8.1 Best Practices

This section includes some tips and best practices for deploying Docker containers:

  • NetIQ recommends that you restrict the CPUs a container can run on. Use the --cpuset-cpus flag in the docker run command; it takes a list or range of CPU cores (for example, 0-1), which bounds the CPU capacity available to the container.

  • To set a restart policy for a container, use the --restart flag in the docker run command. It is recommended to choose the on-failure restart policy and limit the restart attempts to 5 (--restart=on-failure:5), so that a container that keeps failing is not restarted indefinitely.

  • To set a limit on the memory used by a container, use the --memory flag in the docker run command.

  • If you want to back up the trace files of the deployed drivers, place the trace files under /config/idm/ or copy them manually to the volume-mounted folder, so that they persist outside the container.

  • To limit the number of processes (PIDs) a container can run at any point in time, use the --pids-limit flag in the docker run command. It is recommended to limit the container to 300 PIDs; this also bounds the impact of a runaway or forking process inside the container.

  • For the Identity Manager Engine container, if you want to read the environ file in a process's directory under the /proc file system (/proc/<pid>/environ), use the --cap-add=SYS_PTRACE flag in the docker run command. By default, Docker drops most Linux capabilities and enables only the required ones; SYS_PTRACE allows processes in the container to trace and inspect other processes, including their memory, so add it only to containers that need it. For more information, see the Docker documentation.

  • Ensure that third-party jar files are volume mounted so that they are available every time the container is started; a file copied into a running container's writable layer is lost when the container is removed and recreated. For example, if ojdbc.jar must be present in the /opt/netiq/idm/apps/tomcat/lib directory of the container, volume mount the jar file using the following option in the docker run command:

    -v /host/ojdbc.jar:/opt/netiq/idm/apps/tomcat/lib/ojdbc.jar

For example, the following sample command combines all the above arguments for deploying a container:

docker run -itd --cap-add=SYS_PTRACE --pids-limit=<container PIDs limit> --memory=<maximum amount of memory the container can use> --restart=on-failure:5 --cpuset-cpus=<CPUs in which to allow execution> --network=<network to connect the container to> -v <bind mount a volume> --name=<name to assign to the container> <image name>
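The following script is an added example and is not part of the NetIQ documentation or product. It wraps the docker run flags recommended above in a deploy function with concrete values, and adds an audit function that reads the running container's HostConfig with docker inspect and checks that the recommended limits are actually in effect. The container name idm-engine, the network idm-net, the image tag idm-engine:latest, the memory cap of 4g, the CPU set 0-1, and the host paths /host/idm-config and /host/ojdbc.jar are placeholders chosen for this example, not values from the original page.

```shell
#!/bin/sh
# Added example; not NetIQ code. Deploys a container with the recommended
# docker run flags and audits the resulting HostConfig.
# Placeholders (assumptions, not from the documentation): container name
# "idm-engine", network "idm-net", image "idm-engine:latest", memory cap 4g,
# CPU set 0-1, host paths /host/idm-config and /host/ojdbc.jar.

MAX_PIDS=300     # --pids-limit value recommended above
MAX_RETRIES=5    # on-failure restart attempts recommended above

# deploy_engine NAME IMAGE: start the container with every flag from the
# best-practice list. SYS_PTRACE is only needed to read /proc/<pid>/environ of
# other processes, so it is added only when NEED_PTRACE=1 is set.
deploy_engine() {
  name=$1; image=$2
  ptrace_flag=""
  [ "${NEED_PTRACE:-0}" = "1" ] && ptrace_flag="--cap-add=SYS_PTRACE"
  # $ptrace_flag is intentionally unquoted so that an empty value disappears.
  docker run -itd $ptrace_flag \
    --pids-limit="$MAX_PIDS" \
    --memory=4g \
    --restart="on-failure:$MAX_RETRIES" \
    --cpuset-cpus=0-1 \
    --network=idm-net \
    -v /host/idm-config:/config \
    -v /host/ojdbc.jar:/opt/netiq/idm/apps/tomcat/lib/ojdbc.jar \
    --name="$name" "$image"
}

# is_int VALUE: true when VALUE is a non-negative integer. docker inspect prints
# "<nil>" for an unset PidsLimit on newer Docker versions, so this guards the
# numeric comparisons below.
is_int() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# check_hostconfig PIDS MEMORY_BYTES RESTART_NAME RETRY_COUNT CPUSET
# Returns 0 when the values meet the policy above, 1 (with a reason on stderr)
# otherwise. Arguments are the raw values reported by docker inspect.
check_hostconfig() {
  pids=$1; mem=$2; rname=$3; retries=$4; cpuset=$5
  if ! is_int "$pids" || [ "$pids" -eq 0 ] || [ "$pids" -gt "$MAX_PIDS" ]; then
    echo "pids limit is '$pids', expected 1..$MAX_PIDS" >&2; return 1
  fi
  if ! is_int "$mem" || [ "$mem" -eq 0 ]; then
    echo "no memory limit set (Memory='$mem')" >&2; return 1
  fi
  if [ "$rname" != "on-failure" ] || ! is_int "$retries" \
     || [ "$retries" -eq 0 ] || [ "$retries" -gt "$MAX_RETRIES" ]; then
    echo "restart policy is '$rname:$retries', expected on-failure:1..$MAX_RETRIES" >&2
    return 1
  fi
  if [ -z "$cpuset" ]; then
    echo "no --cpuset-cpus restriction" >&2; return 1
  fi
  return 0
}

# audit_container NAME: read the live HostConfig and apply check_hostconfig.
# Fields are joined with '|' because CpusetCpus is empty when unset and would
# otherwise vanish under whitespace splitting.
audit_container() {
  vals=$(docker inspect --format \
    '{{.HostConfig.PidsLimit}}|{{.HostConfig.Memory}}|{{.HostConfig.RestartPolicy.Name}}|{{.HostConfig.RestartPolicy.MaximumRetryCount}}|{{.HostConfig.CpusetCpus}}' \
    "$1") || return 1
  oldifs=$IFS; IFS='|'; set -- $vals; IFS=$oldifs
  check_hostconfig "$1" "$2" "$3" "$4" "$5"
}
```

Run deploy_engine idm-engine idm-engine:latest to start the container (prefix it with NEED_PTRACE=1 only if the environ file must be readable), then audit_container idm-engine afterwards; a non-zero exit with a reason on stderr means one of the recommended limits is missing or out of range. Because the audit reads docker inspect rather than the command you typed, it also catches containers that were started by hand or by another tool without these flags.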