Another major update: Shibboleth IdP v5.0.0 and Jetty v11.0.17, on Debian 12 (Bookworm)
- Shibboleth IdP is the latest stable release, v5.0.0, a major change. You will probably need to update your configuration. Please see the official documentation for this release
- Jetty 11.0.17 - a major version change, but relatively little has changed for Jetty configuration with this update.
- The Linux OS is now based on Debian 12 (Bookworm) - this should have little practical effect
- The
DISABLE_MODULESARG will, predictably, disable the named modules if they have been enabled (only during build). - The healthcheck uses a browser agent string of "Ishigaki Healthcheck" so it can be filtered from logs
- Default credentials permissions are now 0640
INSTALL_PROPERTIESARG is used to provide functionality that the old installer used to support but the new one does not - it can be redefined if you need to specify additional Java options for the installer at build time but you probably won't need to.- The state of modules and plugins will be printed at the end of builds - show with
docker build ./ --progress plain - The
prepare_apps.shscript has been removed. You may need to fix permissions in images based on Ishigaki but from now on you should fix them directly and explicitly in your Dockerfile using RUN and shell commands.
apt-keyis now deprecated so the GPG key for Corretto Java packages is installed directly as a file- Build messages in the Dockerfile are never shown by modern Docker so they've all been removed and replaced by comments
- Jetty contains fixes for HTTP2 DDOS issues and Curl should also be free of recent issues.
- Image size has increased a little, by about 50MB.
- The Ishigaki Specs (tests) have been moved back into the main repository: they weren't being used elsewhere, and syncing them was a chore. There might be a better, stand-alone set of IdP specs later to replace them as a generic tool.
A major update with potentially breaking changes - Linux, Shibboleth IdP, Java and Jetty are all new.
- Shibboleth IdP updated to latest stable release: v4.3.1
- Jetty 10 and simplified Jetty configuration: You will need to rewrite any existing customisation of Jetty configuration
- Java updated to Corretto JDK 17
- Linux updated to Debian 11 (Bullseye)
- Updated plugin trust keys
- New
PLUGIN_IDSbuild argument to add official modules by ID, rather than file or URL jetty94-dta-ssl-1.0.0.jaris included by default so with additional configuration both TLS and backchannel can be supported- Jetty request logging to STDOUT is active
- LogBack .jars are included, and LogBack enabled
- Jetty no longer forks on startup, saving about 120MB of RAM
- Jetty's ugly default favicon is replaced by a nicer Shibboleth logo (but please replace that with your own!)
- Static web files are now at
/opt/jetty-shib/static - Tests are now using Cinc Auditor and always update before running
- Plus edition adds latest version of plugins automatically
- Build-time installation of plugins has been fixed (twice)
- Jetty
tmp/has been moved to/opt/jetty-shib/tmpfrom JETTY_HOME
prepare_apps.sh rebuildnow explicitly sets installer idp.home using the $IDP_HOME environment variable. It's still deprecated though.
Minor updates to the Shibboleth IdP and Jetty software
- Uses Shibboleth 4.1.4 (bug fixes and minor changes)
- Uses Jetty 9.4.43 (more bug fixes)
- Latest OIDC Plugin versions are downloaded for 'plus' edition
Corrects an issue where the filesystem uid and gid may be unpredictable and cause issues when mounting volumes directly. To maintain normal security permissions on mounted credentials you can either create a local user with these IDs, or use user mapping.
- On build UID and GID of the jetty process can be set using build arguments JETTY_UID and JETTY_GID, defaulting to 5101
- jetty group has a fixed uid and gid, determined at build-time, defaulting to 5101 to put it above auto-assigned uids/gids on most servers
- Using tweaked test suite, updated to match ignore the plugins directory in /usr/local/src when checking if it's tidy
Another significant update, with a new IdP and new Dockerfile features. The updated IdP brings plugin and module functionality, and the new Dockerfile is much more useful for building bespoke images.
- Uses Shibboleth IdP v4.1.0: This is a breaking change - configuration files will need to be replaced or upgraded. Please read the release notes for v4.1.0
- Jetty has been updated to v9.4.40
- The Dockerfile can be used to active or deactivate modules when building a new image
- The Dockerfile can be used to build IdPs including plugins when building a new image
- More installer settings can be configured using the Dockerfile
rake build:basebuilds a minimal image for use a base imagerake build:plusbuilds an image with OIDC, TOTP and Javascript pluginsrake build:allbuilds default, plus and base imagesrake exportcopies the configuration out of the default image- The new plugins directory can be used to install plugin archives (local or remote) and truststores during a build
- The
prepare_apps.shscript is now deprecated and is (fingers crossed) no longer needed. The Shibboleth IdP installer will now set the correct permissions on credentials, andbin/build.shshould be used to rebuild the .war.
- Travis is no longer used as a CI to build Ishigaki images
- Images are now available from Github as well as from Dockerhub. Only the default image is available at Docker Hub.
- Using tweaked test suite, updated to match new IdP version.
- The new images are now considerably larger (especially the plus version)
- Jetty no longer sets
-Xmx1500mas a JVM option so that memory usage can be controlled using Docker's--memoryoption or Docker Compose'sdeploy: resource:settings. The previous behaviour can be restored by copying a tweaked start.ini to /opt/jetty-shib/
- Uses Shibboleth IdP v4.0.1: This is a breaking change - configuration files will need to be replaced or upgraded. Please read the release notes for v4.0.0
- Switched from Zulu 8 JDK to Amazon's Corretto 11 JDK
- Jetty bumped to 9.4.32 (bug fixes)
- Initial secrets can be passed with build arguments
- EDWIN_STARR build argument switch for when a .war is good for absolutely nothing
- Improved and simplified Dockerfile
- Messages during Docker build now work correctly
- Logging configuration ignores spurious Status.vm error messages
- Using new version of test suite, updated to match new environment and IdP version
- Jetty 9.4.24 (patch release with various bug fixes)
- Shibboleth IdP 3.4.6 (various bug fixes)
- Jetty 9.4.21 (also just a patch release)
- Using Shibboleth IdP 3.4.5 (various bug fixes and a potential data-leak fix)
- Using Jetty 9.4.20
- Based on Debian 10 Buster (via MiniDeb)
- Using Jetty 9.4.18 rather than 9.4.15
- Shibboleth IdP updated to 3.4.4 (new LDAP driver option and bug fixes)
- Using Jetty 9.4.15 rather than 9.4.11
- Updated test libraries
- No longer refering to Debian 8 backport packages (since OS is Debian 9)
- Shibboleth IdP updated to 3.4.3 (no functionality changes, just bug fixes)
- Shibboleth IdP updated to 3.4.2
- Update IdP to 3.4.1 (a bugfix patch release)
- Use latest version of inSpec for tests (3.0.n)
- Shibboleth IdP updated to 3.4.0 (including quite a few new features)
- Tests no longer check the permissions on the webapp directory, as it's gone.
- Jetty updated to 9.4.11
- Updated to Shibboleth 3.3.3, which contains a fix for a CAS vulnerability
- Moved all inSpec tests over to their own repo. They can now be resused by other Ishigaki-based projects.
- Ruby version fixed (changed to 2.4) in Travis CI build config (it was incorrectly at 2.2)
- Shibboleth IdP updated to 3.3.2, which fixes a security bug in LDAP library and updates Duo support
- Jetty is updated too, to 9.4.7.v20170914, a bugfix release.
- The
prepare_apps.shscript now has a "rebuild" option that will rebuild the IdP's .war file, using files in edit-webapp.
- The Dockerfile USER now stays as root, so no need to switch to root and back to jetty in your own images. Jetty continues to run as the jetty user.
- Jetty should receive signals properly (or at least better than before). This means shutdown is much faster and cleaner.
- Added badges to the Readme file
- Added warnings about overwriting prepare_apps.sh to the documentation
- Adjusted the example Dockerfile now that switching users is not needed
- One test has been disabled since netstat no longer names the jetty process properly.
- Turning off the JVM's silly default DNS caching. It's always a pain but with Docker it's much worse.
- Now works correctly with reverse proxies (config file was in wrong directory!)
- Snapshot name is consistent with released image name
- Also 14MB smaller (Jetty demo files have been removed)
- Scripts to deploy image to Docker Hub
- Created /var/cache/shibboleth-idp directory for storing file caches of remote data
- Fixed tests for removable Java JDK directories
- Shibboleth IdP directories now have same permissions when image is built on Linux and Mac
- Development branch builds on Travis correctly