WIP

docker/Dockerfile

@@ -51,6 +51,11 @@ RUN systemctl enable ssh.service                 && \
     systemctl disable systemd-timesyncd.service  && \
     echo "exit 0" > /usr/sbin/policy-rc.d
 
+RUN systemctl disable getty@  && \
+    systemctl disable getty.target  && \
+    rm /lib/systemd/system/multi-user.target.wants/getty.target  && \
+    rm /lib/systemd/system/getty.target.wants/getty-static.service
+
 RUN useradd --create-home --shell /bin/bash --groups adm ansible        && \
     install -d -o ansible -m 0700 /home/ansible/.ssh  && \
     echo -n 'ansible:ansible' | chpasswd

docker/docker-compose.yml.py

@@ -15,6 +15,7 @@
 hosts = {
     'sbs':      27,
     'db':       28,
+    'docker':   31,
 }
 if ci_enabled:
     hosts.update({
@@ -36,7 +37,7 @@
     'mdq',         'cm',        'comanage', 'ldap',
     'meta',        'oidc-test', 'sp-test',  'idp-test',
     'google-test', 'sbs',       'sandbox1', 'pam',
-    'oidc-op',
+    'oidc-op',     'docker'
 ]
 
 extra_options = {}
@@ -57,9 +58,9 @@ def host_config(num: int, name: str) -> Dict[str, Any]:
     data: Dict[str, Any] = dict()
     data['image'       ] = 'scz-base'
     data['hostname'    ] =  name
-    data['volumes'     ] = [ './ansible_key.pub:/tmp/authorized_keys', '/sys/fs/cgroup:/sys/fs/cgroup:ro' ]
+    data['volumes'     ] = [ './ansible_key.pub:/tmp/authorized_keys' ]
     data['tmpfs'       ] = [ '/run', '/run/lock', '/tmp' ]
-    data['privileged'  ] = False
+    data['privileged'  ] = True
     data['security_opt'] = [ 'seccomp:unconfined', 'apparmor:unconfined' ]
     data['cap_add'     ] = [ 'SYS_ADMIN', 'SYS_PTRACE' ]
     data['networks'    ] = {

docker/hosts

@@ -11,5 +11,6 @@
 172.20.1.28 db.vm.scz-vm.net
 172.20.1.29 bhr.vm.scz-vm.net
 172.20.1.30 test.vm.scz-vm.net
+172.20.1.31 docker.vm.scz-vm.net
 172.20.1.40 websso.scz-vm.net
 172.20.1.41 webssod.scz-vm.net

environments/vm/inventory

@@ -35,6 +35,9 @@ db.vm.scz-vm.net ansible_host=172.20.1.28
 [vm_bhr]
 bhr.vm.scz-vm.net ansible_host=172.20.1.29
 
+[vm_docker]
+docker.vm.scz-vm.net ansible_host=172.20.1.31
+
 [vm:children]
 vm_lb
 vm_ldap
@@ -44,6 +47,7 @@ vm_sandbox1
 vm_sbs
 vm_db
 vm_bhr
+vm_docker
 
 ##########################################
 # role-based groups
@@ -86,6 +90,8 @@ vm_bhr
 [bhr2:children]
 vm_bhr
 
+[docker:children]
+vm_docker
 ##########################################
 # all
 [all:children]

provision.yml

@@ -87,6 +87,15 @@
     - { role: 'http_apache', tags: ['bhr12','ci-runner']}
     - { role: 'ci-runner',   tags: ['bhr12','ci-runner']}
 
+- name: "docker"
+  hosts: docker
+  tasks:
+    - { import_tasks: "tasks/versions.yml", tags: ['common']  }
+  roles:
+    - { role: docker,                       tags: ['docker'] }
+    - { role: docker_pyff,                  tags: ['meta', 'docker_pyff'] }
+    - { role: docker_metadata,              tags: ['meta', 'docker_metadata'] }
+
 - name: "lb"
   hosts: lb
   tasks:
@@ -129,9 +138,9 @@
   hosts: meta
   tasks:
     - { import_tasks: "tasks/versions.yml", tags: ['common'] }
-  roles:
-    - { role: pyff-metadata, tags: ['meta','pyff-metadata']}
-    - { role: metadata,      tags: ['meta','metadata']     }
+  # roles:
+    # - { role: pyff-metadata, tags: ['meta','pyff-metadata']}
+    # - { role: metadata,      tags: ['meta','metadata']     }
 
 - name: "client"
   hosts: client
@@ -165,3 +174,4 @@
     - { import_tasks: "tasks/versions.yml", tags: ['common']  }
   roles:
     - { role: ci-test,                      tags: ['ci-test'] }
+

roles/docker/files/traefik.yml

@@ -0,0 +1,28 @@
+---
+log:
+  level: INFO
+entryPoints:
+  websecure:
+    address: ":443"
+providers:
+  file:
+    filename: "/config/config/traefik.yml"
+    watch: true
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    network: "traefik"
+    exposedByDefault: false
+ping:
+  manualRouting: true
+http:
+  routers:
+    ping:
+      rule: "PathPrefix(`/health`)"
+      service: "ping@internal"
+      tls: true
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: "/config/certs/backend.crt"
+        keyFile: "/config/certs/backend.key"

roles/docker/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: "restart docker"
+  ansible.builtin.systemd:
+    name: docker
+    state: restarted
+    enabled: true

roles/docker/tasks/main.yml

@@ -0,0 +1,76 @@
+---
+- name: Add Docker GPG key.
+  ansible.builtin.apt_key:
+    url: "https://download.docker.com/linux/debian/gpg"
+    state: present
+
+- name: Add Docker repository.
+  ansible.builtin.apt_repository:
+    repo: deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable
+    state: present
+
+- name: Install docker
+  ansible.builtin.apt:
+    name: docker-ce
+    state: present
+  notify:
+    - "restart docker"
+
+- name: Create the traefik configuration file directory
+  ansible.builtin.file:
+    state: directory
+    path: "/opt/openconext/traefik/{{ item }}"
+    owner: root
+    mode: "0755"
+  with_items:
+    - config
+    - certs
+
+- name: Copy the (dynamic) configuration
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/opt/openconext/traefik/config/{{ item }}"
+    owner: root
+    mode: "0640"
+  with_items:
+    - traefik.yml
+
+- name: Create Traefik backend key
+  copy:
+    content: "{{wildcard_backend_cert.priv}}"
+    dest: "/opt/openconext/traefik/certs/backend.key"
+    owner: "root"
+    group: "ssl-cert"
+    mode: "0640"
+  no_log: "{{sram_ansible_nolog}}"
+
+- name: Create Traefik backend cert
+  copy:
+    content: "{{wildcard_backend_cert.pub}}"
+    dest: "/opt/openconext/traefik/certs/backend.crt"
+    owner: "root"
+    group: "root"
+    mode: 0644
+
+- name: Create the Traefik gateway network
+  community.docker.docker_network:
+    name: traefik
+
+- name: Create the Traefik gateway
+  community.docker.docker_container:
+    name: traefik
+    image: traefik:latest
+    published_ports:
+      - "0.0.0.0:443:443"
+    pull: true
+    restart_policy: "always"
+    networks:
+      - name: "traefik"
+    command: "--configFile=/config/config/traefik.yml"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/openconext/traefik/:/config/
+    comparisons:
+      published_ports: strict
+      networks: strict
+

roles/docker_metadata/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+# meta_port: 80
+metadata_basedir: "/opt/metadata"
+metadata_dirs:
+  web: "{{metadata_basedir}}/web"
+# metadata_documentroot: "/var/www/metadata"
+# mdparser_repo_url: "https://github.com/SURFscz/mdparser.git"
+# mdparser_version: "master"
+# mdparser_dir: "/opt/mdparser"
+# mdparser_venv_dir: "{{mdparser_dir}}/venv"

roles/docker_metadata/files/idps.xsl

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    version="1.0">
+
+    <xsl:output method="xml" indent="yes" omit-xml-declaration="no"/>
+
+    <xsl:template match="node()|@*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*" />
+        </xsl:copy>
+    </xsl:template>
+
+    <xsl:template match="md:EntityDescriptor[not(md:IDPSSODescriptor)]" />
+
+    <xsl:template match="md:SPSSODescriptor" />
+
+    <xsl:template match="ds:Signature" />
+
+</xsl:stylesheet>

roles/docker_metadata/files/nohide.xsl

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    version="1.0">
+
+    <xsl:output method="xml" indent="yes" omit-xml-declaration="no"/>
+
+    <xsl:template match="md:EntitiesDescriptor">
+        <xsl:copy>
+            <xsl:copy-of select="*[
+                not(md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category']/saml:AttributeValue[text()='http://refeds.org/category/hide-from-discovery'])
+                ]"/>
+        </xsl:copy>
+    </xsl:template>
+</xsl:stylesheet>

roles/docker_metadata/files/nologo.xsl

@@ -0,0 +1,23 @@
+<xsl:stylesheet version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+  <xsl:output method="xml" indent="yes" omit-xml-declaration="no"/>
+
+  <xsl:template match="node()|@*">
+    <xsl:copy>
+      <xsl:apply-templates select="node()|@*"/>
+    </xsl:copy>
+  </xsl:template>
+
+  <xsl:template match="mdui:Logo" />
+
+  <xsl:template match="/">
+    <xsl:apply-templates select="*" />
+  </xsl:template>
+
+  <xsl:template match="*/text()[normalize-space()]">
+    <xsl:value-of select="normalize-space()"/>
+  </xsl:template>
+
+  <xsl:template match="*/text()[not(normalize-space())]" />
+</xsl:stylesheet>

roles/docker_metadata/files/nosc.xsl

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    version="1.0">
+
+    <xsl:output method="xml" indent="yes" omit-xml-declaration="no"/>
+
+    <xsl:template match="md:EntitiesDescriptor">
+        <xsl:copy>
+            <xsl:copy-of select="*[
+                not(md:Extensions/mdrpi:RegistrationInfo[@registrationAuthority='http://www.surfconext.nl/'])
+                ]"/>
+        </xsl:copy>
+    </xsl:template>
+</xsl:stylesheet>

roles/docker_metadata/files/rs_coco_nosc.xsl

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    version="1.0">
+
+    <xsl:output method="xml" indent="yes" omit-xml-declaration="no"/>
+
+    <xsl:template match="md:EntitiesDescriptor">
+        <xsl:copy>
+            <xsl:copy-of select="md:EntityDescriptor
+            [md:Extensions/mdattr:EntityAttributes/saml:Attribute[starts-with(@Name,'http://macedir.org/entity-category')]/saml:AttributeValue[text()='http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
+            or md:Extensions/mdattr:EntityAttributes/saml:Attribute[starts-with(@Name,'http://macedir.org/entity-category')]/saml:AttributeValue[text()='http://refeds.org/category/research-and-scholarship']]
+            [md:Extensions/mdrpi:RegistrationInfo[@registrationAuthority!='http://www.surfconext.nl/']]
+            "/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>

roles/docker_metadata/files/sps.xsl

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet 
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    version="1.0">
+
+    <xsl:output method="xml" indent="yes" omit-xml-declaration="no"/>
+
+    <xsl:template match="md:EntitiesDescriptor">
+        <xsl:copy>
+            <xsl:copy-of select="md:EntityDescriptor[md:SPSSODescriptor]"/>
+        </xsl:copy>
+    </xsl:template>
+
+</xsl:stylesheet>

roles/docker_metadata/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: "systemd daemon-reload"
+  systemd:
+    daemon_reload: true
+
+- name: "restart zabbix-agent"
+  systemd:
+    name: "zabbix-agent2.service"
+    state: "restarted"