- Install Docker
See if docker is running
# A populated "Server:" section in the output means the Docker daemon answered the client.
bin $ docker info
Client:
 Debug Mode: false
Server:
 Containers: 5
  Running: 0
  Paused: 0
List containers
# --all also lists stopped and never-started containers. The PORTS column shows what each
# container publishes; a 0.0.0.0: prefix means the port is bound on every host interface,
# so this listing doubles as a quick check of what the host exposes.
bin $ docker ps --all
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ca762df952a6 tier/gte:101.1.1-201906 "/usr/local/bin/entr…" 9 months ago Exited (137) 9 months ago 101.1.1
8f34afbb8629 tier/gte:201.1.1-201906 "/usr/local/bin/entr…" 9 months ago Created 0.0.0.0:80->80/tcp, 0.0.0.0:389->389/tcp, 0.0.0.0:3306->3306/tcp, 4443/tcp, 0.0.0.0:8443->443/tcp 201.1.1
476467cdebbc rabbitmq:management "docker-entrypoint.s…" 9 months ago Exited (255) 9 months ago 4369/tcp, 5671-5672/tcp, 15671/tcp, 25672/tcp, 0.0.0.0:15672->15672/tcp rabbitmq
13ac772c36c9 72c25d9fc4a8 "/usr/local/bin/entr…" 10 months ago Exited (255) 10 months ago 0.0.0.0:80->80/tcp, 0.0.0.0:389->389/tcp, 0.0.0.0:3306->3306/tcp, 4443/tcp, 0.0.0.0:8443->443/tcp gte-101.1.1
73fb83d9b03a tier/grouper-training-env:full_demo "/usr/local/bin/entr…" 18 months ago Exited (137) 17 months ago grouper-demo
bin $
Remove unneeded containers if necessary
# -f removes the container even if it is still running, and the container's own writable
# layer is deleted with it; check the ID against the `docker ps --all` listing first.
bin $ docker rm -f ca762df952a6
ca762df952a6
- See which version to run
Pull the image
# A tag can be re-pointed by the publisher. To get the identical image on every pull, pin
# the digest as well: i2incommon/grouper:2.5.15@sha256:<DIGEST_PLACEHOLDER>
# (placeholder; the digest is not given on this page).
bin $ docker pull i2incommon/grouper:2.5.15
Create a host directory whose files and folders are mounted into the container
# Host directory tree that the docker run step bind-mounts into the container as /opt/grouper/slashRoot.
2.5 $ mkdir -p /Users/mchyzer/grouper/2.5/grouperContainer/slashRoot
2.5 $ mkdir -p /Users/mchyzer/grouper/2.5/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes
# The properties file edited here holds the database password, so keep this tree readable
# only by the account that runs the container.
2.5 $ vi /Users/mchyzer/grouper/2.5/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties
- Create a local database (e.g. MySQL with utf8 and a bin collation), create a database user with a password, and grant that user all privileges on the new database
Set grouper.hibernate.properties
# NOTE(review): useSSL=false turns off TLS for the JDBC connection, so the database login and
# all registry traffic travel to 192.168.86.71 unencrypted. Acceptable for a local quick start;
# enable TLS to the database before using this outside a trusted network.
hibernate.connection.url = jdbc:mysql://192.168.86.71:3306/grouper_v2_5?useSSL=false
hibernate.connection.username = grouper_v2_5
# The password is stored in this file as written (masked on this page); restrict read access to the file.
hibernate.connection.password = ************

# what version should we auto install DDL up to. You should put the major and minor version here (e.g. 2.5.*). Or you could go to a build number if you like,
# or nothing to not auto DDL. e.g. 2.5.32 or 2.5.*
# {valueType: "string"}
registry.auto.ddl.upToVersion = 2.5.*

# UI basic auth is for quick start. Set to false when you migrate to shib or something else
# While these are true, the passwords created with GSH later on this page are the only
# login protection for the UI, WS and SCIM endpoints.
grouper.is.ui.basicAuthn=true
grouper.is.ws.basicAuthn=true
grouper.is.scim.basicAuthn = true
Set a unique encryption key in morphString.properties
2.5 $ vi /Users/mchyzer/grouper/2.5/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/morphString.properties
# random 16 char alphanumeric upper/lower
# NOTE(review): produce this value with a cryptographically secure random generator rather
# than typing it by hand, use a different key per environment, and keep the file out of
# version control and out of any image that gets shared.
encrypt.key = *******************
Configure logging
# Host side of the logs bind mount; the File paths below (/opt/grouper/logs/...) are the
# container side, so the log files outlive the container.
2.5 $ mkdir -p /Users/mchyzer/grouper/2.5/grouperContainer/logs
2.5 $ vi /Users/mchyzer/grouper/2.5/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
## Log messages to stderr
log4j.appender.grouper_stderr = org.apache.log4j.ConsoleAppender
log4j.appender.grouper_stderr.Target = System.err
log4j.appender.grouper_stderr.layout = org.apache.log4j.PatternLayout
log4j.appender.grouper_stderr.layout.ConversionPattern = %d{ISO8601}: [%t] %-5p %C{1}.%M(%L) - %x - %m%n

## Grouper API error logging
# NOTE(review): the stock log4j 1.2 DailyRollingFileAppender has no MaxBackupIndex property
# (that belongs to RollingFileAppender). Unless the image ships an extended appender, the
# MaxBackupIndex = 30 lines here and in the two appenders below are ignored and dated log
# files are never pruned - confirm, and rotate on the host if so.
log4j.appender.grouper_error = org.apache.log4j.DailyRollingFileAppender
log4j.appender.grouper_error.File = /opt/grouper/logs/grouper.log
log4j.appender.grouper_error.DatePattern = '.'yyyy-MM-dd
log4j.appender.grouper_error.MaxBackupIndex = 30
log4j.appender.grouper_error.layout = org.apache.log4j.PatternLayout
log4j.appender.grouper_error.layout.ConversionPattern = %d{ISO8601}: [%t] %-5p %C{1}.%M(%L) - %x - %m%n

log4j.appender.grouper_daemon = org.apache.log4j.DailyRollingFileAppender
log4j.appender.grouper_daemon.File = /opt/grouper/logs/grouperDaemon.log
log4j.appender.grouper_daemon.DatePattern = '.'yyyy-MM-dd
log4j.appender.grouper_daemon.MaxBackupIndex = 30
log4j.appender.grouper_daemon.layout = org.apache.log4j.PatternLayout
log4j.appender.grouper_daemon.layout.ConversionPattern = %d{ISO8601}: [%t] %-5p %C{1}.%M(%L) - %x - %m%n

log4j.appender.grouper_pspng = org.apache.log4j.DailyRollingFileAppender
log4j.appender.grouper_pspng.File = /opt/grouper/logs/pspng.log
log4j.appender.grouper_pspng.DatePattern = '.'yyyy-MM-dd
log4j.appender.grouper_pspng.MaxBackupIndex = 30
log4j.appender.grouper_pspng.layout = org.apache.log4j.PatternLayout
log4j.appender.grouper_pspng.layout.ConversionPattern = %d{ISO8601}: [%t] %-5p %C{1}.%M(%L) - %x - %m%n

# Loggers

## Default logger; will log *everything*
# The root level is WARN, so "everything" here means WARN and above from any logger
# that is not overridden below.
log4j.rootLogger = WARN, grouper_stderr, grouper_error

log4j.logger.edu = ERROR, grouper_stderr
log4j.logger.com = ERROR, grouper_stderr
log4j.logger.org = ERROR, grouper_stderr

# additivity = false keeps these two loggers' events out of the root appenders.
log4j.logger.edu.internet2.middleware.grouper.app.loader.GrouperLoaderLog = DEBUG, grouper_daemon
log4j.additivity.edu.internet2.middleware.grouper.app.loader.GrouperLoaderLog = false

log4j.logger.edu.internet2.middleware.grouper.pspng = INFO, grouper_pspng
log4j.additivity.edu.internet2.middleware.grouper.pspng = false
(UI ONLY) Allow the Grouper database configuration editor from all source IP addresses (dev only)
2.5 $ vi /Users/mchyzer/grouper/2.5/grouperContainer/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-ui.properties
# 0.0.0.0/0 matches every IPv4 source address, so this setting places no network restriction
# on the configuration editor (presumably it is the editor's client allow-list - confirm).
# Development only: on a shared or production host list the admin networks instead,
# e.g. 192.0.2.0/24 (constructed example).
grouperUi.configurationEditor.sourceIpAddresses = 0.0.0.0/0
Self-signed SSL
slashRoot $ mkdir -p /Users/mchyzer/grouper/2.5/grouperContainer/slashRoot/etc/httpd/conf.d
# NOTE(review): this opens ssl-enabled.conf in the current directory (slashRoot); presumably
# the file belongs in etc/httpd/conf.d created on the line above - confirm.
slashRoot $ vi ssl-enabled.conf
# With SSLv3, TLS 1.0 and TLS 1.1 subtracted, only TLS 1.2 and newer remain enabled.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# NOTE(review): the last four suites (ECDHE-*-AES256-SHA384, ECDHE-*-AES128-SHA256) are
# CBC-mode; they can be dropped when every client supports the GCM/CHACHA20 suites before them.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
# NOTE(review): a self-signed certificate has no OCSP responder, so stapling has nothing to
# fetch in this setup; it becomes useful once a CA-issued certificate is installed.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Listen 443 https
<VirtualHost *:443>
  RewriteEngine on
  RewriteRule "^/$" "/grouper/" [R]
  SSLEngine on
  #SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
  # Self-signed pair: clients cannot verify the server's identity until the certificate is
  # replaced by a CA-issued one or explicitly trusted. Keep the key file readable by root only.
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  # HSTS (mod_headers is required) (15768000 seconds = 6 months)
  Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
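(UI ONLY) Take out Shibboleth (shib) authentication; the UI then relies on the basic authentication enabled in grouper.hibernate.properties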
slashRoot $ vi /Users/mchyzer/grouper/2.5/grouperContainer/slashRoot/etc/httpd/conf.d/grouper-www.conf
Timeout 2400
ProxyTimeout 2400

ProxyBadHeader Ignore

# AJP has no authentication or encryption of its own. The target here is localhost, and the
# connector on 8009 should stay unreachable from other hosts (the docker run commands on this
# page publish only 8080 and 443).
ProxyPass /grouper ajp://localhost:8009/grouperWebapp timeout=2400
ProxyPass /grouper-ws ajp://localhost:8009/grouperWebapp timeout=2400
ProxyPass /grouper-ws-scim ajp://localhost:8009/grouperWebapp timeout=2400

RewriteEngine on
RewriteCond %{REQUEST_URI} "^/$"
# NOTE(review): the redirect target is built from the client-supplied Host header, so the
# 301 points wherever that header says. A fixed host name, or a relative target like the
# "/grouper/" rule in ssl-enabled.conf, avoids depending on request data.
RewriteRule . %{REQUEST_SCHEME}://%{HTTP_HOST}/grouper/ [R=301,L]

# The Shibboleth protection below is commented out, so nothing at the httpd layer requires a
# session for /grouper; authentication is left to the application's basic auth.
#<Location /grouper>
# AuthType shibboleth
# ShibRequestSetting requireSession 1
# ShibRequireSession on
# ShibUseHeaders On
# require shibboleth
#</Location>
(UI ONLY) Run the container
# --publish HOSTPORT:CONTAINERPORT without an address binds on every host interface; for a
# workstation-only trial, 127.0.0.1:8080:8080 and 127.0.0.1:8443:443 keep the UI off the network.
# The first bind mount carries the configuration (database password, encrypt.key) into the
# container; the second brings the logs back out to the host.
# --restart always restarts the container after a daemon or host restart until it is removed.
2.5 $ docker run --detach --publish 8080:8080 --publish 8443:443 \
  --mount type=bind,src=/Users/mchyzer/grouper/2.5/grouperContainer/slashRoot,dst=/opt/grouper/slashRoot \
  --mount type=bind,src=/Users/mchyzer/grouper/2.5/grouperContainer/logs,dst=/opt/grouper/logs \
  --restart always --name grouper-ui i2incommon/grouper:2.5.15 ui
Shell in there
# Opens an interactive shell in the running container; the prompt in the next step shows it runs as root.
2.5 $ docker exec -it grouper-ui /bin/bash
Start GSH, which initializes the database
[root@d588628876f7 WEB-INF]# cd /opt/grouper/grouperWebapp/WEB-INF/bin [root@d588628876f7 bin]# ls gsh.sh README.txt setenv.example.bat setenv.example.sh [root@d588628876f7 bin]# ./gsh.sh
See database tables
(UI ONLY) Create a UI username and password
vi createPass.gsh
// NOTE(review): the password is written into this script in clear text; delete createPass.gsh
// once it has run. GrouperSystem is Grouper's built-in root subject and, with basic
// authentication enabled, this password is the only thing protecting the UI login, so use a
// long random value.
grouperPasswordSave = new GrouperPasswordSave();
grouperPasswordSave.assignUsername("GrouperSystem").assignPassword("****").assignEntityType("username");
// Scope the credential to the UI application.
grouperPasswordSave.assignApplication(GrouperPassword.Application.UI);
new Authentication().assignUserPassword(grouperPasswordSave);
[root@d588628876f7 bin]# ./gsh.sh createPass.gsh
If you want to make your own image, make a Dockerfile
grouperContainer $ vi Dockerfile
FROM i2incommon/grouper:2.5.15
# NOTE(review): the build context "." is the grouperContainer directory, which also holds
# slashRoot/ (database password, encrypt.key) and logs/. All of it is sent to the daemon, and
# any COPY of those paths would bake the secrets into the image; use a .dockerignore or inject
# them at run time if the image will be shared.
# The output reports "Step 1/2", so the Dockerfile used had a second instruction that is not
# shown on this page.
grouperContainer $ docker build -t my-grouper-ui .
Sending build context to Docker daemon 216.1kB
Step 1/2 : FROM i2incommon/grouper:2.5.15
 ---> 04ced0374ad5
 ---> Running in 7bd1a51c3552
Removing intermediate container 7bd1a51c3552
 ---> ff79b4b2afb9
Successfully built ff79b4b2afb9
Successfully tagged my-grouper-ui:latest
(WS/SCIM ONLY) Create a WS/SCIM username and password
vi createPass.gsh
// NOTE(review): the password is written into this script in clear text; delete createPass.gsh
// once it has run. With basic authentication enabled this password is what web-service
// clients present, so use a long random value and send it only over the TLS port.
grouperPasswordSave = new GrouperPasswordSave();
grouperPasswordSave.assignUsername("GrouperSystem").assignPassword("****").assignEntityType("username");
// Scope the credential to the WS application.
grouperPasswordSave.assignApplication(GrouperPassword.Application.WS);
new Authentication().assignUserPassword(grouperPasswordSave);
[root@d588628876f7 bin]# ./gsh.sh createPass.gsh
(WS ONLY) Run the container
# Uses the same host ports (8080, 8443) as the other grouper-* run commands on this page, so
# only one of them can bind at a time; change the host side of --publish to run them together.
# Without an address, --publish binds on every host interface; prefix 127.0.0.1: to keep a
# local trial off the network. Port 8080 is plain HTTP, so basic-auth credentials sent to it
# are not encrypted.
2.5 $ docker run --detach --publish 8080:8080 --publish 8443:443 \
  --mount type=bind,src=/Users/mchyzer/grouper/2.5/grouperContainer/slashRoot,dst=/opt/grouper/slashRoot \
  --mount type=bind,src=/Users/mchyzer/grouper/2.5/grouperContainer/logs,dst=/opt/grouper/logs \
  --restart always --name grouper-ws i2incommon/grouper:2.5.15 ws
(SCIM ONLY) Run the container
# Uses the same host ports (8080, 8443) as the other grouper-* run commands on this page, so
# only one of them can bind at a time; change the host side of --publish to run them together.
# Without an address, --publish binds on every host interface; prefix 127.0.0.1: to keep a
# local trial off the network.
2.5 $ docker run --detach --publish 8080:8080 --publish 8443:443 \
  --mount type=bind,src=/Users/mchyzer/grouper/2.5/grouperContainer/slashRoot,dst=/opt/grouper/slashRoot \
  --mount type=bind,src=/Users/mchyzer/grouper/2.5/grouperContainer/logs,dst=/opt/grouper/logs \
  --restart always --name grouper-scim i2incommon/grouper:2.5.15 scim