diff --git a/Dockerfile b/Dockerfile
index 884bdc1..626068e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,35 @@
-FROM ubuntu:trusty
-MAINTAINER Cornelius Kölbel
-RUN apt-get update
-RUN apt-get install -y software-properties-common
-RUN add-apt-repository ppa:privacyidea/privacyidea
-RUN apt-get update
-RUN apt-get install -y privacyidea
-RUN apt-get install -y python-mysqldb
-RUN privacyidea-create-pwidresolver-user -u admin -p test > /etc/privacyidea/admin-users
-EXPOSE 5001
-VOLUME /etc/privacyidea
-VOLUME /var/log/privacyidea
-VOLUME /var/lib/privacyidea
-ENTRYPOINT paster serve /etc/privacyidea/privacyidea.ini
-USER privacyidea
+FROM python:3.7
+
+ENV DEBIAN_FRONTEND="noninteractive"
+ENV USER=pi
+ENV HOME=/home/pi
+ENV PRIVACYIDEA_CONFIGFILE=$HOME/pi.py
+ENV PATH=$PATH:/home/pi/.local/bin
+
+RUN useradd -ms /bin/bash $USER -u 1000 \
+ && mkdir -p $HOME/db \
+ && chown "${USER}:${USER}" ${HOME}/db
+
+RUN apt-get update -yqq \
+ && apt-get install -yqq \
+ unixodbc-dev \
+ && rm -rf /var/lib/apt/list/*
+
+USER $USER
+
+WORKDIR $HOME
+
+RUN pip -q install virtualenv \
+ && virtualenv /home/pi \
+ && . bin/activate \
+ && pip -q install privacyidea==3.2.2 pymssql==2.1.4 \
+ && pip -q install -r lib/privacyidea/requirements.txt \
+ && rm -rf ~/.cache/pip
+
+COPY --chown=1000:1000 . .
+
+ENTRYPOINT [ "./entrypoint.sh" ]
+
+CMD ["./start-server.sh"]
+
+EXPOSE 5000
\ No newline at end of file
diff --git a/README.md b/README.md
index 69ded36..1efd7a7 100644
--- a/README.md
+++ b/README.md
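Review bot: The apt cleanup in the second RUN targets `/var/lib/apt/list/*`, but the package index lives under `/var/lib/apt/lists`, so the layer keeps the files it meant to drop; change it to `&& rm -rf /var/lib/apt/lists/*`. The same install could take `--no-install-recommends` so unixodbc-dev's optional dependencies stay out of the image. `ENV DEBIAN_FRONTEND="noninteractive"` persists into the runtime environment, which is build-only configuration; writing it inline as `RUN DEBIAN_FRONTEND=noninteractive apt-get update -yqq \` keeps it out of the container. `FROM python:3.7` floats across patch releases, so pinning a full tag or a digest makes rebuilds reproducible; switching to the unprivileged `pi` user before the pip install and the ENTRYPOINT is the right shape and should stay.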
@@ -3,26 +3,14 @@ This is a small draft build environment to build a docker image for privacyIDEA. The image ========= -The docker image is a self contained Ubuntu 14.04 with privacyIDEA installed, which will -run on every distribution. - Run it with - docker run -d -p 5001:5001 privacyidea/otpserver + docker run -d -p 5001:5000 privacyidea/otpserver -This will download the existing privacyIDEA container from the docker hub -https://registry.hub.docker.com/u/privacyidea/otpserver/ -and run it. +Login to http://localhost:5000 with "admin"/"admin". -Login to http://localhost:5001 with "admin@admin"/"test". +Create mssql database: docker-compose exec mssql sh -c '/opt/mssql-tools/bin/sqlcmd -U "$SA_USER" -P "$SA_PASSWORD" -Q "create database pi"' You must not use this in productive environment, since it contains fixed encryption keys and SSL certificate! -Building -======== - -To build the docker image, you must be root, since the result is written to -/var/lib/docker... - - diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..a6c30e0 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,41 @@
+version: "3.7"
+
+services:
+
+ privacyidea:
+ image: privacyidea:dev
+ build:
+ context: .
+ depends_on:
+ - mssql
+ ports:
+ - 5000:5000
+ volumes:
+ - pidata:/home/pi/etc/privacyidea
+ environment:
+ ADMIN_ACCOUNT: admin@admin.com
+ ADMIN_PASSWORD: admin
+ DB_HOSTNAME: mssql:1433
+ DB_USER: sa
+ DB_PASSWORD: Password!23
+ DB_DATABASE: pi
+ # This is used to encrypt the auth_token
+ SECRET_KEY: 'T0p S3Cret!'
+ # This is used to encrypt the admin passwords
+ PI_PEPPER: 'S3Cret'
+ PI_UI_DEACTIVATED: 'False'
+
+ # https://hub.docker.com/_/microsoft-mssql-server
+ mssql:
+ image: mcr.microsoft.com/mssql/server:2017-CU14
+ volumes:
+ - mssqldata:/var/opt/mssql
+ environment:
+ ACCEPT_EULA: 'Y'
+ SA_USER: sa
+ SA_PASSWORD: Password!23
+ MSSQL_PID: Developer # Could be also "Express", "Standard", "Enterprise" and "EnterpriseCore"
+
+volumes:
+ mssqldata:
+ pidata:
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..6894bca
--- /dev/null
+++ b/entrypoint.sh
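Review bot: Every credential in this file (`ADMIN_PASSWORD`, `DB_PASSWORD`, `SA_PASSWORD`, `SECRET_KEY`, `PI_PEPPER`) is a fixed literal committed to the repository, so every deployment built from it shares the same token-signing key and password pepper, and the SA password is duplicated by hand between the two services. Read them from an untracked env file instead, e.g. `DB_PASSWORD: ${DB_PASSWORD:?set in .env}` and the same expression for `SA_PASSWORD`, so a missing value fails `docker-compose up` rather than silently shipping the default. `ports: - 5000:5000` publishes the dev server with its default `admin` password on every host interface; `127.0.0.1:5000:5000` keeps a development stack local. The README already marks this setup as non-production, and a comment to that effect above `environment:` would keep the warning next to the values it applies to.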
@@ -0,0 +1,43 @@
+#!/bin/bash
+set -e
+
+. bin/activate
+
+NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-admin@admin.com}"
+ADMIN_PASSWORD="${ADMIN_PASSWORD:-$NEW_UUID}"
+
+if [ ! -f /home/pi/etc/privacyidea/enckey ];
+then
+ pi-manage create_enckey
+else
+ echo "SKIP: enckey already exists."
+fi
+
+if [ ! -f /home/pi/etc/privacyidea/private.pem ];
+then
+ pi-manage create_audit_keys
+else
+ echo "SKIP: audit keys already exists."
+fi
+
+echo "Creating database..."
+until pi-manage createdb;
+do
+ echo "Cannot connect to database. Trying again..."
+ sleep 3
+done
+
+echo "Migrations step..."
+pi-manage db stamp head -d lib/privacyidea/migrations
+
+echo "Creating admin account"
+pi-manage admin add admin -e "$ADMIN_ACCOUNT" -p "$ADMIN_PASSWORD"
+
+echo "
+ You can login with the following credentials:
+ email: $ADMIN_ACCOUNT
+ password: $ADMIN_PASSWORD
+"
+
+exec "$@"
\ No newline at end of file
diff --git a/pi.py b/pi.py
new file mode 100644
index 0000000..dbc900e
--- /dev/null
+++ b/pi.py
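Review bot: The closing `echo` prints `$ADMIN_PASSWORD` to stdout on every start, so an operator-supplied password ends up in `docker logs` just like a generated one. Record whether the value was generated before the default is applied, `PASSWORD_GENERATED="${ADMIN_PASSWORD:+no}"` above the `ADMIN_PASSWORD=` line, and wrap the message in `if [ "$PASSWORD_GENERATED" != no ]; then … fi` so only a freshly generated password is shown. `pi-manage admin add` and `pi-manage db stamp head` also run on every restart; if `admin add` rejects an existing admin it aborts the script under `set -e`, and stamping to head on an upgraded image would mark pending migrations as applied without running them — both worth confirming against pi-manage's behaviour and guarding with a first-run marker file next to `enckey`. The password is also passed on the `-p` command line, where it is briefly visible to other processes in the container; there is no function here, the script is flat.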
@@ -0,0 +1,21 @@
+from os import getenv
+
+SUPERUSER_REALM = getenv('SUPERUSER_REALM', ['super', 'administrators'])
+# Your database
+SQLALCHEMY_DATABASE_URI = 'mssql+pymssql://%s:%s@%s/%s' % (getenv('DB_USER'), getenv('DB_PASSWORD'), getenv('DB_HOSTNAME'), getenv('DB_DATABASE'))
+# This is used to encrypt the auth_token
+SECRET_KEY = getenv('SECRET_KEY')
+# This is used to encrypt the admin passwords
+PI_PEPPER = getenv('PI_PEPPER')
+# This is used to encrypt the token data and token passwords
+PI_ENCFILE = '/home/pi/etc/privacyidea/enckey'
+# This is used to sign the audit log
+PI_AUDIT_KEY_PRIVATE = '/home/pi/etc/privacyidea/private.pem'
+PI_AUDIT_KEY_PUBLIC = '/home/pi/etc/privacyidea/public.pem'
+# PI_AUDIT_MODULE =
+# PI_AUDIT_SQL_URI =
+# PI_LOGFILE = '....'
+PI_UI_DEACTIVATED = getenv('PI_UI_DEACTIVATED') == 'True'
+# PI_LOGLEVEL = 20
+# PI_INIT_CHECK_HOOK = 'your.module.function'
+# PI_CSS = '/location/of/theme.css'
\ No newline at end of file
diff --git a/start-server.sh b/start-server.sh
new file mode 100755
index 0000000..099ef99
--- /dev/null
+++ b/start-server.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+. bin/activate
+
+echo "Starting development server.."
+
+pi-manage runserver -h 0.0.0.0 -p 5000
\ No newline at end of file
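Review bot: `SUPERUSER_REALM` mixes types: `getenv` returns a string when the variable is set, while the default is a list, so an environment override yields a plain string where the default shows a list of realm names is intended. Use a string default and split it, `SUPERUSER_REALM = getenv('SUPERUSER_REALM', 'super,administrators').split(',')`. `SECRET_KEY`, `PI_PEPPER` and the four `DB_*` values have no default, so an unset variable silently becomes `None` and the URI reads `mssql+pymssql://None:None@None/None`; raising at import time when any of them is missing fails fast with a clear message instead. The user and password are interpolated into the URI unescaped, so a value containing `@`, `/` or `:` breaks URL parsing — passing them through `urllib.parse.quote_plus` avoids that.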
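Review bot: `pi-manage runserver` is started as a child of this script's bash rather than replacing it, so after the entrypoint's `exec "$@"` PID 1 is the shell, which does not forward `SIGTERM` to the server on `docker stop`; use `exec pi-manage runserver -h 0.0.0.0 -p 5000`. The echo above it says this is the development server, and the Dockerfile makes this script the default CMD, so the image's default command is the dev server bound to all interfaces — consistent with the README's non-production caveat, but worth stating where it is configured, e.g. `# Development server only; not for production use` above the runserver line.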