Grouper / GRP-5310

fix container certs for openshift

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • 4.11.0, 5.8.0

    Description

      Benjamin Rappleyea
      1 hour ago
      We are attempting to update from 4.8.0 to 4.10.3 and erroring out at runtime due to a permissions issue. We have tried doing several different things but are still running into an error. We do not have root access during runtime because of how OpenShift is configured (I2 container seems to assume it can be run as Root, but OpenShift does not allow that) so the chmod of /usr/lib/jvm/java-17-amazon-corretto/lib/security/cacerts is failing (librarySetupFilesTomcat.sh, function setupFilesTomcat_sslCertsClient)
      Any guidance or help would be greatly appreciated.

      Chris Hyzer
      32 minutes ago
      do you have a file added to /opt/grouper/certs/anchors/ ?

      Benjamin Rappleyea
      32 minutes ago
      We do not, we handle all of our connections/etc... through a VIP so haven't needed any certs up to this point.

      Benjamin Rappleyea
      10 minutes ago
      Did a little extra checking to confirm our suspicions, 4.10.3 is auto generating a pem cert to /opt/grouper/certs/client while 4.8.0 did not. This is causing the librarySetupFilesTomcat.sh to run that function which runs into the permission errors.
      Ran it locally on my computer to see if anything showed up:
      PS C:\Users\jerem> docker run i2incommon/grouper:4.10.3 ls /opt/grouper/certs/client/
      grouperContainer; INFO: (library.sh) Start loading library.sh
      grouperContainer; INFO: (library.sh) End loading library.sh
      grouperContainer; INFO: (libraryPrep.sh-prep_conf) Start setting up initial pipes
      grouperContainer; INFO: (libraryPrep.sh-prep_conf) GROUPER_USE_PIPES=true
      grouperContainer; INFO: (librarySetupPipe.sh-setupPipe) Setup pipe: /tmp/logpipe
      grouperContainer; INFO: (librarySetupPipe.sh-setupPipe) Setup pipe: /tmp/logsuperd
      grouperContainer; INFO: (librarySetupPipe.sh-setupPipe) Setup pipe: /tmp/loggrouper
      grouperContainer; INFO: (libraryPrep.sh-prep_conf) End setting up initial pipes
      grouperContainer; INFO: (libraryPrep.sh-prep_conf) Loading env vars from /opt/grouper/grouperEnv.sh
      grouperContainer; INFO: (entrypoint.sh) Executing ls /opt/grouper/certs/client/
      localhost.pem
      While 4.8.0:
      PS C:\Users\jerem> docker run i2incommon/grouper:4.8.0 ls /opt/grouper/certs/client
      grouperContainer; INFO: (library.sh) Start loading library.sh
      grouperContainer; INFO: (library.sh) End loading library.sh
      grouperContainer; INFO: (libraryPrep.sh-prep_conf) Start setting up initial pipes
      grouperContainer; INFO: (libraryPrep.sh-prep_conf) GROUPER_USE_PIPES=true
      grouperContainer; INFO: (librarySetupPipe.sh-setupPipe) Setup pipe: /tmp/logpipe
      grouperContainer; INFO: (librarySetupPipe.sh-setupPipe) Setup pipe: /tmp/logsuperd
      grouperContainer; INFO: (librarySetupPipe.sh-setupPipe) Setup pipe: /tmp/loggrouper
      grouperContainer; INFO: (libraryPrep.sh-prep_conf) End setting up initial pipes
      grouperContainer; INFO: (libraryPrep.sh-prep_conf) Loading env vars from /opt/grouper/grouperEnv.sh
      grouperContainer; INFO: (entrypoint.sh) Executing ls /opt/grouper/certs/client

      Chris Hyzer
      < 1 minute ago
      ok i guess we need to do that in the container docker build and not in the startup... sorry about that. will be in next version. in the meantime if you want to overlay that librarySetupFilesTomcat.sh file and remove the offending method feel free. but we are trying to get an updated container out soon, hopefully by end of weekend

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)