diff --git a/NOTICE b/NOTICE index 55cd844..0cf66c7 100644 --- a/NOTICE +++ b/NOTICE @@ -1,6 +1,6 @@ Docker for COmanage Registry -Copyright (C) 2010-2017 +Copyright (C) 2010-2019 University Corporation for Advanced Internet Development, Inc. Licensed under the Apache License, Version 2.0 (the "License"); @@ -30,6 +30,6 @@ to the University Corporation for Advanced Internet Development, Inc. as per the Contributer License Agreement by, Spherical Cow Group - https://sphericalcowgroup.com + http://sphericalcowgroup.com --------------------------------------------------------------------------- diff --git a/README.md b/README.md index f609062..7bec94c 100644 --- a/README.md +++ b/README.md 
@@ -21,130 +21,94 @@ limitations under the License. # COmanage Registry Docker -## What it is -Docker version of [COmanage -Registry](https://spaces.internet2.edu/display/COmanage/Home). +This repository contains Dockerfiles, documenation, and other files necessary to +build and deploy a Dockerized version of +[COmanage Registry](https://spaces.internet2.edu/display/COmanage/Home), as well as +other infrastructure commonly deployed with COmanage Registry. -COmanage Registry is a web application that requires a relational database +Since COmanage Registry is a web application that requires a relational database and an authentication mechanism such as -[Shibboleth](http://shibboleth.net/products/service-provider.html), -[SimpleSAMLphp](https://simplesamlphp.org/), -[mod_auth_openidc](https://github.com/pingidentity/mod_auth_openidc), -or just simple [Basic Authentication](https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html). -Since COmanage Registry itself is agnostic about the database and authentication -mechanism used this repository includes multiple Dockerfiles to build images that use various +[Shibboleth](https://www.shibboleth.net/products/service-provider/), +[mod\_auth\_openidc](https://github.com/zmartzone/mod_auth_openidc), +or just simple [Basic Authentication](https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html), +this repository includes multiple Dockerfiles to build images that use various combinations of tools. -## How To - -* Install Docker. These instructions require version 17.03.1 or higher. - -* Install [Docker Compose](https://docs.docker.com/compose/). These instructions require -version 1.13.0 or higher. - -* Clone this repository: - -``` -git clone https://github.com/Internet2/comanage-registry-docker.git -cd comanage-registry-docker -``` - -* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version -of COmanage Registry you want to deploy. 
See the -[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) -wiki page for the list of releases. We recommend using the latest release. - -Here is an example (but please check the wiki page for the latest release number): - -``` -export COMANAGE_REGISTRY_VERSION=3.1.1 -``` - -* Build a local image for COmanage Registry: - -``` -pushd comanage-registry-basic-auth -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth . -popd -``` - -* Build a local image of PostgreSQL for COmanage Registry: -``` -pushd comanage-registry-postgres -docker build -t comanage-registry-postgres . -popd -``` -* Create a template docker-compose.yml file: -``` -version: '3.1' - -services: - - comanage-registry-database: - image: comanage-registry-postgres - - comanage-registry: - image: comanage-registry:COMANAGE_REGISTRY_VERSION-basic-auth - ports: - - "80:80" - - "443:443" -``` - -* Use sed to set the COmanage Registry version for the image in the -docker-compose.yml file: - -``` -sed -i s/COMANAGE_REGISTRY_VERSION/$COMANAGE_REGISTRY_VERSION/ docker-compose.yml -``` - -* Start the services: -``` -docker-compose up -d -``` - -* Browse to port 443 on the host, for example `https://localhost/`. You will have to - click through the warning from your browser about the self-signed certificate used - for HTTPS. - -* Click `Login` and when prompted enter `registry.admin` as the username and `password` -for the password. - -See [Advanced Configuration](docs/advanced-configuration.md) -for details on setting a non-default administrator username and password. - -* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO) -to learn how to create your first collaborative organization (CO) and begin using -the platform. 
- -* To stop the services: -``` -docker-compose stop -``` - -* To remove the containers and networks: -``` -docker-compose down -``` - -### Important Notes -The instructions above are *not suitable for a production deployment* for two reasons: - -1. The deployed services use default and easily guessed passwords. -2. No data is persisted. When the containers are destroyed so is your data. - -## Next Steps -To evolve your COmanage Registry deployment examine the documentation -in the [docs directory](docs/README.md) or follow these direct links: - -* [Persist data using host-mounted volumes](docs/basic-auth-postgres-persist.md) -* [Use MariaDB instead of PostgreSQL](docs/basic-auth-mariadb-persist.md) -* [Add OpenLDAP slapd for provisioning](docs/openldap-slapd.md) -* [Advanced configuration](docs/advanced-configuration.md) -* [Complete example recipe for production deployment](docs/shibboleth-sp-postgres-compose.md) -* [Using Docker service stacks and Docker secrets](docs/mod-auth-oidc-mariadb-stacks.md) - - - - - +## Evaluate COmanage Registry + +If you are new to COmanage Registry follow [these instructions](docs/evaluation.md) to build +and run a simple deployment suitable for evaluating COmanage Registry. + +## Building Images + +The following link to detailed instructions for building each individual image. See the next +section for links to documentation on how to deploy the images as services. 
+ +* [COmanage Registry base image](comanage-registry-base/README.md) +* [COmanage Registry with Basic Authentication](comanage-registry-basic-auth/README.md) +* [COmanage Registry with Shibboleth SP base image](comanage-registry-shibboleth-sp-base/README.md) +* [COmanage Registry with Shibboleth SP](comanage-registry-shibboleth-sp/README.md) +* [COmanage Registry with mod\_auth\_openidc](comanage-registry-mod-auth-openidc/README.md) +* [COmanage Registry for Internet2 TIER base](comanage-registry-internet2-tier-base/README.md) +* [COmanage Registry for Internet2 TIER](comanage-registry-internet2-tier/README.md) +* [PostgreSQL for COmanage Registry](comanage-registry-postgres/README.md) +* [OpenLDAP slapd base for COmanage Registry](comanage-registry-slapd-base/README.md) +* [OpenLDAP slapd for COmanage Registry](comanage-registry-slapd/README.md) +* [OpenLDAP slapd proxy for COmanage Registry](comanage-registry-slapd-proxy/README.md) + +## Deploying Images and Running Services + +Since COmanage Registry requires a relational database, and because it is often deployed with +other tools like an LDAP directory, multiple images need to be simultanesouly instantiated +as containers. Orchestrating multiple containers to create services is easiest using +tools such as [Docker Compose](https://docs.docker.com/compose/), +[Docker Swarm](https://docs.docker.com/engine/swarm/), or +[Kubernetes](https://kubernetes.io/). + +The images built from Dockerfiles in this repository may be used with any container +orchestration platform but the documentation demonstrates how to deploy with +Docker Swarm (the simple evaluation scenario above uses Docker Compose). + +The following link to detailed instructions for a number of deployment scenarios. 
+ +* [COmanage Registry using the Shibboleth SP and PostgreSQL database](docs/shibboleth-sp-postgresql.md) +* [COmanage Registry using the Shibboleth SP and MariaDB database](docs/shibboleth-sp-mariadb.md) +* [COmanage Registry using mod\_auth\_openidc and MariaDB database](docs/mod-auth-openidc-mariadb.md) +* [COmanage Registry using the Internet2 TIER image](docs/comanage-registry-internet2-tier.md) +* [Adding an OpenLDAP Directory](docs/adding-openldap.md) +* [Adding an OpenLDAP proxy server](docs/adding-openldap-proxy.md) + +## All Documentation + +### Building Images + +* [COmanage Registry base image](comanage-registry-base/README.md) +* [COmanage Registry with Basic Authentication](comanage-registry-basic-auth/README.md) +* [COmanage Registry with Shibboleth SP base image](comanage-registry-shibboleth-sp-base/README.md) +* [COmanage Registry with Shibboleth SP](comanage-registry-shibboleth-sp/README.md) +* [COmanage Registry with mod\_auth\_openidc](comanage-registry-mod-auth-openidc/README.md) +* [COmanage Registry for Internet2 TIER base](comanage-registry-internet2-tier-base/README.md) +* [COmanage Registry for Internet2 TIER](comanage-registry-internet2-tier/README.md) +* [PostgreSQL for COmanage Registry](comanage-registry-postgres/README.md) +* [OpenLDAP slapd base for COmanage Registry](comanage-registry-slapd-base/README.md) +* [OpenLDAP slapd for COmanage Registry](comanage-registry-slapd/README.md) +* [OpenLDAP slapd proxy for COmanage Registry](comanage-registry-slapd-proxy/README.md) + +### Deploying Services + +* [COmanage Registry using the Shibboleth SP and PostgreSQL database](docs/shibboleth-sp-postgresql.md) +* [COmanage Registry using the Shibboleth SP and MariaDB database](docs/shibboleth-sp-mariadb.md) +* [COmanage Registry using mod\_auth\_openidc and MariaDB database](docs/mod-auth-openidc-mariadb.md) +* [COmanage Registry using the Internet2 TIER image](docs/comanage-registry-internet2-tier.md) +* [Adding an OpenLDAP 
Directory](docs/adding-openldap.md) +* [Adding an OpenLDAP proxy server](docs/adding-openldap-proxy.md) + +### Other + +* [COmanage Registry Volumes and Data Persistence](docs/volumes-and-data-persistence.md) +* [Evaluating COmanage Registry using Docker](docs/evaluation.md) +* [Environment Variables Common to All Images](docs/comanage-registry-common-environment-variables.md) +* [Environment Variables Common to Images using Shibboleth SP for Authentication](docs/comanage-registry-common-shibboleth-environment-variables.md) +* [Environment Variables Common to All slapd Images](docs/slapd-common-environment-variables.md) +* [Executing LDIF Files](docs/slapd-ldif.md) +* [OpenLDAP slapd for COmanage Registry Volumes and Data Persistence](docs/openldap-volumes-and-data-persistence.md) diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..c9c5dc6 --- /dev/null +++ b/build.sh 
@@ -0,0 +1,320 @@ +#!/bin/bash + +set -e + +show_help() { + echo "Usage: $0 [option...]" >&2 + echo + echo " -h, --help show this usage message" + echo " -r, --registry_version COmanage Registry version" + echo " --registry_base_image_version" + echo " --basic_auth_image_version" + echo " --shibboleth_sp_version" + echo " --shibboleth_sp_base_image_version" + echo " --shibboleth_sp_image_version" + echo " --mod_auth_openidc_image_version" + echo " --i2_base_image_version" + echo " --i2_image_version" + echo " --postgres_image_version" + echo " --slapd_base_image_version" + echo " --slapd_image_version" + echo " --slapd_proxy_image_version" + echo " -d, --docker_registry Docker registry to push into" + echo +} + +# Default values. +COMANAGE_REGISTRY_VERSION="3.2.1" +COMANAGE_REGISTRY_BASE_IMAGE_VERSION="1" +COMANAGE_REGISTRY_BASIC_AUTH_IMAGE_VERSION="1" +COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION="3.0.4" +COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION="1" +COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION="1" +COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION="1" +COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION="1" +COMANAGE_REGISTRY_I2_IMAGE_VERSION="1" +COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION="1" +COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION="2" +COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION="2" +COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION="2" +DOCKER_REGISTRY= + +POSITIONAL=() +while [[ $# -gt 0 ]] +do +key="$1" + +case $key in + -h|--help) + show_help + exit 0 + ;; + -r|--registry_version) + COMANAGE_REGISTRY_VERSION="$2" + shift # past argument + shift # past value + ;; + --registry_base_image_version) + COMANAGE_REGISTRY_BASE_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --basic_auth_image_version) + COMANAGE_REGISTRY_BASIC_AUTH_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --shibboleth_sp_version) + COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION="$2" + shift # past argument + shift # past value + ;; + --shibboleth_sp_base_image_version) 
+ COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --shibboleth_sp_image_version) + COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --mod_auth_openidc_image_version) + COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --i2_base_image_version) + COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --i2_image_version) + COMANAGE_REGISTRY_I2_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --postgres_image_version) + COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --slapd_base_image_version) + COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --slapd_image_version) + COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + --slapd_proxy_image_version) + COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION="$2" + shift # past argument + shift # past value + ;; + -d|--docker_registry) + DOCKER_REGISTRY="$2" + shift # past argument + shift # past value + ;; + *) # unknown option + POSITIONAL+=("$1") # save it in an array for later + shift # past argument + ;; +esac +done +set -- "${POSITIONAL[@]}" # restore positional parameters + +declare -a inputs=( +"COMANAGE_REGISTRY_VERSION" +"COMANAGE_REGISTRY_BASE_IMAGE_VERSION" +"COMANAGE_REGISTRY_BASIC_AUTH_IMAGE_VERSION" +"COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION" +"COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION" +"COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION" +"COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION" +"COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION" +"COMANAGE_REGISTRY_I2_IMAGE_VERSION" +"COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION" +"COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION" +"COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION" +"COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION" 
+"DOCKER_REGISTRY" +) + +for input in "${inputs[@]}" +do + eval value=\$"${input}"; + echo "Using $input $value" +done + +pushd comanage-registry-base +TAG="${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + -t comanage-registry-base:${TAG} . +if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry-base:${TAG} \ + ${DOCKER_REGISTRY}/comanage-registry-base:${TAG} + docker push \ + ${DOCKER_REGISTRY}/comanage-registry-base:${TAG} +fi +popd + +pushd comanage-registry-basic-auth +TAG="${COMANAGE_REGISTRY_VERSION}-basic-auth-${COMANAGE_REGISTRY_BASIC_AUTH_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry:$TAG \ + ${DOCKER_REGISTRY}/comanage-registry:$TAG + docker push \ + ${DOCKER_REGISTRY}/comanage-registry:$TAG +fi +popd + +pushd comanage-registry-shibboleth-sp-base +TAG="${COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION}-${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-shibboleth-sp-base:$TAG . 
+if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry-shibboleth-sp-base:$TAG \ + ${DOCKER_REGISTRY}/comanage-registry-shibboleth-sp-base:$TAG + docker push \ + ${DOCKER_REGISTRY}/comanage-registry-shibboleth-sp-base:$TAG +fi +popd + +pushd comanage-registry-shibboleth-sp +TAG="${COMANAGE_REGISTRY_VERSION}-shibboleth-sp-${COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + --build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION=${COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION} \ + --build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry:$TAG \ + ${DOCKER_REGISTRY}/comanage-registry:$TAG + docker push \ + ${DOCKER_REGISTRY}/comanage-registry:$TAG +fi +popd + +pushd comanage-registry-mod-auth-openidc +TAG="${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc-${COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry:$TAG \ + ${DOCKER_REGISTRY}/comanage-registry:$TAG + docker push \ + ${DOCKER_REGISTRY}/comanage-registry:$TAG +fi +popd + +pushd comanage-registry-internet2-tier-base +TAG="${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-internet2-tier-base:$TAG . 
+if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry-internet2-tier-base:$TAG \ + ${DOCKER_REGISTRY}/comanage-registry-internet2-tier-base:$TAG + docker push \ + ${DOCKER_REGISTRY}/comanage-registry-internet2-tier-base:$TAG +fi +popd + +pushd comanage-registry-internet2-tier +TAG="${COMANAGE_REGISTRY_VERSION}-internet2-tier-${COMANAGE_REGISTRY_I2_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + --build-arg COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry:$TAG \ + ${DOCKER_REGISTRY}/comanage-registry:$TAG + docker push \ + ${DOCKER_REGISTRY}/comanage-registry:$TAG +fi +popd + +pushd comanage-registry-postgres +TAG="${COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION}" +docker build \ + -t comanage-registry-postgres:${TAG} . +if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry-postgres:${TAG} \ + ${DOCKER_REGISTRY}/comanage-registry-postgres:${TAG} + docker push \ + ${DOCKER_REGISTRY}/comanage-registry-postgres:${TAG} +fi +popd + +pushd comanage-registry-slapd-base +TAG="${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-slapd-base:${TAG} . +if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry-slapd-base:${TAG} \ + ${DOCKER_REGISTRY}/comanage-registry-slapd-base:${TAG} + docker push \ + ${DOCKER_REGISTRY}/comanage-registry-slapd-base:${TAG} +fi +popd + +pushd comanage-registry-slapd +TAG="${COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} \ + -t comanage-registry-slapd:${TAG} . 
+if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry-slapd:${TAG} \ + ${DOCKER_REGISTRY}/comanage-registry-slapd:${TAG} + docker push \ + ${DOCKER_REGISTRY}/comanage-registry-slapd:${TAG} +fi +popd + +pushd comanage-registry-slapd-proxy +TAG="${COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} \ + -t comanage-registry-slapd-proxy:${TAG} . +if [[ -n "${DOCKER_REGISTRY}" ]]; +then + docker tag \ + comanage-registry-slapd-proxy:${TAG} \ + ${DOCKER_REGISTRY}/comanage-registry-slapd-proxy:${TAG} + docker push \ + ${DOCKER_REGISTRY}/comanage-registry-slapd-proxy:${TAG} +fi +popd + diff --git a/comanage-registry-base/.dockerignore b/comanage-registry-base/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-base/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-basic-auth/Dockerfile.template b/comanage-registry-base/Dockerfile similarity index 54% rename from comanage-registry-basic-auth/Dockerfile.template rename to comanage-registry-base/Dockerfile index af8d757..2498df8 100644 --- a/comanage-registry-basic-auth/Dockerfile.template +++ b/comanage-registry-base/Dockerfile @@ -1,4 +1,4 @@ -# COmanage Registry Dockerfile template +# COmanage Registry Dockerfile # # Portions licensed to the University Corporation for Advanced Internet # Development, Inc. ("UCAID") under one or more contributor license agreements. 
@@ -16,13 +16,18 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM php:7.0-apache-jessie +FROM php:7.3.4-apache-stretch +# Official PHP image with Apache HTTPD includes +# --with-openssl +# --with-mbstring +# but xls, pdo, pdo_mysql, pdo_pgsql, mysqli, pgsql, +# and ldap extensions must be built. RUN apt-get update && apt-get install -y \ libldap-2.4-2 \ libldap2-dev \ - libmysqlclient18 \ - libmysqlclient-dev \ + libmariadbclient18 \ + libmariadbclient-dev \ libpq-dev \ libxml2 \ libxslt1-dev \ @@ -33,8 +38,8 @@ RUN apt-get update && apt-get install -y \ libpcre3-dev \ && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \ && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \ - && docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \ - && docker-php-ext-install xsl pdo_mysql pdo_pgsql mysqli pgsql ldap \ + && docker-php-ext-configure mysqli \ + && docker-php-ext-install xsl pdo pdo_mysql pdo_pgsql mysqli pgsql ldap \ && docker-php-source delete \ && apt-get purge -y \ libldap2-dev \ 
@@ -42,62 +47,65 @@ RUN apt-get update && apt-get install -y \ libpq-dev \ && apt-get clean -ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%% -ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz - -LABEL comanage_registry_version=$COMANAGE_REGISTRY_VERSION -LABEL comanage_registry_src_url=$COMANAGE_REGISTRY_SRC_URL +ARG COMANAGE_REGISTRY_VERSION +ENV COMANAGE_REGISTRY_VERSION ${COMANAGE_REGISTRY_VERSION:-develop} +LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION} -ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry +ENV COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/${COMANAGE_REGISTRY_VERSION}.tar.gz -COPY 000-comanage.conf /etc/apache2/sites-available/000-comanage.conf +ARG COMANAGE_REGISTRY_DIR +ENV COMANAGE_REGISTRY_DIR ${COMANAGE_REGISTRY_DIR:-/srv/comanage-registry} +LABEL comanage_registry_dir=${COMANAGE_REGISTRY_DIR} -WORKDIR "$COMANAGE_REGISTRY_DIR" +WORKDIR $COMANAGE_REGISTRY_DIR -RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ - && wget -O comanage.tar.gz $COMANAGE_REGISTRY_SRC_URL \ - && tar -zxf comanage.tar.gz -C "$COMANAGE_REGISTRY_DIR" --strip-components=1 \ +RUN mkdir -p ${COMANAGE_REGISTRY_DIR} \ + && wget -O comanage.tar.gz ${COMANAGE_REGISTRY_SRC_URL} \ + && tar -zxf comanage.tar.gz -C ${COMANAGE_REGISTRY_DIR} --strip-components=1 \ && rm -f comanage.tar.gz \ - && rm -f "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && cp -r "$COMANAGE_REGISTRY_DIR/app/tmp.dist" "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" \ + && rm -f ${COMANAGE_REGISTRY_DIR}/app/tmp \ + && cp -r ${COMANAGE_REGISTRY_DIR}/app/tmp.dist ${COMANAGE_REGISTRY_DIR}/app/tmp \ + && chown -R www-data:www-data ${COMANAGE_REGISTRY_DIR}/app/tmp \ && cd /var/www/html \ - && ln -s "$COMANAGE_REGISTRY_DIR/app/webroot" registry \ - && rm -rf "$COMANAGE_REGISTRY_DIR/local/*" \ - && ln -s "$COMANAGE_REGISTRY_DIR/local" /local \ - && a2enmod 
headers \ + && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \ + && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* + +RUN a2enmod headers \ && a2enmod ssl \ && a2enmod rewrite \ && a2dissite 000-default.conf \ - && a2ensite 000-comanage.conf \ && a2disconf other-vhosts-access-log \ && cd /etc/apache2 \ && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ - && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ - && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" - -COPY docker-comanage-entrypoint /usr/local/bin/ + && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem -# expose COmanage Registry local directory -VOLUME ["/local"] +COPY apache-include-directory-registry /etc/apache2/ +COPY apache-include-virtual-host-port443-base /etc/apache2/ +COPY apache-include-virtual-host-port80-redirect /etc/apache2/ -ENTRYPOINT ["docker-comanage-entrypoint"] +COPY comanage_utils.sh /usr/local/lib/ +COPY comanage_shibboleth_sp_utils.sh /usr/local/lib/ +COPY docker-comanage-entrypoint /usr/local/bin/ -WORKDIR /var/www/html +VOLUME ${COMANAGE_REGISTRY_DIR}/local EXPOSE 80 443 -# Default values for first administrator bootstrapped -# into the platform, most likely overridden at build time -# using build arguments. +# Allow values for first administrator bootstrapped into the +# platform to be specified at image build time, in addition to +# being injected at run time through the entrypoint script. ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ARG COMANAGE_REGISTRY_ADMIN_USERNAME ARG COMANAGE_REGISTRY_ENABLE_POOLING +# Set simple defaults for first administrator bootstrapped into the +# platform to make simple evaluation of the platform easier. 
ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry} ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin} ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin} ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No} +ENTRYPOINT ["docker-comanage-entrypoint"] + CMD ["apache2-foreground"] diff --git a/comanage-registry-base/README.md b/comanage-registry-base/README.md new file mode 100644 index 0000000..615a9bf --- /dev/null +++ b/comanage-registry-base/README.md @@ -0,0 +1,62 @@ + + +# COmanage Registry Base Image + +Intended to build a COmanage Registry base image +using the official PHP with Apache image as the foundation. + +By itself the image built from this Dockerfile does **not** provide any +method for authentication and is not suitable for deployment. + +The image built from this Dockerfile is used as the base +for images that include an authentication mechanism. +See other documentation in this +repository for examples on how to build images on this +one that include authentication methods like Basic Auth, +Shibboleth SP, and mod\_auth\_openidc. + +## Build Arguments + +Building the image requires the following build argument: + +``` +--build-arg COMANAGE_REGISTRY_VERSION= +``` + +## Building + +``` +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION= \ + -t comanage-registry-base: . +``` + +## Building Example + +``` +export COMANAGE_REGISTRY_VERSION=3.2.1 +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + -t comanage-registry-base:${TAG} . +``` diff --git a/comanage-registry-base/apache-include-directory-registry b/comanage-registry-base/apache-include-directory-registry new file mode 100644 index 0000000..b76eee4 --- /dev/null 
+++ b/comanage-registry-base/apache-include-directory-registry @@ -0,0 +1,6 @@ + +Options Indexes FollowSymLinks +DirectoryIndex index.php +AllowOverride All +Require all granted + diff --git a/comanage-registry-base/apache-include-virtual-host-port443-base b/comanage-registry-base/apache-include-virtual-host-port443-base new file mode 100644 index 0000000..999d08f --- /dev/null +++ b/comanage-registry-base/apache-include-virtual-host-port443-base @@ -0,0 +1,14 @@ +ServerName https://${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN}:443 + +DocumentRoot /var/www/html + +RedirectMatch ^/$ /registry/ + +LogLevel warn + +Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" + +SSLEngine on +SSLProtocol all -SSLv2 -SSLv3 +SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH +SSLHonorCipherOrder on diff --git a/comanage-registry-base/apache-include-virtual-host-port80-redirect b/comanage-registry-base/apache-include-virtual-host-port80-redirect new file mode 100644 index 0000000..0e61457 --- /dev/null +++ b/comanage-registry-base/apache-include-virtual-host-port80-redirect @@ -0,0 +1,6 @@ + +ServerName http://${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN}:80 +RewriteEngine On +RewriteCond %{HTTPS} off +RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] + diff --git a/comanage-registry-base/comanage_shibboleth_sp_utils.sh b/comanage-registry-base/comanage_shibboleth_sp_utils.sh new file mode 100755 index 0000000..dd9cacf --- /dev/null +++ b/comanage-registry-base/comanage_shibboleth_sp_utils.sh 
@@ -0,0 +1,317 @@ +#!/bin/bash + +# COmanage Registry Shibboleth SP Dockerfile entrypoint +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ -n "$COMANAGE_DEBUG" ] +then + OUTPUT=/dev/stdout +else + OUTPUT=/dev/null +fi + +########################################## +# Consume injected environment variables +# Globals: +# See function +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_shibboleth_sp_utils::consume_injected_environment() { + + echo "Examining environment variables for Shibboleth SP..." > "$OUTPUT" + + # Configuration details that may be injected through environment + # variables or the contents of files. + # + # SHIBBOLETH_SP_METADATA_PROVIDER_XML may also be injected in the + # same way but because of the presence of special characters in the + # XML it is handled differently. 
+ + injectable_config_vars=( + SHIBBOLETH_SP_ENTITY_ID + SHIBBOLETH_SP_CERT + SHIBBOLETH_SP_PRIVKEY + SHIBBOLETH_SP_SIGNING_CERT + SHIBBOLETH_SP_SIGNING_PRIVKEY + SHIBBOLETH_SP_ENCRYPT_CERT + SHIBBOLETH_SP_ENCRYPT_PRIVKEY + SHIBBOLETH_SP_SAMLDS_URL + ) + + # If the file associated with a configuration variable is present then + # read the value from it into the appropriate variable. So for example + # if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its + # value points to a file on the file system then read the contents + # of that file into the variable COMANAGE_REGISTRY_DATASOURCE. + + for config_var in "${injectable_config_vars[@]}" + do + eval file_name=\$"${config_var}_FILE"; + + if [ -e "$file_name" ]; then + payload=`cat $file_name` + declare "${config_var}"="${payload}" + fi + done + + echo "Done examining environment variables" > "$OUTPUT" +} + +########################################## +# Prepare shibboleth2.xml configuration file +# Globals: +# OUTPUT +# SHIBBOLETH_SP_ENTITY_ID +# SHIBBOLETH_SP_SAMLDS_URL +# SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_shibboleth_sp_utils::prepare_shibboleth2xml() { + + local shib_file + local xml_content_file + local sed_script_file + + # If no shibboleth2.xml file is present then create one using + # injected information or defaults that are not particularly + # useful in a federated context but will allow shibd to start. + shib_file='/etc/shibboleth/shibboleth2.xml' + + if [[ ! 
-e "${shib_file}" ]]; then + cp "${shib_file}.template" "${shib_file}" > "${OUTPUT}" 2>&1 + sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ "${shib_file}" > "${OUTPUT}" 2>&1 + sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ "${shib_file}" > "${OUTPUT}" 2>&1 + + # The metadata provider injected input most likely contains special characters + # so use a sed script instead of simple substitution on the command line. + + if [[ -n "${SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE}" ]]; then + xml_content_file="${SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE}" + else + xml_content_file=`/bin/mktemp` + echo "${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-}" > "${xml_content_file}" + fi + + sed_script_file=`/bin/mktemp` + cat > ${sed_script_file}< "${OUTPUT}" 2>&1 + + chmod 0644 "${shib_file}" > "${OUTPUT}" 2>&1 + + rm -f "${xml_content_file}" > "${OUTPUT}" 2>&1 + rm -f "${sed_script_file}" > "${OUTPUT}" 2>&1 + + fi +} + +########################################## +# Prepare SAML certs and keys +# Globals: +# SHIBBOLETH_SP_CERT +# SHIBBOLETH_SP_PRIVKEY +# SHIBBOLETH_SP_SIGNING_CERT +# SHIBBOLETH_SP_SIGNING_PRIVKEY +# SHIBBOLETH_SP_ENCRYPT_CERT +# SHIBBOLETH_SP_ENCRYPT_PRIVKEY +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_shibboleth_sp_utils::prepare_saml_cert_key() { + + local saml_file + local owner + + if [[ -e '/etc/debian_version' ]]; then + owner='_shibd' + elif [[ -e '/etc/centos-release' ]]; then + owner='shibd' + fi + + # If defined use configured location of Shibboleth SP SAML certificate and key. 
+ saml_file='/etc/shibboleth/sp-cert.pem' + if [[ -n "${SHIBBOLETH_SP_CERT}" ]]; then + cp "${SHIBBOLETH_SP_CERT}" "${saml_file}" + chown "${owner}" "${saml_file}" + chmod 0644 "${saml_file}" + fi + + saml_file='/etc/shibboleth/sp-key.pem' + if [[ -n "${SHIBBOLETH_SP_PRIVKEY}" ]]; then + cp "${SHIBBOLETH_SP_PRIVKEY}" "${saml_file}" + chown "${owner}" "${saml_file}" + chmod 0600 "${saml_file}" + fi + + saml_file='/etc/shibboleth/sp-signing-cert.pem' + if [[ -n "${SHIBBOLETH_SP_SIGNING_CERT}" ]]; then + cp "${SHIBBOLETH_SP_SIGNING_CERT}" "${saml_file}" + chown "${owner}" "${saml_file}" + chmod 0644 "${saml_file}" + fi + + saml_file='/etc/shibboleth/sp-signing-key.pem' + if [[ -n "${SHIBBOLETH_SP_SIGNING_PRIVKEY}" ]]; then + cp "${SHIBBOLETH_SP_SIGNING_PRIVKEY}" "${saml_file}" + chown "${owner}" "${saml_file}" + chmod 0600 "${saml_file}" + fi + + saml_file='/etc/shibboleth/sp-encrypt-cert.pem' + if [[ -n "${SHIBBOLETH_SP_ENCRYPT_CERT}" ]]; then + cp "${SHIBBOLETH_SP_ENCRYPT_CERT}" "${saml_file}" + chown "${owner}" "${saml_file}" + chmod 0644 "${saml_file}" + fi + + saml_file='/etc/shibboleth/sp-encrypt-key.pem' + if [[ -n "${SHIBBOLETH_SP_ENCRYPT_PRIVKEY}" ]]; then + cp "${SHIBBOLETH_SP_ENCRYPT_PRIVKEY}" "${saml_file}" + chown "${owner}" "${saml_file}" + chmod 0600 "${saml_file}" + fi +} + +########################################## +# Manage UID and GID on files +# Globals: +# None +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_shibboleth_sp_utils::manage_uid_gid() { + + local owner + local ownership + local not_readable + + # A deployer may make their own mapping between the shibd username + # and the UID, and between the shibd group and GID, so before starting + # make sure files have the correct ownership and group. 
+ + not_readable='/tmp/shibd-not-readable' + + if [[ -e '/etc/debian_version' ]]; then + owner='_shibd' + ownership="${owner}:${owner}" + + chown "${ownership}" /etc/shibboleth/sp-cert.pem > /dev/null 2>&1 + chown "${ownership}" /etc/shibboleth/sp-key.pem > /dev/null 2>&1 + + chown "${ownership}" /etc/shibboleth/sp-signing-cert.pem > /dev/null 2>&1 + chown "${ownership}" /etc/shibboleth/sp-signing-key.pem > /dev/null 2>&1 + + chown "${ownership}" /etc/shibboleth/sp-encrypt-cert.pem > /dev/null 2>&1 + chown "${ownership}" /etc/shibboleth/sp-encrypt-key.pem > /dev/null 2>&1 + + chown "${ownership}" /opt/shibboleth-sp/var > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/run > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/run/shibboleth > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/run/shibboleth/shibd.sock > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/log > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/log/shibboleth > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/log/shibboleth/transaction.log > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/log/shibboleth/signature.log > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/log/shibboleth/shibd_warn.log > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/log/shibboleth/shibd.log > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/log/shibboleth-www > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/cache > /dev/null 2>&1 + chown "${ownership}" /opt/shibboleth-sp/var/cache/shibboleth > /dev/null 2>&1 + elif [[ -e '/etc/centos-release' ]]; then + owner='shibd' + ownership="${owner}:${owner}" + + chown "${ownership}" /etc/shibboleth/sp-cert.pem > /dev/null 2>&1 + chown "${ownership}" /etc/shibboleth/sp-key.pem > /dev/null 2>&1 + + chown "${ownership}" /etc/shibboleth/sp-signing-cert.pem > /dev/null 2>&1 + chown 
"${ownership}" /etc/shibboleth/sp-signing-key.pem > /dev/null 2>&1 + + chown "${ownership}" /etc/shibboleth/sp-encrypt-cert.pem > /dev/null 2>&1 + chown "${ownership}" /etc/shibboleth/sp-encrypt-key.pem > /dev/null 2>&1 + fi + + # Warn about any files the shibd user cannot read. + sudo -u "${owner}" find /etc/shibboleth ! -readable > "${not_readable}" 2>/dev/null + if [[ -s "${not_readable}" ]]; then + echo "WARNING: the following files are not readable by ${owner}" + cat "${not_readable}" + echo "" + fi + + rm -f "${not_readable}" > /dev/null 2>&1 +} + +########################################## +# Exec to start and become Shibboleth SP shibd +# Globals: +# None +# Arguments: +# Command and arguments to exec +# Returns: +# Does not return +########################################## +function comanage_shibboleth_sp_utils::exec_shibboleth_sp_daemon() { + + local user + local group + local shibd_daemon + local config + local pidfile + + comanage_shibboleth_sp_utils::consume_injected_environment + + comanage_shibboleth_sp_utils::prepare_shibboleth2xml + + comanage_shibboleth_sp_utils::prepare_saml_cert_key + + comanage_shibboleth_sp_utils::manage_uid_gid + + config='/etc/shibboleth/shibboleth2.xml' + pidfile='/var/run/shibboleth/shibd.pid' + + if [[ -e '/etc/debian_version' ]]; then + user='_shibd' + group='_shibd' + shibd_daemon='/opt/shibboleth-sp/sbin/shibd' + elif [[ -e '/etc/centos-release' ]]; then + user='shibd' + group='shibd' + shibd_daemon='/usr/sbin/shibd' + export LD_LIBRARY_PATH=/opt/shibboleth/lib64 + fi + + exec "${shibd_daemon}" -f -u "${user}" -g "${group}" -c "${config}" -p "${pidfile}" -F +} diff --git a/comanage-registry-base/comanage_utils.sh b/comanage-registry-base/comanage_utils.sh new file mode 100644 index 0000000..a7d48f1 --- /dev/null +++ b/comanage-registry-base/comanage_utils.sh 
@@ -0,0 +1,703 @@ +#!/bin/bash + +# COmanage Registry bash shell utilities +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ -n "$COMANAGE_DEBUG" ] +then + OUTPUT=/dev/stdout +else + OUTPUT=/dev/null +fi + +########################################## +# Configure console (stdout) logging +# Globals: +# COMANAGE_REGISTRY_DIR +# OUTPUT +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::configure_console_logging() { + sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" +} + +########################################## +# Configure TIER logging +# Globals: +# ENV +# USERTOKEN +# OUTPUT +# Arguments: +# NONE +# Returns: +# None +########################################## +function comanage_utils::configure_tier_logging() { + + comanage_utils::manage_tier_environment + + # Create pipes to use for COmanage Registry instead of standard log files. 
+ rm -f "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" > "$OUTPUT" 2>&1 + rm -f "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" > "$OUTPUT" 2>&1 + mkfifo -m 666 "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" > "$OUTPUT" 2>&1 + mkfifo -m 666 "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" > "$OUTPUT" 2>&1 + + # Format any output from COmanange Registry into standard TIER form. + (cat <> "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "comanage_registry;error.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe)& + (cat <> "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "comanage_registry;debug.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe)& +} + +########################################## +# Consume injected environment variables +# Globals: +# See function +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::consume_injected_environment() { + + echo "Examining environment variables..." > "$OUTPUT" + + # Configuration details that may be injected through environment + # variables or the contents of files. 
+ local injectable_config_vars + + injectable_config_vars=( + COMANAGE_REGISTRY_ADMIN_GIVEN_NAME + COMANAGE_REGISTRY_ADMIN_FAMILY_NAME + COMANAGE_REGISTRY_ADMIN_USERNAME + COMANAGE_REGISTRY_DATASOURCE + COMANAGE_REGISTRY_DATABASE + COMANAGE_REGISTRY_DATABASE_HOST + COMANAGE_REGISTRY_DATABASE_USER + COMANAGE_REGISTRY_DATABASE_USER_PASSWORD + COMANAGE_REGISTRY_EMAIL_FROM + COMANAGE_REGISTRY_EMAIL_TRANSPORT + COMANAGE_REGISTRY_EMAIL_HOST + COMANAGE_REGISTRY_EMAIL_PORT + COMANAGE_REGISTRY_EMAIL_ACCOUNT + COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD + COMANAGE_REGISTRY_SECURITY_SALT + COMANAGE_REGISTRY_SECURITY_SEED + COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN + HTTPS_CERT_FILE + HTTPS_PRIVKEY_FILE + SERVER_NAME + ) + + # If the file associated with a configuration variable is present then + # read the value from it into the appropriate variable. So for example + # if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its + # value points to a file on the file system then read the contents + # of that file into the variable COMANAGE_REGISTRY_DATASOURCE. + + local config_var + for config_var in "${injectable_config_vars[@]}" + do + local file_name + eval file_name=\$"${config_var}_FILE"; + + if [[ -e "$file_name" ]]; then + declare -g "${config_var}"=`cat $file_name` + echo "Set ${config_var} to be contents of ${file_name}" > "$OUTPUT" + fi + done + + echo "Done examining environment variables" > "$OUTPUT" +} + +########################################## +# Enable non-core plugins +# Globals: +# COMANAGE_REGISTRY_DIR +# COMANAGE_REGISTRY_ENABLE_PLUGIN +# OUTPUT +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::enable_plugins() { + + # Enable any supported non-core plugins if requested. 
+ if [[ -n "$COMANAGE_REGISTRY_ENABLE_PLUGIN" ]]; then + local plugins + local plugin + plugins=(`echo "$COMANAGE_REGISTRY_ENABLE_PLUGIN" | sed -e 's@,@ @g'`) > "$OUTPUT" 2>&1 + for plugin in "${plugins[@]}"; + do + echo "Enabling available plugin $plugin..." > "$OUTPUT" 2>&1 + pushd "$COMANAGE_REGISTRY_DIR/local/Plugin" > "$OUTPUT" 2>&1 + ln -s "../../app/AvailablePlugin/$plugin" "$plugin" > "$OUTPUT" 2>&1 + popd > "$OUTPUT" 2>&1 + pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 + ./Console/cake database > "$OUTPUT" 2>&1 + popd > "$OUTPUT" 2>&1 + done + + # Clear the caches. + comanage_utils::registry_clear_cache + fi +} + +########################################## +# Exec to start and become Apache HTTP Server +# Globals: +# None +# Arguments: +# Command and arguments to exec +# Returns: +# Does not return +########################################## +function comanage_utils::exec_apache_http_server() { + + comanage_utils::consume_injected_environment + + comanage_utils::configure_console_logging + + comanage_utils::prepare_local_directory + + comanage_utils::prepare_database_config + + comanage_utils::prepare_email_config + + comanage_utils::prepare_https_cert_key + + comanage_utils::prepare_server_name + + comanage_utils::wait_database_connectivity + + comanage_utils::registry_setup + + comanage_utils::registry_upgrade + + comanage_utils::enable_plugins + + comanage_utils::registry_clear_cache + + comanage_utils::tmp_ownership + + # first arg is `-f` or `--some-option` + if [ "${1#-}" != "$1" ]; then + set -- apache2-foreground "$@" + fi + + exec "$@" +} + +########################################## +# Manage TIER environment variables +# Globals: +# None +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::manage_tier_environment() { + + # If ENV or USERTOKEN as injected by the deployer contain a semi-colon remove it. 
+ if [[ ${ENV} =~ .*";".* ]]; then + ENV=`echo ${ENV} | tr -d ';'` + export ENV + fi + + if [[ ${USERTOKEN} =~ .*";".* ]]; then + USERTOKEN=`echo ${USERTOKEN} | tr -d ';'` + export USERTOKEN + fi + + # If ENV or USERTOKEN as injected by the deployer contain a space remove it. + if [[ ${ENV} =~ [[:space:]] ]]; then + ENV=`echo ${ENV} | tr -d [:space:]` + export ENV + fi + + if [[ ${USERTOKEN} =~ [[:space:]] ]]; then + USERTOKEN=`echo ${USERTOKEN} | tr -d [:space:]` + export USERTOKEN + fi +} + +########################################## +# Prepare database configuration +# Globals: +# COMANAGE_REGISTRY_DATABASE +# COMANAGE_REGISTRY_DATABASE_HOST +# COMANAGE_REGISTRY_DATABASE_USER +# COMANAGE_REGISTRY_DATABASE_USER_PASSWORD +# COMANAGE_REGISTRY_DATASOURCE +# COMANAGE_REGISTRY_DIR +# OUTPUT +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::prepare_database_config() { + + # If the COmanage Registry database configuration file does not exist + # then try to create it from injected information with reasonable defaults + # that aid simple evaluation deployments. + local database_config + database_config="$COMANAGE_REGISTRY_DIR/local/Config/database.php" + + if [[ ! 
-e "$database_config" ]]; then + cat > "$database_config" < '${COMANAGE_REGISTRY_DATASOURCE:-Database/Postgres}', + 'persistent' => false, + 'host' => '${COMANAGE_REGISTRY_DATABASE_HOST:-comanage-registry-database}', + 'login' => '${COMANAGE_REGISTRY_DATABASE_USER:-registry_user}', + 'password' => '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD:-password}', + 'database' => '${COMANAGE_REGISTRY_DATABASE:-registry}', + 'prefix' => 'cm_', + ); + +} +EOF + echo "Wrote new database configuration file ${database_config}" > "$OUTPUT" + fi +} + +########################################## +# Prepare email configuration +# Globals: +# COMANAGE_REGISTRY_EMAIL_ACCOUNT +# COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD +# COMANAGE_REGISTRY_EMAIL_FROM +# COMANAGE_REGISTRY_EMAIL_HOST +# COMANAGE_REGISTRY_EMAIL_PORT +# COMANAGE_REGISTRY_EMAIL_TRANSPORT +# COMANAGE_REGISTRY_DIR +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::prepare_email_config() { + + # If the COmanage Registry email configuration file does not exist + # then try to create it from injected information with reasonable defaults + # that aid simple evaluation deployments. + local email_config + email_config="$COMANAGE_REGISTRY_DIR/local/Config/email.php" + + if [ ! 
-e "$email_config" ]; then + cat > "$email_config" < ${COMANAGE_REGISTRY_EMAIL_FROM:-array('account@gmail.com' => 'Registry')}, + 'transport' => '${COMANAGE_REGISTRY_EMAIL_TRANSPORT:-Smtp}', + 'host' => '${COMANAGE_REGISTRY_EMAIL_HOST:-tls://smtp.gmail.com}', + 'port' => ${COMANAGE_REGISTRY_EMAIL_PORT:-465}, + 'username' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT:-account@gmail.com}', + 'password' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD:-password}' + ); +} +EOF + echo "Wrote new email configuration file ${email_config}" > "$OUTPUT" + fi +} + +########################################## +# Prepare cert and key for HTTPS +# Globals: +# HTTPS_CERT_FILE +# HTTPS_PRIVKEY_FILE +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::prepare_https_cert_key() { + + local cert_path + local privkey_path + local web_user + + if [[ -e '/etc/debian_version' ]]; then + cert_path='/etc/apache2/cert.pem' + privkey_path='/etc/apache2/privkey.pem' + web_user='www-data' + elif [[ -e '/etc/centos-release' ]]; then + cert_path='/etc/httpd/cert.pem' + privkey_path='/etc/httpd/privkey.pem' + web_user='apache' + fi + + # If defined use configured location of Apache HTTP Server + # HTTPS certificate and key files. The certificate file may also + # include intermediate CA certificates, sorted from leaf to root. 
+ if [[ -n "${HTTPS_CERT_FILE}" ]]; then + rm -f "${cert_path}" + cp "${HTTPS_CERT_FILE}" "${cert_path}" + chown "${web_user}" "${cert_path}" + chmod 0644 "${cert_path}" + echo "Copied HTTPS certificate file ${HTTPS_CERT_FILE} to ${cert_path}" > "$OUTPUT" + echo "Set ownership of ${cert_path} to ${web_user}" > "$OUTPUT" + fi + + if [[ -n "${HTTPS_PRIVKEY_FILE}" ]]; then + rm -f "${privkey_path}" + cp "${HTTPS_PRIVKEY_FILE}" "${privkey_path}" + chown "${web_user}" "${privkey_path}" + chmod 0600 "${privkey_path}" + echo "Copied HTTPS private key file ${HTTPS_PRIVKEY_FILE} to ${privkey_path}" > "$OUTPUT" + echo "Set ownership of ${privkey_path} to ${web_user}" > "$OUTPUT" + fi +} + +########################################## +# Prepare local directory structure +# Globals: +# COMANAGE_REGISTRY_DIR +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::prepare_local_directory() { + + # Make sure the directory structure we need is available + # in the data volume for $COMANAGE_REGISTRY_DIR/local + local directories + + declare -a directories=("Config" + "Plugin" + "View/Pages/public" + "webroot/img" + ) + + local dir + local full_path + for dir in "${directories[@]}" + do + full_path="${COMANAGE_REGISTRY_DIR}/local/${dir}" + if [[ ! -d "${full_path}" ]]; then + mkdir -p "${full_path}" > "$OUTPUT" 2>&1 + echo "Created directory ${full_path}" + fi + done +} + +########################################## +# Prepare web server name +# Globals: +# SERVER_NAME +# COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::prepare_server_name() { + + # SERVER_NAME is deprecated in favor of COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN + # and will not be supported in a future version. 
+ if [[ -n "$SERVER_NAME" ]]; then + echo "SERVER_NAME is deprecated and will not be supported in a future version" + echo "Use COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN instead of SERVER_NAME" + if [[ -z "$COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN" ]]; then + COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN="${SERVER_NAME}" + echo "SERVER_NAME=${SERVER_NAME} has been injected" > "$OUTPUT" + echo "Setting COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN}" + fi + fi + + # If COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN has not been injected try to determine + # it from the HTTPS_CERT_FILE. + if [[ -z "$COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN" ]]; then + COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=$(openssl x509 -in /etc/apache2/cert.pem -text -noout | + sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | + sed -E 's/.*DNS:(.*)\s*$/\1/') + if [[ -n "$COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN" ]]; then + echo "Set COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN} using Subject Alternative Name from x509 certificate" > "$OUTPUT" + else + COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=$(openssl x509 -in /etc/apache2/cert.pem -subject -noout | + sed -E 's/subject=.*CN=(.*)\s*/\1/') + if [[ -n "$COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN" ]]; then + echo "Set COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN} using CN from x509 certificate" > "$OUTPUT" + fi + fi + fi + + # Configure Apache HTTP Server with the server name. + # This configures the server name for the default Debian + # Apache HTTP Server configuration but not the server name used + # by any virtual hosts. + if [[ -e '/etc/debian_version' ]]; then + cat > /etc/apache2/conf-available/server-name.conf < "$OUTPUT" 2>&1 + fi + + # Export the server name so that it may be used by + # Apache HTTP Server virtual host configurations. 
+ export COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN +} + +########################################## +# Clear CakePHP cache files +# Globals: +# None +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::registry_clear_cache() { + + local cache_dir + cache_dir="$COMANAGE_REGISTRY_DIR/app/tmp/cache" + + if [[ -d $cache_dir ]]; then + find $cache_dir -type f -exec rm -f {} \; + echo "Cleared COmanage Registry CakePHP cache files in ${cache_dir}" > "$OUTPUT" + fi + +} + +########################################## +# Run COmanage Registry setup shell command +# Globals: +# COMANAGE_REGISTRY_ADMIN_GIVEN_NAME +# COMANAGE_REGISTRY_ADMIN_FAMILY_NAME +# COMANAGE_REGISTRY_ADMIN_USERNAME +# COMANAGE_REGISTRY_DIR +# COMANAGE_REGISTRY_ENABLE_POOLING +# COMANAGE_REGISTRY_SECURITY_SALT +# COMANAGE_REGISTRY_SECURITY_SEED +# OUTPUT +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::registry_setup() { + + # We only want to run the setup script once since it creates + # state in the database. Until COmanage Registry has a better + # mechanism for telling us if setup has already been run + # we create an ephemeral CakePHP script to tell us. + local setup_already_script + setup_already_script="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php" + + cat > $setup_already_script <<"EOF" +Co->find('first', $args); + } catch (CakeException $e) { + $this->out('Not setup already'); + } + + if(empty($co)) { + $this->out('Not setup already'); + } else { + $this->error('Setup already'); + } + } +} +EOF + + local setup_already + pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 + echo "Testing if COmanage Registry setup has been done previously..." > "$OUTPUT" + ./Console/cake setupAlready > "$OUTPUT" 2>&1 + setup_already=$? 
+ + rm -f "$setup_already_script" + + local auto_generated_security + + if [ $setup_already -eq 0 ]; then + echo "COmanage Registry setup has not been done previously" > "$OUTPUT" + rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > "$OUTPUT" 2>&1 + rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > "$OUTPUT" 2>&1 + echo "Running ./Console/cake database..." > "$OUTPUT" + ./Console/cake database > "$OUTPUT" 2>&1 + echo "Running ./Console/cake setup..." > "$OUTPUT" + ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \ + --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \ + --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \ + --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" 2>&1 + echo "Set admin given name ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" > "$OUTPUT" + echo "Set admin family name ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" > "$OUTPUT" + echo "Set admin username ${COMANAGE_REGISTRY_ADMIN_USERNAME}" > "$OUTPUT" + echo "Set enable pooling to ${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" + auto_generated_security=1 + fi + + popd > "$OUTPUT" 2>&1 + + # If COmanage Registry CakePHP security salt and seed have been + # injected and the files do not otherwise exist create them. + if [[ -n "$COMANAGE_REGISTRY_SECURITY_SALT" && ( -n "$auto_generated_security" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" ) ]]; then + echo "$COMANAGE_REGISTRY_SECURITY_SALT" > "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" + fi + + if [[ -n "$COMANAGE_REGISTRY_SECURITY_SEED" && ( -n "$auto_generated_security" || ! 
-e "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" ) ]]; then + echo "$COMANAGE_REGISTRY_SECURITY_SEED" > "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" + fi +} + +########################################## +# Run COmanage Registry upgradeVersion shell command +# Globals: +# COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE +# COMANAGE_REGISTRY_DIR +# OUTPUT +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::registry_upgrade() { + + # We always run upgradeVersion since it will not make any changes + # if the current and target versions are the same or if + # an upgrade from the current to the target version is not allowed. + + # First clear the caches. + comanage_utils::registry_clear_cache + + pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 + echo "Running ./Console/cake upgradeVersion..." > "$OUTPUT" + ./Console/cake upgradeVersion > "$OUTPUT" 2>&1 + echo "Done running ./Console/cake upgradeVersion" > "$OUTPUT" + echo "You may ignore errors reported above if the Current and Target versions are the same" > "$OUTPUT" + popd > "$OUTPUT" 2>&1 + + # Force a datbase update if requested. This is helpful when deploying + # a new version of the code that does not result in a change in the + # version number and so upgradeVersion does not fire. An example + # of this scenario is when new code is introduced in the develop + # branch but before a release happens. + if [ -n "$COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE" ]; then + echo "Forcing a database schema update..." > "$OUTPUT" + pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 + ./Console/cake database > "$OUTPUT" 2>&1 + echo "Done forcing database schema update" > "$OUTPUT" + popd > "$OUTPUT" 2>&1 + fi + + # Clear the caches again. 
+ comanage_utils::registry_clear_cache +} + +########################################## +# Set tmp directory file ownership +# Globals: +# COMANAGE_REGISTRY_DIR +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::tmp_ownership() { + + # Ensure that the web server user owns the tmp directory + # and all children. + local tmp_dir + local ownership + + if [[ -e '/etc/debian_version' ]]; then + ownership='www-data:www-data' + elif [[ -e '/etc/centos-release' ]]; then + ownership='apache:apache' + fi + + tmp_dir="${COMANAGE_REGISTRY_DIR}/app/tmp" + + chown -R "${ownership}" "${tmp_dir}" + + echo "Recursively set ownership of ${tmp_dir} to ${ownership}" > "$OUTPUT" + +} + +########################################## +# Wait until able to connect to database +# Globals: +# COMANAGE_REGISTRY_DIR +# OUTPUT +# Arguments: +# None +# Returns: +# None +########################################## +function comanage_utils::wait_database_connectivity() { + + # Create a CakePHP shell to test database connectivity. + local database_test_script + database_test_script="$COMANAGE_REGISTRY_DIR/app/Console/Command/DatabaseTestShell.php" + + cat > $database_test_script <<"EOF" +error("Unable to connect to datasource"); + } + $this->out("Connected to datasource"); + } +} +EOF + + pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 + + # Loop until we are able to open a connection to the database. + echo "Testing database availability..." > "$OUTPUT" + until ./Console/cake databaseTest > "$OUTPUT" 2>&1; do + >&2 echo "Database is unavailable - sleeping" + sleep 1 + done + + rm -f "$database_test_script" + + echo "Database is available" > "$OUTPUT" + + popd > "$OUTPUT" 2>&1 +} 
diff --git a/comanage-registry-shibboleth-sp/shib2.load b/comanage-registry-base/docker-comanage-entrypoint old mode 100644 new mode 100755 similarity index 85% rename from comanage-registry-shibboleth-sp/shib2.load rename to comanage-registry-base/docker-comanage-entrypoint index b518d60..3ffc233 --- a/comanage-registry-shibboleth-sp/shib2.load +++ b/comanage-registry-base/docker-comanage-entrypoint @@ -1,4 +1,6 @@ -# COmanage Registry Apache HTTP Server configuration +#!/bin/bash + +# COmanage Registry Dockerfile entrypoint # # Portions licensed to the University Corporation for Advanced Internet # Development, Inc. ("UCAID") under one or more contributor license agreements. @@ -17,4 +19,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so +source /usr/local/lib/comanage_utils.sh + +comanage_utils::exec_apache_http_server "$@" diff --git a/comanage-registry-basic-auth/.dockerignore b/comanage-registry-basic-auth/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-basic-auth/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-basic-auth/000-comanage.conf b/comanage-registry-basic-auth/000-comanage.conf index 4db2262..1973469 100644 --- a/comanage-registry-basic-auth/000-comanage.conf +++ b/comanage-registry-basic-auth/000-comanage.conf 
@@ -17,48 +17,26 @@ # See the License for the specific language governing permissions and # limitations under the License. - - ServerName http://%%SERVER_NAME%%:80 - RewriteEngine On - RewriteCond %{HTTPS} off - RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] - +Include apache-include-virtual-host-port80-redirect - ServerName https://%%SERVER_NAME%%:443 - - DocumentRoot /var/www/html - - RedirectMatch ^/$ /registry/ - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - LogLevel warn +Include apache-include-virtual-host-port443-base - Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" +SSLCertificateFile /etc/apache2/cert.pem +SSLCertificateKeyFile /etc/apache2/privkey.pem - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLHonorCipherOrder on +ErrorLog ${APACHE_LOG_DIR}/error.log +CustomLog ${APACHE_LOG_DIR}/access.log combined - SSLCertificateFile /etc/apache2/cert.pem - SSLCertificateKeyFile /etc/apache2/privkey.pem - - - Options Indexes FollowSymLinks - DirectoryIndex index.php - AllowOverride All - Require all granted - +Include apache-include-directory-registry - - AuthType Basic - AuthName "COmanage Registry Login" - AuthBasicProvider file - AuthUserFile "/etc/apache2/passwords" - Require valid-user - + +AuthType Basic +AuthName "COmanage Registry Login" +AuthBasicProvider file +AuthUserFile "/etc/apache2/basic-auth" +Require valid-user + diff --git a/comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf b/comanage-registry-basic-auth/Dockerfile similarity index 56% rename from comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf rename to comanage-registry-basic-auth/Dockerfile index 497ecde..6423fb2 100644 --- a/comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf +++ b/comanage-registry-basic-auth/Dockerfile 
@@ -1,4 +1,4 @@ -# COmanage Registry Apache HTTP Server configuration +# COmanage Registry Dockerfile template # # Portions licensed to the University Corporation for Advanced Internet # Development, Inc. ("UCAID") under one or more contributor license agreements. @@ -16,29 +16,15 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +ARG COMANAGE_REGISTRY_VERSION=develop +ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +FROM comanage-registry-base:${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} - - ServerName https://%%SERVER_NAME%%:80 - UseCanonicalName On +ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION +ENV COMANAGE_REGISTRY_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} +LABEL comanage_registry_base_image_version=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} - DocumentRoot /var/www/html +COPY basic-auth /etc/apache2/ +COPY 000-comanage.conf /etc/apache2/sites-available/ - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - LogLevel warn - - - SetHandler shib - - - - AuthType shibboleth - Require shibboleth - - - RewriteEngine On - RewriteCond %{QUERY_STRING} !after_redirect - RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R] - - +RUN a2ensite 000-comanage diff --git a/comanage-registry-basic-auth/README.md b/comanage-registry-basic-auth/README.md index 22685ff..8c0b7f3 100644 --- a/comanage-registry-basic-auth/README.md +++ b/comanage-registry-basic-auth/README.md 
@@ -21,136 +21,110 @@ limitations under the License. # COmanage Registry Basic Auth -Intended to build a COmanage Registry image -using the official PHP 7 with Apache image as the foundation -and providing Apache HTTP Server Basic Auth as the authentication -mechanism. +Intended to build a COmanage Registry image using Apache HTTP Server Basic Auth +(Basic Auth) as the authentication mechanism. Basic Auth is only suitable for COmanage Registry deployments not operating in a federated identity context, or for an introduction to COmanage Registry. -See other templates in this repository for examples on how to build images +See other documentation in this repository for examples on how to build images that support federated identity deployments. -## Build +## Build Arguments + +Building the image requires the following build arguments: ``` -export COMANAGE_REGISTRY_VERSION=develop -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth . +--build-arg COMANAGE_REGISTRY_VERSION= +--build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION= ``` -You can (and should) use build arguments to bootstrap the first -platform administrator. The administrator username is the value -COmanage Registry expects to read from $REMOTE\_USER after -the administrator authenticates using whichever authentication -method is provided: +## Build Requirements + +This image uses a [multi-stage build](https://docs.docker.com/develop/develop-images/multistage-build/) +and requires that the [COmanage Registry base image](../comanage-registry-base/README.md) be built first. + +## Building + ``` -export COMANAGE_REGISTRY_VERSION=develop +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION= \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION= \ + -t comanage-registry: . 
+``` -export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel -export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak -export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org +## Building Example -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile +``` +export COMANAGE_REGISTRY_VERSION=3.2.1 +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +export COMANAGE_REGISTRY_BASIC_AUTH_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_VERSION}-basic-auth-${COMANAGE_REGISTRY_BASIC_AUTH_IMAGE_VERSION}" docker build \ - --build-arg COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} \ - --build-arg COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} \ - --build-arg COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} \ - -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth . + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . ``` -## Run -### Database +## Volumes and Data Persistence -COmanage Registry requires a relational database. See the -[PostgreSQL example for COmanage Registry](../comanage-registry-postgres/README.md). +See [COmanage Registry Volumes and Data Persistence](../docs/volumes-and-data-persistence.md). -### Network +## Environment Variables -Create a user-defined network bridge with +See the [list of environment variables common to all images](../docs/comanage-registry-common-environment-variables.md) +including this image. -``` -docker network create --driver=bridge \ - --subnet=192.168.0.0/16 \ - --gateway=192.168.0.100 \ - comanage-registry-internal-network -``` +## Authentication -### Configuration +This image supports using Apache HTTP Server Basic Auth (Basic Auth) as the +authentication mechanism. 
To aid simple deployments for evaluating and +learning COmanage Registry a password file with a single user and password +is included. See the section above on environment variables. -Create a directory to hold persistent COmanage Registry configuration and -other state such as local plugins and other customizations. In that directory -create a `Config` directory and in it place a `database.php` and `email.php` -configuration file: +To override the default bind mount or COPY in a password file created +with the `htpasswd` command line tool. For example ``` -mkdir -p /opt/comanage-registry/Config - -cat > /opt/comanage-registry/Config/database.php <<"EOF" - 'Database/Postgres', - 'persistent' => false, - 'host' => 'comanage-registry-database', - 'login' => 'registry_user', - 'password' => 'password', - 'database' => 'registry', - 'prefix' => 'cm_', - ); - -} -EOF - -cat > /opt/comanage-registry/Config/email.php <<"EOF" - 'Smtp', - 'host' => 'tls://smtp.gmail.com', - 'port' => 465, - 'username' => 'account@gmail.com', - 'password' => 'password' - ); -} -EOF +COPY passwords /etc/apache2/passwords ``` -### Container +## Ports -``` -docker run -d --name comanage-registry \ - -v /opt/comanage-registry:/local \ - -v /opt/passwords:/etc/apache2/passwords \ - --network comanage-registry-internal-network \ - -p 80:80 -p 443:443 \ - comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth -``` +The image listens for web traffic on ports 80 and 443. All requests +on port 80 are redirected to port 443. -### Authentication +## Running -Mount or COPY in a password file created with `htpasswd`. +See other documentation in this repository for details on how to orchestrate +running this image with other images using an orchestration tool like +Docker Compose, Docker Swarm, or Kubernetes. 
+ +To run this image: ``` -COPY passwords /etc/apache2/passwords +docker run -d \ + --name comanage-registry \ + -v /opt/comanage-registry-local:/srv/comanage-registry/local \ + -p 80:80 \ + -p 443:443 \ + comanage-registry:3.2.1-basic-auth-1 ``` -### Logging +## Logging Both Apache HTTP Server and COmanage Registry log to the stdout and stderr of the container. -### HTTPS Configuration +## HTTPS Configuration + +See the section on environment variables and the `HTTPS_CERT_FILE` and +`HTTPS_PRIVKEY_FILE` variables. -Mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) -and associated private key file. +Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) +and associated private key file. For example ``` COPY cert.pem /etc/apache2/cert.pem diff --git a/comanage-registry-basic-auth/basic-auth b/comanage-registry-basic-auth/basic-auth new file mode 100644 index 0000000..250651e --- /dev/null +++ b/comanage-registry-basic-auth/basic-auth @@ -0,0 +1 @@ +registry.admin:$apr1$qqrvav7G$nSHYErU4ljDPmO1wNBG6e0 diff --git a/comanage-registry-basic-auth/docker-comanage-entrypoint b/comanage-registry-basic-auth/docker-comanage-entrypoint deleted file mode 100755 index 0b4081e..0000000 --- a/comanage-registry-basic-auth/docker-comanage-entrypoint +++ /dev/null 
@@ -1,304 +0,0 @@ -#!/bin/bash - -# COmanage Registry Dockerfile entrypoint -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ -n "$COMANAGE_DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi - -# Configuration details that may be injected through environment -# variables or the contents of files. - -injectable_config_vars=( - COMANAGE_REGISTRY_DATASOURCE - COMANAGE_REGISTRY_DATABASE - COMANAGE_REGISTRY_DATABASE_HOST - COMANAGE_REGISTRY_DATABASE_USER - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD - COMANAGE_REGISTRY_EMAIL_FROM - COMANAGE_REGISTRY_EMAIL_TRANSPORT - COMANAGE_REGISTRY_EMAIL_HOST - COMANAGE_REGISTRY_EMAIL_PORT - COMANAGE_REGISTRY_EMAIL_ACCOUNT - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD - COMANAGE_REGISTRY_SECURITY_SALT - COMANAGE_REGISTRY_SECURITY_SEED - HTTPS_CERT_FILE - HTTPS_PRIVKEY_FILE - SERVER_NAME -) - -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. 
- -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; - - if [ -e "$file_name" ]; then - declare "${config_var}"=`cat $file_name` - fi -done - -# Make sure the directory structure we need is available -# in the data volume for $COMANAGE_REGISTRY_DIR/local -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img" - -# If the COmanage Registry database configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -if [ ! -e "$COMANAGE_REGISTRY_DIR/local/Config/database.php" ]; then - cat > "$COMANAGE_REGISTRY_DIR/local/Config/database.php" < '${COMANAGE_REGISTRY_DATASOURCE:-Database/Postgres}', - 'persistent' => false, - 'host' => '${COMANAGE_REGISTRY_DATABASE_HOST:-comanage-registry-database}', - 'login' => '${COMANAGE_REGISTRY_DATABASE_USER:-registry_user}', - 'password' => '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD:-password}', - 'database' => '${COMANAGE_REGISTRY_DATABASE:-registry}', - 'prefix' => 'cm_', - ); - -} -EOF -fi - -# If the COmanage Registry email configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -email_config="$COMANAGE_REGISTRY_DIR/local/Config/email.php" - -if [ ! 
-e "$email_config" ]; then - cat > "$email_config" < ${COMANAGE_REGISTRY_EMAIL_FROM:-array('account@gmail.com' => 'Registry')}, - 'transport' => '${COMANAGE_REGISTRY_EMAIL_TRANSPORT:-Smtp}', - 'host' => '${COMANAGE_REGISTRY_EMAIL_HOST:-tls://smtp.gmail.com}', - 'port' => ${COMANAGE_REGISTRY_EMAIL_PORT:-465}, - 'username' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT:-account@gmail.com}', - 'password' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD:-password}' - ); -} -EOF -fi - -# Loop until we are able to open a connection to the database. -DATABASE_TEST_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/DatabaseTestShell.php" - -cat > $DATABASE_TEST_SCRIPT <<"EOF" -error("Unable to connect to datasource"); - } - $this->out("Connected to datasource"); - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -until ./Console/cake databaseTest > "$OUTPUT" 2>&1; do - >&2 echo "Database is unavailable - sleeping" - sleep 1 -done - -rm -f "$DATABASE_TEST_SCRIPT" - -popd > "$OUTPUT" 2>&1 - -# We only want to run the setup script once since it creates -# state in the database. Until COmanage Registry has a better -# mechanism for telling us if setup has already been run -# we create an ephemeral CakePHP script to tell us. -SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php" - -cat > $SETUP_ALREADY_SCRIPT <<"EOF" -Co->find('first', $args); - } catch (CakeException $e) { - $this->out('Not setup already'); - } - - if(empty($co)) { - $this->out('Not setup already'); - } else { - $this->error('Setup already'); - } - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 -./Console/cake setupAlready > "$OUTPUT" 2>&1 -setup_already=$? - -rm -f "$SETUP_ALREADY_SCRIPT" - -if [ $setup_already -eq 0 ]; then - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > "$OUTPUT" 2>&1 - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > "$OUTPUT" 2>&1 - # Run database twice until issue on develop branch is resolved. 
Since - # the command is idempotent normally it is not a problem to have it run - # more than once. - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \ - --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \ - --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \ - --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" 2>&1 - AUTO_GENERATED_SECURITY=1 -fi - -popd > "$OUTPUT" 2>&1 - -# If COmanage Registry CakePHP security salt and seed have been -# injected and the files do not otherwise exist create them. -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SALT" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SALT" > "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" -fi - -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SEED" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SEED" > "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" -fi - -# We always run upgradeVersion since it will not make any changes -# if the current and target versions are the same or if -# an upgrade from the current to the target version is not allowed. -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -./Console/cake upgradeVersion "${COMANAGE_REGISTRY_UPGRADE_VERSION_OPTS}" > "$OUTPUT" 2>&1 - -popd > "$OUTPUT" 2>&1 - -# Force a datbase update if requested. This is helpful when deploying -# a new version of the code that does not result in a change in the -# version number and so upgradeVersion does not fire. An example -# of this scenario is when new code is introduced in the develop -# branch but before a release happens. -if [ -n "$COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE" ]; then - echo "Forcing a database schema update..." 
> "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 -fi - -# Enable any supported non-core plugins if requested. -if [ -n "$COMANAGE_REGISTRY_ENABLE_PLUGIN" ]; then - plugins=(`echo "$COMANAGE_REGISTRY_ENABLE_PLUGIN" | sed -e 's@,@ @g'`) > "$OUTPUT" 2>&1 - for plugin in "${plugins[@]}"; - do - echo "Enabling available plugin $plugin..." > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/local/Plugin" > "$OUTPUT" 2>&1 - ln -s "../../app/AvailablePlugin/$plugin" "$plugin" > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - done -fi - -# Running CakePHP console commands generates cache files so -# set the ownership of those files appropriately. -chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" - -# If defined use configured location of Apache HTTP Server -# HTTPS certificate and key files. The certificate file may also -# include intermediate CA certificates, sorted from leaf to root. -if [ -n "$HTTPS_CERT_FILE" ]; then - rm -f /etc/apache2/cert.pem - cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem - chown www-data /etc/apache2/cert.pem - chmod 0644 /etc/apache2/cert.pem -fi - -if [ -n "$HTTPS_PRIVKEY_FILE" ]; then - rm -f /etc/apache2/privkey.pem - cp "$HTTPS_PRIVKEY_FILE" /etc/apache2/privkey.pem - chown www-data /etc/apache2/privkey.pem - chmod 0600 /etc/apache2/privkey.pem -fi - -# If SERVER_NAME has not been injected try to determine -# it from the HTTPS_CERT_FILE. -if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'` - if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'` - fi -fi - -# Configure Apache HTTP Server with the server name. 
-sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@ /etc/apache2/sites-available/000-comanage.conf - -cat > /etc/apache2/conf-available/server-name.conf < "$OUTPUT" 2>&1 - -# If the basic auth password file does not exist create a simple version to -# aid people evaluating the tool. -if [ ! -f "/etc/apache2/passwords" ]; then - cat > /etc/apache2/passwords <<"EOF" -registry.admin:$apr1$qqrvav7G$nSHYErU4ljDPmO1wNBG6e0 -EOF - -fi - -# first arg is `-f` or `--some-option` -if [ "${1#-}" != "$1" ]; then - set -- apache2-foreground "$@" -fi - -exec "$@" diff --git a/comanage-registry-internet2-tier-base/.dockerignore b/comanage-registry-internet2-tier-base/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-internet2-tier-base/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-internet2-tier-base/Dockerfile b/comanage-registry-internet2-tier-base/Dockerfile new file mode 100644 index 0000000..893ede5 --- /dev/null +++ b/comanage-registry-internet2-tier-base/Dockerfile 
@@ -0,0 +1,106 @@ +# COmanage Registry Dockerfile +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM centos:centos7 AS php-build + +ARG PHP_VERSION=7.3.2 +ARG PHP_SRC_URL=https://github.com/php/php-src/archive/php-${PHP_VERSION}.tar.gz + +RUN yum -y install epel-release \ + && yum clean all + +RUN yum -y update \ + && yum -y install \ + autoconf \ + bison \ + gcc \ + httpd-devel \ + libargon2-devel \ + libcurl-devel \ + libedit-devel \ + libsodium-devel \ + libxml2-devel \ + libxslt-devel \ + make \ + mariadb-devel \ + openldap-devel \ + openssl-devel \ + postgresql-devel \ + re2c \ + wget \ + && yum clean all + +WORKDIR /usr/local/src + +RUN mkdir php-src \ + && wget -O php-src.tar.gz ${PHP_SRC_URL} \ + && tar zxf php-src.tar.gz -C php-src --strip-components=1 \ + && rm php-src.tar.gz + +ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2" +ENV PHP_CPPFLAGS="$PHP_CFLAGS" +ENV PHP_LDFLAGS="-Wl,-O1 -Wl,--hash-style=both -pie" + +RUN cd php-src \ + && ./buildconf --force \ + && ./configure \ + --disable-cgi \ + --enable-mbstring \ + --enable-mysqlnd \ + --with-apxs2=/usr/bin/apxs \ + --with-config-file-path=/usr/local/etc/php \ + 
--with-config-file-scan-dir=/usr/local/etc/php/conf.d \ + --with-curl \ + --with-ldap \ + --with-libdir=lib64 \ + --with-libedit \ + --with-mysqli \ + --with-openssl \ + --with-password-argon2 \ + --with-pdo-mysql \ + --with-pdo-pgsql \ + --with-pgsql \ + --with-sodium \ + --with-xsl \ + --with-zlib \ + && export CFLAGS="$PHP_CFLAGS" \ + && export CPPFLAGS="$PHP_CPPFLAGS" \ + && export LDFLAGS="$PHP_LDFLAGS" \ + && make -j "$(nproc)" \ + && make install + +RUN rm -rf php-src \ + && yum -y remove \ + autoconf \ + bison \ + gcc \ + httpd-devel \ + libargon2-devel \ + libcurl-devel \ + libedit-devel \ + libsodium-devel \ + libxml2-devel \ + libxslt-devel \ + make \ + mariadb-devel \ + openldap-devel \ + openssl-devel \ + postgresql-devel \ + re2c \ + wget \ + && yum clean all diff --git a/comanage-registry-internet2-tier-base/README.md b/comanage-registry-internet2-tier-base/README.md new file mode 100644 index 0000000..f468874 --- /dev/null +++ b/comanage-registry-internet2-tier-base/README.md @@ -0,0 +1,58 @@ + + +# COmanage Registry Internet2 TIER Base Image + +Intended to build a COmanage Registry for Internet2 TIER base image +using CentOS 7 as the operating system and building PHP from source. + +By itself the image built from this Dockerfile does **not** provide +COmanage Registry. + +The image built from this Dockerfile is used as the base +for the Internet2 TIER image that includes COmanage Registry +with the Shibboleth Native SP for Apache HTTP Server (Shibboleth) +as the authentication mechanism. + +## Build Arguments + +No arguments are required for the build but the following argument +may be provided to override the default: + +``` +--build-arg PHP_VERSION= +``` + +## Building + +``` +docker build \ + -t comanage-registry-internet2-tier-base: . +``` + +## Building Example + +``` +export COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-internet2-tier-base:${TAG} . +``` 
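Review bot: the `wget -O php-src.tar.gz ${PHP_SRC_URL}` step in the internet2-tier-base Dockerfile hunk fetches the PHP source with no integrity check before `tar zxf` unpacks and builds it; since this is the interpreter that will run the registry, verify the archive against a pinned SHA-256 (php.net publishes digests for each release tarball) or switch to the signed php.net release rather than the GitHub archive URL, and fail the build on mismatch. Separately, the closing `RUN rm -rf php-src && yum -y remove ...` runs in its own layer, so it removes nothing from the earlier layers of this image; it only matters because the internet2-tier Dockerfile later copies just `/usr/local/lib/php`, `/usr/local/include/php` and `/usr/local/bin` out of this `php-build` stage. A one-line comment saying that this image is a build stage and not shipped would stop readers from expecting the cleanup to shrink anything.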
diff --git a/comanage-registry-internet2-tier/000-comanage.conf b/comanage-registry-internet2-tier/000-comanage.conf index b198062..5ad4912 100644 --- a/comanage-registry-internet2-tier/000-comanage.conf +++ b/comanage-registry-internet2-tier/000-comanage.conf @@ -18,28 +18,22 @@ # limitations under the License. Listen 443 -ServerName %%SERVER_NAME%% +ServerName ${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN} PassEnv ENV PassEnv USERTOKEN - -ServerName http://%%SERVER_NAME%%:80 -RewriteEngine On -RewriteCond %{HTTPS} off -RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] - +Include apache-include-virtual-host-port80-redirect -ServerName https://%%SERVER_NAME%%:443 +Include apache-include-virtual-host-port443-base + +SSLCertificateFile /etc/httpd/cert.pem +SSLCertificateKeyFile /etc/httpd/privkey.pem PassEnv ENV PassEnv USERTOKEN -DocumentRoot /var/www/html - -RedirectMatch ^/$ /registry/ - ErrorLogFormat "httpd;ssl_error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i" ErrorLog /tmp/logpipe LogLevel warn @@ -47,22 +41,7 @@ LogLevel warn LogFormat "httpd;ssl_access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined CustomLog /tmp/logpipe ssl_combined -Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" - -SSLEngine on -SSLProtocol all -SSLv2 -SSLv3 -SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH -SSLHonorCipherOrder on - -SSLCertificateFile /etc/httpd/cert.pem -SSLCertificateKeyFile /etc/httpd/privkey.pem - - -Options Indexes FollowSymLinks -DirectoryIndex index.php -AllowOverride All -Require all granted - +Include apache-include-directory-registry SetHandler shib 
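Review bot: `ServerName ${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN}` in this 000-comanage.conf hunk relies on Apache expanding a variable that must be set with `Define` or exported into httpd's process environment; if it is unset Apache logs a warning and keeps the literal `${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN}` as the server name. The deleted entrypoint used to substitute `%%SERVER_NAME%%` with sed and derived a fallback from the certificate, so whichever entrypoint now sets this variable should be named in a comment here, and the README for this image should list `COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN` if it is not already in the common variables document. As with the basic-auth config, the inline `SSLEngine`, `SSLProtocol`, `SSLCipherSuite`, `SSLHonorCipherOrder` and `Strict-Transport-Security` lines are replaced by `Include apache-include-virtual-host-port443-base`, which is not in this diff; please confirm that include carries the same TLS and HSTS settings.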
@@ -81,6 +60,6 @@ Require shibboleth RewriteEngine On RewriteCond %{QUERY_STRING} !after_redirect -RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R] +RewriteRule ^/registry/auth/logout.* https://%{HTTP_HOST}/Shibboleth.sso/Logout?return=https://%{HTTP_HOST}/registry/auth/logout/?after_redirect [L,R] diff --git a/comanage-registry-internet2-tier/Dockerfile b/comanage-registry-internet2-tier/Dockerfile index 6abb497..c4006c1 100644 --- a/comanage-registry-internet2-tier/Dockerfile +++ b/comanage-registry-internet2-tier/Dockerfile 
@@ -16,73 +16,32 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM centos:centos7 AS php-build +ARG COMANAGE_REGISTRY_VERSION=develop +ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +ARG COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=1 -RUN yum -y install epel-release +FROM comanage-registry-base:${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} AS comanage -RUN yum -y update && yum -y install \ - autoconf \ - bison \ - gcc \ - httpd-devel \ - libargon2-devel \ - libcurl-devel \ - libedit-devel \ - libsodium-devel \ - libxml2-devel \ - libxslt-devel \ - make \ - mariadb-devel \ - openldap-devel \ - openssl-devel \ - postgresql-devel \ - re2c \ - wget - -WORKDIR /usr/local/src - -ARG PHP_VERSION=7.2.5 -ARG PHP_SRC_URL=https://github.com/php/php-src/archive/php-${PHP_VERSION}.tar.gz - -RUN mkdir php-src \ - && wget -O php-src.tar.gz ${PHP_SRC_URL} \ - && tar zxf php-src.tar.gz -C php-src --strip-components=1 \ - && rm php-src.tar.gz - -ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2" -ENV PHP_CPPFLAGS="$PHP_CFLAGS" -ENV PHP_LDFLAGS="-Wl,-O1 -Wl,--hash-style=both -pie" - -RUN cd php-src \ - && ./buildconf --force \ - && ./configure \ - --disable-cgi \ - --enable-mbstring \ - --enable-mysqlnd \ - --with-apxs2=/usr/bin/apxs \ - --with-config-file-path=/usr/local/etc/php \ - --with-config-file-scan-dir=/usr/local/etc/php/conf.d \ - --with-curl \ - --with-ldap \ - --with-libdir=lib64 \ - --with-libedit \ - --with-mysqli \ - --with-openssl \ - --with-password-argon2 \ - --with-pdo-mysql \ - --with-pdo-pgsql \ - --with-pgsql \ - --with-sodium \ - --with-xsl \ - --with-zlib \ - && export CFLAGS="$PHP_CFLAGS" \ - && export CPPFLAGS="$PHP_CPPFLAGS" \ - && export LDFLAGS="$PHP_LDFLAGS" \ - && make -j "$(nproc)" \ - && make install +FROM comanage-registry-internet2-tier-base:${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} AS 
php-build FROM centos:centos7 +ARG COMANAGE_REGISTRY_VERSION +ENV COMANAGE_REGISTRY_VERSION ${COMANAGE_REGISTRY_VERSION} +LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION} + +ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION +ENV COMANAGE_REGISTRY_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} +LABEL comanage_registry_base_image_version=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} + +ARG COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION +ENV COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} +LABEL comanage_registry_i2_base_image_version=${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} + +ARG COMANAGE_REGISTRY_DIR +ENV COMANAGE_REGISTRY_DIR ${COMANAGE_REGISTRY_DIR:-/srv/comanage-registry} +LABEL comanage_registry_dir=${COMANAGE_REGISTRY_DIR} + RUN yum -y install epel-release COPY shibboleth.repo /etc/yum.repos.d/ @@ -101,6 +60,7 @@ RUN yum -y update && yum -y install \ postgresql \ python-pip \ shibboleth \ + sudo \ wget \ zlib \ && pip install --upgrade pip \ 
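Review bot: `sudo` is added to the package list in this hunk with nothing saying which script needs it. Installing sudo in the image is only meaningful together with a sudoers rule, and any such rule widens what the `apache` user can reach if the web process is ever compromised, so either add a comment naming the entrypoint that uses it and the exact rule it relies on, or drop the package if the new entrypoints copied in from the base image no longer need it. The same hunk also keeps the final stage on the floating `centos:centos7` tag while every other input is pinned by version build argument; pinning the base by digest would make the TIER image reproducible.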
@@ -112,28 +72,13 @@ COPY --from=php-build /usr/local/lib/php /usr/local/lib/php/ COPY --from=php-build /usr/local/include/php /usr/local/include/php/ COPY --from=php-build /usr/local/bin /usr/local/bin/ -ARG COMANAGE_REGISTRY_VERSION -ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/${COMANAGE_REGISTRY_VERSION}.tar.gz -ENV COMANAGE_REGISTRY_VERSION ${COMANAGE_REGISTRY_VERSION} - -LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION} -LABEL comanage_registry_src_url=${COMANAGE_REGISTRY_SRC_URL} - -ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry - -WORKDIR "$COMANAGE_REGISTRY_DIR" - -RUN mkdir -p "${COMANAGE_REGISTRY_DIR}" \ - && wget -O comanage.tar.gz ${COMANAGE_REGISTRY_SRC_URL} \ - && tar -zxf comanage.tar.gz -C ${COMANAGE_REGISTRY_DIR} --strip-components=1 \ - && rm -f comanage.tar.gz \ - && rm -f ${COMANAGE_REGISTRY_DIR}/app/tmp \ - && cp -r ${COMANAGE_REGISTRY_DIR}/app/tmp.dist ${COMANAGE_REGISTRY_DIR}/app/tmp \ - && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp \ - && cd /var/www/html \ - && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \ - && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* \ - && ln -s ${COMANAGE_REGISTRY_DIR}/local /local +COPY --from=comanage ${COMANAGE_REGISTRY_DIR} ${COMANAGE_REGISTRY_DIR}/ +COPY --from=comanage /etc/apache2/apache-include-directory-registry /etc/httpd/ +COPY --from=comanage /etc/apache2/apache-include-virtual-host-port443-base /etc/httpd/ +COPY --from=comanage /etc/apache2/apache-include-virtual-host-port80-redirect /etc/httpd/ +COPY --from=comanage /usr/local/lib/comanage_utils.sh /usr/local/lib/ +COPY --from=comanage /usr/local/lib/comanage_shibboleth_sp_utils.sh /usr/local/lib/ +COPY --from=comanage /usr/local/bin/docker-comanage-entrypoint /usr/local/bin/ COPY 000-comanage.conf /etc/httpd/conf.d/ COPY 10-php7.conf /etc/httpd/conf.modules.d/ 
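Review bot: this hunk copies `docker-comanage-entrypoint` from the `comanage` stage into `/usr/local/bin/`, but the following hunk still has `COPY docker-comanage-entrypoint /usr/local/bin/` from the build context, so the second COPY silently overwrites the first and one of the two sources is dead. Keep a single source (the base image's copy if the TIER image is meant to track it, the local file if it deliberately diverges) and delete the other, otherwise a fix landing in one copy will not take effect. Also, `COPY --from=comanage ${COMANAGE_REGISTRY_DIR} ${COMANAGE_REGISTRY_DIR}/` assumes the base image was built with the same `COMANAGE_REGISTRY_DIR`; because this Dockerfile defaults it independently (`${COMANAGE_REGISTRY_DIR:-/srv/comanage-registry}`), overriding the value on only one side produces a COPY from a path that does not exist in the source stage.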
@@ -144,6 +89,9 @@ COPY native.logger /etc/shibboleth/ COPY httpd.conf /etc/httpd/conf/ COPY sendtierbeacon.sh /usr/local/bin/sendtierbeacon.sh COPY setupcron.sh /usr/local/bin/setupcron.sh +COPY docker-comanage-entrypoint /usr/local/bin/ +COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/ +COPY docker-supervisord-entrypoint /usr/local/bin/ RUN cd /etc/httpd/conf.d \ && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf \ @@ -152,7 +100,11 @@ RUN cd /etc/httpd/conf.d \ && ln -s /etc/pki/tls/private/localhost.key privkey.pem \ && chmod 755 /usr/local/bin/sendtierbeacon.sh \ && chmod 755 /usr/local/bin/setupcron.sh \ - && /usr/local/bin/setupcron.sh + && /usr/local/bin/setupcron.sh \ + && cd /var/www/html \ + && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \ + && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* \ + && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp # Allow values for first administrator bootstrapped into the # platform to be specified at image build time, in addition to @@ -169,15 +121,9 @@ ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-A ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin} ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No} -EXPOSE 80 443 +VOLUME ${COMANAGE_REGISTRY_DIR}/local /etc/shibboleth -VOLUME ["/srv/comanage-registry/local"] - -VOLUME ["/etc/shibboleth"] - -COPY docker-comanage-entrypoint /usr/local/bin/ -COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/ -COPY docker-supervisord-entrypoint /usr/local/bin/ +EXPOSE 80 443 # TIER Beacon Opt-out # diff --git a/comanage-registry-internet2-tier/README.md b/comanage-registry-internet2-tier/README.md index 50d0a06..b4abaa9 100644 --- a/comanage-registry-internet2-tier/README.md +++ b/comanage-registry-internet2-tier/README.md 
@@ -1,556 +1,159 @@ -# COmanage Registry Internet2 TIER Docker - -## What it is -Docker version of [COmanage -Registry](https://spaces.internet2.edu/display/COmanage/Home) packaged to meet -the specifications of the + + +# COmanage Registry Internet2 TIER + +Intended to build a COmanage Registry image using the Shibboleth Native SP +for Apache HTTP Server (Shibboleth) as the authentication mechanism and that +meets the +[TIER Docker Container Specification](https://spaces.at.internet2.edu/x/m4ZyBw) +from the [Internet2 TIER](https://www.internet2.edu/vision-initiatives/initiatives/trust-identity-education-research/) program. -COmanage Registry is a web application that requires a relational database -and an authentication mechanism such as -[Shibboleth](http://shibboleth.net/products/service-provider.html). - -## How To +## Build Arguments -* Install Docker. These instructions require version 17.03.1 or higher. - -* Clone this repository: +Building the image requires the following build arguments: ``` -git clone https://github.com/Internet2/comanage-registry-docker.git -cd comanage-registry-docker +--build-arg COMANAGE_REGISTRY_VERSION= +--build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION= +--build-arg COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION= ``` -* Define `COMANAGE_REGISTRY_VERSION`. Currently we recommend +## Build Requirements -``` -export COMANAGE_REGISTRY_VERSION=3.1.0 -``` +This image uses a [multi-stage build](https://docs.docker.com/develop/develop-images/multistage-build/). +It requires that the [COmanage Registry base image](../comanage-registry-base/README.md) +and [Internet2 TIER base image](../comanage-registry-internet2-tier-base/README.md) be built first. -* Build a local image for COmanage Registry: +## Building ``` -pushd comanage-registry-internet2-tier docker build \ - --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ - -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-internet2-tier . 
-popd + --build-arg COMANAGE_REGISTRY_VERSION= \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION= \ + --build-arg COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION= \ + -t comanage-registry: . ``` -* Create directories to store local state files: +## Building Example ``` -sudo mkdir -p /srv/docker/internet2-tier/srv/comanage-registry/local -sudo mkdir -p /srv/docker/internet2-tier/var/lib/mysql -sudo mkdir -p /srv/docker/internet2-tier/var/lib/ldap -sudo mkdir -p /srv/docker/internet2-tier/etc/ldap/slapd.d +export COMANAGE_REGISTRY_VERSION=3.2.1 +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +export COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=1 +export COMANAGE_REGISTRY_I2_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_VERSION}-internet2-tier-${COMANAGE_REGISTRY_I2_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + --build-arg COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . ``` -* Initialize Docker Swarm: - -``` -docker swarm init -``` +## Volumes and Data Persistence -* Hash a password to use as the LDAP admin password: +See [COmanage Registry Volumes and Data Persistence](../docs/volumes-and-data-persistence.md). -``` -/usr/sbin/slappasswd -c '$6$rounds=5000$%.86s' -``` -* Create Docker Swarm secrets (please be sure to substitute your own secrets): +## Environment Variables +See the [list of environment variables common to all images](../docs/comanage-registry-common-environment-variables.md) +including this image. -``` -echo "88cdfwOgQ1OblrHPNTyY" | docker secret create mysql_root_password - +See also the +[list of environment variables common to all images using Shibboleth](../docs/comanage-registry-common-shibboleth-environment-variables.md). 
-echo "5zY87knHxbP3sVQstRW2" | docker secret create mysql_password - +Additionally the Internet2 TIER image supports the following environment variables: -echo "5zY87knHxbP3sVQstRW2" | docker secret create comanage_registry_database_user_password - +`ENV` -echo "qselvrfaomxktlra" | docker secret create comanage_registry_email_account_password - +* Description: Environment +* Required: No +* Default: None +* Example: PROD +* Note: Usually one of PROD, TEST, or DEV. The value is included in log entries. -docker secret create https_cert_file fullchain.pem +`USERTOKEN` -docker secret create https_privkey_file privkey.pem +* Description: Deployer supplied +* Required: No +* Default: None +* Example: node01 +* Note: The value is included in log entries. -docker secret create shibboleth_sp_cert sp-cert.pem +## Authentication -docker secret create shibboleth_sp_privkey sp-key.pem +This image supports using the Shibboleth Native SP for Apache HTTP Server (Shibboleth) as the +authentication mechanism. Deployers should configure Shibboleth so that the desired +asserted user attribute is written into `REMOTE_USER`. -echo '{CRYPT}$6$rounds=5000$HHDyV7yz4yn4FH/d$eAg9uXbSnxvCCTZ8GstprFryip3Br111tArqsIaBDCF2Rm7tciEivDLCjpcMVT7OL.Lg5QKjEUM.C5UA2DNuf1' \ - | docker secret create olc_root_pw - +## Ports -docker secret create slapd_cert_file cert.pem +The image listens for web traffic on ports 80 and 443. All requests +on port 80 are redirected to port 443. -docker secret create slapd_privkey_file privkey.pem +## Running -docker secret create slapd_chain_file chain.pem -``` +See other documentation in this repository for details on how to orchestrate +running this image with other images using an orchestration tool like +Docker Compose, Docker Swarm, or Kubernetes. 
-* Create a Docker compose file: +To run this image: ``` -version: '3.1' - -services: - comanage-registry: - image: comanage-registry:3.1.0-internet2-tier - volumes: - - /srv/docker/internet2-tier/srv/comanage-registry/local:/srv/comanage-registry/local - environment: - - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql - - COMANAGE_REGISTRY_DATABASE=registry - - COMANAGE_REGISTRY_DATABASE_HOST=comanage-registry-database - - COMANAGE_REGISTRY_DATABASE_USER=registry_user - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_registry_database_user_password - - COMANAGE_REGISTRY_EMAIL_FROM=registry@some.org - - COMANAGE_REGISTRY_EMAIL_TRANSPORT=Smtp - - COMANAGE_REGISTRY_EMAIL_HOST=tls://smtp.some.org - - COMANAGE_REGISTRY_EMAIL_PORT=465 - - COMANAGE_REGISTRY_EMAIL_ACCOUNT=registry@some.org - - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD_FILE=/run/secrets/comanage_registry_email_account_password - - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Emma - - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Sanchez - - COMANAGE_REGISTRY_ADMIN_USERNAME=emma.sanchez@some.org - - HTTPS_CERT_FILE=/run/secrets/https_cert_file - - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - SERVER_NAME=registry.some.org - - SHIBBOLETH_SP_CERT=/run/secrets/shibboleth_sp_cert - - SHIBBOLETH_SP_PRIVKEY=/run/secrets/shibboleth_sp_privkey - secrets: - - comanage_registry_database_user_password - - comanage_registry_email_account_password - - https_cert_file - - https_privkey_file - - shibboleth_sp_cert - - shibboleth_sp_privkey - networks: - - default - ports: - - "80:80" - - "443:443" - logging: - driver: syslog - options: - tag: "comanage_registry" - deploy: - replicas: 1 - - comanage-registry-database: - image: mariadb:10.2 - volumes: - - /srv/docker/internet2-tier/var/lib/mysql:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - - MYSQL_DATABASE=registry - - MYSQL_USER=registry_user - - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password - secrets: - - 
mysql_root_password - - mysql_password - networks: - - default - logging: - driver: syslog - options: - tag: "mariadb" - deploy: - replicas: 1 - - comanage-registry-ldap: - image: sphericalcowgroup/comanage-registry-slapd - command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:/// ldaps:///", "-u", "openldap", "-g", "openldap"] - volumes: - - /srv/docker/development/var/lib/ldap:/var/lib/ldap - - /srv/docker/development/etc/ldap/slapd.d:/etc/ldap/slapd.d - environment: - - SLAPD_CERT_FILE=/run/secrets/slapd_cert_file - - SLAPD_PRIVKEY_FILE=/run/secrets/slapd_privkey_file - - SLAPD_CHAIN_FILE=/run/secrets/slapd_chain_file - - OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw - - OLC_SUFFIX=dc=sphericalcowgroup,dc=com - - OLC_ROOT_DN=cn=admin,dc=sphericalcowgroup,dc=com - secrets: - - slapd_cert_file - - slapd_privkey_file - - slapd_chain_file - - olc_root_pw - networks: - - default - logging: - driver: syslog - options: - tag: "openldap" - ports: - - "636:636" - - "389:389" - deploy: - replicas: 1 - -secrets: - mysql_root_password: - external: true - mysql_password: - external: true - comanage_registry_database_user_password: - external: true - comanage_registry_email_account_password: - external: true - https_cert_file: - external: true - https_privkey_file: - external: true - shibboleth_sp_cert: - external: true - shibboleth_sp_privkey: - external: true - slapd_cert_file: - external: true - slapd_privkey_file: - external: true - slapd_chain_file: - external: true - olc_root_pw: - external: true - +docker run -d \ + --name comanage-registry \ + -e COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Julia \ + -e COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Janseen \ + -e COMANAGE_REGISTRY_ADMIN_USERNAME=julia.janseen@my.org \ + -e SHIBBOLETH_SP_ENTITY_ID=https://myapp.my.org/shibboleth/sp \ + -e SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/etc/shibboleth/my-org-metadata.xml \ + -v /opt/comanage-registry-local:/srv/comanage-registry/local \ + -v 
/etc/shibboleth/sp-encrypt-cert.pem:/etc/shibboleth/sp-encrypt-cert.pem \ + -v /etc/shibboleth/sp-encrypt-key.pem:/etc/shibboleth/sp-encrypt-key.pem \ + -v /etc/shibboleth/my-org-metadata.xml:/etc/shibboleth/my-org-metadata.xml \ + -p 80:80 \ + -p 443:443 \ + comanage-registry:3.2.1-internet2-tier-1 ``` -* Start the services: +## Logging -``` -docker stack deploy comanage-registry -``` - -* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO) -to learn how to create your first collaborative organization (CO) and begin using -the platform. - -* To stop the services: -``` -docker stack rm comanage-registry -``` - -## Advanced Configuration Options +Apache HTTP Server, COmanage Registry, Shibboleth, and supervisord all log to the stdout and +stderr of the container. -* [Environment Variables](#environ) -* [Apache HTTP ServerName](#servername) -* [X.509 Certificates and Private Keys](#certskeys) -* [Full Control](#full) +The logging configuration meets version 1 of the +[TIER Docker Container Specification](https://spaces.at.internet2.edu/x/m4ZyBw). -## Environment Variables - -All deployment details for COmanage Registry may be configured using environment variables set for the container. -The set of possible environment variables is listed below. - -The entrypoint scripts will attempt to use values from environment variables and if not -present reasonable defaults will be used. *Note that some defaults like passwords are -easily guessable and not suitable for production deployments*. - -For secrets such as passwords you may wish to use the environment variable with -`_FILE` appended and set the value to a path. The entrypoint scripts will read the -file to find the value to use. 
For example to set the database user password to the -value `dEodxlXQE2dKl8own7T2` you can for the container either set the environment variable - -``` -COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=dEodxlXQE2dKl8own7T2 -``` +## HTTPS Configuration -or instead ensure that inside the container the file -`/db_password` contains -on a single line the value `dEodxlXQE2dKl8own7T2` and then set the -environment variable +See the section on environment variables and the `HTTPS_CERT_FILE` and +`HTTPS_PRIVKEY_FILE` variables. -*When present an environment variable pointing to a file inside the container overrides -an otherwise configured environment variable*. +Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) +and associated private key file. For example ``` -COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/db_password +COPY cert.pem /etc/httpd/cert.pem +COPY privkey.pem /etc/httpd/privkey.pem ``` - -Some deployment details for the Shibboleth SP may be set using environment variables, but most -deployments will prefer to mount or COPY in `/etc/shibboleth/shibboleth2.xml` to be able -to configure SAML federation details. 
- -### COmanage Registry - -* COMANAGE_REGISTRY_ADMIN_GIVEN_NAME: - * Description: platform admin given name - * Default: Registry - * Example 1: Scott - * Example 2: Himari - -* COMANAGE_REGISTRY_ADMIN_FAMILY_NAME: - * Description: platform admin family name - * Default: Admin - * Example 1: Koranda - * Example 2: Tanaka - -* COMANAGE_REGISTRY_ADMIN_USERNAME: - * Description: platform admin username identifier (often eduPersonPrincipalName) - * Default: registry.admin - * Example 1: scott.koranda@sphericalcowgroup.com - * Example 2: himaritanaka@some.org - -* COMANAGE_REGISTRY_DATASOURCE - * Description: database type - * Default: Database/Postgres - * Example 1: Database/Mysql - * Example 2: Database/Postgres - -* COMANAGE_REGISTRY_DATABASE - * Description: name of the database - * Default: registry - * Example 1: comanage_registry - * Example 2: COmanageRegistryDB - -* COMANAGE_REGISTRY_DATABASE_HOST - * Description: hostname of the database server - * Default: comanage-registry-database - * Example 1: comanage-registry-database - * Example 2: my-db-container - -* COMANAGE_REGISTRY_DATABASE_USER - * Description: database username - * Default: registry_user - * Example 1: comanage - * Example 2: comanage_user - -* COMANAGE_REGISTRY_DATABASE_USER_PASSWORD - * Description: database user password - * Default: password - * Example 1: AFH9OiyuowiY3Wq6qX0j - * Example 2: qVcsJPo7$@ - -* COMANAGE_REGISTRY_EMAIL_FROM - * Description: default From used by Registry for sending email - * Default: none - * Example 1: registry@some.org - * Example 2: skoranda@gmail.com - -* COMANAGE_REGISTRY_EMAIL_TRANSPORT - * Description: email transport mechanism - * Default: Smtp - * Example 1: Smtp - * Example 2: MyCustom - -* COMANAGE_REGISTRY_EMAIL_PORT - * Description: email transport port - * Default: 465 - * Example 1: 465 - * Example 2: 25 - -* COMANAGE_REGISTRY_EMAIL_HOST - * Description: email server host - * Default: tls://smtp.gmail.com - * Example 1: smtp.my.org - * Example 2: 
mail.some.org - -* COMANAGE_REGISTRY_EMAIL_ACCOUNT - * Description: email server account - * Default: none - * Example 1: skoranda@gmail.com - * Example 2: registry_email_sender - -* COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD - * Description: email server account password - * Default: none - * Example 1: 82P3mt1T0PByZRHNQ6he - * Example 2: ak&&u1$@ - -* COMANAGE_REGISTRY_SECURITY_SALT - * Description: security salt value - * Default: auto-generated at initial deployment if not specified - * Example 1: wciEjD1KbX9Q8nB3YdWItFuzEoRdf6l5BpoCuTHm - * Example 2: JpmKTdO88NX6RsCIVnru6hV79zKOfvjGk0tTG0Cb - -* COMANAGE_REGISTRY_SECURITY_SEED - * Description: security seed value - * Default: auto-generated at initial deployment if not specified - * Example 1: 32616298446590535751260992683 - * Example 2: 21812581423282761029813528278 - -* HTTPS_CERT_FILE - * Description: X.509 certificate and CA chain in PEM format for use with Apache HTTP Server to serve HTTPS - * Default: self-signed auto-generated certificate - -* HTTPS_KEY_FILE - * Description: Associated private key for HTTPS in PEM format - * Default: private key for self-signed auto-generated certificate - -* SERVER_NAME - * Description: ServerName for Apache HTTP Server virtual host configuration - * Default: none, parsed from X.509 certificate if not defined - * Example 1: registry.some.org - * Example 2: comanage.my.edu - -### MariaDB - -* MYSQL_ROOT_PASSWORD - * Description: password for root user - * Default: none - * Example 1: ukZd7IZDRfOqgF82938A - * Example 2: 28hvua3%,2 - -* MYSQL_DATABASE - * Description: name of the database, must be same as set for COmanage Registry container - * Default: none - * Example 1: comanage_registry - * Example 2: COmanageRegistryDB - -* MYSQL_USER: - * Description: database username, must be same as set for COmanage Registry container - * Default: none - * Example 1: comanage - * Example 2: comanage_user - -* MYSQL_PASSWORD_FILE: - * Description: database user password, must be 
same as set for COmanage Registry container - * Default: none - * Example 1: AFH9OiyuowiY3Wq6qX0j - * Example 2: qVcsJPo7$@ - -### Shibboleth SP - -* SHIBBOLETH_SP_CERT - * Description: SAML certificate - * Default: self-signed per-image, must be copied out to persist - -* SHIBBOLETH_SP_ENTITY_ID - * Description: entityID for SP - * Default: none - * Example 1: https://comanage.registry/shibboleth - * Example 2: https://my.org/comanage - -* SHIBBOLETH_SP_METADATA_PROVIDER_XML - * Description: Shibboleth SP metadata provider element - * Default: none - -* SHIBBOLETH_SP_PRIVKEY - * Description: SAML private key - * Default: self-signed per-image, must be copied out to persist - -* SHIBBOLETH_SP_SAMLDS_URL - * Description: URL for SAML IdP discovery service - * Default: none - * Example 1: https://my.org/registry/pages/eds/index - * Exammple 2: https://discovery.my.org - -### OpenLDAP slapd - -* OLC_ROOT_DN - * Description: DN for the administrator - * Default: cn=admin,dc=my,dc=org - * Exammle 1: cn=admin,dc=some,dc=edu - * Example 2: cn=admin,ou=service,dc=my,dc=org - -* OLC_ROOT_PW - * Description: hashed password for root DN - * Default: none - * Example 1: See compose file above - -* OLC_SUFFIX - * Description: Suffix for the directory - * Default: dc=my,dc=org - * Example 1: dc=some,dc=edu - * Example 2: o=unit,dc=my,dc=org - -* SLAPD_CERT_FILE - * Description: X.509 certificate in PEM format for use with OpenLDAP Server to serve ldaps:// - * Default: none - -* SLAPD_CHAIN_FILE - * Description: CA certificate chain in PEM format - * Default: none - -* SLAPD_KEY_FILE - * Description: Associated private key for ldaps:// in PEM format - * Default: none - -## X.509 Certificates and Private Keys - -### COmanage Registry - -The certificate and private key files used for HTTPS may -be injected into the COmanage Registry container using environment variables -to point to files mounted into the container. 
The certificate file should -include the server certificate and any intermediate CA signing certificates -sorted from leaf to root. - -Alternatively you can directly mount files in the container to - -``` -/etc/apache2/cert.pem -/etc/apache2/privkey.pem -``` - -If no files are configured the containers use self-signed certificates -for HTTPS by default. - -### Shibboleth SP - -The SAML certificate and private key used for decryption (and sometimes signing) -by the Shibboleth SP may be injected into the COmanage Registry container using -environment variables to point to files mounted into the container. - -Alternatively you can directly mount files in the container to - -``` -/etc/shibboleth/sp-cert.pem -/etc/shibboleth/sp-key.pem -``` - -If no files are configured the container uses a default self-signed certificate -*this is the same for all images and not suitable for production*. - -### OpenLDAP slapd - -The certificate, private key, and CA signing file or chain file used for TLS -(port 636 by default) may -be injected into the OpenLDAP slapd container using environment variables -to point to files mounted into the container. - -## ServerName - -The entrypoint scripts will attempt to parse the appropriate value for the -Apache HTTP Server configuration option `ServerName` from the X.509 certificate -provided for HTTPS. - -To override the parsing a deployer may explicitly set the environment variable -`SERVER_NAME`. - -## Full control - -Deployers needing full control may inject configuration and deployment details directly. -The entrypoint scripts will *not* overwrite any details found so directly injected -details always override environment variables. - -### COmanage Registry - -COmanage Registry expects to find all local configuration details -in the container at `/srv/comanage-registry/local`. A deployer may therefore mount -a directory at that location to provide any and all configuration details. 
Note, however, -that Registry expects to find a particular directory structure under -`/srv/comanage-registry/local` and will not function properly if the structure is not -found. The entrypoint script will create the necessary structure if it does not find it -so it is recommended to mount an empty directory for the first deployment, let the -entrypoint script create the structure, then later adjust the details as necessary -for your deployment. - -### Shibboleth SP - -All Shibboleth SP configuration is available inside the container in -`/etc/shibboleth`. A deployer may therefore mount into that directory any -necessary adjustment to the Shibboleth configuration, such as static metadata -files, metadata signing certificates, or advanced attribute filtering -configurations. - -A default set of all configuration files is available in the image. - -### OpenLDAP slapd - -Since slapd is configured dynamically using standard LDAP operations on the -configuration directory (`cn=config`) the most straightforward way to inject -advanced configuration details at the time the container is *created* is -to customize the entrypoint script. diff --git a/comanage-registry-internet2-tier/docker-comanage-entrypoint b/comanage-registry-internet2-tier/docker-comanage-entrypoint index d1b63cb..f275bc8 100755 --- a/comanage-registry-internet2-tier/docker-comanage-entrypoint +++ b/comanage-registry-internet2-tier/docker-comanage-entrypoint 
@@ -19,332 +19,34 @@ # See the License for the specific language governing permissions and # limitations under the License. -if [ -n "$COMANAGE_DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi -# Configuration details that may be injected through environment -# variables or the contents of files. +source /usr/local/lib/comanage_utils.sh -injectable_config_vars=( - COMANAGE_REGISTRY_DATASOURCE - COMANAGE_REGISTRY_DATABASE - COMANAGE_REGISTRY_DATABASE_HOST - COMANAGE_REGISTRY_DATABASE_USER - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD - COMANAGE_REGISTRY_EMAIL_FROM - COMANAGE_REGISTRY_EMAIL_TRANSPORT - COMANAGE_REGISTRY_EMAIL_HOST - COMANAGE_REGISTRY_EMAIL_PORT - COMANAGE_REGISTRY_EMAIL_ACCOUNT - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD - COMANAGE_REGISTRY_SECURITY_SALT - COMANAGE_REGISTRY_SECURITY_SEED - ENV - HTTPS_CERT_FILE - HTTPS_PRIVKEY_FILE - SERVER_NAME - USERTOKEN -) +comanage_utils::consume_injected_environment -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. 
+comanage_utils::prepare_local_directory -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; +comanage_utils::configure_tier_logging - if [ -e "$file_name" ]; then - declare "${config_var}"=`cat $file_name` - fi -done +comanage_utils::prepare_database_config -# Make sure the directory structure we need is available -# in the data volume for $COMANAGE_REGISTRY_DIR/local -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img" +comanage_utils::prepare_email_config -# If the COmanage Registry database configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -if [ ! -e "$COMANAGE_REGISTRY_DIR/local/Config/database.php" ]; then - cat > "$COMANAGE_REGISTRY_DIR/local/Config/database.php" < '${COMANAGE_REGISTRY_DATASOURCE:-Database/Mysql}', - 'persistent' => false, - 'host' => '${COMANAGE_REGISTRY_DATABASE_HOST:-comanage-registry-database}', - 'login' => '${COMANAGE_REGISTRY_DATABASE_USER:-registry_user}', - 'password' => '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD:-password}', - 'database' => '${COMANAGE_REGISTRY_DATABASE:-registry}', - 'prefix' => 'cm_', - ); +comanage_utils::wait_database_connectivity -} -EOF -fi +comanage_utils::registry_setup -# If the COmanage Registry email configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -email_config="$COMANAGE_REGISTRY_DIR/local/Config/email.php" +comanage_utils::registry_upgrade -if [ ! -e "$email_config" ]; then - # If the deployer has injected an email for from then use it, - # otherwise set a default purely as a template that can edited - # easier later. 
- if [ -n "$COMANAGE_REGISTRY_EMAIL_FROM" ]; then - email_from="$COMANAGE_REGISTRY_EMAIL_FROM" - else - email_from="array('account@gmail.com' => 'Registry')" - fi +comanage_utils::enable_plugins - # If the injected email from does not include a single quote (') - # then add them to make it a PHP string. - if [[ ! $email_from =~ .*"'".* ]]; then - email_from="'$email_from'" - fi +comanage_utils::registry_clear_cache - cat > "$email_config" < $email_from, - 'transport' => '${COMANAGE_REGISTRY_EMAIL_TRANSPORT:-Smtp}', - 'host' => '${COMANAGE_REGISTRY_EMAIL_HOST:-tls://smtp.gmail.com}', - 'port' => ${COMANAGE_REGISTRY_EMAIL_PORT:-465}, -EOF - - # If the deployer has injected a username then add it to the configuration. - if [ -n "$COMANAGE_REGISTRY_EMAIL_ACCOUNT" ]; then - cat >> "$email_config" < '$COMANAGE_REGISTRY_EMAIL_ACCOUNT', -EOF - fi - - # If the deployer has injected a password then add it to the configuration. - if [ -n "$COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD" ]; then - cat >> "$email_config" < '$COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD', -EOF - fi - - # Complete the PHP array. - cat >> "$email_config" < $DATABASE_TEST_SCRIPT <<"EOF" -error("Unable to connect to datasource"); - } - $this->out("Connected to datasource"); - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -until ./Console/cake databaseTest > "$OUTPUT" 2>&1; do - >&2 echo "Database is unavailable - sleeping" - sleep 1 -done - -rm -f "$DATABASE_TEST_SCRIPT" - -popd > "$OUTPUT" 2>&1 - -# We only want to run the setup script once since it creates -# state in the database. Until COmanage Registry has a better -# mechanism for telling us if setup has already been run -# we create an ephemeral CakePHP script to tell us. 
-SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php" - -cat > $SETUP_ALREADY_SCRIPT <<"EOF" -Co->find('first', $args); - } catch (CakeException $e) { - $this->out('Not setup already'); - } - - if(empty($co)) { - $this->out('Not setup already'); - } else { - $this->error('Setup already'); - } - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 -./Console/cake setupAlready > "$OUTPUT" 2>&1 -setup_already=$? - -rm -f "$SETUP_ALREADY_SCRIPT" - -if [ $setup_already -eq 0 ]; then - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > "$OUTPUT" 2>&1 - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > "$OUTPUT" 2>&1 - # Run database twice until issue on develop branch is resolved. Since - # the command is idempotent normally it is not a problem to have it run - # more than once. - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \ - --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \ - --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \ - --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" 2>&1 - AUTO_GENERATED_SECURITY=1 -fi - -popd > "$OUTPUT" 2>&1 - -# If COmanage Registry CakePHP security salt and seed have been -# injected and the files do not otherwise exist create them. -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SALT" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SALT" > "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" -fi - -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SEED" && ( -n "$AUTO_GENERATED_SECURITY" || ! 
-e "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SEED" > "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" -fi - -# We always run upgradeVersion since it will not make any changes -# if the current and target versions are the same or if -# an upgrade from the current to the target version is not allowed. -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -./Console/cake upgradeVersion "${COMANAGE_REGISTRY_UPGRADE_VERSION_OPTS}" > "$OUTPUT" 2>&1 - -popd > "$OUTPUT" 2>&1 - -# Force a datbase update if requested. This is helpful when deploying -# a new version of the code that does not result in a change in the -# version number and so upgradeVersion does not fire. An example -# of this scenario is when new code is introduced in the develop -# branch but before a release happens. -if [ -n "$COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE" ]; then - echo "Forcing a database schema update..." > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 -fi - -# Enable any supported non-core plugins if requested. -if [ -n "$COMANAGE_REGISTRY_ENABLE_PLUGIN" ]; then - plugins=(`echo "$COMANAGE_REGISTRY_ENABLE_PLUGIN" | sed -e 's@,@ @g'`) > "$OUTPUT" 2>&1 - for plugin in "${plugins[@]}"; - do - echo "Enabling available plugin $plugin..." > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/local/Plugin" > "$OUTPUT" 2>&1 - ln -s "../../app/AvailablePlugin/$plugin" "$plugin" > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - done -fi - -# Remove any cache files generated thus far. -find "$COMANAGE_REGISTRY_DIR/app/tmp/cache" -type f -exec rm -f {} \; - -# If defined use configured location of Apache HTTP Server -# HTTPS certificate and key files. The certificate file may also -# include intermediate CA certificates, sorted from leaf to root. 
-if [ -n "$HTTPS_CERT_FILE" ]; then - rm -f /etc/httpd/cert.pem - cp "$HTTPS_CERT_FILE" /etc/httpd/cert.pem - chown apache /etc/httpd/cert.pem - chmod 0644 /etc/httpd/cert.pem -fi - -if [ -n "$HTTPS_PRIVKEY_FILE" ]; then - rm -f /etc/httpd/privkey.pem - cp "$HTTPS_PRIVKEY_FILE" /etc/httpd/privkey.pem - chown apache /etc/httpd/privkey.pem - chmod 0600 /etc/httpd/privkey.pem -fi - -# If SERVER_NAME has not been injected try to determine -# it from the HTTPS_CERT_FILE. -if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/httpd/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'` - if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/httpd/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'` - fi -fi - -# Configure Apache HTTP Server with the server name. -sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@g /etc/httpd/conf.d/000-comanage.conf - -# If ENV or USERTOKEN as injected by the deployer contain a semi-colon remove it. -if [[ $ENV =~ .*";".* ]]; then - ENV=`echo $ENV | tr -d ';'` - export ENV -fi - -if [[ $USERTOKEN =~ .*";".* ]]; then - USERTOKEN=`echo $USERTOKEN | tr -d ';'` - export USERTOKEN -fi - -# If ENV or USERTOKEN as injected by the deployer contain a space remove it. -if [[ $ENV =~ [[:space:]] ]]; then - ENV=`echo $ENV | tr -d [:space:]` - export ENV -fi - -if [[ $USERTOKEN =~ [[:space:]] ]]; then - USERTOKEN=`echo $USERTOKEN | tr -d [:space:]` - export USERTOKEN -fi - -# Create pipes to use for COmanage Registry instead of standard log files. -rm -f "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" > "$OUTPUT" 2>&1 -rm -f "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" > "$OUTPUT" 2>&1 -mkfifo -m 666 "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" > "$OUTPUT" 2>&1 -mkfifo -m 666 "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" > "$OUTPUT" 2>&1 - -# Format any output from COmanange Registry into standard TIER form. 
-(cat <> "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "comanage_registry;error.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe)& -(cat <> "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "comanage_registry;debug.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe)& +comanage_utils::tmp_ownership # Start Apache HTTP Server exec /usr/sbin/httpd -DFOREGROUND diff --git a/comanage-registry-internet2-tier/docker-comanage-shibboleth-sp-entrypoint b/comanage-registry-internet2-tier/docker-comanage-shibboleth-sp-entrypoint index 11527b8..62c27a1 100755 --- a/comanage-registry-internet2-tier/docker-comanage-shibboleth-sp-entrypoint +++ b/comanage-registry-internet2-tier/docker-comanage-shibboleth-sp-entrypoint 
@@ -19,109 +19,10 @@ # See the License for the specific language governing permissions and # limitations under the License. -if [ -n "$COMANAGE_DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi +source /usr/local/lib/comanage_utils.sh -# Configuration details that may be injected through environment -# variables or the contents of files. -# -# SHIBBOLETH_SP_METADATA_PROVIDER_XML may also be injected in the -# same way but because of the presence of special characters in the -# XML it is handled differently. - -injectable_config_vars=( - SHIBBOLETH_SP_ENTITY_ID - SHIBBOLETH_SP_CERT - SHIBBOLETH_SP_PRIVKEY - SHIBBOLETH_SP_SAMLDS_URL -) - -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. - -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; - - if [ -e "$file_name" ]; then - payload=`cat $file_name` - declare "${config_var}"="${payload}" - fi -done - -# If no shibboleth2.xml file is present then create one using -# injected information or defaults that are not particularly -# useful in a federated context but will allow shibd to start. -if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then - cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml - sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml - sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml - - # The metadata provider injected input most likely contains special characters - # so use a sed script instead of simple substitution on the command line. 
- - if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then - xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" - else - xml_content_file=`/bin/mktemp` - echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file} - fi - - sed_script_file=`/bin/mktemp` - cat > ${sed_script_file}< "$OUTPUT" 2>&1 @@ -61,7 +36,7 @@ mkfifo -m 666 /tmp/loghttpd > "$OUTPUT" 2>&1 # Format any console output from shibd into standard TIER form. rm -f /tmp/logshibd > "$OUTPUT" 2>&1 mkfifo -m 666 /tmp/logshibd > "$OUTPUT" 2>&1 -(cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "httpd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe 2>&1)& +(cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shibd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe 2>&1)& # Format any console output from supervisord into standard TIER form. rm -f /tmp/logsuperd > "$OUTPUT" 2>&1 diff --git a/comanage-registry-internet2-tier/sendtierbeacon.sh b/comanage-registry-internet2-tier/sendtierbeacon.sh index 63e27f9..ebc8a34 100755 --- a/comanage-registry-internet2-tier/sendtierbeacon.sh +++ b/comanage-registry-internet2-tier/sendtierbeacon.sh @@ -19,13 +19,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -LOGHOST="collector.testbed.tier.internet2.edu" -LOGPORT="5001" +LOGHOST='collector.testbed.tier.internet2.edu' +LOGPORT='5001' -messagefile="/tmp/beaconmsg" +messagefile='/tmp/beaconmsg' -if [ -z "$TIER_BEACON_OPT_OUT" ]; then - cat > $messagefile < ${messagefile} </dev/null 2>&1 - if [ $? -eq 0 ]; then + curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T ${messagefile} 1>/dev/null 2>&1 + if [[ $? -eq 0 ]]; then echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; TIER beacon sent" else echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; Failed to send TIER beacon" fi - rm -f $messagefile 1>/dev/null 2>&1 + rm -f ${messagefile} 1>/dev/null 2>&1 fi 
diff --git a/comanage-registry-internet2-tier/setupcron.sh b/comanage-registry-internet2-tier/setupcron.sh index 3f45f05..4c99e55 100755 --- a/comanage-registry-internet2-tier/setupcron.sh +++ b/comanage-registry-internet2-tier/setupcron.sh @@ -19,11 +19,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -CRONFILE=/tmp/cronfile +CRONFILE='/tmp/cronfile' # Build and install crontab file with random start time # between midnight and 3:59am. -echo "#send daily beacon to TIER Central" > ${CRONFILE} -echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/sendtierbeacon.sh >> /tmp/logpipe 2>&1" >> ${CRONFILE} -chmod 644 ${CRONFILE} -crontab ${CRONFILE} +echo '#send daily beacon to TIER Central' > "${CRONFILE}" +echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/sendtierbeacon.sh >> /tmp/logpipe 2>&1" >> "${CRONFILE}" +chmod 644 "${CRONFILE}" +crontab "${CRONFILE}" diff --git a/comanage-registry-internet2-tier/shibboleth.repo b/comanage-registry-internet2-tier/shibboleth.repo index 393aa48..02877bb 100644 --- a/comanage-registry-internet2-tier/shibboleth.repo +++ b/comanage-registry-internet2-tier/shibboleth.repo @@ -1,7 +1,8 @@ -[security_shibboleth] +[shibboleth] name=Shibboleth (CentOS_7) +# Please report any problems to https://issues.shibboleth.net type=rpm-md -baseurl=http://downloadcontent.opensuse.org/repositories/security:/shibboleth/CentOS_7/ +mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7 gpgcheck=1 -gpgkey=http://downloadcontent.opensuse.org/repositories/security:/shibboleth/CentOS_7/repodata/repomd.xml.key +gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key enabled=1 diff --git a/comanage-registry-mailman/.dockerignore b/comanage-registry-mailman/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-mailman/.dockerignore @@ -0,0 +1 @@ +README.md 
diff --git a/comanage-registry-mod-auth-openidc/.dockerignore b/comanage-registry-mod-auth-openidc/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-mod-auth-openidc/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-mod-auth-openidc/000-comanage.conf b/comanage-registry-mod-auth-openidc/000-comanage.conf index 2d19f86..0b03d75 100644 --- a/comanage-registry-mod-auth-openidc/000-comanage.conf +++ b/comanage-registry-mod-auth-openidc/000-comanage.conf 
@@ -17,50 +17,39 @@ # See the License for the specific language governing permissions and # limitations under the License. - - ServerName http://%%SERVER_NAME%%:80 - RewriteEngine On - RewriteCond %{HTTPS} off - RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] - +Include apache-include-virtual-host-port80-redirect - ServerName https://%%SERVER_NAME%%:443 - - DocumentRoot /var/www/html - - RedirectMatch ^/$ /registry/ - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined +Include apache-include-virtual-host-port443-base - LogLevel warn +SSLCertificateFile /etc/apache2/cert.pem +SSLCertificateKeyFile /etc/apache2/privkey.pem - Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" +ErrorLog ${APACHE_LOG_DIR}/error.log +CustomLog ${APACHE_LOG_DIR}/access.log combined - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLHonorCipherOrder on +Include apache-include-directory-registry - SSLCertificateFile /etc/apache2/cert.pem - SSLCertificateKeyFile /etc/apache2/privkey.pem - - IncludeOptional /etc/apache2/conf-enabled/mod-auth-openidc.conf +IncludeOptional /etc/apache2/conf-enabled/mod-auth-openidc.conf - - Options Indexes FollowSymLinks - DirectoryIndex index.php - AllowOverride All - AuthType openid-connect - OIDCUnAuthAction pass - Require valid-user - - - - AuthType openid-connect - OIDCUnAuthAction auth - Require valid-user - + +Options Indexes FollowSymLinks +DirectoryIndex index.php +AllowOverride All +AuthType openid-connect +OIDCUnAuthAction pass +Require valid-user + + + +AuthType openid-connect +OIDCUnAuthAction auth +Require valid-user + + +RewriteEngine On +RewriteCond %{QUERY_STRING} !after_redirect +RewriteRule ^/registry/auth/logout.* https://%{HTTP_HOST}/secure/redirect?logout=https://%{HTTP_HOST}/registry/auth/logout/?after_redirect [L,R] 
diff --git a/comanage-registry-mod-auth-openidc/Dockerfile b/comanage-registry-mod-auth-openidc/Dockerfile new file mode 100644 index 0000000..01eab3b --- /dev/null +++ b/comanage-registry-mod-auth-openidc/Dockerfile 
@@ -0,0 +1,75 @@ +# COmanage Registry Dockerfile template +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +ARG COMANAGE_REGISTRY_VERSION=develop +ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +ARG MOD_AUTH_OPENIDC_SRC_URL=https://github.com/zmartzone/mod_auth_openidc/archive/v2.3.10.1.tar.gz + +FROM comanage-registry-base:${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} AS comanage + +FROM debian:stretch AS building + +ARG MOD_AUTH_OPENIDC_SRC_URL +ENV MOD_AUTH_OPENIDC_SRC_URL ${MOD_AUTH_OPENIDC_SRC_URL} + +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + apache2 \ + apache2-dev \ + automake \ + ca-certificates \ + libcjose0 \ + libcjose-dev \ + libcurl4-openssl-dev \ + libjansson-dev \ + libpcre3-dev \ + libssl-dev \ + pkg-config \ + wget \ + && mkdir -p /tmp/mod_auth_openidc \ + && wget -O mod_auth_openidc.tar.gz "$MOD_AUTH_OPENIDC_SRC_URL" \ + && tar -zxf mod_auth_openidc.tar.gz -C /tmp/mod_auth_openidc --strip-components=1 \ + && cd /tmp/mod_auth_openidc \ + && ./autogen.sh \ + && ./configure --with-apxs2=`which apxs2` \ + && make \ + && make install + +FROM comanage + +ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION +ENV 
COMANAGE_REGISTRY_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} +LABEL comanage_registry_base_image_version=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} + +ARG MOD_AUTH_OPENIDC_SRC_URL +ENV MOD_AUTH_OPENIDC_SRC_URL ${MOD_AUTH_OPENIDC_SRC_URL} +LABEL mod_auth_openidc_src_url ${MOD_AUTH_OPENIDC_SRC_URL} + +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + libcjose0 + +COPY --from=building /usr/lib/apache2/modules/mod_auth_openidc.so /usr/lib/apache2/modules/mod_auth_openidc.so + +RUN echo "LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so" > /etc/apache2/mods-available/auth_openidc.load \ + && a2enmod auth_openidc + +COPY 000-comanage.conf /etc/apache2/sites-available/ +RUN a2ensite 000-comanage + +COPY htaccess /srv/comanage-registry/app/webroot/.htaccess diff --git a/comanage-registry-mod-auth-openidc/Dockerfile.template b/comanage-registry-mod-auth-openidc/Dockerfile.template deleted file mode 100644 index d10a3ae..0000000 --- a/comanage-registry-mod-auth-openidc/Dockerfile.template +++ /dev/null 
@@ -1,144 +0,0 @@ -# COmanage Registry Dockerfile template -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -FROM php:7.0-apache-jessie - -RUN apt-get update && apt-get install -y \ - libldap-2.4-2 \ - libldap2-dev \ - libmysqlclient18 \ - libmysqlclient-dev \ - libpq-dev \ - libxml2 \ - libxslt1-dev \ - libxslt1.1 \ - ssl-cert \ - wget \ - zlib1g \ - libpcre3-dev \ - && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \ - && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \ - && docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \ - && docker-php-ext-install xsl pdo_mysql pdo_pgsql mysqli pgsql ldap \ - && docker-php-source delete \ - && apt-get purge -y \ - libldap2-dev \ - libmysqlclient-dev \ - libpq-dev \ - && apt-get clean - -ENV MOD_AUTH_OPENIDC_SRC_URL https://github.com/pingidentity/mod_auth_openidc/archive/v2.1.6.tar.gz -ENV MOD_AUTH_OPENIDC_SRC /opt/OIDC_SRC - -RUN awk '$1 ~ "^deb" { $3 = $3 "-backports"; print; exit }' /etc/apt/sources.list > /etc/apt/sources.list.d/backports.list \ - && apt-get update \ - && apt-get install -y --no-install-recommends \ - apache2-dev \ - libcjose0 \ - libcjose-dev \ - libssl-dev \ - 
libcurl4-openssl-dev \ - libjansson-dev \ - libpcre3-dev \ - pkg-config \ - automake \ - && mkdir -p "$MOD_AUTH_OPENIDC_SRC" \ - && wget -O mod_auth_openidc.tar.gz "$MOD_AUTH_OPENIDC_SRC_URL" \ - && tar -zxf mod_auth_openidc.tar.gz -C "$MOD_AUTH_OPENIDC_SRC" --strip-components=1 \ - && cd "$MOD_AUTH_OPENIDC_SRC" \ - && ./autogen.sh \ - && ./configure --with-apxs2=`which apxs2` \ - && make \ - && make install \ - && rm -f mod_auth_openidc.tar.gz \ - && cd \ - && rm -rf "$MOD_AUTH_OPENIDC_SRC" \ - && echo "LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so" > /etc/apache2/mods-available/auth_openidc.load \ - && a2enmod auth_openidc \ - && apt-get purge -y \ - apache2-dev \ - libcjose-dev \ - libssl-dev \ - libcurl4-openssl-dev \ - libjansson-dev \ - libpcre3-dev \ - pkg-config \ - automake \ - && apt-get clean - -ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%% -ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz - -LABEL comanage_registry_version=$COMANAGE_REGISTRY_VERSION -LABEL comanage_registry_src_url=$COMANAGE_REGISTRY_SRC_URL - -ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry - -WORKDIR "$COMANAGE_REGISTRY_DIR" - -COPY 000-comanage.conf /etc/apache2/sites-available/000-comanage.conf - -RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ - && wget -O comanage.tar.gz $COMANAGE_REGISTRY_SRC_URL \ - && tar -zxf comanage.tar.gz -C "$COMANAGE_REGISTRY_DIR" --strip-components=1 \ - && rm -f comanage.tar.gz \ - && rm -f "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && cp -r "$COMANAGE_REGISTRY_DIR/app/tmp.dist" "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && cd /var/www/html \ - && ln -s "$COMANAGE_REGISTRY_DIR/app/webroot" registry \ - && rm -rf "$COMANAGE_REGISTRY_DIR/local/*" \ - && ln -s "$COMANAGE_REGISTRY_DIR/local" /local \ - && a2enmod headers \ - && a2enmod ssl \ - && a2enmod rewrite \ - && a2dissite 000-default.conf \ 
- && a2ensite 000-comanage.conf \ - && a2disconf other-vhosts-access-log \ - && cd /etc/apache2 \ - && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ - && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ - && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" - -COPY docker-comanage-entrypoint /usr/local/bin/ - -COPY htaccess /srv/comanage-registry/app/webroot/.htaccess - -# expose COmanage Registry local directory -VOLUME ["/local"] - -WORKDIR /var/www/html - -EXPOSE 80 443 - -# Default values for first administrator bootstrapped -# into the platform, most likely overridden at build time -# using build arguments. -ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME -ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME -ARG COMANAGE_REGISTRY_ADMIN_USERNAME -ARG COMANAGE_REGISTRY_ENABLE_POOLING - -ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry} -ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin} -ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin} -ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No} - -ENTRYPOINT ["docker-comanage-entrypoint"] - -CMD ["apache2-foreground"] diff --git a/comanage-registry-mod-auth-openidc/README.md b/comanage-registry-mod-auth-openidc/README.md index f071674..790d00d 100644 --- a/comanage-registry-mod-auth-openidc/README.md +++ b/comanage-registry-mod-auth-openidc/README.md 
@@ -19,154 +19,131 @@ See the License for the specific language governing permissions and limitations under the License. --> -# COmanage Registry mod\_auth\_openidc +# COmanage Registry mod_auth_openidc -Intended to build a COmanage Registry image -using the official PHP 7 with Apache image as the foundation -and providing mod\_auth\_openidc for Apache HTTP Server -as the authentication mechanism. +Intended to build a COmanage Registry image using the mod_auth_openidc +module for Apache HTTP Server as the authentication mechanism. -## Build +## Build Arguments + +Building the image requires the following build arguments: ``` -export COMANAGE_REGISTRY_VERSION=develop -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc . +--build-arg COMANAGE_REGISTRY_VERSION= +--build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION= ``` -You can (and should) use build arguments to bootstrap the first -platform administrator. The administrator username is the value -COmanage Registry expects to read from $REMOTE\_USER after -the administrator authenticates using whichever authentication -method is provided: +Additionally the following build argument may be specified: ``` -export COMANAGE_REGISTRY_VERSION=develop +--build-arg MOD_AUTH_OPENIDC_SRC_URL= +``` + +## Build Requirements -export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel -export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak -export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org +This image uses a [multi-stage build](https://docs.docker.com/develop/develop-images/multistage-build/). +It requires that the [COmanage Registry base image](../comanage-registry-base/README.md) +be built first. 
-sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile +## Building + +``` docker build \ - --build-arg COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} \ - --build-arg COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} \ - --build-arg COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} \ - -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc . + --build-arg COMANAGE_REGISTRY_VERSION= \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION= \ + -t comanage-registry: . ``` -## Run -### Database +## Building Example -COmanage Registry requires a relational database. See the -[PostgreSQL example for COmanage Registry](../comanage-registry-postgres/README.md). +``` +export COMANAGE_REGISTRY_VERSION=3.2.1 +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +export COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc-${COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION}" -### Network +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +``` -Create a user-defined network bridge with +## Volumes and Data Persistence -``` -docker network create --driver=bridge \ - --subnet=192.168.0.0/16 \ - --gateway=192.168.0.100 \ - comanage-registry-internal-network -``` +See [COmanage Registry Volumes and Data Persistence](../docs/volumes-and-data-persistence.md). -### COmanage Registry Configuration -Create a directory to hold persistent COmanage Registry configuration and -other state such as local plugins and other customizations. 
In that directory -create a `Config` directory and in it place a `database.php` and `email.php` -configuration file: +## Environment Variables -``` -mkdir -p /opt/comanage-registry/Config - -cat > /opt/comanage-registry/Config/database.php <<"EOF" - 'Database/Postgres', - 'persistent' => false, - 'host' => 'comanage-registry-database', - 'login' => 'registry_user', - 'password' => 'password', - 'database' => 'registry', - 'prefix' => 'cm_', - ); - -} -EOF - -cat > /opt/comanage-registry/Config/email.php <<"EOF" - 'Smtp', - 'host' => 'tls://smtp.gmail.com', - 'port' => 465, - 'username' => 'account@gmail.com', - 'password' => 'password' - ); -} -EOF -``` +See the [list of environment variables common to all images](../docs/comanage-registry-common-environment-variables.md) +including this image. -### mod\_auth\_openidc Configuration +## Authentication -Mount or COPY mod\_auth\_openidc configuration into the file -`/etc/apache2/conf-enabled/mod-auth-openidc.conf`. The configuration -will usually include +This image supports using the mod_auth_openidc module for Apache HTTP Server as the +authentication mechanism. Deployers should bind mount or COPY in the Apache HTTP Server +configuration file `/etc/apache2/conf-enabled/mod-auth-openidc.conf` that contains +the necessary OIDC client, secret, redirect URI, and other mod_auth_openidc +integration details. + +An example `mod-auth-openidc.conf` configuration is ``` -OIDCProviderMetadataURL -OIDCRemoteUserClaim -OIDCClientID -OIDCClientSecret -OIDCScope -OIDCCryptoPassphrase -OIDCRedirectURI -``` +OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration +OIDCRemoteUserClaim sub -It should also include a `` directive to identify the -`OIDCRedirectURI`. 
+OIDCClientID cilogon:/client_id/3815e327237181f2ca55e39c305a5706 +OIDCClientSecret w5TmBFgrLEZVl7P3VYw5 + +OIDCScope "openid email profile org.cilogon.userinfo" +OIDCCryptoPassphrase X7iAVpP9c3vr3WTsxrd7 + +OIDCRedirectURI https://registry.cilogon.org/secure/redirect -``` AuthType openid-connect Require valid-user ``` -You may also want to enable logout. For example +## Ports -``` -Redirect /registry/users/logout https:///secure/redirect?logout=https%3A%2F%2F%2Fregistry%2F -``` +The image listens for web traffic on ports 80 and 443. All requests +on port 80 are redirected to port 443. + +## Running -### Container +See other documentation in this repository for details on how to orchestrate +running this image with other images using an orchestration tool like +Docker Compose, Docker Swarm, or Kubernetes. + +To run this image: ``` -docker run -d --name comanage-registry \ - -v /opt/comanage-registry:/srv/comanage-registry/local \ - --network comanage-registry-internal-network \ - -p 80:80 -p 443:443 \ - comanage-registry:${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc +docker run -d \ + --name comanage-registry \ + -e COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Julia \ + -e COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Janseen \ + -e COMANAGE_REGISTRY_ADMIN_USERNAME=http://cilogon.org/serverA/users/22981 + -v /opt/comanage-registry-local:/srv/comanage-registry/local \ + -v mod-auth-openidc.conf:/etc/apache2/conf-enabled/mod-auth-openidc.conf \ + -p 80:80 \ + -p 443:443 \ + comanage-registry:3.2.1-mod-auth-openidc-1 ``` -### Logging +## Logging -Both Apache HTTP Server and COmanage Registry log to the stdout and +Apache HTTP Server and COmanage Registry log to the stdout and stderr of the container. -### HTTPS Configuration +## HTTPS Configuration + +See the section on environment variables and the `HTTPS_CERT_FILE` and +`HTTPS_PRIVKEY_FILE` variables. -Mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) -and associated private key file. 
+Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) +and associated private key file. For example ``` COPY cert.pem /etc/apache2/cert.pem diff --git a/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint b/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint deleted file mode 100755 index c988d8c..0000000 --- a/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint +++ /dev/null 
@@ -1,294 +0,0 @@ -#!/bin/bash - -# COmanage Registry Dockerfile entrypoint -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ -n "$COMANAGE_DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi - -# Configuration details that may be injected through environment -# variables or the contents of files. - -injectable_config_vars=( - COMANAGE_REGISTRY_DATASOURCE - COMANAGE_REGISTRY_DATABASE - COMANAGE_REGISTRY_DATABASE_HOST - COMANAGE_REGISTRY_DATABASE_USER - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD - COMANAGE_REGISTRY_EMAIL_FROM - COMANAGE_REGISTRY_EMAIL_TRANSPORT - COMANAGE_REGISTRY_EMAIL_HOST - COMANAGE_REGISTRY_EMAIL_PORT - COMANAGE_REGISTRY_EMAIL_ACCOUNT - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD - COMANAGE_REGISTRY_SECURITY_SALT - COMANAGE_REGISTRY_SECURITY_SEED - HTTPS_CERT_FILE - HTTPS_PRIVKEY_FILE - SERVER_NAME -) - -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. 
- -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; - - if [ -e "$file_name" ]; then - declare "${config_var}"=`cat $file_name` - fi -done - -# Make sure the directory structure we need is available -# in the data volume for $COMANAGE_REGISTRY_DIR/local -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img" - -# If the COmanage Registry database configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -if [ ! -e "$COMANAGE_REGISTRY_DIR/local/Config/database.php" ]; then - cat > "$COMANAGE_REGISTRY_DIR/local/Config/database.php" < '${COMANAGE_REGISTRY_DATASOURCE:-Database/Postgres}', - 'persistent' => false, - 'host' => '${COMANAGE_REGISTRY_DATABASE_HOST:-comanage-registry-database}', - 'login' => '${COMANAGE_REGISTRY_DATABASE_USER:-registry_user}', - 'password' => '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD:-password}', - 'database' => '${COMANAGE_REGISTRY_DATABASE:-registry}', - 'prefix' => 'cm_', - ); - -} -EOF -fi - -# If the COmanage Registry email configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -email_config="$COMANAGE_REGISTRY_DIR/local/Config/email.php" - -if [ ! 
-e "$email_config" ]; then - cat > "$email_config" < ${COMANAGE_REGISTRY_EMAIL_FROM:-array('account@gmail.com' => 'Registry')}, - 'transport' => '${COMANAGE_REGISTRY_EMAIL_TRANSPORT:-Smtp}', - 'host' => '${COMANAGE_REGISTRY_EMAIL_HOST:-tls://smtp.gmail.com}', - 'port' => ${COMANAGE_REGISTRY_EMAIL_PORT:-465}, - 'username' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT:-account@gmail.com}', - 'password' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD:-password}' - ); -} -EOF -fi - -# Loop until we are able to open a connection to the database. -DATABASE_TEST_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/DatabaseTestShell.php" - -cat > $DATABASE_TEST_SCRIPT <<"EOF" -error("Unable to connect to datasource"); - } - $this->out("Connected to datasource"); - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -until ./Console/cake databaseTest > "$OUTPUT" 2>&1; do - >&2 echo "Database is unavailable - sleeping" - sleep 1 -done - -rm -f "$DATABASE_TEST_SCRIPT" - -popd > "$OUTPUT" 2>&1 - -# We only want to run the setup script once since it creates -# state in the database. Until COmanage Registry has a better -# mechanism for telling us if setup has already been run -# we create an ephemeral CakePHP script to tell us. -SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php" - -cat > $SETUP_ALREADY_SCRIPT <<"EOF" -Co->find('first', $args); - } catch (CakeException $e) { - $this->out('Not setup already'); - } - - if(empty($co)) { - $this->out('Not setup already'); - } else { - $this->error('Setup already'); - } - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 -./Console/cake setupAlready > "$OUTPUT" 2>&1 -setup_already=$? - -rm -f "$SETUP_ALREADY_SCRIPT" - -if [ $setup_already -eq 0 ]; then - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > "$OUTPUT" 2>&1 - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > "$OUTPUT" 2>&1 - # Run database twice until issue on develop branch is resolved. 
Since - # the command is idempotent normally it is not a problem to have it run - # more than once. - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \ - --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \ - --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \ - --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" 2>&1 - AUTO_GENERATED_SECURITY=1 -fi - -popd > "$OUTPUT" 2>&1 - -# If COmanage Registry CakePHP security salt and seed have been -# injected and the files do not otherwise exist create them. -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SALT" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SALT" > "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" -fi - -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SEED" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SEED" > "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" -fi - -# We always run upgradeVersion since it will not make any changes -# if the current and target versions are the same or if -# an upgrade from the current to the target version is not allowed. -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -./Console/cake upgradeVersion "${COMANAGE_REGISTRY_UPGRADE_VERSION_OPTS}" > "$OUTPUT" 2>&1 - -popd > "$OUTPUT" 2>&1 - -# Force a datbase update if requested. This is helpful when deploying -# a new version of the code that does not result in a change in the -# version number and so upgradeVersion does not fire. An example -# of this scenario is when new code is introduced in the develop -# branch but before a release happens. -if [ -n "$COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE" ]; then - echo "Forcing a database schema update..." 
> "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 -fi - -# Enable any supported non-core plugins if requested. -if [ -n "$COMANAGE_REGISTRY_ENABLE_PLUGIN" ]; then - plugins=(`echo "$COMANAGE_REGISTRY_ENABLE_PLUGIN" | sed -e 's@,@ @g'`) > "$OUTPUT" 2>&1 - for plugin in "${plugins[@]}"; - do - echo "Enabling available plugin $plugin..." > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/local/Plugin" > "$OUTPUT" 2>&1 - ln -s "../../app/AvailablePlugin/$plugin" "$plugin" > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - done -fi - -# Remove any cache files generated thus far. -find "$COMANAGE_REGISTRY_DIR/app/tmp/cache" -type f -exec rm -f {} \; - -# If defined use configured location of Apache HTTP Server -# HTTPS certificate and key files. The certificate file may also -# include intermediate CA certificates, sorted from leaf to root. -if [ -n "$HTTPS_CERT_FILE" ]; then - rm -f /etc/apache2/cert.pem - cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem - chown www-data /etc/apache2/cert.pem - chmod 0644 /etc/apache2/cert.pem -fi - -if [ -n "$HTTPS_PRIVKEY_FILE" ]; then - rm -f /etc/apache2/privkey.pem - cp "$HTTPS_PRIVKEY_FILE" /etc/apache2/privkey.pem - chown www-data /etc/apache2/privkey.pem - chmod 0600 /etc/apache2/privkey.pem -fi - -# If SERVER_NAME has not been injected try to determine -# it from the HTTPS_CERT_FILE. -if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'` - if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'` - fi -fi - -# Configure Apache HTTP Server with the server name. 
-sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@ /etc/apache2/sites-available/000-comanage.conf - -cat > /etc/apache2/conf-available/server-name.conf < "$OUTPUT" 2>&1 - -# first arg is `-f` or `--some-option` -if [ "${1#-}" != "$1" ]; then - set -- apache2-foreground "$@" -fi - -exec "$@" diff --git a/comanage-registry-postgres/.dockerignore b/comanage-registry-postgres/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-postgres/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-postgres/README.md b/comanage-registry-postgres/README.md index 903bb8e..0adab5e 100644 --- a/comanage-registry-postgres/README.md +++ b/comanage-registry-postgres/README.md 
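Review bot: The removed block ending at `exec "$@"` carried this entrypoint's only handling of `HTTPS_CERT_FILE`/`HTTPS_PRIVKEY_FILE` (copy into `/etc/apache2`, `chmod 0600` on the private key), the derivation of `SERVER_NAME` from the certificate SAN or CN, the `upgradeVersion` run and the plugin symlinking, and nothing in the hunk replaces them; confirm a shared entrypoint now performs these steps before merging. When that replacement is written, do not carry over the duplicated consecutive `./Console/cake database` invocation at the top of the hunk, and use the `g` flag on the `SERVER_NAME` substitution (`s@%%SERVER_NAME%%@...@g`, as the removed `docker-apache-entrypoint` did), since the form here only rewrites the first occurrence on each line.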
@@ -18,53 +18,108 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> - # PostgreSQL for COmanage Registry -A simple example demonstrating how to create an image and container -based on PostgreSQL to use with COmanage Registry containers. +Intended to build a PostgreSQL image for use with COmanage Registry. + +## Build Arguments + +No arguments are required for building the image. -## Build +The following arguments may be supplied during the build: ``` -docker build -t comanage-registry-postgres . +--build-arg COMANAGE_REGISTRY_POSTGRES_DATABASE= +--build-arg COMANAGE_REGISTRY_POSTGRES_USER= +--build-arg COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD= ``` -## Run - -Create a user-defined network bridge with +## Building ``` -docker network create --driver=bridge \ - --subnet=192.168.0.0/16 \ - --gateway=192.168.0.100 \ - comanage-registry-internal-network +docker build \ + -t comanage-registry-postgres: . ``` -and then mount a host directory such as `/tmp/postgres-data` -to `/var/lib/postgresql/data` inside the container to persist -data, eg. +## Building Example ``` -docker run -d --name comanage-registry-database \ - --network comanage-registry-internal-network \ - -v /tmp/postgres-data:/var/lib/postgresql/data \ - comanage-registry-postgres +export COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION}" +docker build \ + -t comanage-registry-postgres:$TAG . ``` -You can use the following environment variables with the image: +## Volumes and Data Persistence + +You must provide a volume or bind mount that mounts to `/var/lib/postgresql/data` +inside the container to persist data saved to the relational database. 
+ +## Environment Variables + +The image supports the environment variables below and the `_FILE` +[convention](../docs/comanage-registry-common-environment-variables.md): + +`POSTGRES_USER` + +* Description: superuser +* Required: yes +* Default: `postgres` +* Example: `db_user` +* Note: Most deployers use the default. + +`POSTGRES_PASSWORD` -* `POSTGRES_USER`: superuser (default is `postgres`) -* `POSTGRES_PASSWORD`: password for superuser (no default) -* `COMANAGE_REGISTRY_POSTGRES_DATABASE`: COmanage Registry database (default is `registry`) -* `COMANAGE_REGISTRY_POSTGRES_USER`: COmanage Registry database user (default is `registry_user`) -* `COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD`: password for database user (no default) +* Description: password for superuser +* Required: no +* Default: none +* Example: `l7cX28O3mt03y41EndjM` +* Note: If you do not set a password for the superuser then +any client with access to the container may connect to the database. + +`COMANAGE_REGISTRY_POSTGRES_DATABASE` + +* Description: COmanage Registry database +* Required: yes +* Default: `registry` +* Example: `comanage_registry` + +`COMANAGE_REGISTRY_POSTGRES_USER` + +* Description: COmanage Registry database user +* Required: yes +* Default: `registry_user` +* Example: `comanage_registry_user` + +`COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD` + +* Description: password for database user +* Required: no +* Default: none +* Example: `5Aw9SzS4xqYi7daHw57c` +* Note: If you do not set a password for the COmanage Registry user then +any client with access to the container may connect to the database. + +## Authentication + +If you do not set a password for the superuser or the COmanage Registry user then +any client with access to the container may connect to the database. -For example: +## Ports + +The image listens for traffic on port 5432. 
+ +## Running + +See other documentation in this repository for details on how to orchestrate +running this image with other images using an orchestration tool like +Docker Compose, Docker Swarm, or Kubernetes. + +To run this image: ``` -docker run -d --name comanage-registry-database \ - --network comanage-registry-internal-network \ +docker run -d \ + --name comanage-registry-database \ -v /tmp/postgres-data:/var/lib/postgresql/data \ -e POSTGRES_USER=postgres \ -e POSTGRES_PASSWORD=superuser_password \ 
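Review bot: In the Build Arguments section, `--build-arg COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD=` offers a database password as a build argument; a value passed with `--build-arg` and consumed by a `RUN` step is recorded in the image layer history (visible with `docker history`) and travels with the image to any registry, so the README should state that this argument is for local builds only and direct deployments to the runtime `COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD` variable or its `_FILE` form. Separately, `POSTGRES_USER`, `COMANAGE_REGISTRY_POSTGRES_DATABASE` and `COMANAGE_REGISTRY_POSTGRES_USER` are marked `Required: yes` although each has a default, while the two password variables, whose absence the Note says lets any client with access to the container connect, are marked `Required: no`; make `Required` reflect what a safe deployment needs rather than whether a default exists.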
@@ -74,20 +129,51 @@ docker run -d --name comanage-registry-database \ comanage-registry-postgres ``` -You may also set environment variables that point to files from which to read -the same details, for example +## Logging + +PostgreSQL logs to the stdout and stderr of the container. + +## Connecting + +After breaking into the container you may connect to the +COmanage Registry database as the COmanage Registry database +user by running ``` -docker run -d --name comanage-registry-database \ - --network comanage-registry-internal-network \ - -v /tmp/postgres-data:/var/lib/postgresql/data \ - -e POSTGRES_USER_FILE=/run/secrets/postgres_user \ - -e POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \ - -e COMANAGE_REGISTRY_POSTGRES_DATABASE_FILE=/run/secrets/comanage_registry_postgres_database \ - -e COMANAGE_REGISTRY_POSTGRES_USER_FILE=/run/secrets/comanage_registry_postgres_user \ - -e COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD_FILE=/run/secrets/comanage_registry_postgres_user_password \ - comanage-registry-postgres +psql -h 127.0.0.1 ${COMANAGE_REGISTRY_POSTGRES_DATABASE} ${COMANAGE_REGISTRY_POSTGRES_USER} ``` -If you do not set a password for the superuser or the COmanage Registry user then -any client with access to the container may connect to the database. +For example + +``` +# psql -h 127.0.0.1 registry registry_user +Password for user registry_user: +psql (9.6.12) +Type "help" for help. + +registry=> +``` + +## Backups + +A common strategy for backing up the database is to run another temporary +container that executes the `pg_dump` command. You need to be sure that the +temporary container and the database container use the same network. + +An example is + +``` +docker run \ + -it \ + --rm \ + --network temp_default \ + comanage-registry-postgres \ + pg_dump \ + -h comanage-registry-database \ + -U registry_user \ + registry +``` + +The output from the `pg_dump` command is sent to the stdout of the temporary +container and may be redirected to a file. + 
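Review bot: The `pg_dump` example in the Backups section gives no credential source, so once `registry_user` has a password the temporary container prompts interactively and an unattended (cron-driven) backup hangs or fails; document passing `PGPASSWORD` with `-e` or mounting a `.pgpass` file into the temporary container, read from the same secret that `COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD_FILE` points at. The `docker run` example removed in this hunk was the only place the README showed the `_FILE` secrets form; keep one such example under Environment Variables so the convention link is not the only guidance. Wording: "After breaking into the container" reads as an intrusion; "after starting a shell in the container with `docker exec`" says what is meant.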
diff --git a/comanage-registry-shibboleth-sp-base/.dockerignore b/comanage-registry-shibboleth-sp-base/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-shibboleth-sp-base/000-site.conf b/comanage-registry-shibboleth-sp-base/000-site.conf deleted file mode 100644 index 1377e62..0000000 --- a/comanage-registry-shibboleth-sp-base/000-site.conf +++ /dev/null 
@@ -1,62 +0,0 @@ -# COmanage Registry Apache HTTP Server configuration -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - ServerName http://%%SERVER_NAME%%:80 - UseCanonicalName On - RewriteEngine On - RewriteCond %{HTTPS} off - RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] - - - - ServerName https://%%SERVER_NAME%%:443 - UseCanonicalName On - - DocumentRoot /var/www/html - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - LogLevel warn - - Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" - - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLHonorCipherOrder on - - SSLCertificateFile /etc/apache2/cert.pem - SSLCertificateKeyFile /etc/apache2/privkey.pem - - - SetHandler shib - - - - AuthType shibboleth - Require shibboleth - - - RewriteEngine On - RewriteCond %{QUERY_STRING} !after_redirect - RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R] - - 
diff --git a/comanage-registry-shibboleth-sp-base/Dockerfile b/comanage-registry-shibboleth-sp-base/Dockerfile index c5fa417..2f45921 100644 --- a/comanage-registry-shibboleth-sp-base/Dockerfile +++ b/comanage-registry-shibboleth-sp-base/Dockerfile @@ -16,7 +16,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM debian:9 +FROM debian:stretch RUN apt-get update \ && apt-get install -y --no-install-recommends \ @@ -30,10 +30,11 @@ RUN apt-get update \ libssl1.0-dev \ libssl1.0.2 \ make \ + pkg-config \ wget \ zlib1g-dev -ARG LOG4SHIB_URL=http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.9.tar.gz +ARG LOG4SHIB_URL=http://shibboleth.net/downloads/log4shib/2.0.0/log4shib-2.0.0.tar.gz RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}" \ && mkdir -p src \ @@ -49,7 +50,7 @@ RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}" \ && cd .. \ && rm -r src -ARG XERCESC_URL=http://ftp.wayne.edu/apache//xerces/c/3/sources/xerces-c-3.2.0.tar.gz +ARG XERCESC_URL=http://ftp.wayne.edu/apache//xerces/c/3/sources/xerces-c-3.2.2.tar.gz RUN wget -O xerces.tar.gz "${XERCESC_URL}" \ && mkdir -p src \ @@ -62,15 +63,14 @@ RUN wget -O xerces.tar.gz "${XERCESC_URL}" \ && cd .. \ && rm -r src -ARG XMLSECC_URL=http://ftp.wayne.edu/apache/santuario/c-library/xml-security-c-1.7.3.tar.gz +ARG XMLSECC_URL=http://ftp.wayne.edu/apache/santuario/c-library/xml-security-c-2.0.2.tar.gz RUN wget -O xmlsecc.tar.gz "${XMLSECC_URL}" \ && mkdir -p src \ && tar -zxf xmlsecc.tar.gz -C src --strip-components=1 \ && rm -f xmlsecc.tar.gz \ && cd src \ - && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ - --with-xerces=/opt/shibboleth-sp \ + && CXXFLAGS="-std=gnu++98" PKG_CONFIG_PATH=/opt/shibboleth-sp/lib/pkgconfig ./configure --prefix=/opt/shibboleth-sp \ --with-openssl=/usr \ --disable-static \ --without-xalan \ 
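Review bot: The `LOG4SHIB_URL`, `XERCESC_URL` and `XMLSECC_URL` hunks still fetch tarballs over plain `http://` with `wget` and build them without checking a checksum or signature, so a third-party mirror (`ftp.wayne.edu` is not an Apache-controlled host) or an on-path party can substitute the XML security libraries that end up signing and verifying SAML in every derived image. Add an expected SHA-256 as a companion build argument for each URL and fail the build on mismatch, for example `&& echo "${XMLSECC_SHA256}  xmlsecc.tar.gz" | sha256sum -c -` before the `tar -zxf`, and prefer `https://` and `archive.apache.org` for released versions since mirror contents change. The `FROM debian:9` to `debian:stretch` change is equivalent and needs no action.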
@@ -79,14 +79,16 @@ RUN wget -O xmlsecc.tar.gz "${XMLSECC_URL}" \ && cd .. \ && rm -r src -ARG XMLTOOLING_URL=http://shibboleth.net/downloads/c++-opensaml/latest/xmltooling-1.6.2.tar.gz +ARG XMLTOOLING_URL=http://shibboleth.net/downloads/c++-opensaml/3.0.1/xmltooling-3.0.4.tar.gz RUN wget -O xmltooling.tar.gz "${XMLTOOLING_URL}" \ && mkdir -p src \ && tar -zxf xmltooling.tar.gz -C src --strip-components=1 \ && rm -f xmltooling.tar.gz \ && cd src \ - && CXXFLAGS="-fPIC -std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ + && CXXFLAGS="-fPIC -std=gnu++98" \ + PKG_CONFIG_PATH=/opt/shibboleth-sp/lib/pkgconfig \ + ./configure --prefix=/opt/shibboleth-sp \ --with-log4shib=/opt/shibboleth-sp \ -C \ && make -j 2 \ @@ -94,14 +96,16 @@ RUN wget -O xmltooling.tar.gz "${XMLTOOLING_URL}" \ && cd .. \ && rm -r src -ARG OPENSAMLC_URL=http://shibboleth.net/downloads/c++-opensaml/latest/opensaml-2.6.1.tar.gz +ARG OPENSAMLC_URL=http://shibboleth.net/downloads/c++-opensaml/3.0.1/opensaml-3.0.1.tar.gz RUN wget -O opensamlc.tar.gz "${OPENSAMLC_URL}" \ && mkdir -p src \ && tar -zxf opensamlc.tar.gz -C src --strip-components=1 \ && rm -f opensamlc.tar.gz \ && cd src \ - && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ + && CXXFLAGS="-std=gnu++98" \ + PKG_CONFIG_PATH=/opt/shibboleth-sp/lib/pkgconfig \ + ./configure --prefix=/opt/shibboleth-sp \ --with-log4shib=/opt/shibboleth-sp \ -C \ && make -j 2 \ 
@@ -109,14 +113,16 @@ RUN wget -O opensamlc.tar.gz "${OPENSAMLC_URL}" \ && cd .. \ && rm -r src -ARG SHIBBOLETH_SP_URL=http://shibboleth.net/downloads/service-provider/latest/shibboleth-sp-2.6.1.tar.gz +ARG SHIBBOLETH_SP_URL=http://shibboleth.net/downloads/service-provider/3.0.4/shibboleth-sp-3.0.4.tar.gz RUN wget -O shibboleth-sp.tar.gz "${SHIBBOLETH_SP_URL}" \ && mkdir -p src \ && tar -zxf shibboleth-sp.tar.gz -C src --strip-components=1 \ && rm -f shibboleth-sp.tar.gz \ && cd src \ - && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ + && CXXFLAGS="-std=gnu++98 -Wno-unused-parameter" \ + PKG_CONFIG_PATH=/opt/shibboleth-sp/lib/pkgconfig \ + ./configure --prefix=/opt/shibboleth-sp \ --with-log4shib=/opt/shibboleth-sp \ --with-saml=/opt/shibboleth-sp \ --with-xerces=/opt/shibboleth-sp \ @@ -131,22 +137,8 @@ RUN wget -O shibboleth-sp.tar.gz "${SHIBBOLETH_SP_URL}" \ && cd .. \ && rm -r src -COPY shib2.load /etc/apache2/mods-available - -RUN /usr/sbin/useradd --system _shibd \ - && mkdir -p /var/run/shibboleth \ - && chown _shibd:_shibd /var/run/shibboleth \ - && chown -R _shibd:_shibd /opt/shibboleth-sp/var \ - && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \ - && rm -f /etc/shibboleth/shibboleth2.xml \ - && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \ - && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \ - && cd /opt/shibboleth-sp/etc \ - && rm -rf shibboleth \ - && ln -s /etc/shibboleth shibboleth \ - && a2enmod shib2 \ - && apt-get install -y --no-install-recommends supervisor \ - && mkdir -p /var/log/supervisor +COPY shib2.load /opt/shibboleth-sp/etc/shibboleth/shib2.load +COPY shibboleth2.xml.template /opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml.template RUN apt-get update && apt-get install -y \ && apt-get purge -y \ 
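Review bot: The `@@ -131,22 +137,8 @@` hunk drops the `useradd --system _shibd`, the `chown` of `/opt/shibboleth-sp/var` and of `sp-cert.pem`/`sp-key.pem`, and the `rm -f` of the stock `shibboleth2.xml`, so the base image now ships root-owned SP key material and both the stock `shibboleth2.xml` and the copied `shibboleth2.xml.template` under `/opt/shibboleth-sp/etc/shibboleth`. Since the README in this change says the image is a multi-stage base, state in it that derived images must create the unprivileged `_shibd` user, fix ownership of the key and the `var` tree, and choose which of the two configuration files shibd loads; otherwise a derived image that forgets this runs shibd as root against a default configuration. The added `-Wno-unused-parameter` in the `SHIBBOLETH_SP_URL` hunk only silences a compiler warning and is fine.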
@@ -158,30 +150,5 @@ RUN apt-get update && apt-get install -y \ libcurl4-openssl-dev \ libssl-dev \ make \ + pkg-config \ && apt-get clean - -COPY 000-site.conf /etc/apache2/sites-available/000-site.conf -COPY 000-site-behind-proxy.conf /etc/apache2/sites-available/000-site-behind-proxy.conf - -RUN a2enmod headers \ - && a2enmod ssl \ - && a2enmod rewrite \ - && a2dissite 000-default.conf \ - && a2ensite 000-site.conf \ - && a2disconf other-vhosts-access-log \ - && cd /etc/apache2 \ - && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ - && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem - -COPY shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml.template -COPY supervisord.conf /usr/local/etc/supervisord.conf - -COPY docker-apache-entrypoint /usr/local/bin/ -COPY docker-shibd-entrypoint /usr/local/bin/ -COPY apache2-foreground /usr/local/bin/ - -WORKDIR /var/www - -EXPOSE 80 443 - -ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"] diff --git a/comanage-registry-shibboleth-sp-base/README.md b/comanage-registry-shibboleth-sp-base/README.md index a3a06dd..e623e86 100644 --- a/comanage-registry-shibboleth-sp-base/README.md +++ b/comanage-registry-shibboleth-sp-base/README.md 
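Review bot: In the purge hunk, `libssl-dev` is listed for removal but the first hunk of this Dockerfile installs `libssl1.0-dev`, so the 1.0 development headers are likely left behind in the final layer; add `libssl1.0-dev` to the purge set while keeping `libssl1.0.2`, which the binaries built here link against at runtime. `pkg-config` is correctly added to both the install and purge lists. The `apt-get install -y \` with no package name before `&& apt-get purge -y` is a no-op and can be dropped. Removing `EXPOSE 80 443` and the supervisord `ENTRYPOINT` is consistent with the image becoming a build-only base.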
@@ -21,102 +21,40 @@ limitations under the License. # COmanage Registry Shibboleth SP Base -## What it is -This Dockerfile and associated files are used to build a Shibboleth SP -for Apache HTTP Server image intended to be used with +Intended to build a Shibboleth SP for Apache HTTP Server image intended to be used with [COmanage Registry](https://spaces.internet2.edu/display/COmanage/Home). The image built from this Dockerfile is primarily intended to be used as a base for building other COmanage Registry images using Dockerfile multi-stage build functionality. -It may, however, be used by itself and includes functional entrypoint -scripts for the Apache HTTP Server and Shibboleth shibd daemon. The -image uses Supervisord for managing the Apache and shibd daemon -processes. +## Build Arguments -## How To +The following arguments *may* be provided when building but are not required +since the Dockerfile uses the latest recommended values: -* Clone this repository: - -``` -git clone https://github.com/Internet2/comanage-registry-docker.git -cd comanage-registry-docker ``` - -* Build a local image: - +--build-arg LOG4SHIB_URL= +--build-arg OPENSAMLC_URL= +--build-arg SHIBBOLETH_SP_URL= +--build-arg XERCESC_URL= +--build-arg XMLSECC_URL= +--build-arg XMLTOOLING_URL= ``` -pushd comanage-registry-basic-shibboleth-sp-base -docker build -t comanage-registry-shibboleth-sp-base -popd -``` - -* Run: - -Without any additional configuration the container will run and the Apache -and shibd daemons will start, but because the Shibboleth SP requires federation -with a SAML Identity Provider (IdP) a proper SAML Web SSO flow until the SP -has been fully configured. 
-To configure the Shibboleth SP and Apache the following environment variables may -bet set at container start time: - -| Environment Variable | Description | Default | Example 1 | Example 2 | -| -------------------- | ----------- | --------- | --------- | ------- | -| HTTPS_CERT_FILE | path to certificate | self-signed image default | /var/run/secrets/https_cert_file | /cert.pem | -| HTTPS_PRIVKEY_FILE | path to private key | self-signed image default | /var/run/secrets/https_privkey_file | /key.pem | -| SERVER_NAME | FQDN | unknown | registry.my.org | comanage.my.org | -| SHIBBOLETH_SP_ENTITY_ID | SAML entityID | https://comanage.registry/shibboleth | https://registry.my.org/shibboleth | https://comanage.my.org/shibboleth | -| SHIBBOLETH_SP_CERT | path to SAML cert | image default | /var/run/secrets/shibboleth_cert_file | /sp-cert.pem | -| SHIBBOLETH_SP_PRIVKEY | path to SAML private key | image default | /var/run/secrets/shibboleth_privkey_file | /sp-key.pem | -| SHIBBOLETH_SP_SAMLDS_URL | URL for SAML DS | https://localhost/registry/pages/eds/index | https://registry.my.org/registry/pages/eds/index | https://my.org/disco | -| SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE | path to Shibboleth SP metadata XML config stanza | none | /var/run/secrets/shibboleth_metadata_config | /metdata.xml | - -For more complex Shibboleth SP configurations mount in the necessary -configuration files into the directory `/etc/shibboleth` -instead of setting environment variables. 
- -Here is an example `docker run` to start a container using an X.509 -certificate and private key for HTTPS from Let's Encrypt and a -previously generated SAML SP certificate and private key: +## Building ``` -docker run -d --name comanage-registry-shibboleth-sp-base \ - -v ${PWD}/fullchain.pem:/tmp/https_cert_file \ - -v ${PWD}/privkey.pem:/tmp/https_privkey_file \ - -v ${PWD}/sp-cert.pem:/tmp/sp-cert.pem \ - -v ${PWD}/sp-key.pem:/tmp/sp-key.pem \ - -e HTTPS_CERT_FILE=/tmp/https_cert_file \ - -e HTTPS_PRIVKEY_FILE=/tmp/https_privkey_file \ - -e SHIBBOLETH_SP_ENTITY_ID=https://registry.my.org/shibboleth \ - -e SHIBBOLETH_SP_CERT=/tmp/sp-cert.pem \ - -e SHIBBOLETH_SP_KEY=/tmp/sp-key.pem \ - -p 80:80 -p 443:443 \ - comanage-registry-shibboleth-sp-base +docker build \ + -t comanage-registry-shibboleth-sp-base: . ``` -Here is an example of how to use the image in a multi-stage build: +## Building Example ``` -FROM comanage-registry-shibboleth-sp-base as shibboleth-sp - -COPY --from=shibboleth-sp /opt/shibboleth-sp /opt/shibboleth-sp/ -COPY --from=shibboleth-sp /etc/shibboleth /etc/shibboleth/ -COPY --from=shibboleth-sp /etc/apache2/mods-available/shib2.load /etc/apache2/mods-available/shib2.load -COPY --from=shibboleth-sp /usr/local/bin/docker-apache-entrypoint /usr/local/bin/docker-apache-entrypoint -COPY --from=shibboleth-sp /usr/local/bin/docker-shibd-entrypoint /usr/local/bin/docker-shibd-entrypoint -COPY --from=shibboleth-sp /usr/local/bin/apache2-foreground /usr/local/bin/apache2-foreground - -RUN /usr/sbin/useradd --system _shibd \ - && mkdir -p /var/run/shibboleth \ - && chown _shibd:_shibd /var/run/shibboleth \ - && chown -R _shibd:_shibd /opt/shibboleth-sp/var \ - && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \ - && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \ - && mkdir -p /var/log/supervisor - -RUN a2enmod shib2 \ - && a2enmod rewrite \ +export COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION=3.0.3 +export 
COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION}-${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-shibboleth-sp-base:$TAG . ``` - diff --git a/comanage-registry-shibboleth-sp-base/apache2-foreground b/comanage-registry-shibboleth-sp-base/apache2-foreground deleted file mode 100755 index 5fe22e2..0000000 --- a/comanage-registry-shibboleth-sp-base/apache2-foreground +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/bash -set -e - -# Note: we don't just use "apache2ctl" here because it itself is just a shell-script wrapper around apache2 which provides extra functionality like "apache2ctl start" for launching apache2 in the background. -# (also, when run as "apache2ctl ", it does not use "exec", which leaves an undesirable resident shell process) - -: "${APACHE_CONFDIR:=/etc/apache2}" -: "${APACHE_ENVVARS:=$APACHE_CONFDIR/envvars}" -if test -f "$APACHE_ENVVARS"; then - . "$APACHE_ENVVARS" -fi - -# Apache gets grumpy about PID files pre-existing -: "${APACHE_RUN_DIR:=/var/run/apache2}" -: "${APACHE_PID_FILE:=$APACHE_RUN_DIR/apache2.pid}" -rm -f "$APACHE_PID_FILE" - -# create missing directories -# (especially APACHE_RUN_DIR, APACHE_LOCK_DIR, and APACHE_LOG_DIR) -for e in "${!APACHE_@}"; do - if [[ "$e" == *_DIR ]] && [[ "${!e}" == /* ]]; then - # handle "/var/lock" being a symlink to "/run/lock", but "/run/lock" not existing beforehand, so "/var/lock/something" fails to mkdir - # mkdir: cannot create directory '/var/lock': File exists - dir="${!e}" - while [ "$dir" != "$(dirname "$dir")" ]; do - dir="$(dirname "$dir")" - if [ -d "$dir" ]; then - break - fi - absDir="$(readlink -f "$dir" 2>/dev/null || :)" - if [ -n "$absDir" ]; then - mkdir -p "$absDir" - fi - done - - mkdir -p "${!e}" - fi -done - -exec apache2 -DFOREGROUND "$@" 
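Review bot: The Building Example sets `COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION=3.0.3`, but the Dockerfile in this same change defaults `SHIBBOLETH_SP_URL` to `shibboleth-sp-3.0.4.tar.gz`, so an image built by following the README is tagged with the wrong SP version; use 3.0.4 here, or derive the tag from the URL argument so the two cannot drift. The hunk also removes the table documenting `HTTPS_CERT_FILE`, `HTTPS_PRIVKEY_FILE`, `SERVER_NAME`, `SHIBBOLETH_SP_ENTITY_ID`, `SHIBBOLETH_SP_CERT`, `SHIBBOLETH_SP_PRIVKEY`, `SHIBBOLETH_SP_SAMLDS_URL` and `SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE` and the advice to mount files into `/etc/shibboleth`, without saying where that documentation now lives; add a pointer to the derived image's README. Minor: the opening sentence says "intended" twice.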
diff --git a/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint b/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint deleted file mode 100755 index 572a53a..0000000 --- a/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/bash - -# Apache HTTP Server Dockerfile entrypoint -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ -n "$DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi - -# Configuration details that may be injected through environment -# variables or the contents of files. - -injectable_config_vars=( - HTTPS_CERT_FILE - HTTPS_PRIVKEY_FILE - SERVER_NAME -) - -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. - -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; - - if [ -e "$file_name" ]; then - declare "${config_var}"=`cat $file_name` - fi -done - -# If defined use configured location of Apache HTTP Server -# HTTPS certificate and key files. The certificate file may also -# include intermediate CA certificates, sorted from leaf to root. 
-if [ -n "$HTTPS_CERT_FILE" ]; then - rm -f /etc/apache2/cert.pem - cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem - chown www-data /etc/apache2/cert.pem - chmod 0644 /etc/apache2/cert.pem -fi - -if [ -n "$HTTPS_PRIVKEY_FILE" ]; then - rm -f /etc/apache2/privkey.pem - cp "$HTTPS_PRIVKEY_FILE" /etc/apache2/privkey.pem - chown www-data /etc/apache2/privkey.pem - chmod 0600 /etc/apache2/privkey.pem -fi - -# If SERVER_NAME has not been injected try to determine -# it from the HTTPS_CERT_FILE. -if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'` - if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'` - fi -fi - -# Configure Apache HTTP Server with the server name. -sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@g /etc/apache2/sites-available/000-site.conf - -cat > /etc/apache2/conf-available/server-name.conf < "$OUTPUT" 2>&1 - -# first arg is `-f` or `--some-option` -if [ "${1#-}" != "$1" ]; then - set -- apache2-foreground "$@" -fi - -exec "$@" diff --git a/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint b/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint deleted file mode 100755 index 374d93f..0000000 --- a/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint +++ /dev/null 
@@ -1,137 +0,0 @@ -#!/bin/bash - -# Shibboleth SP Dockerfile entrypoint -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ -n "$DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi - -# Configuration details that may be injected through environment -# variables or the contents of files. -# -# SHIBBOLETH_SP_METADATA_PROVIDER_XML may also be injected in the -# same way but because of the presence of special characters in the -# XML it is handled differently. - -injectable_config_vars=( - SHIBBOLETH_SP_ENTITY_ID - SHIBBOLETH_SP_CERT - SHIBBOLETH_SP_PRIVKEY - SHIBBOLETH_SP_SAMLDS_URL -) - -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. 
- -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; - - if [ -e "$file_name" ]; then - payload=`cat $file_name` - declare "${config_var}"="${payload}" - fi -done - -# If no shibboleth2.xml file is present then create one using -# injected information or defaults that are not particularly -# useful in a federated context but will allow shibd to start. -if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then - cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml - sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml - sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml - - # The metadata provider injected input most likely contains special characters - # so use a sed script instead of simple substitution on the command line. - - if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then - xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" - else - xml_content_file=`/bin/mktemp` - echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file} - fi - - sed_script_file=`/bin/mktemp` - cat > ${sed_script_file}< /dev/null 2>&1 -chown _shibd:_shibd /etc/shibboleth/sp-key.pem > /dev/null 2>&1 - -chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/run > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth/shibd.sock > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/transaction.log > /dev/null 2>&1 -chown _shibd:_shibd 
/opt/shibboleth-sp/var/log/shibboleth/signature.log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd_warn.log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd.log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth-www > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/cache > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/cache/shibboleth > /dev/null 2>&1 - -# Warn about any files in /etc/shibboleth that the _shibd user cannot read. -su _shibd -c 'find /etc/shibboleth ! -readable' > /tmp/shibd-not-readable 2>/dev/null - -if [ -s /tmp/shibd-not-readable ]; then - echo "WARNING: the following files are not readable by _shibd" - cat /tmp/shibd-not-readable - echo "" -fi - -rm -f /tmp/shibd-not-readable > /dev/null 2>&1 - -# Start the daemon. -exec /opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F diff --git a/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template b/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template index dda4d13..173e405 100644 --- a/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template +++ b/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template @@ -1,13 +1,15 @@ - + + + REMOTE_USER="eppn persistent-id targeted-id" + cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" + > @@ -36,11 +38,12 @@ - - - + + diff --git a/comanage-registry-shibboleth-sp-base/supervisord.conf b/comanage-registry-shibboleth-sp-base/supervisord.conf deleted file mode 100644 index f39f3b0..0000000 --- a/comanage-registry-shibboleth-sp-base/supervisord.conf +++ /dev/null 
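Review bot: In the `shibboleth2.xml.template` hunk, the new `cipherSuites` value removes TLS 1.0 and 1.1 and the weak suites (`!RC4:!3DES:!kRSA` and the export/anonymous classes) from shibd's outbound TLS, which is a good default, but it will make metadata refreshes and SOAP back-channel calls fail against IdPs or metadata aggregators that still only offer TLS 1.0/1.1; note this in the README so a deployer who sees metadata errors knows which setting to check. For `REMOTE_USER="eppn persistent-id targeted-id"`, the order is what selects which attribute populates `REMOTE_USER` when several are released, so a comment in the template saying that `eppn` is preferred would save a support question.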
@@ -1,36 +0,0 @@ -; COmanage Registry Docker supervisord configuration -; -; Portions licensed to the University Corporation for Advanced Internet -; Development, Inc. ("UCAID") under one or more contributor license agreements. -; See the NOTICE file distributed with this work for additional information -; regarding copyright ownership. -; -; UCAID licenses this file to you under the Apache License, Version 2.0 -; (the "License"); you may not use this file except in compliance with the -; License. You may obtain a copy of the License at: -; -; http://www.apache.org/licenses/LICENSE-2.0 -; -; Unless required by applicable law or agreed to in writing, software -; distributed under the License is distributed on an "AS IS" BASIS, -; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -; See the License for the specific language governing permissions and -; limitations under the License. - -[supervisord] -nodaemon=true -user=root - -[program:apache2] -command=/usr/local/bin/docker-apache-entrypoint apache2-foreground -stdout_logfile=/dev/stdout -stdout_logfile_maxbytes=0 -stderr_logfile=/dev/stderr -stderr_logfile_maxbytes=0 - -[program:shibd] -command=/usr/local/bin/docker-shibd-entrypoint -stdout_logfile=/dev/stdout -stdout_logfile_maxbytes=0 -stderr_logfile=/dev/stderr -stderr_logfile_maxbytes=0 diff --git a/comanage-registry-shibboleth-sp/.dockerignore b/comanage-registry-shibboleth-sp/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-shibboleth-sp/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-shibboleth-sp/000-comanage.conf b/comanage-registry-shibboleth-sp/000-comanage.conf index 26310a6..41c3bcc 100644 --- a/comanage-registry-shibboleth-sp/000-comanage.conf +++ b/comanage-registry-shibboleth-sp/000-comanage.conf 
@@ -17,59 +17,37 @@ # See the License for the specific language governing permissions and # limitations under the License. - - ServerName http://%%SERVER_NAME%%:80 - RewriteEngine On - RewriteCond %{HTTPS} off - RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] - +Include apache-include-virtual-host-port80-redirect - ServerName https://%%SERVER_NAME%%:443 - - DocumentRoot /var/www/html - - RedirectMatch ^/$ /registry/ - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - LogLevel warn +Include apache-include-virtual-host-port443-base - Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" +SSLCertificateFile /etc/apache2/cert.pem +SSLCertificateKeyFile /etc/apache2/privkey.pem - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLHonorCipherOrder on +ErrorLog ${APACHE_LOG_DIR}/error.log +CustomLog ${APACHE_LOG_DIR}/access.log combined - SSLCertificateFile /etc/apache2/cert.pem - SSLCertificateKeyFile /etc/apache2/privkey.pem - - - Options Indexes FollowSymLinks - DirectoryIndex index.php - AllowOverride All - Require all granted - +Include apache-include-directory-registry - - SetHandler shib - + +SetHandler shib + - - AuthType shibboleth - ShibRequestSetting requireSession 1 - Require valid-user - + +AuthType shibboleth +ShibRequestSetting requireSession 1 +Require valid-user + - - AuthType shibboleth - Require shibboleth - + +AuthType shibboleth +Require shibboleth + - RewriteEngine On - RewriteCond %{QUERY_STRING} !after_redirect - RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R] +RewriteEngine On +RewriteCond %{QUERY_STRING} !after_redirect +RewriteRule ^/registry/auth/logout.* https://%{HTTP_HOST}/Shibboleth.sso/Logout?return=https://%{HTTP_HOST}/registry/auth/logout/?after_redirect [L,R] 
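Review bot: the logout RewriteRule now builds both the `Shibboleth.sso/Logout` target and its `return=` parameter from `%{HTTP_HOST}`, which is taken from the client's Host header, where the previous version used the configured `%%SERVER_NAME%%`; unless the vhost is pinned to a single ServerName with `UseCanonicalName On`, prefer `%{SERVER_NAME}` so the post-logout return URL cannot follow an arbitrary Host value. Also, dropping `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"`, `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite ...` and `SSLHonorCipherOrder on` in favour of `Include apache-include-virtual-host-port443-base` is only safe if that include carries equivalent settings; nothing in this diff shows them, so please say in the commit message or README where they now live.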
diff --git a/comanage-registry-shibboleth-sp/Dockerfile b/comanage-registry-shibboleth-sp/Dockerfile new file mode 100644 index 0000000..1a96d00 --- /dev/null +++ b/comanage-registry-shibboleth-sp/Dockerfile 
@@ -0,0 +1,73 @@ +# COmanage Registry Dockerfile +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +ARG COMANAGE_REGISTRY_VERSION=develop +ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +ARG COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION="3.0.3" +ARG COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=1 + +FROM comanage-registry-shibboleth-sp-base:${COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION}-${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION} AS shib-base + +FROM comanage-registry-base:${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} AS comanage + +ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION +ENV COMANAGE_REGISTRY_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} +LABEL comanage_registry_base_image_version=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} + +ARG COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION +ENV COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION ${COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION} +LABEL comanage_registry_shibboleth_sp_version=${COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION} + +ARG COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION +ENV COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION} +LABEL 
comanage_registry_shibboleth_sp_base_image_version ${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION} + +RUN apt-get install -y --no-install-recommends supervisor \ + && mkdir -p /var/log/supervisor + +COPY --from=shib-base /opt/shibboleth-sp /opt/shibboleth-sp/ +COPY --from=shib-base /opt/shibboleth-sp/etc/shibboleth/shib2.load /etc/apache2/mods-available/ + +RUN /usr/sbin/useradd --system _shibd \ + && mkdir -p /var/run/shibboleth \ + && chown _shibd:_shibd /var/run/shibboleth \ + && chown -R _shibd:_shibd /opt/shibboleth-sp/var \ + && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \ + && rm -f /etc/shibboleth/shibboleth2.xml \ + && chown _shibd:_shibd /etc/shibboleth/sp-signing-cert.pem \ + && chown _shibd:_shibd /etc/shibboleth/sp-signing-key.pem \ + && chown _shibd:_shibd /etc/shibboleth/sp-encrypt-cert.pem \ + && chown _shibd:_shibd /etc/shibboleth/sp-encrypt-key.pem \ + && cd /opt/shibboleth-sp/etc \ + && rm -rf shibboleth \ + && ln -s /etc/shibboleth shibboleth \ + && a2enmod shib2 + +COPY --chown=_shibd:_shibd shibd.logger /etc/shibboleth/shibd.logger +COPY --chown=_shibd:_shibd native.logger /etc/shibboleth/native.logger + +COPY supervisord.conf /usr/local/etc/supervisord.conf + +COPY 000-comanage.conf /etc/apache2/sites-available/ +RUN a2ensite 000-comanage + +COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/ + +VOLUME /etc/shibboleth + +ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"] diff --git a/comanage-registry-shibboleth-sp/Dockerfile.template b/comanage-registry-shibboleth-sp/Dockerfile.template deleted file mode 100644 index 3558e75..0000000 --- a/comanage-registry-shibboleth-sp/Dockerfile.template +++ /dev/null 
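Review bot: `RUN apt-get install -y --no-install-recommends supervisor` runs with no preceding `apt-get update` and never removes the package lists afterwards, so it depends on the base image having left a usable apt cache in place; either add `apt-get update` (and `rm -rf /var/lib/apt/lists/*`) to the same RUN or state that the base image guarantees it. The third LABEL, `comanage_registry_shibboleth_sp_base_image_version ${...}`, uses a space where the other two use `key=value`; write it as `LABEL comanage_registry_shibboleth_sp_base_image_version=${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION}` for consistency. Separately, the rewritten docker-comanage-shibboleth-sp-entrypoint later in this change does `source /usr/local/lib/comanage_shibboleth_sp_utils.sh`, yet this Dockerfile copies only `/opt/shibboleth-sp` and `shib2.load` from `shib-base`, so that library must already be present in `comanage-registry-base` or the container fails at start; a `COPY --from=shib-base` of it here, or a comment naming where it comes from, would make the dependency explicit.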
@@ -1,251 +0,0 @@ -# COmanage Registry Dockerfile template -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Official PHP image with Apache HTTPD includes -# --with-openssl -# --with-mbstring -# and includes pdo -# but xls, pdo_mysql, pdo_pgsql, mysqli, pgsql, -# and ldap extensions must be built. -FROM php:7.0-apache-jessie - -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - apache2-dev \ - file \ - gcc \ - g++ \ - libboost-dev \ - libcurl4-openssl-dev \ - libssl-dev \ - libssl1.0.0 \ - make \ - wget - -ARG LOG4SHIB_URL=http://shibboleth.net/downloads/log4shib/1.0.9/log4shib-1.0.9.tar.gz - -RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}" \ - && mkdir -p src \ - && tar -zxf log4shib.tar.gz -C src --strip-components=1 \ - && rm -f log4shib.tar.gz \ - && cd src \ - && LD_FLAGS=-lpthread CXXFLAGS=-fPIC ./configure --disable-static \ - --disable-doxygen \ - --prefix=/opt/shibboleth-sp \ - --build=x86_64 \ - && LD_FLAGS=-lpthread make \ - && make -j 2 install \ - && cd .. 
\ - && rm -r src - -ARG XERCESC_URL=http://www.apache.org/dist/xerces/c/3/sources/xerces-c-3.2.2.tar.gz - -RUN wget -O xerces.tar.gz "${XERCESC_URL}" \ - && mkdir -p src \ - && tar -zxf xerces.tar.gz -C src --strip-components=1 \ - && rm -f xerces.tar.gz \ - && cd src \ - && ./configure --prefix=/opt/shibboleth-sp \ - && make -j 2 \ - && make install \ - && cd .. \ - && rm -r src - -ARG XMLSECC_URL=http://archive.apache.org/dist/santuario/c-library/xml-security-c-1.7.3.tar.gz - -RUN wget -O xmlsecc.tar.gz "${XMLSECC_URL}" \ - && mkdir -p src \ - && tar -zxf xmlsecc.tar.gz -C src --strip-components=1 \ - && rm -f xmlsecc.tar.gz \ - && cd src \ - && ./configure --prefix=/opt/shibboleth-sp \ - --with-xerces=/opt/shibboleth-sp \ - --with-openssl=/usr \ - --disable-static \ - --without-xalan \ - && make -j 2 \ - && make install \ - && cd .. \ - && rm -r src - -ARG XMLTOOLING_URL=http://shibboleth.net/downloads/c++-opensaml/2.6.1/xmltooling-1.6.4.tar.gz - -RUN wget -O xmltooling.tar.gz "${XMLTOOLING_URL}" \ - && mkdir -p src \ - && tar -zxf xmltooling.tar.gz -C src --strip-components=1 \ - && rm -f xmltooling.tar.gz \ - && cd src \ - && CXXFLAGS=-fPIC ./configure --prefix=/opt/shibboleth-sp \ - --with-log4shib=/opt/shibboleth-sp \ - -C \ - && make -j 2 \ - && make install \ - && cd .. \ - && rm -r src - -ARG OPENSAMLC_URL=http://shibboleth.net/downloads/c++-opensaml/2.6.1/opensaml-2.6.1.tar.gz - -RUN wget -O opensamlc.tar.gz "${OPENSAMLC_URL}" \ - && mkdir -p src \ - && tar -zxf opensamlc.tar.gz -C src --strip-components=1 \ - && rm -f opensamlc.tar.gz \ - && cd src \ - && ./configure --prefix=/opt/shibboleth-sp \ - --with-log4shib=/opt/shibboleth-sp \ - -C \ - && make -j 2 \ - && make install \ - && cd .. 
\ - && rm -r src - -ARG SHIBBOLETH_SP_URL=http://shibboleth.net/downloads/service-provider/2.6.1/shibboleth-sp-2.6.1.tar.gz - -RUN wget -O shibboleth-sp.tar.gz "${SHIBBOLETH_SP_URL}" \ - && mkdir -p src \ - && tar -zxf shibboleth-sp.tar.gz -C src --strip-components=1 \ - && rm -f shibboleth-sp.tar.gz \ - && cd src \ - && ./configure --prefix=/opt/shibboleth-sp \ - --with-log4shib=/opt/shibboleth-sp \ - --with-saml=/opt/shibboleth-sp \ - --with-xerces=/opt/shibboleth-sp \ - --with-xmlsec=/opt/shibboleth-sp \ - --with-xmltooling=/opt/shibboleth-sp \ - --enable-apache-24 \ - --with-apxs24=/usr/bin/apxs \ - --disable-adfs \ - --disable-obc \ - && make -j 2 \ - && make install \ - && cd .. \ - && rm -r src - -COPY shib2.load /etc/apache2/mods-available - -RUN /usr/sbin/useradd --system _shibd \ - && mkdir -p /var/run/shibboleth \ - && chown _shibd:_shibd /var/run/shibboleth \ - && chown -R _shibd:_shibd /opt/shibboleth-sp/var \ - && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \ - && rm -f /etc/shibboleth/shibboleth2.xml \ - && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \ - && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \ - && cd /opt/shibboleth-sp/etc \ - && rm -rf shibboleth \ - && ln -s /etc/shibboleth shibboleth \ - && a2enmod shib2 \ - && apt-get install -y --no-install-recommends supervisor \ - && mkdir -p /var/log/supervisor - -RUN apt-get update && apt-get install -y \ - libldap-2.4-2 \ - libldap2-dev \ - libmysqlclient18 \ - libmysqlclient-dev \ - libpq-dev \ - libxml2 \ - libxslt1-dev \ - libxslt1.1 \ - ssl-cert \ - wget \ - zlib1g \ - libpcre3-dev \ - && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \ - && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \ - && docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \ - && docker-php-ext-install xsl pdo_mysql pdo_pgsql mysqli pgsql ldap \ - && docker-php-source delete \ - && apt-get purge -y \ - libldap2-dev \ - libmysqlclient-dev \ - libpq-dev \ - 
apache2-dev \ - file \ - gcc \ - g++ \ - libboost-dev \ - libcurl4-openssl-dev \ - libssl-dev \ - make \ - && apt-get clean - -ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%% -ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz - -LABEL comanage_registry_version=$COMANAGE_REGISTRY_VERSION -LABEL comanage_registry_src_url=$COMANAGE_REGISTRY_SRC_URL - -ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry - -WORKDIR "$COMANAGE_REGISTRY_DIR" - -COPY 000-comanage.conf /etc/apache2/sites-available/000-comanage.conf - -RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ - && wget -O comanage.tar.gz $COMANAGE_REGISTRY_SRC_URL \ - && tar -zxf comanage.tar.gz -C "$COMANAGE_REGISTRY_DIR" --strip-components=1 \ - && rm -f comanage.tar.gz \ - && rm -f "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && cp -r "$COMANAGE_REGISTRY_DIR/app/tmp.dist" "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && cd /var/www/html \ - && ln -s "$COMANAGE_REGISTRY_DIR/app/webroot" registry \ - && rm -rf "$COMANAGE_REGISTRY_DIR/local/*" \ - && ln -s "$COMANAGE_REGISTRY_DIR/local" /local \ - && a2enmod headers \ - && a2enmod ssl \ - && a2enmod rewrite \ - && a2dissite 000-default.conf \ - && a2ensite 000-comanage.conf \ - && a2disconf other-vhosts-access-log \ - && cd /etc/apache2 \ - && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ - && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ - && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" - -COPY shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml.template -COPY supervisord.conf /usr/local/etc/supervisord.conf - -COPY docker-comanage-entrypoint /usr/local/bin/ -COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/ - -# expose COmanage Registry local directory -VOLUME ["/local"] - -WORKDIR /var/www/html - -EXPOSE 80 443 - 
-# Default values for first administrator bootstrapped -# into the platform, most likely overridden at build time -# using build arguments. -ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME -ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME -ARG COMANAGE_REGISTRY_ADMIN_USERNAME -ARG COMANAGE_REGISTRY_ENABLE_POOLING - -ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry} -ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin} -ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin} -ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No} - -# expose Shibboleth SP configuration files -VOLUME ["/etc/shibboleth"] - -ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"] diff --git a/comanage-registry-shibboleth-sp/README.md b/comanage-registry-shibboleth-sp/README.md index c419285..8ecb33a 100644 --- a/comanage-registry-shibboleth-sp/README.md +++ b/comanage-registry-shibboleth-sp/README.md 
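Review bot: deleting Dockerfile.template also drops the ARG/ENV defaults for the bootstrap administrator (`COMANAGE_REGISTRY_ADMIN_GIVEN_NAME` defaulting to Registry, `COMANAGE_REGISTRY_ADMIN_FAMILY_NAME` to Admin, `COMANAGE_REGISTRY_ADMIN_USERNAME` to registry.admin, `COMANAGE_REGISTRY_ENABLE_POOLING` to No) and the `VOLUME ["/local"]` declaration, and the new Dockerfile in this change redeclares none of them; the updated README now passes the admin values with `-e` at run time, so confirm that the base image carries these defaults and the /local volume, otherwise first-run setup would receive empty admin values. The removed build also compiled Shibboleth SP 2.6.1, xml-security-c 1.7.3 and log4shib 1.0.9 from source with `--disable-adfs --disable-obc`; the commit message should say that the 3.0.3 base image supersedes that tool chain so nobody looks for those pins here.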
@@ -21,145 +21,115 @@ limitations under the License. # COmanage Registry Shibboleth -Intended to build a COmanage Registry image -using the official PHP 7 with Apache image as the foundation -and providing the Shibboleth Native SP for Apache HTTP Server -as the authentication mechanism. +Intended to build a COmanage Registry image using the Shibboleth Native SP +for Apache HTTP Server (Shibboleth) as the authentication mechanism. -## Build +## Build Arguments + +Building the image requires the following build arguments: ``` -export COMANAGE_REGISTRY_VERSION=develop -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp . +--build-arg COMANAGE_REGISTRY_VERSION= +--build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION= +--build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION= +--build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION= ``` -You can (and should) use build arguments to bootstrap the first -platform administrator. The administrator username is the value -COmanage Registry expects to read from $REMOTE\_USER after -the administrator authenticates using whichever authentication -method is provided: +## Build Requirements + +This image uses a [multi-stage build](https://docs.docker.com/develop/develop-images/multistage-build/). +It requires that the [COmanage Registry base image](../comanage-registry-base/README.md) +and [Shibboleth SP base image](../comanage-registry-shibboleth-sp-base/README.md) be built first. +## Building + +``` +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION= \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION= \ + --build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION= \ + --build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION= \ + -t comanage-registry: . 
``` -export COMANAGE_REGISTRY_VERSION=develop -export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel -export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak -export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org +## Building Example -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile +``` +export COMANAGE_REGISTRY_VERSION=3.2.1 +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +export COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION=3.0.3 +export COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=1 +export COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_VERSION}-shibboleth-sp-${COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION}" docker build \ - --build-arg COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} \ - --build-arg COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} \ - --build-arg COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} \ - -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp . + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + --build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION=${COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION} \ + --build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . ``` -## Run -### Database +## Volumes and Data Persistence -COmanage Registry requires a relational database. See the -[PostgreSQL example for COmanage Registry](../comanage-registry-postgres/README.md). +See [COmanage Registry Volumes and Data Persistence](../docs/volumes-and-data-persistence.md). 
-### Network -Create a user-defined network bridge with +## Environment Variables -``` -docker network create --driver=bridge \ - --subnet=192.168.0.0/16 \ - --gateway=192.168.0.100 \ - comanage-registry-internal-network -``` +See the [list of environment variables common to all images](../docs/comanage-registry-common-environment-variables.md) +including this image. -### COmanage Registry Configuration +See also the +[list of environment variables common to all images using Shibboleth](../docs/comanage-registry-common-shibboleth-environment-variables.md). -Create a directory to hold persistent COmanage Registry configuration and -other state such as local plugins and other customizations. In that directory -create a `Config` directory and in it place a `database.php` and `email.php` -configuration file: +## Authentication -``` -mkdir -p /opt/comanage-registry/Config - -cat > /opt/comanage-registry/Config/database.php <<"EOF" - 'Database/Postgres', - 'persistent' => false, - 'host' => 'comanage-registry-database', - 'login' => 'registry_user', - 'password' => 'password', - 'database' => 'registry', - 'prefix' => 'cm_', - ); - -} -EOF - -cat > /opt/comanage-registry/Config/email.php <<"EOF" - 'Smtp', - 'host' => 'tls://smtp.gmail.com', - 'port' => 465, - 'username' => 'account@gmail.com', - 'password' => 'password' - ); -} -EOF -``` +This image supports using the Shibboleth Native SP for Apache HTTP Server (Shibboleth) as the +authentication mechanism. Deployers should configure Shibboleth so that the desired +asserted user attribute is written into `REMOTE_USER`. -### Shibboleth SP Configuration +## Ports -Mount or COPY Shibboleth SP configuration files into the directory -`/etc/shibboleth`. A standard set of default files is already present -in the image. +The image listens for web traffic on ports 80 and 443. All requests +on port 80 are redirected to port 443. 
-``` -COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml -COPY sp-cert.pem /etc/shibboleth/sp-cert.pem -COPY sp-key.pem /etc/shibboleth/sp-key.pem -``` +## Running -### Container +See other documentation in this repository for details on how to orchestrate +running this image with other images using an orchestration tool like +Docker Compose, Docker Swarm, or Kubernetes. + +To run this image: ``` -docker run -d --name comanage-registry \ - -v /opt/comanage-registry:/srv/comanage-registry/local \ - --network comanage-registry-internal-network \ - -p 80:80 -p 443:443 \ - comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp +docker run -d \ + --name comanage-registry \ + -e COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Julia \ + -e COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Janseen \ + -e COMANAGE_REGISTRY_ADMIN_USERNAME=julia.janseen@my.org \ + -e SHIBBOLETH_SP_ENTITY_ID=https://myapp.my.org/shibboleth/sp \ + -e SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/etc/shibboleth/my-org-metadata.xml \ + -v /opt/comanage-registry-local:/srv/comanage-registry/local \ + -v /etc/shibboleth/sp-encrypt-cert.pem:/etc/shibboleth/sp-encrypt-cert.pem \ + -v /etc/shibboleth/sp-encrypt-key.pem:/etc/shibboleth/sp-encrypt-key.pem \ + -v /etc/shibboleth/my-org-metadata.xml:/etc/shibboleth/my-org-metadata.xml \ + -p 80:80 \ + -p 443:443 \ + comanage-registry:3.2.1-shibboleth-sp-1 ``` -### Logging +## Logging -Both Apache HTTP Server and COmanage Registry log to the stdout and +Apache HTTP Server, COmanage Registry, Shibboleth, and supervisord all log to the stdout and stderr of the container. -The Shibboleth SP can also log to the stdout and stderr of the container -by setting the `logger` configuration option in `shibboleth2.xml`. - -``` - -``` +## HTTPS Configuration -### HTTPS Configuration +See the section on environment variables and the `HTTPS_CERT_FILE` and +`HTTPS_PRIVKEY_FILE` variables. 
-Mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) -and associated private key file. +Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) +and associated private key file. For example ``` COPY cert.pem /etc/apache2/cert.pem diff --git a/comanage-registry-shibboleth-sp/docker-comanage-entrypoint b/comanage-registry-shibboleth-sp/docker-comanage-entrypoint deleted file mode 100755 index 2d7e2ef..0000000 --- a/comanage-registry-shibboleth-sp/docker-comanage-entrypoint +++ /dev/null 
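Review bot: the `docker run` example in the README mounts only `sp-encrypt-cert.pem` and `sp-encrypt-key.pem`, while the Dockerfile in this change chowns both the `sp-signing-*` and `sp-encrypt-*` pairs; say what happens to the signing key when it is not mounted (the pair baked into `/etc/shibboleth` by the base build would be used), since that key is what identifies the SP to federation partners and should be a deployer-controlled, persistent file just like the encryption pair. The Authentication section tells deployers to configure Shibboleth so the desired attribute is written into `REMOTE_USER`, but shibboleth2.xml.template in this same change already sets `REMOTE_USER="eppn persistent-id targeted-id"`; state that default order here so deployers know what they get without overriding the template.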
@@ -1,294 +0,0 @@ -#!/bin/bash - -# COmanage Registry Dockerfile entrypoint -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ -n "$COMANAGE_DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi - -# Configuration details that may be injected through environment -# variables or the contents of files. - -injectable_config_vars=( - COMANAGE_REGISTRY_DATASOURCE - COMANAGE_REGISTRY_DATABASE - COMANAGE_REGISTRY_DATABASE_HOST - COMANAGE_REGISTRY_DATABASE_USER - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD - COMANAGE_REGISTRY_EMAIL_FROM - COMANAGE_REGISTRY_EMAIL_TRANSPORT - COMANAGE_REGISTRY_EMAIL_HOST - COMANAGE_REGISTRY_EMAIL_PORT - COMANAGE_REGISTRY_EMAIL_ACCOUNT - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD - COMANAGE_REGISTRY_SECURITY_SALT - COMANAGE_REGISTRY_SECURITY_SEED - HTTPS_CERT_FILE - HTTPS_PRIVKEY_FILE - SERVER_NAME -) - -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. 
- -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; - - if [ -e "$file_name" ]; then - declare "${config_var}"=`cat $file_name` - fi -done - -# Make sure the directory structure we need is available -# in the data volume for $COMANAGE_REGISTRY_DIR/local -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img" - -# If the COmanage Registry database configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -if [ ! -e "$COMANAGE_REGISTRY_DIR/local/Config/database.php" ]; then - cat > "$COMANAGE_REGISTRY_DIR/local/Config/database.php" < '${COMANAGE_REGISTRY_DATASOURCE:-Database/Postgres}', - 'persistent' => false, - 'host' => '${COMANAGE_REGISTRY_DATABASE_HOST:-comanage-registry-database}', - 'login' => '${COMANAGE_REGISTRY_DATABASE_USER:-registry_user}', - 'password' => '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD:-password}', - 'database' => '${COMANAGE_REGISTRY_DATABASE:-registry}', - 'prefix' => 'cm_', - ); - -} -EOF -fi - -# If the COmanage Registry email configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -email_config="$COMANAGE_REGISTRY_DIR/local/Config/email.php" - -if [ ! 
-e "$email_config" ]; then - cat > "$email_config" < ${COMANAGE_REGISTRY_EMAIL_FROM:-array('account@gmail.com' => 'Registry')}, - 'transport' => '${COMANAGE_REGISTRY_EMAIL_TRANSPORT:-Smtp}', - 'host' => '${COMANAGE_REGISTRY_EMAIL_HOST:-tls://smtp.gmail.com}', - 'port' => ${COMANAGE_REGISTRY_EMAIL_PORT:-465}, - 'username' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT:-account@gmail.com}', - 'password' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD:-password}' - ); -} -EOF -fi - -# Loop until we are able to open a connection to the database. -DATABASE_TEST_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/DatabaseTestShell.php" - -cat > $DATABASE_TEST_SCRIPT <<"EOF" -error("Unable to connect to datasource"); - } - $this->out("Connected to datasource"); - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -until ./Console/cake databaseTest > "$OUTPUT" 2>&1; do - >&2 echo "Database is unavailable - sleeping" - sleep 1 -done - -rm -f "$DATABASE_TEST_SCRIPT" - -popd > "$OUTPUT" 2>&1 - -# We only want to run the setup script once since it creates -# state in the database. Until COmanage Registry has a better -# mechanism for telling us if setup has already been run -# we create an ephemeral CakePHP script to tell us. -SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php" - -cat > $SETUP_ALREADY_SCRIPT <<"EOF" -Co->find('first', $args); - } catch (CakeException $e) { - $this->out('Not setup already'); - } - - if(empty($co)) { - $this->out('Not setup already'); - } else { - $this->error('Setup already'); - } - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 -./Console/cake setupAlready > "$OUTPUT" 2>&1 -setup_already=$? - -rm -f "$SETUP_ALREADY_SCRIPT" - -if [ $setup_already -eq 0 ]; then - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > "$OUTPUT" 2>&1 - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > "$OUTPUT" 2>&1 - # Run database twice until issue on develop branch is resolved. 
Since - # the command is idempotent normally it is not a problem to have it run - # more than once. - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \ - --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \ - --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \ - --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" 2>&1 - AUTO_GENERATED_SECURITY=1 -fi - -popd > "$OUTPUT" 2>&1 - -# If COmanage Registry CakePHP security salt and seed have been -# injected and the files do not otherwise exist create them. -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SALT" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SALT" > "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" -fi - -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SEED" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SEED" > "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" -fi - -# We always run upgradeVersion since it will not make any changes -# if the current and target versions are the same or if -# an upgrade from the current to the target version is not allowed. -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -./Console/cake upgradeVersion "${COMANAGE_REGISTRY_UPGRADE_VERSION_OPTS}" > "$OUTPUT" 2>&1 - -popd > "$OUTPUT" 2>&1 - -# Force a datbase update if requested. This is helpful when deploying -# a new version of the code that does not result in a change in the -# version number and so upgradeVersion does not fire. An example -# of this scenario is when new code is introduced in the develop -# branch but before a release happens. -if [ -n "$COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE" ]; then - echo "Forcing a database schema update..." 
> "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 -fi - -# Enable any supported non-core plugins if requested. -if [ -n "$COMANAGE_REGISTRY_ENABLE_PLUGIN" ]; then - plugins=(`echo "$COMANAGE_REGISTRY_ENABLE_PLUGIN" | sed -e 's@,@ @g'`) > "$OUTPUT" 2>&1 - for plugin in "${plugins[@]}"; - do - echo "Enabling available plugin $plugin..." > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/local/Plugin" > "$OUTPUT" 2>&1 - ln -s "../../app/AvailablePlugin/$plugin" "$plugin" > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - done -fi - -# Remove any cache files generated thus far. -find "$COMANAGE_REGISTRY_DIR/app/tmp/cache" -type f -exec rm -f {} \; - -# If defined use configured location of Apache HTTP Server -# HTTPS certificate and key files. The certificate file may also -# include intermediate CA certificates, sorted from leaf to root. -if [ -n "$HTTPS_CERT_FILE" ]; then - rm -f /etc/apache2/cert.pem - cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem - chown www-data /etc/apache2/cert.pem - chmod 0644 /etc/apache2/cert.pem -fi - -if [ -n "$HTTPS_PRIVKEY_FILE" ]; then - rm -f /etc/apache2/privkey.pem - cp "$HTTPS_PRIVKEY_FILE" /etc/apache2/privkey.pem - chown www-data /etc/apache2/privkey.pem - chmod 0600 /etc/apache2/privkey.pem -fi - -# If SERVER_NAME has not been injected try to determine -# it from the HTTPS_CERT_FILE. -if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'` - if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'` - fi -fi - -# Configure Apache HTTP Server with the server name. 
-sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@g /etc/apache2/sites-available/000-comanage.conf - -cat > /etc/apache2/conf-available/server-name.conf < "$OUTPUT" 2>&1 - -# first arg is `-f` or `--some-option` -if [ "${1#-}" != "$1" ]; then - set -- apache2-foreground "$@" -fi - -exec "$@" diff --git a/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint b/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint index a95a0a6..28dc7b6 100755 --- a/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint +++ b/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint 
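Review bot: the deleted docker-comanage-entrypoint was the code that applied `HTTPS_CERT_FILE` / `HTTPS_PRIVKEY_FILE` (copying them to /etc/apache2 with `chmod 0644` on cert.pem and `chmod 0600` on privkey.pem), derived `SERVER_NAME` from the certificate's SAN or CN, wrote `security.salt` / `security.seed`, and generated database.php and email.php with the evaluation fallbacks `'password' => 'password'`; the README in this change still documents `HTTPS_CERT_FILE` and `HTTPS_PRIVKEY_FILE`, so the replacement entrypoint in the base image must provide at least that behaviour, including the 0600 mode on the private key. Please name the base-image file that now owns this logic in the commit message so a reviewer can check it.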
@@ -19,119 +19,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -if [ -n "$COMANAGE_DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi +source /usr/local/lib/comanage_shibboleth_sp_utils.sh -# Configuration details that may be injected through environment -# variables or the contents of files. -# -# SHIBBOLETH_SP_METADATA_PROVIDER_XML may also be injected in the -# same way but because of the presence of special characters in the -# XML it is handled differently. - -injectable_config_vars=( - SHIBBOLETH_SP_ENTITY_ID - SHIBBOLETH_SP_CERT - SHIBBOLETH_SP_PRIVKEY - SHIBBOLETH_SP_SAMLDS_URL -) - -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. - -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; - - if [ -e "$file_name" ]; then - payload=`cat $file_name` - declare "${config_var}"="${payload}" - fi -done - -# If no shibboleth2.xml file is present then create one using -# injected information or defaults that are not particularly -# useful in a federated context but will allow shibd to start. -if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then - cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml - sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml - sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml - - # The metadata provider injected input most likely contains special characters - # so use a sed script instead of simple substitution on the command line. 
- - if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then - xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" - else - xml_content_file=`/bin/mktemp` - echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file} - fi - - sed_script_file=`/bin/mktemp` - cat > ${sed_script_file}< /dev/null 2>&1 -chown _shibd:_shibd /etc/shibboleth/sp-key.pem > /dev/null 2>&1 - -chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/run > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth/shibd.sock > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/transaction.log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/signature.log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd_warn.log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd.log > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth-www > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/cache > /dev/null 2>&1 -chown _shibd:_shibd /opt/shibboleth-sp/var/cache/shibboleth > /dev/null 2>&1 - -# Warn about any files in /etc/shibboleth that the _shibd user cannot read. -su _shibd -c 'find /etc/shibboleth ! -readable' > /tmp/shibd-not-readable 2>/dev/null - -if [ -s /tmp/shibd-not-readable ]; then - echo "WARNING: the following files are not readable by _shibd" - cat /tmp/shibd-not-readable - echo "" -fi - -rm -f /tmp/shibd-not-readable > /dev/null 2>&1 - -# Start the daemon. 
-exec /opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F +comanage_shibboleth_sp_utils::exec_shibboleth_sp_daemon diff --git a/comanage-registry-shibboleth-sp/native.logger b/comanage-registry-shibboleth-sp/native.logger new file mode 100644 index 0000000..f8300c8 --- /dev/null +++ b/comanage-registry-shibboleth-sp/native.logger @@ -0,0 +1,32 @@ +# set overall behavior +log4j.rootCategory=INFO, native_log + +# fairly verbose for DEBUG, so generally leave at WARN/INFO +log4j.category.XMLTooling.XMLObject=WARN +log4j.category.XMLTooling.KeyInfoResolver=WARN +log4j.category.Shibboleth.IPRange=WARN +log4j.category.Shibboleth.PropertySet=WARN + +# raise for low-level tracing of SOAP client HTTP/SSL behavior +log4j.category.XMLTooling.libcurl=WARN + +# useful categories to tune independently: +# +# tracing of SAML messages and security policies +#log4j.category.OpenSAML.MessageDecoder=DEBUG +#log4j.category.OpenSAML.MessageEncoder=DEBUG +#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG +# interprocess message remoting +#log4j.category.Shibboleth.Listener=DEBUG +# mapping of requests to applicationId +#log4j.category.Shibboleth.RequestMapper=DEBUG +# high level session cache operations +#log4j.category.Shibboleth.SessionCache=DEBUG +# persistent storage and caching +#log4j.category.XMLTooling.StorageService=DEBUG + +# define the appender + +log4j.appender.native_log=org.apache.log4j.ConsoleAppender +log4j.appender.native_log.layout=org.apache.log4j.PatternLayout +log4j.appender.native_log.layout.ConversionPattern=native_log %p %c %x: %m%n diff --git a/comanage-registry-shibboleth-sp/shibboleth2.xml.template b/comanage-registry-shibboleth-sp/shibboleth2.xml.template deleted file mode 100644 index dda4d13..0000000 --- a/comanage-registry-shibboleth-sp/shibboleth2.xml.template +++ /dev/null 
@@ -1,51 +0,0 @@ - - - - - - - - SAML2 - - - Local - - - - - - - - - - - - - %%SHIBBOLETH_SP_METADATA_PROVIDER_XML%% - - - - - - - - - - - - - - - - diff --git a/comanage-registry-shibboleth-sp/shibd.logger b/comanage-registry-shibboleth-sp/shibd.logger new file mode 100644 index 0000000..5fd332b --- /dev/null +++ b/comanage-registry-shibboleth-sp/shibd.logger 
@@ -0,0 +1,57 @@ +# set overall behavior +log4j.rootCategory=INFO, shibd_log + +# fairly verbose for DEBUG, so generally leave at INFO +log4j.category.XMLTooling.XMLObject=INFO +log4j.category.XMLTooling.KeyInfoResolver=INFO +log4j.category.Shibboleth.IPRange=INFO +log4j.category.Shibboleth.PropertySet=INFO + +# raise for low-level tracing of SOAP client HTTP/SSL behavior +log4j.category.XMLTooling.libcurl=INFO + +# useful categories to tune independently: +# +# tracing of SAML messages and security policies +#log4j.category.OpenSAML.MessageDecoder=DEBUG +#log4j.category.OpenSAML.MessageEncoder=DEBUG +#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG +#log4j.category.XMLTooling.SOAPClient=DEBUG +# interprocess message remoting +#log4j.category.Shibboleth.Listener=DEBUG +# mapping of requests to applicationId +#log4j.category.Shibboleth.RequestMapper=DEBUG +# high level session cache operations +#log4j.category.Shibboleth.SessionCache=DEBUG +# persistent storage and caching +#log4j.category.XMLTooling.StorageService=DEBUG + +# logs XML being signed or verified if set to DEBUG +log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log +log4j.additivity.XMLTooling.Signature.Debugger=false +log4j.ownAppenders.XMLTooling.Signature.Debugger=true + +# the tran log blocks the "default" appender(s) at runtime +# Level should be left at INFO for this category +log4j.category.Shibboleth-TRANSACTION=INFO, tran_log +log4j.additivity.Shibboleth-TRANSACTION=false +log4j.ownAppenders.Shibboleth-TRANSACTION=true + +# uncomment to suppress particular event types +#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN +#log4j.category.Shibboleth-TRANSACTION.Login=WARN +#log4j.category.Shibboleth-TRANSACTION.Logout=WARN + +# define the appenders + +log4j.appender.shibd_log=org.apache.log4j.ConsoleAppender +log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout +log4j.appender.shibd_log.layout.ConversionPattern=shibd_log %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n + 
+log4j.appender.tran_log=org.apache.log4j.ConsoleAppender +log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout +log4j.appender.tran_log.layout.ConversionPattern=tran_log %d{%Y-%m-%d %H:%M:%S}|%c|%m%n + +log4j.appender.sig_log=org.apache.log4j.ConsoleAppender +log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout +log4j.appender.sig_log.layout.ConversionPattern=sig_log %m diff --git a/comanage-registry-slapd-base/.dockerignore b/comanage-registry-slapd-base/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-slapd-base/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-slapd-base/Dockerfile b/comanage-registry-slapd-base/Dockerfile index 10d1209..1cfcb62 100644 --- a/comanage-registry-slapd-base/Dockerfile +++ b/comanage-registry-slapd-base/Dockerfile @@ -16,7 +16,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM debian:jessie +FROM debian:stretch RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \ diff --git a/comanage-registry-slapd-base/README.md b/comanage-registry-slapd-base/README.md new file mode 100644 index 0000000..9a39d61 --- /dev/null +++ b/comanage-registry-slapd-base/README.md 
@@ -0,0 +1,54 @@ + +# OpenLDAP slapd base for COmanage Registry + +Intended to build an OpenLDAP slapd base image used by other +images in this repository as part of a +[multi-stage](https://docs.docker.com/develop/develop-images/multistage-build/) +build. + +## Build Arguments + +No arguments are required for building the image. + +The following arguments may be supplied during the build: + +``` +--build-arg OLC_SUFFIX= +--build-arg OLC_ROOT_DN= +--build-arg OLC_ROOT_PW= +``` + +## Building + +``` +docker build \ + -t comanage-registry-slapd-base: . +``` + +## Building Example + +``` +export COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-slapd-base:$TAG . +``` diff --git a/comanage-registry-slapd-base/voperson.ldif b/comanage-registry-slapd-base/voperson.ldif index aeb5dce..bdce11e 100644 --- a/comanage-registry-slapd-base/voperson.ldif +++ b/comanage-registry-slapd-base/voperson.ldif 
@@ -28,7 +28,17 @@ olcAttributeTypes: {7}( 1.3.6.1.4.1.34998.3.3.1.8 NAME 'voPersonSoRID' DESC 'v olcAttributeTypes: {8}( 1.3.6.1.4.1.34998.3.3.1.9 NAME 'voPersonStatus' DESC ' voPerson Status' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1. 15' ) +olcAttributeTypes: {9}( 1.3.6.1.4.1.34998.3.3.1.10 NAME 'voPersonAffiliation' + DESC 'voPerson Affiliation Within Local Scope' EQUALITY caseIgnoreMatch SYNTA + X '1.3.6.1.4.1.1466.115.121.1.15' ) +olcAttributeTypes: {10}( 1.3.6.1.4.1.34998.3.3.1.11 NAME 'voPersonExternalAffi + liation' DESC 'voPerson Scoped External Affiliation' EQUALITY caseIgnoreMatch + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) +olcAttributeTypes: {11}( 1.3.6.1.4.1.34998.3.3.1.12 NAME 'voPersonScopedAffili + ation' DESC 'voPerson Affiliation With Explicit Local Scope' EQUALITY caseIgn + oreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) olcObjectClasses: {0}( 1.3.6.1.4.1.34998.3.3.1 NAME 'voPerson' AUXILIARY MAY ( - voPersonApplicationUID $ voPersonAuthorName $ voPersonCertificateDN $ voPers - onCertificateIssuerDN $ voPersonExternalID $ voPersonID $ voPersonPolicyAgree - ment $ voPersonSoRID $ voPersonStatus ) ) + voPersonAffiliation $ voPersonApplicationUID $ voPersonAuthorName $ voPerson + CertificateDN $ voPersonCertificateIssuerDN $ voPersonExternalAffiliation $ v + oPersonExternalID $ voPersonID $ voPersonPolicyAgreement $ voPersonScopedAffi + liation $ voPersonSoRID $ voPersonStatus ) ) diff --git a/comanage-registry-slapd-proxy/.dockerignore b/comanage-registry-slapd-proxy/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-slapd-proxy/.dockerignore @@ -0,0 +1 @@ +README.md diff --git a/comanage-registry-slapd-proxy/Dockerfile b/comanage-registry-slapd-proxy/Dockerfile index 5bbd531..8f9e894 100644 --- a/comanage-registry-slapd-proxy/Dockerfile +++ b/comanage-registry-slapd-proxy/Dockerfile 
@@ -16,7 +16,12 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM sphericalcowgroup/comanage-registry-slapd-base +ARG COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=2 +FROM comanage-registry-slapd-base:${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} + +ARG COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION +ENV COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} +LABEL comanage_registry_slapd_base_image_version=${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} COPY docker-slapd-entrypoint /usr/local/bin/ diff --git a/comanage-registry-slapd-proxy/README.md b/comanage-registry-slapd-proxy/README.md new file mode 100644 index 0000000..ed3317b --- /dev/null +++ b/comanage-registry-slapd-proxy/README.md 
@@ -0,0 +1,123 @@ + +# OpenLDAP slapd proxy for COmanage Registry + +Intended to build an OpenLDAP slapd image configured to run as +an LDAP proxy server. + +## Build Arguments + +No arguments are required for building the image. + +The following arguments may be supplied during the build: + +``` +--build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION= +``` + +## Build Requirements + +This image uses a [multi-stage build](https://docs.docker.com/develop/develop-images/multistage-build/). +It requires that the [OpenLDAP slapd base image](../comanage-registry-slapd-base/README.md) +be built first. + +## Building + +``` +docker build \ + --build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION= \ + -t comanage-registry-slapd-proxy: . +``` + +## Building Example + +``` +export COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=1 +export COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} \ + -t comanage-registry-slapd-proxy:$TAG . +``` + +## Volumes and Data Persistence + +This image does not require volume or data persistence when used soley as an LDAP proxy +server and all necessary configuration is injected at run time. + +More complicated deployments may wish to persist some data or configuration. For such deployments +see [OpenLDAP slapd for COmanage Registry Volumes and Data Persistence](../docs/openldap-volumes-and-data-persistence.md). + +## Environment Variables + +See the [list of environment variables common to slapd images](../docs/slapd-common-environment-variables.md) +including this image. + +## Ports + +By default the container instantiated from the image binds to 127.0.0.1 and +listens for LDAP protocol traffic on port 389 only. To bind to other or all +network interfaces and listen on port 636 as well override the default +command for the image (see below for details). 
+ +## Running + +See other documentation in this repository for details on how to orchestrate +running this image with other images using an orchestration tool like +Docker Compose, Docker Swarm, or Kubernetes. + +To run this image: + +``` +docker run -d \ + --name ldapgateway \ + -e SLAPD_CERT_FILE=/run/secrets/slapd_cert_file \ + -e SLAPD_CHAIN_FILE=/run/secrets/slapd_chain_file \ + -e SLAPD_PRIVKEY_FILE=/run/secrets/slapd_privkey_file \ + -v /opt/docker/ldif/proxy_config.ldif:/ldif/config/ldap_gateway_proxy_config.ldif \ + -p 389:389 \ + -p 636:636 \ + comanage-registry-slapd-proxy:2 \ + slapd -d 0 -h 'ldapi:/// ldap:/// ldaps:///' -u openldap -g openldap +``` + +## Executing LDIF Files + +See [Executing LDIF Files](../docs/slapd-ldif.md). + +## Logging + +The slapd daemon logs to the stdout and +stderr of the container. + +## TLS Configuration + +See the section on environment variables and the `SLAPD_CERT_FILE`, `SLAPD_CHAIN_FILE`, +and `SLAPD_PRIVKEY_FILE` variables. + +Additionally you may bind mount or COPY in an X.509 certificate file, CA chain file, +and associated private key file. For example + +``` +COPY cert.pem /etc/ldap/slapd.crt +COPY chain.pem /etc/ldap/slapd.ca.crt +COPY privkey.pem /etc/ldap/slapd.key +``` diff --git a/comanage-registry-slapd-proxy/docker-slapd-entrypoint b/comanage-registry-slapd-proxy/docker-slapd-entrypoint index 30c6d32..9555009 100755 --- a/comanage-registry-slapd-proxy/docker-slapd-entrypoint +++ b/comanage-registry-slapd-proxy/docker-slapd-entrypoint @@ -19,8 +19,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -set -e - source /usr/local/lib/comanage_ldap_utils.sh comanage_ldap_utils::exec_slapd_proxy "$@" diff --git a/comanage-registry-slapd/.dockerignore b/comanage-registry-slapd/.dockerignore new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/comanage-registry-slapd/.dockerignore @@ -0,0 +1 @@ +README.md 
diff --git a/comanage-registry-slapd/Dockerfile b/comanage-registry-slapd/Dockerfile index dcc408d..faa23c8 100644 --- a/comanage-registry-slapd/Dockerfile +++ b/comanage-registry-slapd/Dockerfile @@ -16,7 +16,12 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM sphericalcowgroup/comanage-registry-slapd-base +ARG COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=2 +FROM comanage-registry-slapd-base:${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} + +ARG COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION +ENV COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} +LABEL comanage_registry_slapd_base_image_version=${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} COPY docker-slapd-entrypoint /usr/local/bin/ diff --git a/comanage-registry-slapd/README.md b/comanage-registry-slapd/README.md index 3909fd2..34af467 100644 --- a/comanage-registry-slapd/README.md +++ b/comanage-registry-slapd/README.md 
@@ -18,96 +18,121 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> - # OpenLDAP slapd for COmanage Registry -A simple example demonstrating how to create an image and container -based on OpenLDAP slapd to use with COmanage Registry containers. +Intended to build an OpenLDAP slapd image to use with COmanage Registry. + +## Build Arguments + +No arguments are required for building the image. -## Build +The following arguments may be supplied during the build: ``` -docker build -t comanage-registry-slapd . +--build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION= ``` -## Run +## Build Requirements -Create a user-defined network bridge with +This image uses a [multi-stage build](https://docs.docker.com/develop/develop-images/multistage-build/). +It requires that the [OpenLDAP slapd base image](../comanage-registry-slapd-base/README.md) +be built first. + +## Building ``` -docker network create --driver=bridge \ - --subnet=192.168.0.0/16 \ - --gateway=192.168.0.100 \ - comanage-registry-internal-network +docker build \ + --build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION= \ + -t comanage-registry-slapd: . ``` -and then mount a directory such as `/tmp/slapd-data` -to `/var/lib/ldap` inside the container to persist -data and `/tmp/slapd-config` to `/etc/ldap/slapd.d` -inside the container to persist the configuration, eg. 
+## Building Example ``` -docker run -d --name comanage-registry-slapd \ - -v /tmp/slapd-data:/var/lib/ldap \ - -v /tmp/slapd-config:/etc/ldap/slapd.d \ - --network comanage-registry-internal-network \ - -p 389:389 \ - sphericalcowgroup/comanage-registry-slapd - +export COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=1 +export COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION=1 +TAG="${COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} \ + -t comanage-registry-slapd:$TAG . ``` -The following environment variables can be set: +## Volumes and Data Persistence + +See [OpenLDAP slapd for COmanage Registry Volumes and Data Persistence](../docs/openldap-volumes-and-data-persistence.md). + + +## Environment Variables -* `OLC_SUFFIX`: Directory suffix (default is `dc=my,dc=org`) -* `OLC_ROOT_DN`: DN for the directory admin (default is `cn=admin,dc=my,dc=org`) -* `OLC_ROOT_PW`: Password for the root DN (default is `password`) +See the [list of environment variables common to slapd images](../docs/slapd-common-environment-variables.md) +including this image. -For example +## Ports + +By default the container instantiated from the image binds to 127.0.0.1 and +listens for LDAP protocol traffic on port 389 only. To bind to other or all +network interfaces and listen on port 636 as well override the default +command for the image (see below for details). + +## Running + +See other documentation in this repository for details on how to orchestrate +running this image with other images using an orchestration tool like +Docker Compose, Docker Swarm, or Kubernetes. 
+ +To run this image: ``` -docker run -d --name comanage-registry-slapd \ - -v /tmp/slapd-data:/var/lib/ldap \ - -v /tmp/slapd-config:/etc/ldap/slapd.d \ - --network comanage-registry-internal-network \ - -e OLC_SUFFIX=dc=my,dc=org \ +docker run -d \ + --name comanage-registry-ldap \ -e OLC_ROOT_DN=cn=admin,dc=my,dc=org \ - -e OLC_ROOT_PW=password \ + -e OLC_SUFFIX=dc=my,dc=org \ + -e OLC_ROOT_PW={SSHA}emcy1JA+mxbHH0PMPcnasE9apBStAMks \ + -v /opt/docker/var/lib/ldap:/var/lib/ldap \ + -v /opt/docker/etc/ldap/slapd.d:/etc/ldap/slapd.d \ -p 389:389 \ - comanage-registry-slapd + comanage-registry-slapd:2 \ + slapd -d 256 -h 'ldapi:/// ldap:///' -u openldap -g openldap ``` -To support TLS mount or copy in an X.509 certificate, private key, -and CA signing certificate or chain file like this: +To run this image with slapd using TLS and listening on port 636 ``` -docker run -d --name comanage-registry-slapd \ - -v /tmp/slapd-data:/var/lib/ldap \ - -v /tmp/slapd-config:/etc/ldap/slapd.d \ - -v my.crt:/etc/ldap/slapd.crt \ - -v my.key:/etc/ldap/slapd.key \ - -v chain.pem:/etc/ldap/slapd.ca.crt \ - --network comanage-registry-internal-network \ - -e OLC_SUFFIX=dc=my,dc=org \ +docker run -d \ + --name comanage-registry-ldap \ -e OLC_ROOT_DN=cn=admin,dc=my,dc=org \ - -e OLC_ROOT_PW=password \ - -p 389:389 -p 636:636 \ - sphericalcowgroup/comanage-registry-slapd + -e OLC_SUFFIX=dc=my,dc=org \ + -e OLC_ROOT_PW={SSHA}emcy1JA+mxbHH0PMPcnasE9apBStAMks \ + -e SLAPD_CERT_FILE=/run/secrets/slapd_cert_file \ + -e SLAPD_CHAIN_FILE=/run/secrets/slapd_chain_file \ + -e SLAPD_PRIVKEY_FILE=/run/secrets/slapd_privkey_file \ + -v /opt/docker/var/lib/ldap:/var/lib/ldap \ + -v /opt/docker/etc/ldap/slapd.d:/etc/ldap/slapd.d \ + -p 389:389 \ + -p 636:636 \ + comanage-registry-slapd:2 \ + slapd -d 256 -h 'ldapi:/// ldap:/// ldaps:///' -u openldap -g openldap ``` -You may also use environment variables that point to files, for example +## Executing LDIF Files + +See [Executing LDIF 
Files](../docs/slapd-ldif.md). + +## Logging + +The slapd daemon logs to the stdout and +stderr of the container. + +## TLS Configuration + +See the section on environment variables and the `SLAPD_CERT_FILE`, `SLAPD_CHAIN_FILE`, +and `SLAPD_PRIVKEY_FILE` variables. + +Additionally you may bind mount or COPY in an X.509 certificate file, CA chain file, +and associated private key file. For example ``` -docker run -d --name comanage-registry-slapd \ - --network comanage-registry-internal-network \ - -v /tmp/slapd-data:/var/lib/ldap \ - -v /tmp/slapd-config:/etc/ldap/slapd.d \ - -e SLAPD_CERT_FILE=/run/secrets/slapd_cert_file \ - -e SLAPD_PRIVKEY_FILE=/run/secrets/slapd_privkey_file \ - -e SLAPD_CHAIN_FILE=/run/secrets/slapd_chain_file \ - -e OLC_SUFFIX=dc=my,dc=org \ - -e OLC_ROOT_DN=cn=admin,dc=my,dc=org \ - -e OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw \ - -p 389:389 -p 636:636 \ - sphericalcowgroup/comanage-registry-slapd +COPY cert.pem /etc/ldap/slapd.crt +COPY chain.pem /etc/ldap/slapd.ca.crt +COPY privkey.pem /etc/ldap/slapd.key ``` - diff --git a/comanage-registry-slapd/docker-slapd-entrypoint b/comanage-registry-slapd/docker-slapd-entrypoint index 55171b7..0a503d5 100755 --- a/comanage-registry-slapd/docker-slapd-entrypoint +++ b/comanage-registry-slapd/docker-slapd-entrypoint @@ -19,8 +19,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -set -e - source /usr/local/lib/comanage_ldap_utils.sh comanage_ldap_utils::exec_slapd "$@" diff --git a/comanage-registry/000-comanage.conf b/comanage-registry/000-comanage.conf deleted file mode 100644 index 9ce97b3..0000000 --- a/comanage-registry/000-comanage.conf +++ /dev/null 
@@ -1,56 +0,0 @@ -# COmanage Registry Apache HTTP Server configuration -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - ServerName http://%%SERVER_NAME%%:80 - RewriteEngine On - RewriteCond %{HTTPS} off - RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] - - - - ServerName https://%%SERVER_NAME%%:443 - - DocumentRoot /var/www/html - - RedirectMatch ^/$ /registry/ - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - LogLevel warn - - Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" - - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLHonorCipherOrder on - - SSLCertificateFile /etc/apache2/cert.pem - SSLCertificateKeyFile /etc/apache2/privkey.pem - - - Options Indexes FollowSymLinks - DirectoryIndex index.php - AllowOverride All - Require all granted - - - diff --git a/comanage-registry/Dockerfile.template b/comanage-registry/Dockerfile.template deleted file mode 100644 index af8d757..0000000 --- a/comanage-registry/Dockerfile.template +++ /dev/null 
@@ -1,103 +0,0 @@ -# COmanage Registry Dockerfile template -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -FROM php:7.0-apache-jessie - -RUN apt-get update && apt-get install -y \ - libldap-2.4-2 \ - libldap2-dev \ - libmysqlclient18 \ - libmysqlclient-dev \ - libpq-dev \ - libxml2 \ - libxslt1-dev \ - libxslt1.1 \ - ssl-cert \ - wget \ - zlib1g \ - libpcre3-dev \ - && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \ - && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \ - && docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \ - && docker-php-ext-install xsl pdo_mysql pdo_pgsql mysqli pgsql ldap \ - && docker-php-source delete \ - && apt-get purge -y \ - libldap2-dev \ - libmysqlclient-dev \ - libpq-dev \ - && apt-get clean - -ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%% -ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz - -LABEL comanage_registry_version=$COMANAGE_REGISTRY_VERSION -LABEL comanage_registry_src_url=$COMANAGE_REGISTRY_SRC_URL - -ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry - -COPY 000-comanage.conf 
/etc/apache2/sites-available/000-comanage.conf - -WORKDIR "$COMANAGE_REGISTRY_DIR" - -RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ - && wget -O comanage.tar.gz $COMANAGE_REGISTRY_SRC_URL \ - && tar -zxf comanage.tar.gz -C "$COMANAGE_REGISTRY_DIR" --strip-components=1 \ - && rm -f comanage.tar.gz \ - && rm -f "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && cp -r "$COMANAGE_REGISTRY_DIR/app/tmp.dist" "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" \ - && cd /var/www/html \ - && ln -s "$COMANAGE_REGISTRY_DIR/app/webroot" registry \ - && rm -rf "$COMANAGE_REGISTRY_DIR/local/*" \ - && ln -s "$COMANAGE_REGISTRY_DIR/local" /local \ - && a2enmod headers \ - && a2enmod ssl \ - && a2enmod rewrite \ - && a2dissite 000-default.conf \ - && a2ensite 000-comanage.conf \ - && a2disconf other-vhosts-access-log \ - && cd /etc/apache2 \ - && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ - && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ - && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" - -COPY docker-comanage-entrypoint /usr/local/bin/ - -# expose COmanage Registry local directory -VOLUME ["/local"] - -ENTRYPOINT ["docker-comanage-entrypoint"] - -WORKDIR /var/www/html - -EXPOSE 80 443 - -# Default values for first administrator bootstrapped -# into the platform, most likely overridden at build time -# using build arguments. 
-ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME -ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME -ARG COMANAGE_REGISTRY_ADMIN_USERNAME -ARG COMANAGE_REGISTRY_ENABLE_POOLING - -ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry} -ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin} -ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin} -ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No} - -CMD ["apache2-foreground"] diff --git a/comanage-registry/README.md b/comanage-registry/README.md deleted file mode 100644 index b0c5348..0000000 --- a/comanage-registry/README.md +++ /dev/null 
@@ -1,125 +0,0 @@ - - -# COmanage Registry Base - -Intended to build a COmanage Registry base image -using the official PHP 7 with Apache image as the foundation. - -The image built from this template does **not** provide any -method for authentication. See other templates in this -repository for examples on how to build images on this -one that include authentication methods like Basic Auth, -Shibboleth Native SP for Apache, and OIDC. - -## Configuration - -### Environment Variables - -The following environment variables may be set to inject deployment -details into a container built from this image: - -| Environment Variable | Description | Default | Example 1 | Example 2 | -| -------------------- | ----------- | --------- | --------- | ------- | -| COMANAGE_REGISTRY_ADMIN_FAMILY_NAME | Registry admin family name | Admin | Novak | Sanchez | -| COMANAGE_REGISTRY_ADMIN_GIVEN_NAME | Registry admin given name | Registry | Karel | Michelle | -| COMANAGE_REGISTRY_ADMIN_USERNAME | Registry admin login name | registry.admin | admin | karel.novak@my.org | -| COMANAGE_REGISTRY_DATABASE | database name | registry | registry_db | comanage | -| COMANAGE_REGISTRY_DATABASE_HOST | database server hostname | comanage-registry-database | | | -| COMANAGE_REGISTRY_DATABASE_USER| database user | registry_user | comanage | comanage_user | -| COMANAGE_REGISTRY_DATABASE_USER_PASSWORD | database user password | password | AFH9OiyuowiY3Wq6qX0j | qVcsJPo7$@ | -| COMANAGE_REGISTRY_DATASOURCE | database type | Database/Postgres | Database/Postgres | Database/Mysql | -| COMANAGE_REGISTRY_EMAIL_FROM | 
From: address | array('account@gmail.com' => 'Registry') | 'registry@my.org' | array('registry@my.org' => 'My Org Registry') | -| COMANAGE_REGISTRY_EMAIL_TRANSPORT | mail transport | Smtp | | | -| COMANAGE_REGISTRY_EMAIL_HOST | mail host | tls://smtp.gmail.com | smtp.my.org | mail.my.org | -| COMANAGE_REGISTRY_EMAIL_PORT | mail port | 465 | 25 | 587 | -| COMANAGE_REGISTRY_EMAIL_ACCOUNT | mail server account | account@gmail.com | mail_bot | registry | -| COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD | mail server password | password | d6WE2fpwAw | xp790Mu3q6 | -| COMANAGE_REGISTRY_SECURITY_SALT | CakePHP security salt | automatically generated | e8RrE9X3pVnozrupHSHo4GTLqL380LuU7X7LKj42 | | -| COMANAGE_REGISTRY_SECURITY_SEED | CakePHP security seed | automatically generated | 62259808467736132961503540721 | | -| HTTPS_CERT_FILE | HTTPS X.509 certificate | automatically generated self-signed | | | -| HTTPS_PRIVKEY_FILE | HTTPS private key | automatically generated self-signed | | | -| SERVER_NAME | web server name | parsed from HTTPS X.509 certificate | | | - - -### Finer Control - -For finer control over the configuration of COmanage Registry and the -CakePHP framework create a directory to hold persistent COmanage Registry configuration and -other state such as local plugins and other customizations. 
In that directory -create a `Config` directory and in it place a `database.php` and `email.php` -configuration file: - -``` -mkdir -p /docker/srv/comanage-registry/local/Config - -cat > /docker/srv/comanage-registry/local/Config/database.php <<"EOF" - 'Database/Postgres', - 'persistent' => false, - 'host' => 'comanage-registry-database', - 'login' => 'registry_user', - 'password' => 'password', - 'database' => 'registry', - 'prefix' => 'cm_', - ); - -} -EOF - -cat > /docker/srv/comanage-registry/local/Config/email.php <<"EOF" - 'Smtp', - 'host' => 'tls://smtp.gmail.com', - 'port' => 465, - 'username' => 'account@gmail.com', - 'password' => 'password' - ); -} -EOF -``` - -When creating the container mount the directory you created, eg. - -``` -docker run -d --name comanage-registry \ - -v /docker/srv/comanage-registry/local:/srv/comanage-registry/local - -p 80:80 -p 443:443 \ - comanage-registry:${COMANAGE_REGISTRY_VERSION} -``` - -### HTTPS Configuration - -In preferred you may mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) -and associated private key file. - -``` -COPY cert.pem /etc/apache2/cert.pem -COPY privkey.pem /etc/apache2/privkey.pem -``` diff --git a/comanage-registry/docker-comanage-entrypoint b/comanage-registry/docker-comanage-entrypoint deleted file mode 100755 index d409d42..0000000 --- a/comanage-registry/docker-comanage-entrypoint +++ /dev/null 
@@ -1,295 +0,0 @@ -#!/bin/bash - -# COmanage Registry Dockerfile entrypoint -# -# Portions licensed to the University Corporation for Advanced Internet -# Development, Inc. ("UCAID") under one or more contributor license agreements. -# See the NOTICE file distributed with this work for additional information -# regarding copyright ownership. -# -# UCAID licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with the -# License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ -n "$COMANAGE_DEBUG" ] -then - OUTPUT=/dev/stdout -else - OUTPUT=/dev/null -fi - -# Configuration details that may be injected through environment -# variables or the contents of files. - -injectable_config_vars=( - COMANAGE_REGISTRY_DATASOURCE - COMANAGE_REGISTRY_DATABASE - COMANAGE_REGISTRY_DATABASE_HOST - COMANAGE_REGISTRY_DATABASE_USER - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD - COMANAGE_REGISTRY_EMAIL_FROM - COMANAGE_REGISTRY_EMAIL_TRANSPORT - COMANAGE_REGISTRY_EMAIL_HOST - COMANAGE_REGISTRY_EMAIL_PORT - COMANAGE_REGISTRY_EMAIL_ACCOUNT - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD - COMANAGE_REGISTRY_SECURITY_SALT - COMANAGE_REGISTRY_SECURITY_SEED - HTTPS_CERT_FILE - HTTPS_PRIVKEY_FILE - SERVER_NAME -) - -# If the file associated with a configuration variable is present then -# read the value from it into the appropriate variable. So for example -# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its -# value points to a file on the file system then read the contents -# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. 
- -for config_var in "${injectable_config_vars[@]}" -do - eval file_name=\$"${config_var}_FILE"; - - if [ -e "$file_name" ]; then - declare "${config_var}"=`cat $file_name` - fi -done - -# Make sure the directory structure we need is available -# in the data volume for $COMANAGE_REGISTRY_DIR/local -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public" -mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img" - -# If the COmanage Registry database configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -if [ ! -e "$COMANAGE_REGISTRY_DIR/local/Config/database.php" ]; then - cat > "$COMANAGE_REGISTRY_DIR/local/Config/database.php" < '${COMANAGE_REGISTRY_DATASOURCE:-Database/Postgres}', - 'persistent' => false, - 'host' => '${COMANAGE_REGISTRY_DATABASE_HOST:-comanage-registry-database}', - 'login' => '${COMANAGE_REGISTRY_DATABASE_USER:-registry_user}', - 'password' => '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD:-password}', - 'database' => '${COMANAGE_REGISTRY_DATABASE:-registry}', - 'prefix' => 'cm_', - ); - -} -EOF -fi - -# If the COmanage Registry email configuration file does not exist -# then try to create it from injected information with reasonable defaults -# that aid simple evaluation deployments. -email_config="$COMANAGE_REGISTRY_DIR/local/Config/email.php" - -if [ ! 
-e "$email_config" ]; then - cat > "$email_config" < ${COMANAGE_REGISTRY_EMAIL_FROM:-array('account@gmail.com' => 'Registry')}, - 'transport' => '${COMANAGE_REGISTRY_EMAIL_TRANSPORT:-Smtp}', - 'host' => '${COMANAGE_REGISTRY_EMAIL_HOST:-tls://smtp.gmail.com}', - 'port' => ${COMANAGE_REGISTRY_EMAIL_PORT:-465}, - 'username' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT:-account@gmail.com}', - 'password' => '${COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD:-password}' - ); -} -EOF -fi - -# Loop until we are able to open a connection to the database. -DATABASE_TEST_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/DatabaseTestShell.php" - -cat > $DATABASE_TEST_SCRIPT <<"EOF" -error("Unable to connect to datasource"); - } - $this->out("Connected to datasource"); - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -until ./Console/cake databaseTest > "$OUTPUT" 2>&1; do - >&2 echo "Database is unavailable - sleeping" - sleep 1 -done - -rm -f "$DATABASE_TEST_SCRIPT" - -popd > "$OUTPUT" 2>&1 - -# We only want to run the setup script once since it creates -# state in the database. Until COmanage Registry has a better -# mechanism for telling us if setup has already been run -# we create an ephemeral CakePHP script to tell us. -SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php" - -cat > $SETUP_ALREADY_SCRIPT <<"EOF" -Co->find('first', $args); - } catch (CakeException $e) { - $this->out('Not setup already'); - } - - if(empty($co)) { - $this->out('Not setup already'); - } else { - $this->error('Setup already'); - } - } -} -EOF - -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 -./Console/cake setupAlready > "$OUTPUT" 2>&1 -setup_already=$? - -rm -f "$SETUP_ALREADY_SCRIPT" - -if [ $setup_already -eq 0 ]; then - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > "$OUTPUT" 2>&1 - rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > "$OUTPUT" 2>&1 - # Run database twice until issue on develop branch is resolved. 
Since - # the command is idempotent normally it is not a problem to have it run - # more than once. - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake database > "$OUTPUT" 2>&1 && \ - ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \ - --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \ - --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \ - --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" 2>&1 - AUTO_GENERATED_SECURITY=1 -fi - -popd > "$OUTPUT" 2>&1 - -# If COmanage Registry CakePHP security salt and seed have been -# injected and the files do not otherwise exist create them. -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SALT" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SALT" > "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" -fi - -if [[ -n "$COMANAGE_REGISTRY_SECURITY_SEED" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" ) ]]; then - echo "$COMANAGE_REGISTRY_SECURITY_SEED" > "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" -fi - -# We always run upgradeVersion since it will not make any changes -# if the current and target versions are the same or if -# an upgrade from the current to the target version is not allowed. -pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - -./Console/cake upgradeVersion "${COMANAGE_REGISTRY_UPGRADE_VERSION_OPTS}" > "$OUTPUT" 2>&1 - -popd > "$OUTPUT" 2>&1 - -# Force a datbase update if requested. This is helpful when deploying -# a new version of the code that does not result in a change in the -# version number and so upgradeVersion does not fire. An example -# of this scenario is when new code is introduced in the develop -# branch but before a release happens. -if [ -n "$COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE" ]; then - echo "Forcing a database schema update..." 
> "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 -fi - -# Enable any supported non-core plugins if requested. -if [ -n "$COMANAGE_REGISTRY_ENABLE_PLUGIN" ]; then - plugins=(`echo "$COMANAGE_REGISTRY_ENABLE_PLUGIN" | sed -e 's@,@ @g'`) > "$OUTPUT" 2>&1 - for plugin in "${plugins[@]}"; - do - echo "Enabling available plugin $plugin..." > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/local/Plugin" > "$OUTPUT" 2>&1 - ln -s "../../app/AvailablePlugin/$plugin" "$plugin" > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1 - ./Console/cake database > "$OUTPUT" 2>&1 - popd > "$OUTPUT" 2>&1 - done -fi - -# Running CakePHP console commands generates cache files so -# set the ownership of those files appropriately. -chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" - -# If defined use configured location of Apache HTTP Server -# HTTPS certificate and key files. The certificate file may also -# include intermediate CA certificates, sorted from leaf to root. -if [ -n "$HTTPS_CERT_FILE" ]; then - rm -f /etc/apache2/cert.pem - cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem - chown www-data /etc/apache2/cert.pem - chmod 0644 /etc/apache2/cert.pem -fi - -if [ -n "$HTTPS_PRIVKEY_FILE" ]; then - rm -f /etc/apache2/privkey.pem - cp "$HTTPS_PRIVKEY_FILE" /etc/apache2/privkey.pem - chown www-data /etc/apache2/privkey.pem - chmod 0600 /etc/apache2/privkey.pem -fi - -# If SERVER_NAME has not been injected try to determine -# it from the HTTPS_CERT_FILE. -if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'` - if [ -z "$SERVER_NAME" ]; then - SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'` - fi -fi - -# Configure Apache HTTP Server with the server name. 
-sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@ /etc/apache2/sites-available/000-comanage.conf - -cat > /etc/apache2/conf-available/server-name.conf < "$OUTPUT" 2>&1 - -# first arg is `-f` or `--some-option` -if [ "${1#-}" != "$1" ]; then - set -- apache2-foreground "$@" -fi - -exec "$@" diff --git a/docs/README.md b/docs/README.md index 171019d..cff4ba8 100644 --- a/docs/README.md +++ b/docs/README.md @@ -21,10 +21,5 @@ limitations under the License. # COmanage Registry Docker Documentation -* [Persist data using host-mounted volumes](./basic-auth-postgres-persist.md) -* [Use MariaDB instead of PostgreSQL](./basic-auth-mariadb-persist.md) -* [Add OpenLDAP slapd for provisioning](./openldap-slapd.md) -* [Advanced configuration](./advanced-configuration.md) -* [Complete example recipe for production deployment](./shibboleth-sp-postgres-compose.md) -* [Using Docker service stacks and Docker secrets](./mod-auth-oidc-mariadb-stacks.md) - +See the [main README.md](../README.md) file for a list of +all COmanage Registry Docker Documentation. diff --git a/docs/adding-openldap-proxy.md b/docs/adding-openldap-proxy.md new file mode 100644 index 0000000..084e35e --- /dev/null +++ b/docs/adding-openldap-proxy.md 
@@ -0,0 +1,128 @@ + + +# Adding OpenLDAP Proxy for COmanage Registry + +Follow these steps to build and add an OpenLDAP slapd +proxy as a managed service to an existing COmanage Registry service stack. +An OpenLDAP slapd proxy is often deployed with slapd servers configured +for high availability using either "multi-master" or "mirror mode" +approaches. See the [slapd-ldap](https://linux.die.net/man/5/slapd-ldap) +man page for details on the LDAP backend used to instantiate a slapd +proxy and the OpenLDAP documentation on [replication](http://www.openldap.org/doc/admin24/replication.html) +for details on both the multi-master and mirror mode architectures. + +* Define the shell variable `COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION` to be the +version of the base image you are about to build: + +``` +export COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=1 +``` + +* Build the base image: + +``` +pushd comanage-registry-slapd-base +TAG="${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-slapd-base:${TAG} . +popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION` +to be the version of the image you are about to build: + +``` +export COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION=1 +``` + +* Build the slapd image: + +``` +pushd comanage-registry-slapd-proxy +TAG="${COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} \ + -t comanage-registry-shibboleth-slapd-proxy:$TAG . 
+popd +``` + +* Edit the Docker Swarm services stack description (compose) file you previously +created and add the following service description after the existing services: + +``` +comanage-registry-ldap-proxy: + image: comanage-registry-slapd-proxy:${COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION} + command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"] + networks: + - default + deploy: + replicas: 1 +``` + +* Deploy the COmanage Registry service stack: + +``` +docker stack deploy --compose-file comanage-registry-stack.yml comanage-registry +``` + +You may monitor the progress of the slapd proxy container using + +``` +docker service logs -f comanage-registry-ldap-proxy +``` + +When run as a proxy slapd does not require any state be saved but +the deployer must configure the LDAP backend before slapd will +proxy any requests. + +To have the container create the necessary +LDAP backend configuration for your deployment see [Executing LDIF Files](slapd-ldif.md) +and use a LDIF file like (be sure to modify as necessary for your own +deployment, and pay special attention to the olcAccess configuration you +wish to use) + +``` +dn: olcDatabase=ldap,cn=config +changetype: add +objectClass: olcDatabaseConfig +objectClass: olcLDAPConfig +olcDatabase: ldap +olcSuffix: dc=mycampus,dc=org +olcDbURI: "ldap://ldap-01 ldap://ldap-02" +olcDbQuarantine: 60,+ +olcAccess: {0}to * by * write +``` + +To use TLS for connections to slapd (either on port 636 using ldaps:// +or via `START_TLS` on port 389) define the environment variables +`SLAPD_CERT_FILE`, `SLAPD_CHAIN_FILE`, and `SLAPD_PRIVKEY_FILE` +and then change the `command` above to be + +``` +command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:/// ldaps:///", "-u", "openldap", "-g", "openldap"] +``` + +Also change the LDAP backend configuration to include + +``` +olcSecurity: tls=256 +``` 
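Review bot: in the docs/adding-openldap-proxy.md hunk the image built and the image deployed do not match: the build step tags `comanage-registry-shibboleth-slapd-proxy:$TAG`, while the service description uses `image: comanage-registry-slapd-proxy:${COMANAGE_REGISTRY_SLAPD_PROXY_IMAGE_VERSION}`, so `docker stack deploy` will look for an image that was never built; the build target should be `-t comanage-registry-slapd-proxy:$TAG .`, matching the sibling adding-openldap.md recipe. The sample LDIF also ends with `olcAccess: {0}to * by * write`, which lets any client, anonymous binds included, write through the proxy layer; since the text already tells deployers to pay special attention to olcAccess, the example should show a restrictive rule (for instance `to * by * read`, or an explicit bind-DN rule) rather than an open one. Minor: `START_TLS` should read `StartTLS`, and "a LDIF file" should be "an LDIF file".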
diff --git a/docs/adding-openldap.md b/docs/adding-openldap.md new file mode 100644 index 0000000..cd053be --- /dev/null +++ b/docs/adding-openldap.md 
@@ -0,0 +1,143 @@ + + +# Adding OpenLDAP for COmanage Registry + +Follow these steps to build and add OpenLDAP slapd +as a managed service to an existing COmanage Registry service stack. + +* Complete the instructions for deploying COmanage Registry with +a relational database. Choose one of + * [COmanage Registry using the Shibboleth SP and PostgreSQL database](shibboleth-sp-postgresql.md), + * [COmanage Registry using the Shibboleth SP and MariaDB database](shibboleth-sp-mariadb.md), + * [COmanage Registry using mod\_auth\_openidc and MariaDB database](mod-auth-openidc-mariadb.md), + * [COmanage Registry using the Internet2 TIER image](comanage-registry-internet2-tier.md). + +* Define the shell variable `COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION` to be the +version of the base image you are about to build: + +``` +export COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=1 +``` + +* Build the base image: + +``` +pushd comanage-registry-slapd-base +TAG="${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-slapd-base:${TAG} . +popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION` +to be the version of the image you are about to build: + +``` +export COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION=1 +``` + +* Build the slapd image: + +``` +pushd comanage-registry-slapd +TAG="${COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SLAPD_BASE_IMAGE_VERSION} \ + -t comanage-registry-slapd:$TAG . +popd +``` + +* Use the [slappasswd OpenLDAP password utility](https://linux.die.net/man/8/slappasswd) +to create a hashed password value. 
+ +* Create a secret to store the hashed password value you just created +(be sure to use your own value and not the example below): + +``` +echo "{SSHA}emcy1JA+mxbHH0PMPcnasE9apBStAMks" | docker secret create olc_root_pw +``` + +* Create directories on the Docker engine host(s) for state files: + +``` +sudo mkdir -p /srv/docker/var/lib/ldap +sudo mkdir -p /srv/docker/etc/slapd.d +``` + +* Define shell variables for the directory suffix and root DN, + for example: + +``` +export OLC_SUFFIX=dc=my,dc=org +export OLC_ROOT_DN=cn=admin,dc=my,dc=org +``` + +* Edit the Docker Swarm services stack description (compose) file you previously +created and add the following service description after the existing services: + +``` +comanage-registry-ldap: + image: comanage-registry-slapd:${COMANAGE_REGISTRY_SLAPD_IMAGE_VERSION} + command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"] + volumes: + - /srv/docker/var/lib/ldap:/var/lib/ldap + - /srv/docker/etc/slapd.d:/etc/ldap/slapd.d + environment: + - OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw + - OLC_SUFFIX=${OLC_SUFFIX} + - OLC_ROOT_DN=${OLD_ROOT_DN} + secrets: + - olc_root_pw + networks: + - default + deploy: + replicas: 1 +``` + +* Be sure to also edit the services stack description file and add +the `olc_root_pw` secret to the list of secrets. + +* Deploy the COmanage Registry service stack: + +``` +docker stack deploy --compose-file comanage-registry-stack.yml comanage-registry +``` + +You may monitor the progress of the slapd container using + +``` +docker service logs -f comanage-registry-ldap +``` + +The container does not bootstrap any structure in the directory, i.e. it +does not create any `ou=people` or `ou=groups` branches that are usually +used with COmanage Registry. To have the container create the necessary +structure for your deployment see [Executing LDIF Files](slapd-ldif.md). 
+ +To use TLS for connections to slapd (either on port 636 using ldaps:// +or via `START_TLS` on port 389) define the environment variables +`SLAPD_CERT_FILE`, `SLAPD_CHAIN_FILE`, and `SLAPD_PRIVKEY_FILE` +and then change the `command` above to be + +``` +command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:/// ldaps:///", "-u", "openldap", "-g", "openldap"] +``` diff --git a/docs/advanced-configuration.md b/docs/advanced-configuration.md deleted file mode 100644 index 239d746..0000000 --- a/docs/advanced-configuration.md +++ /dev/null 
@@ -1,365 +0,0 @@ - - -# COmanage Registry Docker -## Advanced Configuration Options - -The services deployed in containers instantiated using images built from this repository may be -configured in a number of different ways. - -##### Table of Contents -* [Environment Variables](#environ) -* [Secrets](#secrets) -* [Apache HTTP ServerName](#servername) -* [Full Control](#full) - -## Environment Variables - -Most deployment details may be set using environment variables set for the container. -The entrypoint scripts will attempt to use values from environment variables and if not -present reasonable defaults will be used. *Note that some defaults like passwords are -easily guessable and not suitable for production deployments*. - -The complete list of environment variables available for configuration is listed in -the documentation for each image. See each image directory in this repository for -details. - -Below are some examples of common environment variables deployers choose to set for each -component. 
- -### COmanage Registry - -| Environment Variable | Description | Default | Example 1 | Example 2 | -| -------------------- | ----------- | --------- | --------- | ------- | -| COMANAGE_REGISTRY_DATASOURCE | database type | Database/Postgres | Database/Postgres | Database/Mysql | -| COMANAGE_REGISTRY_DATABASE_USER| database user | registry_user | comanage | comanage_user | -| COMANAGE_REGISTRY_DATABASE_USER_PASSWORD | database user password | password | AFH9OiyuowiY3Wq6qX0j | qVcsJPo7$@ | -| COMANAGE_REGISTRY_ADMIN_USERNAME | Registry admin login name | registry.admin | admin | karel.novak@my.org | - -### PostgreSQL - -| Environment Variable | Description | Default | Example 1 | Example 2 | -| -------------------- | ----------- | --------- | --------- | ------- | -| POSTGRES_PASSWORD | database admin password | none | $cu9@2!qp&3R | 4vGb10sI#AI | -| COMANAGE_REGISTRY_POSTGRES_USER | registry database user | registry_user | comanage | comanage_user | -| COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD | registry database user password | password | AFH9OiyuowiY3Wq6qX0j | qVcsJPo7$@ | - -### MariaDB - -| Environment Variable | Description | Default | Example 1 | Example 2 | -| -------------------- | ----------- | --------- | --------- | ------- | -| MYSQL_ROOT_PASSWORD | database admin password | none | JaMKH5xAB64E9 | 6XET#82NFm& | -| MYSQL_USER | registry database user | registry_user | comanage | comanage_user | -| MYSQL_PASSWORD | registry database user password | none | 9vmKxJGwD!iU | o8rhqq4Sr%R | - -### Shibboleth SP - -| Environment Variable | Description | Default | Example 1 | Example 2 | -| -------------------- | ----------- | --------- | --------- | ------- | -| SHIBBOLETH_SP_ENTITY_ID | entityID for SP | https://comanage.registry/shibboleth | https://my.org/comanage | https://registry.my.org/shibboleth | -| SHIBBOLETH_SP_SAMLDS_URL | URL for SAML IdP discovery service | https://localhost/registry/pages/eds/index | https://my.org/registry/pages/eds/index | 
https://discovery.my.org | -| SHIBBOLETH_SP_CERT | SAML certificate | self-signed per-image default ||| -| SHIBBOLETH_SP_PRIVKEY | SAML private key | self-signed per-image default ||| -| SHIBBOLETH_SP_METADATA_PROVIDER_XML | \ element | none (empty) | see [Shib SP documenation]() | | - -### mod_auth_oidc -Coming soon... - -### OpenLDAP slapd -| Environment Variable | Description | Default | Example 1 | Example 2 | -| -------------------- | ----------- | --------- | --------- | ------- | -| OLC_SUFFIX | Suffix for the directory | dc=my,dc=org | dc=some,dc=edu | o=unit,dc=my,dc=org | -| OLC_ROOT_DN | DN for the administrator | cn=admin,dc=my,dc=org | cn=admin,dc=some,dc=edu | cn=admin,ou=service,dc=my,dc=org | -| OLC_ROOT_PW | password for root DN | password | ow&lveo13tH | eaFXZeOs7AK3iJ9w9d0a | akw13%!UU83 | - -## Secrets - -Some deployers prefer not to use environment variables to inject secrets to avoid having -secrets in YAML files saved for example in a code repository. - -An alternative is to put the secret in a file mounted into the container and point -to the file location using an environment variable. For example if the file - -``` -/run/secrets/comanage_registry_postgres_user_password -``` - -is mounted in the container and holds the password and the container environment contains - -``` -COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD_FILE=/run/secrets/comanage_registry_postgres_user_password -``` - -then the entrypoint script will set the password to the value read from the file. 
- -Here is an example compose file that uses secrets read from files mounted in -the containers: - -``` -version: '3.1' - -services: - - comanage-registry-database: - image: mariadb - volumes: - - /docker/var/lib/mysql:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - - MYSQL_DATABASE=registry - - MYSQL_USER=registry_user - - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password - - comanage-registry: - image: comanage-registry:hotfix-2.0.x-basic-auth - environment: - - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password - ports: - - "80:80" - - "443:443" -``` - -*All configuration details that may be set using an environment variable can also be set -using a file and environment variable of the same name appended with `_FILE`*. - -*When present an environment variable pointing to a file inside the container overrides -an otherwise configured environment variable*. - -## X.509 Certificates and Private Keys - -### COmanage Registry - -The certificate and private key files used for HTTPS may -be injected into the COmanage Registry container using environment variables -to point to files mounted into the container. The certificate file should -include the server certificate and any intermediate CA signing certificates -sorted from leaf to root. 
- -For example: - -``` -version: '3.1' - -services: - - comanage-registry-database: - image: mariadb - volumes: - - /docker/var/lib/mysql:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - - MYSQL_DATABASE=registry - - MYSQL_USER=registry_user - - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password - - comanage-registry: - image: comanage-registry:hotfix-2.0.x-basic-auth - environment: - - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password - - HTTPS_CERT_FILE=/run/secrets/https_cert_file - - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - ports: - - "80:80" - - "443:443" -``` - -Alternatively you can directly mount files in the container to - -``` -/etc/apache2/cert.pem -/etc/apache2/privkey.pem -``` - -If no files are configured the containers use "snakeoil" self-signed certificates -for HTTPS by default. - -### Shibboleth SP - -The SAML certificate and private key used for decryption (and sometimes signing) -by the Shibboleth SP may be injected into the COmanage Registry container using -environment variables to point to files mounted into the container. 
- -For example: - -``` -version: '3.1' - -services: - - comanage-registry-database: - image: mariadb - volumes: - - /docker/var/lib/mysql:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - - MYSQL_DATABASE=registry - - MYSQL_USER=registry_user - - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password - - comanage-registry: - image: comanage-registry:3.1.1-basic-auth - environment: - - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password - - HTTPS_CERT_FILE=/run/secrets/https_cert_file - - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - SHIBBOLETH_SP_CERT=/run/secrets/shibboleth_sp_cert - - SHIBBOLETH_SP_PRIVKEY=/run/secrets/shibboleth_sp_privkey - ports: - - "80:80" - - "443:443" -``` - -Alternatively you can directly mount files in the container to - -``` -/etc/shibboleth/sp-cert.pem -/etc/shibboleth/sp-key.pem -``` - -If no files are configured the container uses a default self-signed certificate -*this is the same for all images and not suitable for production*. - -### OpenLDAP slapd - -The certificate, private key, and CA signing file or chain file used for TLS -(port 636 by default) may -be injected into the OpenLDAP slapd container using environment variables -to point to files mounted into the container. 
- -For example: - -``` -version: '3.1' - -services: - - comanage-registry-database: - image: mariadb - volumes: - - /docker/var/lib/mysql:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - - MYSQL_DATABASE=registry - - MYSQL_USER=registry_user - - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password - - comanage-registry-ldap: - image: comanage-registry-slapd - volumes: - - /docker/var/lib/ldap:/var/lib/ldap - - /docker/etc/ldap/slapd.d:/etc/ldap/slapd.d - environment: - - SLAPD_CERT_FILE=/run/secrets/slapd_cert_file - - SLAPD_PRIVKEY_FILE=/run/secrets/slapd_privkey_file - - SLAPD_CHAIN_FILE=/run/secrets/slapd_chain_file - - OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw - - OLC_SUFFIX=dc=my,dc=org - - OLC_ROOT_DN=cn=admin,dc=my,dc=org - ports: - - "636:636" - - "389:389" - - comanage-registry: - image: comanage-registry:3.1.1-basic-auth - environment: - - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password - - HTTPS_CERT_FILE=/run/secrets/https_cert_file - - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - ports: - - "80:80" - - "443:443" -``` -## ServerName - -The entrypoint scripts will attempt to parse the appropriate value for the -Apache HTTP Server configuration option `ServerName` from the X.509 certificate -provided for HTTPS. - -To override the parsing a deployer may explicitly set the environment variable -`SERVER_NAME`. 
For example - -``` -version: '3.1' - -services: - - comanage-registry-database: - image: mariadb - volumes: - - /docker/var/lib/mysql:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - - MYSQL_DATABASE=registry - - MYSQL_USER=registry_user - - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password - - comanage-registry: - image: comanage-registry:3.1.1-basic-auth - environment: - - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password - - HTTPS_CERT_FILE=/run/secrets/https_cert_file - - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - SERVER_NAME=registry.my.org - ports: - - "80:80" - - "443:443" -``` - -## Full control - -Deployers needing full control may inject configuration and deployment details directly. -The entrypoint scripts will *not* overwrite any details found so directly injected -details always override environment variables. - -### COmanage Registry - -COmanage Registry expects to find all local configuration details -in the container at `/srv/comanage-registry/local`. A deployer may therefore mount -a directory at that location to provide any and all configuration details. Note, however, -that Registry expects to find a particular directory structure under -`/srv/comanage-registry/local` and will not function properly if the structure is not -found. The entrypoint script will create the necessary structure if it does not find it -so it is recommended to mount an empty directory for the first deployment, let the -entrypoint script create the structure, then later adjust the details as necessary -for your deployment. - -### Shibboleth SP - -All Shibboleth SP configuration is available inside the container in -`/etc/shibboleth`. 
A deployer may therefore mount into that directory any -necessary adjustment to the Shibboleth configuration, such as static metadata -files, metadata signing certificates, or advanced attribute filtering -configurations. - -A default set of all configuration files is available in the image. - -### OpenLDAP slapd - -Since slapd is configured dynamically using standard LDAP operations on the -configuration directory (`cn=config`) the most straightforward way to inject -advanced configuration details at the time the container is *created* is -to customize the entrypoint script. - diff --git a/docs/basic-auth-mariadb-persist.md b/docs/basic-auth-mariadb-persist.md deleted file mode 100644 index 6d728eb..0000000 --- a/docs/basic-auth-mariadb-persist.md +++ /dev/null 
@@ -1,127 +0,0 @@ - - -# COmanage Registry Docker -## With Basic Authentication, MariaDB, and persisted data - -* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version -of COmanage Registry you want to deploy. See the -[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) -wiki page for the list of releases. We recommend using the latest release. - -Here is an example (but please check the wiki page for the latest release number): - -``` -export COMANAGE_REGISTRY_VERSION=3.1.1 -``` - -* Build a local image for COmanage Registry if you have not already: - -``` -pushd comanage-registry-basic-auth -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth . -popd -``` - -* It is not necessary to build a local image of MariaDB for COmanage Registry. You can -use the [official MariaDB image from Docker Hub](https://hub.docker.com/_/mariadb/). - - -* Create a directory to persist data in the relational database: -``` -mkdir -p /docker/var/lib/mysql -mkdir -p /docker/srv/comanage-registry/local -``` - -* Create a docker-compose.yml template file. Be sure to replace the password examples -below with your own choices. 
-``` -version: '3.1' - -services: - - comanage-registry-database: - image: mariadb - volumes: - - /docker/var/lib/mysql:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD=tkrT3MI4H2otxGMuxqoE - - MYSQL_DATABASE=registry - - MYSQL_USER=registry_user - - MYSQL_PASSWORD=vy4O6XF58gl1fMpf6rRg - - comanage-registry: - image: comanage-registry:COMANAGE_REGISTRY_VERSION-basic-auth - volumes: - - /docker/srv/comanage-registry/local:/srv/comanage-registry/local - environment: - - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql - # Password below must be same as for MYSQL_PASSWORD above - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=vy4O6XF58gl1fMpf6rRg - ports: - - "80:80" - - "443:443" -``` - -* Use sed to set the COmanage Registry version for the image in the -docker-compose.yml file: - -``` -sed -i s/COMANAGE_REGISTRY_VERSION/$COMANAGE_REGISTRY_VERSION/ docker-compose.yml -``` - -* Start the services: -``` -docker-compose up -d -``` - -* Browse to port 443 on the host, for example `https://localhost/` - -* Click `Login` and when prompted enter `registry.admin` as the username and `password` -for the password. - -See [Advanced Configuration](./advanced-configuration.md) -for details on setting a non-default administrator username and password. - -* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO) -to learn how to create your first collaborative organization (CO) and begin using -the platform. - -* To stop the services: -``` -docker-compose stop -``` - -* To remove the containers and networks: -``` -docker-compose down -``` - -Even though the containers have been removed the data is persisted. You may -bring up the services again and resume where you left off. - -### Important Notes -The instructions above are *not suitable for a production deployment* -because the deployed services use default and easily guessed passwords. 
- -See [Advanced Configuration](./advanced-configuration.md) -for details on setting a non-default administrator username and password. diff --git a/docs/comanage-registry-common-environment-variables.md b/docs/comanage-registry-common-environment-variables.md new file mode 100644 index 0000000..b29b017 --- /dev/null +++ b/docs/comanage-registry-common-environment-variables.md 
@@ -0,0 +1,232 @@ + + +# Environment Variables Common to All Images + +The environment variables detailed below apply to all COmanage +Registry images in this repository. + +## Using Files to Inject Secrets + +The COmanage Registry images support the convention of an associated +environment variable ending with ```_FILE``` to indicate a path +relative to the container from which the value for an environment +variable should be read. + +For example if the environment variable ```COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE``` +exists and its value is the path to a readable file, then the contents of the +file will be read into the environment variable ```COMANAGE_REGISTRY_DATABASE_USER_PASSWORD```. + +If both an environment variable and the associated ```_FILE``` environment variable +are defined the associated ```_FILE``` environment variable takes precedence, +provided that the file it points to exists and is readable. + +## Environment Variables + +```COMANAGE_REGISTRY_ADMIN_GIVEN_NAME``` + +* Description: Given name for first platform administrator +* Required: yes +* Default: Registry +* Example: Julia +* Note: \[[1](#note01)\] + +```COMANAGE_REGISTRY_ADMIN_FAMILY_NAME``` + +* Description: Family name for first platform administrator +* Required: yes +* Default: Admin +* Example: Janssen +* Note: \[[1](#note01)\] + +```COMANAGE_REGISTRY_ADMIN_USERNAME``` + +* Description: Username name for first platform administrator +* Required: yes +* Default: registry.admin +* Example: julia.janseen@my.org +* Note: \[[1](#note01)\] + +```COMANAGE_REGISTRY_DATASOURCE``` + +* Description: database type +* Required: yes +* Default: Database/Postgres +* Example: Database/Mysql +* Note: \[[2](#note02)\] + +```COMANAGE_REGISTRY_DATABASE``` + +* Description: database name +* Required: yes +* Default: registry +* Example: comanage_registry +* Note: \[[2](#note02)\] + +```COMANAGE_REGISTRY_DATABASE_HOST``` + +* Description: database server host +* Required: yes +* Default: 
comanage-registry-database +* Example: database-server.my.org +* Note: \[[2](#note02)\] + +```COMANAGE_REGISTRY_DATABASE_USER``` + +* Description: database username +* Required: yes +* Default: registry_user +* Example: comanage-user +* Note: \[[2](#note02)\] + +```COMANAGE_REGISTRY_DATABASE_USER_PASSWORD``` + +* Description: database user password +* Required: yes +* Default: password +* Example: O5Yhtt6TLOxNjo93fmB9 +* Note: \[[2](#note02)\] + +```COMANAGE_REGISTRY_EMAIL_FROM``` + +* Description: Default email "From" for emails sent by COmanage Registry +* Required: yes +* Default: ```array('account@gmail.com' => 'Registry')``` +* Example: registry@my.org +* Note: \[[3](#note03)\] +* Note: This is a [CakePHP email configuration value](https://book.cakephp.org/2.0/en/core-utility-libraries/email.html). + +```COMANAGE_REGISTRY_EMAIL_TRANSPORT``` + +* Description: Email transport +* Required: yes +* Default: Smtp +* Example: Smtp +* Note: \[[3](#note03)\] + +```COMANAGE_REGISTRY_EMAIL_HOST``` + +* Description: Email server host +* Required: yes +* Default: ```tls://smtp.gmail.com``` +* Example: smtp.my.org +* Note: \[[3](#note03)\] + +```COMANAGE_REGISTRY_EMAIL_PORT``` + +* Description: Email server port +* Required: yes +* Default: 465 +* Example: 25 +* Note: \[[3](#note03)\] + +```COMANAGE_REGISTRY_EMAIL_ACCOUNT``` + +* Description: Email server account +* Required: no +* Default: account@gmail.com +* Example: comanage-registry-smtp@my.org +* Note: \[[3](#note03)\] + +```COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD``` + +* Description: Email server account password +* Required: no +* Default: password +* Example: Sw5x71ToBHBEr4VqpRxD +* Note: \[[3](#note03)\] + +```COMANAGE_REGISTRY_ENABLE_PLUGIN``` + +* Description: Comma separated list of non-core plugins to enable +* Required: no +* Default: none +* Example: IdentifierEnroller,LdapIdentifierValidator,MailmanProvisioner + + +```COMANAGE_REGISTRY_SECURITY_SALT``` + +* Description: Security salt used when hashing. 
Must be 40 or more characters from the set [0-9a-zA-Z]. +* Required: no +* Default: automatically generated if not provided +* Example: VuUq2mnXC0Cco8uKcjO1rDdP2lVC3lgP970QP2XY +* Note: If present the environment variable is read the first time the container is +started and written to the persistent volume (or bind mount) in the +configuration file ```security.salt```. Later changes to the environment +variable are *not* reflected in the file which must be +edited directly. + +```COMANAGE_REGISTRY_SECURITY_SEED``` + +* Description: Security seed used for encrypt/decrypt +* Required: no +* Default: automatically generated if not provided +* Example: 47072649794709969916818407654 +* Note: If present the environment variable is read the first time the container is +started and written to the persistent volume (or bind mount) in the +configuration file ```security.seed```. Later changes to the environment +variable are *not* reflected in the file which must be +edited directly. + +```COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN``` + +* Description: Apache HTTP Server virtual host name +* Required: no +* Default: Obtained from inspecting HTTPS x509 certificate file if present, otherwise "unknown" +* Example: registry.my.org + +```HTTPS_CERT_FILE``` + +* Description: path to file containing x509 certificate for HTTPS +* Required: no +* Default: automatically generated self-signed certificate +* Example: /run/secrets/https_cert_file +* Note: The path is relative to the running container. + +```HTTPS_PRIVKEY_FILE``` + +* Description: path to file containing x509 private key for HTTPS +* Required: no +* Default: automatically generated private key +* Example: /run/secrets/https_privkey_file +* Note: The path is relative to the running container. + + +```SERVER_NAME``` + +* Deprecated. Use ```COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN```. + +\[1\]: The environment variable is read the first time the container is +started and saved to the COmanage Registry database. 
Later changes to the environment +variable are *not* reflected in the database state. + +\[2\]: The environment variable is read the first time the container is +started and written to the persistent volume (or bind mount) in the +configuration file ```database.php```. Later changes to the environment +variable are *not* reflected in the configuration file which must be +edited directly. + +\[3\]: The environment variable is read the first time the container is +started and written to the persistent volume (or bind mount) in the +configuration file ```email.php```. Later changes to the environment +variable are *not* reflected in the configuration file which must be +edited directly. + diff --git a/docs/comanage-registry-common-shibboleth-environment-variables.md b/docs/comanage-registry-common-shibboleth-environment-variables.md new file mode 100644 index 0000000..37e8ba2 --- /dev/null +++ b/docs/comanage-registry-common-shibboleth-environment-variables.md 
@@ -0,0 +1,113 @@ + + +# Environment Variables Common to Images using Shibboleth SP for Authentication + +The environment variables detailed below apply to all COmanage +Registry images in this repository that use the Shibboleth Native SP for +Apache HTTP Server (Shibboleth) for authentication. + +## Using Files to Inject Secrets + +The image supports the environment variables below and the `_FILE` +[convention](../docs/comanage-registry-common-environment-variables.md): + +## Environment Variables + +`SHIBBOLETH_SP_CERT` + +* Deprecated: Use `SHIBBOLETH_SP_ENCRYPT_CERT`. + +`SHIBBOLETH_SP_ENCRYPT_CERT` + +* Description: PEM encoded X.509 certificate used for encrypting assertions to be sent to and consumed by the SP. +* Required: Yes +* Default: Image default, not suitable for production use. +* Example: See note below. +* Note: \[[1](#note01)\] + +`SHIBBOLETH_SP_ENCRYPT_PRIVKEY` + +* Description: Private key associated with the PEM encoded X.509 certificate used for encrypting assertions to be sent to and consumed by the SP. +* Required: Yes +* Default: Image default, not suitable for production use. +* Example: See note below. +* Note: \[[1](#note01)\] + +`SHIBBOLETH_SP_ENTITY_ID` + +* Description: SAML entityID for the SP. +* Required: Yes +* Default: Image default, not suitable for production use. +* Example: https://myapp.my.org/shibboleth/sp +* Note: \[[2](#note02)\] + + +`SHIBBOLETH_SP_METADATA_PROVIDER_XML` + +* Description: XML stanza for configuring Shibboleth SP metadata consumption. +* Required: Yes +* Default: Image default, not suitable for production use. +* Example: See note below. +* Note: Due to the complex syntax which makes escaping some characters tedious, +most deployers write the configuration into a file and specify the variable +`SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE`. See also \[[2](#note02)\]. + +`SHIBBOLETH_SP_PRIVKEY` + +* Deprecated: Use `SHIBBOLETH_SP_ENCRYPT_PRIVKEY`. 
+ +`SHIBBOLETH_SP_SAMLDS_URL` + +* Description: URL for SAML IdP discovery service. +* Required: Yes +* Default: Image default, not suitable for production use. +* Example: https://login-chooser.my.org +* Note: \[[2](#note02)\] + +`SHIBBOLETH_SP_SIGNING_CERT` + +* Description: PEM encoded X.509 certificate used by the SP for signing authentication requests. +* Required: Yes +* Default: Image default, not suitable for production use. +* Example: See note below. +* Note: \[[1](#note01)\] + + +`SHIBBOLETH_SP_SIGNING_PRIVKEY` + +* Description: Private key associated with the PEM encoded X.509 certificate used by the SP for signing authentication requests. +* Required: Yes +* Default: Image default, not suitable for production use. +* Example: See note below. +* Note: \[[1](#note01)\] + +\[1\]: Many deployers start a container without specifying the variable and then +break into the running container and use the `/etc/shibboleth/keygen.sh` script +to generate the persistent cert and private key pair and copy them out of the container. +Later after escrowing the cert and private key they are injected into the container +using the variable(s). + +\[2\]: While the image allows some Shibboleth SP configurations to be directly +injected using environment variables, most deployers bind mount or COPY the necessary +Shibboleth SP configuration files with local deployment details into the directory `/etc/shibboleth/`. +The image includes the standard example and template configuration files experienced +Shibboleth SP deployers expect to find. diff --git a/docs/comanage-registry-internet2-tier.md b/docs/comanage-registry-internet2-tier.md new file mode 100644 index 0000000..3845ec0 --- /dev/null +++ b/docs/comanage-registry-internet2-tier.md 
@@ -0,0 +1,302 @@ + + +# COmanage Registry Internet2 TIER + +Follow these steps to build and run the Internet2 TIER COmanage Registry +image. The image uses CentOS as the base operating system and the +Shibboleth SP for authentication. + +* Install Docker. These instructions require version 17.05 or higher. + +* Clone this repository: + +``` +git clone https://github.com/Internet2/comanage-registry-docker.git +cd comanage-registry-docker +``` + +* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version +of COmanage Registry you want to deploy. See the +[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) +wiki page for the list of releases. We recommend using the latest release. + +Here is an example (but please check the wiki page for the latest release number): + +``` +export COMANAGE_REGISTRY_VERSION=3.2.1 +``` + +* Define the shell variable `COMANAGE_REGISTRY_BASE_IMAGE_VERSION` to be the +version of the base image you are about to build: + +``` +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +``` + +* Build the base COmanage Registry image: + +``` +pushd comanage-registry-base +TAG="${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + -t comanage-registry-base:${TAG} . +popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION` +to be the version of the base Internet2 image you are about to build: + +``` +export COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=1 +``` + +* Build the base Internet2 image: + +``` +pushd comanage-registry-internet2-tier-base +TAG="${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-internet2-tier-base:$TAG . 
+popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_I2_IMAGE_VERSION` +to be the version of the image you are about to build: + +``` +export COMANAGE_REGISTRY_I2_IMAGE_VERSION=1 +``` + +* Build the Internet2 image for COmanage Registry: + +``` +pushd comanage-registry-internet2-tier +TAG="${COMANAGE_REGISTRY_VERSION}-internet2-tier-${COMANAGE_REGISTRY_I2_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + --build-arg COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +popd +``` + +* Initialize the Docker Swarm: + +``` +docker swarm init +``` + +* Create secrets for the database root password, the COmanage Registry database +password, the HTTPS certificate (and CA signing chain) and private key files, +and the Shibboleth SP encryption certificate and private key files (be sure +to choose your own values and do not use the examples below): + +``` +echo "jPkrc3TUijfmT3vi1ZKw" | docker secret create mariadb_root_password - + +echo "ayFjKFHTre74A0k8k1mq" | docker secret create mariadb_password - + +echo "ayFjKFHTre74A0k8k1mq" | docker secret create comanage_registry_database_user_password - + +docker secret create https_cert_file fullchain.cert.pem + +docker secret create https_privkey_file privkey.pem + +docker secret create shibboleth_sp_encrypt_cert sp-encrypt-cert.pem + +docker secret create shibboleth_sp_encrypt_privkey sp-encrypt-key.pem +``` + +* Create directories on the Docker engine host(s) for state files +and other files including the Shibboleth SP configuration files: + +``` +sudo mkdir -p /srv/docker/var/lib/mysql +sudo mkdir -p /srv/docker/srv/comanage-registry/local +sudo mkdir -p /srv/docker/etc/shibboleth +``` + +* Copy Shibboleth SP configuration files into place to be mounted +into the running container. 
Your Shibboleth SP configuration should +result in the primary identifier attribute you expect to be asserted by the SAML +IdP(s) to populate `REMOTE_USER` so that it can be read by COmanage Registry. +A common choice is to populate `REMOTE_USER` with eduPersonPrincipalName, but +the details will depend on your SAML federation choices. + + +``` +cp shibboleth2.xml /srv/docker/etc/shibboleth/ +cp attribute-map.xml /srv/docker/etc/shibboleth/ +cp saml-metadata.xml /srv/docker/etc/shibboleth/ +``` + +* Define shell variables for the first COmanage Registry platform + administrator, for example: + +``` +export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel +export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak +export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org +``` + +The username should be the value you expect to be asserted by the +SAML IdP for the first platform administrator. The Shibboleth SP +configuration should be such that the value is populated into +`REMOTE_USER` where it will be read when the first platform +administrator logs into COmanage Registry. + +* Define a shell variable with the fully-qualified domain name for +the virtual host from which COmanage Registry will be served. 
For +example + +``` +export COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=registry.my.org +``` + +* Create a Docker Swarm services stack description (compose) file in YAML format: + +``` +version: '3.1' + +services: + + comanage-registry-database: + image: mariadb:10.2 + volumes: + - /srv/docker/var/lib/mysql:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mariadb_root_password + - MYSQL_DATABASE=registry + - MYSQL_USER=registry_user + - MYSQL_PASSWORD_FILE=/run/secrets/mariadb_password + secrets: + - mariadb_root_password + - mariadb_password + networks: + - default + deploy: + replicas: 1 + + comanage-registry: + image: comanage-registry:${COMANAGE_REGISTRY_VERSION}-internet2-tier-${COMANAGE_REGISTRY_I2_IMAGE_VERSION} + volumes: + - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local + - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml + - /srv/docker/etc/shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml + - /srv/docker/etc/shibboleth/saml-metadata.xml:/etc/shibboleth/saml-metadata.xml + environment: + - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} + - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} + - COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} + - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql + - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_registry_database_user_password + - COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN} + - HTTPS_CERT_FILE=/run/secrets/https_cert_file + - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file + - SHIBBOLETH_SP_ENCRYPT_CERT=/run/secrets/shibboleth_sp_encrypt_cert + - SHIBBOLETH_SP_ENCRYPT_PRIVKEY=/run/secrets/shibboleth_sp_encrypt_privkey + secrets: + - comanage_registry_database_user_password + - https_cert_file + - https_privkey_file + - shibboleth_sp_encrypt_cert + - shibboleth_sp_encrypt_privkey + networks: + - default + ports: + 
- "80:80" + - "443:443" + deploy: + replicas: 1 + +secrets: + comanage_registry_database_user_password: + external: true + mariadb_root_password: + external: true + mariadb_password: + external: true + shibboleth_sp_encrypt_cert: + external: true + shibboleth_sp_encrypt_privkey: + external: true + https_cert_file: + external: true + https_privkey_file: + external: true +``` + +* Deploy the COmanage Registry service stack: + +``` +docker stack deploy --compose-file comanage-registry-stack.yml comanage-registry +``` + +Since this is the first initialization of the containers it will take some +time for the database tables to be created. The Apache HTTP Server and +Shibboleth SP daemons will not be started until the entrypoint scripts +detect that the database has been initialized. + +Check that both the comanage-registry-database and comanage-registry images are running with +``` +docker service ls +``` + +You may monitor the progress of the database container using + +``` +docker service logs -f comanage-registry_comanage-registry-database +``` + +and the progress of the COmanage Registry container using + +``` +docker service logs -f comanage-registry_comanage-registry +``` + +* After the Apache HTTP Server has started browse to port 443 on the host. + +* Click `Login` to initiate a SAML authentication flow. After authenticating at + the SAML IdP the Shibboleth SP should consume the SAML assertion and populate + `REMOTE_USER` with the value for the username for the first platform + administrator. + +* During the first instantiation of the COmanage Registry service the entrypoint +script will have created the template file + +``` +Config/email.php +``` + +in the directory `/srv/docker/srv/comanage-registry/local` on the Docker engine +host. Edit that file to configure how COmanage Registry should connect to an +SMTP server to send outgoing email. 
+ +* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO) +to learn how to create your first collaborative organization (CO) and begin using +the platform. + +* To stop the services: +``` +docker stack rm comanage-registry +``` diff --git a/docs/basic-auth-postgres-persist.md b/docs/evaluation.md similarity index 56% rename from docs/basic-auth-postgres-persist.md rename to docs/evaluation.md index 81da39c..b44dc32 100644 --- a/docs/basic-auth-postgres-persist.md +++ b/docs/evaluation.md @@ -19,8 +19,22 @@ See the License for the specific language governing permissions and limitations under the License. --> -# COmanage Registry Docker -## With Basic Authentication, PostgreSQL, and persisted data +# Evaluating COmanage Registry using Docker + +Follow these steps to build and run a simple deployment of COmanage Registry +suitable for evaluation purposes. + +* Install Docker. These instructions require version 17.05 or higher. + +* Install [Docker Compose](https://docs.docker.com/compose/). These instructions require +version 1.13.0 or higher. + +* Clone this repository: + +``` +git clone https://github.com/Internet2/comanage-registry-docker.git +cd comanage-registry-docker +``` * Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version of COmanage Registry you want to deploy. See the 
@@ -30,34 +44,39 @@ wiki page for the list of releases. We recommend using the latest release. Here is an example (but please check the wiki page for the latest release number): ``` -export COMANAGE_REGISTRY_VERSION=3.1.1 +export COMANAGE_REGISTRY_VERSION=3.2.1 +``` + +* Build the base COmanage Registry image: + +``` +pushd comanage-registry-base +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + -t comanage-registry-base:${COMANAGE_REGISTRY_VERSION}-1 . +popd ``` -* Build a local image for COmanage Registry if you have not already: +* Build an image for COmanage Registry that uses basic authentication: ``` pushd comanage-registry-basic-auth -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth . +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth . popd ``` -* Build a local image of PostgreSQL for COmanage Registry if you have not already: +* Build a local image of PostgreSQL for COmanage Registry: + ``` pushd comanage-registry-postgres docker build -t comanage-registry-postgres . popd ``` -* Create directories to persist the relational database and COmanage Registry -local configuration: -``` -mkdir -p /docker/var/lib/postgresql/data -mkdir -p /docker/srv/comanage-registry/local -``` +* Create a docker-compose.yml file: -* Create a template docker-compose.yml file that mounts the directories you created -as volumes in the database container: ``` version: '3.1' 
@@ -65,36 +84,25 @@ services: comanage-registry-database: image: comanage-registry-postgres - volumes: - - /docker/var/lib/postgresql/data:/var/lib/postgresql/data comanage-registry: - image: comanage-registry:COMANAGE_REGISTRY_VERSION-basic-auth - volumes: - - /docker/srv/comanage-registry/local:/srv/comanage-registry/local + image: "comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth" ports: - "80:80" - "443:443" ``` -* Use sed to set the COmanage Registry version for the image in the -docker-compose.yml file: - -``` -sed -i s/COMANAGE_REGISTRY_VERSION/$COMANAGE_REGISTRY_VERSION/ docker-compose.yml -``` - * Start the services: ``` docker-compose up -d ``` -* Browse to port 443 on the host, for example `https://localhost/` +* Browse to port 443 on the host, for example `https://localhost/`. You will have to + click through the warning from your browser about the self-signed certificate used + for HTTPS. * Click `Login` and when prompted enter `registry.admin` as the username and `password` -for the password. See [Advanced Configuration](docs/advanced-configuration.md) -for details on setting a non-default administrator username and -password. +for the password. * Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO) to learn how to create your first collaborative organization (CO) and begin using 
@@ -110,12 +118,14 @@ docker-compose stop docker-compose down ``` -Even though the containers have been removed the data is persisted. You may -bring up the services again and resume where you left off. - ### Important Notes -The instructions above are *not suitable for a production deployment* -because the deployed services use default and easily guessed passwords. +The instructions above are *not suitable for a production deployment* for two reasons: + +1. The deployed services use default and easily guessed passwords. +2. No data is persisted. When the containers are destroyed so is your data. + +## Next Steps +To evolve your COmanage Registry deployment examine the documentation +in the [docs directory](./README.md). + -See [Advanced Configuration](docs/advanced-configuration.md) -for details on setting a non-default administrator username and password. diff --git a/docs/mod-auth-oidc-mariadb-stacks.md b/docs/mod-auth-oidc-mariadb-stacks.md deleted file mode 100644 index 7c605eb..0000000 --- a/docs/mod-auth-oidc-mariadb-stacks.md +++ /dev/null 
@@ -1,290 +0,0 @@ - - -# COmanage Registry Docker for Production with mod\_auth\_openidc and MariaDB using Docker stacks, swarm, and secrets - -Follow this recipe as an example production deployment of COmanage Registry -with mod\_auth\_openidc for authentication, a MariaDB database, and -an OpenLDAP slapd directory server. - -This recipe uses Docker service stacks, swarm, and secrets rather than docker-compose. - -## Recipe - -* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version -of COmanage Registry you want to deploy. See the -[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) -wiki page for the list of releases. We recommend using the latest release. - -Here is an example (but please check the wiki page for the latest release number): - -``` -export COMANAGE_REGISTRY_VERSION=3.1.1 -``` - -* Build a local image for COmanage Registry if you have not already: - -``` -pushd comanage-registry-mod-auth-openidc -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc . -popd -``` - -* It is not necessary to build a local image for the MariaDB container. The official MariaDB image -is sufficient. - -* Build a local image of OpenLDAP slapd for COmanage Registry if you have not already: - -``` -pushd comanage-registry-slapd -docker build -t comanage-registry-slapd . -popd -``` - -* Create directories to persist the relational database, COmanage Registry -local configuration, slapd configuration, slapd directory data: -``` -mkdir -p /docker/var/lib/mysql -mkdir -p /docker/srv/comanage-registry/local -mkdir -p /docker/var/lib/ldap -mkdir -p /docker/etc/ldap/slapd.d -``` - -* Create a single node swarm: -``` -docker swarm init -``` - -Store secrets and inject other deployment details using Docker secrets. -Be sure to create your own secrets and do not reuse the examples -below. 
- - -Create a root password for the MariaDB database: -``` -echo "4vdecnEHzwUNKA1FlvgE" | docker secret create mysql_root_password - -``` - -Create a password, used by MariaDB, for the COmanage Registry database user: - -``` -echo "34MF72AyBWgaTm3OLbc9" | \ - docker secret create mysql_registry_user_password - -``` - -Store that same password again to be used by the COmanage Registry container: - -``` -echo "202ZIBSipiP2cOhoTDFK" | \ - docker secret create comanage_registry_database_user_password - -``` - -Obtain the OIDC client secret and the mod\_auth\_openidc OIDC crypto -passphrase and store them as secrets: - -``` -echo "myproxy:oa4mp,2012:/client_id/630031683213792271192646355167031832" \ - | docker secret create oidc_client_id - - - -echo "g4bu5n0jTfHnwKvf2itz" | docker secret create oidc_crypto_passphrase - -``` - -Use the slappasswd tool (package `slapd` on Debian) to create a strong hash for a strong -password for the directory root DN: - -``` -slappasswd -c '$6$rounds=5000$%.86s' -``` - -Store the hash in a file: - -``` -echo '{CRYPT}$6$rounds=5000$kER6wkUF91t4.r79$7OLbtO0qF9K9tQlVJAxpWFem.0KmnyWn1/1K0sVSEQELRuj87sc7GtJT7HpWBr8JfZHlbsG9ifrqN6EmJchQ8/' \ - > /docker/run/secrets/olc_root_pw -``` - -Put the X.509 certificate, private key, and chain files in place for slapd: - -``` -docker secret create slapd_cert_file cert.pem -docker secret create slapd_privkey_file privkey.pem -docker secret create slapd_chain_file chain.pem -``` - -Put the X.509 certificate and private key files in place -for Apache HTTP Server for HTTPS. 
The certificate file should -include the server certificate and any intermediate CA signing -certificates sorted from leaf to root: - -``` -docker secret create https_cert_file fullchain.pem -docker secret create https_privkey_file privkey.pem -``` - -* Create a template docker-compose.yml by adjusting the example below: - -``` -version: '3.1' - -services: - - comanage-registry-database: - image: mariadb - volumes: - - /srv/docker/var/lib/mysql:/var/lib/mysql - environment: - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - - MYSQL_DATABASE=registry - - MYSQL_USER=registry_user - - MYSQL_PASSWORD_FILE=/run/secrets/mysql_registry_user_password - secrets: - - mysql_root_password - - mysql_registry_user_password - networks: - - default - deploy: - replicas: 1 - - comanage-registry-ldap: - image: comanage-registry-slapd - volumes: - - /srv/docker/var/lib/ldap:/var/lib/ldap - - /srv/docker/etc/ldap/slapd.d:/etc/ldap/slapd.d - environment: - - SLAPD_CERT_FILE=/run/secrets/slapd_cert_file - - SLAPD_PRIVKEY_FILE=/run/secrets/slapd_privkey_file - - SLAPD_CHAIN_FILE=/run/secrets/slapd_chain_file - - OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw - - OLC_SUFFIX=dc=my,dc=org - - OLC_ROOT_DN=cn=admin,dc=my,dc=org - secrets: - - slapd_cert_file - - slapd_privkey_file - - slapd_chain_file - - olc_root_pw - networks: - - default - ports: - - "636:636" - - "389:389" - deploy: - replicas: 1 - - comanage-registry: - image: comanage-registry:COMANAGE_REGISTRY_VERSION-mod-auth-openidc - volumes: - - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local - environment: - - OIDC_CLIENT_ID=myproxy:oa4mp,2012:/client_id/zC8kr2KG5wBxWIQ6YLu0 - - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret - - OIDC_PROVIDER_METADATA_URL=https://cilogon.org/.well-known/openid-configuration - - OIDC_CRYPTO_PASSPHRASE_FILE=/run/secrets/oidc_crypto_passphrase - - REGISTRY_HOST=registry.my.org - - HTTPS_CERT_FILE=/run/secrets/https_cert_file - - 
HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - COMANAGE_REGISTRY_ADMIN_USERNAME=http://cilogon.org/serverA/users/22981 - - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_registry_database_user_password - - COMANAGE_REGISTRY_EMAIL_TRANSPORT=Smtp - - COMANAGE_REGISTRY_EMAIL_HOST=smtp.ncsa.uiuc.edu - - COMANAGE_REGISTRY_EMAIL_PORT=25 - secrets: - - comanage_registry_database_user_password - - oidc_client_secret - - oidc_crypto_passphrase - - https_cert_file - - https_privkey_file - networks: - - default - ports: - - "80:80" - - "443:443" - deploy: - replicas: 1 - -secrets: - comanage_registry_database_user_password: - external: true - mysql_root_password: - external: true - mysql_registry_user_password: - external: true - slapd_cert_file: - external: true - slapd_privkey_file: - external: true - slapd_chain_file: - external: true - olc_root_pw: - external: true - oidc_client_secret: - external: true - oidc_crypto_passphrase: - external: true - https_cert_file: - external: true - https_privkey_file: - external: true -``` - -Note especially the value for `COMANAGE_REGISTRY_ADMIN_USERNAME`. -This is the value that mod\_auth\_openidc expects to consume in the -ID token from the OP that authenticates the first platform administrator. -By default mod\_auth\_openidc will expect to consume that identifier -from the sub claim asserted for the admin by the OP. - -* Use sed to set the COmanage Registry version for the image in the -docker-compose.yml file: - -``` -sed -i s/COMANAGE_REGISTRY_VERSION/$COMANAGE_REGISTRY_VERSION/ docker-compose.yml -``` - -Bring up the services using docker stack deploy: - -``` -docker stack deploy --compose-file docker-compose.yml comanage-registry -``` - -COmanage Registry will be exposed on port 443 (HTTP). 
Use a web browser -to browse, for example, to - -``` -https://localhost/registry/ -``` - -If you have properly federated the OIDC client with the OP that the -first platform administrator will use you can click on "Login" and be -redirected to the OP for authentication. - -Production deployments need to send email, usually using an authenticated -account on a SMTP server. You may configure the details for your SMTP server -by editing the file `email.php` that the entrypoint script automatically -creates in `/docker/srv/comanage-registry/local/Config`. - -To stop the services and tear down the stack run - -``` -docker stack rm comanage-registry -``` - diff --git a/docs/mod-auth-openidc-mariadb.md b/docs/mod-auth-openidc-mariadb.md new file mode 100644 index 0000000..62fe152 --- /dev/null +++ b/docs/mod-auth-openidc-mariadb.md 
@@ -0,0 +1,280 @@ + + +# COmanage Registry with mod\_auth\_openidc and MariaDB + +Follow these steps to build and run COmanage Registry +using mod\_auth\_openidc for authentication and MariaDB +as the relational database. + +* Install Docker. These instructions require version 17.05 or higher. + +* Clone this repository: + +``` +git clone https://github.com/Internet2/comanage-registry-docker.git +cd comanage-registry-docker +``` + +* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version +of COmanage Registry you want to deploy. See the +[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) +wiki page for the list of releases. We recommend using the latest release. + +Here is an example (but please check the wiki page for the latest release number): + +``` +export COMANAGE_REGISTRY_VERSION=3.2.1 +``` + +* Define the shell variable `COMANAGE_REGISTRY_BASE_IMAGE_VERSION` to be the +version of the base image you are about to build: + +``` +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +``` + +* Build the base COmanage Registry image: + +``` +pushd comanage-registry-base +TAG="${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + -t comanage-registry-base:${TAG} . 
+popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION` +to be the version of the image you are about to build: + +``` +export COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION=1 +``` + +* Build an image for COmanage Registry that uses mod\_auth\_openidc +for authentication: + +``` +pushd comanage-registry-mod-auth-openidc +TAG="${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc-${COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +popd +``` + +* Initialize the Docker Swarm: + +``` +docker swarm init +``` + +* Create secrets for the database root password, the COmanage Registry database +password, the HTTPS certificate (and CA signing chain) and private key files, +(be sure to choose your own values and do not use the examples below): + +``` +echo "jPkrc3TUijfmT3vi1ZKw" | docker secret create mariadb_root_password - + +echo "ayFjKFHTre74A0k8k1mq" | docker secret create mariadb_password - + +echo "ayFjKFHTre74A0k8k1mq" | docker secret create comanage_registry_database_user_password - + +docker secret create https_cert_file fullchain.cert.pem + +docker secret create https_privkey_file privkey.pem + +``` + +* Create directories on the Docker engine host(s) for database, +COmanage Registry, and mod\_auth\_openidc files. + +``` +sudo mkdir -p /srv/docker/var/lib/mysql +sudo mkdir -p /srv/docker/srv/comanage-registry/local +sudo mkdir -p /srv/docker/etc/apache2/conf-enabled +``` + +* Create the mod\_auth\_openidc configuration file +`/srv/docker/etc/apache2/conf-enabled/mod-auth-openidc.conf` +with the necessary OIDC client, secret, redirect URI, and other +mod\_auth\_openidc integration details. 
+ +An example mod-auth-openidc.conf configuration is (be sure to choose +your own values and do not use the examples below): + +``` +OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration +OIDCRemoteUserClaim sub + +OIDCClientID cilogon:/client_id/3815e327237181f2ca55e39c305a5706 +OIDCClientSecret w5TmBFgrLEZVl7P3VYw5 + +OIDCScope "openid email profile org.cilogon.userinfo" +OIDCCryptoPassphrase X7iAVpP9c3vr3WTsxrd7 + +OIDCRedirectURI https://registry.cilogon.org/secure/redirect + + + AuthType openid-connect + Require valid-user + +``` + +* Define shell variables for the first COmanage Registry platform + administrator, for example: + +``` +export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel +export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak +export COMANAGE_REGISTRY_ADMIN_USERNAME=http://cilogon.org/serverA/users/22981 +``` + +The username should be the value you expect to be asserted by the +OIDC OP for the first platform administrator. The mod\_auth\_openidc +configuration should be such that the value is populated into +`REMOTE_USER` where it will be read when the first platform +administrator logs into COmanage Registry. The default +for mod\_auth\_openidc is to populate `REMOTE_USER` with the +OIDC sub claim. + +* Define a shell variable with the fully-qualified domain name for +the virtual host from which COmanage Registry will be served. 
For +example + +``` +export COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=registry.my.org +``` + +* Create a Docker Swarm services stack description (compose) file in YAML format: + +``` +version: '3.1' + +services: + + comanage-registry-database: + image: mariadb:10.2 + volumes: + - /srv/docker/var/lib/mysql:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mariadb_root_password + - MYSQL_DATABASE=registry + - MYSQL_USER=registry_user + - MYSQL_PASSWORD_FILE=/run/secrets/mariadb_password + secrets: + - mariadb_root_password + - mariadb_password + networks: + - default + deploy: + replicas: 1 + + comanage-registry: + image: comanage-registry:${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc-${COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION} + volumes: + - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local + - /srv/docker/etc/apache2/conf-enabled/mod-auth-openidc.conf:/etc/apache2/conf-enabled/mod-auth-openidc.conf + environment: + - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} + - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} + - COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} + - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql + - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_registry_database_user_password + - COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN} + - HTTPS_CERT_FILE=/run/secrets/https_cert_file + - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file + secrets: + - comanage_registry_database_user_password + - https_cert_file + - https_privkey_file + networks: + - default + ports: + - "80:80" + - "443:443" + deploy: + replicas: 1 + +secrets: + comanage_registry_database_user_password: + external: true + mariadb_root_password + external: true + mariadb_password + external: true + https_cert_file: + external: true + https_privkey_file: + external: true +``` + +* Deploy the COmanage Registry service stack: + 
+``` +docker stack deploy --compose-file comanage-registry-stack.yml comanage-registry +``` + +Since this is the first initialization of the containers it will take some +time for the database tables to be created. The Apache HTTP Server +will not be started until the entrypoint scripts detect that the +database has been initialized. + +You may monitor the progress of the database container using + +``` +docker service logs -f comanage-registry-database +``` + +and the progress of the COmanage Registry container using + +``` +docker service logs -f comanage-registry +``` + +* After the Apache HTTP Server has started browse to port 443 on the host. + +* Click `Login` to initiate an OIDC authentication flow. After authenticating at + the OIDC OP the mod\_auth\_openidc module should consume the OIDC identity token and populate + `REMOTE_USER` with the value for the username for the first platform + administrator. + +* During the first instantiation of the COmanage Registry service the entrypoint +script will have created the template file + +``` +Config/email.php +``` + +in the directory `/srv/docker/srv/comanage-registry/local` on the Docker engine +host. Edit that file to configure how COmanage Registry should connect to an +SMTP server to send outgoing email. + +* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO) +to learn how to create your first collaborative organization (CO) and begin using +the platform. + +* To stop the services: +``` +docker stack rm comanage-registry +``` diff --git a/docs/openldap-slapd.md b/docs/openldap-slapd.md deleted file mode 100644 index 3c488b9..0000000 --- a/docs/openldap-slapd.md +++ /dev/null 
@@ -1,148 +0,0 @@ - - -# COmanage Registry Docker -## With Basic Authentication, PostgreSQL, and OpenLDAP slapd - -* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version -of COmanage Registry you want to deploy. See the -[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) -wiki page for the list of releases. We recommend using the latest release. - -Here is an example (but please check the wiki page for the latest release number): - -``` -export COMANAGE_REGISTRY_VERSION=3.1.1 -``` - -* Build a local image for COmanage Registry if you have not already: - -``` -pushd comanage-registry-basic-auth -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-basic-auth . -popd -``` - -* Build a local image of PostgreSQL for COmanage Registry if you have not already: -``` -pushd comanage-registry-postgres -docker build -t comanage-registry-postgres . -popd -``` - -* Build a local image of OpenLDAP slapd for COmanage Registry if you - have not already: - -``` -pushd comanage-registry-slapd -docker build -t comanage-registry-slapd . 
-popd -``` - -* Create directories to persist the relational database, COmanage Registry -local configuration, OpenLDAP slapd directory data, and slapd -configuration: -``` -mkdir -p /docker/var/lib/postgresql/data -mkdir -p /docker/srv/comanage-registry/local -mkdir -p /docker/var/lib/ldap -mkdir -p /docker/etc/ldap/slapd.d -``` - -* Create a template docker-compose.yml file that mounts the directories you created -as volumes in the database container: -``` -version: '3.1' - -services: - - comanage-registry-database: - image: comanage-registry-postgres - volumes: - - /docker/var/lib/postgresql/data:/var/lib/postgresql/data - - comanage-registry-ldap: - image: comanage-registry-slapd - volumes: - - /docker/var/lib/ldap:/var/lib/ldap - - /docker/etc/ldap/slapd.d:/etc/ldap/slapd.d - ports: - - "389:389" - - comanage-registry: - image: comanage-registry:COMANAGE_REGISTRY_VERSION-basic-auth - volumes: - - /docker/srv/comanage-registry/local:/srv/comanage-registry/local - ports: - - "80:80" - - "443:443" -``` - -* Use sed to set the COmanage Registry version for the image in the -docker-compose.yml file: - -``` -sed -i s/COMANAGE_REGISTRY_VERSION/$COMANAGE_REGISTRY_VERSION/ docker-compose.yml -``` - -* Start the services: -``` -docker-compose up -d -``` - -* Browse to port 443 on the host, for example `https://localhost/` - -* Click `Login` and when prompted enter `registry.admin` as the username and `password` -for the password. - -See [Advanced Configuration](./advanced-configuration.md) -for details on setting a non-default administrator username and password. - -* The default suffix for the LDAP directory is `dc=my,dc=org`. The - default directory administrator DN is `cn=admin,dc=my,dc=org`. The - default password for the default administrator DN is `password`. - See [Advanced Configuration](docs/advanced-configuration.md) for - details on how to configure the suffix, administrator DN, and - password. 
- -* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage) -for details on configuring the COmanage Registry LDAP Provisioner. - -* To stop the services: -``` -docker-compose stop -``` - -* To remove the containers and networks: -``` -docker-compose down -``` - -Even though the containers have been removed the data is persisted. You may -bring up the services again and resume where you left off. - -### Important Notes -The instructions above are *not suitable for a production deployment* -because the deployed services use default and easily guessed passwords. - -See [Advanced Configuration](./advanced-configuration.md) for -details on setting non-default passwords. diff --git a/docs/openldap-volumes-and-data-persistence.md b/docs/openldap-volumes-and-data-persistence.md new file mode 100644 index 0000000..dcd4d0b --- /dev/null +++ b/docs/openldap-volumes-and-data-persistence.md 
@@ -0,0 +1,76 @@ + + +# OpenLDAP slapd for COmanage Registry Volumes and Data Persistence + +The OpenLDAP for COmanage Registry image *requires* two persistent directories into which +state files will be written. + +*The persistent directories must be provided either using Docker volumes +or bind mounts.* + +Note that when the image is only used as an LDAP proxy the persistent directories +are not strictly necessary, provided all necessary configuration is injected +at run time. + +The paths for the directories inside the container that must be mounted +are + +``` +/var/lib/ldap +``` + +and + +``` +/etc/ldap/slapd.d +``` + +For example to use bind mounts from the local Docker engine host: + +``` +sudo mkdir -p /opt/docker/var/lib/ldap +sudo mkdir -p /opt/docker/etc/ldap/slapd.d +``` + +and then when instantiating the container + +``` +docker run -d \ + --name comanage-registry-ldap \ + -v /opt/docker/var/lib/ldap:/var/lib/ldap \ + -v /opt/docker/etc/ldap/slapd.d:/etc/ldap/slapd.d \ + -p 389:389 \ + -p 636:636 \ + comanage-registry-slapd:2 +``` + +After the image is instantiated into a container for the first time +the entrypoint script will create the necessary base configuration, +schema, and LMBD files for storing directory state, and bootstrap the directory +using the values for the suffix, root DN, and root DN password +injected at runtime using environment variables. + +*After the first instantiation of the container later restarts will not overwrite +the suffix, root DN, and root DN password even if the +values for the environment variables change*. + + diff --git a/docs/shibboleth-sp-mariadb.md b/docs/shibboleth-sp-mariadb.md new file mode 100644 index 0000000..d4ae348 --- /dev/null +++ b/docs/shibboleth-sp-mariadb.md 
@@ -0,0 +1,298 @@ + + +# COmanage Registry with Shibboleth SP and MariaDB + +Follow these steps to build and run COmanage Registry +using the Shibboleth SP for authentication and MariaDB +as the relational database. + +* Install Docker. These instructions require version 17.05 or higher. + +* Clone this repository: + +``` +git clone https://github.com/Internet2/comanage-registry-docker.git +cd comanage-registry-docker +``` + +* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version +of COmanage Registry you want to deploy. See the +[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) +wiki page for the list of releases. We recommend using the latest release. + +Here is an example (but please check the wiki page for the latest release number): + +``` +export COMANAGE_REGISTRY_VERSION=3.2.1 +``` + +* Define the shell variable `COMANAGE_REGISTRY_BASE_IMAGE_VERSION` to be the +version of the base image you are about to build: + +``` +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +``` + +* Build the base COmanage Registry image: + +``` +pushd comanage-registry-base +TAG="${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + -t comanage-registry-base:${TAG} . +popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION` +to be the version of the base Shibboleth SP image you are about to build: + +``` +export COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=1 +``` + +* Build the base Shibboleth SP image: + +``` +pushd comanage-registry-shibboleth-sp-base +TAG="${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-shibboleth-sp-base:$TAG . 
+popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION` +to be the version of the image you are about to build: + +``` +export COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION=1 +``` + +* Build an image for COmanage Registry that uses the Shibboleth SP +for authentication: + +``` +pushd comanage-registry-shibboleth-sp +TAG="${COMANAGE_REGISTRY_VERSION}-shibboleth-sp-${COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + --build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +popd +``` + +* Initialize the Docker Swarm: + +``` +docker swarm init +``` + +* Create secrets for the database root password, the COmanage Registry database +password, the HTTPS certificate (and CA signing chain) and private key files, +and the Shibboleth SP encryption certificate and private key files (be sure +to choose your own values and do not use the examples below): + +``` +echo "jPkrc3TUijfmT3vi1ZKw" | docker secret create mariadb_root_password - + +echo "ayFjKFHTre74A0k8k1mq" | docker secret create mariadb_password - + +echo "ayFjKFHTre74A0k8k1mq" | docker secret create comanage_registry_database_user_password - + +docker secret create https_cert_file fullchain.cert.pem + +docker secret create https_privkey_file privkey.pem + +docker secret create shibboleth_sp_encrypt_cert sp-encrypt-cert.pem + +docker secret create shibboleth_sp_encrypt_privkey sp-encrypt-key.pem +``` + +* Create directories on the Docker engine host(s) for state files +and other files including the Shibboleth SP configuration files: + +``` +sudo mkdir -p /srv/docker/var/lib/mysql +sudo mkdir -p /srv/docker/srv/comanage-registry/local +sudo mkdir -p /srv/docker/etc/shibboleth +``` + +* Copy Shibboleth SP configuration 
files into place to be mounted +into the running container. Your Shibboleth SP configuration should +result in the primary identifier attribute you expect to be asserted by the SAML +IdP(s) to populate `REMOTE_USER` so that it can be read by COmanage Registry. +A common choice is to populate `REMOTE_USER` with eduPersonPrincipalName, but +the details will depend on your SAML federation choices. + + +``` +cp shibboleth2.xml /srv/docker/etc/shibboleth/ +cp attribute-map.xml /srv/docker/etc/shibboleth/ +cp saml-metadata.xml /src/docker/etc/shibboleth/ +``` + +* Define shell variables for the first COmanage Registry platform + administrator, for example: + +``` +export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel +export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak +export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org +``` + +The username should be the value you expect to be asserted by the +SAML IdP for the first platform administrator. The Shibboleth SP +configuration should be such that the value is populated into +`REMOTE_USER` where it will be read when the first platform +administrator logs into COmanage Registry. + +* Define a shell variable with the fully-qualified domain name for +the virtual host from which COmanage Registry will be served. 
For +example + +``` +export COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=registry.my.org +``` + +* Create a Docker Swarm services stack description (compose) file in YAML format: + +``` +version: '3.1' + +services: + + comanage-registry-database: + image: mariadb:10.2 + volumes: + - /srv/docker/var/lib/mysql:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mariadb_root_password + - MYSQL_DATABASE=registry + - MYSQL_USER=registry_user + - MYSQL_PASSWORD_FILE=/run/secrets/mariadb_password + secrets: + - mariadb_root_password + - mariadb_password + networks: + - default + deploy: + replicas: 1 + + comanage-registry: + image: comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp-${COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION} + volumes: + - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local + - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml + - /srv/docker/etc/shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml + - /srv/docker/etc/shibboleth/saml-metadata.xml:/etc/shibboleth/saml-metadata.xml + environment: + - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} + - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} + - COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} + - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql + - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_registry_database_user_password + - COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN} + - HTTPS_CERT_FILE=/run/secrets/https_cert_file + - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file + - SHIBBOLETH_SP_ENCRYPT_CERT=/run/secrets/shibboleth_sp_encrypt_cert + - SHIBBOLETH_SP_ENCRYPT_PRIVKEY=/run/secrets/shibboleth_sp_encrypt_privkey + secrets: + - comanage_registry_database_user_password + - https_cert_file + - https_privkey_file + - shibboleth_sp_encrypt_cert + - shibboleth_sp_encrypt_privkey + networks: + - default + 
ports: + - "80:80" + - "443:443" + deploy: + replicas: 1 + +secrets: + comanage_registry_database_user_password: + external: true + mariadb_root_password + external: true + mariadb_password + external: true + shibboleth_sp_encrypt_cert: + external: true + shibboleth_sp_encrypt_privkey: + external: true + https_cert_file: + external: true + https_privkey_file: + external: true +``` + +* Deploy the COmanage Registry service stack: + +``` +docker stack deploy --compose-file comanage-registry-stack.yml comanage-registry +``` + +Since this is the first initialization of the containers it will take some +time for the database tables to be created. The Apache HTTP Server and +Shibboleth SP daemons will not be started until the entrypoint scripts +detect that the database has been initialized. + +You may monitor the progress of the database container using + +``` +docker service logs -f comanage-registry-database +``` + +and the progress of the COmanage Registry container using + +``` +docker service logs -f comanage-registry +``` + +* After the Apache HTTP Server has started browse to port 443 on the host. + +* Click `Login` to initiate a SAML authentication flow. After authenticating at + the SAML IdP the Shibboleth SP should consume the SAML assertion and populate + `REMOTE_USER` with the value for the username for the first platform + administrator. + +* During the first instantiation of the COmanage Registry service the entrypoint +script will have created the template file + +``` +Config/email.php +``` + +in the directory `/srv/docker/srv/comanage-registry/local` on the Docker engine +host. Edit that file to configure how COmanage Registry should connect to an +SMTP server to send outgoing email. + +* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO) +to learn how to create your first collaborative organization (CO) and begin using +the platform. + +* To stop the services: +``` +docker stack rm comanage-registry +``` 
diff --git a/docs/shibboleth-sp-postgres-compose.md b/docs/shibboleth-sp-postgres-compose.md deleted file mode 100644 index 238a822..0000000 --- a/docs/shibboleth-sp-postgres-compose.md +++ /dev/null 
@@ -1,259 +0,0 @@ - - -# COmanage Registry Docker for Production with Shibboleth SP and PostgreSQL using docker-compose - -Follow this recipe as an example production deployment of COmanage Registry -with the Shibboleth SP for authentication, a PostgreSQL database, and -an OpenLDAP slapd directory server. - -This recipe uses docker-compose rather than Docker service stacks. Version -1.13.0 or higher of docker-compose is required: - -``` -$ docker-compose --version -docker-compose version 1.13.0, build 1719ceb -``` - -## Recipe - -* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version -of COmanage Registry you want to deploy. See the -[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) -wiki page for the list of releases. We recommend using the latest release. - -Here is an example (but please check the wiki page for the latest release number): - -``` -export COMANAGE_REGISTRY_VERSION=3.1.1 -``` - -* Build a local image for COmanage Registry if you have not already (building the - Shibboleth SP from source takes time): - -``` -pushd comanage-registry-shibboleth-sp -sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile -docker build -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp . -popd -``` - -* Build a local image of PostgreSQL for COmanage Registry if you have not already: - -``` -pushd comanage-registry-postgres -docker build -t comanage-registry-postgres . -popd -``` - -* Build a local image of OpenLDAP slapd for COmanage Registry if you have not already: - -``` -pushd comanage-registry-slapd -docker build -t comanage-registry-slapd . 
-popd -``` - -* Create directories to persist the relational database, COmanage Registry -local configuration, slapd configuration, slapd directory data, and to -hold secrets and other injected details: -``` -mkdir -p /docker/var/lib/postgresql/data -mkdir -p /docker/srv/comanage-registry/local -mkdir -p /docker/var/lib/ldap -mkdir -p /docker/etc/ldap/slapd.d -mkdir -p /docker/run/secrets -``` - -Below we create and store secrets in files using simple commands but you -could use any configuration management or deployment orchestration tool -you like such as Puppet, Chef, Ansible, Salt, or whichever tool is your -favorite. Be sure to create your own secrets and do not reuse the examples -below. - -Create a file with the password for the postgres user (that is, the -equivalent of a "root" password for the database): - -``` -echo 'xyt8Op3BCwdI5ETcVfQM' \ - > /docker/run/secrets/postgres_password -``` - -Create a file with the password for the COmanage Registry database user: - -``` -echo 'DqiMMWjzVOotAHX8WL9J' \ - > /docker/run/secrets/comanage_registry_postgres_user_password -``` - -Use the slappasswd tool (package `slapd` on Debian) to create a strong hash for a strong -password for the directory root DN: - -``` -slappasswd -c '$6$rounds=5000$%.86s' -``` - -Store the hash in a file: - -``` -echo '{CRYPT}$6$rounds=5000$kER6wkUF91t4.r79$7OLbtO0qF9K9tQlVJAxpWFem.0KmnyWn1/1K0sVSEQELRuj87sc7GtJT7HpWBr8JfZHlbsG9ifrqN6EmJchQ8/' \ - > /docker/run/secrets/olc_root_pw -``` - -Put the X.509 certificate, private key, and chain files in place for slapd: - -``` -cp cert.pem /docker/run/secrets/slapd_cert_file -cp privkey.pem /docker/run/secrets/slapd_privkey_file -cp chain.pem /docker/run/secrets/slapd_chain_file -``` - -Put the X.509 certificate and private key files in place -for Apache HTTP Server for HTTPS. 
The certificate file should -include the server certificate and any intermediate CA signing -certificates sorted from leaf to root: - -``` -cp cert.pem /docker/run/secrets/https_cert_file -cp privkey.pem /docker/run/secrets/https_privkey_file -``` - -Put the Shibboleth SP SAML certificate and key files in place: - -``` -cp sp-cert.pem /docker/run/secrets/shibboleth_sp_cert_file -cp sp-key.pem /docker/run/secrets/shibboleth_sp_privkey_file -``` - -Create a file with the Shibboleth SP metadata configuration. This example -creates an XML comment which allows the Shibboleth daemon shibd to start, -but for a production scenario you will want to create a file with any -valid `` configuration. See the Shibboleth SP documentation -for details. - -``` -echo '' \ - > /docker/run/secrets/shibboleth_sp_metadata_provider_xml -``` - -* Create a template docker-compose.yml by adjusting the example below: - -``` -version: '3.1' - -services: - - comanage-registry-database: - image: comanage-registry-postgres - volumes: - - /docker/var/lib/postgresql/data:/var/lib/postgresql/data - - /docker/run/secrets:/run/secrets - environment: - - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password - - COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD_FILE=/run/secrets/comanage_registry_postgres_user_password - - comanage-registry-ldap: - image: comanage-registry-slapd - volumes: - - /docker/var/lib/ldap:/var/lib/ldap - - /docker/etc/ldap/slapd.d:/etc/ldap/slapd.d - - /docker/run/secrets:/run/secrets - environment: - - SLAPD_CERT_FILE=/run/secrets/slapd_cert_file - - SLAPD_PRIVKEY_FILE=/run/secrets/slapd_privkey_file - - SLAPD_CHAIN_FILE=/run/secrets/slapd_chain_file - - OLC_ROOT_PW_FILE=/run/secrets/olc_root_pw - - OLC_SUFFIX=dc=my,dc=org - - OLC_ROOT_DN=cn=admin,dc=my,dc=org - ports: - - "636:636" - - "389:389" - - comanage-registry: - image: comanage-registry:COMANAGE_REGISTRY_VERSION-shibboleth-sp - volumes: - - /docker/srv/comanage-registry/local:/srv/comanage-registry/local - - 
/docker/run/secrets:/run/secrets - environment: - - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel - - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak - - COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org - - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_registry_postgres_user_password - - SHIBBOLETH_SP_ENTITY_ID=https://my.org/shibboleth - - SHIBBOLETH_SP_CERT=/run/secrets/shibboleth_sp_cert_file - - SHIBBOLETH_SP_PRIVKEY=/run/secrets/shibboleth_sp_privkey_file - - SHIBBOLETH_SP_SAMLDS_URL=https://my.org/registry/pages/eds/index - - SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/run/secrets/shibboleth_sp_metadata_provider_xml - - HTTPS_CERT_FILE=/run/secrets/https_cert_file - - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - ports: - - "80:80" - - "443:443" -``` - -Note especially the value for `COMANAGE_REGISTRY_ADMIN_USERNAME`. -This is the value that the Shibboleth SP expects to consume in a SAML -assertion from the IdP that authenticates the first platform administrator. -By default the Shibboleth SP will expect to consume that identifier -from the eduPersonPrincipalName attribute asserted for the admin by the IdP. - -* Use sed to set the COmanage Registry version for the image in the -docker-compose.yml file: - -``` -sed -i s/COMANAGE_REGISTRY_VERSION/$COMANAGE_REGISTRY_VERSION/ docker-compose.yml -``` - -Bring up the services using docker-compose: - -``` -docker-compose up -d -``` - -COmanage Registry will be exposed on port 443 (HTTP). Use a web browser -to browse, for example, to - -``` -https://localhost/registry/ -``` - -If you have properly federated the Shibboleth SP with the IdP that the -first platform administrator will use you can click on "Login" and be -redirected to the IdP for authentication. - -Production deployments need to send email, usually using an authenticated -account on a SMTP server. 
You may configure the details for your SMTP server -by editing the file `email.php` that the entrypoint script automatically -creates in `/docker/srv/comanage-registry/local/Config`. - -To stop the services run - -``` -docker-compose stop -``` - -To remove the containers run - -``` -docker-compose down -``` - diff --git a/docs/shibboleth-sp-postgresql.md b/docs/shibboleth-sp-postgresql.md new file mode 100644 index 0000000..1ce4b20 --- /dev/null +++ b/docs/shibboleth-sp-postgresql.md 
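Review bot: the whole secrets directory is bind-mounted into every service (`- /docker/run/secrets:/run/secrets` appears under `comanage-registry-database`, `comanage-registry-ldap` and `comanage-registry`), so the database container can read the HTTPS and Shibboleth SP private keys and the slapd container can read both PostgreSQL passwords; mount only the files each service needs, or keep a separate host directory per service. The `echo '...' > /docker/run/secrets/...` commands also create the files with the shell's default umask, so prefix the step with `umask 077` (or `chmod 600` the files afterwards), and since `echo` appends a trailing newline, either write them with `printf '%s'` or state that the entrypoint scripts strip it. Two smaller points: "COmanage Registry will be exposed on port 443 (HTTP)" should read HTTPS, and publishing `"389:389"` next to `"636:636"` makes cleartext LDAP reachable on every interface of the host; drop 389 or publish it as `"127.0.0.1:389:389"`.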
@@ -0,0 +1,313 @@ + + +# COmanage Registry with Shibboleth SP and PostgreSQL + +Follow these steps to build and run COmanage Registry +using the Shibboleth SP for authentication and PostgreSQL +as the relational database. + +* Install Docker. These instructions require version 17.05 or higher. + +* Clone this repository: + +``` +git clone https://github.com/Internet2/comanage-registry-docker.git +cd comanage-registry-docker +``` + +* Define the shell variable `COMANAGE_REGISTRY_VERSION` to be the version +of COmanage Registry you want to deploy. See the +[COmanage Registry Release History](https://spaces.internet2.edu/display/COmanage/Release+History) +wiki page for the list of releases. We recommend using the latest release. + +Here is an example (but please check the wiki page for the latest release number): + +``` +export COMANAGE_REGISTRY_VERSION=3.2.1 +``` + +* Define the shell variable `COMANAGE_REGISTRY_BASE_IMAGE_VERSION` to be the +version of the base image you are about to build: + +``` +export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1 +``` + +* Build the base COmanage Registry image: + +``` +pushd comanage-registry-base +TAG="${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + -t comanage-registry-base:${TAG} . +popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION` +to be the version of the base Shibboleth SP image you are about to build: + +``` +export COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=1 +``` + +* Build the base Shibboleth SP image: + +``` +pushd comanage-registry-shibboleth-sp-base +TAG="${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION}" +docker build \ + -t comanage-registry-shibboleth-sp-base:$TAG . 
+popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION` +to be the version of the image you are about to build: + +``` +export COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION=1 +``` + +* Build an image for COmanage Registry that uses the Shibboleth SP +for authentication: + +``` +pushd comanage-registry-shibboleth-sp +TAG="${COMANAGE_REGISTRY_VERSION}-shibboleth-sp-${COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION}" +docker build \ + --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \ + --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \ + --build-arg COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION} \ + -t comanage-registry:$TAG . +popd +``` + +* Define the shell variable `COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION` +to be the version of the image you are about to build: + +``` +export COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION=1 +``` + +* Build an image for PostgreSQL for COmanage Registry: + +``` +pushd comanage-registry-postgres +TAG="${COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION}" +docker build \ + -t comanage-registry-postgres:${TAG} . 
+popd +``` + +* Initialize the Docker Swarm: + +``` +docker swarm init +``` + +* Create secrets for the database root password, the COmanage Registry database +password, the HTTPS certificate (and CA signing chain) and private key files, +and the Shibboleth SP encryption certificate and private key files (be sure +to choose your own values and do not use the examples below): + +``` +echo "jPkrc3TUijfmT3vi1ZKw" | docker secret create postgres_password - + +echo "ayFjKFHTre74A0k8k1mq" | docker secret create comanage_registry_postgres_user_password - + +echo "ayFjKFHTre74A0k8k1mq" | docker secret create comanage_registry_database_user_password - + +docker secret create https_cert_file fullchain.cert.pem + +docker secret create https_privkey_file privkey.pem + +docker secret create shibboleth_sp_encrypt_cert sp-encrypt-cert.pem + +docker secret create shibboleth_sp_encrypt_privkey sp-encrypt-key.pem +``` + +* Create directories on the Docker engine host(s) for state files +and other files including the Shibboleth SP configuration files: + +``` +sudo mkdir -p /srv/docker/var/lib/postgresql/data +sudo mkdir -p /srv/docker/srv/comanage-registry/local +sudo mkdir -p /srv/docker/etc/shibboleth +``` + +* Copy Shibboleth SP configuration files into place to be mounted +into the running container. Your Shibboleth SP configuration should +result in the primary identifier attribute you expect to be asserted by the SAML +IdP(s) to populate `REMOTE_USER` so that it can be read by COmanage Registry. +A common choice is to populate `REMOTE_USER` with eduPersonPrincipalName, but +the details will depend on your SAML federation choices. 
+ + +``` +cp shibboleth2.xml /srv/docker/etc/shibboleth/ +cp attribute-map.xml /srv/docker/etc/shibboleth/ +cp saml-metadata.xml /src/docker/etc/shibboleth/ +``` + +* Define shell variables for the first COmanage Registry platform + administrator, for example: + +``` +export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel +export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak +export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org +``` + +The username should be the value you expect to be asserted by the +SAML IdP for the first platform administrator. The Shibboleth SP +configuration should be such that the value is populated into +`REMOTE_USER` where it will be read when the first platform +administrator logs into COmanage Registry. + +* Define a shell variable with the fully-qualified domain name for +the virtual host from which COmanage Registry will be served. For +example + +``` +export COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=registry.my.org +``` + +* Create a Docker Swarm services stack description (compose) file in YAML format: + +``` +version: '3.1' + +services: + + comanage-registry-database: + image: comanage-registry-postgres:${COMANAGE_REGISTRY_POSTGRES_IMAGE_VERSION} + volumes: + - /srv/docker/var/lib/postgresql/data:/var/lib/postgresql/data + environment: + - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password + - COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD_FILE=/run/secrets/comanage_registry_postgres_user_password + secrets: + - postgres_password + - comanage_registry_postgres_user_password + networks: + - default + deploy: + replicas: 1 + + comanage-registry: + image: comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp-${COMANAGE_REGISTRY_SHIBBOLETH_SP_IMAGE_VERSION} + volumes: + - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local + - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml + - /srv/docker/etc/shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml + - 
/srv/docker/etc/shibboleth/saml-metadata.xml:/etc/shibboleth/saml-metadata.xml + environment: + - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} + - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} + - COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} + - COMANAGE_REGISTRY_DATASOURCE=Database/Postgres + - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_registry_database_user_password + - COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN} + - HTTPS_CERT_FILE=/run/secrets/https_cert_file + - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file + - SHIBBOLETH_SP_ENCRYPT_CERT=/run/secrets/shibboleth_sp_encrypt_cert + - SHIBBOLETH_SP_ENCRYPT_PRIVKEY=/run/secrets/shibboleth_sp_encrypt_privkey + secrets: + - comanage_registry_database_user_password + - https_cert_file + - https_privkey_file + - shibboleth_sp_encrypt_cert + - shibboleth_sp_encrypt_privkey + networks: + - default + ports: + - "80:80" + - "443:443" + deploy: + replicas: 1 + +secrets: + comanage_registry_database_user_password: + external: true + comanage_registry_postgres_user_password: + external: true + postgres_password: + external: true + shibboleth_sp_encrypt_cert: + external: true + shibboleth_sp_encrypt_privkey: + external: true + https_cert_file: + external: true + https_privkey_file: + external: true +``` + +* Deploy the COmanage Registry service stack: + +``` +docker stack deploy --compose-file comanage-registry-stack.yml comanage-registry +``` + +Since this is the first initialization of the containers it will take some +time for the database tables to be created. The Apache HTTP Server and +Shibboleth SP daemons will not be started until the entrypoint scripts +detect that the database has been initialized. 
+ +You may monitor the progress of the database container using + +``` +docker service logs -f comanage-registry-database +``` + +and the progress of the COmanage Registry container using + +``` +docker service logs -f comanage-registry +``` + +* After the Apache HTTP Server has started browse to port 443 on the host. + +* Click `Login` to initiate a SAML authentication flow. After authenticating at + the SAML IdP the Shibboleth SP should consume the SAML assertion and populate + `REMOTE_USER` with the value for the username for the first platform + administrator. + +* During the first instantiation of the COmanage Registry service the entrypoint +script will have created the template file + +``` +Config/email.php +``` + +in the directory `/srv/docker/srv/comanage-registry/local` on the Docker engine +host. Edit that file to configure how COmanage Registry should connect to an +SMTP server to send outgoing email. + +* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Setting+Up+Your+First+CO) +to learn how to create your first collaborative organization (CO) and begin using +the platform. + +* To stop the services: +``` +docker stack rm comanage-registry +``` diff --git a/docs/slapd-common-environment-variables.md b/docs/slapd-common-environment-variables.md new file mode 100644 index 0000000..e3256dc --- /dev/null +++ b/docs/slapd-common-environment-variables.md 
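Review bot: `cp saml-metadata.xml /src/docker/etc/shibboleth/` in the "Copy Shibboleth SP configuration files" step uses `/src` where the preceding `mkdir -p /srv/docker/etc/shibboleth` and the stack file use `/srv`; as written the copy does not land where `- /srv/docker/etc/shibboleth/saml-metadata.xml:/etc/shibboleth/saml-metadata.xml` expects it, so the bind mount has no valid source and the SP has no IdP metadata. In the `docker secret create` step, `comanage_registry_postgres_user_password` and `comanage_registry_database_user_password` are created as two independent secrets that merely happen to contain the same string (`ayFjKFHTre74A0k8k1mq`); say explicitly that they must hold the same value, since the postgres image uses the first to create the registry database user and the registry image uses the second to connect, and an operator who generates two fresh values gets a registry that cannot reach its database. Piping the passwords in with `echo "..." |` also leaves them in shell history; reading them from a `0600` file (`docker secret create name ./file`) avoids that.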
@@ -0,0 +1,122 @@ + + +# Environment Variables Common to All slapd Images + +The environment variables detailed below apply to all OpenLDAP slapd for +COmanage Registry images in this repository. + +## Using Files to Inject Secrets + +The COmanage Registry images support the convention of an associated +environment variable ending with ```_FILE``` to indicate a path +relative to the container from which the value for an environment +variable should be read. + +For example if the environment variable ```OLC_ROOT_DN_PASSWORD_FILE``` +exists and its value is the path to a readable file, then the contents of the +file will be read into the environment variable ```OLC_ROOT_DN_PASSWORD```. + +If both an environment variable and the associated ```_FILE``` environment variable +are defined the associated ```_FILE``` environment variable takes precedence, +provided that the file it points to exists and is readable. + +## Environment Variables + +``` +OLC_ROOT_DN +``` + +* Description: DN for the directory root user +* Required: yes +* Default: cn=admin,dc=my,dc=org +* Example: cn=directoryAdministrator,dc=some,dc=university,dc=org +* Note: \[[1](#note01)\] + +``` +OLC_ROOT_DN_PASSWORD +``` + +* Description: Unhashed password for the root DN used by the entrypoint script to execute + any injected LDIF as the root DN user +* Required: no +* Default: none +* Example: KaVJ1FIH5IrRr6R5LElX +* Note: The environment variable `OLC_ROOT_DN` is used to set the hashed password for the root +DN during the bootstrapping of the directory. This environment variable is used to inject +the unhashed password so that the entrypoint script can execute injected LDIF as the root DN +user. If no LDIF is injected that needs to be executed as the root DN than this environment +variable is not necessary. 
+ + +``` +OLC_ROOT_PW +``` + +* Description: Password (usually hashed) for the root DN +* Required: yes +* Default: password +* Example: {SSHA}emcy1JA+mxbHH0PMPcnasE9apBStAMks +* Note: See the [slappasswd OpenLDAP password utility](https://linux.die.net/man/8/slappasswd) for details on how to + create a hashed password value. See also \[[1](#note01)\]. + +``` +OLC_SUFFIX +``` + +* Description: Suffix for the directory +* Required: yes +* Default: dc=my,dc=org +* Example: dc=some,dc=university,dc=edu +* Note: \[[1](#note01)\] + +``` +SLAPD_CERT_FILE +``` + +* Description: Path inside the container to an X.509 certificate to use for TLS +* Required: no +* Default: none +* Example: /run/secrets/slapd_cert_file + +``` +SLAPD_CHAIN_FILE +``` + +* Description: Path inside the container to the certificate authority signing certificate corresponding to the X.509 + certificate to use for TLS +* Required: no +* Default: none +* Example: /run/secrets/slapd_chain_file + +``` +SLAPD_PRIVKEY_FILE +``` + +* Description: Path inside the container to the private key associated with the X.509 certificate for TLS +* Required: no +* Default: none +* Example: /run/secrets/slapd_privkey_file + + +\[1\]: The environment variable is read the first time the container is +started and used to bootstrap the directory. Later changes to the environment +variable are *not* reflected in the directory state. diff --git a/docs/slapd-ldif.md b/docs/slapd-ldif.md new file mode 100644 index 0000000..f24a0b5 --- /dev/null +++ b/docs/slapd-ldif.md 
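Review bot: the note under `OLC_ROOT_DN_PASSWORD` says "The environment variable `OLC_ROOT_DN` is used to set the hashed password for the root DN", but the hashed value is carried by `OLC_ROOT_PW` (documented immediately below); `OLC_ROOT_DN` is the DN itself. Same paragraph: "than this environment variable is not necessary" should be "then". More important, `OLC_ROOT_PW` is listed as "Required: yes" together with "Default: password": a required variable should have no default, and a default of `password` for the directory root credential is a footgun in combination with footnote [1] (the value is baked into the directory at first start and later changes are ignored). Suggest the entrypoint refuse to bootstrap when `OLC_ROOT_PW` is unset, or at minimum that the doc mark the default as for local testing only. The "Password (usually hashed)" wording also implies a cleartext value is accepted and stored verbatim in `olcRootPW`; state that a `{SSHA}` or `{CRYPT}` hash from `slappasswd` should always be supplied.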
@@ -0,0 +1,78 @@ + +## Executing LDIF Files + +The entrypoint script for the slapd images will use the `ldapmodify` command to execute LDIF files +with a `.ldif` extension found under the path `/ldif/` inside the container. +More specifically: + +* Files found under `/ldif/admin/` will be executed using simple authentication +as the directory root user and the unhashed directory root user password injected using +the environment variable `OLC_ROOT_PASSWORD` in order to affect the directory, such +as bootstrapping a tree structure or adding system accounts. + +* Files found under `/ldif/admin/first/` will be executed as above but only +during the first bootstrap or startup of the container and not on subsequent +startup. + +* Files found under `/ldif/config/` will be executed using SASL authentication as +the container root user in order to affect slapd configuration, such as adjusting +access control and configuring modules. + +* Files found under `/ldif/config/first/` will be executed as above but only +during the first bootstrap or startup of the container and not on subsequent +startup. + +Any variables of the form `%%.+%%` in the LDIF will be substituted with the +value from an injected environment variable without the `%%` characters. The +`_FILE` convention is respected. 
For example if the LDIF file contains + +``` +dn: uid=syncrepl,o=system,dc=my,dc=org +changetype: add +uid: syncrepl +ou: system +description: special account for SyncRepl +objectClass: account +objectClass: simpleSecurityObject +userPassword: %%SYNCREPL_USER_PASSWORD_HASH_FILE%% +``` + +and the environment variable `SYNCREPL_USER_PASSWORD_HASH_FILE` is defined +and points to the file `/var/run/secrets/syncrepl_user_password_hash` with +contents + +``` +{SSHA}emcy1JA+mxbHH0PMPcnasE9apBStAMks +``` + +then the LDIF executed will be + +``` +dn: uid=syncrepl,o=system,dc=my,dc=org +changetype: add +uid: syncrepl +ou: system +description: special account for SyncRepl +objectClass: account +objectClass: simpleSecurityObject +userPassword: {SSHA}emcy1JA+mxbHH0PMPcnasE9apBStAMks +``` diff --git a/docs/volumes-and-data-persistence.md b/docs/volumes-and-data-persistence.md new file mode 100644 index 0000000..ce32c1f --- /dev/null +++ b/docs/volumes-and-data-persistence.md 
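Review bot: the `/ldif/admin/` bullet says the unhashed root password is injected via `OLC_ROOT_PASSWORD`, but `docs/slapd-common-environment-variables.md` in this same patch documents it as `OLC_ROOT_DN_PASSWORD`; one of the two names is wrong, and an operator following this page would get bind failures from `ldapmodify`. Two points on the `%%.+%%` substitution as specified: `.+` is greedy, so a line holding two placeholders (`%%A%% ... %%B%%`) would be consumed as the single token `A%% ... %%B`; document the pattern as `%%[^%]+%%` or state that only one placeholder per line is supported. And the value is spliced into the LDIF verbatim, so a secret file that ends in a newline or begins with whitespace changes the meaning of the `userPassword:` line; strip the trailing newline before substitution, or show the hash supplied base64-encoded via `userPassword::`. The example path `/var/run/secrets/syncrepl_user_password_hash` also differs from the `/run/secrets/...` convention used elsewhere in these docs.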
@@ -0,0 +1,66 @@ + + +# COmanage Registry Volumes and Data Persistence + +COmanage Registry requires a relational database. See other documentation in +this repository for examples of how to orchestrate a COmanage Registry container +together with an container providing a relational database service, and for details on how +to configure the COmanage Registry container to connect to the database. + +Additionally COmanage Registry *requires* a persistent directory into which +a few files and a specific directory structure needed by COmanage Registry +will be written. + +*The persistent directory must be provided either using a Docker volume +or a bind mount.* + +The directory path inside the container that must be mounted +is `/src/comanage-registry/local`. + +For example to use a bind mount from the local Docker engine host: + +``` +sudo mkdir -p /opt/comanage-registry-local +``` + +and then when instantiating the container + +``` +docker run -d \ + --name comanage-registry \ + -v /opt/comanage-registry-local:/srv/comanage-registry/local \ + -p 80:80 \ + -p 443:443 \ + comanage-registry:3.2.1-shibboleth-sp-1 +``` + +After the image is instantiated into a container for the first time +the entrypoint script will create the necessary directory structure +along with the `database.php`, `email.php`, and other necessary configuration files using +database, email server, and other details found in +[environment variables](./comanage-registry-common-environment-variables.md). + +*After the first instantiation of the container later restarts will not overwrite +database, email, or any other details in the persistent directory, even if the +values for the environment variables change*. + +
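Review bot: "The directory path inside the container that must be mounted is `/src/comanage-registry/local`" has `/src` where the `docker run` example a few lines later uses `-v /opt/comanage-registry-local:/srv/comanage-registry/local`; the correct path is `/srv/comanage-registry/local`. "together with an container" should be "a container". The closing paragraph ("later restarts will not overwrite database, email, or any other details in the persistent directory, even if the values for the environment variables change") has a consequence worth spelling out: rotating the database password by changing `COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE` has no effect after the first start, so the operator must also edit `database.php` in the persistent directory, and because that file then holds the credential in cleartext, the bind-mounted host directory (`/opt/comanage-registry-local` in the example) needs restrictive ownership and mode, not the default created by `sudo mkdir -p`.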