docker/openldap
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: docker/openldap:main
Branches Tags
docker/openldap:main docker/openldap:2.6 docker/openldap:2.5 docker/openldap:2.4
...
pull from: docker/openldap:2.4
Branches Tags
docker/openldap:2.6 docker/openldap:main docker/openldap:2.5 docker/openldap:2.4

35 Commits
main ... 2.4

Author SHA1 Message Date
endial 6a4aef871e docs: 更新说明文档 2023-09-25 14:25:29 +08:00
endial 34f690393e feat: 更新脚本中处理命令 2023-09-25 12:32:07 +08:00
endial cbacbbd3f0 feat: 更新默认路径的用户组配置 2023-09-25 12:30:30 +08:00
endial 07e6e1e7ef fix: 更新应用验证指令 2023-09-18 09:39:44 +08:00
endial c0b4614cad fix: 更新应用验证指令 2023-09-18 09:24:38 +08:00
endial ccae24f68c feat: 根据新模板更新脚本文件 2023-09-16 10:20:05 +08:00
endial cf70d38535 feat: 更新overrides脚本中配置文件路径定义方式 2023-09-15 18:50:30 +08:00
endial 464690ce57 fix: 更新脚本解决使用 main 作为主分支时无法生成 latest 标签的问题 2023-09-15 18:45:04 +08:00
endial f54d307229 feat: 更新compose样例文件 2023-09-14 17:55:53 +08:00
endial 54baafdb3d feat: 更新CI/CD命令 2023-09-14 17:48:35 +08:00
endial 876cb7a573 feat: 更新Dockerfile忽略配置 2023-09-14 17:47:31 +08:00
endial 06e06c37dd feat: 删除不再使用的管理脚本 2023-08-28 12:09:45 +08:00
endial a314f6f001 feat: 优化CI/CD配置中资源清理,调整使用-VV命令解决测试失败问题 2023-08-28 11:40:23 +08:00
endial f241b1bfc6 feat: 优化CI/CD配置中资源清理 2023-08-28 11:35:47 +08:00
endial 7a0a82adce fix: 规避slapd服务一直返回状态值为1的问题 2023-08-16 12:00:14 +08:00
endial 56e620103f fix: 规避slapd服务一直返回状态值为1的问题 2023-08-16 11:52:24 +08:00
endial e080ae89e7 fix: 规避slapd服务一直返回状态值为1的问题 2023-08-16 11:47:13 +08:00
endial d9dc2c0c60 feat: 优化Dockerfile 2023-08-16 09:25:14 +08:00
endial ec8aead8b1 feat: 更新为使用 Debian 12 2023-08-16 09:22:36 +08:00
endial 76cc298e38 fix: 使用 readlink 解决 libltdl7 库遗漏安装问题 2023-08-16 09:13:07 +08:00
endial 1e1e4077ed feat: CI/CD配置增加临时数据清理 2023-08-15 17:09:34 +08:00
endial 0076a4514e feat: 根据基础镜像通用库路径更改相应调用 2023-08-15 17:06:20 +08:00
endial 23850d3af7 feat: 更新本地编译脚本 2023-08-04 15:37:56 +08:00
endial 678a7e0ff6 feat: 更新 CI/CD 编译阶段定义 2023-08-04 15:33:56 +08:00
endial 7c86979332 feat: 删除 Docker Hub 使用的 Hooks 2023-08-04 15:31:59 +08:00
endial c4d8fd5845 fix: 增加应用信息变量设置 2023-08-03 13:02:42 +08:00
endial baea6b9945 fix: 更新依赖镜像的架构选择 2023-08-02 11:22:25 +08:00
endial 3103d458f9 feat: 增加slapd编译 2023-08-02 11:17:04 +08:00
endial 04704f191c feat: 更新依赖软件包及编译命令 2023-08-02 11:07:44 +08:00
endial f1f92c5a76 feat: CI/CD 增加 tag 选择编译环境 2023-08-02 11:02:49 +08:00
endial 1dc232d5df fix: 移除针对当前版本无效的配置项 2023-08-01 15:32:47 +08:00
endial ca53e5f798 fix: 移除针对当前版本无效的配置项 2023-08-01 15:08:14 +08:00
endial e732ffb824 fix: 移除针对当前版本无效的配置项 2023-08-01 15:06:08 +08:00
endial 68aa36c810 fix: 增加开发库,解决 POSIX regex 问题 2023-08-01 14:49:19 +08:00
endial 27009abc37 docs: 更新版本信息 2023-08-01 14:08:42 +08:00
18 changed files with 594 additions and 545 deletions
Expand all files Collapse all files
.dockerignore
-1
View File
@@ -1,7 +1,6 @@
.git
.gitignore
./alpine
./Makefile
*.yml
.gitlab-ci.yml
+21 -9
View File
@@ -13,10 +13,10 @@ variables:
default:
# 各 stage 使用的默认镜像,如果不定义,则为 gitlab-runner 创建时指定的镜像;各 stage 可以覆盖该值以使用不同的镜像
image: docker.colovu.com/library/docker:20.10.16
# Gitlab-runner 配置的执行器为 Docker 时,需要 配置对应的 dind 服务
services:
- name: docker.colovu.com/library/docker:20.10.16-dind
alias: docker
# Gitlab-runner 配置的执行器为 Docker 时,需要 配置对应的 dind 服务(这里使用Runner中配置的Dind服务)
#services:
# - name: docker.colovu.com/library/docker:20.10.16-dind
# alias: docker
# 流水线中,各阶段都会执行的脚本命令,包括`before_script`(在各阶段 script 前执行)/`after_script`(在各阶段 script 后执行)
before_script:
- |
@@ -27,32 +27,44 @@ default:
fi
- docker login -u "$HARBOR_USERNAME" -p "$HARBOR_PASSWORD" $HARBOR_URL
# 环境变量信息
env-variables:
stage: .pre
script:
- export
# 编译阶段任务
build-arm64:
stage: build
tags:
- arm64
script:
- export
- env
- docker buildx build --platform=linux/arm64 --pull -t "$IMG_URL$IMG_TAG-linux-arm64" . --push
- docker rmi "$IMG_URL$IMG_TAG-linux-arm64"
build-amd64:
stage: build
tags:
- amd64
script:
- docker buildx build --platform=linux/amd64 --pull -t "$IMG_URL$IMG_TAG-linux-amd64" . --push
- docker rmi "$IMG_URL$IMG_TAG-linux-amd64"
# 生成多架构制品,并在上传后删除本地文件
build-artifact:
stage: build
needs: [build-amd64, build-arm64]
script:
- docker manifest create "$IMG_URL$IMG_TAG" "$IMG_URL$IMG_TAG-linux-arm64" "$IMG_URL$IMG_TAG-linux-amd64"
- docker manifest push "$IMG_URL$IMG_TAG"
- docker manifest push -p "$IMG_URL$IMG_TAG"
# 测试阶段任务
test:
stage: test
script:
- docker run --rm --platform=linux/arm64 "$IMG_URL$IMG_TAG" /bin/uname -a
- docker run --rm --platform=linux/amd64 "$IMG_URL$IMG_TAG" /bin/uname -a
- docker run --pull always --rm --platform=linux/arm64 "$IMG_URL$IMG_TAG" -V
- docker run --pull always --rm --platform=linux/amd64 "$IMG_URL$IMG_TAG" -V
- docker images -q "$IMG_URL" | sort -u | xargs docker rmi -f
# 部署阶段任务
deploy:
Dockerfile
+66 -85
View File
@@ -1,9 +1,8 @@
# Ver: 1.9 by Endial Fang (endial@126.com)
# Ver: 1.11 by Endial Fang (endial@126.com)
#
# 默认变量 ========================================================================
# 系统默认变量 ====================================================================
# 该部分变量为系统根据编译命令默认设置
# `TARGETPLATFORM`:构建后的目标平台信息。如 `linux/amd64``linux/arm/v7``windows/amd64`
# `TARGETOS`:目标平台信息(TARGETPLATFORM)中的操作系统部分,如:`linux`、`windows`
# `TARGETARCH`:目标平台信息(TARGETPLATFORM)中的平台架构部分,如:`amd64`、`arm`
@@ -16,39 +15,28 @@
# 可变参数 ========================================================================
# 该部分变量,在编译命令中通过 `--build-arg` 传入;如果未设置,则使用下面对应的默认值
# 设置当前应用名称及版本
ARG APP_NAME=openldap
ARG APP_VER=2.4.59
# 设置默认仓库地址,默认为本地仓库;定义时需要包含末尾的`/`
ARG REGISTRY_URL="docker.colovu.com/"
# 设置 apt-get 源:default / ustc / aliyun
ARG APT_SOURCE=aliyun
# 编译镜像时指定用于加速的本地软件包存储服务器地址
ARG LOCAL_URL=""
ARG APP_NAME=openldap # 设置当前应用名称
ARG APP_VER=2.4.59 # 设置当前应用版本
ARG REGISTRY_URL="docker.colovu.com/" # 设置默认仓库地址,默认为本地仓库;定义时需要包含末尾的`/`
ARG APT_SOURCE=aliyun # 设置 apt-get 源:default / ustc / aliyun
ARG LOCAL_URL="http://local.colovu.com/dist" # 编译镜像时指定用于加速的本地软件包存储服务器地址
# 0. 预处理 ======================================================================
FROM --platform=${TARGETPLATFORM:-linux/amd64} ${REGISTRY_URL}colovu/dbuilder:11 as builder
FROM --platform=${TARGETPLATFORM:-linux/amd64} ${REGISTRY_URL}colovu/dbuilder:12 as builder
# 声明需要使用的全局可变参数
ARG APP_NAME
ARG APP_VER
ARG REGISTRY_URL
ARG APT_SOURCE
ARG LOCAL_URL
# 选择软件包源(Optional),以加速后续软件包安装
# 选择软件包源加速后续软件包安装
RUN select_source ${APT_SOURCE};
# 安装依赖的软件包及库(Optional)
# 安装依赖的软件包及库
# 官方推荐包:Cyrus SASL 2.1.27+、OpenSSL 1.1.1+、libevent 2.1.8+、libsodiumgroff
RUN install_pkg libssl1.1 libssl-dev libcrypto++-dev libsasl2-dev libevent-dev groff groff-base libdb5.3-dev
# RUN install_pkg libtool libltdl7 libltdl-dev libperl-dev
# 设置工作目录
WORKDIR /tmp
RUN install_pkg libperl-dev libcrypto++-dev libsasl2-dev libevent-dev libdb5.3-dev groff groff-base
# dbuilder已安装: libtool libltdl7 libltdl-dev libssl1.1 libssl-dev
# 参考文档:
# 编译: https://www.cnblogs.com/si-jie/p/8214206.html
@@ -57,7 +45,7 @@ WORKDIR /tmp
# 下载并解压软件包(OpenLDAP 2.4.59)
RUN set -eux; \
appName=${APP_NAME}-${APP_VER}.tgz; \
[ ! -z ${LOCAL_URL} ] && localURL=${LOCAL_URL}/${APP_NAME}; \
[ -n ${LOCAL_URL} ] && localURL=${LOCAL_URL}/${APP_NAME}; \
appUrls="${localURL:-} \
https://www.openldap.org/software/download/OpenLDAP/openldap-release \
"; \
@@ -66,20 +54,21 @@ RUN set -eux; \
# 源码编译(OpenLDAP)
# --enable-overlays 会安装所有模块到 slapd 中,比如 memberof 属性,不需要单独添加该模块,但需要配置文件中增加:`overlay memberof`来开启
RUN set -eux; \
APP_ARCH=`arch` \
APP_SRC="/tmp/${APP_NAME}-${APP_VER}"; \
cd ${APP_SRC}; \
LDFLAGS="-L/usr/local/lib -L/usr/lib/${APP_ARCH}-linux-gnu" \
CPPFLAGS="-I/usr/local/include -D_GNU_SOURCE" \
./configure \
--prefix=/usr/local/${APP_NAME} \
--enable-dynamic --enable-syslog \
--enable-dynamic \
--enable-slapd --enable-cleartext --enable-crypt --enable-spasswd --enable-modules \
--enable-mdb --enable-ndb=no --enable-sql=no \
--enable-bdb --enable-mdb --enable-ndb=no --enable-sql=no \
--enable-overlays \
--enable-balancer \
--with-cyrus-sasl --with-tls=openssl --with-systemd=no \
--with-cyrus-sasl --with-tls=openssl \
; \
make depend; \
make -j "$(nproc)"; \
make install;
make -j "$(nproc)" && make install;
# 删除编译生成的多余文件
RUN set -eux; \
@@ -90,31 +79,25 @@ RUN set -eux; \
# 检测并生成依赖文件记录
RUN set -eux; \
find /usr/local/${APP_NAME} -type f -executable -exec ldd '{}' ';' | \
awk '/=>/ { print $(NF-1) }' | \
sort -u | \
xargs -r dpkg-query --search 2>/dev/null | \
cut -d: -f1 | \
sort -u >/usr/local/${APP_NAME}/runDeps;
awk '/=>/ { print $(NF-1) }' | xargs -r basename -a | sort -u | \
xargs -r dpkg-query --search 2>/dev/null | cut -d: -f1 | sort -u \
>>/usr/local/${APP_NAME}/runDeps;
# 1. 生成镜像 =====================================================================
FROM --platform=${TARGETPLATFORM:-linux/amd64} ${REGISTRY_URL}colovu/debian:11
FROM --platform=${TARGETPLATFORM:-linux/amd64} ${REGISTRY_URL}colovu/debian:12
# 声明需要使用的全局可变参数
# 声明需要使用的全局可变参数ARG声明的变量仅编译打包阶段有效)
ARG APP_NAME
ARG APP_VER
ARG REGISTRY_URL
ARG APT_SOURCE
ARG LOCAL_URL
ARG TARGETARCH
# 镜像所包含应用的基础信息,定义环境变量,供后续脚本使用
ENV APP_EXEC=slapd
ENV APP_HOME_DIR=/usr/local/${APP_NAME} \
APP_DEF_DIR=/etc/${APP_NAME}
ENV PATH="${APP_HOME_DIR}/sbin:${APP_HOME_DIR}/bin:${APP_HOME_DIR}/libexec:${PATH}" \
LD_LIBRARY_PATH="${APP_HOME_DIR}/lib"
# 定义应用的基础信息变量(ENV声明的变量实例化后容器内有效)
ENV APP_NAME=${APP_NAME} \
APP_VER=${APP_VER} \
APP_EXEC=slapd \
APP_USER=${APP_NAME} \
LD_LIBRARY_PATH="/usr/local/${APP_NAME}/lib" \
PATH="${PATH}:/usr/local/${APP_NAME}/sbin:/usr/local/${APP_NAME}/bin:/usr/local/${APP_NAME}/libexec"
LABEL \
"Version"="v${APP_VER}" \
@@ -122,46 +105,44 @@ LABEL \
"Github"="https://github.com/colovu/docker-${APP_NAME}" \
"Vendor"="Endial Fang (endial@126.com)"
# 从预处理过程中拷贝软件包(Optional),可以使用阶段编号或阶段命名定义来源
COPY --from=0 /usr/local/${APP_NAME} /usr/local/${APP_NAME}
# 拷贝应用使用的客制化脚本,并创建对应的用户及数据存储目录
# 拷贝多阶段构建结果输出及客制化脚本
COPY --from=builder /usr/local/${APP_NAME} /usr/local/${APP_NAME}
COPY customer /
RUN set -eux; \
prepare_env; \
/bin/bash -c "ln -sf /usr/local/${APP_NAME}/etc/${APP_NAME} /etc/";
\
# 创建对应的用户及数据存储目录
useradd -U -u 996 -d /srv/${APP_NAME} -s /usr/sbin/nologin -r ${APP_USER}; \
mkdir -p /var/log/${APP_NAME} /var/run/${APP_NAME} /var/cache/${APP_NAME}; \
mkdir -p /srv/${APP_NAME}/conf /srv/${APP_NAME}/data /srv/${APP_NAME}/cert /srv/${APP_NAME}/log; \
chown -R ${APP_USER}:${APP_USER} /var/log/${APP_NAME} /var/run/${APP_NAME} /var/cache/${APP_NAME}; \
chown -R ${APP_USER}:${APP_USER} /usr/local/${APP_NAME} /srv/${APP_NAME}; \
\
/bin/bash -c "ln -sf /usr/local/${APP_NAME}/etc/${APP_NAME} /etc/"; \
\
# 选择软件包源,以加速后续软件包安装
select_source ${APT_SOURCE}; \
\
# 安装应用依赖的软件包及库
install_pkg pwgen; \
install_pkg `cat /usr/local/${APP_NAME}/runDeps`; \
\
# 执行后处理脚本
overrideShell="/usr/local/overrides/overrides-${APP_VER}.sh"; \
[ -e "${overrideShell}" ] && /bin/bash "${overrideShell}"; \
\
# 验证安装的应用
${APP_EXEC} -V;
# 选择软件包源(Optional),以加速后续软件包安装
RUN select_source ${APT_SOURCE}
# 安装依赖的软件包及库(Optional)
RUN install_pkg `cat /usr/local/${APP_NAME}/runDeps`;
RUN install_pkg pwgen
# 执行预处理脚本,并验证安装的软件包
RUN set -eux; \
override_file="/usr/local/overrides/overrides-${APP_VER}.sh"; \
[ -e "${override_file}" ] && /bin/bash "${override_file}"; \
${APP_EXEC} -V | :;
# 默认提供的数据卷
VOLUME ["/srv/conf", "/srv/data", "/srv/datalog", "/srv/cert", "/var/log"]
# 默认使用gosu切换为新建用户启动,必须保证端口在1024之上
# 配置容器的数据卷、工作目录及服务端口(必须保证端口在1024之上)
VOLUME ["/srv/${APP_NAME}/conf", "/srv/${APP_NAME}/data", "/srv/${APP_NAME}/cert", "/srv/${APP_NAME}/log"]
WORKDIR /srv/${APP_NAME}/data
EXPOSE 8389 8636
# 关闭基础镜像的健康检查
#HEALTHCHECK NONE
#HEALTHCHECK --interval=30s --timeout=30s --retries=3 CMD curl -fs http://localhost:8080/ || exit 1
#HEALTHCHECK --interval=10s --timeout=10s --retries=3 CMD netstat -ltun | grep 8389
# 应用健康状态检查
HEALTHCHECK --interval=10s --timeout=10s --retries=3 \
CMD netstat -ltun | grep 8389
# 使用 non-root 用户运行后续的命令
USER 1001
# 容器初始化命令
ENTRYPOINT ["/usr/local/bin/entry.sh"]
# 应用程序的启动命令,必须使用非守护进程方式运行
CMD ["/usr/local/bin/run.sh"]
# 使用 dumb-init 启动入口 Shell,确保容器可以接收控制信号;并使用前台方式启动应用程序
ENTRYPOINT ["dumb-init", "entry.sh"]
CMD ["run.sh"]
Makefile
+7 -10
View File
@@ -9,30 +9,27 @@ image_name :=colovu/openldap
REGISTRY_URL :=docker.colovu.com
# 定义系统默认使用的源服务器,包含:default / ustc / aliyun
APT_SOURCE :=ustc
APT_SOURCE :=aliyun
# 定义镜像TAG,类似:
# <镜像名>:<分支名>-<7位Git ID> # Git 仓库且无文件修改直接编译
# <镜像名>:<分支名>-<年月日>-<时分秒> # Git 仓库有文件修改后的编译
# <镜像名>:latest-<年月日>-<时分秒> # 非 Git 仓库编译
# <镜像名>:<分支名>-<7位Git ID> # Git 仓库且无文件修改直接编译
# <镜像名>:<分支名>-<年月日>-<时分秒> # Git 仓库有文件修改后的编译
# <镜像名>:latest-<年月日>-<时分秒> # 非 Git 仓库编译
current_subversion:=$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse --short HEAD; else date +%y%m%d-%H%M%S; fi)
image_tag:=$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse --abbrev-ref HEAD | sed -e 's/master/latest/'; else echo "latest"; fi)-$(current_subversion)
image_tag:=$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse --abbrev-ref HEAD | sed -e 's/master/latest/' | sed -e 's/main/latest/'; else echo "latest"; fi)-$(current_subversion)
build-arg:=--build-arg REGISTRY_URL=$(REGISTRY_URL)
build-arg+=--build-arg APT_SOURCE=$(APT_SOURCE)
# 设置本地下载服务器路径,加速调试时的本地编译速度
local_ip:=`echo "en0 eth0" | xargs -n1 ip addr show 2>/dev/null | grep inet | grep -v 127.0.0.1 | grep -v inet6 | tr "/" " " | awk '{print $$2}'`
build-arg+=--build-arg LOCAL_URL=http://$(local_ip)/dist-files
build-arg+=--build-arg LOCAL_URL=http://local.colovu.com/dist
.PHONY: build clean clearclean upgrade
# 屏蔽 "Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them"
export DOCKER_SCAN_SUGGEST=false
build:
@echo "Build $(image_name):$(image_tag)"
@docker build --progress plain --force-rm $(build-arg) -t $(image_name):$(image_tag) .
@docker buildx build --progress plain --force-rm $(build-arg) -t $(image_name):$(image_tag) .
@echo "Add tag: $(image_name):latest"
@docker tag $(image_name):$(image_tag) $(image_name):latest
@echo "Build complete"
README.md
+31 -20
View File
@@ -8,17 +8,16 @@
**版本信息:**
- 2.4、latest
- 2.4
**镜像信息:**
* 镜像地址:
* 阿里云: registry.cn-shenzhen.aliyuncs.com/colovu/openldap:latest
* Docker Hub: colovu/openldap:latest
* Colovu Registry: docker.colovu.com/colovu/openldap:latest
* 依赖镜像:colovu/debian:11
* 阿里云: registry.cn-shenzhen.aliyuncs.com/colovu/openldap:2.4
* Colovu Registry: docker.colovu.com/colovu/openldap:2.4
* 依赖镜像:colovu/debian:12
> 后续相关命令行默认使用`[Colovu Registry](https://docker.colovu.com)`镜像服务器做说明
> 后续相关命令行默认使用 Aliyun ACR 镜像服务器做说明
## TL;DR
@@ -26,9 +25,12 @@ Docker 快速启动命令:
```shell
# 从 Registry 服务器下载镜像并启动
$ docker run -it docker.colovu.com/colovu/openldap:latest /bin/bash
$ docker run -d --name imgname registry.cn-shenzhen.aliyuncs.com/colovu/openldap:2.4
```
- `registry.cn-shenzhen.aliyuncs.com/colovu/imgname:<TAG>`:镜像名称及版本标签 TAG;标签不指定时默认使用最新版本
Docker-Compose 快速启动命令:
```shell
@@ -53,16 +55,14 @@ $ docker-compose up -d
### 数据卷
镜像默认提供以下数据卷定义,默认数据分别存储在自动生成的应用名对应`openldap`子目录中
镜像默认提供以下数据卷定义:
```shell
/var/datalog # 数据操作日志文件
/srv/conf # 配置文件
/srv/data # 数据文件,主要存放应用数据
/srv/cert # 证书文件存放目录
/var/log # 日志输出
/var/run # 系统运行时文件,如 PID 文件
/srv/openldap/conf # 配置文件
/srv/openldap/data # 数据文件,主要存放应用数据
/srv/openldap/cert # 证书文件存放目录
/srv/openldap/log # 日志输出
/var/run/openldap # 系统运行时文件,如 PID 文件
```
如果需要持久化存储相应数据,需要**在宿主机建立本地目录**,并在使用镜像初始化容器时进行映射。宿主机相关的目录中如果不存在对应应用`openldap`的子目录或相应数据文件,则容器会在初始化时创建相应目录及文件。
@@ -86,13 +86,24 @@ $ docker network create my-network --driver bridge
```shell
$ docker run --detach --rm --name openldap \
--network my-network \
--env LDAP_ROOT=dc=example,dc=org \
--env LDAP_ROOT_PASSWORD=rootpassword \
--env LDAP_BIND_UID=bind \
--env LDAP_BIND_PASSWORD=bindpassword \
--env LDAP_USERS=customuser \
--env LDAP_PASSWORDS=custompassword \
docker.colovu.com/colovu/openldap:latest
registry.cn-shenzhen.aliyuncs.com/colovu/openldap:2.4
```
则 OpenLDAP 容器初始化完成后,相关配置信息如下:
- RootDNcn=root,dc=example,dc=org
- RootPassword: rootpassword
- BindDN: uid=bind,ou=Manager,dc=example,dc=org
- BindPassword: bindpassword
- UserDN: uid=customuser,ou=Manager,dc=example,dc=org
- UserPassword: custompassword
### 启动 MariaDB Galera 容器
使用之前定义的`my-network`网络初始化 MariaDB Galera 容器:
@@ -109,7 +120,7 @@ $ docker run --detach --rm --name mariadb-galera \
--env LDAP_BASE=dc=example,dc=org \
--env LDAP_BIND_DN=uid=bind,ou=Manager,dc=example,dc=org \
--env LDAP_BIND_PASSWORD=bindpassword \
bitnami/mariadb-galera:latest
bitnami/mariadb-galera
```
### 启动 MariaDB client 容器验证
@@ -119,7 +130,7 @@ $ docker run --detach --rm --name mariadb-galera \
```shell
$ docker run -it --rm --name mariadb-client \
--network my-network \
bitnami/mariadb-galera:latest mysql -h mariadb-galera -u customuser -D customdatabase -pcustompassword
bitnami/mariadb-galera mysql -h mariadb-galera -u customuser -D customdatabase -pcustompassword
```
## 容器配置
@@ -127,7 +138,7 @@ $ docker run -it --rm --name mariadb-client \
在初始化 `OpenLDAP` 容器时,如果没有预置配置文件,可以在命令行中设置相应环境变量对默认参数进行修改。类似命令如下(配置环境变量`APP_ENV_KEY_NAME`的值为`key_value`):
```shell
$ docker run -d -e "APP_ENV_KEY_NAME=key_value" colovu/openldap
$ docker run -d -e "APP_ENV_KEY_NAME=key_value" registry.cn-shenzhen.aliyuncs.com/openldap:2.4
```
### 常规配置参数
@@ -136,7 +147,7 @@ $ docker run -d -e "APP_ENV_KEY_NAME=key_value" colovu/openldap
- `LDAP_ROOT`:默认值:**dc=example,dc=org**。设置数据库根 DN
- `LDAP_ORGNIZATION_NAME`:默认值:**Colovu Lab**。设置数据库所属组织名
- `LDAP_ROOT_USERNAME`:默认值:**root**。设置 RootDN 用户名
- `LDAP_ROOT_UID`:默认值:**root**。设置 RootDN 用户名
- `LDAP_ROOT_PASSWORD`:默认值:**rootpassword**。设置 RootDN 用户密码
- `LDAP_BIND_UID`:默认值:**bind**。设置 Binder 用户 UID
- `LDAP_BIND_PASSWORD`:默认值:**bindpassword**。设置 Binder 用户密码
customer/usr/local/bin/common.sh
+333 -275
View File
@@ -1,85 +1,133 @@
#!/bin/bash
# Ver: 1.1 by Endial Fang (endial@126.com)
# Ver: 1.4 by Endial Fang (endial@126.com)
#
# 应用通用业务处理函数
# {0}config
# {-1}frontend
# {1}hdb
# {2}monitor
# 加载依赖脚本
. /usr/local/scripts/libcommon.sh # 通用函数库
. /colovu/lib/libcommon.sh # 通用函数库
. /colovu/lib/libfile.sh
. /colovu/lib/libfs.sh
. /colovu/lib/liblog.sh
. /colovu/lib/libos.sh
. /colovu/lib/libservice.sh
. /colovu/lib/libvalidations.sh
. /usr/local/scripts/libfile.sh
. /usr/local/scripts/libfs.sh
. /usr/local/scripts/liblog.sh
. /usr/local/scripts/libos.sh
. /usr/local/scripts/libservice.sh
. /usr/local/scripts/libvalidations.sh
# 检测应用相应的配置文件是否存在,如果不存在,则从默认配置文件目录拷贝一份
# 默认配置文件路径:/etc/${APP_NAME}
# 目标配置文件路径:/srv/conf/${APP_NAME}
# 参数:
# $1 - 目标路径
# $2 - 源路径
# $* - 基础路径下的文件及目录列表,以" "分割
# 例子:
# ensure_config_file_exist /etc/${APP_NAME} conf.d server.conf
app_ensure_config_file_exist() {
local -r dist_path="${1:?dist paths is missing}"
local -r base_path="${2:?source paths is missing}"
local f=""
# 函数列表
shift 2
LOG_D "List to check in ${base_path}: $@"
while [ "$#" -gt 0 ]; do
f="${1}"
LOG_D " Process \"${f}\""
if [ -d "${base_path}/${f}" ]; then
[[ ! -d "${dist_path}/${f}" ]] && LOG_D " Create directory: ${dist_path}/${f}" && mkdir -p "${dist_path}/${f}"
[[ ! -z $(ls -A "${base_path}/${f}") ]] && app_ensure_config_file_exist "${dist_path}/${f}" "${base_path}/${f}" $(ls -A "${base_path}/${f}")
else
[[ ! -e "${dist_path}/${f}" ]] && LOG_D " Copy: ${base_path}/${f} to ${dist_path}" && cp "${base_path}/${f}" "${dist_path}"
fi
shift
done
}
# 使用环境变量中配置,更新配置文件
openldap_update_conf() {
app_update_conf() {
LOG_I "Update configure files..."
}
# 生成RootDN用户信息
openldap_root_credentials() {
app_root_credentials() {
# 根据容器参数,设置配置文件
LOG_I "Configure LDAP credentials for RootDN"
LOG_I "Update RootDN"
cat > "${APP_CONF_DIR}/rootdn.ldif" << EOF
cat > "${APP_CONF_DIR}/default_rootdn.ldif" << EOF
# RootDN configration
dn: olcDatabase={2}hdb,cn=config
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $LDAP_ROOT
dn: olcDatabase={2}hdb,cn=config
changetype: modify
-
replace: olcRootDN
olcRootDN: $LDAP_ROOT_DN
dn: olcDatabase={2}hdb,cn=config
-
add: olcRootPW
olcRootPW: $LDAP_ENCRYPTED_ROOT_PASSWORD
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=$(id -u),cn=peercred,cn=external, cn=auth" read
by dn.base="${LDAP_ADMIN_DN}" read
by * none
EOF
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/rootdn.ldif"
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/default_rootdn.ldif"
}
openldap_add_default_policy() {
app_add_default_policy() {
# 根据容器参数,设置配置文件
LOG_I "Add default global access control policy"
cat > "${APP_CONF_DIR}/default_policy.ldif" << EOF
# Add default global access control policy
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs="userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire"
by dn.base="gidNumber=0+uidNumber=$(id -u),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by anonymous auth
by self write
by * none
olcAccess: {0}to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" read
by * none
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by * none
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by * none
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
by dn.base="gidNumber=0+uidNumber=$(id -u),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by anonymous auth
by self write
by * none
olcAccess: {0}to attrs="userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange,shadowMax,shadowExpire"
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by anonymous auth
by self write
by * none
olcAccess: {1}to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" manage
by dn.base="gidNumber=$(id -g ${APP_GROUP})+uidNumber=$(id -u ${APP_NAME}),cn=peercred,cn=external,cn=auth" manage
by dn.base="${LDAP_BIND_DN}" read
by dn.base="${LDAP_ADMIN_DN}" write
by anonymous auth
by self write
by * none
EOF
@@ -87,23 +135,23 @@ EOF
}
# 生成Admin账户用户信息
openldap_create_tree() {
app_create_tree() {
# 根据容器参数,设置配置文件
LOG_I "Configure LDAP credentials for admin user"
LOG_I "Add manager account"
cat > "${APP_CONF_DIR}/admin.ldif" << EOF
# RootDN creation
cat > "${APP_CONF_DIR}/default_manager.ldif" << EOF
# Root object creation
dn: $LDAP_ROOT
objectClass: dcObject
objectClass: organization
o: $LDAP_ORGNIZATION_NAME
# Mnanger OU creation
# Mnanger OU object creation
dn: ou=Manager,$LDAP_ROOT
objectClass: organizationalUnit
ou: Manager
# User Admin creation
# User Admin object creation
dn: uid=$LDAP_ADMIN_UID,ou=Manager,$LDAP_ROOT
objectClass: inetOrgPerson
cn: $LDAP_ADMIN_GIVEN_NAME $LDAP_ADMIN_SURNAME
@@ -112,26 +160,27 @@ uid: $LDAP_ADMIN_UID
userPassword: $LDAP_ENCRYPTED_ADMIN_PASSWORD
mail: $LDAP_ADMIN_MAIL
# User Binder creation
# User Binder object creation
dn: uid=$LDAP_BIND_UID,ou=Manager,$LDAP_ROOT
objectClass: inetOrgPerson
cn: $LDAP_BIND_GIVEN_NAME $LDAP_BIND_SURNAME
sn: $LDAP_BIND_SURNAME
uid: $LDAP_BIND_UID
userPassword: $LDAP_ENCRYPTED_BIND_PASSWORD
EOF
debug_execute ldapadd -f "${APP_CONF_DIR}/admin.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD"
debug_execute ldapadd -f "${APP_CONF_DIR}/default_manager.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD"
openldap_add_default_policy
app_add_default_policy
}
# 生成自定义账户用户信息
openldap_create_users() {
app_create_users() {
# 根据容器参数,设置配置文件
LOG_I "Configure LDAP credentials for admin user"
LOG_I "Add defined user"
cat > "${APP_CONF_DIR}/users.ldif" << EOF
cat > "${APP_CONF_DIR}/default_users.ldif" << EOF
# User OU creation
dn: ${LDAP_USER_OU/#/ou=},$LDAP_ROOT
objectClass: organizationalUnit
@@ -144,7 +193,8 @@ EOF
local index=0
for user in "${users[@]}"; do
cat >> "${APP_CONF_DIR}/users.ldif" << EOF
LOG_D " Add user: ${user}"
cat >> "${APP_CONF_DIR}/default_users.ldif" << EOF
# User $user creation
dn: ${user/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}
cn: User$((index + 1 ))
@@ -162,7 +212,8 @@ EOF
index=$((index + 1 ))
done
cat >> "${APP_CONF_DIR}/users.ldif" << EOF
LOG_D " Add group: ${LDAP_USER_GROUP}"
cat >> "${APP_CONF_DIR}/default_users.ldif" << EOF
# Group creation
dn: ${LDAP_USER_GROUP/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}
cn: $LDAP_USER_GROUP
@@ -171,28 +222,27 @@ objectClass: groupOfNames
EOF
for user in "${users[@]}"; do
cat >> "${APP_CONF_DIR}/users.ldif" << EOF
cat >> "${APP_CONF_DIR}/default_users.ldif" << EOF
member: ${user/#/cn=},${LDAP_USER_OU/#/ou=},${LDAP_ROOT}
EOF
done
debug_execute ldapadd -f "${APP_CONF_DIR}/users.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD"
debug_execute ldapadd -f "${APP_CONF_DIR}/default_users.ldif" -H "ldapi:///" -D "$LDAP_ROOT_DN" -w "$LDAP_ROOT_PASSWORD"
}
# 生成默认配置文件
openldap_generate_conf() {
app_generate_conf() {
# 根据容器参数,设置配置文件
LOG_I "Creating LDAP online configuration"
! is_root && replace_in_file "${APP_CONF_DIR}/slapd.ldif" "uidNumber=0" "uidNumber=$(id -u)"
debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l "${APP_CONF_DIR}/slapd.ldif"
debug_execute slapadd -n 0 -F "$LDAP_ONLINE_CONF_DIR" -l "${APP_CONF_DIR}/slapd.ldif"
}
# 生成LTS配置文件
openldap_generate_lts_conf() {
app_generate_lts_conf() {
LOG_I "Configuring TLS"
cat > "${APP_CONF_DIR}/certs.ldif" << EOF
cat > "${APP_CONF_DIR}/default_certs.ldif" << EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
@@ -206,21 +256,21 @@ olcTLSCertificateKeyFile: $LDAP_TLS_KEY_FILE
EOF
if [[ -f "$LDAP_TLS_DH_PARAMS_FILE" ]]; then
cat >> "${APP_CONF_DIR}/certs.ldif" << EOF
cat >> "${APP_CONF_DIR}/default_certs.ldif" << EOF
-
replace: olcTLSDHParamFile
olcTLSDHParamFile: $LDAP_TLS_DH_PARAMS_FILE
EOF
fi
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/certs.ldif"
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/default_certs.ldif"
}
# 检测用户参数信息是否满足条件; 针对部分权限过于开放情况,打印提示信息
openldap_verify_minimum_env() {
app_verify_minimum_env() {
local error_code=0
LOG_D "Validating settings in APP_* env vars..."
LOG_D "Validating settings in ENV vars..."
print_validation_error() {
LOG_E "$1"
@@ -278,55 +328,56 @@ openldap_verify_minimum_env() {
}
# 以后台方式启动应用服务,并等待启动就绪
openldap_start_server_bg() {
local -a flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:/// " "-F" "${APP_CONF_DIR}/slapd.d")
app_start_server_bg() {
app_is_server_running && return
local -a flags=("-h" "ldapi:///" "-F" "${APP_CONF_DIR}/slapd.d")
local -r command="$(command -v slapd)"
LOG_I "Starting ${APP_NAME} in background..."
LOG_D "${command} ${flags[@]}"
if openldap_is_server_not_running; then
ulimit -n "${LDAP_ULIMIT_NOFILES}"
LOG_I "Starting ${APP_NAME} in background..."
LOG_D "${command} ${flags[@]}"
ulimit -n "$LDAP_ULIMIT_NOFILES"
is_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
debug_execute ${command} "${flags[@]}"
debug_execute ${command} "${flags[@]}"
# 通过命令或特定端口检测应用是否就绪
LOG_D "Checking ${APP_NAME} ready status..."
# wait-for-port --timeout 60 "$ZOO_PORT_NUMBER"
LOG_I "${APP_NAME} is ready for service..."
fi
LOG_D "Checking ${APP_NAME} ready status..."
local counter=10
while app_is_server_not_running ; do
LOG_D "Waiting for ${APP_NAME} to ready ... $counter"
if [[ "$counter" -ne 0 ]]; then
break
fi
sleep 1;
counter=$((counter - 1))
done
}
# 停止应用服务
openldap_stop_server() {
local -r retries="${1:-10}"
local -r sleep_time="${2:-1}"
if openldap_is_server_running ; then
app_stop_server() {
if app_is_server_running ; then
LOG_I "Stopping ${APP_NAME}..."
# 使用 PID 文件 kill 进程
stop_service_using_pid "$LDAP_PID_FILE"
# 检测停止是否完成
while [[ "$retries" -ne 0 ]] && openldap_is_server_running; do
LOG_D "Waiting for ${APP_NAME} to stop..."
sleep ${sleep_time}
retries=$((retries - 1))
LOG_D "Checking ${APP_NAME} running status..."
local counter=10
while [[ "$counter" -ne 0 ]] && app_is_server_running; do
LOG_D "Waiting for ${APP_NAME} to stop ... $counter"
sleep 1
counter=$((counter - 1))
done
else
LOG_D "${APP_NAME} stopped..."
fi
fi
}
# 检测应用服务是否在后台运行中
openldap_is_server_running() {
app_is_server_running() {
LOG_D "Check if ${APP_NAME} is running..."
local pid
pid="$(get_pid_from_file "${LDAP_PID_FILE}")"
pid="$(get_pid_from_file ${LDAP_PID_FILE})"
LOG_D "${APP_NAME} PID: ${pid}"
if [[ -n "${pid}" ]]; then
@@ -336,33 +387,193 @@ openldap_is_server_running() {
fi
}
openldap_is_server_not_running() {
! openldap_is_server_running
app_is_server_not_running() {
if [[ app_is_server_running == false ]]; then
true
else
flse
fi
}
# 增加 schema 文件
openldap_add_modules() {
LOG_I "Adding LDAP extra modules"
# 清理初始化应用时生成的临时文件
app_clean_tmp_file() {
LOG_D "Clean ${APP_NAME} tmp files for init..."
local -r -a files=(
"${LDAP_PID_FILE}"
)
#read -r -a modules <<< "$(tr ',;' ' ' <<< "${LDAP_EXTRA_MODULES}")"
modules=($(echo "${LDAP_EXTRA_MODULES[*]} accesslog" | tr ',;' ' ' | sed 's/ /\n/g' | sort | uniq) )
cat > "${APP_CONF_DIR}/modules.ldif" << EOF
dn: cn=module{0},cn=config
add: olcModuleLoad
EOF
for module in "${modules[@]}"; do
LOG_D "Add module: ${module}.la"
cat >> "${APP_CONF_DIR}/modules.ldif" << EOF
olcModuleLoad: ${module}.la
EOF
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/modules.ldif"
for file in ${files[@]}; do
if [[ -f "$file" ]]; then
LOG_D " Remove $file"
rm "$file"
fi
done
}
# 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本
# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag
app_custom_preinit() {
LOG_I "Process pre-init for ${APP_NAME}..."
# 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本
if [ -d "${APP_CONF_DIR}/preinitdb.d" ]; then
# 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作
if [[ -n $(find "${APP_CONF_DIR}/preinitdb.d/" -type f -regex ".*\.\(sh\)") ]] && \
[[ ! -f "${APP_DATA_DIR}/.custom_preinit_flag" ]]; then
LOG_I "Process custom pre-init scripts from /srv/conf/${APP_NAME}/preinitdb.d..."
# 检索所有可执行脚本,排序后执行
find "${APP_CONF_DIR}/preinitdb.d/" -type f -regex ".*\.\(sh\)" | sort | process_init_files
touch "${APP_DATA_DIR}/.custom_preinit_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_preinit_flag"
LOG_I "Custom preinit for ${APP_NAME} complete."
else
LOG_I "Custom preinit for ${APP_NAME} already done before, skipping initialization."
fi
fi
}
# 应用默认初始化操作
# 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件
app_default_init() {
LOG_I "Process default init for ${APP_NAME}..."
# 检测配置文件是否存在
if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then
LOG_I "No injected configuration file found, creating default config files..."
app_generate_conf
touch "${APP_CONF_DIR}/.app_init_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag"
else
LOG_I "User injected custom configuration detected!"
LOG_D "Update configure files from environment..."
app_update_conf
fi
if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then
LOG_I "Deploying ${APP_NAME} from scratch..."
# 启动后台服务
app_start_server_bg
app_root_credentials
if is_boolean_yes "$LDAP_ENABLE_TLS"; then
app_generate_lts_conf
fi
if is_boolean_yes "$LDAP_SKIP_DEFAULT_TREE"; then
LOG_I "Skipping default schemas/tree structure"
else
# 使用相应的 schemas/tree 初始化 OpenLDAP
app_add_modules
app_add_schemas
if ! is_dir_empty "$LDAP_CUSTOM_SCHEMA_DIR"; then
app_add_custom_schema
fi
if ! is_dir_empty "$LDAP_CUSTOM_LDIF_DIR"; then
app_add_custom_ldifs
else
app_create_tree
app_create_users
fi
fi
touch ${APP_DATA_DIR}/.data_init_flag
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag
app_is_server_running && app_stop_server
else
LOG_I "Deploying ${APP_NAME} with persisted data..."
fi
}
# 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本
# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag
app_custom_init() {
LOG_I "Process customer init ${APP_NAME}..."
# 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本
if [ -d "${APP_CONF_DIR}/initdb.d" ]; then
# 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作
if [[ -n $(find "${APP_CONF_DIR}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)") ]] && \
[[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then
LOG_I "Process custom init scripts from ${APP_CONF_DIR}/initdb.d..."
# 启动后台服务
app_start_server_bg
# 检索所有可执行脚本,排序后执行
find "${APP_CONF_DIR}/initdb.d/" -type f -regex ".*\.\(sh\|ldif\|ldif.gz\)" | sort | while read -r f; do
case "$f" in
*.sh)
if [[ -x "$f" ]]; then
LOG_D "Executing $f"; "$f"
else
LOG_D "Sourcing $f"; . "$f"
fi
;;
*.ldif)
LOG_D "Executing $f";
ldapmodify -Y EXTERNAL -H "ldapi:///" -f
;;
*.ldif.gz)
LOG_D "Executing $f";
gunzip -c "$f" | ldapmodify -Y EXTERNAL -H "ldapi:///" -f
;;
*)
LOG_D "Ignoring $f" ;;
esac
done
touch "${APP_DATA_DIR}/.custom_init_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_init_flag"
LOG_I "Custom init for ${APP_NAME} complete."
# 检测服务是否运行中;如果运行,则停止后台服务
app_is_server_running && app_stop_server
app_clean_tmp_file
else
LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization."
fi
fi
}
# 增加 schema 文件
openldap_add_schemas() {
LOG_I "Adding LDAP extra schemas"
app_add_modules() {
local flag_first=true
LOG_I "Add extra modules"
#read -r -a modules <<< "$(tr ',;' ' ' <<< "${LDAP_EXTRA_MODULES}")"
modules=($(echo "${LDAP_EXTRA_MODULES[*]} accesslog" | tr ',;' ' ' | sed 's/ /\n/g' | sort | uniq) )
cat > "${APP_CONF_DIR}/default_modules.ldif" << EOF
dn: cn=module{0},cn=config
changetype: modify
EOF
for module in "${modules[@]}"; do
LOG_D " Add module: ${module}.la"
cat >> "${APP_CONF_DIR}/default_modules.ldif" << EOF
add: olcModuleLoad
olcModuleLoad: ${module}.la
EOF
[[ ! $flag_first ]] && echo "-" >> "${APP_CONF_DIR}/default_modules.ldif"
flag_first=false
done
debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${APP_CONF_DIR}/default_modules.ldif"
}
# 增加 schema 文件
app_add_schemas() {
LOG_I "Add extra schemas"
#read -r -a schemas <<< "$(tr ',;' ' ' <<< "${LDAP_EXTRA_SCHEMAS}")"
schemas=($(echo "${LDAP_EXTRA_SCHEMAS[*]} cosine inetorgperson nis samba" | tr ',;' ' ' | sed 's/ /\n/g' | sort | uniq) )
@@ -373,7 +584,7 @@ openldap_add_schemas() {
}
# 增加个性化 schema 文件
openldap_add_custom_schema() {
app_add_custom_schema() {
LOG_I "Adding custom Schema in $LDAP_CUSTOM_SCHEMA_DIR ..."
#find "$LDAP_CUSTOM_SCHEMA_DIR" -maxdepth 1 \( -type f -o -type l \) -iname '*.ldif' -print0 | sort -z | xargs --null -I{} bash -c ". /usr/local/scripts/libos.sh && debug_execute debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l {} "
@@ -382,13 +593,13 @@ openldap_add_custom_schema() {
debug_execute debug_execute slapadd -F "$LDAP_ONLINE_CONF_DIR" -n 0 -l $f
done
openldap_stop_server
#while openldap_is_server_running; do sleep 1; done
openldap_start_server_bg
app_stop_server
#while app_is_server_running; do sleep 1; done
app_start_server_bg
}
# 导入 ldif 文件定义的数据
openldap_add_custom_ldifs() {
app_add_custom_ldifs() {
LOG_I "Loading custom LDIF files..."
LOG_W "Ignoring LDAP_USERS, LDAP_PASSWORDS, LDAP_USER_OU and LDAP_USER_GROUP environment variables..."
@@ -399,157 +610,4 @@ openldap_add_custom_ldifs() {
done
}
# 清理初始化应用时生成的临时文件
openldap_clean_tmp_file() {
LOG_D "Clean ${APP_NAME} tmp files for init..."
}
# 在重新启动容器时,删除标志文件及必须删除的临时文件 (容器重新启动)
openldap_clean_from_restart() {
LOG_D "Clean ${APP_NAME} tmp files for restart..."
local -r -a files=(
"/var/run/${APP_NAME}/${APP_NAME}.pid"
)
for file in ${files[@]}; do
if [[ -f "$file" ]]; then
LOG_I "Cleaning stale $file file"
rm "$file"
fi
done
}
# 应用默认初始化操作
# 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件
openldap_default_init() {
openldap_clean_from_restart
LOG_D "Check init status of ${APP_NAME}..."
# 检测配置文件是否存在
if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then
LOG_I "No injected configuration file found, creating default config files..."
openldap_generate_conf
touch "${APP_CONF_DIR}/.app_init_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag"
else
LOG_I "User injected custom configuration detected!"
LOG_D "Update configure files from environment..."
openldap_update_conf
fi
if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then
LOG_I "Deploying ${APP_NAME} from scratch..."
[[ ! -e ${APP_DATA_DIR}/DB_CONFIG ]] && cp ${APP_CONF_DIR}/DB_CONFIG.example ${APP_DATA_DIR}/DB_CONFIG
# 启动后台服务
openldap_start_server_bg
openldap_root_credentials
if is_boolean_yes "$LDAP_ENABLE_TLS"; then
openldap_generate_lts_conf
fi
if is_boolean_yes "$LDAP_SKIP_DEFAULT_TREE"; then
LOG_I "Skipping default schemas/tree structure"
else
# 使用相应的 schemas/tree 初始化 OpenLDAP
openldap_add_modules
openldap_add_schemas
if ! is_dir_empty "$LDAP_CUSTOM_SCHEMA_DIR"; then
openldap_add_custom_schema
fi
if ! is_dir_empty "$LDAP_CUSTOM_LDIF_DIR"; then
openldap_add_custom_ldifs
else
openldap_create_tree
openldap_create_users
fi
fi
touch ${APP_DATA_DIR}/.data_init_flag
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag
else
LOG_I "Deploying ${APP_NAME} with persisted data..."
fi
}
# 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本
# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag
openldap_custom_preinit() {
LOG_I "Check custom pre-init status of ${APP_NAME}..."
# 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本
if [ -d "/srv/conf/${APP_NAME}/preinitdb.d" ]; then
# 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作
if [[ -n $(find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)") ]] && \
[[ ! -f "${APP_DATA_DIR}/.custom_preinit_flag" ]]; then
LOG_I "Process custom pre-init scripts from /srv/conf/${APP_NAME}/preinitdb.d..."
# 检索所有可执行脚本,排序后执行
find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)" | sort | process_init_files
touch "${APP_DATA_DIR}/.custom_preinit_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_preinit_flag"
LOG_I "Custom preinit for ${APP_NAME} complete."
else
LOG_I "Custom preinit for ${APP_NAME} already done before, skipping initialization."
fi
fi
# 检测依赖的服务是否就绪
#for i in ${SERVICE_PRECONDITION[@]}; do
# openldap_wait_service "${i}"
#done
}
# 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本
# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag
openldap_custom_init() {
LOG_I "Check custom initdb status of ${APP_NAME}..."
# 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本
if [ -d "/srv/conf/${APP_NAME}/initdb.d" ]; then
# 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作
if [[ -n $(find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)") ]] && \
[[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then
LOG_I "Process custom init scripts from /srv/conf/${APP_NAME}/initdb.d..."
# 启动后台服务
openldap_start_server_bg
# 检索所有可执行脚本,排序后执行
find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)" | sort | while read -r f; do
case "$f" in
*.sh)
if [[ -x "$f" ]]; then
LOG_D "Executing $f"; "$f"
else
LOG_D "Sourcing $f"; . "$f"
fi
;;
*.ldif)
LOG_D "Executing $f";
postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" < "$f"
;;
*)
LOG_D "Ignoring $f" ;;
esac
done
touch "${APP_DATA_DIR}/.custom_init_flag"
echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_init_flag"
LOG_I "Custom init for ${APP_NAME} complete."
else
LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization."
fi
fi
}
customer/usr/local/bin/entry.sh
+22 -14
View File
@@ -1,29 +1,37 @@
#!/bin/bash
# Ver: 1.2 by Endial Fang (endial@126.com)
#!/usr/bin/dumb-init /bin/bash
# Ver: 1.5 by Endial Fang (endial@126.com)
#
# 容器入口脚本
# 容器入口脚本;当前脚本执行完毕时,使用默认用户执行镜像 CMD 定义的命令(默认为'/usr/local/bin/run.sh'
# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
set -eu
set -o pipefail
set -euo pipefail
. /usr/local/scripts/libcommon.sh # 加载通用函数库
. /colovu/lib/libcommon.sh # 加载通用函数库
. /usr/local/bin/environment.sh # 设置环境变量
LOG_I "** Processing entry.sh **"
if [[ "$*" = "/usr/local/bin/run.sh" ]]; then
print_image_welcome
# 优先处理'-'开始的版本信息、帮助信息显示命令,如果是该类命令,处理后退出容器
[[ "${1:0:1}" == '-' ]] && set -- "${APP_EXEC:-/bin/bash}" "$@" && print_command_help "$@"
LOG_I "** Starting ${APP_NAME} setup **"
# 处理 root 用户**且**使用默认启动脚本时的初始化
if [[ "$(id -u)" == '0' ]] && [[ "$1" == "run.sh" ]]; then
print_welcome_info
/usr/local/bin/setup.sh
/usr/local/bin/init.sh
LOG_I "** ${APP_NAME} setup finished! **"
gosu "${APP_USER}" /usr/local/bin/init.sh
# 执行应用启动脚本并替换当前进程
exec gosu "${APP_USER}" "$@"
fi
# 检测是否仅打印帮助信息
[ "${1:0:1}" = '-' ] && set -- "${APP_EXEC:-/bin/bash}" "$@"
print_command_help "$@"
# 处理 root 用户**且**使用init.sh脚本时的初始化
if [[ "$(id -u)" == '0' ]] && [[ "$1" == "init.sh" ]]; then
/usr/local/bin/setup.sh
gosu "${APP_USER}" /usr/local/bin/init.sh
fi
# 处理非以上情形的自定义命令
LOG_I "Start container with command: $@"
exec "$@"
customer/usr/local/bin/environment.sh
+20 -18
View File
@@ -1,16 +1,17 @@
#!/bin/bash
# Ver: 1.0 by Endial Fang (endial@126.com)
# Ver: 1.2 by Endial Fang (endial@126.com)
#
# 应用环境变量定义及初始化
# 通用设置
export ENV_DEBUG=${ENV_DEBUG:-false}
export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}"
export ALLOW_ANONYMOUS="${ALLOW_ANONYMOUS:-no}"
# 通过读取变量名对应的 *_FILE 文件,获取变量值;如果对应文件存在,则通过传入参数设置的变量值会被文件中对应的值覆盖
# 通过读取变量名对应的`*_FILE`文件,获取变量值
# 变量优先级: *_FILE > 传入变量 > 默认值
app_env_file_lists=(
APP_PASSWORD
LDAP_ROOT_PASSWORD
LDAP_BIND_PASSWORD
LDAP_ADMIN_PASSWORD
)
for env_var in "${app_env_file_lists[@]}"; do
file_env_var="${env_var}_FILE"
@@ -21,16 +22,20 @@ for env_var in "${app_env_file_lists[@]}"; do
done
unset app_env_file_lists
# 应用路径参数
export APP_HOME_DIR="/usr/local"
export APP_DEF_DIR="/etc/${APP_NAME}"
export APP_CONF_DIR="/srv/conf/${APP_NAME}"
export APP_DATA_DIR="/srv/data/${APP_NAME}"
export APP_DATA_LOG_DIR="/srv/datalog/${APP_NAME}"
# 应用路径参数Dockerfile 已定义:APP_NAME、APP_VER,可能定义 APP_USER、APP_EXEC
export APP_EXEC="${APP_EXEC:-${APP_NAME}}"
export APP_USER="${APP_USER:-${APP_NAME}}"
export APP_GROUP="${APP_USER:-${APP_NAME}}"
export APP_HOME="${APP_HOME:-/srv/${APP_NAME}}"
export APP_BASE="${APP_BASE:-/usr/local/${APP_NAME}}"
export APP_DEF_DIR="${APP_BASE}/etc/${APP_NAME}"
export APP_CONF_DIR="/srv/${APP_NAME}/conf"
export APP_DATA_DIR="/srv/${APP_NAME}/data"
export APP_CERT_DIR="/srv/${APP_NAME}/cert"
export APP_LOG_DIR="/srv/${APP_NAME}/log"
export APP_CACHE_DIR="/var/cache/${APP_NAME}"
export APP_RUN_DIR="/var/run/${APP_NAME}"
export APP_LOG_DIR="/var/log/${APP_NAME}"
export APP_CERT_DIR="/srv/cert/${APP_NAME}"
# 应用配置参数
export LDAP_PORT_NUMBER="${LDAP_PORT_NUMBER:-8389}"
@@ -53,8 +58,8 @@ export LDAP_TLS_DH_PARAMS_FILE="${LDAP_TLS_DH_PARAMS_FILE:-}"
export LDAP_ROOT="${LDAP_ROOT:-dc=example,dc=org}"
export LDAP_ORGNIZATION_NAME="${LDAP_ORGNIZATION_NAME:-Colovu Lab}"
export LDAP_ROOT_USERNAME="${LDAP_ROOT_USERNAME:-root}"
export LDAP_ROOT_DN="${LDAP_ROOT_USERNAME/#/cn=},${LDAP_ROOT}"
export LDAP_ROOT_UID="${LDAP_ROOT_UID:-root}"
export LDAP_ROOT_DN="${LDAP_ROOT_UID/#/cn=},${LDAP_ROOT}"
export LDAP_ROOT_PASSWORD="${LDAP_ROOT_PASSWORD:-rootpassword}"
export LDAP_BIND_GIVEN_NAME="${LDAP_BIND_GIVEN_NAME:-Binder}"
@@ -82,9 +87,6 @@ export LDAP_ONLINE_CONF_DIR="${APP_CONF_DIR}/slapd.d"
export LDAP_PID_FILE="${APP_RUN_DIR}/slapd.pid"
export LDAP_ARGS_FILE="${APP_RUN_DIR}/slapd.args"
export LDAP_DAEMON_USER="slapd"
export LDAP_DAEMON_GROUP="slapd"
#export LDAP_ENCRYPTED_ROOT_PASSWORD="$(echo -n $LDAP_ROOT_PASSWORD | slappasswd -n -T /dev/stdin)"
#export LDAP_ENCRYPTED_BIND_PASSWORD="$(echo -n $LDAP_BIND_PASSWORD | slappasswd -n -T /dev/stdin)"
#export LDAP_ENCRYPTED_ADMIN_PASSWORD="$(echo -n $LDAP_ADMIN_PASSWORD | slappasswd -n -T /dev/stdin)"
customer/usr/local/bin/init.sh
+7 -11
View File
@@ -5,25 +5,21 @@
# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
set -eu
set -o pipefail
set -euo pipefail
. /usr/local/bin/common.sh # 应用专用函数库
. /usr/local/bin/environment.sh # 设置环境变量
. /usr/local/bin/common.sh # 应用专用函数库
LOG_I "** Processing init.sh **"
trap "app_stop_server" EXIT
trap "${APP_NAME}_stop_server" EXIT
${APP_NAME}_verify_minimum_env
app_verify_minimum_env
# 执行应用预初始化操作
${APP_NAME}_custom_preinit
app_custom_preinit
# 执行应用初始化操作
${APP_NAME}_default_init
app_default_init
# 执行用户自定义初始化脚本
${APP_NAME}_custom_init
LOG_I "** Processing init.sh finished! **"
app_custom_init
customer/usr/local/bin/run.sh
+15 -17
View File
@@ -1,14 +1,15 @@
#!/bin/bash
# Ver: 1.3 by Endial Fang (endial@126.com)
# Ver: 1.5 by Endial Fang (endial@126.com)
#
# 应用启动脚本
# 应用启动脚本;组合默认的配置参数及容器启动时传入的 CMD 参数,启动应用
# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
set -eu
set -o pipefail
set -euo pipefail
. /colovu/lib/liblog.sh # 日志输出函数库
. /colovu/lib/libvalidations.sh # 数据校验
. /usr/local/bin/common.sh # 应用专用函数库
. /usr/local/bin/environment.sh # 设置环境变量
LOG_I "** Processing run.sh **"
@@ -17,22 +18,19 @@ LOG_I "** Processing run.sh **"
# https://github.com/docker/docker/issues/8231
ulimit -n "$LDAP_ULIMIT_NOFILES"
readonly START_COMMAND="$(command -v ${APP_EXEC})"
readonly START_COMMAND="$(command -v ${APP_EXEC:-${APP_NAME}})"
flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldapi:///")
# 配置默认启动参数(应用配置文件、前台方式启动)
flags=("-h" "ldapi:/// ldap://:${LDAP_PORT_NUMBER}/")
# 如果启用 TLS, 增加 LDAPS 服务
is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" "ldap://:${LDAP_PORT_NUMBER}/ ldaps://:${LDAP_LDAPS_PORT_NUMBER}/ ldapi:///")
is_boolean_yes "$LDAP_ENABLE_TLS" && flags=("-h" '"ldapi:/// ldap://:'${LDAP_PORT_NUMBER}'/ ldaps://:'${LDAP_LDAPS_PORT_NUMBER}'/"')
# 确保应用运行在前台
flags=("-d" "stats" "${flags[@]}")
flags=("-F" "${APP_CONF_DIR}/slapd.d" "${flags[@]}")
flags+=("-d" "stats")
[[ -z "${APP_EXTRA_FLAGS:-}" ]] || flags=("${flags[@]}" "${APP_EXTRA_FLAGS[@]}")
# 增加 "@" 以使用用户在命令行添加的扩展标识
flags=("${flags[@]}" "$@")
[[ -n "${APP_CONF_DIR:-}" ]] && flags+=("-F" "${APP_CONF_DIR}/slapd.d")
[[ -n "${APP_EXTRA_FLAGS:-}" ]] && flags+=("${APP_EXTRA_FLAGS[@]}")
flags+=("$@")
LOG_I "** Starting ${APP_NAME} **"
is_root && flags=("-u" "$LDAP_DAEMON_USER" "${flags[@]}")
LOG_I "Command: ${START_COMMAND[@]} ${flags[@]}"
LOG_I "Start ${APP_NAME} with command: ${START_COMMAND[@]} ${flags[@]}"
exec "${START_COMMAND[@]}" "${flags[@]}"
customer/usr/local/bin/setup.sh
+17 -18
View File
@@ -1,36 +1,35 @@
#!/bin/bash
# Ver: 1.2 by Endial Fang (endial@126.com)
# Ver: 1.3 by Endial Fang (endial@126.com)
#
# 应用环境及依赖文件设置脚本
# 应用环境及依赖文件设置脚本;当前脚本以‘root’用户执行
# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用:
# -e: 命令执行错误则报错(errexit); -u: 变量未定义则报错(nounset); -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错
set -eu
set -o pipefail
set -euo pipefail
. /usr/local/scripts/libcommon.sh # 加载通用函数库
. /usr/local/scripts/libfs.sh # 加载文件操作函数库
. /usr/local/scripts/libos.sh # 加载系统管理函数库
. /colovu/lib/libcommon.sh # 加载通用函数库
. /colovu/lib/libfs.sh # 加载文件操作函数库
. /colovu/lib/libos.sh # 加载系统管理函数库
. /usr/local/bin/environment.sh # 设置环境变量
. /usr/local/bin/common.sh # 应用专用函数库
LOG_I "** Processing setup.sh **"
APP_DIRS="${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_DATA_LOG_DIR:-}"
APP_DIRS=(/var/log/${APP_NAME} /var/run/${APP_NAME} /var/cache/${APP_NAME} ${APP_HOME})
APP_DIRS+=(${APP_HOME}/conf ${APP_HOME}/data ${APP_HOME}/cert ${APP_HOME}/log ${LDAP_ONLINE_CONF_DIR})
APP_DIRS="${APP_DIRS} ${LDAP_ONLINE_CONF_DIR}"
LOG_I "Ensure directory exists: ${APP_DIRS}"
for dir in ${APP_DIRS}; do
ensure_dir_exists ${dir}
LOG_I "Ensure directory exists: ${APP_DIRS[@]}"
for dir in ${APP_DIRS[@]}; do
ensure_dir_exists ${dir} ${APP_USER}
done
# 检测指定文件是否在配置文件存储目录存在,如果不存在则拷贝(新挂载数据卷、手动删除都会导致不存在)
LOG_I "Check config files in: ${APP_CONF_DIR}"
if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then
ensure_config_file_exist "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}")
if [[ -z "$(ls -A "${APP_CONF_DIR}")" ]]; then
app_ensure_config_file_exist "${APP_CONF_DIR}" "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}")
fi
is_root && ensure_user_exists "$LDAP_DAEMON_USER" -g "$LDAP_DAEMON_GROUP"
LOG_I "** Processing setup.sh finished! **"
# 解决使用non-root后,[emerg] open() "/dev/stdout" failed (13: Permission denied)
LOG_D "Change permissions of stdout/stderr to 0662"
chmod 0662 /dev/stdout /dev/stderr
customer/usr/local/openldap/etc/openldap/slapd.ldif
+18 -20
View File
@@ -41,7 +41,7 @@ dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///srv/conf/openldap/schema/core.ldif
include: file:///srv/openldap/conf/schema/core.ldif
#
# Frontend settings, olcDatabase: -1
@@ -50,7 +50,7 @@ dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcAccess: to * by * manage
#
# Configuration database, olcDatabase: 0
@@ -58,18 +58,10 @@ olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=a
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcAccess: to * by * manage
#
# Server status monitoring, olcDatabase: 1
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none
#
# Backend database definitions, olcDatabase: 2
# Backend database definitions, olcDatabase: 1
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
@@ -77,14 +69,23 @@ objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=root,dc=example,dc=com
olcDbDirectory: /srv/data/openldap
olcDbDirectory: /srv/openldap/data
olcDbIndex: objectClass eq,pres
olcDbIndex: uid,ou,cn,mail,surname,givenname eq,pres,sub
olcAccess: to * by * manage
#
# Add memberof overlay and refint
# Server status monitoring, olcDatabase: 2
#
dn: olcOverlay=memberof,olcDatabase={2}hdb,cn=config
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by * manage
#
# Add overlay
#
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
@@ -96,7 +97,7 @@ olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
dn: olcOverlay=refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
@@ -104,10 +105,7 @@ objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember owner
#
# Add ppolicy overlay and syncprov
#
#dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
#dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
#objectClass: olcConfig
#objectClass: olcOverlayConfig
#objectClass: olcPPolicyConfig
customer/usr/local/overrides/overrides-x.x.x.sh
+3 -3
View File
@@ -1,11 +1,11 @@
#!/bin/bash -e
# Ver: 1.1 by Endial Fang (endial@126.com)
# Ver: 1.2 by Endial Fang (endial@126.com)
#
# 在安装完应用后,使用该脚本修改默认配置文件中部分配置项; 如果相应的配置项已经定义为容器环境变量,则不需要在这里修改
# 定义要修改的文件(改文件应当是默认配置文件目录中的模板文件)
CONF_FILE="${APP_DEF_DIR}/config/server.properties"
CONF_FILE="/usr/local/${APP_NAME}/etc/${APP_NAME}/slapd.ldif"
echo "Process overrides for: ${CONF_FILE}"
#echo "Process overrides for: ${CONF_FILE}"
#sed -i -E 's/^#?listeners=/d' "${CONF_FILE}"
#sed -i -E 's/^#?log.dirs=\/tmp\/kafka-logs*/log.dirs=\/var\/log\/kafka/g' "${CONF_FILE}"
customer/usr/sbin/create_user
-12
View File
@@ -1,12 +0,0 @@
#!/bin/bash
# Ver: 1.2 by Endial Fang (endial@126.com)
#
# shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行)
set -eux
groupadd --gid 1001 --system ${APP_USER}
#useradd --gid 1001 --uid 1001 --shell /bin/bash --home /srv/data/${APP_NAME} --system ${APP_USER}
useradd --gid 1001 --uid 1001 --shell /usr/sbin/nologin --home /srv/data/${APP_NAME} --system ${APP_USER}
# 如果需要 sudo 权限,需要在 Dockerfile 中安装 su 软件包:RUN install_pkg sudo
#sed -i -e 's/^\sDefaults\s*secure_path\s*=/# Defaults secure_path=/' /etc/sudoers
#echo "${APP_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
customer/usr/sbin/prepare_env
-17
View File
@@ -1,17 +0,0 @@
#!/bin/bash
# Ver: 1.3 by Endial Fang (endial@126.com)
#
# shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行)
set -eux
APP_DIRS=" \
/srv/conf/${APP_NAME} \
/srv/data/${APP_NAME} \
/srv/datalog/${APP_NAME} \
/var/cache/${APP_NAME} \
/var/run/${APP_NAME} \
/var/log/${APP_NAME} \
/srv/cert/${APP_NAME}"
mkdir -p ${APP_DIRS}
chmod -R g+rwX ${APP_DIRS} /usr/local/${APP_NAME}
docker-compose-cluster.yml
+34
View File
@@ -0,0 +1,34 @@
version: '3.8'
# Docker-Compose 方式启动容器集群的 YAML 配置文件
# 当前配置仅保证可以启动容器;更多配置参数请参考镜像 README.md 文档中说明
services:
openldap-1:
image: 'registry.cn-shenzhen.aliyuncs.com/colovu/docker-openldap'
ports:
- '8001:8000'
openldap-2:
image: 'registry.cn-shenzhen.aliyuncs.com/colovu/docker-openldap'
ports:
- '8002:8000'
volumes:
- 'app_conf:/srv/conf'
depends_on:
- openldap-1
# 系统中已经存在使用`docker network create front-tier --driver bridge`创建的网络
networks:
back-tier:
external: back-tier
front-tier:
driver: bridge
# 定义本地数据卷,由系统管理,需要手动删除
volumes:
app_conf:
driver: local
app_data:
driver: local
var_log:
driver: local
hooks/README.md
-8
View File
@@ -1,8 +0,0 @@
# 说明
## 用途
本目录下相关 Hooks 脚本主要用于 Docker Hub 服务器编译镜像时,获取用户设置的环境变量,并根据环境变量进行条件编译。相关脚本说明参照[官方文档](https://docs.docker.com/docker-hub/builds/advanced/)。
目录`hooks`必须与镜像编译文件 Dockerfile 同目录。
hooks/build
-7
View File
@@ -1,7 +0,0 @@
#!/bin/bash
# v1.0 by Endial Fang (endial@126.com)
#
# 用户 docker.hub 的自动编译钩子文件,相应的变量在镜像库自动编译界面进行配置(如:registry_url、apt_source
# 参见: https://docs.docker.com/docker-hub/builds/advanced/
docker build --build-arg registry_url=${registry_url:-docker.io} --build-arg apt_source=${apt_source:-default} -f $DOCKERFILE_PATH -t $IMAGE_NAME .