diff --git a/Makefile b/Makefile index ff6a061b07f81ab0452f3441a0b906b1b1e97348..13371a8f2d4e1c8e61570bd0ce23755f95f2a21f 100644 --- a/Makefile +++ b/Makefile @@ -30,8 +30,8 @@ clean: # 20250401 Owner glpat-JhqpFhEGvxuVzHqxjwqx .PHONY: upload-war-deb upload-war-deb: - curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-soda-$(VERSION).war https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.5/vlkb-soda-$(VERSION).war - curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-$(VERSION).deb https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.5/vlkb-$(VERSION).deb - curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-obscore-$(VERSION).deb https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.5/vlkb-obscore-$(VERSION).deb - curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkbd-$(VERSION).deb https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.5/vlkbd-$(VERSION).deb + curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-soda-$(VERSION).war https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7/vlkb-soda-$(VERSION).war + curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-$(VERSION).deb https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7/ubuntu22/vlkb-$(VERSION).deb + curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkb-obscore-$(VERSION).deb https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7/ubuntu22/vlkb-obscore-$(VERSION).deb + curl --header "PRIVATE-TOKEN: glpat-JhqpFhEGvxuVzHqxjwqx" --upload-file vlkbd-$(VERSION).deb https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7/ubuntu22/vlkbd-$(VERSION).deb 
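Review bot: The GitLab personal access token `glpat-JhqpFhEGvxuVzHqxjwqx` is still hardcoded in all four `curl` lines on the new side of the `upload-war-deb` recipe (and repeated in the `# 20250401 Owner` context comment), so anyone with read access to this repository can publish packages into project 1780; it should be treated as leaked and revoked now, not just kept out of future commits. Once rotated, take it from the environment instead, e.g. `GITLAB_TOKEN ?= $(error GITLAB_TOKEN is not set)` near the top of the Makefile and `curl --fail --header "PRIVATE-TOKEN: $(GITLAB_TOKEN)" --upload-file ...` in each recipe line, so the value never re-enters history. The added `--fail` matters on its own: without it a 401/404 from the package API still exits 0 and `make upload-war-deb` reports success for an upload that did not happen. The repeated `https://ict.inaf.it/gitlab/api/v4/projects/1780/packages/generic/vlkb-soda/1.7` prefix would also be better as one `PKG_URL` variable, so the 1.5→1.7 and `ubuntu22/` path changes made here happen in a single place.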
diff --git a/docker/Dockerfile.soda b/docker/Dockerfile.soda index 8c9f052c7e78d081b78f32b24863f8ed1074c78c..21ccb03558fe76b4a2eeed28f79bbd9d09b7a353 100644 --- a/docker/Dockerfile.soda +++ b/docker/Dockerfile.soda @@ -1,62 +1,55 @@ -FROM debian:bullseye-slim +FROM tomcat:9-jre17-temurin-jammy +# 
From: https://hub.docker.com/_/tomcat/ +# The default Tomcat environment in the image is: +# CATALINA_BASE: /usr/local/tomcat +# CATALINA_HOME: /usr/local/tomcat +# CATALINA_TMPDIR: /usr/local/tomcat/temp +# JRE_HOME: /usr +# CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar +# The configuration files are available in /usr/local/tomcat/conf/. + +ENV CATALINA_BASE=/usr/local/tomcat +ENV CATALINA_HOME=/usr/local/tomcat WORKDIR /root ENV HOME /root -RUN apt-get -y update \ - && apt-get -y --no-install-recommends install libcfitsio9 \ - unzip openjdk-17-jre-headless tomcat9 libtcnative-1 ca-certificates -ENV CATALINA_BASE=/var/lib/tomcat9 -ENV CATALINA_HOME=/usr/share/tomcat9 +RUN apt-get -y update \ + && apt-get -y install apt-utils \ + && apt-get -y install libcfitsio-bin unzip -RUN rm -rf $CATALINA_BASE/webapps/examples/ \ - $CATALINA_BASE/webapps/docs/ \ - $CATALINA_BASE/webapps/host-manager ENV WEBAPP_DIR=/webapps/vlkb-soda + COPY deps/ast_9.2.9-1_amd64.deb ./ RUN dpkg -i /root/ast_9.2.9-1_amd64.deb && ldconfig \ && mkdir -p ${WEBAPP_DIR} \ - && mkdir -p /srv/surveys \ - && mkdir -p /srv/cutouts \ + && mkdir -p /srv/surveys && mkdir -p /srv/cutouts \ && mkdir -p /etc/pki/tls ARG VLKB_VERSION - COPY vlkb-${VLKB_VERSION}.deb ./ COPY vlkb-soda-${VLKB_VERSION}.war ${WEBAPP_DIR}/ RUN dpkg -i vlkb-${VLKB_VERSION}.deb \ && cd ${WEBAPP_DIR} && unzip vlkb-soda-${VLKB_VERSION}.war \ - && apt-get autoremove && apt-get clean \ && rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*0.11*.jar # remove jjwt used by IA2 (IA2 and IAM token filters used different ver of jjwt) - -# configure build instance +# configure instance ENV INST_DIR=/usr/local RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \ && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties -# change webapps-dir and preconfigure port 8080 (no SSL) +# pre-configure port 8080 (no TSL) COPY deps/server.xml deps/server-connector.xml* 
${CATALINA_BASE}/conf/ COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/ COPY deps/setenv.sh ${CATALINA_BASE}/bin/ -env ACCESS_CONTEXT_ROOT=datasets - -# configure at start-up - -COPY start-soda.sh.soda /root/start-soda.sh - -# modif permissions to allow run as non-root -WORKDIR ${CATALINA_HOME} -# orig was: chmod 1777 logs temp work; -# logs --> /var/log/tomcat9 work --> /var/cache/tomcat9 temp (missing) -RUN chmod -R +rX .; chmod 1777 /var/log/tomcat9 /var/cache/tomcat9 +# modif permissions to allow run as non-root: need to config TSL and ROOT-CONTEXT WORKDIR ${CATALINA_BASE} RUN chmod -R a+rwX conf @@ -64,6 +57,11 @@ RUN chmod -R a+rwX conf RUN chmod a+rw ${WEBAPP_DIR}/WEB-INF/web.xml \ && chmod a+rw ${WEBAPP_DIR}/WEB-INF/classes/iamtoken.properties +env ACCESS_CONTEXT_ROOT=datasets +# configure during start-up +COPY start-soda.sh.soda /root/start-soda.sh + + RUN chmod +rx /root && chmod +rx /root/start-soda.sh USER 1000:1000 CMD ["sh", "-c", "/root/start-soda.sh"] diff --git a/docker/Dockerfile.soda.temurin-jammy b/docker/Dockerfile.soda.temurin-jammy deleted file mode 100644 index 21ccb03558fe76b4a2eeed28f79bbd9d09b7a353..0000000000000000000000000000000000000000 --- a/docker/Dockerfile.soda.temurin-jammy +++ /dev/null @@ -1,68 +0,0 @@ -FROM tomcat:9-jre17-temurin-jammy -# 
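Review bot: `RUN chmod -R a+rwX conf` makes `/usr/local/tomcat/conf` world-writable, including `server.xml` (which, per the `# pre-configure port 8080` and TLS comments, is where the connector and keystore settings get written at start-up) and `web.xml`/`catalina.properties`, so any process in the container, whatever its uid, can rewrite the Tomcat configuration; since the image itself ends with `USER 1000:1000`, `RUN chown -R 1000:1000 conf && chmod -R u+rwX,go-w conf` is enough for the in-image user, and if the world-write is there because the compose example in this commit runs as `user: 5000:5000`, a fixed documented GID with `chmod -R g+rwX` and `--group-add` on the run side is the narrower option. The rewritten `apt-get` line also dropped `--no-install-recommends` and the `apt-get autoremove && apt-get clean` the old image had, so the package lists now stay in the layer; end that `RUN` with `&& rm -rf /var/lib/apt/lists/*`. The old `rm -rf $CATALINA_BASE/webapps/examples/ docs/ host-manager` was dropped without a replacement — as I understand the `tomcat:9` base image those stock apps live in `webapps.dist/` rather than `webapps/`, so this is fine only as long as `deps/server.xml` does not point `appBase` there, which is worth stating in a comment. Minor: the comments say `TSL` where `TLS` is meant, and `ENV HOME /root` is the deprecated space-separated form (`ENV HOME=/root`).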
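Review bot: `RUN chmod +rx /root` makes root's home world-readable, and since the `ast_*.deb` and `vlkb-*.deb` packages were copied into `/root` earlier, they remain readable there too; moving `start-soda.sh` to a neutral location such as `/usr/local/bin/` and deleting the `.deb` files in the same `RUN` that installs them avoids opening `/root` at all. `CMD ["sh", "-c", "/root/start-soda.sh"]` also starts the script behind an extra `sh -c`, so Tomcat is not PID 1 and `docker stop` signals reach the outer shell first unless the script (not shown in this diff) ends in `exec`; as the previous line already makes the script executable, `CMD ["/root/start-soda.sh"]` is sufficient, with `exec catalina.sh run` as its final line. Style: `env ACCESS_CONTEXT_ROOT=datasets` is the only lowercase instruction in the file — `ENV ACCESS_CONTEXT_ROOT=datasets`.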
From: https://hub.docker.com/_/tomcat/ -# The default Tomcat environment in the image is: -# CATALINA_BASE: /usr/local/tomcat -# CATALINA_HOME: /usr/local/tomcat -# CATALINA_TMPDIR: /usr/local/tomcat/temp -# JRE_HOME: /usr -# CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -# The configuration files are available in /usr/local/tomcat/conf/. - -ENV CATALINA_BASE=/usr/local/tomcat -ENV CATALINA_HOME=/usr/local/tomcat - -WORKDIR /root -ENV HOME /root - - -RUN apt-get -y update \ - && apt-get -y install apt-utils \ - && apt-get -y install libcfitsio-bin unzip - - -ENV WEBAPP_DIR=/webapps/vlkb-soda - - -COPY deps/ast_9.2.9-1_amd64.deb ./ -RUN dpkg -i /root/ast_9.2.9-1_amd64.deb && ldconfig \ - && mkdir -p ${WEBAPP_DIR} \ - && mkdir -p /srv/surveys && mkdir -p /srv/cutouts \ - && mkdir -p /etc/pki/tls - -ARG VLKB_VERSION -COPY vlkb-${VLKB_VERSION}.deb ./ -COPY vlkb-soda-${VLKB_VERSION}.war ${WEBAPP_DIR}/ -RUN dpkg -i vlkb-${VLKB_VERSION}.deb \ - && cd ${WEBAPP_DIR} && unzip vlkb-soda-${VLKB_VERSION}.war \ - && rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*0.11*.jar -# remove jjwt used by IA2 (IA2 and IAM token filters used different ver of jjwt) - -# configure instance - -ENV INST_DIR=/usr/local - -RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \ - && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties - -# pre-configure port 8080 (no TSL) -COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/ -COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/ -COPY deps/setenv.sh ${CATALINA_BASE}/bin/ - -# modif permissions to allow run as non-root: need to config TSL and ROOT-CONTEXT -WORKDIR ${CATALINA_BASE} -RUN chmod -R a+rwX conf - -# enable SKA IAM token filter update -RUN chmod a+rw ${WEBAPP_DIR}/WEB-INF/web.xml \ - && chmod a+rw ${WEBAPP_DIR}/WEB-INF/classes/iamtoken.properties - -env ACCESS_CONTEXT_ROOT=datasets -# configure during start-up -COPY start-soda.sh.soda 
/root/start-soda.sh - - -RUN chmod +rx /root && chmod +rx /root/start-soda.sh -USER 1000:1000 -CMD ["sh", "-c", "/root/start-soda.sh"] - diff --git a/docker/Makefile b/docker/Makefile index 8baf6882209c687f936428d4108b829155e9c009..95bf21b9c7902715ffe9ea096c8400b2159de3db 100644 --- a/docker/Makefile +++ b/docker/Makefile @@ -31,9 +31,6 @@ ast-9.2.9.tar.gz: .PHONY: build -build-soda-temurin-jammy: - docker build --build-arg VLKB_VERSION=$(VERSION) -t soda -f Dockerfile.soda.temurin-jammy . - build-soda: docker build --build-arg VLKB_VERSION=$(VERSION) -t soda -f Dockerfile.soda . diff --git a/docker/deps/soda.logging.properites b/docker/deps/soda.logging.properties similarity index 100% rename from docker/deps/soda.logging.properites rename to docker/deps/soda.logging.properties diff --git a/docker/example-compose-ska-soda.yaml b/docker/example-compose-ska-soda.yaml deleted file mode 100644 index df3c1a7ec5e6d059e74f4b912163005622e939f2..0000000000000000000000000000000000000000 --- a/docker/example-compose-ska-soda.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -version: '3' - -services: - - ska: - container_name: ska - #image: git.ia2.inaf.it:5050/butora/vlkb-datasets/soda:latest - #image: registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:1.5.6 - image: soda:latest - ports: - - 18019:8080 - environment: - - SECURITY= - - ACCESS_CONTEXT_ROOT=ska#datasets - #- RESPONSE_FORMAT=application/fits - #- RESPONSE_FORMAT=application/fits;createfile=yes - volumes: - - /srv/ska/surveys:/srv/surveys:ro - #- /srv/ska/cutouts:/srv/cutouts:z,rw - restart: always - - - ska-ssl: - container_name: ska-ssl - #image: git.ia2.inaf.it:5050/butora/vlkb-datasets/soda:latest - #image: registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:1.5.6 - image: soda:latest - ports: - - 18025:8443 - environment: - - SECURITY=iamtoken - - ACCESS_CONTEXT_ROOT=ska#datasets - #- RESPONSE_FORMAT=application/fits - #- RESPONSE_FORMAT=application/fits;createfile=yes - volumes: - - /srv/ska/surveys:/srv/surveys:z,ro - #- /srv/ska/cutouts:/srv/cutouts:z,rw - restart: always - diff --git a/docker/example-compose-soda.yaml b/docker/example-compose-soda.yaml index c9d65bc2b609e21bc32088a542e110895a2a8dc3..59fc971a1350832c0a6c14170dd079554a5de0df 100644 --- a/docker/example-compose-soda.yaml +++ b/docker/example-compose-soda.yaml 
@@ -2,27 +2,51 @@ version: '3' services: - soda: - container_name: soda-vlkb - image: git.ia2.inaf.it:5050/vialactea/vlkb-soda/soda:1.6.3 + ska: + container_name: ska + image: harbor.srcdev.skao.int/soda/visivo-vlkb-soda:1.7 + user: 5000:5000 ports: - 18019:8080 environment: - ACCESS_CONTEXT_ROOT=ska#datasets volumes: - - /srv/ska/surveys:/srv/surveys:z,ro + - /srv/ska/surveys:/srv/surveys:ro restart: always - soda-ssl: - container_name: soda-ssl-vlkb - image: git.ia2.inaf.it:5050/vialactea/vlkb-soda/soda:1.6.3 + ska-tls: + container_name: ska-tls + image: harbor.srcdev.skao.int/soda/visivo-vlkb-soda:1.7 + user: 5000:5000 ports: - 18025:8443 environment: - - SECURITY=ia2token - ACCESS_CONTEXT_ROOT=ska#datasets + - KEYSTORE_ALIAS=tomcat volumes: - /srv/ska/surveys:/srv/surveys:ro + - ./security/keystore.jks:/etc/pki/tls/keystore.jks:ro + - ./security/keystore.pwd:/etc/pki/tls/keystore.pwd:ro restart: always + + ska-tls-iam: + container_name: ska-tls-iam + image: harbor.srcdev.skao.int/soda/visivo-vlkb-soda:1.7 + user: 5000:5000 + ports: + - 18025:8443 + environment: + - ACCESS_CONTEXT_ROOT=ska#datasets + - KEYSTORE_ALIAS=tomcat + - SKAIAM_INTROSPECT=https://iam-escape.cloud.cnaf.infn.it/introspect + - SKAIAM_CLIENT=02cc260f-9837-4907-b2cb-a1a2d764fb15 + - SKAIAM_PASSWORD=AJMi3qrB6AHRp_6y55tEwU-IpJ8uZ6X4QXeQ3W4la6dc-BlkzAY1OQpAE9hb1W7-VfYl4208FUtjE2Cl3hUYLkQ + volumes: + - /srv/ska/surveys:/srv/surveys:ro + - ./security/keystore.jks:/etc/pki/tls/keystore.jks:ro + - ./security/keystore.pwd:/etc/pki/tls/keystore.pwd:ro + restart: always + + diff --git a/docker/example-security/README.tex b/docker/example-security/README.tex index 9c98827cedc7ff789b5d7b25314aa4d707b43e80..599a06e15b88f1f720aaaa3f8008f59f0afdc082 100644 --- a/docker/example-security/README.tex +++ b/docker/example-security/README.tex 
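Review bot: The `ska-tls-iam` service commits what look like live IAM client credentials, `SKAIAM_CLIENT=02cc260f-...` and `SKAIAM_PASSWORD=AJMi3qrB6AHRp_...`, into an example compose file; that client secret should be considered compromised and rotated in the IAM, and the example should reference it from the environment instead, e.g. `- SKAIAM_PASSWORD=${SKAIAM_PASSWORD:?set SKAIAM_PASSWORD in .env}`, or be mounted as a file the same way `./security/keystore.pwd` already is. Separately, `ska-tls` and `ska-tls-iam` both publish host port `18025:8443`, so `docker compose up` of the whole file fails on whichever starts second; give the IAM service its own host port (e.g. `- 18026:8443`) or put the two under different `profiles:` if they are meant as alternatives. A short comment above `user: 5000:5000` noting that the mounted `keystore.jks`/`keystore.pwd` must be readable by that uid would save the next operator a permission-denied at start-up.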
@@ -6,7 +6,6 @@ # -- ia2 needs SECTIGO # -- iam needs self-signed keystore.jks # * keep right jjwt*.jar libs (ia2 authlib needs v0.11, iam needs v0.12) -# FIXME implement *.properties and server-connector.xml by paramters @@ -14,7 +13,7 @@ # SSL-certificates are site-dependent and must be regularly updated: # vlkb-soda expects them in /etc/pki/tls # -# map volume: ./security:/etc/pki/tls:z,ro +# map volume: ./security:/etc/pki/tls:ro # # ia2token: # auth.propeties @@ -22,10 +21,9 @@ # server-connector.xml # SECTIGO/* # -# iamtoken: -# iamtoken.properties -# server-connector.xml -# keystore.jks +# iamtoken: env KEYSTORE_ALIAS=tomcat +# keystore.jks +# keystore.pwd # diff --git a/docker/example-security/garrtoken/keystore.jks b/docker/example-security/garrtoken/keystore.jks deleted file mode 100644 index 57c469584925bdc3de5f6919123d67c5a3189560..0000000000000000000000000000000000000000 Binary files a/docker/example-security/garrtoken/keystore.jks and /dev/null differ diff --git a/docker/example-security/garrtoken/neatoken.properties b/docker/example-security/garrtoken/neatoken.properties deleted file mode 100644 index 839e15d714346acd080d3bc7474dc164e97a4af8..0000000000000000000000000000000000000000 --- a/docker/example-security/garrtoken/neatoken.properties +++ /dev/null @@ -1,10 +0,0 @@ - -# certificates endpoint -jwks_url= - -# account created for the service -resource_id= - -# username for non-authenticated requests -non_authn_username=anonymous - diff --git a/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks b/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks deleted file mode 100644 index 02ca4500189bcdf839f61eb03958e8284c4c9205..0000000000000000000000000000000000000000 --- a/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks +++ /dev/null 
@@ -1,11 +0,0 @@ - <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" - maxThreads="150" SSLEnabled="true" > - <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> - <SSLHostConfig> - <Certificate certificateKeyAlias="tomcat" - certificateKeystoreFile="/etc/pki/tls/keystore.jks" - certificateKeystorePassword="tomcatskassl" - type="RSA" /> - </SSLHostConfig> - </Connector> - diff --git a/docker/example-security/iamtoken/iamtoken.properties b/docker/example-security/iamtoken/iamtoken.properties deleted file mode 100644 index d275d68bee277ed3450eee1349d4a3a2c48210dc..0000000000000000000000000000000000000000 --- a/docker/example-security/iamtoken/iamtoken.properties +++ /dev/null @@ -1,13 +0,0 @@ - -# certificates endpoint -#jwks_url= -introspect= -client_name= -client_password= - -# account created for the service -resource_id= - -# username for non-authenticated requests -non_authn_username=anonymous -