Docker
The containers can be deployed in a Docker environment.
Repository
The IBM® Security Verify Directory Integrator images are available from the IBM Cloud Repository: icr.io/isvdi. To load an image from the repository, use the 'docker pull' command, supplying the image name together with a tag that corresponds to the image version number. For example,
docker pull icr.io/isvdi/verify-directory-integrator:latest
Configuration
The configuration for the container is supplied as a single YAML file, along with other potential supporting files (for example PEM certificate files). When the container first starts, it applies the configuration from the file that is defined in the YAML_CONFIG_FILE environment variable. As such, the configuration for the container needs to be placed at the location that is referenced by the YAML_CONFIG_FILE environment variable before the container is started.
The configuration file can be supplied in one of three ways:
- Pre-baking the configuration into a new image that is based on the IBM® Security Verify Directory Integrator image. A Dockerfile that can be used to create a pre-baked image is shown in the following code example.
##
## You can build this image by issuing the following command:
##   docker build -t acme-ibm-svdi:1.0 $PWD
##
## The container is based on the IBM SVDI container.
FROM icr.io/isvdi/verify-directory-integrator:latest

## Copy the configuration files from the config directory
## to the docker image.
COPY config/* /var/IBM/svdi/config/

## Set the environment variable for the configuration YAML.
ENV YAML_CONFIG_FILE=/var/IBM/svdi/config/config.yaml

## Some labels which will be associated with the image.
LABEL maintainer="ibmsvdi@acme.com" \
      vendor="ACME"
- Placing the configuration information into a Docker volume and then mounting this volume into the Docker container. Information on Docker volumes can be found at: https://docs.docker.com/storage/volumes/
- Placing the configuration information into a local directory on the Docker host and then creating a Bind mount to the Docker container. Information on Docker Bind mounts can be found at: https://docs.docker.com/storage/bind-mounts/
Security Considerations
When you start a Docker container, consider the following practices to achieve maximum security.
- Use the PIDs cgroup parameter, --pids-limit, to restrict the number of forks (processes) that can happen inside a container. For example,
docker run -it --pids-limit 100 <Image_ID>
- Restrict the container from acquiring more privileges through the suid or sgid bits. For example,
docker run -it --security-opt no-new-privileges <Image_ID>
- Ensure that incoming container traffic is bound to a specific host interface. For example,
docker run -it --publish 10.10.10.200:9636:9636 <Image_ID>
- Ensure that the CPU usage of the containers is limited by using the --cpus option. For example,
docker run -it --cpus 1.5 <Image_ID>
- Ensure that the memory usage for containers is limited by using the --memory option. For example,
docker run -it --memory 4096m <Image_ID>
Quick Start
The following example starts an IBM® Security Verify Directory Integrator Base container with a bind-mounted configuration directory (/Users/test/ibm-svdi-config, the local directory containing the file named by YAML_CONFIG_FILE), an optional named data volume (ibm-svdi-test-volume), and the standard environment variables.
docker run --hostname ibm-svdi-test --name ibm-svdi-test \
--detach \
--volume /Users/test/ibm-svdi-config:/var/IBM/svdi/config \
--volume ibm-svdi-test-volume:/var/isvdi/data \
--env YAML_CONFIG_FILE=/var/IBM/svdi/config/config.yaml \
--env LANG=C \
icr.io/isvdi/verify-directory-integrator:latest
## Examine the log file of the container.
docker logs -f ibm-svdi-test
Supported Docker Versions
- This image is officially supported on Docker version v17 and later;
- Support for older versions is provided on a best-effort basis.