From 75cfafebc98c18fd4eae63da47c65d03c85f7074 Mon Sep 17 00:00:00 2001
From: Felix Bartels
Date: Sun, 3 Nov 2019 10:31:42 +0100
Subject: [PATCH 1/4] General Dockerfile improvements & automatic configuration
- add a docker-compose file for easy rebuilds and test deployments
- switch to slim version of base image
- instruct apt to run noninteractive
- maintainer is deprecated in Dockerfile
- reformat packages being installed and add ca-certificates
- reduce layers and size while cleaning up in the indivdual layers
- add proper startup script
- make apache put logs on the console
- add healthcheck
- set lam password at startup
- make more settings configurable through env variables
- add ldap to the example compose file
- predefine DEBUG var
- Upgrade to Debian Buster
Signed-off-by: Felix Bartels
---
lam-packaging/docker/.env | 10 +++++
lam-packaging/docker/Dockerfile | 57 ++++++++++++++++++-------
lam-packaging/docker/docker-compose.yml | 45 +++++++++++++++++++
lam-packaging/docker/start.sh | 36 ++++++++++++++++
4 files changed, 133 insertions(+), 15 deletions(-)
create mode 100644 lam-packaging/docker/.env
create mode 100644 lam-packaging/docker/docker-compose.yml
create mode 100755 lam-packaging/docker/start.sh
diff --git a/lam-packaging/docker/.env b/lam-packaging/docker/.env
new file mode 100644
index 00000000..ab771746
--- /dev/null
+++ b/lam-packaging/docker/.env
@@ -0,0 +1,10 @@
+LDAP_ORGANISATION="LDAP Account Manager Demo"
+LDAP_DOMAIN=mydomain.com
+LDAP_BASE_DN=dc=mydomain,dc=com
+LDAP_SERVER=ldap://ldap:389
+LDAP_ADMIN_PASSWORD=adminpw
+LDAP_READONLY_USER_PASSWORD=readonlypw
+LDAP_BIND_DN=cn=readonly,dc=mydomain,dc=com
+LDAP_SEARCH_BASE=dc=mydomain,dc=com
+
+LAM_PASSWORD=lam
diff --git a/lam-packaging/docker/Dockerfile b/lam-packaging/docker/Dockerfile
index 8682a0d3..41c70435 100644
--- a/lam-packaging/docker/Dockerfile
+++ b/lam-packaging/docker/Dockerfile
@@ -25,32 +25,59 @@
 # You can change the port 8080 if needed.
 #
-FROM debian:stretch
-MAINTAINER Roland Gruber
+FROM debian:buster-slim
+LABEL maintainer="Roland Gruber "
 ARG LAM_RELEASE=6.9
-# update OS
-RUN apt-get update \
- && apt-get upgrade -y
+ENV \
+ DEBIAN_FRONTEND=noninteractive \
+ DEBUG=''
-# install requirements
-RUN apt-get install -y wget apache2 libapache2-mod-php php php-ldap php-zip php-xml php-curl php-gd php-imagick php-mcrypt php-tcpdf php-phpseclib fonts-dejavu php-monolog
+RUN apt-get update && \
+ apt-get install --no-install-recommends -y \
+ apache2 \
+ ca-certificates \
+ dumb-init \
+ fonts-dejavu \
+ libapache2-mod-php \
+ php \
+ php-curl \
+ php-gd \
+ php-imagick \
+ php-ldap \
+ php-monolog \
+ php-phpseclib \
+ php-xml \
+ php-zip \
+ wget \
+ && \
+ rm /etc/apache2/sites-enabled/*default* && \
+ rm -rf /var/cache/apt /var/lib/apt/lists/*
 # install LAM
-RUN wget http://prdownloads.sourceforge.net/lam/ldap-account-manager_${LAM_RELEASE}-1_all.deb?download -O /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb \
- && dpkg -i /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb
+RUN wget http://prdownloads.sourceforge.net/lam/ldap-account-manager_${LAM_RELEASE}-1_all.deb?download \
+ -O /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb && \
+ dpkg -i /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb && \
+ rm -f /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb
-# cleanup
-RUN apt-get autoremove -y && apt-get clean all \
- && rm -f /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb \
- && rm /etc/apache2/sites-enabled/*default*
+# redirect Apache logging
+RUN sed -e 's,^ErrorLog.*,ErrorLog "|/bin/cat",' -i /etc/apache2/apache2.conf
+# because there is no logging set in the lam vhost logging goes to other_vhost_access.log
+RUN ln -sf /dev/stdout /var/log/apache2/other_vhosts_access.log
 # add redirect for /
 RUN a2enmod rewrite
 RUN echo "RewriteEngine on" >> /etc/apache2/conf-enabled/laminit.conf \
 && echo "RewriteRule ^/$ /lam/ [R,L]" >> /etc/apache2/conf-enabled/laminit.conf
-# start Apache when container starts
-ENTRYPOINT service apache2 start && sleep infinity
+COPY start.sh /usr/local/bin/start.sh
+WORKDIR /var/lib/ldap-account-manager/config
+
+# start Apache when container starts
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD [ "/usr/local/bin/start.sh" ]
+
+HEALTHCHECK --interval=1m --timeout=10s \
+ CMD wget -qO- http://localhost/lam/ | grep -q 'LDAP Account Manager'
diff --git a/lam-packaging/docker/docker-compose.yml b/lam-packaging/docker/docker-compose.yml
new file mode 100644
index 00000000..cff0dc65
--- /dev/null
+++ b/lam-packaging/docker/docker-compose.yml
@@ -0,0 +1,45 @@
+version: '3.5'
+services:
+ ldap-account-manager:
+ build:
+ context: .
+ args:
+ - LAM_RELEASE=6.9
+ image: ldapaccountmanager/lam:latest
+ restart: unless-stopped
+ ports:
+ - "8080:80"
+ volumes:
+ - lametc/:/etc/ldap-account-manager
+ - lamconfig/:/var/lib/ldap-account-manager/config
+ - lamsession/:/var/lib/ldap-account-manager/sess
+ environment:
+ - LAM_PASSWORD=${LAM_PASSWORD}
+ - LAM_LANG=en_US
+ - LAM_TIMEZONE=Europe/Berlin
+ - LDAP_SERVER=${LDAP_SERVER}
+ - LDAP_DOMAIN=${LDAP_DOMAIN}
+ - LDAP_BASE_DN=${LDAP_BASE_DN}
+ - ADMIN_USER=cn=admin,${LDAP_BASE_DN}
+ - DEBUG=true
+ ldap:
+ image: osixia/openldap:latest
+ restart: unless-stopped
+ environment:
+ - LDAP_ORGANISATION=${LDAP_ORGANISATION}
+ - LDAP_DOMAIN=${LDAP_DOMAIN}
+ - LDAP_BASE_DN=${LDAP_BASE_DN}
+ - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
+ - LDAP_READONLY_USER=true
+ - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_USER_PASSWORD}
+ command: "--loglevel info --copy-service"
+ volumes:
+ - ldap:/var/lib/ldap
+ - slapd:/etc/ldap/slapd.d
+
+volumes:
+ lametc:
+ lamconfig:
+ lamsession:
+ ldap:
+ slapd:
diff --git a/lam-packaging/docker/start.sh b/lam-packaging/docker/start.sh
new file mode 100755
index 00000000..e959f8eb
--- /dev/null
+++ b/lam-packaging/docker/start.sh
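Review bot: The `RUN wget http://prdownloads.sourceforge.net/lam/ldap-account-manager_${LAM_RELEASE}-1_all.deb?download ... && dpkg -i ...` step still downloads the package over plain HTTP and installs it with no integrity check, even though this hunk adds ca-certificates; whatever the redirect/mirror chain returns is installed as root at build time. Switch the URL to `https://` and verify a pinned digest before `dpkg -i`, e.g. `ARG LAM_SHA256=<sha256-of-release-placeholder>` and `echo "${LAM_SHA256}  /tmp/ldap-account-manager_${LAM_RELEASE}-1_all.deb" | sha256sum -c -`. Separately, `ENV \ DEBIAN_FRONTEND=noninteractive` now persists into the running container's environment; `ARG DEBIAN_FRONTEND=noninteractive` (or an inline prefix on the apt-get line) keeps it build-only, leaving just `DEBUG=''` in ENV. The final stage ends without a `USER` directive, so the apache2 parent launched by start.sh runs as root and the privilege drop for workers rests entirely on the distro's Apache configuration — worth stating in a comment if that is intended.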
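Review bot: The `environment:` list passes `LDAP_SERVER` and `ADMIN_USER`, but the start.sh added in this same patch reads `LDAP_HOST` and `LDAP_USER`, so anything set for these through .env is silently ignored and the script defaults (`ldap://ldap:389`, `cn=admin,${LDAP_BASE_DN}`) apply instead; the demo only works because the defaults happen to coincide. Rename the two entries to `- LDAP_HOST=${LDAP_SERVER}` and `- LDAP_USER=cn=admin,${LDAP_BASE_DN}` (or rename the variables in start.sh); the docker-compose.yml hunk of PATCH 3 only drops LAM_TIMEZONE and keeps these names, so the mismatch survives there. `ldapaccountmanager/lam:latest` and `osixia/openldap:latest` are both unpinned, which gives up the reproducibility the pinned `LAM_RELEASE=6.9` build arg provides. The volume sources `lametc/`, `lamconfig/` and `lamsession/` carry a trailing slash that the names in the top-level `volumes:` block do not; whether compose normalises that I cannot tell from here, and using the bare names avoids the question.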
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eu # unset variables are errors & non-zero return values exit the whole script
+[ "$DEBUG" ] && set -x
+
+LAM_LANG="${LAM_LANG:-en_US}"
+export LAM_PASSWORD="${LAM_PASSWORD:-lam}"
+LAM_PASSWORD_SSHA=$(php -r '$password = getenv("LAM_PASSWORD"); mt_srand((microtime() * 1000000)); $rand = abs(hexdec(bin2hex(openssl_random_pseudo_bytes(5)))); $salt0 = substr(pack("h*", md5($rand)), 0, 8); $salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4); print "{SSHA}" . base64_encode(pack("H*", sha1($password . $salt))) . " " . base64_encode($salt) . "\n";')
+LAM_TIMEZONE="${LAM_TIMEZONE:-Europe/Berlin}"
+LDAP_HOST="${LDAP_HOST:-ldap://ldap:389}"
+LDAP_DOMAIN="${LDAP_DOMAIN:-mydomain.com}"
+LDAP_BASE_DN="${LDAP_BASE_DN:-dc=${LDAP_DOMAIN//\./,dc=}}"
+ADMIN_USER="${LDAP_USER:-cn=admin,${LDAP_BASE_DN}}"
+
+echo "Setting LAM password to: $LAM_PASSWORD"
+sed -i -f- /etc/ldap-account-manager/config.cfg <<- EOF
+ s|^password:.*|password: ${LAM_PASSWORD_SSHA}|;
+EOF
+unset LAM_PASSWORD
+
+sed -i -f- /var/lib/ldap-account-manager/config/lam.conf <<- EOF
+ s|^ServerURL:.*|ServerURL: ${LDAP_HOST}|;
+ s|^Admins:.*|Admins: ${ADMIN_USER}|;
+ s|^Passwd:.*|Passwd: ${LAM_PASSWORD_SSHA}|;
+ s|^treesuffix:.*|treesuffix: ${LDAP_BASE_DN}|;
+ s|^defaultLanguage:.*|defaultLanguage: ${LAM_LANG}.utf8|;
+ s|^types: suffix_user:.*|types: suffix_user: ${LDAP_BASE_DN}|;
+ s|^types: suffix_group:.*|types: suffix_group: ${LDAP_BASE_DN}|;
+EOF
+
+echo "Starting Apache"
+rm -f /run/apache2/apache2.pid
+set +u
+# shellcheck disable=SC1091
+source /etc/apache2/envvars
+exec /usr/sbin/apache2 -DFOREGROUND
From 3d7e2e9c47b9766974b712efbfec540ecf93b269 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sat, 7 Dec 2019 20:00:44 +0100
Subject: [PATCH 2/4] copyright
---
lam-packaging/docker/start.sh | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/lam-packaging/docker/start.sh b/lam-packaging/docker/start.sh
index e959f8eb..44f77ab3 100755
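Review bot: `[ "$DEBUG" ] && set -x` enables xtrace before `export LAM_PASSWORD="${LAM_PASSWORD:-lam}"` and the `LAM_PASSWORD_SSHA=$(php ...)` assignment, so whenever DEBUG is non-empty — and the compose file in this patch sets `DEBUG=true` — the clear-text master password and its hash are traced to stderr and end up in the container logs; `echo "Setting LAM password to: $LAM_PASSWORD"` prints it unconditionally on top of that (PATCH 3 drops the echo but not the trace). Bracket the password section with `{ set +x; } 2>/dev/null` before the export and re-enable with `[ "$DEBUG" ] && set -x` after `unset LAM_PASSWORD`, or simply move the `set -x` line below that point. The `${LAM_PASSWORD:-lam}` fallback means a deployment that forgets the variable gets a well-known master password behind the published port; `: "${LAM_PASSWORD:?LAM_PASSWORD must be set}"` would fail fast instead. The `mt_srand(...)` call in the PHP one-liner appears unused by the salt, which is derived from `openssl_random_pseudo_bytes(5)`; presumably copied from LAM's own hashing routine — confirm or drop it. `LDAP_BASE_DN`, `LDAP_HOST` and `ADMIN_USER` are interpolated straight into the sed scripts, so a `|` or `&` in those values would change the substitution; no escaping is visible here.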
--- a/lam-packaging/docker/start.sh
+++ b/lam-packaging/docker/start.sh
@@ -1,4 +1,24 @@
 #!/bin/bash
+#
+# Docker start script for LDAP Account Manager
+
+# This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
+# Copyright (C) 2019 Felix Bartels
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
 set -eu # unset variables are errors & non-zero return values exit the whole script
 [ "$DEBUG" ] && set -x
From 3054f38d7cf300452956d7b2f02ee5bdcabdd1a9 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sat, 7 Dec 2019 21:41:36 +0100
Subject: [PATCH 3/4] documented environment variables, cleanup
---
lam-packaging/docker/.env | 20 ++++++++++++++------
lam-packaging/docker/docker-compose.yml | 1 -
lam-packaging/docker/start.sh | 12 +++++-------
3 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/lam-packaging/docker/.env b/lam-packaging/docker/.env
index ab771746..fec3ea26 100644
--- a/lam-packaging/docker/.env
+++ b/lam-packaging/docker/.env
@@ -1,10 +1,18 @@
-LDAP_ORGANISATION="LDAP Account Manager Demo"
-LDAP_DOMAIN=mydomain.com
-LDAP_BASE_DN=dc=mydomain,dc=com
+# domain of LDAP database root entry, will be converted to dc=...,dc=...
+LDAP_DOMAIN=my-domain.com
+# LDAP base DN to overwrite value generated by LDAP_DOMAIN
+LDAP_BASE_DN=dc=my-domain,dc=com
+# LDAP server URL
 LDAP_SERVER=ldap://ldap:389
+# LDAP admin user (set as login user for LAM)
+LDAP_USER=cn=admin111,dc=my-domain,dc=com
+# LDAP admin password
 LDAP_ADMIN_PASSWORD=adminpw
-LDAP_READONLY_USER_PASSWORD=readonlypw
-LDAP_BIND_DN=cn=readonly,dc=mydomain,dc=com
-LDAP_SEARCH_BASE=dc=mydomain,dc=com
+# LAM configuration master password and password for server profile "lam"
 LAM_PASSWORD=lam
+
+# docker-compose only, LDAP organisation name for OpenLDAP
+LDAP_ORGANISATION="LDAP Account Manager Demo"
+# docker-compose only, password for LDAP read-only user
+LDAP_READONLY_USER_PASSWORD=readonlypw
diff --git a/lam-packaging/docker/docker-compose.yml b/lam-packaging/docker/docker-compose.yml
index cff0dc65..596d7dd5 100644
--- a/lam-packaging/docker/docker-compose.yml
+++ b/lam-packaging/docker/docker-compose.yml
@@ -16,7 +16,6 @@ services:
 environment:
 - LAM_PASSWORD=${LAM_PASSWORD}
 - LAM_LANG=en_US
- - LAM_TIMEZONE=Europe/Berlin
 - LDAP_SERVER=${LDAP_SERVER}
 - LDAP_DOMAIN=${LDAP_DOMAIN}
 - LDAP_BASE_DN=${LDAP_BASE_DN}
diff --git a/lam-packaging/docker/start.sh b/lam-packaging/docker/start.sh
index 44f77ab3..70390b1d 100755
--- a/lam-packaging/docker/start.sh
+++ b/lam-packaging/docker/start.sh
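Review bot: `LDAP_USER=cn=admin111,dc=my-domain,dc=com` looks like a leftover test value: the comment above it describes the LDAP admin user, while docker-compose.yml derives that user as `cn=admin,${LDAP_BASE_DN}`. docker-compose.yml also does not forward `LDAP_USER` at all (its environment list passes `ADMIN_USER`), so this entry currently never reaches the container; `LDAP_USER=cn=admin,dc=my-domain,dc=com` together with a matching compose entry would make the sample consistent. A one-line header such as `# Demo values only - replace every password below before deploying` would make the status of `adminpw`, `readonlypw` and `lam` explicit for anyone who copies this file.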
@@ -26,13 +26,11 @@ set -eu # unset variables are errors & non-zero return values exit the whole scr
 LAM_LANG="${LAM_LANG:-en_US}"
 export LAM_PASSWORD="${LAM_PASSWORD:-lam}"
 LAM_PASSWORD_SSHA=$(php -r '$password = getenv("LAM_PASSWORD"); mt_srand((microtime() * 1000000)); $rand = abs(hexdec(bin2hex(openssl_random_pseudo_bytes(5)))); $salt0 = substr(pack("h*", md5($rand)), 0, 8); $salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4); print "{SSHA}" . base64_encode(pack("H*", sha1($password . $salt))) . " " . base64_encode($salt) . "\n";')
-LAM_TIMEZONE="${LAM_TIMEZONE:-Europe/Berlin}"
 LDAP_HOST="${LDAP_HOST:-ldap://ldap:389}"
-LDAP_DOMAIN="${LDAP_DOMAIN:-mydomain.com}"
+LDAP_DOMAIN="${LDAP_DOMAIN:-my-domain.com}"
 LDAP_BASE_DN="${LDAP_BASE_DN:-dc=${LDAP_DOMAIN//\./,dc=}}"
-ADMIN_USER="${LDAP_USER:-cn=admin,${LDAP_BASE_DN}}"
+LDAP_ADMIN_USER="${LDAP_USER:-cn=admin,${LDAP_BASE_DN}}"
-echo "Setting LAM password to: $LAM_PASSWORD"
 sed -i -f- /etc/ldap-account-manager/config.cfg <<- EOF
 s|^password:.*|password: ${LAM_PASSWORD_SSHA}|;
 EOF
@@ -40,12 +38,12 @@ unset LAM_PASSWORD
 sed -i -f- /var/lib/ldap-account-manager/config/lam.conf <<- EOF
 s|^ServerURL:.*|ServerURL: ${LDAP_HOST}|;
- s|^Admins:.*|Admins: ${ADMIN_USER}|;
+ s|^Admins:.*|Admins: ${LDAP_ADMIN_USER}|;
 s|^Passwd:.*|Passwd: ${LAM_PASSWORD_SSHA}|;
 s|^treesuffix:.*|treesuffix: ${LDAP_BASE_DN}|;
 s|^defaultLanguage:.*|defaultLanguage: ${LAM_LANG}.utf8|;
- s|^types: suffix_user:.*|types: suffix_user: ${LDAP_BASE_DN}|;
- s|^types: suffix_group:.*|types: suffix_group: ${LDAP_BASE_DN}|;
+ s|^.*suffix_user:.*|types: suffix_user: ${LDAP_BASE_DN}|;
+ s|^.*suffix_group:.*|types: suffix_group: ${LDAP_BASE_DN}|;
 EOF
 echo "Starting Apache"
From 7734b33e26e51fc9460932330f45a2dea8f63443 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sat, 7 Dec 2019 21:46:22 +0100
Subject: [PATCH 4/4] docs update
---
lam/HISTORY | 1 +
lam/docs/manual-sources/chapter-installation.xml | 4 ++++
2 files changed, 5 insertions(+)
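Review bot: The loosened patterns `s|^.*suffix_user:.*|...|;` and `s|^.*suffix_group:.*|...|;` in the second hunk match any lam.conf line that merely contains `suffix_user:` or `suffix_group:`, not just the `types: suffix_user:` key, so a commented-out line or another key carrying that substring (I cannot see lam.conf's format from here) would be rewritten as well. If the intent was only to tolerate spacing around the key, `s|^types: *suffix_user:.*|types: suffix_user: ${LDAP_BASE_DN}|;` and the matching `suffix_group` form keep the key anchored while still being lenient. A short comment above the heredoc saying which lam.conf keys the script is allowed to overwrite would make future loosening of these patterns easier to review.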
diff --git a/lam/HISTORY b/lam/HISTORY index 57d4627d..9976b14a 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -4,6 +4,7 @@ December 2019 7.0 - YubiKey: support to configure multiple verification servers - Deactivated non-maintained translations: Catalan, Czech, Hungarian, Polish and Turkish Contact us if you would like to take over. Translators get LAM Pro for free (commercial use included). + - Docker updates - Fixed bugs: -> Missing CSS for Duo -> Editing of DNs with comma on Windows (210) diff --git a/lam/docs/manual-sources/chapter-installation.xml b/lam/docs/manual-sources/chapter-installation.xml index 5528d3ce..d570c1d2 100644 --- a/lam/docs/manual-sources/chapter-installation.xml +++ b/lam/docs/manual-sources/chapter-installation.xml @@ -318,6 +318,10 @@ You can run LAM inside Docker. + Possible environment variables are documented in the sample + .env file. + See here: