Installing and uninstalling an IBM z/OS Connect Server image with Podman

How to build and deploy a z/OS Connect API that uses an API project (OpenAPI 3) and the z/OS Connect Server image by using Podman.

Deploying the z/OS Connect Server zosConnect-3.0 image with Podman

About this task

zosConnect-3.0 Applies to zosConnect-3.0.

Image to show the end to end z/OS Connect Server image installation process in an online environment using Podman to build the API image, (using the API project and the z/OS Connect Server image), storing the z/OS Connect API image in a private container registry an OCI compliant container platform. In this image, the container platform is Podman.

Important: The z/OS Connect Server image hosts z/OS Connect API projects in z/OS/s390x, Linux/s390xLinux®, and amd64 OCI-compliant container environments. For more information, see IBM z/OS Connect system requirements.
Note: The z/OS Connect documentation is available in the IBM Document offline tool, should you require an 'offline' copy. For more information, see IBM z/OS Connect offline documentation.

The following topic describes the steps that are required to build and deploy the IBM z/OS Connect API image with Podman and how to uninstall the z/OS Connect API image.

For information on how-to build and deploy the z/OS Connect API images with Red Hat® OpenShift®, see Installing IBM z/OS Connect Server with Red Hat OpenShift. To uninstall the z/OS Connect API image with Red Hat OpenShift, see Uninstalling IBM z/OS Connect the ZosConnect Custom Resource and the IBM z/OS Connect Operator.

Table 1. Steps to install and uninstall a z/OS Connect API image with required roles
z/OS Connect installation steps
Download the IBM z/OS Connect Server image.
Verify the IBM z/OS Connect Server image (Optional).
Build the z/OS Connect API image.
Create a secret.
Run the container.
Invoke z/OS Connect API.
Stopping the container.
Publish the z/OS Connect API image.
Uninstalling your z/OS Connect API image

Before you begin

About this task

The following tasks must be completed.

  1. Download and install Podman. For more information about installing Podman, see A launch icon to indicate a link opens a new tab or window. Podman Installation Instructions.
    Note: If you are using IBM z/OS Container Platform, Podman will already be installed and your user ID configured to use Podman. For more information, see
  2. Create a z/OS Connect API project. For more information, see Developing API provider with zosConnect-3.0.
  3. Optional: Verifying a z/OS Connect Server image signature is an optional step. If you need to verify the z/OS Connect signed images, install the following command-line tools:
  4. Optional: If using z/OS Connect policies to adjust how an API request is processed in IBM z/OS Connect, see Configuring IBM z/OS Connect policies. When building the WAR file in Build a z/OS Connect API image as part of this procedure, you must include the policy configuration and rules file within the image.

Download a z/OS Connect Server image

Before you begin

The following tasks must be completed.

  1. To get access to the z/OS Connect Server image, you must have an IBM entitlement registry key to pull the images from the IBM Cloud Container Registry icr.io. Refer to your license document for specific instructions on obtaining the entitlement key.
    Note: If you don't have the license document with the entitlement key, place a new order for the product in ShopZ where the additional documentation contains the entitlement key. As an existing customer, if you already have a license for IBM z/OS Connect Unlimited, no charge is incurred when the new order is placed.

Procedure

  1. Log in to IBM Cloud Container Registry. If you are in an airgapped environment, skip this step. 
    podman login icr.io
    Provide your username and password login credentials. Instructions for obtaining these credentials can be found in your license documents.
  2. Pull the z/OS Connect Server image to your local system. 
    podman pull icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100
    If your environment is a disconnected (airgapped) environment, copy the z/OS Connect Server image to a registry you have access to before completing the next steps. For example, by using either the podman pull or skopeo copy commands. 
    podman pull <internal-registry-location>/ibm-zcon-server:3.0.100
    skopeo copy <internal-registry-location>/ibm-zcon-server:3.0.100
  3. Optional: To make the z/OS Connect Server image available to others, it can be pushed into the internal image registry for others to access it. To do this, enter the following command to push the z/OS Connect Server image to your internal registry. 
    podman push <internal-registry-location>/ibm-zcon-server:3.0.100

Results

The z/OS Connect Server image is in your local Podman image storage and (optional) in your internal registry. Validate the image is in your local Podman image storage by running the following command. 
podman images
The output is similar to the following. 

REPOSITORY                                  TAG        IMAGE ID    CREATED     SIZE
icr.io/zosconnectunlimited/ibm-zcon-server 3.0.100    6d2af17d10bd  1 days ago   979MB
Note: Image size and ID alter depending on the release.

What to do next

Optional: z/OS Connect images are signed. You must have a downloaded IBM z/OS Connect Server image to continue the installation procedure. For more information on verifying image signatures, see Verify a z/OS Connect image signature (Optional).

OpenSSL and GPG aren't supported on z/OS. If you're using IBM z/OS Container Platform, you need to verify your IBM z/OS Connect Server image signatures on a different platform.

If you don't need to verify your image signatures, go to Build a z/OS Connect API image.

Verify a z/OS Connect image signature (Optional)

Digital signatures provide a way to ensure that an image is both authentic (it originated from the expected source) and has integrity (it is what is expected). z/OS Connect images are signed and this topic describes how to verify the signatures on those images.

Before you begin

The following tasks must be completed.

  1. The z/OS Connect public keys must exist on the same machine as the command-line tools.

    Copy the following text block exactly as shown into a text editor, and save it in a file named PRD0012028key.pub.asc:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGQU0cUBEACqSHOnQ2HyQRdr0dkcYpehWGz/OSXLpOiKpmgqcvLEm2ZIGpZu
pzN5wc57XOxhz5YNodODFysewjqKntgQg1EbQ85g8BmV14iZJZ/8oVMCQGe6yt2G
efpD1+qY/QxK+JBB45Y5E6TEudNPzhhNY/9BsImPvHLSD95ikMYHVs2jCIquTXdT
UC1fyaXKU5T1qQZd1XxTX+HEaFGIInRHRWvjw2z92LNM35Ul6vJU5R8f8yVZIRAG
Y+J8/4qBRd2w23uUupNWQw6QYdW3Q3K6LVZc3K9ykJ8/zNaYBLT/dUXd3L2UYPO7
glWmO3oJynGc0kQczq/ohtCiUtKkXigYZ1feFC0nrFsVa7+Edzao5LOCYNhd9ASM
KZBL11VYvQ9pdjeWa4yd/VuTtG6l3GwN1AHXY+dLYdG3lrB0UmTNfyHZoJtIJ+yd
cmTZHhfvQ5djjCDwuNxN6NLuAKkzBzUNK3CMi7swKwym7agidMtf4G/WUAy981+P
502RGEtEDO98egA7yEXjGNB0vh7wuqyUKtugsCpGYQhuto42L8nEUogM69JK8Z9J
d2xs9PM/N8DEFdOXc73MMYnZejstoZ71t79MyEKw/3flKMADJE3x1xebnOMIj4CI
32Mnc0YHnmeADuYRtbk8omEOQAlWJrCFRUMr8+uSfvUb8QChuhKZDURRKQARAQAB
tEBJQk0gei9PUyBDb25uZWN0IEVudGVycHJpc2UgRWRpdGlvbiBVbmxpbWl0ZWQg
PHBzaXJ0QHVzLmlibS5jb20+iQI6BBMBCAAkBQJkFNHFAhsPBQsJCAcCBhUKCQgL
AgQWAgMBAh4BBQkAAAAAAAoJELBRtMIty7kNhqwP/1YQPQECXMUqno1z0OfQK+Wn
+eVQlS8cwvgarpKMv/a3tjFwggJvTaB6TRzdEcBHMSaXqY0+ljnHn7pHWtIQA3uR
FZszNWWzsRG9ahlne2NqjIwzCrvIN0BNKL3LSsJWOOptSTSjCxqeg9UmThdtXBu4
8DBCjHSsvtNa0hnSJG2tC5HQ3bnoduU1D7v9jZIP2SEg/lL6iZkKAz1HLxT9oqLL
KMpoUAVwRFN/wTFpQy83loxkU+xqXHgcq0htZWWspeqRrTSGkhtqEDcO8Bt3jSQ0
p9U7Bq9chpmEwngN5WwtvxXcrMMerlbaVJ6jLbNnJwERv+Q5N36Wl1hoNffV6Itw
LOYp4rfqO6eV5yFmC2gYLq6xMEHHM4q8nUQ1KhmwoARzwXJuRxocDl62kjq2YBOR
6H8WLZmHuE0ba0dp4JR+Wg99no2Sud4dT6Rs/ZylezyJGaFEEK7NNrl+G1JYVbms
Ynq6McZVz+Hcqow5k7PsZ4KviFb+F/DlP/lNCDlabFy+IC0gD4gjoKYbyOed+rKc
ZUd4DDxLl2KqEUiItn3aIU3epLAf9MtrGd+tugwMQPaq0v2Gep8zntuWew2TWEoy
c7C0udUwdjw1q4SwyJzYwiapwz6LCu+dlu7sf2Kxds5USYBWsrTxVzga3/BtRghK
V7Pi5/oMEPjk9O7eoOnL
=2ZDV
-----END PGP PUBLIC KEY BLOCK----

About this task

z/OS Connect images are signed. If you need to verify the image signatures, complete the following procedure.

Enabling signature verification when container images are pulled to a host system can be automated. For information on automating image signature verification, see A launch icon to indicate a link opens a new tab or window. Verifying image signing for Red Hat Container Registry.

Some of the steps in this procedure use gpg. GPG2 is the extended version of GPG and gpg2 can be used instead of gpg.

Procedure

  1. Import the z/OS Connect public key on the machine that you prepared according to the Prerequisites section: 
    sudo gpg --import PRD0012028key.pub.asc
    This step needs to be done only once on each machine you use for signature verification.
  2. Calculate the fingerprints: 
    fingerprint=$(sudo gpg --fingerprint --with-colons | grep -B1 'IBM z/OS Connect Enterprise Edition Unlimited' | grep fpr | tr -d ‘fpr:’)

    This command stores the keys' fingerprint in an environment variable that is called fingerprint, which is needed to verify the signature. When you exit your shell session, the variable is deleted. The next time that you log in to your machine, you can set it again by rerunning the command.

  3. Log in to Skopeo. 
    sudo skopeo login icr.io
  4. Create a directory for the image and use skopeo to pull it into local storage: 
    mkdir images

    sudo skopeo copy docker://icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100 dir:./images -a
    This command downloads the image as a set of files and places them in the images directory (or another directory that you choose). If the source image is a list of images for different architectures, the -a attribute copies all of the images.
    Tip: One of these files is a manifest file that is named images/manifest.json, and a signature file is named images/signature-1. You reference both these files in the next step (in the command to verify the signature).
  5. Verify the signature: 

    sudo skopeo standalone-verify ./images/manifest.json icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100 ${fingerprint} ./images/signature-1

    The confirmation output should be similar to the following where the sha256 value is a 64-byte hexadecimal string. 

    Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000

Results

The IBM z/OS Connect Server image signature is successfully verified.

Build a z/OS Connect API image

About this task

To build a z/OS Connect API image from your API project, use a container platform tool of your choice to build an image FROM the z/OS Connect Server image. For more information about downloading the z/OS Connect Server image, see Download a z/OS Connect Server image.

Note: The API WAR file can be built on any supported environment.

If the deployment target for this API image is the IBM z/OS Container Platform, the z/OS Connect API image must be built and run on a z/OS LPAR with Podman installed.

Procedure

  1. Go to the root of your z/OS Connect API project and open the Dockerfile.
  2. Make sure that the Dockerfile within the z/OS Connect API project references your downloaded z/OS Connect Server image in the FROM instruction.
    For example, 
    FROM icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100
    If you pushed the z/OS Connect Server image to an internal registry in step 3 of Download a z/OS Connect Server image, the image location in the FROM instruction should be updated to reflect that location. 
    FROM <internal-registry-location>/ibm-zcon-server:3.0.100
  3. If you are building the z/OS Connect API image from your API project on IBM z/OS Container Platform, you need to complete the following step.
    In the Dockerfile, replace the --chown options from the COPY instructions with --chmod=755 options. Update the Dockerfile to the following.
    FROM <internal-registry-location>/ibm-zcon-server:3.0.100

# customise server.xml via dropins
COPY --chmod=755 src/main/liberty/config /config/configDropins/overrides

# install war
COPY --chmod=755 build/libs /config/dropins
  4. Log in to the private Container Registry.
    Note: This is not the IBM Cloud Container Registry, but the registry where you intend to host your z/OS Connect API image.
    For example, 
    podman login example.io
  5. Build the z/OS Connect API image by using the podman build command from the same location as the Dockerfile. This makes sure that the build directory is correct. 
    podman build -f Dockerfile -t <internal_registry_location>/<api_image>:<api_image_tag> .
    Where
    • <internal_registry_location> is the registry location of the z/OS Connect API image.
    • <api_image> is a descriptive name for your z/OS Connect API image.
    • <api_image_tag> is a descriptive tag for your z/OS Connect API image.
    An example of the podman build command is:
    podman build -f Dockerfile -t example.io/zcon-employees-api:v1.0.0 .
    Note: The trailing period '.' in the command states to use the current directory as the build context.
    Important:

    The z/OS Connect API image is a multi-architecture image and defaults to an architecture that matches the system on which it is built. To build a z/OS Connect API image with a different architecture to your build system, use podman build --platform <os/arch> to specify the target platform for the build output. For example,

    podman build --platform linux/amd64 -t example.io/zcon-employees-api:v1.0.0 .

    For more information, see A launch icon to indicate a link opens a new tab or window. Building multi-platform images.

    Images for the IBM z/OS Container Platform can be built only on a z/OS LPAR with Podman installed.

  6. Verify that the z/OS Connect Server image is built by using Podman.
    Run the following command to list the available images.
    podman images
    The output should be similar to: 
    REPOSITORY                                     TAG             IMAGE ID             CREATED         SIZE       
<internal_registry_location>/<api_image>      <api_image_tag>   08f295112cff       2 mins ago    1.17 GB   
<internal_registry_location>/ibm-zcon-server   3.0.100          290218c5a5ct         2 weeks ago     1.17 GB

    If the image is listed, the z/OS Connect API image has been built.

Create a secret (Optional)

About this task

If your z/OS Connect API project requires a password to be provided to the IBM z/OS Connect Server, these passwords are provided to the Podman run command by using a secret.

If your z/OS Connect API project doesn't require a password, go to Run the z/OS Connect API container.

Procedure

  1. Create a secret for the z/OS Connect API. In the following example, it is referred to as <api-secret>.
    On the command-line run.
    SECRET="mypassword" podman secret create <api-secret> --env SECRET

    Change the value of mypassword to the value of your secret. For example, iamasecret.

    This <api-secret> is provided to the container in Run the z/OS Connect API container when Podman is used to run the z/OS Connect API container.

    For more information on podman secret create, see podman-secret-create - Create a new secret.

  2. Run the following command to list the secrets that are available. 
    podman secret ls
    The output is:
    
ID                           NAME                         DRIVER      CREATED             UPDATED
2d2827fde389659effd3a27c5    <api-secret>                 file        3 seconds ago       3 seconds ago

Run the z/OS Connect API container

About this task

To run the container, the z/OS Connect API image that is built in Build a z/OS Connect API image contains a z/OS Connect API project with connection and credential environment variables. Pass these values (optionally including any secret values) into the container by using the podman run command.

Procedure

  1. Start the configured z/OS Connect API container with the following podman run command. 
    podman run -p=<hostport>:9080 -d --rm <api_image>:<api_image_tag>
    Note: For IBM z/OS Container Platform, don't specify -p=<hostport>:9080 as Podman will dynamically allocate an IP address for the container that the API container is contactable on.

    If you need to pass in secrets and or environmental variables, the following is an example of passing the environmental variables and secrets to the z/OS Connect API projects.

    podman run -p=<hostport>:9080 -d --rm --secret <product>-password,type=env,target=<product>_PASSWORD -e <product>_HOST=<host> -e <product>_PORT=<port> -e <product>_USER=<user> <api_image>:<api_image_tag>
    The podman run command output shows the ID of the container that is now running.
    For example, 
    0734b19230649ffa1f2edec0c6198aa61bad0756f9316b405a81605bd9be1fb8
  2. Copy this container ID value to your clipboard as you need to reference the container ID when using Podman to work with this container.
    Tip: If you lose the container ID, the container ID can be found by using the podman ps command.

Results

Now that the container is started, check the logs to make sure that the API endpoint is ready. 
podman logs -f <container-id>
  • Replace the variable <container-id> with the container ID of the running container. For example, 0734b19230649ffa1f2edec0c6198aa61bad0756f9316b405a81605bd9be1fb8.
  • By specifying the -f option, it allows the logs to continue to track further log messages as they appear. If you use this option, you need to enter Ctrl+C to cancel further output and exit the command.

When you see the message 
[AUDIT   ] CWWKZ0001I: Application api started in <time> seconds.
in the logs, you can connect to the API endpoint and the following output confirms that the server is up and running. 
[AUDIT   ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in <time> seconds.
[INFO    ] Setting the server's publish address to be /
[INFO    ] SRVE0242I: [api] [/] [CatalogManagerApi]: Initialization successful.

Invoke z/OS Connect APIs

Procedure

  1. Find the API endpoint. The API endpoint is specific to the API project that you are running and is found in the z/OS Connect Server logs.
    Note: All API endpoints are relative to the base URL.

    For example, assuming the base URL of https://api.example.com/v1, the /users endpoint refers to https://api.example/com/v1/users.

  2. Invoke the API with the following curl command on your host system to send an HTTP request to invoke the z/OS Connect API endpoint.
    Note:
    • Choose the configured endpoint port. Typical defaults are port 9080 for HTTP endpoints and 9443 for HTTPS endpoints.
    • For z/OS Container Platform, replace 127.0.0.1 with the <container-ip-address> identified with the following command. 
      podman inspect -f "{{.NetworkSettings.IPAddress}}" <container-id>
    curl -s 127.0.0.1:<port>/<api_endpoint>
    For example, 
    curl -s http://127.0.0.1:9080/v1/users

Results

The output from the curl command will be similar to the following Db2® example.
{"employeeNumber":"000010","firstName":"CHRISTINE","middleInitial":"I","lastName":"HAAS","department":"A00","phoneNumber":"3978",
"hireDate":"1965-01-01","job":"PRES    ","educationLevel":18,"sex":"F","dateOfBirth":"1933-08-14","salary":52750.0,"bonus":1000.0,"commission":4220.0}
You successfully invoked a z/OS Connect API deployed to the z/OS Container Platform.

Stopping the container

Procedure

When you are happy with the container you have created, run the following command to stop the container. 
podman stop <container-id>
Replace the <container-id> value with the Container ID of the running container that you want to stop.
For example, 0734b19230649ffa1f2edec0c6198aa61bad0756f9316b405a81605bd9be1fb8.
Tip: The podman run command in Run the z/OS Connect API container included the --rm option. This means that the container is removed when the container is stopped.

If you did not include the --rm option, run the podman stop <container-id> command, followed by the podman rm <container-id> command to remove the container.

Publish the image

Procedure

  1. Log in to your internal Container Registry.
    For example, where example.io is your internal Container Registry location.
    podman login example.io
    Note: This is not the IBM Cloud Container Registry, but the registry where you host your z/OS Connect API image.
  2. Push the z/OS Connect API image to your internal Container Registry.
    For example, 
    podman push <internal_registry_location>/<api_image>:<api_image_tag>
    Note: Using the <api_image_tag> latest adds the risk of updating the image automatically.

Uninstalling the z/OS Connect API image

Procedure

  1. Before uninstalling the z/OS Connect API image, stop and remove the container from the system. Use the following command to list all the running containers on the system to make sure it's stopped and removed. 
    podman ps --all
    If the container you want to uninstall is still running, go to Stopping the container to stop and remove the container.
  2. To remove the z/OS Connect API image, use the following command. 
    podman rmi <internal_registry_location>/<api_image>:<api_image_tag>
  3. Verify that the z/OS Connect API image is removed with the following command. 
    podman images
    The z/OS Connect API image should no longer be listed.