
Access Manager on Docker – Build your own environment for fun and learning


This post has moved…

An updated version of this post is available in the IAM Group section of the IBM Security Community.

Introduction

If you want to try out IBM Security Access Manager on Docker but don't have a Docker environment, this post provides step-by-step instructions for setting up a CentOS 7 Linux machine and then installing Docker Community Edition, docker-compose, minikube (a local Kubernetes cluster), and kubectl (the Kubernetes command-line client).

Once you have completed the steps in this post, you’ll be able to use my Access Manager with Docker and Access Manager with Kubernetes cookbooks to explore Access Manager on Docker.

Resource Requirements

For my environment, I used a virtual machine running under VMware, but you could use a different hypervisor or a physical machine. For my virtual machine I used these settings:

  • 8GB Memory (4GB is enough without minikube)
  • 30GB Disk
  • 4 CPUs (2 CPUs is enough without minikube)
  • Enable nested hypervisor support (required for minikube)

Install CentOS 7

The first step of the setup is to install CentOS 7. I used the CentOS 7 Minimal ISO from the CentOS web site.

Here are a few notes on the installation:

  • You can use Automatic Partitioning. The XFS filesystem settings in the latest CentOS 7 installer work with Docker's overlay2 storage driver.
  • Be sure to go into the Network & Host name section to enable your network card. Set a hostname and domain to give your machine a unique name.
  • While the installation is running, you are asked to set a password for the root user and to create a standard user. I created a standard user with the username demouser, but you can choose your own name.

At the end of the installation you will reboot the system and end up at a login prompt.

Set up Graphical Desktop

To create a standalone system, install the X Window system, a desktop manager, and a browser. You can choose your own if you like but here are instructions for installing a minimal Gnome Desktop, a file editor, and the Firefox browser.

Log in to the system as root. Rather than logging in at the console, you might prefer to connect with ssh so that you can cut and paste from this post.

Enter these commands:

yum -y update

yum -y groupinstall "X Window System"

yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center dejavu-sans-mono-fonts firefox gedit open-vm-tools-desktop

unlink /etc/systemd/system/default.target

ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target

Reboot the system.

Install a few useful utilities

Log in to the system as root. You can connect with ssh or use the graphical console.

Enter the following commands to install some useful utilities:

yum -y install open-vm-tools unzip net-tools git bash-completion xdg-utils openldap-clients wget

Install Docker Community Edition

You will now install Docker Community Edition. This is done by installing yum-utils (which provides yum-config-manager), adding the Docker CE repository to yum, and then installing from that repository, so that yum manages future updates along with the rest of the system.

As root, enter the following commands to install Docker CE and set it to auto-start:

yum install -y yum-utils device-mapper-persistent-data lvm2

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

yum install -y docker-ce

systemctl enable docker

systemctl start docker

Install docker-compose

The docker-compose utility allows some basic automation of a Docker environment.
As root, enter the following commands to download and install:

curl -L https://github.com/docker/compose/releases/download/1.24.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose

curl -L https://raw.githubusercontent.com/docker/compose/1.24.0/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose

Install Kubernetes command-line client

Kubernetes clusters are managed using a REST API. The kubectl utility provides a command-line client for this REST API.

As root, enter the following commands to add the Kubernetes repository to yum and install:

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF

yum install -y kubectl

echo "source <(kubectl completion bash)" >> /etc/bashrc

Install KVM and Minikube

Minikube is a self-contained Kubernetes cluster that can run locally under a hypervisor. In this case it will be installed under the KVM hypervisor.

As root, enter the following commands to install KVM and Minikube:

yum install -y qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils libvirt-daemon-kvm

systemctl enable libvirtd

systemctl start libvirtd

curl -Lo minikube https://storage.googleapis.com/minikube/releases/v1.0.1/minikube-linux-amd64 && chmod +x minikube && cp minikube /usr/local/bin/ && rm -f minikube

curl -LO https://storage.googleapis.com/minikube/releases/v1.0.1/docker-machine-driver-kvm2 \
&& install docker-machine-driver-kvm2 /usr/local/bin/ && rm -f docker-machine-driver-kvm2
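The yum repository written above enforces package and metadata signature checks, while docker-compose, minikube and the kvm2 driver are fetched with curl and installed without any integrity check. The following script is an added example (not part of the original post) of the two checks a practitioner would run afterwards: that kubernetes.repo still has gpgcheck and repo_gpgcheck enabled, and that each downloaded binary matches a SHA-256 digest obtained from the upstream release page. The post publishes no digests, so the <EXPECTED_SHA256> values are placeholders.

```shell
#!/bin/sh
# Added post-install checks (example code, not from the original post).
# 1. kubernetes.repo must keep yum signature checks on (gpgcheck, repo_gpgcheck, gpgkey).
# 2. Binaries fetched with curl must match a SHA-256 digest obtained out of band;
#    <EXPECTED_SHA256> is a placeholder for the digest from the upstream release page.

# repo_enforces_gpg FILE: 0 if gpgcheck=1 and repo_gpgcheck=1 are set, no section
# switches either off, and a gpgkey URL is present; 1 otherwise; 2 if unreadable.
repo_enforces_gpg() {
    file="$1"
    [ -r "$file" ] || return 2
    # An explicit opt-out anywhere in the file fails the check.
    grep -Eq '^[[:space:]]*(repo_)?gpgcheck[[:space:]]*=[[:space:]]*0' "$file" && return 1
    grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1' "$file" || return 1
    grep -Eq '^[[:space:]]*repo_gpgcheck[[:space:]]*=[[:space:]]*1' "$file" || return 1
    grep -Eq '^[[:space:]]*gpgkey[[:space:]]*=[[:space:]]*https://' "$file" || return 1
    return 0
}

# binary_matches_sha256 FILE EXPECTED_HEX: 0 if the SHA-256 of FILE equals EXPECTED_HEX
# (compared case-insensitively); 1 on mismatch; 2 if FILE is unreadable.
binary_matches_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || return 2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Run as root after the install steps; returns non-zero if any control is missing.
# Better still, run binary_matches_sha256 on each download before copying it
# into /usr/local/bin.
check_environment() {
    rc=0
    repo_enforces_gpg /etc/yum.repos.d/kubernetes.repo \
        || { echo "FAIL kubernetes.repo does not enforce GPG checks"; rc=1; }
    binary_matches_sha256 /usr/local/bin/docker-compose "<EXPECTED_SHA256>" \
        || { echo "FAIL docker-compose digest mismatch or file missing"; rc=1; }
    binary_matches_sha256 /usr/local/bin/minikube "<EXPECTED_SHA256>" \
        || { echo "FAIL minikube digest mismatch or file missing"; rc=1; }
    binary_matches_sha256 /usr/local/bin/docker-machine-driver-kvm2 "<EXPECTED_SHA256>" \
        || { echo "FAIL docker-machine-driver-kvm2 digest mismatch or file missing"; rc=1; }
    return $rc
}
```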

Add standard user to docker and libvirt groups

If you want a standard user to be able to run Docker commands, they must be added to the docker group. If you want a standard user to be able to start Minikube, they must be added to the libvirt group. Note that membership of the docker group is effectively root access to the host, since a member can start privileged containers, so only add users you would trust with root.

As root, enter the following commands (replacing demouser with the username of your standard user):

usermod -aG docker demouser

usermod -aG libvirt demouser

The installation is complete. You must now reboot the system to activate KVM.

Set minikube configuration

Once your system has rebooted, log in as the standard user that you created during CentOS 7 installation. In my case the user is demouser.

Enter the following commands to set the minikube configuration:

minikube config set vm-driver kvm2

minikube config set memory 4096

minikube config set cpus 4

Start minikube for the first time

As the standard user, enter the following command to start minikube for the first time:

minikube start

This first start can take several minutes as assets are downloaded from the internet to initialize the Kubernetes system.

Once minikube has started successfully you can stop it again to reduce CPU and memory usage:

minikube stop

Test Docker

As the standard user, run a test Docker container:

docker run --name test hello-world

You should see the following output:

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
d1725b59e92d: Pull complete 
Digest: sha256:0add3ace90ecb4adbf7777e9aacf18357296e799f81cabc9fde470971e499788
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

The container has started, output a welcome message, and stopped. To keep things tidy, delete the stopped container and the image using the following commands:

docker rm test
docker rmi hello-world

Congratulations! You now have a working Docker environment in which you can explore installation of IBM Security Access Manager using Docker, docker-compose, and Kubernetes.

Prepare for Cookbook

Clone scripts from isamdocker git repository

As the standard user, clone the git repository that contains the scripts used by my cookbook and link into the user’s home directory:

git clone https://github.com/jonpharry/isamdocker.git ~/isamdocker

mkdir ~/studentfiles

ln -s ~/isamdocker/studentfiles/container-install ~/studentfiles/container-install

Add entries to /etc/hosts

As root, enter the following command to add a couple of static host mappings:

cat <<EOF >> /etc/hosts
127.0.0.2 isam.iamlab.ibm.com
127.0.0.3 www.iamlab.ibm.com
EOF
