Install and Verify the Docker Image

This section describes the procedure to install and verify the Docker image.

Before you begin

Make sure that you have the following on your computer.
  • ICD build 7612 or later (earlier ICD builds are not supported with VNC remote diagnostics).

Procedure

  1. Install Docker. Refer to an external website, for example: https://docs.docker.com/engine/installation/.
    Note: Docker and ICD can be installed on the same machine, or Docker can be installed on another machine as necessary.
  2. Once Docker is installed, create a passwordless (key-based) SSH connection from the ICD machine to the Docker machine; the docker_launcher script runs its docker commands over this connection. Refer to an external website, for example: https://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/ or https://linuxize.com/post/how-to-setup-passwordless-ssh-login/.
    Note: The account that the key logs in as can start containers on the Docker machine, which on a Linux Docker host is equivalent to root access to that host. Use a dedicated account for the ICD machine rather than a shared administrator login, and protect the private key on the ICD machine accordingly.
  3. Depending on whether Docker is installed on Windows or Linux, update the docker_launcher.cmd or docker_launcher.sh script at the following path on the ICD machine. The script filters the docker output with grep (Linux Docker machine) or findstr (Windows Docker machine), so the lines for the other platform must stay commented out:
    • For a Windows ICD machine, update the docker_launcher.cmd script placed at path: C:\Program Files\IBM\WebSphere\AppServer\profiles\ctgAppSrv01\installedApps\ctgCell01\MAXIMO.ear\maximouiweb.war\webclient\utility

      If Docker is on a Linux machine, uncomment/comment the lines so that the commands read as follows:

      ssh $dockerCredentials "docker ps -a | grep $port_ssh"
      #ssh $dockerCredentials "docker ps -a | findstr $port_ssh"
      If Docker is on a Windows machine, uncomment/comment the lines so that the commands read as follows:
      ssh $dockerCredentials "docker ps -a | findstr $port_ssh"
      #ssh $dockerCredentials "docker ps -a | grep $port_ssh"
    • For a Linux ICD machine, update the docker_launcher.sh script placed at path: /opt/IBM/WebSphere/AppServer/profiles/ctgAppSrv01/installedApps/ctgCell01/MAXIMO.ear/maximouiweb.war/webclient/utility

      If Docker is on a Linux machine, uncomment/comment the lines so that the commands read as follows:

      ssh $dockerCredentials "docker images | grep icdvnc"
      ssh $dockerCredentials "docker ps -a | grep $port_ssh"
      #ssh $dockerCredentials "docker images | findstr icdvnc"
      #ssh $dockerCredentials "docker ps -a | findstr $port_ssh"
      If Docker is on a Windows machine, uncomment/comment the lines so that the commands read as follows:
      ssh $dockerCredentials "docker images | findstr icdvnc"
      ssh $dockerCredentials "docker ps -a | findstr $port_ssh"
      #ssh $dockerCredentials "docker images | grep icdvnc"
      #ssh $dockerCredentials "docker ps -a | grep $port_ssh"
      Note: For a Linux ICD machine, make sure that the scripts placed at path /opt/IBM/WebSphere/AppServer/profiles/ctgAppSrv01/installedApps/ctgCell01/MAXIMO.ear/maximouiweb.war/webclient/utility have the correct execute permission (755).
  4. Once Docker is installed and configured as above, follow these instructions to test the Docker image.
    1. Log in to IBM Control Desk and go to Administration > Download tools.
    2. Click Remote Diagnostic Tools. This downloads a ZIP file containing the ICDVNC.tar file and a readme, along with the Agent, User, and SystemAdministrator folders.
    3. Load the Docker image by running the following command (on Linux the file name is case sensitive, so use the name exactly as it appears in the extracted ZIP file):
      • docker load -i icdvnc.tar
    4. The Docker image is now loaded. Run the following command to check that it loaded correctly:
      • docker images
    5. Make sure that the icdvnc image is listed with the tag v1, which is the tag that the docker_launcher script and the commands below use.
    6. Start the container in container mode with the following command. The arguments after the image name are the mode, the public key, the connection timeout, and the hard timeout; for this test the value test is passed in the public key position with timeouts of 1, and --rm removes the container when it exits:
      • docker run -u vnc --rm -p 5905:22 -e SSH_ENABLE_ROOT=false icdvnc:v1 container test 1 1
    7. Start the container again in key mode to include an RSA private key by running the following command:
      • docker run -u vnc --rm -e SSH_ENABLE_ROOT=false icdvnc:v1 key TEST
    8. Make sure that no containers are left running by running the following command:
      • docker ps -a

What to do next

Once Docker is installed, run the following checks on your Docker machine and apply the security guidelines that they cover:
Note: The steps below are not mandatory, but they are recommended.
  1. Ensure that content trust for Docker is enabled
    • Run the following command; it must return a value of 1:

      echo $DOCKER_CONTENT_TRUST

      To enable content trust in a bash shell, run the following command (add it to the shell profile of the account that runs the docker commands so that it persists across sessions):

      export DOCKER_CONTENT_TRUST=1

      Note: Content trust verifies signatures on images that are pushed to or pulled from a registry. The icdvnc image is loaded from a tar file with docker load, which does not go through that check, so this setting protects the other images on the host rather than the icdvnc image itself.
  2. Ensure that, if applicable, SELinux security options are set
    • Run the following command:
      docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'
      If no options are shown (SecurityOpt=<no value> or SecurityOpt=[]), then:
      • Edit the /etc/selinux/config file, set SELINUX=enforcing.
      • Edit the /etc/sysconfig/selinux file, set SELINUX=enforcing (on many distributions this file is a symbolic link to /etc/selinux/config).
      • Start Docker in daemon mode with SELinux enabled. For example:
        docker daemon --selinux-enabled
        On current Docker releases the daemon is started as dockerd --selinux-enabled, or by setting "selinux-enabled": true in /etc/docker/daemon.json and restarting the Docker service.
  3. Run the following tests and troubleshoot as necessary:
    • Ensure that memory usage for containers is limited:
      • Run the command below; if it returns Memory=0, memory limits are not in place:
        docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'
    • Ensure that the CPU priority is set appropriately on the container:
      • Run the command below; if it returns CpuShares=0 or CpuShares=1024 (the default weight), CPU shares are not in place:
        docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'
    • Ensure that the 'on-failure' container restart policy is set with a maximum of 5 retries:
      • Run the command below; if it returns RestartPolicyName=always, or anything other than RestartPolicyName=on-failure with MaximumRetryCount=5, the recommended configuration is not in place:
        docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'
    • Ensure that the container is restricted from acquiring additional privileges:
      • Run the command below; it returns all the security options currently configured for each container, and no-new-privileges must be one of them:
        docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'
    • Ensure that a PIDs cgroup limit is used:
      • Run the command below; it must not return PidsLimit=0 or PidsLimit=-1 (newer Docker releases print PidsLimit=<nil> when no limit is set). A PIDs limit of 0 or -1 means that any number of processes can be forked concurrently inside the container:
        docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'
  4. If any of the tests in the step above fail, update the docker_launcher.sh or docker_launcher.cmd script so that the container is started with the limits in place:
    • Comment out (add a # symbol to) the following command:
        ssh $dockerCredentials "docker run -u vnc --rm -d -p $port_ssh:22 -e SSH_ENABLE_ROOT=false icdvnc:v1 container $public_key $connection_timeout $hard_timeout"
    • Uncomment (remove the # symbol from) the following command:
        #ssh $dockerCredentials "docker run -u vnc -d -p $port_ssh:22 -e SSH_ENABLE_ROOT=false --pids-limit 100 --security-opt=no-new-privileges --restart on-failure:5 --cpu-shares 256 --memory 256m icdvnc:v1 container $public_key $connection_timeout $hard_timeout"
      Note that the hardened command omits --rm, because Docker does not allow --rm together with a restart policy; stopped containers therefore remain listed in docker ps -a until they are removed.
  5. To make sure that incoming container traffic is bound to a specific host interface, update the command above as follows:
    #ssh $dockerCredentials "docker run -u vnc -d --publish <hostip>:$port_ssh:22 -e SSH_ENABLE_ROOT=false --pids-limit 100 --security-opt=no-new-privileges --restart on-failure:5 --cpu-shares 256 --memory 256m icdvnc:v1 container $public_key $connection_timeout $hard_timeout"

    where <hostip> is the IP address of the interface on the Docker machine that the ICD machine connects to (rather than 0.0.0.0, which publishes the SSH port on every interface). Remove the leading # symbol when you enable this line.
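To run the checks in step 3 as a single pass instead of six separate commands, and to see which containers still need the hardened docker run line from step 4, here is an added example that is not part of the ICD documentation or the icdvnc image. It audits one line of docker inspect output per container against the limits that the hardened command sets (--memory 256m, --cpu-shares 256, --restart on-failure:5, --pids-limit 100, --security-opt=no-new-privileges). The template ICD_AUDIT_FORMAT, the functions field, is_positive, audit_line and audit_stream, and the two sample lines are the example's own; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the ICD documentation or the icdvnc image):
# audit the HostConfig fields that the six docker inspect checks print,
# in one pass, against the limits the hardened docker_launcher line sets.

# One docker inspect template that prints every checked field on a single
# line per container. SecurityOpt is kept last because its value can
# contain spaces (for example "[no-new-privileges label=disable]").
ICD_AUDIT_FORMAT='{{ .Id }} Memory={{ .HostConfig.Memory }} CpuShares={{ .HostConfig.CpuShares }} RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }} PidsLimit={{ .HostConfig.PidsLimit }} SecurityOpt={{ .HostConfig.SecurityOpt }}'

# field LINE KEY: print the value of KEY=... from LINE (empty if absent).
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# is_positive VALUE: true only for an integer greater than zero, so
# "0", "-1", "<nil>" and an empty string all count as "no limit".
is_positive() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 0 ] ;;
    esac
}

# audit_line LINE: print "<id>: OK" or "<id>: FAIL <failed checks>";
# return 0 when every check passes, 1 otherwise.
audit_line() {
    _line=$1
    _id=${_line%% *}
    _fails=""

    # Memory=0 means no memory limit.
    is_positive "$(field "$_line" Memory)" || _fails="$_fails memory"

    # CpuShares of 0 (unset) or 1024 (the default weight) means no CPU priority.
    case "$(field "$_line" CpuShares)" in
        ''|0|1024) _fails="$_fails cpu-shares" ;;
    esac

    # Restart policy must be on-failure with a retry count of 5.
    [ "$(field "$_line" RestartPolicyName)" = on-failure ] &&
        [ "$(field "$_line" MaximumRetryCount)" = 5 ] ||
        _fails="$_fails restart-policy"

    # PidsLimit 0 or -1 means unlimited; newer daemons print <nil> when unset.
    is_positive "$(field "$_line" PidsLimit)" || _fails="$_fails pids-limit"

    # no-new-privileges must appear among the security options.
    case "${_line#*SecurityOpt=}" in
        *no-new-privileges*) ;;
        *) _fails="$_fails no-new-privileges" ;;
    esac

    if [ -z "$_fails" ]; then
        printf '%s: OK\n' "$_id"
        return 0
    fi
    printf '%s: FAIL%s\n' "$_id" "$_fails"
    return 1
}

# audit_stream: read audit lines from stdin; return 1 if any container fails.
audit_stream() {
    _rc=0
    while IFS= read -r _l; do
        [ -n "$_l" ] || continue
        audit_line "$_l" || _rc=1
    done
    return $_rc
}

# Constructed sample output (not captured from a real host). The first line
# is what the original unhardened docker run line produces; the second is
# the hardened line with all limits applied.
WEAK_SAMPLE='1111111111111111 Memory=0 CpuShares=0 RestartPolicyName=no MaximumRetryCount=0 PidsLimit=<nil> SecurityOpt=[]'
HARDENED_SAMPLE='2222222222222222 Memory=268435456 CpuShares=256 RestartPolicyName=on-failure MaximumRetryCount=5 PidsLimit=100 SecurityOpt=[no-new-privileges]'

printf '%s\n%s\n' "$WEAK_SAMPLE" "$HARDENED_SAMPLE" | audit_stream ||
    echo "at least one container fails the hardening checks"
```

Against a live Docker machine, replace the sample lines with real inspect output: docker ps --quiet --all | xargs docker inspect --format "$ICD_AUDIT_FORMAT" | audit_stream. A non-zero exit status from audit_stream means at least one container was started without the hardened docker_launcher line.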