From c28f28fd8ecfffd0e573465357a94e3858acc10d Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Wed, 12 Jun 2019 20:52:22 +0000
Subject: [PATCH 1/4] switch default java to Corretto, bump tomcat
---
Dockerfile | 43 ++++++++++++++++++++++++++++---------------
1 file changed, 28 insertions(+), 15 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 391a9ff..2f67926 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,11 +6,11 @@ FROM centos:centos7
#
##tomcat \
ENV TOMCAT_MAJOR=9 \
- TOMCAT_VERSION=9.0.19 \
+ TOMCAT_VERSION=9.0.21 \
##shib-idp \
VERSION=3.4.4 \
##TIER \
- TIERVERSION=20190502 \
+ TIERVERSION=20190601 \
################## \
### OTHER VARS ### \
################## \
@@ -19,7 +19,6 @@ ENV TOMCAT_MAJOR=9 \
IMAGENAME=shibboleth_idp \
MAINTAINER=tier \
#java \
- JAVA_HOME=/usr \
JAVA_OPTS='-Xmx3000m' \
#tomcat \
CATALINA_HOME=/usr/local/tomcat
@@ -53,7 +52,7 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
# Install base deps
RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
- yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cronie krb5-workstation openssl-devel wget supervisor && \
+ yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cronie krb5-workstation openssl-devel wget supervisor fontconfig && \
yum -y clean all && \
mkdir -p /opt/tier && \
# Install Trusted Certificates
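Review bot: The rewritten `yum -y install` line in the third hunk still names `wget` three times and `unzip` twice, and it carries diagnostic and network tools (`telnet`, `strace`, `net-tools`, `vim`, `man`) into what appears to be the runtime image. A deduplicated, sorted list is much easier to audit, e.g. `yum -y install cronie curl fontconfig krb5-workstation logrotate man mlocate net-tools openssl-devel rsyslog strace supervisor tar telnet unzip vim wget`. Whether any of the diagnostic tools are actually needed at runtime cannot be told from this hunk; if they are not, dropping them shrinks the attack surface of the shipped image. The RUN instruction this line belongs to is fully inside the hunk.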
@@ -70,18 +69,32 @@ RUN update-ca-trust extract
# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
##### ENV TIER_BEACON_OPT_OUT True
-
-# Install Zulu Java
-RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
- && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
- && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
-
+# Install Corretto Java JDK
+#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
+ARG CORRETTO_RPM=java-1.8.0-amazon-corretto-devel-1.8.0_212.b04-2.x86_64.rpm
+ARG CORRETTO_URL_BASE=https://d3pxv6yz143wms.cloudfront.net/8.212.04.2
+ARG CORRETTO_PUBLIC_KEY=0E50DA5A06C9F82E013C6561A5E4F647D043E83B
+# above key comes from running gpg against this file: https://d3pxv6yz143wms.cloudfront.net/8.212.04.2/D043E83B.pub
+RUN curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $CORRETTO_PUBLIC_KEY \
+ && gpg --armor --export $CORRETTO_PUBLIC_KEY > corretto.asc \
+ && rpm --import corretto.asc \
+ && rpm -K $CORRETTO_RPM \
+ && rpm -i $CORRETTO_RPM \
+ && rm -r $GNUPGHOME corretto.asc $CORRETTO_RPM
+ENV JAVA_HOME=/usr/lib/jvm/java-1.8.0-amazon-corretto
+
+# To use Zulu Java:
+#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
+# && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
+# && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
#install Zulu JCE
-RUN curl -o /tmp/ZuluJCEPolicies.zip https://cdn.azul.com/zcek/bin/ZuluJCEPolicies.zip \
- && cd /tmp && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/local_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
- && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/US_export_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
- && rm -rf /tmp/ZuluJCEPolicies.zip
-
+#RUN curl -o /tmp/ZuluJCEPolicies.zip https://cdn.azul.com/zcek/bin/ZuluJCEPolicies.zip \
+# && cd /tmp && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/local_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
+# && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/US_export_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
+# && rm -rf /tmp/ZuluJCEPolicies.zip
+#ENV JAVA_HOME=/usr \
# To use Oracle java/JCE:
#
From e995bf8e9df53e9ff87a1e923155ac8f612896e9 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Wed, 12 Jun 2019 21:44:52 +0000
Subject: [PATCH 2/4] add additional key servers for Corretto
---
Dockerfile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 2f67926..e67a73f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -77,7 +77,9 @@ ARG CORRETTO_PUBLIC_KEY=0E50DA5A06C9F82E013C6561A5E4F647D043E83B
# above key comes from running gpg against this file: https://d3pxv6yz143wms.cloudfront.net/8.212.04.2/D043E83B.pub
RUN curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM \
&& export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $CORRETTO_PUBLIC_KEY \
+ && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $CORRETTO_PUBLIC_KEY || \
+ gpg --batch --keyserver pgp.mit.edu --recv-keys $CORRETTO_PUBLIC_KEY || \
+ gpg --batch --keyserver keyserver.pgp.com --recv-keys $CORRETTO_PUBLIC_KEY \
&& gpg --armor --export $CORRETTO_PUBLIC_KEY > corretto.asc \
&& rpm --import corretto.asc \
&& rpm -K $CORRETTO_RPM \
From 17b3d17dfd1e0525c01d79650b6126cd37f15f98 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Thu, 13 Jun 2019 04:29:04 +0000
Subject: [PATCH 3/4] try to fix key servers timing out
---
Dockerfile | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e67a73f..1b52a02 100644
--- a/Dockerfile
+++ b/Dockerfile
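Review bot: `rpm -K $CORRETTO_RPM` in the new Corretto RUN is a weaker gate than it reads: with the key imported it does fail on a bad signature, but an RPM that carries no signature at all only gets its digests reported and, on the rpm shipped in centos7, exits 0, so a substituted unsigned package would still reach `rpm -i`. Since the RPM name and URL are already pinned by ARG, pin its content too — `ARG CORRETTO_RPM_SHA256=<published sha256>` and `&& echo "$CORRETTO_RPM_SHA256  $CORRETTO_RPM" | sha256sum -c - \` before the `rpm --import` — or at minimum assert that the signature was made by the pinned key, `&& rpm -qp --qf '%{SIGPGP:pgpsig}\n' $CORRETTO_RPM | grep -q 'Key ID a5e4f647d043e83b' \`. `curl -O` is also run without `-f`, so an HTTP error body would be saved under the RPM name and only surface later as an rpm error; `curl -fsSLO $CORRETTO_URL_BASE/$CORRETTO_RPM \` fails the build at the download step. The RUN instruction is fully inside the hunk.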
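Review bot: The keyserver fallback added on the three new lines is not grouped, and the shell gives `&&` and `||` equal precedence evaluated left to right, so the `||` alternatives also swallow a failure of the preceding `curl -O` and `export GNUPGHOME` steps: a failed download drops into the second `gpg --recv-keys` with GNUPGHOME unset and the real error only surfaces later at `rpm -K`. Group the alternatives so only the key fetch is retried: `&& { gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $CORRETTO_PUBLIC_KEY \` / `|| gpg --batch --keyserver pgp.mit.edu --recv-keys $CORRETTO_PUBLIC_KEY \` / `|| gpg --batch --keyserver keyserver.pgp.com --recv-keys $CORRETTO_PUBLIC_KEY; } \`. Because the key is fetched by its full fingerprint, the choice of keyserver only affects availability, not what ends up trusted. The RUN instruction continues past the end of the hunk.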
@@ -77,9 +77,9 @@ ARG CORRETTO_PUBLIC_KEY=0E50DA5A06C9F82E013C6561A5E4F647D043E83B
# above key comes from running gpg against this file: https://d3pxv6yz143wms.cloudfront.net/8.212.04.2/D043E83B.pub
RUN curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM \
&& export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $CORRETTO_PUBLIC_KEY || \
- gpg --batch --keyserver pgp.mit.edu --recv-keys $CORRETTO_PUBLIC_KEY || \
- gpg --batch --keyserver keyserver.pgp.com --recv-keys $CORRETTO_PUBLIC_KEY \
+ && gpg --batch --keyserver hkp://ha.pool.sks-keyservers.net --recv-keys $CORRETTO_PUBLIC_KEY || \
+ gpg --batch --keyserver hkp://pgp.mit.edu --recv-keys $CORRETTO_PUBLIC_KEY || \
+ gpg --batch --keyserver hkp://keyserver.pgp.com --recv-keys $CORRETTO_PUBLIC_KEY \
&& gpg --armor --export $CORRETTO_PUBLIC_KEY > corretto.asc \
&& rpm --import corretto.asc \
&& rpm -K $CORRETTO_RPM \
From 209a70c2982cab5fd30420f9d673cba842ab7890 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Thu, 13 Jun 2019 14:55:40 +0000
Subject: [PATCH 4/4] remove keyservers from corretto install
---
Dockerfile | 12 +++---------
.../java-corretto/corretto-signing-key.pub | 20 +++++++++++++++++++
2 files changed, 23 insertions(+), 9 deletions(-)
create mode 100644 container_files/java-corretto/corretto-signing-key.pub
diff --git a/Dockerfile b/Dockerfile
index 1b52a02..39eff2c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -73,18 +73,12 @@ RUN update-ca-trust extract
#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
ARG CORRETTO_RPM=java-1.8.0-amazon-corretto-devel-1.8.0_212.b04-2.x86_64.rpm
ARG CORRETTO_URL_BASE=https://d3pxv6yz143wms.cloudfront.net/8.212.04.2
-ARG CORRETTO_PUBLIC_KEY=0E50DA5A06C9F82E013C6561A5E4F647D043E83B
-# above key comes from running gpg against this file: https://d3pxv6yz143wms.cloudfront.net/8.212.04.2/D043E83B.pub
+COPY container_files/java-corretto/corretto-signing-key.pub .
RUN curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM \
- && export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver hkp://ha.pool.sks-keyservers.net --recv-keys $CORRETTO_PUBLIC_KEY || \
- gpg --batch --keyserver hkp://pgp.mit.edu --recv-keys $CORRETTO_PUBLIC_KEY || \
- gpg --batch --keyserver hkp://keyserver.pgp.com --recv-keys $CORRETTO_PUBLIC_KEY \
- && gpg --armor --export $CORRETTO_PUBLIC_KEY > corretto.asc \
- && rpm --import corretto.asc \
+ && rpm --import corretto-signing-key.pub \
&& rpm -K $CORRETTO_RPM \
&& rpm -i $CORRETTO_RPM \
- && rm -r $GNUPGHOME corretto.asc $CORRETTO_RPM
+ && rm -r corretto-signing-key.pub $CORRETTO_RPM
ENV JAVA_HOME=/usr/lib/jvm/java-1.8.0-amazon-corretto
# To use Zulu Java:
diff --git a/container_files/java-corretto/corretto-signing-key.pub b/container_files/java-corretto/corretto-signing-key.pub
new file mode 100644
index 0000000..d736975
--- /dev/null
+++ b/container_files/java-corretto/corretto-signing-key.pub
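Review bot: The vendored `corretto-signing-key.pub` is now imported with nothing in the Dockerfile recording which key it is or where it was obtained — the fingerprint ARG and the comment naming the vendor `.pub` URL are exactly the lines this hunk removes, so a later reader has no way to tell a legitimate key refresh from a swapped one. Keep that provenance next to the COPY, e.g. `# Corretto 8.212.04.2 release signing key, fingerprint 0E50DA5A06C9F82E013C6561A5E4F647D043E83B (per the ARG this replaced); source: https://d3pxv6yz143wms.cloudfront.net/8.212.04.2/D043E83B.pub`, so the file can be re-checked with `gpg --with-fingerprint container_files/java-corretto/corretto-signing-key.pub`. The COPY destination `.` resolves to the current WORKDIR, which is not visible in this hunk; if none is set the key lands in `/` before the trailing `rm` removes it, and `rm -r` on two plain files is better written `rm -f`. The RUN instruction is fully inside the hunk.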
@@ -0,0 +1,20 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.22 (GNU/Linux) + +mQENBFy7d2UBCADO3YKtB7/le47DP4R+x69bzQoAr/o/RI0YS4LRpj012VwlWdu5 +ttr4VJiS5r0d4QcOYrdHKULhkLeljvISODh+alpAW3S48k3XfTR9Fa1YugmGinkx +Xg1aCrT6ap3UAmSGQOWPczajfPjosEYr757G+UPtDyeLho3MMTavDhTBzRcxnJWP +0EXvXjkqeUHiKx4pc+qA3AA6hezKqGqOZvmoZxEqYWBEA2nBES2+PzY20lrDDT6j +WWjfXJZYFyfEKBlWV5z967QPi6v70WwF3FzE9CQAzy60ATDOCC2PuTC1b/s5BVLg +tATO6NtrcvnmhixtWPGLMGyXRDlrXi6APX7XABEBAAG0UkFtYXpvbiBTZXJ2aWNl +cyBMTEMgKEFtYXpvbiBDb3JyZXRvIDguMjEyLjA0LjIgcmVsZWFzZSkgPGNvcnJl +dHRvLXRlYW1AYW1hem9uLmNvbT6JAT8EEwECACkFAly7d2UCGy8FCQlmAYAHCwkI +BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCl5PZH0EPoO2hYB/40AeZ4z78BKcni +jAv/3y2Zp+n7PH2XyrTHXaJQoKEeR3EC9YKGVkwh3vLJY495Wm1uWoLv6fnhngM3 +6O5bH1pCSy14ib4xAzweIY9fRcjvpgjyXwwe4EgRhzHy41I3g07ym+SkNEE5lST3 +Oie/NJJDDmunovoE/e0a0NJe2pTYPd/DAjJIfdA1QUwcBNXD2nFWFpnrq5T5BFZu +Cy5ih456G/PayPSmsG0JfDqSyWRRlrOGamsYy6ZaxsIrS92XGOlL8O3Y4wz6ELhP +1sGRfI0AVZiOdcxpfuB15mNzgZOHc2rZh3HMxTKCNa13O+xkJEYm51f8cqc1RGmP +XFjxUMQd +=WyaZ +-----END PGP PUBLIC KEY BLOCK-----