New java tomcat

Dockerfile

@@ -9,12 +9,12 @@ ENV JAVA_VERSION=8u171 \
     BUILD_VERSION=b11 \
     JAVA_BUNDLE_ID=512cd62ec5174c3487ac17c61aaa89e8 \
 ##tomcat \
-    TOMCAT_MAJOR=8 \
-    TOMCAT_VERSION=8.5.31 \
+    TOMCAT_MAJOR=9 \
+    TOMCAT_VERSION=9.0.8 \
 ##shib-idp \
     VERSION=3.3.3 \
 ##TIER \
-    TIERVERSION=180502 \
+    TIERVERSION=180601 \
 ################## \
 ### OTHER VARS ### \
 ################## \
@@ -23,7 +23,7 @@ ENV JAVA_VERSION=8u171 \
     IMAGENAME=shibboleth_idp \
     MAINTAINER=tier \
 #java \
-    JAVA_HOME=/usr/java/latest \
+    JAVA_HOME=/usr \
     JAVA_OPTS=-Xmx3000m -XX:MaxPermSize=256m \
 #tomcat \
     CATALINA_HOME=/usr/local/tomcat
@@ -72,9 +72,15 @@ RUN update-ca-trust extract
 #####     ENV TIER_BEACON_OPT_OUT True
 
 
-# Install java/JCE
+# Install Zulu Java
+RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
+	&& curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
+	&& yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
+
+
+# To use Oracle java/JCE
 #
-# Uncomment the following commands to download the JDK to your Shibboleth IDP image.  
+# Uncomment the following commands to download the Oracle JDK to your Shibboleth IDP image.  
 #     ==> By uncommenting these next 6 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
 # RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
 #     yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
@@ -83,7 +89,7 @@ RUN update-ca-trust extract
 #     alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
 #     alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
 
-# Uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.  
+# For Oracle Java, also uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.  
 #     ==> By uncommenting these next 7 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
 # RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
 #     http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
@@ -94,9 +100,7 @@ RUN update-ca-trust extract
 #     && chmod -R 640 $JAVA_HOME/jre/lib/security/
 
 # Copy IdP installer properties file(s)
-ADD container_files/idp/idp.installer.properties /tmp/idp.installer.properties
-ADD container_files/idp/idp.merge.properties /tmp/idp.merge.properties
-ADD container_files/idp/ldap.merge.properties /tmp/ldap.merge.properties
+ADD container_files/idp/idp.installer.properties container_files/idp/idp.merge.properties container_files/idp/ldap.merge.properties /tmp/
 
 # Install IdP
 RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
@@ -145,8 +149,9 @@ RUN cd /usr/local/tomcat/; \
     chmod +r bin/log4j-*.jar;
 ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
 ADD container_files/tomcat/setenv.sh /usr/local/tomcat/bin/
-
-
+RUN mkdir -p /usr/local/tomcat/webapps/ROOT
+ADD container_files/tomcat/robots.txt /usr/local/tomcat/webapps/ROOT
+ADD container_files/tomcat/keystore.jks /opt/certs/
 
 # Copy TIER helper scripts
 ADD container_files/system/startup.sh /usr/bin/
@@ -161,20 +166,23 @@ RUN chmod +x /opt/tier/setenv.sh \
 # setup cron
     && /usr/bin/setupcron.sh
 
+#set cron to not require a login session
+RUN sed -i '/session    required   pam_loginuid.so/c\#session    required   pam_loginuid.so' /etc/pam.d/crond
+
 ###############################################
 ### Settings for a mounted config (default) ###
 ###############################################
-VOLUME ["/usr/local/tomcat/conf", \
-	    "/usr/local/tomcat/webapps/ROOT", \
-		"/usr/local/tomcat/logs", \
-		"/opt/certs", \
-		"/opt/shibboleth-idp/conf", \
-		"/opt/shibboleth-idp/credentials", \
-		"/opt/shibboleth-idp/views", \
-		"/opt/shibboleth-idp/edit-webapp", \
-		"/opt/shibboleth-idp/messages", \
-		"/opt/shibboleth-idp/metadata", \
-		"/opt/shibboleth-idp/logs"]
+#VOLUME ["/usr/local/tomcat/conf", \
+#	    "/usr/local/tomcat/webapps/ROOT", \
+#		"/usr/local/tomcat/logs", \
+#		"/opt/certs", \
+#		"/opt/shibboleth-idp/conf", \
+#		"/opt/shibboleth-idp/credentials", \
+#		"/opt/shibboleth-idp/views", \
+#		"/opt/shibboleth-idp/edit-webapp", \
+#		"/opt/shibboleth-idp/messages", \
+#		"/opt/shibboleth-idp/metadata", \
+#		"/opt/shibboleth-idp/logs"]
 
 
 #################################################
@@ -189,17 +197,17 @@ VOLUME ["/usr/local/tomcat/conf", \
 # they represent the folder names/paths on your build host of the relevant config material needed to run the container
 # The paths below must be relative to (subdirectories of) the directory where the Dockerfile is located.
 # The paths below are just the default values.  They are typically overriden by "build-args" in the 'docker build' command.
-ARG TOMCFG=config/tomcat
-ARG TOMLOG=logs/tomcat
-ARG TOMCERT=credentials/tomcat
-ARG TOMWWWROOT=wwwroot
-ARG SHBCFG=config/shib-idp/conf
-ARG SHBCREDS=credentials/shib-idp
-ARG SHBVIEWS=config/shib-idp/views
-ARG SHBEDWAPP=config/shib-idp/edit-webapp
-ARG SHBMSGS=config/shib-idp/messages
-ARG SHBMD=config/shib-idp/metadata
-ARG SHBLOG=logs/shib-idp
+#ARG TOMCFG=config/tomcat
+#ARG TOMLOG=logs/tomcat
+#ARG TOMCERT=credentials/tomcat
+#ARG TOMWWWROOT=wwwroot
+#ARG SHBCFG=config/shib-idp/conf
+#ARG SHBCREDS=credentials/shib-idp
+#ARG SHBVIEWS=config/shib-idp/views
+#ARG SHBEDWAPP=config/shib-idp/edit-webapp
+#ARG SHBMSGS=config/shib-idp/messages
+#ARG SHBMD=config/shib-idp/metadata
+#ARG SHBLOG=logs/shib-idp
 #
 ## ADD ${TOMCFG} /usr/local/tomcat/conf
 ## ADD ${TOMCERT} /opt/certs

Jenkinsfile

@@ -0,0 +1,92 @@
+// Licensed to the University Corporation for Advanced Internet Development,
+// Inc. (UCAID) under one or more contributor license agreements.  See the
+// NOTICE file distributed with this work for additional information regarding
+// copyright ownership. The UCAID licenses this file to You under the Apache
+// License, Version 2.0 (the "License"); you may not use this file except in
+// compliance with the License.  You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+node('docker') {
+
+  stage 'Checkout'
+
+    checkout scm
+
+  stage 'Acquire util'
+
+    sh 'mkdir -p tmp && mkdir -p bin'
+    dir('tmp'){
+      git([ url: "https://github.internet2.edu/docker/util.git",
+          credentialsId: "jenkins-github-access-token" ])
+      sh 'mv ./bin/* ../bin/.'
+    }
+    sh 'rm -rf tmp'
+
+  stage 'Setting build context'
+
+    def maintainer = maintainer()
+    def imagename = imagename()
+    def tag
+
+    // Tag images created on master branch with 'latest'
+    if(env.BRANCH_NAME == "master"){
+      tag = "latest"
+    }else{
+      tag = env.BRANCH_NAME
+    }
+
+    if(!imagename){
+      echo "You must define an imagename in common.bash"
+      currentBuild.result = 'FAILURE'
+     }
+     if(maintainer){
+      echo "Building ${imagename}:${tag} for ${maintainer}"
+     }
+
+  stage 'Build'
+    try{
+      sh 'bin/rebuild.sh &> debug'
+    } catch(error) {
+      def error_details = readFile('./debug');
+      def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
+      sh "rm -f ./debug"
+      handleError(message)
+    }
+
+  stage 'Push'
+
+    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
+          def baseImg = docker.build("$maintainer/$imagename")
+          baseImg.push("$tag")
+    }
+
+  stage 'Notify'
+
+    slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+
+}
+
+def maintainer() {
+  def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
+  matcher ? matcher[0][1] : 'tier'
+}
+
+def imagename() {
+  def matcher = readFile('common.bash') =~ 'imagename="(.+)"'
+  matcher ? matcher[0][1] : null
+}
+
+def handleError(String message){
+  echo "${message}"
+  currentBuild.setResult("FAILED")
+  slackSend color: 'danger', message: "${message}"
+  sh 'exit 1'
+}
+

common.bash

@@ -0,0 +1,3 @@
+maintainer="tier"
+imagename="shib-idp"
+

container_files/tomcat/robots.txt

@@ -0,0 +1,3 @@
+User-agent: *
+Disallow: /
+

container_files/tomcat/server.xml

@@ -1,144 +1,26 @@
 <?xml version='1.0' encoding='utf-8'?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
 <Server port="8005" shutdown="SHUTDOWN">
-  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
-  <!-- Security listener. Documentation at /docs/config/listeners.html
-  <Listener className="org.apache.catalina.security.SecurityListener" />
-  -->
-  <!--APR library loader. Documentation at /docs/apr.html -->
   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
 
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container",
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
   <Service name="Catalina">
-
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-
-
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-    -->
-    <Connector port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000" scheme="https"
-               redirectPort="8443" URIEncoding="UTF-8"
-               proxyPort="443" />
-
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443" />
-    -->
-    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
-         This connector uses the NIO implementation that requires the JSSE
-         style configuration. When using the APR/native implementation, the
-         OpenSSL style configuration is required as described in the APR/native
-         documentation -->
-    <!--
-    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
-               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" />
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
-    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-    -->
+<Connector
+          protocol="org.apache.coyote.http11.Http11NioProtocol"
+          port="443" maxThreads="200"
+          scheme="https" secure="true" SSLEnabled="true"
+          keystoreFile="/opt/certs/keystore.jks" keystorePass="password"
+          clientAuth="false" sslProtocol="TLS"/>
     <Engine name="Catalina" defaultHost="localhost">
 
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->
-
-      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
-           via a brute-force attack -->
-      <Realm className="org.apache.catalina.realm.LockOutRealm">
-        <!-- This Realm uses the UserDatabase configured in the global JNDI
-             resources under the key "UserDatabase".  Any edits
-             that are performed against this UserDatabase are immediately
-             available for use by the Realm.  -->
-        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-               resourceName="UserDatabase"/>
-      </Realm>
-
       <Host name="localhost"  appBase="webapps"
             unpackWARs="true" autoDeploy="true">
 
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html
-             Note: The pattern used is equivalent to using pattern="common" -->
         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
-               prefix="localhost_access_log" suffix=".txt"
+               prefix="localhost_access_log." suffix=".txt"
                pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 
       </Host>
     </Engine>
   </Service>
-</Server>
+</Server>
+