...
| Argument | Description | ||
|---|---|---|---|
| ui | will set env vars: | ||
| ws | will set env vars: GROUPER_WS='true' GROUPER_RUN_APACHE='true' GROUPER_RUN_TOMEE='true' | ||
| scim | will set env vars: GROUPER_SCIM='true' GROUPER_RUN_APACHE='true' GROUPER_RUN_TOMEE='true' | ||
| daemon | will set env vars: GROUPER_DAEMON='true' GROUPER_RUN_TOMEE='true' | ||
bin/gsh <gshScriptFileName> -or- | will just run gsh commands from docker command line e.g.
Note: this will not work with a quickstart container. Shell into the quickstart container and run gsh.sh | ||
| ui-ws | will set env vars (if not overridden): GROUPER_UI='true' GROUPER_WS='true' GROUPER_RUN_APACHE='true' GROUPER_RUN_SHIB_SP='true' GROUPER_RUN_TOMEE='true' | ||
| quickstart (v2.5.27+) | will set env vars (if not overridden): | ||
| <no command> | do nothing, so GSH can be used in bash in container, or pass in ENV vars to run something not with command above | ||
| -e GROUPER_UI=true | env var will tell grouper to allow ui calls via grouper.hibernate.base.properties (default false) grouper.is.ui.elConfig = ${java.lang.System.getenv().get('GROUPER_UI')} | ||
| -e GROUPER_WS=true | env var will tell grouper to allow ws calls via grouper.hibernate.base.properties (default false) grouper.is.ws.elConfig = ${java.lang.System.getenv().get('GROUPER_WS')} | ||
| -e GROUPER_SCIM=true | env var will tell grouper to allow ws calls via grouper.hibernate.base.properties (default false) grouper.is.scim.elConfig = ${java.lang.System.getenv().get('GROUPER_SCIM')} | ||
| -e GROUPER_DAEMON=true | env var will tell grouper to kick of daemon thread in tomee (default false) grouper.is.daemon.elConfig = ${java.lang.System.getenv().get('GROUPER_DAEMON')} | ||
| -e GROUPER_QUICKSTART=true (v2.5.28+) | env var will setup quickstart components (default false) | ||
| -e GROUPER_RUN_APACHE=true | env var will tell supervisor to kick off apache in container. Note, apache is not needed (default false) for Grouper. You could hook up an external web server to tomee or run from tomee itself (not recommended) | ||
| -e GROUPER_RUN_SHIB_SP=true (RUN_SHIB_SP up to v2.5.27) | env var will tell supervisor to kick off shib sp in container. Note if you dont use shib this is not needed. (default false) Note: you can also run shib outside the grouper container (e.g. in another container or from reverse proxy) Note: if RUN_SHIB_SP is false, it will take the shib apache directive out of grouper-www.conf | ||
| -e GROUPER_SHIB_LOG_USE_PIPE (v2.5.30+) | env var to not setup a pipe for shib. defaults to true. Set to false if should just log stdout and stderr of shib to /tmp/logshibd Might want to mount /tmp/logshibd to the external host, or other shib log files | ||
| -e GROUPER_RUN_TOMEE=true (RUN_TOMEE up to v2.5.27) | env var will tell supervisor to kick off tomee. Note you must have this to true if you are doing anything (default false) but a GSH env. The WS/UI/scim/daemon must run tomee in container. | ||
-e GROUPER_RUN_HSQLDB=true (v2.5.27+) | env var will tell supervisor to start hsqldb, storing data files to /opt/hsqldb and listening in container on port 9001 (default false) | ||
| -e GROUPER_SELF_SIGNED_CERT=true (SELF_SIGNED_CERT up to v2.5.27) | will overlay /etc/httpd/conf.d/ssl-enabled.conf so that apache uses a self-signed cert for quick starts (default false) | ||
| -e GROUPER_APACHE_SERVER_NAME=https://a.b.c:443 (v2.5.28+) | will set server name in grouper-www.conf and will set use canonical name on | ||
| -e GROUPER_APACHE_NONSSL_PORT=80 (v2.5.28+) | will change the non-ssl port of apache. default is 80. | ||
| -e GROUPER_APACHE_SSL_PORT=443 (v2.5.28+) | will change the ssl port of apache. default is 443. | ||
| -e GROUPER_APACHE_AJP_TIMEOUT_SECONDS (v2.5.28+) | defaults to 3600 (one hour), customize here | ||
| -e GROUPER_APACHE_DIRECTORY_INDEXES (v2.5.30+) | defaults to false. set to true to have apache directory indexes on | ||
| -e GROUPER_TOMCAT_HTTP_PORT (v2.5.28+) | defaults to 8080 | ||
| -e GROUPER_TOMCAT_AJP_PORT (v2.5.28+) | defaults to 8009 | ||
| -e GROUPER_TOMCAT_SHUTDOWN_PORT (v2.5.28+) | defaults to 8005 | ||
| -e GROUPER_TOMCAT_LOG_ACCESS=true (v2.5.29+) | default to false. if you want tomcat to log access. Apache does this too. | ||
| -e GROUPER_USE_SSL=false (v2.5.28+) | if you do not want apache listening on 443 ssl. If apache is running, default is true | ||
| -e GROUPER_MAX_MEMORY='3g' | set memory of java to 3 gigs. recommended 2 or 3 gig for WS and UI, and 12gig for daemon
Note: MEM_MAX is still used for GSH | ||
| -e GROUPER_EXTRA_CATALINA_OPTS='-XX:+PrintGCDetails' | add additional JVM options. default is blank | ||
| -e CATALINA_OPTS='whatever' | Generally you should not set this, unless you want to override all the default tomee Grouper customizations | ||
| -e GROUPER_AUTO_DDL_UPTOVERSION='v2.5.*' (v2.5.27+) | If you want Grouper to automatically install and update the database DDL when it starts up, and dont go to another minor version, anything for v2.5.* You can instead configure this in the grouper.hibernate.properties config file with key: registry.auto.ddl.upToVersion. Default blank | ||
| -e GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES=0.0.0.0/0 | Allow the configuration editor in the UI only from this IP address. Put in a cidr, or comma separated cidrs. Or open up and trust your authn/MFA and set to 0.0.0.0/0 You can instead configure this in the grouper-ui.properties config file with key: grouperUi.configurationEditor.sourceIpAddresses Default is 127.0.0.1/32 | ||
| -e GROUPER_START_DELAY_SECONDS=10 (v.2.5.27+) | If you want Grouper to delay on startup, e.g. if waiting for the database to start. Default is 0 You can instead configure this in the grouper.hibernate.properties config file with key: grouper.start.delay.seconds | ||
| -e GROUPER_UI_GROUPER_AUTH=true (v.2.5.27+) | If you want to use built-in Grouper authentication for the UI before you integrate Grouper with your SSO (default false) You can instead configure this in the grouper.hibernate.properties config file with key: grouper.is.ui.basicAuthn | ||
| -e GROUPER_WS_GROUPER_AUTH=true (v.2.5.27+) | If you want to use built-in Grouper authentication for the WS (default false) You can instead configure this in the grouper.hibernate.properties config file with key: grouper.is.ws.basicAuthn | ||
| -e GROUPER_WS_TOMCAT_AUTHN=true (v.2.5.27+) | Will setup the /opt/grouper/grouperWebapp/WEB-INF/web.xml and /opt/tomee/conf/server.xml to use tomcat authentication for web services. Note you should consider using Grouper LDAP or built in authentication instead. (default false) | ||
| -e GROUPER_SCIM_GROUPER_AUTH=true (v.2.5.27+) | If you want to use built-in Grouper authentication for SCIM (default false) You can instead configure this in the grouper.hibernate.properties config file with key: grouper.is.scim.basicAuthn | ||
| -e GROUPER_MORPHSTRING_ENCRYPT_KEY_FILE=/a/b/c (v.2.5.28+) | Location of morphString encryption key. Note the file just has the value inside (not name=value) You can instead configure this in the morphString.properties config file with key: encrypt.key | ||
| -e GROUPER_MORPHSTRING_ENCRYPT_KEY=myUnsecureKey (v.2.5.27+) | morphString encryption key. Note, passwords in environment variables or Docker commands are security risks You can instead configure this in the morphString.properties config file with key: encrypt.key | ||
| -e GROUPER_DATABASE_URL_FILE=/a/b/c (v.2.5.28+) | Location of the database jdbc url. Note the file just has the value inside (not name=value)
You can instead configure this in the grouper.hibernate.properties config file with key: hibernate.connection.url | ||
| -e GROUPER_DATABASE_URL='jdbc:postgresql://localhost:5432/database' (v.2.5.27+) | Database URL (if not provided from file) You can instead configure this in the grouper.hibernate.properties config file with key: hibernate.connection.url (default jdbc:hsqldb:hsql://localhost:9001/grouper) | ||
| -e GROUPER_DATABASE_USERNAME_FILE=/a/b/c (v.2.5.28+) | Database username from file. Note the file just has the value inside (not name=value) You can instead configure this in the grouper.hibernate.properties config file with key: hibernate.connection.username | ||
-e GROUPER_DATABASE_USERNAME=grouperSchema | Database username (if not provided by file) You can instead configure this in the grouper.hibernate.properties config file with key: hibernate.connection.username (default is: sa) | ||
| -e GROUPER_DATABASE_PASSWORD_FILE=/a/b/c (v.2.5.28+) | Database password, should be encrypted in file. Note the file just has the value or encrypted value (recommended) inside (not name=value) You can instead configure this in the grouper.hibernate.properties config file with key: hibernate.connection.password | ||
| -e GROUPER_DATABASE_PASSWORD=myUnsecurePass (v.2.5.27+) | Database password (if not provided by file). Note, passwords in environment variables or Docker commands are security risks You can instead configure this in the grouper.hibernate.properties config file with key: hibernate.connection.password | ||
| -e GROUPERSYSTEM_QUICKSTART_PASS=myUnsecurePass (v.2.5.27+) | If you are running the quickstart command on the container, and you set this env var, and you are doing grouper built in authentication in the UI and/or WS, then this password will log in GrouperSystem in the UI and/or WS. Note, this is a HUGE security problem if this is available in a production system. GrouperSystem should not be able to log in to Grouper via WS or UI. | ||
| -e GROUPER_CHOWN_DIRS=false (v.2.5.27+) | If you do not want the container to chown dirs that it needs owned by certain users. If you are making a subimage, if you can RUN chown -R tomcat:tomcat /opt/grouper \ && chown -R tomcat:tomcat /opt/tomee Then the startup of the image will be quicker (whether or not you pass in this variable). Docker subimages can COPY as root which negatively affects Grouper. (default is true) | ||
| -e GROUPER_LOG_TO_HOST=true (v.2.5.27+) | If you do not want Grouper to log to container pipes (for Maturity level 0) and you want Grouper to log to files and mount the /opt/grouper/logs dir to a host directory (default: false) | ||
-e GROUPER_USE_GROUPER_CONTEXT=true | Just use /grouper as the tomcat context no matter what (see "tomcat contexts" below) (default: false) | ||
| -e GROUPER_TOMCAT_CONTEXT=myGrouper (v2.5.28+) | Will rename the grouper.xml to be myGrouper.xml and use /myGrouper as context as far as tomcat is concerned. If running a single component (UI/WS/SCIM), then this should match the *_URL_CONTEXT (default: grouper unless only running WS or SCIM) | ||
| -e GROUPER_URL_CONTEXT=myGrouper (v2.5.28+) | The first part of URL for the grouper UI, defaults to "grouper" | ||
| -e GROUPERWS_URL_CONTEXT=myGrouper (v2.5.28+) | The first part of URL for the grouper WS, defaults to "grouper-ws" | ||
| -e GROUPERSCIM_URL_CONTEXT=myGrouper (v2.5.28+) | The first part of URL for the grouper SCIM, defaults to "grouper-ws-scim" | ||
| -e GROUPERUI_LOGOUT_REDIRECTTOURL=/some/path (v2.5.28+) | Set to grouper-ui.properties: grouperUi.logout.redirectToUrl This will be set to /Shibboleth.sso/Logout if the shib env var is set | ||
| -e GROUPER_LOG_PREFIX=grouper (v2.5.28+) | Log prefix. By default it is "grouper-ui' for ui-only container. grouper-ws for ws-only. grouper-scim for scim-only. grouper-daemon for daemon-only. Or "grouper" if not set to something else. | ||
| -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true (v2.5.28+) | Will run the tomee process as the only process in the container, not supervisor. Note, this is advanced, and should be run as the tomcat user. | ||
| -e GROUPER_RUN_PROCESSES_AS_USERS=false (v2.5.28+) | Set to false if you do not want to run processes as their default users (e.g. httpd runs as apache, tomcat runs as tomcat, shibboleth runs as shibd (this is advanced). (default: true) | ||
| -e GROUPER_GSH_CHECK_USER=false (v2.5.28+) | If you want other users to be able to run gsh.sh other than "tomcat" (default: true) |
...