Base Docker Images

ForgeRock provides a set of unsupported, evaluation-only base images for the ForgeRock Identity Platform. These images are available in ForgeRock’s public Docker registry.

Developers working with the CDK use the base images from ForgeRock to build customized Docker images for a fully-configured ForgeRock Identity Platform deployment:

[Figure: Brief overview of containers for developers.]

Users working with the CDM also use the base images from ForgeRock to perform proof-of-concept deployments, and to benchmark the ForgeRock Identity Platform.

The base images from ForgeRock are evaluation-only. They are not supported for production use. Because of this, you must build your own base images before you deploy in production:

[Figure: Brief overview of containers in production.]

This topic tells you how to build your own base images, which you can deploy in production.

Your Own Base Docker Images

Perform the following procedure to build base Docker images that you can use in production deployments of the ForgeRock Identity Platform. After you’ve built the base images, push them to your Docker registry:

Build and Deploy Your Own Base Docker Images
  1. Download the latest versions of the AM, Amster, IDM, and DS .zip files from the ForgeRock Download Center. Optionally, you can also download the latest version of the IG .zip file.

  2. Build an Amster Docker image. This image must be available in order to build the AM image in the next step:

    1. Unzip the Amster .zip file:

      $ unzip Amster-7.0.0.zip -d amster
    2. Change to the amster/samples/docker directory in the expanded .zip file output.

    3. Run the setup.sh script:

      $ ./setup.sh
      
      + mkdir -p build
      + find ../.. '!' -name .. '!' -name samples '!' -name docker -maxdepth 1 -exec cp -R '{}' build/ ';'
      + cp ../../docker/amster-install.sh ../../docker/docker-entrypoint.sh ../../docker/export.sh ../../docker/tar.sh build
    4. Build the amster Docker image:

      $ docker build --tag amster:7.0 .
      
      Sending build context to Docker daemon   51.7MB
      Step 1/12 : FROM gcr.io/forgerock-io/java-11:latest
       ---> 4d0811d78b02
      Step 2/12 : ENV FORGEROCK_HOME /home/forgerock
       ---> Running in 472b8b0e1200
      Removing intermediate container 472b8b0e1200
      . . .
  3. Build the AM base image:

    1. Unzip the AM .zip file.

    2. Change to the openam/samples/docker directory in the expanded .zip file output.

    3. Update and run the setup.sh script:

      $ chmod u+x setup.sh
      $ sed -i'.tmp' -e 's/[Oo]pen[Aa][Mm]/AM/g' setup.sh
      $ ./setup.sh
    4. Change to the images/am-empty directory.

    5. Set privileges on scripts in the images/am-empty directory:

      $ chmod u+x docker-entrypoint.sh
      $ chmod u+x scripts/*
    6. Update the WAR file name in the Dockerfile:

      $ sed -i'.tmp' -e 's/openam.war/AM.war/g' Dockerfile
    7. Build the am-empty Docker image:

      $ docker build --tag am-empty:7.0 .
      
      Sending build context to Docker daemon  198.7MB
      Step 1/27 : FROM tomcat:9-jdk11-adoptopenjdk-hotspot AS base
      9-jdk11-adoptopenjdk-hotspot: Pulling from library/tomcat
      a1125296b23d: Pull complete
      3c742a4a0f38: Pull complete
      4c5ea3b32996: Pull complete
      1b4be91ead68: Pull complete
      0cbfb179272d: Pull complete
      9648e8b5b6e1: Pull complete
      d1aef586a7d1: Pull complete
      ddd6eed10da2: Pull complete
      3f5d89f2e2b4: Pull complete
      Digest: sha256:ee307e4f1a1f5596b3636eb9107aa7989c768716bf0157651b28a4e34ff0846f
      Status: Downloaded newer image for tomcat:9-jdk11-adoptopenjdk-hotspot
       ---> 4f1036cadd4b
      Step 2/27 : RUN apt-get update -y &&     apt-get install -y binutils wget unzip
       ---> Running in ef6f6c08ba9b
      . . .
    8. Change to the ../am-base directory.

    9. Set privileges on scripts in the images/am-base directory:

      $ chmod u+x docker-entrypoint.sh
      $ chmod u+x scripts/*
    10. Build the am-base Docker image:

      $ docker build --build-arg docker_tag=7.0 --tag my-registry/am-base:7.0 .
      
      Sending build context to Docker daemon  27.27MB
      Step 1/27 : ARG docker_tag=latest
      Step 2/27 : FROM amster:${docker_tag} as amster
       ---> 50d60dbf29f5
      Step 3/27 : FROM am-empty:${docker_tag} AS generator
       ---> 0b258dc0c896
      Step 4/27 : USER 0
       ---> Running in 0512b3042833
      Removing intermediate container 0512b3042833
       ---> 59dfa4e1043e
      . . .
  4. Now that the AM image is built, tag the Amster image in advance of pushing it to your private repository:

    $ docker tag amster:7.0 my-registry/amster:7.0
  5. Build the DS base image:

    1. Unzip the DS .zip file.

    2. Change to the opendj directory in the expanded .zip file output.

    3. Run the samples/docker/setup.sh script to create a server:

      $ ./samples/docker/setup.sh
      
      + rm -f template/config/tools.properties
      + cp -r samples/docker/Dockerfile samples/docker/README.md . . .
      + rm -rf -- README README.md bat '*.zip' opendj_logo.png setup.bat upgrade.bat setup.sh
      + ./setup --serverId docker --hostname localhost . . .
      
      Validating parameters..... Done
      Configuring certificates....... Done
      . . .
    4. Build the DS base Docker image:

      $ docker build --tag my-registry/ds:7.0 .
      
      Sending build context to Docker daemon  54.19MB
      Sending build context to Docker daemon  55.31MB
      Step 1/14 : FROM gcr.io/forgerock-io/java-11:latest
       ---> 4d0811d78b02
      Step 2/14 : COPY --chown=forgerock:root . /opt/opendj/
       ---> 75c3db504d4c
      Step 3/14 : USER 11111
       ---> Running in 2346c3e1d73f
      Removing intermediate container 2346c3e1d73f
       ---> d66c728f8d2e
      Step 4/14 : WORKDIR /opt/opendj
       ---> Running in 2aa62e2d415f
      Removing intermediate container 2aa62e2d415f
       ---> 9e2cdf65ae56
      . . .
  6. Build the ldif-importer base image:

    1. Change to the /path/to/forgeops/docker/7.0/ldif-importer directory.

    2. Open the file, Dockerfile.

    3. Change the FROM statement—the first line in the file—to:

      FROM my-registry/ds:7.0
    4. Save and close the updated file.

    5. Create the base ldif-importer image:

      $ docker build . --tag my-registry/ldif-importer:7.0
  7. Build the idm Docker image:

    1. Unzip the IDM .zip file.

    2. Change to the openidm directory in the expanded .zip file output.

    3. Build the IDM base Docker image:

      $ docker build . --file bin/Custom.Dockerfile --tag my-registry/idm:7.0
      
      Sending build context to Docker daemon  220.2MB
      Step 1/7 : FROM gcr.io/forgerock-io/java-11:latest
       ---> 4d0811d78b02
      Step 2/7 : RUN apt-get update &&     apt-get install -y ttf-dejavu
       ---> Running in e0943ff14f4b
      Get:1 http://deb.debian.org/debian stable InRelease [121 kB]
      Get:2 http://deb.debian.org/debian stable-updates InRelease [51.9 kB]
      Get:3 http://deb.debian.org/debian stable/main amd64 Packages [7905 kB]
      Get:4 http://security.debian.org/debian-security stable/updates InRelease [65.4 kB]
      Get:5 http://security.debian.org/debian-security stable/updates/main amd64 Packages [213 kB]
      Get:6 http://deb.debian.org/debian stable-updates/main amd64 Packages [7868 B]
      Fetched 8364 kB in 2s (3401 kB/s)
      Reading package lists...
      . . .
  8. (Optional) Build the IG base image:

    1. Unzip the IG .zip file.

    2. Change to the identity-gateway directory in the expanded .zip file output.

    3. Build the IG base Docker image:

      $ docker build ig --tag my-registry/ig:7.0
      
      Sending build context to Docker daemon  54.19MB
      Step 1/7 : FROM gcr.io/forgerock-io/java-11:latest
      latest: Pulling from forgerock-io/java-11
      d50302ca539a: Already exists
      79c4c086a545: Pull complete
      dc6dba627cfa: Pull complete
      Digest: sha256:5c5fdae70dbabb58c6fa0609b4d5a51b049f562e337d8bd9ed8653f7078b3d88
      Status: Downloaded newer image for gcr.io/forgerock-io/java-11:latest
       ---> 4d0811d78b02
      Step 2/7 : ENV INSTALL_DIR /opt/ig
       ---> Running in 5fff26381d8f
      Removing intermediate container 5fff26381d8f
       ---> e5bb2b75f4fb
      Step 3/7 : COPY --chown=forgerock:root . "${INSTALL_DIR}"
       ---> 1f35484fefb8
      Step 4/7 : ENV IG_INSTANCE_DIR /var/ig
       ---> Running in 3526eaf403d5
      Removing intermediate container 3526eaf403d5
       ---> 194c0495a29d
      Step 5/7 : RUN mkdir -p "${IG_INSTANCE_DIR}"  && chown -R forgerock:root "${IG_INSTANCE_DIR}" "${INSTALL_DIR}"     && chmod -R g+rwx "${IG_INSTANCE_DIR}" "${INSTALL_DIR}"
       ---> Running in a9c4bbcb7df0
      Removing intermediate container a9c4bbcb7df0
       ---> b6ca5a1022a7
      Step 6/7 : USER 11111
       ---> Running in fd53e422afad
      Removing intermediate container fd53e422afad
       ---> 954148a95b46
      Step 7/7 : ENTRYPOINT ${INSTALL_DIR}/bin/start.sh ${IG_INSTANCE_DIR}
       ---> Running in 59353752d80a
      Removing intermediate container 59353752d80a
       ---> 610d9934bfd0
      Successfully built 610d9934bfd0
      Successfully tagged my-registry/ig:7.0
  9. Run the docker images command to verify that you built the base images:

    $ docker images
    
    REPOSITORY                      TAG      IMAGE ID        CREATED        SIZE
    my-registry/am-base             7.0      d115125b1c3f    1 hour ago     795MB
    my-registry/amster              7.0      d9e1c735f415    1 hour ago     577MB
    my-registry/ds                  7.0      ac8e8ab0fda6    1 hour ago     196MB
    my-registry/idm                 7.0      0cc1b7f70ce6    1 hour ago     387MB
    my-registry/ig                  7.0      9728c30c1829    1 hour ago     249MB
    my-registry/ldif-importer       7.0      1ef5333c4230    1 hour ago     223MB
    . . .
  10. Push the new base Docker images to your Docker registry.

    See your registry provider documentation for detailed instructions. For most Docker registries, you run the docker login command to log in to the registry. Then, you run the docker push command to push a Docker image to the registry.

    However, some Docker registries have different requirements. For example, to push Docker images to Google Container Registry, you use Google Cloud SDK commands instead of using the docker push command.

    Push the following images:

    • my-registry/am-base:7.0

    • my-registry/amster:7.0

    • my-registry/ds:7.0

    • my-registry/ldif-importer:7.0

    • my-registry/idm:7.0

    If you’re deploying your own IG base image, also push the my-registry/ig:7.0 image.

Developer Dockerfile Changes

After you’ve pushed your own base images to your Docker registry, update the Dockerfiles that your developers use when creating customized Docker images for the ForgeRock Identity Platform. The Dockerfiles can now reference your own base images instead of the evaluation-only images from ForgeRock.

Change Developer Dockerfiles to Use Your Base Images
  1. Update the AM Dockerfile:

    1. Change to the /path/to/forgeops/docker/7.0/am directory.

    2. Open the file, Dockerfile, in that directory.

    3. Change the line:

      FROM gcr.io/forgerock-io/am-base...

      to:

      FROM my-registry/am-base:7.0
  2. Make a similar change to the file, /path/to/forgeops/docker/7.0/amster/Dockerfile.

  3. Make a similar change to the file, /path/to/forgeops/docker/7.0/ds/cts/Dockerfile.

  4. Make a similar change to the file, /path/to/forgeops/docker/7.0/ds/idrepo/Dockerfile.

  5. Make a similar change to the file, /path/to/forgeops/docker/7.0/idm/Dockerfile.

  6. (Optional) Make a similar change to the file, /path/to/forgeops/docker/7.0/ig/Dockerfile.
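The Dockerfile edits in this procedure can be applied and then checked in one pass. The script below is an added example, not ForgeRock or forgeops code: the function names are hypothetical, the Dockerfile contents are constructed samples, and it assumes each image keeps its name under your registry (for example, am-base becomes my-registry/am-base:7.0).

```shell
#!/bin/sh
# Added example, not forgeops code. Function names are hypothetical and the
# Dockerfile contents in make_sample_tree are constructed.

# Print "file:line:image" for each FROM that still uses an evaluation-only
# image. Handles multi-stage builds, lowercase "from" and --platform flags.
find_eval_bases() {   # usage: find_eval_bases DIR
  find "$1" -type f -name Dockerfile -exec awk '
    toupper($1) == "FROM" {
      img = ($2 ~ /^--/) ? $3 : $2
      if (index(img, "gcr.io/forgerock-io/") == 1)
        printf "%s:%d:%s\n", FILENAME, FNR, img
    }' {} + | sort
}

# Rewrite those FROM lines to REGISTRY/<image>:TAG, keeping any "AS stage".
# -i.tmp leaves Dockerfile.tmp backups, as the sed commands on this page do.
rewrite_bases() {     # usage: rewrite_bases DIR REGISTRY TAG
  find "$1" -type f -name Dockerfile -exec sed -E -i.tmp \
    "s#^([[:space:]]*[Ff][Rr][Oo][Mm][[:space:]]+(--[^[:space:]]+[[:space:]]+)?)gcr\.io/forgerock-io/([^:@/[:space:]]+)[^[:space:]]*#\1$2/\3:$3#" {} +
}

# Constructed stand-in for /path/to/forgeops/docker/7.0
make_sample_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/am" "$root/ds/cts" "$root/idm"
  printf 'FROM gcr.io/forgerock-io/am-base:7.0.0\nCOPY config /home/forgerock\n' > "$root/am/Dockerfile"
  printf 'from --platform=linux/amd64 gcr.io/forgerock-io/ds:7.0.0 AS base\nFROM base\n' > "$root/ds/cts/Dockerfile"
  printf 'FROM my-registry/idm:7.0\n' > "$root/idm/Dockerfile"
  echo "$root"
}

tree=$(make_sample_tree)
echo "before:"; find_eval_bases "$tree"
rewrite_bases "$tree" my-registry 7.0
left=$(find_eval_bases "$tree")
if [ -n "$left" ]; then echo "still evaluation-only:"; echo "$left"; exit 1; fi
echo "after: all FROM lines use my-registry"
```

Running find_eval_bases against /path/to/forgeops/docker/7.0 in a build pipeline catches a Dockerfile that reverts to an evaluation-only image before it is built for production.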

You can now build customized Docker images for the ForgeRock Identity Platform based on your own Docker images and use them in production deployments.

The next time you run Skaffold, you must set the --no-prune and --cache-artifacts options to false to ensure that Skaffold loads the new images that you just built instead of loading previous images from cache. For example:

$ skaffold run --no-prune=false --cache-artifacts=false