Merge branch 'ScanPlusGmbH-ldap'
commit
b13617aff2
@ -19,12 +19,7 @@ after_script:
|
|||||||
|
|
||||||
after_success:
|
after_success:
|
||||||
- docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
|
- docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
|
||||||
- if [ "$TRAVIS_BRANCH" = "master" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then
|
- ./build-all.sh --push
|
||||||
./build-branches.sh --push;
|
|
||||||
./build-latest.sh --push;
|
|
||||||
PRERELEASE=true ./build-latest.sh --push;
|
|
||||||
SRC_ORG=lampwins TAG=webhooks-backend ./build.sh "feature/webhooks-backend" --push;
|
|
||||||
fi
|
|
||||||
|
|
||||||
notifications:
|
notifications:
|
||||||
slack:
|
slack:
|
||||||
|
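--- /dev/null
+++ b/Dockerfile.ldap
@@ -0,0 +1,9 @@
+ARG DOCKER_ORG=ninech
+ARG DOCKER_REPO=netbox
+ARG FROM_TAG=latest
+FROM $DOCKER_ORG/$DOCKER_REPO:$FROM_TAG
+
+RUN pip install django_auth_ldap
+
+COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
+COPY configuration/ldap_config.py /etc/netbox/ldap_config.py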
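Review bot: `RUN pip install django_auth_ldap` installs whatever version is current on the day the image is built, so two builds of the same netbox tag can ship different authentication backends, and a broken or withdrawn release on PyPI lands in the image without anyone noticing. Pin the version and skip the pip cache so the layer stays reproducible, e.g. `RUN pip install --no-cache-dir 'django_auth_ldap==<pinned-version>'` (placeholder; use the version that was actually tested against this netbox release). The `ARG` defaults and the `FROM` line are fine as written.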
@ -136,6 +136,10 @@ COPY startup_scripts/ /opt/netbox/startup_scripts/
|
|||||||
COPY initializers/ /opt/netbox/initializers/
|
COPY initializers/ /opt/netbox/initializers/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### LDAP enabled variant
|
||||||
|
|
||||||
|
In the images tagged with "-ldap" you can authenticate netbox against an LDAP / AD server. The included ldap_config.py is configured to use an AD domain controller. The custom values can be injected with environment variables like those in the main configuration file.
|
||||||
|
|
||||||
### Production
|
### Production
|
||||||
|
|
||||||
The default settings are optimized for (local) development environments.
|
The default settings are optimized for (local) development environments.
|
||||||
|
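--- /dev/null
+++ b/build-all.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Builds all Docker images this project provides
+
+VARIANTS=("" "ldap")
+
+if [ ! -z "${DEBUG}" ]; then
+export DEBUG
+fi
+
+ERROR=0
+
+# Don't build if not on `master` and don't build if on a pull request,
+# but build when DEBUG is not empty
+if [ ! -z "${DEBUG}" ] || \
+( [ "$TRAVIS_BRANCH" = "master" ] && [ "$TRAVIS_PULL_REQUEST" = "false" ] ); then
+for VARIANT in "${VARIANTS[@]}"; do
+export VARIANT
+
+# Checking which VARIANT to build
+if [ -z "$VARIANT" ]; then
+DOCKERFILE="Dockerfile"
+else
+DOCKERFILE="Dockerfile.${VARIANT}"
+
+# Fail fast
+if [ ! -f "${DOCKERFILE}" ]; then
+echo "🚨 The Dockerfile '${DOCKERFILE}' for variant '${VARIANT}' doesn't exist."
+ERROR=1
+
+if [ -z "$DEBUG" ]; then
+continue
+else
+echo "⚠️ Would skip this, but DEBUG is enabled."
+fi
+fi
+fi
+
+echo "🛠 Building '$DOCKERFILE'"
+
+# build the latest release
+# shellcheck disable=SC2068
+./build-latest.sh $@
+
+# build the latest pre-release
+# shellcheck disable=SC2068
+PRERELEASE=true ./build-latest.sh $@
+
+# build all branches
+# shellcheck disable=SC2068
+./build-branches.sh $@
+
+# special build
+# shellcheck disable=SC2068
+SRC_ORG=lampwins TAG=webhooks-backend ./build.sh "feature/webhooks-backend" $@
+done
+else
+echo "❎ Not building anything."
+fi
+
+exit $ERROR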
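Review bot: The exit status of the four build invocations (`./build-latest.sh $@`, the `PRERELEASE=true` one, `./build-branches.sh $@` and the special `./build.sh` call) is never inspected, so `exit $ERROR` at the bottom reports success even when every image failed to build or push; only a missing Dockerfile ever sets `ERROR=1`. Capture the status at each call site, e.g. `./build-latest.sh "$@" || ERROR=1`, and do the same for the other three. Quoting `"$@"` also removes the need for the four `# shellcheck disable=SC2068` lines, since the unquoted form re-splits any argument that contains whitespace.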
@ -1,14 +1,15 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
# Builds all published branches
|
||||||
|
|
||||||
ORIGINAL_GITHUB_REPO="digitalocean/netbox"
|
ORIGINAL_GITHUB_REPO="digitalocean/netbox"
|
||||||
GITHUB_REPO="${GITHUB_REPO-$ORIGINAL_GITHUB_REPO}"
|
GITHUB_REPO="${GITHUB_REPO-$ORIGINAL_GITHUB_REPO}"
|
||||||
URL_RELEASES="https://api.github.com/repos/${GITHUB_REPO}/branches"
|
URL_RELEASES="https://api.github.com/repos/${GITHUB_REPO}/branches"
|
||||||
|
|
||||||
CURL_OPTS="-s"
|
CURL="curl -sS"
|
||||||
CURL="curl ${CURL_OPTS}"
|
|
||||||
|
|
||||||
BRANCHES=$($CURL "${URL_RELEASES}" | jq -r 'map(.name) | .[] | scan("^[^v].+")')
|
BRANCHES=$($CURL "${URL_RELEASES}" | jq -r 'map(.name) | .[] | scan("^[^v].+")')
|
||||||
|
|
||||||
for BRANCH in $BRANCHES; do
|
for BRANCH in $BRANCHES; do
|
||||||
|
# shellcheck disable=SC2068
|
||||||
./build.sh "${BRANCH}" $@
|
./build.sh "${BRANCH}" $@
|
||||||
done
|
done
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
# Builds the latest released version
|
||||||
|
|
||||||
ORIGINAL_GITHUB_REPO="digitalocean/netbox"
|
ORIGINAL_GITHUB_REPO="digitalocean/netbox"
|
||||||
GITHUB_REPO="${GITHUB_REPO-$ORIGINAL_GITHUB_REPO}"
|
GITHUB_REPO="${GITHUB_REPO-$ORIGINAL_GITHUB_REPO}"
|
||||||
@ -6,25 +7,32 @@ URL_RELEASES="https://api.github.com/repos/${GITHUB_REPO}/releases"
|
|||||||
|
|
||||||
JQ_LATEST="group_by(.prerelease) | .[] | sort_by(.published_at) | reverse | .[0] | select(.prerelease==${PRERELEASE-false}) | .tag_name"
|
JQ_LATEST="group_by(.prerelease) | .[] | sort_by(.published_at) | reverse | .[0] | select(.prerelease==${PRERELEASE-false}) | .tag_name"
|
||||||
|
|
||||||
CURL_OPTS="-s"
|
CURL="curl -sS"
|
||||||
CURL="curl ${CURL_OPTS}"
|
|
||||||
|
|
||||||
VERSION=$($CURL "${URL_RELEASES}" | jq -r "${JQ_LATEST}")
|
VERSION=$($CURL "${URL_RELEASES}" | jq -r "${JQ_LATEST}")
|
||||||
|
|
||||||
# Check if the prerelease version is actually higher than stable version
|
# Check if the prerelease version is actually higher than stable version
|
||||||
if [ "${PRERELEASE}" == "true" ]; then
|
if [ "${PRERELEASE}" == "true" ]; then
|
||||||
JQ_STABLE="group_by(.prerelease) | .[] | sort_by(.published_at) | reverse | .[0] | select(.prerelease==false) | .tag_name"
|
JQ_STABLE="group_by(.prerelease) | .[] | sort_by(.published_at) | reverse | .[0] | select(.prerelease==false) | .tag_name"
|
||||||
STABLE_VERSION=$(curl $CURL_OPTS "${URL_RELEASES}" | jq -r "${JQ_STABLE}")
|
STABLE_VERSION=$($CURL "${URL_RELEASES}" | jq -r "${JQ_STABLE}")
|
||||||
|
|
||||||
|
# shellcheck disable=SC2003
|
||||||
MAJOR_STABLE=$(expr match "${STABLE_VERSION}" 'v\([0-9]\+\)')
|
MAJOR_STABLE=$(expr match "${STABLE_VERSION}" 'v\([0-9]\+\)')
|
||||||
|
# shellcheck disable=SC2003
|
||||||
MINOR_STABLE=$(expr match "${STABLE_VERSION}" 'v[0-9]\+\.\([0-9]\+\)')
|
MINOR_STABLE=$(expr match "${STABLE_VERSION}" 'v[0-9]\+\.\([0-9]\+\)')
|
||||||
|
# shellcheck disable=SC2003
|
||||||
MAJOR_UNSTABLE=$(expr match "${VERSION}" 'v\([0-9]\+\)')
|
MAJOR_UNSTABLE=$(expr match "${VERSION}" 'v\([0-9]\+\)')
|
||||||
|
# shellcheck disable=SC2003
|
||||||
MINOR_UNSTABLE=$(expr match "${VERSION}" 'v[0-9]\+\.\([0-9]\+\)')
|
MINOR_UNSTABLE=$(expr match "${VERSION}" 'v[0-9]\+\.\([0-9]\+\)')
|
||||||
|
|
||||||
if ( [ "$MAJOR_STABLE" -eq "$MAJOR_UNSTABLE" ] && [ "$MINOR_STABLE" -ge "$MINOR_UNSTABLE" ] ) \
|
if ( [ "$MAJOR_STABLE" -eq "$MAJOR_UNSTABLE" ] && [ "$MINOR_STABLE" -ge "$MINOR_UNSTABLE" ] ) \
|
||||||
|| [ "$MAJOR_STABLE" -gt "$MAJOR_UNSTABLE" ]; then
|
|| [ "$MAJOR_STABLE" -gt "$MAJOR_UNSTABLE" ]; then
|
||||||
echo "Latest unstable version ('$VERSION') is not higher than the latest stable version ('$STABLE_VERSION')."
|
echo "❎ Latest unstable version ('$VERSION') is not higher than the latest stable version ('$STABLE_VERSION')."
|
||||||
exit 0
|
if [ -z "$DEBUG" ]; then
|
||||||
|
exit 0
|
||||||
|
else
|
||||||
|
echo "⚠️ Would exit here with code '0', but DEBUG is enabled."
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -39,6 +47,7 @@ AUTHORIZATION_HEADER="Authorization: Bearer ${BEARER_TOKEN}"
|
|||||||
ALREADY_BUILT="$($CURL -H "${AUTHORIZATION_HEADER}" "${URL_DOCKERHUB_TAG}" | jq -e ".tags | any(.==\"${VERSION}\")")"
|
ALREADY_BUILT="$($CURL -H "${AUTHORIZATION_HEADER}" "${URL_DOCKERHUB_TAG}" | jq -e ".tags | any(.==\"${VERSION}\")")"
|
||||||
|
|
||||||
if [ "$ALREADY_BUILT" == "false" ]; then
|
if [ "$ALREADY_BUILT" == "false" ]; then
|
||||||
|
# shellcheck disable=SC2068
|
||||||
./build.sh "${VERSION}" $@
|
./build.sh "${VERSION}" $@
|
||||||
else
|
else
|
||||||
echo "✅ ${VERSION} already exists on https://hub.docker.com/r/${DOCKERHUB_REPO}"
|
echo "✅ ${VERSION} already exists on https://hub.docker.com/r/${DOCKERHUB_REPO}"
|
||||||
|
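Review bot: In the `@ -6,25 +7,32 @@` hunk the integer tests `[ "$MAJOR_STABLE" -eq "$MAJOR_UNSTABLE" ]` and `[ "$MAJOR_STABLE" -gt "$MAJOR_UNSTABLE" ]` run on values derived from `$CURL ... | jq`, but nothing checks that `VERSION` or `STABLE_VERSION` is non-empty: if the GitHub call fails or is rate-limited, jq prints nothing or `null`, `expr match` yields an empty string, `[` reports "integer expression expected", the whole condition evaluates false and the script continues towards the `./build.sh "${VERSION}"` call in the last hunk with an empty version. Add a guard directly after `VERSION=$(...)`, e.g. `[ -n "${VERSION}" ] && [ "${VERSION}" != "null" ] || { echo "❎ Could not determine the latest release from '${URL_RELEASES}'."; exit 1; }`, and the same for `STABLE_VERSION`. `CURL="curl -sS"` also lacks `-f`, so an HTTP error body is fed to jq as if it were the release list; `curl -sSf` turns that into a visible failure. `build-branches.sh` has the same unchecked `$CURL | jq` pattern in its `BRANCHES=` line.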
58
build.sh
58
build.sh
@ -1,4 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
# Builds the Dockerfile[.variant] and injects tgz'ed Netbox code from Github
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
@ -8,6 +9,8 @@ if [ "${1}x" == "x" ] || [ "${1}" == "--help" ] || [ "${1}" == "-h" ]; then
|
|||||||
echo " --push Pushes built Docker image to docker hub."
|
echo " --push Pushes built Docker image to docker hub."
|
||||||
echo ""
|
echo ""
|
||||||
echo "You can use the following ENV variables to customize the build:"
|
echo "You can use the following ENV variables to customize the build:"
|
||||||
|
echo " DEBUG If defined, the script does not stop when certain checks are unsatisfied."
|
||||||
|
echo " DRY_RUN Prints all build statements instead of running them."
|
||||||
echo " DOCKER_OPTS Add parameters to Docker."
|
echo " DOCKER_OPTS Add parameters to Docker."
|
||||||
echo " Default:"
|
echo " Default:"
|
||||||
echo " When <TAG> starts with 'v': \"\""
|
echo " When <TAG> starts with 'v': \"\""
|
||||||
@ -35,6 +38,17 @@ if [ "${1}x" == "x" ] || [ "${1}" == "--help" ] || [ "${1}" == "-h" ]; then
|
|||||||
echo " URL Where to fetch the package from."
|
echo " URL Where to fetch the package from."
|
||||||
echo " Must be a tar.gz file of the source code."
|
echo " Must be a tar.gz file of the source code."
|
||||||
echo " Default: https://github.com/<SRC_ORG>/<SRC_REPO>/archive/\$BRANCH.tar.gz"
|
echo " Default: https://github.com/<SRC_ORG>/<SRC_REPO>/archive/\$BRANCH.tar.gz"
|
||||||
|
echo " VARIANT The variant to build."
|
||||||
|
echo " The value will be used as a suffix to the \$TAG and for the Dockerfile"
|
||||||
|
echo " selection. The TAG being build must exist for the base variant and"
|
||||||
|
echo " corresponding Dockerfile must start with the following lines:"
|
||||||
|
echo " ARG DOCKER_ORG=ninech"
|
||||||
|
echo " ARG DOCKER_REPOT=netbox"
|
||||||
|
echo " ARG FROM_TAG=latest"
|
||||||
|
echo " FROM \$DOCKER_ORG/\$DOCKER_REPO:\$FROM_TAG"
|
||||||
|
echo " Example: VARIANT=ldap will result in the tag 'latest-ldap' and the"
|
||||||
|
echo " Dockerfile 'Dockerfile.ldap' being used."
|
||||||
|
echo " Default: empty"
|
||||||
|
|
||||||
if [ "${1}x" == "x" ]; then
|
if [ "${1}x" == "x" ]; then
|
||||||
exit 1
|
exit 1
|
||||||
@ -70,15 +84,53 @@ case "${TAG}" in
|
|||||||
CACHE="${CACHE---no-cache}";;
|
CACHE="${CACHE---no-cache}";;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
# Checking which VARIANT to build
|
||||||
|
if [ -z "$VARIANT" ]; then
|
||||||
|
DOCKERFILE="Dockerfile"
|
||||||
|
else
|
||||||
|
DOCKERFILE="Dockerfile.${VARIANT}"
|
||||||
|
DOCKER_TAG="${DOCKER_TAG}-${VARIANT}"
|
||||||
|
|
||||||
|
# Fail fast
|
||||||
|
if [ ! -f "${DOCKERFILE}" ]; then
|
||||||
|
echo "🚨 The Dockerfile ${DOCKERFILE} for variant '${VARIANT}' doesn't exist."
|
||||||
|
|
||||||
|
if [ -z "$DEBUG" ]; then
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
echo "⚠️ Would exit here with code '1', but DEBUG is enabled."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Docker options
|
# Docker options
|
||||||
DOCKER_OPTS="${DOCKER_OPTS-$CACHE}"
|
DOCKER_OPTS=(
|
||||||
|
"$CACHE"
|
||||||
|
--pull
|
||||||
|
)
|
||||||
|
|
||||||
|
# Build args
|
||||||
|
DOCKER_BUILD_ARGS=(
|
||||||
|
--build-arg "FROM_TAG=${TAG}"
|
||||||
|
--build-arg "BRANCH=${BRANCH}"
|
||||||
|
--build-arg "URL=${URL}"
|
||||||
|
--build-arg "DOCKER_ORG=${DOCKER_ORG}"
|
||||||
|
--build-arg "DOCKER_REPO=${DOCKER_REPO}"
|
||||||
|
)
|
||||||
|
|
||||||
|
if [ -z "$DRY_RUN" ]; then
|
||||||
|
DOCKER_CMD="docker"
|
||||||
|
else
|
||||||
|
echo "⚠️ DRY_RUN MODE ON ⚠️"
|
||||||
|
DOCKER_CMD="echo docker"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "🐳 Building the Docker image '${DOCKER_TAG}' from the url '${URL}'."
|
echo "🐳 Building the Docker image '${DOCKER_TAG}' from the url '${URL}'."
|
||||||
docker build -t "${DOCKER_TAG}" --build-arg "BRANCH=${BRANCH}" --build-arg "URL=${URL}" --pull ${DOCKER_OPTS} .
|
$DOCKER_CMD build -t "${DOCKER_TAG}" "${DOCKER_BUILD_ARGS[@]}" "${DOCKER_OPTS[@]}" -f "${DOCKERFILE}" .
|
||||||
echo "✅ Finished building the Docker images '${DOCKER_TAG}'"
|
echo "✅ Finished building the Docker images '${DOCKER_TAG}'"
|
||||||
|
|
||||||
if [ "${2}" == "--push" ] ; then
|
if [ "${2}" == "--push" ] ; then
|
||||||
echo "⏫ Pushing '${DOCKER_TAG}"
|
echo "⏫ Pushing '${DOCKER_TAG}"
|
||||||
docker push "${DOCKER_TAG}"
|
$DOCKER_CMD push "${DOCKER_TAG}"
|
||||||
echo "✅ Finished pushing the Docker image '${DOCKER_TAG}'."
|
echo "✅ Finished pushing the Docker image '${DOCKER_TAG}'."
|
||||||
fi
|
fi
|
||||||
|
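Review bot: `DOCKER_OPTS=( "$CACHE" --pull )` in the `@ -70,15 +84,53 @@` hunk passes an empty-string argument to `docker build` whenever `CACHE` is empty, which the usage text near the top suggests is the case for tags starting with `v`; the old unquoted `${DOCKER_OPTS}` dropped that word silently, but `"${DOCKER_OPTS[@]}"` preserves it, so `docker build` sees a second positional argument next to `.`. Build the array conditionally: `DOCKER_OPTS=(--pull)` followed by `[ -n "$CACHE" ] && DOCKER_OPTS+=("$CACHE")`. The same assignment discards any `DOCKER_OPTS` the caller set in the environment, although the usage line `echo " DOCKER_OPTS Add parameters to Docker."` still advertises it; either append the user's value to the array or remove that line. The new usage text also has a typo, `ARG DOCKER_REPOT=netbox`, where Dockerfile.ldap in this commit spells it `ARG DOCKER_REPO=netbox`.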
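--- /dev/null
+++ b/configuration/ldap_config.py
@@ -0,0 +1,55 @@
+import ldap
+import os
+
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
+# Server URI
+AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI', '')
+
+# The following may be needed if you are binding to Active Directory.
+AUTH_LDAP_CONNECTION_OPTIONS = {
+ldap.OPT_REFERRALS: 0
+}
+
+# Set the DN and password for the NetBox service account.
+AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
+AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '')
+
+# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
+# Note that this is a NetBox-specific setting which sets:
+# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+LDAP_IGNORE_CERT_ERRORS = True
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', ''),
+ldap.SCOPE_SUBTREE,
+"(sAMAccountName=%(user)s)")
+
+# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
+# heirarchy.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE,
+"(objectClass=group)")
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+
+# Define a group required to login.
+AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '')
+
+# Define special user types using groups. Exercise great caution when assigning superuser status.
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+"is_active": os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),
+"is_staff": os.environ.get('AUTH_LDAP_IS_ADMIN_DN', ''),
+"is_superuser": os.environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '')
+}
+
+# For more granular permissions, we can map LDAP groups to Django groups.
+AUTH_LDAP_FIND_GROUP_PERMS = True
+
+# Cache groups for one hour to reduce LDAP traffic
+AUTH_LDAP_CACHE_GROUPS = True
+AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
+
+# Populate the Django user from the LDAP directory.
+AUTH_LDAP_USER_ATTR_MAP = {
+"first_name": os.environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
+"last_name": os.environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
+"email": os.environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
+}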
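Review bot: `LDAP_IGNORE_CERT_ERRORS = True` is hard-coded, so every `-ldap` image ships with certificate validation for the directory connection switched off, and the service-account bind password plus each user's login credentials are handed to whatever server answers on `AUTH_LDAP_SERVER_URI`. Make it opt-in like every other value in this file: `LDAP_IGNORE_CERT_ERRORS = os.environ.get('LDAP_IGNORE_CERT_ERRORS', 'False').lower() == 'true'`, and keep the existing comment about self-signed certificates next to it so operators know which variable to set. A short comment next to `AUTH_LDAP_SERVER_URI` noting that only an `ldaps://` URI (or STARTTLS, which this file does not configure) gives an encrypted connection would help the same operators. The comment above `AUTH_LDAP_GROUP_SEARCH` misspells "hierarchy" as "heirarchy".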
10
docker/ldap_config.docker.py
Normal file
10
docker/ldap_config.docker.py
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
import importlib.util
|
||||||
|
import sys
|
||||||
|
|
||||||
|
try:
|
||||||
|
spec = importlib.util.spec_from_file_location('ldap_config', '/etc/netbox/ldap_config.py')
|
||||||
|
module = importlib.util.module_from_spec(spec)
|
||||||
|
spec.loader.exec_module(module)
|
||||||
|
sys.modules['netbox.ldap_config'] = module
|
||||||
|
except:
|
||||||
|
raise ImportError('')
|
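Review bot: The bare `except:` followed by `raise ImportError('')` discards the real failure — a syntax error or unset name inside `/etc/netbox/ldap_config.py`, or the file simply being absent — and replaces it with an empty message, while also swallowing `KeyboardInterrupt` and `SystemExit`. Narrow the clause and keep the cause chained: `except Exception as exc:` / `raise ImportError('Could not load /etc/netbox/ldap_config.py: %s' % exc) from exc`. With that in place the traceback a user sees on a misconfigured image points at the offending line of their config instead of at this loader.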