new baseimage

Author: BertrandGouny

README.md

@@ -95,9 +95,9 @@ By default TLS is enable, a certificate is created with the container hostname (
 
 Add your custom certificate, private key and CA certificate in the directory **image/service/slapd/assets/ssl** adjust filename in **image/env.yaml** and rebuild the image ([see manual build](#manual-build)).
 
-Or you can set your custom certificate at run time, by mouting a directory containing thoses files to **/osixia/service/slapd/assets/ssl** and adjust there name with the following environment variables :
+Or you can set your custom certificate at run time, by mouting a directory containing thoses files to **/container/service/slapd/assets/ssl** and adjust there name with the following environment variables :
 
-	docker run -h ldap.example.org -v /path/to/certifates:/osixia/service/slapd/assets/ssl \
+	docker run -h ldap.example.org -v /path/to/certifates:/container/service/slapd/assets/ssl \
 	-e SSL_CRT_FILENAME=my-ldap.crt \
 	-e SSL_KEY_FILENAME=my-ldap.key \
 	-e SSL_CA_CRT_FILENAME=the-ca.crt \
@@ -129,7 +129,7 @@ That's it ! But a litle test to be sure :
 
 Add a new user "billy" on the first ldap server
 
-	docker exec $LDAP_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /osixia/service/slapd/assets/test/new-user.ldif -h ldap.example.org -ZZ
+	docker exec $LDAP_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/new-user.ldif -h ldap.example.org -ZZ
 
 Search on the second ldap server, and billy should show up !
 

image/Dockerfile

@@ -1,36 +1,29 @@
 FROM osixia/light-baseimage:0.1.0
 MAINTAINER Bertrand Gouny <[email protected]>
 
-# Use osixia/light-baseimage's init system.
-CMD ["/osixia/tool/run"]
-
-# Add service directory to /osixia/service
-ADD service /osixia/service
-
-# Scripts /sbin/add-service-available
-# /sbin/install-service and /sbin/clean-container
-# are tools from osixia/light-baseimage
-RUN /sbin/add-service-available ssl-helper-gnutls \
- && /sbin/install-service \
- && /sbin/clean-container
-
-# /sbin/add-service-available ssl-helper-gnutls
-# Add ssl-helper-gnutls, used to generate TLS default certificates
-
-# /sbin/install-service
-# make an apt-get update
-# run /osixia/service/*/install.sh
-# link /osixia/service/*/container-start.sh to /etc/my_init.d/*
-# link /osixia/service/*/daemon.sh to /etc/service/*/run
-
-# Files in /etc/my_init.d will be run during container start,
-# Files in /etc/service/*/run are the process run by the docker image
-
-# /sbin/clean-container remove unnecessary files
-
-# More information :
-# https://github.com/osixia/docker-light-baseimage
-
+# Use baseimage's init system.
+# https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/run
+CMD ["/container/tool/run"]
+
+# Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
+RUN groupadd -r openldap && useradd -r -g openldap openldap
+
+# Install OpenLDAP, ldap-utils and ssl-helper from baseimage and remove default ldap db
+# https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/install-service-available
+RUN apt-get -y update \
+    && /container/tool/install-service-available ssl-helper-gnutls \
+	  && LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y --force-yes --no-install-recommends \
+	     slapd ldap-utils \
+	  && rm -rf /var/lib/ldap /etc/ldap/slapd.d
+
+# Add service directory to /container/service
+ADD service /container/service
+
+# Use baseimage install-service script and clean all
+# https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/install-service
+RUN /container/tool/install-service \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Add default env variables
 ADD env.yaml /etc/env.yaml

image/service/slapd/assets/config/tls/tls-enable.ldif

@@ -4,16 +4,16 @@ replace: olcTLSCipherSuite
 olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
 -
 replace: olcTLSCACertificateFile
-olcTLSCACertificateFile: /osixia/service/slapd/assets/ssl/ca.crt
+olcTLSCACertificateFile: /container/service/slapd/assets/ssl/ca.crt
 -
 replace: olcTLSCertificateFile
-olcTLSCertificateFile: /osixia/service/slapd/assets/ssl/ldap.crt
+olcTLSCertificateFile: /container/service/slapd/assets/ssl/ldap.crt
 -
 replace: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: /osixia/service/slapd/assets/ssl/ldap.key
+olcTLSCertificateKeyFile: /container/service/slapd/assets/ssl/ldap.key
 -
 replace: olcTLSDHParamFile
-olcTLSDHParamFile: /osixia/service/slapd/assets/ssl/dhparam.pem
+olcTLSDHParamFile: /container/service/slapd/assets/ssl/dhparam.pem
 -
 replace: olcTLSVerifyClient
 olcTLSVerifyClient: demand

image/service/slapd/assets/ssl/README.md

@@ -1,2 +1,2 @@
 Add your ssl crt, key and ca crt here
-or during docker run mount a data volume with thoses files to /osixia/service/slapd/assets/ssl
+or during docker run mount a data volume with thoses files to /container/service/slapd/assets/ssl

image/service/slapd/container-start.sh

@@ -12,7 +12,7 @@ ulimit -n 1024
 #fix file permissions
 chown -R openldap:openldap /var/lib/ldap
 chown -R openldap:openldap /etc/ldap
-chown -R openldap:openldap /osixia/service/slapd
+chown -R openldap:openldap /container/service/slapd
 
 # container first start
 if [ ! -e "$FIRST_START_DONE" ]; then
@@ -44,13 +44,13 @@ if [ ! -e "$FIRST_START_DONE" ]; then
     local LDAP_KEY=$3
 
     # check certificat and key or create it
-    /sbin/ssl-helper "/osixia/service/slapd/assets/ssl/$LDAP_CRT" "/osixia/service/slapd/assets/ssl/$LDAP_KEY" --ca-crt=/osixia/service/slapd/assets/ssl/$CA_CRT --gnutls
+    /sbin/ssl-helper "/container/service/slapd/assets/ssl/$LDAP_CRT" "/container/service/slapd/assets/ssl/$LDAP_KEY" --ca-crt=/container/service/slapd/assets/ssl/$CA_CRT --gnutls
 
     # create DHParamFile if not found
-    [ -f /osixia/service/slapd/assets/ssl/dhparam.pem ] || openssl dhparam -out /osixia/service/slapd/assets/ssl/dhparam.pem 2048
+    [ -f /container/service/slapd/assets/ssl/dhparam.pem ] || openssl dhparam -out /container/service/slapd/assets/ssl/dhparam.pem 2048
 
     # fix file permissions
-    chown -R openldap:openldap /osixia/service/slapd
+    chown -R openldap:openldap /container/service/slapd
   }
 
 
@@ -114,13 +114,13 @@ EOF
 
     # convert schemas to ldif
     SCHEMAS=""
-    for f in $(find /osixia/service/slapd/assets/config/bootstrap/schema -name \*.schema -type f); do
+    for f in $(find /container/service/slapd/assets/config/bootstrap/schema -name \*.schema -type f); do
       SCHEMAS="$SCHEMAS ${f}"
     done
-    /osixia/service/slapd/assets/schema-to-ldif.sh "$SCHEMAS"
+    /container/service/slapd/assets/schema-to-ldif.sh "$SCHEMAS"
 
     # add schemas
-    for f in $(find /osixia/service/slapd/assets/config/bootstrap/schema -name \*.ldif -type f); do
+    for f in $(find /container/service/slapd/assets/config/bootstrap/schema -name \*.ldif -type f); do
       echo "Processing file ${f}"
       # add schema if not already exists
       SCHEMA=$(basename "${f}" .ldif)
@@ -135,14 +135,14 @@ EOF
 
     # set config password
     CONFIG_PASSWORD_ENCRYPTED=$(slappasswd -s $LDAP_CONFIG_PASSWORD)
-    sed -i "s|{{ CONFIG_PASSWORD_ENCRYPTED }}|$CONFIG_PASSWORD_ENCRYPTED|g" /osixia/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
+    sed -i "s|{{ CONFIG_PASSWORD_ENCRYPTED }}|$CONFIG_PASSWORD_ENCRYPTED|g" /container/service/slapd/assets/config/bootstrap/ldif/01-config-password.ldif
 
     # adapt security config file
     get_base_dn
-    sed -i "s|dc=example,dc=org|$BASE_DN|g" /osixia/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
+    sed -i "s|dc=example,dc=org|$BASE_DN|g" /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
 
     # process config files
-    for f in $(find /osixia/service/slapd/assets/config/bootstrap/ldif  -name \*.ldif -type f | sort); do
+    for f in $(find /container/service/slapd/assets/config/bootstrap/ldif  -name \*.ldif -type f | sort); do
       echo "Processing file ${f}"
       ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f
     done
@@ -157,11 +157,11 @@ EOF
     check_tls_files $SSL_CA_CRT_FILENAME $SSL_CRT_FILENAME $SSL_KEY_FILENAME
 
     # adapt tls ldif
-    sed -i "s,/osixia/service/slapd/assets/ssl/ca.crt,/osixia/service/slapd/assets/ssl/${SSL_CA_CRT_FILENAME},g" /osixia/service/slapd/assets/config/tls/tls-enable.ldif
-    sed -i "s,/osixia/service/slapd/assets/ssl/ldap.crt,/osixia/service/slapd/assets/ssl/${SSL_CRT_FILENAME},g" /osixia/service/slapd/assets/config/tls/tls-enable.ldif
-    sed -i "s,/osixia/service/slapd/assets/ssl/ldap.key,/osixia/service/slapd/assets/ssl/${SSL_KEY_FILENAME},g" /osixia/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s,/container/service/slapd/assets/ssl/ca.crt,/container/service/slapd/assets/ssl/${SSL_CA_CRT_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s,/container/service/slapd/assets/ssl/ldap.crt,/container/service/slapd/assets/ssl/${SSL_CRT_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
+    sed -i "s,/container/service/slapd/assets/ssl/ldap.key,/container/service/slapd/assets/ssl/${SSL_KEY_FILENAME},g" /container/service/slapd/assets/config/tls/tls-enable.ldif
 
-    ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /osixia/service/slapd/assets/config/tls/tls-enable.ldif
+    ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/tls/tls-enable.ldif
 
     [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
     touch $WAS_STARTED_WITH_TLS
@@ -171,20 +171,20 @@ EOF
     chmod +x $WAS_STARTED_WITH_TLS
 
     # ldap client config
-    sed -i "s,TLS_CACERT.*,TLS_CACERT /osixia/service/slapd/assets/ssl/${SSL_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
+    sed -i "s,TLS_CACERT.*,TLS_CACERT /container/service/slapd/assets/ssl/${SSL_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
     echo "TLS_REQCERT demand" >> /etc/ldap/ldap.conf
 
     [[ -f "$HOME/.ldaprc" ]] && rm -f $HOME/.ldaprc
     touch $HOME/.ldaprc
-    echo "TLS_CERT /osixia/service/slapd/assets/ssl/${SSL_CRT_FILENAME}" >> $HOME/.ldaprc
-    echo "TLS_KEY /osixia/service/slapd/assets/ssl/${SSL_KEY_FILENAME}" >> $HOME/.ldaprc
+    echo "TLS_CERT /container/service/slapd/assets/ssl/${SSL_CRT_FILENAME}" >> $HOME/.ldaprc
+    echo "TLS_KEY /container/service/slapd/assets/ssl/${SSL_KEY_FILENAME}" >> $HOME/.ldaprc
 
   else
 
     echo "Don't use TLS"
 
     [[ -f "$WAS_STARTED_WITH_TLS" ]] && rm -f "$WAS_STARTED_WITH_TLS"
-    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/service/slapd/assets/config/tls/tls-disable.ldif || true
+    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/tls/tls-disable.ldif || true
 
   fi
 
@@ -205,31 +205,31 @@ EOF
         #host var contain a variable name, we access to the variable value
         host=${!host}
 
-        sed -i "s|{{ REPLICATION_HOSTS }}|olcServerID: $i ${host}\n{{ REPLICATION_HOSTS }}|g" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
-        sed -i "s|{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${host} ${REPLICATION_CONFIG_SYNCPROV}\n{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
-        sed -i "s|{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${host} ${REPLICATION_HDB_SYNCPROV}\n{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
+        sed -i "s|{{ REPLICATION_HOSTS }}|olcServerID: $i ${host}\n{{ REPLICATION_HOSTS }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+        sed -i "s|{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${host} ${REPLICATION_CONFIG_SYNCPROV}\n{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+        sed -i "s|{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${host} ${REPLICATION_HDB_SYNCPROV}\n{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
 
         ((i++))
       done
 
       get_base_dn
-      sed -i "s|\$BASE_DN|$BASE_DN|g" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
-      sed -i "s|\$LDAP_ADMIN_PASSWORD|$LDAP_ADMIN_PASSWORD|g" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
-      sed -i "s|\$LDAP_CONFIG_PASSWORD|$LDAP_CONFIG_PASSWORD|g" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "s|\$BASE_DN|$BASE_DN|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "s|\$LDAP_ADMIN_PASSWORD|$LDAP_ADMIN_PASSWORD|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "s|\$LDAP_CONFIG_PASSWORD|$LDAP_CONFIG_PASSWORD|g" /container/service/slapd/assets/config/replication/replication-enable.ldif
 
-      sed -i "/{{ REPLICATION_HOSTS }}/d" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
-      sed -i "/{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
-      sed -i "/{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" /osixia/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "/{{ REPLICATION_HOSTS }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "/{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "/{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" /container/service/slapd/assets/config/replication/replication-enable.ldif
 
-      ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/service/slapd/assets/config/replication/replication-enable.ldif
+      ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/replication/replication-enable.ldif
       touch $WAS_STARTED_WITH_REPLICATION
     fi
 
   else
 
     echo "Don't use replication"
     [[ -f "$WAS_STARTED_WITH_REPLICATION" ]] && rm -f "$WAS_STARTED_WITH_REPLICATION"
-    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/service/slapd/assets/config/replication/replication-disable.ldif || true
+    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /container/service/slapd/assets/config/replication/replication-disable.ldif || true
 
     rm -f $WAS_STARTED_WITH_REPLICATION
 

image/service/slapd/install.sh

@@ -32,7 +32,7 @@ load test_helper
 
 @test "ldapsearch new database with strict TLS and custom ca/crt" {
 
-  run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/osixia/service/slapd/assets/ssl -e SSL_CRT_FILENAME=ldap-test.crt -e SSL_KEY_FILENAME=ldap-test.key -e SSL_CA_CRT_FILENAME=ca-test.crt
+  run_image -h ldap.osixia.net -v $BATS_TEST_DIRNAME/ssl:/container/service/slapd/assets/ssl -e SSL_CRT_FILENAME=ldap-test.crt -e SSL_KEY_FILENAME=ldap-test.key -e SSL_CA_CRT_FILENAME=ca-test.crt
   wait_service slapd
   run docker exec $CONTAINER_ID ldapsearch -x -h ldap.osixia.net -b dc=example,dc=org -ZZ -D "cn=admin,dc=example,dc=org" -w admin
   clear_container
@@ -79,7 +79,7 @@ load test_helper
   wait_service_by_cid $LDAP_REPL_CID slapd
 
   # add user on ldap2.example.org
-  docker exec $LDAP_REPL_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /osixia/service/slapd/assets/test/new-user.ldif -h ldap2.example.org -ZZ
+  docker exec $LDAP_REPL_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/new-user.ldif -h ldap2.example.org -ZZ
 
   sleep 5