Penn runs Grouper in AWS ECS. Our container is fairly simple and straightforward. Currently we build a separate sub-image for each environment and service. This document describes the UI image.

Since we are in ECS (with no host access) we want to be able to SSH in, so we run SSHD under supervisord. We also keep secrets in AWS Secrets Manager and the container loads them into environment variables at startup. Note that the resulting SSH access is root password authentication (the password itself comes from Secrets Manager, see the hook script below) on an exposed port 22, so restrict that port at the task's security group and treat read access to the secret as root access to the running task.

Dockerfile

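# this matches the version you decided on from release notes
ARG GROUPER_VERSION=2.5.35

FROM i2incommon/grouper:${GROUPER_VERSION}

LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"

# Extra OS packages on top of the TIER image:
#   openssh-server + supervisor  -> sshd into the task (ECS gives us no host access)
#   jq                           -> parse the Secrets Manager JSON in creds.sh
# Debug tooling (emacs etc.) is deliberately left out of the image.
RUN yum update -y \
  && yum install -y \
  jq \
  openssh-server \
  supervisor \
  && yum clean all

# aws cli to get secrets from secretsmanager.
# NOTE(review): unpinned; pin to the awscli release you tested against so the
# image is reproducible and a new awscli cannot silently break creds.sh.
RUN pip install --no-cache-dir awscli

# Penn overlay: everything under slashRoot/ lands at the same path in the image.
# Anything private committed under slashRoot/ (the file list includes
# etc/shibboleth/sp-key.pem) ends up in an image layer, so whoever can pull
# this image can read it. Keep registry access as tight as the key itself.
COPY /slashRoot/ /

# Parse json from secretsmanager: make the secret-loading scripts executable,
# hand the application trees to the tomcat user and normalise line endings
# (presumably because the repo may be checked out on Windows - see the
# dos2unix calls; a CRLF shebang would make the scripts fail at startup).
RUN chmod u+x /src/script/creds.sh \
  && chmod u+x /etc/profile.d/awsvars.sh \
  && chown -R tomcat:tomcat /opt/tomee \
  && chown -R tomcat:tomcat /opt/grouper \
  && dos2unix /usr/local/bin/grouper*.sh \
  && dos2unix /src/script/*.sh \
  && dos2unix /etc/profile.d/*.sh \
  && chmod +x /opt/grouper/grouperWebapp/WEB-INF/bin/ip4.sh \
  && dos2unix /opt/grouper/grouperWebapp/WEB-INF/bin/ip4.sh

# pass environmental vars: these are read by the TIER image's startup scripts
# (which components to run, JVM heap, self-signed cert for the internal
# apache->tomee hop). Secrets are NOT set here - they come from Secrets
# Manager at runtime via creds.sh, so nothing sensitive is baked into a layer.
ENV TZ=America/New_York \
    GROUPER_MAX_MEMORY=1200m \
    GROUPER_UI=true \
    GROUPER_RUN_APACHE=true \
    GROUPER_RUN_SHIB_SP=true \
    GROUPER_RUN_TOMEE=true \
    GROUPER_SELF_SIGNED_CERT=true

# config ssh: sshd host keys.
# NOTE(review): keys generated here are baked into an image layer, so every
# task started from this image shares one host identity and anyone who can
# pull the image holds the private host key. If that matters, generate them
# at container start instead (e.g. `ssh-keygen -A` from the startup hook).
# DSA host keys are disabled by default in OpenSSH >= 7.0, so an ed25519 key
# replaces the former dsa key alongside the rsa one.
RUN ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' \
  && ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''

# 443: apache / Shibboleth SP in front of the Grouper UI.
# 22: sshd (started from the supervisord programs appended at runtime).
# EXPOSE is documentation only - limit 22 at the task's security group.
# The image runs as root (sshd and chpasswd in the startup hook need it);
# there is no USER directive for that reason.
EXPOSE 443
EXPOSE 22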

File list from git

mchyzer@ISC20-0637-WL:/mnt/c/git/upenn-isc-penngroups/grouper-ui-test$ find
.
./.git
./.gitignore
./Dockerfile
./Jenkinsfile
./README.md
./slashRoot/etc/httpd/conf/httpd.conf.penn
./slashRoot/etc/httpd/conf.d/grouper-www_penn.conf
./slashRoot/etc/httpd/conf.d/shib_penn.conf
./slashRoot/etc/profile.d/awsvars.sh
./slashRoot/etc/shibboleth/attribute-map.xml.penn
./slashRoot/etc/shibboleth/idp-metadata.xml
./slashRoot/etc/shibboleth/idp-test.net.isc.upenn.edu-metadata.xml
./slashRoot/etc/shibboleth/shibboleth2.xml.grouperOrig
./slashRoot/etc/shibboleth/shibboleth2.xml.penn
./slashRoot/etc/shibboleth/sp-cert.pem
./slashRoot/etc/shibboleth/sp-key.pem
./slashRoot/etc/shibboleth/sp-metadata.xml
./slashRoot/opt/grouper/grouperWebapp/grouperExternal/public/assets/images/favicon.ico
./slashRoot/opt/grouper/grouperWebapp/grouperExternal/public/penn/images/logo.gif
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/bin/ip4.sh
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/morphString.properties
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/lib/ojdbc8.jar
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/lib/proxyWrapper.jar
./slashRoot/opt/grouper/logs/grouper/temp.txt
./slashRoot/opt/tier-support/supervisord_penn.conf
./slashRoot/src/script/creds.sh
./slashRoot/usr/local/bin/grouperScriptHooks.sh
./slashRoot/var/www/html/ip4.shtml
./slashRoot/var/www/html/temp.txt
mchyzer@ISC20-0637-WL:/mnt/c/git/upenn-isc-penngroups/grouper-ui-test$

/usr/local/bin/grouperScriptHooks.sh file

#!/bin/sh
 
### This file is Penn's overlay of the base image's /usr/local/bin/grouperScriptHooks.sh
# (it is copied in from slashRoot/usr/local/bin/ by the Dockerfile). The base image's copy
# defines the hook functions; an overlay like this one redefines the functions it needs.
# The "DO NOT EDIT OR OVERLAY" banner in the base image's copy refers to that original,
# not to this overlay. Note the file uses bash-only constructs ([[ ]], source, export -f),
# so it relies on being sourced by a bash startup script despite the /bin/sh shebang.
 
 
# called after the setupFiles functions is called, almost before the process starts
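# grouperScriptHooks_setupFilesPost
#
# Penn-specific container setup, run by the base image after its own file
# setup and just before the processes start. It:
#   1. appends the Penn supervisord programs (sshd) to supervisord.conf
#   2. loads Secrets Manager values into env vars (creds.sh, awsvars.sh)
#   3. sets the root password used by sshd from $PASS
#   4. swaps in the Penn httpd.conf, shibboleth2.xml and attribute-map.xml,
#      substituting the SP entityID placeholder with $SHIBBVAR
#
# No step aborts the startup: each command logs its exit status and the
# function carries on, so grep the log for "result=" values other than 0.
# Requires bash ([[ ]], source, local).
grouperScriptHooks_setupFilesPost() {

  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) starting..."

  # append sshd to supervisord (keep the base image's file for reference)
  cp -v /opt/tier-support/supervisord.conf /opt/tier-support/supervisord.conf.origGrouper
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp /opt/tier-support/supervisord.conf /opt/tier-support/supervisord.conf.origGrouper, result=$?"

  cat /opt/tier-support/supervisord_penn.conf >> /opt/tier-support/supervisord.conf
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cat /opt/tier-support/supervisord_penn.conf >> /opt/tier-support/supervisord.conf, result=$?"

  # setup env vars from secrets manager (sourced, so the exports land in this shell)
  source /src/script/creds.sh
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) /src/script/creds.sh , result=$?"

  source /etc/profile.d/awsvars.sh
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) /etc/profile.d/awsvars.sh , result=$?"
  # Only non-secret values are logged here; do not add DB passwords or $PASS
  # to this line, the container log is far more widely readable than the secret.
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) $ DB_HOST=$DB_HOST, $ SHIBBVAR=$SHIBBVAR"

  # Set the root password for sshd from Secrets Manager.
  # Security note: this is root password login over SSH; anyone who can read
  # the secret (or this process's environment) is root in the task, so keep
  # port 22 restricted and never run this shell with `set -x`. Key-based auth
  # for a non-root user would be the safer pattern.
  # The log line below intentionally does NOT expand $PASS.
  if [[ -z "${PASS}" ]]; then
    echo "pennContainer; ERROR: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) $ PASS is not set!"
  else
    echo "root:${PASS}" | chpasswd
    echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) echo root:$ { PASS } s | chpasswd , result=$?"
  fi

  # customize the log format and some other things in apache
  cp -v /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.origGrouper
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp -v /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.origGrouper , result=$?"

  cp -v /etc/httpd/conf/httpd.conf.penn /etc/httpd/conf/httpd.conf
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp -v /etc/httpd/conf/httpd.conf.penn /etc/httpd/conf/httpd.conf , result=$?"

  # penn shibboleth file with variables in there
  mv -f /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.grouperOrig
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) mv -f /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.grouperOrig , result=$?"

  cp /etc/shibboleth/shibboleth2.xml.penn /etc/shibboleth/shibboleth2.xml
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp /etc/shibboleth/shibboleth2.xml.penn /etc/shibboleth/shibboleth2.xml , result=$?"

  # Replace entityID with parameter from secrets manager env variable
  if [[ -z "${SHIBBVAR}" ]]; then
    # dont blank this out if the var isnt there
    echo "pennContainer; ERROR: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) $ SHIBBVAR is not set!"
  else
    # Escape the characters that are special on the replacement side of the
    # s||| command (the '|' delimiter, '&' and '\') so an unusual entityID
    # cannot truncate or alter the substitution.
    local shibbvar_sed
    shibbvar_sed=$(printf '%s' "${SHIBBVAR}" | sed -e 's/[\\|&]/\\&/g')
    sed -i "s|replace_me_entitiyID|${shibbvar_sed}|g" /etc/shibboleth/shibboleth2.xml
    echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) sed -i ''s|replace_me_entitiyID|$SHIBBVAR|g'' /etc/shibboleth/shibboleth2.xml , result=$?"
  fi

  mv -f /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.grouperOrig
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) mv -f /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.grouperOrig , result=$?"

  cp /etc/shibboleth/attribute-map.xml.penn /etc/shibboleth/attribute-map.xml
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp /etc/shibboleth/attribute-map.xml.penn /etc/shibboleth/attribute-map.xml , result=$?"

}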

# Export the hook (bash-only) so the base image's startup, which sources this
# file, also sees it in any child shells it spawns.
export -f grouperScriptHooks_setupFilesPost

echo "pennContainer; INFO: (grouperScriptHooks.sh-body) export -f grouperScriptHooks_setupFilesPost, result=$?"
 


