p/phpldapadmin-1.2.6.3-1.el8.noarch.rpm \
+    && dnf install -y 'dnf-command(config-manager)' \
+    && dnf config-manager --set-enabled powertools \
+    && dnf install -y openldap-servers \
+    && dnf clean all
+
+RUN mkdir -p /tmp/phpmyadmin \
+    && cd /tmp/phpmyadmin \
+    && wget https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-all-languages.zip \
+    && unzip phpMyAdmin-*.zip \
+    && mv phpMyAdmin-*-all-languages /usr/share/phpmyadmin \
+    && mkdir -p /run/php-fpm/ /usr/share/phpmyadmin/tmp/
 
 COPY container_files/seed-data/ /seed-data/
 
+# TODO get the my.cnf from the old server. These files are in cnf.d and don't have a lot of variables
 RUN mysql_install_db --force \
-    && chown -R mysql:mysql /var/lib/mysql/ \
-    && sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf \
+    && chown -R mysql:mysql /var/lib/mysql/ /var/log/mariadb \
+    && sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf.d/mariadb-server.cnf \
     && sed -i 's/^\(log_error\s.*\)/# \1/' /etc/my.cnf \
     && sed -i 's/\[mysqld\]/\[mysqld\]\ncharacter_set_server = utf8/' /etc/my.cnf \
     && sed -i 's/\[mysqld\]/\[mysqld\]\ncollation_server = utf8_general_ci/' /etc/my.cnf \
     && sed -i 's/\[mysqld\]/\[mysqld\]\nport = 3306/' /etc/my.cnf \
     && cat  /etc/my.cnf \
     && echo "/usr/bin/mysqld_safe &" > /tmp/config \
     && echo "mysqladmin --silent --wait=30 ping || exit 1" >> /tmp/config \
-    && echo "mysql -e 'GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION;'" >> /tmp/config \
+    && echo "mysql -e 'CREATE USER \"root\"@\"%\"; GRANT ALL PRIVILEGES ON *.* TO \"root\"@\"%\" WITH GRANT OPTION; FLUSH PRIVILEGES'" >> /tmp/config \
     && echo "mysql -e 'CREATE DATABASE grouper CHARACTER SET utf8 COLLATE utf8_bin;'" >> /tmp/config \
     && bash /tmp/config \
     && rm -f /tmp/config
 #    && mysql grouper < /seed-data/sisData.sql
 
+# TODO error ERROR 1133 (28000) at line 1: Can't find any matching row in the user table
+
+# On Rocky Linux, slapd defaults to mdg not hdb
+# use `ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn` to config
+
+# On Rocky, don't need to import module memberOf (`cat /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif`)
+
 RUN cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG \
     && mkdir -p /var/ldap/example \
     && chown -R ldap:ldap /var/lib/ldap /etc/openldap/slapd.d /var/ldap \
     && (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
-    && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
-    ldapmodify -Y EXTERNAL -H ldapi:/// -f /seed-data/domain.ldif \
+    && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done \
+    && ldapmodify -Y EXTERNAL -H ldapi:/// -f /seed-data/domain.ldif \
     && ldapadd -H ldapi:/// -f /etc/openldap/schema/cosine.ldif \
     && ldapadd -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif \
     && ldapadd -H ldapi:/// -f /seed-data/memberOf.ldif \
     && ldapadd -H ldapi:/// -f /seed-data/eduPerson.ldif \
     && ldapadd -x -D cn=root,dc=internet2,dc=edu -w password -f /seed-data/users.ldif \
     && pkill -HUP slapd \
-    && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done
+    && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done
 
 RUN go install github.com/mailhog/MailHog@v1.0.1
 
 COPY container_files/conf/* /opt/grouper/grouperWebapp/WEB-INF/classes/
-COPY container_files/conf/grouperText/* /opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/
+#COPY container_files/conf/grouperText/* /opt/grouper/grouperWebapp/WEB-INF/classes/grouperText/
 
 RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
-    && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
+    && while ! nc -z localhost 389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
     (mysqld_safe & ) \
-    && while ! curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
+    && while ! nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to start; sleep 3; done; \
     cd /opt/grouper/grouperWebapp/WEB-INF/bin \
     && ./gsh.sh -registry -check -runscript -noprompt \
-    && ./gsh.sh /seed-data/bootstrap.gsh \
     && pkill -HUP slapd \
-    && while curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
+    && while nc -z localhost 389 > /dev/null; do echo waiting for ldap to stop; sleep 1; done; \
     pkill -u mysql mysqld \
-    && while curl -s localhost:3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
+    && while nc -z localhost 3306 > /dev/null; do echo waiting for mysqld to stop; sleep 1; done
 
 COPY --from=idp /opt/shibboleth-idp/ /opt/shibboleth-idp/
 
 COPY container_files/etc/ /etc/
 COPY container_files/httpd/* /etc/httpd/conf.d/
 COPY container_files/shibboleth-idp/ /opt/shibboleth-idp/
 COPY container_files/shibboleth-sp/* /etc/shibboleth/
-COPY container_files/tomcat/ /opt/tomee/
+COPY container_files/tomcat/ /opt/tomcat/
 COPY container_files/tier-support/* /opt/tier-support/
 COPY container_files/tls/host-key.pem  /etc/pki/tls/private/
 COPY container_files/tls/* /etc/pki/tls/certs/
 COPY container_files/usr-local-bin/* /usr/local/bin/
 COPY container_files/var-www-html/ /var/www/html/
+COPY container_files/usr/share/ /usr/share/
 
-#RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomee/conf/Catalina/localhost/ \
+#RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/ \
 RUN chown -R tomcat /opt/shibboleth-idp/ \
     && chmod -R 700 /opt/shibboleth-idp/ \
     && chmod +rx /var/www/html/app/index.py \
-    && /opt/shibboleth-idp/bin/build.sh \
-    && chmod go-w /etc/phpMyAdmin/config.inc.php
+    && ANT_OPTS="-Didp.noprompt=true -Didp.target.dir=/opt/shibboleth-idp" /opt/shibboleth-idp/bin/build.sh \
+    && chmod go-w /usr/share/phpmyadmin/config.inc.php
 
 
 RUN chown -R tomcat:tomcat /opt/grouper/grouperWebapp
-RUN chown -R tomcat:tomcat /opt/tomee
+RUN chown -R tomcat:tomcat /opt/tomcat
+RUN chown -R apache:apache /usr/share/phpmyadmin/tmp/
 
 ENV GROUPER_START_DELAY_SECONDS=10 \
     GROUPER_WS_GROUPER_AUTH=true

base/container_files/conf/grouper.hibernate.properties

@@ -28,4 +28,4 @@ hibernate.connection.username         = root
 # Note: you can keep passwords external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122
 hibernate.connection.password         = 
 
-registry.auto.ddl.upToVersion = 2.5.*
+registry.auto.ddl.upToVersion = 4.*.*

base/container_files/conf/log4j2.xml

@@ -5,7 +5,7 @@
     </Properties>
     <Appenders>
         <File name="CATALINA" fileName="/tmp/logpipe">
-            <PatternLayout pattern="tomee;catalina.out;${env:ENV};${env:USERTOKEN};${layout}"/>
+            <PatternLayout pattern="tomcat;catalina.out;${env:ENV};${env:USERTOKEN};${layout}"/>
         </File>
         <Console name="stderr" target="SYSTEM_ERR">
           <PatternLayout pattern="grouper;${ENV};${USERTOKEN};${layout}"/>

base/container_files/etc/my.cnf.d/mariadb-server.cnf

@@ -0,0 +1,56 @@
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+#
+# See the examples of server my.cnf files in /usr/share/mysql/
+#
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+# Settings user and group are ignored when systemd is used.
+# If you need to run mysqld under a different user or group,
+# customize your systemd unit file for mysqld/mariadb according to the
+# instructions in http://fedoraproject.org/wiki/Systemd
+[mysqld]
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+log-error=/var/log/mariadb/mariadb.log
+pid-file=/run/mariadb/mariadb.pid
+max_connections = 750
+
+
+#
+# * Galera-related settings
+#
+[galera]
+# Mandatory settings
+#wsrep_on=ON
+#wsrep_provider=
+#wsrep_cluster_address=
+#binlog_format=row
+#default_storage_engine=InnoDB
+#innodb_autoinc_lock_mode=2
+#
+# Allow server to accept connections on all interfaces.
+#
+bind-address=0.0.0.0
+#
+# Optional setting
+#wsrep_slave_threads=1
+#innodb_flush_log_at_trx_commit=0
+
+# this is only for embedded server
+[embedded]
+
+# This group is only read by MariaDB servers, not by MySQL.
+# If you use the same .cnf file for MySQL and MariaDB,
+# you can put MariaDB-only options here
+[mariadb]
+
+# This group is only read by MariaDB-10.3 servers.
+# If you use the same .cnf file for MariaDB of different versions,
+# use this group for options that older servers don't understand
+[mariadb-10.3]
+