Dockerfile

@@ -1,63 +1,55 @@
-FROM centos:centos7
+FROM --platform=$TARGETPLATFORM rockylinux/rockylinux:9.5
 
 # Define args and set a default value
-ARG maintainer=tier
+ARG maintainer=i2incommon
 ARG imagename=shibboleth_sp
-ARG version=3.2.2
-ARG TIERVERSION=20210427
+ARG version=3.5.0
+ARG TIERVERSION=20250313-Rocky9-MA
 
 MAINTAINER $maintainer
 LABEL Vendor="Internet2"
 LABEL ImageType="Base"
 LABEL ImageName=$imagename
-LABEL ImageOS=centos7
+LABEL ImageOS=rocky9
 LABEL Version=$version
 
 LABEL Build docker build --rm --tag $maintainer/$imagename .
 
+#For logging customization
+ENV ENV=dev \
+    USERTOKEN=nothing
+
 RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
     && echo "NETWORKING=yes" > /etc/sysconfig/network
 
-RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && yum -y update && \
-    yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog cron httpd mod_ssl dos2unix cronie supervisor && \
-    yum clean all
+RUN rm -fr /var/cache/dnf/* && dnf clean all && dnf -y install --setopt=tsflags=nodocs epel-release && dnf -y update && \
+    dnf -y install net-tools wget tar unzip mlocate logrotate strace telnet man vim rsyslog httpd mod_ssl dos2unix cronie supervisor && \
+    dnf -y --allowerasing install curl && \
+    dnf clean all
 
 #install shibboleth, cleanup httpd
-RUN curl -o /etc/yum.repos.d/security:shibboleth.repo \
-      http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo \
-      && yum -y install shibboleth.x86_64 \
-      && yum clean all \
-      && rm /etc/httpd/conf.d/autoindex.conf \
-      && rm /etc/httpd/conf.d/userdir.conf \
-      && rm /etc/httpd/conf.d/welcome.conf
+COPY container_files/shibboleth/shibboleth.repo /etc/yum.repos.d/security:shibboleth.repo
+RUN dnf -y install shibboleth-$version\* \
+      && dnf clean all
 
-# Export this variable so that shibd can find its CURL library
-RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64"
-RUN export LD_LIBRARY_PATH
-
-ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/
+ADD ./container_files/httpd/*.conf /etc/httpd/conf.d/
 ADD ./container_files/shibboleth/* /etc/shibboleth/
 
-# fix httpd logging to tier format
-RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
-    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
-    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
-    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
-    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
-    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \
-    && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf
+RUN openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=localhost.localdomain" -batch -keyout /etc/pki/tls/private/localhost.key -out localhost.csr
+RUN openssl x509 -req -days 1825 -in localhost.csr -signkey /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
+
+RUN sed -i '/^[[:space:]]*CustomLog/s/^/#/' /etc/httpd/conf/httpd.conf
 
 # add a basic page to shibb's default protected directory
 RUN mkdir -p /var/www/html/secure/; mkdir -p /opt/tier/
 ADD container_files/httpd/index.html /var/www/html/secure/
 
-
 # setup crond and supervisord
 ADD container_files/system/startup.sh /usr/local/bin/
 ADD container_files/system/setupcron.sh /usr/local/bin/
 ADD container_files/system/setenv.sh /opt/tier/
 ADD container_files/system/sendtierbeacon.sh /usr/local/bin/
-ADD container_files/system/supervisord.conf /etc/supervisor/
+ADD container_files/system/supervisord.conf /etc/supervisord.conf
 RUN mkdir -p /etc/supervisor/conf.d  \
     && chmod +x /usr/local/bin/setupcron.sh \
     && chmod +x /usr/local/bin/sendtierbeacon.sh \
@@ -67,12 +59,13 @@ RUN mkdir -p /etc/supervisor/conf.d  \
 #set cron to not require a login session
 RUN sed -i '/session    required   pam_loginuid.so/c\#session    required   pam_loginuid.so' /etc/pam.d/crond
 
+# Link the old location of the file for compatibility
+RUN cd /etc/supervisor && ln -s ../supervisord.conf supervisord.conf
 
 EXPOSE 80 443
 
 HEALTHCHECK --interval=1m --timeout=30s \
   CMD curl -k -f https://127.0.0.1/Shibboleth.sso/Status || exit 1
 
-
 CMD ["/usr/local/bin/startup.sh"]
 

Jenkinsfile

@@ -1,80 +1,185 @@
-node('docker') {
 
-  stage 'Checkout'
+pipeline {
+    agent { node { label 'docker-multi-arch' } }
+    environment { 
+        maintainer = "t"
+        imagename = 's'
+        tag = 'l'
+        DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
 
-    checkout scm
-
-  stage 'Acquire util'
-
-    sh 'mkdir -p tmp'
-    dir('tmp'){
-      git([ url: "https://github.internet2.edu/docker/util.git",
-          credentialsId: "jenkins-github-access-token" ])
-      sh 'ls'
-      sh 'rm -rf ../bin/windows/'
-      sh 'mv bin/* ../bin/.'
-    }
-  stage 'Setting build context'
-
-    def maintainer = maintainer()
-    def imagename = imagename()
-    def tag
-
-    // Tag images created on master branch with 'latest'
-    if(env.BRANCH_NAME == "master"){
-      tag = "latest"
-    }else{
-      tag = env.BRANCH_NAME
     }
-
-    if(!imagename){
-      echo "You must define an imagename in common.bash"
-      currentBuild.result = 'FAILURE'
-     }
-     if(maintainer){
-      echo "Building ${imagename}:${tag} for ${maintainer}"
-     }
+    stages {
+        stage('Setting build context') {
+            steps {
+                script {
+                    maintainer = maintain()
+                    imagename = imagename()
+                    if(env.BRANCH_NAME == "master") {
+                       tag = "latest"
+                    } else {
+                       tag = env.BRANCH_NAME
+                    }
+                    if(!imagename){
+                        echo "You must define an imagename in common.bash"
+                        currentBuild.result = 'FAILURE'
+                     }
+                    sh 'mkdir -p tmp && mkdir -p bin'
+                    dir('tmp'){
+                      git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+                      sh 'rm -rf ../bin/*'
+                      sh 'mv ./bin/* ../bin/.'
+                    }
+                    // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+                    // We don't care if there are more 'tag' assignments there. The latest one wins.
+                    sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+                }  
+             }
+        }    
+        stage('Clean') {
+            steps {
+                script {
+                   try{
+                     sh 'bin/destroy.sh >> debug'
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+            }
+        } 
+        stage('Build') {
+            steps {
+                script {
+                  try{
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ."
+                        sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ."
+                  } catch(error) {
+                     def error_details = readFile('./debug');
+                      def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                  }
+                }
+            }
+        }
+        stage('Test') {
+            steps {
+                script {
+                   try {
+                     echo "Starting tests..."
+                     sh 'bats tests'
+                     // echo "Skipping tests for now"
+                   } catch (error) {
+                     def error_details = readFile('./debug')
+                     def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   } 
+                }    
+             }
+        }
+        stage('Scan') {
+            steps {
+                script {
+                   try {
+                         echo "Starting security scan..."
+                         // Install trivy and HTML template
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
 
-  stage 'Build'
-    try{
-      sh 'bin/rebuild.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building the shibboleth-sp image. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
+                         // Scan container for all vulnerability levels
+                         echo "Scanning for all vulnerabilities..."
+                         sh 'mkdir -p reports'
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan.html',
+                             reportName: 'Security Scan',
+                             reportTitles: 'Security Scan'
+                          ]
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan-arm.html',
+                             reportName: 'Security Scan (ARM)',
+                             reportTitles: 'Security Scan (ARM)'
+                          ]
+                         // Scan again and fail on CRITICAL vulns
+                         //below can be temporarily commented to prevent build from failing
+                         echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+                         sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+                         //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+                   } catch(error) {
+                           def error_details = readFile('./debug');
+                           def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+                           sh "rm -f ./debug"
+                           handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Push') {
+            steps {
+                script {
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        echo "Pushing image to dockerhub..."
+                        sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ."
+                 }
+            }
+        }
+        stage('Cleanup') {
+            steps {
+                script {
+                   try{
+		     echo "Cleaning up artifacts from the build..."
+                     sh 'tests/cleanup.sh'
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Notify') {
+            steps{
+                echo "$maintainer"
+                slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+            }
+        }
     }
-  stage 'Start container'
-
-    sh 'bin/ci-run.sh'
-
-  stage 'Tests'
-
-    try{
-      sh 'bin/test.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
+    post { 
+        always { 
+            echo 'Done Building.'
+        }
+        failure {
+            // slackSend color: 'good', message: "Build failed"
+            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+        }
     }
-
-  stage 'Stop container'
-
-    sh 'bin/ci-stop.sh'
-
-  stage 'Push'
-    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
-          def baseImg = docker.build("$maintainer/$imagename", "--no-cache .")
-          baseImg.push("$tag")
-    }
-
-  stage 'Notify'
-
-    slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
 }
 
-def maintainer() {
+
+def maintain() {
   def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
   matcher ? matcher[0][1] : 'tier'
 }
@@ -88,5 +193,7 @@ def handleError(String message){
   echo "${message}"
   currentBuild.setResult("FAILED")
   slackSend color: 'danger', message: "${message}"
+  //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
   sh 'exit 1'
 }
+

common.bash

@@ -1,3 +1,4 @@
-maintainer="tier"
+maintainer="i2incommon"
+previous_maintainer="tier"
 imagename="shibboleth_sp"
-version="3.2.2"
+version="3.5.0"

container_files/httpd/09_i2inc_env.conf

@@ -0,0 +1,3 @@
+PassEnv ENV
+PassEnv USERTOKEN
+

container_files/httpd/09_i2inc_logging.conf

@@ -0,0 +1,10 @@
+# Redefine LogFormats for I2/InCommon format
+# Outputs to logpipe
+
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b" common
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+CustomLog "/tmp/logpipe" combined
+ErrorLog "/tmp/logpipe"
+

container_files/httpd/autoindex.conf

@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+

container_files/httpd/userdir.conf

@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+

container_files/httpd/welcome.conf

@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+