Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

COmanage Registry Internet2 TIER

Intended to build a COmanage Registry image using the Shibboleth Native SP for Apache HTTP Server (Shibboleth) as the authentication mechanism and that meets the TIER Docker Container Specification from the Internet2 TIER program.

Build Arguments

Building the image requires the following build arguments:

--build-arg COMANAGE_REGISTRY_VERSION=<version number>
--build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=<base image version number>
--build-arg COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=<I2 base image version number>

Build Requirements

This image uses a multi-stage build. It requires that the COmanage Registry base image and Internet2 TIER base image be built first.

Building

docker build \
  --build-arg COMANAGE_REGISTRY_VERSION=<COmanage Registry version number> \
  --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=<base image version number> \
  --build-arg COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=<base image version number> \
  -t comanage-registry:<tag> .

Building Example

export COMANAGE_REGISTRY_VERSION=3.3.3
export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1
export COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=1
export COMANAGE_REGISTRY_I2_IMAGE_VERSION=1
TAG="${COMANAGE_REGISTRY_VERSION}-internet2-tier-${COMANAGE_REGISTRY_I2_IMAGE_VERSION}"
docker build \
  --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \
  --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \
  --build-arg COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} \
  -t comanage-registry:$TAG .

Volumes and Data Persistence

See COmanage Registry Volumes and Data Persistence.

Environment Variables

See the list of environment variables common to all images including this image.

See also the list of environment variables common to all images using Shibboleth.

Additionally the Internet2 TIER image supports the following environment variables:

ENV

  • Description: Environment
  • Required: No
  • Default: None
  • Example: PROD
  • Note: Usually one of PROD, TEST, or DEV. The value is included in log entries.

USERTOKEN

  • Description: Deployer supplied
  • Required: No
  • Default: None
  • Example: node01
  • Note: The value is included in log entries.

Authentication

This image supports using the Shibboleth Native SP for Apache HTTP Server (Shibboleth) as the authentication mechanism. Deployers should configure Shibboleth so that the desired asserted user attribute is written into REMOTE_USER.

Ports

The image listens for web traffic on ports 80 and 443. All requests on port 80 are redirected to port 443.

Running

See other documentation in this repository for details on how to orchestrate running this image with other images using an orchestration tool like Docker Compose, Docker Swarm, or Kubernetes.

To run this image:

docker run -d \
  --name comanage-registry \
  -e COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Julia \
  -e COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Janseen \
  -e COMANAGE_REGISTRY_ADMIN_USERNAME=julia.janseen@my.org \
  -e SHIBBOLETH_SP_ENTITY_ID=https://myapp.my.org/shibboleth/sp \
  -e SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/etc/shibboleth/my-org-metadata.xml \
  -v /opt/comanage-registry-local:/srv/comanage-registry/local \
  -v /etc/shibboleth/sp-encrypt-cert.pem:/etc/shibboleth/sp-encrypt-cert.pem \
  -v /etc/shibboleth/sp-encrypt-key.pem:/etc/shibboleth/sp-encrypt-key.pem \
  -v /etc/shibboleth/my-org-metadata.xml:/etc/shibboleth/my-org-metadata.xml \
  -p 80:80 \
  -p 443:443 \
  comanage-registry:3.3.3-internet2-tier-1

Logging

Apache HTTP Server, COmanage Registry, Shibboleth, and supervisord all log to the stdout and stderr of the container.

The logging configuration meets version 1 of the TIER Docker Container Specification.

HTTPS Configuration

See the section on environment variables and the HTTPS_CERT_FILE and HTTPS_PRIVKEY_FILE variables.

Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) and associated private key file. For example

COPY cert.pem /etc/httpd/cert.pem
COPY privkey.pem /etc/httpd/privkey.pem