Initial commit

Author: battlecow

.dockerignore

@@ -0,0 +1,2 @@
+Makefile
+.travis.yml

.travis.yml

@@ -0,0 +1,9 @@
+services:
+  - 'docker'
+
+script:
+  - if [[ "$TRAVIS_BRANCH" == "master" ]]; then
+      make release ;
+    else
+      make build ;
+    fi

Dockerfile

@@ -0,0 +1,17 @@
+FROM tomcat:8.5.35-jre8-slim
+
+LABEL Maintaner JamfDevops <[email protected]>
+
+RUN adduser --disabled-password --gecos '' tomcat && \
+	rm -rf /usr/local/tomcat/webapps && \
+	mkdir -p /usr/local/tomcat/webapps
+
+COPY startup.sh /startup.sh
+COPY log4j.stdout.replace /log4j.stdout.replace
+COPY configuration.sh /configuration.sh
+
+CMD ["/startup.sh"]
+
+VOLUME /usr/local/tomcat/logs
+
+EXPOSE 8080

LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2010-2018 Google, Inc. http://angularjs.org
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

Makefile

@@ -0,0 +1,61 @@
+# HELP
+# This will output the help for each task
+# thanks to https://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
+.PHONY: help
+
+help: ## This help.
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+.DEFAULT_GOAL := help
+
+DOCKER_IMAGE_BASE := jamfdevops
+DOCKER_ORG := 
+DOCKER_IMAGE := jamfpro
+
+VERSION=$(shell git --no-pager describe --tags --always)
+SHA=$(shell git rev-parse --verify HEAD)
+BUILD_URL=$(TRAVIS_JOB_WEB_URL)
+BUILD_TIMESTAMP=$(shell date +%s)
+
+# DOCKER TASKS
+# Build the image
+build: ## Build the image
+	docker build -t $(DOCKER_IMAGE) .
+
+build-nc: ## Build the image without caching
+	docker build --no-cache \
+	--label "GIT_SHA=$(SHA)" \
+	--label "BUILD_URL=$(BUILD_URL)" \
+	--label "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)" \
+	-t $(DOCKER_IMAGE) .
+
+release: build-nc tag publish ## Make a release by building and publishing the `{version}` tagged image
+
+# Docker publish
+publish: repo-login publish-version ## Publish the `{version}` tagged image
+
+publish-latest: tag-latest ## Publish the `latest` taged container
+	@echo 'Publish latest to $(DOCKER_IMAGE_BASE)$(DOCKER_ORG)'
+	docker push $(DOCKER_IMAGE_BASE)$(DOCKER_ORG)/$(DOCKER_IMAGE):latest
+
+publish-version: tag-version ## Publish the `{version}` tagged container
+	@echo 'Publish $(VERSION) to $(DOCKER_IMAGE_BASE)$(DOCKER_ORG)'
+	docker push $(DOCKER_IMAGE_BASE)$(DOCKER_ORG)/$(DOCKER_IMAGE):$(VERSION)
+
+# Docker tagging
+tag: tag-latest tag-version ## Generate image tags for the `{version}` and `latest`
+
+tag-latest: ## Generate image `{version}` tag
+	@echo 'Create tag latest'
+	docker tag $(DOCKER_IMAGE) $(DOCKER_IMAGE_BASE)$(DOCKER_ORG)/$(DOCKER_IMAGE):latest
+
+tag-version: ## Generate image `latest` tag
+	@echo 'Create tag $(VERSION)'
+	docker tag $(DOCKER_IMAGE) $(DOCKER_IMAGE_BASE)$(DOCKER_ORG)/$(DOCKER_IMAGE):$(VERSION)
+
+repo-login: ## Login to docker repo
+	@echo 'Logging into DockerHub'
+	docker login -u $(DOCKER_USERNAME) -p $(DOCKER_PASSWORD)
+
+version: ## Output the current version
+	@echo $(VERSION)

README.md

@@ -0,0 +1,51 @@
+# JamfPro Tomcat Docker image
+
+## Description
+Basic Docker image based upon upstream Tomcat image to run a manually downloaded JamfPro ROOT.war from JamfNation
+
+## Features
+* Creates and runs Tomcat as user:group tomcat (non-root)
+* Correct pathing for JamfPro file logs
+* Logs to stdout of JamfPro logs in addtion to catalina logs
+* JMX connection information
+* Remote database connection in DataBase.xml
+
+## Environment Variable Options
+```
+STDOUT_LOGGING [ true ] / false
+
+DATABASE_HOST [ localhost ]
+DATABASE_NAME [ jamfsoftware ]
+DATABASE_USERNAME [ jamfsoftware ]
+DATABASE_PASSWORD [ jamfsw03 ]
+DATABASE_PORT [ 3306 ]
+
+JMXREMOTE true / [ false ]
+JMXREMOTE_PORT
+JMXREMOTE_RMI_PORT
+JMXREMOTE_SSL
+JMXREMOTE_AUTHENTICATE
+RMI_SERVER_HOSTNAME
+JMXREMOTE_PASSWORD_FILE
+
+CATALINA_OPTS
+JAVA_OPTS [ -Djava.awt.headless=true ]
+
+```
+
+## Data Persistence
+This image requires that either a `/data/ROOT.war` be bind-mounted and exist, or the `/usr/bin/tomcat/webapps/ROOT` directory exist.
+A ROOT.war will be auto-unpacked and configured based upon the above environment variables, or if the ROOT directory already exists, nothing will be unpacked but logging paths, database information, JMX, and Java opts will be set.
+
+## Example
+Run a basic JamfPro instance with port 8080 exposed locally on port 8080, setup remote database, bind-mounted ROOT.war, and bind-mounted webapps directory
+
+```
+docker run -p 8080:8080 -d \
+-e DATABASE_USERNAME=root \
+-e DATABASE_PASSWORD=jamfsw03 \
+-e DATABASE_HOST=host.docker.internal \
+-v $(pwd)/ROOT.war:/data/ROOT.war \
+-v $(pwd)/webapps:/usr/local/tomcat/webapps \
+jamfpro
+```

configuration.sh

@@ -0,0 +1,116 @@
+#!/bin/bash -e
+
+##########################################################
+####################### Functions ########################
+echo_time() {
+    date +"%Y-%m-%d %T %z $(printf "%b " "$@" | sed 's/%/%%/g')"
+}
+
+unpack_root_war() {
+  if [ ! -f /data/ROOT.war ]; then
+    echo_time "FATAL ERROR: No ROOT.war to unpack, cannot continue
+    Mount ROOT.war to /data/ROOT.war"
+    exit 1
+  fi
+  #Unpack the warfile
+  echo_time "Unpacking ROOT.war to /usr/local/tomcat/webapps/ROOT \n"
+  unzip -q /data/ROOT.war -d /usr/local/tomcat/webapps/ROOT
+}
+
+setup_linux_logging_paths() {
+  #Replace Mac logging paths with linux based paths
+  echo_time "Set logging file paths to use linux file paths"
+  sed -i s#/Library/JSS/Logs#/usr/local/tomcat/logs# /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/log4j.properties
+}
+
+setup_stdout_logging() {
+  STDOUT_LOGGING=${STDOUT_LOGGING:-true}
+  if [[ $STDOUT_LOGGING == "true" ]]; then
+    #Add stdout output for Jamf specific log files while maintaining logging to the files
+    echo_time "STDOUT_LOGGING is true, add stdout logging for all logfiles"
+    sed -e '/log4j.rootLogger/ {r /log4j.stdout.replace
+      d}' -i /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/log4j.properties
+  fi
+}
+
+setup_remote_database() {
+  DATABASE_HOST=${DATABASE_HOST:-localhost}
+  DATABASE_NAME=${DATABASE_NAME:-jamfsoftware}
+  DATABASE_USERNAME=${DATABASE_USERNAME:-jamfsoftware}
+  DATABASE_PASSWORD=${DATABASE_PASSWORD:-jamfsw03}
+  DATABASE_PORT=${DATABASE_PORT:-3306}
+
+  echo_time "\n\nDatabase connection information: \n DATABASE_HOST: $DATABASE_HOST \n DATABASE_NAME: $DATABASE_NAME \n DATABASE_USERNAME: $DATABASE_USERNAME\n\n"
+
+  echo_time "Setting up the DataBase.xml file to use remote MySQL database"
+  if [ ! -f "/usr/local/tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml" ]; then
+    echo_time "FATAL ERROR: DataBase.xml not where expected, cannot continue"
+    exit 1
+  else
+    sed -i s#\<ServerName.*#\<ServerName\>$DATABASE_HOST\</ServerName\># /usr/local/tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml
+    sed -i s#\<DataBaseName.*#\<DataBaseName\>$DATABASE_NAME\</DataBaseName\># /usr/local/tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml
+    sed -i s#\<DataBaseUser.*#\<DataBaseUser\>$DATABASE_USERNAME\</DataBaseUser\># /usr/local/tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml
+    sed -i s#\<DataBasePassword.*#\<DataBasePassword\>$DATABASE_PASSWORD\</DataBasePassword\># /usr/local/tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml
+    sed -i s#\<ServerPort.*#\<ServerPort\>$DATABASE_PORT\</ServerPort\># /usr/local/tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml
+  fi
+}
+
+setup_jmx_remote_opts() {
+  JMXREMOTE_OPTS=${JMXREMOTE_OPTS:-}
+  JMXREMOTE=${JMXREMOTE:-false}
+  
+  if [[ $JMXREMOTE == "true" ]]; then
+    echo_time "JMX is set to enabled, parsing environment variable settings"
+    JMXREMOTE_PORT=${JMXREMOTE_PORT:-}
+    JMXREMOTE_RMI_PORT=${JMXREMOTE_RMI_PORT:-}
+    JMXREMOTE_SSL=${JMXREMOTE_SSL:-}
+    JMXREMOTE_AUTHENTICATE=${JMXREMOTE_AUTHENTICATE:-}
+    RMI_SERVER_HOSTNAME=${RMI_SERVER_HOSTNAME:-}
+    JMXREMOTE_PASSWORD_FILE=${JMXREMOTE_PASSWORD_FILE:-}
+
+    echo_time "\n\nJMX connection information:\n JMXREMOTE: $JMXREMOTE \n JMXREMOTE_PORT: $JMXREMOTE_PORT \n JMXREMOTE_RMI_PORT: $JMXREMOTE_RMI_PORT \n JMXREMOTE_SSL: $JMXREMOTE_SSL \n JMXREMOTE_AUTHENTICATE: $JMXREMOTE_AUTHENTICATE \n RMI_SERVER_HOSTNAME: $RMI_SERVER_HOSTNAME \n JMXREMOTE_PASSWORD_FILE: $JMXREMOTE_PASSWORD_FILE \n\n"
+
+    JMXREMOTE_OPTS="${JMXREMOTE_OPTS} -Dcom.sun.management.jmxremote"
+    JMXREMOTE_OPTS="${JMXREMOTE_OPTS} -Dcom.sun.management.jmxremote.port=${JMXREMOTE_PORT}"
+    JMXREMOTE_OPTS="${JMXREMOTE_OPTS} -Dcom.sun.management.jmxremote.rmi.port=${JMXREMOTE_RMI_PORT}"
+    JMXREMOTE_OPTS="${JMXREMOTE_OPTS} -Dcom.sun.management.jmxremote.ssl=${JMXREMOTE_SSL}"
+    JMXREMOTE_OPTS="${JMXREMOTE_OPTS} -Dcom.sun.management.jmxremote.authenticate=${JMXREMOTE_AUTHENTICATE}"
+    JMXREMOTE_OPTS="${JMXREMOTE_OPTS} -Djava.rmi.server.hostname=${RMI_SERVER_HOSTNAME}"
+    JMXREMOTE_OPTS="${JMXREMOTE_OPTS} -Dcom.sun.management.jmxremote.password.file=${JMXREMOTE_PASSWORD_FILE}"
+  fi
+}
+
+setup_java_opts() {
+  echo_time "Setting CATALINA_OPTS and JAVA_OPTS"
+
+  CATALINA_OPTS=${CATALINA_OPTS:-}
+  JAVA_OPTS=${JAVA_OPTS:-"-Djava.awt.headless=true"}
+
+  export JAVA_OPTS="${JAVA_OPTS} ${CATALINA_OPTS} ${JMXREMOTE_OPTS}"
+
+  echo_time "\n\nJAVA_OPTS: $JAVA_OPTS \n\n"
+}
+
+##########################################################
+####################### Executions #######################
+
+echo_time "Check if Tomcat ROOT directory exists, will NOT overwrite if exists"
+if [ ! -d /usr/local/tomcat/webapps/ROOT ]; then
+  echo_time "/usr/local/tomcat/webapps/ROOT directory does not exist, attempt to deploy ROOT.war from /data"
+  unpack_root_war
+
+  setup_stdout_logging
+else
+  echo_time "/usr/local/tomcat/webapps/ROOT exists, skipping ROOT.war deploy"
+fi
+
+setup_linux_logging_paths
+
+setup_remote_database
+
+setup_jmx_remote_opts
+
+setup_java_opts
+
+
+##########################################################

log4j.stdout.replace

@@ -0,0 +1,7 @@
+log4j.rootLogger=INFO,JAMF,stdout
+
+# Direct log messages to stdout
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.Target=System.out
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

startup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+RUN_USER=${RUN_USER:=tomcat}
+RUN_GROUP=${RUN_GROUP:=tomcat}
+
+source /configuration.sh
+
+if [ $? -gt 0 ]; then
+	exit $?
+fi
+
+# Start Tomcat as the correct user.
+if [ "${UID}" -eq 0 ]; then
+    echo "User is currently root. Will change directory ownership to ${RUN_USER}:${RUN_GROUP}, then downgrade permission to ${RUN_USER}"
+    PERMISSIONS_SIGNATURE=$(stat -c "%u:%U:%a" "${CATALINA_HOME}")
+    EXPECTED_PERMISSIONS=$(id -u ${RUN_USER}):${RUN_USER}:700
+    if [ "${PERMISSIONS_SIGNATURE}" != "${EXPECTED_PERMISSIONS}" ]; then
+        echo "Updating permissions for CATALINA_HOME"
+        chmod -R 700 "${CATALINA_HOME}" &&
+        chown -R "${RUN_USER}:${RUN_GROUP}" "${CATALINA_HOME}"
+    fi
+    # Now drop privileges
+    exec su -s /bin/bash "${RUN_USER}" -c "/usr/local/tomcat/bin/catalina.sh run"
+else
+    exec /usr/local/tomcat/bin/catalina.sh run
+fi
+