From 21f416a350b341df1783b1d9837a8bfe55a24915 Mon Sep 17 00:00:00 2001 
From: Paul Caskey Date: Tue, 3 Apr 2018 17:29:16 -0400 Subject: [PATCH] merge noVM container --- BINSCRIPTS.md | 41 --- Dockerfile | 316 ++++++++++++------ Jenkinsfile | 90 ----- README.md | 19 +- bin/setNewSealerKey.sh | 66 ++++ bin/syncFilesToAllSwarmNodes.sh | 87 +++++ common.bash | 5 - .../bin/sendtierbeacon.sh | 0 {files => container_files}/bin/setenv.sh | 3 +- .../bin/setupcron.sh | 6 +- container_files/cert/InCommon.crt | 91 +++++ container_files/idp/idp.installer.properties | 9 + container_files/idp/idp.merge.properties | 5 + container_files/idp/idp.xml | 4 + container_files/idp/ldap.merge.properties | 2 + container_files/system/startup.sh | 49 +++ container_files/system/supervisord.conf | 25 ++ container_files/tomcat/log4j2.xml | 27 ++ {files => container_files/tomcat}/server.xml | 2 +- container_files/tomcat/setenv.sh | 4 + files/idp.xml | 4 - tests/shibboleth-idp.bats | 48 --- 22 files changed, 595 insertions(+), 308 deletions(-) delete mode 100644 BINSCRIPTS.md delete mode 100644 Jenkinsfile create mode 100644 bin/setNewSealerKey.sh create mode 100644 bin/syncFilesToAllSwarmNodes.sh delete mode 100644 common.bash rename {files => container_files}/bin/sendtierbeacon.sh (100%) rename {files => container_files}/bin/setenv.sh (95%) rename files/bin/startup.sh => container_files/bin/setupcron.sh (75%) create mode 100644 container_files/cert/InCommon.crt create mode 100644 container_files/idp/idp.installer.properties create mode 100644 container_files/idp/idp.merge.properties create mode 100644 container_files/idp/idp.xml create mode 100644 container_files/idp/ldap.merge.properties create mode 100644 container_files/system/startup.sh create mode 100644 container_files/system/supervisord.conf create mode 100644 container_files/tomcat/log4j2.xml rename {files => container_files/tomcat}/server.xml (99%) create mode 100644 container_files/tomcat/setenv.sh delete mode 100644 files/idp.xml delete mode 100644 tests/shibboleth-idp.bats 
diff --git a/BINSCRIPTS.md b/BINSCRIPTS.md deleted file mode 100644 index f5949ba..0000000 --- a/BINSCRIPTS.md +++ /dev/null @@ -1,41 +0,0 @@ -# util - -This repository is intended to be downloaded into a container repository during development for convenience purposes. Since the major mechanisms of developing to the Docker container construction lifecycle are identical across container images, this repository allows for consistency and additional ease of use across all container images. - -## Install - -If you are reading this file in BINSCRIPTS.md, your container project is likely to be util-enabled. - -To use these scripts yourself, issue this command: - -``` -curl "https://github.internet2.edu/raw/docker/util/master/bin/install.sh?token=AAAAETsVKUnOEAMM8TvUUZccPYi13wsnks5Xq46jwA%3D%3D" | bash -``` - -### common.bash - -The installation process will create a common.bash file. This file should be the central, canonical authority for management of environment variables. While a subprocess may override them, the files in common.bash should be treated as authoritative defaults. Processes (e.g. `docker build`, `bats`, inside `Jenkinsfile`) can read this file and process the results therein. - -You should edit this file to change the image name, and add any other helpful environment variables. - -### Jenkinsfile - -This will also install a Jenkinsfile to your repository, if it doesn't have one. This will ensure that your Jenkins pipeline can leverage these scripts in the way intended. Ensuring the commands that you issue on your laptop match the commands issued by the build pipeline is critical to ensure predictable, reliable results. - -## Use - - -### Building - -#### build.sh -`bin/build.sh ` -#### destroy.sh -#### rebuild.sh - -### Running -### rerun.sh -### run.sh - - -### Testing -#### test.sh \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 901966a..86a094a 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,106 +1,224 @@
-FROM tier/centos7base
-
-# Establish a default value for critical variables
-# These values are not used by bin scripts or the pipeline.
-# Those values are set in common.bash
-ARG registry=docker.io
-ARG maintainer=tier
-ARG imagename=shibboleth_idp
-ARG version=3.3.1
-ARG tierversion=180401
-ARG tierbuild=$tierbuild
-ENV VERSION=$version
-ENV TIERVERSION=$tierversion
-ENV TIERBUILD=$tierbuild
-ENV IMAGENAME=$imagename
-ENV MAINTAINER=$maintainer
-
-LABEL Vendor="Internet2"
-LABEL ImageType="Shibboleth IDP Release"
-LABEL ImageName=$imagename
-LABEL ImageOS=centos7
-LABEL Version=$VERSION
-
-RUN yum -y install \
- apr-devel \
- httpd \
- krb5-workstation \
- mod_ssl 50 openssl-devel \
- wget \
- && yum -y clean all
-
-ENV SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION
-ENV SHIB_PREFIX=shibboleth-identity-provider-$VERSION
-ENV JAVA_HOME /usr/java/latest
+FROM centos:centos7
+########################
+### VERSION SETTINGS ###
+########################
+#
+##java
+ENV JAVA_VERSION=8u162 \
+ BUILD_VERSION=b12 \
+ JAVA_BUNDLE_ID=0da788060d494f5095bf8624735fa2f1 \
+##tomcat
+ TOMCAT_MAJOR=8 \
+ TOMCAT_VERSION=8.5.29 \
+##shib-idp
+ VERSION=3.3.2 \
+##TIER
+ TIERVERSION=180401 \
+
+##################
+### OTHER VARS ###
+##################
+#
+#global
+ IMAGENAME=shibboleth_idp \
+ MAINTAINER=tier \
+#java
+ JAVA_HOME=/usr/java/latest \
+ JAVA_OPTS=-Xmx3000m -XX:MaxPermSize=256m \
+#tomcat
+ CATALINA_HOME=/usr/local/tomcat
+ENV TOMCAT_TGZ_URL=https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz \
+ PATH=$CATALINA_HOME/bin:$JAVA_HOME/bin:$PATH \
+#shib-idp
+ SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION \
+ SHIB_PREFIX=shibboleth-identity-provider-$VERSION
+
+
+ENV ENV=dev \
+ USERTOKEN=nothing
+
+
+#set labels
+LABEL Vendor="Internet2" \
+ ImageType="Shibboleth IDP Release" \
+ ImageName=$imagename \
+ ImageOS=centos7 \
+ Version=$VERSION
+
+#########################
+### BEGIN IMAGE BUILD ###
+#########################
+#
+# Set UTC Timezone & Networking
+RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
+ && echo "NETWORKING=yes" > /etc/sysconfig/network
+
+# Install base deps
+RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
+ yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cron krb5-workstation openssl-devel wget supervisor && \
+ yum -y clean all && \
+ mkdir -p /opt/tier && \
+# Install Trusted Certificates
+ update-ca-trust force-enable
+
+ADD container_files/cert/InCommon.crt /etc/pki/ca-trust/source/anchors/
+RUN update-ca-trust extract
+
+# TIER Beacon Opt-out
+# Completely uncomment the following ENV line to prevent the containers from sending analytics information to Internet2.
+# With the default/release configuration, it will only send product (Shibb/Grouper/COmanage) and version (3.3.1-17040, etc)
+# once daily between midnight and 4am. There is no configuration or private information collected or sent.
+# This data helps with the scalaing and funding of TIER. Please do not disable it if you find the TIER tools useful.
+# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
+##### ENV TIER_BEACON_OPT_OUT True
+
+
+# Install java/JCE
+#
+# Uncomment the following commands to download the JDK to your Shibboleth IDP image.
+# ==> By uncommenting these next 6 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
+# RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
+# yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
+# rm -f /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
+# alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
+# alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
+# alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
+
+# Uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
+# ==> By uncommenting these next 7 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
+# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
+# http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
+# && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 jce_policy-8.zip" | sha256sum -c - \
+# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
+# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/US_export_policy.jar -d $JAVA_HOME/jre/lib/security/ \
+# && rm jce_policy-8.zip \
+# && chmod -R 640 $JAVA_HOME/jre/lib/security/
+
+# Copy IdP installer properties file(s)
+ADD container_files/idp/idp.installer.properties /tmp/idp.installer.properties
+ADD container_files/idp/idp.merge.properties /tmp/idp.merge.properties
+ADD 
container_files/idp/ldap.merge.properties /tmp/ldap.merge.properties
+
+# Install IdP
 RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
- wget -q https://shibboleth.net/downloads/PGP_KEYS \
+ wget -q https://shibboleth.net/downloads/PGP_KEYS \
 $SHIB_RELDIR/$SHIB_PREFIX.tar.gz \
- $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.asc \
- $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.sha256 && \
+ $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.asc && \
 # Perform verifications
- gpg --import PGP_KEYS && \
- gpg $SHIB_PREFIX.tar.gz.asc && \
- sha256sum --check $SHIB_PREFIX.tar.gz.sha256 && \
-# Prepare filesystem
- tar xf $SHIB_PREFIX.tar.gz && \
- mkdir -p /opt/shibboleth && \
- mv $SHIB_PREFIX /opt/shibboleth/. && \
- ln -s /opt/shibboleth/$SHIB_PREFIX /opt/shibboleth/current && \
+ gpg --import PGP_KEYS && \
+ gpg $SHIB_PREFIX.tar.gz.asc && \
+ gpg --batch --verify $SHIB_PREFIX.tar.gz.asc $SHIB_PREFIX.tar.gz && \
+# Unzip
+ tar xf $SHIB_PREFIX.tar.gz && \
+# Install
+ cd /tmp/shibboleth/$SHIB_PREFIX && \
+ ./bin/install.sh \
+ -Didp.noprompt=true \
+ -Didp.property.file=/tmp/idp.installer.properties && \
 # Cleanup
- rm -rf /tmp/shibboleth
-
-ENV CATALINA_HOME /usr/local/tomcat
-ENV PATH $CATALINA_HOME/bin:$PATH
-RUN mkdir -p "$CATALINA_HOME"
-
-# Not having trouble with this locally [JVF]
-# see https://www.apache.org/dist/tomcat/tomcat-8/KEYS
-# RUN set -ex \
-# && for key in \
-# 05AB33110949707C93A279E3D3EFE6B686867BA6 \
-# 07E48665A34DCAFAE522E5E6266191C37C037D42 \
-# 47309207D818FFD8DCD3F83F1931D684307A10A5 \
-# 541FBE7D8F78B25E055DDEE13C370389288584E7 \
-# 61B832AC2F1C5A90F0F9B00A1C506407564C17A3 \
-# 713DA88BE50911535FE716F5208B0AB1D63011C7 \
-# 79F7026C690BAA50B92CD8B66A3AD3F4F22C4FED \
-# 9BA44C2621385CB966EBA586F72C284D731FABEE \
-# A27677289986DB50844682F8ACB77FC2E86E29AC \
-# A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 \
-# DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 \
-# F3A04C595DB5B6A5F1ECA43E3B7BBB100D811BBE \
-# F7DA48BB64BCB84ECBA7EE6935CD23C10D498E23 \
-# ; do \
-# gpg --keyserver 
ha.pool.sks-keyservers.net --recv-keys "$key"; \
-# done
-
-ENV TOMCAT_MAJOR 8
-ENV TOMCAT_VERSION 8.0.50
-ENV TOMCAT_TGZ_URL https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz
-
-WORKDIR $CATALINA_HOME
-RUN set -x \
- \
- && wget -q -O tomcat.tar.gz "$TOMCAT_TGZ_URL" \
- && wget -q -O tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
-# && gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz \
- && tar -xvf tomcat.tar.gz --strip-components=1 \
- && rm bin/*.bat \
- && rm tomcat.tar.gz* \
- && mkdir -p conf/Catalina \
- && curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
-
-ADD files/idp.xml conf/Catalina/idp.xml
-ADD files/server.xml conf/server.xml
-
-ADD files/bin/setenv.sh /opt/tier/setenv.sh
-RUN chmod +x /opt/tier/setenv.sh
-ADD files/bin/startup.sh /usr/bin/startup.sh
-RUN chmod +x /usr/bin/startup.sh
-ADD files/bin/sendtierbeacon.sh /usr/bin/sendtierbeacon.sh
-RUN chmod +x /usr/bin/sendtierbeacon.sh
-
-ENV PATH $CATALINA_HOME/bin:$JAVA_HOME/bin:$PATH
+ cd ~ && \
+ rm -rf /tmp/shibboleth
+
+# Install tomcat
+RUN mkdir -p "$CATALINA_HOME" && set -x \
+ && wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
+ && wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
+ && wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
+ && gpg --import $CATALINA_HOME/KEYS \
+ && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
+ && gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
+ && tar -xvf $CATALINA_HOME/tomcat.tar.gz -C $CATALINA_HOME --strip-components=1 \
+ && rm $CATALINA_HOME/bin/*.bat \
+ && rm $CATALINA_HOME/tomcat.tar.gz* \
+ && mkdir -p $CATALINA_HOME/conf/Catalina \
+ && curl -o /usr/local/tomcat/lib/jstl1.2.jar 
https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar \
+ && rm -rf /usr/local/tomcat/webapps/* \
+ && ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
+
+ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
+ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
+
+#use log4j for tomcat logging
+ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /usr/local/tomcat/bin/
+ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /usr/local/tomcat/bin/
+ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /usr/local/tomcat/bin/
+RUN cd /usr/local/tomcat/; \
+ chmod +r bin/log4j-*.jar; \
+ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
+ADD container_files/tomcat/setenv.sh /usr/local/tomcat/bin/
+
+
+
+# Copy TIER helper scripts
+ADD container_files/system/startup.sh /usr/bin/
+ADD container_files/bin/setenv.sh /opt/tier/setenv.sh
+ADD container_files/bin/setupcron.sh /usr/bin/setupcron.sh
+ADD container_files/bin/sendtierbeacon.sh /usr/bin/sendtierbeacon.sh
+ADD container_files/system/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+RUN chmod +x /opt/tier/setenv.sh \
+ && chmod +x /usr/bin/setupcron.sh \
+ && chmod +x /usr/bin/startup.sh \
+ && chmod +x /usr/bin/sendtierbeacon.sh \
+# setup cron
+ && /usr/bin/setupcron.sh
+
+###############################################
+### Settings for a mounted config (default) ###
+###############################################
+VOLUME ["/usr/local/tomcat/conf", \
+ "/usr/local/tomcat/webapps/ROOT", \
+ "/usr/local/tomcat/logs", \
+ "/opt/certs", \
+ "/opt/shibboleth-idp/conf", \
+ "/opt/shibboleth-idp/credentials", \
+ "/opt/shibboleth-idp/views", \
+ "/opt/shibboleth-idp/edit-webapp", \
+ "/opt/shibboleth-idp/messages", \
+ 
"/opt/shibboleth-idp/metadata", \
+ "/opt/shibboleth-idp/logs"]
+
+
+#################################################
+### Settings for a burned-in config (default) ###
+#################################################
+# Conversely, for a burned config, *uncomment* the ADD lines below and *comment* the lines of the VOLUME command above
+#
+# consider not doing the volumes below as it creates a run-time dependency and a better solution might be to use syslog from the container
+# VOLUME ["/usr/local/tomcat/logs", "/opt/shibboleth-idp/logs"]
+#
+# ensure the following locations are accurate if you plan to burn your configuration into your containers by uncommenting the relevant section below
+# they represent the folder names/paths on your build host of the relevant config material needed to run the container
+# The paths below must be relative to (subdirectories of) the directory where the Dockerfile is located.
+# The paths below are just the default values. They are typically overriden by "build-args" in the 'docker build' command.
+ARG TOMCFG=config/tomcat
+ARG TOMLOG=logs/tomcat
+ARG TOMCERT=credentials/tomcat
+ARG TOMWWWROOT=wwwroot
+ARG SHBCFG=config/shib-idp/conf
+ARG SHBCREDS=credentials/shib-idp
+ARG SHBVIEWS=config/shib-idp/views
+ARG SHBEDWAPP=config/shib-idp/edit-webapp
+ARG SHBMSGS=config/shib-idp/messages
+ARG SHBMD=config/shib-idp/metadata
+ARG SHBLOG=logs/shib-idp
+#
+## ADD ${TOMCFG} /usr/local/tomcat/conf
+## ADD ${TOMCERT} /opt/certs
+## ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
+## ADD ${SHBCFG} /opt/shibboleth-idp/conf
+## ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
+## ADD ${SHBVIEWS} /opt/shibboleth-idp/views
+## ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
+## ADD ${SHBMSGS} /opt/shibboleth-idp/messages
+## ADD ${SHBMD} /opt/shibboleth-idp/metadata
+
+# Expose the port tomcat will be serving on
+EXPOSE 443
+#establish a healthcheck command so that docker might know the container's true state
+HEALTHCHECK --interval=2m --timeout=30s \
+ CMD curl -k -f https://127.0.0.1/idp/status || exit 1
+
+CMD ["/usr/bin/startup.sh"]
diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index a4bf331..0000000
--- a/Jenkinsfile
+++ /dev/null
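Review bot: The three `ADD http://central.maven.org/maven2/.../log4j-*-2.11.0.jar /usr/local/tomcat/bin/` lines drop jars onto Tomcat's startup classpath fetched over plain HTTP with no checksum or signature check, while the Shibboleth and Tomcat tarballs just above are GPG-verified, so anything on the network path can substitute those jars; fetch them in a `RUN` over HTTPS and pin a digest per jar, e.g. `curl -fsSL -o bin/log4j-core-2.11.0.jar https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar && echo "<expected-sha256>  bin/log4j-core-2.11.0.jar" | sha256sum -c -` (or `ADD --checksum=sha256:...` under BuildKit). The `chmod +r bin/log4j-*.jar; \` line of the `RUN cd /usr/local/tomcat/` step ends with a continuation backslash, so the following `ADD container_files/tomcat/log4j2.xml ...` is passed to the shell as a command inside that RUN instead of being executed as a Dockerfile instruction; drop the trailing `\`. `LABEL ImageName=$imagename` still references the removed lowercase ARG while the new variable is `IMAGENAME`, so that label is empty. The PGP key material for both Shibboleth (`PGP_KEYS`) and Tomcat (`KEYS`) is fetched at build time from the same origin as the artifacts without pinning a fingerprint, which only proves artifact and key came from the same server; the fingerprint list the old file carried in comments is the right thing to verify against (`gpg --fingerprint` and compare before `--verify`). Finally the build calls `install.sh` with `-Didp.property.file=/tmp/idp.installer.properties`, whose `changeit` passwords mean the installer-generated credentials land in the image layer before `/opt/shibboleth-idp/credentials` is declared a `VOLUME`; a comment at the `VOLUME` block noting that those defaults must never reach production would help operators.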
@@ -1,90 +0,0 @@ -node('docker') { - - stage 'Checkout' - - checkout scm - - stage 'Acquire util' - - sh 'mkdir -p tmp && mkdir -p bin' - dir('tmp'){ - git([ url: "https://github.internet2.edu/docker/util.git", - credentialsId: "jenkins-github-access-token" ]) - sh 'mv ./bin/* ../bin/.' - } - sh 'rm -rf tmp' - - stage 'Setting build context' - - def maintainer = maintainer() - def imagename = imagename() - def tag - def tierbuild=env.BUILD_NUMBER - - // Tag images created on master branch with 'latest' - if(env.BRANCH_NAME == "master"){ - tag = "latest" - }else{ - tag = env.BRANCH_NAME - } - - if(!imagename){ - echo "You must define an imagename in common.bash" - currentBuild.result = 'FAILURE' - } - if(maintainer){ - echo "Building ${imagename}:${tag} for ${maintainer}" - } - - stage 'Build' - - try{ - sh 'bin/rebuild.sh &> debug' - } catch(error) { - def error_details = readFile('./debug'); - def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) - } - - stage 'Tests' - - try{ - sh 'bin/test.sh &> debug' - } catch(error) { - def error_details = readFile('./debug'); - def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) - } - - stage 'Push' - - docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$maintainer") { - def baseImg = docker.build("$maintainer/$imagename") - baseImg.push("$tag") - } - - stage 'Notify' - - slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" - -} - -def maintainer() { - def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' - matcher ? matcher[0][1] : 'tier' -} - -def imagename() { - def matcher = readFile('common.bash') =~ 'imagename="(.+)"' - matcher ? 
matcher[0][1] : null -} - -def handleError(String message){ - echo "${message}" - currentBuild.setResult("FAILED") - slackSend color: 'danger', message: "${message}" - //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'chris.bynum@levvel.io', sendToIndividuals: true]) - sh 'exit 1' -} \ No newline at end of file diff --git a/README.md b/README.md index 2276d83..0e2bf3c 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,8 @@ -# Shibboleth IDP Container Images +# TIER "Standalone" Shibboleth-IdP +Used for building/running a TIER Shibb-IdP container without the TIER VM or the TIER intermediate docker image. -[![Build Status](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/shib-idp/master)](https://jenkins.testbed.tier.internet2.edu/job/docker/job/shib-idp/job/master/) +To use it, see the notes in the following document: +https://docs.google.com/document/d/1qb5XTde1nulCdA_8QUei48CxDj0lQs7ShD622Ze_4II/edit?usp=sharing -This repository creates and distributes Shibboleth IDP images to Dockerhub. +Or the InCommon Training class guide here: https://spaces.internet2.edu/x/OQ79Bg -## Supported Images - -### Release image - -These images track official releases of the software. The `master` branch produces these images, and the build pipeline distributes the results to Dockerhub. - -## Development - -### Configuration - -To alter project configuration details (e.g. which version of the Shibboleth IDP software is the latest), refer to common.bash-- a file referenced by many places. \ No newline at end of file diff --git a/bin/setNewSealerKey.sh b/bin/setNewSealerKey.sh new file mode 100644 index 0000000..dccbbf9 --- /dev/null +++ b/bin/setNewSealerKey.sh 
@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# This script generates a new sealer keystore with a new random password and configures the IdP to use it.
+# It is designed to be run when the shibboleth_idp container is built/rebuilt, which would ensure that multiple containers reamin in sync (same key, same pwd)
+#
+
+# default directories
+TOMCFG=config/tomcat
+TOMLOG=logs/tomcat
+TOMCERT=credentials/tomcat
+TOMWWWROOT=wwwroot
+SHBCFG=config/shib-idp/conf
+SHBCREDS=credentials/shib-idp
+SHBVIEWS=config/shib-idp/views
+SHBEDWAPP=config/shib-idp/edit-webapp
+SHBMSGS=config/shib-idp/messages
+SHBMD=config/shib-idp/metadata
+SHBLOG=logs/shib-idp
+
+STARTDIR=$(pwd)
+CRYPTODIR=tmp_crypto
+LOGFILE=sealer-gen.log
+IDP_PROP=${SHBCFG}/idp.properties
+IDP_SEALER_FILE=${SHBCREDS}/sealer.jks
+
+#
+# build the shibboleth sealer java keystore
+#
+echo ""
+echo "Creating new Shibboleth sealer keystore..."
+echo ""
+#
+mkdir -p ${CRYPTODIR}
+cd ${CRYPTODIR}
+SEALERPWD=$(uuidgen)
+keytool -genseckey -storetype jceks -alias secret1 -providername SunJCE -keyalg AES -keysize 256 -storepass ${SEALERPWD} -keypass ${SEALERPWD} -keystore mysealer.jks >> ${LOGFILE} 2>&1
+cp -f mysealer.jks ${IDP_SEALER_FILE}
+cd ${STARTDIR}
+#
+#
+# updates to idp.properties to configure the auto-generated sealer password
+#
+echo ""
+echo "Updating idp.properties with new sealer keystore password."
+echo ""
+
+cp -f ${IDP_PROP} ${IDP_PROP}.tmp
+
+sed '/idp.sealer.storePassword/c\
+idp.sealer.storePassword= '${SEALERPWD} ${IDP_PROP}.tmp > ${IDP_PROP}.tmp2
+
+sed '/idp.sealer.keyPassword/c\
+idp.sealer.keyPassword= '${SEALERPWD} ${IDP_PROP}.tmp2 > ${IDP_PROP}
+
+rm -f ${IDP_PROP}.tmp2
+rm -f ${IDP_PROP}.tmp
+
+rm -rf ${CRYPTODIR}/*
+rmdir ${CRYPTODIR}
+echo ""
+echo "The new sealer key was successfully generated and a new random password configured in idp.properties."
+echo ""
+echo "If you utilize a burned-in config, then you can now build a new image from this config."
+echo ""
+
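Review bot: `cp -f mysealer.jks ${IDP_SEALER_FILE}` runs after `cd ${CRYPTODIR}` and before `cd ${STARTDIR}`, and `IDP_SEALER_FILE` is the relative path `credentials/shib-idp/sealer.jks`, so the copy resolves inside `tmp_crypto/` where no such directory exists, fails, and the freshly generated keystore is then wiped by `rm -rf ${CRYPTODIR}/*` while idp.properties is still rewritten with the new password; move `cd ${STARTDIR}` above the `cp`, or copy to `${STARTDIR}/${IDP_SEALER_FILE}`. Nothing checks that `keytool` succeeded either: its exit status is ignored and its only output goes to `${CRYPTODIR}/${LOGFILE}`, which is deleted at the end, so a failed run still prints the success message — add `set -e` near the top or `keytool ... || { echo "keytool failed" >&2; exit 1; }`. `uuidgen` without `-r` may fall back to a time-based UUID on hosts without a usable random source, so prefer `uuidgen -r` (or `openssl rand -hex 16`) for a keystore password. Since that password is now written in clear text into `idp.properties`, both that file and `sealer.jks` should be restricted (`chmod 600`) once written.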
diff --git a/bin/syncFilesToAllSwarmNodes.sh b/bin/syncFilesToAllSwarmNodes.sh new file mode 100644 index 0000000..0e1b523 --- /dev/null +++ b/bin/syncFilesToAllSwarmNodes.sh 
@@ -0,0 +1,87 @@
+#!/bin/bash
+#
+# This script will sync specified directories of files to all nodes in the docker swarm.
+# It must be run from a/the manager node.
+#
+
+
+IDfile=`realpath $4`
+
+
+
+DisplayUsage()
+{
+ echo "Usage:"
+ echo "syncFilesToAllNodes | --help" >&2
+ echo ""
+}
+
+#ensure docker is avail
+command -v docker >/dev/null 2>&1 || { echo >&2 "ERROR: docker is required, but doesn't appear to be installed. Aborting..."; exit 1; }
+
+
+#check if running on a manager node
+docker node ls > /dev/null 2>&1
+if [ $? = 1 ]; then
+ echo "This script must be run from a manager node. You do not appear to be on a manager node. Terminating."
+ exit 1
+fi
+
+
+if [ $1 = '--help' ]; then
+ DisplayUsage
+ exit 1
+fi
+
+
+#sanity checks
+if [[ $# -ne 4 ]]; then
+ DisplayUsage
+ exit 1
+fi
+
+#more checks
+if ! [ -e "$1" ]; then
+ echo "ERROR: $1 not found, terminating." >&2
+ echo ""
+ exit 1
+fi
+if ! [ -d "$1" ]; then
+ echo "ERROR: $1 is not a directory, terminating." >&2
+ echo ""
+ exit 1
+fi
+if ! [ -e "$4" ]; then
+ echo "ERROR: $4 not found, terminating." >&2
+ echo ""
+ exit 1
+fi
+
+
+#cd to specified dir (so that scp -r works as intended)
+pushd $1 > /dev/null
+
+
+#check if specified config dir contains the needed sub-directories
+if ! [ -d "$PWD/config/shib-idp/conf" ]; then
+ echo "ERROR: the specified directory does not appear to contain a valid IdP config structure, terminating."
+ exit 1
+fi
+if ! [ -d "$PWD/config/tomcat" ]; then
+ echo "ERROR: the specified directory does not appear to contain a valid Tomcat config, terminating."
+ exit 1
+fi
+
+
+# transfer files
+# get list of other nodes in the swarm
+ for n in `docker node ls | sed -n '1!p' | cut -f 1 -d ' '`; do
+ #echo $n
+ s=$(docker node inspect --pretty $n | grep Address | cut -f 2 -d ':' | sed -n '2!p')
+ thisNode=${s//[[:blank:]]/}
+ echo "Connecting to ${thisNode} (`dig +noall +answer -x ${thisNode} | awk '{ print $(NF) }'`)....`scp -q -i ${IDfile} -r . 
$3@${thisNode}:/home/$3/$2 > /dev/null 2>&1`OK"
+ done
+
+
+#return to previous directory
+popd > /dev/null
diff --git a/common.bash b/common.bash
deleted file mode 100644
index 3a38851..0000000
--- a/common.bash
+++ /dev/null
@@ -1,5 +0,0 @@
-registry="docker.io"
-maintainer="tier"
-basename="shibboleth_idp"
-imagename="shibboleth_idp"
-version="3.3.1"
diff --git a/files/bin/sendtierbeacon.sh b/container_files/bin/sendtierbeacon.sh
similarity index 100%
rename from files/bin/sendtierbeacon.sh
rename to container_files/bin/sendtierbeacon.sh
diff --git a/files/bin/setenv.sh b/container_files/bin/setenv.sh
similarity index 95%
rename from files/bin/setenv.sh
rename to container_files/bin/setenv.sh
index 1305645..55c8c89 100644
--- a/files/bin/setenv.sh
+++ b/container_files/bin/setenv.sh
@@ -2,4 +2,5 @@ printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^VERSION" > /opt/tier/env.bash
 printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIERVERSION" >> /opt/tier/env.bash
 printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^IMAGE" >> /opt/tier/env.bash
-printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MAINTAINER" >> /opt/tier/env.bash
\ No newline at end of file
+printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MAINTAINER" >> /opt/tier/env.bash
+
diff --git a/files/bin/startup.sh b/container_files/bin/setupcron.sh
similarity index 75%
rename from files/bin/startup.sh
rename to container_files/bin/setupcron.sh
index ff771bf..ee1ec96 100644
--- a/files/bin/startup.sh
+++ b/container_files/bin/setupcron.sh
@@ -2,6 +2,7 @@ CRONFILE=/opt/tier/tier-cron
 #set env vars for cron job
+# this script creates /opt/tier/env.bash which is sourced by the cron job's script, which was not seeing the environment set by the Dockerfile
 /opt/tier/setenv.sh
 #build crontab file with random start time between midnight and 3:59am
@@ -15,8 +16,3 @@ crontab ${CRONFILE}
 #create cron logfile
 touch /var/log/cron.log
-#start crond
-/usr/sbin/crond
-
-#start tomcat
-/usr/local/tomcat/bin/catalina.sh run
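Review bot: The transfer loop reports `OK` unconditionally: `scp -q -i ${IDfile} -r . $3@${thisNode}:/home/$3/$2 > /dev/null 2>&1` runs inside a backtick substitution within the `echo`, so its exit status and stderr are discarded and a node that rejected the key, timed out, or failed host-key verification is still printed as `OK`. Given that the directory being fanned out presumably includes the `credentials/` tree (the sealer keystore and other IdP key material), a silent failure leaves swarm nodes with mismatched keys, which is exactly what this script exists to prevent. Run scp as a statement and branch on its result, e.g. `if scp -q -i "${IDfile}" -r . "$3@${thisNode}:/home/$3/$2"; then echo "OK"; else echo "FAILED" >&2; failed=1; fi`, and `exit 1` after the loop if any node failed. Also `IDfile=\`realpath $4\`` runs before the argument checks, so `--help` or a missing argument produces a realpath error first; move it below the sanity checks and quote `$1`/`$4` in the tests and in `pushd`.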
diff --git a/container_files/cert/InCommon.crt b/container_files/cert/InCommon.crt new file mode 100644 index 0000000..edcc20e --- /dev/null +++ b/container_files/cert/InCommon.crt 
@@ -0,0 +1,91 @@ +-----BEGIN CERTIFICATE----- +MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx +MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE +CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw +DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD +QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e +xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v +HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP +iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl +qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT +eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML +fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL +MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw +EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB +hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh +dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo +dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j +cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI +hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU +11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0 ++Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR +5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72 +hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo +RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED +Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i +eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa 
+nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b +oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH +OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv +MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk +ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF +eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow +gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK +ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD +VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN +BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt +UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC +tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf +jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM +8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm +AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV +Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9 +N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF +qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9 +HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ ++gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX +HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv +A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/ +BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud +HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4 +dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0 +dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD +lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn +RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ 
+YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8 +Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf +Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p +0fKtirOMxyHNwu8= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU +MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs +IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 +MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux +FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h +bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v +dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt +H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 +uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX +mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX +a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN +E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 +WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD +VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 +Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU +cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx +IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN +AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH +YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 +6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC +Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX +c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a +mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/container_files/idp/idp.installer.properties b/container_files/idp/idp.installer.properties new file mode 100644 index 0000000..72cd83c --- /dev/null 
+++ b/container_files/idp/idp.installer.properties
@@ -0,0 +1,9 @@
+idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-3.3.2
+idp.target.dir=/opt/shibboleth-idp
+idp.host.name=idp.example.org
+idp.sealer.password=changeit
+idp.sealer.alias=secret
+idp.keystore.password=changeit
+idp.scope=example.org
+idp.merge.properties=/tmp/idp.merge.properties
+ldap.merge.properties=/tmp/ldap.merge.properties
diff --git a/container_files/idp/idp.merge.properties b/container_files/idp/idp.merge.properties
new file mode 100644
index 0000000..830b59f
--- /dev/null
+++ b/container_files/idp/idp.merge.properties
@@ -0,0 +1,5 @@
+idp.entityID=https://idp.example.org/idp/shibboleth
+idp.sealer.storePassword=changeit
+idp.sealer.keyPassword=changeit
+idp.scope=example.org
+
diff --git a/container_files/idp/idp.xml b/container_files/idp/idp.xml
new file mode 100644
index 0000000..8b6d092
--- /dev/null
+++ b/container_files/idp/idp.xml
@@ -0,0 +1,4 @@
+
\ No newline at end of file
diff --git a/container_files/idp/ldap.merge.properties b/container_files/idp/ldap.merge.properties
new file mode 100644
index 0000000..139597f
--- /dev/null
+++ b/container_files/idp/ldap.merge.properties
@@ -0,0 +1,2 @@
+
+
diff --git a/container_files/system/startup.sh b/container_files/system/startup.sh
new file mode 100644
index 0000000..19eecc1
--- /dev/null
+++ b/container_files/system/startup.sh
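Review bot: `idp.sealer.password=changeit` and `idp.keystore.password=changeit` are handed to `install.sh` during the image build, so the sealer keystore and the other credentials the installer generates are written into the image layer protected by a well-known password, and `/opt/shibboleth-idp/credentials` only becomes a `VOLUME` afterwards, which makes that key material the default content of any container started without its own credentials mounted. Every container run from the same published image would then share identical keys under a public password. At minimum add a header comment here, e.g. `# Build-time placeholders only: the installer-generated credentials MUST be replaced (mount /opt/shibboleth-idp/credentials or run bin/setNewSealerKey.sh) before the IdP is exposed`, and consider deleting the generated `credentials/` contents in the same `RUN` that invokes the installer so the image cannot run with them. The same `changeit` values are repeated in idp.merge.properties as `idp.sealer.storePassword`/`idp.sealer.keyPassword`, which is what the running IdP reads, so the warning belongs there too.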
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+#for passed-in env vars, remove spaces and replace any ; with : in usertoken env var since we will use ; as a delimiter
+export USERTOKEN="${USERTOKEN//;/:}"
+export USERTOKEN="${USERTOKEN// /}"
+export ENV="${ENV//;/:}"
+export ENV="${ENV// /}"
+
+# generic console logging pipe for anyone
+mkfifo -m 666 /tmp/logpipe
+cat <> /tmp/logpipe 1>&2 &
+
+mkfifo -m 666 /tmp/logcrond
+(cat <> /tmp/logcrond | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "crond;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logtomcat
+(cat <> /tmp/logtomcat | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "tomcat;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logsuperd
+(cat <> /tmp/logsuperd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "supervisord;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logidp-process
+(cat <> /tmp/logidp-process | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-process.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logidp-warn
+(cat <> /tmp/logidp-warn | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-warn.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logidp-audit
+(cat <> /tmp/logidp-audit | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-audit.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logidp-consent-audit
+(cat <> /tmp/logidp-consent-audit | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-consent-audit.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+
+# fix IdP's logback.xml to log to use above pipe
+IDP_LOG_CFG_FILE=/opt/shibboleth-idp/conf/logback.xml
+if test \! -f ${IDP_LOG_CFG_FILE}.dist; then
+ cp ${IDP_LOG_CFG_FILE} ${IDP_LOG_CFG_FILE}.dist
+fi
+sed "s#\${idp.logfiles}/idp-process.log#/tmp/logidp-process#" ${IDP_LOG_CFG_FILE}.dist > ${IDP_LOG_CFG_FILE}.tmp
+sed "s#\${idp.logfiles}/idp-warn.log#/tmp/logidp-warn#" ${IDP_LOG_CFG_FILE}.tmp > ${IDP_LOG_CFG_FILE}.tmp2
+sed "s#\${idp.logfiles}/idp-audit.log#/tmp/logidp-audit#" ${IDP_LOG_CFG_FILE}.tmp2 > ${IDP_LOG_CFG_FILE}.tmp3
+sed "s#\${idp.logfiles}/idp-consent-audit.log#/tmp/logidp-consent-audit#" ${IDP_LOG_CFG_FILE}.tmp3 > ${IDP_LOG_CFG_FILE}
+rm -f ${IDP_LOG_CFG_FILE}.tmp
+rm -f ${IDP_LOG_CFG_FILE}.tmp2
+rm -f ${IDP_LOG_CFG_FILE}.tmp
+
+#launch supervisord
+/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
diff --git a/container_files/system/supervisord.conf b/container_files/system/supervisord.conf
new file mode 100644
index 0000000..0fcff1f
--- /dev/null
+++ b/container_files/system/supervisord.conf
@@ -0,0 +1,25 @@
+[supervisord]
+logfile=/tmp/logsuperd
+logfile_maxbytes=0
+loglevel=error
+nodaemon=true
+user=root
+
+[program:cron]
+command=/usr/sbin/crond -n
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/logcrond
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logcrond
+stderr_logfile_maxbytes=0
+directory=/usr/bin
+
+[program:tomcat]
+command=/usr/local/tomcat/bin/catalina.sh run
+autostart=true
+autorestart=true
+stdout_logfile=/tmp/logtomcat
+stdout_logfile_maxbytes=0
+stderr_logfile=/tmp/logtomcat
+stderr_logfile_maxbytes=0
diff --git a/container_files/tomcat/log4j2.xml b/container_files/tomcat/log4j2.xml
new file mode 100644
index 0000000..0ecbc07
--- /dev/null
+++ b/container_files/tomcat/log4j2.xml
@@ -0,0 +1,27 @@
+ + + + %d [%t] %-5p %c- %m%n + + + + + + + + + + + + + + + + + + + +
diff --git a/files/server.xml b/container_files/tomcat/server.xml
similarity index 99%
rename from files/server.xml
rename to container_files/tomcat/server.xml
index 8fa2540..8272b19 100644
--- a/files/server.xml
+++ b/container_files/tomcat/server.xml
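Review bot: The last line starts supervisord as a child of the `#!/bin/sh` wrapper instead of replacing it, so the shell stays PID 1 and the SIGTERM from `docker stop` never reaches supervisord or Tomcat; it should be `exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf`. The cleanup just above it removes `${IDP_LOG_CFG_FILE}.tmp` twice and never `.tmp3`, so the third line should read `rm -f ${IDP_LOG_CFG_FILE}.tmp3`. The `${USERTOKEN//;/:}` substitutions at the top are a bash extension under a `#!/bin/sh` shebang; if the image's `/bin/sh` is dash (the official tomcat images are Debian-based, though the Dockerfile is not in this chunk) they fail with "Bad substitution" and, with no `set -e`, the script carries on with the unsanitised values, so either use `#!/bin/bash` or rewrite them with `tr ';' ':' | tr -d ' '`. Finally, every FIFO is created `-m 666`, so any process in the container can inject lines into the shipped log stream; that is moot while supervisord.conf runs everything as root, but worth tightening to `-m 660` plus a shared group if Tomcat is ever dropped to its own user.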
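Review bot: `[supervisord]` sets `user=root` and `[program:tomcat]` has no `user=` line, so Tomcat and the Shibboleth IdP webapp inside it run as root; a webapp compromise then owns the whole container, including the IdP install under `/opt/shibboleth-idp` and the keystores it holds. Add `user=tomcat` (or whatever unprivileged account the Dockerfile creates — it is not in this chunk) to the tomcat program and make `/usr/local/tomcat` and `/opt/shibboleth-idp` writable only where Tomcat actually needs to write; crond legitimately needs root and can stay under the `[supervisord]` user. `directory=/usr/bin` for cron is odd but harmless; drop it or set it to `/`. With stdout and stderr both pointed at the same FIFO and every `*_maxbytes=0`, supervisord does no rotation at all, which looks intentional here, so a comment such as `; unbounded: lines are forwarded through the FIFO by startup.sh, not stored` would save the next reader a check.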
@@ -141,4 +141,4 @@
-
+
\ No newline at end of file
diff --git a/container_files/tomcat/setenv.sh b/container_files/tomcat/setenv.sh
new file mode 100644
index 0000000..adf08bf
--- /dev/null
+++ b/container_files/tomcat/setenv.sh
@@ -0,0 +1,4 @@
+CLASSPATH=/usr/local/tomcat/bin/*
+JAVA_OPTS="-Dlog4j.configurationFile=/usr/local/tomcat/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
+LOGGING_MANAGER=-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
+
diff --git a/files/idp.xml b/files/idp.xml
deleted file mode 100644
index 19c24db..0000000
--- a/files/idp.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
\ No newline at end of file
diff --git a/tests/shibboleth-idp.bats b/tests/shibboleth-idp.bats
deleted file mode 100644
index b58d36d..0000000
--- a/tests/shibboleth-idp.bats
+++ /dev/null
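Review bot: `JAVA_OPTS="-Dlog4j.configurationFile=..."` in setenv.sh assigns rather than appends, so any `JAVA_OPTS` an operator passes with `docker run -e` (heap size, GC flags, a truststore) is silently discarded; use `JAVA_OPTS="$JAVA_OPTS -Dlog4j.configurationFile=/usr/local/tomcat/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN"`. Putting `USERTOKEN` on the JVM command line also exposes it to every process in the container through `/proc/<pid>/cmdline` and to anything that captures `ps` output; if it is a credential rather than a plain tag for the log prefix (the name suggests the former, the way startup.sh prints it into every log line the latter) have the application read it from the environment instead of a system property. `CLASSPATH=/usr/local/tomcat/bin/*` relies on the JVM expanding the wildcard, which works, but a one-line comment naming which jars it is meant to pick up (presumably the log4j2 bridge jars placed in bin/) would help the next maintainer.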
@@ -1,48 +0,0 @@
-#!/usr/bin/env bats
-
-load ../common
-
-@test "Creates non-root Shib IDP home" {
- result="$(docker run -i $maintainer/$imagename ls /opt/shibboleth/current/bin/)"
- [ "$result" != '' ]
-}
-
-@test "Retains first-run experience" {
- result="$(docker run -i $maintainer/$imagename ls /tmp/firsttimerunning)"
- [ "$result" != '' ]
-}
-
-@test "Tomcat will start Shibboleth IDP when started" {
- result="$(docker run -i $maintainer/$imagename find conf/Catalina/idp.xml)"
- [ "$result" != '' ]
-}
-
-@test "Does not contain java" {
- run docker run -i $maintainer/$imagename which java
- [ "$status" -eq 1 ]
-}
-
-@test "Contains tomcat" {
- run docker run -i $maintainer/$imagename which startup.sh
- [ "$status" -eq 0 ]
-}
-
-@test "Contains JSTL jar" {
- run docker run -i $maintainer/$imagename find /usr/local/tomcat/lib/jstl1.2.jar
- [ "$status" -eq 0 ]
-}
-
-@test "exports JAVA_HOME" {
- result="$(docker run -i $maintainer/$imagename env | grep JAVA_HOME)"
- [ "$result" != "" ]
-}
-
-@test "exports CATALINA_HOME" {
- result="$(docker run -i $maintainer/$imagename env | grep CATALINA_HOME)"
- [ "$result" != "" ]
-}
-
-#@test "Defers configuration via ONBUILD" {
-# run grep ONBUILD Dockerfile
-# [ "$status" -eq 0 ]
-#}