Base Docker Images

ForgeRock provides eleven Docker images for deploying the ForgeRock Identity Platform:

  • Eight unsupported, evaluation-only base images:

    • amster

    • am-base

    • am-config-upgrader

    • ds

    • ldif-importer

    • idm

    • rcs-agent

    • ig

  • Three supported base images that implement the platform’s user interface elements:

    • platform-admin-ui

    • platform-enduser-ui

    • platform-login-ui

All of the Docker images are publicly available in ForgeRock’s Docker registry, gcr.io/forgerock-io.

Which Docker Images Do I Deploy?

  • I am a developer using the CDK.

    • UI elements. Deploy the supported images from ForgeRock.

    • Other platform elements. Either deploy the evaluation-only images from ForgeRock or your own base images.

  • I am doing a proof-of-concept CDM deployment.

    • UI elements. Deploy the supported images from ForgeRock.

    • Other platform elements. Either deploy the evaluation-only images from ForgeRock or your own base images.

  • I am deploying the platform in production.

    • UI elements. Deploy the supported images from ForgeRock.

    • Other platform elements. Deploy your own base images. The evaluation-only images are not supported for production deployments of the ForgeRock Identity Platform.

Your Own Base Docker Images

Perform the following steps to build base images for the seven unsupported, evaluation-only Docker images. After you’ve built your own base images, push them to your Docker registry:

  1. Download the latest versions of the AM, Amster, IDM, DS, and RCS Agent .zip files from the ForgeRock Download Center. Optionally, you can also download the latest version of the IG .zip file.

  2. Build the base image for Amster. This image must be available in order to build the base image for AM in the next step:

    1. Make a directory named amster.

    2. Unzip the Amster .zip file into the new amster directory.

    3. Change to the samples/docker directory in the expanded .zip file output.

    4. Run the setup.sh script:

      $ ./setup.sh
      
      + mkdir -p build
      + find ../.. '!' -name .. '!' -name samples '!' -name docker -maxdepth 1 -exec cp -R '{}' build/ ';'
      + cp ../../docker/amster-install.sh ../../docker/docker-entrypoint.sh ../../docker/export.sh ../../docker/tar.sh build
    5. Build the amster Docker image:

      $ docker build --tag amster:7.1.0 .
      
      Sending build context to Docker daemon  59.44MB
      Step 1/12 : FROM gcr.io/forgerock-io/java-11:latest
      latest: Pulling from forgerock-io/java-11
      . . .
      ⇒ exporting to image                                                                                                                                              1.2s
       ⇒ ⇒ exporting layers                                                                                                                                             1.2s
       ⇒ ⇒ writing image sha256:bc474cb6c189e253278f831f178b8d51f63a958a6526c0189fdf122ddf8f9e52                                                                        0.0s
       ⇒ ⇒ naming to docker.io/library/amster:7.1.0
  3. Build the base image for AM:

    1. Unzip the AM .zip file.

    2. Change to the openam/samples/docker directory in the expanded .zip file output.

    3. Run the setup.sh script:

      $ chmod u+x setup.sh
      $ ./setup.sh
    4. Change to the images/am-empty directory.

    5. Build the am-empty Docker image:

      $ docker build --tag am-empty:7.1.0 .
      
      Sending build context to Docker daemon  207.7MB
      Step 1/34 : FROM tomcat:9-jdk11-adoptopenjdk-hotspot AS base
      9-jdk11-adoptopenjdk-hotspot: Pulling from library/tomcat
      . . .
      Successfully tagged am-empty:7.1.0
    6. Change to the ../am-base directory.

    7. Build the am-base Docker image:

      $ docker build --build-arg docker_tag=7.1.0 --tag my-registry/am-base:7.1.0 .
      
      Sending build context to Docker daemon  27.12MB
      Step 1/27 : ARG docker_tag=latest
      . . .
      Successfully tagged my-registry/am-base:7.1.0
  4. Now that the AM image is built, tag the base image for Amster in advance of pushing it to your private repository:

    $ docker tag amster:7.1.0 my-registry/amster:7.1.0
  5. Build the am-config-upgrader base image:

    1. Change to the openam directory in the expanded AM .zip file output.

    2. Unzip the Config-Upgrader-7.1.0.zip file.

    3. Change to the amupgrade/samples/docker directory in the expanded Config-Upgrader-7.1.0.zip file output.

    4. Run the setup.sh script:

      $ ./setup.sh
    5. Create the base am-config-upgrader image:

      docker build . --tag my-registry/am-config-upgrader:7.1.0
  6. Build the base image for DS:

    1. Unzip the DS .zip file.

    2. Change to the opendj directory in the expanded .zip file output.

    3. Run the samples/docker/setup.sh script to create a server:

      $ ./samples/docker/setup.sh
      
      + rm -f template/config/tools.properties
      + cp -r samples/docker/Dockerfile samples/docker/README.md . . .
      + rm -rf — README README.md bat '*.zip' opendj_logo.png setup.bat upgrade.bat setup.sh
      + ./setup --serverId docker --hostname localhost
      . . .
      
      Validating parameters…​.. Done
      Configuring certificates…​…​. Done
      . . .
    4. Build the ds base image:

      $ docker build --tag my-registry/ds:7.1.0 .
      
      Sending build context to Docker daemon  60.53MB
      Step 1/14 : FROM gcr.io/forgerock-io/java-11:latest
       --→ 4804ddd23a47
      . . .
      Successfully tagged my-registry/ds:7.1.0
  7. Build the ldif-importer base image:

    1. Change to the /path/to/forgeops/docker/7.0/ldif-importer directory.

    2. Open the file, Dockerfile.

    3. Change the FROM statement—the first line in the file—to reference the ds base image you created in the previous step:

      FROM my-registry/ds:7.1.0
    4. Save and close the updated file.

    5. Create the base ldif-importer image:

      $ docker build . --tag my-registry/ldif-importer:7.1.0
  8. Build the base image for IDM:

    1. Unzip the IDM .zip file.

    2. Change to the openidm directory in the expanded .zip file output.

    3. Build the idm base image:

      $ docker build . --file bin/Custom.Dockerfile --tag my-registry/idm:7.1.0
      
      Sending build context to Docker daemon  220.2MB
      Step 1/7 : FROM gcr.io/forgerock-io/java-11:latest
       --→ 4d0811d78b02
      Step 2/7 : RUN apt-get update &&     apt-get install -y ttf-dejavu
       --→ Running in e0943ff14f4b
      Get:1 http://deb.debian.org/debian stable InRelease [121 kB]
      Get:2 http://deb.debian.org/debian stable-updates InRelease [51.9 kB]
      Get:3 http://deb.debian.org/debian stable/main amd64 Packages [7905 kB]
      Get:4 http://security.debian.org/debian-security stable/updates InRelease [65.4 kB]
      Get:5 http://security.debian.org/debian-security stable/updates/main amd64 Packages [213 kB]
      Get:6 http://deb.debian.org/debian stable-updates/main amd64 Packages [7868 B]
      Fetched 8364 kB in 2s (3401 kB/s)
      Reading package lists…​
      . . .
  9. Build the base image for the RCS Agent:

    1. Create a directory named rcs-agent

    2. Unzip the RCS Agent .zip file into the new rcs-agent directory.

    3. Change to the rcs-agent directory containing the expanded .zip file output.

    4. Build the rcs-agent base image:

      $ docker build . --tag my-registry/rcs-agent:7.1.0
      
      Sending build context to Docker daemon  6.362MB
      Step 1/5 : FROM gcr.io/forgerock-io/java-11:latest
       --→ 4804ddd23a47
      . . .
      Successfully tagged my-registry/rcs-agent:7.1.0
  10. (Optional) Build the base image for IG:

    1. Unzip the IG .zip file.

    2. Change to the identity-gateway directory in the expanded .zip file output.

    3. Build the ig base image:

      $ docker build . --file docker/Dockerfile --tag my-registry/ig:7.1.0
      
      Sending build context to Docker daemon   74.2MB
      Step 1/7 : FROM gcr.io/forgerock-io/java-11:latest
       --→ 4d0811d78b02
      Step 2/7 : ENV INSTALL_DIR /opt/ig
       --→ Running in f5e061706b02
      Removing intermediate container f5e061706b02
       --→ 708270442f94
      Step 3/7 : COPY --chown=forgerock:root . "${INSTALL_DIR}"
       --→ 9352147619b8
      Step 4/7 : ENV IG_INSTANCE_DIR /var/ig
       --→ Running in 343ef5140cee
      Removing intermediate container 343ef5140cee
       --→ a9bcb4b280c6
      . . .
  11. Run the docker images command to verify that you built the base images:

    $ docker images
    
    REPOSITORY                     TAG      IMAGE ID        CREATED        SIZE
    my-registry/am-base            7.1.0    552073a1c000    1 hour ago     795MB
    my-registry/am-config-upgrader 7.1.0    d115125b1c3f    1 hour ago     795MB
    my-registry/amster             7.1.0    d9e1c735f415    1 hour ago     577MB
    my-registry/ds                 7.1.0    ac8e8ab0fda6    1 hour ago     196MB
    my-registry/idm                7.1.0    0cc1b7f70ce6    1 hour ago     387MB
    my-registry/ig                 7.1.0    9728c30c1829    1 hour ago     249MB
    my-registry/ldif-importer      7.1.0    1ef5333c4230    1 hour ago     223MB
    my-registry/rcs-agent          7.1.0    422a1d76ff28    1 hour ago     148MB
    . . .
  12. Push the new base Docker images to your Docker registry.

    See your registry provider documentation for detailed instructions. For most Docker registries, you run the docker login command to log in to the registry. Then, you run the docker push command to push a Docker image to the registry.

    However, some Docker registries have different requirements. For example, to push Docker images to Google Container Registry, you use Google Cloud SDK commands instead of using the docker push command.

    Push the following images:

    • my-registry/am-base:7.1.0

    • my-registry/amster:7.1.0

    • my-registry/am-config-upgrader:7.1.0

    • my-registry/ds:7.1.0

    • my-registry/idm:7.1.0

    • my-registry/ldif-importer:7.1.0

    • my-registry/rcs-agent:7.1.0

    If you’re deploying your own IG base image, also push the my-registry/ig:7.1.0 image.

Developer Dockerfile Changes

After you’ve pushed your own base images to your Docker registry, update the Dockerfiles that your developers use when creating customized Docker images for the ForgeRock Identity Platform. The Dockerfiles can now reference your own base images instead of the evaluation-only images from ForgeRock.

To change developer Dockerfiles to use your base images:

  1. Update the AM Dockerfile:

    1. Change to the /path/to/forgeops/docker/7.0/am directory.

    2. Open the file, Dockerfile, in that directory.

    3. Change the line:

      FROM gcr.io/forgerock-io/am-base:7.1.0

      to:

      FROM my-registry/am-base:7.1.0
  2. Make a similar change to the file, /path/to/forgeops/docker/7.0/amster/Dockerfile.

  3. Make a similar change to the file, /path/to/forgeops/docker/7.0/ds/cts/Dockerfile.

  4. Make a similar change to the file, /path/to/forgeops/docker/7.0/ds/idrepo/Dockerfile.

  5. Make a similar change to the file, /path/to/forgeops/docker/7.0/idm/Dockerfile.

  6. (Optional) Make a similar change to the file, /path/to/forgeops/docker/7.0/ig/Dockerfile.

You can now build customized Docker images for the ForgeRock Identity Platform based on your own Docker images and use them in production deployments.

The next time you run Skaffold, you must set the --no-prune and --cache-artifacts options to false to ensure that Skaffold loads the new images that you just built instead of loading previous images from cache. For example:

$ skaffold run --no-prune=false --cache-artifacts=false