Some Docker engines are configured by default to listen on a UNIX socket. However, you can reconfigure the engine to listen over a TCP/IP port. If you do that, you can submit Docker commands over the network to run on remote Db2® Warehouse
nodes by using the Docker CLI or Docker API (docker-py).
To support secure remote invocation of the commands, Db2 Warehouse provides the
setup_docker_remote.sh script. This script sets up the CA certificate and the
server and client TLS certificates that are required for secure remote communication. The script
also installs a /usr/bin/docker_remote command, which makes it easier to invoke
the Docker commands remotely, using TLS.
Procedure
- If you are using the Db2 Warehouse Orchestrator tool from the container, perform the following substeps:
  - On the head node host, copy the Db2 Warehouse Orchestrator scripts from the container by issuing the applicable command:
    - For a container for IBM® POWER® LE hardware:
      docker run --rm --entrypoint cat icr.io/obs/hdm/db2wh_ee:v11.5.6.0-db2wh-ppcle /tmp/db2wh_host_tools.zip > path_on_host/db2wh_host_tools.zip
    - For a container for IBM z Systems® hardware:
      docker run --rm --entrypoint cat icr.io/obs/hdm/db2wh_ee:v11.5.6.0-db2wh-s390x /tmp/db2wh_host_tools.zip > path_on_host/db2wh_host_tools.zip
    - For a container for x86 hardware:
      docker run --rm --entrypoint cat icr.io/obs/hdm/db2wh_ee:v11.5.6.0-db2wh-linux /tmp/db2wh_host_tools.zip > path_on_host/db2wh_host_tools.zip
  - On the head node host, extract the db2wh_host_tools.zip file into the location that you want to use.
- If you are using the Db2 Warehouse Orchestrator tool from the IBM GitHub repository, issue the following commands on each node host:
  - Issue the following command:
    wget https://github.com/IBM/db2warehouse-tools/archive/master.zip -O db2warehouse-tools-master.zip
  - Issue the following command:
    unzip db2warehouse-tools-master.zip
  - Issue the following command:
    cd db2warehouse-tools-master
- Move the setup_docker_remote.sh script to the /mnt/clusterfs folder.
- Make the script executable by issuing the following command:
  chmod +x path_to_script/setup_docker_remote.sh
- On all the nodes on which you want to remotely execute Docker commands, run the script as follows:
  path_to_script/setup_docker_remote.sh --cert-path "path" [--host hostname] [-h|--help]
  where:
  - --cert-path "path" specifies a shared file system path (by convention, /mnt/clusterfs) where the client TLS certificates will be saved. Specifying a shared file system path enables the certificates to be accessed from any node in the Db2 Warehouse cluster.
  - --host hostname specifies a host name or an IP address that is allowed to authenticate with the Docker engine. By default, the setup_docker_remote.sh script enables authentication from localhost and 127.0.0.1 and from the fully qualified domain name, short host name, or IP address of the host by using the TLS certificates that the script generates. However, you can specify one or more extra host names or IP addresses, such as an internal (fabric network) IP address, to be enabled for authenticating with the Docker engine by using TLS. If you have more than one host name or IP address, specify them as a comma-separated list.
- On each node, verify that the socket and TLS settings (hosts, tlsverify, tlscacert, tlscert, and tlskey) are defined in the Docker engine options file (/etc/docker/daemon.json).
- If you used a Docker systemd unit configuration file (/etc/systemd/system/docker.service.d/docker.conf) on the node, migrate all those settings from the unit file into the /etc/docker/daemon.json file and remove the unit file if you haven't done so already.
- On each node, restart the Docker engine by issuing the following command:
  systemctl restart docker.service
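
An added example, not part of the IBM documentation or the setup_docker_remote.sh script: a Python check for the verification step above. It reads /etc/docker/daemon.json and reports which of the five settings are missing, whether a tcp:// listener is paired with tlsverify, and whether the certificate paths exist. The function name check_daemon_config and the rule that hosts must contain a tcp:// entry are assumptions made for this example.

```python
import json
import os
import sys

# Settings the procedure says must be defined in /etc/docker/daemon.json.
REQUIRED = ("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey")

def check_daemon_config(cfg, file_exists=os.path.isfile):
    """Return a list of problems found in a parsed daemon.json (hypothetical helper)."""
    if not isinstance(cfg, dict):
        return ["top-level JSON value must be an object"]
    problems = [f"missing setting: {key}" for key in REQUIRED if key not in cfg]
    hosts = cfg.get("hosts", [])
    if not isinstance(hosts, list):
        problems.append("hosts must be a JSON array")
        hosts = []
    tcp_hosts = [h for h in hosts if isinstance(h, str) and h.startswith("tcp://")]
    # Assumption: remote invocation needs at least one TCP listener.
    if "hosts" in cfg and not tcp_hosts:
        problems.append("no tcp:// listener in hosts")
    # A TCP listener without client-certificate verification accepts any caller.
    if tcp_hosts and cfg.get("tlsverify") is not True:
        problems.append("tcp:// listener configured but tlsverify is not true")
    for key in ("tlscacert", "tlscert", "tlskey"):
        path = cfg.get(key)
        if isinstance(path, str) and not file_exists(path):
            problems.append(f"{key} points to a missing file: {path}")
    return problems

def main(path="/etc/docker/daemon.json"):
    try:
        with open(path) as fh:
            cfg = json.load(fh)
    except (OSError, ValueError) as exc:
        print(f"cannot read {path}: {exc}")
        return 2
    problems = check_daemon_config(cfg)
    for problem in problems:
        print(f"FAIL: {problem}")
    if not problems:
        print("OK: socket and TLS settings are defined")
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it on each node before restarting the Docker engine; a nonzero exit status means that node's daemon.json needs attention.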
What to do next
You can now remotely invoke Docker commands by using the
/usr/bin/docker_remote command. See Invoking Docker commands remotely for IBM Db2 Warehouse.