Merge pull request #25 from docker/201911

updating master with latest from 201911 temple training

.gitignore

@@ -1,3 +1,7 @@
 localManualBuild.sh
 runContainer.sh
-tmp
+tmp
+.vscode/spellright.dict
+.vscode/settings.json
+.DS_Store
+_build

Jenkinsfile

@@ -9,15 +9,15 @@
 
 
 /** Each class has a set of modules with a set of steps. 
- *  For examples, ex101.1.1, ex101.1.2, ex101.1.3, ex101.2.1, ex101.2.2, etc.
- *  Each step is an image.
- *  The exceriseSets has the class name and an array of the number of steps for module.     
+ *  For examples, 101.1.1, 101.1.2, 101.1.3, 101.2.1, 101.2.2, etc.
+ *  Each step is an associated docker image.
+ *  exceriseSets has the class name and an array of the number of steps for module.     
 **/
 exceriseSets = [
-//    'ex101' : [3, 2],
-    'ex201' : [1, 1, 1, 1, 1],
-//    'ex301' : [2, 2, 5, 6], manually built with a single image
-    'ex401' : [6, 9, 7, 1]
+//    '101' : [3, 2],
+    '201' : [1, 1, 1, 1, 1],
+//    '301' : [2, 2, 5, 6], manually built with a single image
+    '401' : [1, 1, 1, 1]
 ]
 
 pipeline {
@@ -33,22 +33,21 @@ pipeline {
                 script {
                     maintainer = maintain()
                     imagename = imagename()
-/*                    if(env.BRANCH_NAME == "master") {
+                    if(env.BRANCH_NAME == "master") {
                        tag = "latest"
                     } else {
                        tag = env.BRANCH_NAME
                     }
-*/
+
                     if(!imagename){
                         echo "You must define an imagename in common.bash"
                         currentBuild.result = 'FAILURE'
                      }
-                    sh 'mkdir -p bin'
-                    sh 'mkdir -p tmp'
+                    sh 'mkdir -p tmp && mkdir -p bin'
                     dir('tmp'){
                       git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
-                      sh 'ls'
-                      sh 'mv bin/* ../bin/.'
+                      sh 'rm -rf ../bin/*'
+                      sh 'mv ./bin/* ../bin/.'
                     }
                 }  
              }
@@ -71,8 +70,8 @@ pipeline {
             steps {
                 script {
                     docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-${maintainer}") {
-                        def baseImg = docker.build("${maintainer}/${imagename}:base", "--no-cache --pull base")
-                        baseImg.push("base")
+                        def baseImg = docker.build("${maintainer}/${imagename}:base-${tag}", "--no-cache --pull base")
+                        baseImg.push("base-${tag}")
                     }
                 }
             }
@@ -84,37 +83,33 @@ pipeline {
                         def tagSet = generateTagSet()
                         def builds = build(tagSet)
 
-                        if(env.BRANCH_NAME == "master") {
+                        if(env.BRANCH_NAME == "201911") {
                             //builds.each{ k, v -> echo ("push ${k}") } //for local testing
                             builds.each{ k, v -> v.push(k) }
+
+	                        def build = docker.build("${maintainer}/${imagename}:101.1.1-${tag}", "--no-cache --pull --build-arg VERSION_TAG=${tag} ex101/ex101.1.1")
+	                        build.push("101.1.1-${tag}")
 
-                        } else {
-                            echo 'skipping push, since the SCM branch is not master'
-                        }
-                    }
-                }
-            }
-        }
-        stage('Build Oddballs') {
-            steps {
-                script {
-                    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-${maintainer}") {
-                        def baseImg = docker.build("${maintainer}/${imagename}:ex101.1.1", "--no-cache --pull ex101/ex101.1.1")
-                        baseImg.push("ex101.1.1")
+	                        build = docker.build("${maintainer}/${imagename}:211.1.1-${tag}", "--no-cache --pull --build-arg VERSION_TAG=${tag} ex211/ex211.1.1")
+	                        build.push("211.1.1-${tag}")
 
-                        baseImg = docker.build("${maintainer}/${imagename}:ex211.1.1", "--no-cache --pull ex211/ex211.1.1")
-                        baseImg.push("ex211.1.1")
+	                        build = docker.build("${maintainer}/${imagename}:301.4.1-${tag}", "--no-cache --pull --build-arg VERSION_TAG=${tag} ex301/ex301.4.1")
+	                        build.push("301.4.1-${tag}")
+
+	                        build = docker.build("${maintainer}/${imagename}:full_demo-${tag}", "--no-cache --pull --build-arg VERSION_TAG=${tag} full-demo")
+	                        build.push("full_demo-${tag}")
 
-                        baseImg = docker.build("${maintainer}/${imagename}:ex301.4.1", "--no-cache --pull ex301/ex301.4.1")
-                        baseImg.push("ex301.4.1")
+                        } else {
+                            echo 'not building images, since the SCM branch is not 201911'
+                        }
                     }
                 }
             }
         }
         stage('Notify') {
             steps{
                 echo "$maintainer"
-                slackSend color: 'good', message: "${maintainer}/${imagename} set pushed to DockerHub"
+                slackSend color: 'good', message: "${maintainer}/${imagename} version ${tag} pushed to DockerHub"
             }
         }
     }
@@ -124,7 +119,7 @@ pipeline {
         }
         failure {
             // slackSend color: 'good', message: "Build failed"
-            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename} version ${tag}.")
         }
     }
 }
@@ -159,10 +154,10 @@ def generateTagSet() {
 def build(tagSet) {
     def builds = [:]
 
-    for (String tag : tagSet) {
-        def baseImg = docker.build("${maintainer}/${imagename}:${tag}", "--no-cache ${tag.tokenize('.')[0]}/${tag}")
-        echo "built ${tag}; adding to the push queue"
-        builds.put(tag, baseImg);
+    for (String tags : tagSet) {
+        def baseImg = docker.build("${maintainer}/${imagename}:${tags}-${tag}", "--no-cache --build-arg VERSION_TAG=${tag} ex${tags.tokenize('.')[0]}/ex${tags}")
+        echo "built ${tags}-${tag}; adding to the push queue"
+        builds.put("${tags}-${tag}", baseImg);
     }
 
     builds

README.md

@@ -1,97 +1,72 @@
-# grouper_training
-A set of Grouper images that are used during I2/TIER training.
+# Grouper Training Environment
 
-# Images
+The Grouper Training Environment (gte) is a set of docker images that contain
+all the software components, configuration, and setup necessary to complete the
+InCommon Grouper Training course. Each docker image tag coincides with a
+particular course, exercise, step, and the overall gte version. For example,
+the gte image tag for Grouper Basics 101 is 101.1.1-201906. The docker command
+to run the image for the 101 course is:
 
-## Full Demo
+``` bash
+
+docker run -d -p 80:80 -p 389:389 -p 8443:443 -p 3306:3306 \
+  --name 101.1.1 tier/gte:101.1.1-201906
 
 ```
-docker run -d -p 389:389 -p 8443:443 -p 3306:3306 \
-  --name grouper-demo tier/grouper-training-env:full_demo
+
+This will start Grouper, a Shibboleth IdP, OpenLDAP, mySQL, and other components. It will take a little while for the container to be ready. You can watch the logs as the various components are coming up with this command:
+
+``` bash
+docker logs -f 101.1.1
 ```
 
-Browse to `https://localhost/grouper`
+Once the container is ready, browse to <https://localhost:8443/grouper> to access the Grouper UI and log in with one of the following:
 
-## Exercises
+- Grouper Administrator
+  - username: `banderson`, password: `password`
+- Normal User
+  - username: `jsmith`, password: `password`
 
-```
+The container has a few other applications running. phpMyAdmin provides an admin interface to the Grouper mySQL database. phpLDAPadmin provides an admin interface to OpenLDAP. Finally, there is a sample application that displays subject attributes for the user that is logged in.
+
+- phpMyAdmin <https://localhost:8443/phpmyadmin/>
+  - username: `root`, password: (blank)
+- phpLDAPadmin <https://localhost:8443/phpldapadmin/>
+  - username: `cn=root,dc=internet2,dc=edu`, password: `password`
+- Shibboleth SP subject attributes <https://localhost:8443/app>
+
+All of the gte image tags are published to <https://hub.docker.com/r/tier/gte>. To use a particular image tag, run:
+
+``` bash
 docker run -d -p 80:80 -p 389:389 -p 8443:443 -p 3306:3306 \
-  --name gte tier/grouper-training-env:exXXX
+  --name {coures}.{exercise}.{step} tier/gte:{VERSION_TAG}
 ```
 
-Current tags:
-- ex101.1.1
-- ex201.1.1
-- ex201.1.end
-- ex201.2.1
-- ex201.2.end
-- ex201.3.1
-- ex201.3.end
-- ex201.4.1
-- ex201.4.end
-- ex201.5.1
-- ex201.5.end
-- ex211.1.1
-- ex301.4.1
-- ex401.1.1
-- ex401.1.2
-- ex401.1.3
-- ex401.1.4
-- ex401.1.5
-- ex401.1.6
-- ex401.1.end
-- ex401.2.1
-- ex401.2.2
-- ex401.2.3
-- ex401.2.4
-- ex401.2.5
-- ex401.2.6
-- ex401.2.7
-- ex401.2.8
-- ex401.2.9
-- ex401.2.end
-- ex401.3.1
-- ex401.3.2
-- ex401.3.3
-- ex401.3.4
-- ex401.3.5
-- ex401.3.6
-- ex401.3.7
-- ex401.3.end
-- ex401.4.1
-- ex401.4.end
-
-Browse to `https://localhost:8443/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost:8443/app`.
-
-# Users
-- `banderson`/`password`: Grouper Administrator
-- `jsmith`/`password`: standard user
-- additional users can be found in <https://github.internet2.edu/docker/grouper_training/blob/master/base/container_files/seed-data/users.ldif#L56>
-
-# Help apps
-
-- phpMyAdmin - https://localhost:8443/phpmyadmin/ - username: `root`, password: (blank)
-- phpLDAPadmin - https://localhost:8443/phpldapadmin/ - username: `cn=root,dc=internet2,dc=edu`, password: `password`
-
-
-# Course specific notes
-
-## Notes for the exercises in 401
-
-Before connecting to your SSH server, be sure to port forward a local port to the server's port `15672` as well.
-
-These exercises require Rabbit MQ to be started. Before starting the ex401 Grouper container, run:
+Where {VERSION_TAG} takes the form of {course}.{exercise}.{step}-{version}. For example:
 
+``` bash
+docker run -d -p 80:80 -p 389:389 -p 8443:443 -p 3306:3306 \
+  --name 101.1.1 tier/gte:101.1.1-201906
 ```
-docker run -d -p 15672:15672 --env RABBITMQ_NODENAME=docker-rabbit --hostname rabbitmq --name=rabbitmq rabbitmq:management
+
+More information about Grouper Training can be found on the Internet2 wiki: 
+<https://spaces.at.internet2.edu/display/Grouper/Grouper+Training+Environment>.
+
+## RabbitMQ for 401 exercises
+
+The 401 exercises require RabbitMQ. Before starting the 401 docker images,
+start RabbitMQ and a queue named `grouper`.
+
+``` bash
+docker run -d -p 15672:15672 --env RABBITMQ_NODENAME=docker-rabbit \
+  --hostname rabbitmq --name=rabbitmq rabbitmq:management
 ```
 
-Now browse to http://localhost:15672/ and login with `guest`/`guest`, and create a new queue named `grouper`.
+Then browse to <http://localhost:15672/> and login with `guest`/`guest`, and create a new queue named `grouper`.
 
-Now start the ex401 Grouper with this slightly modified command:
+Finally, start the 401 series gte with this slightly modified command:
 
-```bash
+``` bash
 docker run -d -p 389:389 -p 8443:443 -p 3306:3306 \
-  --link rabbitmq:rabbitmq --name gte tier/grouper-training-env:exXXX
-
+  --link rabbitmq:rabbitmq --name {coures}.{exercise}.{step} tier/gte:{VERSION_TAG}
 ```

base/Dockerfile

@@ -1,6 +1,10 @@
-FROM unicon/shibboleth-idp:3.3.3 as idp 
+FROM tier/shib-idp:3.4.3_20190201 as idp
 
-FROM tier/grouper:2.4.0-a2-u0-w0-p0-test
+# Grouper version for the entire GTE
+FROM tier/grouper:2.4.0-a80-u51-w10-p11-20191031-rc1
+
+# Disable docker HEALTHCHECK inherited from tier/shib-sp
+HEALTHCHECK NONE
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       Vendor="TIER" \
@@ -9,15 +13,15 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       ImageOS=centos7
 
 ENV ENV=training \
-    USERTOKEN=3.2.0_base
+    USERTOKEN=gte-base
 
 RUN yum install -y epel-release \
     && yum install -y emacs mariadb mariadb-server nano openldap openldap-clients openldap-servers phpMyAdmin phpldapadmin \
     && yum clean all
 
 COPY container_files/seed-data/ /seed-data/
 
-RUN mysql_install_db \
+RUN mysql_install_db --force \
     && chown -R mysql:mysql /var/lib/mysql/ \
     && sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/my.cnf \
     && sed -i 's/^\(log_error\s.*\)/# \1/' /etc/my.cnf \
@@ -79,8 +83,9 @@ COPY container_files/var-www-html/ /var/www/html/
 RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/ \
     && chown -R tomcat /opt/shibboleth-idp/ \
     && chmod -R 700 /opt/shibboleth-idp/ \
-    && chmod +rx /var/www/html/app/index.py
+    && chmod +rx /var/www/html/app/index.py \
+    && /opt/shibboleth-idp/bin/build.sh
 
 EXPOSE 389 3306 4443
 
-CMD ["grouper"]
+CMD ["grouper"]

base/container_files/conf/grouper-ui.properties

@@ -0,0 +1,5 @@
+# The configuration editor in grouper is very sensitive.  If you can only allow certain source IP addresses
+# it will add another layer of security.  Otherwise allow 0.0.0.0/0 and all will be allowed
+# If this configuration item is not filled in, then none are allowed
+# you can configure multiple CIDR addresses or networks comma separated, e.g. 1.2.3.4/32, 2.3.4.5/24
+grouperUi.configurationEditor.sourceIpAddresses = 0.0.0.0/0

base/container_files/conf/grouper.properties

@@ -23,3 +23,33 @@ groups.wheel.group                    = etc:sysadmingroup
 # Used to allow Include Exclude groups
 grouperIncludeExclude.use = true
 grouperIncludeExclude.requireGroups.use = true
+
+##################################
+## Lockout groups.  Could be used for other things, but used for policy group templates at least
+## if there is no allowed group, then anyone could use it
+##################################
+
+# group name of a lockout group
+# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.name\\.\\d+$"}
+grouper.lockoutGroup.name.0 = ref:iam:global_deny
+
+# allowed to use this lockout group.  If not configured, anyone could use
+# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.allowedToUse\\.\\d+$"}
+# grouper.lockoutGroup.allowedToUse.0 = ref:lockoutCanUse
+
+##################################
+## Require groups.  Could be used for other things, but used for policy group templates at least
+## if there is no allowed group, then anyone could use it
+##################################
+
+# group name of a require group
+# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"}
+grouper.requireGroup.name.0 = ref:iam:active
+
+# group name of a require group
+# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"}
+grouper.requireGroup.name.0 = ref:employee:fac_staff
+
+# allowed to use this require group.  If not configured, anyone could use
+# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.requireGroup\\.\\d+$"}
+# grouper.requireGroup.allowedToUse.0 = ref:activeCanUse

base/container_files/shibboleth-idp/messages/messages.properties

@@ -0,0 +1,6 @@
+# You can define message properties here to override messages defined in
+# system/messages/ or to add your own messages.
+idp.title = InCommon Trusted Access Platform - Grouper Training Environment
+idp.logo = /images/Grouper_204px.png
+idp.logo.alt-text = Grouper
+idp.footer = InCommon Trusted Access Platform - Grouper Training Environment

base/container_files/tomcat/conf/Catalina/localhost/idp.xml

@@ -1,4 +1,4 @@
-<Context docBase="/opt/shibboleth-idp/webapp"
+<Context docBase="/opt/shibboleth-idp/war/idp.war"
          privileged="true"
          antiResourceLocking="false"
          path="/idp">