add configuration for the webui container

ui/00-mpm.conf.j2

@@ -0,0 +1,5 @@
+{% if RUCIO_HTTPD_MPM_MODE is defined and RUCIO_HTTPD_MPM_MODE == "prefork" -%}
+LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+{% else -%}
+LoadModule mpm_worker_module modules/mod_mpm_worker.so
+{% endif %}

ui/Dockerfile

@@ -0,0 +1,41 @@
+# Copyright European Organization for Nuclear Research (CERN) 2017
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Authors:
+# - Thomas Beermann, <[email protected]>, 2019
+
+FROM centos:7
+
+WORKDIR /tmp
+ADD oic.rpm /tmp
+
+RUN yum install -y epel-release.noarch
+RUN yum upgrade -y
+RUN yum install -y httpd mod_wsgi python-pip libaio gcc python-devel.x86_64 mod_ssl  openssl-devel.x86_64
+
+RUN rpm -i /tmp/oic.rpm; \
+    echo "/usr/lib/oracle/12.2/client64/lib" >/etc/ld.so.conf.d/oracle.conf; \
+    ldconfig
+RUN pip install --upgrade pip setuptools
+RUN rm -rf /usr/lib/python2.7/site-packages/ipaddress*
+RUN pip install rucio_webui[oracle,mysql,postgresql] j2cli psycopg2-binary
+# only necessary temporarily until setup.py for webui is fixed
+RUN pip install cx_oracle==6.3.1 psycopg2>=2.4.2 PyMySQL
+
+ADD rucio.cfg.j2 /tmp/
+ADD rucio.conf.j2 /tmp/
+ADD httpd.conf.j2 /tmp/
+ADD 00-mpm.conf.j2 /tmp
+ADD docker-entrypoint.sh /
+RUN rm /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/ssl.conf
+
+VOLUME /var/log/httpd
+VOLUME /opt/rucio/etc
+VOLUME /etc/grid-security
+
+EXPOSE 443
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

ui/README.rst

@@ -0,0 +1,75 @@
+Rucio WebUI
+-----------
+
+Data Management for science in the Big Data era.
+
+Rucio is a project that provides services and associated libraries for allowing scientific collaborations to manage large volumes of data spread across facilities at multiple institutions and organizations. Rucio has been developed by the [ATLAS](<https://atlas.cern/>). experiment. It offers advanced features, is highly scalable and modular. Rucio is a data management solution that could cover the needs of different communities in the scientific domain (e.g., HEP, astronomy, biology).
+
+Documentation
+-------------
+
+General information and latest documentation about Rucio can be found at [readthedocs](<http://rucio.readthedocs.io>).
+
+Developers
+----------
+
+For information on how to contribute to Rucio, please refer and follow our [CONTRIBUTING](<https://github.com/rucio/rucio/blob/master/CONTRIBUTING.rst>) guidelines.
+
+Getting Started
+---------------
+
+This image provides the Rucio WebUI which works as a web frontend to the Rucio server. It supports MySQL, PostgreSQL, Oracle and SQLite as database backends.
+
+A WebUI instance with the minimal configuration can be started like this:
+
+```docker run --name=rucio-webui -v /tmp/ca.pem:/etc/grid-security/ca.pem -v /tmp/hostcert.pem:/etc/grid-security/hostcert.pem -v /tmp/hostkey.pem:/etc/grid-security/hostkey.pem -v /tmp/rucio.cfg:/opt/rucio/etc/rucio.cfg -p 443:443 -e RUCIO_PROXY="server.rucio" -e RUCIO_AUTH_PROXY="auth.rucio"  -d rucio/rucio-ui```
+
+The rucio.cfg is used to configure the database backend, which is only needed for authentication and should point to the same database as the Rucio authentication server.
+
+SSL is necessary for the WebUI so you need to include the host certificate, key and the the CA certificate as volumes.
+
+`RUCIO_PROXY` and `RUCIO_AUTH` should point to your rucio server and rucio authentication endpoints. They are necessary for the WebUI to work.
+
+Environment Variables
+--------------------------
+
+As shown in the examples above the rucio-server image can be configured using environment variables that are passed with `docker run`. Below is a list of all available variables and their behaviour:
+
+`RUCIO_PROXY`
+=============
+Set this value to the address where you Rucio server can be reached. The WebUI uses a local httpd proxy to communicated with the Rucio server. This is necessary to circumvent possible cross-origin request problems.
+
+`RUCIO_AUTH_PROXY`
+==================
+Same as `RUCIO_PROXY` but for the authentication server (which can be add different host as the main server).
+
+`RUCIO_CA_PATH`
+===============
+If you are using SSL and want use `SSLCACertificatePath` and `SSLCARevocationPath` you can do so by specifying the path in this variable.
+
+`RUCIO_ENABLE_LOGFILE`
+======================
+By default the log output of the web server is written to stdout and stderr. If you set this variable to `True` the output will be written to `access_log` and `error_log` under `/var/log/httpd`.
+
+`RUCIO_LOG_LEVEL`
+=================
+The default log level is `info`. You can change it using this variable.
+
+`RUCIO_LOG_FORMAT`
+==================
+The default rucio log format is `%h\t%t\t%{X-Rucio-Forwarded-For}i\t%T\t%D\t\"%{X-Rucio-Auth-Token}i\"\t%{X-Rucio-RequestId}i\t%{X-Rucio-Client-Ref}i\t\"%r\"\t%>s\t%b`
+You can set your own format using this variable.
+
+`RUCIO_HOSTNAME`
+================
+This variable sets the server name in the apache config.
+
+`RUCIO_SERVER_ADMIN`
+====================
+This variable sets the server admin in the apache config.
+
+Getting Support
+----------------
+
+If you are looking for support, please contact our mailing list [email protected]
+or join us on our [slack support](<https://rucio.slack.com/messages/#support>) channel.

ui/docker-entrypoint.sh

@@ -0,0 +1,32 @@
+#!/bin/bash -e
+
+j2 /tmp/00-mpm.conf.j2 > /etc/httpd/conf.modules.d/00-mpm.conf
+
+echo "=================== /etc/httpd/conf.modules.d/00-mpm.conf ========================"
+cat /etc/httpd/conf.modules.d/00-mpm.conf
+echo ""
+
+j2 /tmp/httpd.conf.j2 | sed '/^\s*$/d' > /etc/httpd/conf/httpd.conf
+
+echo "=================== /etc/httpd/conf/httpd.conf ========================"
+cat /etc/httpd/conf/httpd.conf
+echo ""
+
+if [ -f /opt/rucio/etc/rucio.cfg ]; then
+    echo "rucio.cfg already mounted."
+else
+    echo "rucio.cfg not found. will generate one."
+    j2 /tmp/rucio.cfg.j2 | sed '/^\s*$/d' > /opt/rucio/etc/rucio.cfg
+fi
+
+echo "=================== /opt/rucio/etc/rucio.cfg ============================"
+cat /opt/rucio/etc/rucio.cfg
+echo ""
+
+j2 /tmp/rucio.conf.j2 | sed '/^\s*$/d' > /etc/httpd/conf.d/rucio.conf
+
+echo "=================== /etc/httpd/conf.d/rucio.conf ========================"
+cat /etc/httpd/conf.d/rucio.conf
+echo ""
+
+httpd -D FOREGROUND

ui/httpd.conf.j2

@@ -0,0 +1,86 @@
+ServerRoot "/etc/httpd"
+Include conf.modules.d/*.conf
+User apache
+Group apache
+ServerAdmin root@localhost
+<Directory />
+    Options FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+DocumentRoot "/var/www/html"
+<Directory "/var/www">
+    AllowOverride None
+    # Allow open access:
+    Require all granted
+</Directory>
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+<Files ".ht*">
+    Require all denied
+</Files>
+
+ErrorLog "logs/error_log"
+
+LogLevel warn
+
+<IfModule log_config_module>
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      # You need to enable mod_logio.c to use %I and %O
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+    CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule alias_module>
+    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+</IfModule>
+
+<Directory "/var/www/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<IfModule mime_module>
+    TypesConfig /etc/mime.types
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+    MIMEMagicFile conf/magic
+</IfModule>
+
+EnableSendfile on
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf
+
+{% if RUCIO_HTTPD_MPM_MODE is defined and RUCIO_HTTPD_MPM_MODE == "prefork" -%}
+StartServers         {{ RUCIO_HTTPD_START_SERVERS | default('8') }}
+MinSpareServers      {{ RUCIO_HTTPD_MIN_SPARE_SERVERS | default('5') }}
+MaxSpareServers      {{ RUCIO_HTTPD_MAX_SPARE_SERVERS | default('20') }}
+ServerLimit          {{ RUCIO_HTTPD_SERVER_LIMIT | default('256') }}
+MaxClients           {{ RUCIO_HTTPD_MAX_CLIENTS | default('256') }}
+MaxRequestsPerChild  {{ RUCIO_HTTPD_MAX_REQUESTS_PER_CHILD | default('4000') }}
+{% else %}
+StartServers         {{ RUCIO_HTTPD_START_SERVERS | default('1') }}
+MaxClients           {{ RUCIO_HTTPD_MAX_CLIENTS | default('20') }}
+MinSpareThreads      {{ RUCIO_HTTPD_MIN_SPARE_THREADS | default('1') }}
+MaxSpareThreads      {{ RUCIO_HTTPD_MAX_SPARE_THREADS | default('20') }}
+ThreadsPerChild      {{ RUCIO_HTTPD_THREADS_PER_CHILD | default('5') }}
+MaxRequestsPerChild  {{ RUCIO_HTTPD_MAX_REQUESTS_PER_CHILD | default('8192') }}
+{% endif %}

ui/rucio.cfg.j2

@@ -0,0 +1,50 @@
+[common]
+logdir = {{ RUCIO_CFG_COMMON_LOGDIR | default('/var/log/rucio') }}
+loglevel = {{ RUCIO_CFG_COMMON_LOGLEVEL | default('DEBUG') }}
+mailtemplatedir = {{ RUCIO_CFG_COMMON_MAILTEMPLATEDIR | default('/opt/rucio/etc/mail_templates') }}
+
+[database]
+default = {{ RUCIO_CFG_DATABASE_DEFAULT | default('sqlite:////tmp/rucio.db') }}
+{% if RUCIO_CFG_DATABASE_SCHEMA is defined %}
+schema = {{ RUCIO_CFG_DATABASE_SCHEMA }}
+{%- endif %}
+pool_reset_on_return = {{ RUCIO_CFG_DATABASE_POOL_RESET_ON_RETURN | default('rollback') }}
+echo = {{ RUCIO_CFG_DATABASE_ECHO | default('0') }}
+pool_recycle = {{ RUCIO_CFG_DATABASE_POOL_RECYCLE | default('600') }}
+{% if RUCIO_CFG_DATABASE_POOL_SIZE is defined %}pool_size = {{ RUCIO_CFG_DATABASE_POOL_SIZE }}{% endif %}
+{% if RUCIO_CFG_DATABASE_POOL_TIMEOUT is defined %}pool_timeout = {{ RUCIO_CFG_DATABASE_POOL_TIMEOUT }}{% endif %}
+{% if RUCIO_CFG_DATABASE_MAX_OVERFLOW is defined %}max_overflow = {{ RUCIO_CFG_DATABASE_MAX_OVERFLOW }}{% endif %}
+{% if RUCIO_CFG_DATABASE_POWUSERACCOUNT is defined %}powuseraccount = {{ RUCIO_CFG_DATABASE_POWUSERACCOUNT }}{% endif %}
+{% if RUCIO_CFG_DATABASE_POWUSERPASSWORD is defined %}powuserpassword = {{ RUCIO_CFG_DATABASE_POWUSERPASSWORD }}{% endif %}
+
+[monitor]
+carbon_server = {{ RUCIO_CFG_MONITOR_CARBON_SERVER | default('localhost') }}
+carbon_port = {{ RUCIO_CFG_MONITOR_CARBON_PORT | default('8125') }}
+user_scope = {{ RUCIO_CFG_MONITOR_USER_SCOPE | default('default_docker') }}
+
+[trace]
+tracedir = {{ RUCIO_CFG_TRACE_TRACEDIR | default('/var/log/rucio/trace') }}
+brokers = {{ RUCIO_CFG_TRACE_BROKERS | default('localhost') }}
+port = {{ RUCIO_CFG_TRACE_PORT | default('61013') }}
+{%- if RUCIO_CFG_TRACE_USERNAME is defined -%}username = {{ RUCIO_CFG_TRACE_USERNAME }}{% endif %}
+{%- if RUCIO_CFG_TRACE_PASSWORD is defined -%}password = {{ RUCIO_CFG_TRACE_PASSWORD }}{% endif %}
+topic = {{ RUCIO_CFG_TRACE_TOPIC | default('/topic/rucio.tracer') }}
+
+[nongrid_trace]
+tracedir = {{ RUCIO_CFG_NONGRID_TRACE_TRACEDIR | default('/var/log/rucio/trace') }}
+brokers = {{ RUCIO_CFG_NONGRID_TRACE_BROKERS | default('localhost') }}
+port = {{ RUCIO_CFG_NONGRID_TRACE_PORT | default('61013') }}
+{%- if RUCIO_CFG_NONGRID_TRACE_USERNAME is defined -%}username = {{ RUCIO_CFG_NONGRID_TRACE_USERNAME }}{% endif %}
+{%- if RUCIO_CFG_NONGRID_TRACE_PASSWORD is defined -%}password = {{ RUCIO_CFG_NONGRID_TRACE_PASSWORD }}{% endif %}
+topic = {{ RUCIO_CFG_NONGRID_TRACE_TOPIC | default('/topic/rucio.tracer') }}
+
+[policy]
+permission = {{ RUCIO_CFG_POLICY_PERMISSION | default('generic') }}
+schema = {{ RUCIO_CFG_POLICY_SCHEMA | default('generic') }}
+lfn2pfn_algorithm_default = {{ RUCIO_CFG_POLICY_LFN2PFN_ALGORITHM_DEFAULT | default('hash') }}
+support = {{ RUCIO_CFG_POLICY_SUPPORT | default('https://github.com/rucio/rucio/issues/') }}
+support_rucio = {{ RUCIO_CFG_POLICY_SUPPORT_RUCIO | default('https://github.com/rucio/rucio/issues/') }}
+{% if RUCIO_CFG_POLICY_LFN2PFN_MODULE is defined %}lfn2pfn_module = {{ RUCIO_CFG_POLICY_LFN2PFN_MODULE }}{% endif %}
+
+[webui]
+usercert = {{ RUCIO_CFG_WEBUI_USERCERT | default('/opt/rucio/etc/usercert_with_key.pem') }}

ui/rucio.conf.j2

@@ -0,0 +1,84 @@
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+LoadModule unique_id_module modules/mod_unique_id.so
+LoadModule wsgi_module /usr/lib64/httpd/modules/mod_wsgi.so
+
+Listen 443
+Listen 80
+
+Header set X-Rucio-Host "%{HTTP_HOST}e"
+RequestHeader add X-Rucio-RequestId "%{UNIQUE_ID}e"
+
+{% if RUCIO_LOG_FORMAT is defined %}
+LogFormat "{{ RUCIO_LOG_FORMAT }}" combinedrucio
+{% else %}
+LogFormat "%h\t%t\t%{X-Rucio-Forwarded-For}i\t%T\t%D\t\"%{X-Rucio-Auth-Token}i\"\t%{X-Rucio-RequestId}i\t%{X-Rucio-Client-Ref}i\t\"%r\"\t%>s\t%b" combinedrucio
+{% endif %}
+
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule cache_disk_module modules/mod_cache_disk.so
+
+CacheEnable disk /
+CacheRoot /tmp
+
+{% if RUCIO_HOSTNAME is defined %}
+<VirtualHost *:80>
+ ServerName {{ RUCIO_HOSTNAME }}:80
+ Redirect / https://{{ RUCIO_HOSTNAME }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ RUCIO_HOSTNAME }}:443
+{% else %}
+<VirtualHost *:443>
+{% endif %}
+{% if RUCIO_SERVER_ADMIN is defined %}
+ ServerAdmin {{ RUCIO_SERVER_ADMIN }}
+{% else %}
+ ServerAdmin [email protected]
+{% endif %}
+
+ SSLEngine on
+ SSLCertificateFile /etc/grid-security/hostcert.pem
+ SSLCertificateKeyFile /etc/grid-security/hostkey.pem
+{% if RUCIO_CA_PATH is defined %}
+ SSLCACertificatePath {{ RUCIO_CA_PATH }}
+ SSLCARevocationPath {{ RUCIO_CA_PATH }}
+{% else %}
+ SSLCACertificateFile /etc/grid-security/ca.pem
+{% endif %}
+ SSLVerifyClient optional_no_ca
+ SSLVerifyDepth 10
+ SSLOptions +StdEnvVars
+ SSLProxyEngine On
+
+ #AB: SSLv3 disable
+ SSLProtocol              all -SSLv2 -SSLv3
+ #AB: for Security
+ SSLCipherSuite           HIGH:!CAMELLIA:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!3DES
+{% if RUCIO_LOG_LEVEL is defined %}
+ LogLevel {{ RUCIO_LOG_LEVEL }}
+{% else %}
+ LogLevel info
+{% endif %}
+
+{% if RUCIO_ENABLE_LOGFILE|default('False') == 'True' %}
+ CustomLog logs/access_log combinedrucio
+ ErrorLog logs/error_log
+{% else %}
+ CustomLog /dev/stdout combinedrucio
+ ErrorLog /dev/stderr
+{% endif %}
+
+ Alias /media                 /usr/lib/python2.7/site-packages/rucio/web/ui/media
+ Alias /static                /usr/lib/python2.7/site-packages/rucio/web/ui/static
+ WSGIScriptAlias /            /usr/lib/python2.7/site-packages/rucio/web/ui/main.py
+
+{% if RUCIO_PROXY is defined %}
+  ProxyPass /proxy             https://{{ RUCIO_PROXY }}
+  ProxyPassReverse /proxy      https://{{ RUCIO_PROXY }}
+{% endif %}
+{% if RUCIO_AUTH_PROXY is defined %}
+  ProxyPass /authproxy             https://{{ RUCIO_AUTH_PROXY }}
+  ProxyPassReverse /authproxy      https://{{ RUCIO_AUTH_PROXY }}
+{% endif %}
+</VirtualHost>