docker: remove unused examples and debian dockerfile; fix filename typo on logging conf file

Makefile

@@ -30,8 +30,8 @@ clean:
 # 20250401 Owner glpat-JhqpFhEGvxuVzHqxjwqx
 .PHONY: upload-war-deb
 upload-war-deb:
-	curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-soda-$(VERSION).war  https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.5/vlkb-soda-$(VERSION).war
-	curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-$(VERSION).deb  https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.5/vlkb-$(VERSION).deb
-	curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-obscore-$(VERSION).deb  https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.5/vlkb-obscore-$(VERSION).deb
-	curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkbd-$(VERSION).deb  https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.5/vlkbd-$(VERSION).deb
+	curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-soda-$(VERSION).war  https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7/vlkb-soda-$(VERSION).war
+	curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-$(VERSION).deb  https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7/ubuntu22/vlkb-$(VERSION).deb
+	curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-obscore-$(VERSION).deb  https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7/ubuntu22/vlkb-obscore-$(VERSION).deb
+	curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkbd-$(VERSION).deb  https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7/ubuntu22/vlkbd-$(VERSION).deb
 

docker/Dockerfile.soda

-FROM debian:bullseye-slim
+FROM tomcat:9-jre17-temurin-jammy
+# From: https://hub.docker.com/_/tomcat/
+# The default Tomcat environment in the image is:
+# CATALINA_BASE:   /usr/local/tomcat
+# CATALINA_HOME:   /usr/local/tomcat
+# CATALINA_TMPDIR: /usr/local/tomcat/temp
+# JRE_HOME:        /usr
+# CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
+# The configuration files are available in /usr/local/tomcat/conf/.
+
+ENV CATALINA_BASE=/usr/local/tomcat
+ENV CATALINA_HOME=/usr/local/tomcat
 
 WORKDIR /root
 ENV HOME /root
 
-RUN apt-get -y update \
- && apt-get -y --no-install-recommends install libcfitsio9 \
-                  unzip openjdk-17-jre-headless tomcat9 libtcnative-1 ca-certificates
 
-ENV CATALINA_BASE=/var/lib/tomcat9
-ENV CATALINA_HOME=/usr/share/tomcat9
+RUN apt-get -y update \
+ && apt-get -y install apt-utils \
+ && apt-get -y install libcfitsio-bin unzip
 
-RUN rm -rf $CATALINA_BASE/webapps/examples/ \
-           $CATALINA_BASE/webapps/docs/ \
-           $CATALINA_BASE/webapps/host-manager
 
 ENV WEBAPP_DIR=/webapps/vlkb-soda
 
+
 COPY deps/ast_9.2.9-1_amd64.deb ./
 RUN dpkg -i /root/ast_9.2.9-1_amd64.deb && ldconfig \
  && mkdir -p ${WEBAPP_DIR} \
- && mkdir -p /srv/surveys \
- && mkdir -p /srv/cutouts \
+ && mkdir -p /srv/surveys && mkdir -p /srv/cutouts \
  && mkdir -p /etc/pki/tls
 
 ARG VLKB_VERSION
-
 COPY vlkb-${VLKB_VERSION}.deb ./
 COPY vlkb-soda-${VLKB_VERSION}.war ${WEBAPP_DIR}/
 RUN dpkg -i vlkb-${VLKB_VERSION}.deb \
  && cd ${WEBAPP_DIR} && unzip vlkb-soda-${VLKB_VERSION}.war \
- && apt-get autoremove && apt-get clean \
  && rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*0.11*.jar
 # remove jjwt used by IA2 (IA2 and IAM token filters used different ver of jjwt)
 
-
-# configure build instance
+# configure instance
 
 ENV INST_DIR=/usr/local
 
 RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \
  && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties
 
-# change webapps-dir and preconfigure port 8080 (no SSL)
+# pre-configure port 8080 (no TSL)
 COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/
 COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/
 COPY deps/setenv.sh ${CATALINA_BASE}/bin/
 
-env ACCESS_CONTEXT_ROOT=datasets
-
-# configure at start-up
-
-COPY start-soda.sh.soda /root/start-soda.sh
-
-# modif permissions to allow run as non-root
-WORKDIR ${CATALINA_HOME}
-# orig was: chmod 1777 logs temp work;
-# logs --> /var/log/tomcat9 work --> /var/cache/tomcat9 temp (missing)
-RUN chmod -R +rX .; chmod 1777 /var/log/tomcat9 /var/cache/tomcat9
+# modif permissions to allow run as non-root: need to config TSL and ROOT-CONTEXT
 WORKDIR ${CATALINA_BASE}
 RUN chmod -R a+rwX conf
 
@@ -64,6 +57,11 @@ RUN chmod -R a+rwX conf
 RUN chmod a+rw ${WEBAPP_DIR}/WEB-INF/web.xml \
  && chmod a+rw ${WEBAPP_DIR}/WEB-INF/classes/iamtoken.properties
 
+env ACCESS_CONTEXT_ROOT=datasets
+# configure during start-up
+COPY start-soda.sh.soda /root/start-soda.sh
+
+
 RUN chmod +rx /root && chmod +rx /root/start-soda.sh
 USER 1000:1000
 CMD ["sh", "-c", "/root/start-soda.sh"]

docker/Dockerfile.soda.temurin-jammy

-FROM tomcat:9-jre17-temurin-jammy
-# From: https://hub.docker.com/_/tomcat/
-# The default Tomcat environment in the image is:
-# CATALINA_BASE:   /usr/local/tomcat
-# CATALINA_HOME:   /usr/local/tomcat
-# CATALINA_TMPDIR: /usr/local/tomcat/temp
-# JRE_HOME:        /usr
-# CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
-# The configuration files are available in /usr/local/tomcat/conf/.
-
-ENV CATALINA_BASE=/usr/local/tomcat
-ENV CATALINA_HOME=/usr/local/tomcat
-
-WORKDIR /root
-ENV HOME /root
-
-
-RUN apt-get -y update \
- && apt-get -y install apt-utils \
- && apt-get -y install libcfitsio-bin unzip
-
-
-ENV WEBAPP_DIR=/webapps/vlkb-soda
-
-
-COPY deps/ast_9.2.9-1_amd64.deb ./
-RUN dpkg -i /root/ast_9.2.9-1_amd64.deb && ldconfig \
- && mkdir -p ${WEBAPP_DIR} \
- && mkdir -p /srv/surveys && mkdir -p /srv/cutouts \
- && mkdir -p /etc/pki/tls
-
-ARG VLKB_VERSION
-COPY vlkb-${VLKB_VERSION}.deb ./
-COPY vlkb-soda-${VLKB_VERSION}.war ${WEBAPP_DIR}/
-RUN dpkg -i vlkb-${VLKB_VERSION}.deb \
- && cd ${WEBAPP_DIR} && unzip vlkb-soda-${VLKB_VERSION}.war \
- && rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*0.11*.jar
-# remove jjwt used by IA2 (IA2 and IAM token filters used different ver of jjwt)
-
-# configure instance
-
-ENV INST_DIR=/usr/local
-
-RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \
- && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties
-
-# pre-configure port 8080 (no TSL)
-COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/
-COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/
-COPY deps/setenv.sh ${CATALINA_BASE}/bin/
-
-# modif permissions to allow run as non-root: need to config TSL and ROOT-CONTEXT
-WORKDIR ${CATALINA_BASE}
-RUN chmod -R a+rwX conf
-
-# enable SKA IAM token filter update
-RUN chmod a+rw ${WEBAPP_DIR}/WEB-INF/web.xml \
- && chmod a+rw ${WEBAPP_DIR}/WEB-INF/classes/iamtoken.properties
-
-env ACCESS_CONTEXT_ROOT=datasets
-# configure during start-up
-COPY start-soda.sh.soda /root/start-soda.sh
-
-
-RUN chmod +rx /root && chmod +rx /root/start-soda.sh
-USER 1000:1000
-CMD ["sh", "-c", "/root/start-soda.sh"]
-

docker/Makefile

@@ -31,9 +31,6 @@ ast-9.2.9.tar.gz:
 
 
 .PHONY: build
-build-soda-temurin-jammy:
-	docker build --build-arg VLKB_VERSION=$(VERSION) -t soda -f Dockerfile.soda.temurin-jammy .
-
 build-soda:
 	docker build --build-arg VLKB_VERSION=$(VERSION) -t soda -f Dockerfile.soda .
 

docker/example-compose-ska-soda.yaml

-version: '3'
-
-services:
-
-  ska:
-    container_name: ska
-    #image: git.ia2.inaf.it:5050/butora/vlkb-datasets/soda:latest
-    #image: registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:1.5.6
-    image: soda:latest
-    ports:
-      - 18019:8080
-    environment:
-      - SECURITY=
-      - ACCESS_CONTEXT_ROOT=ska#datasets
-      #- RESPONSE_FORMAT=application/fits
-      #- RESPONSE_FORMAT=application/fits;createfile=yes
-    volumes:
-      - /srv/ska/surveys:/srv/surveys:ro
-        #- /srv/ska/cutouts:/srv/cutouts:z,rw
-    restart: always
-
-
-  ska-ssl:
-    container_name: ska-ssl
-    #image: git.ia2.inaf.it:5050/butora/vlkb-datasets/soda:latest
-    #image: registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:1.5.6
-    image: soda:latest
-    ports:
-      - 18025:8443
-    environment:
-      - SECURITY=iamtoken
-      - ACCESS_CONTEXT_ROOT=ska#datasets
-      #- RESPONSE_FORMAT=application/fits
-      #- RESPONSE_FORMAT=application/fits;createfile=yes
-    volumes:
-      - /srv/ska/surveys:/srv/surveys:z,ro
-        #- /srv/ska/cutouts:/srv/cutouts:z,rw
-    restart: always
-

docker/example-compose-soda.yaml

@@ -2,27 +2,51 @@ version: '3'
 
 services:
 
-  soda:
-    container_name: soda-vlkb
-    image: git.ia2.inaf.it:5050/vialactea/vlkb-soda/soda:1.6.3
+  ska:
+    container_name: ska
+    image: harbor.srcdev.skao.int/soda/visivo-vlkb-soda:1.7
+    user: 5000:5000
     ports:
       - 18019:8080
     environment:
       - ACCESS_CONTEXT_ROOT=ska#datasets
     volumes:
-      - /srv/ska/surveys:/srv/surveys:z,ro
+      - /srv/ska/surveys:/srv/surveys:ro
     restart: always
 
 
-  soda-ssl:
-    container_name: soda-ssl-vlkb
-    image: git.ia2.inaf.it:5050/vialactea/vlkb-soda/soda:1.6.3
+  ska-tls:
+    container_name: ska-tls
+    image: harbor.srcdev.skao.int/soda/visivo-vlkb-soda:1.7
+    user: 5000:5000
     ports:
       - 18025:8443
     environment:
-      - SECURITY=ia2token
       - ACCESS_CONTEXT_ROOT=ska#datasets
+      - KEYSTORE_ALIAS=tomcat
     volumes:
       - /srv/ska/surveys:/srv/surveys:ro
+      - ./security/keystore.jks:/etc/pki/tls/keystore.jks:ro
+      - ./security/keystore.pwd:/etc/pki/tls/keystore.pwd:ro
     restart: always
 
+
+  ska-tls-iam:
+    container_name: ska-tls-iam
+    image: harbor.srcdev.skao.int/soda/visivo-vlkb-soda:1.7
+    user: 5000:5000
+    ports:
+      - 18025:8443
+    environment:
+      - ACCESS_CONTEXT_ROOT=ska#datasets
+      - KEYSTORE_ALIAS=tomcat
+      - SKAIAM_INTROSPECT=https://iam-escape.cloud.cnaf.infn.it/introspect
+      - SKAIAM_CLIENT=02cc260f-9837-4907-b2cb-a1a2d764fb15
+      - SKAIAM_PASSWORD=AJMi3qrB6AHRp_6y55tEwU-IpJ8uZ6X4QXeQ3W4la6dc-BlkzAY1OQpAE9hb1W7-VfYl4208FUtjE2Cl3hUYLkQ
+    volumes:
+      - /srv/ska/surveys:/srv/surveys:ro
+      - ./security/keystore.jks:/etc/pki/tls/keystore.jks:ro
+      - ./security/keystore.pwd:/etc/pki/tls/keystore.pwd:ro
+    restart: always
+
+

docker/example-security/README.tex

@@ -6,7 +6,6 @@
 #    -- ia2 needs SECTIGO
 #    -- iam needs self-signed keystore.jks
 # * keep right jjwt*.jar libs (ia2 authlib needs v0.11, iam needs v0.12)
-# FIXME implement *.properties and server-connector.xml by paramters
 
 
 
@@ -14,7 +13,7 @@
 # SSL-certificates are site-dependent and must be regularly updated:
 # vlkb-soda expects them in /etc/pki/tls
 #
-# map volume: ./security:/etc/pki/tls:z,ro
+# map volume: ./security:/etc/pki/tls:ro
 #
 # ia2token: 
 #  auth.propeties
@@ -22,10 +21,9 @@
 #  server-connector.xml
 #  SECTIGO/*
 #
-# iamtoken:
-#  iamtoken.properties
-#  server-connector.xml
+# iamtoken: env KEYSTORE_ALIAS=tomcat
 #   keystore.jks
+#   keystore.pwd
 #
 
 

docker/example-security/garrtoken/neatoken.properties

-
-# certificates endpoint
-jwks_url=
-
-# account created for the service
-resource_id=
-
-# username for non-authenticated requests
-non_authn_username=anonymous
-

docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks

-   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
-               maxThreads="150" SSLEnabled="true" >
-        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
-        <SSLHostConfig>
-            <Certificate certificateKeyAlias="tomcat"
-                         certificateKeystoreFile="/etc/pki/tls/keystore.jks"
-                         certificateKeystorePassword="tomcatskassl"
-                         type="RSA" />
-        </SSLHostConfig>
-   </Connector>
-

docker/example-security/iamtoken/iamtoken.properties

-
-# certificates endpoint
-#jwks_url=
-introspect=
-client_name=
-client_password=
-
-# account created for the service
-resource_id=
-
-# username for non-authenticated requests
-non_authn_username=anonymous
-