3.3 Deploying iManager Container

The OS base image of the iManager Docker image is openSUSE Leap 15.2. Download the iManager image archive to the Docker host, extract it, and then load the image into the host's local Docker image store (docker load does not push to a registry) with the following commands to install a standalone iManager container:

# tar -xvf iManager_326_Container.tar.gz
# docker load --input iManager_326/iManager_326.tar.gz

The above command will load a Docker image named imanager:3.2.6.

NOTE: To enable iManager container deployment along with Identity Manager, the iManager image is bundled with the other Identity Manager images into a single .tar.gz file. For more information on iManager container deployment with Identity Manager, see Deploying iManager Container in the NetIQ Identity Manager 4.8.5: Installation and Upgrade Guide.

Before deploying iManager, you must consider the following recommendations:

  • By default, Docker containers have no resource constraints, so every container can use all of the CPU and memory that the host's kernel provides. Set limits on the resources a container may use so that one running container cannot consume everything and starve the others:

    • Apply a hard limit to the memory the container may use with the --memory flag of docker run.

    • Limit the CPUs the container may run on with the --cpuset-cpus flag of docker run.

    • Set --pids-limit to 300 to cap the number of processes and threads (PIDs) that can exist inside the container at any one time. This prevents a fork bomb or similar process-exhaustion DoS inside the container from affecting the host.

  • Set the container restart policy to on-failure with 5 retries using the --restart flag of docker run (--restart on-failure:5). With this policy, containers have to be restarted manually if the Docker daemon on the host machine is restarted.

  • Use the iManager container only after its health status shows as healthy once the container comes up. To check the health status, run the following command and look for "(healthy)" in the STATUS column:

    docker ps --filter status="running"

  • Docker containers start with a default set of Linux capabilities. Keep only the following capabilities enabled for the iManager container and drop all others:

    • AUDIT_WRITE

    • CHOWN

    • DAC_OVERRIDE

    • SETGID

    • SETUID

    • FOWNER

    • SYS_PTRACE (Only if using utilities that make use of Linux ptrace. Such as gdb)

      For more information on how to add and drop capabilities, see Runtime privilege and Linux capabilities.

  • The iManager container always starts as the non-root user novlwww. As an additional security measure, enable user namespace remapping on the daemon so that a process that escapes the container does not hold host-root privileges. For more information on user namespace remapping, see Isolate containers with a user namespace.

Configuring iManager Using Environment File

The iManager.env file is found at /etc/opt/novell/iManager/conf inside the iManager container. A sample configuration file with default values for the parameters is shown below:

# Certificate Public Key Algorithm
# Allowed Values: RSA, ECDSA256, ECDSA384
CERTIFICATE_ALGORITHM=RSA
# Cipher Suite
# Allowed Values:
# For RSA - NONE, LOW, MEDIUM, HIGH
# For ECDSA256 - SUITEB128ONLY
# For ECDSA384 - SUITEB128, SUITEB192
CIPHER_SUITE=NONE
# Tomcat Server HTTP Port
TOMCAT_HTTP_PORT=8080
# Tomcat Server SSL Port
TOMCAT_SSL_PORT=8443
# iManager Authorized User (admin_name.container_name.tree_name)
AUTHORIZED_USER=

To start an iManager container with non-default values for any of these parameters, create an iManager.env file on the Docker host file system and bind mount it over /etc/opt/novell/iManager/conf/iManager.env inside the container using the --volume option. The examples in this section use older image tags; substitute the tag reported by docker load, for example imanager:3.2.6. For example:

docker run --name=iMan320 --volume /path/to/iManager.env:/etc/opt/novell/iManager/conf/iManager.env imanager:3.2.0

Parameters can be changed after the container has started by editing the /path/to/iManager.env file and restarting the container. To change the configuration of a running container:

  • Modify the /path/to/iManager.env file.

  • Restart the container using docker restart iMan320
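The allowed values in the sample iManager.env above are interdependent: the cipher suite must match the certificate algorithm, and the two Tomcat ports must be valid and distinct. A wrong combination only surfaces when the container fails to come up healthy, so it is worth checking the file on the host before bind mounting it. The following POSIX shell script is an added example, not part of the iManager product; the value table is taken from the sample file above, the AUTHORIZED_USER format from its comment, and the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Validate an iManager.env file on the Docker host before bind mounting it.
# Added example (not iManager product code). Usage: imanager_env_check FILE
set -eu

# Print the last value assigned to KEY in FILE; comments and blank lines are
# skipped because they never start with the key. Empty output means unset.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# True when $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 when the file is consistent, 1 otherwise; problems go to stderr.
imanager_env_check() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    alg=$(env_get "$file" CERTIFICATE_ALGORITHM)
    suite=$(env_get "$file" CIPHER_SUITE)
    http=$(env_get "$file" TOMCAT_HTTP_PORT)
    ssl=$(env_get "$file" TOMCAT_SSL_PORT)
    user=$(env_get "$file" AUTHORIZED_USER)
    rc=0

    # Cipher suite choices per certificate algorithm, from the sample file.
    case "$alg" in
        RSA)      allowed="NONE LOW MEDIUM HIGH" ;;
        ECDSA256) allowed="SUITEB128ONLY" ;;
        ECDSA384) allowed="SUITEB128 SUITEB192" ;;
        *) echo "CERTIFICATE_ALGORITHM=$alg: expected RSA, ECDSA256 or ECDSA384" >&2
           return 1 ;;
    esac
    ok=0
    for s in $allowed; do [ "$s" = "$suite" ] && ok=1; done
    if [ "$ok" -eq 0 ]; then
        echo "CIPHER_SUITE=$suite is not valid for $alg (allowed: $allowed)" >&2; rc=1
    fi

    valid_port "$http" || { echo "TOMCAT_HTTP_PORT=$http is not a valid port" >&2; rc=1; }
    valid_port "$ssl"  || { echo "TOMCAT_SSL_PORT=$ssl is not a valid port" >&2; rc=1; }
    [ "$http" != "$ssl" ] || { echo "HTTP and SSL ports must differ" >&2; rc=1; }

    # AUTHORIZED_USER is admin_name.container_name.tree_name (at least two dots).
    case "$user" in
        '')    echo "warning: AUTHORIZED_USER is empty" >&2 ;;
        *.*.*) ;;
        *)     echo "AUTHORIZED_USER=$user is not admin_name.container_name.tree_name" >&2; rc=1 ;;
    esac
    return $rc
}

# Demonstration on a constructed file (not a real deployment's values).
demo_dir=$(mktemp -d)
cat > "$demo_dir/iManager.env" <<'EOF'
# constructed sample
CERTIFICATE_ALGORITHM=ECDSA384
CIPHER_SUITE=SUITEB192
TOMCAT_HTTP_PORT=8080
TOMCAT_SSL_PORT=8443
AUTHORIZED_USER=admin.sa.MYTREE
EOF
imanager_env_check "$demo_dir/iManager.env" && echo "iManager.env OK"
rm -rf "$demo_dir"
```

Run the check (imanager_env_check /path/to/iManager.env) before the docker run that mounts the file, and again after editing it and before docker restart.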

Installing the iManager Plug-Ins During Container Startup

To install plug-ins from a local directory on the host machine during container startup, mount the directory that contains the plug-in (.npm) files at /var/opt/novell/iManager/nps/packages/ in the iManager container using the -v option of docker run:

docker run --name=iMan322 --volume /path/to/iManager.env:/etc/opt/novell/iManager/conf/iManager.env -v /path/to/plugins:/var/opt/novell/iManager/nps/packages imanager:3.2.2

The plug-ins in that directory are installed automatically during container startup and appear under Installed NetIQ Plug-in Modules in iManager.

NOTE:

  • The container must be restarted after it comes up.

  • New plug-ins can be added to the available iManager plug-ins list after the container is up, using the same bind mount: copy the new .npm files into the host directory that is mounted at /var/opt/novell/iManager/nps/packages/ in the container, then restart the container so the new plug-ins are listed.

The iManager Docker container supports the Host and Overlay network drivers for deployment in a multi-host Docker environment:

3.3.1 Deploying iManager Container in Host Network

iManager containers can be deployed with the Host network driver to reach eDirectory servers on the network. For information on Docker networks, see Configure Networking.

The following example shows how to configure iManager container using the Host network driver:

docker run -it --name=iMan320 --net=host --restart on-failure:5 --memory="1000M" --cpuset-cpus="2" --volume iManager-volume:/config --volume /path/to/iManager.env:/etc/opt/novell/iManager/conf/iManager.env imanager:3.2.0

NOTE:

  • The --net=host flag deploys the container with the Host network driver.

  • The iManager-volume volume must be created before deploying iManager in the Host network. For more information, see Managing iManager Data Storage.

Figure 3-1 Deploying iManager Container in Host Network

3.3.2 Deploying iManager Container in User Defined Overlay Network

A user-defined Overlay network can be used to create a distributed network of eDirectory containers running on multiple Docker daemon hosts. An iManager container deployed in this overlay network can manage all of these eDirectory servers. User-defined overlay networks can be deployed on both Linux and Windows. Ensure that the iManager Docker host is a member of the same Docker Swarm as the eDirectory Docker hosts. For more information on how to deploy containers in an Overlay network, see Use Overlay Networks.

Before deploying iManager container in a user defined Overlay network, you must consider the following recommendations:

  • eDirectory containers and the iManager container must be deployed within the same Overlay network.

  • You must publish container ports when they are accessed from outside the Docker Overlay network. By default, Docker publishes container ports on 0.0.0.0, the wildcard address, which accepts incoming connections on every interface of the host machine. Publish ports on one specific host interface instead with the following docker run option:

    --publish <Host_IP_Address>:host_port:container_port

The following example shows how to configure iManager container in user defined overlay network:

docker run -it --name=iManager320 --net=eDir-overlay-nw --restart on-failure:5 --memory="1000M" --cpuset-cpus="2" --volume iManager-volume:/config --volume /path/to/iManager.env:/etc/opt/novell/iManager/conf/iManager.env --publish <Host_IP_Address>:443:8443 imanager:3.2.0

NOTE: eDir-overlay-nw is the name of the Overlay network in the Docker swarm in which the eDirectory containers are deployed. For more information on how to configure an Overlay network in Docker swarm, see Use Overlay Networks.

Figure 3-2 Deploying iManager Container in User Defined Overlay Network
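The docker run lines in 3.3.1 and 3.3.2 show the network and resource flags but not the other recommendations from the start of this section (--pids-limit, the capability allowlist, waiting for the health check). The following POSIX shell script is an added example, not part of the iManager product, that assembles one command line applying all of them for either network mode and then verifies the result from the daemon's view with docker inspect. The container name iMan326, the 10.0.0.5 host address, the eDir-overlay-nw network name and the /path/to/iManager.env path are placeholders; the paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Hardened docker run for iManager (added example, not iManager product code).
# Applies: --memory and --cpuset-cpus limits, --pids-limit 300, restart
# on-failure:5, --cap-drop ALL plus only the capabilities listed in this
# section, and in overlay mode a --publish bound to one host interface.
set -eu

IMANAGER_ENV=/path/to/iManager.env   # assumed host path of the env file
IMANAGER_VOLUME=iManager-volume      # data volume, created beforehand

# Capabilities to keep; everything else is dropped. Add SYS_PTRACE only when a
# ptrace-based tool such as gdb is actually needed inside the container.
IMANAGER_CAPS="AUDIT_WRITE CHOWN DAC_OVERRIDE SETGID SETUID FOWNER"

# Print the docker run arguments, space separated, on one line.
#   $1 container name   $2 image tag   $3 "host" or an overlay network name
#   $4 host IP to publish 8443 on (overlay mode only)
imanager_run_args() {
    name=$1; image=$2; net=$3; host_ip=${4:-}
    printf '%s ' run -d --name "$name" \
        --restart on-failure:5 \
        --memory 1000M --cpuset-cpus 2 --pids-limit 300 \
        --cap-drop ALL
    for c in $IMANAGER_CAPS; do printf '%s %s ' --cap-add "$c"; done
    printf '%s %s ' --volume "$IMANAGER_VOLUME:/config"
    printf '%s %s ' --volume "$IMANAGER_ENV:/etc/opt/novell/iManager/conf/iManager.env"
    if [ "$net" = host ]; then
        printf '%s %s ' --net host
    else
        # Reached from outside the overlay: bind to one interface, never 0.0.0.0.
        printf '%s %s %s %s ' --net "$net" --publish "$host_ip:443:8443"
    fi
    printf '%s\n' "$image"
}

# Poll the image's HEALTHCHECK result until "healthy" or the timeout (seconds).
imanager_wait_healthy() {
    name=$1; timeout=${2:-300}; waited=0; status=unknown
    while [ "$waited" -lt "$timeout" ]; do
        status=$(docker inspect --format '{{.State.Health.Status}}' "$name" 2>/dev/null || echo unknown)
        [ "$status" = healthy ] && return 0
        sleep 5; waited=$((waited + 5))
    done
    echo "$name not healthy after ${timeout}s (last status: $status)" >&2
    return 1
}

# Start the container, wait for health, and show what the daemon actually applied.
imanager_start() {
    # Word splitting is intended here; the arguments contain no spaces.
    docker $(imanager_run_args "$@")
    imanager_wait_healthy "$1"
    docker inspect --format \
        'pids-limit={{.HostConfig.PidsLimit}} added={{.HostConfig.CapAdd}} dropped={{.HostConfig.CapDrop}}' "$1"
}

# Dry run by default: print the command for each network mode.
# Set IMANAGER_RUN=1 to actually start the host-network container.
if [ "${IMANAGER_RUN:-0}" = 1 ]; then
    imanager_start iMan326 imanager:3.2.6 host
else
    printf 'docker %s\n' "$(imanager_run_args iMan326 imanager:3.2.6 host)"
    printf 'docker %s\n' "$(imanager_run_args iMan326 imanager:3.2.6 eDir-overlay-nw 10.0.0.5)"
fi
```

The --cap-drop ALL followed by explicit --cap-add entries is the usual allowlist form; Docker applies the drops first, so order on the command line does not matter. The final docker inspect is the check worth keeping in a deployment runbook: it confirms the PID limit and capability set from the daemon rather than trusting the command that was typed.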