Add containerization for the ipa-tuura+Apache service
Add a Containerfile and a podman-compose file that containerize ipa-tuura with httpd as the HTTPS server. This replaces the previous Dockerfile.test, serving the application through Apache over HTTPS instead of Django's built-in development HTTP server, which is not meant for production use. Running the podman-compose.yaml builds and deploys the container with the required port mappings. Signed-off-by: Antonio Torres <antorres@redhat.com>
1 parent
1c76040
commit c9f52e4
Showing
5 changed files
with
132 additions
and
23 deletions.
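--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,48 @@
+FROM fedora:38
+ENV TZ=Europe/Madrid
+
+LABEL org.opencontainers.image.source=https://github.com/freeipa/ipa-tuura
+LABEL org.opencontainers.image.description="IPA-tuura Container"
+
+# Install dependencies
+RUN dnf -y update && dnf -y install \
+dbus-daemon \
+dbus-devel \
+gcc \
+glib2-devel \
+glibc \
+httpd \
+krb5-devel \
+maven \
+mod_ssl \
+mod_wsgi \
+openldap-devel \
+openssl \
+python3-devel \
+python3-netifaces \
+python3-pip \
+python3-sssdconfig \
+python-devel \
+python-ipalib \
+sssd-dbus \
+unzip \
+&& dnf clean all
+RUN mkdir /www
+COPY . /www/ipa-tuura
+RUN pip install -r /www/ipa-tuura/src/install/requirements.txt
+
+# Setup ipa-tuura
+RUN echo 'LoadModule wsgi_module modules/mod_wsgi.so' >> /etc/httpd/conf/httpd.conf
+RUN sed -i 's/ALLOWED_HOSTS = \[\]/ALLOWED_HOSTS = \['"'*'"'\]/g' /www/ipa-tuura/src/ipa-tuura/root/settings.py
+RUN sed -i 's/staticfiles/static/g' /usr/local/lib/python3.11/site-packages/rest_framework_swagger/templates/rest_framework_swagger/index.html
+
+# Generate and configure self-signed certificate
+COPY src/conf/ipa.conf /root
+RUN openssl req -config /root/ipa.conf -newkey rsa -x509 -days 365 -out /etc/pki/tls/certs/apache-selfsigned.crt
+RUN sed -i 's\localhost.crt\apache-selfsigned.crt\g' /etc/httpd/conf.d/ssl.conf
+RUN sed -i 's\localhost.key\apache-selfsigned.key\g' /etc/httpd/conf.d/ssl.conf
+
+# Setup Apache virtual host
+COPY src/conf/ipatuura.conf /etc/httpd/conf.d/ipatuura.conf
+
+CMD ["/usr/sbin/httpd", "-DFOREGROUND"]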
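Review bot: The TLS private key is generated at image build time by the `openssl req -newkey rsa -x509` RUN step, so it is written unencrypted (the request config sets `encrypt_key = no`) into an image layer and shared by every container started from the image and by anyone who can pull it. Generate the key pair at container start instead, or mount a real key/cert over the `ssl.conf` paths, and keep only the `ssl.conf` rewrites in the build. Separately, the `sed` that rewrites `ALLOWED_HOSTS = ['*']` turns off Django's Host-header validation and deserves a comment stating that the Apache virtual host is expected to restrict accepted hosts, and `COPY . /www/ipa-tuura` ships the whole build context (`.git`, local configs, anything lying around) unless a `.containerignore`/`.dockerignore` exists, which this commit does not add.
```dockerfile
# … unchanged: package install, app setup …
# Only stage the request config here; the key pair is created at first start so
# that it is never baked into an image layer shared by every container.
COPY src/conf/ipa.conf /root
RUN sed -i 's\localhost.crt\apache-selfsigned.crt\g' /etc/httpd/conf.d/ssl.conf \
 && sed -i 's\localhost.key\apache-selfsigned.key\g' /etc/httpd/conf.d/ssl.conf
# … unchanged: virtual host config …
# Generate a per-container self-signed key/cert unless one was mounted in, then exec httpd as PID 1.
CMD ["/bin/sh", "-c", "[ -f /etc/pki/tls/private/apache-selfsigned.key ] || openssl req -config /root/ipa.conf -newkey rsa -x509 -days 365 -out /etc/pki/tls/certs/apache-selfsigned.crt; exec /usr/sbin/httpd -DFOREGROUND"]
```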
This file was deleted.
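--- /dev/null
+++ b/podman-compose.yaml
@@ -0,0 +1,11 @@
+version: "3"
+services:
+  tuura-server:
+    container_name: tuura-server
+    build:
+      context: .
+    ports:
+      - 8005:80
+      - 3501:3500
+      - 4701:81
+      - 4430:443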
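Review bot: All four `ports:` entries carry no host address, so they publish on every host interface, and `8005:80` republishes plain HTTP even though the stated purpose of the commit is to serve ipa-tuura over HTTPS only. For a test deployment bind to loopback and drop the HTTP mapping, e.g. `- "127.0.0.1:4430:443"`, or at least comment why port 80 must stay reachable. Ports 81 and 3500 are neither documented here nor `EXPOSE`d in the Containerfile, so it is unclear what listens on them; a one-line comment per mapping naming the service (`# 3500: <service> — TODO confirm`) would spare the next reader a guess.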
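--- /dev/null
+++ b/src/conf/ipa.conf
@@ -0,0 +1,71 @@
+# Key:
+# - <SK> = Key to a config subsection
+
+# Main entry point
+# since our command on the CLI is `req`, OpenSSL is going to look for a matching entry-point
+# This lets you store multiple command configs together, in a single file
+[req]
+# algorithm and number of bits to use when creating the private key
+# rsa:2048
+default_bits = 2048
+# Same as `-nodes` argument, to prevent encryption of private key (passphrase)
+encrypt_key = no
+# Explicitly tells OpenSSL which message digest algorithm to use
+# Good practice to specify, since older versions might default to MD5 (insecure)
+default_md = sha256
+# If you don't use `-keyout` in the CLI, this determines the private key filename
+default_keyfile = /etc/pki/tls/private/apache-selfsigned.key
+# <SK> These are values that are used to *distinguish* the certificate, such as the country and organization
+# These values are normally collected via Q&A prompt in the CLI if config file is not used
+distinguished_name = req_distinguished_name
+# Ensures that distinguished_name values will be pulled from this file, as
+# opposed to prompting the user in the CLI
+prompt = no
+# <SK> Used for extensions to the self-signed cert OpenSSL is going to generate for us
+x509_extensions = x509_extensions
+
+[req_distinguished_name]
+# - These are all values that are used to *distinguish* the certificate, such as
+# the country and organization
+# - Many of these have shorter keys that should be used for non-prompt values,
+# and long keys that should have a prompt string to display to the user, and
+# optionally a default value if the prompt is skipped (see below note)
+# - For long keys, if you use fieldName with `_default` at the end, the value
+# will be used if prompt!==true, or if the user skips the prompt in the CLI
+
+# Long = countryName
+C = ES
+# Long = stateOrProvinceName
+ST = AB
+# Long = localityName
+L = Albacete
+# Long = organizationName
+O = IPA
+# Long = organizationalUnitName
+OU = IPA TUURA
+# Long = commonName
+# Pay extra attention to common name - You can only define one, and it is the
+# value that is displayed to the user. Should NOT include protocol, but can
+# be in format of domain.tld, www.domain.tld, or even wildcard, to share a
+# common cert across multiple subdomains - `*.domain.tld`.
+# Also, any value that you use here !*** MUST ***! be ALSO included in the SAN
+# (subject alternative name) section (subjectAltName), if you choose to
+# include that section. See: https://stackoverflow.com/a/25971071/11447682
+CN = *.ipa.test
+
+[x509_extensions]
+# <SK> Used for (generically) custom field-value pairs that should be associated
+# with the cert, such as extra DNS names, IP addresses, and emails
+subjectAltName = @alternate_names
+
+[alternate_names]
+# Extra domain names to associate with our cert
+# - These can be a mix of wildcard, IP address, subdomain, etc.
+DNS.1 = *.ipa.test
+DNS.2 = localhost
+DNS.3 = 127.0.0.1
+DNS.4 = master.ipa.test
+# Etc.
+# See:
+# - https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html#Subject-Alternative-Name
+# - https://en.wikipedia.org/wiki/Subject_Alternative_Name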
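Review bot: `DNS.3 = 127.0.0.1` in `[alternate_names]` places an IP address in a dNSName SAN entry, which TLS clients do not match when connecting to `https://127.0.0.1`; the entry should be `IP.1 = 127.0.0.1` (and `IP.2 = ::1` if IPv6 loopback is needed). The wildcard `*.ipa.test` used for both `CN` and `DNS.1` matches exactly one label, so `master.ipa.test` (`DNS.4`) is already covered by it while the bare `ipa.test` is not — worth a one-line comment so nobody adds or removes entries under the wrong assumption. Since `encrypt_key = no` leaves the generated key unencrypted on disk, add a comment next to it that the key file must therefore never be committed or baked into a shared image.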