As root, stop Apache, since the COmanage container will take over ports 80 and 443:
systemctl stop httpd
systemctl disable httpd
For good measure, let's also shut down the host's Shibboleth daemon:
systemctl stop shibd
systemctl disable shibd
Then make sure the user that is going to do the setup is in the docker group.
Get the repo and cd into it:
git clone https://github.com/Internet2/comanage-registry-docker.git
cd comanage-registry-docker
Use the latest release version of COmanage to build:
export COMANAGE_REGISTRY_VERSION=3.2.1
Create the container:
pushd comanage-registry-postgres
docker build -t comanage-registry-postgres .
popd
Create the network bridge:
docker network create --driver=bridge \
--subnet=192.168.0.0/16 \
--gateway=192.168.0.100 \
comanage-registry-internal-network
Make a local storage directory:
mkdir -p /usr1/${USER}/postgresql/data
chgrp -R docker /usr1/${USER}/postgresql
chmod -R g+rwx /usr1/${USER}/postgresql
Start the container:
docker run -d --name comanage-registry-database \
--network comanage-registry-internal-network \
-v /usr1/${USER}/postgresql/data:/var/lib/postgresql/data \
comanage-registry-postgres
Check that it is working by running
docker logs comanage-registry-database
and that it returns "database system is ready to accept connections".
Create the dockerfile for the Shib config:
pushd comanage-registry-shibboleth-sp-base
sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile
Copy the shibboleth key and cert:
cp /etc/shibboleth/sp-cert.pem .
mv /etc/shibboleth/sp-key.pem .
Note: root will be needed to get the key because of the permissions.
Copy the host cert and key to make an apache cert and key:
cat /etc/grid-security/hostcert.pem > apache-cert.pem
cat /etc/grid-security/hostkey.pem > apache-key.pem
Download the InCommon metadata signing certificate and print its fingerprint:
/usr/bin/curl -s https://ds.incommon.org/certs/inc-md-cert.pem \
| /usr/bin/tee inc-md-cert.pem \
| /usr/bin/openssl x509 -sha1 -fingerprint -noout
Compare the printed SHA-1 fingerprint with the one InCommon publishes before trusting the file, then patch the Dockerfile to copy it into the image.
Tell COmanage who the admin is:
export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Duncan
export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Brown
export COMANAGE_REGISTRY_ADMIN_USERNAME=dabrown@syr.edu
Patch the Dockerfile to fix the Debian apt issue.
I encountered the error
WARNING: the following files are not readable by _shibd
/etc/shibboleth/inc-md-cert.pem
/etc/shibboleth/shibboleth2.xml.template
so I patched the Dockerfile to fix the ownership.
Install vim as it is helpful for debugging.
Finally, build the image:
docker build \
--build-arg COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} \
--build-arg COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} \
--build-arg COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} \
-t comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp .
Make a config directory:
mkdir -p /usr1/${USER}/comanage-registry/Config
Create the database config file (the login and password must match the ones the database container was created with):
cat > /usr1/${USER}/comanage-registry/Config/database.php <<"EOF"
<?php
class DATABASE_CONFIG {
public $default = array(
'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => 'comanage-registry-database',
'login' => 'registry_user',
'password' => 'password',
'database' => 'registry',
'prefix' => 'cm_',
);
}
EOF
Create the email config file:
cat > /usr1/${USER}/comanage-registry/Config/email.php <<"EOF"
<?php
class EmailConfig {
public $default = array(
'transport' => 'Smtp',
'host' => 'mx.syr.edu',
'port' => 25
);
}
EOF
Make the config directory and the certs and keys readable by the container:
chgrp -R docker /usr1/${USER}/comanage-registry
chmod -R g+rw /usr1/${USER}/comanage-registry
chmod -R o+r /usr1/${USER}/comanage-registry
chmod g+x /usr1/${USER}/comanage-registry
chmod g+rw /usr1/${USER}/comanage-registry/Config
chmod go+r apache-cert.pem apache-key.pem sp-cert.pem sp-key.pem provider-metadata.xml
docker run -d --name comanage-registry \
-v /usr1/${USER}/comanage-registry:/srv/comanage-registry/local \
--network comanage-registry-internal-network \
-v ${PWD}/apache-cert.pem:/tmp/https_cert_file \
-v ${PWD}/apache-key.pem:/tmp/https_privkey_file \
-v ${PWD}/sp-cert.pem:/tmp/sp-cert.pem \
-v ${PWD}/sp-key.pem:/tmp/sp-key.pem \
-v ${PWD}/provider-metadata.xml:/tmp/provider-metadata.xml \
-e HTTPS_CERT_FILE=/tmp/https_cert_file \
-e HTTPS_PRIVKEY_FILE=/tmp/https_privkey_file \
-e SHIBBOLETH_SP_ENTITY_ID=https://sugwg-osg.phy.syr.edu/shibboleth-sp \
-e SHIBBOLETH_SP_CERT=/tmp/sp-cert.pem \
-e SHIBBOLETH_SP_PRIVKEY=/tmp/sp-key.pem \
-e SERVER_NAME=sugwg-osg.phy.syr.edu \
-e SHIBBOLETH_SP_SAMLDS_URL=https://sugwg-jobs.phy.syr.edu/shibboleth-ds/index.html \
-e SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/tmp/provider-metadata.xml \
-p 80:80 -p 443:443 \
comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp
If everything is working then docker logs comanage-registry should show something like
2019-04-18 23:46:48,693 CRIT Set uid to user 0
2019-04-18 23:46:48,695 INFO supervisord started with pid 1
2019-04-18 23:46:49,697 INFO spawned: 'shibd' with pid 10
2019-04-18 23:46:49,698 INFO spawned: 'apache2' with pid 11
[Thu Apr 18 23:46:50.091197 2019] [mpm_prefork:notice] [pid 11] AH00163: Apache/2.4.10 (Debian) PHP/7.0.33 OpenSSL/1.0.1t configured -- resuming normal operations
[Thu Apr 18 23:46:50.091233 2019] [core:notice] [pid 11] AH00094: Command line: 'apache2 -D FOREGROUND'
2019-04-18 23:46:51,092 INFO success: shibd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-04-18 23:46:51,092 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
It can take about 5 minutes for shibd to initialize on the InCommon metadata, so it is useful to log in with
docker exec -it comanage-registry /bin/bash -l
and run top to see when it is finished checking the signatures on the certs.
To check for cert/key mismatches, run the following inside the container and confirm that the two Modulus= values printed are identical:
root@ce4ee4dcf532:/etc/shibboleth# openssl rsa -noout -modulus -in /etc/shibboleth/sp-key.pem
root@ce4ee4dcf532:/etc/shibboleth# openssl x509 -noout -modulus -in /etc/shibboleth/sp-cert.pem
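As an added example (not part of these notes), a small POSIX shell script that automates the modulus check above for both the SP pair and the Apache pair before the container is started; it assumes openssl is on the PATH and that the files use the names given earlier:

```shell
#!/bin/sh
# Added example, not part of the original notes: confirm that each private
# key given to the container belongs to the certificate it is paired with,
# by comparing RSA moduli exactly as the manual openssl check above does.
# Assumes openssl is on the PATH and the files use the names from these notes.

# Hex modulus of a PEM RSA private key (empty if the file is unreadable).
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null | sed 's/^Modulus=//'
}

# Hex modulus of a PEM X.509 certificate (empty if the file is unreadable).
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null | sed 's/^Modulus=//'
}

# 0 when key and cert share a modulus, 1 on mismatch or when either is unreadable.
keypair_matches() {
    k=$(key_modulus "$1")
    c=$(cert_modulus "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check the two pairs mounted into the container (SP and Apache) found in $1.
# Prints one line per pair; exit status 1 if any pair is wrong.
check_comanage_pairs() {
    dir=${1:-.}
    status=0
    for pair in "sp-key.pem sp-cert.pem" "apache-key.pem apache-cert.pem"; do
        set -- $pair
        if keypair_matches "$dir/$1" "$dir/$2"; then
            echo "OK       $1 matches $2"
        else
            echo "MISMATCH $1 does not match $2"
            status=1
        fi
    done
    return $status
}

# Usage: sh check-pairs.sh DIR (does nothing when no directory is given).
if [ $# -gt 0 ]; then
    check_comanage_pairs "$1"
fi
```

Run it from the directory the docker run command is issued from; a MISMATCH line means the container would start with a key that does not belong to its certificate.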