...
The following Dockerfile is used by the build script above. It layers the site-specific configuration for running Grouper onto the TIER base image; this instance serves the Internet2 Collaboration Platform, which houses spaces.internet2.edu. The files that contain secrets live in an encrypted S3 bucket, and the build host runs under an IAM role that allows it to read that bucket. This example is for a Grouper UI container; the Grouper database for this service is Amazon RDS (Relational Database Service). Note that the `aws s3 cp` steps run at build time, so the secret files (the Shibboleth SP private key, the database credentials in grouper.hibernate.properties, the LDAP bind credentials in ldap.properties) are written into image layers: the resulting image is as sensitive as those files and must only be pushed to a private registry with access limited to the hosts that run it.
```dockerfile
FROM tier/grouper:2.4.0-a27-u11-w2-p2-20190211

# s3url and SHORTENV are passed in by the build script (--build-arg).
ARG s3url
ARG SHORTENV
ENV ENV=$SHORTENV
ENV CONFIG_BUCKET=$s3url/grouper.at.internet2.edu
ENV CATALINA_OPTS="-XX:+UseG1GC -Xmx3000m"

# The build host's IAM role provides the credentials the aws CLI uses below.
RUN yum update -y && \
    yum -y install epel-release && \
    pip install awscli && pip install --upgrade pip

# Shibboleth SP material and IdP metadata; ssl-enabled.conf is emptied because
# TLS terminates at the ELB, not in this container.
RUN aws s3 cp $CONFIG_BUCKET/shib/sp-cert.pem /etc/shibboleth && \
    aws s3 cp $CONFIG_BUCKET/shib/sp-key.pem /etc/shibboleth && \
    aws s3 cp $CONFIG_BUCKET/shib/attribute-map.xml /etc/shibboleth && \
    aws s3 cp s3://comanage-dev-host-configs/general_metadata/login.at.internet2.edu-metadata.xml /etc/shibboleth && \
    cp /dev/null /etc/httpd/conf.d/ssl-enabled.conf && \
    mkdir /opt/grouper/grouper.apiBinary/ddlScripts && \
    chown tomcat:tomcat /opt/grouper/grouper.apiBinary/ddlScripts

COPY container_files/shibboleth/shibboleth2.xml /etc/shibboleth/
COPY container_files/httpd/grouper.conf /etc/httpd/conf.d
# uncomment next line to turn on shibd debug
COPY container_files/shibboleth/shibd.logger /etc/shibboleth/shibd.logger
ENV LD_LIBRARY_PATH=/opt/shibboleth/lib64
ADD https://s3.us-east-2.amazonaws.com/comanage-metadata-public/certs/icmp_signing.crt /etc/pki/tls/certs/
COPY container_files/tomcat/server.xml /opt/tomcat/conf/

# Configuration files for Grouper
RUN aws s3 cp $CONFIG_BUCKET/grouper/grouper.hibernate.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/ldap.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/grouper.client.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/grouper.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/subject.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/log4j.properties /opt/grouper/conf/ && \
    aws s3 cp $CONFIG_BUCKET/grouper/grouper-loader.properties /opt/grouper/conf/

# update local text configurations
RUN aws s3 cp $CONFIG_BUCKET/grouper/grouper.text.en.us.properties /opt/grouper/grouper.ui/WEB-INF/classes/grouperText/
RUN aws s3 cp $CONFIG_BUCKET/grouper/grouper-ui.properties /opt/grouper/grouper.ui/WEB-INF/classes/grouper-ui.properties
```
...
```apache
# Self-referential URLs (and UseCanonicalName On) use https, since TLS is
# terminated at the ELB and httpd itself only sees plain HTTP.
ServerName https://grouper.at.internet2.edu:443
UseCanonicalName On

# Take the client address from X-Forwarded-For. Add a RemoteIPInternalProxy
# line for the ELB / VPC address range so that only the load balancer's
# header is believed; otherwise a direct client can spoof its logged address.
RemoteIPHeader X-Forwarded-For

# Redirect requests that reached the ELB over plain HTTP to HTTPS.
# A request header is read with %{HTTP:...} (not the %{...}i LogFormat
# syntax), and the pattern is anchored so that it does not also match
# "https", which would loop forever.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
RewriteRule "^/$" "/grouper/" [R]

# log the X-Forwarded-For (the real client IP) header if present
LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "/tmp/logpipe" combined env=!forwarded
CustomLog "/tmp/logpipe" proxy env=forwarded
ErrorLogFormat "httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
```
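The `proxy` LogFormat above writes the raw `X-Forwarded-For` header, and `RemoteIPHeader` only yields the true client address when httpd is told which proxies to trust. The following is an added example, not code from the page or from the Grouper/TIER project: it implements the same right-to-left walk that a trusted-proxy list gives you and contrasts it with logging the leftmost header entry verbatim. The 10.0.0.0/16 range standing in for the ELB, and all addresses in the demo, are constructed for illustration.

```python
import ipaddress

# Assumed for illustration: the VPC range the ELB connects from. In httpd
# this is what a RemoteIPInternalProxy directive would list.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def _parse_xff(header):
    """Split an X-Forwarded-For value into IP objects. Return None if any
    entry is not an IP address: a malformed header is not trusted at all."""
    hops = []
    for entry in header.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            hops.append(ipaddress.ip_address(entry))
        except ValueError:
            return None
    return hops or None


def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Return the address to log and authorize for a request.

    peer    -- the TCP peer httpd actually accepted (%a in ErrorLogFormat)
    xff     -- raw X-Forwarded-For header value, or None
    trusted -- networks whose appended X-Forwarded-For entries are believed

    Walk the header from the right (the entry the last proxy appended) and
    discard every address that belongs to a trusted proxy; the first address
    that is not a trusted proxy is the client. If the peer itself is not a
    trusted proxy the header could have been written by anyone, so it is
    ignored and the peer address is used.
    """
    peer = ipaddress.ip_address(peer)
    if not _is_trusted(peer, trusted) or not xff:
        return str(peer)
    hops = _parse_xff(xff)
    if hops is None:
        return str(peer)
    candidate = peer
    for hop in reversed(hops):
        candidate = hop
        if not _is_trusted(hop, trusted):
            break
    # If every entry was a trusted proxy, the leftmost proxy is returned.
    return str(candidate)


def leftmost_xff(peer, xff):
    """What logging %{X-Forwarded-For}i verbatim records: the leftmost
    entry, which the client itself can set to any value."""
    hops = _parse_xff(xff) if xff else None
    return str(hops[0]) if hops else str(peer)


if __name__ == "__main__":
    # Constructed request: client 203.0.113.5 sent a forged header entry,
    # the ELB (10.0.1.20) appended the real client address behind it.
    peer, header = "10.0.1.20", "198.51.100.9, 203.0.113.5"
    print("trusted-proxy walk :", client_ip(peer, header))
    print("raw leftmost entry :", leftmost_xff(peer, header))
```

A client that connects directly to httpd (peer outside the trusted range) cannot change its logged address no matter what it sends; a client behind the ELB can only prepend entries, which the walk never reaches. Anything not parseable as an address falls back to the peer, so log lines never carry attacker-controlled text in the client field.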
Note: Because TLS terminates at the ELB, the request reaches Tomcat over plain HTTP (or AJP) from httpd, and Tomcat would otherwise generate self-referential URLs, including redirects, with an http scheme. Specify secure="true" in the Connector declaration in server.xml so that Tomcat treats the request as secure and builds https URLs; scheme="https" and proxyPort="443" on the same Connector make request.getScheme() and request.getServerPort() report what the client actually used. The ServerName line with an https scheme in the httpd configuration above does the same job for the URLs httpd itself generates.
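The Connector attributes the note refers to, as an added example rather than the server.xml copied into the container by the Dockerfile above; port 8080 and the HTTP/1.1 protocol are assumptions, so apply the same attributes to whichever Connector httpd proxies to:

```xml
<!-- Added example; not the server.xml from this page. Port and protocol
     are assumed. -->

<!-- Weak: Tomcat believes what it sees on the wire, plain HTTP from httpd,
     so request.isSecure() is false and generated URLs start with http:// -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

<!-- Corrected: TLS was terminated at the ELB, so declare the request secure,
     the scheme to report, and the port the client really connected to. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           secure="true"
           scheme="https"
           proxyPort="443" />
```

If httpd does not pass the original Host header through to Tomcat, add proxyName="grouper.at.internet2.edu" as well so that request.getServerName() matches the public name.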