From 8da773ec6764594864b27c54e5a8c8bc67ed9e9c Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Tue, 22 Nov 2022 15:18:28 +0000 Subject: [PATCH 01/11] sync multi-arch and scanning with IdP container --- Dockerfile | 14 +- Jenkinsfile | 288 +++++++++++++-------- container_files/shibboleth/shibboleth.repo | 4 +- tests/clairscan.sh | 73 ------ tests/cleanup.sh | 18 ++ tests/image.bats | 4 - 6 files changed, 207 insertions(+), 194 deletions(-) delete mode 100755 tests/clairscan.sh create mode 100644 tests/cleanup.sh diff --git a/Dockerfile b/Dockerfile index dd92f08..fcfcd4e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,16 +1,17 @@ -FROM centos:centos7 +FROM rockylinux:8.6 +#FROM --platform=$TARGETPLATFORM rockylinux:8.6 # Define args and set a default value ARG maintainer=tier ARG imagename=shibboleth_sp ARG version=3.4.0 -ARG TIERVERSION=20221103 +ARG TIERVERSION=20221104-Rocky8-MA MAINTAINER $maintainer LABEL Vendor="Internet2" LABEL ImageType="Base" LABEL ImageName=$imagename -LABEL ImageOS=centos7 +LABEL ImageOS=rocky8 LABEL Version=$version LABEL Build docker build --rm --tag $maintainer/$imagename . @@ -19,7 +20,7 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \ && echo "NETWORKING=yes" > /etc/sysconfig/network RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && yum -y update && \ - yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog cron httpd mod_ssl dos2unix cronie supervisor && \ + yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog httpd mod_ssl dos2unix cronie supervisor && \ yum clean all #install shibboleth, cleanup httpd @@ -37,6 +38,11 @@ RUN export LD_LIBRARY_PATH ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/ ADD ./container_files/shibboleth/* /etc/shibboleth/ +#RUN openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/localhost.key -x509 -days 3650 -out /etc/pki/tls/certs/localhost.crt +RUN openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=localhost.localdomain" -batch -keyout /etc/pki/tls/private/localhost.key -out localhost.csr +RUN openssl x509 -req -days 1825 -in localhost.csr -signkey /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt + + # fix httpd logging to tier format RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \ && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \ diff --git a/Jenkinsfile b/Jenkinsfile index dade7c5..ba7b33e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,122 +1,186 @@ -node('docker') { - stage 'Checkout' +pipeline { + agent { node { label 'docker-multi-arch' } } + environment { + maintainer = "t" + imagename = 's' + tag = 'l' + DOCKERHUBPW=credentials('tieradmin-dockerhub-pw') - checkout scm - - stage 'Acquire util' - - sh 'mkdir -p tmp' - dir('tmp'){ - git([ url: "https://github.internet2.edu/docker/util.git", - credentialsId: "jenkins-github-access-token" ]) - sh 'ls' - sh 'rm -rf ../bin/windows/' - sh 'mv bin/* ../bin/.' - } - stage 'Setting build context' - - def maintainer = maintainer() - def previous_maintainer = previous_maintainer() - def imagename = imagename() - def tag - - // Tag images created on master branch with 'latest' - if(env.BRANCH_NAME == "master"){ - tag = "latest" - }else{ - tag = env.BRANCH_NAME } - - if(!imagename){ - echo "You must define an imagename in common.bash" - currentBuild.result = 'FAILURE' - } - if(maintainer){ - echo "Building ${imagename}:${tag} for ${maintainer}" - } - - stage 'Build' - try{ - sh 'bin/rebuild.sh &> debug' - } catch(error) { - def error_details = readFile('./debug'); - def message = "BUILD ERROR: There was a problem building the shibboleth-sp image. \n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) - } - stage 'Start container' - - sh 'bin/ci-run.sh' - - stage 'Tests' - - try{ - sh 'bin/test.sh &> debug' - } catch(error) { - def error_details = readFile('./debug'); - def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) + stages { + stage('Setting build context') { + steps { + script { + maintainer = maintain() + imagename = imagename() + if(env.BRANCH_NAME == "master") { + tag = "latest" + } else { + tag = env.BRANCH_NAME + } + if(!imagename){ + echo "You must define an imagename in common.bash" + currentBuild.result = 'FAILURE' + } + sh 'mkdir -p tmp && mkdir -p bin' + dir('tmp'){ + git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ]) + sh 'rm -rf ../bin/*' + sh 'mv ./bin/* ../bin/.' + } + // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing. + // We don't care if there are more 'tag' assignments there. The latest one wins. + sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash" + } + } + } + stage('Clean') { + steps { + script { + try{ + sh 'bin/destroy.sh >> debug' + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Build') { + steps { + script { + try{ + sh 'docker login -u tieradmin -p $DOCKERHUBPW' + // fails if already exists + // sh 'docker buildx create --use --name multiarch --append' + sh 'docker buildx inspect --bootstrap' + sh 'docker buildx ls' + sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ." + sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ." + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Test') { + steps { + script { + try { + echo "Starting tests..." + sh 'bats tests' + // echo "Skipping tests for now" + } catch (error) { + def error_details = readFile('./debug') + def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Scan') { + steps { + script { + try { + echo "Starting security scan..." + // Install trivy and HTML template + sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1' + sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl' + + // Scan container for all vulnerability levels + echo "Scanning for all vulnerabilities..." + sh 'mkdir -p reports' + sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}" + sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64" + publishHTML target : [ + allowMissing: true, + alwaysLinkToLastBuild: true, + keepAll: true, + reportDir: 'reports', + reportFiles: 'container-scan.html', + reportName: 'Security Scan', + reportTitles: 'Security Scan' + ] + publishHTML target : [ + allowMissing: true, + alwaysLinkToLastBuild: true, + keepAll: true, + reportDir: 'reports', + reportFiles: 'container-scan-arm.html', + reportName: 'Security Scan (ARM)', + reportTitles: 'Security Scan (ARM)' + ] + // Scan again and fail on CRITICAL vulns + //below can be temporarily commented to prevent build from failing + echo "Scanning for CRITICAL vulnerabilities only (fatal)..." + sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}" + sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64" + //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..." + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Push') { + steps { + script { + sh 'docker login -u tieradmin -p $DOCKERHUBPW' + // fails if already exists + // sh 'docker buildx create --use --name multiarch --append' + sh 'docker buildx inspect --bootstrap' + sh 'docker buildx ls' + echo "Pushing image to dockerhub..." + sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ." + } + } + } + stage('Cleanup') { + steps { + script { + try{ + echo "Cleaning up artifacts from the build..." + sh 'tests/cleanup.sh' + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Notify') { + steps{ + echo "$maintainer" + slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" + } + } } - - stage 'Scan' - - try { - // Install trivy and HTML template - sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1' - sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl' - - // Scan container for all vulnerability levels - sh 'mkdir -p reports' - sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest" - publishHTML target : [ - allowMissing: true, - alwaysLinkToLastBuild: true, - keepAll: true, - reportDir: 'reports', - reportFiles: 'container-scan.html', - reportName: 'Security Scan', - reportTitles: 'Security Scan' - ] - - // Scan again and fail on CRITICAL vulns - sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest" - } catch(error) { - def error_details = readFile('./debug'); - def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) + post { + always { + echo 'Done Building.' + } + failure { + // slackSend color: 'good', message: "Build failed" + handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.") + } } - - stage 'Stop container' - - sh 'bin/ci-stop.sh' - - stage 'Push' - docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") { - def baseImg = docker.build("$maintainer/$imagename", "--no-cache .") - baseImg.push("$tag") - } - - docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") { - def altImg = docker.build("$previous_maintainer/$imagename", "--no-cache .") - altImg.push("$tag") - } - - - stage 'Notify' - - slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" } -def maintainer() { - def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' - matcher ? matcher[0][1] : 'tier' -} -def previous_maintainer() { - def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"' +def maintain() { + def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' matcher ? matcher[0][1] : 'tier' } @@ -129,5 +193,7 @@ def handleError(String message){ echo "${message}" currentBuild.setResult("FAILED") slackSend color: 'danger', message: "${message}" + //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true]) sh 'exit 1' } + diff --git a/container_files/shibboleth/shibboleth.repo b/container_files/shibboleth/shibboleth.repo index 8994175..65cdd34 100644 --- a/container_files/shibboleth/shibboleth.repo +++ b/container_files/shibboleth/shibboleth.repo @@ -1,8 +1,8 @@ [shibboleth] -name=Shibboleth (CentOS_7) +name=Shibboleth (rockylinux8) # Please report any problems to https://shibboleth.atlassian.net/jira type=rpm-md -mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7 +mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux8 gpgcheck=1 gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key diff --git a/tests/clairscan.sh b/tests/clairscan.sh deleted file mode 100755 index a06ea78..0000000 --- a/tests/clairscan.sh +++ /dev/null @@ -1,73 +0,0 @@ -#!/bin/bash - -startsecs=$(date +'%s') -starttime=$(date +%H:%M:%S) - -echo 'starting:' ${starttime} - -#ensure clair-scanner -if [ ! -s ./clair-scanner ]; then - echo 'downloading curl-scanner...' - curl -s -L -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 - chmod 755 clair-scanner -else - echo 'using existing clair-scanner...' -fi - -#ensure DB container -echo 'ensuring a fresh clair-db container...' -docker ps | grep clair-db &>/dev/null -if [ $? == "0" ]; then - echo 'removing existing clair-db container...' - docker kill db &>/dev/null - docker rm db &>/dev/null - docker run -p 5432:5432 -d --name db arminc/clair-db:latest &>/dev/null -else - docker run -p 5432:5432 -d --name db arminc/clair-db:latest &>/dev/null -fi -sleep 30 - -#ensure clair-scan container -echo 'ensuring a fresh clair-scan container...' -docker ps | grep clair-local-scan &>/dev/null -if [ $? == "0" ]; then - echo 'removing existing clair-scan container...' - docker kill clair &>/dev/null - docker rm clair &>/dev/null - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null -else - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5 &>/dev/null -fi -sleep 30 - -#get ip where clair-scanner will listen -clairip=$(/sbin/ifconfig docker0 | grep 'inet ' | sed 's/^[[:space:]]*//g' | cut -f 2 -d ' ' | sed 's/^[[:space:]]*//g') -echo 'sending ip addr' ${clairip} 'to clair-scan server...' - -#run scan -echo 'running scan...' -./clair-scanner --ip ${clairip} $1 -retcode=$? - -#eval results -if [ $retcode == '0' ]; then - echo 'scan found nothing.' -else - echo 'scan found issues.' -fi - -#cleanup -echo 'removing temporary containers...' -docker kill clair &>/dev/null -docker rm clair &>/dev/null -docker kill db &>/dev/null -docker rm db &>/dev/null - -endsecs=$(date +'%s') -endtime=$(date +%H:%M:%S) -echo 'finished:' $endtime ' ('$((endsecs - startsecs)) 'seconds)' -echo "" - -#pass along return code from scan -exit $retcode - diff --git a/tests/cleanup.sh b/tests/cleanup.sh new file mode 100644 index 0000000..fabb9d3 --- /dev/null +++ b/tests/cleanup.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +. ./common.bash + +result=$(docker ps -a | grep ${imagename}_${tag}) +if [ ! -z "$result" ]; then + echo "removing existing containers" + docker rm -f $(docker ps -a | grep ${imagename}_${tag} | awk '{print $1}') +fi +docker rmi -f ${imagename}_${tag} + +result2=$(docker ps -a | grep ${imagename}_${tag}:arm64) +if [ ! -z "$result2" ]; then + echo "removing existing containers" + docker rm -f $(docker ps -a | grep ${imagename}_${tag}:arm64 | awk '{print $1}') +fi +docker rmi -f ${imagename}_${tag}:arm64 + diff --git a/tests/image.bats b/tests/image.bats index eaff6b1..66fb0ed 100644 --- a/tests/image.bats +++ b/tests/image.bats @@ -22,7 +22,3 @@ load ../common docker run -i $maintainer/$imagename find /usr/local/bin/startup.sh } -#@test "070 There are no known security vulnerabilities" { -# ./tests/clairscan.sh ${maintainer}/${imagename}:latest -#} - From 1f8ad980980abf09802e78bd8313caeed32e1652 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Tue, 22 Nov 2022 15:31:39 +0000 Subject: [PATCH 02/11] fix bug --- Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index fcfcd4e..a756f7a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,4 @@ -FROM rockylinux:8.6 -#FROM --platform=$TARGETPLATFORM rockylinux:8.6 +FROM --platform=$TARGETPLATFORM rockylinux:8.6 # Define args and set a default value ARG maintainer=tier @@ -25,7 +24,7 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags= #install shibboleth, cleanup httpd COPY container_files/shibboleth/shibboleth.repo /etc/yum.repos.d/security:shibboleth.repo -RUN yum -y install shibboleth.x86_64 \ +RUN yum -y install shibboleth \ && yum clean all \ && rm /etc/httpd/conf.d/autoindex.conf \ && rm /etc/httpd/conf.d/userdir.conf \ From 20188dafd21cc036b295bebf61643c8bdfb54392 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Tue, 22 Nov 2022 23:56:02 +0000 Subject: [PATCH 03/11] fix tests --- tests/image.bats | 15 ++++++++++----- tests/running.bats | 21 --------------------- 2 files changed, 10 insertions(+), 26 deletions(-) delete mode 100644 tests/running.bats diff --git a/tests/image.bats b/tests/image.bats index 66fb0ed..0731294 100644 --- a/tests/image.bats +++ b/tests/image.bats @@ -3,22 +3,27 @@ load ../common @test "Shibd binary available" { - docker run -i $maintainer/$imagename find /usr/sbin/shibd + docker run -i ${imagename}_${tag} find /usr/sbin/shibd + docker run -i ${imagename}_${tag}:arm64 find /usr/sbin/shibd } @test "Shibboleth root available" { - docker run -i $maintainer/$imagename find /etc/shibboleth + docker run -i ${imagename}_${tag} find /etc/shibboleth + docker run -i ${imagename}_${tag}:arm64 find /etc/shibboleth } @test "Sample attribute map available" { - docker run -i $maintainer/$imagename find /etc/shibboleth/attribute-map.xml + docker run -i ${imagename}_${tag} find /etc/shibboleth/attribute-map.xml + docker run -i ${imagename}_${tag}:arm64 find /etc/shibboleth/attribute-map.xml } @test "Includes InCommon cert" { - docker run -i $maintainer/$imagename find /etc/shibboleth/inc-md-cert.pem + docker run -i ${imagename}_${tag} find /etc/shibboleth/inc-md-cert.pem + docker run -i ${imagename}_${tag}:arm64 find /etc/shibboleth/inc-md-cert.pem } @test "Includes startup script" { - docker run -i $maintainer/$imagename find /usr/local/bin/startup.sh + docker run -i ${imagename}_${tag} find /usr/local/bin/startup.sh + docker run -i ${imagename}_${tag}:arm64 find /usr/local/bin/startup.sh } diff --git a/tests/running.bats b/tests/running.bats deleted file mode 100644 index 781715b..0000000 --- a/tests/running.bats +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/env bats - -load ../common - -# These tests assume the pipeline will start and stop the container. - -@test "Leaves running process" { - result="$(docker ps | grep $imagename)" - [ "$result" != '' ] -} - -@test "Exposes running HTTP service" { - result="$(docker exec -i $imagename curl http://localhost/)" - [ "$result" != '' ] -} - -@test "Exposes running SSO process" { - result="$(docker exec -i $imagename curl http://localhost/Shibboleth.sso/Status)" - [ "$result" != '' ] -} - From 72aca48f59e154ef573e98aa8043dd52eeadef25 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Wed, 23 Nov 2022 00:05:39 +0000 Subject: [PATCH 04/11] test fix to cleanup --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index ba7b33e..030f0a4 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -150,7 +150,7 @@ pipeline { script { try{ echo "Cleaning up artifacts from the build..." - sh 'tests/cleanup.sh' + sh 'sudo tests/cleanup.sh' } catch(error) { def error_details = readFile('./debug'); def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}" From 2330c708134b3b6018b8f4588801a1d262501c43 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Wed, 23 Nov 2022 02:40:05 +0000 Subject: [PATCH 05/11] testing cleanup --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 030f0a4..ba7b33e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -150,7 +150,7 @@ pipeline { script { try{ echo "Cleaning up artifacts from the build..." - sh 'sudo tests/cleanup.sh' + sh 'tests/cleanup.sh' } catch(error) { def error_details = readFile('./debug'); def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}" From a5baf5e2551220ed21ba207258b60e47ba6e48e2 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Wed, 23 Nov 2022 02:47:47 +0000 Subject: [PATCH 06/11] fix cleanup script --- tests/cleanup.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 tests/cleanup.sh diff --git a/tests/cleanup.sh b/tests/cleanup.sh old mode 100644 new mode 100755 From 6a87cafb83b5c46c4e7f2d63d581f6b5abe93382 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 9 Feb 2023 22:44:19 +0000 Subject: [PATCH 07/11] fixups for httpd error logging and supervisord, pin shibd version --- Dockerfile | 37 +++++++-------------- container_files/httpd/09_i2inc_env.conf | 3 ++ container_files/httpd/09_i2inc_logging.conf | 10 ++++++ container_files/httpd/autoindex.conf | 2 ++ container_files/httpd/userdir.conf | 2 ++ container_files/httpd/welcome.conf | 2 ++ container_files/system/startup.sh | 8 ++++- container_files/system/supervisord.conf | 16 ++++++++- 8 files changed, 53 insertions(+), 27 deletions(-) create mode 100644 container_files/httpd/09_i2inc_env.conf create mode 100644 container_files/httpd/09_i2inc_logging.conf create mode 100644 container_files/httpd/autoindex.conf create mode 100644 container_files/httpd/userdir.conf create mode 100644 container_files/httpd/welcome.conf diff --git a/Dockerfile b/Dockerfile index a756f7a..f0f9ec2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM --platform=$TARGETPLATFORM rockylinux:8.6 ARG maintainer=tier ARG imagename=shibboleth_sp ARG version=3.4.0 -ARG TIERVERSION=20221104-Rocky8-MA +ARG TIERVERSION=20230209-Rocky8-MA MAINTAINER $maintainer LABEL Vendor="Internet2" @@ -15,6 +15,10 @@ LABEL Version=$version LABEL Build docker build --rm --tag $maintainer/$imagename . +#For logging customization +ENV ENV=dev \ + USERTOKEN=nothing + RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \ && echo "NETWORKING=yes" > /etc/sysconfig/network @@ -24,44 +28,26 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags= #install shibboleth, cleanup httpd COPY container_files/shibboleth/shibboleth.repo /etc/yum.repos.d/security:shibboleth.repo -RUN yum -y install shibboleth \ - && yum clean all \ - && rm /etc/httpd/conf.d/autoindex.conf \ - && rm /etc/httpd/conf.d/userdir.conf \ - && rm /etc/httpd/conf.d/welcome.conf +RUN yum -y install shibboleth-$version-\*.x86_64 \ + && yum clean all -# Export this variable so that shibd can find its CURL library -RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64" -RUN export LD_LIBRARY_PATH - -ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/ +ADD ./container_files/httpd/*.conf /etc/httpd/conf.d/ ADD ./container_files/shibboleth/* /etc/shibboleth/ -#RUN openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/localhost.key -x509 -days 3650 -out /etc/pki/tls/certs/localhost.crt RUN openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=localhost.localdomain" -batch -keyout /etc/pki/tls/private/localhost.key -out localhost.csr RUN openssl x509 -req -days 1825 -in localhost.csr -signkey /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt - - -# fix httpd logging to tier format -RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \ - && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \ - && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \ - && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \ - && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \ - && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \ - && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf +RUN sed -i '/^[[:space:]]*CustomLog/s/^/#/' /etc/httpd/conf/httpd.conf # add a basic page to shibb's default protected directory RUN mkdir -p /var/www/html/secure/; mkdir -p /opt/tier/ ADD container_files/httpd/index.html /var/www/html/secure/ - # setup crond and supervisord ADD container_files/system/startup.sh /usr/local/bin/ ADD container_files/system/setupcron.sh /usr/local/bin/ ADD container_files/system/setenv.sh /opt/tier/ ADD container_files/system/sendtierbeacon.sh /usr/local/bin/ -ADD container_files/system/supervisord.conf /etc/supervisor/ +ADD container_files/system/supervisord.conf /etc/supervisord.conf RUN mkdir -p /etc/supervisor/conf.d \ && chmod +x /usr/local/bin/setupcron.sh \ && chmod +x /usr/local/bin/sendtierbeacon.sh \ @@ -71,12 +57,13 @@ RUN mkdir -p /etc/supervisor/conf.d \ #set cron to not require a login session RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond +# Link the old location of the file for compatibility +RUN cd /etc/supervisor && ln -s ../supervisord.conf supervisord.conf EXPOSE 80 443 HEALTHCHECK --interval=1m --timeout=30s \ CMD curl -k -f https://127.0.0.1/Shibboleth.sso/Status || exit 1 - CMD ["/usr/local/bin/startup.sh"] diff --git a/container_files/httpd/09_i2inc_env.conf b/container_files/httpd/09_i2inc_env.conf new file mode 100644 index 0000000..7a87fd7 --- /dev/null +++ b/container_files/httpd/09_i2inc_env.conf @@ -0,0 +1,3 @@ +PassEnv ENV +PassEnv USERTOKEN + diff --git a/container_files/httpd/09_i2inc_logging.conf b/container_files/httpd/09_i2inc_logging.conf new file mode 100644 index 0000000..fd69737 --- /dev/null +++ b/container_files/httpd/09_i2inc_logging.conf @@ -0,0 +1,10 @@ +# Redefine LogFormats for I2/InCommon format +# Outputs to logpipe + +LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b" common +LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + +CustomLog "/tmp/logpipe" combined +ErrorLog "/tmp/logpipe" + diff --git a/container_files/httpd/autoindex.conf b/container_files/httpd/autoindex.conf new file mode 100644 index 0000000..f157082 --- /dev/null +++ b/container_files/httpd/autoindex.conf @@ -0,0 +1,2 @@ +# This file managed by container build. Do Not Modify! + diff --git a/container_files/httpd/userdir.conf b/container_files/httpd/userdir.conf new file mode 100644 index 0000000..f157082 --- /dev/null +++ b/container_files/httpd/userdir.conf @@ -0,0 +1,2 @@ +# This file managed by container build. Do Not Modify! + diff --git a/container_files/httpd/welcome.conf b/container_files/httpd/welcome.conf new file mode 100644 index 0000000..f157082 --- /dev/null +++ b/container_files/httpd/welcome.conf @@ -0,0 +1,2 @@ +# This file managed by container build. Do Not Modify! + diff --git a/container_files/system/startup.sh b/container_files/system/startup.sh index 9d3a5a2..1a48897 100755 --- a/container_files/system/startup.sh +++ b/container_files/system/startup.sh @@ -6,6 +6,12 @@ export USERTOKEN="${USERTOKEN// /}" export ENV="${ENV//;/:}" export ENV="${ENV// /}" +# Apache httpd's ErrorLogFormat only expands environment variables for messages +# generated in the context of a request, so the only known reliable way to +# include ENV and USERTOKEN is to write the config when the container starts. +echo '# This file is generated in startup.sh. Do Not Modify!' > /etc/httpd/conf.d/10_errorlogformat.conf +echo -e "\nErrorLogFormat \"httpd;error_log;${ENV};${USERTOKEN};[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf.d/10_errorlogformat.conf + # generic console logging pipe for anyone mkfifo -m 666 /tmp/logpipe cat <> /tmp/logpipe 1>&2 & @@ -23,5 +29,5 @@ mkfifo -m 666 /tmp/logshibd (cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shibd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) & #launch supervisord -exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf +exec /usr/bin/supervisord -c /etc/supervisord.conf diff --git a/container_files/system/supervisord.conf b/container_files/system/supervisord.conf index 41bb0b1..4444945 100644 --- a/container_files/system/supervisord.conf +++ b/container_files/system/supervisord.conf @@ -5,6 +5,20 @@ loglevel=error nodaemon=true user=root +[unix_http_server] +file=/var/run/supervisor/supervisor.sock +; See https://github.com/Supervisor/supervisor/issues/717 +username = nobody +password = password + +[supervisorctl] +serverurl=unix:///var/run/supervisor/supervisor.sock +username = nobody +password = password + +[rpcinterface:supervisor] +supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface + [program:cron] command=/usr/sbin/crond -n autostart=true @@ -35,4 +49,4 @@ stderr_logfile_maxbytes=0 environment=LD_LIBRARY_PATH=/opt/shibboleth/lib64 [include] -files=/etc/supervisor/conf.d/* +files=supervisord.d/*.ini /etc/supervisor/conf.d/* From 2dbc7d01cbaf9bff7c210a1f33359b20ce8e660e Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 9 Feb 2023 22:57:30 +0000 Subject: [PATCH 08/11] unpin arch from shib version --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f0f9ec2..6d7b232 100644 --- a/Dockerfile +++ b/Dockerfile @@ -28,7 +28,7 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags= #install shibboleth, cleanup httpd COPY container_files/shibboleth/shibboleth.repo /etc/yum.repos.d/security:shibboleth.repo -RUN yum -y install shibboleth-$version-\*.x86_64 \ +RUN yum -y install shibboleth-$version-\* \ && yum clean all ADD ./container_files/httpd/*.conf /etc/httpd/conf.d/ From 1b51145b510b11380702c36d7b163a1b9dfbca3f Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Mon, 12 Jun 2023 08:13:06 -0500 Subject: [PATCH 09/11] bump SP to 3.4.1, update XML Tooling --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6d7b232..e19155c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,8 +3,8 @@ FROM --platform=$TARGETPLATFORM rockylinux:8.6 # Define args and set a default value ARG maintainer=tier ARG imagename=shibboleth_sp -ARG version=3.4.0 -ARG TIERVERSION=20230209-Rocky8-MA +ARG version=3.4.1 +ARG TIERVERSION=20230612-Rocky8-MA MAINTAINER $maintainer LABEL Vendor="Internet2" From d963c3a5160f6d74f5b65aacc09ea332ffd0cfce Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Fri, 8 Mar 2024 15:12:51 -0600 Subject: [PATCH 10/11] update base Rocky Linux to 8.9 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e19155c..9bac25a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM --platform=$TARGETPLATFORM rockylinux:8.6 +FROM --platform=$TARGETPLATFORM rockylinux:8.9 # Define args and set a default value ARG maintainer=tier From a0b202b3cfdbd17d892fb2717f8ac7a5ec3c53f9 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Fri, 8 Mar 2024 15:17:00 -0600 Subject: [PATCH 11/11] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9bac25a..bca525c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM --platform=$TARGETPLATFORM rockylinux:8.9 ARG maintainer=tier ARG imagename=shibboleth_sp ARG version=3.4.1 -ARG TIERVERSION=20230612-Rocky8-MA +ARG TIERVERSION=20240308-Rocky8-MA MAINTAINER $maintainer LABEL Vendor="Internet2"