November 30, 2018 | Written by: Jon Harry
Categorized: Access and Authentication | Getting Started
This post has moved…
An updated version of this post is available in the IAM Group section of the IBM Security Community.
If you want to try out IBM Security Access Manager on Docker, but you don’t have a Docker environment, this post provides step-by-step instructions for setting up a CentOS 7 Linux machine and then installing Docker Community Edition, docker-compose, minikube (a local Kubernetes cluster), and kubectl (the Kubernetes command-line client).
Once you have completed the steps in this post, you’ll be able to use my Access Manager with Docker and Access Manager with Kubernetes cookbooks to explore Access Manager on Docker.
For my environment, I used a virtual machine running under VMware, but you could use a different hypervisor or a physical machine. For my virtual machine I used these settings:
- 8GB Memory (4GB is enough without minikube)
- 30GB Disk
- 4 CPUs (2 CPUs is enough without minikube)
- Enable nested hypervisor support (required for minikube)
Install CentOS 7
The first step of the setup is to install CentOS 7. I used the CentOS 7 Minimal ISO from the CentOS web site.
Here are a few notes on the installation:
- You can use Automatic Partitioning. The XFS filesystem settings in the latest CentOS 7 installer will work fine with the Docker overlay2 filesystem.
- Be sure to go into the Network & Host name section to enable your network card. Set a hostname and domain to give your machine a unique name.
- While the installation is running, you are asked to set a password for the root user and create a standard user. I created a standard user with a username of demouser, but you can choose your own name.
At the end of the installation you will reboot the system and end up at a login prompt.
Set up Graphical Desktop
To create a standalone system, install the X Window system, a desktop manager, and a browser. You can choose your own if you like but here are instructions for installing a minimal Gnome Desktop, a file editor, and the Firefox browser.
Log in to the system as root. Rather than logging in at the console, you might prefer to connect with ssh so that you can cut and paste from this post.
Enter these commands:
yum -y update
yum -y groupinstall "X Window System"
yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center dejavu-sans-mono-fonts firefox gedit open-vm-tools-desktop
ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
Reboot the system.
Install a few useful utilities
Log in to the system as root. You can connect with ssh or use the graphical console.
Enter the following commands to install some useful utilities:
yum -y install open-vm-tools unzip net-tools git bash-completion xdg-utils openldap-clients wget
Install Docker Community Edition
You will now install Docker Community Edition. This is done by adding the Docker CE repository to yum and then installing. This allows updates to be managed by the update manager.
As root, enter the following commands to install Docker CE and set it to auto-start:
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager -y --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl enable docker
systemctl start docker
The docker-compose utility allows some basic automation of a Docker environment.
As root, enter the following commands to download and install:
curl -L https://github.com/docker/compose/releases/download/1.24.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
curl -L https://raw.githubusercontent.com/docker/compose/1.24.0/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
Install Kubernetes command-line client
Kubernetes clusters are managed using a REST API. The kubectl utility provides a command-line client for this REST API.
As root, enter the following commands to add the Kubernetes repository to yum and install:
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
yum install -y kubectl
echo "source <(kubectl completion bash)" >> /etc/bashrc
Install KVM and Minikube
Minikube is a self-contained Kubernetes cluster that can run locally under a hypervisor. In this case it will be installed under the KVM hypervisor.
As root, enter the following commands to install KVM and Minikube:
yum install -y qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils libvirt-daemon-kvm
systemctl enable libvirtd
systemctl start libvirtd
curl -Lo minikube https://storage.googleapis.com/minikube/releases/v1.0.1/minikube-linux-amd64 && chmod +x minikube && cp minikube /usr/local/bin/ && rm -f minikube
curl -LO https://storage.googleapis.com/minikube/releases/v1.0.1/docker-machine-driver-kvm2 \
&& install docker-machine-driver-kvm2 /usr/local/bin/ && rm -f docker-machine-driver-kvm2
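The docker-compose and minikube steps above download binaries with curl and install them straight into /usr/local/bin. As an added example (not part of the original post), these shell functions install a file only after its SHA-256 digest matches a checksum file. The function names and the .sha256 URL shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded binary
# against a SHA-256 checksum file before installing it.

# read_digest FILE: print the digest from a checksum file. Accepts a bare
# digest or sha256sum's "digest  filename" layout; rejects anything else,
# such as an HTML error page saved by curl when -f is not used.
read_digest() {
  local d
  d=$(awk 'NR==1 {print tolower($1)}' "$1" 2>/dev/null) || return 1
  printf '%s\n' "$d" | grep -Eq '^[0-9a-f]{64}$' || return 1
  printf '%s\n' "$d"
}

# install_verified FILE SUMFILE DEST: install FILE to DEST with mode 0755
# only if its SHA-256 matches. Returns 0 installed, 1 mismatch, 2 unusable input.
install_verified() {
  local file sumfile dest want got
  file=$1; sumfile=$2; dest=$3
  want=$(read_digest "$sumfile") || {
    echo "unusable checksum file: $sumfile" >&2; return 2; }
  [ -f "$file" ] || { echo "missing download: $file" >&2; return 2; }
  got=$(sha256sum "$file" | awk '{print $1}')
  if [ "$got" != "$want" ]; then
    echo "SHA-256 mismatch for $file (got $got, want $want)" >&2
    return 1
  fi
  install -m 0755 "$file" "$dest"
}

# How it would replace the minikube step above (run as root). Assumption:
# a .sha256 file is published beside the binary at the same URL.
#   url=https://storage.googleapis.com/minikube/releases/v1.0.1/minikube-linux-amd64
#   curl -fsSLo minikube "$url"
#   curl -fsSLo minikube.sha256 "$url.sha256"
#   install_verified minikube minikube.sha256 /usr/local/bin/minikube
```

A checksum fetched from the same server detects truncated or corrupted downloads but not a compromised origin. To cover that case, record the expected digest in your own provisioning notes and compare against that copy.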
Add standard user to docker and libvirt groups
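If you want a standard user to be able to run Docker commands, they must be added to the docker group. If you want a standard user to be able to start Minikube, they must be added to the libvirt group. Membership of the docker group gives the user root-equivalent control of the host through the Docker daemon, so add only accounts you would trust with root.
As root, enter the following commands (replacing demouser with the username of your standard user):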
usermod -aG docker demouser
usermod -aG libvirt demouser
The installation is complete. To activate KVM you must now reboot the system.
Set minikube configuration
Once your system has rebooted, log in as the standard user that you created during CentOS 7 installation. In my case the user is demouser.
Enter the following commands to set the minikube configuration:
minikube config set vm-driver kvm2
minikube config set memory 4096
minikube config set cpus 4
Start minikube for the first time
As the standard user, enter the following command to start minikube for the first time:
This first start can take several minutes as assets are downloaded from the internet to initialize the Kubernetes system.
Once minikube has started successfully you can stop it again to reduce CPU and memory usage:
As the standard user, run a test Docker container:
docker run --name test hello-world
You should see the following output:
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
d1725b59e92d: Pull complete
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
For more examples and ideas, visit:
The container has started, output a welcome message, and stopped. To keep things tidy, delete the stopped container and the image using the following commands:
docker rm test
docker rmi hello-world
Congratulations! You now have a working Docker environment in which you can explore installation of IBM Security Access Manager using Docker, docker-compose, and Kubernetes.
Prepare for Cookbook
Clone scripts from isamdocker git repository
As the standard user, clone the git repository that contains the scripts used by my cookbook and link into the user’s home directory:
git clone https://github.com/jonpharry/isamdocker.git ~/isamdocker
ln -s ~/isamdocker/studentfiles/container-install ~/studentfiles/container-install
Add entries to /etc/hosts
As root, enter the following command to add a couple of static host mappings:
cat <<EOF >> /etc/hosts