Once you have built your generic base IBM® MQ
Docker image, you need to apply your own configuration to allow secure access. To do this, create
your own Docker image, using the generic image as a parent. The following steps show you how to
build a sample image, with a minimal security configuration.
Procedure
- Create a new directory, and add a file called config.mqsc, with the following contents:
DEFINE CHANNEL(PASSWORD.SVRCONN) CHLTYPE(SVRCONN)
SET CHLAUTH(PASSWORD.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody') +
DESCR('Allow privileged users on this channel')
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
SET CHLAUTH(PASSWORD.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
REFRESH SECURITY TYPE(CONNAUTH)
Note that the preceding example uses simple user ID and password authentication. However, you can
apply any security configuration that your enterprise requires.
- Create a file called Dockerfile, with the following contents:
FROM mq
RUN useradd johndoe -G mqm && \
    echo johndoe:passw0rd | chpasswd
COPY config.mqsc /etc/mqm/
where:
johndoe is the user ID that you want to add
passw0rd is the initial password for that user
- Build your custom Docker image using the following command:
sudo docker build -t mymq .
where "." is the directory containing the two files you have just created.
Docker starts from the parent image named on the FROM line, creates a temporary container from it, and runs the remaining commands. The RUN command adds a user named johndoe with password passw0rd, and the COPY command adds the config.mqsc file into /etc/mqm/, the location where the parent image looks for it.
- Run your new customized image to create a new container, with the disk image you have just created.
Your new image layer did not specify any particular command to run, so the command is inherited from the parent image. The entry point of the parent (the code is available on GitHub):
- Creates a queue manager
- Starts the queue manager
- Creates a default listener
- Then runs any MQSC commands from /etc/mqm/config.mqsc.
Issue the following commands to run your new customized image:
sudo docker run \
--env LICENSE=accept \
--env MQ_QMGR_NAME=QM1 \
--volume /var/example:/var/mqm \
--publish 1414:1414 \
--detach \
mymq
where:
- The first --env parameter passes an environment variable into the container, which acknowledges your acceptance of the license for IBM WebSphere® MQ. You can also set the LICENSE variable to the value view, to view the license. See IBM MQ license information for further details on IBM MQ licenses.
- The second --env parameter sets the queue manager name that you are using.
- The --volume parameter tells the container that whatever MQ writes to /var/mqm should actually be written to /var/example on the host. This means that you can easily delete the container later and still keep any persistent data. It also makes it easier to view log files.
- The --publish parameter maps ports on the host system to ports in the container. The container runs by default with its own internal IP address, so you must specifically map any ports that you want to expose. In this example, port 1414 on the host is mapped to port 1414 in the container.
- The --detach parameter runs the container in the background.
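As an added example (not IBM's code, and not part of the original page), the following POSIX shell script carries steps 1 to 4 through end to end: it writes the two files from this procedure into a build directory, checks that the security rules in config.mqsc are all present before anything is built, and then runs the same docker build and docker run commands. The function names, the user ID and password arguments, and the lint rules are assumptions; the image tag mymq, the host directory /var/example and the queue manager name QM1 are the values used on this page.

```shell
#!/bin/sh
# Added example (not IBM's code): scaffold the build context from this
# procedure, lint the MQSC security rules, then build and run the image.
# Assumed names: write_build_context, check_mqsc, build_and_run.
set -eu

# Write config.mqsc (contents from the procedure) and the Dockerfile into
# DIR ($1). The user ID is $2 and the password is $3.
write_build_context() {
    dir=$1
    user=$2
    password=$3
    mkdir -p "$dir"
    cat > "$dir/config.mqsc" <<'EOF'
DEFINE CHANNEL(PASSWORD.SVRCONN) CHLTYPE(SVRCONN)
SET CHLAUTH(PASSWORD.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody') +
DESCR('Allow privileged users on this channel')
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
SET CHLAUTH(PASSWORD.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
REFRESH SECURITY TYPE(CONNAUTH)
EOF
    # The RUN line is recorded in the image's layer history (docker history
    # shows it), so the password is readable by anyone who can pull the
    # image: keep images built this way in a private registry.
    cat > "$dir/Dockerfile" <<EOF
FROM mq
RUN useradd $user -G mqm && \\
    echo $user:$password | chpasswd
COPY config.mqsc /etc/mqm/
EOF
}

# Lint the MQSC file: fail unless the backstop rule, the CHCKCLNT(REQUIRED)
# mapping, ADOPTCTX(YES) and the CONNAUTH refresh are all present, so an
# image is never built from a config.mqsc that silently lost one of them.
check_mqsc() {
    file=$1
    for needle in "USERSRC(NOACCESS)" "CHCKCLNT(REQUIRED)" \
                  "ADOPTCTX(YES)" "REFRESH SECURITY TYPE(CONNAUTH)"; do
        if ! grep -qF "$needle" "$file"; then
            echo "config.mqsc is missing: $needle" >&2
            return 1
        fi
    done
    return 0
}

# Build the image from DIR and start a container from it, exactly as in the
# procedure. Requires Docker and the parent image "mq" built earlier.
build_and_run() {
    dir=$1
    check_mqsc "$dir/config.mqsc"
    sudo docker build -t mymq "$dir"
    sudo docker run \
        --env LICENSE=accept \
        --env MQ_QMGR_NAME=QM1 \
        --volume /var/example:/var/mqm \
        --publish 1414:1414 \
        --detach \
        mymq
}

# Usage: sh mqbuild.sh [build-dir] [user] [password]
# write_build_context ./mq-custom johndoe "$MQ_APP_PASSWORD"
# build_and_run ./mq-custom
```

The lint step is deliberately separate from the build so that it can run in CI against the build directory alone; the build and run function is the only part that needs a Docker host and the parent image.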
Results
You have built a configured Docker image and can view running containers using the docker ps command. You can view the IBM MQ processes running in your container using the docker top command.
Attention: If your container is not shown when you use the docker ps command, the container might have failed. You can see failed containers using the command docker ps -a. The container ID is shown by the docker ps -a command, and was also printed when you issued the docker run command. You can view the logs of a container using the docker logs ${CONTAINER_ID} command.
A common problem is that mqconfig indicates that certain kernel settings on the Docker host are not correct. Kernel settings are shared between the Docker host and containers, and need to be set correctly (see Hardware and software requirements on UNIX and Linux® systems). For example, the maximum number of open files can be set using the command sysctl fs.file-max=524288.
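As an added example (not IBM's code), the following POSIX shell script turns the checks described above into a repeatable diagnosis for one container: it reads the container state with docker inspect, shows the log tail only when the container is not running, and compares the host's fs.file-max with the value given on this page instead of changing it silently. The function names and the way the kernel value is read from /proc/sys are assumptions; the 524288 minimum and the docker top and docker logs commands come from the page.

```shell
#!/bin/sh
# Added example (not IBM's code): post-run checks for the container started
# by the procedure. Assumed function names: meets_minimum,
# check_kernel_setting, container_state_ok, diagnose_container.
set -eu

# Return 0 when a kernel setting's current value is at least the minimum.
# Kept as a pure comparison so it can be checked without root or Docker.
meets_minimum() {
    actual=$1
    minimum=$2
    [ "$actual" -ge "$minimum" ]
}

# Read a kernel parameter from /proc/sys (key written with dots, as sysctl
# prints it) and compare it with the minimum. On failure print the sysctl
# command that would fix it rather than modifying the host.
check_kernel_setting() {
    key=$1
    minimum=$2
    path="/proc/sys/$(printf '%s' "$key" | tr . /)"
    actual=$(cat "$path")
    if meets_minimum "$actual" "$minimum"; then
        echo "OK   $key=$actual (minimum $minimum)"
    else
        echo "FAIL $key=$actual (minimum $minimum); fix with: sudo sysctl $key=$minimum" >&2
        return 1
    fi
}

# Classify the state string that docker inspect reports for a container.
# Only "running" is healthy; anything else means the container exited or
# never started, and the logs are the next thing to read.
container_state_ok() {
    case $1 in
        running) return 0 ;;
        *) return 1 ;;
    esac
}

# Diagnose one container by ID: state first, logs if it is not running,
# then the kernel setting that mqconfig most often reports. Needs Docker.
diagnose_container() {
    id=$1
    state=$(sudo docker inspect --format '{{.State.Status}}' "$id")
    if container_state_ok "$state"; then
        echo "container $id is running; MQ processes:"
        sudo docker top "$id"
    else
        echo "container $id is in state '$state'; last log lines:" >&2
        sudo docker logs --tail 50 "$id" >&2
    fi
    check_kernel_setting fs.file-max 524288
}

# Usage: diagnose_container "$CONTAINER_ID"
```

Because kernel settings are shared between the Docker host and its containers, the fs.file-max check runs on the host, which is also where the printed sysctl command must be applied.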