Building a sample configured IBM MQ queue manager image
After you have built your generic base IBM MQ container image, you need to apply your own configuration to allow secure access. To do this, you create your own container image layer, using the generic image as a parent.
Before starting
This task assumes that, when you built your sample base IBM MQ queue manager image, you used the No-Install IBM MQ package. Otherwise you cannot configure secure access using the Red Hat OpenShift Container Platform restricted Security Context Constraint (SCC). The restricted SCC, which is used by default, uses random user IDs, and prevents privilege escalation by changing to a different user. The IBM MQ traditional RPM-based installer relies on an mqm user and group, and also uses setuid bits on executable programs. In IBM MQ Version 9.2, when you use the No-Install IBM MQ package, there is no mqm user any more, nor an mqm group.
Procedure
- Create a new directory, and add a file called config.mqsc, with the following contents:

    DEFINE QLOCAL(EXAMPLE.QUEUE.1) REPLACE

  Note that the preceding example uses simple user ID and password authentication. However, you can apply any security configuration that your enterprise requires.
- Create a file called Dockerfile, with the following contents:

    FROM mq
    COPY config.mqsc /etc/mqm/

- Build your custom container image using the following command:

    docker build -t mymq .

  where "." is the directory containing the two files you have just created. Docker then creates a temporary container using that image, and runs the remaining commands.
  Note: On Red Hat Enterprise Linux (RHEL), you use the command docker (RHEL V7) or podman (RHEL V7 or RHEL V8). On Linux, you will need to run docker commands with sudo at the beginning of the command, to gain extra privileges.
- Run your new customized image to create a new container, with the disk image you have just created. Your new image layer did not specify any particular command to run, so that has been inherited from the parent image. The entry point of the parent (the code is available on GitHub):
- Creates a queue manager
- Starts the queue manager
- Creates a default listener
- Then runs any MQSC commands from /etc/mqm/config.mqsc.
Issue the following commands to run your new customized image:
    docker run \
      --env LICENSE=accept \
      --env MQ_QMGR_NAME=QM1 \
      --volume /var/example:/var/mqm \
      --publish 1414:1414 \
      --detach \
      mymq

where the:
- First env parameter: Passes an environment variable into the container, which acknowledges your acceptance of the license for IBM WebSphere MQ. You can also set the LICENSE variable to view, to view the license.
- Second env parameter: Sets the queue manager name that you are using.
- Volume parameter: Tells the container that whatever MQ writes to /var/mqm should actually be written to /var/example on the host.
- Publish parameter: Maps ports on the host system to ports in the container. The container runs by default with its own internal IP address, which means that you need to specifically map any ports that you want to expose.
- Detach parameter: Runs the container in the background.
Results
You have built a configured container image and can view running containers using the docker ps command. You can view the IBM MQ processes running in your container using the docker top command.
Attention: You can view the logs of a container using the docker logs ${CONTAINER_ID} command.
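The "Before starting" section says the restricted SCC conflicts with setuid bits and with an mqm user or group. As an added example (not part of the IBM documentation), the following script audits an unpacked copy of the image filesystem for both; the ./rootfs path and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked image filesystem for the two things the
# text says conflict with the restricted SCC: setuid/setgid files and an
# mqm user or group. The rootfs path is an assumption; one way to produce it:
#   mkdir rootfs && docker export "$(docker create mymq)" | tar -x -C ./rootfs

# Print every regular file under $1 that has the setuid or setgid bit set.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Succeed if $1/etc/passwd or $1/etc/group has an entry named mqm.
has_mqm_account() {
    for f in "$1/etc/passwd" "$1/etc/group"; do
        [ -f "$f" ] && grep -q '^mqm:' "$f" && return 0
    done
    return 1
}

# Report findings; return 0 when clean, 1 when anything was found.
audit_rootfs() {
    rootfs=$1
    status=0
    setid=$(list_setid_files "$rootfs")
    if [ -n "$setid" ]; then
        echo "setuid/setgid files found (review each one):"
        echo "$setid" | sed 's/^/  /'
        status=1
    fi
    if has_mqm_account "$rootfs"; then
        echo "mqm user or group present: image expects a fixed identity"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "no setuid/setgid files and no mqm account found"
    return "$status"
}

# Run the audit when a rootfs directory is given on the command line.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    audit_rootfs "$1"
fi
```

Setuid programs that ship with the base operating system layer are listed too, so treat the output as a review list rather than a pass/fail verdict on IBM MQ alone.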
What to do next
- If your container is not shown when you use the docker ps command, the container might have failed. You can see failed containers by using the docker ps -a command.
- When you use the docker ps -a command, the container ID is displayed. This ID was also printed when you issued the docker run command.
- You can view the logs of a container by using the docker logs ${CONTAINER_ID} command.