
grouper-users - RE: [grouper-users] containerized grouper noob questions

Subject: Grouper Users - Open Discussion List

  • From: "Black, Carey M." <>
  • To: Darren Boss <>, Baron Fujimoto <>, Grouper Users <>
  • Subject: RE: [grouper-users] containerized grouper noob questions
  • Date: Tue, 14 Jul 2020 13:28:55 +0000

+1 for "proxy". However... "local proxy please" ( IMHO ).

I recently upgraded from 2.3 to 2.5.

    We use Shib for the UI. ( So it was already behind apache and was "proxied" from on the host. )
    We use LDAP auth for WS. ( So it was already behind apache and was "proxied" from on the host. )
        Yes they were separate tomcat processes in v2.3 as well.
        So they already had separate ajp ports in my v2.3 deploy.

For v2.5 I decided to:

    Keep Apache "on the host".
    Only run a single Tomee process in the container too. ( exposing only the ajp ports to the local host )
    And I decided to add an additional ajp port and apache proxy for the daemon since it now also runs in a Tomee JVM. So that it can be monitored directly.

    FWIW: Yea I build my own sub image. But that is mostly because of the java binaries that we have added locally. (Which may be avoidable if/when they allow storing files in the DB. 😊 )

HTH.

 

--

Carey Matthew Black.123

Love, then teach

Share your dream. So that you can find others who share your dream.

Solution = People + Process + Tools

Fast, Accurate, Cheap.... Pick two.

 

-----Original Message-----
From: <> On Behalf Of Darren Boss
Sent: Monday, July 13, 2020 10:52 PM
To: Baron Fujimoto <>; Grouper Users <>
Subject: Re: [grouper-users] containerized grouper noob questions

 

One option would be to set up a reverse proxy in front of the containers that directs traffic to the correct container based on the url pattern. That reverse proxy is grouper.example.edu and it has rules so traffic to /grouper goes to the ui container while /grouper-ws goes to the web services container. In Kubernetes, this is a core part of the platform and called the ingress controller which is typically done via Nginx.

 

On Mon, Jul 13, 2020 at 8:15 PM Baron Fujimoto <> wrote:

> On Thu, Jul 02, 2020 at 05:15:31PM -1000, Baron Fujimoto wrote:
> >We're dipping our toes in the water of containerized Grouper, generally upgrading from 2.2 to 2.5. Upgrade issues aside, I have some basic questions about containerized Grouper that I hope aren't too stupid. I poked around the Grouper documentation I could find but didn't find what I was looking for – I'm happy to RTFM if someone will point me to TFM.
> >
> Different question:
>
> Our current grouper UI and WS deployments share a common hostname and port (443).  E.g.:
>
> UI: <https://grouper.example.edu.grouper/grouper>
> WS: <https://grouper.example.edu.grouper/grouper-ws>
>
> We achieve this by running both services out of a shared Tomcat servlet container. With dockerized Grouper the best practice seems to be to run each service in its own docker container (each with its own Tomcat servlet container)?  Since each service can't listen to the same port (right?), what is the recommended way of handling this? Just having, say, the WS, listen to a different port? (Assuming we want to retain the same hostname.) E.g.:
>
> UI: <https://grouper.example.edu.grouper/grouper>
> WS: <https://grouper.example.edu.grouper:9443/grouper>

> --

> UH Information Technology Services : Identity & Access Mgmt, Middleware

> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

 

 

 

--

Darren Boss

Senior Programmer/Analyst

Programmeur-analyste principal
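
An added example, not taken from either message or from the Grouper project: one way the host-level Apache setup discussed in this thread could look, with path-based routing to per-service containers over AJP. The AJP port numbers, the /grouper-daemon path, the certificate paths, the LDAP URL and the monitoring address are assumptions; only the hostname and the /grouper and /grouper-ws paths come from the thread.

```apache
# Added example. Assumes each container publishes its AJP connector on the
# loopback interface only (for instance `docker run -p 127.0.0.1:8009:8009 ...`),
# so nothing but this local httpd can reach it.
# Needs mod_ssl, mod_proxy, mod_proxy_ajp, mod_authnz_ldap and mod_shib.

<VirtualHost *:443>
    ServerName grouper.example.edu

    SSLEngine on
    # Placeholder certificate paths
    SSLCertificateFile    /etc/pki/tls/certs/grouper.example.edu.crt
    SSLCertificateKeyFile /etc/pki/tls/private/grouper.example.edu.key

    # Reverse proxy only, never a forward proxy
    ProxyRequests Off

    # One hostname, one port; the URL path selects the container.
    # 8009 / 8010 / 8011 are assumed host-side AJP ports.
    ProxyPass /grouper        ajp://127.0.0.1:8009/grouper
    ProxyPass /grouper-ws     ajp://127.0.0.1:8010/grouper-ws
    # Hypothetical path for reaching the daemon's JVM for monitoring
    ProxyPass /grouper-daemon ajp://127.0.0.1:8011/grouper

    # UI: Shibboleth session required before the request is proxied
    <Location "/grouper">
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>

    # WS: HTTP Basic against LDAP (placeholder directory URL)
    <Location "/grouper-ws">
        AuthType Basic
        AuthName "Grouper WS"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.edu/ou=people,dc=example,dc=edu?uid"
        Require valid-user
    </Location>

    # Daemon: reachable only from the monitoring host (placeholder address)
    <Location "/grouper-daemon">
        Require ip 192.0.2.10
    </Location>
</VirtualHost>
```

Because authentication happens in httpd and AJP itself carries no credentials check here, the loopback-only port binding is what keeps clients from bypassing the proxy and talking to the containers directly.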



