IBM MQ Advanced container image

A prebuilt container image is available from the IBM® Container Registry. You can use this image with either an IBM MQ Advanced or an IBM MQ license. From IBM MQ 9.4.2, you can also use this image with the IBM MQ Native HA and Cross-Region Replication Add-on for container deployments.

Usage

To be able to use the image, you must accept the terms of the IBM MQ Advanced or IBM MQ license by setting the LICENSE environment variable. IBM MQ licenses might require further configuration; for more information, see Configuring Queue Managers with IBM MQ license annotations by using the IBM MQ Operator.

Note: From IBM MQ 9.4.2, you can configure IBM MQ licensed queue managers to use Native HA and Cross-Region Replication features by adding additional licenses to a queue manager. For more information, see Configuring Native HA and Cross-Region Replication on IBM MQ licensed Queue Managers by using the IBM MQ Operator. You cannot use Native HA features on queue managers before IBM MQ 9.4.2 that use an IBM MQ license.

Environment variables supported

AMQ_AMS_FORCE_DISABLED: Set by the IBM MQ Operator on IBM MQ licensed queue managers to prevent accidental use of the IBM MQ Advanced feature AMQ Advanced Message Security (AMS).
LANG: Set the language you want the license to be printed in.
LICENSE: Set accept to agree to the license conditions.; Set view to view the license conditions.
MQ_CMDLEVEL: Set to the MQ command level to use.
MQ_ENABLE_EMBEDDED_WEB_SERVER: Set to true to start the web server when the container starts.
MQ_ENABLE_FIPS: Set to true to enable FIPS mode. Set to false to disable FIPS mode. By default, FIPS mode is automatically enabled if the underlying Linux® host has FIPS enabled, but this option can be useful for testing.
MQ_ENABLE_METRICS: Set true to generate Prometheus metrics for your queue manager.
MQ_ENABLE_TRACE_CRTMQDIR: Set to "true" to create an IBM MQ diagnostic trace while running the crtmqdir command.
MQ_ENABLE_TRACE_CRTMQM: Set to "true" to create an MQ diagnostic trace while running the crtmqm command.
MQ_ENABLE_TRACE_STRMQM: Set to "true" to create an IBM MQ diagnostic trace while running the strmqm command.
MQ_GRACE_PERIOD: The target time in which ending the queue manager within is attempted, escalating the phases of application disconnection. Sets the endmqm -tp option used when the container terminates. See endmqm (end queue manager) for more information.
MQ_LOGGING_CONSOLE_SOURCE: Specify a comma-separated list of sources for logs that are mirrored to the container's stdout location.; Valid values are qmgr, web and mqsc.; Default value is qmgr,web.; Optional value is mqsc. This option can be used to reflect the contents of autocfgmqsc.LOG in the container log.
MQ_LOGGING_CONSOLE_FORMAT: Change the format of the logs that are printed to the container's stdout location.; Set basic to use a simple human-readable format. This is the default value.; Set json to use JSON format (one JSON object on each line).
MQ_LOGGING_CONSOLE_EXCLUDE_ID: Specify a comma-separated list of message IDs for log messages that are excluded.; The log messages still appear in the log file on disk, but are not printed to the container's stdout location.; Default value is AMQ5041I,AMQ5052I,AMQ5051I,AMQ5037I,AMQ5975I.
MQ_LOGGING_METRICS_AUDIT_ENABLED: Set to "true" to enable audit logging of access to the Prometheus metrics endpoint. Log output is sent to a JSON file in /var/mqm/errors/. You must also set MQ_ENABLE_METRICS=true, to generate the Prometheus metrics.
MQ_MULTI_INSTANCE: Set to "true" to enable running as a multi-instance queue manager. This changes the options used with endmqm.
MQ_NATIVE_HA: Set to "true" to enable Native HA. This sets the crtmqm -lr option. See crtmqm (create queue manager) for more information. You can configure other Native HA settings by mounting an INI file. See NativeHAInstance stanza of the qm.ini file and NativeHALocalInstance stanza of the qm.ini file.
MQ_NATIVE_HA_INSTANCE_0_NAME: Sets the Name attribute in the NativeHAInstance INI stanza for one of the three Native HA instances. See NativeHAInstance stanza of the qm.ini file. From IBM MQ 9.4.1, this variable is deprecated, and you should instead supply an INI file fragment in /etc/mqm.
MQ_NATIVE_HA_INSTANCE_1_NAME: Sets the Name attribute in the NativeHAInstance INI stanza for one of the three Native HA instances. See NativeHAInstance stanza of the qm.ini file. From IBM MQ 9.4.1, this variable is deprecated, and you should instead supply an INI file fragment in /etc/mqm.
MQ_NATIVE_HA_INSTANCE_2_NAME: Sets the Name attribute in the NativeHAInstance INI stanza for one of the three Native HA instances. See NativeHAInstance stanza of the qm.ini file. From IBM MQ 9.4.1, this variable is deprecated, and you should instead supply an INI file fragment in /etc/mqm.
MQ_NATIVE_HA_INSTANCE_0_REPLICATION_ADDRESS: Sets the ReplicationAddress attribute in the NativeHAInstance INI stanza for one of the three Native HA instances. See NativeHAInstance stanza of the qm.ini file. From IBM MQ 9.4.1, this variable is deprecated, and you should instead supply an INI file fragment in /etc/mqm.
MQ_NATIVE_HA_INSTANCE_1_REPLICATION_ADDRESS: Sets the ReplicationAddress attribute in the NativeHAInstance INI stanza for one of the three Native HA instances. See NativeHAInstance stanza of the qm.ini file. From IBM MQ 9.4.1, this variable is deprecated, and you should instead supply an INI file fragment in /etc/mqm.
MQ_NATIVE_HA_INSTANCE_2_REPLICATION_ADDRESS: Sets the ReplicationAddress attribute in the NativeHAInstance INI stanza for one of the three Native HA instances. See NativeHAInstance stanza of the qm.ini file. From IBM MQ 9.4.1, this variable is deprecated, and you should instead supply an INI file fragment in /etc/mqm.
MQ_NATIVE_HA_CIPHERSPEC: Sets the CipherSpec attribute in the NativeHALocalInstance INI stanza for one of the three Native HA instances. See NativeHALocalInstance stanza of the qm.ini file. From IBM MQ 9.4.1, this variable is deprecated, and you should instead supply an INI file fragment in /etc/mqm.
MQ_NATIVE_HA_KEY_REPOSITORY: Ignore automatically generated key repository for Native HA, and use the one specified. From IBM MQ 9.4.1, this variable is deprecated, and you should instead supply the location of the key repository in an INI file fragment in /etc/mqm.
MQ_QMGR_LOG_FILE_PAGES: MQ recovery log data is held in a series of files called log files. The log file size is specified in units of 4 KB pages. This environment variable sets the crtmqm -lf option. See crtmqm (create queue manager) for more information.
MQ_QMGR_NAME: Set the name you want your queue manager to be created with.

File system and mount points

/etc/mqm: Any MQSC or INI files in this directory will be processed by the queue manager when it starts. This is the directory used by the automatic configuration feature. See Automatic configuration from an MQSC script at startup and Automatic configuration of qm.ini at startup for more information.

/etc/mqm/pki/keys

Contains sub-directories with private keys in PEM format, using either PKCS #1 or unencrypted PKCS #8 key structure. Each sub-directory under /etc/mqm/pki/keys is scanned for any files with the .key extension. The public X.509 certificate chain should be in the same directory, in one or more files with the .crt extension, in PEM format. If keys are mounted in this way, then a key repository is automatically generated in /run/runmqserver/tls. The key repository will be set in the queue manager's SSLKEYR setting, and the default key (CERTLABL) will be the first name after sorting the list of key names lexicographically.

/etc/mqm/pki/trust

Contains sub-directories with public X.509 certificates in PEM format. Each sub-directory will be scanned for any .crt files, and added as trusted certificates. The certificates for any private keys are automatically trusted, and don't need to be added this way.

/etc/mqm/ha/pki/keys

Configures the keys and certificates used by Native HA for intra-cluster communication. Contains sub-directories with private keys in PEM format, using either PKCS #1 or unencrypted PKCS #8 key structure. Each sub-directory under /etc/mqm/ha/pki/keys is scanned for any files with the .key extension. The public X.509 certificate chain should be in the same directory, in one or more files with the .crt extension, in PEM format. If keys are mounted in this way, then a key repository is automatically generated, along with an INI file fragment to use that key repository. The key used will be the first name after sorting the list of key names lexicographically. The generated key repository is written into /run/runmqserver/ha/tls.

/etc/mqm/groupha/pki/keys

Configures the keys used by Native HA CRR for inter-cluster communication. Merges into the same key repository, and follows the same rules as /etc/mqm/ha/pki/keys.

/etc/mqm/groupha/pki/trust

Configures the trusted certificates used by Native HA CRR for inter-cluster communication. Contains sub-directories with public X.509 certificates in PEM format. Each sub-directory will be scanned for any .crt files, and added as trusted certificates. The certificates for any private keys are automatically trusted, and don't need to be added this way.

/etc/mqm/metrics/pki/keys

From 9.4.2.0-r1, if TLS keys are provided in this directory, and metrics are enabled for a queue manager, an HTTPS server is started on /metrics port 9157. Files in this directory should be PEM formatted:

tls.crt: Server's public X.509 certificate
tls.key: Server's private key (PKCS #1 or unencrypted PKCS #8)
ca.crt: CA's public X.509 certificate (optional)

If no TLS keys are provided, or earlier versions of IBM MQ are used, an HTTP server is started.

/etc/mqm/web

The directory tree under /etc/mqm/web is copied over the top of /var/mqm/web when the container starts. For example, you can create /etc/mqm/web/installations/Installation1/servers/mqweb/mqwebuser.xml to configure the web server. This file would be copied into right location under the /var/mqm/web, which is usually a mounted volume. See Configuring the IBM MQ Console and REST API.

/mnt/mqm

The /var/mqm directory is symbolically linked to this location. By mounting in a persistent volume into this location, you can persist the MQ data across container runs.

/mnt/mqm-log

Directory used to hold recovery log files for the queue manager. If a volume is mounted into this location, the container code sets the crtmqm -ld option. See crtmqm (create queue manager) for more information.

/mnt/mqm-data

Directory used to hold the data files for the queue manager. If a volume is mounted into this location, the container code sets the crtmqm -md option. See crtmqm (create queue manager) for more information.

/run

The container writes temporary files under this directory. If you want to use a read-only filesystem for the container, you need to mount a volume into this location, and into /tmp

/run/termination-log

If the container code encounters an error which will cause the queue manager to terminate, it will write the reason into this file. This file location is used by default in Kubernetes to retrieve termination information.

/tmp

The container writes temporary files under this directory. If you want to use a read-only filesystem for the container, you need to mount a volume into this location, and into /run