
Integrate latest changes to midPoint container

These changes are: Zulu JVM, logging fixes, TIER Beacon.
The crond is now running in foreground to avoid "can't lock
/var/run/crond.pid" messages.
mederly committed Sep 21, 2018
1 parent 96fc61d commit 949d26450ebf578d4e56772d986b19bb9241fac8
@@ -12,3 +12,4 @@ KEYSTORE_PASSWORD_FILE=/run/secrets/m_keystore_password.txt
MEM=2048m
LOGOUT_URL=https://localhost:8443/Shibboleth.sso/Logout
SSO_HEADER=uid
TIER_BEACON_ENABLED=true
@@ -6,19 +6,38 @@ FROM tier/shibboleth_sp

MAINTAINER info@evolveum.com

RUN yum -y install java-1.8.0-openjdk

RUN rm /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem

RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
RUN curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo
RUN yum -y update
RUN yum -y install \
zulu-8 \
cron \
supervisor \
libcurl \
&& yum clean -y all

RUN rm /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem \
&& cd /etc/httpd/conf.d/ \
&& rm -f autoindex.conf ssl.conf userdir.conf welcome.conf

COPY container_files/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
COPY container_files/httpd/conf/* /etc/httpd/conf.d/
COPY container_files/shibboleth/* /etc/shibboleth/
COPY container_files/usr-local-bin/* /usr/local/bin/
COPY container_files/opt-tier/* /opt/tier/

RUN chmod 755 /opt/tier/setenv.sh \
&& chmod 755 /usr/local/bin/send-tier-beacon.sh \
&& chmod 755 /usr/local/bin/setup-cron.sh \
&& chmod 755 /usr/local/bin/start-midpoint.sh \
&& chmod 755 /usr/local/bin/start-httpd-shib.sh \
&& chmod 755 /usr/local/bin/start-all.sh

RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
&& sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
&& echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
&& sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
&& sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
&& sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/loghttpd"/g' /etc/httpd/conf/httpd.conf \
&& sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/loghttpd"/g' /etc/httpd/conf/httpd.conf \
&& echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
&& echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf

@@ -67,4 +86,13 @@ ENV LOGOUT_URL https://localhost:8443/Shibboleth.sso/Logout
ENV KEYSTORE_PASSWORD_FILE /run/secrets/m_keystore_password.txt
ENV MEM 2048m

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
ENV TIER_RELEASE=test-non-release
ENV TIER_MAINTAINER=tier
ENV TIER_BEACON_ENABLED=true

RUN pwd

# requires MP_VERSION and TIER_xyz variables so we have to execute it here
RUN /opt/tier/setenv.sh

CMD ["/usr/local/bin/start-all.sh"]
@@ -0,0 +1,7 @@
#!/bin/bash
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MP_VERSION" > /opt/tier/env.bash
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIER_RELEASE" >> /opt/tier/env.bash
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIER_MAINTAINER" >> /opt/tier/env.bash

echo "/opt/tier/env.bash is:"
cat /opt/tier/env.bash
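Review bot: The values written to /opt/tier/env.bash are taken verbatim from `printenv` and later sourced by `. /opt/tier/env.bash` in send-tier-beacon.sh, so a value containing a space or a shell metacharacter is parsed and executed rather than assigned; the `sed 's/^\(.*\)$/\1/g'` stage on each line is a no-op, and `grep -E "^MP_VERSION"` is a prefix match that would also capture any variable whose name merely starts with MP_VERSION. Writing the three names explicitly with `printf '%s=%q\n'` produces assignments that are always safe to source and only the intended variables; the `continue` keeps the original behaviour of omitting unset names.
```shell
#!/bin/bash
# Emit the three TIER identity variables as shell-safe (%q-quoted) assignments.
: > /opt/tier/env.bash
for name in MP_VERSION TIER_RELEASE TIER_MAINTAINER; do
  [ -n "${!name+set}" ] || continue   # original only wrote variables that exist
  printf '%s=%q\n' "$name" "${!name}" >> /opt/tier/env.bash
done
# … unchanged: echo/cat of the generated file …
```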
@@ -28,12 +28,12 @@ log4j.category.XMLTooling.libcurl=INFO
# define the appender

log4j.appender.native_log=org.apache.log4j.FileAppender
log4j.appender.native_log.fileName=/tmp/logpipe
log4j.appender.native_log.fileName=/tmp/logshib
log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
log4j.appender.native_log.layout.ConversionPattern=shibd;native.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n

log4j.appender.warn_log=org.apache.log4j.FileAppender
log4j.appender.warn_log.fileName=/tmp/logpipe
log4j.appender.warn_log.fileName=/tmp/logshib
log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
log4j.appender.warn_log.layout.ConversionPattern=shibd;native_warn.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
log4j.appender.warn_log.threshold=WARN
@@ -42,18 +42,18 @@ log4j.additivity.Shibboleth-TRANSACTION=false
# define the appenders

log4j.appender.shibd_log=org.apache.log4j.FileAppender
log4j.appender.shibd_log.fileName=/tmp/logpipe
log4j.appender.shibd_log.fileName=/tmp/logshib
log4j.appender.shibd_log.maxFileSize=0
log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
log4j.appender.shibd_log.layout.ConversionPattern=shibd;shibd.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n

log4j.appender.tran_log=org.apache.log4j.FileAppender
log4j.appender.tran_log.fileName=/tmp/logpipe
log4j.appender.tran_log.fileName=/tmp/logshib
log4j.appender.tran_log.maxFileSize=0
log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
log4j.appender.tran_log.layout.ConversionPattern=shibd;transaction.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n

log4j.appender.sig_log=org.apache.log4j.FileAppender
log4j.appender.sig_log.fileName=/tmp/logpipe
log4j.appender.sig_log.fileName=/tmp/logshib
log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m
@@ -0,0 +1,25 @@
[supervisord]
logfile=/tmp/logsuperd
logfile_maxbytes=0
loglevel=error
nodaemon=true
user=root

[program:httpd-shib]
command=/bin/bash -c "/usr/local/bin/start-httpd-shib.sh"
stdout_logfile=/tmp/loghttpd
stdout_logfile_maxbytes=0
redirect_stderr=true

[program:midpoint]
command=/bin/bash -c "/usr/local/bin/start-midpoint.sh"
stdout_logfile=/dev/fd/2
stdout_logfile_maxbytes=0
redirect_stderr=true

[program:tier-beacon]
command=/usr/sbin/crond -n -i -m off
stdout_logfile=/tmp/logcrond
stdout_logfile_maxbytes=0
redirect_stderr=true
autorestart=false
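Review bot: The `/bin/bash -c "…"` wrapper in the `[program:httpd-shib]` and `[program:midpoint]` command lines adds nothing: both scripts have a `#!/bin/bash` shebang and are `chmod 755` in the Dockerfile, so `command=/usr/local/bin/start-httpd-shib.sh` (and likewise for start-midpoint.sh) runs the same thing with one less indirection between supervisord's signals and the child. The `[program:tier-beacon]` entry sets `autorestart=false`, so if crond exits for any reason the beacon silently stops for the rest of the container's life; a one-line comment stating that this is deliberate would help the next reader.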
@@ -0,0 +1,37 @@
#!/bin/bash

LOGHOST="localhost"
LOGPORT="80"

if [ -s /opt/tier/env.bash ]; then
. /opt/tier/env.bash
fi

messagefile="/tmp/beaconmsg"

if [ -z "$TIER_BEACON_OPT_OUT" ]; then
cat > $messagefile <<EOF
{
"msgType" : "TIERBEACON",
"msgName" : "TIER",
"msgVersion" : "1.0",
"tbProduct" : "MIDPOINT",
"tbProductVersion" : "$MP_VERSION",
"tbTIERRelease" : "$TIER_RELEASE",
"tbMaintainer" : "$TIER_MAINTAINER"
}
EOF

# echo `date`": going to send TIER beacon to ${LOGHOST}:${LOGPORT}:"
# cat $messagefile

curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T $messagefile 1>/dev/null 2>&1
if [ $? -eq 0 ]; then
echo `date`": TIER beacon sent"
else
echo `date`": Failed to send TIER beacon"
fi

rm -f $messagefile 1>/dev/null 2>&1

fi
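Review bot: `curl -s …` without `-f` returns 0 for an HTTP 4xx/5xx response, so the script logs "TIER beacon sent" even when the collector rejected the message; rewriting the call as the condition, `if curl -sf -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T "$messagefile" >/dev/null 2>&1; then`, makes the success message truthful and drops the separate `$?` test. The message file is a fixed, predictable path in the shared /tmp directory (`messagefile="/tmp/beaconmsg"`); `messagefile=$(mktemp) || exit 1`, with `$messagefile` quoted in the `cat >`, `curl` and `rm -f` lines, avoids clobbering or following whatever another process left there. The JSON is assembled by plain interpolation, so a `"` or `\` in MP_VERSION, TIER_RELEASE or TIER_MAINTAINER yields an invalid document; these appear to be build-time values, so this may be acceptable, but it is worth a comment. Minor: the backtick `date` calls would read better as `$(date)`.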
@@ -0,0 +1,14 @@
#!/bin/bash

CRONFILE=/opt/tier/cronfile

if [ "$TIER_BEACON_ENABLED" == "true" ]; then
echo "#send daily \"beacon\" to central" > ${CRONFILE}
# echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/send-tier-beacon.sh >> /tmp/logcrond 2>&1" >> ${CRONFILE}
echo "* * * * * /usr/local/bin/send-tier-beacon.sh >> /tmp/logcrond 2>&1" >> ${CRONFILE} # for testing
else
echo "#beacon is disabled" > ${CRONFILE}
fi

chmod 644 ${CRONFILE}
crontab ${CRONFILE}
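Review bot: The schedule actually installed is the every-minute line marked `# for testing`, while the randomized daily schedule is commented out, so as committed every container sends the beacon 1440 times a day; this looks like a leftover that should be swapped back (or gated behind an explicit test variable) before the image ships. If the daily line is restored, `$((RANDOM % 60))` and `$((RANDOM % 24))` are the bash forms and cover the full minute and hour ranges, whereas `expr $RANDOM % 59` never yields minute 59 and `% 3` limits the hour to 0–2. Note also that this script gates on `TIER_BEACON_ENABLED` while send-tier-beacon.sh gates on `TIER_BEACON_OPT_OUT`, so there are two independent switches; if that is intended, a comment here naming both would prevent confusion.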
@@ -0,0 +1,28 @@
#!/bin/bash

# normalizing logging variables as required by TIER
export ENV=${ENV//[; ]/_}
export USERTOKEN=${USERTOKEN//[; ]/_}

/usr/local/bin/setup-cron.sh

# generic console logging pipe for anyone
mkfifo -m 666 /tmp/logpipe
cat <> /tmp/logpipe 1>&2 &

mkfifo -m 666 /tmp/loghttpd
(cat <> /tmp/loghttpd | awk '{printf "%s\n", $0; fflush()}' 1>/tmp/logpipe) &

mkfifo -m 666 /tmp/logshib
(cat <> /tmp/logshib | awk '{printf "%s\n", $0; fflush()}' 1>/tmp/logpipe) &

mkfifo -m 666 /tmp/logcrond
(cat <> /tmp/logcrond | awk -v ENV="$ENV" -v USERTOKEN="$USERTOKEN" '{printf "crond;console;%s;%s;%s\n", ENV, USERTOKEN, $0; fflush()}' 1>/tmp/logpipe) &

mkfifo -m 666 /tmp/logsuperd
(cat <> /tmp/logsuperd | awk -v ENV="$ENV" -v USERTOKEN="$USERTOKEN" '{printf "supervisord;console;%s;%s;%s\n", ENV, USERTOKEN, $0; fflush()}' 1>/tmp/logpipe) &

mkfifo -m 666 /tmp/logtomcat
(cat <> /tmp/logtomcat | awk -v ENV="$ENV" -v USERTOKEN="$USERTOKEN" '{printf "tomcat;console;%s;%s;%s\n", ENV, USERTOKEN, $0; fflush()}' 1>/tmp/logpipe) &

/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
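Review bot: The normalization `${ENV//[; ]/_}` / `${USERTOKEN//[; ]/_}` replaces only `;` and space, so a newline, tab or other control character in either variable still reaches the `;`-delimited log lines unchanged through the awk stages and httpd's `%{ENV}e;%{USERTOKEN}e` LogFormat, where a newline splits a record into two; a whitelist such as `export ENV=${ENV//[^[:alnum:]_.:-]/_}` is safer, subject to whatever character set TIER actually permits. The script has no `set -e` and none of the `mkfifo` calls are checked, so if a path already exists (for example a regular file or a FIFO left from a previous start when /tmp is persisted) the error is ignored and the matching `cat <> …` reader quietly operates on whatever is there; `mkfifo -m 666 /tmp/logpipe || exit 1` (or `set -e` at the top) makes the failure visible. Passing the values via `awk -v ENV="$ENV"` is fine for the characters above, but awk interprets backslash escapes in `-v` values, so a backslash in the input would be transformed — probably harmless here, but worth knowing.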
@@ -0,0 +1,8 @@
#!/bin/bash

echo "Linking secrets and config files; using authentication: $AUTHENTICATION"
ln -sf /run/secrets/m_sp-key.pem /etc/shibboleth/sp-key.pem
ln -sf /run/secrets/m_host-key.pem /etc/pki/tls/private/host-key.pem
ln -sf /etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/midpoint.conf

httpd-shib-foreground
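Review bot: `$AUTHENTICATION` is used unquoted and unvalidated to build the `ln -sf` target, so an empty or unexpected value silently produces a dangling /etc/httpd/conf.d/midpoint.conf symlink and httpd is then started without the intended midPoint vhost configuration (whether it fails or runs with defaults depends on httpd's handling of the broken include — I have not confirmed which). A guard before the link, `[ -f "/etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION" ] || { echo "unsupported AUTHENTICATION: '$AUTHENTICATION'" >&2; exit 1; }`, turns this into a clear startup error, and the three `ln -sf` arguments should be double-quoted.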
@@ -1,16 +1,5 @@
#!/bin/bash

# normalizing logging variables as required by TIER
export ENV=${ENV//[; ]/_}
export USERTOKEN=${USERTOKEN//[; ]/_}

echo "Linking secrets and config files; using authentication: $AUTHENTICATION"
ln -sf /run/secrets/m_sp-key.pem /etc/shibboleth/sp-key.pem
ln -sf /run/secrets/m_host-key.pem /etc/pki/tls/private/host-key.pem
ln -sf /etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/midpoint.conf

httpd-shib-foreground &

if [ "$AUTHENTICATION" = "shibboleth" ]; then
LOGOUT_URL_DIRECTIVE="-Dauth.logout.url=$LOGOUT_URL"
else
@@ -35,4 +24,5 @@ java -Xmx$MEM -Xms2048m -Dfile.encoding=UTF8 \
$LOGOUT_URL_DIRECTIVE \
-Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
-Dserver.tomcat.ajp.port=$AJP_PORT \
-Dlogging.path=/tmp/logtomcat \
-jar $MP_DIR/lib/midpoint.war
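Review bot: The added `-Dlogging.path=/tmp/logtomcat` points a logging property at the FIFO created in start-all.sh, but in Spring Boot `logging.path` names a directory (the log file is created inside it), so if midPoint honours that property with the standard semantics nothing will be written to the pipe and the tomcat log stage in start-all.sh will stay silent; please verify against midPoint's logging configuration and add a comment such as `# midPoint writes its log stream to this FIFO; consumed by start-all.sh` stating the expected behaviour. The `java` command starts outside the hunk; within it, `$MP_DIR/lib/midpoint.war` should be quoted, while `$LOGOUT_URL_DIRECTIVE` is presumably left unquoted on purpose so that an empty value contributes no argument.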
