cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dockerization of IdentityIQ

Dockerization of IdentityIQ

Hi Sailors,

I want to show you guys how I use docker for IdentityIQ. You only need to follow the first steps (since my environment is different), but this should be able to help you build a docker environment for your IdentityIQ. So, let's start:

For the first step, we should determine at a minimum of what we need:

  1. Tomcat (version 8.5.42)
  2. Database MySQL (version 5.7.26)

For the second step, we should determine how to use docker:

  1. Build all stuff in a one container (slow (need to install all stuff) and more complex Dockerfile)
  2. Use docker-compose (horizontal scaling)

We have the minimal requirements for our dockerization.

Folder structure:

docker
|--db
|--sp
|--tomcat
|--webapps

docker - main folder contains docker-compose.yml and .env files

db - contains sql files for database initialization

sp - contains common staff for IdentityIQ (e.g.: iiq.properties, log4j.properties)

tomcat - all stuff for tomcat container

tomcat/webapps - contains wars to deploy

Each folder (db, sp, tomcat/webapps) contains version folders:

 

docker
|--db
   |--7.3
   |--8.0
|--sp
   |--7.3
   |--8.0
|--tomcat
   |--webapps
      |--7.3
      |--8.0

 

Create docker-compose.yml:

version: "3"
services:
  tomcat:
    build: ./tomcat
    working_dir: /usr/local/tomcat
    environment:
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
      MYSQL_DATABASE: ${MYSQL_DATABASE}
    links:
      - "db:${MYSQL_LINK_NAME}"
    ports:
      - "${TOMCAT_APPLICATION_PORT}:8080"
      - "${TOMCAT_APPLICATION_DEBUG_PORT}:8000"
    depends_on:
      - db
    command: ["/home/sp-mysql-ping.sh"]
    volumes:
      - "./tomcat/webapps/${SP_VERSION}/identityiq.war:/usr/local/tomcat/webapps/identityiq.war"
  db:
    image: mysql:${MYSQL_VERSION}
    volumes:
      - "./db/${SP_VERSION}/:/docker-entrypoint-initdb.d/"
    environment:
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: ${MYSQL_DATABASE}
    ports:
      - "${MYSQL_PORT}:3306"
 
Environment file (.env):
# +++++++++++++++ GLOBAL environment +++++++++++++++
MYSQL_LINK_NAME=mysql

MYSQL_VERSION=5.7.26
TOMCAT_VERSION=8.5.42-jdk8-openjdk-slim
SP_VERSION=7.3
# --------------- GLOBAL environment ---------------

# +++++++++++++++ MYSQL environment +++++++++++++++
MYSQL_DATABASE=identityiq
MYSQL_USER=identityiq
MYSQL_PASSWORD=identityiq
MYSQL_ROOT_PASSWORD=root
MYSQL_PORT=3306
# --------------- MYSQL environment ---------------

# +++++++++++++++ TOMCAT environment +++++++++++++++
TOMCAT_APPLICATION_PORT=8080
TOMCAT_APPLICATION_DEBUG_PORT=8000
# --------------- TOMCAT environment ---------------
Docker-compose will create 2 containers:
  1. Tomcat
  2. MySQL

MySQL container will be built from an image, but Tomcat not. It is necessary for 1 reason: tomcat must start only after MySQL container.

For tomcat container uses Dockerfile:

FROM tomcat:8.5.42-jdk8-openjdk-slim

#Add waiting script
COPY ./sp-mysql-ping.sh /home/sp-mysql-ping.sh

#Add waiting script
RUN chmod +x /home/sp-mysql-ping.sh

#Update all packages
RUN apt update

#Install mysql-client to check DB
RUN apt install mysql-client -y
There are several steps to build the image:
  1. Copy the script for testing connection to mysql
  2. Installing mysql-client for script

Script (sp-mysql-ping.sh):

#!/bin/bash

ATTEMPTS=0

echo "Waiting for mysql"
until mysql -u $MYSQL_USER -h db -e "select 1 from $MYSQL_DATABASE.spt_identity" -p$MYSQL_PASSWORD &> /dev/null
do
  printf "\nWaiting for MySQL"
  printf "\nAttempts: $ATTEMPTS"
  sleep 1
  ATTEMPTS=$((ATTEMPTS+1))
done

printf "\nMySQL is running\n"
printf "\nTry to start tomcat\n"
catalina.sh jpda run

In this script container, we will not start tomcat until DB is not initialized.

 

Main properties for identityiq.war:

# +++++++++++++++++ Database properties +++++++++++++++++
dataSource.username=identityiq
dataSource.password=identityiq

dataSource.url=jdbc:mysql://mysql:3306/identityiq?useServerPrepStmts=true&tinyInt1isBit=true&useUnicode=true&characterEncoding=utf8
dataSource.driverClassName=com.mysql.jdbc.Driver
sessionFactory.hibernateProperties.hibernate.dialect=sailpoint.persistence.MySQL5InnoDBDialec
# ----------------- Database properties -----------------

# +++++++++++++++++ Logs properties +++++++++++++++++
log4j.appender.file.File=/usr/local/tomcat/logs/sailpoint.log
# ----------------- Logs properties -----------------

Before storing docker container, we need (version of IdentityIQ = 7.3):

  1. Put sql file of creating DB for identityiq in docker/db/7.3/
  2. Put identityiq.war in docker/tomcat/webapps/7.3/

Command for starting containers: "docker-compose up -d".

Using docker for IdentityIQ allows:

  • Speedup developing and debugging
  • Fast deployment (can have several versions at the same time)
  • Horizontal scaling (adding specific containers: ldap, DB users...)
  • Customization of environment (using sql dump as initial script for DB)

All sources you can find in GitHub

Labels (1)
Tags (1)
Comments
Sally_Newton

I made a mistake - in Dockerfile for tomcat the following row

FROM tomcat:${TOMCAT_VERSION}

Must be

FROM tomcat:8.5.42-jdk8-openjdk-slim

Dockefile does not know environment variable here. 

Sorry for mistake.

@Sally_Newton - I edited the article to correct! Let me know if there is anything else. 

We really want to move this way, but how do you propose that the issues with IQService and Connector Gateway be handled?  Docker is fine is we're not dealing with mainframe or AD integration...  Please advise if I'm off track. 

Sally_Newton

Hi @kirkpabk

You can add other dockers to you environment or you can use some platform to manage containers. Also, you can setup different containers to manage one part (Connection Getaway) and use it for others... Also you can add them in one environment for local developing and testing. If you need more details. write me to discuss and then we can update article with new examples. Thanks.

I am able to copy (docker cp) files from my server path to container path (/usr/tomcat), how can I do the reverse. i.e. I want to get the export of files ?

Version history
Revision #:
8 of 8
Last update:
‎Jun 22, 2023 02:31 PM
Updated by: