Docker Compose support

Docker Compose provides a simple mechanism for defining multi-container environments.

Developers who want to familiarize themselves with the anatomy of a Security Verify Access Docker environment can use the following sample docker-compose.yaml and .env files to build one on their workstation for development purposes. The example illustrates how the Security Verify Access containers and their supporting services fit together; it is a development sample and is not hardened for use on a shared host.

docker-compose.yaml
version: '3'
services:

#
# Security Verify Access Containers
#

  isva-config:
    image: ibmcom/verify-access:${ISVA_VERSION}
    hostname: isva-conf
    environment:
      - SERVICE=config
#     - SNAPSHOT=${SNAPSHOT}
#     - FIXPACKS=${FIXPACKS}
#     - ADMIN_PWD=${ADMIN_PWD}
      - CONTAINER_TIMEZONE=${TIMEZONE}
    volumes:
      - ./isva-volume:/var/shared
      - ./isva-logs/conf:/var/application.logs
    ports:
      - "${CONFIG_HTTPS_PORT}:9443"
    depends_on:
      - isva-ldap
      - isva-db
    cap_add:
      - SYS_PTRACE
      - SYS_RESOURCE

  isva-webseal:
    image: ibmcom/verify-access-wrp:${ISVA_VERSION}
    hostname: isva-webseal
    environment:
      - INSTANCE=${WEBSEAL_INSTANCE_NAME}
#     - SNAPSHOT=${SNAPSHOT}
    volumes:
      - ./isva-volume:/var/shared
      - ./isva-logs/webseal:/var/application.logs
    ports:
      - "${WEBSEAL_HTTPS_PORT}:9443"
      - "${WEBSEAL_HTTP_PORT}:9080"
    depends_on:
      - isva-ldap
      - isva-dsc

  isva-aac:
    image: ibmcom/verify-access-runtime:${ISVA_VERSION}
    hostname: isva-aac
    environment:
      - SERVICE=runtime
    volumes:
      - ./isva-volume:/var/shared
      - ./isva-logs/aac:/var/application.logs
    ports:
      - "${AAC_HTTPS_PORT}:9443"
      - "${AAC_HTTP_PORT}:9080"
    depends_on:
      - isva-ldap
      - isva-db
      - isva-webseal
      - isva-dsc

  isva-dsc:
    image: ibmcom/verify-access-dsc:${ISVA_VERSION}
    hostname: isva-dsc
    environment:
      - INSTANCE=1
#     - SNAPSHOT=${SNAPSHOT}
#     - FIXPACKS=${FIXPACKS}
    volumes:
      - ./isva-volume:/var/shared
    ports:
      - "${DSC_SERVICE_PORT}:443"
      - "${DSC_REPLICA_PORT}:444"

#
# Service Containers
#

  isva-ldap:
    image: ibmcom/verify-access-openldap:${ISVA_VERSION}
    hostname: isva-ldap
    environment:
      - LDAP_ADMIN_PASSWORD=${LDAP_PASSWORD}
#     - LDAP_CONFIG_PASSWORD=${LDAP_CONFIG_PASSWORD}
#     - LDAP_BASE_DN=${LDAP_BASE_DN}
#     - LDAP_TLS_VERIFY_CLIENT=${LDAP_TLS_VERIFY_CLIENT}
#     - LDAP_DOMAIN=${LDAP_DOMAIN}
#     - LDAP_ORGANISATION=${LDAP_ORGANISATION}
#     - LDAP_ENABLE_PORT_389=${LDAP_SSL_DISABLED}
    volumes:
      - libldap:/var/lib/ldap
      - ldapslapd:/etc/ldap/slapd.d
      - libsecauthority:/var/lib/ldap.secAuthority
    ports:
#      - ${LDAP_PORT}:389
      - ${LDAPS_PORT}:636

  isva-db:
    image: ibmcom/verify-access-postgresql:${ISVA_VERSION}
    hostname: isva-db
    environment:
      - POSTGRES_DB=${DB_NAME}
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_SSL_CN=${DB_CN}
#     - POSTGRES_UNSECURE=${DB_SSL_DISABLED}
    volumes:
      - pgdata:/var/lib/postgresql/data
    ports:
      - "${DB_PORT}:5432"

#
# Named volumes
#
# Compose requires the named volumes referenced by isva-ldap and isva-db to be
# declared at the top level; without this block it refuses to start the project.
volumes:
  libldap:
  ldapslapd:
  libsecauthority:
  pgdata:

Environment

The environment is defined in the following .env file.

ISVA_VERSION=10.0.0.0
TIMEZONE=Australia/Brisbane

#
# Security Verify Access CONTAINERS
#

# The name of the snapshot which is to be used when starting the container.
# The snapshot must reside in <shared-volume>/snapshots
# SNAPSHOT=

# A space-separated, ordered list of fixpacks to apply when starting the container.
# The fixpacks must reside in <shared-volume>/fixpacks
# FIXPACKS=

# The password to be set for the default 'admin' user account.
# ADMIN_PWD=

# Config Container
CONFIG_HTTPS_PORT=10443

# AAC Container
AAC_HTTP_PORT=11080
AAC_HTTPS_PORT=11443

# WebSEAL default Container
WEBSEAL_INSTANCE_NAME=default
WEBSEAL_HTTP_PORT=12080
WEBSEAL_HTTPS_PORT=12443

# DSC Container
DSC_SERVICE_PORT=13443
DSC_REPLICA_PORT=13444

#
# SERVICE CONTAINERS
#

# LDAP Container
LDAP_PORT=14389
LDAPS_PORT=14636
LDAP_DOMAIN=ldap.ibm.com
LDAP_PASSWORD=passw0rd
LDAP_ORGANISATION=isva
LDAP_BASE_DN=cn=isva
LDAP_CONFIG_PASSWORD=passw0rd
LDAP_TLS_VERIFY_CLIENT=false
LDAP_SSL_DISABLED=true

# Database Container
DB_PORT=15432
DB_CN=isva
DB_SSL_DISABLED=false
DB_USER=postgres
DB_PASSWORD=passw0rd
DB_NAME=isva

Overview

This Docker Compose configuration defines an environment with the following containers:

  • Security Verify Access containers (ibmcom/verify-access, ibmcom/verify-access-wrp, ibmcom/verify-access-runtime, and ibmcom/verify-access-dsc)
    • Configuration container
    • WebSEAL instance container
    • AAC runtime container
    • DSC container
  • Services
    • PostgreSQL server container (ibmcom/verify-access-postgresql)
    • OpenLDAP server container (ibmcom/verify-access-openldap)

This environment is deliberately kept simple in order to demonstrate:

  • The concept of the shared configuration volume.

    The shared configuration volume is created in a folder named 'isva-volume'. All Security Verify Access containers share this volume.

  • Log file storage

    The log file directories are created in a folder named 'isva-logs'. Each Security Verify Access container has its own log directory within this folder.

  • Port mappings that are used by each container

    All environment variables and port mappings are externalized to the file '.env' for convenience. Only the host side of each mapping comes from .env, so a value such as 127.0.0.1:10443 for CONFIG_HTTPS_PORT restricts the published port to the loopback interface; the bare port numbers in the sample publish every service on all host interfaces.

  • How to persist data within the OpenLDAP and PostgreSQL containers.

    The OpenLDAP container stores its data in the named volumes libldap, ldapslapd and libsecauthority, and the PostgreSQL container in the named volume pgdata. These are Docker-managed volumes, listed by 'docker volume ls' with the Compose project name (by default the directory name) as prefix, rather than folders next to the compose file.

Note:
  • If you are not using the Advanced Access Control capability, you do not need the isva-db and isva-aac containers. If you are using the Federation capabilities, however, you need the runtime and database containers as well, so keep them in that case.
  • The name of the WebSEAL instance that is run in the isva-webseal container must be defined when the container is created. Customize the value of WEBSEAL_INSTANCE_NAME in .env or create your WebSEAL instance with the default name 'default'.
  • The sample .env uses the placeholder password passw0rd for both the LDAP and PostgreSQL administrators and publishes every port on all host interfaces. Change the passwords and restrict the published ports before running this environment on a host that other machines can reach.

Quick start

Place the 'docker-compose.yaml' and '.env' files into a new directory. From that directory, execute the following command to start the test environment:

docker-compose up -d

This command will create and start all of the containers in the environment.
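Before running that command on anything other than an isolated workstation, it is worth reviewing the .env for the sample's weak defaults: the placeholder password passw0rd for LDAP and PostgreSQL, TLS disabled on LDAP, and every port published without a host IP. The following script is an added example for this page, not a tool shipped with Security Verify Access or taken from the IBM documentation. It reads an .env in the format shown above and flags placeholder or short secrets, disabled TLS, ports published on all interfaces, and host ports used twice (the second service fails to start). It relies on Compose's HOST_IP:HOST_PORT:CONTAINER_PORT syntax, which the compose file's "${VAR}:9443" mappings pass through, so CONFIG_HTTPS_PORT=127.0.0.1:10443 binds the LMI to loopback. The 12-character minimum, the finding labels and the two sample .env files it writes to a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Pre-flight review of an ISVA Docker Compose .env before `docker-compose up -d`.
# Added example for this page; not a script shipped with Security Verify Access.
# It assumes the variable names of the sample .env above (LDAP_PASSWORD,
# DB_PASSWORD, ADMIN_PWD, *_SSL_DISABLED, LDAP_TLS_VERIFY_CLIENT, *_PORT).

PLACEHOLDER_PASSWORD='passw0rd'   # the value the sample .env uses for every secret
MIN_PASSWORD_LEN=12               # assumption: local policy, not an ISVA requirement

# isva_env_findings FILE
# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
isva_env_findings() {
    envfile=$1
    count=0
    seen_ports=" "
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                     # blank line or comment
        esac
        key=${line%%=*}
        val=${line#*=}
        case $key in
            *PASSWORD*|ADMIN_PWD)
                if [ "$val" = "$PLACEHOLDER_PASSWORD" ]; then
                    echo "SECRET  $key is still the sample placeholder"
                    count=$((count + 1))
                elif [ "${#val}" -lt "$MIN_PASSWORD_LEN" ]; then
                    echo "SECRET  $key is shorter than $MIN_PASSWORD_LEN characters"
                    count=$((count + 1))
                fi
                ;;
            LDAP_SSL_DISABLED|DB_SSL_DISABLED)
                if [ "$val" = "true" ]; then
                    echo "TLS     $key=true turns off TLS for that container"
                    count=$((count + 1))
                fi
                ;;
            LDAP_TLS_VERIFY_CLIENT)
                if [ "$val" = "false" ]; then
                    echo "TLS     $key=false: LDAP clients are not asked for a certificate"
                    count=$((count + 1))
                fi
                ;;
            *_PORT)
                # Compose accepts HOST_IP:HOST_PORT:CONTAINER_PORT and the compose
                # file interpolates "${VAR}:9443", so 127.0.0.1:10443 binds to
                # loopback while a bare 10443 publishes on every host interface.
                case $val in
                    *:*) hostport=${val##*:} ;;
                    *)   hostport=$val
                         echo "EXPOSE  $key=$val is published on all interfaces; use 127.0.0.1:$val"
                         count=$((count + 1)) ;;
                esac
                # Two services cannot publish the same host port.
                case $seen_ports in
                    *" $hostport "*)
                        echo "PORT    host port $hostport is used twice ($key)"
                        count=$((count + 1)) ;;
                esac
                seen_ports="$seen_ports$hostport "
                ;;
        esac
    done < "$envfile"
    [ "$count" -eq 0 ]
}

# Constructed sample input: a cut-down copy of the .env above with one host
# port repeated, and a hardened version, written to a temp directory so the
# script runs stand-alone. LDAP_TLS_VERIFY_CLIENT is left out of the hardened
# file because the compose file above does not pass it through.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/weak.env" <<'EOF'
ISVA_VERSION=10.0.0.0
CONFIG_HTTPS_PORT=10443
AAC_HTTPS_PORT=11443
WEBSEAL_HTTPS_PORT=10443
LDAPS_PORT=14636
LDAP_PASSWORD=passw0rd
LDAP_TLS_VERIFY_CLIENT=false
LDAP_SSL_DISABLED=true
DB_PORT=15432
DB_SSL_DISABLED=false
DB_PASSWORD=passw0rd
EOF
cat > "$WORKDIR/hardened.env" <<'EOF'
ISVA_VERSION=10.0.0.0
CONFIG_HTTPS_PORT=127.0.0.1:10443
AAC_HTTPS_PORT=127.0.0.1:11443
WEBSEAL_HTTPS_PORT=127.0.0.1:12443
LDAPS_PORT=127.0.0.1:14636
LDAP_PASSWORD=Cq7nTz9vLp2wR4eH
LDAP_SSL_DISABLED=false
DB_PORT=127.0.0.1:15432
DB_SSL_DISABLED=false
DB_PASSWORD=mX3Ht8qZ1sK6vBnJ
EOF

for f in weak hardened; do
    echo "== $f.env"
    if isva_env_findings "$WORKDIR/$f.env"; then
        echo "clean: safe to run docker-compose up -d"
    else
        echo "fix the findings above before starting this environment"
    fi
done
```

Run it from the directory that holds your own .env and point isva_env_findings at that file instead of the constructed samples; a zero exit status means none of the checks fired. Note that the script only inspects the .env, so variables such as LDAP_PORT that are commented out in the compose file are still reported if they carry weak values.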

To access the LMI, open your web browser and visit:

https://{docker-host}:10443

or, if CONFIG_HTTPS_PORT in .env has been customized, https://{docker-host}:{CONFIG_HTTPS_PORT}

To access the Security Verify Access CLI, execute the following, where <container-name> is the name of the running configuration container as listed by 'docker-compose ps':

docker exec -it <container-name> isva_cli

To destroy the environment, execute the following command:

docker-compose down

This stops and removes the containers and the network Compose created. The bind-mounted shared configuration volume (isva-volume) and log file directories (isva-logs) are never removed by Compose. The named volumes holding the OpenLDAP and PostgreSQL data also survive unless you add the -v flag (docker-compose down -v), which deletes them together with all directory server and database content.

Additional commands

Some example commands for common Docker Compose tasks are listed in the following table:

Table 1. Example commands for common Docker Compose tasks

  Task                                                                Command
  Run just the configuration service container and its dependencies   docker-compose run isva-config
  Stop the LDAP service container                                     docker-compose stop isva-ldap
  Remove the stopped LDAP service container                           docker-compose rm isva-ldap
  Recreate the Database service container                             docker-compose up --force-recreate -d isva-db

Note that 'docker-compose run' starts a one-off container and does not publish the service's ports unless '--service-ports' is given; add that flag if you need to reach the LMI of a configuration container started this way.

For more information about Docker Compose, see the Docker Compose website. (https://docs.docker.com/compose/)