From 7b6b50bc97ea3900138cc0415dfca6e914f4e111 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Fri, 12 May 2017 18:06:50 -0500
Subject: [PATCH 1/2] initial commit

---
 Dockerfile | 99 +++++++++
 setup-config.sh | 562 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 661 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 setup-config.sh

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..ba29531
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,99 @@
+FROM tier/shibboleth_idp
+
+ARG maintainer=tier
+ARG imagename=shibboleth_idp
+ARG version=3.3.1
+ENV VERSION=$version
+ENV IMAGENAME=$imagename
+ENV MAINTAINER=$maintainer
+
+# ensure the following locations are accurate if you plan to burn your configuration into your containers by uncommenting the relevant section below
+# they represent the folder names/paths on your build host of the relevant config material needed to run the container
+ARG TOMCFG=config/tomcat
+ARG TOMLOG=logs/tomcat
+ARG TOMCERT=credentials/tomcat
+ARG TOMWWWROOT=wwwroot
+ARG SHBCFG=config/shib-idp/conf
+ARG SHBCREDS=credentials/shib-idp
+ARG SHBVIEWS=config/shib-idp/views
+ARG SHBEDWAPP=config/shib-idp/edit-webapp
+ARG SHBMSGS=config/shib-idp/messages
+ARG SHBMD=config/shib-idp/metadata
+ARG SHBLOG=logs/shib-idp
+
+
+
+# Completely uncomment the following ENV line to prevent the containers from sending analytics information to Internet2.
+# With the default/release configuration, it will only send product (Shibb/Grouper/COmanage) and version (3.3.1-17040, etc)
+# once daily between midnight and 4am. There is no configuration or private information collected or sent.
+# This data helps with the scalaing and funding of TIER. Please do not disable it if you find the TIER tools useful.
+# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
+##### ENV TIER_BEACON_OPT_OUT True
+
+
+
+# Uncomment the following commands to download the JDK to your Shibboleth IDP image.
+# ==> By uncommenting these next 11 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
+ENV JAVA_OPTS=-Xmx3000m -XX:MaxPermSize=256m
+ENV JAVA_VERSION 8u131
+ENV BUILD_VERSION b11
+ENV JAVA_BUNDLE_ID d54c1d3a095b4ff2b6607d096fa80163
+ENV JAVA_HOME /usr/java/latest
+RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
+ yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
+ rm -f /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
+ alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
+ alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
+ alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
+
+# Uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
+# ==> By uncommenting these next 8 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
+RUN yum -y install unzip \
+ && wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
+ http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
+ && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 jce_policy-8.zip" | sha256sum -c - \
+ && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
+ && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/US_export_policy.jar -d $JAVA_HOME/jre/lib/security/ \
+ && rm jce_policy-8.zip \
+ && chmod -R 640 $JAVA_HOME/jre/lib/security/
+
+
+RUN chown -R root:root /opt/shibboleth/shibboleth-identity-provider-$version && \
+ rm -rf /usr/local/tomcat/webapps/* && \
+ ANT_OPTS="-Didp.target.dir=/opt/shibboleth/current" /opt/shibboleth/current/bin/build.sh && \
+ ln -s /opt/shibboleth/current /opt/shibboleth-idp && \
+ ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
+
+# for a mounted config
+VOLUME ["/usr/local/tomcat/conf", \
+ "/usr/local/tomcat/webapps/ROOT", \
+ "/usr/local/tomcat/logs", \
+ "/opt/certs", \
+ "/opt/shibboleth/shibboleth-identity-provider-$VERSION/conf", \
+ "/opt/shibboleth/shibboleth-identity-provider-$VERSION/credentials", \
+ "/opt/shibboleth/shibboleth-identity-provider-$VERSION/views", \
+ "/opt/shibboleth/shibboleth-identity-provider-$VERSION/edit-webapp", \
+ "/opt/shibboleth/shibboleth-identity-provider-$VERSION/messages", \
+ "/opt/shibboleth/shibboleth-identity-provider-$VERSION/metadata", \
+ "/opt/shibboleth/shibboleth-identity-provider-$VERSION/logs"]
+
+#
+# for a burned config, *uncomment* the COPY lines below and *comment* the lines of the VOLUME command above
+#
+# consider not doing the volumes below as it creates a run-time dependency and a better solution would be to use syslog from the container
+# VOLUME ["/usr/local/tomcat/logs", "/opt/shibboleth-idp/logs"]
+#
+## COPY ${TOMCFG} /usr/local/tomcat/conf
+## COPY ${TOMCERT} /opt/certs
+## COPY ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
+## COPY ${SHBCFG} /opt/shibboleth/shibboleth-identity-provider-$VERSION/conf
+## COPY ${SHBCREDS} /opt/shibboleth/shibboleth-identity-provider-$VERSION/credentials
+## COPY ${SHBVIEWS} /opt/shibboleth/shibboleth-identity-provider-$VERSION/views
+## COPY ${SHBEDWAPP} /opt/shibboleth/shibboleth-identity-provider-$VERSION/edit-webapp
+## COPY ${SHBMSGS} /opt/shibboleth/shibboleth-identity-provider-$VERSION/messages
+## COPY ${SHBMD} /opt/shibboleth/shibboleth-identity-provider-$VERSION/metadata
+
+
+EXPOSE 8443
+
+CMD ["/usr/bin/startup.sh"]
diff --git a/setup-config.sh b/setup-config.sh
new file mode 100644
index 0000000..a915694
--- /dev/null
+++ b/setup-config.sh
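Review bot: The JDK RPM fetched by the `RUN wget …` line is downloaded over plain http with `--no-check-certificate` and handed straight to `yum -y install` with no integrity check, while the JCE step just below it does pin a sha256; the same guard, `echo "<sha256-of-jdk-rpm-placeholder>  /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm" | sha256sum -c - && \`, belongs between the download and the install. In the same RUN, `alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000` registers the link under the alternative name `jar` rather than `java`, unlike the two calls after it whose name matches the link. The image also never sets `USER`, so unless the tier/shibboleth_idp base drops privileges itself, Tomcat runs as root in the final image. `ENV JAVA_VERSION 8u131` and the three ENV lines after it use the legacy space-separated form; `ENV JAVA_VERSION=8u131` is the current form.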
@@ -0,0 +1,562 @@
+#!/bin/bash
+
+# script config items
+SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/3.3release.zip
+TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
+TMP_DIR_S=/tmp/3.3release
+TMP_DIR_T=/tmp/tomcfg
+
+# default directories
+TOMCFG=config/tomcat
+TOMLOG=logs/tomcat
+TOMCERT=credentials/tomcat
+TOMWWWROOT=wwwroot
+SHBCFG=config/shib-idp/conf
+SHBCREDS=credentials/shib-idp
+SHBVIEWS=config/shib-idp/views
+SHBEDWAPP=config/shib-idp/edit-webapp
+SHBMSGS=config/shib-idp/messages
+SHBMD=config/shib-idp/metadata
+SHBLOG=logs/shib-idp
+
+# logs
+LOGFILE=${PWD}/setup.log
+
+# script variables (do not edit)
+ORACLE_JAVA_APPROVAL=None
+FQDN=None
+SCOPE=None
+LDAPURL=None
+LDAPBASEDN=None
+LDAPDN=None
+LDAPPWD=None
+SEALERPWD=None
+TIER_TESTBED=None
+BURNMOUNT=None
+
+
+##################################
+### ensure directory structure ###
+##################################
+mkdir -p root
+mkdir -p config/tomcat
+mkdir -p logs/tomcat
+mkdir -p credentials/tomcat
+mkdir -p wwwroot
+mkdir -p config/shib-idp/conf
+mkdir -p credentials/shib-idp
+mkdir -p config/shib-idp/views
+mkdir -p config/shib-idp/edit-webapp
+mkdir -p config/shib-idp/messages
+mkdir -p config/shib-idp/metadata
+mkdir -p logs/shib-idp
+
+
+##############################################################
+### download default/TIER config for both shibb and tomcat ###
+##############################################################
+#
+# first, check for wget
+command -v wget >/dev/null 2>&1 || { echo >&2 "ERROR: wget is required, but doesn't appear to be installed. Aborting..."; exit 1; }
+
+wget -q -O ${TMP_DIR_S}.zip ${SHB_CFG_URL}
+wget -q -O ${TMP_DIR_T}.zip ${TOM_CFG_URL}
+
+
+######################
+### expand to /tmp ###
+######################
+unzip -d ${TMP_DIR_S} ${TMP_DIR_S}.zip > /dev/null 2>&1
+unzip -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1
+
+################################################################################
+### cp relevant folders from expanded zip to appropriate locations at $PWD/* ###
+################################################################################
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/conf/* ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/views/* ${SHBVIEWS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/edit-webapp/* ${SHBEDWAPP}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/messages/* ${SHBMSGS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/metadata/* ${SHBMD}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/credentials/* ${SHBCREDS}
+cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
+cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
+
+
+#####################################################
+### ask setup questions to aid in config building ###
+#####################################################
+#
+# Get Oracle license agreement from the user
+#
+echo ""
+echo "The Shibboleth IdP requires that you use Oracle Java. The Docker container "
+echo "should be configured to download it for you as part of the Docker image build "
+echo "process, but, before we proceed, you must agree to the Oracle Binary Code "
+echo "License Agreement for Java SE (\"Oracle License\"). Please review:"
+echo ""
+echo " http://www.oracle.com/technetwork/java/javase/terms/license/index.html"
+echo ""
+echo "By agreeing to the Oracle License, you acknowledge that Internet2 is not"
+echo "distributing the Java software and, to the extent an issue arises"
+echo "related to your use of Oracle Java in the TIER software package, you and"
+echo "Internet2 agree to hold each other harmless from any third party claims."
+echo ""
+#
+while [ ${ORACLE_JAVA_APPROVAL} == "None" ]; do
+ echo -n "Do you agree to the terms of the Oracle license [Yes/No]? "
+ read response
+ case $response in
+ Yes)
+ ORACLE_JAVA_APPROVAL=$response
+ ;;
+ No)
+ ORACLE_JAVA_APPROVAL=$response
+ ;;
+ *)
+ echo "Please respond with Yes or No"
+ esac
+done
+if [ ${ORACLE_JAVA_APPROVAL} != "Yes" ]; then
+ echo ""
+ echo "In order to use this implementation of the Shibboleth IdP, you must"
+ echo "use Oracle Java and thus agree to the terms of the Oracle license."
+ exit 0
+fi
+#
+# Get the FQDN of the server
+#
+echo ""
+echo ""
+echo "Please supply the Fully Qualified Domain Name (FQDN) of your Shibboleth IdP."
+echo "We will use the information you enter here to configure your IdP."
+echo "Note: for testing without DNS support (a common case), simply enter"
+echo " the IPv4 address of your VM at the prompt below"
+echo ""
+while [ ${FQDN} == "None" ]; do
+ echo -n "Enter the FQDN or IP address of your server: "
+ read response
+ if [ ${#response} -lt 8 ]; then
+ echo "Remember, you need a FQDN or IP address"
+ continue
+ fi
+ echo -n "You entered: ${response} Is this correct [Yes/No]? "
+ read yesno
+ case $yesno in
+ Yes|yes|Y|y)
+ FQDN=$response
+ ;;
+ esac
+done
+#echo "FQDN is: $FQDN"
+
+#
+# Get the Scope used for this IdP
+#
+echo ""
+echo ""
+echo "Please supply the correct scope for this IdP."
+echo "This is typically your base domain: domain.edu"
+echo "Enter your IP address if you are just testing."
+echo ""
+echo "We will use the information you enter here to configure your IdP."
+echo ""
+while [ ${SCOPE} == "None" ]; do
+ echo -n "Enter the Scope for your IdP: "
+ read response
+ if [ ${#response} -lt 5 ]; then
+ echo "Remember, you need domain - domain.edu or similar"
+ continue
+ fi
+ echo -n "You entered: ${response} Is this correct [Yes/No]? "
+ read yesno
+ case $yesno in
+ Yes|yes|Y|y)
+ SCOPE=$response
+ ;;
+ esac
+done
+#echo "Scope is: $SCOPE"
+
+#
+# Get the LDAP URL for this deployment
+#
+echo ""
+echo ""
+echo "Please supply the full LDAP URL for your backend authentication and/or "
+echo "attribute store used by your Shibboleth IdP. (e.g. ldap://myldap.domain.edu)"
+echo "We will use the information you enter here to configure your IdP."
+echo ""
+while [ ${LDAPURL} == "None" ]; do
+ echo -n "Enter the LDAP URL used for your IdP: "
+ read response
+ if [ ${#response} -lt 10 ]; then
+ echo "Remember, you need a full LDAP URL (starts with ldap:// or ldaps://)"
+ continue
+ fi
+ echo -n "You entered: ${response} Is this correct [Yes/No]? "
+ read yesno
+ case $yesno in
+ Yes|yes|Y|y)
+ LDAPURL=$response
+ ;;
+ esac
+done
+#echo "LDAP URL is: $LDAPURL"
+
+#
+# Get the LDAP BaseDN for this deployment
+#
+echo ""
+echo ""
+echo "Please supply the LDAP Base DN for your LDAP Server "
+echo " (e.g. ou=people,dc=example,dc=org)."
+echo "We will use the information you enter here to configure your IdP."
+echo ""
+while [ ${LDAPBASEDN} == "None" ]; do
+ echo -n "Enter the LDAP Base DN used for your LDAP Server: "
+ read response
+ if [ ${#response} -lt 10 ]; then
+ echo "Remember, you need the full LDAP Base DN."
+ continue
+ fi
+ echo -n "You entered: ${response} Is this correct [Yes/No]? "
+ read yesno
+ case $yesno in
+ Yes|yes|Y|y)
+ LDAPBASEDN=$response
+ ;;
+ esac
+done
+#echo "LDAP Base DN is: $LDAPBASEDN"
+
+#
+# Get the LDAP DN for this deployment
+#
+echo ""
+echo ""
+echo "Please supply the full LDAP DN (DistinguishedName) for the account "
+echo "used to access your LDAP (only read access is necessary). "
+echo "(e.g. uid=myservice,ou=system)"
+echo "We will use the information you enter here to configure your IdP."
+echo ""
+while [ ${LDAPDN} == "None" ]; do
+ echo -n "Enter the LDAP DN for the service account used by your IdP: "
+ read response
+ if [ ${#response} -lt 8 ]; then
+ echo "Remember, you need the full LDAP DN"
+ continue
+ fi
+ echo -n "You entered: ${response} Is this correct [Yes/No]? "
+ read yesno
+ case $yesno in
+ Yes|yes|Y|y)
+ LDAPDN=$response
+ ;;
+ esac
+done
+#echo "LDAP DN is: $LDAPDN"
+
+#
+# Get the LDAP PWD for this deployment
+#
+echo ""
+echo ""
+echo "Please supply the password for the LDAP DN just specified "
+echo "for access your LDAP"
+echo ""
+echo "We will use the information you enter here to configure your IdP."
+echo ""
+while [ ${LDAPPWD} == "None" ]; do
+ echo -n "Enter the password for the account just specified: "
+ read response
+ if [ ${#response} -lt 2 ]; then
+ echo "You should use a stronger password."
+ continue
+ fi
+ echo -n "You entered: ${response} Is this correct [Yes/No]? "
+ read yesno
+ case $yesno in
+ Yes|yes|Y|y)
+ LDAPPWD=$response
+ ;;
+ esac
+done
+
+
+#
+# Ask the installer about burned versus mountedd config
+#
+echo ""
+echo ""
+echo "Would you like your Shibboleth IdP containers to utilize a "
+echo "Shibboleth config which has been \"burned\" (copied) into each "
+echo "container, or would you like your IdP containers to instead "
+echo "mount their configuration from the container host's local filesystem?"
+echo ""
+while [ ${BURNMOUNT} == "None" ]; do
+ echo -n "Please select your choice (please enter either \"burn\" or \"mount\"): "
+ read response
+ case $response in
+ Mount|mount|M|m)
+ BURNMOUNT=mount
+ ;;
+ Burn|burn|B|b)
+ BURNMOUNT=burn
+ ;;
+ *)
+ echo "You must choose either \"burn\" or \"mount\"."
+ esac
+done
+#echo "Burn/Mount option choice is: $BURNMOUNT"
+
+
+############################################################
+### generate credentials/certs for tomcat and shibboleth ###
+############################################################
+
+# ensure openssl
+command -v openssl >/dev/null 2>&1 || { echo >&2 "ERROR: openssl is required, but doesn't appear to be installed. Aborting..."; exit 1; }
+
+echo ""
+echo "Generating credentials..."
+echo ""
+#
+mkdir -p crypto-work-tmp
+cd crypto-work-tmp
+#IdP Signing key/cert
+openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-signing.key -out idp-signing.csr >> ${LOGFILE} 2>&1
+echo '[SAN]' > extensions
+echo "subjectAltName=DNS:${FQDN},URI:https://${FQDN}/idp/shibboleth" >>extensions
+echo "subjectKeyIdentifier=hash" >> extensions
+openssl x509 -req -days 1825 -in idp-signing.csr -signkey idp-signing.key -extensions SAN -extfile extensions -out idp-signing.crt >> ${LOGFILE} 2>&1
+#
+# IdP Encryption Key
+openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-encryption.key -out idp-encryption.csr >> ${LOGFILE} 2>&1
+openssl x509 -req -days 1825 -in idp-encryption.csr -signkey idp-encryption.key -extensions SAN -extfile extensions -out idp-encryption.crt >> ${LOGFILE} 2>&1
+#
+cp *.key *.crt ../${SHBCREDS}
+
+# build self-signed cert for Tomcat to use with https
+#
+# ensure keytool
+command -v keytool >/dev/null 2>&1 || { echo >&2 "ERROR: keytool is required, but doesn't appear to be installed. 
Aborting..."; exit 1; } + +if test -f ssl_keystore.jks; then + mv ssl_keystore.jks ssl_keystore.jks.old +fi + +cat > data.conf << EOF +${FQDN} +SUBJ_OU +SUBJ_O +SUBJ_CITY +SUBJ_STATE +SUBJ_COUNTRY +yes + + +EOF + +STOREPWD=$(uuidgen) +keytool -genkey -keyalg RSA -alias selfsigned -keystore ssl_keystore.jks -storepass $STOREPWD -validity 360 -keysize 2048 < data.conf >> ${LOGFILE} 2>&1 +cp ssl_keystore.jks ${TOMCERT}/keystore.jks + +# +# OK, next build the shibboleth sealer java keystore +# +echo "" +echo "Creating Shibboleth sealer keystore" +echo "" +# +rm -f mysealer.jks +SEALERPWD=$(uuidgen) +keytool -genseckey -storetype jceks -alias secret1 -providername SunJCE -keyalg AES -keysize 256 -storepass ${SEALERPWD} -keypass ${SEALERPWD} -keystore mysealer.jks >> ${LOGFILE} 2>&1 +cp mysealer.jks ../${SHBCREDS}/sealer.jks + + +# return to previous work directory +cd .. + + + +############################# +### generate new metadata ### +############################# +CERTFILE=${SHBCREDS}/idp-signing.crt +CERT="$(grep -v '^-----' $CERTFILE)" +ENTITYID=https://${FQDN}/idp/shibboleth/ +BASEURL=https://${FQDN} + +cat > ${SHBMD}/idp-metadata.xml < + + $SCOPE + + + + + +$CERT + + + + + + + + + + +EOF + + + +############################################################ +### make needed adjustments to IdP config and Dockerfile ### +############################################################ +# +#ensure sed +command -v sed >/dev/null 2>&1 || { echo >&2 "ERROR: sed is required, but doesn't appear to be installed. Aborting..."; exit 1; } + +# set entityID, sealer pwd in idp.properties +echo "" +echo "Updating your IdP config and Dockerfile to match the info" +echo " you supplied and with the auto-generated key password." +echo "" +IDP_PROP=${SHBCFG}/idp.properties + +if test \! 
-f ${IDP_PROP}.dist; then
+ cp ${IDP_PROP} ${IDP_PROP}.dist
+fi
+sed "s/example.org/${SCOPE}/" ${IDP_PROP}.dist > ${IDP_PROP}.tmp
+sed "s#Password= changeit#Password= ${SEALERPWD}#" ${IDP_PROP}.tmp > ${IDP_PROP}
+rm -f ${IDP_PROP}.tmp
+#
+
+# set ldap URL, baseDN, svcDN, pwd in ldap.properties
+LDAP_PROP=${SHBCFG}/ldap.properties
+if test \! -f ${LDAP_PROP}.dist; then
+ cp ${LDAP_PROP} ${LDAP_PROP}.dist
+fi
+sed "s#ldap://localhost:10389#${LDAPURL}#" ${LDAP_PROP}.dist > ${LDAP_PROP}.tmp
+sed "s#uid=myservice,ou=system#${LDAPDN}#" ${LDAP_PROP}.tmp > ${LDAP_PROP}.tmp2
+sed "s#myServicePassword#${LDAPPWD}#" ${LDAP_PROP}.tmp2 > ${LDAP_PROP}.tmp3
+sed "s#ou=people,dc=example,dc=org#${LDAPBASEDN}#" ${LDAP_PROP}.tmp3 > ${LDAP_PROP}
+
+rm -f ${LDAP_PROP}.tmp
+rm -f ${LDAP_PROP}.tmp2
+rm -f ${LDAP_PROP}.tmp3
+
+# adjust Dockerfile for java and for a burned-in config, if needed
+#
+#java first
+if test \! -f Dockerfile.dist; then
+ cp Dockerfile Dockerfile.dist
+fi
+cat < docker_edit.sed
+s/^# ENV /ENV /
+s/^# RUN /RUN /
+s/^# yum/ yum/
+s/^# rm/ rm/
+s/^# alternatives/ alternatives/
+s/^# http/ http/
+s/^# \&\&/ \&\&/
+EOF
+sed -f docker_edit.sed Dockerfile.dist > Dockerfile
+rm -f docker_edit.sed
+
+
+if [ ${BURNMOUNT} == "burn" ]; then
+ echo "Configuring Docker for burned-in configuration."
+
+ mv -f Dockerfile Dockerfile.setup
+ cat < docker_edit.sed
+s/^## COPY /COPY /
+s/^VOLUME /## VOLUME /
+EOF
+ sed -f docker_edit.sed Dockerfile.setup > Dockerfile
+ rm -f Dockerfile.setup
+ rm -f docker_edit.sed
+
+fi
+
+
+############################################################################################################################
+### notify user of next steps (docker build and docker run commands, based on burn/mount and chosen directory locations) ###
+############################################################################################################################
+echo ""
+echo "Your initial configuration has been successfully setup."
+echo ""
+echo ""
+if [ ${BURNMOUNT} == "burn" ]; then
+ echo "Since you have elected to use a burned-in config, the steps for "
+ echo " you to build and run a TIER Shibboleth-IdP container are below."
+ echo "BUILD"
+ echo " It will be necessary to specify where to find your config at build-time, "
+ echo " so that it can be copied into the container."
+ echo ""
+ echo " If you are using the default config locations (used by the setup-config.sh script), then the following command would be correct."
+ echo " (substitute paths for your own environment as apprioriate)"
+ echo " (optionally substitute any tag name (after -t) that is appropriate) "
+ echo ""
+ echo " docker build --rm -t my/shibb-idp-tier --build-arg TOMCFG=config/tomcat
+ --build-arg TOMLOG=logs/tomcat
+ --build-arg TOMCERT=credentials/tomcat
+ --build-arg TOMWWWROOT=wwwroot
+ --build-arg SHBCFG=config/shib-idp/conf
+ --build-arg SHBCREDS=credentials/shib-idp
+ --build-arg SHBVIEWS=config/shib-idp/views
+ --build-arg SHBEDWAPP=config/shib-idp/edit-webapp
+ --build-arg SHBMSGS=config/shib-idp/messages
+ --build-arg SHBMD=config/shib-idp/metadata
+ --build-arg SHBLOG=logs/shib-idp ."
+ echo ""
+ echo ""
+ echo "RUN"
+ echo ""
+ echo " docker run -d --name shib-idp -p 8443:8443 my/shibb-idp-tier"
+
+else
+ echo "Since you have elected to use a mounted config, the steps for "
+ echo " you to build and run a TIER Shibboleth-IdP container are below."
+ echo "BUILD"
+ echo " You can build an image for a mounted config quite cimply using a command like this:"
+ echo " (optionally substitute any tag name (after -t) that is appropriate) "
+ echo ""
+ echo " docker build --rm -t my/shibb-idp-tier ."
+ echo ""
+ echo ""
+ echo "RUN"
+ echo " For a mounted config, you will need to supply your config locations at run-time, like this (assuming the default locations for the local config)."
+ echo ""
+ echo " docker run -d --name shib-test1 -p 8443:8443 -v /home/shibboleth/conf/tomcat-test:/usr/local/tomcat/conf
+ -v ${PWD}/${TOMWWWROOT}:/usr/local/tomcat/webapps/ROOT
+ -v ${PWD}/${TOMLOG}:/usr/local/tomcat/logs
+ -v ${PWD}/${TOMCERT}:/opt/certs
+ -v ${PWD}/${SHBCFG}:/opt/shibboleth/shibboleth-identity-provider-3.3.1/conf
+ -v ${PWD}/${SHBCREDS}:/opt/shibboleth/shibboleth-identity-provider-3.3.1/credentials
+ -v ${PWD}/${SHBVIEWS}:/opt/shibboleth/shibboleth-identity-provider-3.3.1/views
+ -v ${PWD}/${SHBEDWAPP}:/opt/shibboleth/shibboleth-identity-provider-3.3.1/edit-webapp
+ -v ${PWD}/${SHBMSGS}:/opt/shibboleth/shibboleth-identity-provider-3.3.1/messages
+ -v ${PWD}/${SHBMD}:/opt/shibboleth/shibboleth-identity-provider-3.3.1/metadata
+ -v ${PWD}/${SHBLOG}:/opt/shibboleth/shibboleth-identity-provider-3.3.1/logs
+ my/shibb-idp-tier"
+
+
+fi
+
+
+
+#################################
+### cleanup/remove temp files ###
+#################################
+rm -f ${TMP_DIR_S}.zip
+rm -rf ${TMP_DIR_S}/*
+rmdir ${TMP_DIR_S}
+
+rm -f ${TMP_DIR_T}.zip
+rm -rf ${TMP_DIR_T}/*
+rmdir ${TMP_DIR_T}
+
+rm -rf crypto-work-tmp/*
+rmdir crypto-work-tmp
From f82af1937665ff141aed24129686356ed4753ad5 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Fri, 12 May 2017 18:09:34 -0500
Subject: [PATCH 2/2] minor detail

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ba29531..a199ebb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -80,7 +80,7 @@ VOLUME ["/usr/local/tomcat/conf", \
 #
 # for a burned config, *uncomment* the COPY lines below and *comment* the lines of the VOLUME command above
 #
-# consider not doing the volumes below as it creates a run-time dependency and a better solution would be to use syslog from the container
+# consider not doing the volumes below as it creates a run-time dependency and a better solution might be to use syslog from the container
 # VOLUME ["/usr/local/tomcat/logs", "/opt/shibboleth-idp/logs"]
 #
 ## COPY ${TOMCFG} /usr/local/tomcat/conf