Option 1 - Just run tomcat in container, do web server/authn externally (2.5.28+)
You will start the container as a specific user and group, so establish that uid/gid on the host, outside the container, first. This example just uses an existing user; you can create a dedicated one if you prefer.
grouperContainer $ id
uid=501(mchyzer) gid=20(staff)
In your Dockerfile, change the tomcat user and group inside the container to match that uid/gid, and chown the files tomcat needs to write:
# gid 20 already exists in the container as the unused "games" group, so remove it first
RUN groupdel games
RUN /usr/local/bin/changeUid.sh tomcat 501 \
 && /usr/local/bin/changeGid.sh tomcat 20
# chown is needed if copying files; you don't want them owned by anything other than the tomcat user
RUN chown -R 501:20 /opt/grouper \
 && chown -R 501:20 /opt/tomee
Start the container as that user (a uid, or uid:gid if you want the group explicit) and tell Grouper to start tomcat directly instead of supervisord:
$ docker build -t my-grouper-2.5.28 /Users/mchyzer/grouper/docker/grouperContainer
$ docker run --detach --name grouper-ui -u 501 -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true --publish 8080:8080 my-grouper-2.5.28:latest ui
Check the processes inside the container; everything, including the JVM, runs as tomcat (uid 501):
$ docker exec -it -u 501 grouper-ui /bin/bash
[tomcat@a1c5ce3cb8eb WEB-INF]$ ps -ef
UID PID PPID C STIME TTY TIME CMD
tomcat 1 0 0 18:27 ? 00:00:00 /bin/bash /usr/local/bin/ui
tomcat 8 1 0 18:27 ? 00:00:00 cat
tomcat 10 1 0 18:27 ? 00:00:00 /bin/sh /usr/local/bin/entrypoint.sh ui
tomcat 11 10 0 18:27 ? 00:00:00 cat
tomcat 12 10 0 18:27 ? 00:00:00 awk -v ENV= -v UT= {printf "supervisord;console;%s;%s;%s\n", ENV, UT, $0; fflush()}
tomcat 14 1 0 18:27 ? 00:00:00 /bin/sh /usr/local/bin/entrypoint.sh ui
tomcat 15 14 0 18:27 ? 00:00:00 cat
tomcat 16 14 0 18:27 ? 00:00:00 awk -v ENV= -v UT= {printf "grouper;console;%s;%s;%s\n", ENV, UT, $0; fflush()}
tomcat 28 1 0 18:27 ? 00:00:00 /bin/bash /usr/local/bin/ui
tomcat 29 28 0 18:27 ? 00:00:00 cat
tomcat 30 28 0 18:27 ? 00:00:00 awk -v ENV= -v UT= {printf "tomee;console;%s;%s;%s\n", ENV, UT, $0; fflush()}
tomcat 40 1 99 18:27 ? 00:00:38 /usr/lib/jvm/java-1.8.0-amazon-corretto/bin/java -Dnop -Djava.util.logging.manager=org.apache.logging.log4j.jul.Lo
tomcat 86 0 0 18:27 pts/0 00:00:00 /bin/bash
tomcat 174 86 0 18:28 pts/0 00:00:00 ps -ef
[tomcat@a1c5ce3cb8eb WEB-INF]$ id
uid=501(tomcat) gid=20(tomcat) groups=20(tomcat)
[tomcat@a1c5ce3cb8eb WEB-INF]$
Option 2 - Run all processes as another user with supervisor
This is not really recommended, but it is a way to do it.
The Dockerfile adds a user and group with a fixed uid/gid, chowns the files each daemon writes, and allows apache to listen on privileged ports without being root. Note that this hands the TLS private keys in /etc/pki/tls/private to the same user that runs httpd, shibd and tomee, so a compromise of any of those processes exposes the keys; that is the security issue with this option.
[root@ip-172-30-3-152 grouperContainer]# more Dockerfile
# this matches the version you decided on from release notes
ARG GROUPER_VERSION=2.5.28
FROM i2incommon/grouper:${GROUPER_VERSION}
# this will overlay all the files from /opt/grouperContainer/slashRoot on to /
COPY slashRoot /
# this means run all processes as the user running the container
ENV GROUPER_RUN_PROCESSES_AS_USERS=false
# create the user to use
RUN groupadd -g 834 i2grouper
RUN useradd -u 834 -g i2grouper i2grouper
# we know certain owners need to change
RUN chown -R i2grouper:i2grouper /opt/tier-support
RUN chown -R i2grouper:i2grouper /opt/grouper
RUN chown -R i2grouper:i2grouper /opt/tomee
RUN chown -R i2grouper:i2grouper /var/log/supervisor
RUN chown -R i2grouper:i2grouper /etc/pki/tls/certs
RUN chown -R i2grouper:i2grouper /etc/pki/tls/private
RUN chown -R i2grouper:i2grouper /etc/httpd/conf.d
RUN chown -R i2grouper:i2grouper /run/httpd
RUN chown -R i2grouper:i2grouper /run/supervisor
# search for more files to change ownership. Note: don't search / since it descends into /proc and gives errors. These dirs should be sufficient
RUN find /var -user shibd -exec chown i2grouper:i2grouper {} \;
RUN find /run -user shibd -exec chown i2grouper:i2grouper {} \;
RUN find /etc -user shibd -exec chown i2grouper:i2grouper {} \;
RUN find /opt -user shibd -exec chown i2grouper:i2grouper {} \;
RUN find /var -user apache -exec chown i2grouper:i2grouper {} \;
RUN find /run -user apache -exec chown i2grouper:i2grouper {} \;
RUN find /etc -user apache -exec chown i2grouper:i2grouper {} \;
RUN find /opt -user apache -exec chown i2grouper:i2grouper {} \;
RUN find /var -user tomcat -exec chown i2grouper:i2grouper {} \;
RUN find /run -user tomcat -exec chown i2grouper:i2grouper {} \;
RUN find /etc -user tomcat -exec chown i2grouper:i2grouper {} \;
RUN find /opt -user tomcat -exec chown i2grouper:i2grouper {} \;
# allow apache to listen on privileged ports in container
RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/httpd
Build the container
# docker build -t sub-grouper-2.5.28 /opt/grouperContainer
Create the i2grouper user and group on the host with the same uid/gid
# groupadd -g 834 i2grouper
# useradd -u 834 -g i2grouper i2grouper
Run it; note that TLS on 443 works even though httpd is not root, because of the setcap step in the Dockerfile
# docker run --detach --user i2grouper --mount type=bind,src=/opt/grouperContainer/logs,dst=/opt/grouper/logs --mount type=bind,src=/opt/grouperContainer/slashRoot,dst=/opt/grouper/slashRoot -e SELF_SIGNED_CERT='true' --publish 443:443 --name grouper-ui2 sub-grouper-2.5.28:latest ui
Go in as root and look at the running processes: they all run as i2grouper (ps truncates the name to i2group+), except the root shell used to get in and the ps itself
[root@ip-172-30-3-152 grouperContainer]# docker exec -it --user root grouper-ui2 /bin/bash
[root@4a5c3134f1cd WEB-INF]# ps -ef
UID PID PPID C STIME TTY TIME CMD
i2group+ 1 0 0 07:19 ? 00:00:00 /usr/bin/python /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
i2group+ 17 1 0 07:19 ? 00:00:00 cat
i2group+ 19 1 0 07:19 ? 00:00:00 /bin/bash /usr/local/bin/ui
i2group+ 21 19 0 07:19 ? 00:00:00 cat
i2group+ 22 19 0 07:19 ? 00:00:00 awk -v ENV= -v UT= {printf "grouper;console;%s;%s;%s\n", ENV, UT, $0; fflush()}
i2group+ 23 1 0 07:19 ? 00:00:00 /bin/bash /usr/local/bin/ui
i2group+ 24 23 0 07:19 ? 00:00:00 cat
i2group+ 26 23 0 07:19 ? 00:00:00 awk -v ENV= -v UT= {printf "httpd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}
i2group+ 27 1 0 07:19 ? 00:00:00 /bin/bash /usr/local/bin/ui
i2group+ 29 27 0 07:19 ? 00:00:00 cat
i2group+ 30 27 0 07:19 ? 00:00:00 awk -v ENV= -v UT= {printf "shibd;console;%s;%s;%s", ENV, UT, $0; fflush()}
i2group+ 31 1 0 07:19 ? 00:00:00 /bin/bash /usr/local/bin/ui
i2group+ 33 31 0 07:19 ? 00:00:00 cat
i2group+ 34 31 0 07:19 ? 00:00:00 awk -v ENV= -v UT= {printf "tomee;console;%s;%s;%s\n", ENV, UT, $0; fflush()}
i2group+ 35 1 0 07:19 ? 00:00:00 /bin/bash /usr/local/bin/ui
i2group+ 37 35 0 07:19 ? 00:00:00 cat
i2group+ 38 35 0 07:19 ? 00:00:00 awk -v ENV= -v UT= {printf "supervisord;console;%s;%s;%s\n", ENV, UT, $0; fflush()}
i2group+ 47 1 0 07:19 ? 00:00:00 httpd -DFOREGROUND
i2group+ 48 1 84 07:19 ? 00:00:26 /usr/lib/jvm/java-1.8.0-amazon-corretto/bin/java -Dnop -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager -javaagent:/opt/tomee/lib/openej
i2group+ 49 1 0 07:19 ? 00:00:00 /usr/sbin/shibd -f -F
i2group+ 67 47 0 07:19 ? 00:00:00 httpd -DFOREGROUND
i2group+ 68 47 0 07:19 ? 00:00:00 httpd -DFOREGROUND
i2group+ 70 47 0 07:19 ? 00:00:00 httpd -DFOREGROUND
i2group+ 71 47 0 07:19 ? 00:00:00 httpd -DFOREGROUND
i2group+ 72 47 0 07:19 ? 00:00:00 httpd -DFOREGROUND
root 162 0 1 07:19 pts/0 00:00:00 /bin/bash
root 179 162 0 07:19 pts/0 00:00:00 ps -ef
[root@4a5c3134f1cd WEB-INF]# exit
Try the UI, it works!
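Whichever option you choose, it is worth verifying the result rather than eyeballing ps. The following POSIX shell functions are an added example, not part of the Grouper image, its changeUid.sh/changeGid.sh helpers, or this page: one flags any root-owned daemon in a captured `ps -ef` listing (ignoring the interactive shell you exec'd in with), one lists files under a directory such as /etc/pki/tls/private that are readable by more than their owner, and one finds the Dockerfile lines that chown the private key directory to the application user (the Option 2 security issue). The listings and Dockerfile excerpt embedded below are constructed from the output shown above so the checks run outside Docker; the file paths and helper names are assumptions for this example.

```sh
#!/bin/sh
# Added post-deploy checks for a Grouper container started with --user.
# Not part of the Grouper image or its docs. Assumes POSIX sh plus awk,
# find and grep; everything works on captured text or a local path.

# Constructed sample of `ps -ef` as captured with
# `docker exec -it --user root grouper-ui2 ps -ef` (shape copied from the
# page: only the exec shell and ps itself run as root).
SAMPLE_PS_OK='UID PID PPID C STIME TTY TIME CMD
i2group+ 1 0 0 07:19 ? 00:00:00 /usr/bin/python /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
i2group+ 47 1 0 07:19 ? 00:00:00 httpd -DFOREGROUND
i2group+ 48 1 84 07:19 ? 00:00:26 /usr/lib/jvm/java-1.8.0-amazon-corretto/bin/java -Dnop
i2group+ 49 1 0 07:19 ? 00:00:00 /usr/sbin/shibd -f -F
root 162 0 1 07:19 pts/0 00:00:00 /bin/bash
root 179 162 0 07:19 pts/0 00:00:00 ps -ef'

# Constructed failure case: httpd still running as root, e.g. because the
# setcap step was dropped and someone worked around the bind error.
SAMPLE_PS_BAD='UID PID PPID C STIME TTY TIME CMD
i2group+ 1 0 0 07:19 ? 00:00:00 /usr/bin/python /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
root 47 1 0 07:19 ? 00:00:00 httpd -DFOREGROUND
i2group+ 49 1 0 07:19 ? 00:00:00 /usr/sbin/shibd -f -F
root 162 0 1 07:19 pts/0 00:00:00 /bin/bash'

# root_daemons: read `ps -ef` output on stdin and print "PID CMD" for every
# root-owned process whose TTY is "?" (a daemon, not the shell you exec'd
# in with, which sits on a pts). Exit status 1 if any were found.
root_daemons() {
  awk 'NR > 1 && $1 == "root" && $6 == "?" { found = 1; print $2, $8 }
       END { exit found ? 1 : 0 }'
}

# exposed_files: print regular files under $1 that are group- or
# world-readable. Point it at the TLS private key directory that Option 2
# chowns to the app user; any output is a key readable beyond its owner.
exposed_files() {
  find "$1" -type f \( -perm -040 -o -perm -004 \) | sort
}

# key_dir_chowns: print numbered lines of the Dockerfile $1 that chown the
# TLS private key directory (assumed /etc/pki/tls/private, as on the page).
# Exit status is grep's: 0 when such a line exists.
key_dir_chowns() {
  grep -nE 'chown[[:space:]].*/etc/pki/tls/private' "$1"
}

# Constructed Dockerfile excerpt, abbreviated from the Option 2 file above.
SAMPLE_DOCKERFILE='FROM i2incommon/grouper:2.5.28
RUN chown -R i2grouper:i2grouper /opt/grouper
RUN chown -R i2grouper:i2grouper /etc/pki/tls/certs
RUN chown -R i2grouper:i2grouper /etc/pki/tls/private
RUN setcap cap_net_bind_service=+ep /usr/sbin/httpd'

# Stand-alone demo: `sh check.sh demo`. In real use, pipe in
# `docker exec --user root <name> ps -ef` and run exposed_files inside the
# container against /etc/pki/tls/private.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_PS_OK"  | root_daemons && echo "ok: no root daemons"
  printf '%s\n' "$SAMPLE_PS_BAD" | root_daemons || echo "FAIL: root daemons listed above"
fi
```

The daemon check keys on the TTY column rather than the command name, so it still catches a root httpd, shibd or JVM if a later image change renames them; the permission check uses octal `-perm` bits so it behaves the same with GNU and BSD find.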
