Permalink
Showing
with
246 additions
and 37 deletions.
- +25 −7 Dockerfile
- +29 −23 README.md
- +0 −7 container_files/system/httpd-shib-foreground
- +28 −0 container_files/system/sendtierbeacon.sh
- +6 −0 container_files/system/setenv.sh
- +18 −0 container_files/system/setupcron.sh
- +27 −0 container_files/system/startup.sh
- +37 −0 container_files/system/supervisord.conf
- +73 −0 tests/clairscan.sh
- +3 −0 tests/image.bats
| @@ -1,28 +1,34 @@ | ||
| # shibboleth-sp | ||
| # TIER shibboleth-sp | ||
|
|
||
| [](https://jenkins.testbed.tier.internet2.edu/job/docker/shib-sp/master) | ||
|
|
||
| This is the TIER upstream Shibboleth SP container. | ||
|
|
||
| It is based from CentOS 7 and includes httpd, mod_ssl, and the current shibboleth SP. | ||
|
|
||
| Files you must supply/override in your downstream builds: | ||
|
|
||
| The SP's private key and corresponding certificate (very important!) can be generated in your downstream container like this: | ||
| RUN /usr/local/bin/shibboleth_keygen.sh -o /etc/shibboleth -f | ||
|
|
||
| ...that command generates/overwrites the following files: | ||
| /etc/shibboleth/sp-key.pem | ||
|
|
||
| /etc/shibboleth/sp-cert.pem | ||
|
|
||
| /etc/httpd/conf.d/ssl.conf | ||
| including: | ||
| ServerName fqdn:port | ||
| UseCanonicalName On | ||
|
|
||
| /etc/shibboleth/shibboleth2.xml | ||
| including: | ||
| entityID | ||
| This is the TIER upstream Shibboleth SP container. | ||
|
|
||
| It is based from CentOS 7 and includes httpd, mod_ssl, and the current shibboleth SP. | ||
|
|
||
| Files you must supply/override in your downstream builds: | ||
|
|
||
| 1. The SP's ***private key and corresponding certificate*** (very important!), which can be generated in your downstream container like this: | ||
| > RUN /usr/local/bin/shibboleth_keygen.sh -o /etc/shibboleth -f | ||
| > | ||
| > ...that command generates/overwrites the following files: | ||
| > /etc/shibboleth/sp-key.pem | ||
| > /etc/shibboleth/sp-cert.pem | ||
| 2. ***/etc/httpd/conf.d/ssl.conf*** | ||
| > including: | ||
| > ServerName fqdn:port | ||
| > UseCanonicalName On | ||
| 3. ***/etc/shibboleth/shibboleth2.xml*** | ||
| > including: | ||
| > entityID | ||
| <br /><br /> | ||
| ***New in the 3.0 release:*** | ||
| >The image is based from the public CentOS7 image | ||
| >The TIER logging format has been implemented for shibd and httpd | ||
| >Everything now runs under supervisord | ||
| >The TIER Beacon has been implemented | ||
| >The file */etc/httpd/conf.d/ssl.conf* is now the default CentOS7 file | ||
|
|
| @@ -0,0 +1,28 @@ | ||
| #!/bin/bash | ||
| LOGHOST="collector.testbed.tier.internet2.edu" | ||
| LOGPORT="5001" | ||
| if [ -s /opt/tier/env.bash ]; then | ||
| . /opt/tier/env.bash | ||
| fi | ||
|
|
||
| #JSON/REST style | ||
| LOGTEXT="{ \"msgType\" : \"TIERBEACON\", \"msgName\" : \"TIER\", \"msgVersion\" : \"1.0\", \"tbProduct\" : \"$IMAGENAME\", \"tbProductVersion\" : \"$VERSION\", \"tbTIERRelease\" : \"$TIERVERSION\", \"tbMaintainer\" : \"$MAINTAINER\" }" | ||
|
|
||
|
|
||
| if [ -z "$TIER_BEACON_OPT_OUT" ]; then | ||
| #send JSON | ||
| echo $LOGTEXT > msgjson.txt | ||
| curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T msgjson.txt 1>/dev/null | ||
| if [ $? -eq 0 ]; then | ||
| echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; TIER beacon sent" | ||
| else | ||
| echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; Failed to send TIER beacon" | ||
| fi | ||
|
|
||
| rm -f msgjson.txt | ||
|
|
||
| #below is for syslog, F-TICKS style | ||
| #`logger -n $LOGHOST -P $LOGPORT -t TIERBEACON $LOGTEXT` | ||
|
|
||
| fi | ||
|
|
| @@ -0,0 +1,6 @@ | ||
| #!/bin/bash | ||
| printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^VERSION" > /opt/tier/env.bash | ||
| printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIERVERSION" >> /opt/tier/env.bash | ||
| printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^IMAGE" >> /opt/tier/env.bash | ||
| printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MAINTAINER" >> /opt/tier/env.bash | ||
|
|
| @@ -0,0 +1,18 @@ | ||
| #!/bin/bash | ||
| CRONFILE=/opt/tier/tier-cron | ||
|
|
||
| #set env vars for cron job | ||
| # this script creates /opt/tier/env.bash which is sourced by the cron job's script, which was not seeing the environment set by the Dockerfile | ||
| /opt/tier/setenv.sh | ||
|
|
||
| #build crontab file with random start time between midnight and 3:59am | ||
| echo "#send daily beacon to TIER Central" > ${CRONFILE} | ||
| echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE} | ||
| chmod 644 ${CRONFILE} | ||
|
|
||
| #install crontab | ||
| crontab ${CRONFILE} | ||
|
|
||
| #create cron logfile | ||
| touch /var/log/cron.log | ||
|
|
| @@ -0,0 +1,27 @@ | ||
| #!/bin/sh | ||
|
|
||
| #for passed-in env vars, remove spaces and replace any ; with : in usertoken env var since we will use ; as a delimiter | ||
| export USERTOKEN="${USERTOKEN//;/:}" | ||
| export USERTOKEN="${USERTOKEN// /}" | ||
| export ENV="${ENV//;/:}" | ||
| export ENV="${ENV// /}" | ||
|
|
||
| # generic console logging pipe for anyone | ||
| mkfifo -m 666 /tmp/logpipe | ||
| cat <> /tmp/logpipe 1>&2 & | ||
|
|
||
| mkfifo -m 666 /tmp/logcrond | ||
| (cat <> /tmp/logcrond | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "crond;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & | ||
|
|
||
| mkfifo -m 666 /tmp/loghttpd | ||
| (cat <> /tmp/loghttpd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "httpd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & | ||
|
|
||
| mkfifo -m 666 /tmp/logsuperd | ||
| (cat <> /tmp/logsuperd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "supervisord;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & | ||
|
|
||
| mkfifo -m 666 /tmp/logshibd | ||
| (cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shibd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & | ||
|
|
||
| #launch supervisord | ||
| /usr/bin/supervisord -c /etc/supervisor/supervisord.conf | ||
|
|
| @@ -0,0 +1,37 @@ | ||
| [supervisord] | ||
| logfile=/tmp/logsuperd | ||
| logfile_maxbytes=0 | ||
| loglevel=error | ||
| nodaemon=true | ||
| user=root | ||
|
|
||
| [program:cron] | ||
| command=/usr/sbin/crond -n | ||
| autostart=true | ||
| autorestart=true | ||
| stdout_logfile=/tmp/logcrond | ||
| stdout_logfile_maxbytes=0 | ||
| stderr_logfile=/tmp/logcrond | ||
| stderr_logfile_maxbytes=0 | ||
| directory=/usr/bin | ||
|
|
||
| [program:httpd] | ||
| command=httpd -DFOREGROUND | ||
| autostart=true | ||
| autorestart=true | ||
| stdout_logfile=/tmp/loghttpd | ||
| stdout_logfile_maxbytes=0 | ||
| stderr_logfile=/tmp/loghttpd | ||
| stderr_logfile_maxbytes=0 | ||
|
|
||
| [program:shibd] | ||
| command=/usr/sbin/shibd | ||
| autostart=true | ||
| autorestart=true | ||
| stdout_logfile=/tmp/logshibd | ||
| stdout_logfile_maxbytes=0 | ||
| stderr_logfile=/tmp/logshibd | ||
| stderr_logfile_maxbytes=0 | ||
|
|
||
| [include] | ||
| files=/etc/supervisor/conf.d/* |
| @@ -0,0 +1,73 @@ | ||
| #!/bin/bash | ||
|
|
||
| startsecs=$(date +'%s') | ||
| starttime=$(date +%H:%M:%S) | ||
|
|
||
| echo 'starting:' ${starttime} | ||
|
|
||
| #ensure clair-scanner | ||
| if [ ! -s ./clair-scanner ]; then | ||
| echo 'downloading curl-scanner...' | ||
| curl -s -L -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 | ||
| chmod 755 clair-scanner | ||
| else | ||
| echo 'using existing clair-scanner...' | ||
| fi | ||
|
|
||
| #ensure DB container | ||
| echo 'ensuring a fresh clair-db container...' | ||
| docker ps | grep clair-db &>/dev/null | ||
| if [ $? == "0" ]; then | ||
| echo 'removing existing clair-db container...' | ||
| docker kill db &>/dev/null | ||
| docker rm db &>/dev/null | ||
| docker run -p 5432:5432 -d --name db arminc/clair-db:latest &>/dev/null | ||
| else | ||
| docker run -p 5432:5432 -d --name db arminc/clair-db:latest &>/dev/null | ||
| fi | ||
| sleep 30 | ||
|
|
||
| #ensure clair-scan container | ||
| echo 'ensuring a fresh clair-scan container...' | ||
| docker ps | grep clair-local-scan &>/dev/null | ||
| if [ $? == "0" ]; then | ||
| echo 'removing existing clair-scan container...' | ||
| docker kill clair &>/dev/null | ||
| docker rm clair &>/dev/null | ||
| docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null | ||
| else | ||
| docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null | ||
| fi | ||
| sleep 30 | ||
|
|
||
| #get ip where clair-scanner will listen | ||
| clairip=$(/sbin/ifconfig docker0 | grep 'inet ' | sed 's/^[[:space:]]*//g' | cut -f 2 -d ' ' | sed 's/^[[:space:]]*//g') | ||
| echo 'sending ip addr' ${clairip} 'to clair-scan server...' | ||
|
|
||
| #run scan | ||
| echo 'running scan...' | ||
| ./clair-scanner --ip ${clairip} $1 | ||
| retcode=$? | ||
|
|
||
| #eval results | ||
| if [ $retcode == '0' ]; then | ||
| echo 'scan found nothing.' | ||
| else | ||
| echo 'scan found issues.' | ||
| fi | ||
|
|
||
| #cleanup | ||
| echo 'removing temporary containers...' | ||
| docker kill clair &>/dev/null | ||
| docker rm clair &>/dev/null | ||
| docker kill db &>/dev/null | ||
| docker rm db &>/dev/null | ||
|
|
||
| endsecs=$(date +'%s') | ||
| endtime=$(date +%H:%M:%S) | ||
| echo 'finished:' $endtime ' ('$((endsecs - startsecs)) 'seconds)' | ||
| echo "" | ||
|
|
||
| #pass along return code from scan | ||
| exit $retcode | ||
|
|