3.0.4 03122019

Dockerfile

@@ -1,9 +1,9 @@
-FROM tier/centos7base
+FROM centos:centos7
 
 # Define args and set a default value
 ARG maintainer=tier
 ARG imagename=shibboleth_sp
-ARG version=2.6.1
+ARG version=3.0.4
 
 MAINTAINER $maintainer
 LABEL Vendor="Internet2"
@@ -14,31 +14,64 @@ LABEL Version=$version
 
 LABEL Build docker build --rm --tag $maintainer/$imagename .
 
-# Add starters and installers
-ADD ./container_files /opt
+RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
+    && echo "NETWORKING=yes" > /etc/sysconfig/network
 
+RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && yum -y update && \
+    yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man vim rsyslog cron httpd mod_ssl dos2unix cronie supervisor && \
+    yum clean all
+
+#install shibboleth, cleanup httpd
 RUN curl -o /etc/yum.repos.d/security:shibboleth.repo \
       http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo \
-      && yum -y update \
-      && yum -y install \
-        httpd \
-        mod_ssl \
-        shibboleth.x86_64 \
-        dos2unix \
+      && yum -y install shibboleth.x86_64 \
       && yum clean all \
       && rm /etc/httpd/conf.d/autoindex.conf \
-      && rm /etc/httpd/conf.d/ssl.conf \
       && rm /etc/httpd/conf.d/userdir.conf \
-      && rm /etc/httpd/conf.d/welcome.conf \
-      && chmod +x /opt/bin/httpd-shib-foreground \
-      && chmod +x /opt/bin/shibboleth_keygen.sh
+      && rm /etc/httpd/conf.d/welcome.conf
 
 # Export this variable so that shibd can find its CURL library
 RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64"
 RUN export LD_LIBRARY_PATH
 
-#Script to start service, Added ssl default conf, Added shib module apache
-RUN ln -s /opt/bin/httpd-shib-foreground  /usr/local/bin && ln -s /opt/etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf && ln -s /opt/etc/httpd/conf.modules.d/00-shib.conf /etc/httpd/conf.modules.d/00-shib.conf && ln -s /usr/lib64/shibboleth/mod_shib_24.so /etc/httpd/modules/mod_shib_24.so
+ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/
+ADD ./container_files/shibboleth/* /etc/shibboleth/
+
+# fix httpd logging to tier format
+RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
+    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \
+    && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf
+
+# add a basic page to shibb's default protected directory
+RUN mkdir -p /var/www/html/secure/; mkdir -p /opt/tier/
+ADD container_files/httpd/index.html /var/www/html/secure/
+
+
+# setup crond and supervisord
+ADD container_files/system/startup.sh /usr/local/bin/
+ADD container_files/system/setupcron.sh /usr/local/bin/
+ADD container_files/system/setenv.sh /opt/tier/
+ADD container_files/system/sendtierbeacon.sh /usr/local/bin/
+ADD container_files/system/supervisord.conf /etc/supervisor/
+RUN mkdir -p /etc/supervisor/conf.d  \
+    && chmod +x /usr/local/bin/setupcron.sh \
+    && chmod +x /usr/local/bin/sendtierbeacon.sh \
+# setup cron
+    && /usr/local/bin/setupcron.sh
+
+#set cron to not require a login session
+RUN sed -i '/session    required   pam_loginuid.so/c\#session    required   pam_loginuid.so' /etc/pam.d/crond
+
 
 EXPOSE 80 443
-CMD ["httpd-shib-foreground"]
+
+HEALTHCHECK --interval=1m --timeout=30s \
+  CMD curl -k -f https://127.0.0.1:8443/Shibboleth.sso/Status || exit 1
+
+
+CMD ["/usr/local/bin/startup.sh"]
+

Jenkinsfile

@@ -11,6 +11,7 @@ node('docker') {
       git([ url: "https://github.internet2.edu/docker/util.git",
           credentialsId: "jenkins-github-access-token" ])
       sh 'ls'
+      sh 'rm -rf ../bin/windows/'
       sh 'mv bin/* ../bin/.'
     }
   stage 'Setting build context'
@@ -39,7 +40,7 @@ node('docker') {
       sh 'bin/rebuild.sh &> debug'
     } catch(error) {
       def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building the shibboleth-sp mage. \n\n ${error_details}"
+      def message = "BUILD ERROR: There was a problem building the shibboleth-sp image. \n\n ${error_details}"
       sh "rm -f ./debug"
       handleError(message)
     }

README.md

@@ -1,6 +1,36 @@
-# shibboleth-sp
+# TIER shibboleth-sp
 
 [![Build Status](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/shib-sp/master)](https://jenkins.testbed.tier.internet2.edu/job/docker/shib-sp/master)
 
-This image is the parent of COmanage and Grouper containers, as it contains the OpenSUSE repositories for shibboleth package management, and an apache installation.
+This is the TIER upstream Shibboleth SP container.   
+
+It is based from CentOS 7 and includes httpd, mod_ssl, and the current shibboleth SP.   
+
+Files you must supply/override in your downstream builds:   
+
+1. The SP's ***private keys and corresponding certificates*** (very important!), which can be generated in your downstream container like this:   
+>     RUN /etc/shibboleth/keygen.sh -o /etc/shibboleth/ -y 10 -n sp-encrypt -f \
+>          && /etc/shibboleth/keygen.sh -o /etc/shibboleth/ -y 10 -n sp-signing -f
+>   
+>           ...those commands generate/overwrite the following files:   
+>                       /etc/shibboleth/sp-encrypt-key.pem   
+>                       /etc/shibboleth/sp-encrypt-cert.pem   
+>                       /etc/shibboleth/sp-signing-key.pem   
+>                       /etc/shibboleth/sp-signing-cert.pem   
+   
+2. ***/etc/httpd/conf.d/ssl.conf***
+>     including:   
+>      ServerName fqdn:port   
+>      UseCanonicalName On   
+   
+3. ***/etc/shibboleth/shibboleth2.xml***
+>     including:   
+>      entityID   
+ <br /><br />
+  ***New in the 3.0 release:***
+* The image is based from the public CentOS7 image
+* The TIER logging format has been implemented for shibd and httpd
+* Everything now runs under supervisord
+* The TIER Beacon has been implemented
+* The file */etc/httpd/conf.d/ssl.conf* is now the default CentOS7 file
 

bin/ci-run.sh

@@ -3,4 +3,5 @@
 # This file will run a container in the background
 source common.bash .
 
-docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename
+docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename
+

bin/ci-stop.sh

@@ -6,3 +6,4 @@ source common.bash .
 echo "Cleaning up Docker image($maintainer/$imagename)"
 docker stop $imagename >> /dev/null
 docker rm $imagename
+

common.bash

@@ -1,3 +1,3 @@
 maintainer="tier"
 imagename="shibboleth_sp"
-version="2.5.1"
+version="3.0.3"

container_files/httpd/index.html

@@ -0,0 +1,3 @@
+<br />
+<h3>This page is protected by the Shibboleth SP.</h3>
+