updates, supervisord

Dockerfile

@@ -5,43 +5,41 @@ FROM centos:centos7
 ########################
 #
 ##java
-ENV JAVA_VERSION=8u152
-ENV BUILD_VERSION=b16
-ENV JAVA_BUNDLE_ID=aa0333dd3019491ca4f6ddbe78cdb6d0
+ENV JAVA_VERSION=8u162 \
+    BUILD_VERSION=b12 \
+    JAVA_BUNDLE_ID=0da788060d494f5095bf8624735fa2f1 \
 ##tomcat
-ENV TOMCAT_MAJOR=8
-ENV TOMCAT_VERSION=8.0.47
+    TOMCAT_MAJOR=8 \
+    TOMCAT_VERSION=8.5.24 \
 ##shib-idp
-ENV VERSION=3.3.2
+    VERSION=3.3.2 \
 ##TIER
-ENV TIERVERSION=17110
+    TIERVERSION=18011 \
 
 ##################
 ### OTHER VARS ###
 ##################
 #
 #global
-ENV IMAGENAME=shibboleth_idp
-ENV MAINTAINER=tier
+    IMAGENAME=shibboleth_idp \
+    MAINTAINER=tier \
 #java
-ENV JAVA_HOME=/usr/java/latest
-ENV JAVA_OPTS=-Xmx3000m -XX:MaxPermSize=256m
+    JAVA_HOME=/usr/java/latest \
+    JAVA_OPTS=-Xmx3000m -XX:MaxPermSize=256m \
 #tomcat
-ENV CATALINA_HOME=/usr/local/tomcat
-ENV TOMCAT_TGZ_URL=https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz
-ENV PATH=$CATALINA_HOME/bin:$JAVA_HOME/bin:$PATH
+    CATALINA_HOME=/usr/local/tomcat
+ENV TOMCAT_TGZ_URL=https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz \
+    PATH=$CATALINA_HOME/bin:$JAVA_HOME/bin:$PATH \
 #shib-idp
-ENV SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION
-ENV SHIB_PREFIX=shibboleth-identity-provider-$VERSION
+    SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION \
+    SHIB_PREFIX=shibboleth-identity-provider-$VERSION
 
 #set labels
-LABEL Vendor="Internet2"
-LABEL ImageType="Shibboleth IDP Release"
-LABEL ImageName=$imagename
-LABEL ImageOS=centos7
-LABEL Version=$VERSION
-
-
+LABEL Vendor="Internet2" \
+      ImageType="Shibboleth IDP Release" \
+      ImageName=$imagename \
+      ImageOS=centos7 \
+      Version=$VERSION
 
 #########################
 ### BEGIN IMAGE BUILD ###
@@ -52,13 +50,13 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
     && echo "NETWORKING=yes" > /etc/sysconfig/network
 
 # Install base deps
-RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && \
-    yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cron krb5-workstation openssl-devel wget && \
+RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
+    yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cron krb5-workstation openssl-devel wget supervisor && \
     yum -y clean all && \
-    mkdir -p /opt/tier
-
+    mkdir -p /opt/tier && \
 # Install Trusted Certificates
-RUN update-ca-trust force-enable
+    update-ca-trust force-enable
+
 ADD container_files/cert/InCommon.crt /etc/pki/ca-trust/source/anchors/
 RUN update-ca-trust extract
 
@@ -84,8 +82,7 @@ RUN update-ca-trust extract
 
 # Uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.  
 #     ==> By uncommenting these next 8 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN yum -y install unzip \
-#     && wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
+# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
 #     http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
 #     && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59  jce_policy-8.zip" | sha256sum -c - \
 #     && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
@@ -100,74 +97,53 @@ ADD container_files/idp/ldap.merge.properties /tmp/ldap.merge.properties
 
 # Install IdP
 RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
-      wget -q https://shibboleth.net/downloads/PGP_KEYS \
+    wget -q https://shibboleth.net/downloads/PGP_KEYS \
            $SHIB_RELDIR/$SHIB_PREFIX.tar.gz \ 
-           $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.asc \
-           $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.sha256 && \
+           $SHIB_RELDIR/$SHIB_PREFIX.tar.gz.asc && \
 # Perform verifications
-           gpg --import PGP_KEYS && \
-           gpg $SHIB_PREFIX.tar.gz.asc && \
-           sha256sum --check $SHIB_PREFIX.tar.gz.sha256 && \
+    gpg --import PGP_KEYS && \
+    gpg $SHIB_PREFIX.tar.gz.asc && \
+	gpg --batch --verify $SHIB_PREFIX.tar.gz.asc $SHIB_PREFIX.tar.gz && \
 # Unzip
-           tar xf $SHIB_PREFIX.tar.gz && \
+    tar xf $SHIB_PREFIX.tar.gz && \
 # Install
-           cd /tmp/shibboleth/$SHIB_PREFIX && \
-		   ./bin/install.sh \
-               -Didp.noprompt=true \
-			   -Didp.property.file=/tmp/idp.installer.properties && \
+    cd /tmp/shibboleth/$SHIB_PREFIX && \
+	./bin/install.sh \
+        -Didp.noprompt=true \
+	    -Didp.property.file=/tmp/idp.installer.properties && \
 # Cleanup
-           rm -rf /tmp/shibboleth
-
-
-# Install tomcat           
-RUN mkdir -p "$CATALINA_HOME"
-
-## Not having trouble with this locally [JVF]
-## see https://www.apache.org/dist/tomcat/tomcat-8/KEYS
-## RUN set -ex \
-##     && for key in \
-##         05AB33110949707C93A279E3D3EFE6B686867BA6 \
-##         07E48665A34DCAFAE522E5E6266191C37C037D42 \
-##         47309207D818FFD8DCD3F83F1931D684307A10A5 \
-##         541FBE7D8F78B25E055DDEE13C370389288584E7 \
-##         61B832AC2F1C5A90F0F9B00A1C506407564C17A3 \
-##         713DA88BE50911535FE716F5208B0AB1D63011C7 \
-##         79F7026C690BAA50B92CD8B66A3AD3F4F22C4FED \
-##         9BA44C2621385CB966EBA586F72C284D731FABEE \
-##         A27677289986DB50844682F8ACB77FC2E86E29AC \
-##         A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 \
-##         DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 \
-##         F3A04C595DB5B6A5F1ECA43E3B7BBB100D811BBE \
-##         F7DA48BB64BCB84ECBA7EE6935CD23C10D498E23 \
-##     ; do \
-##         gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
-##     done
-
-#WORKDIR $CATALINA_HOME
-RUN set -x \
+    cd ~ && \
+    rm -rf /tmp/shibboleth
+
+# Install tomcat
+RUN mkdir -p "$CATALINA_HOME" && set -x \
 	&& wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
 	&& wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
-#	&& gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
+	&& wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
+    && gpg --import $CATALINA_HOME/KEYS \
+    && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
+	&& gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
 	&& tar -xvf $CATALINA_HOME/tomcat.tar.gz -C $CATALINA_HOME --strip-components=1 \
 	&& rm $CATALINA_HOME/bin/*.bat \
 	&& rm $CATALINA_HOME/tomcat.tar.gz* \
     && mkdir -p $CATALINA_HOME/conf/Catalina \
-    && curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
+    && curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar \
+	&& rm -rf /usr/local/tomcat/webapps/* \
+	&& ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
+
 ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
 ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
-RUN rm -rf /usr/local/tomcat/webapps/* && \
-    ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
-
-
 
 # Copy TIER helper scripts
 ADD container_files/bin/setenv.sh /opt/tier/setenv.sh
-RUN chmod +x /opt/tier/setenv.sh
-ADD container_files/bin/startup.sh /usr/bin/startup.sh
-RUN chmod +x /usr/bin/startup.sh
+ADD container_files/bin/setupcron.sh /usr/bin/setupcron.sh
 ADD container_files/bin/sendtierbeacon.sh /usr/bin/sendtierbeacon.sh
-RUN chmod +x /usr/bin/sendtierbeacon.sh
-
+ADD container_files/system/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+RUN chmod +x /opt/tier/setenv.sh \
+    && chmod +x /usr/bin/setupcron.sh \
+    && chmod +x /usr/bin/sendtierbeacon.sh \
+# setup cron
+    && /usr/bin/setupcron.sh
 
 ###############################################
 ### Settings for a mounted config (default) ###
@@ -227,5 +203,5 @@ HEALTHCHECK --interval=2m --timeout=30s \
   CMD curl -k -f https://127.0.0.1/idp/status || exit 1
 
 
-# Start tomcat/crond
-CMD ["/usr/bin/startup.sh"]
+# Start tomcat/crond via supervisor
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

container_files/bin/setupcron.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+CRONFILE=/opt/tier/tier-cron
+
+#set env vars for cron job
+#  this script creates /opt/tier/env.bash which is sourced by the cron job's script, which was not seeing the environment set by the Dockerfile
+/opt/tier/setenv.sh
+
+#build crontab file with random start time between midnight and 3:59am
+echo "#send daily beacon to TIER Central" > ${CRONFILE}
+echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE}
+chmod 644 ${CRONFILE}
+
+#install crontab
+crontab ${CRONFILE}
+
+#create cron logfile
+touch /var/log/cron.log
+

container_files/bin/startup.sh

@@ -16,7 +16,10 @@ crontab ${CRONFILE}
 touch /var/log/cron.log
 
 #start crond
-/usr/sbin/crond
+/usr/sbin/crond -n
+#if crond args are needed, then:
+#source /etc/sysconfig/crond && exec /usr/sbin/crond -n $CRONDARGS
+
 
 #start tomcat
-/usr/local/tomcat/bin/catalina.sh run
+#/usr/local/tomcat/bin/catalina.sh run

container_files/system/supervisord.conf

@@ -0,0 +1,23 @@
+[supervisord]
+nodaemon=true
+
+[program:cron]
+command=/usr/sbin/crond -n
+autostart=true
+autorestart=true
+redirect_stderr=true 
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+directory=/usr/bin
+
+[program:tomcat]
+command=/usr/local/tomcat/bin/catalina.sh run
+autostart=true
+autorestart=true
+redirect_stderr=true 
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0