Dockerized IdP

John Gasper jgasper at unicon.net
Mon Mar 7 17:53:36 EST 2016


Thanks Greg.

Tom,

Let me start by saying I am not a lawyer and do not pretend to be one, but
I think it falls within the terms of:
C. LICENSE TO DISTRIBUTE SOFTWARE. Subject to the terms and conditions of
this Agreement and restrictions and exceptions set forth in the README
File, including, but not limited to the Java Technology Restrictions and
Limitations on Redistribution of these Supplemental Terms, Oracle grants
you a non-exclusive, non-transferable, limited license without fees to
reproduce and distribute the Software, provided that (i) you distribute
the Software complete and unmodified and only bundled as part of, and for
the sole purpose of running, your Programs, (ii) the Programs add
significant and primary functionality to the Software, (iii) you do not
distribute additional software intended to replace any component(s) of the
Software, (iv) you do not remove or alter any proprietary legends or
notices contained in the Software, (v) you only distribute the Software
subject to a license agreement that: (a) is a complete, unmodified
reproduction of this Agreement; or (b) protects Oracle's interests
consistent with the terms contained in this Agreement and that includes
the notice set forth in Section H, and (vi) you agree to defend and
indemnify Oracle and its licensors from and against any damages, costs,
liabilities, settlement amounts and/or expenses (including attorneys'
fees) incurred in connection with any claim, lawsuit or action by any
third party that arises or results from the use or distribution of any and
all Programs and/or Software. The license set forth in this Section C does
not extend to the Software identified in Section G.


If there is a consensus that the image should not include Java, it can
certainly be removed and left as an exercise for the user, much like I do
with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy Files (see https://hub.docker.com/r/unicon/shibboleth-idp/). Or,
someone can mount a JRE/JDK directory on the Docker host. Personally, I'm
not a fan of OpenJDK as I've seen it break too many clients' IdPs when they
ran an OS update and the IdP quit starting up.

Thoughts?



On 3/7/16, 2:42 PM, "users-bounces at shibboleth.net on behalf of
users-request at shibboleth.net" <users-bounces at shibboleth.net on behalf of
users-request at shibboleth.net> wrote:
>----------------------------------------------------------------------
>
>Message: 1
>Date: Mon, 7 Mar 2016 16:53:14 -0500
>From: Tom Scavo <trscavo at gmail.com>
>To: Shib Users <users at shibboleth.net>
>Subject: Re: Dockerized IdP
>Message-ID:
>	<CAEtu=dNO3J9yLPiZ4fHBrniDj-PwWxChC_+QhEwnF=54FHGG0A at mail.gmail.com>
>Content-Type: text/plain; charset=UTF-8
>
>Hi John,
>
>On Mon, Mar 7, 2016 at 4:40 PM, John Gasper <jgasper at unicon.net> wrote:
>>
>> I wanted to take a moment and share a project that I've been working on for
>> the last year. That project is a dockerized Shibboleth IdP image, which
>> includes Java and Jetty.
>
>John, what Java are you using? (I didn't think Oracle Java could be
>used in this way, for licensing reasons.)
>
>Thanks,
>
>Tom
>
>
>------------------------------
>
>Message: 2
>Date: Mon, 7 Mar 2016 14:14:11 -0800
>From: Greg Haverkamp <gahaverkamp at lbl.gov>
>To: Shib Users <users at shibboleth.net>
>Subject: Re: Dockerized IdP
>Message-ID:
>	<CAHEFaoSJDsBz1TZjCWsZvRY8X=NAO6oZNvLHojYH5HS=sNOBgQ at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>On Mon, Mar 7, 2016 at 1:40 PM, John Gasper <jgasper at unicon.net> wrote:
>
>> I think this is the answer if you are thinking of running the IdP in
>> Docker, but feel free to make up your own mind. I'd love any constructive
>> criticism and contributions. Please share any feedback you might have via
>> the GitHub repo.
>
>
>Thanks for all the work on this, John.  After TechEx last year, I came back
>a convert, and when we deployed v3, we used a tailored version of one of
>your older revs.
>
>I was a little skeptical of the value of Docker with the IdP at first,
>thinking that perhaps we just didn't have the need for the complexity, but
>after 5 months, we've been very happy.  I highly recommend the approach to
>others.
>
>Greg