Building a sample configured IBM MQ queue manager image
Once you have built your generic base IBM MQ Docker image, you need to apply your own configuration to allow secure access. To do this, create your own Docker image, using the generic image as a parent. The following steps show you how to build a sample image, with a minimal security configuration.
Procedure
- Create a new directory, and add a file called config.mqsc, with the following contents:

    DEFINE CHANNEL(PASSWORD.SVRCONN) CHLTYPE(SVRCONN)
    SET CHLAUTH(PASSWORD.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody') +
    DESCR('Allow privileged users on this channel')
    SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
    SET CHLAUTH(PASSWORD.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
    ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
    REFRESH SECURITY TYPE(CONNAUTH)

Note that the preceding example uses simple user ID and password authentication. However, you can apply any security configuration that your enterprise requires.
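- Create a file called Dockerfile, with the following contents:

    # Parent image: the generic IBM MQ image built earlier
    FROM mq
    # Add the sample user to the mqm group and set its password.
    # The password is visible in this file and in the image history (docker history).
    RUN useradd johndoe -G mqm && \
        echo johndoe:passw0rd | chpasswd
    # The parent image's entry point runs the MQSC commands found at this location
    COPY config.mqsc /etc/mqm/

  where:
  - johndoe is the user ID to add
  - passw0rd is the original password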
- Build your custom Docker image using the following command:

    sudo docker build -t mymq .

  where "." is the directory containing the two files you have just created. Docker then creates a temporary container using that image, and runs the remaining commands.
  The RUN command adds a user named johndoe with password passw0rd, and the COPY command adds the config.mqsc file into a specific location known by the parent image.
- Run your new customized image to create a new container, with the disk image you have just created.
  Your new image layer did not specify any particular command to run, so that has been inherited from the parent image. The entry point of the parent (the code is available on GitHub):
  - Creates a queue manager
  - Starts the queue manager
  - Creates a default listener
  - Then runs any MQSC commands from /etc/mqm/config.mqsc.
  Issue the following commands to run your new customized image:

    sudo docker run \
      --env LICENSE=accept \
      --env MQ_QMGR_NAME=QM1 \
      --volume /var/example:/var/mqm \
      --publish 1414:1414 \
      --detach \
      mymq

  where the:
  - First env parameter: Passes an environment variable into the container, which acknowledges your acceptance of the license for IBM WebSphere MQ. You can also set the LICENSE variable to "view" to view the license.
  - Second env parameter: Sets the queue manager name that you are using.
  - Volume parameter: Tells the container that whatever MQ writes to /var/mqm should actually be written to /var/example on the host.
  - Publish parameter: Maps ports on the host system to ports in the container. The container runs by default with its own internal IP address, which means that you need to specifically map any ports to expose.
  - Detach parameter: Runs the container in the background.
Results
You have built a configured Docker image and can view running containers using the docker ps command. You can view the IBM MQ processes running in your container using the docker top command.
Attention: If your container is not shown when you use the docker ps command, the container might have failed. You can see failed containers using the command docker ps -a. The container ID will be shown by using the docker ps -a command, and was also printed when you issued the docker run command.
You can view the logs of a container using the docker logs ${CONTAINER_ID} command.
A common problem is that mqconfig indicates that certain kernel settings on the Docker host are not correct. Kernel settings are shared between the Docker host and containers, and need to be set correctly (see Hardware and software requirements on UNIX and Linux systems).
For example, the maximum number of open files can be set using the command sysctl fs.file-max=524288.
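
The following Python check is an added example, not part of the original page or of IBM MQ. It parses the config.mqsc file from the first step and reports which of its four controls are missing (the back-stop rule, CHCKCLNT(REQUIRED) on each SVRCONN channel, ADOPTCTX(YES), and the CONNAUTH refresh), so the file can be reviewed before it is copied into an image. The names parse_mqsc and audit are hypothetical, and the parser assumes unabbreviated keywords and '+' continuations as written on the page.

```python
import re
# Added example; parse_mqsc and audit are hypothetical names, not an IBM MQ API.
# Constructed sample: the config.mqsc from the first step of the procedure.
SAMPLE_MQSC = """\
DEFINE CHANNEL(PASSWORD.SVRCONN) CHLTYPE(SVRCONN)
SET CHLAUTH(PASSWORD.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody') +
DESCR('Allow privileged users on this channel')
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
SET CHLAUTH(PASSWORD.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
REFRESH SECURITY TYPE(CONNAUTH)
"""
ATTR = re.compile(r"(\w+)\(\s*('[^']*'|[^)]*)\)")

def _value(v):
    # MQSC folds unquoted values to uppercase; quoted values keep their case.
    v = v.strip()
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == "'" else v.upper()

def parse_mqsc(text):
    """Join '+' continuations, skip '*' comments, return (verb, {KEYWORD: value}) pairs."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith("+"):
            pending += line[:-1] + " "
            continue
        full, pending = pending + line, ""
        attrs = {k.upper(): _value(v) for k, v in ATTR.findall(full)}
        commands.append((full.split()[0].upper(), attrs))
    return commands

def audit(text):
    """Return findings; an empty list means the sample's four controls are present."""
    cmds, findings = parse_mqsc(text), []
    rules = [a for v, a in cmds if v == "SET" and "CHLAUTH" in a]
    if not any(a["CHLAUTH"] == "*" and a.get("ADDRESS") == "*"
               and a.get("USERSRC") == "NOACCESS" for a in rules):
        findings.append("no back-stop rule CHLAUTH('*') ADDRESS('*') USERSRC(NOACCESS)")
    for v, a in cmds:  # every SVRCONN defined here must require client credentials
        if v == "DEFINE" and a.get("CHLTYPE") == "SVRCONN" and not any(
                r["CHLAUTH"] == a.get("CHANNEL") and r.get("CHCKCLNT") == "REQUIRED"
                for r in rules):
            findings.append(f"{a.get('CHANNEL')}: no CHLAUTH rule with CHCKCLNT(REQUIRED)")
    if not any(v == "ALTER" and a.get("ADOPTCTX") == "YES" for v, a in cmds):
        findings.append("AUTHINFO does not set ADOPTCTX(YES)")
    if not any(v == "REFRESH" and a.get("TYPE") == "CONNAUTH" for v, a in cmds):
        findings.append("missing REFRESH SECURITY TYPE(CONNAUTH)")
    return findings
```

Calling audit() on the text of your own config.mqsc returns an empty list when all four controls are present.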