@duncan-brown
Last active April 19, 2019 02:43
COmanage Docker Container

Setting up COmanage Using a Docker Image

Setup

As root, stop the host's Apache, since the COmanage container will be published on ports 80 and 443 and could not bind them otherwise:

systemctl stop httpd
systemctl disable httpd

The host's Shibboleth daemon is not needed either, since the SP runs inside the container (and its private key is moved into the build directory below):

systemctl stop shibd
systemctl disable shibd

Then make sure the user that is going to do the setup is in the docker group. Keep in mind that docker group membership is effectively root on the host: any member can start a container that mounts the host filesystem, so grant it only to the account doing this setup.

Get code and set the version

Clone the repo and cd into it:

git clone https://github.com/Internet2/comanage-registry-docker.git
cd comanage-registry-docker

Set the COmanage Registry release to build (3.2.1 was the latest release at the time of writing):

export COMANAGE_REGISTRY_VERSION=3.2.1

Build the database container

Build the image:

pushd comanage-registry-postgres
docker build -t comanage-registry-postgres .
popd

Create the bridge network the two containers will share. Docker adds a host route for this subnet, so pick one that does not overlap any network the host already routes to, or traffic for those networks will be swallowed by the bridge:

docker network create --driver=bridge \
  --subnet=192.168.0.0/16 \
  --gateway=192.168.0.100 \
  comanage-registry-internal-network

Make a local directory for the database files and let the docker group write to it:

mkdir -p /usr1/${USER}/postgresql/data
chgrp -R docker /usr1/${USER}/postgresql
chmod -R g+rwx /usr1/${USER}/postgresql

Start the container. No -p flag is given, so the database is reachable only from the host and from other containers on that bridge network, not from outside:

docker run -d --name comanage-registry-database \
  --network comanage-registry-internal-network \
  -v /usr1/${USER}/postgresql/data:/var/lib/postgresql/data \
  comanage-registry-postgres

Check that it is running with

docker logs comanage-registry-database

and confirm the log ends with database system is ready to accept connections.

Prepare the COmanage Container

Generate the Dockerfile for the Shibboleth SP variant from its template:

pushd comanage-registry-shibboleth-sp-base
sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template  > Dockerfile

Copy the host's Shibboleth SP certificate and private key into the build directory. Moving rather than copying the key leaves a single copy on the host; the host's shibd, disabled above, can no longer start without it:

cp /etc/shibboleth/sp-cert.pem .
mv /etc/shibboleth/sp-key.pem .

Note: root is needed to read the key, since /etc/shibboleth/sp-key.pem is not readable by ordinary users.

Reuse the host's grid-security certificate and key as the Apache HTTPS certificate and key (again as root, since the host key is not world-readable):

cat /etc/grid-security/hostcert.pem > apache-cert.pem
cat /etc/grid-security/hostkey.pem > apache-key.pem

Download the InCommon metadata signing certificate and print its fingerprint:

/usr/bin/curl -s https://ds.incommon.org/certs/inc-md-cert.pem \
        | /usr/bin/tee inc-md-cert.pem \
        | /usr/bin/openssl x509 -sha1 -fingerprint -noout

Compare the printed fingerprint with the value InCommon publishes before going any further: shibd will trust any metadata signed by whatever certificate ends up in the image, so this one file anchors the federation trust for the whole SP. Then patch the Dockerfile to COPY it into the image as /etc/shibboleth/inc-md-cert.pem.
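The fingerprint comparison above is done by eye. As an added example (not code from the original gist or the COmanage project), the following script pins the fingerprint instead: the downloaded file is kept only if its SHA-256 fingerprint equals a value obtained out of band, so an unverified certificate can never be COPYed into the image by accident. It assumes openssl and curl are installed; the EXPECTED_FP value in the usage comment is a placeholder, not the real InCommon fingerprint.

```shell
#!/bin/sh
# Added example, not code from the original gist or the COmanage project.
# Pin the fingerprint of a downloaded metadata signing certificate instead of
# only printing it. Assumes openssl (and curl for the fetch helper) are present;
# the expected fingerprint is a value you obtained out of band from InCommon.

# Print the SHA-256 fingerprint of the PEM certificate in $1 (colon-separated hex).
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*Fingerprint=//'
}

# Return 0 if the certificate in $1 has the fingerprint in $2.
# Colons, spaces and letter case are ignored so a value pasted from a web
# page or a PDF still compares correctly.
verify_cert_fingerprint() {
    actual=$(cert_sha256_fingerprint "$1" | tr -d ':' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    if [ -z "$actual" ] || [ "$actual" != "$want" ]; then
        echo "fingerprint mismatch for $1" >&2
        echo "  expected: ${want:-<none>}" >&2
        echo "  actual:   ${actual:-<unreadable>}" >&2
        return 1
    fi
    return 0
}

# Download $1 to $2, keeping the file only if its fingerprint equals $3.
# A mismatch leaves nothing behind, so a build cannot accidentally COPY an
# unverified certificate into the image.
fetch_and_pin_cert() {
    tmp=$(mktemp) || return 1
    if ! curl -fsS -o "$tmp" "$1"; then
        echo "download failed: $1" >&2
        rm -f "$tmp"
        return 1
    fi
    if verify_cert_fingerprint "$tmp" "$3"; then
        mv "$tmp" "$2" && chmod 0644 "$2"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage, with EXPECTED_FP set to the value InCommon publishes:
#   EXPECTED_FP='AA:BB:...'   # hypothetical placeholder; substitute the published value
#   fetch_and_pin_cert https://ds.incommon.org/certs/inc-md-cert.pem inc-md-cert.pem "$EXPECTED_FP"
```

Run it from the comanage-registry-shibboleth-sp-base directory in place of the curl | tee | openssl pipeline; a non-zero exit means no inc-md-cert.pem was written and the Docker build should not proceed.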

Tell COmanage who the admin is

These build arguments create the initial platform administrator. The username must be the identifier the Shibboleth SP will assert for that person (here an eduPersonPrincipalName), or the first login will not be recognised as the admin:

export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Duncan
export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Brown
export COMANAGE_REGISTRY_ADMIN_USERNAME=dabrown@syr.edu

Patch the Dockerfile to fix the Debian apt issue.

I encountered the error

WARNING: the following files are not readable by _shibd
/etc/shibboleth/inc-md-cert.pem
/etc/shibboleth/shibboleth2.xml.template

so I patched the Dockerfile to fix the ownership.

Install vim as it is helpful for debugging.

Finally, build the image

docker build \
  --build-arg COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} \
  --build-arg COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} \
  --build-arg COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} \
  -t comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp .

Set up config files

Make a config directory

mkdir -p /usr1/${USER}/comanage-registry/Config

Create the database config file. The login and password must match the credentials the database container was created with; the values below are the defaults the comanage-registry-postgres image ships with, which is tolerable only because the database is not published on a host port, so change them for anything beyond a test deployment:

cat > /usr1/${USER}/comanage-registry/Config/database.php <<"EOF"
<?php

class DATABASE_CONFIG {

  public $default = array(
    'datasource' => 'Database/Postgres',
    'persistent' => false,
    'host' => 'comanage-registry-database',
    'login' => 'registry_user',
    'password' => 'password',
    'database' => 'registry',
    'prefix' => 'cm_',
  );

}
EOF

Create the email config file. This relays over plain SMTP on port 25 with neither TLS nor authentication, so the relay must be one that accepts unauthenticated mail from this host's address:

cat > /usr1/${USER}/comanage-registry/Config/email.php <<"EOF"
<?php

class EmailConfig {

  public $default = array(
    'transport' => 'Smtp',
    'host' => 'mx.syr.edu',
    'port' => 25
  );
}
EOF

Fix permissions so the container's processes can read the mounted files. Note that the last line makes apache-key.pem and sp-key.pem readable by every account on the host, which is enough to impersonate both the HTTPS server and the SP; on a shared host, chown the key files to the uid that apache2 and shibd run as inside the container rather than opening them to everyone.

chgrp -R docker /usr1/${USER}/comanage-registry
chmod -R g+rw  /usr1/${USER}/comanage-registry
chmod -R o+r /usr1/${USER}/comanage-registry
chmod g+x  /usr1/${USER}/comanage-registry
chmod g+rw  /usr1/${USER}/comanage-registry/Config
chmod go+r apache-cert.pem apache-key.pem sp-cert.pem sp-key.pem provider-metadata.xml

Start the Container

docker run -d --name comanage-registry \
  -v /usr1/${USER}/comanage-registry:/srv/comanage-registry/local \
  --network comanage-registry-internal-network \
  -v ${PWD}/apache-cert.pem:/tmp/https_cert_file \
  -v ${PWD}/apache-key.pem:/tmp/https_privkey_file \
  -v ${PWD}/sp-cert.pem:/tmp/sp-cert.pem \
  -v ${PWD}/sp-key.pem:/tmp/sp-key.pem \
  -v ${PWD}/provider-metadata.xml:/tmp/provider-metadata.xml \
  -e HTTPS_CERT_FILE=/tmp/https_cert_file \
  -e HTTPS_PRIVKEY_FILE=/tmp/https_privkey_file \
  -e SHIBBOLETH_SP_ENTITY_ID=https://sugwg-osg.phy.syr.edu/shibboleth-sp \
  -e SHIBBOLETH_SP_CERT=/tmp/sp-cert.pem \
  -e SHIBBOLETH_SP_PRIVKEY=/tmp/sp-key.pem \
  -e SERVER_NAME=sugwg-osg.phy.syr.edu \
  -e SHIBBOLETH_SP_SAMLDS_URL=https://sugwg-jobs.phy.syr.edu/shibboleth-ds/index.html \
  -e SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/tmp/provider-metadata.xml \
  -p 80:80 -p 443:443 \
  comanage-registry:${COMANAGE_REGISTRY_VERSION}-shibboleth-sp

If everything is working then docker logs comanage-registry should show something like

2019-04-18 23:46:48,693 CRIT Set uid to user 0
2019-04-18 23:46:48,695 INFO supervisord started with pid 1
2019-04-18 23:46:49,697 INFO spawned: 'shibd' with pid 10
2019-04-18 23:46:49,698 INFO spawned: 'apache2' with pid 11
[Thu Apr 18 23:46:50.091197 2019] [mpm_prefork:notice] [pid 11] AH00163: Apache/2.4.10 (Debian) PHP/7.0.33 OpenSSL/1.0.1t configured -- resuming normal operations
[Thu Apr 18 23:46:50.091233 2019] [core:notice] [pid 11] AH00094: Command line: 'apache2 -D FOREGROUND'
2019-04-18 23:46:51,092 INFO success: shibd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-04-18 23:46:51,092 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

Debugging

It can take about 5 minutes for shibd to fetch the InCommon metadata aggregate and verify its signature, so it is useful to log in with

docker exec -it comanage-registry /bin/bash -l

and run top; shibd is finished when it stops consuming CPU on the signature and certificate checks.

To check for a cert/key mismatch, compare the RSA modulus of the key and the certificate; the two Modulus lines must be identical:

root@ce4ee4dcf532:/etc/shibboleth# openssl rsa -noout -modulus -in /etc/shibboleth/sp-key.pem
Modulus=...
root@ce4ee4dcf532:/etc/shibboleth# openssl x509 -noout -modulus -in /etc/shibboleth/sp-cert.pem
Modulus=...
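The same check as a script that can be run against the files in the build directory before docker run, as an added example that is not part of the original gist or the COmanage project. It compares the full SubjectPublicKeyInfo rather than the RSA modulus, so it also works for EC keys, and it additionally flags any private key that other local accounts can read (which is exactly what the chmod go+r in the permissions step does), so that decision is made consciously rather than by accident. The file names are the ones used in this write-up; only openssl and POSIX shell utilities are assumed.

```shell
#!/bin/sh
# Added example, not code from the original gist or the COmanage project.
# Pre-flight checks for the key/cert files bind-mounted into the container.
# Assumes only openssl and POSIX shell utilities; file names match this write-up.

# Return 0 if the private key in $1 belongs to the certificate in $2.
# Both commands emit the SubjectPublicKeyInfo as PEM, so a byte-for-byte
# comparison works for RSA and EC keys alike (the modulus trick is RSA-only).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if "others" have no permission bits on $1, i.e. the key is not
# readable by arbitrary local accounts. Uses ls rather than stat so it behaves
# the same with GNU and BSD userland.
key_not_world_readable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???????---) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks over the files this write-up mounts; non-zero exit on any failure.
preflight() {
    rc=0
    key_matches_cert sp-key.pem sp-cert.pem \
        || { echo "sp-key.pem does not match sp-cert.pem" >&2; rc=1; }
    key_matches_cert apache-key.pem apache-cert.pem \
        || { echo "apache-key.pem does not match apache-cert.pem" >&2; rc=1; }
    for k in sp-key.pem apache-key.pem; do
        key_not_world_readable "$k" \
            || { echo "$k is readable by other users on the host" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "preflight OK"
    return "$rc"
}

# Run the checks only when invoked with the argument "run", e.g.
#   sh preflight.sh run      (from the comanage-registry-shibboleth-sp-base directory)
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

A mismatch here is the same condition the container-side modulus comparison would reveal, but caught before the image is started, and the readability check makes the host-side key exposure visible instead of silently accepted.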