
3.0.4 03122019 #9

Merged
merged 16 commits into from Mar 26, 2019

This file was deleted.

@@ -1,9 +1,9 @@
FROM tier/centos7base
FROM centos:centos7

# Define args and set a default value
ARG maintainer=tier
ARG imagename=shibboleth_sp
ARG version=2.6.1
ARG version=3.0.4

MAINTAINER $maintainer
LABEL Vendor="Internet2"
@@ -14,31 +14,64 @@ LABEL Version=$version

LABEL Build docker build --rm --tag $maintainer/$imagename .

# Add starters and installers
ADD ./container_files /opt
RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
&& echo "NETWORKING=yes" > /etc/sysconfig/network

RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && yum -y update && \
yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog cron httpd mod_ssl dos2unix cronie supervisor && \
yum clean all

#install shibboleth, cleanup httpd
RUN curl -o /etc/yum.repos.d/security:shibboleth.repo \
http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo \
&& yum -y update \
&& yum -y install \
httpd \
mod_ssl \
shibboleth.x86_64 \
dos2unix \
&& yum -y install shibboleth.x86_64 \
&& yum clean all \
&& rm /etc/httpd/conf.d/autoindex.conf \
&& rm /etc/httpd/conf.d/ssl.conf \
&& rm /etc/httpd/conf.d/userdir.conf \
&& rm /etc/httpd/conf.d/welcome.conf \
&& chmod +x /opt/bin/httpd-shib-foreground \
&& chmod +x /opt/bin/shibboleth_keygen.sh
&& rm /etc/httpd/conf.d/welcome.conf

# Export this variable so that shibd can find its CURL library
RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64"
RUN export LD_LIBRARY_PATH

#Script to start service, Added ssl default conf, Added shib module apache
RUN ln -s /opt/bin/httpd-shib-foreground /usr/local/bin && ln -s /opt/etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf && ln -s /opt/etc/httpd/conf.modules.d/00-shib.conf /etc/httpd/conf.modules.d/00-shib.conf && ln -s /usr/lib64/shibboleth/mod_shib_24.so /etc/httpd/modules/mod_shib_24.so
ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/
ADD ./container_files/shibboleth/* /etc/shibboleth/

# fix httpd logging to tier format
RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
&& echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
&& sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
&& sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
&& echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
&& echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \
&& sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf

# add a basic page to shibb's default protected directory
RUN mkdir -p /var/www/html/secure/; mkdir -p /opt/tier/
ADD container_files/httpd/index.html /var/www/html/secure/


# setup crond and supervisord
ADD container_files/system/startup.sh /usr/local/bin/
ADD container_files/system/setupcron.sh /usr/local/bin/
ADD container_files/system/setenv.sh /opt/tier/
ADD container_files/system/sendtierbeacon.sh /usr/local/bin/
ADD container_files/system/supervisord.conf /etc/supervisor/
RUN mkdir -p /etc/supervisor/conf.d \
&& chmod +x /usr/local/bin/setupcron.sh \
&& chmod +x /usr/local/bin/sendtierbeacon.sh \
# setup cron
&& /usr/local/bin/setupcron.sh

#set cron to not require a login session
RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond


EXPOSE 80 443
CMD ["httpd-shib-foreground"]

HEALTHCHECK --interval=1m --timeout=30s \
CMD curl -k -f https://127.0.0.1:8443/Shibboleth.sso/Status || exit 1


CMD ["/usr/local/bin/startup.sh"]
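Review bot: The HEALTHCHECK near the end of this hunk probes `https://127.0.0.1:8443/Shibboleth.sso/Status`, but the image only declares `EXPOSE 80 443` and the README hunk below says ssl.conf is now the stock CentOS 7 file, which listens on 443, so unless the shipped ssl.conf rebinds the port the probe fails on every interval and the container is reported unhealthy; I would expect `CMD curl -k -f https://127.0.0.1:443/Shibboleth.sso/Status || exit 1`, or whatever port the ssl.conf copied in this hunk actually binds. `RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64"` followed by `RUN export LD_LIBRARY_PATH` persists nothing, because each RUN runs in its own shell that exits at the end of the layer; if shibd needs the path at runtime, it has to be `ENV LD_LIBRARY_PATH=/opt/shibboleth/lib64`. The shibboleth `.repo` file is fetched with `curl` over plain `http://` and is handed to yum with no verification of its contents, so anyone on the path can redirect which repository and packages get installed; fetching it over `https://` and pinning the `shibboleth` package version would close that gap. The rendered view has lost its +/- markers, but two `CMD` instructions appear in the hunk and only the last one takes effect, so if `CMD ["httpd-shib-foreground"]` is still on the new side it is dead and should be dropped. Separately, `ARG version=3.0.4` in the first hunk disagrees with `version="3.0.3"` in the common.bash hunk further down, and the final stage has no `USER`, so supervisord and everything it starts run as root.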

@@ -11,6 +11,7 @@ node('docker') {
git([ url: "https://github.internet2.edu/docker/util.git",
credentialsId: "jenkins-github-access-token" ])
sh 'ls'
sh 'rm -rf ../bin/windows/'
sh 'mv bin/* ../bin/.'
}
stage 'Setting build context'
@@ -39,7 +40,7 @@ node('docker') {
sh 'bin/rebuild.sh &> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building the shibboleth-sp mage. \n\n ${error_details}"
def message = "BUILD ERROR: There was a problem building the shibboleth-sp image. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
@@ -1,6 +1,36 @@
# shibboleth-sp
# TIER shibboleth-sp

[![Build Status](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/shib-sp/master)](https://jenkins.testbed.tier.internet2.edu/job/docker/shib-sp/master)

This image is the parent of COmanage and Grouper containers, as it contains the OpenSUSE repositories for shibboleth package management, and an apache installation.
This is the TIER upstream Shibboleth SP container.

It is based from CentOS 7 and includes httpd, mod_ssl, and the current shibboleth SP.

Files you must supply/override in your downstream builds:

1. The SP's ***private keys and corresponding certificates*** (very important!), which can be generated in your downstream container like this:
> RUN /etc/shibboleth/keygen.sh -o /etc/shibboleth/ -y 10 -n sp-encrypt -f \
> && /etc/shibboleth/keygen.sh -o /etc/shibboleth/ -y 10 -n sp-signing -f
>
> ...those commands generate/overwrite the following files:
> /etc/shibboleth/sp-encrypt-key.pem
> /etc/shibboleth/sp-encrypt-cert.pem
> /etc/shibboleth/sp-signing-key.pem
> /etc/shibboleth/sp-signing-cert.pem
2. ***/etc/httpd/conf.d/ssl.conf***
> including:
> ServerName fqdn:port
> UseCanonicalName On
3. ***/etc/shibboleth/shibboleth2.xml***
> including:
> entityID
<br /><br />
***New in the 3.0 release:***
* The image is based from the public CentOS7 image
* The TIER logging format has been implemented for shibd and httpd
* Everything now runs under supervisord
* The TIER Beacon has been implemented
* The file */etc/httpd/conf.d/ssl.conf* is now the default CentOS7 file
@@ -3,4 +3,5 @@
# This file will run a container in the background
source common.bash .

docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename
docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename

@@ -6,3 +6,4 @@ source common.bash .
echo "Cleaning up Docker image($maintainer/$imagename)"
docker stop $imagename >> /dev/null
docker rm $imagename

@@ -1,3 +1,3 @@
maintainer="tier"
imagename="shibboleth_sp"
version="2.5.1"
version="3.0.3"

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

@@ -0,0 +1,3 @@
<br />
<h3>This page is protected by the Shibboleth SP.</h3>
