...

The following is a Dockerfile used by the build script above; it layers in the local configuration that Grouper needs for the Internet2 Collaboration Platform, which hosts spaces.internet2.edu. The files that contain secrets live in an encrypted S3 bucket, and the build host runs under an IAM role that grants access to that bucket, so no AWS credentials appear in the Dockerfile itself. This example is for a Grouper UI container; the service uses AWS RDS (Relational Database Service) for its database.

Dockerfile:
FROM tier/grouper:2.4.0-a27-u11-w2-p2-20190211

ARG s3url
ARG SHORTENV

ENV ENV=$SHORTENV
ENV CONFIG_BUCKET=$s3url/grouper.at.internet2.edu

ENV CATALINA_OPTS="-XX:+UseG1GC -Xmx3000m"

# The AWS CLI is used below to pull configuration from the encrypted bucket;
# the build host's IAM role supplies the credentials, so none are baked in here.
RUN yum update -y && \
    yum -y install epel-release && \
    pip install awscli && pip install --upgrade pip

# Shibboleth SP certificate, private key, attribute map and IdP metadata.
# Files fetched in a RUN step end up in the image layers, so the built image
# (and the registry it is pushed to) must be treated as sensitive.
RUN aws s3 cp $CONFIG_BUCKET/shib/sp-cert.pem /etc/shibboleth && \
    aws s3 cp $CONFIG_BUCKET/shib/sp-key.pem /etc/shibboleth  && \
    aws s3 cp $CONFIG_BUCKET/shib/attribute-map.xml /etc/shibboleth  && \
    aws s3 cp s3://comanage-dev-host-configs/general_metadata/login.at.internet2.edu-metadata.xml /etc/shibboleth && \
    cp /dev/null /etc/httpd/conf.d/ssl-enabled.conf && \
    mkdir /opt/grouper/grouper.apiBinary/ddlScripts && \
    chown tomcat:tomcat /opt/grouper/grouper.apiBinary/ddlScripts

COPY container_files/shibboleth/shibboleth2.xml /etc/shibboleth/
COPY container_files/httpd/grouper.conf /etc/httpd/conf.d
# uncomment the next line to turn on shibd debug logging
#COPY container_files/shibboleth/shibd.logger /etc/shibboleth/shibd.logger
ENV LD_LIBRARY_PATH=/opt/shibboleth/lib64

# Signing certificate used to verify the metadata fetched above
ADD https://s3.us-east-2.amazonaws.com/comanage-metadata-public/certs/icmp_signing.crt /etc/pki/tls/certs/

COPY container_files/tomcat/server.xml /opt/tomcat/conf/

# Configuration files for Grouper (grouper.hibernate.properties carries the
# database connection settings for the RDS instance)
RUN aws s3 cp $CONFIG_BUCKET/grouper/grouper.hibernate.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/ldap.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/grouper.client.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/grouper.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/subject.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/log4j.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/grouper-loader.properties /opt/grouper/conf/

# update local text configurations for the UI
RUN aws s3 cp $CONFIG_BUCKET/grouper/grouper.text.en.us.properties /opt/grouper/grouper.ui/WEB-INF/classes/grouperText/
RUN aws s3 cp $CONFIG_BUCKET/grouper/grouper-ui.properties /opt/grouper/grouper.ui/WEB-INF/classes/grouper-ui.properties

...

grouper.conf:
ServerName https://grouper.at.internet2.edu:443
UseCanonicalName On

# The ELB in front of the container presents the client address in X-Forwarded-For.
# Consider adding RemoteIPInternalProxy for the ELB's address range so that only
# the load balancer's value is honoured.
RemoteIPHeader X-Forwarded-For

RewriteEngine On
# TLS is terminated at the ELB; redirect anything that reached it over plain http.
# Request headers are read in RewriteCond as %{HTTP:...}; the anchored pattern
# avoids matching "https" as well.
RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]

# send the site root to the Grouper UI
RewriteRule   "^/$"  "/grouper/"  [R]

# log the X-Forwarded-For (the real client IP) header if present
LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "/tmp/logpipe" combined env=!forwarded
CustomLog "/tmp/logpipe" proxy env=forwarded

ErrorLogFormat "httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
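
Because the two CustomLog lines above write different layouts to the same pipe, anything consuming that pipe has to tell them apart. The following parser is an added example, not part of the original page or the TIER project: it recognises the proxy format's `httpd;access_log;ENV;USERTOKEN;X-Forwarded-For` prefix, falls back to the standard combined layout for direct hits such as health checks, and takes the rightmost X-Forwarded-For entry (the one the ELB appends) as the client address. The log lines are constructed samples.

```python
import re
from typing import Optional

# Field layout of the two CustomLog formats in grouper.conf above:
#   proxy:    httpd;access_log;%{ENV}e;%{USERTOKEN}e;%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
#   combined: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
_TAIL = (r' (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)"'
         r' (?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
PROXY_RE = re.compile(r'^httpd;access_log;(?P<env>[^;]*);(?P<usertoken>[^;]*);(?P<xff>.*?)' + _TAIL)
COMBINED_RE = re.compile(r'^(?P<host>\S+)' + _TAIL)

def parse_access_line(line: str) -> Optional[dict]:
    """Parse one line in either format; return None if it matches neither."""
    m = PROXY_RE.match(line)
    if m:
        rec = m.groupdict()
        hops = [h.strip() for h in rec.pop("xff").split(",") if h.strip()]
        rec["forwarded_chain"] = hops
        # The ELB appends the address it actually connected from to the END of
        # X-Forwarded-For; anything to the left was sent by the client and is untrusted.
        rec["client_ip"] = hops[-1] if hops else None
        rec["via_proxy"] = True
        return rec
    m = COMBINED_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["client_ip"] = rec.pop("host")
        rec.update(env=None, usertoken=None, forwarded_chain=[], via_proxy=False)
        return rec
    return None

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    'httpd;access_log;dev;-;203.0.113.7 - - [11/Feb/2019:13:45:02 +0000] "GET / HTTP/1.1" 302 - "-" "curl/7.64.0"',
    'httpd;access_log;dev;-;198.51.100.9, 203.0.113.7 - jdoe [11/Feb/2019:13:45:03 +0000] '
    '"GET /grouper/ HTTP/1.1" 200 5120 "https://grouper.at.internet2.edu/" "Mozilla/5.0"',
    '10.0.0.5 - - [11/Feb/2019:13:45:04 +0000] "GET /grouper/status HTTP/1.1" 200 12 "-" "ELB-HealthChecker/2.0"',
    'garbage line that matches neither format',
]

def summarize(lines):
    """Return (parsed records, number of lines that matched neither format)."""
    parsed = [parse_access_line(l) for l in lines]
    records = [r for r in parsed if r is not None]
    return records, len(parsed) - len(records)

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG)[0]:
        print(rec["env"], rec["client_ip"], rec["forwarded_chain"], rec["request"], rec["status"])
```

The second sample shows why the rightmost entry is used: the leftmost address arrived in the client's own request header and could say anything, while the ELB-appended value is the one observed on the wire.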

Note: since TLS termination typically happens at the ELB, inform Tomcat that it should create URLs of the form https by specifying secure="true" in the Connector declaration in server.xml.