
Commit dd15fdab authored by Jeff Cousineau's avatar Jeff Cousineau

initial commit

FROM httpd:2.4
MAINTAINER ITS-Webhosting "webmaster@umich.edu"
### Cosign Pre-requisites ###
WORKDIR /usr/local/apache2
ENV COSIGN_VER 3.4.0
ENV COSIGN_URL https://github.com/umich-iam/cosign/archive/cosign-$COSIGN_VER.tar.gz
ENV OIDC_MOD libapache2-mod-auth-openidc
ENV OIDC_VER 2.3.7
ENV OIDC_URL https://github.com/zmartzone/mod_auth_openidc/releases/download/v$OIDC_VER/mod_auth_openidc-$OIDC_VER.tar.gz
ENV CPPFLAGS="-I/usr/kerberos/include"
#ENV OPENSSL_VERSION 1.0.2l-1~bpo8+1
RUN apt-get update \
# && apt-get install -y wget gcc libssl-dev=$OPENSSL_VERSION make openssl autoconf \
&& apt-get install -y wget gcc libssl-dev make openssl autoconf \
wget curl telnet net-tools $OIDC_MOD
### Build Cosign ###
RUN wget "$COSIGN_URL" \
&& mkdir -p src/cosign \
&& tar -xvf cosign-$COSIGN_VER.tar.gz -C src/cosign --strip-components=1 \
&& rm cosign-$COSIGN_VER.tar.gz \
&& cd src/cosign \
&& sed "s/INTERNAL/$COSIGN_VER/g" configure.ac > configure.ac.new \
&& mv configure.ac.new configure.ac \
&& autoconf \
&& ./configure --enable-apache2=/usr/local/apache2/bin/apxs \
&& make \
&& make install \
&& cd ../../ \
&& rm -r src/cosign \
&& mkdir -p /var/cosign/filter /var/cosign/proxy \
&& chmod 775 /var/cosign/filter /var/cosign/proxy
# Install CA intermediate & root certs
ENV CA_CERT_INCOMMON sha384\ Intermediate\ cert
ENV CA_CERT_INCOMMON_LOCAL sha384-Intermediate-cert
ENV CA_CERT_USERTRUST USERTrustRSACertificationAuthority
ENV CA_CERT_ADDTRUST AddTrustExternalCARoot
ENV TXT txt
ENV PEM pem
ENV CERTS_DIR /usr/local/apache2/certs
ENV INCOMMON_URL https://www.incommon.org/cert/repository
ENV UMWEB_URL http://www.umich.edu/~umweb
### mkdir certs
RUN mkdir $CERTS_DIR
WORKDIR $CERTS_DIR
RUN wget "$INCOMMON_URL/$CA_CERT_INCOMMON.$TXT" \
&& cat "$CA_CERT_INCOMMON.$TXT" | tr '\r' '\n' > "$CA_CERT_INCOMMON_LOCAL.$PEM" \
&& rm -f "$CA_CERT_INCOMMON.$TXT" \
&& wget "$UMWEB_URL/$CA_CERT_USERTRUST.$PEM"\
&& wget "$INCOMMON_URL/$CA_CERT_ADDTRUST.$TXT" \
&& mv "$CA_CERT_ADDTRUST.$TXT" "$CA_CERT_ADDTRUST.$PEM" \
&& c_rehash $CERTS_DIR
### Remove pre-reqs ###
RUN apt-get remove -y make wget autoconf \
&& apt-get autoremove -y
# Section that setups up Apache and Cosign to run as non-root user.
EXPOSE 8080
EXPOSE 8443
### There may be an easier way to do all of this by setting APACHE_RUN_USER
### and APACHE_RUN_GROUP in env vars or /etc/apache2/envvars
### change directory owner, as openshift user is in root group.
RUN chown -R root:root /usr/local/apache2/logs /var/lock /var/run/lock
RUN chmod 777 /usr/local/apache2/certs /usr/local/apache2/conf /usr/local/apache2/conf/extra
RUN rm -f /usr/local/apache2/conf/httpd.conf /usr/local/apache2/conf/extra/httpd-ssl.conf
### Modify perms for the openshift user, who is not root, but part of root group.
RUN chmod g+r /var/cosign
RUN chmod g+rw /usr/local/apache2 /usr/local/apache2/logs /usr/local/apache2/htdocs \
/var/lock /var/run/lock
# /usr/local/apache2/certs /usr/local/apache2/conf /usr/local/apache2/conf/extra \
### Start script incorporates config files and sends logs to stdout ###
COPY start.sh .
RUN chmod +x start.sh
CMD /usr/local/apache2/start.sh
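Review bot: The CA trust anchors written into $CERTS_DIR are downloaded at build time with no integrity check, and `$CA_CERT_USERTRUST.$PEM` is fetched from `UMWEB_URL`, which is plain `http://`, so the image's trust store is whatever the build network happened to return; the cosign tarball pulled from `$COSIGN_URL` has the same gap. These certificates are public, so check them into the repository and install them with `COPY certs/ $CERTS_DIR/` ahead of the existing `c_rehash $CERTS_DIR`, or at minimum switch `UMWEB_URL` to https and verify each download with `echo "<expected-sha256>  $CA_CERT_USERTRUST.$PEM" | sha256sum -c -` before it is used. Separately, `chmod 777` on certs, conf and conf/extra makes httpd's configuration directory world-writable inside the container; `chmod g+rw`, as already used for the other directories, covers the OpenShift arbitrary-UID-in-root-group case the comments describe. The trailing `apt-get remove` step does not shrink the image because the packages remain in the earlier layer, and `MAINTAINER` is deprecated in favour of `LABEL`.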
# umich-httpd-auth
Docker image of Apache httpd integrated with the University of Michigan's SSO solutions (cosign, oidc).
Will pass remote-user onto java apps via AJP.
#!/bin/sh
# link configuration files for apache and cosign
# from volume from preloaded secret.
if [ -f /secrets/httpd/httpd.conf ];
then
ln -sf /secrets/httpd/httpd.conf /usr/local/apache2/conf/httpd.conf
fi
if [ -f /secrets/httpd/httpd-cosign.conf ];
then
ln -sf /secrets/httpd/httpd-cosign.conf /usr/local/apache2/conf/extra/httpd-cosign.conf
fi
if [ -f /secrets/httpd/httpd-ssl.conf ];
then
ln -sf /secrets/httpd/httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf
fi
# copy certs from secret volume to a location that can be written to.
#mkdir /usr/local/apache2/certs/
if [ -e /secrets/certs ];
then
cp /secrets/certs/* /usr/local/apache2/certs/
fi
# Rehash command needs to be run before starting apache.
#c_rehash /usr/local/apache2/certs
# Redirect logs to stdout and stderr for docker reasons.
ln -sf /dev/stdout /usr/local/apache2/logs/access_log
ln -sf /dev/stderr /usr/local/apache2/logs/error_log
/usr/local/apache2/bin/httpd -DFOREGROUND
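Review bot: The final `httpd -DFOREGROUND` runs as a child of the script rather than replacing it, so httpd is not PID 1 and the SIGTERM sent on `docker stop` or pod termination reaches the shell instead of httpd; change the last line to `exec /usr/local/apache2/bin/httpd -DFOREGROUND`. The comment just above says the rehash must run before starting apache, yet the `c_rehash` line is commented out, so certificates copied from /secrets/certs at runtime get no hash links and will be missed if the configuration uses a hashed CA directory — either uncomment it (it would then run after the copy, unlike the build-time rehash) or drop the comment if the certs are referenced by file. Adding `set -e` at the top would stop a failed copy or link from silently starting httpd with a missing config.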