Privacyidea with mssql

Dockerfile

@@ -1,15 +1,35 @@
-FROM ubuntu:trusty
-MAINTAINER Cornelius Kölbel <cornelius@privacyidea.org>
-RUN apt-get update
-RUN apt-get install -y software-properties-common
-RUN add-apt-repository ppa:privacyidea/privacyidea
-RUN apt-get update
-RUN apt-get install -y privacyidea
-RUN apt-get install -y python-mysqldb
-RUN privacyidea-create-pwidresolver-user -u admin -p test > /etc/privacyidea/admin-users 
-EXPOSE 5001
-VOLUME /etc/privacyidea
-VOLUME /var/log/privacyidea
-VOLUME /var/lib/privacyidea
-ENTRYPOINT paster serve /etc/privacyidea/privacyidea.ini 
-USER privacyidea
+FROM python:3.7
+
+ENV DEBIAN_FRONTEND="noninteractive"
+ENV USER=pi
+ENV HOME=/home/pi
+ENV PRIVACYIDEA_CONFIGFILE=$HOME/pi.py
+ENV PATH=$PATH:/home/pi/.local/bin
+
+RUN useradd -ms /bin/bash $USER -u 1000 \
+    && mkdir -p $HOME/db \
+    && chown "${USER}:${USER}" ${HOME}/db
+
+RUN apt-get update -yqq \
+    && apt-get install -yqq \
+        unixodbc-dev \
+    && rm -rf /var/lib/apt/list/*
+
+USER $USER
+
+WORKDIR $HOME
+
+RUN pip -q install virtualenv \
+    && virtualenv /home/pi \
+    && . bin/activate \
+    && pip -q install privacyidea==3.2.2 pymssql==2.1.4 \
+    && pip -q install -r lib/privacyidea/requirements.txt \
+    && rm -rf ~/.cache/pip
+
+COPY --chown=1000:1000 . .
+
+ENTRYPOINT [ "./entrypoint.sh" ]
+
+CMD ["./start-server.sh"]
+
+EXPOSE 5000

README.md

@@ -3,26 +3,14 @@ This is a small draft build environment to build a docker image for privacyIDEA.
 The image
 =========
 
-The docker image is a self contained Ubuntu 14.04 with privacyIDEA installed, which will
-run on every distribution.
-
 Run it with 
 
-  docker run -d -p 5001:5001 privacyidea/otpserver
+  docker run -d -p 5001:5000 privacyidea/otpserver
 
-This will download the existing privacyIDEA container from the docker hub
-https://registry.hub.docker.com/u/privacyidea/otpserver/
-and run it.
+Login to http://localhost:5000 with "admin"/"admin".
 
-Login to http://localhost:5001 with "admin@admin"/"test".
+Create mssql database: docker-compose exec mssql sh -c '/opt/mssql-tools/bin/sqlcmd -U "$SA_USER" -P "$SA_PASSWORD" -Q "create database pi"'
 
 You must not use this in productive environment, since it contains fixed encryption keys
 and SSL certificate!
 
-Building
-========
-
-To build the docker image, you must be root, since the result is written to
-/var/lib/docker...
-
-

docker-compose.yml

@@ -0,0 +1,41 @@
+version: "3.7"
+
+services:
+
+  privacyidea:
+    image: privacyidea:dev
+    build:
+      context: .
+    depends_on:
+      - mssql
+    ports:
+      - 5000:5000
+    volumes:
+      - pidata:/home/pi/etc/privacyidea
+    environment: 
+      ADMIN_ACCOUNT: admin@admin.com
+      ADMIN_PASSWORD: admin
+      DB_HOSTNAME: mssql:1433
+      DB_USER: sa
+      DB_PASSWORD: Password!23
+      DB_DATABASE: pi
+      # This is used to encrypt the auth_token
+      SECRET_KEY: 'T0p S3Cret!'
+      # This is used to encrypt the admin passwords
+      PI_PEPPER: 'S3Cret'
+      PI_UI_DEACTIVATED: 'False'
+
+  # https://hub.docker.com/_/microsoft-mssql-server
+  mssql:
+    image: mcr.microsoft.com/mssql/server:2017-CU14
+    volumes:
+      - mssqldata:/var/opt/mssql
+    environment: 
+      ACCEPT_EULA: 'Y'
+      SA_USER: sa
+      SA_PASSWORD: Password!23
+      MSSQL_PID: Developer # Could be also "Express", "Standard", "Enterprise" and "EnterpriseCore"
+
+volumes:
+  mssqldata:
+  pidata:

entrypoint.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -e
+
+. bin/activate
+
+NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-admin@admin.com}"
+ADMIN_PASSWORD="${ADMIN_PASSWORD:-$NEW_UUID}"
+
+if [ ! -f /home/pi/etc/privacyidea/enckey ];
+then
+    pi-manage create_enckey
+else
+    echo "SKIP: enckey already exists."
+fi
+
+if [ ! -f /home/pi/etc/privacyidea/private.pem ];
+then
+    pi-manage create_audit_keys
+else
+    echo "SKIP: audit keys already exists."
+fi
+
+echo "Creating database..."
+until pi-manage createdb; 
+do
+    echo "Cannot connect to database. Trying again..."
+    sleep 3
+done
+
+echo "Migrations step..."
+pi-manage db stamp head -d lib/privacyidea/migrations
+
+echo "Creating admin account"
+pi-manage admin add admin -e "$ADMIN_ACCOUNT" -p "$ADMIN_PASSWORD"
+
+echo "
+    You can login with the following credentials:
+    email: $ADMIN_ACCOUNT 
+    password: $ADMIN_PASSWORD
+"
+
+exec "$@"

pi.py

@@ -0,0 +1,21 @@
+from os import getenv
+
+SUPERUSER_REALM = getenv('SUPERUSER_REALM', ['super', 'administrators'])
+# Your database
+SQLALCHEMY_DATABASE_URI = 'mssql+pymssql://%s:%s@%s/%s' % (getenv('DB_USER'), getenv('DB_PASSWORD'), getenv('DB_HOSTNAME'), getenv('DB_DATABASE'))
+# This is used to encrypt the auth_token
+SECRET_KEY = getenv('SECRET_KEY')
+# This is used to encrypt the admin passwords
+PI_PEPPER = getenv('PI_PEPPER')
+# This is used to encrypt the token data and token passwords
+PI_ENCFILE = '/home/pi/etc/privacyidea/enckey'
+# This is used to sign the audit log
+PI_AUDIT_KEY_PRIVATE = '/home/pi/etc/privacyidea/private.pem'
+PI_AUDIT_KEY_PUBLIC = '/home/pi/etc/privacyidea/public.pem'
+# PI_AUDIT_MODULE = <python audit module>
+# PI_AUDIT_SQL_URI = <special audit log DB uri>
+# PI_LOGFILE = '....'
+PI_UI_DEACTIVATED = getenv('PI_UI_DEACTIVATED') == 'True'
+# PI_LOGLEVEL = 20
+# PI_INIT_CHECK_HOOK = 'your.module.function'
+# PI_CSS = '/location/of/theme.css'

start-server.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+. bin/activate
+
+echo "Starting development server.."
+
+pi-manage runserver -h 0.0.0.0 -p 5000