9.0 Best Practices

This section includes some tips and best practices for deploying Docker containers:

  • NetIQ recommends that you limit the CPUs a container can use. The --cpuset-cpus flag in the docker run command pins the container to a specific set of CPU cores (for example, --cpuset-cpus=0-1). Note that this flag restricts which cores the container may run on, not how much CPU time it gets; to cap the share of CPU time instead, use the --cpus flag.

  • To set a restart policy for a container, use the --restart flag in the docker run command. NetIQ recommends the on-failure policy with the restart attempts limited to 5 (--restart=on-failure:5), so a crashing container does not restart indefinitely.

  • To set a limit on the memory used by a container, use the --memory flag in the docker run command.

  • To allow a container to stop gracefully, use the --stop-timeout flag. NetIQ recommends setting its value to 100. When the container is stopped, Docker sends SIGTERM to the container's main process and waits up to 100 seconds for it to exit; if processes are still running when the timeout expires, Docker sends SIGKILL and the container exits. If all processes exit before the timeout, the container exits as soon as the last process terminates.

  • To send additional log files to the container's docker logs output, set the LOGTOFOLLOW environment variable with the -e option of the docker run command. For example, to follow the new logs for OSP, specify -e LOGTOFOLLOW="<list of files separated by space>" in the docker run command. The listed files are then written to the docker logs of the container, which you can monitor with the docker logs -f <container-name> command. The default log for each container is listed in the following table.

    Container                  Default log
    Identity Manager Engine    /var/opt/novell/eDirectory/log/ndsd.log
    OSP                        /opt/netiq/idm/apps/tomcat/logs/catalina.out
    Identity Applications      /opt/netiq/idm/apps/tomcat/logs/catalina.out
    Form Renderer              /opt/netiq/idm/apps/sites/logs/formslogger.log
    ActiveMQ                   /opt/netiq/idm/activemq/data/activemq.log
    Identity Reporting         /opt/netiq/idm/apps/tomcat/logs/catalina.out

  • For all containers except Remote Loader and Fanout Agent, you can monitor the health of the containers with Docker runtime health checks and customize the health command to your requirement. For example, to check that the rdxml service is running, use --health-cmd "ps -eaf | grep -i '[r]dxml'" --health-interval 60s. Do not use the plain pattern ps -eaf | grep -i rdxml as the health command: grep matches its own command line in the ps output, so the check succeeds even when rdxml is not running. The bracket pattern '[r]dxml' still matches the rdxml process but not the grep process itself (pgrep -f rdxml works as well if pgrep is available in the image). The Docker health-check durations take a unit, for example 60s.

  • If you want to back up the trace files for the deployed drivers, place the trace file under /config/idm/ or copy it manually to the volume-mounted folder; trace files written elsewhere inside the container are lost when the container is removed.

  • To set a limit on the number of processes allowed to run at any point in time, use the --pids-limit flag in the docker run command. It is recommended to limit the number of PIDs to 300. This caps the processes and threads the container can create, so a runaway process or fork bomb inside the container stops at the limit instead of exhausting the host's PID space.

  • For the Identity Manager Engine container, if you need to read the environ file of a process under the /proc file system (/proc/<pid>/environ), add the --cap-add=SYS_PTRACE flag to the docker run command. By default, Docker drops most Linux capabilities and grants only the ones required; CAP_SYS_PTRACE lets processes in the container trace other processes and read their memory and environment, so add it only when you actually need it. For more information, see the Docker documentation.

  • It is recommended to map a separate data volume for each component.

  • Ensure that third-party jar files are volume mounted so that they are available every time the container starts. For example, if ojdbc.jar must be present in the /opt/netiq/idm/apps/tomcat/lib directory of the container, volume mount the jar file with the following option:

    -v /host/ojdbc.jar:/opt/netiq/idm/apps/tomcat/lib/ojdbc.jar

  • Once the containers are deployed, it is recommended that you remove all the input files that were used for bringing up the containers, such as silent.properties, credentials.properties, and StartupRL.txt. Files such as credentials.properties hold the credentials used during deployment and should not remain on the host or in a mounted volume after the containers are running.

For example, run the following sample command, which contains all the above arguments, to deploy a container (the health command uses the bracket pattern so that grep does not match itself, and --health-interval carries a unit):

docker run -d --name=<assign a name to the container> \
  --network=<connect a container to network> \
  --cap-add=SYS_PTRACE \
  --pids-limit <tune container pids limit> \
  --memory=<maximum amount of memory container can use> \
  --restart=on-failure:5 \
  --cpuset-cpus=<CPUs in which to allow execution> \
  --stop-timeout 100 \
  -e LOGTOFOLLOW="/opt/netiq/idm/apps/tomcat/logs/catalina.out /opt/netiq/idm/apps/tomcat/logs/idapps.out" \
  --health-cmd "ps -eaf | grep -i '[t]omcat'" --health-interval 60s \
  -v <bind mount a volume> <image name>
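A long docker run line like the one above is easy to get wrong, so it is worth verifying the running container rather than the command you typed. The following script is an added example, not part of the NetIQ documentation or the Identity Manager product: it reads docker inspect output for a container and reports which of the recommended settings (memory, PID and CPU limits, restart policy, stop timeout, added capabilities, health check) are missing. It also flags the health-check pitfall described above, where a ps | grep <name> command matches grep's own command line and always reports the container healthy. The two JSON documents at the bottom are constructed to look like docker inspect output so the script runs offline; the container name and image tag are made up.

```python
"""Audit a container's `docker inspect` output against the best practices above.

Added example, not part of the NetIQ documentation.  Usage on a real host:

    docker inspect <container-name> | python3 audit_container.py

GOOD and BAD below are constructed `docker inspect`-style documents (container
name and image are made up) so the script runs offline.
"""
import copy
import json
import sys

RECOMMENDED_PIDS_LIMIT = 300             # --pids-limit 300
RECOMMENDED_RESTART = ("on-failure", 5)  # --restart=on-failure:5
RECOMMENDED_STOP_TIMEOUT = 100           # --stop-timeout 100
ALLOWED_CAPS = {"SYS_PTRACE", "CAP_SYS_PTRACE"}  # the only capability the section adds


def health_cmd_self_matches(cmd: str) -> bool:
    """True when cmd is `ps ... | grep PATTERN` and PATTERN would also match the grep
    process itself in the ps output, so the health check can never fail.
    `grep '[r]dxml'` is safe: the regex matches rdxml but not the literal "[r]dxml"."""
    segments = [s.split() for s in cmd.split("|")]
    if len(segments) < 2 or not segments[0] or segments[0][0] != "ps":
        return False
    greps = [s for s in segments[1:] if s and s[0] == "grep"]
    if not greps:
        return False
    if any("-v" in g and "grep" in g[1:] for g in greps):
        return False  # a trailing `grep -v grep` filters the self-match out
    pattern = greps[0][-1].strip("'\"")
    return not pattern.startswith("[")


def audit(inspect_output):
    """Return a list of findings for the first container in a `docker inspect` JSON
    array (str or already parsed).  An empty list means every check passed."""
    data = json.loads(inspect_output) if isinstance(inspect_output, str) else inspect_output
    host = data[0]["HostConfig"]
    cfg = data[0]["Config"]
    findings = []
    if not host.get("Memory"):                       # 0 when --memory was not given
        findings.append("no memory limit; add --memory")
    pids = host.get("PidsLimit")                     # null or 0 when --pids-limit was not given
    if not pids:
        findings.append("no PID limit; add --pids-limit 300")
    elif pids > RECOMMENDED_PIDS_LIMIT:
        findings.append(f"pids-limit {pids} is above the recommended {RECOMMENDED_PIDS_LIMIT}")
    policy = host.get("RestartPolicy") or {}
    if (policy.get("Name"), policy.get("MaximumRetryCount")) != RECOMMENDED_RESTART:
        findings.append("restart policy is not on-failure:5")
    if not host.get("CpusetCpus") and not host.get("NanoCpus"):  # NanoCpus is set by --cpus
        findings.append("no CPU limit; add --cpuset-cpus (or --cpus)")
    if cfg.get("StopTimeout") != RECOMMENDED_STOP_TIMEOUT:  # key is absent when not set
        findings.append("stop-timeout is not 100")
    extra = [c for c in (host.get("CapAdd") or []) if c not in ALLOWED_CAPS]
    if extra:
        findings.append(f"unexpected added capabilities: {extra}")
    if host.get("Privileged"):
        findings.append("container runs --privileged")
    health = cfg.get("Healthcheck")
    if not health or not health.get("Test") or health["Test"] == ["NONE"]:
        findings.append("no health check; add --health-cmd and --health-interval")
    else:
        test = health["Test"]                        # ["CMD-SHELL", "<cmd>"] for --health-cmd
        shell_cmd = " ".join(test[1:]) if test[0] == "CMD-SHELL" else ""
        if health_cmd_self_matches(shell_cmd):
            findings.append("health command 'ps | grep' matches itself and always passes; "
                            "use grep '[n]ame' or pgrep")
        if not health.get("Interval"):               # nanoseconds; 0 when not set
            findings.append("health check has no interval; add --health-interval 60s")
    return findings


# Constructed sample: a container started with the flags recommended above.
GOOD = [{
    "Name": "/idm-osp",
    "HostConfig": {"Memory": 4 * 1024 ** 3, "PidsLimit": 300, "CpusetCpus": "0-1",
                   "NanoCpus": 0, "Privileged": False, "CapAdd": ["SYS_PTRACE"],
                   "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5}},
    "Config": {"Image": "idm-osp:example", "StopTimeout": 100,
               "Healthcheck": {"Test": ["CMD-SHELL", "ps -eaf | grep -i '[t]omcat'"],
                               "Interval": 60 * 10 ** 9}},
}]
GOOD_JSON = json.dumps(GOOD)

# Constructed sample: same container with a missing PID limit, an extra capability and
# the self-matching health command.
BAD = copy.deepcopy(GOOD)
BAD[0]["HostConfig"]["PidsLimit"] = None
BAD[0]["HostConfig"]["CapAdd"] = ["SYS_PTRACE", "SYS_ADMIN"]
BAD[0]["Config"]["Healthcheck"]["Test"] = ["CMD-SHELL", "ps -eaf | grep -i tomcat"]

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for line in audit(raw.strip() or json.dumps(BAD)) or ["OK: all checked practices met"]:
        print(line)
```

Run it with the real output of docker inspect piped in; without input it audits the constructed BAD document and prints the three findings. The capability check only accepts SYS_PTRACE because that is the sole capability this section asks you to add; extend ALLOWED_CAPS if a container of yours legitimately needs more.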