docker: consolidates docker build/configure and makes security conf the same as in vlkb-soda

data-discovery/src/main/resources/formatresponsefilter.properties

@@ -8,7 +8,10 @@ db_password=
 # VLKB-legacy: surveys metadata in csv file
 surveys_metadata_abs_pathname=
 
-# these URL's are used in response.xml so client can access those services
+# these URL's (up to '?') are used in response.xml so client can access those services
 cutout_url=
 merge_url=
 
+# set reponse format
+# response_format=application/x-votable+xml
+

docker/Dockerfile.vlkb → docker/Dockerfile

@@ -12,27 +12,24 @@ RUN apt -y update \
                    rabbitmq-server openjdk-17-jre openjdk-17-jdk tomcat9 tomcat9-admin \
                    postgresql-client
 
+ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+ENV CATALINA_BASE=/var/lib/tomcat9
+ENV CATALINA_HOME=/usr/share/tomcat9
+ENV CATALINA_TMPDIR=/tmp
+ENV WEBAPP_DIR=/webapps/vlkb-search
 
-RUN mkdir -p /webapps/vlkb-search
+RUN mkdir -p ${WEBAPP_DIR}
 ARG VLKB_VERSION
-COPY vlkb-search-${VLKB_VERSION}.war /webapps/vlkb-search/
-RUN cd /webapps/vlkb-search && jar -xf vlkb-search-${VLKB_VERSION}.war \
+COPY vlkb-search-${VLKB_VERSION}.war ${WEBAPP_DIR}/
+RUN cd ${WEBAPP_DIR} && jar -xf vlkb-search-${VLKB_VERSION}.war \
  && mkdir /srv/surveys
-COPY postgresql-*.jar  /var/lib/tomcat9/lib
 
-# Lines with postgresql_*.jar: provide DB-driver so Tomcat loads it
-# vlkb-search does not explicitely load DB-driver
+# Tomcat must load postgresql DB driver, vlkb-search does not explicitely load it
+COPY deps/postgresql-*.jar  /var/lib/tomcat9/lib
 
+# configure
 
-# configure instance
-
-COPY config-vlkb/auth.properties config-vlkb/neatoken.properties config-vlkb/iamtoken.properties config-vlkb/formatresponsefilter.properties /webapps/vlkb-search/WEB-INF/classes/
-
-#COPY ssl/keystore.jks /root/
-COPY ssl/server.xml ssl/server-connector-8080.xml ssl/server-connector-8443.xml /etc/tomcat9/
-
-# configure during docker run-time
-
+COPY deps/server.xml deps/server-connector.xml /etc/tomcat9/
 COPY entrypoint.sh /root
 
 RUN echo "alias log-catalina='ls -t /var/log/tomcat9/catalina*.log | head -n 1 | xargs tail -200 '" >> /root/.bashrc

docker/Makefile

@@ -32,7 +32,7 @@ ast-9.2.9.tar.gz:
 
 .PHONY: build
 build:
-	docker build --build-arg VLKB_VERSION=$(VERSION) -t siav2 -f Dockerfile.vlkb .
+	docker build --build-arg VLKB_VERSION=$(VERSION) -t siav2 -f Dockerfile .
 
 # the docker-login below needed a ca-cert(?) which in the middle of the certificate-chain,
 # but was not automatically downloaded and also local cert/ket pair(?) ->

docker/config-vlkb/Obsolete/context-cutout.xml

-<Context docBase="/webapps/vlkb-cutout">
-
-        <Resources allowLinking="true">
-                <PostResources readOnly="false"
-                        className="org.apache.catalina.webresources.DirResourceSet"
-                        base="/srv/cutouts"
-                        webAppMount="/cutouts"/>
-                <PostResources readOnly="true"
-                        className="org.apache.catalina.webresources.DirResourceSet"
-                        base="/srv/surveys"
-                        webAppMount="/surveys"/>
-        </Resources>
-
-</Context>
-

docker/config-vlkb/Obsolete/tomcat-users.xml

-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<tomcat-users xmlns="http://tomcat.apache.org/xml"
-              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
-              version="1.0">
-<!--
-  NOTE:  By default, no user is included in the "manager-gui" role required
-  to operate the "/manager/html" web application.  If you wish to use this app,
-  you must define such a user - the username and password are arbitrary. It is
-  strongly recommended that you do NOT use one of the users in the commented out
-  section below since they are intended for use with the examples web
-  application.
--->
-<!--
-  NOTE:  The sample user and role entries below are intended for use with the
-  examples web application. They are wrapped in a comment and thus are ignored
-  when reading this file. If you wish to configure these users for use with the
-  examples web application, do not forget to remove the <!.. ..> that surrounds
-  them. You will also need to set the passwords to something appropriate.
--->
-<!--
-  <role rolename="tomcat"/>
-  <role rolename="role1"/>
-  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
-  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
-  <user username="role1" password="<must-be-changed>" roles="role1"/>
--->
-
-  <role rolename="manager-script"/>
-  <user username="admin" password="IA2lbt09" roles="manager-script"/>
-</tomcat-users>
-

docker/config-vlkb/Obsolete/vlkb-obscore.datasets.conf

-
-# root of path for local access
-fits_path_surveys=/srv/surveys
-
-# obs_publisher_did = <obscore publisher> ? <generated-pubdid>
-obscore_publisher=ivo://ia2.inaf.it/vlkb/datasets
-
-# full access URL: <obscore_access_url>/<storage-path>/<file-name>
-obscore_access_url=https://vlkb-devel.ia2.inaf.it:8443/vlkb/datasets/surveys
-obscore_access_format=application/fits
-
-# logging (holds last exec only)
-# log_dir=/tmp
-# log_filename=vlkb-obscore.log
-

docker/config-vlkb/Obsolete/vlkbd.datasets.conf

-
-# path to original files
-fits_path_surveys=/srv/surveys
-# path to generated cutouts
-fits_path_cutouts=/srv/cutouts
-
-# logging records last request only
-# log_dir=/tmp
-# log_filename=vlkbd.log
-

docker/config-vlkb/Obsolete/web-cutout.xml

-<?xml version="1.0" encoding="UTF-8"?>
-
-<!--
- Copyright 2004-2005 Sun Microsystems, Inc.  All rights reserved.
- Use is subject to license terms.
--->
-
-<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
-        <display-name>Via Lactea. Query FITS datacubes.</display-name>
-        <distributable/>
-
-
-
-<!-- no authorization filter configured -->
-
-    <servlet>
-        <servlet-name>default</servlet-name>
-        <servlet-class>
-          org.apache.catalina.servlets.DefaultServlet
-        </servlet-class>
-        <init-param>
-            <param-name>debug</param-name>
-            <param-value>1</param-value>
-        </init-param>
-        <init-param>
-            <param-name>listings</param-name>
-            <param-value>true</param-value>
-        </init-param>
-        <load-on-startup>1</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>default</servlet-name>
-        <url-pattern>/</url-pattern>
-    </servlet-mapping>
-
-
-
-
-
-
-
-
-        <servlet>
-                <servlet-name>vlkb_cutout</servlet-name>
-                <servlet-class>ServletCutout</servlet-class>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>vlkb_cutout</servlet-name>
-                <url-pattern>/vlkb_cutout</url-pattern>
-        </servlet-mapping>
-
-        <servlet>
-                <servlet-name>vlkb_mcutout</servlet-name>
-                <servlet-class>ServletMCutout</servlet-class>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>vlkb_mcutout</servlet-name>
-                <url-pattern>/vlkb_mcutout</url-pattern>
-        </servlet-mapping>
-
-
-        <servlet>
-                <servlet-name>vlkb_merge</servlet-name>
-                <servlet-class>ServletMerge</servlet-class>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>vlkb_merge</servlet-name>
-                <url-pattern>/vlkb_merge</url-pattern>
-        </servlet-mapping>
-
-
-        <servlet>
-                <servlet-name>vlkb_vosi_availability</servlet-name>
-                <servlet-class>VlkbServletFile</servlet-class>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>vlkb_vosi_availability</servlet-name>
-                <url-pattern>/availability</url-pattern>
-        </servlet-mapping>
-
-
-        <servlet>
-                <servlet-name>vlkb_vosi_capabilities</servlet-name>
-                <servlet-class>VlkbServletFile</servlet-class>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>vlkb_vosi_capabilities</servlet-name>
-                <url-pattern>/capabilities</url-pattern>
-        </servlet-mapping>
-
-
-        <servlet>
-                <servlet-name>vlkb_soda</servlet-name>
-                <servlet-class>ServletCutout</servlet-class>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>vlkb_soda</servlet-name>
-                <url-pattern>/soda</url-pattern>
-        </servlet-mapping>
-        <servlet-mapping>
-                <servlet-name>vlkb_soda</servlet-name>
-                <url-pattern>/vlkb_soda</url-pattern>
-        </servlet-mapping>
-
-
-        <servlet>
-                <servlet-name>uws_merge</servlet-name>
-                <servlet-class>UWSMerge</servlet-class>
-                <init-param>
-                        <param-name>name</param-name>
-                        <param-value>merge</param-value>
-                </init-param>
-                 <init-param>
-                        <param-name>rootDirectory</param-name>
-                        <param-value>/tmp</param-value>
-                </init-param>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>uws_merge</servlet-name>
-                <url-pattern>/uws_merge/*</url-pattern>
-        </servlet-mapping>
-
-
-        <servlet>
-                <servlet-name>uws_mcutout</servlet-name>
-                <servlet-class>UWSMCutout</servlet-class>
-                <init-param>
-                        <param-name>name</param-name>
-                        <param-value>mcutout</param-value>
-                </init-param>
-                 <init-param>
-                        <param-name>rootDirectory</param-name>
-                        <param-value>/tmp</param-value>
-                </init-param>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>uws_mcutout</servlet-name>
-                <url-pattern>/uws_mcutout/*</url-pattern>
-        </servlet-mapping>
-
-
-        <servlet>
-                <servlet-name>uws_soda</servlet-name>
-                <servlet-class>UWSSoda</servlet-class>
-                <init-param>
-                        <param-name>name</param-name>
-                        <param-value>soda_uws</param-value>
-                </init-param>
-                 <init-param>
-                        <param-name>rootDirectory</param-name>
-                        <param-value>/tmp</param-value>
-                </init-param>
-        </servlet>
-        <servlet-mapping>
-                <servlet-name>uws_soda</servlet-name>
-                <url-pattern>/soda_uws/*</url-pattern>
-        </servlet-mapping>
-
-</web-app>

docker/config-vlkb/auth.properties

-rap_uri=https://sso.ia2.inaf.it/rap-ia2
-gms_uri=https://sso.ia2.inaf.it/gms
-client_id=vospace_ui_demo
-client_secret=VOSpaceDemo123
-
-groups_autoload=true
-store_state_on_login_endpoint=true
-scope=openid email profile read:rap
-
-allow_anonymous_access=true

docker/config-vlkb/authpolicy.properties

-db_uri=jdbc:postgresql://127.0.0.1:5432/vialactea
-db_schema=datasets
-db_user_name=vialactea
-db_password=ia2vlkb
-
-

docker/config-vlkb/formatresponsefilter.properties

-
-# used to retrieve extraCards to add to FITS_header (VLKB-only)
-surveys_metadata_abs_pathname=/srv/surveys/survey_populate.csv
-
-# these URL's are used to construct cutout merge requests strings in response.xml
-cutout_url=http://vlkb-devel.ia2.inaf.it:8004/vlkb/datasets/vlkb_cutout
-merge_url=http://vlkb-devel.ia2.inaf.it:8004/vlkb/datasets/vlkb_merge

docker/config-vlkb/iamtoken.properties

-
-#jwks_url=https://iam-escape.cloud.cnaf.infn.it/jwk
-introspect=https://iam-escape.cloud.cnaf.infn.it/introspect
-client_name=02cc260f-9837-4907-b2cb-a1a2d764fb15
-client_password=AJMi3qrB6AHRp_6y55tEwU-IpJ8uZ6X4QXeQ3W4la6dc-BlkzAY1OQpAE9hb1W7-VfYl4208FUtjE2Cl3hUYLkQ
-
-resource_id=vlkb
-
-non_authn_username=anonymous
-

docker/config-vlkb/neatoken.properties

-
-jwks_url=https://sso.neanias.eu/auth/realms/neanias-production/protocol/openid-connect/certs
-
-resource_id=vlkb
-
-non_authn_username=anonymous
-

docker/entrypoint.sh

@@ -7,59 +7,66 @@ LOG_FILE=/tmp/entrypoint.log
 date
 whoami
 env
-#########################################################################
-#INST_DIR="/usr/local"
-WEBAPP_DIR=/webapps
 
+#########################################################################
+echo "run-time config (compose.yaml):"
 echo "SECURITY   : "$SECURITY
 echo "DISCOVERY_CONTEXT_ROOT : "$DISCOVERY_CONTEXT_ROOT
-echo "DISCOVERY_DB_URI       : "$DISCOVERY_DB_URI
+echo "DB_*                   : "$DB_URI" ["$DB_SCHEMA"] "$DB_USERNAME" / "$DB_PASSWORD
+echo "METADATA_PATHNAME  : "$METADATA_PATHNAME
+echo "CUTOUT_SERVICE_URL : "$CUTOUT_SERVICE_URL
+echo "MERGE_SERVICE_URL  : "$MERGE_SERVICE_URL
 echo "RESPONSE_FORMAT    : "$RESPONSE_FORMAT
-echo "URL_CUTOUTS            : "$URL_CUTOUTS
-echo "INST_DIR   : "$INST_DIR
+
+echo "build-time config'd (Dockefile):"
 echo "WEBAPP_DIR : "$WEBAPP_DIR
+echo "JAVA_HOME  : "$JAVA_HOME
+echo "CATALINA_BASE   : "$CATALINA_BASE
+echo "CATALINA_HOME   : "$CATALINA_HOME
+echo "CATALINA_TMPDIR : "$CATALINA_TMPDIR
 #########################################################################
 
+echo "<Context docBase=\"$WEBAPP_DIR\"/>" > $CATALINA_BASE/conf/Catalina/localhost/$DISCOVERY_CONTEXT_ROOT.xml
 
-if test -n "$DISCOVERY_CONTEXT_ROOT" && test -n "$DISCOVERY_DB_URI"
-then
 
-   if test -n "$SECURITY"
-   then
-     cd $WEBAPP_DIR/vlkb-search/WEB-INF/ && rm -f web.xml && cp web-search-$SECURITY.xml web.xml && cd -
-   fi
+# configure DB with ObsCore
 
-   echo "<Context docBase=\"$WEBAPP_DIR/vlkb-search\"/>" > /var/lib/tomcat9/conf/Catalina/localhost/$DISCOVERY_CONTEXT_ROOT.xml
-   echo "db_uri=$DISCOVERY_DB_URI"  >  $WEBAPP_DIR/vlkb-search/WEB-INF/classes/search.properties
-   echo "db_schema=datasets"        >> $WEBAPP_DIR/vlkb-search/WEB-INF/classes/search.properties
-   echo "db_user_name=$DB_USERNAME" >> $WEBAPP_DIR/vlkb-search/WEB-INF/classes/search.properties
-   echo "db_password=$DB_PASSWORD"  >> $WEBAPP_DIR/vlkb-search/WEB-INF/classes/search.properties
-   # use the same DB for authz permissions (ObsCore with extensions)
-   cp $WEBAPP_DIR/vlkb-search/WEB-INF/classes/search.properties $WEBAPP_DIR/vlkb-search/WEB-INF/classes/authpolicy.properties
+{
+   echo "db_uri=$DB_URI"
+   echo "db_schema=$DB_SCHEMA"
+   echo "db_user_name=$DB_USERNAME"
+   echo "db_password=$DB_PASSWORD"  
+} >> $WEBAPP_DIR/WEB-INF/classes/search.properties
+
+
+# configure response format
 
+grep db_ $WEBAPP_DIR/WEB-INF/classes/search.properties > $WEBAPP_DIR/WEB-INF/classes/formatresponsefilter.properties
+{
+   echo "surveys_metadata_abs_pathname=$METADATA_PATHNAME"
+   echo "cutout_url=$CUTOUT_SERVICE_URL"
+   echo "merge_url=$MERGE_SERVICE_URL"
    if test -n "$RESPONSE_FORMAT"
    then
-      echo "response_format=$RESPONSE_FORMAT" >> $WEBAPP_DIR/vlkb-search/WEB-INF/classes/formatresponsefilter.properties
+      echo "response_format=$RESPONSE_FORMAT"
    fi
+} >> $WEBAPP_DIR/WEB-INF/classes/formatresponsefilter.properties
 
 
-fi
-
+# configure security
 
-# configure port/SSL connector: (path is relative to the dir where compose.yaml is
-# - web.xml to run filters set above
-# * ssl: set tomcat connector with certificates (ia2 needs SECTIGO, iam needs self-signed keystore.jks)
-# * keep right jjwt*.jar libs (ia2 authlib needs v0.11, iam needs v0.12)
-# assume all files in ssl sub-dir relative to where compose.yaml is
-# set volume mapping in compose.yaml: ssl/ -> /etc/pki/tls/
 case $SECURITY in
    ia2token)
-      cp /root/ssl/server-connector-8443.xml /etc/tomcat9/server-connector-8443.xml
-      rm /webapps/vlkb-search/WEB-INF/lib/jjwt-*0.12*.jar
+      cd $WEBAPP_DIR/WEB-INF/ && rm -f web.xml && cp web-cutout-$SECURITY.xml web.xml && cd -
+      cp /etc/pki/tls/server-connector.xml /etc/tomcat9/
+      cp /etc/pki/tls/auth*.properties $WEBAPP_DIR/WEB-INF/classes/
+      rm -f /webapps/vlkb-cutout/WEB-INF/lib/jjwt-*0.12*.jar
       ;;  
    iamtoken)
-      cp /root/ssl/server-connector-8443.xml  /etc/tomcat9/server-connector-8443.xml
-      rm /webapps/vlkb-search/WEB-INF/lib/jjwt-*0.11*.jar
+      cd $WEBAPP_DIR/WEB-INF/ && rm -f web.xml && cp web-cutout-$SECURITY.xml web.xml && cd -
+      cp /etc/pki/tls/server-connector.xml /etc/tomcat9/
+      cp /etc/pki/tls/iamtoken.properties $WEBAPP_DIR/WEB-INF/classes/
+      rm -f /webapps/vlkb-cutout/WEB-INF/lib/jjwt-*0.11*.jar
       ;;  
    *)  
       echo "Security not configured, runs open."
@@ -67,29 +74,12 @@ case $SECURITY in
 esac
 
 
-
-if test -n "$SECURITY"
-then
-   cd /etc/tomcat9/ && ln -s server-connector-8443.xml server-connector.xml && cd -
-else
-   cd /etc/tomcat9/ && ln -s server-connector-8080.xml server-connector.xml && cd -
-fi
-
-
-
-# configure access-token validation
-if test -f /srv/surveys/iamtoken.properties
-then
-   cp /srv/surveys/iamtoken.properties $WEBAPP_DIR/vlkb-search/WEB-INF/classes/
-fi
-
-
-
+###################################################################
 date
 
 } 1> $LOG_FILE 2>&1
 
-JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 CATALINA_BASE=/var/lib/tomcat9 CATALINA_HOME=/usr/share/tomcat9 CATALINA_TMPDIR=/tmp /usr/libexec/tomcat9/tomcat-start.sh &
+/usr/libexec/tomcat9/tomcat-start.sh &
 
 wait -n
 

docker/compose-example.yaml → docker/example-compose.yaml

@@ -26,12 +26,15 @@ services:
       - SECURITY=
         #- SECURITY=ia2token
       - DISCOVERY_CONTEXT_ROOT=vlkb#datasets#vlkb_search
-      - DISCOVERY_DB_URI=jdbc:postgresql://vlkb-db:5432/vialactea
+      - DB_URI=jdbc:postgresql://vlkb-db:5432/vialactea
       - DB_USERNAME=vialactea
       - DB_PASSWORD=ia2vlkb
-        #- VLKBOBSCORE_PG_URI=postgresql://vialactea:ia2vlkb@localhost:5432/vialactea
+      - METADATA_PATHNAME=/srv/surveys/survey_populate.csv
+      - CUTOUT_SERVICE_URL=http://vlkb-devel.ia2.inaf.it:8004/vlkb/datasets/vlkb_cutout
+      - MERGE_SERVICE_URL=http://vlkb-devel.ia2.inaf.it:8004/vlkb/datasets/vlkb_merge
         #- RESPONSE_FORMAT=application/x-vlkb+xml
         #- RESPONSE_FORMAT=application/x-votable+xml
+        #- VLKBOBSCORE_PG_URI=postgresql://vialactea:ia2vlkb@localhost:5432/vialactea
     volumes:
       - /srv/vlkb/surveys:/srv/surveys:z
         #- ./ssl:/etc/pki/tls:z