fixups for httpd error logging and supervisord, pin shibd version

Dockerfile

@@ -4,7 +4,7 @@ FROM --platform=$TARGETPLATFORM rockylinux:8.6
 ARG maintainer=tier
 ARG imagename=shibboleth_sp
 ARG version=3.4.0
-ARG TIERVERSION=20221104-Rocky8-MA
+ARG TIERVERSION=20230209-Rocky8-MA
 
 MAINTAINER $maintainer
 LABEL Vendor="Internet2"
@@ -15,6 +15,10 @@ LABEL Version=$version
 
 LABEL Build docker build --rm --tag $maintainer/$imagename .
 
+#For logging customization
+ENV ENV=dev \
+    USERTOKEN=nothing
+
 RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
     && echo "NETWORKING=yes" > /etc/sysconfig/network
 
@@ -24,44 +28,26 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=
 
 #install shibboleth, cleanup httpd
 COPY container_files/shibboleth/shibboleth.repo /etc/yum.repos.d/security:shibboleth.repo
-RUN yum -y install shibboleth \
-      && yum clean all \
-      && rm /etc/httpd/conf.d/autoindex.conf \
-      && rm /etc/httpd/conf.d/userdir.conf \
-      && rm /etc/httpd/conf.d/welcome.conf
+RUN yum -y install shibboleth-$version-\*.x86_64 \
+      && yum clean all
 
-# Export this variable so that shibd can find its CURL library
-RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64"
-RUN export LD_LIBRARY_PATH
-
-ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/
+ADD ./container_files/httpd/*.conf /etc/httpd/conf.d/
 ADD ./container_files/shibboleth/* /etc/shibboleth/
 
-#RUN openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/localhost.key -x509 -days 3650 -out /etc/pki/tls/certs/localhost.crt
 RUN openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=localhost.localdomain" -batch -keyout /etc/pki/tls/private/localhost.key -out localhost.csr
 RUN openssl x509 -req -days 1825 -in localhost.csr -signkey /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
-
-
-# fix httpd logging to tier format
-RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
-    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
-    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
-    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
-    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
-    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \
-    && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf
+RUN sed -i '/^[[:space:]]*CustomLog/s/^/#/' /etc/httpd/conf/httpd.conf
 
 # add a basic page to shibb's default protected directory
 RUN mkdir -p /var/www/html/secure/; mkdir -p /opt/tier/
 ADD container_files/httpd/index.html /var/www/html/secure/
 
-
 # setup crond and supervisord
 ADD container_files/system/startup.sh /usr/local/bin/
 ADD container_files/system/setupcron.sh /usr/local/bin/
 ADD container_files/system/setenv.sh /opt/tier/
 ADD container_files/system/sendtierbeacon.sh /usr/local/bin/
-ADD container_files/system/supervisord.conf /etc/supervisor/
+ADD container_files/system/supervisord.conf /etc/supervisord.conf
 RUN mkdir -p /etc/supervisor/conf.d  \
     && chmod +x /usr/local/bin/setupcron.sh \
     && chmod +x /usr/local/bin/sendtierbeacon.sh \
@@ -71,12 +57,13 @@ RUN mkdir -p /etc/supervisor/conf.d  \
 #set cron to not require a login session
 RUN sed -i '/session    required   pam_loginuid.so/c\#session    required   pam_loginuid.so' /etc/pam.d/crond
 
+# Link the old location of the file for compatibility
+RUN cd /etc/supervisor && ln -s ../supervisord.conf supervisord.conf
 
 EXPOSE 80 443
 
 HEALTHCHECK --interval=1m --timeout=30s \
   CMD curl -k -f https://127.0.0.1/Shibboleth.sso/Status || exit 1
 
-
 CMD ["/usr/local/bin/startup.sh"]
 

container_files/httpd/09_i2inc_env.conf

@@ -0,0 +1,3 @@
+PassEnv ENV
+PassEnv USERTOKEN
+

container_files/httpd/09_i2inc_logging.conf

@@ -0,0 +1,10 @@
+# Redefine LogFormats for I2/InCommon format
+# Outputs to logpipe
+
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b" common
+LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+CustomLog "/tmp/logpipe" combined
+ErrorLog "/tmp/logpipe"
+

container_files/httpd/autoindex.conf

@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+

container_files/httpd/userdir.conf

@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+

container_files/httpd/welcome.conf

@@ -0,0 +1,2 @@
+# This file managed by container build. Do Not Modify!
+

container_files/system/startup.sh

@@ -6,6 +6,12 @@ export USERTOKEN="${USERTOKEN// /}"
 export ENV="${ENV//;/:}"
 export ENV="${ENV// /}"
 
+# Apache httpd's ErrorLogFormat only expands environment variables for messages
+# generated in the context of a request, so the only known reliable way to
+# include ENV and USERTOKEN is to write the config when the container starts.
+echo '# This file is generated in startup.sh. Do Not Modify!' > /etc/httpd/conf.d/10_errorlogformat.conf
+echo -e "\nErrorLogFormat \"httpd;error_log;${ENV};${USERTOKEN};[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf.d/10_errorlogformat.conf
+
 # generic console logging pipe for anyone
 mkfifo -m 666 /tmp/logpipe
 cat <> /tmp/logpipe 1>&2 &
@@ -23,5 +29,5 @@ mkfifo -m 666 /tmp/logshibd
 (cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shibd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
 
 #launch supervisord
-exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+exec /usr/bin/supervisord -c /etc/supervisord.conf
 

container_files/system/supervisord.conf

@@ -5,6 +5,20 @@ loglevel=error
 nodaemon=true
 user=root
 
+[unix_http_server]
+file=/var/run/supervisor/supervisor.sock
+; See https://github.com/Supervisor/supervisor/issues/717
+username = nobody
+password = password
+
+[supervisorctl]
+serverurl=unix:///var/run/supervisor/supervisor.sock
+username = nobody
+password = password
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
 [program:cron]
 command=/usr/sbin/crond -n
 autostart=true
@@ -35,4 +49,4 @@ stderr_logfile_maxbytes=0
 environment=LD_LIBRARY_PATH=/opt/shibboleth/lib64
 
 [include]
-files=/etc/supervisor/conf.d/*
+files=supervisord.d/*.ini /etc/supervisor/conf.d/*