Permalink
Showing
with
246 additions
and 37 deletions.
- +25 −7 Dockerfile
- +29 −23 README.md
- +0 −7 container_files/system/httpd-shib-foreground
- +28 −0 container_files/system/sendtierbeacon.sh
- +6 −0 container_files/system/setenv.sh
- +18 −0 container_files/system/setupcron.sh
- +27 −0 container_files/system/startup.sh
- +37 −0 container_files/system/supervisord.conf
- +73 −0 tests/clairscan.sh
- +3 −0 tests/image.bats
@@ -1,28 +1,34 @@ | ||
# shibboleth-sp | ||
# TIER shibboleth-sp | ||
|
||
[](https://jenkins.testbed.tier.internet2.edu/job/docker/shib-sp/master) | ||
|
||
This is the TIER upstream Shibboleth SP container. | ||
|
||
It is based from CentOS 7 and includes httpd, mod_ssl, and the current shibboleth SP. | ||
|
||
Files you must supply/override in your downstream builds: | ||
|
||
The SP's private key and corresponding certificate (very important!) can be generated in your downstream container like this: | ||
RUN /usr/local/bin/shibboleth_keygen.sh -o /etc/shibboleth -f | ||
|
||
...that command generates/overwrites the following files: | ||
/etc/shibboleth/sp-key.pem | ||
|
||
/etc/shibboleth/sp-cert.pem | ||
|
||
/etc/httpd/conf.d/ssl.conf | ||
including: | ||
ServerName fqdn:port | ||
UseCanonicalName On | ||
|
||
/etc/shibboleth/shibboleth2.xml | ||
including: | ||
entityID | ||
This is the TIER upstream Shibboleth SP container. | ||
|
||
It is based from CentOS 7 and includes httpd, mod_ssl, and the current shibboleth SP. | ||
|
||
Files you must supply/override in your downstream builds: | ||
|
||
1. The SP's ***private key and corresponding certificate*** (very important!), which can be generated in your downstream container like this: | ||
> RUN /usr/local/bin/shibboleth_keygen.sh -o /etc/shibboleth -f | ||
> | ||
> ...that command generates/overwrites the following files: | ||
> /etc/shibboleth/sp-key.pem | ||
> /etc/shibboleth/sp-cert.pem | ||
2. ***/etc/httpd/conf.d/ssl.conf*** | ||
> including: | ||
> ServerName fqdn:port | ||
> UseCanonicalName On | ||
3. ***/etc/shibboleth/shibboleth2.xml*** | ||
> including: | ||
> entityID | ||
<br /><br /> | ||
***New in the 3.0 release:*** | ||
>The image is based from the public CentOS7 image | ||
>The TIER logging format has been implemented for shibd and httpd | ||
>Everything now runs under supervisord | ||
>The TIER Beacon has been implemented | ||
>The file */etc/httpd/conf.d/ssl.conf* is now the default CentOS7 file | ||
|
@@ -0,0 +1,28 @@ | ||
#!/bin/bash | ||
LOGHOST="collector.testbed.tier.internet2.edu" | ||
LOGPORT="5001" | ||
if [ -s /opt/tier/env.bash ]; then | ||
. /opt/tier/env.bash | ||
fi | ||
|
||
#JSON/REST style | ||
LOGTEXT="{ \"msgType\" : \"TIERBEACON\", \"msgName\" : \"TIER\", \"msgVersion\" : \"1.0\", \"tbProduct\" : \"$IMAGENAME\", \"tbProductVersion\" : \"$VERSION\", \"tbTIERRelease\" : \"$TIERVERSION\", \"tbMaintainer\" : \"$MAINTAINER\" }" | ||
|
||
|
||
if [ -z "$TIER_BEACON_OPT_OUT" ]; then | ||
#send JSON | ||
echo $LOGTEXT > msgjson.txt | ||
curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T msgjson.txt 1>/dev/null | ||
if [ $? -eq 0 ]; then | ||
echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; TIER beacon sent" | ||
else | ||
echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; Failed to send TIER beacon" | ||
fi | ||
|
||
rm -f msgjson.txt | ||
|
||
#below is for syslog, F-TICKS style | ||
#`logger -n $LOGHOST -P $LOGPORT -t TIERBEACON $LOGTEXT` | ||
|
||
fi | ||
|
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^VERSION" > /opt/tier/env.bash | ||
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIERVERSION" >> /opt/tier/env.bash | ||
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^IMAGE" >> /opt/tier/env.bash | ||
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MAINTAINER" >> /opt/tier/env.bash | ||
|
@@ -0,0 +1,18 @@ | ||
#!/bin/bash | ||
CRONFILE=/opt/tier/tier-cron | ||
|
||
#set env vars for cron job | ||
# this script creates /opt/tier/env.bash which is sourced by the cron job's script, which was not seeing the environment set by the Dockerfile | ||
/opt/tier/setenv.sh | ||
|
||
#build crontab file with random start time between midnight and 3:59am | ||
echo "#send daily beacon to TIER Central" > ${CRONFILE} | ||
echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE} | ||
chmod 644 ${CRONFILE} | ||
|
||
#install crontab | ||
crontab ${CRONFILE} | ||
|
||
#create cron logfile | ||
touch /var/log/cron.log | ||
|
@@ -0,0 +1,27 @@ | ||
#!/bin/sh | ||
|
||
#for passed-in env vars, remove spaces and replace any ; with : in usertoken env var since we will use ; as a delimiter | ||
export USERTOKEN="${USERTOKEN//;/:}" | ||
export USERTOKEN="${USERTOKEN// /}" | ||
export ENV="${ENV//;/:}" | ||
export ENV="${ENV// /}" | ||
|
||
# generic console logging pipe for anyone | ||
mkfifo -m 666 /tmp/logpipe | ||
cat <> /tmp/logpipe 1>&2 & | ||
|
||
mkfifo -m 666 /tmp/logcrond | ||
(cat <> /tmp/logcrond | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "crond;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & | ||
|
||
mkfifo -m 666 /tmp/loghttpd | ||
(cat <> /tmp/loghttpd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "httpd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & | ||
|
||
mkfifo -m 666 /tmp/logsuperd | ||
(cat <> /tmp/logsuperd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "supervisord;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & | ||
|
||
mkfifo -m 666 /tmp/logshibd | ||
(cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shibd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & | ||
|
||
#launch supervisord | ||
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf | ||
|
@@ -0,0 +1,37 @@ | ||
[supervisord] | ||
logfile=/tmp/logsuperd | ||
logfile_maxbytes=0 | ||
loglevel=error | ||
nodaemon=true | ||
user=root | ||
|
||
[program:cron] | ||
command=/usr/sbin/crond -n | ||
autostart=true | ||
autorestart=true | ||
stdout_logfile=/tmp/logcrond | ||
stdout_logfile_maxbytes=0 | ||
stderr_logfile=/tmp/logcrond | ||
stderr_logfile_maxbytes=0 | ||
directory=/usr/bin | ||
|
||
[program:httpd] | ||
command=httpd -DFOREGROUND | ||
autostart=true | ||
autorestart=true | ||
stdout_logfile=/tmp/loghttpd | ||
stdout_logfile_maxbytes=0 | ||
stderr_logfile=/tmp/loghttpd | ||
stderr_logfile_maxbytes=0 | ||
|
||
[program:shibd] | ||
command=/usr/sbin/shibd | ||
autostart=true | ||
autorestart=true | ||
stdout_logfile=/tmp/logshibd | ||
stdout_logfile_maxbytes=0 | ||
stderr_logfile=/tmp/logshibd | ||
stderr_logfile_maxbytes=0 | ||
|
||
[include] | ||
files=/etc/supervisor/conf.d/* |
@@ -0,0 +1,73 @@ | ||
#!/bin/bash | ||
|
||
startsecs=$(date +'%s') | ||
starttime=$(date +%H:%M:%S) | ||
|
||
echo 'starting:' ${starttime} | ||
|
||
#ensure clair-scanner | ||
if [ ! -s ./clair-scanner ]; then | ||
echo 'downloading curl-scanner...' | ||
curl -s -L -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 | ||
chmod 755 clair-scanner | ||
else | ||
echo 'using existing clair-scanner...' | ||
fi | ||
|
||
#ensure DB container | ||
echo 'ensuring a fresh clair-db container...' | ||
docker ps | grep clair-db &>/dev/null | ||
if [ $? == "0" ]; then | ||
echo 'removing existing clair-db container...' | ||
docker kill db &>/dev/null | ||
docker rm db &>/dev/null | ||
docker run -p 5432:5432 -d --name db arminc/clair-db:latest &>/dev/null | ||
else | ||
docker run -p 5432:5432 -d --name db arminc/clair-db:latest &>/dev/null | ||
fi | ||
sleep 30 | ||
|
||
#ensure clair-scan container | ||
echo 'ensuring a fresh clair-scan container...' | ||
docker ps | grep clair-local-scan &>/dev/null | ||
if [ $? == "0" ]; then | ||
echo 'removing existing clair-scan container...' | ||
docker kill clair &>/dev/null | ||
docker rm clair &>/dev/null | ||
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null | ||
else | ||
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null | ||
fi | ||
sleep 30 | ||
|
||
#get ip where clair-scanner will listen | ||
clairip=$(/sbin/ifconfig docker0 | grep 'inet ' | sed 's/^[[:space:]]*//g' | cut -f 2 -d ' ' | sed 's/^[[:space:]]*//g') | ||
echo 'sending ip addr' ${clairip} 'to clair-scan server...' | ||
|
||
#run scan | ||
echo 'running scan...' | ||
./clair-scanner --ip ${clairip} $1 | ||
retcode=$? | ||
|
||
#eval results | ||
if [ $retcode == '0' ]; then | ||
echo 'scan found nothing.' | ||
else | ||
echo 'scan found issues.' | ||
fi | ||
|
||
#cleanup | ||
echo 'removing temporary containers...' | ||
docker kill clair &>/dev/null | ||
docker rm clair &>/dev/null | ||
docker kill db &>/dev/null | ||
docker rm db &>/dev/null | ||
|
||
endsecs=$(date +'%s') | ||
endtime=$(date +%H:%M:%S) | ||
echo 'finished:' $endtime ' ('$((endsecs - startsecs)) 'seconds)' | ||
echo "" | ||
|
||
#pass along return code from scan | ||
exit $retcode | ||
|