This example demonstrates deploying COmanage Registry using a container that runs the Shibboleth Service Provider (SP) for SAML authentication, with PostgreSQL as the database. The example also runs PostgreSQL in a container, but that is not a requirement.

The instructions use Docker Compose and assume a Linux environment. We recommend not using Docker Desktop and instead installing Docker Engine and the Docker CLI with the Compose plugin ("Scenario two" in the Docker Compose installation documentation).

This example puts secrets (the database passwords, the SMTP account password, and the security salt and seed) directly into the compose file, so anyone who can read that file can read them. We strongly recommend you investigate the various container orchestration systems and their approaches to managing sensitive information.

  1. Create a directory to store database state:

    mkdir -p var/lib/postgresql/data
  2. Create a directory to hold a database initialization script:

    mkdir docker-entrypoint-initdb.d
  3. Create the database initialization script file init-user-db.sh in the directory you just created with the following contents (the postgres image runs scripts in this directory once, when the data directory is first initialized; POSTGRES_USER and POSTGRES_DB fall back to postgres when the compose file does not set them):

    #!/bin/bash
    set -e

    # Create the Registry database role and database using the values the
    # compose file passes into the container environment.
    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
        CREATE USER ${COMANAGE_REGISTRY_DATABASE_USER} PASSWORD '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD}';
        CREATE DATABASE ${COMANAGE_REGISTRY_DATABASE};
        GRANT ALL PRIVILEGES ON DATABASE ${COMANAGE_REGISTRY_DATABASE} TO ${COMANAGE_REGISTRY_DATABASE_USER};
    EOSQL
  4. Create a directory to hold an X.509 certificate and private key for HTTPS. This approach uses the slashRoot mechanism; an alternative is to bind mount or COPY the files into the container or image and point to them with the HTTPS_CERT_FILE and HTTPS_PRIVKEY_FILE environment variables. The chown and chmod leave the private key readable only by the user that serves HTTPS inside the container (UID 33):

    mkdir -p opt/registry/slashRoot/etc/apache2
    cp fullchain.pem opt/registry/slashRoot/etc/apache2/cert.pem
    cp privkey.pem opt/registry/slashRoot/etc/apache2/privkey.pem
    sudo chown 33 opt/registry/slashRoot/etc/apache2/*.pem
    sudo chmod 0600 opt/registry/slashRoot/etc/apache2/privkey.pem
  5. Create a directory to hold the Shibboleth SP configuration files. This approach again uses the slashRoot mechanism; an alternative is to bind mount or COPY the files into the container or image and/or use environment variables to specify Shibboleth SP configuration details. The chown and chmod leave the SP private keys readable only by the user that runs shibd inside the container (UID 999):

    mkdir -p opt/registry/slashRoot/etc/shibboleth
    cp shibboleth2.xml opt/registry/slashRoot/etc/shibboleth/shibboleth2.xml
    cp attribute-map.xml opt/registry/slashRoot/etc/shibboleth/attribute-map.xml
    cp sp-encrypt-cert.pem opt/registry/slashRoot/etc/shibboleth/sp-encrypt-cert.pem
    cp sp-encrypt-key.pem opt/registry/slashRoot/etc/shibboleth/sp-encrypt-key.pem
    cp sp-signing-cert.pem opt/registry/slashRoot/etc/shibboleth/sp-signing-cert.pem
    cp sp-signing-key.pem opt/registry/slashRoot/etc/shibboleth/sp-signing-key.pem
    sudo chown 999 opt/registry/slashRoot/etc/shibboleth/*.pem
    sudo chmod 0600 opt/registry/slashRoot/etc/shibboleth/*-key.pem
  6. Create the Compose YAML file docker-compose.yml with the following contents. Note that the value for COMANAGE_REGISTRY_ADMIN_USERNAME must be the value that your Shibboleth SP configuration writes into the Apache HTTP Server $REMOTE_USER CGI environment variable when the administrator logs in:

    services:
        comanage-registry-database:
            image: postgres:14
            volumes:
                - ${PWD}/var/lib/postgresql/data:/var/lib/postgresql/data
                - ${PWD}/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
            environment:
                - POSTGRES_PASSWORD=aHTVzRj7y4fLrXyYIG97
                - COMANAGE_REGISTRY_DATABASE=registry
                - COMANAGE_REGISTRY_DATABASE_USER=registry_user
                - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=GoHElRGInSwx1mQJlPdw
    
        comanage-registry:
            image: comanageproject/comanage-registry:4.1.2-shibboleth-sp-supervisor-1
            volumes:
                - ${PWD}/opt/registry/slashRoot:/opt/registry/slashRoot
            environment:
                - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Scott
                - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Koranda
                - COMANAGE_REGISTRY_ADMIN_USERNAME=scott.koranda@cilogon.org
                - COMANAGE_REGISTRY_DATASOURCE=Database/Postgres
                - COMANAGE_REGISTRY_DATABASE=registry
                - COMANAGE_REGISTRY_DATABASE_HOST=comanage-registry-database
                - COMANAGE_REGISTRY_DATABASE_USER=registry_user
                - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=GoHElRGInSwx1mQJlPdw
                - COMANAGE_REGISTRY_EMAIL_FROM_EMAIL=registry@example.com
                - COMANAGE_REGISTRY_EMAIL_FROM_NAME=Registry
                - COMANAGE_REGISTRY_EMAIL_TRANSPORT=Smtp
                - COMANAGE_REGISTRY_EMAIL_HOST=tls://smtp.gmail.com
                - COMANAGE_REGISTRY_EMAIL_PORT=465
                - COMANAGE_REGISTRY_EMAIL_ACCOUNT=registry@example.com
                - COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD=Pr3gP6PvaTlxusMMhHEp
                - COMANAGE_REGISTRY_SECURITY_SALT=HH5WyMJIZ81uwHkPWpalUHSt9sAMIKHILDmNX8pI
                - COMANAGE_REGISTRY_SECURITY_SEED=076674830359094113871495332036
                - COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN=registry.example.com
            ports:
                - "80:80"
                - "443:443"
  7. Start the containers:

    docker compose up -d
  8. Wait for the images to be pulled and the containers to start.
  9. Browse to the value you used for COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN.
  10. To stop the containers:

    docker compose down
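A pre-flight check for the files steps 4 and 5 place under the slashRoot directory, meant to run before step 7. This is an added example and not part of the COmanage Registry project or its images; it assumes the directory layout and file names from the steps above and the UIDs the chown commands use (33 for the Apache HTTP Server user, 999 for the shibd user), both of which can be overridden as arguments:

```shell
#!/bin/sh
# Pre-flight check for the slashRoot tree built in steps 4 and 5.
# Added example, not part of the COmanage Registry project. It assumes the
# layout the steps create and the UIDs the steps use: 33 for the Apache
# HTTP Server user and 999 for the shibd user inside the image.

# Print "<owner uid> <octal mode>" for a file; GNU stat first, BSD stat as fallback.
file_owner_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1"
}

# check_file FILE EXPECTED_UID [EXPECTED_MODE]
# Succeeds when FILE exists, is owned by EXPECTED_UID and, if a mode is
# given, has exactly that mode. Prints one line per finding.
check_file() {
    file=$1; want_uid=$2; want_mode=${3:-}
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    set -- $(file_owner_mode "$file")
    uid=$1; mode=$2; rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $file is owned by uid $uid, expected $want_uid"
        rc=1
    fi
    if [ -n "$want_mode" ] && [ "$mode" != "$want_mode" ]; then
        echo "MODE     $file is mode $mode, expected $want_mode"
        rc=1
    fi
    return $rc
}

# check_slashroot ROOT [APACHE_UID] [SHIBD_UID]
# Checks every file steps 4 and 5 place under ROOT. Public certificates and
# XML only need to exist and be owned correctly; private keys must also be
# mode 0600. Succeeds only when no problem was found.
check_slashroot() {
    root=$1; apache_uid=${2:-33}; shibd_uid=${3:-999}; problems=0
    check_file "$root/etc/apache2/cert.pem"    "$apache_uid"     || problems=$((problems + 1))
    check_file "$root/etc/apache2/privkey.pem" "$apache_uid" 600 || problems=$((problems + 1))
    for f in shibboleth2.xml attribute-map.xml; do
        [ -f "$root/etc/shibboleth/$f" ] || { echo "MISSING  $root/etc/shibboleth/$f"; problems=$((problems + 1)); }
    done
    for f in sp-encrypt-cert.pem sp-signing-cert.pem; do
        check_file "$root/etc/shibboleth/$f" "$shibd_uid"     || problems=$((problems + 1))
    done
    for f in sp-encrypt-key.pem sp-signing-key.pem; do
        check_file "$root/etc/shibboleth/$f" "$shibd_uid" 600 || problems=$((problems + 1))
    done
    echo "$problems problem(s) found under $root"
    [ "$problems" -eq 0 ]
}

# Usage: sh check-slashroot.sh opt/registry/slashRoot   (run before docker compose up)
if [ $# -gt 0 ]; then
    check_slashroot "$1"
fi
```

Run it from the same directory as docker-compose.yml, for example `sh check-slashroot.sh opt/registry/slashRoot`. It only verifies what the container will see on the host side (presence, owner and mode); it does not check that the certificates match their keys or that shibboleth2.xml is valid.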