Penn runs Grouper in AWS ECS. Our container is fairly simple and straightforward. Currently we have a sub-image for each environment service. This document describes the UI container.
Since we are in ECS (with no host access) we want to be able to SSH in, so we run sshd under supervisord. We also keep secrets in AWS Secrets Manager, and the container loads those into environment variables when it starts.
Dockerfile
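# Penn Grouper UI image: overlays the Penn-specific files under slashRoot/ onto
# the upstream TIER Grouper image and adds sshd + awscli, so the container can
# be reached over SSH in ECS (no host access) and can pull its secrets from
# AWS Secrets Manager at start-up.

# this matches the version you decided on from release notes
ARG GROUPER_VERSION=2.5.35
FROM i2incommon/grouper:${GROUPER_VERSION}
LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"

# openssh-server + supervisor: sshd runs as an extra supervisord program
# (appended from supervisord_penn.conf by grouperScriptHooks.sh);
# jq parses the Secrets Manager JSON in creds.sh.
# NOTE: "yum update -y" pulls whatever is current at build time, so two builds
# of the same GROUPER_VERSION can differ; bump the base tag instead if strict
# reproducibility is wanted.
RUN yum update -y \
 && yum install -y \
      jq \
      openssh-server \
      supervisor \
 && yum clean all

# aws cli to get secrets from secretsmanager
# TODO: pin the version (awscli==<version>) so rebuilds are reproducible.
RUN pip install --no-cache-dir awscli

# Overlay the Penn files onto the root filesystem (httpd/shib config, the hook
# script, creds.sh, extra jars, supervisord_penn.conf).
# NOTE: slashRoot/etc/shibboleth/sp-key.pem is a private key. Everything under
# slashRoot/ is committed to git and ends up in an image layer, so the SP key
# should be delivered at start-up via Secrets Manager like the other secrets
# rather than copied here.
COPY /slashRoot/ /

# Make the overlaid scripts executable, give tomcat ownership of the webapp
# trees, and strip CRLF line endings (the repo is edited from Windows/WSL, so
# CRLF can slip in). dos2unix is assumed to come with the base image -- it is
# not installed above; confirm if the build ever fails on this step.
RUN chmod u+x /src/script/creds.sh \
 && chmod u+x /etc/profile.d/awsvars.sh \
 && chown -R tomcat:tomcat /opt/tomee \
 && chown -R tomcat:tomcat /opt/grouper \
 && dos2unix /usr/local/bin/grouper*.sh \
 && dos2unix /src/script/*.sh \
 && dos2unix /etc/profile.d/*.sh \
 && chmod +x /opt/grouper/grouperWebapp/WEB-INF/bin/ip4.sh \
 && dos2unix /opt/grouper/grouperWebapp/WEB-INF/bin/ip4.sh

# Runtime environment read by the upstream entrypoint: this sub-image runs the
# UI stack (apache + shib SP + tomee). Grouped in one ENV so they form one layer.
ENV TZ=America/New_York \
    GROUPER_MAX_MEMORY=1200m \
    GROUPER_UI=true \
    GROUPER_RUN_APACHE=true \
    GROUPER_RUN_SHIB_SP=true \
    GROUPER_RUN_TOMEE=true \
    GROUPER_SELF_SIGNED_CERT=true

# config ssh: sshd needs host keys. DSA host keys have been disabled by default
# since OpenSSH 7.0 and are never offered, so an ed25519 key is generated in
# place of the former DSA one (the RSA key is kept).
# NOTE: keys generated here are baked into the image: every container started
# from it presents the same host key, and the private key is readable by anyone
# who can pull the image. Generating them at container start would avoid both.
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' \
 && ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''

# 443: apache/shib SP front end; 22: sshd. Documentation only, nothing is published.
EXPOSE 443 22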
File list from git
mchyzer@ISC20-0637-WL:/mnt/c/git/upenn-isc-penngroups/grouper-ui-test$ find .
./.git
./.gitignore
./Dockerfile
./Jenkinsfile
./README.md
./slashRoot/etc/httpd/conf/httpd.conf.penn
./slashRoot/etc/httpd/conf.d/grouper-www_penn.conf
./slashRoot/etc/httpd/conf.d/shib_penn.conf
./slashRoot/etc/profile.d/awsvars.sh
./slashRoot/etc/shibboleth/attribute-map.xml.penn
./slashRoot/etc/shibboleth/idp-metadata.xml
./slashRoot/etc/shibboleth/idp-test.net.isc.upenn.edu-metadata.xml
./slashRoot/etc/shibboleth/shibboleth2.xml.grouperOrig
./slashRoot/etc/shibboleth/shibboleth2.xml.penn
./slashRoot/etc/shibboleth/sp-cert.pem
./slashRoot/etc/shibboleth/sp-key.pem
./slashRoot/etc/shibboleth/sp-metadata.xml
./slashRoot/opt/grouper/grouperWebapp/grouperExternal/public/assets/images/favicon.ico
./slashRoot/opt/grouper/grouperWebapp/grouperExternal/public/penn/images/logo.gif
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/bin/ip4.sh
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/morphString.properties
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/lib/ojdbc8.jar
./slashRoot/opt/grouper/grouperWebapp/WEB-INF/lib/proxyWrapper.jar
./slashRoot/opt/grouper/logs/grouper/temp.txt
./slashRoot/opt/tier-support/supervisord_penn.conf
./slashRoot/src/script/creds.sh
./slashRoot/usr/local/bin/grouperScriptHooks.sh
./slashRoot/var/www/html/ip4.shtml
./slashRoot/var/www/html/temp.txt
mchyzer@ISC20-0637-WL:/mnt/c/git/upenn-isc-penngroups/grouper-ui-test$
/usr/local/bin/grouperScriptHooks.sh file
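#!/bin/bash
# Penn overlay of /usr/local/bin/grouperScriptHooks.sh. The Dockerfile copies it
# over the hook stub shipped in the upstream image (via slashRoot/); the upstream
# entrypoint sources it and calls the hook functions defined here.
# bash, not sh: the file uses [[ ]], source and export -f.

# called after the setupFiles functions is called, almost before the process starts
grouperScriptHooks_setupFilesPost() {
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) starting..."

  # append sshd to supervisord (supervisord_penn.conf holds the extra program block);
  # the upstream file is kept as .origGrouper for reference
  cp -v /opt/tier-support/supervisord.conf /opt/tier-support/supervisord.conf.origGrouper
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp /opt/tier-support/supervisord.conf /opt/tier-support/supervisord.conf.origGrouper, result=$?"
  cat /opt/tier-support/supervisord_penn.conf >> /opt/tier-support/supervisord.conf
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cat /opt/tier-support/supervisord_penn.conf >> /opt/tier-support/supervisord.conf, result=$?"

  # setup env vars from secrets manager. creds.sh is expected to export DB_HOST,
  # SHIBBVAR and PASS (its contents are not shown here -- confirm); awsvars.sh is
  # the profile.d variant so interactive ssh sessions see the same values.
  source /src/script/creds.sh
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) /src/script/creds.sh , result=$?"
  source /etc/profile.d/awsvars.sh
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) /etc/profile.d/awsvars.sh , result=$?"
  # only non-sensitive values are logged; PASS is never written to the log
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) \$DB_HOST=$DB_HOST, \$SHIBBVAR=$SHIBBVAR"

  # might not be a good security pattern but set the ssh password from secrets manager
  if [[ -z "${PASS}" ]]; then
    echo "pennContainer; ERROR: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) \$PASS is not set!"
  else
    echo "root:${PASS}" | chpasswd
    echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) echo root:\${PASS} | chpasswd , result=$?"
  fi

  # customize the log format and some other things in apache
  cp -v /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.origGrouper
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp -v /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.origGrouper , result=$?"
  cp -v /etc/httpd/conf/httpd.conf.penn /etc/httpd/conf/httpd.conf
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp -v /etc/httpd/conf/httpd.conf.penn /etc/httpd/conf/httpd.conf , result=$?"

  # penn shibboleth file with variables in there
  mv -f /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.grouperOrig
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) mv -f /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.grouperOrig , result=$?"
  cp /etc/shibboleth/shibboleth2.xml.penn /etc/shibboleth/shibboleth2.xml
  # (log line now names the command actually run: cp, not mv)
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp /etc/shibboleth/shibboleth2.xml.penn /etc/shibboleth/shibboleth2.xml , result=$?"

  # Replace entityID with parameter from secrets manager env variable
  if [[ -z "${SHIBBVAR}" ]]; then
    echo "pennContainer; ERROR: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) \$SHIBBVAR is not set!"
  else
    # dont blank this out if the var isnt there.
    # SHIBBVAR is interpolated into the sed expression unescaped, so the secret
    # value must not contain '|' or '&' (an entityID URL normally does not).
    sed -i "s|replace_me_entitiyID|$SHIBBVAR|g" /etc/shibboleth/shibboleth2.xml
    echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) sed -i ''s|replace_me_entitiyID|$SHIBBVAR|g'' /etc/shibboleth/shibboleth2.xml , result=$?"
  fi

  # penn attribute map replaces the upstream one; original kept as .grouperOrig
  mv -f /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.grouperOrig
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) mv -f /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.grouperOrig , result=$?"
  cp /etc/shibboleth/attribute-map.xml.penn /etc/shibboleth/attribute-map.xml
  echo "pennContainer; INFO: (grouperScriptHooks.sh-grouperScriptHooks_setupFilesPost) cp /etc/shibboleth/attribute-map.xml.penn /etc/shibboleth/attribute-map.xml , result=$?"
}
# exported so the hook is visible to any child bash the entrypoint spawns
export -f grouperScriptHooks_setupFilesPost
echo "pennContainer; INFO: (grouperScriptHooks.sh-body) export -f grouperScriptHooks_setupFilesPost, result=$?"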