Base Docker Images
ForgeRock provides eleven Docker images for deploying the ForgeRock Identity Platform:
-
Seven unsupported, evaluation-only base images:
-
amster -
am-base -
am-config-upgrader -
ds -
ldif-importer -
idm -
ig
-
-
Three supported base images that implement the platform’s user interface elements:
-
platform-admin-ui -
platform-enduser-ui -
platform-login-ui
-
All of the Docker images are publicly available in ForgeRock’s Docker registry.
Which Docker Images Do I Deploy?
-
I am a developer using the CDK.
-
UI elements. Deploy the supported images from ForgeRock.
-
Other platform elements. Either deploy the evaluation-only images from ForgeRock or your own base images.
-
-
I am doing a proof-of-concept CDM deployment.
-
UI elements. Deploy the supported images from ForgeRock.
-
Other platform elements. Either deploy the evaluation-only images from ForgeRock or your own base images.
-
-
I am deploying the platform in production.
-
UI elements. Deploy the supported images from ForgeRock.
-
Other platform elements. Deploy your own base images. The evaluation-only images are not supported for production deployments of the ForgeRock Identity Platform.
-
Your Own Base Docker Images
Perform the following steps to build base images for the seven unsupported, evaluation-only Docker images. After you’ve built your own base images, push them to your Docker registry:
-
Download the latest versions of the AM, Amster, IDM, and DS
.zipfiles from the ForgeRock Download Center. Optionally, you can also download the latest version of the IG.zipfile. -
Build the base image for Amster. This image must be available in order to build the base image for AM in the next step:
-
Make a directory named
amster. -
Unzip the Amster
.zipfile into the newamsterdirectory. -
Change to the samples/docker directory in the expanded
.zipfile output. -
Run the setup.sh script:
$ ./setup.sh + mkdir -p build + find ../.. '!' -name .. '!' -name samples '!' -name docker -maxdepth 1 -exec cp -R '{}' build/ ';' + cp ../../docker/amster-install.sh ../../docker/docker-entrypoint.sh ../../docker/export.sh ../../docker/tar.sh build -
Build the
amsterDocker image:$ docker build --tag amster:7.1.4 . [+] Building 45.1s (13/13) FINISHED ⇒ [internal] load build definition from Dockerfile 0.0s ⇒ ⇒ transferring dockerfile: 1.67kB 0.0s ⇒ [internal] load .dockerignore 0.0s ⇒ ⇒ transferring context: 2B 0.0s ⇒ [internal] load metadata for gcr.io/forgerock-io/java-11:latest 1.1s ⇒ [1/8] FROM gcr.io/forgerock-io/java-11:latest@sha256:8828befbed5cb57cd1d0fa3aa01aceb849fe5a71aa124871207d6c417bf1d8a9 . . . ⇒ exporting to image 1.2s ⇒ ⇒ exporting layers 1.2s ⇒ ⇒ writing image sha256:bc474cb6c189e253278f831f178b8d51f63a958a6526c0189fdf122ddf8f9e52 0.0s ⇒ ⇒ naming to docker.io/library/amster:7.1.4
-
-
Build the base image for AM:
-
Unzip the AM
.zipfile. -
Change to the openam/samples/docker directory in the expanded
.zipfile output. -
Run the setup.sh script:
$ chmod u+x setup.sh $ ./setup.sh
-
Change to the images/am-empty directory.
-
Build the
am-emptyDocker image:$ docker build --tag am-empty:7.1.4 . [+] Building 81.9s (31/31) FINISHED ⇒ [internal] load build definition from Dockerfile 0.0s ⇒ ⇒ transferring dockerfile: 3.55kB 0.0s ⇒ [internal] load .dockerignore 0.0s ⇒ ⇒ transferring context: 2B 0.0s ⇒ [internal] load metadata for docker.io/library/tomcat:9-jdk11-adoptopenjdk-hotspot 1.6s ⇒ [internal] load build context 4.1s ⇒ ⇒ transferring context: 204.45MB 4.0s ⇒ [am-tomcat 1/13] FROM docker.io/library/tomcat:9-jdk11-adoptopenjdk-hotspot@sha256:1cac44feaa72ca0937995084a25512c43161c84bcb651ff4623977d96a31fa89 . . . ⇒ exporting to image 1.8s ⇒ ⇒ exporting layers 1.8s ⇒ ⇒ writing image sha256:a95979051437a80dddef5829531a6d42a79ac55b9cd23b91617811861b8e0a3d 0.0s ⇒ ⇒ naming to docker.io/library/am-empty:7.1.4 0.0s Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
-
Change to the ../am-base directory.
-
Build the
am-baseDocker image:$ docker build --build-arg docker_tag=7.1.4 --tag my-registry/am-base:7.1.4 . [+] Building 129.7s (28/28) FINISHED ⇒ [internal] load build definition from Dockerfile 0.0s ⇒ ⇒ transferring dockerfile: 2.49kB 0.0s ⇒ [internal] load .dockerignore 0.0s ⇒ ⇒ transferring context: 2B 0.0s ⇒ [internal] load metadata for docker.io/library/amster:7.1.4 0.0s . . . ⇒ [am-base 7/7] COPY --chown=forgerock:root scripts/import-pem-certs.sh /home/forgerock/ 0.0s ⇒ exporting to image 0.3s ⇒ ⇒ exporting layers 0.3s ⇒ ⇒ writing image sha256:0a32f2927ccffa54c044acbbe708bff58e97f4652c94223d52611e4135b7f525 0.0s ⇒ ⇒ naming to my-registry/am-base:7.1.4 0.0s Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
-
-
Now that the AM image is built, tag the base image for Amster in advance of pushing it to your private repository:
$ docker tag amster:7.1.4 my-registry/amster:7.1.4
-
Build the
am-config-upgraderbase image:-
Change to the
openamdirectory in the expanded AM.zipfile output. -
Unzip the
Config-Upgrader-7.1.4.zipfile. -
Change to the
amupgrade/samples/dockerdirectory in the expandedConfig-Upgrader-7.1.4.zipfile output. -
Run the setup.sh script:
$ ./setup.sh + mkdir -p build/amupgrade + find ../.. '!' -name .. '!' -name samples '!' -name docker -maxdepth 1 -exec cp -R '{}' build/amupgrade ';' + cp ../../docker/docker-entrypoint.sh . -
Create the base
am-config-upgraderimage:$ docker build . --tag my-registry/am-config-upgrader:7.1.4 [+] Building 7.1s (9/9) FINISHED ⇒ [internal] load build definition from Dockerfile 0.0s ⇒ ⇒ transferring dockerfile: 1.14kB 0.0s ⇒ [internal] load .dockerignore 0.0s ⇒ ⇒ transferring context: 2B 0.0s ⇒ [internal] load metadata for gcr.io/forgerock-io/java-11:latest 0.3s ⇒ [internal] load build context 0.4s ⇒ ⇒ transferring context: 15.29MB 0.4s ⇒ CACHED [1/4] FROM gcr.io/forgerock-io/java-11:latest@sha256:8828befbed5cb57cd1d0fa3aa01aceb849fe5a71aa124871207d6c417bf1d8a9 0.0s . . . ⇒ [4/4] COPY build/ /home/forgerock/ 0.1s ⇒ exporting to image 0.2s ⇒ ⇒ exporting layers 0.2s ⇒ ⇒ writing image sha256:98b35624f41081be4981abef8c6d22178ece19282543c7b6bf1b5616abbc2721 0.0s ⇒ ⇒ naming to my-registry/am-config-upgrader:7.1.4 0.0s Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
-
-
Build the base image for DS:
-
Unzip the DS
.zipfile. -
Change to the opendj directory in the expanded
.zipfile output. -
Run the samples/docker/setup.sh script to create a server:
$ ./samples/docker/setup.sh + rm -f template/config/tools.properties + cp -r samples/docker/Dockerfile samples/docker/README.md . . . + rm -rf — README README.md bat '*.zip' opendj_logo.png setup.bat upgrade.bat setup.sh + ./setup --serverId docker --hostname localhost . . . Validating parameters….. Done Configuring certificates……. Done . . .
-
Build the
dsbase image:$ docker build --tag my-registry/ds:7.1.7 . [+] Building 2.1s (8/8) FINISHED ⇒ [internal] load build definition from Dockerfile 0.0s ⇒ ⇒ transferring dockerfile: 1.19kB 0.0s ⇒ [internal] load .dockerignore 0.0s ⇒ ⇒ transferring context: 2B 0.0s ⇒ [internal] load metadata for gcr.io/forgerock-io/java-11:latest 0.3s ⇒ [internal] load build context 1.1s ⇒ ⇒ transferring context: 60.31MB 1.1s ⇒ CACHED [1/3] FROM gcr.io/forgerock-io/java-11:latest@sha256:8828befbed5cb57cd1d0fa3aa01aceb849fe5a71aa124871207d6c417bf1d8a9 0.0s ⇒ [2/3] COPY --chown=forgerock:root . /opt/opendj/ 0.2s ⇒ [3/3] WORKDIR /opt/opendj 0.0s ⇒ exporting to image 0.3s ⇒ ⇒ exporting layers 0.3s ⇒ ⇒ writing image sha256:d7e583ca5d632edcae2da90dbe3cafc336519f4b671ce1ab19e38c09b06377d9 0.0s ⇒ ⇒ naming to my-registry/ds:7.1.7 0.0s Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
-
-
Build the
ldif-importerbase image:-
Change to the /path/to/forgeops/docker/7.0/ldif-importer directory.
-
Open the file, Dockerfile.
-
Change the FROM statement—the first line in the file—to reference the
dsbase image you created in the previous step:FROM my-registry/ds:7.1.7
-
Save and close the updated file.
-
Create the base
ldif-importerimage:$ docker build . --tag my-registry/ldif-importer:7.1.7 [+] Building 7.9s (10/10) FINISHED ⇒ [internal] load build definition from Dockerfile 0.0s ⇒ ⇒ transferring dockerfile: 325B 0.0s ⇒ [internal] load .dockerignore 0.0s ⇒ ⇒ transferring context: 2B 0.0s ⇒ [internal] load metadata for my-registry/ds:7.1.7 0.0s ⇒ [internal] load build context 0.1s ⇒ ⇒ transferring context: 3.08kB 0.0s ⇒ [1/5] FROM my-registry/ds:7.1.7 0.0s ⇒ [2/5] COPY debian-buster-sources.list /etc/apt/sources.list 0.0s ⇒ [3/5] RUN apt-get update -y && apt-get install -y curl 7.5s ⇒ [4/5] COPY --chown=forgerock:root start.sh /opt/opendj 0.0s ⇒ [5/5] COPY --chown=forgerock:root ds-passwords.sh /opt/opendj 0.0s ⇒ exporting to image 0.2s ⇒ ⇒ exporting layers 0.2s ⇒ ⇒ writing image sha256:bdc5e75854c8015d0b5bd6d2a54c6c044cf0fd23ce6ea828b4ae1a9d04517515 0.0s ⇒ ⇒ naming to my-registry/ldif-importer:7.1.7 0.0s Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
-
-
Build the base image for IDM:
-
Unzip the IDM
.zipfile. -
Change to the openidm directory in the expanded
.zipfile output. -
Build the
idmbase image:$ docker build . --file bin/Custom.Dockerfile --tag my-registry/idm:7.1.5 [+] Building 12.2s (9/9) FINISHED ⇒ [internal] load build definition from Custom.Dockerfile 0.0s ⇒ ⇒ transferring dockerfile: 648B 0.0s ⇒ [internal] load .dockerignore 0.0s ⇒ ⇒ transferring context: 2B 0.0s ⇒ [internal] load metadata for gcr.io/forgerock-io/java-11:latest 0.3s ⇒ [internal] load build context 8.1s ⇒ ⇒ transferring context: 314.59MB 8.1s ⇒ CACHED [1/4] FROM gcr.io/forgerock-io/java-11:latest@sha256:8828befbed5cb57cd1d0fa3aa01aceb849fe5a71aa124871207d6c417bf1d8a9 0.0s ⇒ [2/4] RUN apt-get update && apt-get install -y ttf-dejavu 8.6s ⇒ [3/4] COPY --chown=forgerock:root . /opt/openidm 0.9s ⇒ [4/4] WORKDIR /opt/openidm 0.0s ⇒ exporting to image 2.3s ⇒ ⇒ exporting layers 2.3s ⇒ ⇒ writing image sha256:f91dcb5e04c25a0362196d358452a52f75cc5ab0af5764f60e48e13ac4fbfd98 0.0s ⇒ ⇒ naming to my-registry/idm:7.1.5 0.0s Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
-
-
(Optional) Build the base image for IG:
-
Unzip the IG
.zipfile. -
Change to the identity-gateway directory in the expanded
.zipfile output. -
Build the
igbase image:$ docker build . --file docker/Dockerfile --tag my-registry/ig:2023.11.0 [+] Building 3.3s (8/8) FINISHED ⇒ [internal] load build definition from Dockerfile 0.0s ⇒ ⇒ transferring dockerfile: 931B 0.0s ⇒ [internal] load .dockerignore 0.0s ⇒ ⇒ transferring context: 2B 0.0s ⇒ [internal] load metadata for gcr.io/forgerock-io/java-11:latest 0.4s ⇒ [internal] load build context 1.4s ⇒ ⇒ transferring context: 77.56MB 1.4s ⇒ CACHED [1/3] FROM gcr.io/forgerock-io/java-11:latest@sha256:8828befbed5cb57cd1d0fa3aa01aceb849fe5a71aa124871207d6c417bf1d8a9 0.0s ⇒ [2/3] COPY --chown=forgerock:root . /opt/ig 0.3s ⇒ [3/3] RUN mkdir -p "/var/ig" && chown -R forgerock:root "/var/ig" "/opt/ig" && chmod -R g+rwx "/var/ig" "/opt/ig" 0.7s ⇒ exporting to image 0.4s ⇒ ⇒ exporting layers 0.4s ⇒ ⇒ writing image sha256:02bf0ff34ee4b1a98ce3d6fbb21ac208b899d930634384018bfaab1f9a300ac7 0.0s ⇒ ⇒ naming to my-registry/ig:2023.11.0 0.0s Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
-
-
Run the docker images command to verify that you built the base images:
$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE my-registry/am-base 7.1.4 552073a1c000 1 hour ago 810MB my-registry/am-config-upgrader 7.1.4 d115125b1c3f 1 hour ago 176MB my-registry/amster 7.1.4 d9e1c735f415 1 hour ago 760MB my-registry/ds 7.1.7 ac8e8ab0fda6 1 hour ago 204MB my-registry/idm 7.1.5 0cc1b7f70ce6 1 hour ago 486MB my-registry/ig 2023.11.0 9728c30c1829 1 hour ago 299MB my-registry/ldif-importer 7.1.7 1ef5333c4230 1 hour ago 227MB . . .
-
Push the new base Docker images to your Docker registry.
See your registry provider documentation for detailed instructions. For most Docker registries, you run the docker login command to log in to the registry. Then, you run the docker push command to push a Docker image to the registry.
However, some Docker registries have different requirements. For example, to push Docker images to Google Container Registry, you use Google Cloud SDK commands instead of using the docker push command.
Push the following images:
-
my-registry/am-base:7.1.4 -
my-registry/amster:7.1.4 -
my-registry/am-config-upgrader:7.1.4 -
my-registry/ds:7.1.7 -
my-registry/idm:7.1.5 -
my-registry/ldif-importer:7.1.7
If you’re deploying your own IG base image, also push the
my-registry/ig:2023.11.0image. -
Developer Dockerfile Changes
After you’ve pushed your own base images to your Docker registry, update the Dockerfiles that your developers use when creating customized Docker images for the ForgeRock Identity Platform. The Dockerfiles can now reference your own base images instead of the evaluation-only images from ForgeRock.
To change developer Dockerfiles to use your base images:
-
Update the AM Dockerfile:
-
Change to the /path/to/forgeops/docker/7.0/am directory.
-
Open the file, Dockerfile, in that directory.
-
Change the line:
FROM gcr.io/forgerock-io/am-base:7.1.4
to:
FROM my-registry/am-base:7.1.4
-
-
Make a similar change to the file, /path/to/forgeops/docker/7.0/amster/Dockerfile.
-
Make a similar change to the file, /path/to/forgeops/docker/7.0/ds/cts/Dockerfile.
-
Make a similar change to the file, /path/to/forgeops/docker/7.0/ds/idrepo/Dockerfile.
-
Make a similar change to the file, /path/to/forgeops/docker/7.0/idm/Dockerfile.
-
(Optional) Make a similar change to the file, /path/to/forgeops/docker/7.0/ig/Dockerfile.
You can now build customized Docker images for the ForgeRock Identity Platform based on your own Docker images and use them in production deployments.
|
Before you run Skaffold again, clear the Skaffold cache. Then, when you run
Skaffold, set the $ rm -rf $HOME/.skaffold/cache $ skaffold run --no-prune=false --cache-artifacts=false Occasionally, you need to pull the images even after clearing Skaffold’s cache. |