This article provides a sample exercise that demonstrates how to create a Linux Forum Sentry software instance as a Docker image. The steps listed below aim to simplify this process; however, there are many ways to accomplish the end goal of using Docker Images to simplify creation, testing and deployment of Forum Sentry instances. These processes can be simplified further with other tools such as Docker Compose.
The setup below assumes some general knowledge of Docker and CentOS v7 administration.
- Create the Docker file (Dockerfile)
Attached is a sample Dockerfile which creates a CentOS v7 image with supporting utilities and Forum Sentry version 8.11.34. Edit the file to fit your environment, for example to change the Forum Sentry version you need to install. Place your Dockerfile in the local directory.
- Build the Docker Image
# docker build -t <Tag> .
For this exercise the following command is creating the Sentry Docker Image with the Tag sentry_8.11.34 under the repository forumsys/services
# docker build -t forumsys/services:sentry_8.11.34 .
Once finished you should see that the new Docker Image has been created via the command:
# docker images
Or more specifically
# docker images <repository>:<Tag>
# docker images forumsys/services:sentry_8.11.34
REPOSITORY TAG IMAGE ID CREATED SIZE
forumsys/services sentry_8.11.34 fdd4d234086f 17 hours ago 1.69GB
- Launch the Docker Image
The following two commands launch the Docker Image and start Forum Sentry. The first command sets the CPU and memory allocation and maps the default Web Admin port (5050) inside the Docker Container to the desired, available port on the host. The second command starts Forum Sentry.
Note: in the example below the port on the host is 50501, which is mapped to the Web Admin port (5050) in the container running Forum Sentry. Image tags are case-sensitive, so the tag must match the one used in the build step exactly.
# docker run --cpus 2 -m 12GB --rm -itd -p 50501:5050 --name sentry_8.11.34 forumsys/services:sentry_8.11.34
# docker exec sentry_8.11.34 ./root/ForumSystems/xmlserver.nonroot restart
The above two commands can be placed in a single file and executed as a shell script.
Note: again, there are many ways to accomplish these steps and further simplify. This is but one of these methods.
After running the above commands, you should be able to view the newly created container using:
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
38137c33e867 forumsys/services:sentry_8.11.34 "/usr/sbin/init" 9 minutes ago Up 9 minutes 0.0.0.0:50501->5050/tcp sentry_8.11.34
b. Commit base images
It is recommended that a Docker Image is saved apart from any you intend to deploy. These base images can be used as part of a new Dockerfile to create more specialized Docker Images. For example, the above steps have led to the creation of a base Forum Sentry Linux Docker Image which can be used to further create newer Test/Dev and production images.
To create a base image, you will need to specify a name tag as follows:
# docker commit 38137c33e867 forumsys/services:Sentry_8.11.34_base
The following command places you inside the container in execute mode:
# docker exec -it <container_name> bash
# docker exec -it sentry_8.11.34 bash
The above command should place you right inside the container:
- Forum Systems Licensing
Launch the browser and go to your host’s IP at the mapped web admin port (e.g. https://docker-development.forumsys.com:50505):
Please contact Forum Systems for Forum Sentry Docker Image licensing.
- Create a Sentry Configuration
Once licensed, you should be prompted to create an initial Web Admin Account. Log in and proceed to create a new configuration by adding new policies, etc. You can also import a pre-existing configuration via GDM Import of FSX or FSG. Please note that at this point the newly created Policies will not be exposed until you commit changes.
As recommended above, docker commit is used again, this time to create a pre-configured Docker Image that is ready to deploy.
# docker commit acadd734d92e forumsys/services:sentry_8.11.34_prod
At this point you have at least two Docker Images: the base image, which can be used in a Dockerfile to create new Docker Images, and the pre-configured Forum Sentry image, which is ready to be deployed.
In order to deploy Forum Sentry Docker Images, all of the listener ports used in all policies that will be exposed need to be mapped during the deployment. For example, the command below shows the Web Admin port 5050 mapped to 50505 on the host and policy ports 8080 and 443 mapped respectively to 8088 and 443 on the host.
# docker run --cpus 2 -m 12GB --rm -itd -p 50505:5050 -p 8088:8080 -p 443:443 --name sentry_8.11.34_prod1 forumsys/services:sentry_8.11.34_prod
# docker exec sentry_8.11.34_prod1 ./root/ForumSystems/xmlserver.nonroot restart
# docker ps | grep prod1
137c12b26edc forumsys/services:sentry_8.11.34_prod "/usr/sbin/init" 2 minutes ago Up 2 minutes 0.0.0.0:443->443/tcp, 0.0.0.0:50505->5050/tcp, 0.0.0.0:8088->8080/tcp sentry_8.11.34_prod1
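The run and restart commands above combined into one script, as suggested earlier. This is an added example, not Forum Systems' own script. The docker ps output above shows the Web Admin port published on 0.0.0.0, so the script binds it to a single address and refuses policy mappings that would publish container port 5050 a second time. ADMIN_BIND, ADMIN_HOST_PORT and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: launch script for the pre-configured image (not vendor code).
IMAGE="${IMAGE:-forumsys/services:sentry_8.11.34_prod}"  # tag is case-sensitive
NAME="${NAME:-sentry_8.11.34_prod1}"
ADMIN_BIND="${ADMIN_BIND:-127.0.0.1}"   # assumption: Web Admin reached from the host only
ADMIN_HOST_PORT="${ADMIN_HOST_PORT:-50505}"

# Accept only HOST:CONTAINER with both ports in 1-65535; sets $h and $c.
valid_mapping() {
    case "$1" in
        *[!0-9:]*|*:*:*|:*|*:|0*|*:0*) return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    h=${1%%:*}; c=${1##*:}
    [ "$h" -ge 1 ] && [ "$h" -le 65535 ] && [ "$c" -ge 1 ] && [ "$c" -le 65535 ]
}

# Print the docker run command for the given policy-port mappings.
build_run_cmd() {
    case "$ADMIN_BIND" in ''|*[!0-9.]*) echo "bad ADMIN_BIND" >&2; return 1 ;; esac
    valid_mapping "$ADMIN_HOST_PORT:5050" || { echo "bad admin port" >&2; return 1; }
    cmd="docker run --cpus 2 -m 12GB --rm -itd -p $ADMIN_BIND:$ADMIN_HOST_PORT:5050"
    seen=" $ADMIN_HOST_PORT "
    for m in "$@"; do
        valid_mapping "$m" || { echo "bad mapping: $m" >&2; return 1; }
        # Container port 5050 is Web Admin; it is published once, above.
        if [ "$c" -eq 5050 ]; then echo "admin port in policy list: $m" >&2; return 1; fi
        case "$seen" in *" $h "*) echo "host port reused: $h" >&2; return 1 ;; esac
        seen="$seen$h "
        cmd="$cmd -p $m"
    done
    echo "$cmd --name $NAME $IMAGE"
}

launch() {
    # Fail early if the exact (case-sensitive) tag is not present locally.
    docker image inspect "$IMAGE" >/dev/null 2>&1 || { echo "image not found: $IMAGE" >&2; return 1; }
    cmd=$(build_run_cmd "$@") || return 1
    # Unquoted on purpose: ports were validated; IMAGE and NAME must not contain whitespace.
    $cmd || return 1
    docker exec "$NAME" ./root/ForumSystems/xmlserver.nonroot restart
}

# Runs only when asked, e.g.: ./launch_sentry.sh --launch 8088:8080 443:443
if [ "${1:-}" = "--launch" ]; then shift; launch "$@"; fi
```

With the default ADMIN_BIND the Web Admin UI is reachable only from the Docker host itself; set ADMIN_BIND to a management interface address if administrators connect from elsewhere.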
Send a request to one of your policies and then check logs:
Access log showing transaction via Forum Sentry: