Unicon/tier-grouper-deployment

Name: tier-grouper-deployment

Owner: Unicon, Inc.

Description: Contains materials related to the tutorial on running the TIER Grouper image on Docker Swarm

Created: 2018-04-07 04:58:09.0

Updated: 2018-05-10 04:45:57.0

Pushed: 2018-05-10 04:45:55.0

Homepage: https://www.youtube.com/watch?v=750J5UBTctw&list=PLgUWExUT8bVcPHLnRe1yz4Cum_Avs6wQW

Size: 50

Language: null


README

Deploying the TIER Grouper Image using Docker Swarm

This is the companion repository for the 4-part video tutorial that demonstrates how to deploy the TIER Grouper Docker image. In the video series, John Gasper, IAM Consultant, demonstrates:

  1. Create a simple Docker Swarm.
  2. Create an organizational base image.
  3. Populate the Grouper database.
  4. Create custom images for each component (vs a single common image).
  5. Create Docker Secrets and Docker Configs.
  6. Start the Swarm services: Grouper Daemon, UI, and WS.
  7. Discuss next steps for moving forward in your deployment.

The videos are:

  1. Session 1: Grouper Environment Prep: https://youtu.be/750J5UBTctw
  2. Session 2: Grouper Database and Configs: https://youtu.be/agX-cm4-Okg
  3. Session 3: Grouper Services: https://youtu.be/HQ0qjOysexA
  4. Session 4: Grouper Continuing Forward: https://youtu.be/eMAL_RamYPc

This tutorial was funded through Unicon's Grouper Open Source Support program. We thank our clients that are members of the program for their support that made this project possible. For more information about the Grouper OSS program, please see https://unicon.net/opensource/grouper.

Env Prep

Clean CentOS 7 install.

On the new machine, note its address:

    ip addr show

VM Tools installed:

    sudo mount -t iso9660 /dev/sr0 /mnt
    cd /mnt
    sudo ./install
    sudo reboot

Fully updated:

    sudo yum update

Docker installed:

    sudo yum install -y yum-utils \
      device-mapper-persistent-data \
      lvm2

    sudo yum-config-manager \
      --add-repo https://download.docker.com/linux/centos/docker-ce.repo

    sudo yum install -y docker-ce

    # Docker networking and firewalld do not coexist well on CentOS 7, see
    # https://github.com/moby/moby/issues/16137#issuecomment-271615192
    sudo systemctl stop firewalld
    sudo systemctl disable firewalld

    sudo systemctl enable docker
    sudo systemctl start docker

Turning the firewall off is acceptable on this single-node tutorial VM, but it means every port published below (the registry on 5000, the UI on 443, the WS on 8443) is reachable from the network.

Install Git and pull project source:

    sudo yum install -y git

    git clone https://github.com/Unicon/tier-grouper-deployment.git
    cd tier-grouper-deployment

Installing Swarm

    sudo docker swarm init

Start Registry

    sudo docker container run -d --name registry -p 5000:5000 registry:2
    sudo docker container ps

    http://localhost:5000/v2/_catalog

This registry has neither TLS nor authentication. Docker treats a registry on localhost as insecure by default, which is what lets the plain-HTTP pushes below succeed without any daemon configuration; with firewalld disabled, port 5000 is also open to the network, so keep this setup to the tutorial VM.

Ancillary Services

Start the Database, LDAP, and Shibboleth IdP services:

    cd ancillary

    sudo docker network create --driver overlay --scope swarm --attachable internal
    sudo docker stack deploy anc -c stack.yml
    sudo docker service ls

    cd ..

Build Base Image

    cd base

    sudo docker build --tag=localhost:5000/organization/grouper-base .
    sudo docker push localhost:5000/organization/grouper-base

    cd ..

Populate Database

The properties files are bind-mounted at the same /run/secrets/grouper_* paths the Swarm services receive them at later, so the image needs no special configuration for this one-off run. The first run initializes the Grouper registry schema; the second opens an interactive gsh session to add jgasper to the etc:sysadmingroup wheel group.

    sudo docker container run -it --rm \
      --mount type=bind,src=$(pwd)/configs-and-secrets/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
      --mount type=bind,src=$(pwd)/configs-and-secrets/subject.properties,dst=/run/secrets/grouper_subject.properties \
      --network internal \
      localhost:5000/organization/grouper-base gsh -registry -check -runscript -noprompt

    sudo docker container run -it --rm \
      --mount type=bind,src=$(pwd)/configs-and-secrets/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
      --mount type=bind,src=$(pwd)/configs-and-secrets/subject.properties,dst=/run/secrets/grouper_subject.properties \
      --network internal \
      localhost:5000/organization/grouper-base gsh

At the gsh prompt:

    grouperSession = GrouperSession.startRootSession();
    addMember("etc:sysadmingroup","jgasper");
    :quit
Configs and Secrets

The database credentials (grouper.hibernate.properties), the subject source configuration (subject.properties) and the TLS private key go in as secrets; the Shibboleth SP configuration and the public certificate are configs.

    cd configs-and-secrets

    sudo docker secret create grouper.hibernate.properties grouper.hibernate.properties
    sudo docker secret create subject.properties subject.properties
    sudo docker secret create host-key.pem host-key.pem
    sudo docker config create shibboleth2.xml shibboleth2.xml
    sudo docker config create host-cert.pem host-cert.pem

    cd ..
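Before running those five commands it is worth checking that nothing secret-grade is about to become a config: Swarm stores configs in clear in the raft log, while secrets are encrypted at rest and delivered to containers on a tmpfs under /run/secrets. The following POSIX shell preflight is an added example for this page, not code from the tier-grouper-deployment repository. It classifies each file by content (a PEM private key or a password property marks it as a secret), runs the matching docker secret/config create with the names the README uses, and refuses to force key or credential material into a config. The material_kind heuristic, the world-readable check and the DOCKER override (DOCKER=echo prints the commands instead of running them) are assumptions of the example.

```shell
#!/bin/sh
# Added example for the "Configs and Secrets" step; not code from the
# tier-grouper-deployment repository. Decides whether each file becomes a
# docker secret or a docker config and refuses to put key or credential
# material into a config (configs sit in clear in the swarm raft log;
# secrets are encrypted at rest and delivered on a tmpfs under /run/secrets).
#
# Assumptions not taken from the tutorial: the content heuristic in
# material_kind, and DOCKER, which may be set to "echo" for a dry run.

DOCKER="${DOCKER:-sudo docker}"

# material_kind FILE  -> prints "secret" or "config"
material_kind() {
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo secret        # PEM private key (host-key.pem)
    elif grep -Eiq '^[^#]*(password|passwd|credential)[^=]*=' "$1"; then
        echo secret        # e.g. hibernate.connection.password=..., ...PASSWORD.value=...
    else
        echo config        # certificates, shibboleth2.xml
    fi
}

# create_material NAME FILE [KIND]
#   Runs "docker secret create" or "docker config create". KIND may promote a
#   config-looking file to a secret; demoting detected secret material to a
#   config is refused (returns 1). If the preflight refuses shibboleth2.xml,
#   it carries a credential (e.g. a keystore password) and belongs in a secret.
#   Also warns when a secret file is world-readable on the host.
create_material() {
    name="$1"; file="$2"; want="${3:-}"
    [ -r "$file" ] || { echo "no such file: $file" >&2; return 1; }
    detected="$(material_kind "$file")"
    kind="${want:-$detected}"
    if [ "$kind" = config ] && [ "$detected" = secret ]; then
        echo "refusing: $file holds key/credential material; create it as a secret" >&2
        return 1
    fi
    if [ "$kind" = secret ] && [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
        echo "warning: $file is world-readable on the host (chmod 600 $file)" >&2
    fi
    # $DOCKER is intentionally unquoted so "sudo docker" splits into two words.
    $DOCKER "$kind" create "$name" "$file"
}

# create_all DIR  -> the README's five objects, with its secret/config split
create_all() {
    for entry in grouper.hibernate.properties:secret subject.properties:secret \
                 host-key.pem:secret shibboleth2.xml:config host-cert.pem:config; do
        create_material "${entry%%:*}" "$1/${entry%%:*}" "${entry##*:}" || return 1
    done
}

# Usage: [DOCKER=echo] sh preflight.sh ./configs-and-secrets
if [ $# -gt 0 ]; then
    create_all "$1"
fi
```

Run it once with DOCKER=echo from the repository root to see the commands it would issue, then without the override to create the objects.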

Create services

Daemon

    cd daemon

    sudo docker build --tag=localhost:5000/organization/grouper-daemon .
    sudo docker push localhost:5000/organization/grouper-daemon

    cd ..

    sudo docker service create --detach --name=daemon \
      --network internal \
      --secret source=grouper.hibernate.properties,target=grouper_grouper.hibernate.properties \
      --secret source=subject.properties,target=grouper_subject.properties \
      localhost:5000/organization/grouper-daemon

    sudo docker service list
UI

    cd ui

    sudo docker build --tag=localhost:5000/organization/grouper-ui .
    sudo docker push localhost:5000/organization/grouper-ui

    cd ..

    sudo docker service create --detach --name=ui \
      --network internal \
      --publish 443:443 \
      --secret source=grouper.hibernate.properties,target=grouper_grouper.hibernate.properties \
      --secret source=subject.properties,target=grouper_subject.properties \
      --secret source=host-key.pem,target=host-key.pem \
      --config source=shibboleth2.xml,target=/etc/shibboleth/shibboleth2.xml \
      --config source=host-cert.pem,target=/etc/pki/tls/certs/host-cert.pem \
      --config source=host-cert.pem,target=/etc/pki/tls/certs/cachain.pem \
      localhost:5000/organization/grouper-ui

    sudo docker service list

Then open https://<hostname_or_ip>/grouper. Secret targets without a leading slash are placed under /run/secrets/, so the key is read from /run/secrets/host-key.pem. The same host-cert.pem is mounted a second time as cachain.pem, so a client that verifies TLS must trust host-cert.pem itself.

WS

    cd ws

    sudo docker build --tag=localhost:5000/organization/grouper-ws .
    sudo docker push localhost:5000/organization/grouper-ws

    cd ..

    sudo docker service create --detach --name=ws \
      --network internal \
      --publish 8443:443 \
      --secret source=grouper.hibernate.properties,target=grouper_grouper.hibernate.properties \
      --secret source=subject.properties,target=grouper_subject.properties \
      --secret host-key.pem \
      --config source=host-cert.pem,target=/etc/pki/tls/certs/host-cert.pem \
      --config source=host-cert.pem,target=/etc/pki/tls/certs/cachain.pem \
      localhost:5000/organization/grouper-ws

    sudo docker service list

Then check https://<hostname_or_ip>:8443/grouper-ws/status?diagnosticType=db, which confirms that the WS container can reach the database. (--secret host-key.pem is shorthand for source=host-key.pem,target=host-key.pem.)

Resetting the Env

Grouper stuff (remove the services first; a secret or config that is still attached to a service cannot be removed):

    sudo docker service rm daemon
    sudo docker service rm ui
    sudo docker service rm ws

    sudo docker secret rm grouper.hibernate.properties
    sudo docker secret rm subject.properties
    sudo docker secret rm host-key.pem
    sudo docker config rm shibboleth2.xml
    sudo docker config rm host-cert.pem

Everything else:

    sudo docker stack rm anc
    sudo docker container rm -f registry
    sudo docker network rm internal

Bonus: Using a stack file to spin up the env

Do you understand the docker service and docker secret subcommands? Try using the short-cut stack.yml file to save you some time.

You still need to have the internal network defined, the DB populated, and an image registry started, along with a directory and an IdP (using the ancillary ones or external ones).

Start up all the Grouper components and verify:

    sudo docker stack deploy grouper -c stack.yml
    sudo docker stack ls
    sudo docker service ls
    sudo docker secret ls

Shut down the Grouper components and verify:

    sudo docker stack rm grouper
    sudo docker stack ls
    sudo docker service ls
    sudo docker secret ls

Bonus: Adding a new secret (or config) to an existing service

Once the secret exists in the swarm (created as in the Configs and Secrets section), attach it to each running service; docker service update restarts the service's tasks so they see the new file:

    sudo docker service update daemon \
      --secret-add source=grouper-loader.properties,target=grouper_grouper-loader.properties
    sudo docker service update ui \
      --secret-add source=grouper-loader.properties,target=grouper_grouper-loader.properties
    sudo docker service update ws \
      --secret-add source=grouper-loader.properties,target=grouper_grouper-loader.properties

Bonus: Updating an Existing Secret

Let's assume we need to change the grouper-loader.properties secret. Swarm secrets are immutable, so the change is rolled out as a new secret under a new name. First update the grouper-loader.properties file on the host with the desired changes.

Note: -2 is an arbitrary extension. If further changes are made later, the --secret-rm parameter must name whichever versioned secret is currently attached, while target=grouper_grouper-loader.properties stays the same so the path inside the container does not change.

  1. Add the new secret file:

     sudo docker secret create grouper-loader-2.properties grouper-loader.properties

  2. Update the service, removing the old secret and adding the new secret:

     sudo docker service update daemon \
       --secret-add source=grouper-loader-2.properties,target=grouper_grouper-loader.properties \
       --secret-rm grouper-loader.properties
     sudo docker service update ui \
       --secret-add source=grouper-loader-2.properties,target=grouper_grouper-loader.properties \
       --secret-rm grouper-loader.properties
     sudo docker service update ws \
       --secret-add source=grouper-loader-2.properties,target=grouper_grouper-loader.properties \
       --secret-rm grouper-loader.properties

  3. At some point remove the old secret (once it is gone, docker service rollback can no longer restore the previous service spec, which still references it):

     sudo docker secret rm grouper-loader.properties

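The two bonus sections above (adding a secret, then replacing it with a versioned copy) are the same operation repeated for three services, and the "which version is attached right now" bookkeeping is where mistakes creep in. The following POSIX shell script is an added example for this page, not code from the tier-grouper-deployment repository: it derives the next version number from the secret names already in the swarm, creates the new secret from the updated file, and swaps it into each service at the unchanged target path, leaving the previous secret object in place so a rollback still works. The <stem>-<n>.<ext> naming (the README's "-2" extension generalized), the SERVICES list and the DOCKER override (DOCKER=echo prints the commands instead of running them) are assumptions of the example.

```shell
#!/bin/sh
# Added example for the two secret bonus sections; not code from the
# tier-grouper-deployment repository. Swarm secrets are immutable, so an
# updated file is rolled out as a new, versioned secret that takes over the
# same target path (grouper_<name>) in every service, and the previous one is
# detached. The old secret object is deliberately left in place so that
# "docker service rollback" still has a spec it can restore.
#
# Assumptions not taken from the tutorial: the <stem>-<n>.<ext> version naming
# (the README's "-2" extension generalized), the SERVICES list, and DOCKER,
# which may be set to "echo" for a dry run.

DOCKER="${DOCKER:-sudo docker}"
SERVICES="${SERVICES:-daemon ui ws}"

# next_secret_name BASENAME EXISTING...
#   BASENAME is the unversioned name (grouper-loader.properties); EXISTING are
#   the secret names currently in the swarm. Prints two words: the version
#   currently attached ("-" if none) and the name to create next.
next_secret_name() {
    base="$1"; shift
    stem="${base%.*}"; ext="${base##*.}"
    current="-"; highest=1
    for name in "$@"; do
        case "$name" in
            "$base")
                if [ "$current" = "-" ]; then current="$base"; fi ;;
            "$stem"-*."$ext")
                n="${name#"$stem"-}"; n="${n%."$ext"}"
                if [ "$n" -gt "$highest" ] 2>/dev/null; then
                    highest="$n"; current="$name"
                fi ;;
        esac
    done
    if [ "$current" = "-" ]; then
        echo "- $base"      # first time: plain name, as in "Adding a new secret"
    else
        echo "$current $stem-$((highest + 1)).$ext"
    fi
}

# rotate_secret BASENAME FILE [EXISTING...]
#   Creates the next version from FILE and swaps it into every service.
#   EXISTING defaults to "docker secret ls" output; passing it explicitly
#   keeps the function usable in a dry run.
rotate_secret() {
    base="$1"; file="$2"; shift 2
    [ -r "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ $# -gt 0 ] || set -- $($DOCKER secret ls --format '{{.Name}}')
    names="$(next_secret_name "$base" "$@")"
    current="${names%% *}"; new="${names##* }"
    # $DOCKER is intentionally unquoted so "sudo docker" splits into two words.
    $DOCKER secret create "$new" "$file" || return 1
    for svc in $SERVICES; do
        if [ "$current" = "-" ]; then
            $DOCKER service update "$svc" \
                --secret-add "source=$new,target=grouper_$base" || return 1
        else
            $DOCKER service update "$svc" \
                --secret-add "source=$new,target=grouper_$base" \
                --secret-rm "$current" || return 1
        fi
    done
}

# Usage: [DOCKER=echo] sh rotate-secret.sh grouper-loader.properties ./configs-and-secrets/grouper-loader.properties
if [ $# -ge 2 ]; then
    rotate_secret "$1" "$2"
fi
```

Because the script never deletes the previous version, step 3 of the section above (docker secret rm of the superseded name) remains a deliberate, separate action to take once you are sure no rollback is needed.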

Bonus: Rolling Back a Service Configuration Change

docker service rollback reverts a service to its previous spec, so it only works while the secrets and configs that spec references still exist:

    sudo docker service rollback daemon
    sudo docker service rollback ui
    sudo docker service rollback ws

Bonus: Kubernetes Deployment Configuration

The Kubernetes equivalents: one generic Secret holding the three secret files, and one ConfigMap each for the SP configuration and the certificates (host-cert.pem is loaded twice, the second time under the key cachain.pem, matching the Swarm config targets above). Note that, unlike a Swarm secret, a Kubernetes Secret is only base64-encoded in etcd unless encryption at rest is configured for the cluster.

  1. Create the multi-part secret and configmaps:

     cd configs-and-secrets
     kubectl create secret generic grouper --from-file=grouper.hibernate.properties --from-file=subject.properties --from-file=host-key.pem
     kubectl create configmap shibboleth2.xml --from-file=shibboleth2.xml
     kubectl create configmap host-certs --from-file=host-cert.pem --from-file=cachain.pem=host-cert.pem

  2. Apply the config:

     kubectl apply -f kubernetes.yaml


This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.