Introduction
The packaged TIER Shibboleth-IdP release is a Docker container-based implementation of the Shibboleth IdP.
What is the TIER Shibboleth IdP release?
A specifically packaged, distributed, instrumented, and operated implementation of the standard Shibboleth IdP.
What is a container?
A lightweight, executable package of an application, which typically includes everything needed to run it. They are not VMs; there is no hypervisor involved, so they are much leaner.
What is Docker?
An ecosystem for building, packaging, and deploying applications using containers.
Why Docker?
Docker is the leader in container development and operations and is supported across a number of platforms!
Things to think about for deploying the TIER Shib IdP
Config type: burned, mounted, or hybrid
HA/Container Orchestration
Image lifecycle
Concepts:
Build, ship, run...
Docker swarm
Volume mounts
Secrets
Installation
Getting Started
In this training, you’ll build a Docker image, store it somewhere else, then set up a service to pull this image and run it in an HA manner.
You’ll need (at least) 2 VMs - call one ‘manager’ and the other ‘worker’
It will be easier for this course to assign appropriate hostnames to your VMs for their respective roles (manager/worker). To do this (substitute below for ‘manager’ as desired/appropriate):
hostname manager
echo manager > /etc/hostname
systemctl restart docker
For all node-to-node communications for this training, you’ll need to use the private IP addresses on the VMs (typically 172.31.*.*). Amazon AWS uses NAT and the training is designed to be constrained completely inside the AWS subnet.
...
idp-signing.key
idp-signing.crt
idp-encryption.key
idp-encryption.crt
keystore.jks (tomcat/SSL)
sealer.jks
sealer.kver
idp.properties
ldap.properties
relying-party.xml
attribute-filter.xml
attribute-resolver.xml
metadata-providers.xml
Build your config
Use the configBuilder.sh script (in the files from GitHub)
After building your IdP config, this script will create a timestamped archive/zipfile with all of your config bits (including sensitive information).
If you choose a ‘hybrid’ build type, then this script also creates a new child directory named ‘ConfigNoSecrets’ which contains your configuration, but with all secrets moved to a separate directory (including some of the more dynamic config files).
Info you’ll need for this script:
FQDN of your IdP
Attribute scope value for your IdP (typically your main domain name)
LDAP info
LDAP URL
LDAP Base DN
LDAP service account DN for the IdP
Password on the above account
Config type (see above)
BUILD your image (run from the same directory as above where the Dockerfile is located)
Mounted (you’ll need to transfer your built config to your manager VM if you built it elsewhere)
docker build --rm -t my/shibb-idp-tier .
Burned (assuming default directories generated by the configBuilder.sh script)
docker build --rm -t my/shibb-idp-tier .
Hybrid (you’ll need to transfer your secrets to your manager VM)
The first command below establishes an alternate location for the config bits (which then gets used in the subsequent ‘docker build’ command). The default directory referenced is produced by the configBuilder.sh script and has the secrets extracted from the main config. This means that the resulting image will be burned with an incomplete config (some files will be missing). That config will be completed at run-time when the predefined secrets are added by docker.
export ALTCFG=ConfigNoSecrets
docker build --rm -t my/shibb-idp-tier --build-arg TOMCFG=${ALTCFG}/config/tomcat \
--build-arg TOMLOG=${ALTCFG}/logs/tomcat \
--build-arg TOMCERT=${ALTCFG}/credentials/tomcat \
--build-arg TOMWWWROOT=${ALTCFG}/wwwroot \
--build-arg SHBCFG=${ALTCFG}/config/shib-idp/conf \
--build-arg SHBCREDS=${ALTCFG}/credentials/shib-idp \
--build-arg SHBVIEWS=${ALTCFG}/config/shib-idp/views \
--build-arg SHBEDWAPP=${ALTCFG}/config/shib-idp/edit-webapp \
--build-arg SHBMSGS=${ALTCFG}/config/shib-idp/messages \
--build-arg SHBMD=${ALTCFG}/config/shib-idp/metadata \
--build-arg SHBLOG=${ALTCFG}/logs/shib-idp .
Tag your new image for shipping to the private repository
docker tag my/shibb-idp-tier repo.training.incommon.org:5000/shib-idp-tier:<your userID>
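Before running the hybrid build, it is worth verifying that the secrets really left the build context, since anything under the --build-arg directories ends up in an image layer that every pull of the image receives. This is an added example, not code from the TIER training files; it assumes the file names below are the credential and secret-carrying config files listed earlier, and scans only the config/ and credentials/ directories the --build-arg values point at.

```shell
#!/bin/sh
# Added example, not part of the TIER training files: before the hybrid
# 'docker build', verify that the files carrying key material and passwords
# were really moved out of the build context (config/ and credentials/ under
# ALTCFG), so they cannot be burned into an image layer.
# Assumption: the file names below are the credential and secret-carrying
# config files the handout lists; the SECRETS/ subdirectory name is the
# handout's own. Only config/ and credentials/ are scanned, because those are
# the directories the --build-arg values point the Dockerfile at.

SECRET_FILES="idp-signing.key idp-encryption.key keystore.jks sealer.jks sealer.kver idp.properties ldap.properties"

# check_no_secrets <ALTCFG dir>: prints each leftover secret to stderr;
# returns 0 when the build context is clean, 1 when any secret is present.
check_no_secrets() {
    altcfg=$1
    found=0
    for name in $SECRET_FILES; do
        for path in $(find "$altcfg/config" "$altcfg/credentials" -type f -name "$name" 2>/dev/null); do
            echo "secret still in build context: $path" >&2
            found=1
        done
    done
    return $found
}

# demo_layout: constructs a sample ConfigNoSecrets tree in a temp dir, checks
# it once with the secrets correctly parked in SECRETS/ and once with
# idp-signing.key left behind in credentials/, and prints both results ("0 1").
demo_layout() {
    tmp=$(mktemp -d)
    cfg="$tmp/ConfigNoSecrets"
    mkdir -p "$cfg/config/shib-idp/conf" "$cfg/credentials/shib-idp" "$cfg/SECRETS"
    : > "$cfg/config/shib-idp/conf/relying-party.xml"   # constructed, non-secret
    : > "$cfg/SECRETS/idp.properties"                   # constructed, parked secret
    : > "$cfg/SECRETS/idp-signing.key"
    clean=0; check_no_secrets "$cfg" || clean=$?
    : > "$cfg/credentials/shib-idp/idp-signing.key"     # simulate a leftover key
    dirty=0; check_no_secrets "$cfg" || dirty=$?
    rm -rf "$tmp"
    echo "$clean $dirty"
}

# Gate the build on the check, e.g.:
#   check_no_secrets "$ALTCFG" && docker build --rm -t my/shibb-idp-tier ... .
```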
SHIP your image to the private repo for this training class (an instance of the Docker Private Repo)
First, add an entry to your /etc/hosts file (on both manager and worker nodes)
172.31.10.102 repo.training.incommon.org
docker login repo.training.incommon.org:5000
Username: incommontrain
Password: CheckWithMe
docker push repo.training.incommon.org:5000/shib-idp-tier:<your userID>
Start a new docker swarm with your 2 VMs
If needed, set rules in firewalld on all swarm nodes (and disable selinux, if applicable)
...
Changing the configuration of an existing service
Burned
Update the appropriate config file in the directories set up by the configBuilder.sh script (child directories from the Dockerfile directory). Most Shib-IdP config is in ‘config/shib-idp/conf’.
Re-run the same build command from step 2.b above, with the change below, to build and push a new image.
Modify the build command slightly (apply a tag as in ‘newBuild’ below) to ensure your new build has a unique name
docker build --rm -t my/shibb-idp-tier:newbuild .
docker tag my/shibb-idp-tier:newbuild repo.training.incommon.org:5000/shib-idp-tier-newbuild:<your userID>
docker login repo.training.incommon.org:5000
docker push repo.training.incommon.org:5000/shib-idp-tier-newbuild:<your userID>
Apply a service update to your swarm to roll in the new image
docker service update --update-parallelism 1 --update-delay 60s --image repo.training.incommon.org:5000/shib-idp-tier-newbuild:<your userID> shib-idp
Mounted
Update the appropriate config file in the directories set up by the configBuilder.sh script (child directories from the Dockerfile directory). Most Shib-IdP config is in ‘config/shib-idp/conf’.
Re-run the syncFilesToAllSwarmNodes.sh script (from step 6.b) to push the updated files to the other swarm nodes (this must be done on the manager node).
Apply a service update with the ‘--force’ flag to perform a rolling restart of the IdP instances
docker service update --force --update-parallelism 1 --update-delay 60s shib-idp
Hybrid
Secret files
On the manager VM, update the relevant secret file either in the child directories created by the configBuilder.sh script -OR- in the ‘ConfigNoSecrets/SECRETS’ subdirectory
Update the relevant secret within docker
First, edit the relevant secret file.
Then, create a new secret within docker.
Then, update the service, removing the old secret and adding the new one in the same command.
docker secret create idp.properties.new ./config/shib-idp/conf/idp.properties
docker service update \
--secret-rm idp.properties \
--secret-add src=idp.properties.new,target=/opt/shibboleth-idp/conf/idp.properties \
shib-idp
You may want to then delete the old secret
docker secret rm idp.properties
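The same rotation as a reusable script, added here as an example rather than the handout's own code. Because Docker secrets are immutable and names must be unique, a fixed name such as ‘idp.properties.new’ can only be created once; this version derives a fresh versioned name on every run and uses the same service name, target path and rolling-update options as above. It assumes a DOCKER variable that lets a caller substitute the docker binary (for example ‘echo’ for a dry run).

```shell
#!/bin/sh
# Added example, not part of the TIER training files: rotate one Docker secret
# for the shib-idp service with a versioned name. Docker secrets are immutable
# and names must be unique, so a fixed name like 'idp.properties.new' can only
# be used once; this derives a fresh name each time and removes the old secret
# in the same service update, as the handout's manual steps do.
# Assumption: DOCKER lets a caller substitute the docker binary (e.g. 'echo'
# for a dry run); everything else uses documented docker CLI options.

DOCKER=${DOCKER:-docker}

# rotate_secret <current secret name> <local file> <target path> <service>
# Prints the new secret name; returns 1 on a docker failure, 2 if the file is missing.
rotate_secret() {
    old=$1; file=$2; target=$3; service=$4
    [ -f "$file" ] || { echo "rotate_secret: no such file: $file" >&2; return 2; }
    base=${old%.v[0-9]*}                 # strip a previous .v<timestamp> suffix, if any
    new="$base.v$(date -u +%Y%m%d%H%M%S)"
    $DOCKER secret create "$new" "$file" >/dev/null || return 1
    # Swap the secret in one rolling update, one task at a time, as in the handout.
    $DOCKER service update --update-parallelism 1 --update-delay 60s \
        --secret-rm "$old" --secret-add "src=$new,target=$target" "$service" >/dev/null || return 1
    # The old secret is free once the update has converged; if a task still
    # holds it, docker refuses the removal and it can be removed later.
    $DOCKER secret rm "$old" >/dev/null 2>&1 || echo "rotate_secret: $old still in use, remove it later" >&2
    echo "$new"
}

# Example, matching the handout's manual steps:
#   rotate_secret idp.properties ./config/shib-idp/conf/idp.properties \
#       /opt/shibboleth-idp/conf/idp.properties shib-idp
```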
Regular config files (non-secret)
Use the instructions above for updating a burned config