3.10.2 (#12)

* - prepare for 3.11 release
- added healthz check
- added 503 custom loading page

* - remove of bash code
- removed entrypoint.sh
- using privacyidea functions for config and setup
- preparing for 3.11
- update documentation
- added configuration variables
- re-write pi.cfg

* - prepare new 3.10.2

* 3.10.2 release with new entrypoint.py

Author: gpappsoft

.github/workflows/docker-publish.yml

@@ -1,8 +1,11 @@
 name: Docker
 
 on:
-  release:
-    types: [prereleased,released]
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+    - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
@@ -64,7 +67,9 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          build-args: PI_VERSION=${{ github.ref_name }}
+          build-args: |
+            - PI_VERSION=${{ github.ref_name }} 
+            - PI_VERSION_BUILD=${{ github.ref_name }}
           
     
       - name: Sign the published Docker image

Changelog

@@ -0,0 +1,16 @@
+Version 3.10.2, 2025-01-30
+
+  Enhancements:
+  * Removed bash scripting including shaky logic
+  * NGINX Template including landing site if container is not ready yet
+  * More values for pi.cfg
+  * Removed unecessary binds
+  * New persistent logic, file location inside container (app, configuration,...)
+
+Changed:
+  * Using entrypoint.py instead of bash script
+  * Using privacyIDEA application context calls for entrypoint.py (create_db...)
+
+  Fixes:
+  * Fix some minor problems
+  

Dockerfile

@@ -1,54 +1,62 @@
+### Build privacyidea container including gssapi (Kerberos) and hsm
+
 ### build stage
 ###
 FROM cgr.dev/chainguard/wolfi-base AS builder
 
 ARG PYVERSION=3.12
-ARG PI=3.10.1
-ARG PI_REQUIREMENTS=3.10.1
+ARG PI_VERSION=3.10.2
+ARG PI_REQUIREMENTS=3.10.2
 ARG GUNICORN==23.0.0
-ARG PSYCOPG2==2.9.9
+ARG PSYCOPG2==2.9.10
+ARG PYKCS11==1.5.14
+
 ENV LANG=C.UTF-8
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV PATH="/privacyidea/venv/bin:$PATH"
 
 WORKDIR /privacyidea
-RUN apk add python-${PYVERSION} py${PYVERSION}-pip && \
+RUN apk add python-${PYVERSION} py${PYVERSION}-pip python3-dev && \
+#RUN apk add python-${PYVERSION} py${PYVERSION}-pip python3-dev build-base krb5-conf krb5-dev swig && \
         chown -R nonroot:nonroot /privacyidea/
 
 USER nonroot
 RUN python -m venv /privacyidea/venv
 RUN pip install -r https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_REQUIREMENTS}/requirements.txt 
-RUN pip install psycopg2-binary==${PSYCOPG2} privacyidea==${PI} gunicorn==${GUNICORN}
+RUN pip install psycopg2-binary==${PSYCOPG2} privacyidea==${PI_VERSION} gunicorn==${GUNICORN}  
+#RUN pip install -r https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_REQUIREMENTS}/requirements-kerberos.txt 
+# Workaroud for https://github.com/privacyidea/privacyidea/issues/4127
+#RUN pip install -r https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_REQUIREMENTS}/requirements-hsm.txt 
+#RUN pip install pykcs11==${PYKCS11}
 
 ADD https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_REQUIREMENTS}/deploy/privacyidea/NetKnights.pem /privacyidea/etc/persistent/
 
 COPY  conf/pi.cfg /privacyidea/etc/
 COPY  conf/logging.cfg /privacyidea/etc/
-COPY  templates/healthcheck.py /privacyidea/venv/bin/healthcheck.py
-COPY  entrypoint.sh /privacyidea/venv/bin/entrypoint.sh
+COPY  entrypoint.py /privacyidea/entrypoint.py
 
 ### final stage
 ###
 FROM cgr.dev/chainguard/wolfi-base
 
-ARG version=3.12
+ARG PYVERSION=3.12
 ENV PYTHONUNBUFFERED=1
 ENV PATH="/privacyidea/venv/bin:/privacyidea/bin:$PATH"
 ENV PRIVACYIDEA_CONFIGFILE="/privacyidea/etc/pi.cfg"
 LABEL maintainer="Marco Moenig <[email protected]>"
-LABEL org.opencontainers.image.source=https://github.com/gpappsoft/privacyidea-docker.git
-LABEL org.opencontainers.image.url=https://github.com/gpappsoft/privacyidea-docker.git
+LABEL org.opencontainers.image.source="https://github.com/gpappsoft/privacyidea-docker.git"
+LABEL org.opencontainers.image.url="https://github.com/gpappsoft/privacyidea-docker.git"
+LABEL org.opencontainers.image.description="Simply deploy and run a privacyIDEA instance in a container environment."
 
 WORKDIR /privacyidea
 VOLUME /privacyidea/etc/persistent
 
-RUN apk add python-${version} 
-#&& \ chown -R nonroot:nonroot /privacyidea/
+RUN apk add python-${PYVERSION} 
 
-COPY --from=builder /privacyidea/ /privacyidea        
+COPY --from=builder /privacyidea/ /privacyidea     
 
-EXPOSE ${PORT}
+EXPOSE ${PI_PORT}
 
 # Run privacyIDEA-Server
-ENTRYPOINT [ "entrypoint.sh" ]
+ENTRYPOINT [ "python", "/privacyidea/entrypoint.py" ]

Makefile

@@ -1,5 +1,5 @@
-PI_VERSION := 3.10.1
-PI_VERSION_BUILD := 3.10.1
+PI_VERSION := 3.10.2
+PI_VERSION_BUILD := 3.10.2
 IMAGE_NAME := privacyidea-docker:${PI_VERSION}
 
 BUILDER := docker build
@@ -18,7 +18,7 @@ TAG := prod
 PROFILE := stack
 
 build:
-	${BUILDER} --no-cache -t ${IMAGE_NAME} --build-arg PI_VERSION_BUILD=${PI_VERSION_BUILD} --build-arg PI_VERSION=${PI_VERSION} .
+	${BUILDER} --no-cache -t ${IMAGE_NAME}  --build-arg PI_VERSION_BUILD=${PI_VERSION_BUILD} --build-arg PI_VERSION=${PI_VERSION} .
 
 push:
 	${CONTAINER_ENGINE} tag ${IMAGE_NAME} ${REGISTRY}/${IMAGE_NAME}

README.md

@@ -5,10 +5,6 @@
 
 Simply deploy and run a privacyIDEA instance in a container environment. 
 
-> [!Important]
-> #### The base-image changed from ``python-slim`` to [Wolfi OS](https://github.com/wolfi-dev). 
-> The old approach is still available in the ```python-slim``` Branch.
-
 ## Overview 
 [privacyIDEA](https://github.com/privacyidea/privacyidea) is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. 
 
@@ -44,8 +40,6 @@ make cert fullstack
 ```
 Username / password: admin / admin
 
-**Starting the container for the first time could take a few seconds. Please reload the page after 20-30 seconds, if you get a 502 error from the reverse proxy.**
-
 ## Repository 
 
 | Directory | Description |
@@ -65,7 +59,7 @@ Sample images from this project can be found here:
 | [ghcr.io](https://github.com/gpappsoft/privacyidea-docker/pkgs/container/privacyidea-docker)| ```docker pull ghcr.io/gpappsoft/privacyidea-docker:latest```|
 
 > [!Note] 
-> ```latest``` tagged image is maybe a pre- or development-release. Please use always a release number (like ```3.10.1```) 
+> ```latest``` tagged image is maybe a pre- or development-release. Please use always a release number (like ```3.11```) 
 
 ## Quickstart
 
@@ -118,7 +112,7 @@ You can use *Makefile* targets to build different images with different privacyI
 
 #### Build a specific privacyIDEA version
 ```
-make build PI_VERSION=3.10.1
+make build PI_VERSION=3.11 PI_VERSION_BUILD=3.11
 ```
 
 #### Push to a registry
@@ -145,7 +139,7 @@ make distclean
 
 | target | optional ARGS | description | example
 ---------|----------|---|---------
-| ```build ``` | ```PI_VERSION```<br> ```IMAGE_NAME```|Build an image. Optional: specify the version and image name| ```make build PI_VERSION=3.10```|
+| ```build ``` | ```PI_VERSION```<br> ```IMAGE_NAME```|Build an image. Optional: specify the version, requirements version and image name| ```make build PI_VERSION=3.11 PI_VERSION_BUILD=3.11```|
 | ```push``` | ```REGISTRY```|Tag and push the image to the registry. Optional: specify the registry URI. Defaults to *localhost:5000*| ```make push REGISTRY=docker.io/gpappsoft/privacyidea-docker```|
 | ```run``` |  ```PORT``` <br> ```TAG```  |Run a standalone container with gunicorn and sqlite. Optional: specify the prefix tag of the container name and listen port. Defaults to *pi* and port *8080*| ```make run TAG=prod PORT=8888```|
 | ```secret``` | |Generate secrets to use in an environment file | ```make secret```|
@@ -269,7 +263,7 @@ You can start the stack in the background with console detached using the **-d**
 
 Full example including build with  ```make```targets:
 ```
-make cert build push stack PI_VERSION=3.10 TAG=pidev
+make cert build push stack PI_VERSION=3.11 PI_VERSION_BUILD=3.11 TAG=pidev
 ```
 ---
 Now you can deploy additional containers like OpenLDAP for user realms or Owncloud as a client to test 2FA authentication. 
@@ -300,6 +294,7 @@ Have fun!
 ```SUPERUSER_REALM```|"admin,helpdesk"| Admin realms, which can be used for policies in privacyIDEA. Comma separated list. See the privacyIDEA documentation for more information.
 ```PI_SQLALCHEMY_ENGINE_OPTIONS```| False | Set pool_pre_ping option. Set to ```True``` for DB clusters (like Galera).
 
+**Additional enviornment variables** starting with ```PI_``` will automatically added to ```pi.cfg```
 
 ### DB connection parameters
 | Variable | Description

conf/pi.cfg

@@ -1,35 +1,31 @@
 import logging
 import os
-
-# The realm, where users are allowed to login as administrators
-SUPERUSER_REALM =  os.getenv("SUPERUSER_REALM","admin,helpdesk").split(',') 
-
-# Your database
-SQLALCHEMY_DATABASE_URI = os.getenv("DB_API") + "://" + os.getenv("DB_USER") + ":" + os.getenv("DB_PASSWORD") + "@" + os.getenv("DB_HOST") + ":" + os.getenv("DB_PORT") + "/" + os.getenv("DB_NAME") + os.getenv("DB_EXTRA_PARAMS") if (os.getenv("DB_PASSWORD")) else "sqlite:////privacyidea/etc/persistent/data.sqlite" 
-
-# This is used to encrypt the auth_token
-SECRET_KEY = open('%s' % os.getenv("PI_SECRET")).read().rstrip('\n') if os.path.exists(os.getenv("PI_SECRET")) else os.getenv("PI_SECRET")
-
-# This is used to encrypt the admin passwords
-PI_PEPPER = open('%s' % os.getenv("PI_PEPPER")).read().rstrip('\n') if os.path.exists(os.getenv("PI_PEPPER")) else os.getenv("PI_PEPPER")
-# This is used to encrypt the token data and token passwords
-PI_ENCFILE = '/privacyidea/etc/persistent/enckey'
-
-# Scripts
-PI_SCRIPT_HANDLER_DIRECTORY='/privacyidea/scripts'
-
-# This is used to sign the audit log
-PI_AUDIT_KEY_PRIVATE = '/privacyidea/etc/persistent/private.pem'
-PI_AUDIT_KEY_PUBLIC = '/privacyidea/etc/persistent/public.pem'
-PI_AUDIT_SQL_TRUNCATE = True
-
-# The Class for managing the SQL connection pool
-PI_ENGINE_REGISTRY_CLASS = os.getenv("PI_REGISTRY_CLASS", "shared")
-PI_AUDIT_POOL_SIZE = 20
-
-# Logging
-PI_LOGCONFIG = '/privacyidea/etc/logging.cfg'
-PI_LOGLEVEL =  logging.getLevelName(os.getenv("PI_LOGLEVEL", "INFO").upper())
-PI_UUID_FILE = '/privacyidea/etc/persistent/uuid.txt'
-# Use true if DB cLuster used (e.g. galera, oracle...)
-SQLALCHEMY_ENGINE_OPTIONS= {"pool_pre_ping": os.getenv("PI_SQLALCHEMY_ENGINE_OPTIONS", "False")} 
+import pprint
+
+pi_os_special_vars = {
+    'SUPERUSER_REALM': os.getenv("SUPERUSER_REALM","admin,helpdesk").split(','),
+    'PI_ENCFILE' : '/privacyidea/etc/persistent/enckey',
+    'PI_SCRIPT_HANDLER_DIRECTORY' : '/privacyidea/scripts',
+    'PI_AUDIT_KEY_PRIVATE' : '/privacyidea/etc/persistent/private.pem',
+    'PI_AUDIT_KEY_PUBLIC' : '/privacyidea/etc/persistent/public.pem',
+    'PI_AUDIT_SQL_TRUNCATE' : os.getenv("PI_AUDIT_SQL_TRUNCATE",True),
+    'PI_ENGINE_REGISTRY_CLASS': os.getenv("PI_REGISTRY_CLASS", "shared"),
+    'PI_AUDIT_POOL_SIZE' : os.getenv("PI_AUDIT_POOL_SIZE", "20"),
+    'PI_AUDIT_NO_SIGN' : os.getenv("PI_AUDIT_POOL_SIZE", False),
+    'PI_LOGCONFIG' : '/privacyidea/etc/logging.cfg',
+    'PI_LOGLEVEL' : logging.getLevelName(os.getenv("PI_LOGLEVEL", "INFO").upper()),
+    'PI_UUID_FILE' : '/privacyidea/etc/persistent/uuid.txt',
+    'PI_SQLALCHEMY_ENGINE_OPTIONS' : {"pool_pre_ping": os.getenv("PI_SQLALCHEMY_ENGINE_OPTIONS", "False")} ,
+    'SQLALCHEMY_DATABASE_URI' : os.getenv("DB_API",'sqlite:////privacyidea/etc/persistent/data.sqlite') + "://" + os.getenv("DB_USER",'') + ":" + os.getenv("DB_PASSWORD",'') + "@" + os.getenv("DB_HOST",'') + ":" + os.getenv("DB_PORT",'') + "/" + os.getenv("DB_NAME",'') + os.getenv("DB_EXTRA_PARAMS",'')
+    }
+
+pi_os_vars = {key: value for key, value in os.environ.items() if key.startswith('PI_')}    
+
+for k, v in pi_os_vars.items():
+        locals()[k] = v
+
+for k, v in pi_os_special_vars.items():
+        locals()[k] = v
+
+#debugenv = locals().copy()
+#pprint.pprint (debugenv)

docker-compose.yaml

@@ -81,6 +81,10 @@ services:
         source: ./templates/nginx_default.conf.template
         target: /etc/nginx/templates/default.conf.template
         read_only: true
+      - type: bind
+        source: ./templates/502.html
+        target: /etc/privacyidea/customization/502.html
+        read_only: true
     networks:
       - privacyidea
     restart: always

entrypoint.py

@@ -0,0 +1,56 @@
+import os
+import base64
+from time import sleep
+from privacyidea.app import create_app
+from privacyidea.cli.pimanage.pi_setup import (create_enckey, create_audit_keys,create_pgp_keys)
+from privacyidea.lib.auth import create_db_admin
+from privacyidea.models import db
+
+
+app = create_app(config_name='production',config_file='/privacyidea/etc/pi.cfg')
+
+os.chdir('/privacyidea/venv/lib/python3.12/site-packages/privacyidea')
+
+# Update database schema, if set
+PI_UPDATE = os.environ.get('PI_UPDATE', False)
+
+# Create enckey
+if not os.path.exists('/privacyidea/etc/persistent/enckey') or os.path.getsize('/privacyidea/etc/persistent/enckey') == 0:
+    print("### Create enckey ###")
+    if 'PI_ENCKEY' in os.environ and not os.path.exists('/privacyidea/etc/persistent/enckey'):
+        print("### Use PI_ENCKEY ###")
+        with open('/privacyidea/etc/persistent/enckey', 'wb') as f:
+            f.write(base64.b64decode(os.environ['PI_ENCKEY']))
+        os.chmod('/privacyidea/etc/persistent/enckey', 0o400)
+    else:
+        print("### Use create_enckey() ###")
+        with app.app_context():
+            create_enckey()
+
+# Create audit keys if not exists
+if not os.path.exists('/privacyidea/etc/persistent/private.pem'):
+    print("### Create audit and pgp keys ###")
+    with app.app_context():
+        create_audit_keys()
+        create_pgp_keys()
+
+# Bootstrap database
+if os.path.exists('/privacyidea/etc/persistent/enckey') and not os.path.exists('/privacyidea/etc/persistent/dbcreated'):
+    print("### Creating database tables ###")
+    with app.app_context():
+        dbcreate = db.create_all()
+    open('/privacyidea/etc/persistent/dbcreated', 'w').close()
+
+print("### Create initial admin user ###")
+with app.app_context():
+    create_db_admin(os.environ.get('PI_ADMIN', 'admin'), 'email',os.environ.get('PI_ADMIN_PASS', 'admin'))
+
+# Run the app using gunicorn WSGI HTTP server
+cmd = [ "python",
+    "-m", "gunicorn",
+    "-w", "1",
+    "-b", os.environ['PI_ADDRESS']+":"+os.environ['PI_PORT'],
+    "privacyidea.app:create_app(config_name='production',config_file='/privacyidea/etc/pi.cfg')"
+]
+
+os.execvp('python', cmd)