nicolabs/vegardit-docker-openldap
1
0
Fork 0
mirror of https://github.com/vegardit/docker-openldap.git synced 2026-04-10 07:26:41 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
vegardit-docker-openldap/image/Dockerfile

234 lines
7.3 KiB
Docker
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#syntax=docker/dockerfile:1
# see https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/reference.md
# see https://docs.docker.com/engine/reference/builder/#syntax
#
# SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com)
# SPDX-FileContributor: Sebastian Thomschke
# SPDX-License-Identifier: Apache-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-openldap
# https://hub.docker.com/_/debian/tags?name=trixie-slim
ARG BASE_IMAGE=debian:trixie-slim
#############################################################
# build pqchecker
#############################################################
# https://github.com/hadolint/hadolint/wiki/DL3006 Always tag the version of an image explicitly
# hadolint ignore=DL3006
FROM ${BASE_IMAGE} AS pqchecker-build
ARG DEBIAN_FRONTEND=noninteractive
ARG LC_ALL=C
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
# https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions
# hadolint ignore=DL3008
RUN <<EOF
set -x
apt-get update
apt-get install --no-install-recommends -y \
build-essential \
ca-certificates \
git
git config --global advice.detachedHead false
git config --global core.sparseCheckout true
git config --global init.defaultBranch main
EOF
WORKDIR /opt/openldap-src
RUN <<EOF
git clone --depth 1 --branch OPENLDAP_REL_ENG_2_6 https://github.com/openldap/openldap.git .
./configure
make depend
EOF
WORKDIR /opt/jni-headers
ENV JVM_DIR=/usr/lib/jvm/openjdk11
RUN <<EOF
set -x
git clone --depth 1 --filter=blob:none --no-checkout --branch jdk-11-ga https://github.com/openjdk/jdk.git .
git sparse-checkout init --cone
git sparse-checkout set \
src/java.base/share/native/include/jni.h \
src/java.base/unix/native/include/jni_md.h
git checkout
mkdir -p "$JVM_DIR/include/linux"
cp src/java.base/share/native/include/jni.h "$JVM_DIR/include/"
cp src/java.base/unix/native/include/jni_md.h "$JVM_DIR/include/linux/"
EOF
WORKDIR /opt/pqchecker
RUN <<EOF
set -eu
# auto-detect JAVA_HOME from wherever jni.h landed
JNI_HDR=$(find /usr/lib/jvm -path '*/include/jni.h' -print -quit)
if [[ -z $JNI_HDR ]]; then
echo "ERROR: jni.h not found under /usr/lib/jvm cannot set JAVA_HOME" >&2
exit 1
fi
JAVA_HOME=$(dirname "$(dirname "$JNI_HDR")")
echo "Detected JAVA_HOME=$JAVA_HOME"
export JAVA_HOME
set -x
git init .
# git remote add origin https://bitbucket.org/ameddeb/pqchecker.git
git remote add origin https://github.com/pqchecker/pqchecker.git
git fetch --depth 1 origin 2813c1922c4233d72066201d11b6b4ad4f61239d
git checkout FETCH_HEAD
bash ./adjustdate.bash
./configure \
LDAPSRC=/opt/openldap-src \
JAVAHOME="$JAVA_HOME" \
libdir=/usr/lib/ldap \
PARAMDIR=/etc/ldap/pqchecker
make
EOF
#############################################################
# build final image
#############################################################
# https://github.com/hadolint/hadolint/wiki/DL3006 Always tag the version of an image explicitly
# hadolint ignore=DL3006
FROM ${BASE_IMAGE} as final
ARG DEBIAN_FRONTEND=noninteractive
ARG LC_ALL=C
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
ARG INSTALL_SUPPORT_TOOLS=0
ARG BASE_LAYER_CACHE_KEY
COPY --from=pqchecker-build /opt/pqchecker/src/.libs/pqchecker.so /usr/lib/ldap/pqchecker.so
COPY --from=pqchecker-build /opt/pqchecker/pqparams.dat /etc/ldap/pqchecker/pqparams.dat
# https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions
# hadolint ignore=DL3008,SC2016
RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
/mnt/shared/cmd/debian-install-os-updates.sh
/mnt/shared/cmd/debian-install-support-tools.sh
echo "#################################################"
echo "Installing tini..."
echo "#################################################"
apt-get install --no-install-recommends -y tini
echo "#################################################"
echo "Installing slapd..."
echo "#################################################"
echo 'slapd slapd/root_password password whatever' | debconf-set-selections
echo 'slapd slapd/root_password_again password whatever' | debconf-set-selections
apt-get install --no-install-recommends -y slapd ldap-utils
echo "OpenLDAP $(apt-cache show slapd | grep Version)" >> /opt/build_info
# workaround for 'service slapd stop' not working, see https://stackoverflow.com/a/58792698/5116073
sed -i 's/--exec $SLAPD 2/--name slapd 2/' /etc/init.d/slapd
echo "#################################################"
echo "Moving config and data directories..."
echo "#################################################"
mv /etc/ldap/slapd.d /etc/ldap/slapd.d_orig
mkdir /etc/ldap/slapd.d
mv /var/lib/ldap /var/lib/ldap_orig
mkdir /var/lib/ldap
/mnt/shared/cmd/debian-cleanup.sh
EOF
ARG OCI_authors
ARG OCI_title
ARG OCI_description
ARG OCI_source
ARG OCI_revision
ARG OCI_version
ARG OCI_created
ARG GIT_BRANCH
ARG GIT_COMMIT_DATE
# https://github.com/opencontainers/image-spec/blob/main/annotations.md
LABEL \
org.opencontainers.image.title="$OCI_title" \
org.opencontainers.image.description="$OCI_description" \
org.opencontainers.image.source="$OCI_source" \
org.opencontainers.image.revision="$OCI_revision" \
org.opencontainers.image.version="$OCI_version" \
org.opencontainers.image.created="$OCI_created"
LABEL maintainer="$OCI_authors"
# Default configuration: can be overridden at the docker command line
# see https://github.com/hadolint/hadolint/wiki/DL3044
# hadolint ignore=DL3044
ENV \
INIT_SH_FILE='' \
#
LDAP_INIT_ORG_DN='DC=example,DC=com' \
LDAP_INIT_ORG_NAME='Example Corporation' \
LDAP_INIT_ORG_ATTR_O='' \
LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,${LDAP_INIT_ORG_DN}' \
LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,${LDAP_INIT_ORG_DN}' \
LDAP_INIT_ROOT_USER_DN='uid=admin,${LDAP_INIT_ORG_DN}' \
LDAP_INIT_ROOT_USER_PW='' \
LDAP_INIT_ALLOW_CONFIG_ACCESS='false' \
LDAP_INIT_PPOLICY_DEFAULT_DN='cn=DefaultPasswordPolicy,ou=Policies,${LDAP_INIT_ORG_DN}' \
LDAP_INIT_PPOLICY_PW_MIN_LENGTH=8 \
LDAP_INIT_PPOLICY_MAX_FAILURES=3 \
LDAP_INIT_PPOLICY_LOCKOUT_DURATION=300 \
LDAP_INIT_RFC2307BIS_SCHEMA=0 \
LDAP_PPOLICY_PQCHECKER_RULE='0|01010101' \
LDAP_NOFILE_LIMIT=1024 \
LDAP_LOG_LEVELS='Config Stats' \
# Format is "HH:MM", i.e. 24-hour format with minute precision
LDAP_BACKUP_TIME='02:00' \
LDAP_BACKUP_FILE='/var/lib/ldap/data.ldif' \
LDAP_OPENLDAP_UID='' \
LDAP_OPENLDAP_GID='' \
LDAP_TLS_ENABLED='auto' \
LDAP_LDAPS_ENABLED='true' \
LDAP_TLS_SSF=128 \
LDAP_TLS_CERT_FILE='/run/secrets/ldap/server.crt' \
LDAP_TLS_KEY_FILE='/run/secrets/ldap/server.key' \
LDAP_TLS_CA_FILE='/run/secrets/ldap/ca.crt' \
LDAP_TLS_VERIFY_CLIENT='try'
RUN <<EOF
echo "#################################################"
echo "Writing build_info..."
echo "#################################################"
cat <<EOT >/opt/build_info
GIT_REPO: $OCI_source
GIT_BRANCH: $GIT_BRANCH
GIT_COMMIT: $OCI_revision @ $GIT_COMMIT_DATE
IMAGE_BUILD: $OCI_created
EOT
cat /opt/build_info
EOF
COPY image/ldifs /opt/ldifs
COPY image/run.sh /opt/run.sh
COPY .shared/lib/bash-init.sh /opt/bash-init.sh
VOLUME ["/etc/ldap/slapd.d", "/var/lib/ldap"]
EXPOSE 389 636
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["/bin/bash", "/opt/run.sh"]
Reference in a new issue View git blame Copy permalink