From 7547d31a1596818f9d76d585f4c6aede1cc92212 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Thu, 4 Jan 2018 09:43:01 -0600
Subject: [PATCH 1/3] supervisord, updates
---
 Dockerfile | 46 +++++++++----------------
 container_files/bin/setupcron.sh | 23 +++++++++++++
 container_files/bin/startup.sh | 7 ++--
 container_files/system/supervisord.conf | 23 +++++++++++++
 4 files changed, 67 insertions(+), 32 deletions(-)
 create mode 100644 container_files/bin/setupcron.sh
 create mode 100644 container_files/system/supervisord.conf
diff --git a/Dockerfile b/Dockerfile
index 4063f1d..89fe300 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,11 +10,11 @@ ENV BUILD_VERSION=b16
 ENV JAVA_BUNDLE_ID=aa0333dd3019491ca4f6ddbe78cdb6d0
 ##tomcat
 ENV TOMCAT_MAJOR=8
-ENV TOMCAT_VERSION=8.0.47
+ENV TOMCAT_VERSION=8.5.24
 ##shib-idp
 ENV VERSION=3.3.2
 ##TIER
-ENV TIERVERSION=17110
+ENV TIERVERSION=18011
 
 ##################
 ### OTHER VARS ###
@@ -52,8 +52,8 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
 && echo "NETWORKING=yes" > /etc/sysconfig/network
 
 # Install base deps
-RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && \
- yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cron krb5-workstation openssl-devel wget && \
+RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
+ yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cron krb5-workstation openssl-devel wget supervisor && \
 yum -y clean all && \
 mkdir -p /opt/tier
 
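Review bot: `yum -y update` added to the base-deps RUN upgrades the entire centos:centos7 base at build time, so two builds of this Dockerfile can yield different images and a fix can silently appear or disappear between them; if a newer base is wanted, bump the `FROM` tag (or pin a digest) and keep this layer to the explicit package list. The package list on the next line repeats `wget` three times and `unzip` twice, and installs interactive tooling (`strace`, `telnet`, `vim`, `man`, `mlocate`) that an IdP runtime image does not need and that only enlarges what is available inside the container. None of the packages are version-pinned, which compounds the reproducibility problem.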
@@ -103,10 +103,11 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
 wget -q https://shibboleth.net/downloads/PGP_KEYS \
 $SHIB_RELDIR/$SHIB_PREFIX.tar.gz \
 $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.asc \
- $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.sha256 && \
+ $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.q && \
 # Perform verifications
 gpg --import PGP_KEYS && \
 gpg $SHIB_PREFIX.tar.gz.asc && \
+ gpg --batch --verify $SHIB_PREFIX.tar.gz.asc $SHIB_PREFIX.tar.gz
 sha256sum --check $SHIB_PREFIX.tar.gz.sha256 && \
 # Unzip
 tar xf $SHIB_PREFIX.tar.gz && \
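Review bot: The added `gpg --batch --verify $SHIB_PREFIX.tar.gz.asc $SHIB_PREFIX.tar.gz` line has no trailing `&& \`, so the shell command of this RUN ends there and the following `sha256sum --check` line reaches the Dockerfile parser as a new instruction, which fails the build; it needs `gpg --batch --verify $SHIB_PREFIX.tar.gz.asc $SHIB_PREFIX.tar.gz && \`. Three lines above, the download list was changed from `.tar.gz.sha256` to `.tar.gz.q`, so the checksum file that `sha256sum --check` reads is no longer fetched and `wget` returns non-zero on the missing URL. PATCH 2/3 in this series reacts by deleting the checksum step rather than restoring the `.sha256` download; keeping both the signature and the digest check is the stronger choice. The RUN starts above this hunk and continues below it.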
@@ -122,32 +123,14 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
 # Install tomcat
 RUN mkdir -p "$CATALINA_HOME"
 
-## Not having trouble with this locally [JVF]
-## see https://www.apache.org/dist/tomcat/tomcat-8/KEYS
-## RUN set -ex \
-## && for key in \
-## 05AB33110949707C93A279E3D3EFE6B686867BA6 \
-## 07E48665A34DCAFAE522E5E6266191C37C037D42 \
-## 47309207D818FFD8DCD3F83F1931D684307A10A5 \
-## 541FBE7D8F78B25E055DDEE13C370389288584E7 \
-## 61B832AC2F1C5A90F0F9B00A1C506407564C17A3 \
-## 713DA88BE50911535FE716F5208B0AB1D63011C7 \
-## 79F7026C690BAA50B92CD8B66A3AD3F4F22C4FED \
-## 9BA44C2621385CB966EBA586F72C284D731FABEE \
-## A27677289986DB50844682F8ACB77FC2E86E29AC \
-## A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 \
-## DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 \
-## F3A04C595DB5B6A5F1ECA43E3B7BBB100D811BBE \
-## F7DA48BB64BCB84ECBA7EE6935CD23C10D498E23 \
-## ; do \
-## gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
-## done
-
 #WORKDIR $CATALINA_HOME
 RUN set -x \
 && wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
 && wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
-# && gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
+ && wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
+ && gpg --import $CATALINA_HOME/KEYS \
+ && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
+ && gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
 && tar -xvf $CATALINA_HOME/tomcat.tar.gz -C $CATALINA_HOME --strip-components=1 \
 && rm $CATALINA_HOME/bin/*.bat \
 && rm $CATALINA_HOME/tomcat.tar.gz* \
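Review bot: The new verification imports whatever `KEYS` file apache.org serves at build time and accepts a signature from any key in it, while the block removed above carried the thirteen release-signer fingerprints that would let the build assert which key actually signed the tarball; keep that list in the Dockerfile and check the signer against it after the `--import` (for example by comparing `gpg --fingerprint` output with the pinned values). `gpg $CATALINA_HOME/tomcat.tar.gz.asc` on the line before the `--batch --verify` duplicates it and runs outside batch mode, so it can be dropped. `rm $CATALINA_HOME/tomcat.tar.gz*` below does not match `$CATALINA_HOME/KEYS`, which therefore ships in the image; add `&& rm $CATALINA_HOME/KEYS \`. The RUN continues past the end of this hunk.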
@@ -163,11 +146,14 @@ RUN rm -rf /usr/local/tomcat/webapps/* && \
 # Copy TIER helper scripts
 ADD container_files/bin/setenv.sh /opt/tier/setenv.sh
 RUN chmod +x /opt/tier/setenv.sh
-ADD container_files/bin/startup.sh /usr/bin/startup.sh
-RUN chmod +x /usr/bin/startup.sh
+ADD container_files/bin/setupcron.sh /usr/bin/setupcron.sh
+RUN chmod +x /usr/bin/setupcron.sh
 ADD container_files/bin/sendtierbeacon.sh /usr/bin/sendtierbeacon.sh
 RUN chmod +x /usr/bin/sendtierbeacon.sh
+ADD container_files/system/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
+# setup cron
+RUN /usr/bin/setupcron.sh
 
 ###############################################
 ### Settings for a mounted config (default) ###
@@ -228,4 +214,4 @@ HEALTHCHECK --interval=2m --timeout=30s \
 
 
 # Start tomcat/crond
-CMD ["/usr/bin/startup.sh"]
+CMD ["/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf"]
diff --git a/container_files/bin/setupcron.sh b/container_files/bin/setupcron.sh
new file mode 100644
index 0000000..ef83b84
--- /dev/null
+++ b/container_files/bin/setupcron.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+CRONFILE=/opt/tier/tier-cron
+
+#set env vars for cron job
+# this script creates /opt/tier/env.bash which is sourced by the cron job's script, which was not seeing the environment set by the Dockerfile
+/opt/tier/setenv.sh
+
+#build crontab file with random start time between midnight and 3:59am
+echo "#send daily beacon to TIER Central" > ${CRONFILE}
+echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE}
+chmod 644 ${CRONFILE}
+
+#install crontab
+crontab ${CRONFILE}
+
+#create cron logfile
+touch /var/log/cron.log
+
+#start crond
+#/usr/sbin/crond -n
+#if crond args are needed, then:
+#source /etc/sysconfig/crond && exec /usr/sbin/crond -n $CRONDARGS
+#the above will be handled by supervisord
diff --git a/container_files/bin/startup.sh b/container_files/bin/startup.sh
index ff771bf..9916e74 100644
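Review bot: `RUN /usr/bin/setupcron.sh` moves the cron setup from container start (the removed `startup.sh`) to image build, so the `$RANDOM` minute and hour that setupcron.sh picks are chosen once per image and every container started from it sends the beacon at the same moment, and `/opt/tier/setenv.sh` snapshots the build-time environment rather than the one `docker run` supplies. If a per-container slot and runtime environment are still intended, limit the build step to installing the scripts and run setupcron.sh at start, either from an entrypoint wrapper that ends with `exec /usr/bin/supervisord ...` or as a one-shot supervisord program ordered before crond. The same consequence appears in the setupcron.sh hunk below. The `ADD` of startup.sh is removed here while this commit still edits that file; see the startup.sh hunk.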
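Review bot: `CMD ["/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf"]` is exec form with a single element, so the runtime execs a program literally named `/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf` and the container fails to start. Each argument needs its own element, `CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]`, which is the form PATCH 2/3 in this series later applies.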
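Review bot: The script has no `set -e`, so a failing `/opt/tier/setenv.sh` or `crontab ${CRONFILE}` is ignored and the `RUN` that calls it reports success with no beacon job installed; add `set -euo pipefail` after the shebang. The comment above the `echo` promises "between midnight and 3:59am", but `expr $RANDOM % 3` yields hours 0–2 and `expr $RANDOM % 59` yields minutes 0–58, so the window is 00:00–02:58; use `% 4` and `% 60`, or correct the comment. Since the Dockerfile runs this at build time, `$RANDOM` is drawn once per image rather than per container (raised on the Dockerfile hunk above). The commented-out crond lines at the end are dead and PATCH 2/3 removes them.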
--- a/container_files/bin/startup.sh
+++ b/container_files/bin/startup.sh
@@ -16,7 +16,10 @@ crontab ${CRONFILE}
 touch /var/log/cron.log
 
 #start crond
-/usr/sbin/crond
+/usr/sbin/crond -n
+#if crond args are needed, then:
+#source /etc/sysconfig/crond && exec /usr/sbin/crond -n $CRONDARGS
+
 
 #start tomcat
-/usr/local/tomcat/bin/catalina.sh run
+#/usr/local/tomcat/bin/catalina.sh run
diff --git a/container_files/system/supervisord.conf b/container_files/system/supervisord.conf
new file mode 100644
index 0000000..6af4ba5
--- /dev/null
+++ b/container_files/system/supervisord.conf
@@ -0,0 +1,23 @@
+[supervisord]
+nodaemon=true
+
+[program:cron]
+command=/usr/sbin/crond -n
+autostart=true
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+directory=/usr/bin
+
+[program:tomcat]
+command=/usr/local/tomcat/bin/catalina.sh run
+autostart=true
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
From f2a8448ae33f64c965a170023f1668a04347fdca Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Fri, 5 Jan 2018 17:00:58 -0600
Subject: [PATCH 2/3] a few minor fixes
---
 Dockerfile | 108 ++++++++++++++----------------
 container_files/bin/setupcron.sh | 5 --
 2 files changed, 49 insertions(+), 64 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 89fe300..1dafb08 100644
--- a/Dockerfile
+++ b/Dockerfile
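Review bot: After this commit the Dockerfile no longer copies `container_files/bin/startup.sh` (its `ADD` and `chmod` lines were removed in the Dockerfile hunk above), so the edits here — `crond -n` in the foreground and the commented-out `catalina.sh run` — change a script that nothing executes. Either delete the file in this commit or keep it as a documented alternative to supervisord; as written, a foreground `crond -n` never returns and Tomcat would not start if someone did run the script. The script begins above this hunk.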
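Review bot: Both `[program:*]` sections set `redirect_stderr=true` together with `stderr_logfile=/dev/stderr`; with redirect on, the child's stderr is merged into stdout and the `stderr_logfile*` settings are ignored (supervisord warns that the filename is ignored), so drop the two `stderr_logfile` lines or set `redirect_stderr=false`. Neither program sets `user=`, so crond and Tomcat run as the user supervisord runs as — root unless a `USER` directive not visible here changes it — and a Tomcat running as root gives any code it executes root inside the container; set `user=` for the tomcat program and leave only crond privileged. `autorestart=true` on the tomcat program keeps relaunching a Tomcat that fails during startup instead of letting the container exit, which hides a broken IdP configuration from the orchestrator until the HEALTHCHECK notices; `autorestart=unexpected` is the usual choice.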
@@ -5,43 +5,41 @@ FROM centos:centos7
 ########################
 #
 ##java
-ENV JAVA_VERSION=8u152
-ENV BUILD_VERSION=b16
-ENV JAVA_BUNDLE_ID=aa0333dd3019491ca4f6ddbe78cdb6d0
+ENV JAVA_VERSION=8u152 \
+ BUILD_VERSION=b16 \
+ JAVA_BUNDLE_ID=aa0333dd3019491ca4f6ddbe78cdb6d0 \
 ##tomcat
-ENV TOMCAT_MAJOR=8
-ENV TOMCAT_VERSION=8.5.24
+ TOMCAT_MAJOR=8 \
+ TOMCAT_VERSION=8.5.24 \
 ##shib-idp
-ENV VERSION=3.3.2
+ VERSION=3.3.2 \
 ##TIER
-ENV TIERVERSION=18011
+ TIERVERSION=18011 \
 
 ##################
 ### OTHER VARS ###
 ##################
 #
 #global
-ENV IMAGENAME=shibboleth_idp
-ENV MAINTAINER=tier
+ IMAGENAME=shibboleth_idp \
+ MAINTAINER=tier \
 #java
-ENV JAVA_HOME=/usr/java/latest
-ENV JAVA_OPTS=-Xmx3000m -XX:MaxPermSize=256m
+ JAVA_HOME=/usr/java/latest \
+ JAVA_OPTS=-Xmx3000m -XX:MaxPermSize=256m \
 #tomcat
-ENV CATALINA_HOME=/usr/local/tomcat
-ENV TOMCAT_TGZ_URL=https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz
-ENV PATH=$CATALINA_HOME/bin:$JAVA_HOME/bin:$PATH
+ CATALINA_HOME=/usr/local/tomcat
+ENV TOMCAT_TGZ_URL=https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz \
+ PATH=$CATALINA_HOME/bin:$JAVA_HOME/bin:$PATH \
 #shib-idp
-ENV SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION
-ENV SHIB_PREFIX=shibboleth-identity-provider-$VERSION
+ SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION \
+ SHIB_PREFIX=shibboleth-identity-provider-$VERSION
 
 #set labels
-LABEL Vendor="Internet2"
-LABEL ImageType="Shibboleth IDP Release"
-LABEL ImageName=$imagename
-LABEL ImageOS=centos7
-LABEL Version=$VERSION
-
-
+LABEL Vendor="Internet2" \
+ ImageType="Shibboleth IDP Release" \
+ ImageName=$imagename \
+ ImageOS=centos7 \
+ Version=$VERSION
 
 #########################
 ### BEGIN IMAGE BUILD ###
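Review bot: `JAVA_OPTS=-Xmx3000m -XX:MaxPermSize=256m \` in the merged ENV is unquoted, and in `key=value` form Docker splits on whitespace, so it is read as two pairs — `JAVA_OPTS=-Xmx3000m` plus a variable named `-XX:MaxPermSize` — and Tomcat never sees the second flag; quote it, `JAVA_OPTS="-Xmx3000m -XX:MaxPermSize=256m" \` (the Java 8 JVM ignores `MaxPermSize`, so it can also simply go). The blank line after `TIERVERSION=18011 \` is an empty continuation line inside the ENV, which Docker reports as a deprecation warning and intends to reject; remove the blank or end the first ENV there and open a new one after the `OTHER VARS` banner. `ImageName=$imagename` in the LABEL reads a lowercase name that is never set (the variable is `IMAGENAME`), so the label is empty; use `$IMAGENAME`. The `##tomcat`/`#java` comment lines inside the continuation are dropped by the parser, so they work, but they read as if the instruction had ended.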
@@ -55,10 +53,10 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
 yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cron krb5-workstation openssl-devel wget supervisor && \
 yum -y clean all && \
- mkdir -p /opt/tier
-
+ mkdir -p /opt/tier && \
 # Install Trusted Certificates
-RUN update-ca-trust force-enable
+ update-ca-trust force-enable
+
 ADD container_files/cert/InCommon.crt /etc/pki/ca-trust/source/anchors/
 RUN update-ca-trust extract
 
@@ -84,8 +82,7 @@ RUN update-ca-trust extract
 
 # Uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
 # ==> By uncommenting these next 8 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN yum -y install unzip \
-# && wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
+# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
 # http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
 # && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 jce_policy-8.zip" | sha256sum -c - \
 # && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
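Review bot: The `# Install Trusted Certificates` comment now sits between `mkdir -p /opt/tier && \` and `update-ca-trust force-enable` inside a single RUN; the parser discards comment lines inside a continuation so it builds, but the chain visually ends at `mkdir` and a bare command follows. Enabling the CA trust store is unrelated to installing packages and gains nothing from sharing that layer, so keep `RUN update-ca-trust force-enable` as its own instruction, or fold it into the `RUN update-ca-trust extract` step below, which runs the same tool. The package list in this hunk still repeats `wget` three times and `unzip` twice.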
@@ -100,31 +97,26 @@ ADD container_files/idp/ldap.merge.properties /tmp/ldap.merge.properties
 
 # Install IdP
 RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
- wget -q https://shibboleth.net/downloads/PGP_KEYS \
+ wget -q https://shibboleth.net/downloads/PGP_KEYS \
 $SHIB_RELDIR/$SHIB_PREFIX.tar.gz \
- $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.asc \
- $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.q && \
+ $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.asc && \
 # Perform verifications
- gpg --import PGP_KEYS && \
- gpg $SHIB_PREFIX.tar.gz.asc && \
- gpg --batch --verify $SHIB_PREFIX.tar.gz.asc $SHIB_PREFIX.tar.gz
- sha256sum --check $SHIB_PREFIX.tar.gz.sha256 && \
+ gpg --import PGP_KEYS && \
+ gpg $SHIB_PREFIX.tar.gz.asc && \
+ gpg --batch --verify $SHIB_PREFIX.tar.gz.asc $SHIB_PREFIX.tar.gz && \
 # Unzip
- tar xf $SHIB_PREFIX.tar.gz && \
+ tar xf $SHIB_PREFIX.tar.gz && \
 # Install
- cd /tmp/shibboleth/$SHIB_PREFIX && \
- ./bin/install.sh \
- -Didp.noprompt=true \
- -Didp.property.file=/tmp/idp.installer.properties && \
+ cd /tmp/shibboleth/$SHIB_PREFIX && \
+ ./bin/install.sh \
+ -Didp.noprompt=true \
+ -Didp.property.file=/tmp/idp.installer.properties && \
 # Cleanup
- rm -rf /tmp/shibboleth
-
+ cd ~ && \
+ rm -rf /tmp/shibboleth
 
-# Install tomcat
-RUN mkdir -p "$CATALINA_HOME"
-
-#WORKDIR $CATALINA_HOME
-RUN set -x \
+# Install tomcat
+RUN mkdir -p "$CATALINA_HOME" && set -x \
 && wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
 && wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
 && wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
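Review bot: With the `.sha256` step removed, the only integrity gate on the Shibboleth tarball is `gpg --batch --verify`, which succeeds for a signature by any key in the `PGP_KEYS` file that this same RUN just downloaded, so the check only proves that the tarball and the key file came from the same server at build time. Ship the expected signing key, or at least its fingerprint, in `container_files` and verify the signer against it — the approach the removed Tomcat fingerprint list took — rather than trusting whatever the site serves. `gpg $SHIB_PREFIX.tar.gz.asc` on the line before the verify duplicates it and runs outside `--batch`; drop it. `SHIB_RELDIR` is `http://`, so the tarball crosses the network unauthenticated until gpg runs, while the `PGP_KEYS` URL shows the same host serving `https://`. The Tomcat RUN opened at the end of this hunk continues past it.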
@@ -135,25 +127,23 @@ RUN set -x \
 && rm $CATALINA_HOME/bin/*.bat \
 && rm $CATALINA_HOME/tomcat.tar.gz* \
 && mkdir -p $CATALINA_HOME/conf/Catalina \
- && curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
+ && curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar \
+ && rm -rf /usr/local/tomcat/webapps/* \
+ && ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
+
 ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
 ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
 
-RUN rm -rf /usr/local/tomcat/webapps/* && \
- ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
-
-
 # Copy TIER helper scripts
 ADD container_files/bin/setenv.sh /opt/tier/setenv.sh
-RUN chmod +x /opt/tier/setenv.sh
 ADD container_files/bin/setupcron.sh /usr/bin/setupcron.sh
-RUN chmod +x /usr/bin/setupcron.sh
 ADD container_files/bin/sendtierbeacon.sh /usr/bin/sendtierbeacon.sh
-RUN chmod +x /usr/bin/sendtierbeacon.sh
 ADD container_files/system/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-
+RUN chmod +x /opt/tier/setenv.sh \
+ && chmod +x /usr/bin/setupcron.sh \
+ && chmod +x /usr/bin/sendtierbeacon.sh \
 # setup cron
-RUN /usr/bin/setupcron.sh
+ && /usr/bin/setupcron.sh
 
 ###############################################
 ### Settings for a mounted config (default) ###
@@ -213,5 +203,5 @@ HEALTHCHECK --interval=2m --timeout=30s \
 CMD curl -k -f https://127.0.0.1/idp/status || exit 1
 
 
-# Start tomcat/crond
-CMD ["/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf"]
+# Start tomcat/crond via supervisor
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
diff --git a/container_files/bin/setupcron.sh b/container_files/bin/setupcron.sh
index ef83b84..ee1ec96 100644
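Review bot: The rewritten `curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/...` has no `-f`, so an HTTP error body would be saved as the jar and the build would continue, and it is the only download in this RUN with neither a signature nor a digest check; use `curl -fsSL -o /usr/local/tomcat/lib/jstl1.2.jar <URL> \` followed by `&& echo "<EXPECTED_SHA256>  /usr/local/tomcat/lib/jstl1.2.jar" | sha256sum -c - \` with the expected digest recorded in the Dockerfile. `rm $CATALINA_HOME/tomcat.tar.gz*` above does not match the `$CATALINA_HOME/KEYS` file imported earlier in this RUN, so the keyring file stays in the image. The RUN begins above this hunk.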
--- a/container_files/bin/setupcron.sh
+++ b/container_files/bin/setupcron.sh
@@ -16,8 +16,3 @@ crontab ${CRONFILE}
 #create cron logfile
 touch /var/log/cron.log
 
-#start crond
-#/usr/sbin/crond -n
-#if crond args are needed, then:
-#source /etc/sysconfig/crond && exec /usr/sbin/crond -n $CRONDARGS
-#the above will be handled by supervisord
From 870ee25546d9d93a006a59e588d9896a09f693f4 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Mon, 22 Jan 2018 15:45:10 -0600
Subject: [PATCH 3/3] bump Java version
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1dafb08..16d51e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,9 +5,9 @@ FROM centos:centos7
 ########################
 #
 ##java
-ENV JAVA_VERSION=8u152 \
- BUILD_VERSION=b16 \
- JAVA_BUNDLE_ID=aa0333dd3019491ca4f6ddbe78cdb6d0 \
+ENV JAVA_VERSION=8u162 \
+ BUILD_VERSION=b12 \
+ JAVA_BUNDLE_ID=0da788060d494f5095bf8624735fa2f1 \
 ##tomcat
 TOMCAT_MAJOR=8 \
 TOMCAT_VERSION=8.5.24 \