[V8.0.0.4 Oct 2015]

Building a sample configured IBM MQ queue manager image

Once you have built your generic base IBM® MQ Docker image, you need to apply your own configuration to allow secure access. To do this, create your own Docker image, using the generic image as a parent. The following steps show you how to build a sample image, with a minimal security configuration.

Procedure

  1. Create a new directory, and add a file called config.mqsc, with the following contents:
    DEFINE CHANNEL(PASSWORD.SVRCONN) CHLTYPE(SVRCONN)
    SET CHLAUTH(PASSWORD.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody') +
    DESCR('Allow privileged users on this channel')
    SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
    SET CHLAUTH(PASSWORD.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
    ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
    REFRESH SECURITY TYPE(CONNAUTH)
    

    Note that the preceding example uses simple user ID and password authentication. However, you can apply any security configuration that your enterprise requires.

  2. Create a file called Dockerfile, with the following contents:
    FROM mq
    RUN useradd johndoe -G mqm && \
        echo johndoe:passw0rd | chpasswd
    COPY config.mqsc /etc/mqm/
    
    where:
    • johndoe is the user ID that you want to add
    • passw0rd is the original password
  3. Build your custom Docker image using the following command:
    sudo docker build -t mymq .
    
    where "." is the directory containing the two files you have just created.

    Docker then creates a temporary container using that image, and runs the remaining commands.

    The RUN command adds a user named johndoe with password passw0rd and the COPY command adds the config.mqsc file into a specific location known by the parent image.

  4. Run your new customized image to create a new container, with the disk image you have just created.
    Your new image layer did not specify any particular command to run, so that has been inherited from the parent image. The entry point of the parent (the code is available on GitHub):
    • Creates a queue manager
    • Starts the queue manager
    • Creates a default listener
    • Then runs any MQSC commands from /etc/mqm/config.mqsc.

    Issue the following commands to run your new customized image:

    sudo docker run \
      --env LICENSE=accept \
      --env MQ_QMGR_NAME=QM1 \
      --volume /var/example:/var/mqm \
      --publish 1414:1414 \
      --detach \
      mymq
    
    where the:
    First env parameter
    Passes an environment variable into the container, which acknowledges your acceptance of the license for IBM WebSphere® MQ. You can also set the LICENSE variable to view to view the license.
    See IBM MQ license information for further details on IBM MQ licenses.
    Second env parameter
    Sets the queue manager name that you are using.
    Volume parameter
    Tells the container that whatever MQ writes to /var/mqm should actually be written to /var/example on the host.
    This option means that you can easily delete the container later, and still keep any persistent data. This option also makes it easier to view log files.
    Publish parameter
    Maps ports on the host system to ports in the container. The container runs by default with its own internal IP address, which means that you need to specifically map any ports that you want to expose.
    In this example, that means mapping port 1414 on the host to port 1414 in the container.
    Detach parameter
    Runs the container in the background.
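
The security statements from step 1 can be checked in config.mqsc before docker build copies the file into the image. The script below is an added example, not part of the original page or of the parent image; the function names normalize_mqsc, has_stmt and check_mqsc are hypothetical, and only the '+' continuation form used in step 1 is handled.

```shell
#!/bin/sh
# Added example: pre-build check of config.mqsc (step 1). The function names
# are hypothetical and are not part of IBM MQ or the parent image.

# Print one upper-cased MQSC statement per line: skip '*' comment lines, join
# lines ending in '+' with the next line, and collapse runs of whitespace.
normalize_mqsc() {
    awk '
        /^[ \t]*[*]/ { next }
        {
            sub(/[ \t\r]+$/, "")
            if (sub(/[ \t]*[+]$/, " ")) { buf = buf $0; next }
            line = toupper(buf $0); buf = ""
            gsub(/[ \t]+/, " ", line)
            print line
        }
        END { if (buf != "") print toupper(buf) }
    ' "$1"
}

# Succeed if a single statement in $1 contains every remaining argument.
has_stmt() {
    out=$1; shift
    for pat in "$@"; do
        out=$(printf '%s\n' "$out" | grep -F -- "$pat") || return 1
    done
}

# check_mqsc FILE CHANNEL: report which of the page's security statements
# are absent. Returns 0 if all are present, 1 if any is missing.
check_mqsc() {
    stmts=$(normalize_mqsc "$1") || return 2
    chl=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    rc=0
    has_stmt "$stmts" "SET CHLAUTH('*')" "TYPE(ADDRESSMAP)" "ADDRESS('*')" \
        "USERSRC(NOACCESS)" || { echo "missing: back-stop NOACCESS rule"; rc=1; }
    has_stmt "$stmts" "SET CHLAUTH($chl)" "TYPE(ADDRESSMAP)" "USERSRC(CHANNEL)" \
        "CHCKCLNT(REQUIRED)" || { echo "missing: CHCKCLNT(REQUIRED) on $chl"; rc=1; }
    has_stmt "$stmts" "ALTER AUTHINFO(" "AUTHTYPE(IDPWOS)" "ADOPTCTX(YES)" \
        || { echo "missing: ADOPTCTX(YES) on the IDPWOS object"; rc=1; }
    has_stmt "$stmts" "REFRESH SECURITY" "TYPE(CONNAUTH)" \
        || { echo "missing: REFRESH SECURITY TYPE(CONNAUTH)"; rc=1; }
    return $rc
}

# Usage: sh check_mqsc.sh config.mqsc [CHANNEL]
if [ "$#" -ge 1 ]; then check_mqsc "$1" "${2:-PASSWORD.SVRCONN}"; fi
```

A non-zero exit status lets a build script stop before docker build if an edit to config.mqsc has dropped one of these statements.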

Results

You have built a configured Docker image and can view running containers using the docker ps command. You can view the IBM MQ processes running in your container using the docker top command.

Attention: If your container is not shown when you use the docker ps command, the container might have failed. You can see failed containers using the command docker ps -a.

The container ID will be shown by using the docker ps -a command, and was also printed when you issued the docker run command.

You can view the logs of a container using the docker logs ${CONTAINER_ID} command.

A common problem is that mqconfig indicates that certain kernel settings on the Docker host are not correct. Kernel settings are shared between the Docker host and containers, and need to be set correctly (see Hardware and software requirements on UNIX and Linux® systems).

For example, the maximum number of open files can be set using the command sysctl fs.file-max=524288.