Docker Compose support
Docker Compose provides a simple mechanism for defining multi-container environments.
Developers who want to familiarize themselves with the anatomy of an ISAM Docker environment can use the following sample .yaml and .env files to build an environment on their workstation for development purposes. This practical example illustrates the composition of a Security Verify Access Docker environment.
version: '3'

services:

  #
  # Security Verify Access Containers
  #

  isva-config:
    image: ibmcom/verify-access:${ISAM_VERSION}
    hostname: isva-conf
    environment:
      - SERVICE=config
      # - SNAPSHOT=${SNAPSHOT}
      # - FIXPACKS=${FIXPACKS}
      # - ADMIN_PWD=${ADMIN_PWD}
      - CONTAINER_TIMEZONE=${TIMEZONE}
    volumes:
      - ./isva-volume:/var/shared
      - ./isva-logs/conf:/var/application.logs
    ports:
      - ${CONFIG_HTTPS_PORT}:9443
    depends_on:
      - isva-ldap
      - isva-db
    cap_add:
      - SYS_PTRACE
      - SYS_RESOURCE

  isva-webseal:
    image: ibmcom/verify-access:${ISAM_VERSION}
    hostname: isva-webseal
    environment:
      - SERVICE=webseal
      - INSTANCE=${WEBSEAL_INSTANCE_NAME}
      # - SNAPSHOT=${SNAPSHOT}
      # - FIXPACKS=${FIXPACKS}
      # - ADMIN_PWD=${ADMIN_PWD}
      - CONTAINER_TIMEZONE=${TIMEZONE}
    volumes:
      - ./isva-volume:/var/shared
      - ./isva-logs/webseal:/var/application.logs
    ports:
      - "${WEBSEAL_HTTPS_PORT}:443"
      - "${WEBSEAL_HTTP_PORT}:80"
    depends_on:
      - isva-ldap
      - isva-dsc
    cap_add:
      - SYS_PTRACE
      - SYS_RESOURCE

  isva-aac:
    image: ibmcom/verify-access:${ISAM_VERSION}
    hostname: isva-aac
    environment:
      - SERVICE=runtime
      # - SNAPSHOT=${SNAPSHOT}
      # - FIXPACKS=${FIXPACKS}
      # - ADMIN_PWD=${ADMIN_PWD}
      - CONTAINER_TIMEZONE=${TIMEZONE}
    volumes:
      - ./isva-volume:/var/shared
      - ./isva-logs/aac:/var/application.logs
    ports:
      - "${AAC_HTTPS_PORT}:443"
      - "${AAC_HTTP_PORT}:80"
    depends_on:
      - isva-ldap
      - isva-db
      - isva-webseal
      - isva-dsc
    cap_add:
      - SYS_PTRACE
      - SYS_RESOURCE

  isva-dsc:
    image: ibmcom/verify-access:${ISAM_VERSION}
    hostname: isva-dsc
    environment:
      - SERVICE=dsc
      - INSTANCE=1
      # - SNAPSHOT=${SNAPSHOT}
      # - FIXPACKS=${FIXPACKS}
      # - ADMIN_PWD=${ADMIN_PWD}
      - CONTAINER_TIMEZONE=${TIMEZONE}
    volumes:
      - ./isva-volume:/var/shared
      - ./isva-logs/dsc:/var/application.logs
    ports:
      - "${DSC_SERVICE_PORT}:443"
      - "${DSC_REPLICA_PORT}:444"
    cap_add:
      - SYS_PTRACE
      - SYS_RESOURCE

  #
  # Service Containers
  #

  isva-ldap:
    image: ibmcom/verify-access-openldap:${ISAM_VERSION}
    hostname: isva-ldap
    environment:
      - LDAP_ADMIN_PASSWORD=${LDAP_PASSWORD}
      # - LDAP_CONFIG_PASSWORD=${LDAP_CONFIG_PASSWORD}
      # - LDAP_BASE_DN=${LDAP_BASE_DN}
      # - LDAP_TLS_VERIFY_CLIENT=${LDAP_TLS_VERIFY_CLIENT}
      # - LDAP_DOMAIN=${LDAP_DOMAIN}
      # - LDAP_ORGANISATION=${LDAP_ORGANISATION}
      # - LDAP_ENABLE_PORT_389=${LDAP_SSL_DISABLED}
    volumes:
      - libldap:/var/lib/ldap
      - ldapslapd:/etc/ldap/slapd.d
      - libsecauthority:/var/lib/ldap.secAuthority
    ports:
      # - ${LDAP_PORT}:389
      - ${LDAPS_PORT}:636

  isva-db:
    image: ibmcom/verify-access-postgresql:${ISAM_VERSION}
    hostname: isva-db
    environment:
      - POSTGRES_DB=${DB_NAME}
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_SSL_CN=${DB_CN}
      # - POSTGRES_UNSECURE=${DB_SSL_DISABLED}
    volumes:
      - pgdata:/var/lib/postgresql/data
    ports:
      - "${DB_PORT}:5432"

# Named volumes referenced by isva-ldap and isva-db.
# Compose rejects the file unless they are declared at the top level.
volumes:
  libldap:
  ldapslapd:
  libsecauthority:
  pgdata:
The environment is defined in the following .env file.
ISAM_VERSION=
TIMEZONE=Australia/Brisbane

#
# Security Verify Access CONTAINERS
#

# The name of the snapshot which is to be used when starting the container.
# The snapshot must reside in <shared-volume>/snapshots
# SNAPSHOT=

# A list of fixpacks to apply when starting the container.
# The fixpacks must reside in <shared-volume>/snapshots
# FIXPACKS=

# The password to be set for the default 'admin' user account.
# ADMIN_PWD=

# Config Container
CONFIG_HTTPS_PORT=10443

# AAC Container
AAC_HTTP_PORT=11080
AAC_HTTPS_PORT=11443

# WebSEAL default Container
WEBSEAL_INSTANCE_NAME=default
WEBSEAL_HTTP_PORT=12080
WEBSEAL_HTTPS_PORT=12443

# DSC Container
DSC_SERVICE_PORT=13443
DSC_REPLICA_PORT=13444

#
# SERVICE CONTAINERS
#

# LDAP Container
LDAP_PORT=14389
LDAPS_PORT=14636
LDAP_PASSWORD=passw0rd
LDAP_ORGANISATION=isva
LDAP_BASE_DN=cn=isva
LDAP_CONFIG_PASSWORD=passw0rd
LDAP_TLS_VERIFY_CLIENT=false
LDAP_SSL_DISABLED=true

# Database Container
DB_PORT=15432
DB_CN=isva
DB_SSL_DISABLED=false
DB_USER=postgres
DB_PASSWORD=passw0rd
DB_NAME=isva
This Docker Compose configuration defines an environment with the following containers:
- Security Verify Access containers (ibmcom/verify-access)
- Configuration container
- WebSEAL instance container
- AAC runtime container
- DSC container
- Services
- PostgreSQL server container (ibmcom/verify-access-postgresql)
- OpenLDAP server container (ibmcom/verify-access-openldap)
This environment has been created for simplicity to demonstrate:
- The concept of the shared configuration volume.
The shared configuration volume is created in a folder named 'isva-volume'. All Security Verify Access containers share this volume.
- Log file storage
The log file directories are created in a folder named 'isva-logs'. Each Security Verify Access container has its own log directory within this folder.
- Port mappings used by each container
All environment variables and port mappings are externalized to the file '.env' for convenience.
- How to persist data within the OpenLDAP and PostgreSQL containers.
The PostgreSQL and OpenLDAP containers will store their data in folders named 'db' and 'ldap' respectively.
- If you are not using the Advanced Access Control capability, you do not need the isva-postgres and isva-aac containers. However, if you are using the Federation capabilities in the environment, you will need similar containers.
- The name of the WebSEAL instance that is run in the isva-webseal container must be defined when the container is created. Customize the value of WEBSEAL_INSTANCE_NAME in .env, or create your WebSEAL instance with the default name 'default'.
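A pre-flight check for the sample .env, as an added example (not IBM's code): it flags the values that make the file unsafe to reuse outside a workstation lab, namely the empty ISAM_VERSION, the shipped passw0rd passwords, *_SSL_DISABLED=true and colliding host ports. SAMPLE_ENV is a constructed, cut-down copy of the file; the function names and the reading of *_SSL_DISABLED=true as "non-TLS connections requested" are assumptions based on the variable names on this page.

```python
import re

# Constructed sample: cut-down copy of the page's .env, with AAC_HTTPS_PORT
# changed to collide with CONFIG_HTTPS_PORT and DB_PASSWORD replaced.
SAMPLE_ENV = """\
ISAM_VERSION=
# ADMIN_PWD=
CONFIG_HTTPS_PORT=10443
AAC_HTTPS_PORT=10443
LDAP_PASSWORD=passw0rd
LDAP_SSL_DISABLED=true
DB_SSL_DISABLED=false
DB_PASSWORD=constructed-lab-value
"""
SAMPLE_DEFAULT_PASSWORDS = {"passw0rd"}  # password the sample .env ships with

def parse_env(text):
    """Return {name: value} from KEY=VALUE lines, skipping comments and blanks."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def audit_env(env):
    """Return findings for values that should not leave a workstation lab."""
    findings = []
    if not env.get("ISAM_VERSION"):
        findings.append("ISAM_VERSION: empty, so the image tag is not set")
    seen_ports = {}  # host port -> first variable that claimed it
    for key, value in env.items():
        if re.search(r"(PASSWORD|PWD)$", key):
            if not value or value in SAMPLE_DEFAULT_PASSWORDS:
                findings.append(f"{key}: empty or still the sample default")
        elif key.endswith("_SSL_DISABLED") and value.lower() == "true":
            findings.append(f"{key}: non-TLS connections requested")
        elif key.endswith("_PORT"):
            if not (value.isdecimal() and 1 <= int(value) <= 65535):
                findings.append(f"{key}: not a valid TCP port")
            elif value in seen_ports:
                findings.append(f"{key}: host port also used by {seen_ports[value]}")
            seen_ports.setdefault(value, key)
    return findings

if __name__ == "__main__":
    for finding in audit_env(parse_env(SAMPLE_ENV)):
        print("WARN", finding)
```

To check a real file, pass its contents to parse_env in place of SAMPLE_ENV and treat any finding as a reason not to expose the environment beyond the workstation.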
Quick start
Place the 'docker-compose.yaml' and '.env' files into a new directory. From that directory, execute the following command to start the test environment:
docker-compose up -d
This command will create and start all of the containers in the environment.
To access the LMI, open your web browser and visit:
https://{docker-host}:10443 or https://{docker-host}:CONFIG_HTTPS_PORT if .env has been customized
To access the ISAM CLI, execute:
docker exec -it <container-name> isva_cli
To destroy the environment, execute the following command:
docker-compose down
Note that the data stored on the shared configuration volume and in the log file directories will not be removed when the environment is destroyed.
Additional commands
Some example commands for some common Docker Compose tasks are listed in the following table:
| Task | Command |
| --- | --- |
| Run just the configuration service container and its dependencies | docker-compose run isva-config |
| Stop the LDAP service container | docker-compose stop isva-ldap |
| Remove the stopped LDAP service container | docker-compose rm isva-ldap |
| Recreate the Database service container | docker-compose up --force-recreate -d isva-db |
