From d98ce95de4d65903e4540f3df3ecac9a8e673ac5 Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Fri, 14 May 2021 19:07:38 +0200
Subject: [PATCH] Added Dockerfiles and Docker Compose demo

---
 Dockerfile                     | 57 ----------------------------------
 docker/Dockerfile              | 30 ++++++++++++++++++
 docker/base-Dockerfile         | 15 +++++++++
 docker/composer-Dockerfile     | 34 ++++++++++++++++++++
 docker/db-Dockerfile           |  2 ++
 docker/demo-config.yaml        | 48 ++++++++++++++++++++++++++++
 docker/docker-compose.yml      | 25 +++++++++++++++
 docker/gms/Dockerfile          |  6 ++++
 docker/gms/gms-auth.properties |  6 ++++
 docker/gms/gms-entrypoint.sh   |  6 ++++
 docker/rap.conf                | 39 +++++++++++++++++++++++
 11 files changed, 211 insertions(+), 57 deletions(-)
 delete mode 100644 Dockerfile
 create mode 100644 docker/Dockerfile
 create mode 100644 docker/base-Dockerfile
 create mode 100644 docker/composer-Dockerfile
 create mode 100644 docker/demo-config.yaml
 create mode 100644 docker/docker-compose.yml
 create mode 100644 docker/gms/Dockerfile
 create mode 100644 docker/gms/gms-auth.properties
 create mode 100755 docker/gms/gms-entrypoint.sh
 create mode 100644 docker/rap.conf

diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 98be7a8..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,57 +0,0 @@
-FROM ubuntu:18.10
-
-# To fix "configuring tzdata" interactive input during apt install
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && \
-    apt-get install -yq --no-install-recommends \
-    apache2 \
-    libapache2-mod-php7.2 \
-    php7.2-xml \
-    php7.2-mbstring \
-    php-mysql \
-    php-curl \
-    libapache2-mod-shib2 \
-    make \
-    wget \
-    ca-certificates \
-    ssl-cert \
-    vim
-
-# Copying Shibboleth SP configuration
-COPY docker/shibboleth/shibboleth2.xml /etc/shibboleth/
-COPY docker/shibboleth/sp-key.pem /etc/shibboleth/
-COPY docker/shibboleth/sp-cert.pem /etc/shibboleth/
-    
-# Installing Embedded Discovery Service
-WORKDIR /usr/local/src
-
-RUN wget https://shibboleth.net/downloads/embedded-discovery-service/1.2.1/shibboleth-embedded-ds-1.2.1.tar.gz -O shibboleth-eds.tar.gz
-RUN tar xzf shibboleth-eds.tar.gz
-
-WORKDIR shibboleth-embedded-ds-1.2.1
-RUN make install
-
-RUN mv /etc/shibboleth-ds/shibboleth-ds.conf /etc/apache2/conf-available/shibboleth-ds.conf
-RUN sed -i 's/Allow from All/Require all granted/g' /etc/apache2/conf-available/shibboleth-ds.conf
-RUN a2enconf shibboleth-ds.conf
-
-# Adding RAP Apache configuration
-COPY docker/rap.conf /etc/apache2/conf-available/
-RUN a2enconf rap.conf
-
-# Enable mod_rewrite (for Flight framework)
-RUN a2enmod rewrite
-RUN a2enmod ssl
-RUN a2ensite default-ssl
-
-# Copying RAP php files
-WORKDIR /var/www/html
-COPY . rap-ia2
-
-WORKDIR /var/www/html/rap-ia2
-RUN mkdir -p logs
-RUN chown -R www-data logs
-
-# Starting shibd & Apache
-CMD service shibd start && apachectl -D FOREGROUND
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..eba5c10
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,30 @@
+FROM git.ia2.inaf.it:5050/ia2/rap-ia2/composer
+
+FROM git.ia2.inaf.it:5050/ia2/rap-ia2/base
+
+# add RAP Apache configuration
+COPY docker/rap.conf /etc/apache2/conf-available/
+RUN a2enconf rap.conf
+
+# enable mod_rewrite and mod_headers (for Flight framework)
+RUN a2enmod rewrite
+RUN a2enmod headers
+
+ARG RAP_DIR=/var/www/html/rap-ia2/
+
+# create RAP directory
+RUN mkdir $RAP_DIR
+COPY --from=0 /rap-ia2 $RAP_DIR
+
+WORKDIR $RAP_DIR
+
+# create logs directory
+RUN mkdir -p logs
+
+RUN chown -R www-data $RAP_DIR
+
+# allow apache2 to stop gracefully
+STOPSIGNAL SIGWINCH
+
+EXPOSE 80
+CMD ["apachectl", "-D", "FOREGROUND"]
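Review bot: Both `FROM git.ia2.inaf.it:5050/ia2/rap-ia2/composer` and `FROM git.ia2.inaf.it:5050/ia2/rap-ia2/base` carry no tag or digest, so each build silently resolves to whatever `latest` is in the registry and cannot be reproduced later; pin a tag (and a digest for published images) and name the first stage, `FROM git.ia2.inaf.it:5050/ia2/rap-ia2/composer:<TAG> AS composer`, so the later copy can read `COPY --from=composer --chown=www-data:www-data /rap-ia2 $RAP_DIR` instead of the index-based `--from=0`. With `--chown` on the copy, the `RUN chown -R www-data $RAP_DIR` layer (which duplicates the whole tree in a second layer) shrinks to `RUN mkdir -p logs && chown www-data logs`, and `RUN mkdir $RAP_DIR` becomes unnecessary because COPY creates its destination. The final stage declares no `USER`; that is acceptable here only because the Apache parent process drops to `www-data` itself, which is worth a one-line comment above `CMD`.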
diff --git a/docker/base-Dockerfile b/docker/base-Dockerfile
new file mode 100644
index 0000000..eca61e7
--- /dev/null
+++ b/docker/base-Dockerfile
@@ -0,0 +1,15 @@
+# Base Docker image for running RAP inside Apache server
+
+FROM debian:buster
+
+RUN apt-get update && \
+    apt-get install -yq --no-install-recommends \
+    apache2 \
+    libapache2-mod-php \
+    php-xml \
+    php-mbstring \
+    php-mysql \
+    php-curl \
+    php-yaml \
+    ca-certificates \
+    ssl-cert
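Review bot: The `apt-get install` layer keeps `/var/lib/apt/lists/*` in the image because nothing removes it in the same `RUN`; append `&& rm -rf /var/lib/apt/lists/*` after `ssl-cert` so the package index does not ship in every derived image. The same omission is in the composer stage (`RUN apt-get update && apt-get install ...` in docker/composer-Dockerfile). None of the apache2/php packages are version-pinned and `debian:buster` is a floating tag, so two builds a week apart can produce different runtime images; pinning by digest is the usual remedy for a base that other images derive from.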
diff --git a/docker/composer-Dockerfile b/docker/composer-Dockerfile
new file mode 100644
index 0000000..3c87cf4
--- /dev/null
+++ b/docker/composer-Dockerfile
@@ -0,0 +1,34 @@
+# Docker image containing composer and RAP source code
+
+FROM debian:buster
+
+RUN apt-get update && \
+    apt-get install -yq --no-install-recommends \
+    php-zip php-yaml php-curl php-xml php-mysql \
+    composer git unzip
+
+COPY composer* /rap-ia2/
+
+WORKDIR /rap-ia2
+
+RUN composer install --no-dev --no-autoloader
+
+# copy RAP php files
+COPY auth /rap-ia2/auth
+COPY classes /rap-ia2/classes
+COPY css /rap-ia2/css
+COPY exec /rap-ia2/exec
+COPY img /rap-ia2/img
+COPY include /rap-ia2/include
+COPY js /rap-ia2/js
+COPY service-logos /rap-ia2/service-logos
+COPY views /rap-ia2/views
+COPY config-example.yaml index.php version.txt .htaccess /rap-ia2/
+
+RUN composer install --no-dev
+
+COPY tests /rap-ia2/tests
+
+ARG INCLUDE_TESTS=false
+
+RUN if [ "$INCLUDE_TESTS" = 'true' ]; then composer install; else rm -Rf /rap-ia2/tests; fi
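Review bot: `COPY composer* /rap-ia2/` is a glob, so a build where `composer.lock` is absent from the context still succeeds and `composer install` then resolves fresh dependency versions; `COPY composer.json composer.lock /rap-ia2/` fails loudly instead and keeps the build reproducible. The `INCLUDE_TESTS` branch runs a plain `composer install`, which appears to add dev dependencies to `vendor/` in the same `/rap-ia2` tree that docker/Dockerfile copies wholesale, so a test build would seem to end up as a runtime image carrying dev packages and `tests/` — worth confirming, and worth a comment above the `ARG` such as `# INCLUDE_TESTS=true keeps tests/ and installs dev dependencies; build-only, not for the image used by docker/Dockerfile`. Note also that `rm -Rf /rap-ia2/tests` runs in a later layer than `COPY tests`, so the tests remain in the layer history of the pushed composer image either way.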
diff --git a/docker/db-Dockerfile b/docker/db-Dockerfile
index 4ac0f9f..d6dabba 100644
--- a/docker/db-Dockerfile
+++ b/docker/db-Dockerfile
@@ -2,6 +2,8 @@ FROM mariadb:10.5
 
 ENV MYSQL_ALLOW_EMPTY_PASSWORD yes
 ENV MYSQL_DATABASE rap
+ENV MYSQL_USER rap
+ENV MYSQL_PASSWORD rap
 
 COPY sql/setup-database.sql /docker-entrypoint-initdb.d/01-setup-database.sql
 COPY sql/delete-user-procedure.sql /docker-entrypoint-initdb.d/02-delete-user-procedure.sql
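Review bot: The two added `ENV` lines bake a database credential (`MYSQL_USER rap` / `MYSQL_PASSWORD rap`) into the image itself, where anyone who pulls the `database` image can read it with `docker inspect` or `docker history`; for a demo the values may be intentional, but they belong in docker-compose.yml's `environment:` (or a secret) rather than in the image, and the file should say so with a comment like `# demo credentials only — the compose file is the place to override them`. The lines also use the deprecated space-separated form, which the build check flags as LegacyKeyValueFormat; the modern spelling is `ENV MYSQL_USER=rap MYSQL_PASSWORD=rap`. The existing `MYSQL_ALLOW_EMPTY_PASSWORD yes` context line has the same legacy form.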
diff --git a/docker/demo-config.yaml b/docker/demo-config.yaml
new file mode 100644
index 0000000..2ad850e
--- /dev/null
+++ b/docker/demo-config.yaml
@@ -0,0 +1,48 @@
+---
+contextRoot: "/rap-ia2"
+serviceLogFile: "/var/www/html/rap-ia2/logs/rap-service.log"
+auditLogFile: "/var/www/html/rap-ia2/logs/rap-audit.log"
+timeZone: "Europe/Rome"
+logLevel: "DEBUG"
+jwtIssuer: "http://rap-ia2/rap-ia2"
+contactEmail: "ia2@inaf.it"
+contactLabel: "IA2 Team"
+
+databaseConfig:
+  dbtype: "MySQL"
+  hostname: "rap-db"
+  port: 3306
+  username: "rap"
+  password: "rap"
+  dbname: "rap"
+
+authenticationMethods:
+  test: true
+
+gms:
+  id: "gms"
+  joinEndpoint: "http://gms:8080/gms/join"
+
+tokenIssuer:
+  services:
+  - id: gms
+    label: GMS
+    aud: [gms, rap]
+    scope: read:gms write:gms read:rap
+  lifespans: [1, 6, 12, 24]
+
+clients:
+  - label: "GMS"
+    id: gms
+    secret: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
+    redirect: http://localhost:8081/gms/login
+    scope: "openid email read:rap"
+    home: http://localhost:8081/gms
+    icon: 
+    showInHome: true
+    methods: [eduGAIN, Google, Facebook, LinkedIn, X.509, LocalIdP]
+
+cliClients:
+  - id: rap_cli
+    secret: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
+    scope: "read:rap write:rap"
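Review bot: The `clients` entry `gms` and the `cliClients` entry `rap_cli` share the identical `secret` value, so the two identities are not separable — a leak or rotation of one is a leak or rotation of both; the demo should at least give each client its own value. The value by all appearances is the digest of the plaintext `client_secret=test` in docker/gms/gms-auth.properties, and nothing in the file marks it as a placeholder; a header line such as `# Demo configuration: these secrets are well-known test values and must be replaced in any non-demo deployment` documents the intent. Two smaller points: `icon:` with no value parses as YAML null rather than an empty string, which the consumer may or may not tolerate (cannot tell from here), and `logLevel: "DEBUG"` combined with `auditLogFile` under the web root's `logs/` directory means verbose logs are written next to served files.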
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
new file mode 100644
index 0000000..3fc82a7
--- /dev/null
+++ b/docker/docker-compose.yml
@@ -0,0 +1,25 @@
+---
+version: '3.0'
+services:
+  rap:
+    image: git.ia2.inaf.it:5050/ia2/rap-ia2
+    volumes:
+      - ./demo-config.yaml:/var/www/html/rap-ia2/config.yaml
+    ports:
+      - "8080:80"
+  rap-db:
+    image: git.ia2.inaf.it:5050/ia2/rap-ia2/database
+  gms:
+    build: ./gms
+    environment:
+      - server.port=8081
+      - spring.datasource.url=jdbc:postgresql://gms-db:5432/postgres
+      - spring.datasource.username=gms
+      - spring.datasource.password=
+      - AUTH_CONFIG_PATH=/etc/gms/auth.properties
+    volumes:
+      - ./gms/gms-auth.properties:/etc/gms/auth.properties
+    ports:
+      - "8081:8081"
+  gms-db:
+    image: git.ia2.inaf.it:5050/ia2/ia2-gms/database
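Review bot: The `ports:` entries `"8080:80"` and `"8081:8081"` publish both services on every host interface, while the rest of the demo (gms-auth.properties' `rap_uri=http://localhost:8080/rap-ia2` and the socat forwarder) is built around `localhost`; binding to the loopback address, `- "127.0.0.1:8080:80"` and `- "127.0.0.1:8081:8081"`, matches that design and keeps a demo running with empty and test passwords off the network. `spring.datasource.password=` is empty and `rap-db` is started from an image that allows an empty root password, which is consistent for a demo but deserves a comment at the top of the file stating the demo-only intent. None of the three `image:` references carries a tag, so `docker-compose pull` floats to `latest`; pin them to the tag the registry publishes.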
diff --git a/docker/gms/Dockerfile b/docker/gms/Dockerfile
new file mode 100644
index 0000000..debefe3
--- /dev/null
+++ b/docker/gms/Dockerfile
@@ -0,0 +1,6 @@
+FROM git.ia2.inaf.it:5050/ia2/ia2-gms
+
+RUN apk add socat
+ADD gms-entrypoint.sh /
+
+ENTRYPOINT ["/gms-entrypoint.sh"]
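Review bot: `ADD gms-entrypoint.sh /` is used for a plain local file, where `COPY gms-entrypoint.sh /` is the explicit form (hadolint DL3020); the script's mode is 100755 in the diff, so no extra `chmod` is needed. `RUN apk add socat` leaves the apk index in the layer and installs an unpinned version; `RUN apk add --no-cache socat` is the usual spelling, with a version pin if the base's Alpine release is known. `FROM git.ia2.inaf.it:5050/ia2/ia2-gms` has no tag, so the layered image is rebuilt on a moving target.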
diff --git a/docker/gms/gms-auth.properties b/docker/gms/gms-auth.properties
new file mode 100644
index 0000000..bedaac3
--- /dev/null
+++ b/docker/gms/gms-auth.properties
@@ -0,0 +1,6 @@
+client_id=gms
+client_secret=test
+rap_uri=http://localhost:8080/rap-ia2
+store_state_on_login_endpoint=true
+scope=openid email profile read:rap
+rap_client_class=it.inaf.ia2.gms.authn.ServletRapClient
diff --git a/docker/gms/gms-entrypoint.sh b/docker/gms/gms-entrypoint.sh
new file mode 100755
index 0000000..18bda95
--- /dev/null
+++ b/docker/gms/gms-entrypoint.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# workaround for making http://localhost:8080/rap-ia2 works also inside container
+socat TCP-LISTEN:8080,fork TCP:rap:80 &
+
+exec java -jar /gms.jar
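Review bot: `socat TCP-LISTEN:8080,fork TCP:rap:80 &` listens on every interface of the container, although the stated purpose is only to make `http://localhost:8080/rap-ia2` resolve from inside it; `socat TCP-LISTEN:8080,bind=127.0.0.1,fork,reuseaddr TCP:rap:80 &` limits the forwarder to loopback so other containers on the compose network cannot reach RAP through the gms container. Because the forwarder is backgrounded with no check, a socat start failure (port already bound, binary missing) goes unnoticed and the Java process starts anyway; a comment noting that the forwarder is best-effort, or a short `sleep`-free readiness check, would make that explicit. The comment line should read `# workaround for making http://localhost:8080/rap-ia2 work also inside the container`.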
diff --git a/docker/rap.conf b/docker/rap.conf
new file mode 100644
index 0000000..1a760e9
--- /dev/null
+++ b/docker/rap.conf
@@ -0,0 +1,39 @@
+# RAP directory configuration
+<Directory /var/www/html/rap-ia2>
+
+    # Allow .htaccess override
+    AllowOverride All
+
+    # Set cookies to HTTP Only for better security
+    php_flag session.cookie_httponly on
+
+    # Protect config file
+    <Files "config.yaml">
+        Order allow,deny
+        Deny from all
+    </Files>
+</Directory>
+
+# X.509 client certificate authentication (needs SSL enabled)
+
+<IfModule mod_ssl.c>
+    <Directory /var/www/html/rap-ia2/auth/x509/>
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Order allow,deny
+        allow from all
+        SSLVerifyClient require
+        SSLVerifyDepth 10
+        SSLOptions +ExportCertData
+    </Directory>
+</IfModule>
+
+# Shibboleth authentication (needs Shibboleth module installed and enabled)
+
+<IfModule mod_shib.c>
+    <Directory /var/www/html/rap-ia2/auth/saml2/>
+        AuthType shibboleth
+        ShibRequestSetting requireSession 1
+        Require valid-user
+    </Directory>
+</IfModule>
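Review bot: `Options Indexes FollowSymLinks` in the `/var/www/html/rap-ia2/auth/x509/` block turns on directory listing for an authentication endpoint, which exposes file names under it to any client that passes the certificate check; `Options FollowSymLinks` is sufficient for the handler and is the safer default. The `Order allow,deny` / `Deny from all` and `allow from all` lines are Apache 2.2 syntax that only work on the Apache 2.4 in `debian:buster` while `mod_access_compat` happens to be loaded; the 2.4 forms are `Require all denied` inside the `<Files "config.yaml">` block and `Require all granted` in the x509 directory (the deleted Dockerfile's `sed` rewriting `Allow from All` to `Require all granted` shows the same migration was already needed elsewhere). `php_flag session.cookie_httponly on` is a good addition; since the new runtime image exposes only port 80, a comment that `session.cookie_secure` must be set by whatever terminates TLS in front of it would save the next reader a question.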
-- 
GitLab