Deploying #OpenAM instances in #Docker

Deploying services with Docker has become pretty popular in the DevOps world (understatement).

I want to demonstrate how to deploy an instance of ForgeRock’s OpenAM and OpenDJ using Docker.

Essentially, this is my ForgeRock Docker cheat sheet.

Setup:
I am running this on a virtual Ubuntu instance in VirtualBox on my laptop. You can run Docker on both Windows and OS X too … I just personally prefer Linux.

Step 1: Install Docker:
https://docs.docker.com/engine/installation/linux/ubuntulinux/

Step 2: Clone ForgeRock Docker Files:

cd /home/brad/Dev/

Use git to clone from: https://stash.forgerock.org/projects/DOCKER/repos/docker/browse

This will create a directory called “docker” in the above path.

Step 3: Build Files:

cd /home/brad/Dev/docker
make clean
make

At this point a few images have been created on your local host. To view the images:

docker images

 

OpenDJ Instance:
Note: the first time you run an instance you need to create the “dj” directory (persistent storage) first,
e.g.:

cd /home/brad
mkdir dj   # <-- just run this once; the first time you launch an instance on this host
docker run -d -p 1389:389 -v `pwd`/dj:/opt/opendj/instances/instance1 -t 9f332a0fbb88

To enable a persistent store you can use Docker’s volume capability. In the above command, “-v `pwd`/dj:/opt/opendj/instances/instance1” tells Docker to copy “/opt/opendj/instances/instance1” from the running instance to `pwd`/dj on the Docker host. You can then kill this instance and launch a new one, referring to the same volume.

To view the running docker instances:

docker ps

Now when we launch OpenAM, we’ll want to allow it to access the OpenDJ container. By default Docker does not set up this networking, but we can create a link (see the run command below). Using the link parameter, Docker will edit the /etc/hosts file on the OpenAM container and create a “link” to the OpenDJ server.

OpenAM:

cd /home/brad
mkdir am   # <-- just run this once; the first time you launch an instance on this host
docker run -d -p 8080:8080 -v `pwd`/am:/root/openam --link dreamy_hypatia:opendj -t c02f00f42e18

As we did with OpenDJ, we tell Docker to create a volume on the Docker host and copy the OpenAM configurations to this location. This allows us to launch a new instance without having to reconfigure OpenAM.
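
The OpenDJ and OpenAM launch steps above as a single script, added here as an example and not part of the original post. It assumes a fixed container name (`--name opendj`) so that `--link` does not depend on an auto-generated name such as dreamy_hypatia, and it publishes both ports on 127.0.0.1 only; the variable and function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): both launch commands as one script.
# Image IDs are the ones shown in the post; take yours from `docker images`.
DJ_IMAGE="${DJ_IMAGE:-9f332a0fbb88}"
AM_IMAGE="${AM_IMAGE:-c02f00f42e18}"
DJ_NAME="${DJ_NAME:-opendj}"         # assumption: fixed name instead of an auto-generated one
BIND_ADDR="${BIND_ADDR:-127.0.0.1}"  # assumption: publish ports on loopback only
DATA_ROOT="${DATA_ROOT:-$(pwd)}"     # host directory that holds dj/ and am/

# Execute the command when RUN=1, otherwise only print it (dry run).
run() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else echo "$@"; fi
}

# OpenDJ: LDAP port 389 published on host port 1389, instance data kept in $DATA_ROOT/dj.
start_opendj() {
    run docker run -d --name "$DJ_NAME" -p "$BIND_ADDR:1389:389" \
        -v "$DATA_ROOT/dj:/opt/opendj/instances/instance1" -t "$DJ_IMAGE"
}

# OpenAM: --link adds an /etc/hosts entry so the OpenDJ container resolves as "opendj".
start_openam() {
    run docker run -d -p "$BIND_ADDR:8080:8080" \
        -v "$DATA_ROOT/am:/root/openam" --link "$DJ_NAME:opendj" -t "$AM_IMAGE"
}

main() {
    # mkdir -p is safe to repeat, so the "first launch only" step needs no special case.
    run mkdir -p "$DATA_ROOT/dj" "$DATA_ROOT/am"
    start_opendj && start_openam
}

main
```

Run it as is to print the commands; set RUN=1 to execute them.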

Next Steps:
There are a lot of things that I did not cover in this post, specifically running multiple instances for scalability. OpenDJ would need to be configured for replication and OpenAM would need to be configured to join a Site. I plan on covering these things in a future post.

Also, I didn’t cover Docker best practices (specifically security). In your environment, treat your container ids as you would passwords.

Lastly, I plan on exploring other options for persistent storage, in future posts. I am pretty sure there are better alternatives than storing this data on the Docker host’s filesystem. Possibly looking at creating another Docker container specifically for storage.

Acknowledgements:
Warren Strange (ForgeRock) … he’s constantly producing awesome and developed a lot (probably most) of the capability around the ForgeRock docker instances

My friends at GoodDogLabs for mentoring me on all things Docker

Also, I have been gleaning a lot of Docker tips from @frazelledazzell … she drops a ton of Docker knowledge via Twitter and her blog.

 

This blog post was first published @ http://tumy-tech.com, included here with permission.

6 Comments


  1. usowmyas 3 years ago

    Hi, I’m doing a Docker for the OpenAM Apache Web Agent. I got it working the 1st time in 30 mins!! :)

    When I tried the same thing a second time, I’m getting this error and am just not able to resolve it.

    [root@ba5fdc467f62 opt]# tail -f /etc/httpd/logs/error_log
    [Tue May 10 10:10:12.465343 2016] [suexec:notice] [pid 1] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue May 10 10:10:12.474240 2016] [auth_digest:notice] [pid 1] AH01757: generating secret for digest authentication ...
    [Tue May 10 10:10:12.474851 2016] [lbmethod_heartbeat:notice] [pid 1] AH02282: No slotmem from mod_heartmonitor
    [Tue May 10 10:10:12.500238 2016] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.6 (CentOS) OpenAM Web Agent/4.0.0-SNAPSHOT configured -- resuming normal operations
    [Tue May 10 10:10:12.500254 2016] [core:notice] [pid 1] AH00094: Command line: 'httpd -D FOREGROUND'
    [Tue May 10 10:11:22.716411 2016] [amagent:error] [pid 22] [client 125.16.15.17:55998] OpenAM Web Agent is not configured to handle the request to / (unable to get agent configuration instance, configuration: /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf, error: max number of retries exhausted)
    [Tue May 10 10:11:30.772343 2016] [amagent:error] [pid 22] [client 125.16.15.17:55998] OpenAM Web Agent is not configured to handle the request to /.noindex.html (unable to get agent configuration instance, configuration: /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf, error: max number of retries exhausted)
    [Tue May 10 10:17:11.158133 2016] [amagent:error] [pid 24] [client 125.16.15.17:6905] OpenAM Web Agent is not configured to handle the request to / (unable to get agent configuration instance, configuration: /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf, error: max number of retries exhausted)
    [Tue May 10 10:17:19.213945 2016] [amagent:error] [pid 24] [client 125.16.15.17:6905] OpenAM Web Agent is not configured to handle the request to /.noindex.html (unable to get agent configuration instance, configuration: /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf, error: max number of retries exhausted)
    [Tue May 10 10:17:37.810655 2016] [amagent:error] [pid 54] [client 125.16.15.17:2530] OpenAM Web Agent is not configured to handle the request to / (unable to get agent configuration instance, configuration: /opt/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf, error: max number of retries exhausted)agent.conf

    file permissions for agent.conf
    -rw-r--r-- 1 root root 6793 May 10 11:38 agent.conf
    -rwxr-xr-x 1 root root 6793 May 10 11:38 agent.conf.bak

    which already has read permissions.

    [root@f0c07c4865fc opt]# ps aux | egrep '(apache|httpd)'
    root 1 0.0 4.0 508496 41392 ? Ssl 11:38 0:02 httpd -DFOREGROUND
    root 45 0.0 0.0 4360 672 ? S 11:38 0:00 tail -f /etc/httpd/logs/error_log
    apache 2180 0.0 0.6 500420 6576 ? S 14:21 0:00 httpd -DFOREGROUND
    apache 2181 0.0 0.4 500300 4360 ? S 14:21 0:00 httpd -DFOREGROUND
    apache 2182 0.0 0.4 500300 4360 ? S 14:21 0:00 httpd -DFOREGROUND
    apache 2183 0.0 0.4 500300 4360 ? S 14:21 0:00 httpd -DFOREGROUND
    apache 2184 0.0 0.4 500300 4360 ? S 14:21 0:00 httpd -DFOREGROUND
    apache 3469 0.0 0.4 500300 4360 ? S 16:00 0:00 httpd -DFOREGROUND
    root 3523 0.0 0.0 9044 860 ? S+ 16:03 0:00 grep -E --color=auto (apache|httpd)

  2. usowmyas 3 years ago

    I did something similar to wstrange/apache-agent-nightly, but instead of Ubuntu, I used centos:latest

  3. usowmyas 3 years ago

    Also, one more question regarding the OpenAM and OpenDJ Dockers: for some reason, my Dockers just die after 2 weeks and I need to restart them again; sometimes I need to terminate the EC2 and create a new one because the Docker service just hangs …

    I guess it’s more of managing Docker than OpenAM deployment, or is it? **)

  4. dhorbyspringer 3 years ago

    Very useful post. One minor thing. The -link on the last command should be --link

  5. raje@gworks.mobi 2 years ago

    I tried to pull the OpenAM Docker following the document above

    >Use git to clone from: https://stash.forgerock.org/projects/DOCKER/repos/docker/browse

    >This will create a directory called “docker” in the above path.

    so I tried, but it throws the error below,

    # git clone https://stash.forgerock.org/projects/DOCKER/repos/docker/browse
    Cloning into 'browse'...
    fatal: https://stash.forgerock.org/projects/DOCKER/repos/docker/browse/info/refs not valid: is this a git repository?

    Please suggest how to pull the official OpenAM Docker image.

  6. bbos 2 years ago

    That repo doesn’t exist.
