
This is how to set up a custom JupyterHub environment "oracle-minimal", adapting the Dockerfile from https://github.com/jupyter/docker-stacks/blob/master/minimal-notebook/Dockerfile, including an ORACLE Wallet for connecting to an ORACLE DB.

Create the following files...

Dockerfile (location: C:\oracle_minimal; UNIX (LF); UTF-8):

# Copyright (c) Jupyter Development Team.
# Distributed under the terms of the Modified BSD License.
ARG BASE_CONTAINER=jupyter/base-notebook
FROM $BASE_CONTAINER

LABEL maintainer="Jupyter Project <jupyter@googlegroups.com>"

USER root

# Install all OS dependencies for fully functional notebook server
RUN apt-get update && apt-get install -yq --no-install-recommends \
    build-essential \
    vim-tiny \
    git \
    inkscape \
    libsm6 \
    libxext-dev \
    libxrender1 \
    lmodern \
    netcat \
    # ---- nbconvert dependencies ----
    texlive-xetex \
    texlive-fonts-recommended \
    texlive-plain-generic \
    # ----
    tzdata \
    unzip \
    nano-tiny \
    && apt-get clean && rm -rf /var/lib/apt/lists/*

#BEGIN: JAVA JRE / JDK installation
RUN apt update && \
    apt install default-jre -y && \
    apt install default-jdk -y

#BEGIN: ORACLE InstantClient / ORACLE SQL*Plus / ORACLE SDK installation
COPY oracle-instantclient-basic-21.1.0.0.0-1.x86_64.rpm /
COPY oracle-instantclient-sqlplus-21.1.0.0.0-1.x86_64.rpm /
COPY oracle-instantclient-devel-21.1.0.0.0-1.x86_64.rpm /
WORKDIR /
RUN apt-get install alien -y && \
    alien -i oracle-instantclient-basic-21.1.0.0.0-1.x86_64.rpm && \
    alien -i oracle-instantclient-sqlplus-21.1.0.0.0-1.x86_64.rpm && \
    alien -i oracle-instantclient-devel-21.1.0.0.0-1.x86_64.rpm && \
    rm /oracle*.rpm && \
    apt-get install libaio1 -y && \
    echo 'export ORACLE_HOME=/usr/lib/oracle/21/client64' >> ~/.bashrc && \
    source ~/.bashrc && \
    echo '/usr/lib/oracle/21/client64/lib/' > /etc/ld.so.conf.d/oracle.conf && \
    ldconfig && \
    echo 'export LD_LIBRARY_PATH=$ORACLE_HOME/lib' >> ~/.bashrc && \
    echo 'export PATH=$PATH:$ORACLE_HOME/bin' >> ~/.bashrc && \
    echo 'export TNS_ADMIN=$ORACLE_HOME/lib/network/admin' >> ~/.bashrc && \
    source ~/.bashrc
COPY sqlnet.ora /
COPY tnsnames.ora /
WORKDIR /usr/lib/oracle/21/client64/lib/network/admin/
RUN mv -t $(pwd) /*.ora
#END: ORACLE InstantClient / ORACLE SQL*Plus / ORACLE SDK installation

#BEGIN: cx_Oracle installation
RUN python -m pip install cx_Oracle
#END: cx_Oracle installation

#BEGIN: SQLcl installation
COPY sqlcl-20.4.2.35.2359.zip /
WORKDIR /usr/lib/oracle/
RUN unzip -oq /sqlcl-20.4.2.35.2359.zip -d . && \
    rm /sqlcl*.zip && \
    echo "alias sql='/usr/lib/oracle/sqlcl/bin/sql'" >> ~/.bashrc && \
    source ~/.bashrc
#END: SQLcl installation
    
#BEGIN: Prepare ORACLE Wallet creation
COPY orapki /
COPY mkstore /
COPY create_wallet.sh /home/jovyan/
RUN mv -t /usr/lib/oracle/sqlcl/bin/ /orapki /mkstore
#END: Prepare ORACLE Wallet creation

WORKDIR $HOME

# Create alternative for nano -> nano-tiny
RUN update-alternatives --install /usr/bin/nano nano /bin/nano-tiny 10

# Switch back to jovyan to avoid accidental container runs as root
USER $NB_UID

# Executes the script create_wallet.sh, and removes the script file before starting the JupyterHub environment
CMD ~/create_wallet.sh && rm ~/create_wallet.sh && start-notebook.sh

sqlnet.ora (location: C:\oracle_minimal; UNIX (LF); UTF-8):

WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /home/jovyan/.wallet/)))
SQLNET.WALLET_OVERRIDE=TRUE
SSL_CLIENT_AUTHENTICATION = FALSE

tnsnames.ora (location: C:\oracle_minimal; UNIX (LF); UTF-8):

ORA019 =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ora019.srv.domain.com)(PORT = 1514))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCLSRV1)
    )
  )

sqlcl-20.4.2.35.2359.zip (location: C:\oracle_minimal):

Downloaded from here: https://www.oracle.com/de/tools/downloads/sqlcl-downloads.html

oracle-instantclient-basic-21.1.0.0.0-1.x86_64.rpm (location: C:\oracle_minimal):

Downloaded from here: https://www.oracle.com/de/database/technologies/instant-client/linux-x86-64-downloads.html

oracle-instantclient-sqlplus-21.1.0.0.0-1.x86_64.rpm (location: C:\oracle_minimal):

Downloaded from here: https://www.oracle.com/de/database/technologies/instant-client/linux-x86-64-downloads.html

oracle-instantclient-devel-21.1.0.0.0-1.x86_64.rpm (location: C:\oracle_minimal):

Downloaded from here: https://www.oracle.com/de/database/technologies/instant-client/linux-x86-64-downloads.html

mkstore (location: C:\oracle_minimal; UNIX (LF); UTF-8):

#!/bin/bash
# set classpath for mkstore - align this to your local SQLcl installation
SQLCL=/usr/lib/oracle/sqlcl/lib
CLASSPATH=${SQLCL}/oraclepki.jar:${SQLCL}/osdt_core.jar:${SQLCL}/osdt_cert.jar
# simulate mkstore command
java -classpath ${CLASSPATH} oracle.security.pki.OracleSecretStoreTextUI  "$@"

orapki (location: C:\oracle_minimal; UNIX (LF); UTF-8):

#!/bin/bash
# set classpath for orapki - align this to your local SQLcl installation
SQLCL=/usr/lib/oracle/sqlcl/lib
CLASSPATH=${SQLCL}/oraclepki.jar:${SQLCL}/osdt_core.jar:${SQLCL}/osdt_cert.jar
# simulate orapki command
java -classpath ${CLASSPATH} oracle.security.pki.textui.OraclePKITextUI "$@"

create_wallet.sh (location: C:\oracle_minimal; UNIX (LF); UTF-8):

# Creates a new directory ".wallet" for the ORACLE Wallet
mkdir ~/.wallet/

# Creates an empty/new ORACLE Wallet using "orapki"
/usr/lib/oracle/sqlcl/bin/orapki wallet create -wallet ~/.wallet -pwd "MyWalletPwd1!" -auto_login_local

# Stores a new Credential in the ORACLE Wallet 
# TNSNAMES-Entry: ORA019 
# DB_USERNAME: Username for TNSNAMES-Entry above
# DB_PASSWORD: Password for TNSNAMES-Entry above
/usr/lib/oracle/sqlcl/bin/mkstore -wrl ~/.wallet/ -createCredential ORA019 DB_USERNAME DB_PASSWORD <<EOF
MyWalletPwd1!
EOF

Build the Dockerfile and bind the additional resources (see above) into the Docker image using CMD.exe:

REM Change directory to have all Dockerfile resources in place
cd C:\oracle_minimal

REM Build new Docker image "oracle_minimal"
docker build -t oracle_minimal .

REM List all Docker images
docker images

REM Run Docker container using the latest "IMAGE ID", and set hostname as "jupyter-user1"
docker run --hostname jupyter-user1 -p 8888:8888 <IMAGE ID>

Open a new web browser window and paste the last URL line from the CMD window into it.

Click the New button in the Jupyter Web Interface and select the drop-down entry Terminal to start a new terminal session...

Click the New button in the Jupyter Web Interface and select the drop-down entry Python 3 to start a new Jupyter Notebook...

Comment on security:

Is it possible to steal the ORACLE Wallet files and use them as 
- another user on the SAME host
- or as the same / another user on a DIFFERENT host?

No. Because the ORACLE Wallet was created using orapki, the ORACLE Wallet is bound to the username and hostname that created it (here jovyan@jupyter-user1). Only the same combination of username and hostname that created the ORACLE Wallet can open it.

If you want to share the ORACLE Wallet across different users or hosts, use the following script content instead.

create_wallet.sh (location: C:\oracle_minimal; UNIX (LF); UTF-8):

# Creates a new directory ".wallet" for the ORACLE Wallet
mkdir ~/.wallet/

# Creates an empty/new ORACLE Wallet using "mkstore"
/usr/lib/oracle/sqlcl/bin/mkstore -wrl ~/.wallet -create <<EOF
MyWalletPwd1!
MyWalletPwd1!
EOF

# Stores a new Credential in the ORACLE Wallet 
# TNSNAMES-Entry: ORA019 
# DB_USERNAME: Username for TNSNAMES-Entry above
# DB_PASSWORD: Password for TNSNAMES-Entry above
/usr/lib/oracle/sqlcl/bin/mkstore -wrl ~/.wallet/ -createCredential ORA019 DB_USERNAME DB_PASSWORD <<EOF
MyWalletPwd1!
EOF

References

https://oracle-base.com/articles/10g/secure-external-password-store-10gr2
https://docs.oracle.com/cd/E78494_01/aip/pdf/1411/html/ig/aip-ig-apx_wallet.htm
https://ogobrecht.com/posts/2020-07-29-how-to-use-mkstore-and-orapki-with-oracle-instant-client/
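
Both create_wallet.sh versions above carry the wallet password and the DB credentials as literals, and because COPY places the file in an image layer, the rm in the CMD line removes it only from the running container, not from the image. The following variant is an added example, not part of the original answer: it reads the secrets from files mounted at container start. SECRETS_DIR, its file names, the override variables and the "run" argument are assumptions.

```sh
#!/bin/sh
# Added example: create_wallet.sh variant that takes its secrets from files
# mounted at container start instead of literals copied into the image.
# Assumptions (not in the original answer): SECRETS_DIR and its file names,
# the override variables below, and the "run" argument.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"
WALLET_DIR="${WALLET_DIR:-$HOME/.wallet}"
TNS_ALIAS="${TNS_ALIAS:-ORA019}"
ORAPKI="${ORAPKI:-/usr/lib/oracle/sqlcl/bin/orapki}"
MKSTORE="${MKSTORE:-/usr/lib/oracle/sqlcl/bin/mkstore}"

# Print the first line of a secret file (CR stripped, since the files may be
# written on Windows); fail if the file is missing or the value is empty.
read_secret() {
    [ -r "$SECRETS_DIR/$1" ] || { echo "missing secret: $1" >&2; return 1; }
    _val=$(head -n 1 "$SECRETS_DIR/$1" | tr -d '\r')
    [ -n "$_val" ] || { echo "empty secret: $1" >&2; return 1; }
    printf '%s' "$_val"
}

create_wallet() {
    umask 077    # everything created below is owner-only
    wallet_pwd=$(read_secret wallet_pwd) || return 1
    db_user=$(read_secret db_username) || return 1
    db_pass=$(read_secret db_password) || return 1
    if [ -e "$WALLET_DIR" ]; then
        echo "refusing to reuse existing $WALLET_DIR" >&2
        return 1
    fi
    mkdir -m 700 "$WALLET_DIR" || return 1
    # Same two tool invocations as in the answer. As there, the wallet
    # password (-pwd) and the DB credentials are command-line arguments and
    # therefore visible in the process list while the tools run.
    "$ORAPKI" wallet create -wallet "$WALLET_DIR" -pwd "$wallet_pwd" \
        -auto_login_local || return 1
    printf '%s\n' "$wallet_pwd" | "$MKSTORE" -wrl "$WALLET_DIR" \
        -createCredential "$TNS_ALIAS" "$db_user" "$db_pass" || return 1
    chmod 600 "$WALLET_DIR"/* || return 1
    unset wallet_pwd db_user db_pass
}

# Runs only when invoked as "create_wallet.sh run", e.g. from the CMD line.
case "${1:-}" in
    run) create_wallet ;;
esac
```

With this variant the CMD line becomes `~/create_wallet.sh run && start-notebook.sh`, and the three secret files are bind-mounted read-only at /run/secrets with `docker run -v`.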
