Name: tier-grouper-deployment
Owner: Unicon, Inc.
Description: Contains materials related to the tutorial on running the TIER Grouper image on Docker Swarm
Created: 2018-04-07 04:58:09.0
Updated: 2018-05-10 04:45:57.0
Pushed: 2018-05-10 04:45:55.0
Homepage: https://www.youtube.com/watch?v=750J5UBTctw&list=PLgUWExUT8bVcPHLnRe1yz4Cum_Avs6wQW
Size: 50
Language: null
This is the companion repository for the 4-part video tutorial that demonstrates how to deploy the TIER Grouper Docker image. In the video series, John Gasper, IAM Consultant, demonstrates:
The videos are:
This tutorial was funded through Unicon's Grouper Open Source Support program. We thank our clients that are members of the program for their support that made this project possible. For more information about the Grouper OSS program, please see https://unicon.net/opensource/grouper.
ip addr show
mount -t iso9660 /dev/sr0 /mnt
cd /mnt
./install
reboot
yum update
yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
yum-config-manager \
--add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
# https://github.com/moby/moby/issues/16137#issuecomment-271615192
systemctl stop firewalld
systemctl disable firewalld
systemctl enable docker
systemctl start docker
yum install -y git
git clone https://github.com/Unicon/tier-grouper-deployment.git
cd tier-grouper-deployment
docker swarm init
docker container run -d --name registry -p 5000:5000 registry:2
docker container ps
http://localhost:5000/v2/_catalog
cd ancillary
docker network create --driver overlay --scope swarm --attachable internal
docker stack deploy anc -c stack.yml
docker service ls
cd ..
cd base
docker build --tag=localhost:5000/organization/grouper-base .
docker push localhost:5000/organization/grouper-base
cd ..
docker container run -it --rm \
  --mount type=bind,src=$(pwd)/configs-and-secrets/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
  --mount type=bind,src=$(pwd)/configs-and-secrets/subject.properties,dst=/run/secrets/grouper_subject.properties \
  --network internal \
  localhost:5000/organization/grouper-base gsh -registry -check -runscript -noprompt
docker container run -it --rm \
  --mount type=bind,src=$(pwd)/configs-and-secrets/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
  --mount type=bind,src=$(pwd)/configs-and-secrets/subject.properties,dst=/run/secrets/grouper_subject.properties \
  --network internal \
  localhost:5000/organization/grouper-base gsh
grouperSession = GrouperSession.startRootSession();
addMember("etc:sysadmingroup","jgasper");
t
cd configs-and-secrets
docker secret create grouper.hibernate.properties grouper.hibernate.properties
docker secret create subject.properties subject.properties
docker secret create host-key.pem host-key.pem
docker config create shibboleth2.xml shibboleth2.xml
docker config create host-cert.pem host-cert.pem
cd ..
cd daemon
docker build --tag=localhost:5000/organization/grouper-daemon .
docker push localhost:5000/organization/grouper-daemon
cd ..
docker service create --detach --name=daemon \
  --network internal \
  --secret source=grouper.hibernate.properties,target=grouper_grouper.hibernate.properties \
  --secret source=subject.properties,target=grouper_subject.properties \
  localhost:5000/organization/grouper-daemon
docker service list
cd ui
docker build --tag=localhost:5000/organization/grouper-ui .
docker push localhost:5000/organization/grouper-ui
cd ..
docker service create --detach --name=ui \
  --network internal \
  --publish 443:443 \
  --secret source=grouper.hibernate.properties,target=grouper_grouper.hibernate.properties \
  --secret source=subject.properties,target=grouper_subject.properties \
  --secret source=host-key.pem,target=host-key.pem \
  --config source=shibboleth2.xml,target=/etc/shibboleth/shibboleth2.xml \
  --config source=host-cert.pem,target=/etc/pki/tls/certs/host-cert.pem \
  --config source=host-cert.pem,target=/etc/pki/tls/certs/cachain.pem \
  localhost:5000/organization/grouper-ui
docker service list
https://<hostname_or_ip>/grouper
cd ws
docker build --tag=localhost:5000/organization/grouper-ws .
docker push localhost:5000/organization/grouper-ws
cd ..
docker service create --detach --name=ws \
  --network internal \
  --publish 8443:443 \
  --secret source=grouper.hibernate.properties,target=grouper_grouper.hibernate.properties \
  --secret source=subject.properties,target=grouper_subject.properties \
  --secret host-key.pem \
  --config source=host-cert.pem,target=/etc/pki/tls/certs/host-cert.pem \
  --config source=host-cert.pem,target=/etc/pki/tls/certs/cachain.pem \
  localhost:5000/organization/grouper-ws
docker service list
https://<hostname_or_ip>:8443/grouper-ws/status?diagnosticType=db
docker service rm daemon
docker service rm ui
docker service rm ws
docker secret rm grouper.hibernate.properties
docker secret rm subject.properties
docker secret rm host-key.pem
docker config rm shibboleth2.xml
docker config rm host-cert.pem
docker stack rm anc
docker container rm -f registry
docker network rm internal
Do you understand the `docker service` and `docker secret` subcommands? Try using the short-cut `stack.yml` file to save yourself some time.
You still need to have the internal network defined, the DB populated, and an image registry started… along with a directory and idp (using the ancillary ones or external ones).
Start up all the Grouper components and verify:
docker stack deploy grouper -c stack.yml
docker stack ls
docker service ls
docker secret ls
Shut down the Grouper components and verify:
docker stack rm grouper
docker stack ls
docker service ls
docker secret ls
docker service update daemon \
  --secret-add source=grouper-loader.properties,target=grouper_grouper-loader.properties
docker service update ui \
  --secret-add source=grouper-loader.properties,target=grouper_grouper-loader.properties
docker service update ws \
  --secret-add source=grouper-loader.properties,target=grouper_grouper-loader.properties
Let's assume we need to change the grouper-loader.properties secret. First, update the grouper-loader.properties file on the host with the desired changes.
Note: `-2` is an arbitrary extension. If additional changes were being made, the `--secret-rm` parameter would also need to be updated to include that last arbitrary extension, but the `target=grouper_grouper-loader.properties` remains the same.
Add the new secret file:
docker secret create grouper-loader-2.properties grouper-loader.properties
Update the service removing the old secret and adding the new secret:
docker service update daemon \
  --secret-add source=grouper-loader-2.properties,target=grouper_grouper-loader.properties \
  --secret-rm grouper-loader.properties
docker service update ui \
  --secret-add source=grouper-loader-2.properties,target=grouper_grouper-loader.properties \
  --secret-rm grouper-loader.properties
docker service update ws \
  --secret-add source=grouper-loader-2.properties,target=grouper_grouper-loader.properties \
  --secret-rm grouper-loader.properties
At some point, remove the old secret (note that doing so will prevent a rollback operation from working):
docker secret rm grouper-loader.properties
docker service rollback daemon
docker service rollback ui
docker service rollback ws
Create the multi-part secret and configmaps:
cd configs-and-secrets
kubectl create secret generic grouper --from-file=grouper.hibernate.properties --from-file=subject.properties --from-file=host-key.pem
kubectl create configmap shibboleth2.xml --from-file=shibboleth2.xml
kubectl create configmap host-certs --from-file=host-cert.pem --from-file=cachain.pem=host-cert.pem
Apply the config:
kubectl apply -f kubernetes.yaml