...
- See which version of Grouper to run
Pull the image
    bin $ docker pull i2incommon/grouper:2.5.XX
Make sure the digest is correct (from release notes page)
    [root@ip-172-30-3-152 ~]# docker image inspect i2incommon/grouper:2.5.XX | grep i2incommon/grouper@sha256
    "i2incommon/grouper@sha256:b675bb410bf873483497b9b231e7a5db208645e58a3a42a8048381a33b79fd19"
Create a directory to hold files to put in your subcontainer. You might have one of these directories that is shared for ws/ui/daemon.
    2.5 $ mkdir -p /opt/grouperContainer
    2.5 $ mkdir -p /opt/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes
Set grouper.hibernate.properties. Note that in the DB URL, "localhost" is the container itself, not the enclosing server; you need to use an IP address that the container can communicate with. Look in grouper.hibernate.properties for documentation on setting up the URL.
    2.5 $ vi /opt/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties

    hibernate.connection.url = jdbc:mysql://192.168.86.71:3306/grouper_v2_5?useSSL=false
    hibernate.connection.username = grouper_v2_5
    hibernate.connection.password = ************

    # what version should we auto install DDL up to. You should put the major and minor version here (e.g. 2.5.*). Or you could go to a build number if you like,
    # or nothing to not auto DDL. e.g. 2.5.32 or 2.5.*
    # {valueType: "string"}
    registry.auto.ddl.upToVersion = 2.5.*

    # UI basic auth is for quick start. Set to false when you migrate to shib or something else
    grouper.is.ui.basicAuthn=true
    grouper.is.ws.basicAuthn=true
    grouper.is.scim.basicAuthn = true
If you can't connect to the database, go into the container (instructions later) and test the communication with telnet:
    grouperContainer $ docker exec -it grouper-daemon /bin/bash
    [root@0d9054515bed WEB-INF]# yum install telnet
    [root@0d9054515bed WEB-INF]# telnet database-2.cstlzkqw179p.us-east-1.rds.amazonaws.com 3306
    Trying 172.30.3.40...
    Connected to database-2.cstlzkqw179p.us-east-1.rds.amazonaws.com.
    Escape character is '^]'.
    X 5.5.5-10.4.8-MariaDBK;&I~bLþ8pOz8H?EzW(\mysql_native_password^CConnection closed by foreign host.
    [root@0d9054515bed WEB-INF]#
- The container contains JDBC drivers for HSQL, MySQL and Postgres. If you're using Oracle, you'll need to add the jar.
Might want to use: https://raw.githubusercontent.com/Internet2/grouper/GROUPER_2_4_BRANCH/grouper/lib/jdbcSamples/ojdbc6_g.jar
Might want to use: https://repo1.maven.org/maven2/com/oracle/ojdbc/ojdbc8/19.3.0.0/ojdbc8-19.3.0.0.jar

    2.5 $ ls -al /opt/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/lib/ojdbc6_g.jar
Set the unique encryption key in morphString.properties
    2.5 $ vi /opt/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/morphString.properties

    # random 16 char alphanumeric upper/lower
    encrypt.key = *******************
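The two steps above that are easy to get wrong by hand are the digest check on the pulled image and the morphString key. The script below is an added example (not from the Grouper wiki or the Grouper project): digest_matches compares the digest docker reports against the one on the release notes page, and gen_morph_key draws the 16 alphanumeric characters that encrypt.key needs from /dev/urandom instead of a person typing them. EXPECTED_DIGEST is the digest shown on this page for 2.5.XX and is only an illustration; the function and variable names are this example's own, and verify_pulled_image needs a docker daemon, so it runs only when the script is invoked with --run.

```shell
#!/bin/sh
# Added example (not Grouper project code): checks for the image pull and
# morphString steps of building a Grouper subcontainer.
#   digest_matches      - does a RepoDigests line carry exactly the expected digest?
#   verify_pulled_image - ask docker for the local image's RepoDigests and check them
#   gen_morph_key       - random 16-char [A-Za-z0-9] value for morphString encrypt.key
#
# EXPECTED_DIGEST is the value shown on this page for 2.5.XX (illustration only);
# take the real one from the release notes for the version you pull.
EXPECTED_DIGEST="sha256:b675bb410bf873483497b9b231e7a5db208645e58a3a42a8048381a33b79fd19"

# extract_digest LINE
# Prints the sha256 digest found in a RepoDigests entry such as
#   "i2incommon/grouper@sha256:b675..."  (surrounding quotes/whitespace tolerated)
# or prints nothing when the line has no well-formed 64-hex-digit digest.
extract_digest() {
  printf '%s\n' "$1" | sed -n 's/.*@\(sha256:[0-9a-f]\{64\}\).*/\1/p'
}

# digest_matches EXPECTED LINE
# Exit status 0 only when LINE contains a digest equal to EXPECTED.
digest_matches() {
  actual="$(extract_digest "$2")"
  [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# verify_pulled_image IMAGE EXPECTED
# Reads the RepoDigests of a locally pulled image (docker's Go template output)
# and checks the entry for the image's repository. Returns 1 on mismatch or if
# the image is absent, so a build script can stop before building on it.
verify_pulled_image() {
  image="$1"; expected="$2"
  repo="${image%%:*}"   # "i2incommon/grouper:2.5.XX" -> "i2incommon/grouper"
  line="$(docker image inspect --format '{{range .RepoDigests}}{{.}}{{"\n"}}{{end}}' "$image" 2>/dev/null \
          | grep "^${repo}@" | head -n 1)"
  if digest_matches "$expected" "$line"; then
    echo "OK: $image digest matches the release notes"
    return 0
  fi
  echo "MISMATCH: $image reports '${line:-no digest}' but expected $expected" >&2
  return 1
}

# gen_morph_key
# 16 characters from [A-Za-z0-9], taken from /dev/urandom (LC_ALL=C keeps tr
# byte-oriented so multibyte locales do not make it reject input).
gen_morph_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# Live checks only when invoked as: sh thisscript.sh --run
if [ "${1:-}" = "--run" ]; then
  verify_pulled_image "i2incommon/grouper:2.5.XX" "$EXPECTED_DIGEST" || exit 1
  printf 'encrypt.key = %s\n' "$(gen_morph_key)"
fi
```

Run it with --run on the host where you pulled the image; a digest mismatch exits non-zero before anything is built on top of the image, and the printed encrypt.key line can be pasted straight into morphString.properties.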
Decide how many containers
Strategy: SEPARATE-CONTAINERS
  Containers: ui, ws, daemon, scim
  Notes:
  - More like a production env
  - Uses more memory
  - Can control, bring up/down, configure each separately
  - Need to manage ports. Generally 443 for UI, 8443 for WS, 8444 for Scim

Strategy: ALL-IN-ONE
  Containers: all
  Notes:
  - Runs everything in one container. Don't do this in prod
  - Uses less memory
  - When anything is up or down all is up or down
  - Can use 443 for UI, WS, Scim

Strategy: UI-WS
  Containers: ui-ws, daemon
  Notes:
  - This is not documented here. Don't do this in prod

You can have a hybrid and put whatever components in whatever containers you want.

Assume logs go to docker. If you want to mount external logs, follow the directions from maturity level 0.
Allow the Grouper database configuration editor from all IP addresses. Decide whether you trust your authn and MFA enough to leave this open, or lock it down to your VPN or similar.
    2.5 $ vi /opt/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-ui.properties

    grouperUi.configurationEditor.sourceIpAddresses = 0.0.0.0/0
Make a Dockerfile and subcontainer
    slashRoot $ vi /opt/grouperContainer/Dockerfile

    # this matches the version you decided on from release notes
    ARG GROUPER_VERSION=2.5.XX
    FROM i2incommon/grouper:${GROUPER_VERSION}

    # this will overlay all the files from /opt/grouperContainer/slashRoot on to /
    COPY slashRoot /

    RUN chown -R tomcat:tomcat /opt/grouper \
        && chown -R tomcat:tomcat /opt/tomee
Build the container. Note that you could have one subcontainer (recommended if possible) and deploy it to UI/WS/daemon (either ALL-IN-ONE or SEPARATE-CONTAINERS).
    grouperContainer $ docker build -t my-grouper-2.5.XX /opt/grouperContainer
    Sending build context to Docker daemon  216.1kB
    Step 1/2 : FROM i2incommon/grouper:2.5.XX
     ---> 04ced0374ad5
     ---> Running in 7bd1a51c3552
    Removing intermediate container 7bd1a51c3552
     ---> ff79b4b2afb9
    Successfully built ff79b4b2afb9
    Successfully tagged my-grouper-2.5.XX:latest
See maturity level 0 for the Docker run command (approx step 15) and make your shell script(s). Note that you do not need mounts. e.g. for the UI:
    docker run --detach -e RUN_SHIB_SP='false' \
      -e SELF_SIGNED_CERT='true' --name grouper-ui --publish 443:443 my-grouper-2.5.XX:latest ui
- Setup the database run grouper