diff --git a/docker/hadolint.yml b/docker/hadolint.yml
index 5756be618..6fb0b82c1 100644
--- a/docker/hadolint.yml
+++ b/docker/hadolint.yml
@@ -1,2 +1,6 @@
 ignored:
+  - DL3008
+  - DL3009
+  - DL3015
+  - DL3025
   - DL3059
diff --git a/docker/images/davrods/Dockerfile b/docker/images/davrods/Dockerfile
index e6cd745d6..725ef772d 100644
--- a/docker/images/davrods/Dockerfile
+++ b/docker/images/davrods/Dockerfile
@@ -1,4 +1,4 @@
-FROM centos:7
+FROM ubuntu:20.04
 LABEL maintainer="Yoda team "
 
 # Network settings
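Review bot: Ignoring DL3008, DL3009 and DL3015 repository-wide silences exactly the checks that the converted Dockerfiles in this commit trip (`RUN apt-get install -y wget` with no version pin and no `--no-install-recommends`, and `apt-get update` in its own layer with the package lists never removed), so a clean lint run no longer says anything about the image's supply-chain posture. I would keep DL3008 ignored if pinning every apt package is impractical here, but leave DL3009 and DL3015 active and fix the handful of RUN lines, or use per-line `# hadolint ignore=DL3009` pragmas with a reason so each exception is reviewed rather than blanket-approved. The `# hadolint ignore=DL3033` pragmas left above the apt-get lines refer to the yum version-pinning rule and are now dead; drop them or replace them with the apt rule actually being suppressed.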
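Review bot: `FROM ubuntu:20.04` is pinned only by tag, so every rebuild silently picks up whatever the tag points at that day; since the rest of the image sideloads packages and repository keys by hand, pin the base by digest (`FROM ubuntu:20.04@sha256:<digest>`) and bump it deliberately. Ubuntu 20.04 is also near the end of its standard support window, so the choice of release deserves a one-line comment; presumably the constraint is the iRODS 4.2.12 packages, which the next hunk installs from the bionic repository, and saying so tells the next maintainer what has to change before moving to 22.04. The Dockerfile continues outside this hunk.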
@@ -7,56 +7,87 @@ EXPOSE 443 # Application settings ARG TAG=development -ENV IRODS_VERSION="4.2.12" -ENV YUM_REPO_FILE_LOC "https://packages.irods.org/renci-irods.yum.repo" -ENV YUM_IRODS_REPO_SIGNING_KEY_LOC="https://packages.irods.org/irods-signing-key.asc" -ENV DAVRODS_RPM_URL="https://github.com/UtrechtUniversity/davrods/releases/download/4.2.12_1.5.1/" -ENV DAVRODS_RPM_PACKAGE="davrods-4.2.12_1.5.1-1.rpm" +ENV IRODS_PACKAGE_VERSION="4.2.12-1~bionic" +ENV APT_REPO_CONFIG="deb [arch=amd64] https://packages.irods.org/apt/ bionic main" +ENV APT_IRODS_REPO_SIGNING_KEY_LOC="https://packages.irods.org/irods-signing-key.asc" +ENV DAVRODS_APT_URL="https://github.com/UtrechtUniversity/davrods/releases/download/4.2.12_1.5.1" +ENV DAVRODS_APT_PACKAGE="davrods-4.2.12-1.5.1.deb" +ENV DEBIAN_FRONTEND="noninteractive" + +# Update packages +RUN apt-get update # Install common tools # hadolint ignore=DL3033 -RUN yum install -y epel-release wget && \ - yum clean all +RUN apt-get install -y wget + +# Install Python 3 +# hadolint ignore=DL3033 +RUN apt-get install -y gcc python3 python3-dev python3-pip python3-virtualenv \ + python3-wheel python3.8-venv # Install and configure Apache # hadolint ignore=DL3033 -RUN yum -y install httpd httpd-devel mod_ssl openssl && yum clean all -RUN rm /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.modules.d/00-lua.conf -COPY httpd.conf /etc/httpd/conf/httpd.conf -COPY ssl.conf /etc/httpd/conf.d/ssl.conf +RUN apt-get install -y apache2 apache2-dev openssl +RUN ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load +COPY apache2.conf /etc/apache2/apache2.conf +COPY ssl.conf /etc/apache2/mods-available/ssl.conf +RUN ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load +RUN ln -s /etc/apache2/mods-available/dav.load /etc/apache2/mods-enabled/dav.load +RUN ln -s /etc/apache2/mods-available/dav_fs.load /etc/apache2/mods-enabled/dav_fs.load +RUN ln -s /etc/apache2/mods-available/dav_lock.load 
/etc/apache2/mods-enabled/dav_lock.load +RUN ln -s /etc/apache2/mods-available/davrods.load /etc/apache2/mods-enabled/davrods.load +# Install iRODS dependencies +RUN apt-get -y install aptitude libboost-locale-dev libpython2-stdlib libpython2.7-minimal \ + libpython2.7-stdlib \ + python-is-python2 python-six python2 python2-minimal python2.7 python2.7-minimal \ + python-certifi python-chardet python-idna python-pkg-resources python-setuptools +ENV PY_URLLIB_PREFIX="http://security.ubuntu.com/ubuntu/pool/main/p/python-urllib3" +ENV PY_URLLIB_FILENAME="python-urllib3_1.22-1ubuntu0.18.04.2_all.deb" +ENV PY_REQUESTS_PREFIX="http://security.ubuntu.com/ubuntu/pool/main/r/requests" +ENV PY_REQUESTS_FILENAME="python-requests_2.18.4-2ubuntu0.1_all.deb" +ENV OPENSSL_PREFIX="http://security.ubuntu.com/ubuntu/pool/main/o/openssl1.0" +ENV OPENSSL_FILENAME="libssl1.0.0_1.0.2n-1ubuntu5.13_amd64.deb" +RUN wget -q ${PY_URLLIB_PREFIX}/${PY_URLLIB_FILENAME} && \ + wget -q ${PY_REQUESTS_PREFIX}/${PY_REQUESTS_FILENAME} && \ + wget -q ${OPENSSL_PREFIX}/${OPENSSL_FILENAME} && \ + dpkg -i ${PY_URLLIB_FILENAME} && \ + dpkg -i ${PY_REQUESTS_FILENAME} && \ + dpkg -i ${OPENSSL_FILENAME} && \ + rm ${PY_URLLIB_FILENAME} && \ + rm ${PY_REQUESTS_FILENAME} && \ + rm ${OPENSSL_FILENAME} + # Install iRODS components: iCommands and runtime SHELL ["/bin/bash", "-o", "pipefail", "-c"] # hadolint ignore=DL3033 -RUN yum install -y epel-release wget git && \ - yum clean all && \ - useradd -d /var/lib/irods irods && \ - rpm --import "$YUM_IRODS_REPO_SIGNING_KEY_LOC" && \ - yum update -y ca-certificates && \ - wget -qO - "$YUM_REPO_FILE_LOC" | tee /etc/yum.repos.d/renci-irods.yum.repo && \ - yum -y update && \ - for package in irods-runtime irods-icommands ; \ - do echo "Installing package ${package} and its dependencies ..."; \ - yum -y install "$package-${IRODS_VERSION}" && yum clean all; \ - done && \ - yum clean all +RUN useradd -d /var/lib/irods irods && \ + wget -qO - "$APT_IRODS_REPO_SIGNING_KEY_LOC" 
| apt-key add - && \ + echo "$APT_REPO_CONFIG" | tee /etc/apt/sources.list.d/irods.list && \ + apt-get update && \ + apt-cache policy irods-runtime && \ + apt-cache policy irods-icommands && \ + apt-get -y install irods-runtime=${IRODS_PACKAGE_VERSION} irods-icommands=${IRODS_PACKAGE_VERSION} # Install DavRODS and its dependencies # hadolint ignore=DL3033 -RUN yum -y install boost jansson && yum clean all && \ +RUN apt-get -y install libboost-all-dev libjansson4 && \ mkdir /download && \ - wget -q "$DAVRODS_RPM_URL/$DAVRODS_RPM_PACKAGE" -O "/download/$DAVRODS_RPM_PACKAGE" && \ - rpm -ivh "/download/$DAVRODS_RPM_PACKAGE" + wget -q "$DAVRODS_APT_URL/$DAVRODS_APT_PACKAGE" -O "/download/$DAVRODS_APT_PACKAGE" && \ + dpkg -i "/download/$DAVRODS_APT_PACKAGE" # Copy DavRODS VHost and iRODS configuration files -COPY davrods-vhost.conf /etc/httpd/conf.d/davrods-vhost.conf -COPY davrods-anonymous-vhost.conf /etc/httpd/conf.d/davrods-anonymous-vhost.conf -COPY irods_environment.json /etc/httpd/irods/irods_environment.json +COPY davrods-vhost.conf /etc/apache2/stes-available/davrods-vhost.conf +COPY davrods-anonymous-vhost.conf /etc/apache2/sites-available/davrods-anonymous-vhost.conf +RUN ln -s /etc/apache2/sites-available/davrods-vhost.conf /etc/apache2/sites-enabled/davrods-vhost.conf +RUN ln -s /etc/apache2/sites-available/davrods-anonymous-vhost.conf /etc/apache2/sites-enabled/davrods-anonymous-vhost.conf +COPY irods_environment.json /etc/apache2/irods/irods_environment.json # Copy DavRODS theming files -COPY header.html /etc/httpd/irods/header.html -COPY head.html /etc/httpd/irods/head.html -COPY footer.html /etc/httpd/irods/footer.html +COPY header.html /etc/apache2/irods/header.html +COPY head.html /etc/apache2/irods/head.html +COPY footer.html /etc/apache2/irods/footer.html # Initialize VOLUME [ "/sys/fs/cgroup" ] diff --git a/docker/images/davrods/apache2.conf b/docker/images/davrods/apache2.conf new file mode 100644 index 000000000..672b38428 --- /dev/null 
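Review bot: `COPY davrods-vhost.conf /etc/apache2/stes-available/davrods-vhost.conf` misspells the directory, so the `ln -s` two lines later creates a dangling symlink in sites-enabled and the authenticated DavRODS vhost is never loaded (only the anonymous vhost is); it should read `COPY davrods-vhost.conf /etc/apache2/sites-available/davrods-vhost.conf`. The three bionic `.deb` files (python-urllib3, python-requests and libssl1.0.0 1.0.2n) are fetched over plain `http://` and installed with `dpkg -i`, which performs no signature check, so a network-level attacker or a silently changed archive path can put arbitrary code into the image; switch the three `*_PREFIX` URLs to `https://` and verify a pinned SHA-256 before dpkg, as sketched below, or add the bionic pocket as a pinned apt source so apt's signature chain covers them. `apt-key add -` is deprecated on 20.04 and drops the iRODS key into the global trusted keyring, where it can sign any configured repository; write it to `/etc/apt/keyrings/irods.asc` and reference it with `[arch=amd64 signed-by=/etc/apt/keyrings/irods.asc]` in `APT_REPO_CONFIG`. Presumably the bionic packages are needed because iRODS 4.2.12 has no focal build; that deserves a comment, since OpenSSL 1.0.2 has been end-of-life upstream since the end of 2019 and 18.04 itself left standard support in 2023.
```dockerfile
# Pinned SHA-256 of each sideloaded bionic .deb; refresh whenever a filename above changes.
# An empty value makes sha256sum -c fail, so the build fails closed rather than skipping the check.
ARG PY_URLLIB_SHA256
ARG PY_REQUESTS_SHA256
ARG OPENSSL_SHA256
RUN wget -q "${PY_URLLIB_PREFIX}/${PY_URLLIB_FILENAME}" && \
    wget -q "${PY_REQUESTS_PREFIX}/${PY_REQUESTS_FILENAME}" && \
    wget -q "${OPENSSL_PREFIX}/${OPENSSL_FILENAME}" && \
    printf '%s  %s\n' \
        "${PY_URLLIB_SHA256}"   "${PY_URLLIB_FILENAME}" \
        "${PY_REQUESTS_SHA256}" "${PY_REQUESTS_FILENAME}" \
        "${OPENSSL_SHA256}"     "${OPENSSL_FILENAME}" | sha256sum -c - && \
    dpkg -i "${PY_URLLIB_FILENAME}" "${PY_REQUESTS_FILENAME}" "${OPENSSL_FILENAME}" && \
    rm -f "${PY_URLLIB_FILENAME}" "${PY_REQUESTS_FILENAME}" "${OPENSSL_FILENAME}"
# … unchanged: iRODS repository setup and package installation …
```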
+++ b/docker/images/davrods/apache2.conf 
@@ -0,0 +1,276 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "logs/access_log" common + + + +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. 
This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin root@localhost + +# ServerTokens Directive +# Configures the Server HTTP response header +ServerTokens ProductOnly + +# TraceEnable Directive +# Determines the behaviour on TRACE requests +TraceEnable off + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults if commented: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +EnableSendfile on + +# X-Frame-Options +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +Header always append X-Frame-Options DENY + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/docker/images/davrods/davrods-anonymous-vhost.conf b/docker/images/davrods/davrods-anonymous-vhost.conf index 6eff46cf8..7614df442 100644 --- a/docker/images/davrods/davrods-anonymous-vhost.conf +++ b/docker/images/davrods/davrods-anonymous-vhost.conf @@ -66,7 +66,7 @@ # iRODS server, the values specified in the iRODS environment file are # NOT used. # - DavRodsEnvFile /etc/httpd/irods/irods_environment.json + DavRodsEnvFile /etc/apache2/irods/irods_environment.json # The following options can be used to customize davrods for your environment. # These options and their default values are provided below. 
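Review bot: `ServerTokens ProductOnly` and `TraceEnable off` sit above `IncludeOptional conf-enabled/*.conf`, and on Debian/Ubuntu the apache2 package enables conf-available/security.conf by default, which sets `ServerTokens OS` and `ServerSignature On`; the later directive wins at server scope, so unless that snippet is disabled the Server header will still advertise the OS. Either move the hardening directives below the include, or run `a2disconf security` in the Dockerfile, and add `ServerSignature Off` explicitly in either case. `Header always append X-Frame-Options DENY` merges with any X-Frame-Options a vhost or snippet also emits, and a multi-valued X-Frame-Options is undefined and was historically ignored by some browsers; `Header always set X-Frame-Options DENY` is the safe form for a header that admits a single value. The `combined` and `common` formats put `%{X-Forwarded-For}i` in the first column even though the comment just above says this is discouraged; the value is client-supplied, so any tooling keyed on the first field (fail2ban, rate limiting) can be fed spoofed addresses — prefer mod_remoteip with a trusted proxy list and log `%a` instead.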
@@ -183,14 +183,14 @@ # - DavRodsHtmlHeader is inserted at the top of the listing's BODY tag. # - DavRodsHtmlFooter is inserted at the bottom of the listing's BODY tag. # - # Example HTML files are provided in /etc/httpd/irods. You should edit these + # Example HTML files are provided in /etc/apache2/irods. You should edit these # before enabling them. # # To see an example, uncomment the following three lines: # - DavRodsHtmlHead "/etc/httpd/irods/head.html" - DavRodsHtmlHeader "/etc/httpd/irods/header.html" - DavRodsHtmlFooter "/etc/httpd/irods/footer.html" + DavRodsHtmlHead "/etc/apache2/irods/head.html" + DavRodsHtmlHeader "/etc/apache2/irods/header.html" + DavRodsHtmlFooter "/etc/apache2/irods/footer.html" # Depending on file type, web browser clients will either display # files directly or offer a download to the user. @@ -216,7 +216,7 @@ SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog SetEnvIf Request_URI "^/favicon\.ico$" dontlog SetEnvIf Request_Method "^OPTIONS$" dontlog - CustomLog /var/log/httpd/webdav_anon_access.log common env=!dontlog + CustomLog /var/log/apache2/webdav_anon_access.log common env=!dontlog # HSTS (mod_headers is required) (31536000 seconds = 1 year) Header always set Strict-Transport-Security "max-age=31536000" @@ -226,12 +226,12 @@ # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. - SSLCertificateFile /etc/pki/tls/certs/localhost_and_chain.crt + SSLCertificateFile /etc/ssl/certs/localhost_and_chain.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + SSLCertificateKeyFile /etc/ssl/private/localhost.key 
diff --git a/docker/images/davrods/davrods-vhost.conf b/docker/images/davrods/davrods-vhost.conf index e032de8ca..5148dbdab 100644 --- a/docker/images/davrods/davrods-vhost.conf +++ b/docker/images/davrods/davrods-vhost.conf @@ -64,7 +64,7 @@ # iRODS server, the values specified in the iRODS environment file are # NOT used. # - DavRodsEnvFile /etc/httpd/irods/irods_environment.json + DavRodsEnvFile /etc/apache2/irods/irods_environment.json # The following options can be used to customize davrods for your environment. # These options and their default values are provided below. @@ -181,14 +181,14 @@ # - DavRodsHtmlHeader is inserted at the top of the listing's BODY tag. # - DavRodsHtmlFooter is inserted at the bottom of the listing's BODY tag. # - # Example HTML files are provided in /etc/httpd/irods. You should edit these + # Example HTML files are provided in /etc/apache2/irods. You should edit these # before enabling them. # # To see an example, uncomment the following three lines: # - DavRodsHtmlHead "/etc/httpd/irods/head.html" - DavRodsHtmlHeader "/etc/httpd/irods/header.html" - DavRodsHtmlFooter "/etc/httpd/irods/footer.html" + DavRodsHtmlHead "/etc/apache2/irods/head.html" + DavRodsHtmlHeader "/etc/apache2/irods/header.html" + DavRodsHtmlFooter "/etc/apache2/irods/footer.html" # Depending on file type, web browser clients will either display # files directly or offer a download to the user. @@ -217,7 +217,7 @@ SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog SetEnvIf Request_URI "^/favicon\.ico$" dontlog SetEnvIf Request_Method "^OPTIONS$" dontlog - CustomLog /var/log/httpd/webdav_access.log common env=!dontlog + CustomLog /var/log/apache2/webdav_access.log common env=!dontlog # HSTS (mod_headers is required) (31536000 seconds = 1 year) Header always set Strict-Transport-Security "max-age=31536000" 
@@ -227,12 +227,12 @@ # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. - SSLCertificateFile /etc/pki/tls/certs/localhost_and_chain.crt + SSLCertificateFile /etc/ssl/certs/localhost_and_chain.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + SSLCertificateKeyFile /etc/ssl/private/localhost.key diff --git a/docker/images/davrods/davrods_init.sh b/docker/images/davrods/davrods_init.sh index a77b6a048..223486543 100755 --- a/docker/images/davrods/davrods_init.sh +++ b/docker/images/davrods/davrods_init.sh @@ -22,8 +22,8 @@ function progress_update { } function start_service { - /usr/sbin/httpd -DFOREGROUND || true - echo "Error: http either terminated or would not start. Keeping container running for troubleshooting purposes." + apache2ctl -D FOREGROUND || true + echo "Error: Apache either terminated or would not start. Keeping container running for troubleshooting purposes." sleep infinity } 
@@ -41,10 +41,10 @@ progress_update "Downloaded certificate bundle." before_update "Extracting certificate data" cd /download tar xvfz "${DATA_VERSION}.certbundle.tar.gz" -install -m 0644 docker.pem /etc/pki/tls/certs/localhost.crt -install -m 0644 docker.pem /etc/pki/tls/certs/localhost_and_chain.crt -install -m 0644 docker.key /etc/pki/tls/private/localhost.key -install -m 0644 dhparam.pem /etc/pki/tls/private/dhparams.pem +install -m 0644 docker.pem /etc/ssl/certs/localhost.crt +install -m 0644 docker.pem /etc/ssl/certs/localhost_and_chain.crt +install -m 0644 docker.key /etc/ssl/private/localhost.key +install -m 0644 dhparam.pem /etc/ssl/private/dhparams.pem progress_update "Certificate data extracted" # Start Apache diff --git a/docker/images/davrods/httpd.conf b/docker/images/davrods/httpd.conf deleted file mode 100644 index b037256b8..000000000 --- a/docker/images/davrods/httpd.conf +++ /dev/null 
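Review bot: `install -m 0644 docker.key /etc/ssl/private/localhost.key` installs the TLS private key world-readable; the new location only protects it while `/etc/ssl/private` keeps Debian's 0710 root:ssl-cert mode, which a later `chmod`, a bind mount or a non-Debian base would undo. Apache opens the key as root before dropping to `${APACHE_RUN_USER}`, so `install -m 0600 docker.key /etc/ssl/private/localhost.key` costs nothing; the DH parameters are public and may stay 0644. The bundle is also extracted with a bare `tar xvfz` into `/download` with no member check — that is pre-existing, but a comment naming where the bundle comes from and why it is trusted would help the next reader.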
@@ -1,365 +0,0 @@ -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so 'log/access_log' -# with ServerRoot set to '/www' will be interpreted by the -# server as '/www/log/access_log', where as '/log/access_log' will be -# interpreted as '/log/access_log'. - -# ServerTokens Directive -# Configures the Server HTTP response header -ServerTokens ProductOnly - -# TraceEnable Directive -# Determines the behaviour on TRACE requests -TraceEnable off - -# X-Frame-Options -# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -Header always append X-Frame-Options DENY - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "/etc/httpd" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. 
-# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. -# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -Include conf.modules.d/*.conf - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User apache -Group apache - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin root@localhost - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. 
-# -#ServerName www.example.com:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -DocumentRoot "/var/www/html" - -# -# Relax access to content within /var/www. -# - - AllowOverride None - # Allow open access: - Require all granted - - -# Further relax access to the default document root: - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - # - AllowOverride None - - # - # Controls who can get stuff from this server. - # - Require all granted - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.html - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. 
-# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog "logs/error_log" - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - #CustomLog "logs/access_log" common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog "logs/access_log" combined - - - - # - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. 
- # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - # - ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" - - - -# -# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) 
- # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. - # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset UTF-8 - - - # - # The mod_mime_magic module allows the server to use various hints from the - # contents of the file itself to determine its type. The MIMEMagicFile - # directive tells the module where the hint definitions are located. - # - MIMEMagicFile conf/magic - - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults if commented: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -EnableSendfile on - -# Supplemental configuration -# -# Load config files in the "/etc/httpd/conf.d" directory, if any. -IncludeOptional conf.d/*.conf diff --git a/docker/images/yoda_eus/02-wsgi.conf b/docker/images/yoda_eus/02-wsgi.conf deleted file mode 100644 index 19f356756..000000000 
--- a/docker/images/yoda_eus/02-wsgi.conf +++ /dev/null @@ -1 +0,0 @@ -LoadModule wsgi_module modules/mod_wsgi.so diff --git a/docker/images/yoda_eus/Dockerfile b/docker/images/yoda_eus/Dockerfile index 14015c020..9d32c0275 100644 --- a/docker/images/yoda_eus/Dockerfile +++ b/docker/images/yoda_eus/Dockerfile @@ -1,4 +1,4 @@ -FROM centos:7 +FROM ubuntu:20.04 LABEL maintainer="Yoda team " # Application settings 
@@ -7,58 +7,58 @@ ENV YODA_EUS_REPO "https://github.com/UtrechtUniversity/yoda-external-user-servi ENV YODA_EUS_BRANCH "$TAG" ENV YODA_PORTAL_REPO "https://github.com/UtrechtUniversity/yoda-portal.git" ENV YODA_PORTAL_BRANCH "$TAG" +ENV DEBIAN_FRONTEND="noninteractive" +SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Network settings EXPOSE 80 EXPOSE 443 +# Update packages +RUN apt-get update + # Install common tools (PostgreSQL is needed for psql commands in init script) # hadolint ignore=DL3033 -RUN yum install -y epel-release wget git nc && \ - yum clean all - -# Update packages -RUN yum update -y +RUN apt-get install -y wget git netcat gnupg # Install PostgreSQL 15 for checks whether database container is up, as well as troubleshooting # hadolint ignore=DL3033 -RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \ - yum -y install libzstd-devel postgresql15 && \ - yum clean all +RUN wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - +RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list +RUN apt-get update +RUN apt-get -y install postgresql-15 python3-psycopg2 acl # Install Python 3 # hadolint ignore=DL3033 -RUN yum -y install centos-release-scl gcc python-virtualenv && \ - yum -y install --enablerepo centos-sclo-rh \ - rh-python38-python rh-python38-python-devel rh-python38-python-libs \ - rh-python38-python-pip rh-python38-python-pip-wheel && yum clean all && \ - ln -s /opt/rh/rh-python38/root/bin/pip3 /usr/local/bin/pip3 && \ - ln -s /opt/rh/rh-python38/root/bin/python3 /usr/local/bin/python33 && \ - /usr/local/bin/pip3 install virtualenv +RUN apt-get install -y gcc python3 python3-dev python3-pip python3-virtualenv \ + python3-wheel python3.8-venv virtualenv # Install and configure Apache # hadolint ignore=DL3033 -RUN yum -y install httpd httpd-devel mod_ssl openssl && yum clean all -RUN rm 
/etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.modules.d/00-lua.conf -COPY httpd.conf /etc/httpd/conf/httpd.conf -COPY ssl.conf /etc/httpd/conf.d/ssl.conf +RUN apt-get install -y apache2 apache2-dev openssl +RUN ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load +COPY apache2.conf /etc/apache2/apache2.conf +COPY ssl.conf /etc/apache2/mods-available/ssl.conf +RUN ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load -# Install and configure Apache ModWSGI -RUN yum -y install --enablerepo centos-sclo-rh rh-python38-python-mod_wsgi && yum clean all -COPY 02-wsgi.conf /etc/httpd/conf.modules.d/02-wsgi.conf -RUN ln -s /opt/rh/rh-python38/root/usr/lib64/python3.8/site-packages/mod_wsgi/server/mod_wsgi-py38.cpython-38-x86_64-linux-gnu.so /usr/lib64/httpd/modules/mod_wsgi.so +# Install Apache ModWSGI +RUN apt-get install -y libapache2-mod-wsgi-py3 # Yoda EUS (and portal for theming data) -ENV C_INCLUDE_PATH /opt/rh/rh-python38/root/usr/include/python3.8 RUN useradd yodadeployment && \ + mkdir /home/yodadeployment && \ + chown yodadeployment:yodadeployment /home/yodadeployment && \ mkdir /var/www/yoda /var/www/extuser && \ chown yodadeployment:yodadeployment /var/www/yoda /var/www/extuser && \ git clone --branch $YODA_EUS_BRANCH $YODA_EUS_REPO /var/www/extuser/yoda-external-user-service && \ - git clone --branch $YODA_PORTAL_BRANCH $YODA_PORTAL_REPO /var/www/yoda -COPY yoda-external-user-service-vhost.conf /etc/httpd/conf.d/yoda-external-user-service-vhost.conf -RUN virtualenv --python /opt/rh/rh-python38/root/bin/python3 /var/www/extuser/yoda-external-user-service/venv && \ - /var/www/extuser/yoda-external-user-service/venv/bin/pip3 install pip==23.0.1 && \ - /var/www/extuser/yoda-external-user-service/venv/bin/pip3 install /var/www/extuser/yoda-external-user-service + git clone --branch $YODA_PORTAL_BRANCH $YODA_PORTAL_REPO /var/www/yoda && \ + git config --global --add safe.directory /var/www/yoda && \ + git 
config --global --add safe.directory /var/www/yoda-external-user-service +COPY yoda-external-user-service-vhost.conf /etc/apache2/sites-available/003-yoda-eus-vhost.conf +RUN ln -s /etc/apache2/sites-available/003-yoda-eus-vhost.conf /etc/apache2/sites-enabled/003-yoda-eus-vhost.conf +RUN virtualenv --python /usr/bin/python3 /var/www/extuser/yoda-external-user-service/venv && \ + /var/www/extuser/yoda-external-user-service/venv/bin/pip3 install --no-cache-dir pip==23.0.1 && \ + /var/www/extuser/yoda-external-user-service/venv/bin/pip3 install --no-cache-dir /var/www/extuser/yoda-external-user-service # Make copy of data on volumes that can optionally be bind mounted, so the container init script # can restore it if needed. diff --git a/docker/images/yoda_eus/apache2.conf b/docker/images/yoda_eus/apache2.conf new file mode 100644 index 000000000..672b38428 --- /dev/null +++ b/docker/images/yoda_eus/apache2.conf 
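Review bot: The second `git config --global --add safe.directory` entry names `/var/www/yoda-external-user-service`, but the repository was cloned into `/var/www/extuser/yoda-external-user-service`, so that exemption never matches; change it to `git config --global --add safe.directory /var/www/extuser/yoda-external-user-service`. Because it is written with `--global` while the build runs as root, it only lands in root's gitconfig, which is presumably not the account that later runs the service — worth confirming against the init script. The PostgreSQL signing key is added with `apt-key add -`, which trusts it for every configured repository; prefer a dedicated keyring, `wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /usr/share/keyrings/pgdg.gpg` and `deb [signed-by=/usr/share/keyrings/pgdg.gpg] http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main` in the sources entry (gnupg is already installed in this hunk). `ENV DEBIAN_FRONTEND="noninteractive"` persists into the running container's environment, here and in the yoda_irods_icat Dockerfile hunk further down; `ARG DEBIAN_FRONTEND=noninteractive` keeps it build-only while still applying to every `apt-get` step in the stage.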
@@ -0,0 +1,276 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "logs/access_log" common + + + +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. 
This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin root@localhost + +# ServerTokens Directive +# Configures the Server HTTP response header +ServerTokens ProductOnly + +# TraceEnable Directive +# Determines the behaviour on TRACE requests +TraceEnable off + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults if commented: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +EnableSendfile on + +# X-Frame-Options +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +Header always append X-Frame-Options DENY + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/docker/images/yoda_eus/httpd.conf b/docker/images/yoda_eus/httpd.conf deleted file mode 100644 index b037256b8..000000000 --- a/docker/images/yoda_eus/httpd.conf +++ /dev/null 
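Review bot: The directory block that sets `Options Indexes FollowSymLinks` (its enclosing tag did not survive extraction, presumably `<Directory /var/www/>`) enables automatic directory listings wherever no index file exists, which exposes file names under the document root; unless listings are intended, change it to `Options FollowSymLinks`. `Header always append X-Frame-Options DENY` relies on mod_headers, which the Dockerfile enables by symlinking headers.load, so a comment such as `# requires mod_headers (enabled in the Dockerfile)` would keep the two files in step. `CustomLog` is left commented out here, so access logging depends entirely on the vhost configuration; if it is not defined there, requests go unlogged.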
@@ -1,365 +0,0 @@ -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so 'log/access_log' -# with ServerRoot set to '/www' will be interpreted by the -# server as '/www/log/access_log', where as '/log/access_log' will be -# interpreted as '/log/access_log'. - -# ServerTokens Directive -# Configures the Server HTTP response header -ServerTokens ProductOnly - -# TraceEnable Directive -# Determines the behaviour on TRACE requests -TraceEnable off - -# X-Frame-Options -# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -Header always append X-Frame-Options DENY - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "/etc/httpd" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. 
-# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. -# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -Include conf.modules.d/*.conf - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User apache -Group apache - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin root@localhost - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. 
-# -#ServerName www.example.com:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -DocumentRoot "/var/www/html" - -# -# Relax access to content within /var/www. -# - - AllowOverride None - # Allow open access: - Require all granted - - -# Further relax access to the default document root: - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - # - AllowOverride None - - # - # Controls who can get stuff from this server. - # - Require all granted - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.html - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. 
-# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog "logs/error_log" - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - #CustomLog "logs/access_log" common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog "logs/access_log" combined - - - - # - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. 
- # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - # - ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" - - - -# -# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) 
- # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. - # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset UTF-8 - - - # - # The mod_mime_magic module allows the server to use various hints from the - # contents of the file itself to determine its type. The MIMEMagicFile - # directive tells the module where the hint definitions are located. - # - MIMEMagicFile conf/magic - - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults if commented: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -EnableSendfile on - -# Supplemental configuration -# -# Load config files in the "/etc/httpd/conf.d" directory, if any. -IncludeOptional conf.d/*.conf 
diff --git a/docker/images/yoda_eus/yoda-external-user-service-vhost.conf b/docker/images/yoda_eus/yoda-external-user-service-vhost.conf index 809cd9137..b898597a8 100644 --- a/docker/images/yoda_eus/yoda-external-user-service-vhost.conf +++ b/docker/images/yoda_eus/yoda-external-user-service-vhost.conf @@ -35,14 +35,14 @@ # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. - SSLCertificateFile /etc/pki/tls/certs/localhost_and_chain.crt + SSLCertificateFile /etc/ssl/certs/localhost_and_chain.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + SSLCertificateKeyFile /etc/ssl/private/localhost.key Listen 8443 @@ -74,12 +74,12 @@ Listen 8443 # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. - SSLCertificateFile /etc/pki/tls/certs/localhost_and_chain.crt + SSLCertificateFile /etc/ssl/certs/localhost_and_chain.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + SSLCertificateKeyFile /etc/ssl/private/localhost.key diff --git a/docker/images/yoda_eus/yoda_eus_init.sh b/docker/images/yoda_eus/yoda_eus_init.sh index b64d52a89..081f43551 100644 --- a/docker/images/yoda_eus/yoda_eus_init.sh +++ b/docker/images/yoda_eus/yoda_eus_init.sh 
@@ -22,8 +22,8 @@ function progress_update {
 }
 
 function start_service {
- /usr/sbin/httpd -DFOREGROUND || true
- echo "Error: http either terminated or would not start. Keeping container running for troubleshooting purposes."
+ apache2ctl -D FOREGROUND || true
+ echo "Error: Apache either terminated or would not start. Keeping container running for troubleshooting purposes."
 sleep infinity
 }
 
@@ -42,10 +42,10 @@ progress_update "Downloaded certificate bundle."
 before_update "Extracting certificate data"
 cd /download
 tar xvfz "${DATA_VERSION}.certbundle.tar.gz"
-install -m 0644 docker.pem /etc/pki/tls/certs/localhost.crt
-install -m 0644 docker.pem /etc/pki/tls/certs/localhost_and_chain.crt
-install -m 0644 docker.key /etc/pki/tls/private/localhost.key
-install -m 0644 dhparam.pem /etc/pki/tls/private/dhparams.pem
+install -m 0644 docker.pem /etc/ssl/certs/localhost.crt
+install -m 0644 docker.pem /etc/ssl/certs/localhost_and_chain.crt
+install -m 0644 docker.key /etc/ssl/private/localhost.key
+install -m 0644 dhparam.pem /etc/ssl/private/dhparams.pem
 progress_update "Certificate data extracted"
 
 CURRENT_UID="$(id -u yodadeployment)"
diff --git a/docker/images/yoda_irods_icat/Dockerfile b/docker/images/yoda_irods_icat/Dockerfile
index 7089de89b..805bce8e8 100644
--- a/docker/images/yoda_irods_icat/Dockerfile
+++ b/docker/images/yoda_irods_icat/Dockerfile
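Review bot: The rewritten `install` line for the TLS private key keeps mode 0644, so `docker.key` lands in `/etc/ssl/private/localhost.key` readable by every local account (the directory's own mode on Debian may limit this, but the file should not rely on it); use `install -m 0600 docker.key /etc/ssl/private/localhost.key`, which is sufficient because Apache reads the key as root before dropping privileges. `cd /download` and `tar xvfz` are not checked for failure, so a missing or corrupt bundle still reaches the install lines; whether the script runs under `set -e` is outside the hunk. In `start_service` the echo and `sleep infinity` run unconditionally after `apache2ctl -D FOREGROUND || true`, so a clean exit (for example on a graceful stop) also leaves the container idle rather than stopping — presumably intended for troubleshooting, but worth a comment on that line.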
@@ -1,19 +1,22 @@
-FROM centos:7
+FROM ubuntu:20.04
 LABEL maintainer="Yoda team "
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # Application settings
 ARG TAG=development
-ENV IRODS_VERSION "4.2.12"
-ENV IRODS_PREP_VERSION "4.2.12.0"
-ENV IRODS_INDEX_VERSION "4.2.12.0-1"
-ENV IRODS_SUDO_MSVC_VERSION "4.2.12_1.0.0"
+ENV IRODS_VERSION "4.2.12-1~bionic"
+ENV IRODS_PREP_VERSION "4.2.12.0-1~bionic"
+ENV IRODS_INDEX_VERSION "4.2.12.0-1~bionic"
+ENV IRODS_MSVC_IRODS_VERSION "4.2.12"
+ENV IRODS_SUDO_MSVC_VERSION "1.0.0"
 ENV IRODS_UU_MSVC_VERSION "1.0.0"
 ENV IRODS_UU_MSVC_VERSION_RELEASE "0"
-ENV YUM_REPO_FILE_LOC "https://packages.irods.org/renci-irods.yum.repo"
-ENV YUM_IRODS_REPO_SIGNING_KEY_LOC="https://packages.irods.org/irods-signing-key.asc"
+ENV APT_REPO_CONFIG="deb [arch=amd64] https://packages.irods.org/apt/ bionic main"
+ENV APT_IRODS_REPO_SIGNING_KEY_LOC="https://packages.irods.org/irods-signing-key.asc"
 ENV YODA_RULESET_REPO "https://github.com/UtrechtUniversity/yoda-ruleset.git"
 ENV YODA_RULESET_BRANCH "$TAG"
 ENV PRE_BUILD_RULESET_DEPENDENCIES "yes"
+ENV DEBIAN_FRONTEND="noninteractive"
 
 # Network settings
 EXPOSE 1247
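Review bot: The new `ENV IRODS_VERSION "4.2.12-1~bionic"` and the four ENV lines after it use the legacy space-separated form while `ENV APT_REPO_CONFIG=...` and `ENV DEBIAN_FRONTEND=...` in the same hunk use `key=value`; BuildKit's LegacyKeyValueFormat check warns on the former, so write them as `ENV IRODS_VERSION="4.2.12-1~bionic"` and so on for consistency. `APT_REPO_CONFIG` points at the `bionic` suite and the pinned versions carry `~bionic`, while the base image is now `ubuntu:20.04`; if that is because no focal build of iRODS 4.2.12 is published, say so in a comment such as `# iRODS 4.2.12 is only packaged for bionic; those builds are used on 20.04` so the next maintainer does not "correct" it. Whether the bionic packages resolve cleanly against focal's libraries is not visible here and is worth confirming against the dependency hunk that follows.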
@@ -31,83 +34,121 @@ rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \ rm -f /lib/systemd/system/basic.target.wants/*;\ rm -f /lib/systemd/system/anaconda.target.wants/*; -# Install Python 3.8 (needed for jsonschema execnet) +# Update packages +RUN apt-get update + +# Install common tools # hadolint ignore=DL3033 -RUN yum -y install centos-release-scl gcc python-virtualenv && \ - yum -y install --enablerepo centos-sclo-rh \ - rh-python38-python rh-python38-python-devel rh-python38-python-libs \ - rh-python38-python-pip rh-python38-python-pip-wheel && yum clean all && \ - ln -s /opt/rh/rh-python38/root/bin/pip3 /usr/local/bin/pip3 && \ - ln -s /opt/rh/rh-python38/root/bin/python3 /usr/local/bin/python3 && \ - /usr/local/bin/pip3 install virtualenv +RUN apt-get install -y wget git sudo netcat gcc -# Upload PAM Python library -COPY stage/pam_python.so /tmp/pam_python.so -RUN install -m 0755 -o root -g root /tmp/pam_python.so /usr/lib64/security/pam_python.so +# Install Python 2.7 +RUN apt-get install -y python2 python2-dev && \ + wget -q -O /usr/local/bin/get-pip.py https://bootstrap.pypa.io/pip/2.7/get-pip.py && \ + /usr/bin/python2 /usr/local/bin/get-pip.py -# Install EPEL and libZSTD for PostgreSQL 15 +# Install Python 3.8 # hadolint ignore=DL3033 -RUN yum install -y epel-release libzstd-devel && yum clean all +RUN apt-get install -y gcc python3 python3-dev python3-pip python3-virtualenv \ + python3-wheel python3.8-venv + +# Upload PAM Python library +COPY stage/pam_python.so /tmp/pam_python.so +RUN install -m 0755 -o root -g root /tmp/pam_python.so /usr/lib/x86_64-linux-gnu/security/pam_python.so -# Install PostgreSQL 15 for checks whether database container is up, as well as troubleshooting +# Install PostgreSQL 15 for ODBC drivers, checks whether database container is up, as well as troubleshooting # hadolint ignore=DL3033 -RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \ - 
yum -y install postgresql15 postgresql15-odbc unixODBC && \ - yum clean all +RUN wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - +RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list +RUN apt-get update +RUN apt-get -y install postgresql-15 unixodbc python3-psycopg2 acl COPY odbc-settings.txt /tmp/odbc-settings.txt RUN odbcinst -i -d -r < /tmp/odbc-settings.txt +# Install iRODS dependencies +RUN apt-get -y install aptitude libboost-locale-dev libpython2-stdlib libpython2.7-minimal \ + libpython2.7-stdlib \ + python-is-python2 python-six python2 python2-minimal python2.7 python2.7-minimal \ + python-certifi python-chardet python-idna python-pkg-resources python-setuptools \ + python-funcsigs python-mock python-pbr libodbc1 +ENV PY_URLLIB_PREFIX="http://security.ubuntu.com/ubuntu/pool/main/p/python-urllib3" +ENV PY_URLLIB_FILENAME="python-urllib3_1.22-1ubuntu0.18.04.2_all.deb" +ENV PY_REQUESTS_PREFIX="http://security.ubuntu.com/ubuntu/pool/main/r/requests" +ENV PY_REQUESTS_FILENAME="python-requests_2.18.4-2ubuntu0.1_all.deb" +ENV OPENSSL_PREFIX="http://security.ubuntu.com/ubuntu/pool/main/o/openssl1.0" +ENV OPENSSL_FILENAME="libssl1.0.0_1.0.2n-1ubuntu5.13_amd64.deb" +ENV PY_JSONSCHEMA_PREFIX="http://security.ubuntu.com/ubuntu/pool/main/p/python-jsonschema" +ENV PY_JSONSCHEMA_FILENAME="python-jsonschema_2.3.0-1build1_all.deb" +ENV PY_ODBC_PREFIX="http://security.ubuntu.com/ubuntu/pool/universe/p/pyodbc" +ENV PY_ODBC_FILENAME="python-pyodbc_4.0.17-1_amd64.deb" +RUN wget -q ${PY_URLLIB_PREFIX}/${PY_URLLIB_FILENAME} && \ + wget -q ${PY_REQUESTS_PREFIX}/${PY_REQUESTS_FILENAME} && \ + wget -q ${OPENSSL_PREFIX}/${OPENSSL_FILENAME} && \ + wget -q ${PY_JSONSCHEMA_PREFIX}/${PY_JSONSCHEMA_FILENAME} && \ + wget -q ${PY_ODBC_PREFIX}/${PY_ODBC_FILENAME} && \ + dpkg -i ${PY_URLLIB_FILENAME} && \ + dpkg -i ${PY_REQUESTS_FILENAME} && \ + dpkg -i ${OPENSSL_FILENAME} && \ + dpkg -i 
${PY_JSONSCHEMA_FILENAME} && \ + dpkg -i ${PY_ODBC_FILENAME} && \ + rm ${PY_URLLIB_FILENAME} && \ + rm ${PY_REQUESTS_FILENAME} && \ + rm ${OPENSSL_FILENAME} && \ + rm ${PY_JSONSCHEMA_FILENAME} && \ + rm ${PY_ODBC_FILENAME} + # Install iRODS -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -# hadolint ignore=DL3033 -RUN yum install -y wget git sudo && \ - yum clean all && \ - useradd -d /var/lib/irods irods && \ - rpm --import "$YUM_IRODS_REPO_SIGNING_KEY_LOC" && \ - yum update -y ca-certificates && \ - wget -qO - "$YUM_REPO_FILE_LOC" | tee /etc/yum.repos.d/renci-irods.yum.repo && \ - yum -y update && \ +# hadolint ignore=DL3033,DL3047 +RUN useradd -d /var/lib/irods irods && \ + wget -qO - "$APT_IRODS_REPO_SIGNING_KEY_LOC" | apt-key add - && \ + echo "$APT_REPO_CONFIG" | tee /etc/apt/sources.list.d/irods.list && \ + apt-get update && \ for package in irods-runtime irods-icommands irods-server irods-database-plugin-postgres; \ do echo "Installing package ${package} and its dependencies ..."; \ - yum -y install "$package-${IRODS_VERSION}" && yum clean all; \ + apt-get -y install "$package=${IRODS_VERSION}" ; \ done && \ for package in irods-rule-engine-plugin-indexing irods-rule-engine-plugin-elasticsearch irods-rule-engine-plugin-document-type; \ do echo "Installing package ${package} and its dependencies ..."; \ - yum -y install "$package-${IRODS_INDEX_VERSION}" && yum clean all; \ + apt-get -y install "$package=${IRODS_INDEX_VERSION}"; \ done && \ - yum -y install "irods-rule-engine-plugin-python-${IRODS_PREP_VERSION}" && \ - yum clean all && \ - wget https://yoda.uu.nl/irods-patches/libirods_server.so.4.2.12 && \ - install -m 0644 libirods_server.so.4.2.12 /usr/lib/libirods_server.so.4.2.12 + apt-get -y install "irods-rule-engine-plugin-python=${IRODS_PREP_VERSION}" && \ + wget https://yoda.uu.nl/irods-patches/libirods_server.so.4.2.12.ubuntu2004 && \ + install -m 0644 libirods_server.so.4.2.12.ubuntu2004 /usr/lib/libirods_server.so.4.2.12 -# Install iRODS 
microservices for Yoda and their dependencies +# Install iRODS microservices for Yoda # hadolint ignore=DL3033 -RUN yum -y install boost-locale jansson libxslt libarchive && yum clean all && \ - rpm -ivh "https://github.com/UtrechtUniversity/irods-sudo-microservices/releases/download/${IRODS_SUDO_MSVC_VERSION}/irods-sudo-microservices-${IRODS_SUDO_MSVC_VERSION}-1.rpm" && \ - rpm -ivh "https://github.com/UtrechtUniversity/irods-uu-microservices/releases/download/v${IRODS_UU_MSVC_VERSION}/irods-uu-microservices-${IRODS_VERSION}_${IRODS_UU_MSVC_VERSION}-${IRODS_UU_MSVC_VERSION_RELEASE}.rpm" && \ +RUN apt-get -y install libc++1 libjansson4 && \ + wget -q "https://github.com/UtrechtUniversity/irods-sudo-microservices/releases/download/${IRODS_MSVC_IRODS_VERSION}_${IRODS_SUDO_MSVC_VERSION}/irods-sudo-microservices-${IRODS_MSVC_IRODS_VERSION}-${IRODS_SUDO_MSVC_VERSION}-1.deb" && \ + dpkg -i irods-sudo-microservices-${IRODS_MSVC_IRODS_VERSION}-${IRODS_SUDO_MSVC_VERSION}-1.deb && \ + rm irods-sudo-microservices-${IRODS_MSVC_IRODS_VERSION}-${IRODS_SUDO_MSVC_VERSION}-1.deb && \ + wget -q "https://github.com/UtrechtUniversity/irods-uu-microservices/releases/download/v${IRODS_UU_MSVC_VERSION}/irods-uu-microservices-${IRODS_MSVC_IRODS_VERSION}-${IRODS_UU_MSVC_VERSION}-${IRODS_UU_MSVC_VERSION_RELEASE}.deb" && \ + dpkg -i irods-uu-microservices-${IRODS_MSVC_IRODS_VERSION}-${IRODS_UU_MSVC_VERSION}-${IRODS_UU_MSVC_VERSION_RELEASE}.deb && \ + rm irods-uu-microservices-${IRODS_MSVC_IRODS_VERSION}-${IRODS_UU_MSVC_VERSION}-${IRODS_UU_MSVC_VERSION_RELEASE}.deb && \ chown irods:irods /var/lib/irods # Remove default iRODS msiExecCMD files # hadolint ignore=DL3059 RUN for file in irodsServerMonPerf test_execstream.py univMSSInterface.sh.template ; do rm "/var/lib/irods/msiExecCmd_bin/${file}" ; done -# Install iRODS autocompletion +# Install iRODS iCommands autocompletion COPY stage/irods_completion.sh /tmp/irods_completion.sh RUN install -m 0644 -o root -g root /tmp/irods_completion.sh 
/etc/profile.d/irods_completion.sh # Set up PAM authentication # hadolint ignore=DL3033 -RUN yum -y install gcc python-pip && \ - yum clean all && \ - pip --no-cache-dir install pysqlcipher3==1.0.4 +RUN pip --no-cache-dir install pysqlcipher3==1.0.4 COPY is-user-external.sh /tmp/is-user-external.sh COPY external-auth.py /tmp/external-auth.py RUN install -m 0750 -o root -g irods /tmp/is-user-external.sh /usr/local/bin/is-user-external.sh && \ install -m 0750 -o root -g irods /tmp/external-auth.py /usr/local/bin/external-auth.py && \ - wget -nv https://github.com/UtrechtUniversity/sqlcipher/releases/download/v4.5.1/sqlcipher-4.5.1-0.el7.x86_64.rpm -O sqlcipher-4.5.1-0.el7.x86_64.rpm && \ - wget -nv https://github.com/UtrechtUniversity/sqlcipher/releases/download/v4.5.1/sqlcipher-devel-4.5.1-0.el7.x86_64.rpm -O sqlcipher-devel-4.5.1-0.el7.x86_64.rpm && \ - rpm -ivh sqlcipher-4.5.1-0.el7.x86_64.rpm && \ - rpm -ivh sqlcipher-devel-4.5.1-0.el7.x86_64.rpm && \ + wget -q https://yoda.uu.nl/packages-irods-4.2.12-focal/sqlcipher4.deb && \ + dpkg -i sqlcipher4.deb && \ + rm sqlcipher4.deb && \ + wget -q https://yoda.uu.nl/packages-irods-4.2.12-focal/libsqlcipher4.deb && \ + dpkg -i libsqlcipher4.deb && \ + rm libsqlcipher4.deb && \ + wget -q https://yoda.uu.nl/packages-irods-4.2.12-focal/libsqlcipher4-dev.deb && \ + dpkg -i libsqlcipher4-dev.deb && \ + rm libsqlcipher4-dev.deb && \ chmod 04755 /usr/sbin/irodsPamAuthCheck COPY irods.pam /tmp/irods.pam RUN install -m 0644 /tmp/irods.pam /etc/pam.d/irods 
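Review bot: Every artefact fetched by hand in this hunk is installed as root without an integrity check: `get-pip.py` is downloaded and executed, the five `.deb` files from security.ubuntu.com, `libirods_server.so.4.2.12.ubuntu2004` from yoda.uu.nl (installed over `/usr/lib/libirods_server.so.4.2.12`), the two microservice packages and the three sqlcipher packages are all `wget -q` followed by `dpkg -i` or `install`, so a changed or substituted file is accepted silently, whereas the iRODS and PostgreSQL repositories at least keep apt's signature check via `apt-key add`. A one-line check after each download, for example `echo "<SHA256_PLACEHOLDER>  libirods_server.so.4.2.12.ubuntu2004" | sha256sum -c - && \`, pins what the image is built from and fails the build on a mismatch. The `for package in irods-runtime ...` and `for package in irods-rule-engine-plugin-indexing ...` loops end each `apt-get -y install "$package=${IRODS_VERSION}"` with `;`, so only the last iteration's status reaches the `&&` chain and a failed install of an earlier package does not fail the build; `apt-get -y install "$package=${IRODS_VERSION}" || exit 1; \` restores that. `libssl1.0.0_1.0.2n-1ubuntu5.13_amd64.deb` brings an OpenSSL 1.0.2 library, which is out of upstream support, into a focal image, presumably because the bionic iRODS packages link against it; that should be recorded in a comment next to `OPENSSL_PREFIX` so the dependency is revisited when the iRODS packages are upgraded.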
@@ -124,9 +165,9 @@ RUN sudo -u irods python -m pip --no-cache-dir install --user pip==20.2.4 && \ sudo -u irods python -m pip --no-cache-dir install --user setuptools==44.1.1 && \ sudo -u irods python -m pip --no-cache-dir install --user python-irodsclient==2.0.0 && \ sudo -u irods python -m pip --no-cache-dir install --user -r /etc/irods/yoda-ruleset/requirements.txt && \ - sudo -u irods /usr/local/bin/pip3 install --user jsonschema==4.17.3 && \ - sudo -u irods /usr/local/bin/pip3 install --user python-irodsclient==2.0.0 && \ - sudo -u irods /usr/local/bin/pip3 install --user psutil==5.9.5 + sudo -u irods python3 -m pip install --user jsonschema==4.17.3 && \ + sudo -u irods python3 -m pip install --user python-irodsclient==2.0.0 && \ + sudo -u irods python3 -m pip install --user psutil==5.9.5 COPY core.py.template /etc/irods/core.py COPY core.re.template /etc/irods/core.re RUN for script in scheduled-copytovault.sh admin-remove-orphan-vault-if-empty.sh admin-vaultactions.sh \ @@ -178,7 +219,6 @@ RUN install -m 0755 -o irods -g irods /var/lib/irods/securecopy.sh /var/lib/irod # Install init script # hadolint ignore=DL3033 -RUN yum install -y nc && yum clean all COPY irods-icat-init.sh /var/lib/irods/scripts/irods-icat-init.sh RUN chmod 0755 /var/lib/irods/scripts/irods-icat-init.sh diff --git a/docker/images/yoda_irods_icat/odbc-settings.txt b/docker/images/yoda_irods_icat/odbc-settings.txt index f260b1d43..a7362b488 100644 --- a/docker/images/yoda_irods_icat/odbc-settings.txt +++ b/docker/images/yoda_irods_icat/odbc-settings.txt @@ -1,4 +1,4 @@ [PostgreSQL] -Description = PostgreSQL 15 ODBC Driver -Driver = /usr/pgsql-15/lib/psqlodbc.so -Setup = /usr/pgsql-15/lib/psqlodbcw.so +Description=PostgreSQL 15 ODBC Driver +Driver=/usr/lib/x86_64-linux-gnu/odbc/psqlodbca.so +Setup=/usr/lib/x86_64-linux-gnu/odbc/libodbcpsqlS.so diff --git a/docker/images/yoda_irods_icat/rules_uu.cfg b/docker/images/yoda_irods_icat/rules_uu.cfg index c14e912e2..fe4e0ce3d 100644 
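Review bot: The three rewritten `sudo -u irods python3 -m pip install --user ...` lines drop the `--no-cache-dir` that the python2 lines directly above them still pass, so the irods user's pip cache ends up in the image layer; `sudo -u irods python3 -m pip --no-cache-dir install --user jsonschema==4.17.3` (and likewise for `python-irodsclient==2.0.0` and `psutil==5.9.5`) keeps the RUN consistent with itself. The enclosing RUN starts before this hunk.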
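Review bot: Removing `RUN yum install -y nc && yum clean all` leaves the `# hadolint ignore=DL3033` above it attached to the following `COPY irods-icat-init.sh ...`, where it suppresses nothing; the same yum-specific DL3033 ignores are kept above every `apt-get` RUN in the earlier hunks of this file and are stale there too, so they should be dropped or replaced with the apt rule they are meant to silence. The removal itself looks intentional, since `netcat` is already installed in the `apt-get install -y wget git sudo netcat gcc` line earlier in this file.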
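Review bot: `Driver=/usr/lib/x86_64-linux-gnu/odbc/psqlodbca.so` selects the ANSI build of the PostgreSQL ODBC driver, while the previous `Setup` entry referred to the wide-character build (`psqlodbcw.so`); if the ANSI variant is what iRODS expects, a comment line in this template saying so, e.g. `# ANSI driver (psqlodbca) on purpose; psqlodbcw is the Unicode build`, would record the decision, since the variant can affect how non-ASCII names in the catalog round-trip. I can only infer the intent from the path, so treat this as a question rather than a defect.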
--- a/docker/images/yoda_irods_icat/rules_uu.cfg +++ b/docker/images/yoda_irods_icat/rules_uu.cfg @@ -83,4 +83,4 @@ arb_min_percent_free = '0' text_file_extensions = 'bash csv c cpp csharp css diff fortran gams gauss go graphql ini irpf90 java js json julia julia-repl kotlin less lua makefile markdown md mathematica matlab maxima mizar objectivec openscad perl php php-template plaintext txt python py python-repl r ruby rust sas scilab scss shell sh sql stan stata swift typescript ts vbnet wasm xml yaml html' vault_copy_numthreads = '0' -python3_interpreter = '/usr/local/bin/python3' +python3_interpreter = '/usr/bin/python3' diff --git a/docker/images/yoda_portal/02-wsgi.conf b/docker/images/yoda_portal/02-wsgi.conf deleted file mode 100644 index 19f356756..000000000 --- a/docker/images/yoda_portal/02-wsgi.conf +++ /dev/null @@ -1 +0,0 @@ -LoadModule wsgi_module modules/mod_wsgi.so diff --git a/docker/images/yoda_portal/Dockerfile b/docker/images/yoda_portal/Dockerfile index aca2d4858..200fc7363 100644 --- a/docker/images/yoda_portal/Dockerfile +++ b/docker/images/yoda_portal/Dockerfile 
@@ -1,52 +1,52 @@ -FROM centos:7 +FROM ubuntu:20.04 LABEL maintainer="Yoda team " # Application settings ARG TAG=development ENV YODA_PORTAL_REPO "https://github.com/UtrechtUniversity/yoda-portal.git" ENV YODA_PORTAL_BRANCH="$TAG" +ENV DEBIAN_FRONTEND="noninteractive" # Network settings EXPOSE 80 EXPOSE 443 +# Update packages +RUN apt-get update + # Install common tools # hadolint ignore=DL3033 -RUN yum install -y epel-release wget git && \ - yum clean all +RUN apt-get install -y wget git # Install Python 3 # hadolint ignore=DL3033 -RUN yum -y install centos-release-scl gcc python-virtualenv && \ - yum -y install --enablerepo centos-sclo-rh \ - rh-python38-python rh-python38-python-devel rh-python38-python-libs \ - rh-python38-python-pip rh-python38-python-pip-wheel && yum clean all && \ - ln -s /opt/rh/rh-python38/root/bin/pip3 /usr/local/bin/pip3 && \ - ln -s /opt/rh/rh-python38/root/bin/python3 /usr/local/bin/python33 && \ - /usr/local/bin/pip3 install virtualenv +RUN apt-get install -y gcc python3 python3-dev python3-pip python3-virtualenv \ + python3-wheel python3.8-venv virtualenv # Install and configure Apache # hadolint ignore=DL3033 -RUN yum -y install httpd httpd-devel mod_ssl openssl && yum clean all -RUN rm /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.modules.d/00-lua.conf -COPY httpd.conf /etc/httpd/conf/httpd.conf -COPY ssl.conf /etc/httpd/conf.d/ssl.conf +RUN apt-get install -y apache2 apache2-dev openssl +RUN ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load +COPY apache2.conf /etc/apache2/apache2.conf +COPY ssl.conf /etc/apache2/mods-available/ssl.conf +RUN ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load -# Install and configure Apache ModWSGI -RUN yum -y install --enablerepo centos-sclo-rh rh-python38-python-mod_wsgi && yum clean all -COPY 02-wsgi.conf /etc/httpd/conf.modules.d/02-wsgi.conf -RUN ln -s 
/opt/rh/rh-python38/root/usr/lib64/python3.8/site-packages/mod_wsgi/server/mod_wsgi-py38.cpython-38-x86_64-linux-gnu.so /usr/lib64/httpd/modules/mod_wsgi.so +# Install Apache ModWSGI +RUN apt-get install -y libapache2-mod-wsgi-py3 # Yoda Portal -ENV C_INCLUDE_PATH /opt/rh/rh-python38/root/usr/include/python3.8 RUN useradd yodadeployment && \ + mkdir /home/yodadeployment && \ + chown yodadeployment:yodadeployment /home/yodadeployment && \ mkdir /var/www/yoda && \ chown yodadeployment:yodadeployment /var/www/yoda && \ - git clone --branch $YODA_PORTAL_BRANCH $YODA_PORTAL_REPO /var/www/yoda -COPY yoda-portal-vhost.conf /etc/httpd/conf.d/yoda-portal-vhost.conf -RUN virtualenv --python /opt/rh/rh-python38/root/bin/python3 /var/www/yoda/venv && \ - /var/www/yoda/venv/bin/pip3 install pip==23.0.1 && \ - /var/www/yoda/venv/bin/pip3 install -r /var/www/yoda/requirements.txt + git clone --branch $YODA_PORTAL_BRANCH $YODA_PORTAL_REPO /var/www/yoda && \ + git config --global --add safe.directory /var/www/yoda +COPY yoda-portal-vhost.conf /etc/apache2/sites-available/001-yoda-portal-vhost.conf +RUN ln -s /etc/apache2/sites-available/001-yoda-portal-vhost.conf /etc/apache2/sites-enabled/001-yoda-portal-vhost.conf +RUN virtualenv --python /usr/bin/python3 /var/www/yoda/venv && \ + /var/www/yoda/venv/bin/pip3 install --no-cache-dir pip==23.0.1 && \ + /var/www/yoda/venv/bin/pip3 install --no-cache-dir -r /var/www/yoda/requirements.txt # Make copy of data on volumes that can optionally be bind mounted, so the container init script # can restore it if needed. diff --git a/docker/images/yoda_portal/apache2.conf b/docker/images/yoda_portal/apache2.conf new file mode 100644 index 000000000..672b38428 --- /dev/null +++ b/docker/images/yoda_portal/apache2.conf 
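Review bot: `COPY ssl.conf /etc/apache2/mods-available/ssl.conf` is followed only by a symlink for `ssl.load`, so the copied ssl.conf is never linked into `mods-enabled/`, and with the apache2.conf in this commit including `mods-enabled/*.conf` its directives are not loaded unless something outside this hunk (the vhost file, for instance) includes it explicitly. `RUN a2enmod headers ssl && a2ensite 001-yoda-portal-vhost` can replace the three `ln -s` lines: it creates both the `.load` and `.conf` links and fails the build if a module is missing, which a bare `ln -s` does not. Separately, `virtualenv` depends on `python3-virtualenv`, so listing both in `apt-get install -y gcc python3 python3-dev python3-pip python3-virtualenv python3-wheel python3.8-venv virtualenv` is redundant.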
@@ -0,0 +1,276 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "logs/access_log" common + + + +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. 
This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin root@localhost + +# ServerTokens Directive +# Configures the Server HTTP response header +ServerTokens ProductOnly + +# TraceEnable Directive +# Determines the behaviour on TRACE requests +TraceEnable off + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults if commented: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +EnableSendfile on + +# X-Frame-Options +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +Header always append X-Frame-Options DENY + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/docker/images/yoda_portal/httpd.conf b/docker/images/yoda_portal/httpd.conf deleted file mode 100644 index b037256b8..000000000 --- a/docker/images/yoda_portal/httpd.conf +++ /dev/null 
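Review bot: `ServerTokens ProductOnly` and `TraceEnable off` are set in the main body, but `IncludeOptional conf-enabled/*.conf` comes after them and, as far as I recall the apache2 package default, `conf-enabled/security.conf` is enabled out of the box and sets `ServerTokens` and `ServerSignature` itself; nothing in this diff disables it, so the later value would win and the `Server` header would still carry the OS and version string. Either `a2disconf security` in the Dockerfile, or moving these two directives below the `IncludeOptional conf-enabled/*.conf` line together with `ServerSignature Off`, makes the hardening effective; verify the effective value on the built image rather than trusting my memory of the package default. The Directory block carrying `Options Indexes FollowSymLinks` (the tags are lost in this rendering; in the Debian template it is `/var/www/`) keeps directory listing on under the tree where the portal checkout lives, which a WSGI application does not need, so `Options FollowSymLinks` there removes an unintended listing of anything the vhost serves statically.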
@@ -1,365 +0,0 @@ -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so 'log/access_log' -# with ServerRoot set to '/www' will be interpreted by the -# server as '/www/log/access_log', where as '/log/access_log' will be -# interpreted as '/log/access_log'. - -# ServerTokens Directive -# Configures the Server HTTP response header -ServerTokens ProductOnly - -# TraceEnable Directive -# Determines the behaviour on TRACE requests -TraceEnable off - -# X-Frame-Options -# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -Header always append X-Frame-Options DENY - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "/etc/httpd" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. 
-# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. -# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -Include conf.modules.d/*.conf - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User apache -Group apache - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin root@localhost - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. 
-# -#ServerName www.example.com:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -DocumentRoot "/var/www/html" - -# -# Relax access to content within /var/www. -# - - AllowOverride None - # Allow open access: - Require all granted - - -# Further relax access to the default document root: - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - # - AllowOverride None - - # - # Controls who can get stuff from this server. - # - Require all granted - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.html - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. 
-# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog "logs/error_log" - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - #CustomLog "logs/access_log" common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog "logs/access_log" combined - - - - # - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. 
- # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - # - ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" - - - -# -# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) 
- # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. - # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset UTF-8 - - - # - # The mod_mime_magic module allows the server to use various hints from the - # contents of the file itself to determine its type. The MIMEMagicFile - # directive tells the module where the hint definitions are located. - # - MIMEMagicFile conf/magic - - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults if commented: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -EnableSendfile on - -# Supplemental configuration -# -# Load config files in the "/etc/httpd/conf.d" directory, if any. -IncludeOptional conf.d/*.conf 
diff --git a/docker/images/yoda_portal/yoda-portal-vhost.conf b/docker/images/yoda_portal/yoda-portal-vhost.conf index 03b0d6962..fe4e70193 100644 --- a/docker/images/yoda_portal/yoda-portal-vhost.conf +++ b/docker/images/yoda_portal/yoda-portal-vhost.conf @@ -55,7 +55,7 @@ SetEnvIf Request_URI "\.woff$" dontlog SetEnvIf Request_URI "\.woff2$" dontlog SetEnvIf Request_Method "^OPTIONS$" dontlog - CustomLog /var/log/httpd/portal_access.log common env=!dontlog + CustomLog /var/log/apache2/portal_access.log common env=!dontlog # HSTS (mod_headers is required) (31536000 seconds = 1 year) Header always set Strict-Transport-Security "max-age=31536000" @@ -65,12 +65,12 @@ # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. - SSLCertificateFile /etc/pki/tls/certs/localhost_and_chain.crt + SSLCertificateFile /etc/ssl/certs/localhost_and_chain.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + SSLCertificateKeyFile /etc/ssl/private/localhost.key diff --git a/docker/images/yoda_portal/yoda_portal_init.sh b/docker/images/yoda_portal/yoda_portal_init.sh index 2f72dcaa8..6f883c097 100644 --- a/docker/images/yoda_portal/yoda_portal_init.sh +++ b/docker/images/yoda_portal/yoda_portal_init.sh 
@@ -22,8 +22,8 @@ function progress_update { } function start_service { - /usr/sbin/httpd -DFOREGROUND || true - echo "Error: httpd either terminated or would not start. Keeping container running for troubleshooting purposes." + apache2ctl -D FOREGROUND || true + echo "Error: Apache either terminated or would not start. Keeping container running for troubleshooting purposes." sleep infinity } @@ -42,10 +42,10 @@ progress_update "Downloaded certificate bundle." before_update "Extracting certificate data" cd /download tar xvfz "${DATA_VERSION}.certbundle.tar.gz" -install -m 0644 docker.pem /etc/pki/tls/certs/localhost.crt -install -m 0644 docker.pem /etc/pki/tls/certs/localhost_and_chain.crt -install -m 0644 docker.key /etc/pki/tls/private/localhost.key -install -m 0644 dhparam.pem /etc/pki/tls/private/dhparams.pem +install -m 0644 docker.pem /etc/ssl/certs/localhost.crt +install -m 0644 docker.pem /etc/ssl/certs/localhost_and_chain.crt +install -m 0644 docker.key /etc/ssl/private/localhost.key +install -m 0644 dhparam.pem /etc/ssl/private/dhparams.pem progress_update "Certificate data extracted" CURRENT_UID="$(id -u yodadeployment)" @@ -114,7 +114,7 @@ IRODS_ICAT_HOSTNAME = 'provider.yoda' IRODS_ICAT_PORT = '1247' IRODS_DEFAULT_ZONE = 'tempZone' IRODS_DEFAULT_RESC = 'irodsResc' -IRODS_SSL_CA_FILE = '/etc/pki/tls/certs/localhost_and_chain.crt' +IRODS_SSL_CA_FILE = '/etc/ssl/certs/localhost_and_chain.crt' IRODS_AUTH_SCHEME = 'PAM' IRODS_CLIENT_OPTIONS_FOR_SSL = { "irods_client_server_policy": "CS_NEG_REQUIRE", diff --git a/docker/images/yoda_public/02-wsgi.conf b/docker/images/yoda_public/02-wsgi.conf deleted file mode 100644 index 19f356756..000000000 --- a/docker/images/yoda_public/02-wsgi.conf +++ /dev/null @@ -1 +0,0 @@ -LoadModule wsgi_module modules/mod_wsgi.so diff --git a/docker/images/yoda_public/Dockerfile b/docker/images/yoda_public/Dockerfile index dbe904f6b..e0f3afe79 100644 --- a/docker/images/yoda_public/Dockerfile 
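Review bot: The server's private key is still installed world-readable on the new side, `install -m 0644 docker.key /etc/ssl/private/localhost.key`, so the path migration in this hunk carries the permission problem over instead of fixing it. Apache normally opens `SSLCertificateKeyFile` as root before dropping to `${APACHE_RUN_USER}`, so `install -m 0600 docker.key /etc/ssl/private/localhost.key` (and the same mode for `dhparams.pem`, which nothing else needs to read) should not break startup. On Ubuntu the parent `/etc/ssl/private` is usually root-only, which limits exposure, but relying on the directory alone is fragile the moment the file is copied or bind-mounted somewhere else. The script section this belongs to continues past the hunk (only the start of the `CURRENT_UID` handling is visible).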
+++ b/docker/images/yoda_public/Dockerfile 
@@ -1,44 +1,38 @@ -FROM centos:7 +FROM ubuntu:20.04 LABEL maintainer="Yoda team " # Application settings ARG TAG=development ENV MOAI_REPO "https://github.com/UtrechtUniversity/yoda-moai.git" ENV MOAI_BRANCH "$TAG" +ENV DEBIAN_FRONTEND="noninteractive" # Network settings EXPOSE 80 EXPOSE 443 +# Update packages +RUN apt-get update + # Install common tools # hadolint ignore=DL3033 -RUN yum install -y epel-release wget git nc sudo && \ - yum clean all - -# Update packages -RUN yum update -y +RUN apt-get install -y wget git netcat sudo # Install Python 3 # hadolint ignore=DL3033 -RUN yum -y install centos-release-scl gcc python-virtualenv && \ - yum -y install --enablerepo centos-sclo-rh \ - rh-python38-python rh-python38-python-devel rh-python38-python-libs \ - rh-python38-python-pip rh-python38-python-pip-wheel && yum clean all && \ - ln -s /opt/rh/rh-python38/root/bin/pip3 /usr/local/bin/pip3 && \ - ln -s /opt/rh/rh-python38/root/bin/python3 /usr/local/bin/python33 && \ - /usr/local/bin/pip3 install virtualenv +RUN apt-get install -y gcc python3 python3-dev python3-pip python3-virtualenv \ + python3-wheel python3.8-venv virtualenv # Install and configure Apache # hadolint ignore=DL3033 -RUN yum -y install httpd httpd-devel mod_ssl openssl && yum clean all -RUN rm /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.modules.d/00-lua.conf -COPY httpd.conf /etc/httpd/conf/httpd.conf -COPY ssl.conf /etc/httpd/conf.d/ssl.conf +RUN apt-get install -y apache2 apache2-dev openssl +RUN ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load +COPY apache2.conf /etc/apache2/apache2.conf +COPY ssl.conf /etc/apache2/mods-available/ssl.conf +RUN ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load -# Install and configure Apache ModWSGI -RUN yum -y install --enablerepo centos-sclo-rh rh-python38-python-mod_wsgi && yum clean all -COPY 02-wsgi.conf /etc/httpd/conf.modules.d/02-wsgi.conf -RUN ln -s 
/opt/rh/rh-python38/root/usr/lib64/python3.8/site-packages/mod_wsgi/server/mod_wsgi-py38.cpython-38-x86_64-linux-gnu.so /usr/lib64/httpd/modules/mod_wsgi.so +# Install Apache ModWSGI +RUN apt-get install -y libapache2-mod-wsgi-py3 # Install account for MOAI and landing pages # hadolint ignore=DL3059 @@ -46,25 +40,24 @@ RUN useradd yodadeployment -d /var/www/moai # Install MOAI dependencies # hadolint ignore=DL3033 -RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \ - yum -y install sqlite33 sqlite33-devel && yum clean all +RUN apt-get -y install sqlite3 libsqlite3-dev ## Setup MOAI virtual environment and directory structure -ENV C_INCLUDE_PATH /opt/rh/rh-python38/root/usr/include/python3.8 RUN mkdir -p /var/www/moai /var/www/moai/metadata && \ git clone --branch "$MOAI_BRANCH" "$MOAI_REPO" /var/www/moai/yoda-moai && \ + git config --global --add safe.directory /var/www/moai/yoda-moai && \ chmod 0755 /var/www/moai /var/www/moai/metadata && \ chown -R yodadeployment:yodadeployment /var/www/moai && \ - virtualenv --python /opt/rh/rh-python38/root/bin/python3 /var/www/moai/yoda-moai/venv && \ + virtualenv --python /usr/bin/python3 /var/www/moai/yoda-moai/venv && \ /var/www/moai/yoda-moai/venv/bin/pip3 install pip==23.0.1 ## Install PySQLite3 for MOAI -ENV C_INCLUDE_PATH /opt/rh/rh-python38/root/usr/include/python3.8:/usr/sqlite330/include -ENV LIBRARY_PATH /usr/sqlite330/lib +ENV C_INCLUDE_PATH /usr/include/python3.8:/usr/include +ENV LIBRARY_PATH /usr/lib/x86_64-linux-gnu RUN /var/www/moai/yoda-moai/venv/bin/pip3 install pysqlite3==0.5.0 ## Install MOAI itself -ENV C_INCLUDE_PATH /opt/rh/rh-python38/root/usr/include/python3.8 +ENV C_INCLUDE_PATH /usr/include/python3.8 RUN /var/www/moai/yoda-moai/venv/bin/pip3 install -e /var/www/moai/yoda-moai ## Configure and initialize MOAI 
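Review bot: The new `# Update packages` / `RUN apt-get update` pair near the top of this hunk only refreshes the package index, whereas the `RUN yum update -y` it replaces actually upgraded installed packages, so the migration silently drops the upgrade step while the comment still claims to perform it. Putting `apt-get update` in its own layer also means a later rebuild that reuses that cached layer installs from a stale index into the separate `apt-get install` layers below, and none of those layers cleans up `/var/lib/apt/lists`. I would fold the index refresh into each install and clean up in the same layer, e.g. `RUN apt-get update && apt-get install -y --no-install-recommends wget git netcat sudo && rm -rf /var/lib/apt/lists/*`, and either reword the comment to `# Refresh package index` or reinstate an explicit upgrade if that was the intent. The hunk also keeps `DEBIAN_FRONTEND="noninteractive"` in `ENV`, so it persists into the running container; `ARG DEBIAN_FRONTEND=noninteractive` or an inline `RUN DEBIAN_FRONTEND=noninteractive apt-get …` keeps it build-time only.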
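Review bot: `ENV LIBRARY_PATH /usr/lib/x86_64-linux-gnu` and the two `ENV C_INCLUDE_PATH …` lines in this hunk are build-time compiler settings that persist into the running container's environment, and `LIBRARY_PATH` additionally hard-codes the x86_64 multiarch directory. On Ubuntu `/usr/include` and `/usr/lib/x86_64-linux-gnu` are already default compiler and linker search paths, so the only value that appears to matter is the Python header directory; I would drop the `ENV`s and scope it to the commands that need it, e.g. `RUN C_INCLUDE_PATH=/usr/include/python3.8 /var/www/moai/yoda-moai/venv/bin/pip3 install pysqlite3==0.5.0` — worth confirming pysqlite3 still builds without `LIBRARY_PATH`. If the variables are kept, they should use the `ENV KEY=value` form that the new `ENV DEBIAN_FRONTEND="noninteractive"` in this same file uses, since the space-separated form is deprecated. Note also that `git config --global --add safe.directory …` runs as root during the build and so lands in root's config only; it helps git commands run as root later, not ones run as `yodadeployment`, which presumably owns the checkout after the `chown -R` on the next lines.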
@@ -86,7 +79,8 @@ COPY stage/leaflet-1.5.1.js /var/www/landingpages/static/js/leaflet-1.5.1.js RUN cp -Rdp /var/www/landingpages /var/www/landingpages-copy ## Configure public web server -COPY yoda-public-vhost.conf /etc/httpd/conf.d/yoda-public-vhost.conf +COPY yoda-public-vhost.conf /etc/apache2/sites-available/yoda-public-vhost.conf +RUN ln -s /etc/apache2/sites-available/yoda-public-vhost.conf /etc/apache2/sites-enabled/yoda-public-vhost.conf # Make copy of data on volumes that can optionally be bind mounted, so the container init script # can restore it if needed. diff --git a/docker/images/yoda_public/apache2.conf b/docker/images/yoda_public/apache2.conf new file mode 100644 index 000000000..672b38428 --- /dev/null +++ b/docker/images/yoda_public/apache2.conf 
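Review bot: Enabling the vhost by hand with `ln -s … sites-enabled/yoda-public-vhost.conf` leaves whatever the `apache2` package already put in `sites-enabled` in place; on Debian/Ubuntu that is normally `000-default.conf`, which sorts before `yoda-public-vhost.conf` and so becomes the default virtual host for any request whose `Host` does not match the Yoda `ServerName` (inferred from the packaging, not visible in the hunk). The old CentOS image removed the stock `autoindex.conf` and lua module config explicitly earlier in this file's diff, whereas nothing in the Ubuntu version trims the stock `sites-enabled` or `mods-enabled` contents. Using the packaging helpers makes the intent explicit and creates the same symlink, e.g. `RUN a2dissite 000-default && a2ensite yoda-public-vhost`. If the stock site is deliberately left enabled, a one-line comment saying so would stop the next reader from treating it as an oversight.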
@@ -0,0 +1,276 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "logs/access_log" common + + + +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. 
This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin root@localhost + +# ServerTokens Directive +# Configures the Server HTTP response header +ServerTokens ProductOnly + +# TraceEnable Directive +# Determines the behaviour on TRACE requests +TraceEnable off + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults if commented: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +EnableSendfile on + +# X-Frame-Options +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +Header always append X-Frame-Options DENY + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/docker/images/yoda_public/httpd.conf b/docker/images/yoda_public/httpd.conf deleted file mode 100644 index b037256b8..000000000 --- a/docker/images/yoda_public/httpd.conf +++ /dev/null 
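Review bot: The `LogFormat` lines for `combined` and `common` put the client-supplied `%{X-Forwarded-For}i` first in every access-log line, directly under a comment in the same file that says this is not recommended and to use `mod_remoteip` instead; the header is attacker-controlled unless a trusted proxy strips or sets it, so the logged origin address can be spoofed and arbitrary text injected into the log. If Apache sits behind a proxy here, the safer equivalent is `RemoteIPHeader X-Forwarded-For` plus `RemoteIPTrustedProxy <proxy address>` with `mod_remoteip` enabled, after which `%h`/`%a` already give the real client and the formats can revert to the stock ones; the same comment says the Debian formats use `%O` rather than `%b`, which these lines also do not. Separately, the `/var/www/` directory block keeps `Options Indexes FollowSymLinks` with `Require all granted`, so if `mod_autoindex` is enabled (the Debian default, not visible here) any directory under `/var/www` without an index file is listable; `Options FollowSymLinks` alone looks sufficient for the MOAI and landing-page content. Lastly, `Header always append X-Frame-Options DENY` yields a comma-joined value if an application sets that header itself; `Header always set X-Frame-Options DENY` is the usual form.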
@@ -1,365 +0,0 @@ -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so 'log/access_log' -# with ServerRoot set to '/www' will be interpreted by the -# server as '/www/log/access_log', where as '/log/access_log' will be -# interpreted as '/log/access_log'. - -# ServerTokens Directive -# Configures the Server HTTP response header -ServerTokens ProductOnly - -# TraceEnable Directive -# Determines the behaviour on TRACE requests -TraceEnable off - -# X-Frame-Options -# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -Header always append X-Frame-Options DENY - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "/etc/httpd" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. 
-# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. -# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -Include conf.modules.d/*.conf - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User apache -Group apache - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin root@localhost - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. 
-# -#ServerName www.example.com:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -DocumentRoot "/var/www/html" - -# -# Relax access to content within /var/www. -# - - AllowOverride None - # Allow open access: - Require all granted - - -# Further relax access to the default document root: - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - # - AllowOverride None - - # - # Controls who can get stuff from this server. - # - Require all granted - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.html - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. 
-# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog "logs/error_log" - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - #CustomLog "logs/access_log" common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog "logs/access_log" combined - - - - # - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. 
- # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - # - ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" - - - -# -# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) 
- # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. - # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset UTF-8 - - - # - # The mod_mime_magic module allows the server to use various hints from the - # contents of the file itself to determine its type. The MIMEMagicFile - # directive tells the module where the hint definitions are located. - # - MIMEMagicFile conf/magic - - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults if commented: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -EnableSendfile on - -# Supplemental configuration -# -# Load config files in the "/etc/httpd/conf.d" directory, if any. -IncludeOptional conf.d/*.conf 
diff --git a/docker/images/yoda_public/yoda-public-vhost.conf b/docker/images/yoda_public/yoda-public-vhost.conf index eff8abd6f..d7291c038 100644 --- a/docker/images/yoda_public/yoda-public-vhost.conf +++ b/docker/images/yoda_public/yoda-public-vhost.conf @@ -37,12 +37,12 @@ # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. - SSLCertificateFile /etc/pki/tls/certs/localhost_and_chain.crt + SSLCertificateFile /etc/ssl/certs/localhost_and_chain.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + SSLCertificateKeyFile /etc/ssl/private/localhost.key diff --git a/docker/images/yoda_public/yoda_public_init.sh b/docker/images/yoda_public/yoda_public_init.sh index 345db59dd..2f640e6a5 100644 --- a/docker/images/yoda_public/yoda_public_init.sh +++ b/docker/images/yoda_public/yoda_public_init.sh @@ -22,7 +22,7 @@ function progress_update { } function start_service { - /usr/sbin/httpd -DFOREGROUND || true + apache2ctl -D FOREGROUND || true echo "Error: http either terminated or would not start. Keeping container running for troubleshooting purposes." sleep infinity } 
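Review bot: The error message following the new `apache2ctl -D FOREGROUND || true` still says `http either terminated`, while the sibling portal init script in this same change was updated to say `Apache`; `echo "Error: Apache either terminated or would not start. Keeping container running for troubleshooting purposes."` keeps the two scripts consistent and grep-able. It is also worth a comment on why `apache2ctl` is used rather than the binary: it is a wrapper that sources `/etc/apache2/envvars`, which the new `apache2.conf` relies on for `${APACHE_RUN_USER}`, `${APACHE_LOG_DIR}` and friends, so `/usr/sbin/apache2 -D FOREGROUND` would not be a drop-in replacement. Something like `# apache2ctl (not apache2) so /etc/apache2/envvars is sourced` above the line would capture that.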
@@ -42,10 +42,10 @@ progress_update "Downloaded certificate bundle."
 before_update "Extracting certificate data"
 cd /download
 tar xvfz "${DATA_VERSION}.certbundle.tar.gz"
-install -m 0644 docker.pem /etc/pki/tls/certs/localhost.crt
-install -m 0644 docker.pem /etc/pki/tls/certs/localhost_and_chain.crt
-install -m 0644 docker.key /etc/pki/tls/private/localhost.key
-install -m 0644 dhparam.pem /etc/pki/tls/private/dhparams.pem
+install -m 0644 docker.pem /etc/ssl/certs/localhost.crt
+install -m 0644 docker.pem /etc/ssl/certs/localhost_and_chain.crt
+install -m 0644 docker.key /etc/ssl/private/localhost.key
+install -m 0644 dhparam.pem /etc/ssl/private/dhparams.pem
 progress_update "Certificate data extracted"
 # Update permissions / UID for bind mount, if needed
diff --git a/docker/images/yoda_web_mock/02-wsgi.conf b/docker/images/yoda_web_mock/02-wsgi.conf
deleted file mode 100644
index 19f356756..000000000
--- a/docker/images/yoda_web_mock/02-wsgi.conf
+++ /dev/null
@@ -1 +0,0 @@
-LoadModule wsgi_module modules/mod_wsgi.so
diff --git a/docker/images/yoda_web_mock/Dockerfile b/docker/images/yoda_web_mock/Dockerfile
index a66bbae83..b3681fa5a 100644
--- a/docker/images/yoda_web_mock/Dockerfile
+++ b/docker/images/yoda_web_mock/Dockerfile
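Review bot: The server private key is installed world-readable — `install -m 0644 docker.key /etc/ssl/private/localhost.key` keeps the mode from the CentOS-era lines and only changes the path. On Ubuntu the `/etc/ssl/private` directory is normally restricted to root and the `ssl-cert` group, but nothing in this hunk guarantees that, and a private key should not depend on a parent directory's mode for its protection. Apache reads the key as root before it drops to the run user, so `install -m 0600 docker.key /etc/ssl/private/localhost.key` works without any other change; the certificate and chain files can stay at 0644. The `dhparams.pem` line can be tightened the same way, although its contents are not secret.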
@@ -1,52 +1,50 @@ -FROM centos:7 +FROM ubuntu:20.04 LABEL maintainer="Yoda team " # Application settings ARG TAG=development ENV YODA_MOCK_REPO "https://github.com/UtrechtUniversity/yoda-web-mock.git" ENV YODA_MOCK_BRANCH "$TAG" +ENV DEBIAN_FRONTEND="noninteractive" # Network settings EXPOSE 80 EXPOSE 443 -# Install common tools -# hadolint ignore=DL3033 -RUN yum install -y epel-release wget git nc && \ - yum clean all - # Update packages -RUN yum update -y +RUN apt-get update + +# Install common tools (PostgreSQL is needed for psql commands in init script) +# hadolint ignore=DL3033 +RUN apt-get install -y wget git netcat gnupg # Install Python 3 # hadolint ignore=DL3033 -RUN yum -y install centos-release-scl gcc python-virtualenv && \ - yum -y install --enablerepo centos-sclo-rh \ - rh-python38-python rh-python38-python-devel rh-python38-python-libs \ - rh-python38-python-pip rh-python38-python-pip-wheel && yum clean all && \ - ln -s /opt/rh/rh-python38/root/bin/pip3 /usr/local/bin/pip3 && \ - ln -s /opt/rh/rh-python38/root/bin/python3 /usr/local/bin/python33 && \ - /usr/local/bin/pip3 install virtualenv +RUN apt-get install -y gcc python3 python3-dev python3-pip python3-virtualenv \ + python3-wheel python3.8-venv virtualenv # Install and configure Apache # hadolint ignore=DL3033 -RUN yum -y install httpd httpd-devel mod_ssl openssl && yum clean all -RUN rm /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.modules.d/00-lua.conf -COPY httpd.conf /etc/httpd/conf/httpd.conf -COPY ssl.conf /etc/httpd/conf.d/ssl.conf +RUN apt-get install -y apache2 apache2-dev openssl +RUN ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load +COPY apache2.conf /etc/apache2/apache2.conf +COPY ssl.conf /etc/apache2/mods-available/ssl.conf +RUN ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load -# Install and configure Apache ModWSGI -RUN yum -y install --enablerepo centos-sclo-rh rh-python38-python-mod_wsgi && yum clean all -COPY 
02-wsgi.conf /etc/httpd/conf.modules.d/02-wsgi.conf -RUN ln -s /opt/rh/rh-python38/root/usr/lib64/python3.8/site-packages/mod_wsgi/server/mod_wsgi-py38.cpython-38-x86_64-linux-gnu.so /usr/lib64/httpd/modules/mod_wsgi.so +# Install Apache ModWSGI +RUN apt-get install -y libapache2-mod-wsgi-py3 # Install Yoda web mock RUN useradd yodadeployment && \ + mkdir /home/yodadeployment && \ + chown yodadeployment:yodadeployment /home/yodadeployment && \ mkdir -p /var/www/webmock/log && \ chown yodadeployment:yodadeployment /var/www/webmock /var/www/webmock/log && \ - git clone --branch $YODA_MOCK_BRANCH $YODA_MOCK_REPO /var/www/webmock/yoda-web-mock -COPY yoda-web-mock-vhost.conf /etc/httpd/conf.d/yoda-web-mock-vhost.conf -RUN virtualenv --python /opt/rh/rh-python38/root/bin/python3 /var/www/webmock/venv && \ + git clone --branch $YODA_MOCK_BRANCH $YODA_MOCK_REPO /var/www/webmock/yoda-web-mock && \ + git config --global --add safe.directory /var/www/webmock/yoda-web-mock +COPY yoda-web-mock-vhost.conf /etc/apache2/sites-available/yoda-web-mock-vhost.conf +RUN ln -s /etc/apache2/sites-available/yoda-web-mock-vhost.conf /etc/apache2/sites-enabled/yoda-web-mock-vhost.conf +RUN virtualenv --python /usr/bin/python3 /var/www/webmock/venv && \ /var/www/webmock/venv/bin/pip3 install pip==23.0.1 && \ /var/www/webmock/venv/bin/pip3 install -e /var/www/webmock/yoda-web-mock diff --git a/docker/images/yoda_web_mock/apache2.conf b/docker/images/yoda_web_mock/apache2.conf new file mode 100644 index 000000000..672b38428 --- /dev/null +++ b/docker/images/yoda_web_mock/apache2.conf 
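Review bot: `RUN apt-get update` is a layer of its own, separated from the three `apt-get install -y` layers that follow, so a later rebuild can reuse a cached package index and install stale or no-longer-mirrored package versions, and the index under `/var/lib/apt/lists` is never removed from the image. Merge the update into each install and clean up in the same layer, e.g. `RUN apt-get update && apt-get install -y --no-install-recommends wget git netcat gnupg && rm -rf /var/lib/apt/lists/*`, and the same for the Python and Apache steps; `--no-install-recommends` also keeps packages the image does not need out of the attack surface. `git clone --branch $YODA_MOCK_BRANCH` fetches a moving ref at build time, so two builds of the same tag are not guaranteed to contain the same code; pinning a commit or recording the resolved SHA in a `LABEL` would make the image reproducible. `ENV DEBIAN_FRONTEND="noninteractive"` is build-time configuration that persists into the running container's environment; an `ARG`, or `DEBIAN_FRONTEND=noninteractive apt-get ...` inline, keeps it out of the runtime.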
@@ -0,0 +1,276 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "logs/access_log" common + + + +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. 
This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin root@localhost + +# ServerTokens Directive +# Configures the Server HTTP response header +ServerTokens ProductOnly + +# TraceEnable Directive +# Determines the behaviour on TRACE requests +TraceEnable off + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults if commented: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +EnableSendfile on + +# X-Frame-Options +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +Header always append X-Frame-Options DENY + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/docker/images/yoda_web_mock/httpd.conf b/docker/images/yoda_web_mock/httpd.conf deleted file mode 100644 index b037256b8..000000000 --- a/docker/images/yoda_web_mock/httpd.conf +++ /dev/null 
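Review bot: `ServerTokens ProductOnly` and `TraceEnable off` are declared before `IncludeOptional conf-enabled/*.conf`, and for these directives the last occurrence wins; if the stock `conf-enabled/security.conf` shipped by the Ubuntu apache2 package is still enabled (the Dockerfile in this change does not disable it), its own `ServerTokens` and `ServerSignature` settings would presumably override the hardening here — worth checking the `Server` header of the running container with `curl -sI` and either disabling that snippet or moving these directives below the includes. `Header always append X-Frame-Options DENY` merges with any value the application already sets, and a comma-joined `SAMEORIGIN, DENY` is rejected by browsers as invalid, so `Header always set X-Frame-Options DENY` (or `Header always set Content-Security-Policy "frame-ancestors 'none'"`) is the safer form. `Options Indexes FollowSymLinks` in the third directory block (the `/var/www/` block in the stock Debian file; the container tags are not visible in this rendering) enables directory listings for anything served from there without an index file; `Options -Indexes +FollowSymLinks` keeps the symlink behaviour without the listings. The `combined`/`common` formats log `%{X-Forwarded-For}i`, a client-supplied header, as the file's own comment warns; unless every request arrives through a proxy that overwrites it, `mod_remoteip` with `RemoteIPHeader` and `RemoteIPInternalProxy` is the reliable way to record the real client address.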
@@ -1,365 +0,0 @@ -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so 'log/access_log' -# with ServerRoot set to '/www' will be interpreted by the -# server as '/www/log/access_log', where as '/log/access_log' will be -# interpreted as '/log/access_log'. - -# ServerTokens Directive -# Configures the Server HTTP response header -ServerTokens ProductOnly - -# TraceEnable Directive -# Determines the behaviour on TRACE requests -TraceEnable off - -# X-Frame-Options -# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -Header always append X-Frame-Options DENY - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "/etc/httpd" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. 
-# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. -# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -Include conf.modules.d/*.conf - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User apache -Group apache - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin root@localhost - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. 
-# -#ServerName www.example.com:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -DocumentRoot "/var/www/html" - -# -# Relax access to content within /var/www. -# - - AllowOverride None - # Allow open access: - Require all granted - - -# Further relax access to the default document root: - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - # - AllowOverride None - - # - # Controls who can get stuff from this server. - # - Require all granted - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.html - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. 
-# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog "logs/error_log" - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%{X-Forwarded-For}i %h %l %u %v %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %v %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - #CustomLog "logs/access_log" common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog "logs/access_log" combined - - - - # - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. 
- # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - # - ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" - - - -# -# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) 
- # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. - # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset UTF-8 - - - # - # The mod_mime_magic module allows the server to use various hints from the - # contents of the file itself to determine its type. The MIMEMagicFile - # directive tells the module where the hint definitions are located. - # - MIMEMagicFile conf/magic - - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults if commented: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -EnableSendfile on - -# Supplemental configuration -# -# Load config files in the "/etc/httpd/conf.d" directory, if any. -IncludeOptional conf.d/*.conf 
diff --git a/docker/images/yoda_web_mock/yoda-web-mock-vhost.conf b/docker/images/yoda_web_mock/yoda-web-mock-vhost.conf
index 2d73f107c..2f2e22569 100644
--- a/docker/images/yoda_web_mock/yoda-web-mock-vhost.conf
+++ b/docker/images/yoda_web_mock/yoda-web-mock-vhost.conf
@@ -32,12 +32,12 @@
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase. Note that a kill -HUP will prompt again. A new
 # certificate can be generated using the genkey(1) command.
- SSLCertificateFile /etc/pki/tls/certs/localhost_and_chain.crt
+ SSLCertificateFile /etc/ssl/certs/localhost_and_chain.crt
 # Server Private Key:
 # If the key is not combined with the certificate, use this
 # directive to point at the key file. Keep in mind that if
 # you've both a RSA and a DSA private key you can configure
 # both in parallel (to also allow the use of DSA ciphers, etc.)
- SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+ SSLCertificateKeyFile /etc/ssl/private/localhost.key
diff --git a/docker/images/yoda_web_mock/yoda_web_mock_init.sh b/docker/images/yoda_web_mock/yoda_web_mock_init.sh
index e7cd4ed2f..db10d232c 100644
--- a/docker/images/yoda_web_mock/yoda_web_mock_init.sh
+++ b/docker/images/yoda_web_mock/yoda_web_mock_init.sh
@@ -22,8 +22,8 @@ function progress_update {
 }
 function start_service {
- /usr/sbin/httpd -DFOREGROUND || true
- echo "Error: http either terminated or would not start. Keeping container running for troubleshooting purposes."
+ apache2ctl -D FOREGROUND || true
+ echo "Error: Apache either terminated or would not start. Keeping container running for troubleshooting purposes."
 sleep infinity
 }
@@ -42,16 +42,16 @@ progress_update "Downloaded certificate bundle."
 before_update "Extracting certificate data"
 cd /download
 tar xvfz "${DATA_VERSION}.certbundle.tar.gz"
-install -m 0644 docker.pem /etc/pki/tls/certs/localhost.crt
-install -m 0644 docker.pem /etc/pki/tls/certs/localhost_and_chain.crt
-install -m 0644 docker.key /etc/pki/tls/private/localhost.key
-install -m 0644 dhparam.pem /etc/pki/tls/private/dhparams.pem
+install -m 0644 docker.pem /etc/ssl/certs/localhost.crt
+install -m 0644 docker.pem /etc/ssl/certs/localhost_and_chain.crt
+install -m 0644 docker.key /etc/ssl/private/localhost.key
+install -m 0644 dhparam.pem /etc/ssl/private/dhparams.pem
 progress_update "Certificate data extracted"
 # Configure Vhost with right mock name and FQDN
 before_update "Configuring Vhost."
-perl -pi.bak -e '$mockname=$ENV{MOCKNAME}; s/MOCKNAME/$mockname/gee' /etc/httpd/conf.d/yoda-web-mock-vhost.conf
-perl -pi.bak -e '$mockfqdn=$ENV{MOCKNAME}; s/MOCKFQDN/$mockfqdn/gee' /etc/httpd/conf.d/yoda-web-mock-vhost.conf
+perl -pi.bak -e '$mockname=$ENV{MOCKNAME}; s/MOCKNAME/$mockname/gee' /etc/apache2/sites-available/yoda-web-mock-vhost.conf
+perl -pi.bak -e '$mockfqdn=$ENV{MOCKNAME}; s/MOCKFQDN/$mockfqdn/gee' /etc/apache2/sites-available/yoda-web-mock-vhost.conf
 progress_update "Vhost configured."
 CURRENT_UID="$(id -u yodadeployment)"
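Review bot: The `s/MOCKNAME/$mockname/gee` substitution evaluates the replacement twice, so the value of the `MOCKNAME` environment variable is itself executed as Perl code by whoever runs this script (presumably root inside the container); a value such as `system("...")` would run instead of being inserted, and even an ordinary hyphenated name like `web-mock` would presumably be parsed as a subtraction of two barewords and substituted as `0`. Plain interpolation is all that is needed here: `perl -pi.bak -e 's/MOCKNAME/$ENV{MOCKNAME}/g' /etc/apache2/sites-available/yoda-web-mock-vhost.conf`, and the same form for the `MOCKFQDN` line. That second line reads `$ENV{MOCKNAME}` while replacing `MOCKFQDN`; this is carried over from the old lines, but it looks as if `$ENV{MOCKFQDN}` may have been intended — confirm which variable the compose setup actually provides. Separately, `install -m 0644 docker.key /etc/ssl/private/localhost.key` leaves the private key world-readable; `-m 0600` is sufficient because Apache reads the key as root before dropping privileges.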