├── README.md
└── docker
    ├── README.md
    ├── customer-build
    │   ├── .gitignore
    │   ├── Makefile
    │   ├── README.md
    │   └── datapower
    │       ├── config
    │       │   ├── auto-startup.cfg
    │       │   └── foo
    │       │       └── foo.cfg
    │       ├── local
    │       │   └── foo
    │       │       └── hello-too.js
    │       ├── start.sh
    │       └── start
    │           ├── debug.sh
    │           ├── loadbalancer-group.sh
    │           └── vbox-inotify-workaround.sh
    ├── customer-commit
    │   ├── Makefile
    │   ├── Makefile.secrets
    │   ├── README.md
    │   ├── datapower-external-evolve.cfg
    │   └── evolve.cfg
    ├── customer-optimized
    │   ├── .gitignore
    │   ├── Makefile
    │   ├── Makefile.secrets
    │   ├── README.md
    │   ├── bldsrc
    │   │   └── README
    │   └── datapower
    │       └── config
    │           └── evolve.cfg
    ├── deb2img
    │   ├── .gitignore
    │   ├── Dockerfile
    │   ├── Makefile
    │   ├── README.md
    │   └── linkdeb.sh
    ├── ibmcom-datapower-example
    │   ├── .dockerignore
    │   ├── .gitignore
    │   ├── Makefile
    │   ├── README.md
    │   └── src
    │       ├── drouter
    │       │   ├── config
    │       │   │   ├── auto-startup.cfg
    │       │   │   ├── auto-user.cfg
    │       │   │   ├── foo
    │       │   │   │   └── foo.cfg
    │       │   │   └── reset-password.cfg
    │       │   └── local
    │       │       └── foo
    │       │           └── hello-too.js
    │       ├── start.sh
    │       └── start
    │           ├── debug.sh
    │           ├── loadbalancer-group.sh
    │           ├── reset-password.sh
    │           ├── vbox-inotify-workaround.sh
    │           └── web-mgmt.sh
    └── rpm2img
        ├── .gitignore
        ├── Dockerfile
        ├── Makefile
        └── readme.md

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# datapower-labs

## Sections

### [DataPower on Docker](https://github.com/ibm-datapower/datapower-labs/tree/master/docker "DataPower on Docker")

--------------------------------------------------------------------------------
/docker/README.md:
--------------------------------------------------------------------------------
# DataPower and Docker ![DataPower on Docker Logo](https://sketch.io/render/sk-5717d8f02b1b9.png)

## Overview

Docker makes it easier to build, manage and run composite applications in a world where there is increasing interest in the benefits of micro-services architecture, Continuous Deployment, Continuous Integration and DevOps practices. With DataPower on Docker, we can enjoy the usual benefits of Docker containers, such as automating the build of our images from version-controlled artifacts, having immutable images for reproducible builds, and running multiple containers per host.

It is important to realize that these benefits are good in isolation, but much more powerful as part of the greater Docker ecosystem, which includes a growing variety of solution suites and tools to reduce friction when developing, testing, and publishing distributed applications. These features provide motivation to enable DataPower workflows that use the synergy of DataPower running not only as a container, but as a component of a distributed application.
___

## Introduction
The DataPower projects in GitHub demonstrate non-definitive, sample workflows with DataPower on Docker that range from quickly building a base image with DataPower firmware, to including externally managed configuration. Other projects demonstrate more advanced techniques to efficiently use the union file system to save disk space when building images.

There are two groups of examples in this collection. The old examples use DataPower for Linux inside Docker. These examples were originally developed for DataPower v7.5.0 and are still provided because they are useful when DataPower v7.5.2 is not an option. Keep in mind, however, that in nearly every conceivable way DataPower for Docker provides a superior experience to DataPower for Linux running inside Docker.

Beginning with v7.5.2, DataPower is available specifically for Docker and is published on Docker Hub. This newer offering provides much better Docker support and is the recommended starting point for nearly everyone working with the combination of DataPower and Docker.

## The current DataPower for Docker projects include:

### [ibmcom-datapower-example](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/ibmcom-datapower-example)

Starts from the `ibmcom/datapower` Docker Hub image and adds all configuration required along the way. This example does in a single simple step what was previously a multi-step, complicated process. It also demonstrates DataPower's new ability to use crypto-material in `local:` and to save secrets as standard configuration.

## The legacy DataPower for Linux on Docker projects include:

### [deb2img](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/deb2img)
Starting from the IBM DataPower Debian packages (available from PPA), build a license-accepted 'base' image.

[[sample Dockerfile]](https://github.com/ibm-datapower/datapower-labs/blob/master/docker/deb2img/Dockerfile)

### [rpm2img](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/rpm2img)
This is analogous to _**deb2img**_. Starting with the rpm packages (available from PPA), build a license-accepted 'base' image.

[[sample Dockerfile]](https://github.com/ibm-datapower/datapower-labs/blob/master/docker/rpm2img/Dockerfile)

### [customer-commit](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/customer-commit)
Starting from a DataPower base image, demonstrate how to add intrinsic DataPower artifacts (for example: crypto-material, users, passwords).

### [customer-build](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/customer-build)
Starting from the DataPower base image, demonstrate core development and build workflows such as live editing of GatewayScript or XSLT on the host, managing DataPower configuration in version control, and consuming environment variables.

### [customer-optimized](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/customer-optimized)
A more advanced sample, customer-optimized is akin to deb2img and customer-commit but is more efficient in how it decides to commit changes to the image, resulting in a smaller image size.

### Prerequisites

If you previously installed a version of the Docker Engine, make sure that you are now using version 1.8 or 1.9. To see your docker-engine version, run `docker version`. For more information about DataPower on Docker, refer to [the official documentation](http://www.ibm.com/support/knowledgecenter/SS9H2Y_7.5.0/com.ibm.dp.doc/welcome.html?lang=en).

___

## License
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

--------------------------------------------------------------------------------
/docker/customer-build/.gitignore:
--------------------------------------------------------------------------------
# Files that don't need to be saved because they're generated at runtime
datapower/config/autoconfig.cfg
datapower/config/debug.cfg
datapower/config/foo/debug.cfg
datapower/config/foo/loadbalancer-group.cfg
datapower/config/vbox-inotify-workaround.cfg
Dockerfile
--------------------------------------------------------------------------------
/docker/customer-build/Makefile:
--------------------------------------------------------------------------------
# Instructions:
#
# Prereq:
#   1) Build the "-base" image using deb2img
#   2) Build the "customer-commit" image using customer-commit
#
# This project:
#   A) Like a builder: make
#      This will build, run, test, and tag the resulting image. If this completes,
#      then the resulting image works.
#
#   B) As a developer:
#      a) make rundev
#      b) Do development!
#      c) make test; if it fails, go to b
#      d) make stop fixate clean build run test
#      e) Perform other manual tests. If tests fail, make rm rundev and go to b
#      f) If happy, check in any and all resulting files
#
# A note on naming conventions:
#   * The registry defaults to USER. Override at will. Add the registry prefix.
#   * The repository defaults to customer-build.
#   * The default name for a running container is "customer-build". Override at will,
#     but remember that the name of a container must be unique on this docker engine.
#   * The repository of the committed image is the same as the name of the built image.
#   * The tagged image is the same repository, except the tag is "latest" instead
#     of the value of TAG, which defaults to 0.1.
#
# A note on working with multiple containers:
#   * The default container name is "customer-build"
#   * The "CONTAINER_NAME" variable can be specified on make or as an environment
#     variable.
#   * One option is to have a window for each of several DataPower containers
#     and set CONTAINER_NAME=foo, where foo is unique in each window.
#
# How it works:
#
# We start from a license-accepted, secrets-added DataPower Docker image.
# The image already uses /datapower/local for local: and /datapower/config
# for config:.
#
# When we docker build the DataPower image, we add DataPower configuration
# to /datapower/local and /datapower/config. We also use our own CMD so
# we can run our own code prior to DataPower starting. The code looks at
# the Docker environment and produces DataPower .cfg files in /datapower/config
# that are then loaded by a DataPower include-config.
#
# We place all of our content inside the /datapower directory. This aids the
# docker build process and allows us to use /datapower as a docker volume
# when running in development mode. By mounting the /datapower directory as a
# volume, DataPower's "write mem" and WebGUI "Save" cause DataPower to write
# configuration to datapower/config/autoconfig.cfg and datapower/config/ /.cfg.
# Additionally, direct editing of xsl and gatewayscript files is possible
# using one's favorite editor.
#
# When we run the resulting image, we either run it in development mode (rundev)
# or in unit test mode (run). The run target runs the built image without mounting
# volumes, so only the files built into the docker image are used. The rundev
# target runs the docker image using the datapower directory as a volume for
# /datapower.
#
# Examples of DataPower configuration that is inherited from the Docker environment
# are the DEBUG environment variable, which controls some DataPower log targets, and
# the creation of a load balancer group that allows distribution among all linked
# back-end servers on port 8080.
#
# This image can then be run and tested. Once the image's validity is verified,
# it can be tagged as customer-build:latest for use in the customer-build project.
#
# The point of this step is to enable DataPower development workflows and
# a release engineering process. This is what allows DataPower docker images
# to be run everywhere, to adapt themselves to the running environment, and to
# integrate with deployment methodology.
#
# The resulting DataPower docker image is one that would be "docker push"ed to
# a private registry and deployed.
#
# The targets:
#
# rundev: Use this target for DataPower development. DataPower runs, and the
#   datapower/ directory is a volume. Clicking 'save' in DataPower causes files
#   to be saved in datapower/config and datapower/local where they can be used
#   with version control.
#
# build: Performs the docker build. After rundev and testing are working
#   satisfactorily, use the build target to put datapower/ into a Docker image.
#
# shell: Run a bash shell inside the container
#
# gui: Load the DataPower WebGUI in firefox
#
# run: Run the built docker image
#
# test: Test the DataPower services deployed in the running container. The
#   DataPower container must be running with either rundev or run first.
#
# stop: Stop the running container
#
# rm: Delete the container
#
# clean: Remove files generated by the Makefile and the non-persisted results
#   of rundev
#
# fixate: Like a photocopier, fixate takes the docker/DataPower created files
#   from dev mode and fixes the permissions so the ownership is consistent with
#   the rest of the project. Use this step after rundev and before build or
#   version control operations.
#
# logs: Show the docker logs for the container
#
# tag: Add the :latest tag to the resulting docker image
#
# NUM_BACKENDS specifies how many back-end servers should be used. It
# defaults to 3. It must be specified on the run, rundev, test, and rm
# make targets.
#
# DEBUG can be used to enable a debug log target inside DataPower. It may
# be specified on the rundev or run targets.

REGISTRY ?= $(USER)
BASEREPOSITORY ?= customer-commit
RESULTREPOSITORY ?= customer-build
REPOSITORY = $(RESULTREPOSITORY)
TAG ?= 0.1
CONTAINER_NAME ?= customer-build
NUM_BACKENDS ?= 3

MAXWAIT = 600
DEBUG ?=

RUNFLAGS = --privileged -P -e DEBUG="$(DEBUG)"

BACKEND_CONTAINER_NAMES = $(foreach backend, $(shell seq $(NUM_BACKENDS)), $(CONTAINER_NAME)-backend-$(backend))

.PHONY: all build shell evolve run rundev rm cli gui clean logs tag stop fixate test

all: clean build run test tag

# Make sure a listener is on a port before trying to connect with it.
# Inside the container, check netstat once a second until the TCP
# port is in LISTEN.
define wait-for-listener
@docker exec -it $(CONTAINER_NAME) /bin/bash -c \
'MSG="Waiting for port $(LISTENPORT) listener"; \
NL=""; \
for (( i=0, RC=1; i<$(MAXWAIT); i++ )); do \
  netstat -ln | grep -q "^tcp.*:$(LISTENPORT).*LISTEN" \
    && { RC=0; break; }; \
  echo -n $$MSG; \
  MSG=.; \
  NL="\n"; \
  sleep 1; \
done; \
echo -ne "$$NL"; \
exit $$RC'
endef

# The DOCKER_HOST variable may be unset or may contain tcp://1.2.3.4:1234.
# We just want to know the address of the Docker Engine we're talking to,
# so it's either the IP address portion of DOCKER_HOST or it's 127.0.0.1.
ifeq '$(DOCKER_HOST)' ''
DP_DOCKER_HOST=127.0.0.1
DP_VBOX_INOTIFY=
else
# Remove the leading tcp://, then replace the : with a " " so we have
# 2 words. Lastly take just the first word, which is just the IP address
# portion of the DOCKER_HOST.
DP_DOCKER_HOST=$(firstword $(subst :, ,$(patsubst tcp://%,%,$(DOCKER_HOST))))
DP_VBOX_INOTIFY=-e DP_VBOX_INOTIFY=true
endif

rundev: RUNFLAGS+=-v $(PWD)/datapower:/datapower -p 443 $(DP_VBOX_INOTIFY)
rundev: LISTENPORT=2200
rundev: REPOSITORY=$(BASEREPOSITORY)
rundev: TAG=latest
rundev: datapower/config datapower/local run
rundev: CONTAINER_CMD=/datapower/start.sh

# The Dockerfile has to be generated so we can put the correct
# REGISTRY and BASEREPOSITORY into it.
Dockerfile: Makefile
	echo '# Dockerfile generated by Makefile $(shell date)' > $@
	echo 'FROM $(REGISTRY)/$(BASEREPOSITORY):latest' >> $@
	echo 'COPY /datapower /datapower/' >> $@
	echo 'EXPOSE 9090 443' >> $@
	echo 'CMD ["/datapower/start.sh"]' >> $@

build: Dockerfile
	docker build -t $(REGISTRY)/$(RESULTREPOSITORY):$(TAG) .

shell:
	docker exec -it $(CONTAINER_NAME) /bin/bash

# Start the CLI via telnet. But first wait up to $(MAXWAIT) sec for telnet to come up.
cli: LISTENPORT=2200
cli:
	$(wait-for-listener)
	docker exec -it $(CONTAINER_NAME) telnet 127.0.0.1 2200 ; true

gui: LISTENPORT=9090
gui:
	$(wait-for-listener)
	firefox https://$(DP_DOCKER_HOST):$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME)) > /dev/null 2>&1 &

run:
	$(foreach name, $(BACKEND_CONTAINER_NAMES), docker run -d --name $(name) --hostname $(name) hstenzel/nodejs-hostname; ) true
	docker run -d --name $(CONTAINER_NAME) $(RUNFLAGS) $(EXTRA_RUNFLAGS) $(foreach name, $(BACKEND_CONTAINER_NAMES), --link $(name)) $(REGISTRY)/$(REPOSITORY):$(TAG) $(CONTAINER_CMD)

test: LISTENPORT=443
test:
	$(wait-for-listener)
	curl --insecure $(foreach name, $(BACKEND_CONTAINER_NAMES), https://$(DP_DOCKER_HOST):$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME))) | sort

stop:
	docker stop -t $(MAXWAIT) $(CONTAINER_NAME) || true

rm: stop
	docker rm $(CONTAINER_NAME) || true
	docker rm -f $(BACKEND_CONTAINER_NAMES) || true

clean:
	rm -f Dockerfile datapower/config/foo/loadbalancer-group.cfg datapower/config/debug.cfg datapower/config/foo/debug.cfg

# Fix permissions and ownership.
# If new docker-created root files are present, save them.
fixate:
	find datapower/ -user root -print0 | xargs -0 --no-run-if-empty sudo chown --reference=.

logs:
	docker logs $(CONTAINER_NAME) 2>&1

tag:
	docker tag -f $(REGISTRY)/$(REPOSITORY):$(TAG) $(REGISTRY)/$(REPOSITORY):latest

datapower/%:
	mkdir -p $@

--------------------------------------------------------------------------------
/docker/customer-build/README.md:
--------------------------------------------------------------------------------
# Purpose
Show the core development and build functions of a DataPower docker project.

This project demonstrates how one might:

* Use the DataPower WebGUI as an IDE for DataPower configuration
* Easily edit GatewayScript or xsl files such that they are immediately available inside DataPower with no further action required
* Use version control with DataPower configuration via the docker run --volume flag
* Customize containers at run time so they can consume Docker-provided environment variables and honor the docker run --link flag
* Build and test new images

NOTICE: This is a legacy example that does not take advantage of DataPower Gateway for Docker. Consider using the [ibmcom-datapower-example](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/ibmcom-datapower-example) instead.

## Usage
Files:

./Makefile -- the orchestrator. See comments for details of operation.

./datapower/config/autoconfig.cfg
./datapower/config/.drouter.cfg -- The saved DataPower default domain configuration files. These are saved by DataPower and carried as-is into version control.

./datapower/config/foo/foo.cfg -- The saved DataPower domain foo configuration.

./datapower/local/foo/hello-too.js -- GatewayScript in support of the domain foo Multi-Protocol Gateway

./datapower/start.sh -- Startup script, runs the datapower/start/... scripts and then starts DataPower itself. This is the Dockerfile CMD.
35 | 36 | ./datapower/start/debug.sh -- Generates a log target at run time if 37 | the Docker environment variable DEBUG is set, such as 'make DEBUG=true 38 | run' or 'make DEBUG=true rundev' 39 | 40 | ./datapower/start/loadbalancer-group.sh -- Generates the loadbalancer- 41 | group used by domain foo for back end servers. The back end servers 42 | are all linked Docker containers and run on port 8080. 43 | -------------------------------------------------------------------------------- /docker/customer-build/datapower/config/auto-startup.cfg: -------------------------------------------------------------------------------- 1 | top; configure terminal; 2 | 3 | # configuration generated Wed Mar 23 14:18:01 2016; firmware version 274960 4 | 5 | dns 6 | admin-state enabled 7 | search-domain "raleigh.ibm.com" 8 | name-server "9.0.128.50" "53" "53" 0 "3" 9 | name-server "9.0.130.50" "53" "53" 0 "3" 10 | static-host "customer-build-backend-1" "172.17.0.2" 11 | static-host "customer-build-backend-2" "172.17.0.3" 12 | static-host "customer-build-backend-3" "172.17.0.4" 13 | static-host "d28eeff4c515" "172.17.0.5" 14 | static-host "ip6-allnodes" "ff02::1" 15 | static-host "ip6-allrouters" "ff02::2" 16 | static-host "ip6-localhost" "::1" 17 | static-host "ip6-localnet" "fe00::" 18 | static-host "ip6-loopback" "::1" 19 | static-host "ip6-mcastprefix" "ff00::" 20 | static-host "localhost" "::1" 21 | no force-ip-preference 22 | load-balance first-alive 23 | retries 2 24 | timeout 5 25 | exit 26 | 27 | %if% available "password-alias" 28 | 29 | password-alias "bar" 30 | exit 31 | 32 | password-alias "crypto" 33 | exit 34 | 35 | password-alias "foo" 36 | exit 37 | 38 | %endif% 39 | 40 | %if% available "include-config" 41 | 42 | include-config "datapower-external-config" 43 | config-url "internalconfig:///datapower-external.cfg" 44 | auto-execute 45 | no interface-detection 46 | exit 47 | 48 | exec "internalconfig:///datapower-external.cfg" 49 | 50 | include-config "debug" 51 | 
config-url "config:///debug.cfg" 52 | auto-execute 53 | no interface-detection 54 | exit 55 | 56 | exec "config:///debug.cfg" 57 | 58 | include-config "DPPatterns" 59 | config-url "internalconfig://dppatterns.cfg" 60 | auto-execute 61 | no interface-detection 62 | exit 63 | 64 | exec "internalconfig://dppatterns.cfg" 65 | 66 | include-config "host-dns" 67 | config-url "temporary:///host-dns.cfg" 68 | auto-execute 69 | no interface-detection 70 | exit 71 | 72 | exec "temporary:///host-dns.cfg" 73 | 74 | include-config "vbox-inotify-workaround" 75 | config-url "config://vbox-inotify-workaround.cfg" 76 | auto-execute 77 | no interface-detection 78 | exit 79 | 80 | %endif% 81 | 82 | exec "config://vbox-inotify-workaround.cfg" 83 | 84 | %if% available "radius" 85 | 86 | radius 87 | admin-state enabled 88 | timeout 1000 89 | retries 3 90 | exit 91 | 92 | %endif% 93 | 94 | %if% available "timezone" 95 | 96 | timezone "EST5EDT" 97 | 98 | %endif% 99 | 100 | %if% available "throttle" 101 | 102 | throttle 103 | admin-state enabled 104 | memory-throttle 20 105 | memory-terminate 5 106 | temp-fs-throttle 0 107 | temp-fs-terminate 0 108 | qcode-warn 10 109 | timeout 30 110 | no status-log 111 | status-loglevel debug 112 | sensors-log 113 | backlog-size 0 114 | backlog-timeout 30 115 | exit 116 | 117 | %endif% 118 | 119 | %if% available "snmp" 120 | 121 | snmp 122 | admin-state disabled 123 | version 2c 124 | ip-address 0.0.0.0 125 | port 161 126 | security-level authPriv 127 | access-level read-only 128 | trap-default-subscriptions 129 | trap-priority warn 130 | trap-code 0x00030002 131 | trap-code 0x00230003 132 | trap-code 0x00330002 133 | trap-code 0x00b30014 134 | trap-code 0x00e30001 135 | trap-code 0x00e40008 136 | trap-code 0x00f30008 137 | trap-code 0x01530001 138 | trap-code 0x01a2000e 139 | trap-code 0x01a40001 140 | trap-code 0x01a40005 141 | trap-code 0x01a40008 142 | trap-code 0x01b10006 143 | trap-code 0x01b10009 144 | trap-code 0x01b20002 145 | trap-code 
0x01b20004 146 | trap-code 0x01b20008 147 | trap-code 0x02220001 148 | trap-code 0x02220003 149 | trap-code 0x02240002 150 | exit 151 | 152 | %endif% 153 | 154 | crypto 155 | certificate "iop-mgmt-cert" "cert:///dtxcert.der" 156 | exit 157 | 158 | crypto 159 | key "iop-mgmt-key" "cert:///dtxkey.pem" 160 | exit 161 | 162 | crypto 163 | idcred "iop-mgmt-idcred" "iop-mgmt-key" "iop-mgmt-cert" 164 | exit 165 | 166 | crypto 167 | profile "iop-mgmt-profile" "iop-mgmt-idcred" option-string OpenSSL-default+Disable-SSLv2 ciphers "HIGH:MEDIUM:!aNULL:!eNULL:!RC4:@STRENGTH" clientcalist off 168 | exit 169 | 170 | sslproxy "iop-mgmt-ssl" "reverse" "iop-mgmt-profile" sess-timeout "300" cache-size "20" 171 | 172 | sslproxy "system-wsgw-management-loopback" "forward" "system-default" client-cache "on" client-sess-timeout "300" client-cache-size "100" 173 | 174 | crypto 175 | 176 | %if% available "cert-monitor" 177 | 178 | cert-monitor 179 | admin-state enabled 180 | poll 1 181 | reminder 30 182 | log-level warn 183 | no disable-expired-certs 184 | exit 185 | 186 | %endif% 187 | 188 | exit 189 | 190 | crypto 191 | no crl 192 | 193 | exit 194 | 195 | %if% available "raid-volume" 196 | 197 | raid-volume "raid0" 198 | admin-state disabled 199 | no read-only 200 | exit 201 | 202 | %endif% 203 | 204 | %if% available "language" 205 | 206 | language "de" 207 | admin-state disabled 208 | exit 209 | 210 | language "en" 211 | admin-state enabled 212 | exit 213 | 214 | language "es" 215 | admin-state disabled 216 | exit 217 | 218 | language "fr" 219 | admin-state disabled 220 | exit 221 | 222 | language "it" 223 | admin-state disabled 224 | exit 225 | 226 | language "ja" 227 | admin-state disabled 228 | exit 229 | 230 | language "ko" 231 | admin-state disabled 232 | exit 233 | 234 | language "pt_BR" 235 | admin-state disabled 236 | exit 237 | 238 | language "ru" 239 | admin-state disabled 240 | exit 241 | 242 | language "zh_CN" 243 | admin-state disabled 244 | exit 245 | 246 | language 
"zh_TW" 247 | admin-state disabled 248 | exit 249 | 250 | %endif% 251 | 252 | %if% available "system" 253 | 254 | system 255 | admin-state enabled 256 | entitlement "0000001" 257 | name "d28eeff4c515" 258 | audit-reserve 40 259 | no system-log-fixed-format 260 | exit 261 | 262 | %endif% 263 | logging event default-log "system" "notice" 264 | logging event default-log "all" "error" 265 | logging event default-log "mgmt" "notice" 266 | 267 | %if% available "rbm" 268 | 269 | rbm 270 | admin-state enabled 271 | au-method local 272 | no au-ldap-search 273 | ldap-prefix "cn=" 274 | no au-force-dn-ldap-order 275 | au-cache-mode absolute 276 | au-cache-ttl 600 277 | au-ldap-readtimeout 60 278 | mc-method local 279 | no mc-ldap-search 280 | mc-ldap-readtimeout 60 281 | fallback-login disabled 282 | no apply-cli 283 | no restrict-admin 284 | pwd-minimum-length 6 285 | no pwd-mixed-case 286 | no pwd-digit 287 | no pwd-nonalphanumeric 288 | no pwd-username 289 | no pwd-aging 290 | pwd-max-age 30 291 | no pwd-history 292 | pwd-max-history 5 293 | cli-timeout 0 294 | max-login-failure 0 295 | lockout-duration 1 296 | no mc-force-dn-ldap-order 297 | password-hash-algorithm md5crypt 298 | ssl-client-type proxy 299 | mc-ssl-client-type proxy 300 | exit 301 | 302 | %endif% 303 | 304 | acl "rest-mgmt" 305 | exit 306 | 307 | acl "ssh" 308 | exit 309 | 310 | acl "web-b2b-viewer" 311 | exit 312 | 313 | acl "web-mgmt" 314 | exit 315 | 316 | acl "xml-mgmt" 317 | exit 318 | 319 | no ssh 320 | 321 | user-agent "default" 322 | summary "Default User Agent" 323 | max-redirects 8 324 | timeout 300 325 | exit 326 | 327 | %if% available "urlmap" 328 | 329 | urlmap "default-attempt-stream-all" 330 | match "*" 331 | exit 332 | 333 | %endif% 334 | 335 | %if% available "compile-options" 336 | 337 | compile-options "default-attempt-stream" 338 | xslt-version XSLT10 339 | no strict 340 | try-stream default-attempt-stream-all 341 | stack-size 524288 342 | wsi-validate ignore 343 | wsdl-validate-body 
strict 344 | wsdl-validate-headers lax 345 | wsdl-validate-faults strict 346 | no wsdl-wrapped-faults 347 | no wsdl-strict-soap-version 348 | no xacml-debug 349 | exit 350 | 351 | %endif% 352 | 353 | action "__default-accept-service-providers-filter-action__" 354 | reset 355 | type filter 356 | input "NULL" 357 | transform "store:///filter-accept-service-providers.xsl" 358 | transform-language none 359 | named-inouts default 360 | ssl-client-type proxy 361 | no transactional 362 | soap-validation body 363 | sql-source-type static 364 | strip-signature 365 | no asynchronous 366 | results-mode first-available 367 | retry-count 0 368 | retry-interval 1000 369 | no multiple-outputs 370 | iterator-type XPATH 371 | timeout 0 372 | http-method GET 373 | http-method-limited POST 374 | http-method-limited2 POST 375 | exit 376 | 377 | action "__default-accept-service-providers-results-action__" 378 | reset 379 | type results 380 | input "INPUT" 381 | transform-language none 382 | named-inouts default 383 | ssl-client-type proxy 384 | no transactional 385 | soap-validation body 386 | sql-source-type static 387 | strip-signature 388 | no asynchronous 389 | results-mode first-available 390 | retry-count 0 391 | retry-interval 1000 392 | no multiple-outputs 393 | iterator-type XPATH 394 | timeout 0 395 | http-method GET 396 | http-method-limited POST 397 | http-method-limited2 POST 398 | exit 399 | 400 | action "__dp-policy-call-action__" 401 | reset 402 | summary "Call the next policy." 
403 | type call 404 | input "INPUT" 405 | transform-language none 406 | output "INPUT" 407 | named-inouts default 408 | ssl-client-type proxy 409 | rule "var://context/policy/fw/call-rule" 410 | no transactional 411 | soap-validation body 412 | sql-source-type static 413 | strip-signature 414 | no asynchronous 415 | results-mode first-available 416 | retry-count 0 417 | retry-interval 1000 418 | no multiple-outputs 419 | iterator-type XPATH 420 | timeout 0 421 | http-method GET 422 | http-method-limited POST 423 | http-method-limited2 POST 424 | exit 425 | 426 | action "__dp-policy-init-xform-action__" 427 | reset 428 | summary "Set up context vars and annotate map XML." 429 | type xform 430 | input "NULL" 431 | transform "store://dp/policy-enforce-init.xsl" 432 | transform-language none 433 | output "NULL" 434 | named-inouts default 435 | ssl-client-type proxy 436 | no transactional 437 | soap-validation body 438 | sql-source-type static 439 | strip-signature 440 | no asynchronous 441 | results-mode first-available 442 | retry-count 0 443 | retry-interval 1000 444 | no multiple-outputs 445 | iterator-type XPATH 446 | timeout 0 447 | http-method GET 448 | http-method-limited POST 449 | http-method-limited2 POST 450 | exit 451 | 452 | action "__dp-policy-results-action__" 453 | reset 454 | summary "Results action for our policy enforcement rules." 455 | type results 456 | input "INPUT" 457 | transform-language none 458 | named-inouts default 459 | ssl-client-type proxy 460 | no transactional 461 | soap-validation body 462 | sql-source-type static 463 | strip-signature 464 | no asynchronous 465 | results-mode first-available 466 | retry-count 0 467 | retry-interval 1000 468 | no multiple-outputs 469 | iterator-type XPATH 470 | timeout 0 471 | http-method GET 472 | http-method-limited POST 473 | http-method-limited2 POST 474 | exit 475 | 476 | action "__dp-policy-traverse-xform-action__" 477 | reset 478 | summary "Identify next policy by traversing the annotated map." 
479 | type xform 480 | input "NULL" 481 | transform "store://dp/policy-enforce-traverse.xsl" 482 | transform-language none 483 | output "NULL" 484 | named-inouts default 485 | ssl-client-type proxy 486 | no transactional 487 | soap-validation body 488 | sql-source-type static 489 | strip-signature 490 | no asynchronous 491 | results-mode first-available 492 | retry-count 0 493 | retry-interval 1000 494 | no multiple-outputs 495 | iterator-type XPATH 496 | timeout 0 497 | http-method GET 498 | http-method-limited POST 499 | http-method-limited2 POST 500 | exit 501 | 502 | rule "__default-accept-service-providers-request__" 503 | reset 504 | summary "Accept messages intended for known services, reject everything else." 505 | type request-rule 506 | input-filter none 507 | output-filter none 508 | no non-xml-processing 509 | no unprocessed 510 | action "__default-accept-service-providers-filter-action__" 511 | action "__default-accept-service-providers-results-action__" 512 | exit 513 | 514 | rule "__default-accept-service-providers-response__" 515 | reset 516 | summary "Accept responses received from known services." 517 | type response-rule 518 | input-filter none 519 | output-filter none 520 | no non-xml-processing 521 | no unprocessed 522 | action "__default-accept-service-providers-results-action__" 523 | exit 524 | 525 | rule "__dp-policy-begin__" 526 | reset 527 | summary "Initiate policy enforcement by annotating policy and determining first policy to enforce." 528 | type rule 529 | input-filter none 530 | output-filter none 531 | no non-xml-processing 532 | no unprocessed 533 | action "__dp-policy-init-xform-action__" 534 | action "__dp-policy-traverse-xform-action__" 535 | action "__dp-policy-call-action__" 536 | action "__dp-policy-results-action__" 537 | exit 538 | 539 | matching "__default-accept-service-providers__" 540 | summary "Match all messages." 
  urlmatch "*"
  no match-with-pcre
  no combine-with-or
exit

stylepolicy "default"
  reset
  summary "Default Processing Policy"
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
  xquerydefault "store:///reject-all-json.xq"
exit

stylepolicy "default-accept-service-providers"
  reset
  summary "Default Processing Policy which accepts only messages that match known WSRR services in a Multi-Protocol Gateway."
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
  xquerydefault "store:///reject-all-json.xq"
  match "__default-accept-service-providers__" "__default-accept-service-providers-request__"
  match "__default-accept-service-providers__" "__default-accept-service-providers-response__"
exit

%if% available "metadata"

metadata "ftp-usercert-metadata"
  meta-item "variable" "dn" "var://context/INPUT/ftp/tls/client-subject-dn"
  meta-item "variable" "issuer" "var://context/INPUT/ftp/tls/client-issuer-dn"
  meta-item "variable" "serial" "var://context/INPUT/ftp/tls/client-serial-number"
exit

metadata "ftp-username-metadata"
  meta-item "variable" "dn" "var://context/INPUT/ftp/tls/client-subject-dn"
  meta-item "variable" "issuer" "var://context/INPUT/ftp/tls/client-issuer-dn"
  meta-item "variable" "password" "var://context/INPUT/ftp/password"
  meta-item "variable" "serial" "var://context/INPUT/ftp/tls/client-serial-number"
  meta-item "variable" "username" "var://context/INPUT/ftp/username"
exit

metadata "oauth-scope-metadata"
  meta-item "variable" "scope" "var://context/INPUT/oauth/verified-scope"
exit

metadata "ssh-password-metadata"
  meta-item "variable" "password" "var://context/INPUT/ssh/password"
  meta-item "variable" "publickey" "var://context/INPUT/ssh/publickey"
  meta-item "variable" "username" "var://context/INPUT/ssh/username"
exit

%endif%

xmlmgr "default"
  xsl cache size "default" "256"
  xsl checksummed cache default
  no tx-warn "default"
  memoization "default"

xml parser limits "default"
  bytes-scanned 4194304
  element-depth 512
  attribute-count 128
  max-node-size 33554432
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default" *

xml-manager "default"
  summary "Default XML-Manager"
  user-agent "default"
exit

xmlmgr "default-attempt-stream"
  xslconfig "default-attempt-stream" "default-attempt-stream"
  xsl cache size "default-attempt-stream" "256"
  xsl checksummed cache default-attempt-stream
  no tx-warn "default-attempt-stream"
  memoization "default-attempt-stream"

xml parser limits "default-attempt-stream"
  bytes-scanned 268435456
  element-depth 512
  attribute-count 128
  max-node-size 268435456
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default-attempt-stream"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default-attempt-stream" *

xml-manager "default-attempt-stream"
  summary "Default Streaming XML-Manager"
  user-agent "default"
exit

xmlmgr "default-wsrr"
  xsl cache size "default-wsrr" "256"
  xsl checksummed cache default-wsrr
  no tx-warn "default-wsrr"
  memoization "default-wsrr"

xml parser limits "default-wsrr"
  bytes-scanned 4194304
  element-depth 512
  attribute-count 128
  max-node-size 33554432
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default-wsrr"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default-wsrr" *

xml-manager "default-wsrr"
  summary "WSRR XML-Manager"
  user-agent "default"
exit

%if% available "aaapolicy"

aaapolicy "iop-mgmt-aaa"
  extract-identity "http-basic-auth+client-ssl" "" "" "" "" "login" "off" "" "off" "" "xmlfile" "" "" "" "" "" "proxy" "" "" ""
  authenticate xmlfile "store:///iop-mgmt-aaa.xml" "" "" "" "absolute" "3" "" "" "" "" "" "on" "" "" "1.1" "cn=" "" "" "" "" "" "" "" "" "" "" "" "userPassword" "LTPA2" "" "" "" "" "" "off" "" "1.2" "off" "" "off" "32" "off" "32" "off" "off" "" "" "" "" "0" "off" "60" "proxy" "" "" "" "webagent" "" "" ""
  map-credentials xmlfile "store:///iop-mgmt-aaa.xml" "" ""
  extract-resource "request-uri+request-opname" "" ""
  map-resource xmlfile "store:///iop-mgmt-aaa.xml" "" "WebSEAL" "" ""
  authorize xmlfile "store:///iop-mgmt-aaa.xml" "" "" "" "" "" "any" "" "" "absolute" "3" "" "" "" "1.1" "" "" "" "member" "" "" "subtree" "(objectClass=*)" "2.0" "deny-biased" "on" "" "" "custom" "" "" "" "off" "" "T" "" "off" "" "r" "" "0" "tfim" "" "off" "on" "off" "off" "60" "proxy" "" "" "webagent" "" "" ""
  post-process "off" "" "off" "XS" "" "off" "" "" "" "off" "on" "0" "off" "2.0" "off" "" "" "off" "Digest" "0" "0" "on" "off" "LTPA2" "600" "" "" "" "off" "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" "off" "" "off" "" "off" "" "off" "1000" "off" "all" "CallTFIM" "hmac-sha1" "sha1" "off" "random" "" "0" "off" "off" "off" "off" "" "off" "assertion" "" "wssec-replace" "authentication+attribute" "bearer" "on" "" "" "" "off" "off" "off" "" "0" "AllHTTP" "" "on" "off" "iv-creds" "0" "off" "" "off" "mc-output" "" "" "" "" "as-is-string" "" "" "proxy" "" "" "off" ""
  log-allowed
  log-allowed-level info
  log-rejected
  log-rejected-level warn
  no ping-identity-compatibility
  dos-valve 3
  ldap-version v2
  enforce-actor-role
  dyn-config none
exit

%endif%

%if% available "wsm-stylepolicy"

wsm-stylepolicy "default"
  summary "Default Processing Policy"
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
exit

%endif%

%if% available "audit-log-settings"

audit-log-settings
  admin-state enabled
  size 1000
  rotate 3
  audit-level standard
exit

%endif%

%if% available "domain-availability"

domain-availability
  admin-state disabled
exit

%endif%

%if% available "iop-mgmt"

iop-mgmt
  admin-state disabled
  http-service
  http-ip-address 0.0.0.0
  http-port 9990
  https-service
  https-ip-address 0.0.0.0
  https-port 9991
  ssl-config-type proxy
exit

%endif%

%if% available "nfs-client"

nfs-client
  admin-state disabled
  mount-refresh-time 10
exit

%endif%

%if% available "nfs-dynamic-mounts"

nfs-dynamic-mounts
  admin-state disabled
  version 3
  transport tcp
  mount-type hard
  no read-only
  rsize 4096
  wsize 4096
  timeo 7
  retrans 3
  inactivity-timeout 900
  mount-timeout 30
exit

%endif%

%if% available "quota-enforcement-server"

quota-enforcement-server
  admin-state disabled
  raid-volume raid0
  server-port 16379
  monitor-port 26379
  no enable-peer-group
  enable-ssl
  priority 100
  strict-mode
exit

%endif%

%if% available "secure-mode"

secure-mode
  admin-state enabled
  mode normal
exit

%endif%

xml-mgmt
  admin-state "disabled"
  local-address "eth0_ipv4_1" "5550"
  no ws-management
  slm-peering 10
  mode "any+soma+v2004+amp+slm+wsrr-subscription"
  ssl-config-type server
exit

rest-mgmt
  admin-state "disabled"
  local-address "0.0.0.0" "5554"
  ssl-config-type server
exit

save-config overwrite

web-mgmt
  admin-state "enabled"
  local-address "eth0_ipv4_1" "9090"
  save-config-overwrite
  idle-timeout 600
  ssl-config-type server
exit

%if% available "slm-action"

slm-action "notify"
  type log-only
  log-priority warn
exit

slm-action "shape"
  type shape
  log-priority debug
exit

slm-action "throttle"
  type reject
  log-priority debug
exit

%endif%

no statistics

%if% available "wsm-agent"

wsm-agent
  admin-state enabled
  max-records 3000
  max-memory 64000
  capture-mode faults
  buffer-mode discard
  no mediation-enforcement-metrics
  push-interval 100
  push-priority normal
exit

%endif%

domain "foo"
  base-dir foo:
  base-dir local:
  config-file foo.cfg
  url-permissions "http+https"
  file-permissions "CopyFrom+CopyTo+Delete+Display+Exec+Subdir"
  config-mode local
  import-format ZIP
  local-ip-rewrite
  maxchkpoints 3
exit

%endif%

failure-notification
  admin-state "enabled"
  no upload-report
  no use-smtp
  internal-state
  no ffdc packet-capture
  no ffdc event-log
  no ffdc memory-trace
  no always-on-startup
  always-on-shutdown
  protocol ftp
  report-history 5
exit

%if% isfile temporary:///backtrace
save error-report
%endif%

--------------------------------------------------------------------------------
/docker/customer-build/datapower/config/foo/foo.cfg:
--------------------------------------------------------------------------------
top; configure terminal;

# configuration generated Wed Mar 23 14:36:53 2016; firmware version 274960

%if% available "password-alias"

password-alias "bar"
exit

password-alias "crypto"
exit

password-alias "foo"
exit

%endif%

%if% available "include-config"

include-config "debug"
  config-url "config:///debug.cfg"
  auto-execute
  no interface-detection
exit

exec "config:///debug.cfg"

include-config "loadbalancer-group"
  config-url "config:///loadbalancer-group.cfg"
  auto-execute
  no interface-detection
exit

%endif%

exec "config:///loadbalancer-group.cfg"

crypto
  certificate "crypto-certificate" "sharedcert:///server.crt"
exit

crypto
  key "crypto-key" "cert:///server.key" password-alias "crypto"
exit

crypto
  idcred "crypto-identification-credentials" "crypto-key" "crypto-certificate"
exit

crypto

%if% available "ssl-server"

  ssl-server "ssl-server-profile"
    protocols "TLSv1d2"
    ciphers ECDHE_RSA_WITH_AES_256_GCM_SHA384
    ciphers ECDHE_RSA_WITH_AES_256_CBC_SHA384
    ciphers ECDHE_RSA_WITH_AES_256_CBC_SHA
    ciphers DHE_DSS_WITH_AES_256_GCM_SHA384
    ciphers DHE_RSA_WITH_AES_256_GCM_SHA384
    ciphers DHE_RSA_WITH_AES_256_CBC_SHA256
    ciphers DHE_DSS_WITH_AES_256_CBC_SHA256
    ciphers DHE_RSA_WITH_AES_256_CBC_SHA
    ciphers DHE_DSS_WITH_AES_256_CBC_SHA
    ciphers RSA_WITH_AES_256_GCM_SHA384
    ciphers RSA_WITH_AES_256_CBC_SHA256
    ciphers RSA_WITH_AES_256_CBC_SHA
    ciphers ECDHE_RSA_WITH_AES_128_GCM_SHA256
    ciphers ECDHE_RSA_WITH_AES_128_CBC_SHA256
    ciphers ECDHE_RSA_WITH_AES_128_CBC_SHA
    ciphers DHE_DSS_WITH_AES_128_GCM_SHA256
    ciphers DHE_RSA_WITH_AES_128_GCM_SHA256
    ciphers DHE_RSA_WITH_AES_128_CBC_SHA256
    ciphers DHE_DSS_WITH_AES_128_CBC_SHA256
    ciphers DHE_RSA_WITH_AES_128_CBC_SHA
    ciphers DHE_DSS_WITH_AES_128_CBC_SHA
    ciphers RSA_WITH_AES_128_GCM_SHA256
    ciphers RSA_WITH_AES_128_CBC_SHA256
    ciphers RSA_WITH_AES_128_CBC_SHA
    ciphers ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    ciphers DHE_RSA_WITH_3DES_EDE_CBC_SHA
    ciphers DHE_DSS_WITH_3DES_EDE_CBC_SHA
    ciphers RSA_WITH_3DES_EDE_CBC_SHA
    idcred crypto-identification-credentials
    no request-client-auth
    require-client-auth
    validate-client-cert
    send-client-auth-ca-list
    caching
    cache-timeout 300
    cache-size 20
    ssl-options ""
    max-duration 60
    max-renegotiation-allowed 0
    no prohibit-resume-on-reneg
    no compression
    no allow-legacy-renegotiation
    prefer-server-ciphers
    curves secp521r1
    curves secp384r1
    curves secp256k1
    curves secp256r1
  exit

%endif%

exit

crypto

%if% available "ssl-sni-mapping"

  ssl-sni-mapping "ssl-hostname-mapping"
    sni-mapping "*" "ssl-server-profile"
  exit

%endif%

exit

crypto

%if% available "ssl-sni-server"

  ssl-sni-server "ssl-sni-server-profile"
    protocols "TLSv1d2"
    sni-server-mapping ssl-hostname-mapping
    sni-server-default ssl-server-profile
    ssl-options ""
    max-duration 3600
    max-renegotiation-allowed 0
  exit

%endif%

exit
logging event default-log "all" "error"
logging event default-log "mgmt" "notice"

user-agent "default"
  summary "Default User Agent"
  max-redirects 8
  timeout 300
exit

%if% available "urlmap"

urlmap "default-attempt-stream-all"
  match "*"
exit

%endif%

%if% available "compile-options"

compile-options "default-attempt-stream"
  xslt-version XSLT10
  no strict
  try-stream default-attempt-stream-all
  stack-size 524288
  wsi-validate ignore
  wsdl-validate-body strict
  wsdl-validate-headers lax
  wsdl-validate-faults strict
  no wsdl-wrapped-faults
  no wsdl-strict-soap-version
  no xacml-debug
exit

%endif%

action "__default-accept-service-providers-filter-action__"
  reset
  type filter
  input "NULL"
  transform "store:///filter-accept-service-providers.xsl"
  transform-language none
  named-inouts default
  ssl-client-type proxy
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

action "__default-accept-service-providers-results-action__"
  reset
  type results
  input "INPUT"
  transform-language none
  named-inouts default
  ssl-client-type proxy
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

action "__dp-policy-call-action__"
  reset
  summary "Call the next policy."
  type call
  input "INPUT"
  transform-language none
  output "INPUT"
  named-inouts default
  ssl-client-type proxy
  rule "var://context/policy/fw/call-rule"
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

action "__dp-policy-init-xform-action__"
  reset
  summary "Set up context vars and annotate map XML."
  type xform
  input "NULL"
  transform "store://dp/policy-enforce-init.xsl"
  transform-language none
  output "NULL"
  named-inouts default
  ssl-client-type proxy
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

action "__dp-policy-results-action__"
  reset
  summary "Results action for our policy enforcement rules."
  type results
  input "INPUT"
  transform-language none
  named-inouts default
  ssl-client-type proxy
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

action "__dp-policy-traverse-xform-action__"
  reset
  summary "Identify next policy by traversing the annotated map."
  type xform
  input "NULL"
  transform "store://dp/policy-enforce-traverse.xsl"
  transform-language none
  output "NULL"
  named-inouts default
  ssl-client-type proxy
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

action "mpgw-style-policy_rule_0_gatewayscript_1"
  reset
  type gatewayscript
  input "INPUT"
  transform-language none
  gatewayscript-location "local:///example-header.js"
  output "PIPE"
  named-inouts default
  ssl-client-type proxy
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

action "mpgw-style-policy_rule_0_results_output_0"
  reset
  type results
  input "INPUT"
  transform-language none
  named-inouts default
  ssl-client-type proxy
  output-type default
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

action "mpgw-style-policy_rule_1_gatewayscript_2"
  reset
  type gatewayscript
  input "INPUT"
  transform-language none
  gatewayscript-location "local:///hello-too.js"
  output "OUTPUT"
  named-inouts default
  ssl-client-type proxy
  no transactional
  soap-validation body
  sql-source-type static
  strip-signature
  no asynchronous
  results-mode first-available
  retry-count 0
  retry-interval 1000
  no multiple-outputs
  iterator-type XPATH
  timeout 0
  http-method GET
  http-method-limited POST
  http-method-limited2 POST
exit

rule "__default-accept-service-providers-request__"
  reset
  summary "Accept messages intended for known services, reject everything else."
  type request-rule
  input-filter none
  output-filter none
  no non-xml-processing
  no unprocessed
  action "__default-accept-service-providers-filter-action__"
  action "__default-accept-service-providers-results-action__"
exit

rule "__default-accept-service-providers-response__"
  reset
  summary "Accept responses received from known services."
  type response-rule
  input-filter none
  output-filter none
  no non-xml-processing
  no unprocessed
  action "__default-accept-service-providers-results-action__"
exit

rule "__dp-policy-begin__"
  reset
  summary "Initiate policy enforcement by annotating policy and determining first policy to enforce."
  type rule
  input-filter none
  output-filter none
  no non-xml-processing
  no unprocessed
  action "__dp-policy-init-xform-action__"
  action "__dp-policy-traverse-xform-action__"
  action "__dp-policy-call-action__"
  action "__dp-policy-results-action__"
exit

rule "mpgw-style-policy_rule_0"
  reset
  type request-rule
  input-filter none
  output-filter none
  no non-xml-processing
  no unprocessed
  action "mpgw-style-policy_rule_0_results_output_0"
exit

rule "mpgw-style-policy_rule_1"
  reset
  type response-rule
  input-filter none
  output-filter none
  no non-xml-processing
  no unprocessed
  action "mpgw-style-policy_rule_1_gatewayscript_2"
exit

matching "__default-accept-service-providers__"
  summary "Match all messages."
  urlmatch "*"
  no match-with-pcre
  no combine-with-or
exit

matching "All"
  urlmatch ".*"
  match-with-pcre
  no combine-with-or
exit

matching "matching-rule-all-get"
  methodmatch "GET"
  no match-with-pcre
  no combine-with-or
exit

stylepolicy "default"
  reset
  summary "Default Processing Policy"
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
  xquerydefault "store:///reject-all-json.xq"
exit

stylepolicy "default-accept-service-providers"
  reset
  summary "Default Processing Policy which accepts only messages that match known WSRR services in a Multi-Protocol Gateway."
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
  xquerydefault "store:///reject-all-json.xq"
  match "__default-accept-service-providers__" "__default-accept-service-providers-request__"
  match "__default-accept-service-providers__" "__default-accept-service-providers-response__"
exit

stylepolicy "mpgw-style-policy"
  reset
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
  xquerydefault "store:///reject-all-json.xq"
  match "matching-rule-all-get" "mpgw-style-policy_rule_0"
  match "All" "mpgw-style-policy_rule_1"
exit

%if% available "metadata"

metadata "ftp-usercert-metadata"
  meta-item "variable" "dn" "var://context/INPUT/ftp/tls/client-subject-dn"
  meta-item "variable" "issuer" "var://context/INPUT/ftp/tls/client-issuer-dn"
  meta-item "variable" "serial" "var://context/INPUT/ftp/tls/client-serial-number"
exit

metadata "ftp-username-metadata"
  meta-item "variable" "dn" "var://context/INPUT/ftp/tls/client-subject-dn"
  meta-item "variable" "issuer" "var://context/INPUT/ftp/tls/client-issuer-dn"
  meta-item "variable" "password" "var://context/INPUT/ftp/password"
  meta-item "variable" "serial" "var://context/INPUT/ftp/tls/client-serial-number"
  meta-item "variable" "username" "var://context/INPUT/ftp/username"
exit

metadata "oauth-scope-metadata"
  meta-item "variable" "scope" "var://context/INPUT/oauth/verified-scope"
exit

metadata "ssh-password-metadata"
  meta-item "variable" "password" "var://context/INPUT/ssh/password"
  meta-item "variable" "publickey" "var://context/INPUT/ssh/publickey"
  meta-item "variable" "username" "var://context/INPUT/ssh/username"
exit

%endif%

xmlmgr "default"
  xsl cache size "default" "256"
  xsl checksummed cache default
  no tx-warn "default"
  memoization "default"

xml parser limits "default"
  bytes-scanned 4194304
  element-depth 512
  attribute-count 128
  max-node-size 33554432
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default" *

xml-manager "default"
  summary "Default XML-Manager"
  loadbalancer-group "lbg-backend"
  user-agent "default"
exit

xmlmgr "default-attempt-stream"
  xslconfig "default-attempt-stream" "default-attempt-stream"
  xsl cache size "default-attempt-stream" "256"
  xsl checksummed cache default-attempt-stream
  no tx-warn "default-attempt-stream"
  memoization "default-attempt-stream"

xml parser limits "default-attempt-stream"
  bytes-scanned 268435456
  element-depth 512
  attribute-count 128
  max-node-size 268435456
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default-attempt-stream"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default-attempt-stream" *

xml-manager "default-attempt-stream"
  summary "Default Streaming XML-Manager"
  user-agent "default"
exit

xmlmgr "default-wsrr"
  xsl cache size "default-wsrr" "256"
  xsl checksummed cache default-wsrr
  no tx-warn "default-wsrr"
  memoization "default-wsrr"

xml parser limits "default-wsrr"
  bytes-scanned 4194304
  element-depth 512
  attribute-count 128
  max-node-size 33554432
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default-wsrr"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default-wsrr" *

xml-manager "default-wsrr"
  summary "WSRR XML-Manager"
  user-agent "default"
exit

%if% available "source-https"

source-https "https-fsph-foo"
  local-address 0.0.0.0
  port 443
  http-client-version HTTP/1.1
  allowed-features "HTTP-1.0+HTTP-1.1+POST+GET+QueryString+FragmentIdentifiers"
  persistent-connections
  max-persistent-reuse 0
  no compression
  no websocket-upgrade
  websocket-idle-timeout 0
  max-url-len 16384
  max-total-header-len 128000
  max-header-count 0
  max-header-name-len 0
  max-header-value-len 0
  max-querystring-len 0
  credential-charset protocol
  ssl-config-type sni
  ssl-sni-server ssl-sni-server-profile
  http2-max-streams 100
  http2-max-frame 16384
  no http2-stream-header
exit

%endif%

%if% available "wsm-stylepolicy"

wsm-stylepolicy "default"
  summary "Default Processing Policy"
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
exit

%endif%

%if% available "policy-attachments"

policy-attachments "MPGW-foo"
  enforcement-mode enforce
  policy-references
  sla-enforcement-mode allow-if-no-sla
exit

%endif%

%if% available "mpgw"

mpgw "MPGW-foo"
  no policy-parameters
  priority normal
  front-protocol https-fsph-foo
  xml-manager default
  ssl-client-type proxy
  default-param-namespace "http://www.datapower.com/param/config"
  query-param-namespace "http://www.datapower.com/param/query"
  backend-url "http://lbg-backend:80"
  propagate-uri
  monitor-processing-policy terminate-at-first-throttle
  request-attachments strip
  response-attachments strip
  no request-attachments-flow-control
  no response-attachments-flow-control
  root-part-not-first-action process-in-order
  front-attachment-format dynamic
  back-attachment-format dynamic
  mime-front-headers
  mime-back-headers
  stream-output-to-back buffer-until-verification
  stream-output-to-front buffer-until-verification
  max-message-size 0
  no gateway-parser-limits
  element-depth 512
  attribute-count 128
  max-node-size 33554432
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
  attachment-byte-count 2000000000
  attachment-package-byte-count 0
  debugger-type internal
  debug-history 25
  no flowcontrol
  soap-schema-url "store:///schemas/soap-envelope.xsd"
  front-timeout 120
  back-timeout 120
  front-persistent-timeout 180
  back-persistent-timeout 180
  no include-content-type-encoding
  http-server-version HTTP/1.1
  persistent-connections
  no loop-detection
  host-rewriting
  no chunked-uploads
  process-http-errors
  http-client-ip-label "X-Client-IP"
  http-global-tranID-label "X-Global-Transaction-ID"
  inorder-mode ""
  wsa-mode sync2sync
  wsa-require-aaa
  wsa-strip-headers
  wsa-default-replyto "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous"
  wsa-default-faultto "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous"
  no wsa-force
  wsa-genstyle sync
  wsa-http-async-response-code 204
  wsa-timeout 120
  no wsrm
  wsrm-sequence-expiration 3600
  wsrm-destination-accept-create-sequence
  wsrm-destination-maximum-sequences 400
  no wsrm-destination-inorder
  wsrm-destination-maximum-inorder-queue-length 10
  no wsrm-destination-accept-offers
  no wsrm-request-force
  no wsrm-response-force
  no wsrm-source-request-create-sequence
  no wsrm-source-response-create-sequence
  no wsrm-source-make-offer
  no wsrm-source-sequence-ssl
  wsrm-source-maximum-sequences 400
  wsrm-source-retransmission-interval 10
  wsrm-source-exponential-backoff
  wsrm-source-retransmit-count 4
  wsrm-source-maximum-queue-length 30
  wsrm-source-request-ack-count 1
  wsrm-source-inactivity-close-interval 360
  no force-policy-exec
  rewrite-errors
  delay-errors
  delay-errors-duration 1000
  request-type preprocessed
  response-type preprocessed
  follow-redirects
  no rewrite-location-header
  stylepolicy mpgw-style-policy
  type static-backend
  no compression
  no allow-cache-control
  policy-attachments MPGW-foo
  no wsmagent-monitor
  wsmagent-monitor-capture-mode all-messages
  no proxy-http-response
exit

%endif%

%if% available "domain-availability"

domain-availability
  admin-state disabled
exit

%endif%

%if% available "nfs-dynamic-mounts"

nfs-dynamic-mounts
  admin-state disabled
  version 3
  transport tcp
  mount-type hard
  no read-only
  rsize 4096
  wsize 4096
  timeo 7
  retrans 3
  inactivity-timeout 900
  mount-timeout 30
exit

%endif%

%if% available "slm-action"

slm-action "notify"
  type log-only
  log-priority warn
exit

slm-action "shape"
  type shape
  log-priority debug
exit

slm-action "throttle"
  type reject
  log-priority debug
exit

%endif%

no statistics

%if% available "wsm-agent"

wsm-agent
  admin-state enabled
  max-records 3000
  max-memory 64000
  capture-mode faults
  buffer-mode discard
  no mediation-enforcement-metrics
  push-interval 100
  push-priority normal
exit

%endif%

--------------------------------------------------------------------------------
/docker/customer-build/datapower/local/foo/hello-too.js:
--------------------------------------------------------------------------------
var hm = require('header-metadata');

// Set the X-Hello-World header
hm.current.set('X-Hello-World', 'Hello from DataPower domain foo');

session.input.readAsBuffer(function (error, buffer) {
  if (error) {
    // throw the error if there was one
    throw error;
  }
  // Since this simple application only returns a test hello world
  // string, we'll just prepend our placeholder string
  session.output.write("DataPower Proxied: " + buffer.toString());
});

--------------------------------------------------------------------------------
/docker/customer-build/datapower/start.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -x

# Source every start-up hook under /datapower/start before launching DataPower;
# each hook may generate configuration files that the domains then include.
for f in $(find /datapower/start -type f)
do
  echo "Processing $f"
  . "$f"
  # Re-enable tracing in case the sourced hook turned it off
  set -x
  echo
done

exec /opt/ibm/datapower/datapower-launch

--------------------------------------------------------------------------------
/docker/customer-build/datapower/start/debug.sh:
--------------------------------------------------------------------------------
#!/bin/bash

if [ ! -z "$DEBUG" ]
then
  # The DEBUG env var was passed in from Docker
  # This means we want the log level to be set to debug in both default and foo
  tee /datapower/config/debug.cfg <<-EOF
	# DEBUG log is enabled
	top; co
	logging target "debug-log"
	  type file
	  priority normal
	  soap-version soap11
	  format text
	  timestamp zulu
	  no fixed-format
	  size 10000
	  local-file "logtemp:///debug-log"
	  archive-mode rotate
	  rotate 4
	  no ansi-color
	  facility user
	  rate-limit 100
	  connect-timeout 60
	  idle-timeout 15
	  active-timeout 0
	  no feedback-detection
	  no event-detection
	  suppression-period 10
	  ssl-client-type proxy
	  event "all" "debug"
	exit
	EOF
  tee /datapower/config/foo/debug.cfg <<-EOF
	# DEBUG log is enabled
	top; co
	logging target "debug-log"
	  type file
	  priority normal
	  soap-version soap11
	  format text
	  timestamp zulu
	  no fixed-format
	  size 10000
	  local-file "logtemp:///debug-log"
	  archive-mode rotate
	  rotate 4
	  no ansi-color
	  facility user
	  rate-limit 100
	  connect-timeout 60
	  idle-timeout 15
	  active-timeout 0
	  no feedback-detection
	  no event-detection
	  suppression-period 10
	  ssl-client-type proxy
	  event "all" "debug"
	exit
	EOF
else
  # The DEBUG env var is not set in Docker; write empty config files so
  # logging stays at the default info level
  tee /datapower/config/debug.cfg <<-EOF
	# DEBUG log is not enabled
	EOF
  tee /datapower/config/foo/debug.cfg <<-EOF
	# DEBUG log is not enabled
	EOF
fi

--------------------------------------------------------------------------------
/docker/customer-build/datapower/start/loadbalancer-group.sh:
--------------------------------------------------------------------------------
#!/bin/bash

{
cat <<-EOF
	top; co

	loadbalancer-group lbg-backend
	  reset
	EOF

env | grep
'^[a-zA-Z0-9_-]*_PORT_8080_TCP_ADDR' | cut -d= -f2- | while read ADDR 12 | do 13 | echo " server $ADDR 1 8080 enabled" 14 | done 15 | cat <<-EOF 16 | exit 17 | 18 | xml-manager default 19 | loadbalancer-group lbg-backend 20 | exit 21 | EOF 22 | } | tee /datapower/config/foo/loadbalancer-group.cfg 23 | 24 | -------------------------------------------------------------------------------- /docker/customer-build/datapower/start/vbox-inotify-workaround.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Work around the VBox/Docker Toolbox inotify bug [1] by disabling 4 | # GatewayScript Cache. Note that if we had XSL, we would want 5 | # to disable caches for that too. 6 | # 7 | # If you're running docker then you'd need to get around the 8 | # DataPower container protections by running as root. 9 | # One way to do that is to run docker with `---user=root`. 10 | # 11 | # [1] https://www.virtualbox.org/ticket/10660 12 | 13 | rm -f /datapower/config/vbox-inotify-workaround.cfg 14 | 15 | if [ "$DP_VBOX_INOTIFY" = "true" ] 16 | then 17 | tee /datapower/config/vbox-inotify-workaround.cfg <<-EOF 18 | # Working around https://www.virtualbox.org/ticket/10660 19 | # by disabling gatewayscript cache 20 | # We only do this when using GatewayScript with Docker 21 | # volumes when we expect to modify the GatewayScript itself 22 | # and want the changes to be immediately recognized. 
	top; diag; set-gatewayscript-cache disable; top; config
	EOF
else
  tee /datapower/config/vbox-inotify-workaround.cfg <<-EOF
	# No need to work around https://www.virtualbox.org/ticket/10660
	EOF
fi

--------------------------------------------------------------------------------
/docker/customer-commit/Makefile:
--------------------------------------------------------------------------------
# Instructions:
#
# 1) Build the "-base" image using deb2img or rpm2img
#    This can be shortened to 3 steps:
# 2) make
# 3) Use the resulting image as the basis for the customer-build project
#
# A note on naming conventions:
# * The registry defaults to USER. Override at will. Add the registry prefix.
# * The repository defaults to customer-commit.
# * The default name for a running container is "customer-commit". Override at will,
#   remember that the name of a container must be unique on this docker engine.
# * The repository of the committed image is the same as the name of the built image
# * The tagged image is the same repository, except the tag is "latest" instead
#   of the value of TAG, which defaults to 0.1.
#
# A note on working with multiple containers:
# * The default container name is "customer-commit"
# * The "CONTAINER_NAME" variable can be specified on make or as an environment
#   variable.
# * One option is to have a window for each of several DataPower containers
# * And set CONTAINER_NAME=foo, where foo is unique in each window.
#
# How it works:
#
# We start from a license-accepted but otherwise unconfigured DataPower Docker
# image. The image already uses /datapower/local for local: and /datapower/config
# for config:.
#
# When we docker run the datapower image, we use Docker volumes for
# datapower-external.cfg and /datapower. The datapower-external.cfg file contains
# DataPower CLI instructions that DataPower processes at startup. We add commands
# to this file that allow us to set up the parts of DataPower that we do not want
# to be visible in the clear-text filesystem of the image or of the container.
#
# Examples of the sorts of things we set up here are users and passwords, keys and
# certs, etc. Broadly speaking, the kinds of things we want to add here are the things
# that cannot be extracted from DataPower once added.
#
# Because we use a docker volume for the container's /datapower directory, we can
# use it for our keys and certs, then we can use the DataPower "copy" command to
# get the cryptomaterial directly from the release engineering machine into
# DataPower without being exposed at any other time.
#
# Once we know this process has completed, which is signaled by the availability
# of services defined later in datapower-external.cfg, the container can be
# stopped and turned into an image with "docker commit".
#
# The "evolve" target in this Makefile performs these operations, which can be
# reduced to running the datapower-base image with the volume options and waiting
# for a DataPower management service to be available. The "build" target then
# depends on evolve, stop, commit and rm. Meaning that in order to "build" a
# DataPower Gateway docker image with users and keys one runs the previous image using
# special configuration which DataPower receives via docker volumes and
# "docker commits" the result.
#
# This image can then be run and tested. Once the image's validity is verified,
# it can be tagged as customer-commit:latest for use in the customer-build project.
#
# The point of this step is to add in the secrets. To this end, the secrets are
# contained in Makefile.secrets. This contains all the passwords and the
# metadata for generation of keys and certs. Only the non-anointed will
# generate the keys and certs this way; the release engineering team will have
# the real keys and certs. Developers who are building their own images use
# their own low-value cryptomaterial.
include Makefile.secrets

REGISTRY ?= $(USER)
BASEREPOSITORY ?= datapower-base
RESULTREPOSITORY ?= customer-commit
REPOSITORY = $(RESULTREPOSITORY)
TAG ?= 0.1
CONTAINER_NAME ?= customer-commit

MAXWAIT=600

RUNFLAGS = --privileged -P

.PHONY: all build shell evolve run rundev rm cli gui clean logs commit tag stop password fixate distclean

all: clean evolve password stop commit rm tag
build: all

GENERATEDFILES = datapower/local/server.crt \
	datapower/local/server.key \
	datapower/local/foo/server.crt \
	datapower/local/foo/server.key \
	datapower/config/password-map.cfg \
	datapower/config/evolve.cfg

# Make sure a listener is on a port before trying to connect with it
# Inside the container, check netstat once a second until the TCP
# port is in LISTEN.
define wait-for-listener
@docker exec -it $(CONTAINER_NAME) /bin/bash -c \
	'MSG="Waiting for port $(LISTENPORT) listener"; \
	NL=""; \
	for (( i=0, RC=1; i<$(MAXWAIT); i++ )); do \
	  netstat -ln | grep -q "^tcp.*:$(LISTENPORT).*LISTEN" \
	    && { RC=0; break; }; \
	  echo -n $$MSG; \
	  MSG=.; \
	  NL="\n"; \
	  sleep 1; \
	done; \
	echo -ne "$$NL"; \
	exit $$RC'
endef

# The DOCKER_HOST variable may be unset or may contain tcp://1.2.3.4:1234
# We just want to know the address of the Docker Engine we're talking to
# so it's either the IP address portion of DOCKER_HOST or it's 127.0.0.1.
ifeq '$(DOCKER_HOST)' ''
DP_DOCKER_HOST=127.0.0.1
else
# remove the leading tcp://, then replace the : with a " " so we have
# 2 words. Lastly take just the first word, which is just the IP address
# portion of the DOCKER_HOST.
DP_DOCKER_HOST=$(firstword $(subst :, ,$(patsubst tcp://%,%,$(DOCKER_HOST))))
endif


evolve: RUNFLAGS+=-v $(PWD)/datapower:/datapower -v $(PWD)/datapower-external-evolve.cfg:/opt/ibm/datapower/datapower-external.cfg
evolve: LISTENPORT=2200
evolve: REPOSITORY=$(BASEREPOSITORY)
evolve: TAG=latest
evolve: run $(GENERATEDFILES)
evolve:
	$(wait-for-listener)

define PASSWORD_template
.PHONY: password-$(1)
password-$(1):
	@echo ====== Changing password for user $(1) ======
	@docker exec -it $(CONTAINER_NAME) /bin/bash -c \
	'{ echo $(1); sleep 5; \
	   echo "changeme"; sleep 1.2; \
	   if [ "$(1)" = "admin" ]; then \
	     echo "top; co; user admin; password"; sleep 1.2; \
	     echo "$$(DPPASS_$(1))"; sleep 1.2; \
	     echo "$$(DPPASS_$(1))"; sleep 1.2; \
	     echo "exit; exit"; sleep 1.2; \
	   else \
	     echo "$$(DPPASS_$(1))"; sleep 1.2; \
	     echo "$$(DPPASS_$(1))"; sleep 1.2; \
	   fi ; sleep 5; }\
	| telnet 127.0.0.1 2200'; echo
endef
$(foreach user,$(DPUSERS),$(eval $(call PASSWORD_template,$(user))))

password: $(foreach user,$(DPUSERS),password-$(user))

shell:
	docker exec -it $(CONTAINER_NAME) /bin/bash

# Start the CLI via telnet. But first wait up to $(MAXWAIT) sec for telnet to come up.
cli: LISTENPORT=2200
cli:
	$(wait-for-listener)
	docker exec -it $(CONTAINER_NAME) telnet 127.0.0.1 2200 ; true

gui: LISTENPORT=9090
gui:
	$(wait-for-listener)
	firefox https://$(DP_DOCKER_HOST):$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME)) > /dev/null 2>&1 &

run: $(GENERATEDFILES)
run:
	docker run -d --name $(CONTAINER_NAME) $(RUNFLAGS) $(REGISTRY)/$(REPOSITORY):$(TAG)

stop:
	docker stop -t $(MAXWAIT) $(CONTAINER_NAME) || true

rm: stop
	docker rm $(CONTAINER_NAME) || true

clean:
	sudo rm -rf datapower || rm -rf datapower || true

# When distributing the source, the keys are not included!
distclean: clean
	rm -f server.crt server.csr server.key

# Fix permissions and ownership. Keep Makefile.secrets as private as possible.
# If new docker-created root files are present; save them.
fixate:
	find datapower/ -user root -print0 | xargs -0 --no-run-if-empty sudo chown --reference=.
	chmod a-x,og-rw,u+r Makefile.secrets

logs:
	docker logs $(CONTAINER_NAME) 2>&1

commit:
	docker rmi $(REGISTRY)/$(REPOSITORY):$(TAG) >/dev/null 2>&1 || true
	docker commit $(CONTAINER_NAME) $(REGISTRY)/$(REPOSITORY):$(TAG)

tag:
	docker tag -f $(REGISTRY)/$(REPOSITORY):$(TAG) $(REGISTRY)/$(REPOSITORY):latest

datapower/local/server.crt datapower/local/server.key datapower/local/foo/server.crt datapower/local/foo/server.key: server.crt server.key
	mkdir -p datapower/local/foo
	cp server.crt datapower/local/server.crt
	cp server.key datapower/local/server.key
	cp server.crt datapower/local/foo/server.crt
	cp server.key datapower/local/foo/server.key

server.crt server.key:
	rm -f server.crt server.csr server.key
	openssl genrsa -passout pass:$(DPPASS_CRYPTO) -des3 -out server.key 4096
	printf "$(DN_CountryCode)\n$(DN_State_Province)\n$(DN_City)\n$(DN_Organization)\n$(DN_OrgUnit)\n$(DN_CommonName)\n$(DN_EmailAddress)\n\n\n" | \
	openssl req -passin pass:$(DPPASS_CRYPTO) -new -key server.key -out server.csr
	openssl x509 -passin pass:$(DPPASS_CRYPTO) -req -days 365 -in server.csr -signkey server.key -out server.crt

datapower/config/password-map.cfg:
	mkdir -p datapower/config
	rm -f $@
	touch $@
	chmod 600 $@
	echo "crypto" > $@
	@echo "  add password-map foo secretfoo" >> $@
	@echo "  add password-map bar secretbar" >> $@
	@echo "  add password-map crypto $(DPPASS_CRYPTO)" >> $@
	echo "exit" >> $@

datapower/config/evolve.cfg:
	mkdir -p datapower/config
	cp evolve.cfg datapower/config/evolve.cfg

--------------------------------------------------------------------------------
/docker/customer-commit/Makefile.secrets:
--------------------------------------------------------------------------------
# Imported by Makefile; sets passwords for each user.
# The users are created in the usual way, via CLI
# Each of the user passwords is set to "changeme" in evolve.cfg
# Then the Makefile sets the password for each user
# This allows all the passwords to be held in just this one place.

DPUSERS = admin annieadmin freddiefoo
DPPASS_admin = supersecret
DPPASS_annieadmin = raggedyanne
DPPASS_freddiefoo = freddiefriesfoo

DPPASS_CRYPTO = mySuperDuperSecretPassword

DN_CountryCode = .
DN_State_Province = .
DN_City = .
DN_Organization = .
DN_OrgUnit = .
DN_CommonName = $(shell hostname --fqdn)
DN_EmailAddress = $(USER)@$(shell hostname --domain)

--------------------------------------------------------------------------------
/docker/customer-commit/README.md:
--------------------------------------------------------------------------------
# Purpose
Show how customers would add "intrinsic" artifacts to DataPower within
an automated process driven by version control artifacts.

NOTICE: This is a legacy example that does not take advantage of DataPower Gateway for Docker. Consider using the [ibmcom-datapower-example](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/ibmcom-datapower-example) instead.

___
Examples of DataPower artifacts include keys and certs in cert:
or sharedcert:, users and passwords, and the like. These are things
that we do not want to appear in the clear in the Docker image, so
we avoid that by ensuring that they are placed directly into
DataPower, which persists them in the encrypted datapower.img
file, which is inside the image/container.

Note that at mastering time, the artifacts do have to appear "in the
clear". The assumption is that this only happens in trusted, well-controlled environments where that is a safe assumption.
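The Makefile comments above and this README both rest on one property: the keys, the password map and Makefile.secrets reach the container only through volumes, so no image layer produced by `docker commit` should ever contain them. The script below is an added example, not part of the datapower-labs project, that checks a committed image for that property by listing every layer of a `docker save` export and matching the file names the customer-commit Makefile generates; the sample listing embedded in it is constructed.

```shell
#!/bin/bash
# Added example (not from datapower-labs): verify that a committed DataPower
# image carries none of the build-time secret files that customer-commit
# mounts via volumes. Whatever DataPower absorbed should live only inside the
# encrypted datapower.img, so the host-side copies must be absent from layers.
#
# Offline use:  tar -tf layer.tar | scan_layer_listing
# Image use:    secrets_in_image myuser/customer-commit:0.1   (needs docker)

# Basenames that must not appear in any layer: the files the customer-commit
# Makefile generates (GENERATEDFILES) plus its secrets include file.
FORBIDDEN_RE='(^|/)(server\.key|server\.csr|password-map\.cfg|Makefile\.secrets)$'

# Read a tar listing (one path per line) on stdin, print every path that
# matches FORBIDDEN_RE, and return 1 if there was at least one match.
scan_layer_listing() {
    local hits
    hits=$(grep -E "$FORBIDDEN_RE" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample standing in for `tar -tf layer.tar` output on a layer
# that wrongly captured the build directory (three secret files, one decoy).
sample_leaky_listing() {
    printf '%s\n' \
        'opt/ibm/datapower/datapower-launch' \
        'datapower/local/server.key' \
        'datapower/config/password-map.cfg' \
        'home/build/Makefile.secrets' \
        'var/log/keyserver.log'
}

# Constructed sample of a clean layer: runtime files and config only.
sample_clean_listing() {
    printf '%s\n' \
        'opt/ibm/datapower/datapower-launch' \
        'datapower/config/foo/foo.cfg' \
        'usr/bin/telnet'
}

# Export an image and scan every layer tarball. docker save writes either the
# legacy <id>/layer.tar members or an OCI layout whose layers sit under
# blobs/sha256/; non-tar blobs there (config JSON) make tar -tf fail, which
# yields an empty listing and therefore no finding.
secrets_in_image() {
    local image="$1" tmp rc=0 layer
    tmp=$(mktemp -d) || return 2
    docker save "$image" | tar -x -C "$tmp" || { rm -rf "$tmp"; return 2; }
    for layer in $(find "$tmp" -type f \( -name layer.tar -o -path '*/blobs/sha256/*' \)); do
        if ! tar -tf "$layer" 2>/dev/null | scan_layer_listing; then
            echo "secret material found in ${layer#$tmp/}" >&2
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}
```

Run `secrets_in_image` against the image produced by `make commit`; a non-zero exit means the commit captured files that were supposed to stay on the volume.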

Otherwise, the same actions shown here could be done manually,
with all the caveats that manual steps bring.

--------------------------------------------------------------------------------
/docker/customer-commit/datapower-external-evolve.cfg:
--------------------------------------------------------------------------------
# Licensed Materials - Property of IBM
# IBM WebSphere DataPower Appliances
# Copyright IBM Corporation 2006, 2015. All Rights Reserved.
#

top; configure terminal;

# configuration imported from the host system in a native package install

exec config:///evolve.cfg

cli telnet "Telnet-Service"
  ip-address 127.0.0.1
  port 2200
exit

%if% false
ssh "eth0_ipv4_1" "2201"
%endif%

xml-mgmt
  admin-state "disabled"
  local-address "eth0_ipv4_1" "5550"
exit

web-mgmt
  admin-state "enabled"
  local-address "eth0_ipv4_1" "9090"
exit

--------------------------------------------------------------------------------
/docker/customer-commit/evolve.cfg:
--------------------------------------------------------------------------------
# Commands performed to evolve a license-accepted DataPower
# Docker image into a DataPower where users and passwords
# are set, crypto material is loaded, and password maps
# are created.

top; configure terminal;

# Set up users and temporary passwords. Passwords will be changed
# by another step in the build process. This allows the passwords
# to be closely held and localized in a single file. Passwords
# are expected to be different for every builder. The temporary
# password for each user is "changeme"
user "admin"
  password "changeme"
exit

user "annieadmin"
  password "changeme"
  access-level privileged
exit

user "freddiefoo"
  password "changeme"
  access-level user
  domain foo
exit

# Create domains; must be done before the copying of files
domain foo
  visible-domain default
exit

# Copy crypto material
copy -f local:///server.crt sharedcert:///server.crt
copy -f local:///server.key sharedcert:///server.key
copy -f local:///server.crt cert:///server.crt
copy -f local:///server.key cert:///server.key

copy -f local:///server.crt cert:///foo/server.crt
copy -f local:///server.key cert:///foo/server.key

# The password-map.cfg file comes from "somewhere else". It might
# be closely held by the release engineering team. Developers might
# have their own version -- that is what this example shows. password-map.cfg
# is generated by the Makefile using a password in Makefile.secrets
exec config:///password-map.cfg

# Write mem will trigger password map save
write mem

--------------------------------------------------------------------------------
/docker/customer-optimized/.gitignore:
--------------------------------------------------------------------------------
bldsrc/*
!bldsrc/README
datapower/local
datapower/config
!datapower/config/evolve.cfg

--------------------------------------------------------------------------------
/docker/customer-optimized/Makefile:
--------------------------------------------------------------------------------
# A more advanced example that keeps the image size smaller through careful
# use of Docker volumes and commit. The strategy is to build a single
# Docker container up by issuing standard commands then performing a
# Docker commit at the end.
#
# Think of this example as deb2img and customer-commit combined. It performs
# both roles but in a single container that becomes a single image.
# This allows the image to be constructed without unnecessarily
# increasing the size of the docker image along the way.
#
# The resulting image is called customer-commit, so it can be used directly
# by the customer-build example.
#
# If you use the rpm2img/deb2img then customer-commit examples, you end up
# with something that is functionally similar to using this example, except
# the size of the image will be far less with this example.

RESULTREGISTRY ?= $(USER)/
RESULTREPOSITORY ?= customer-commit
RESULTTAG ?= 0.1

REGISTRY ?= $(USER)/
RUNREGISTRY ?= $(USER)/
RUNREPOSITORY ?= $(RESULTREPOSITORY)
RUNTAG ?= 0.1
CONTAINER_NAME ?= customer-optimized
RUNFLAGS ?= --privileged --publish-all
MAXWAIT ?= 600
RUNDETACH ?= true

FROM ?= ubuntu:trusty

.PHONY: all shell run rm cli gui clean logs tag stop fixate

GENERATEDFILES = datapower/local/server.crt \
	datapower/local/server.csr \
	datapower/local/server.key \
	datapower/local/foo/server.crt \
	datapower/local/foo/server.key \
	datapower/config/password-map.cfg

all: ubuntu
deb: clean installdeb install acceptlicense password commit tagdeb
rpm: clean installrpm install acceptlicense password commit tagrpm

.PHONY: ubuntu
ubuntu: FROM=ubuntu:trusty
ubuntu: deb

.PHONY: centos
centos: FROM=centos:7
centos: rpm

.PHONY: rhel
rhel: FROM=rhel7.2:latest
rhel: rpm

# Make sure a listener is on a port before trying to connect with it
# Inside the container, check netstat once a second until the TCP
# port is in LISTEN.
define wait-for-listener
@docker exec -it $(CONTAINER_NAME) /bin/bash -c \
	'MSG="Waiting for port $(LISTENPORT) listener"; \
	NL=""; \
	for (( i=0, RC=1; i<$(MAXWAIT); i++ )); do \
	  netstat -ln | grep -q "^tcp.*:$(LISTENPORT).*LISTEN" \
	    && { RC=0; break; }; \
	  echo -n $$MSG; \
	  MSG=.; \
	  NL="\n"; \
	  sleep 1; \
	done; \
	echo -ne "$$NL"; \
	exit $$RC'
endef

define wait-for-stop
@docker exec -it $(CONTAINER_NAME) /bin/bash -c \
	'MSG="Waiting for DataPower processes to stop"; \
	NL=""; \
	for (( i=0, RC=1; i<$(MAXWAIT); i++ )); do \
	  ps aguxwww | grep -v grep | grep -q "datapower-launch" \
	    || { RC=0; break; }; \
	  echo -n $$MSG; \
	  MSG=.; \
	  NL="\n"; \
	  sleep 1; \
	done; \
	echo -ne "$$NL"; \
	exit $$RC'
endef

# The DOCKER_HOST variable may be unset or may contain tcp://1.2.3.4:1234
# We just want to know the address of the Docker Engine we're talking to
# so it's either the IP address portion of DOCKER_HOST or it's 127.0.0.1.
ifeq '$(DOCKER_HOST)' ''
DP_DOCKER_HOST=127.0.0.1
DP_DOCKER_PROMPTHOSTS=$(DP_DOCKER_HOST) $(shell hostname -f) $(shell hostname -I)
else
# remove the leading tcp://, then replace the : with a " " so we have
# 2 words. Lastly take just the first word, which is just the IP address
# portion of the DOCKER_HOST.
DP_DOCKER_HOST=$(firstword $(subst :, ,$(patsubst tcp://%,%,$(DOCKER_HOST))))
DP_DOCKER_PROMPTHOSTS=$(DP_DOCKER_HOST)
endif

.PHONY: installdeb
installdeb: bldsrc/ibm-datapower-common.deb bldsrc/ibm-datapower-image.deb $(GENERATEDFILES)
	touch datapower/running
	rm -f ./datapower/config/evolve.enabled
	docker run -d --privileged --name $(CONTAINER_NAME) \
	  -v $(PWD)/bldsrc:/bldsrc \
	  -v $(PWD)/datapower:/datapower \
	  -p 9090 \
	  $(FROM) \
	  /bin/sh -c 'while [ -e /datapower/running ]; do sleep 1; done'
	docker exec $(CONTAINER_NAME) mkdir -p /datapower/config /datapower/local
	docker exec $(CONTAINER_NAME) apt-get update
	docker exec $(CONTAINER_NAME) apt-get -y install kpartx schroot telnet psmisc
	docker exec $(CONTAINER_NAME) dpkg -i /bldsrc/ibm-datapower-common.deb /bldsrc/ibm-datapower-image.deb

.PHONY: installrpm
installrpm: bldsrc/ibm-datapower-image.rpm bldsrc/ibm-datapower-common.rpm $(GENERATEDFILES)
	touch datapower/running
	rm -f ./datapower/config/evolve.enabled
	docker run -d --privileged --name $(CONTAINER_NAME) \
	  -v $(PWD)/bldsrc:/bldsrc \
	  -v $(PWD)/datapower:/datapower \
	  -p 9090 \
	  $(FROM) \
	  /bin/sh -c 'while [ -e /datapower/running ]; do sleep 1; done'
	docker exec $(CONTAINER_NAME) mkdir -p /datapower/config /datapower/local
	docker exec $(CONTAINER_NAME) yum -y update
	docker exec $(CONTAINER_NAME) rpm -Uvh 'http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-6.noarch.rpm'
	docker exec $(CONTAINER_NAME) yum -y install kpartx telnet net-tools psmisc
	docker exec $(CONTAINER_NAME) yum -y install /bldsrc/ibm-datapower-image.rpm
	docker exec $(CONTAINER_NAME) yum -y install /bldsrc/ibm-datapower-common.rpm

.PHONY: install
install:
	docker exec $(CONTAINER_NAME) sed -i -e '/^web-mgmt/,/^exit/s/admin-state.*/admin-state "enabled"/g' /opt/ibm/datapower/datapower-external.cfg
	docker exec $(CONTAINER_NAME) /bin/sh -c 'echo "DataPowerConfigDir=/datapower/config" >> /opt/ibm/datapower/datapower.conf'
	docker exec $(CONTAINER_NAME) /bin/sh -c 'echo "DataPowerLocalDir=/datapower/local" >> /opt/ibm/datapower/datapower.conf'
	docker exec $(CONTAINER_NAME) /bin/sh -c 'echo "DataPowerCpuCount=4" >> /opt/ibm/datapower/datapower.conf'
	docker exec $(CONTAINER_NAME) /bin/sh -c 'echo "DataPowerMemoryLimit=8192" >> /opt/ibm/datapower/datapower.conf'
	docker exec $(CONTAINER_NAME) sed -i -e '/^cli telnet/iexec config://evolve.cfg' /opt/ibm/datapower/datapower-external.cfg
	docker exec $(CONTAINER_NAME) /opt/ibm/datapower/datapower-docker-build.sh
	docker exec $(CONTAINER_NAME) /bin/sh -c 'rm /opt/ibm/datapower/*.img.gz'
	docker exec -d $(CONTAINER_NAME) /opt/ibm/datapower/datapower-launch

.PHONY: acceptlicense
acceptlicense: LISTENPORT=2200
acceptlicense: WEBGUIPORT=$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "9090/tcp") 0).HostPort}}' $(CONTAINER_NAME))
acceptlicense:
	@echo "#############################################################"
	@echo "## It is a manual process to turn a factory image into a   ##"
	@echo "## base image. You must now answer the initial questions   ##"
	@echo "## DataPower normally asks upon initialization, such as    ##"
	@echo "## enabling secure backup and common criteria mode. You    ##"
	@echo "## will also be prompted to change the DataPower password. ##"
	@echo "## As soon as you receive a DataPower prompt, issue the    ##"
	@echo "## command 'exit'. There is no need to enable the WebGUI,  ##"
	@echo "## that step has already been performed.                   ##"
	@echo "#############################################################"
	$(wait-for-listener)
	touch ./datapower/config/evolve.enabled
	docker exec -it $(CONTAINER_NAME) telnet 127.0.0.1 2200 ; true
	firefox https://$(DP_DOCKER_HOST):$(WEBGUIPORT) > /dev/null 2>&1 &
	@echo "#############################################################"
	@echo "## In the WebGUI, please accept the DataPower license.     ##"
	@echo "## After you have accepted the license, wait until you     ##"
	@echo "## are again presented with a login prompt.                ##"
	@echo "##                                                         ##"
	@echo "## Only after you see the DataPower login prompt should    ##"
	@echo "## you press 'Enter' in this screen to continue.           ##"
	@echo "##                                                         ##"
	@echo "## If a browser does not open automatically, you must      ##"
	@echo "## point an appropriate browser to port $(WEBGUIPORT)      ##"
	@echo "## of the Docker host using https in order to accept the   ##"
	@echo "## license manually.                                       ##"
	@echo "##                                                         ##"
	@echo "## Your host identifies itself as:                         ##"
	@echo "## $(DP_DOCKER_PROMPTHOSTS)"
	@echo "##                                                         ##"
	@echo "## Press 'Enter' ONLY after BOTH accepting the license     ##"
	@echo "## AND being prompted with a new login screen!             ##"
	@echo "#############################################################"
	@bash -c "read"
	docker exec $(CONTAINER_NAME) sed -i -e '/^exec config:.*evolve.cfg/d' /opt/ibm/datapower/datapower-external.cfg
	@echo "**** $@ complete ****"

include Makefile.secrets
define PASSWORD_template
.PHONY: password-$(1)
password-$(1):
	@echo ====== Changing password for user $(1) ======
	@docker exec -it $(CONTAINER_NAME) /bin/bash -c \
	'{ echo $(1); sleep 5; \
	   echo "changeme"; sleep 1.2; \
	   if [ "$(1)" = "admin" ]; then \
	     echo "top; co; user admin; password"; sleep 1.2; \
	     echo "$$(DPPASS_$(1))"; sleep 1.2; \
	     echo "$$(DPPASS_$(1))"; sleep 1.2; \
	     echo "exit; exit"; sleep 1.2; \
	   else \
	     echo "$$(DPPASS_$(1))"; sleep 1.2; \
	     echo "$$(DPPASS_$(1))"; sleep 1.2; \
	   fi ; sleep 5; }\
	| telnet 127.0.0.1 2200'; echo
endef
$(foreach user,$(DPUSERS),$(eval $(call PASSWORD_template,$(user))))


.PHONY: password
password: $(foreach user,$(DPUSERS),password-$(user))
	@echo "**** $@ complete ****"

datapower/local/server.crt datapower/local/server.csr datapower/local/server.key datapower/local/foo/server.crt datapower/local/foo/server.key:
	mkdir -p datapower/local/foo
	cd datapower/local && rm -f server.crt server.csr server.key
	cd datapower/local && openssl genrsa -passout pass:$(DPPASS_CRYPTO) -des3 -out server.key 4096
	cd datapower/local && printf "$(DN_CountryCode)\n$(DN_State_Province)\n$(DN_City)\n$(DN_Organization)\n$(DN_OrgUnit)\n$(DN_CommonName)\n$(DN_EmailAddress)\n\n\n" | \
	openssl req -passin pass:$(DPPASS_CRYPTO) -new -key server.key -out server.csr
	cd datapower/local && openssl x509 -passin pass:$(DPPASS_CRYPTO) -req -days 365 -in server.csr -signkey server.key -out server.crt
	cp datapower/local/server.key datapower/local/foo/server.key
	cp datapower/local/server.crt datapower/local/foo/server.crt

datapower/config/password-map.cfg:
	mkdir -p datapower/config
	rm -f $@; touch $@; chmod 600 $@
	echo "crypto" > $@
	echo "  add password-map foo secretfoo" >> $@
	echo "  add password-map bar secretbar" >> $@
	echo "  add password-map crypto $(DPPASS_CRYPTO)" >> $@
	echo "exit" >> $@

commit:
	docker rmi $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG) >/dev/null 2>&1 || true
	docker exec $(CONTAINER_NAME) killall datapower-launch || true
	$(wait-for-stop)
	rm -f datapower/running
	docker stop -t $(MAXWAIT) $(CONTAINER_NAME) || true
	docker commit --change='CMD ["/opt/ibm/datapower/datapower-launch"]' -c "EXPOSE 9090" $(CONTAINER_NAME) $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG)
	@echo "**** $@ complete ****"

#####################################

shell:
	docker exec -it $(CONTAINER_NAME) /bin/bash

# Start the CLI via telnet. But first wait up to $(MAXWAIT) sec for telnet to come up.
252 | cli: LISTENPORT=2200 253 | cli: 254 | $(wait-for-listener) 255 | docker exec -it $(CONTAINER_NAME) telnet 127.0.0.1 2200 ; true 256 | 257 | gui: LISTENPORT=9090 258 | gui: 259 | $(wait-for-listener) 260 | firefox https://$(DP_DOCKER_HOST):$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME)) > /dev/null 2>&1 & 261 | 262 | run: 263 | docker run --detach=$(RUNDETACH) --name $(CONTAINER_NAME) $(RUNFLAGS) $(RUNREGISTRY)$(RUNREPOSITORY):$(RUNTAG) $(CONTAINER_CMD) 264 | 265 | stop: 266 | rm -f datapower/running 267 | docker stop -t $(MAXWAIT) $(CONTAINER_NAME) || true 268 | 269 | rm: stop 270 | docker rm $(CONTAINER_NAME) || true 271 | 272 | kill: 273 | docker kill $(CONTAINER_NAME) || true 274 | 275 | clean: rm 276 | sudo rm -rf ./datapower/config/foo/foo.cfg ./datapower/config/auto-startup.cfg ./datapower/config/autoconfig.cfg ./datapower/config/evolve.enabled 277 | 278 | .PHONY: cleaner 279 | cleaner: clean 280 | rm -f $(GENERATEDFILES) 281 | find datapower/ -type f ! -name evolve.cfg -print0 | xargs -0 rm -f || true 282 | 283 | # Fix permissions and ownership. 284 | # If new docker-created root files are present; save them. 285 | .PHONY: fixate 286 | fixate: 287 | find datapower/ -user root -print0 | xargs -0 --no-run-if-empty sudo chown --no-dereference --reference=. || true 288 | 289 | .PHONY: logs 290 | logs: 291 | docker logs $(CONTAINER_NAME) 2>&1 292 | 293 | # When we tag, add identifying information about the DataPower packages that are installed. 
294 | .PHONY: tagdeb 295 | tagdeb: DPVERSION=$(subst +,-,$(shell docker run --rm -it $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG) dpkg-query --show --showformat='$${Version}' ibm-datapower-*image )) 296 | tagdeb: DPPACKAGE=$(subst -image,,$(subst ibm-datapower-,,$(subst ibm-datapower-image,,$(subst +,-,$(shell docker run --rm -it $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG) dpkg-query --show --showformat='$${Package}' ibm-datapower-*image ))))) 297 | tagdeb: FROMID=ubuntu 298 | tagdeb: tag 299 | 300 | .PHONY: tagrpm 301 | tagrpm: DPVERSION=$(subst +,-,$(shell docker run --rm -it $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG) /bin/sh -c "rpm -qa --queryformat '%{name} %{version}\n' | grep '^ibm-datapower-.*image' | cut -d' ' -f2 ")) 302 | tagrpm: DPPACKAGE=$(subst -image,,$(subst ibm-datapower-,,$(subst ibm-datapower-image,,$(subst +,-,$(shell docker run --rm -it $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG) /bin/sh -c "rpm -qa --queryformat '%{name} %{version}\n' | grep '^ibm-datapower-.*image' | cut -d' ' -f1 "))))) 303 | tagrpm: FROMID=$(shell docker run --rm -it $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG) /bin/sh -c '. /etc/os-release; echo $$ID') 304 | tagrpm: tag 305 | 306 | .PHONY: tag 307 | tag: 308 | docker tag -f $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG) $(RESULTREGISTRY)$(RESULTREPOSITORY):latest 309 | docker tag -f $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG) $(RESULTREGISTRY)$(RESULTREPOSITORY):$(RESULTTAG)-$(DPPACKAGE)-$(DPVERSION)-$(FROMID) 310 | 311 | datapower/%: 312 | mkdir -p $@ 313 | 314 | -------------------------------------------------------------------------------- /docker/customer-optimized/Makefile.secrets: -------------------------------------------------------------------------------- 1 | # Imported by Makefile; sets passwords for each user. 
2 | # The users are created in the usual way, via CLI 3 | # Each of the user passwords is set to "changeme" in evolve.cfg 4 | # Then the Makefile sets the password for each user 5 | # This allows all the passwords to be held in just this one place. 6 | 7 | DPUSERS = admin annieadmin freddiefoo 8 | DPPASS_admin = supersecret 9 | DPPASS_annieadmin = raggedyanne 10 | DPPASS_freddiefoo = freddiefriesfoo 11 | 12 | DPPASS_CRYPTO = mySuperDuperSecretPassword 13 | 14 | DN_CountryCode = . 15 | DN_State_Province = . 16 | DN_City = . 17 | DN_Organization = . 18 | DN_OrgUnit = . 19 | DN_CommonName = $(shell hostname --fqdn) 20 | DN_EmailAddress = $(USER)@$(shell hostname --domain) 21 | -------------------------------------------------------------------------------- /docker/customer-optimized/README.md: -------------------------------------------------------------------------------- 1 | # Purpose 2 | 3 | A more advanced sample, customer-optimized is functionally similar to 4 | deb2img and customer-commit combined but is more careful with image commits to 5 | try to keep the image size as small as possible. 6 | Such a workflow avoids unnecessarily increasing the size of the image 7 | 8 | NOTICE: This is a legacy example that does not take advantage of DataPower Gateway for Docker. Consider using the [ibmcom-datapower-example](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/ibmcom-datapower-example) instead. 9 | 10 | ## Usage 11 | 12 | Files: 13 | 14 | * bldsrc/ - Working directory where to place ibm-datapower-image.deb and ibm-datapower-common.deb 15 | or respective rpm files. 16 | 17 | * Makefile - Automates the workflow steps 18 | 19 | * Makefile.secrets - Imported by `Makefile`, sets user passwords 20 | 21 | * datapower/config - Config directory with mapping inside DataPower's `config:`` directory 22 | , mounted as a Docker volume in this example. 
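The `datapower/config/password-map.cfg` recipe in the Makefile above creates the file with `rm -f; touch; chmod 600` and only then appends the CLI lines, so for a moment the file exists with whatever mode the umask gives it. As an added example (my own code, not part of datapower-labs) this POSIX sh function writes the same `crypto` / `add password-map` / `exit` file that evolve.cfg loads, private from the instant it is created, and rejects entries the unquoted CLI line could not carry; the function names, the check and the sample entries are my own.

```shell
#!/bin/sh
# Added example, not part of datapower-labs: write the password-map.cfg
# that evolve.cfg loads with "exec config:///password-map.cfg" so that the
# file has mode 0600 from the moment it exists, instead of being created
# first and chmod'ed afterwards.
#
# Usage: write_password_map OUTFILE ALIAS=SECRET [ALIAS=SECRET ...]
# Secrets are handled only by shell builtins and the final file.

# An alias must fit on a DataPower CLI line unquoted: letters, digits, _ . -
valid_alias() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

write_password_map() {
    out=$1; shift
    [ $# -gt 0 ] || { echo "write_password_map: no entries" >&2; return 1; }
    dir=$(dirname "$out")
    mkdir -p "$dir" || return 1
    # Subshell: umask 077 applies to the temp file and to nothing else;
    # "exit" inside it only leaves the subshell and becomes our return code.
    (
        umask 077
        tmp=$(mktemp "$dir/.password-map.XXXXXX") || exit 1
        {
            echo "crypto"
            for entry in "$@"; do
                name=${entry%%=*}
                secret=${entry#*=}
                # Reject: no '=', empty or malformed alias, empty secret,
                # or whitespace in the secret (it would split the CLI line).
                if [ "$name" = "$entry" ] || ! valid_alias "$name"; then
                    bad=1
                else
                    case "$secret" in ''|*[[:space:]]*) bad=1 ;; *) bad=0 ;; esac
                fi
                if [ "$bad" = 1 ]; then
                    echo "write_password_map: bad entry for alias '$name'" >&2
                    rm -f "$tmp"; exit 1
                fi
                echo "  add password-map $name $secret"
            done
            echo "exit"
        } > "$tmp" || { rm -f "$tmp"; exit 1; }
        mv -f "$tmp" "$out"     # atomic rename within the same directory
    )
}

# Sanity check a generated file: mode exactly 0600, "crypto" first,
# "exit" last, and nothing but well-formed add lines in between.
check_password_map() {
    f=$1
    [ -f "$f" ] || return 1
    find "$f" -perm 600 | grep -q . || return 1      # POSIX find: exact mode
    [ "$(sed -n '1p' "$f")" = "crypto" ] || return 1
    [ "$(sed -n '$p' "$f")" = "exit" ] || return 1
    if sed -n '2,$p' "$f" | sed '$d' \
       | grep -vq '^  add password-map [A-Za-z0-9_.-][A-Za-z0-9_.-]* [^[:space:]][^[:space:]]*$'; then
        return 1
    fi
    return 0
}
```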
--------------------------------------------------------------------------------
/docker/customer-optimized/bldsrc/README:
--------------------------------------------------------------------------------
Place the DataPower .deb or .rpm files in this directory. You need only one
set of .debs or one set of .rpms.

Name them:

ibm-datapower-image.deb
ibm-datapower-common.deb
ibm-datapower-image.rpm
ibm-datapower-common.rpm
--------------------------------------------------------------------------------
/docker/customer-optimized/datapower/config/evolve.cfg:
--------------------------------------------------------------------------------
%if% isfile "config:///evolve.enabled"

# Commands performed to evolve a license-accepted DataPower
# Docker image into a DataPower where users and passwords
# are set, crypto material is loaded, and password maps
# are created. This is only run after the initial questions
# are answered, and can only be run once; otherwise
# parts of it will fail.

top; configure terminal;

# Set up users and temporary passwords. Passwords will be changed
# by another step in the build process. This allows the passwords
# to be closely held and localized in a single file. Passwords
# are expected to be different for every builder. The temporary
# password for each user is "changeme".
user "admin"
  password "changeme"
exit

user "annieadmin"
  password "changeme"
  access-level privileged
exit

user "freddiefoo"
  password "changeme"
  access-level user
  domain foo
exit

# Create domains; must be done before the copying of files
domain foo
  visible-domain default
exit

# Copy crypto material
copy -f local:///server.crt sharedcert:///server.crt
copy -f local:///server.key sharedcert:///server.key
copy -f local:///server.crt cert:///server.crt
copy -f local:///server.key cert:///server.key

copy -f local:///server.crt cert:///foo/server.crt
copy -f local:///server.key cert:///foo/server.key

# The password-map.cfg file comes from "somewhere else". It might
# be closely held by the release engineering team. Developers might
# have their own version -- that is what this example shows.
# password-map.cfg is generated by the Makefile using a password
# held in Makefile.secrets.
exec config:///password-map.cfg

# Write mem will trigger password map save
write mem

# Run Once Only!
delete config:///evolve.enabled

%endif%
--------------------------------------------------------------------------------
/docker/deb2img/.gitignore:
--------------------------------------------------------------------------------
*.deb
--------------------------------------------------------------------------------
/docker/deb2img/Dockerfile:
--------------------------------------------------------------------------------
# Purpose:
#   Create a Docker image that contains a DataPower Gateway. The resulting
#   image will have the WebGUI enabled so the license can be accepted.
#
# Usage:
#   1) Place the DataPower debian packages in the docker build directory
#   2) Rename the packages ibm-datapower-common.deb and ibm-datapower-image.deb
#      respectively.
#   3) Issue the command "docker build ."
#
# Notes:
#   After building the DataPower image, run it mapping port 9090 (the
#   WebGUI port EXPOSEd below). Browse to the mapped port and accept the
#   license.
#
#   To access the cli of a running container, issue the following command,
#   substituting the container's name for <container-name>:
#   docker exec -it <container-name> telnet 127.0.0.1 2200

FROM ubuntu:trusty

# Place *only* the one common deb and one image deb in the local directory
# before running docker build
COPY ibm-datapower-common.deb ibm-datapower-image.deb /tmp/

ENV DEBIAN_FRONTEND noninteractive

# Install dependencies, enable web-mgmt, prepare for first run.
# Don't carry the deb packages forward in the image
RUN echo "Installing dependencies" \
  && apt-get update \
  && apt-get -y install \
       kpartx \
       schroot \
       telnet \
  && echo "Installing DataPower Packages" \
  && dpkg -i /tmp/ibm-datapower-common.deb /tmp/ibm-datapower-image.deb \
  && echo "Enabling WebGUI" \
  && sed -i \
       -e '/^web-mgmt/,/^exit/s/admin-state.*/admin-state "enabled"/g' \
       /opt/ibm/datapower/datapower-external.cfg \
  && echo "Removing intermediate package files" \
  && rm /tmp/ibm-datapower-common.deb /tmp/ibm-datapower-image.deb \
  && echo "Preparing to run" \
  && /opt/ibm/datapower/datapower-docker-build.sh \
  && mkdir -p /datapower/config /datapower/local \
  && echo "DataPowerConfigDir=/datapower/config" >> /opt/ibm/datapower/datapower.conf \
  && echo "DataPowerLocalDir=/datapower/local" >> /opt/ibm/datapower/datapower.conf \
  && echo "DataPowerCpuCount=4" >> /opt/ibm/datapower/datapower.conf


# EXPOSE the port for the WebGUI.
EXPOSE 9090

CMD ["/opt/ibm/datapower/datapower-launch"]
--------------------------------------------------------------------------------
/docker/deb2img/Makefile:
--------------------------------------------------------------------------------
# Instructions:
#
# 1) Place the DataPower debian packages in the docker build directory
# 2) Rename the packages ibm-datapower-common.deb and ibm-datapower-image.deb
#    respectively.
# 3) make build -- this will give you a docker image of a just-installed
#    DataPower Gateway. This is the DataPower Factory Image.
# 4) make evolve -- this starts the DataPower Gateway in a container;
#    It runs the factory image so the license can be accepted and initial
#    configuration performed. This will evolve into the base image.
# 5) make cli -- Connect to the DataPower via the CLI. Initially this
#    is used for selecting secure backup and common criteria mode,
#    later it can be used for testing the resulting image.
# 6) make accept-license -- Opens the DataPower WebGUI in Firefox.
# 7) Accept the license in the DataPower WebGUI, then press 'enter' to
#    continue
# 8) make stop -- This stops the DataPower container but does not delete it.
# 9) make commit -- creates a docker image of the license-accepted
#    DataPower Gateway. This image is called "-base" because it will be
#    used as the base for future DataPower images.
# 10) make run -- runs the -base image.
# 11) make tag -- tags the license-accepted image from the previous step
#    with the :latest suffix.
#
# This can be shortened to 3 steps:
# 1) make build evolve cli gui
# 2) accept license
# 3) make stop commit rm tag
#
# And an optional test step, to verify that the resulting image works properly.
# 4) make run cli rm
#
# For the especially brave, the whole process can be shortened to a single step:
# A) Use the "all" target: "make" or "make all".
# B) optional "make run cli rm" to test
#
# At the end of this process, you will have a DataPower Docker image suitable
# for use as a base for application development.
#
# A note on naming conventions:
# * The registry defaults to USER. Override at will. Add the registry prefix.
# * The repository defaults to the package name of the -image deb, with the
#   trailing "-image" removed and "-factory" appended.
# * The default name for a running container is "datapower". Override at will,
#   remember that the name of a container must be unique on this docker engine.
# * The repository of the committed image is the same as the name of the built image
#   with the addition of the "-base" suffix. This is because the committed,
#   license-accepted DataPower gateway is the image that will serve as the base
#   for other DataPower Gateway images created with docker build.
# * The tagged image is the same repository as the "-base" repository, except that the
#   tag is "latest".
#
# A note on working with multiple containers:
# * The default container name is "datapower"
# * The "CONTAINER_NAME" variable can be specified on make or as an environment
#   variable.
# * The "CONTAINER_HTTP_PROXY" variable can be specified to enable docker image
#   building behind a firewall, e.g. CONTAINER_HTTP_PROXY=http://9.138.237.58:3128
#   (you'll probably need http_proxy in /etc/default/docker as well)
#   (e.g. export http_proxy="http://9.138.237.58:3128")
# * One option is to have a window for each of several DataPower containers
# * And set CONTAINER_NAME=datapowerX, where X is 1..n, and is unique in each
#   window.

# Windows notes:
# 1) Use cygwin
# 2) Make sure to place your build dir somewhere under c:\users or /cygdrive/c/users,
#    it's the only way Docker volumes work as of this writing
# 3) Ensure that you can use docker and that your docker-machine meets
#    DataPower's minimum requirements of 2 CPUs, 4G ram, and 100G disk
# 4) Use the cmd.exe and not the cygwin terminal to invoke make

# Override these at will
REGISTRY ?= $(USER)
PACKAGENAME ?= datapower
TAG ?= 0.1
CONTAINER_NAME ?= datapower
MAXWAIT=600

# Used internally to the Makefile
BLDDIR=$(subst /cygdrive,,$(shell pwd))
FACTORYREPOSITORY=$(PACKAGENAME)-factory
BASEREPOSITORY=$(PACKAGENAME)-base
REPOSITORY=$(BASEREPOSITORY)

RUNFLAGS = --restart=on-failure --privileged -P

.PHONY: all build shell evolve run rm cli gui accept-license clean commit tag stop

all: build evolve cli accept-license stop commit rm tag

# Wait until a listener is on a port before trying to connect with it.
# Inside the container, check netstat once a second until the TCP
# port is in LISTEN. Time out after MAXWAIT.
define wait-for-listener
	@docker exec -it $(CONTAINER_NAME) /bin/bash -c \
	'MSG="Waiting for port $(LISTENPORT) listener"; \
	NL=""; \
	for (( i=0, RC=1; i<$(MAXWAIT); i++ )); do \
	netstat -ln | grep -q "^tcp.*:$(LISTENPORT).*LISTEN" \
	&& { RC=0; break; }; \
	echo -n $$MSG; \
	MSG=.; \
	NL="\n"; \
	sleep 1; \
	done; \
	echo -ne "$$NL"; \
	exit $$RC'
endef

# The DOCKER_HOST variable may be unset or may contain tcp://1.2.3.4:1234
# We just want to know the address of the Docker Engine we're talking to
# so it's either the IP address portion of DOCKER_HOST or it's 127.0.0.1.
ifeq '$(DOCKER_HOST)' ''
DP_DOCKER_HOST=127.0.0.1
else
# remove the leading tcp://, then replace the : with a " " so we have
# 2 words. Lastly take just the first word, which is just the IP address
# portion of the DOCKER_HOST.
DP_DOCKER_HOST=$(firstword $(subst :, ,$(patsubst tcp://%,%,$(DOCKER_HOST))))
endif

build: Dockerfile ibm-datapower-common.deb ibm-datapower-image.deb
	docker build --pull -t $(REGISTRY)/$(FACTORYREPOSITORY):$(TAG) .

evolve: REPOSITORY=$(FACTORYREPOSITORY)
evolve: run
	@echo "#############################################################"
	@echo "## It is a manual process to turn a factory image into a   ##"
	@echo "## base image. You must now answer the initial questions   ##"
	@echo "## DataPower normally asks upon initialization, such as    ##"
	@echo "## enabling secure backup and common criteria mode. You    ##"
	@echo "## will also be prompted to change the DataPower password. ##"
	@echo "## As soon as you receive a DataPower prompt, type 'exit'. ##"
	@echo "#############################################################"
	@echo ""

shell:
	docker exec -it $(CONTAINER_NAME) /bin/bash

# Start the CLI via telnet. But first wait up to $(MAXWAIT) sec for telnet to come up.
cli: LISTENPORT=2200
cli:
	$(wait-for-listener)
	docker exec -it $(CONTAINER_NAME) telnet 127.0.0.1 2200 ; true

gui: LISTENPORT=9090
gui:
	$(wait-for-listener)
	firefox https://$(DP_DOCKER_HOST):$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME) 2>/dev/null) > /dev/null 2>&1 &

accept-license: LISTENPORT=9090
accept-license: WEBGUIPORT=$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME) 2>/dev/null)
accept-license: gui
	@echo "#############################################################"
	@echo "## In the WebGUI, please accept the DataPower license.     ##"
	@echo "## After you have accepted the license, wait until you     ##"
	@echo "## are again presented with a login prompt.                ##"
	@echo "##                                                         ##"
	@echo "## Only after you see the DataPower login prompt should    ##"
	@echo "## you press 'Enter' in this screen to continue.           ##"
	@echo "##                                                         ##"
	@echo "## If a browser does not open automatically, you must      ##"
	@echo "## point an appropriate browser to port $(WEBGUIPORT)      ##"
	@echo "## of the Docker host using https in order to accept the   ##"
	@echo "## license manually.                                       ##"
	@echo "##                                                         ##"
	@echo "## Press 'Enter' ONLY after BOTH accepting the license     ##"
	@echo "## AND being prompted with a new login screen!             ##"
	@echo "#############################################################"
	@echo ""
	@bash -c "read"

run:
	docker run -d --name $(CONTAINER_NAME) $(RUNFLAGS) $(REGISTRY)/$(REPOSITORY):$(TAG)

stop:
	docker stop -t $(MAXWAIT) $(CONTAINER_NAME) || true

rm: stop
	docker rm $(CONTAINER_NAME) || true

commit:
	docker rmi $(REGISTRY)/$(BASEREPOSITORY):$(TAG) >/dev/null 2>&1 || true
	docker commit $(CONTAINER_NAME) $(REGISTRY)/$(BASEREPOSITORY):$(TAG)

tag:
	docker tag -f $(REGISTRY)/$(BASEREPOSITORY):$(TAG) $(REGISTRY)/$(BASEREPOSITORY):latest
--------------------------------------------------------------------------------
/docker/deb2img/README.md:
--------------------------------------------------------------------------------
## deb2img Purpose:

Given the DataPower Gateway Debian files, create a Docker Image suitable
for further DataPower work.

NOTICE: This is a legacy example that does not take advantage of DataPower Gateway for Docker. Consider using the [ibmcom-datapower-example](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/ibmcom-datapower-example) instead.

## Usage:

0) Meet the documented DataPower Gateway Virtual Edition minimum
   requirements. Four cores and 8 GB RAM is a good starting place.
   Have Docker already installed and working properly. Additionally,
   a browser will have to be available for accepting the license.
   The experience will be best if Firefox is available on the build
   host. This example is Makefile based; GNU make is required.

1) Download the DataPower Gateway Virtual Edition Debian files from
   IBM Passport Advantage

2) Name the files "ibm-datapower-common.deb" and "ibm-datapower-image.deb"
   respectively. The process works the same way no matter which variety of
   image deb is used.

3) Run `make`. It will:
   * `docker build` -- Create a DataPower "factory image" using the sample
     Dockerfile from the debs
   * `docker run` -- Run DataPower in a container
   * `docker exec` -- Use the DataPower CLI to answer initial setup questions
   * Try to use Firefox to accept the license.
   * `docker stop` -- Gracefully stop the DataPower container
   * `docker commit` -- Save the license-accepted container as a "base image"
   * `docker rm` -- Delete the license-accepted container, we don't need it
     any more.
   * `docker tag` -- tag the image as "latest".

4) Try out your new "base image"
   * `make run` -- Run a container from the base image, named "datapower" by default
   * `make cli` -- Access the cli of the running "datapower" container
   * `make gui` -- Access the DataPower WebGUI
   * `make rm` -- Stop and remove the container "datapower"
   * Use it as the FROM in another Docker project!

The Makefile itself contains extensive, detailed notes.

This is the first step in taking advantage of a Dockerized
DataPower Gateway. The next step is to create another image based upon
this image.
--------------------------------------------------------------------------------
/docker/deb2img/linkdeb.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# A little helper that finds a -common.deb and a -image.deb that were
# locally built in WORKDIR and creates hard links for use by Makefile.
# Keep this separate, since the Makefile is a fairly customer-ready
# example

set -ex

if [ -z "$WORKDIR" -o ! -d "$WORKDIR" ]
then
  echo FAIL: WORKDIR not set or not a dir
  exit 1
fi

COMMON=$(find $WORKDIR/_build/x86_64/datapower/distro-ng -name \*-common\*.deb | head -1)
IMAGE=$(find $WORKDIR/_build/x86_64/datapower/distro-ng -name \*-image\*.deb | head -1)

if [ "$COMMON" -a "$IMAGE" ]
then
  ln -f "$COMMON" ibm-datapower-common.deb
  ln -f "$IMAGE" ibm-datapower-image.deb
  exit 0
fi

echo FAIL: could not find debian packages
exit 1
--------------------------------------------------------------------------------
/docker/ibmcom-datapower-example/.dockerignore:
--------------------------------------------------------------------------------
# Don't build in auto-generated files from dev
# These files are not in version control,
# but they might be in the directory as a result of 'rundev'.
src/drouter/config/debug.cfg
src/drouter/config/foo/debug.cfg
src/drouter/config/foo/loadbalancer-group.cfg
src/drouter/config/reset-password-imp.cfg
src/drouter/config/vbox-inotify-workaround.cfg
src/drouter/config/web-mgmt.cfg
--------------------------------------------------------------------------------
/docker/ibmcom-datapower-example/.gitignore:
--------------------------------------------------------------------------------
# Files that don't need to be saved because they're generated at runtime
src/drouter/config/debug.cfg
src/drouter/config/foo/debug.cfg
src/drouter/config/foo/loadbalancer-group.cfg
src/drouter/config/vbox-inotify-workaround.cfg
src/drouter/config/web-mgmt.cfg
src/drouter/local/foo/server.crt
src/drouter/local/foo/server.key
src/drouter/local/server.crt
src/drouter/local/server.csr
src/drouter/local/server.key
Dockerfile
.*.swp
--------------------------------------------------------------------------------
/docker/ibmcom-datapower-example/Makefile:
--------------------------------------------------------------------------------
# Instructions:
#
# This project:
# A) Like a builder: make
#    This will build, run, test, and tag the resulting image. If this completes,
#    then the resulting image works.
#
# B) As a developer:
#    a) make rundev
#    b) Do development!
#    c) make test, if fail, goto b
#    d) make stop fixate clean build run test
#    e) Perform other manual tests. If tests fail, make rm rundev and goto b
#    f) If happy, check in any and all resulting files
#
# A note on naming conventions:
# * The registry defaults to USER. Override at will. Add the registry prefix.
# * The repository defaults to ibmcom-datapower-example.
# * The default name for a running container is "ibmcom-datapower-example". Override at will,
#   remember that the name of a container must be unique on this docker engine.
# * The repository of the committed image is the same as the name of the built image
# * The tagged image is the same repository, except the tag is "latest" instead
#   of the value of TAG, which defaults to 0.1.
#
# A note on working with multiple containers:
# * The default container name is "ibmcom-datapower-example"
# * The "CONTAINER_NAME" variable can be specified on make or as an environment
#   variable.
# * One option is to have a window for each of several DataPower containers
# * And set CONTAINER_NAME=foo, where foo is unique in each window.
#
# How it works:
#
# We start from the publicly available ibmcom/datapower:7.5.2 image. This image is
# DataPower "fresh from the factory".
#
# When we docker build this image, we add DataPower configuration
# to DataPower in /drouter/local and /drouter/config. We also use our own CMD so
# we can run our own code prior to DataPower starting. The code looks at
# the Docker environment and produces DataPower .cfg files in /datapower/config
# that are then loaded by a DataPower include-config.
#
# We place all of our content inside the ./src directory. This aids
# the docker build process since ./src can be copied into the new image
# via the Dockerfile. For running as a developer (without needing to build
# first), files under ./src are mapped as volumes on the 'docker run' line.
# This allows "write mem" and WebGUI "Save" to cause DataPower to write
# configuration to src/drouter/config/auto-startup.cfg and src/drouter/config/
# /.cfg. Additionally, direct editing on xsl and gatewayscript
# files is possible using one's favorite editor.
#
# When we run the resulting image, we either run it in development mode (rundev)
# or in unit test mode (run). The run target runs the built image without mounting
# volumes, so only the files built into the docker image are used. The rundev
# target runs the docker image using the datapower directory as a volume for
# /datapower.
#
# Examples of DataPower configuration that is inherited from the Docker environment
# include the DEBUG environment variable which controls some DataPower log targets and
# the creation of a load balancer group that allows distribution among all linked
# back-end servers on port 8080.
#
# This image can then be run and tested. Once the image's validity is verified,
# it can be tagged as ibmcom-datapower-example:latest for use in the ibmcom-datapower-example project.
#
# The point of this step is to enable DataPower development workflows and
# release engineering processes. This is what allows DataPower docker images
# to be run everywhere, to adapt themselves to the running environment, and to
# integrate with deployment methodology.
#
# The resulting DataPower docker image is one that would be "docker push"ed to
# a private registry and deployed.
#
# The targets:
#
# rundev: Use this target for DataPower development. DataPower runs, and the
# datapower/ directory is a volume. Clicking 'save' in DataPower causes files
# to be saved in datapower/config and datapower/local where they can be used
# with version control.
#
# build: Performs the docker build. After rundev and testing is working
# satisfactorily, use the build target to put datapower/ into a Docker image.
#
# shell: Run a busybox shell inside the container
#
# gui: Load the DataPower WebGUI in firefox
#
# run: Run the built docker image
#
# test: Test the DataPower services deployed in the running container. The
# DataPower container must be running with either rundev or run first.
#
# stop: Stop the running container
#
# rm: Delete the container
#
# clean: Remove files generated by the Makefile and the non-persisted results
# of rundev
#
# fixate: Like a photocopier, fixate takes the docker/DataPower created files
# from dev mode and fixes the permissions so the ownership is consistent with
# the rest of the project. Use this step after rundev and before build or
# version control operations.
#
# logs: Show the docker logs for the container
#
# tag: Add the :latest tag to the result docker image
#
# NUM_BACKENDS specifies how many back-end servers should be used. It
# defaults to 3. It must be specified on the run, rundev, test, and rm
# make targets.
#
# DEBUG can be used to enable a debug log target inside DataPower. It may
# be specified on the rundev or run targets.

BASEREPOSITORY ?= ibmcom/datapower
FROMTAG ?= 7.5.2
RESULTREPOSITORY ?= $(USER)/ibmcom-datapower-example
REPOSITORY = $(RESULTREPOSITORY)
TAG ?= 0.1
CONTAINER_NAME ?= ibmcom-datapower-example
NUM_BACKENDS ?= 3

MAXWAIT = 30
DEBUG ?=
RESET_PASSWORD ?= true

RUNFLAGS = -it -P -e DEBUG="$(DEBUG)" -e DP_RESET_PASSWORD="$(RESET_PASSWORD)"

BACKEND_CONTAINER_NAMES = $(foreach backend, $(shell seq $(NUM_BACKENDS)), $(CONTAINER_NAME)-backend-$(backend))

.PHONY: all build shell crypto run rundev rm cli gui clean cryptoclean logs tag stop fixate test

all: fixate build run test tag

# Make sure a listener is on a port before trying to connect with it.
# Inside the container, check netstat once a second until the TCP
# port is in LISTEN.
define wait-for-listener
	@docker exec -it $(CONTAINER_NAME) /bin/sh -c \
	'MSG="Waiting for port $(LISTENPORT) listener"; \
	NL=""; \
	RC=1; \
	for i in `seq 1 $(MAXWAIT)`; do \
	netstat -ln | grep -q "^tcp.*:$(LISTENPORT).*LISTEN" \
	&& { RC=0; break; }; \
	echo -n $$MSG; \
	MSG=.; NL="\n"; \
	sleep 1; \
	done; \
	echo -ne "$$NL"; \
	exit $$RC'
endef

# The DOCKER_HOST variable may be unset or may contain tcp://1.2.3.4:1234
# We just want to know the address of the Docker Engine we're talking to
# so it's either the IP address portion of DOCKER_HOST or it's 127.0.0.1.
ifeq '$(DOCKER_HOST)' ''
DP_DOCKER_HOST=127.0.0.1
DP_VBOX_INOTIFY=
else
# remove the leading tcp://, then replace the : with a " " so we have
# 2 words. Lastly take just the first word, which is just the IP address
# portion of the DOCKER_HOST.
DP_DOCKER_HOST=$(firstword $(subst :, ,$(patsubst tcp://%,%,$(DOCKER_HOST))))
DP_VBOX_INOTIFY=-e DP_VBOX_INOTIFY=true
endif

# On Mac, we still use the gnu utils, but they might be called by other names
ifeq '$(shell uname -s)' 'Darwin'
# Homebrew names the gnu utils by prepending 'g'. Note that they must be installed!
FIND=gfind
SED=gsed
XARGS=gxargs
else
FIND=find
SED=sed
XARGS=xargs
endif

# The args we pass in to rundev have to be equivalent to the directives we put in the Dockerfile.
# Rundev uses a stock IBM DataPower Gateway docker image as it is provided by IBM.
# The only additions to that image are those controlled by this project.
rundev: RUNFLAGS+=-v $(PWD)/src/drouter/config:/drouter/config -v $(PWD)/src/drouter/local:/drouter/local -v $(PWD)/src/start:/start -v $(PWD)/src/start.sh:/start.sh -p 443 $(DP_VBOX_INOTIFY) -e DATAPOWER_ACCEPT_LICENSE=true -e DATAPOWER_WORKER_THREADS=2 -e DATAPOWER_INTERACTIVE=true -e DP_WEB_MGMT=true -p 9090
rundev: LISTENPORT=2200
rundev: REPOSITORY=$(BASEREPOSITORY)
rundev: TAG=$(FROMTAG)
rundev: src/drouter/config src/drouter/local run
rundev: CONTAINER_CMD=/start.sh
rundev: RESET_PASSWORD=false

# The Dockerfile has to be generated so we can put the correct
# BASEREPOSITORY into it
Dockerfile: Makefile
	echo '# Dockerfile generated by Makefile $(shell date)' > $@
	echo 'FROM $(BASEREPOSITORY):$(FROMTAG)' >> $@
	echo 'ENV DATAPOWER_ACCEPT_LICENSE=true \' >> $@
	echo '    DATAPOWER_WORKER_THREADS=2 \' >> $@
	echo '    DATAPOWER_INTERACTIVE=true' >> $@
	echo 'COPY src/ /' >> $@
	echo 'EXPOSE 443' >> $@
	echo 'CMD ["/start.sh"]' >> $@


build: Dockerfile crypto
	docker build --no-cache -t $(RESULTREPOSITORY):$(TAG) .

shell:
	docker exec -it $(CONTAINER_NAME) /bin/sh

# Attach to the docker console to get to the cli. Show the password if it was autogenerated at startup.
# Don't grab all the logs, there might be too many. Instead just look at the first few hundred lines.
cli:
	docker logs $(CONTAINER_NAME) 2>&1 | head -200 | sed -n '/^user /,/^exit/p'
	docker attach $(CONTAINER_NAME)

gui: LISTENPORT=9090
gui:
	$(wait-for-listener)
	docker logs $(CONTAINER_NAME) 2>&1 | head -200 | sed -n '/^user /,/^exit/p'
	firefox https://$(DP_DOCKER_HOST):$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME)) > /dev/null 2>&1 &

run: crypto
	$(foreach name, $(BACKEND_CONTAINER_NAMES), docker run -d --name $(name) --hostname $(name) hstenzel/nodejs-hostname; ) true
	docker run -itd --name $(CONTAINER_NAME) $(RUNFLAGS) $(EXTRA_RUNFLAGS) $(foreach name, $(BACKEND_CONTAINER_NAMES), --link $(name)) $(REPOSITORY):$(TAG) $(CONTAINER_CMD)

test: LISTENPORT=443
test:
	$(wait-for-listener)
	curl --insecure $(foreach name, $(BACKEND_CONTAINER_NAMES), https://$(DP_DOCKER_HOST):$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME))) | sort

stop:
	docker stop $(CONTAINER_NAME) || true

rm: stop
	docker rm $(CONTAINER_NAME) || true
	docker rm -f $(BACKEND_CONTAINER_NAMES) || true

clean:
	rm -f Dockerfile src/drouter/config/foo/loadbalancer-group.cfg src/drouter/config/debug.cfg src/drouter/config/foo/debug.cfg src/drouter/config/vbox-inotify-workaround.cfg src/drouter/config/web-mgmt.cfg

cryptoclean:
	rm -rf src/drouter/local/server.crt src/drouter/local/server.csr src/drouter/local/server.key src/drouter/local/foo/server.crt src/drouter/local/foo/server.key

cleaner: clean cryptoclean

# Fix permissions and ownership.
# If new docker-created root files are present; save them.
# Ensure that web-mgmt does not appear in auto-startup.cfg; we want web-mgmt to be completely under the control of the include-config.
# The same is true for all the other generated config -- under no circumstances should they appear in the standard config files,
# they should only ever appear in their include-config.
# Also pull out system name; it's a gratuitous change
fixate: clean
	$(FIND) src/ -user root -print0 | $(XARGS) -0 --no-run-if-empty sudo chown --reference=.
	$(SED) -i \
	-e '/^web-mgmt$$/,/^exit$$/d' \
	-e '/^logging target "debug-log"$$/,/^exit$$/d' \
	-e '/^system$$/,/^exit$$/{ /^ *name /d }' \
	src/drouter/config/auto-startup.cfg
	$(SED) -i \
	-e '/^logging target "debug-log"$$/,/^exit$$/d' \
	-e '/^loadbalancer-group "lbg-backend"$$/,/^exit$$/d' \
	src/drouter/config/foo/foo.cfg

.PHONY: diff
diff: fixate
	git diff

logs:
	docker logs $(CONTAINER_NAME) 2>&1

tag:
	docker tag $(REPOSITORY):$(TAG) $(REPOSITORY):latest

datapower/%:
	mkdir -p $@

.PHONY: crypto
DPPASS_CRYPTO?=superdupersecretpassword
crypto: src/drouter/local/server.crt src/drouter/local/server.csr src/drouter/local/server.key src/drouter/local/foo/server.crt src/drouter/local/foo/server.key
src/drouter/local/server.crt src/drouter/local/server.csr src/drouter/local/server.key src/drouter/local/foo/server.crt src/drouter/local/foo/server.key:
	mkdir -p src/drouter/local/foo
	cd src/drouter/local && rm -f server.crt server.csr server.key
	cd src/drouter/local && openssl genrsa -passout pass:$(DPPASS_CRYPTO) -des3 -out server.key 4096
	cd src/drouter/local && printf "$(DN_CountryCode)\n$(DN_State_Province)\n$(DN_City)\n$(DN_Organization)\n$(DN_OrgUnit)\n$(DN_CommonName)\n$(DN_EmailAddress)\n\n\n" | \
	openssl req -passin pass:$(DPPASS_CRYPTO) -new -key server.key -out server.csr
	cd src/drouter/local && openssl x509 -passin pass:$(DPPASS_CRYPTO) -req -days 365 -in server.csr -signkey server.key -out server.crt
	cp src/drouter/local/server.key src/drouter/local/foo/server.key
	cp src/drouter/local/server.crt src/drouter/local/foo/server.crt

--------------------------------------------------------------------------------
/docker/ibmcom-datapower-example/README.md:
--------------------------------------------------------------------------------
# Purpose
Use the [IBM DataPower Gateway for Docker](https://hub.docker.com/r/ibmcom/datapower/) to demonstrate basic concepts of using the DataPower Gateway in conjunction with a Docker friendly software development life cycle.

This is applicable *only* to IBM DataPower Gateway for Docker, which was introduced in DataPower v7.5.2. It does *not* apply to the IBM DataPower Gateway for Linux, which is delivered as Debian and RPM packages. While the sample application is the same, the DataPower platform is different, and the development speed, deployment speed, and Docker SDLC integration are much better when using DataPower for Docker instead of DataPower for Linux.

This sample also does not apply to IBM DataPower Gateway v7.6.0 or later. This is because v7.6.0 defaults to a non-root container. This is a great enhancement, but it requires some adjustment to this sample. The author believes it would be better to use `docker-compose` based samples or Kubernetes based samples instead of using the Makefile with `docker` directly.

This project demonstrates how one might:

* Use the DataPower WebGUI as an IDE for DataPower configuration
* Easily edit Gatewayscript or xsl files such that they are immediately
  available inside DataPower with no further action required
* Use version control with DataPower configuration with the docker
  run --volume flag
* Customize containers at run time so they can consume Docker-provided
  environment variables and honor the docker run --link flag
* Build and test new images
* Use the same project directly from version control for both development and deployment
* Have `web-mgmt` available for development but disable all management interfaces for deployment -- all management that needs to be done can be done from the Docker console.
* Have a well-known password (`supersecret`) for development but use a randomly generated password for deployment

## Contents

./.dockerignore -- prevent artifacts from the `rundev` target from leaking into the `build`.

./.gitignore -- mark the files that are not under version control

./Makefile -- the orchestrator. See comments for details of operation.

./README.md -- this file

./src/drouter/config/auto-startup.cfg -- The saved DataPower default domain configuration file. It is updated by a developer via `write mem` in the CLI or save in `web-mgmt`.

./src/drouter/config/auto-user.cfg -- The DataPower config file for users. This one contains the `admin` user with the hashed password that corresponds to `supersecret`.

./src/drouter/config/foo/foo.cfg -- The saved DataPower domain foo configuration. It is updated by a developer via `write mem` in the CLI or save in `web-mgmt`.

./src/drouter/local/foo/hello-too.js -- Gatewayscript in support of the domain foo Multi-Protocol gateway

./src/start.sh -- Startup script, runs the `/start/*` scripts and then starts drouter itself. This is the Dockerfile CMD for this image, so all the scriptlets in the `./src/start/` directory are run before `/bin/drouter` is exec'd.

./src/start/debug.sh -- Generates a log target at run time if the environment variable DEBUG is set, such as `make DEBUG=true run` or `make DEBUG=true rundev`. If set, this causes DataPower configuration in both the `default` and `foo` domains to be run via `include-config` that enables debug log targets. This is controlled by an environment variable and generates an `include-config` file.

./src/start/loadbalancer-group.sh -- Generates the `loadbalancer-group` used by domain `foo` for back end servers. The back end servers are all linked Docker containers and run on port 8080. An `include-config` reads the configuration created by this script. This is controlled by an environment variable and generates an `include-config` file.

./src/start/reset-password.sh -- Generates `config:///reset-password-imp.sh`, but only when a random password is desired for `admin`. It knows when this is desired by looking at an environment variable, which is set by the `Makefile` when the `run` target is used, but not when `rundev` is used. This is controlled by an environment variable and generates an `include-config` file.

./src/start/vbox-inotify-workaround.sh -- Disables Gatewayscript file caching when `rundev` is used, but only if the Docker Engine is remote to the Docker Client. Without this setting, when changes are made to `*.js` files DataPower continues to use the old version. This is controlled by an environment variable and generates an `include-config` file.
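The environment-variable to `include-config` pattern that the start scripts above follow, together with the scrub that the `Makefile`'s `fixate` target applies before anything is checked in, as an added POSIX shell example. This is not the project's own `debug.sh`: the `logging target "debug-log"` header and the `exit` terminator are taken from the `fixate` sed ranges, while the `type`, `local-file` and `event` keywords inside the block are assumptions about the DataPower CLI, and the saved config that gets scrubbed is constructed inline rather than taken from a real gateway.

```shell
#!/bin/sh
# Added example, not the project's debug.sh: generate an include-config
# fragment from an environment variable, then scrub run-time generated
# blocks out of a saved config so they never reach version control.

# gen_debug_cfg DIR
# Writes DIR/debug.cfg. auto-startup.cfg runs 'exec "config:///debug.cfg"'
# unconditionally, so the file must exist even when DEBUG is unset.
# Returns 0 only when a debug target was actually written.
gen_debug_cfg() {
    out="$1/debug.cfg"
    if [ -n "${DEBUG:-}" ]; then
        # Keywords inside the block (type, local-file, event) are assumed
        # DataPower CLI syntax; the header and 'exit' come from the Makefile.
        cat > "$out" <<'EOF'
logging target "debug-log"
  type file
  local-file "logtemp:///debug-log"
  event all debug
exit
EOF
    else
        # Deployment default: no debug target is configured at all.
        printf '# debug-log not enabled: DEBUG is unset\n' > "$out"
    fi
    grep -q '^logging target "debug-log"$' "$out"
}

# scrub_generated FILE
# The same sed ranges the Makefile fixate target uses, but printed to
# stdout instead of edited in place: drop any web-mgmt and debug-log
# blocks and the system name, so a 'write mem' done during rundev cannot
# bake a management interface or debug logging into the checked-in config.
scrub_generated() {
    sed -e '/^web-mgmt$/,/^exit$/d' \
        -e '/^logging target "debug-log"$/,/^exit$/d' \
        -e '/^system$/,/^exit$/{ /^ *name /d; }' "$1"
}

# write_sample_cfg FILE
# Constructed sample (not a real saved config) of what a 'write mem' in
# rundev might leave behind: generated blocks mixed with config to keep.
write_sample_cfg() {
    cat > "$1" <<'EOF'
top; configure terminal;

logging target "debug-log"
  type file
exit

web-mgmt
  admin-state enabled
exit

system
  name "dev-box"
  audit-reserve 40
exit
EOF
}

# Demo when invoked as 'sh thisfile.sh demo': show both variants and the scrub.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    DEBUG=true gen_debug_cfg "$d" && cat "$d/debug.cfg"
    write_sample_cfg "$d/auto-startup.cfg"
    echo '--- scrubbed auto-startup.cfg ---'
    scrub_generated "$d/auto-startup.cfg"
fi
```

With `DEBUG` unset the function still produces a file, because the `exec "config:///debug.cfg"` line in `auto-startup.cfg` is unconditional; only the content changes. The scrub leaves the `system` block and its `audit-reserve` in place and removes only the three generated items, which is what keeps `git diff` after `fixate` free of development-only configuration.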

./src/start/web-mgmt.sh -- Turns on `web-mgmt` for the developer but not when deployed. When in development, the `web-mgmt` is effectively DataPower's IDE. But the IDE is not needed or wanted for deployment, so `web-mgmt` is only enabled when the `rundev` target is used and not when the `run` target is used. This is controlled by an environment variable and generates an `include-config` file.

## Concepts

The goal of this project is to completely, utterly, and unashamedly embrace the Docker SDLC (Software Development Life Cycle). At the same time, it is intended to be an extremely simple example with minimal prerequisites to demonstrate how DataPower may fit into an orchestration environment.

For our orchestrator, we will use a simple Makefile. It has the ability to automate all the actions that we want to demonstrate. The focus is on how to build an application with DataPower -- it is an admittedly very interesting exercise to extend this example into the CI/CD or orchestration environment of your choice.

A description of selected `Makefile` targets:
- `build`
  - `docker build` the image
  - Used by a developer for unit test
  - Used by a builder to build an image
  - What the CI/CD system would do to get the Docker image for this DataPower Gateway
- `rundev`
  - run `ibmcom/datapower:7.5.2` as a developer would.
  - `web-mgmt` is enabled;
  - volumes are used for configuration so that `write mem` or `Save config` inside DataPower cause the correct files to be saved in the source tree.
- `run`
  - runs the built image generated by this project
  - Used by a developer for unit test
  - Something similar would be done by CI/CD to run tests, bring up in production, etc
- `test`
  - runs the test harness to make sure that the container is working properly.
  - This is a stand in for any kind of automated testing that would be present in an orchestration environment.
- `tag`
  - Adds the `latest` tag to the output image
  - This indicates a good build that has passed `test`.
- `clean` `cleaner`
  - Remove generated files.
  - `clean` should always be run between `rundev` and `build`
  - `cleaner` also removes any generated keys.
- `gui`, `cli`, `shell`
  - Connect to an already-running container on `web-mgmt`, the `cli`, and in `/bin/sh` respectively.
  - There is no `gui` running if using `run`, only for `rundev`.
  - If the password was reset at run time, the generated password will be printed for both `cli` and `gui`. The generated password is harvested from `docker logs`, meaning that anyone with access to Docker could get the password.
- `rm` -- stop and remove running containers from `rundev` or `run`.
- `all` -- `make clean build run test tag`
  - This is the target that the build farm would run when triggered by a checkin
  - This is the target that a developer would use prior to check in
  - The developer would have a different repository than the build farm so there would be no name collisions.

A description of workflow for selected roles:
- Developer role
  1. `rundev`
     - `gui`, `cli` -- change configuration to DataPower itself
     - `shell` -- Work with early startup integration, such as the code that is run before `drouter` is started.
     - `test` -- run the test harness against the running container
     - Repeat until satisfied, then
  1. `all` -- unit test the result, then
  1. Check in changes
- Release Engineering / Build-Farm role
  1. `all` -- Does the complete build including test and tag
  1. `docker push` -- makes the image available beyond the build machine.
     - This could be for the use of the Software Quality Assurance team
     - Could be for release to next steps of Continuous Integration / Continuous delivery
  - At this point, you have a tested, tagged, and pushed image that is ready for the next step of deployment.

--------------------------------------------------------------------------------
/docker/ibmcom-datapower-example/src/drouter/config/auto-startup.cfg:
--------------------------------------------------------------------------------
top; configure terminal;

# configuration generated Tue Sep 13 15:52:09 2016; firmware version 280356beta4

%if% available "domain-settings"

domain-settings
  admin-state enabled
  password-treatment masked
exit

%endif%

%if% available "include-config"

include-config "debug"
  config-url "config:///debug.cfg"
  auto-execute
  no interface-detection
exit

exec "config:///debug.cfg"

include-config "reset-password"
  config-url "config:///reset-password.cfg"
  auto-execute
  no interface-detection
exit

exec "config:///reset-password.cfg"

include-config "vbox-inotify-workaround"
  config-url "config://vbox-inotify-workaround.cfg"
  auto-execute
  no interface-detection
exit

exec "config://vbox-inotify-workaround.cfg"

include-config "web-mgmt"
  config-url "config:///web-mgmt.cfg"
  auto-execute
  no interface-detection
exit

%endif%

exec "config:///web-mgmt.cfg"

%if% available "radius"

radius
  admin-state disabled
  timeout 1000
  retries 3
exit

%endif%

%if% available "timezone"

timezone "EST5EDT"

%endif%

%if% available "throttle"

throttle
  admin-state disabled
  memory-throttle 20
  memory-terminate 5
  temp-fs-throttle 0
  temp-fs-terminate 0
  qcode-warn 10
  timeout 30
  no status-log
  status-loglevel debug
  sensors-log
  backlog-size 0
  backlog-timeout 30
exit

%endif%

%if% available "snmp"

snmp
  admin-state disabled
  version 2c
  ip-address 0.0.0.0
  port 161
  security-level authPriv
  access-level read-only
  trap-default-subscriptions
  trap-priority warn
  trap-code 0x00030002
  trap-code 0x00230003
  trap-code 0x00330002
  trap-code 0x00b30014
  trap-code 0x00e30001
  trap-code 0x00e40008
  trap-code 0x00f30008
  trap-code 0x01530001
  trap-code 0x01a2000e
  trap-code 0x01a40001
  trap-code 0x01a40005
  trap-code 0x01a40008
  trap-code 0x01b10006
  trap-code 0x01b10009
  trap-code 0x01b20002
  trap-code 0x01b20004
  trap-code 0x01b20008
  trap-code 0x02220001
  trap-code 0x02220003
  trap-code 0x02240002
exit

%endif%

sslproxy "iop-mgmt-ssl" "reverse" "system-profile" sess-timeout "300" cache-size "20"

sslproxy "system-wsgw-management-loopback" "forward" "system-default" client-cache "on" client-sess-timeout "300" client-cache-size "100"

crypto

%if% available "cert-monitor"

cert-monitor
  admin-state enabled
  poll 1
  reminder 30
  log-level warn
  no disable-expired-certs
exit

%endif%

exit

crypto
  no crl

exit

%if% available "raid-volume"

raid-volume "raid0"
  admin-state disabled
  no read-only
exit

%endif%

%if% available "language"

language "de"
  admin-state disabled
exit

language "en"
  admin-state enabled
exit

language "es"
  admin-state disabled
exit

language "fr"
  admin-state disabled
exit

language "it"
  admin-state disabled
exit

language "ja"
  admin-state disabled
exit

language "ko"
  admin-state disabled
exit

language "pt_BR"
  admin-state disabled
exit

language "ru"
  admin-state disabled
exit

language "zh_CN"
  admin-state disabled
exit

language "zh_TW"
  admin-state disabled
exit

%endif%

%if% available "system"

system
  admin-state enabled
  entitlement "0000001"
  audit-reserve 40
  no system-log-fixed-format
exit

%endif%
logging event default-log "all" "error"
logging event default-log "mgmt" "notice"
logging event default-log "system" "notice"

%if% available "rbm"

rbm
  admin-state enabled
  au-method local
  no au-ldap-search
  ldap-prefix "cn="
  no au-force-dn-ldap-order
  au-cache-mode absolute
  au-cache-ttl 600
  au-ldap-readtimeout 60
  mc-method local
  no mc-ldap-search
  mc-ldap-readtimeout 60
  fallback-login disabled
  no apply-cli
  no restrict-admin
  pwd-minimum-length 6
  no pwd-mixed-case
  no pwd-digit
  no pwd-nonalphanumeric
  no pwd-username
  no pwd-aging
  pwd-max-age 30
  no pwd-history
  pwd-max-history 5
  cli-timeout 0
  max-login-failure 0
  lockout-duration 1
  no mc-force-dn-ldap-order
  password-hash-algorithm md5crypt
  ssl-client-type proxy
  mc-ssl-client-type proxy
exit

%endif%

acl "rest-mgmt"
exit

acl "ssh"
exit

acl "web-b2b-viewer"
exit

acl "web-mgmt"
exit

acl "xml-mgmt"
exit

no ssh

user-agent "default"
  summary "Default User Agent"
  max-redirects 8
  timeout 300
exit

%if% available "urlmap"

urlmap "default-attempt-stream-all"
  match "*"
exit

%endif%

%if% available "compile-options"

compile-options "default-attempt-stream"
  xslt-version XSLT10
  no strict
  try-stream default-attempt-stream-all
  stack-size 524288
  wsi-validate ignore
  wsdl-validate-body strict
  wsdl-validate-headers lax
  wsdl-validate-faults strict
  no wsdl-wrapped-faults
  no wsdl-strict-soap-version
  no xacml-debug
exit

%endif%

stylepolicy "default"
  reset
  summary "Default Processing Policy"
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
  xquerydefault "store:///reject-all-json.xq"
exit

%if% available "metadata"

metadata "ftp-usercert-metadata"
  meta-item "variable" "dn" "var://context/INPUT/ftp/tls/client-subject-dn"
  meta-item "variable" "issuer" "var://context/INPUT/ftp/tls/client-issuer-dn"
  meta-item "variable" "serial" "var://context/INPUT/ftp/tls/client-serial-number"
exit

metadata "ftp-username-metadata"
  meta-item "variable" "dn" "var://context/INPUT/ftp/tls/client-subject-dn"
  meta-item "variable" "issuer" "var://context/INPUT/ftp/tls/client-issuer-dn"
  meta-item "variable" "password" "var://context/INPUT/ftp/password"
  meta-item "variable" "serial" "var://context/INPUT/ftp/tls/client-serial-number"
  meta-item "variable" "username" "var://context/INPUT/ftp/username"
exit

metadata "oauth-scope-metadata"
  meta-item "variable" "scope" "var://context/INPUT/oauth/verified-scope"
exit

metadata "ssh-password-metadata"
  meta-item "variable" "password" "var://context/INPUT/ssh/password"
  meta-item "variable" "publickey" "var://context/INPUT/ssh/publickey"
  meta-item "variable" "username" "var://context/INPUT/ssh/username"
exit

%endif%

xmlmgr "default"
xsl cache size "default" "256"
xsl checksummed cache default
no tx-warn "default"
memoization "default"

xml parser limits "default"
  bytes-scanned 4194304
  element-depth 512
  attribute-count 128
  max-node-size 33554432
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default" *

xml-manager "default"
  summary "Default XML-Manager"
  user-agent "default"
exit

xmlmgr "default-attempt-stream"
xslconfig "default-attempt-stream" "default-attempt-stream"
xsl cache size "default-attempt-stream" "256"
xsl checksummed cache default-attempt-stream
no tx-warn "default-attempt-stream"
memoization "default-attempt-stream"

xml parser limits "default-attempt-stream"
  bytes-scanned 268435456
  element-depth 512
  attribute-count 128
  max-node-size 268435456
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default-attempt-stream"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default-attempt-stream" *

xml-manager "default-attempt-stream"
  summary "Default Streaming XML-Manager"
  user-agent "default"
exit

xmlmgr "default-wsrr"
xsl cache size "default-wsrr" "256"
xsl checksummed cache default-wsrr
no tx-warn "default-wsrr"
memoization "default-wsrr"

xml parser limits "default-wsrr"
  bytes-scanned 4194304
  element-depth 512
  attribute-count 128
  max-node-size 33554432
  forbid-external-references
  external-references forbid
  max-prefixes 1024
  max-namespaces 1024
  max-local-names 60000
exit

documentcache "default-wsrr"
  no policy
  maxdocs "5000"
  size "0"
  max-writes "32768"
exit
no xml validate "default-wsrr" *

xml-manager "default-wsrr"
  summary "WSRR XML-Manager"
  user-agent "default"
exit

%if% available "aaapolicy"

aaapolicy "iop-mgmt-aaa"
  extract-identity "http-basic-auth+client-ssl" "" "" "" "" "login" "off" "" "off" "" "xmlfile" "" "" "" "" "" "proxy" "" "" "" ""
  authenticate xmlfile "store:///iop-mgmt-aaa.xml" "" "" "" "absolute" "3" "" "" "" "" "" "on" "" "" "1.1" "cn=" "" "" "" "" "" "" "" "" "" "" "" "userPassword" "LTPA2" "" "" "" "" "" "off" "" "1.2" "off" "" "off" "32" "off" "32" "off" "off" "" "" "" "" "0" "off" "60" "proxy" "" "" "" "webagent" "" "" "" "default"
  map-credentials xmlfile "store:///iop-mgmt-aaa.xml" "" ""
  extract-resource "request-uri+request-opname" "" ""
  map-resource xmlfile "store:///iop-mgmt-aaa.xml" "" "WebSEAL" "" ""
  authorize xmlfile "store:///iop-mgmt-aaa.xml" "" "" "" "" "" "any" "" "" "absolute" "3" "" "" "" "1.1" "" "" "" "member" "" "" "subtree" "(objectClass=*)" "2.0" "deny-biased" "on" "" "" "custom" "" "" "" "off" "" "T" "" "off" "" "r" "" "0" "tfim" "" "off" "on" "off" "off" "60" "proxy" "" "" "webagent" "" "" "" "default"
  post-process "off" "" "off" "XS" "" "off" "" "" "" "off" "on" "0" "off" "2.0" "off" "" "" "off" "Digest" "0" "0" "on" "off" "LTPA2" "600" "" "" "" "off" "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" "off" "" "off" "" "off" "" "off" "1000" "off" "all" "CallTFIM" "hmac-sha1" "sha1" "off" "random" "" "0" "off" "off" "off" "off" "" "off" "assertion" "" "wssec-replace" "authentication+attribute" "bearer" "on" "" "" "" "off" "off" "off" "" "0" "AllHTTP" "" "on" "off" "iv-creds" "0" "off" "" "off" "mc-output" "" "" "" "" "as-is-string" "" "" "proxy" "" "" "off" ""
  log-allowed
  log-allowed-level info
  log-rejected
  log-rejected-level warn
  no ping-identity-compatibility
  dos-valve 3
  ldap-version v2
  enforce-actor-role
  dyn-config none
exit

%endif%

%if% available "wsm-stylepolicy"

wsm-stylepolicy "default"
  summary "Default Processing Policy"
  filter "store:///filter-reject-all.xsl"
  xsldefault "store:///identity.xsl"
exit

%endif%

%if% available "audit-log-settings"

audit-log-settings
  admin-state enabled
  size 1000
  rotate 3
  audit-level standard
exit

%endif%

%if% available "smtp-server-connection"

smtp-server-connection "default"
  summary "Default SMTP Server Connection"
  server-host smtp
  server-port 25
  auth plain
  ssl-client-type proxy
exit

%endif%

%if% available "b2b-persistence"

b2b-persistence
  admin-state disabled
  raid-volume raid0
  storage-size 1024
  no ha-enabled
  ha-other-hosts "" "1320"
  ha-local-ip 0.0.0.0
  ha-local-port 1320
exit

%endif%

crypto

%if% available "sshdomainclientprofile"

sshdomainclientprofile
  no ciphers
  admin-state enabled
  ciphers CHACHA20-POLY1305_AT_OPENSSH.COM
  ciphers AES128-CTR
  ciphers AES192-CTR
  ciphers AES256-CTR
  ciphers AES128-GCM_AT_OPENSSH.COM
  ciphers AES256-GCM_AT_OPENSSH.COM
  ciphers ARCFOUR256
  ciphers ARCFOUR128
  ciphers AES128-CBC
  ciphers 3DES-CBC
  ciphers BLOWFISH-CBC
  ciphers CAST128-CBC
  ciphers AES192-CBC
  ciphers AES256-CBC
  ciphers ARCFOUR
  ciphers RIJNDAEL-CBC_AT_LYSATOR.LIU.SE
exit

%endif%

exit

crypto

%if% available "sshserverprofile"

sshserverprofile
  no ciphers
  admin-state enabled
  ciphers CHACHA20-POLY1305_AT_OPENSSH.COM
  ciphers AES128-CTR
  ciphers AES192-CTR
  ciphers AES256-CTR
  ciphers AES128-GCM_AT_OPENSSH.COM
  ciphers AES256-GCM_AT_OPENSSH.COM
  ciphers ARCFOUR256
  ciphers ARCFOUR128
  ciphers AES128-CBC
  ciphers 3DES-CBC
  ciphers BLOWFISH-CBC
  ciphers CAST128-CBC
  ciphers AES192-CBC
  ciphers AES256-CBC
  ciphers ARCFOUR
  ciphers RIJNDAEL-CBC_AT_LYSATOR.LIU.SE
  enable-legacy-kex no
exit

%endif%

exit

%if% available "domain-availability"

domain-availability
  admin-state disabled
exit

%endif%

%if% available "iop-mgmt"

iop-mgmt
  admin-state disabled
  http-service
  http-ip-address 0.0.0.0
  http-port 9990
  https-service
  https-ip-address 0.0.0.0
  https-port 9991
  ssl-config-type proxy
exit

%endif%

%if% available "nfs-client"

nfs-client
  admin-state disabled
  mount-refresh-time 10
exit

%endif%

%if% available "nfs-dynamic-mounts"

nfs-dynamic-mounts
  admin-state disabled
  version 3
  transport tcp
  mount-type hard
  no read-only
  rsize 4096
  wsize 4096
  timeo 7
  retrans 3
  inactivity-timeout 900
  mount-timeout 30
exit

%endif%

%if% available "odr"

odr
  admin-state disabled
exit

%endif%

%if% available "quota-enforcement-server"

quota-enforcement-server
  admin-state enabled
  server-port 16379
  monitor-port 26379
  no enable-peer-group
  enable-ssl
  priority 100
  strict-mode
exit

%endif%

%if% available "secure-mode"

secure-mode
  admin-state enabled
  mode normal
exit

%endif%

xml-mgmt
  admin-state "disabled"
  local-address "0.0.0.0" "5550"
  no ws-management
  slm-peering 10
  mode "any+soma+v2004+amp+slm+wsrr-subscription"
  ssl-config-type server
exit

rest-mgmt
  admin-state "disabled"
  local-address "0.0.0.0" "5554"
  ssl-config-type server
exit

%if% available "b2b-viewer-mgmt"

b2b-viewer-mgmt
  admin-state "disabled"
  local-address "0.0.0.0" "9091"
  idle-timeout 600
  ssl-config-type proxy
exit

%endif%

save-config overwrite


%if% available "slm-action"

slm-action "notify"
  type log-only
  log-priority warn
exit

slm-action "shape"
  type shape
  log-priority debug
exit

slm-action "throttle"
  type reject
  log-priority debug
exit

%endif%

no statistics

exec config:///auto-user.cfg

%if% available "wsm-agent"

wsm-agent
  admin-state disabled
  max-records 3000
  max-memory 64000
  capture-mode faults
  buffer-mode discard
  no mediation-enforcement-metrics
  push-interval 100
  push-priority normal
exit

%endif%

domain "foo"
  base-dir foo:
  base-dir local:
  config-file foo.cfg
  url-permissions "http+https"
  file-permissions "CopyFrom+CopyTo+Delete+Display+Exec+Subdir"
  config-mode local
  import-format ZIP
  local-ip-rewrite
  maxchkpoints 3
exit

%endif%

failure-notification
  admin-state "enabled"
  no upload-report
  no use-smtp
  internal-state
  no ffdc packet-capture
  no ffdc event-log
  no ffdc memory-trace
  no always-on-startup
  always-on-shutdown
protocol ftp 734 | report-history 5 735 | exit 736 | 737 | %if% isfile temporary:///backtrace 738 | save error-report 739 | %endif% 740 | 741 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/drouter/config/auto-user.cfg: -------------------------------------------------------------------------------- 1 | top; configure terminal; 2 | 3 | # configuration generated Fri Oct 21 07:56:53 2016; firmware version 281259 4 | 5 | %if% available "user" 6 | 7 | user "admin" 8 | summary "Administrator" 9 | password-hashed "$1$8XiVJ8jq$hA1Ithlar3FdTO5PDMr4w0" 10 | access-level privileged 11 | exit 12 | 13 | %endif% 14 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/drouter/config/foo/foo.cfg: -------------------------------------------------------------------------------- 1 | top; configure terminal; 2 | 3 | # configuration generated Fri Oct 21 08:29:37 2016; firmware version 281259 4 | 5 | %if% available "domain-settings" 6 | 7 | domain-settings 8 | admin-state enabled 9 | password-treatment masked 10 | exit 11 | 12 | %endif% 13 | 14 | %if% available "password-alias" 15 | 16 | password-alias "crypto" 17 | password-encrypted "SW/Fqx1G1jDopSMDd5FC23bEgGz6T6jTojAj6f4xaqyqpivWye45EA==" 18 | exit 19 | 20 | %endif% 21 | 22 | %if% available "include-config" 23 | 24 | include-config "debug" 25 | config-url "config:///debug.cfg" 26 | auto-execute 27 | no interface-detection 28 | exit 29 | 30 | exec "config:///debug.cfg" 31 | 32 | include-config "loadbalancer-group" 33 | config-url "config:///loadbalancer-group.cfg" 34 | auto-execute 35 | no interface-detection 36 | exit 37 | 38 | %endif% 39 | 40 | exec "config:///loadbalancer-group.cfg" 41 | 42 | crypto 43 | certificate "crypto-certificate" "local:///server.crt" 44 | exit 45 | 46 | crypto 47 | key "crypto-key" "local:///server.key" password-alias "crypto" 48 | exit 49 | 50 | crypto 51 | idcred 
"crypto-identification-credentials" "crypto-key" "crypto-certificate" 52 | exit 53 | 54 | crypto 55 | 56 | %if% available "ssl-server" 57 | 58 | ssl-server "ssl-server-profile" 59 | protocols "TLSv1d2" 60 | ciphers ECDHE_RSA_WITH_AES_256_GCM_SHA384 61 | ciphers ECDHE_RSA_WITH_AES_256_CBC_SHA384 62 | ciphers ECDHE_RSA_WITH_AES_256_CBC_SHA 63 | ciphers DHE_DSS_WITH_AES_256_GCM_SHA384 64 | ciphers DHE_RSA_WITH_AES_256_GCM_SHA384 65 | ciphers DHE_RSA_WITH_AES_256_CBC_SHA256 66 | ciphers DHE_DSS_WITH_AES_256_CBC_SHA256 67 | ciphers DHE_RSA_WITH_AES_256_CBC_SHA 68 | ciphers DHE_DSS_WITH_AES_256_CBC_SHA 69 | ciphers RSA_WITH_AES_256_GCM_SHA384 70 | ciphers RSA_WITH_AES_256_CBC_SHA256 71 | ciphers RSA_WITH_AES_256_CBC_SHA 72 | ciphers ECDHE_RSA_WITH_AES_128_GCM_SHA256 73 | ciphers ECDHE_RSA_WITH_AES_128_CBC_SHA256 74 | ciphers ECDHE_RSA_WITH_AES_128_CBC_SHA 75 | ciphers DHE_DSS_WITH_AES_128_GCM_SHA256 76 | ciphers DHE_RSA_WITH_AES_128_GCM_SHA256 77 | ciphers DHE_RSA_WITH_AES_128_CBC_SHA256 78 | ciphers DHE_DSS_WITH_AES_128_CBC_SHA256 79 | ciphers DHE_RSA_WITH_AES_128_CBC_SHA 80 | ciphers DHE_DSS_WITH_AES_128_CBC_SHA 81 | ciphers RSA_WITH_AES_128_GCM_SHA256 82 | ciphers RSA_WITH_AES_128_CBC_SHA256 83 | ciphers RSA_WITH_AES_128_CBC_SHA 84 | ciphers ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 85 | ciphers DHE_RSA_WITH_3DES_EDE_CBC_SHA 86 | ciphers DHE_DSS_WITH_3DES_EDE_CBC_SHA 87 | ciphers RSA_WITH_3DES_EDE_CBC_SHA 88 | idcred crypto-identification-credentials 89 | no request-client-auth 90 | require-client-auth 91 | validate-client-cert 92 | send-client-auth-ca-list 93 | caching 94 | cache-timeout 300 95 | cache-size 20 96 | ssl-options "" 97 | max-duration 60 98 | max-renegotiation-allowed 0 99 | no prohibit-resume-on-reneg 100 | no compression 101 | no allow-legacy-renegotiation 102 | prefer-server-ciphers 103 | curves secp521r1 104 | curves secp384r1 105 | curves secp256k1 106 | curves secp256r1 107 | exit 108 | 109 | %endif% 110 | 111 | exit 112 | 113 | crypto 114 | 115 | %if% 
available "ssl-sni-mapping" 116 | 117 | ssl-sni-mapping "ssl-hostname-mapping" 118 | sni-mapping "*" "ssl-server-profile" 119 | exit 120 | 121 | %endif% 122 | 123 | exit 124 | 125 | crypto 126 | 127 | %if% available "ssl-sni-server" 128 | 129 | ssl-sni-server "ssl-sni-server-profile" 130 | protocols "TLSv1d2" 131 | sni-server-mapping ssl-hostname-mapping 132 | sni-server-default ssl-server-profile 133 | ssl-options "" 134 | max-duration 3600 135 | max-renegotiation-allowed 0 136 | exit 137 | 138 | %endif% 139 | 140 | exit 141 | logging event default-log "all" "error" 142 | logging event default-log "mgmt" "notice" 143 | 144 | user-agent "default" 145 | summary "Default User Agent" 146 | max-redirects 8 147 | timeout 300 148 | exit 149 | 150 | %if% available "urlmap" 151 | 152 | urlmap "default-attempt-stream-all" 153 | match "*" 154 | exit 155 | 156 | %endif% 157 | 158 | %if% available "compile-options" 159 | 160 | compile-options "default-attempt-stream" 161 | xslt-version XSLT10 162 | no strict 163 | try-stream default-attempt-stream-all 164 | stack-size 524288 165 | wsi-validate ignore 166 | wsdl-validate-body strict 167 | wsdl-validate-headers lax 168 | wsdl-validate-faults strict 169 | no wsdl-wrapped-faults 170 | no wsdl-strict-soap-version 171 | no xacml-debug 172 | exit 173 | 174 | %endif% 175 | 176 | action "__default-accept-service-providers-filter-action__" 177 | reset 178 | type filter 179 | input "NULL" 180 | transform "store:///filter-accept-service-providers.xsl" 181 | transform-language none 182 | named-inouts default 183 | ssl-client-type proxy 184 | no transactional 185 | soap-validation body 186 | sql-source-type static 187 | strip-signature 188 | no asynchronous 189 | results-mode first-available 190 | retry-count 0 191 | retry-interval 1000 192 | no multiple-outputs 193 | iterator-type XPATH 194 | timeout 0 195 | http-method GET 196 | http-method-limited POST 197 | http-method-limited2 POST 198 | exit 199 | 200 | action 
"__default-accept-service-providers-results-action__" 201 | reset 202 | type results 203 | input "INPUT" 204 | transform-language none 205 | named-inouts default 206 | ssl-client-type proxy 207 | no transactional 208 | soap-validation body 209 | sql-source-type static 210 | strip-signature 211 | no asynchronous 212 | results-mode first-available 213 | retry-count 0 214 | retry-interval 1000 215 | no multiple-outputs 216 | iterator-type XPATH 217 | timeout 0 218 | http-method GET 219 | http-method-limited POST 220 | http-method-limited2 POST 221 | exit 222 | 223 | action "__dp-policy-call-action__" 224 | reset 225 | summary "Call the next policy." 226 | type call 227 | input "INPUT" 228 | transform-language none 229 | output "INPUT" 230 | named-inouts default 231 | ssl-client-type proxy 232 | rule "var://context/policy/fw/call-rule" 233 | no transactional 234 | soap-validation body 235 | sql-source-type static 236 | strip-signature 237 | no asynchronous 238 | results-mode first-available 239 | retry-count 0 240 | retry-interval 1000 241 | no multiple-outputs 242 | iterator-type XPATH 243 | timeout 0 244 | http-method GET 245 | http-method-limited POST 246 | http-method-limited2 POST 247 | exit 248 | 249 | action "__dp-policy-init-xform-action__" 250 | reset 251 | summary "Set up context vars and annotate map XML." 
252 | type xform 253 | input "NULL" 254 | transform "store://dp/policy-enforce-init.xsl" 255 | transform-language none 256 | output "NULL" 257 | named-inouts default 258 | ssl-client-type proxy 259 | no transactional 260 | soap-validation body 261 | sql-source-type static 262 | strip-signature 263 | no asynchronous 264 | results-mode first-available 265 | retry-count 0 266 | retry-interval 1000 267 | no multiple-outputs 268 | iterator-type XPATH 269 | timeout 0 270 | http-method GET 271 | http-method-limited POST 272 | http-method-limited2 POST 273 | exit 274 | 275 | action "__dp-policy-results-action__" 276 | reset 277 | summary "Results action for our policy enforcement rules." 278 | type results 279 | input "INPUT" 280 | transform-language none 281 | named-inouts default 282 | ssl-client-type proxy 283 | no transactional 284 | soap-validation body 285 | sql-source-type static 286 | strip-signature 287 | no asynchronous 288 | results-mode first-available 289 | retry-count 0 290 | retry-interval 1000 291 | no multiple-outputs 292 | iterator-type XPATH 293 | timeout 0 294 | http-method GET 295 | http-method-limited POST 296 | http-method-limited2 POST 297 | exit 298 | 299 | action "__dp-policy-traverse-xform-action__" 300 | reset 301 | summary "Identify next policy by traversing the annotated map." 
302 | type xform 303 | input "NULL" 304 | transform "store://dp/policy-enforce-traverse.xsl" 305 | transform-language none 306 | output "NULL" 307 | named-inouts default 308 | ssl-client-type proxy 309 | no transactional 310 | soap-validation body 311 | sql-source-type static 312 | strip-signature 313 | no asynchronous 314 | results-mode first-available 315 | retry-count 0 316 | retry-interval 1000 317 | no multiple-outputs 318 | iterator-type XPATH 319 | timeout 0 320 | http-method GET 321 | http-method-limited POST 322 | http-method-limited2 POST 323 | exit 324 | 325 | action "mpgw-style-policy_rule_0_gatewayscript_1" 326 | reset 327 | type gatewayscript 328 | input "INPUT" 329 | transform-language none 330 | gatewayscript-location "local:///example-header.js" 331 | output "PIPE" 332 | named-inouts default 333 | ssl-client-type proxy 334 | no transactional 335 | soap-validation body 336 | sql-source-type static 337 | strip-signature 338 | no asynchronous 339 | results-mode first-available 340 | retry-count 0 341 | retry-interval 1000 342 | no multiple-outputs 343 | iterator-type XPATH 344 | timeout 0 345 | http-method GET 346 | http-method-limited POST 347 | http-method-limited2 POST 348 | exit 349 | 350 | action "mpgw-style-policy_rule_0_results_output_0" 351 | reset 352 | type results 353 | input "INPUT" 354 | transform-language none 355 | named-inouts default 356 | ssl-client-type proxy 357 | output-type default 358 | no transactional 359 | soap-validation body 360 | sql-source-type static 361 | strip-signature 362 | no asynchronous 363 | results-mode first-available 364 | retry-count 0 365 | retry-interval 1000 366 | no multiple-outputs 367 | iterator-type XPATH 368 | timeout 0 369 | http-method GET 370 | http-method-limited POST 371 | http-method-limited2 POST 372 | exit 373 | 374 | action "mpgw-style-policy_rule_1_gatewayscript_2" 375 | reset 376 | type gatewayscript 377 | input "INPUT" 378 | transform-language none 379 | gatewayscript-location 
"local:///hello-too.js" 380 | output "OUTPUT" 381 | named-inouts default 382 | ssl-client-type proxy 383 | no transactional 384 | soap-validation body 385 | sql-source-type static 386 | strip-signature 387 | no asynchronous 388 | results-mode first-available 389 | retry-count 0 390 | retry-interval 1000 391 | no multiple-outputs 392 | iterator-type XPATH 393 | timeout 0 394 | http-method GET 395 | http-method-limited POST 396 | http-method-limited2 POST 397 | exit 398 | 399 | rule "__default-accept-service-providers-request__" 400 | reset 401 | summary "Accept messages intended for known services, reject everything else." 402 | type request-rule 403 | input-filter none 404 | output-filter none 405 | no non-xml-processing 406 | no unprocessed 407 | action "__default-accept-service-providers-filter-action__" 408 | action "__default-accept-service-providers-results-action__" 409 | exit 410 | 411 | rule "__default-accept-service-providers-response__" 412 | reset 413 | summary "Accept responses received from known services." 414 | type response-rule 415 | input-filter none 416 | output-filter none 417 | no non-xml-processing 418 | no unprocessed 419 | action "__default-accept-service-providers-results-action__" 420 | exit 421 | 422 | rule "__dp-policy-begin__" 423 | reset 424 | summary "Initiate policy enforcement by annotating policy and determining first policy to enforce." 
425 | type rule 426 | input-filter none 427 | output-filter none 428 | no non-xml-processing 429 | no unprocessed 430 | action "__dp-policy-init-xform-action__" 431 | action "__dp-policy-traverse-xform-action__" 432 | action "__dp-policy-call-action__" 433 | action "__dp-policy-results-action__" 434 | exit 435 | 436 | rule "mpgw-style-policy_rule_0" 437 | reset 438 | type request-rule 439 | input-filter none 440 | output-filter none 441 | no non-xml-processing 442 | no unprocessed 443 | action "mpgw-style-policy_rule_0_results_output_0" 444 | exit 445 | 446 | rule "mpgw-style-policy_rule_1" 447 | reset 448 | type response-rule 449 | input-filter none 450 | output-filter none 451 | no non-xml-processing 452 | no unprocessed 453 | action "mpgw-style-policy_rule_1_gatewayscript_2" 454 | exit 455 | 456 | matching "All" 457 | urlmatch ".*" 458 | match-with-pcre 459 | no combine-with-or 460 | exit 461 | 462 | matching "matching-rule-all-get" 463 | methodmatch "GET" 464 | no match-with-pcre 465 | no combine-with-or 466 | exit 467 | 468 | stylepolicy "default" 469 | reset 470 | summary "Default Processing Policy" 471 | filter "store:///filter-reject-all.xsl" 472 | xsldefault "store:///identity.xsl" 473 | xquerydefault "store:///reject-all-json.xq" 474 | exit 475 | 476 | stylepolicy "mpgw-style-policy" 477 | reset 478 | filter "store:///filter-reject-all.xsl" 479 | xsldefault "store:///identity.xsl" 480 | xquerydefault "store:///reject-all-json.xq" 481 | match "matching-rule-all-get" "mpgw-style-policy_rule_0" 482 | match "All" "mpgw-style-policy_rule_1" 483 | exit 484 | 485 | %if% available "metadata" 486 | 487 | metadata "ftp-usercert-metadata" 488 | meta-item "variable" "dn" "var://context/INPUT/ftp/tls/client-subject-dn" 489 | meta-item "variable" "issuer" "var://context/INPUT/ftp/tls/client-issuer-dn" 490 | meta-item "variable" "serial" "var://context/INPUT/ftp/tls/client-serial-number" 491 | exit 492 | 493 | metadata "ftp-username-metadata" 494 | meta-item "variable" 
"dn" "var://context/INPUT/ftp/tls/client-subject-dn" 495 | meta-item "variable" "issuer" "var://context/INPUT/ftp/tls/client-issuer-dn" 496 | meta-item "variable" "password" "var://context/INPUT/ftp/password" 497 | meta-item "variable" "serial" "var://context/INPUT/ftp/tls/client-serial-number" 498 | meta-item "variable" "username" "var://context/INPUT/ftp/username" 499 | exit 500 | 501 | metadata "oauth-scope-metadata" 502 | meta-item "variable" "scope" "var://context/INPUT/oauth/verified-scope" 503 | exit 504 | 505 | metadata "ssh-password-metadata" 506 | meta-item "variable" "password" "var://context/INPUT/ssh/password" 507 | meta-item "variable" "publickey" "var://context/INPUT/ssh/publickey" 508 | meta-item "variable" "username" "var://context/INPUT/ssh/username" 509 | exit 510 | 511 | %endif% 512 | 513 | xmlmgr "default" 514 | xsl cache size "default" "256" 515 | xsl checksummed cache default 516 | no tx-warn "default" 517 | memoization "default" 518 | 519 | xml parser limits "default" 520 | bytes-scanned 4194304 521 | element-depth 512 522 | attribute-count 128 523 | max-node-size 33554432 524 | forbid-external-references 525 | external-references forbid 526 | max-prefixes 1024 527 | max-namespaces 1024 528 | max-local-names 60000 529 | exit 530 | 531 | documentcache "default" 532 | no policy 533 | maxdocs "5000" 534 | size "0" 535 | max-writes "32768" 536 | exit 537 | no xml validate "default" * 538 | 539 | xml-manager "default" 540 | summary "Default XML-Manager" 541 | loadbalancer-group "lbg-backend" 542 | user-agent "default" 543 | exit 544 | 545 | xmlmgr "default-attempt-stream" 546 | xslconfig "default-attempt-stream" "default-attempt-stream" 547 | xsl cache size "default-attempt-stream" "256" 548 | xsl checksummed cache default-attempt-stream 549 | no tx-warn "default-attempt-stream" 550 | memoization "default-attempt-stream" 551 | 552 | xml parser limits "default-attempt-stream" 553 | bytes-scanned 268435456 554 | element-depth 512 555 | 
attribute-count 128 556 | max-node-size 268435456 557 | forbid-external-references 558 | external-references forbid 559 | max-prefixes 1024 560 | max-namespaces 1024 561 | max-local-names 60000 562 | exit 563 | 564 | documentcache "default-attempt-stream" 565 | no policy 566 | maxdocs "5000" 567 | size "0" 568 | max-writes "32768" 569 | exit 570 | no xml validate "default-attempt-stream" * 571 | 572 | xml-manager "default-attempt-stream" 573 | summary "Default Streaming XML-Manager" 574 | user-agent "default" 575 | exit 576 | 577 | xmlmgr "default-wsrr" 578 | xsl cache size "default-wsrr" "256" 579 | xsl checksummed cache default-wsrr 580 | no tx-warn "default-wsrr" 581 | memoization "default-wsrr" 582 | 583 | xml parser limits "default-wsrr" 584 | bytes-scanned 4194304 585 | element-depth 512 586 | attribute-count 128 587 | max-node-size 33554432 588 | forbid-external-references 589 | external-references forbid 590 | max-prefixes 1024 591 | max-namespaces 1024 592 | max-local-names 60000 593 | exit 594 | 595 | documentcache "default-wsrr" 596 | no policy 597 | maxdocs "5000" 598 | size "0" 599 | max-writes "32768" 600 | exit 601 | no xml validate "default-wsrr" * 602 | 603 | xml-manager "default-wsrr" 604 | summary "WSRR XML-Manager" 605 | user-agent "default" 606 | exit 607 | 608 | %if% available "source-https" 609 | 610 | source-https "https-fsph-foo" 611 | local-address 0.0.0.0 612 | port 443 613 | http-client-version HTTP/1.1 614 | allowed-features "HTTP-1.0+HTTP-1.1+POST+GET+QueryString+FragmentIdentifiers" 615 | persistent-connections 616 | max-persistent-reuse 0 617 | no compression 618 | no websocket-upgrade 619 | websocket-idle-timeout 0 620 | max-url-len 16384 621 | max-total-header-len 128000 622 | max-header-count 0 623 | max-header-name-len 0 624 | max-header-value-len 0 625 | max-querystring-len 0 626 | credential-charset protocol 627 | ssl-config-type sni 628 | ssl-sni-server ssl-sni-server-profile 629 | http2-max-streams 100 630 | http2-max-frame 
16384 631 | no http2-stream-header 632 | exit 633 | 634 | %endif% 635 | 636 | %if% available "wsm-stylepolicy" 637 | 638 | wsm-stylepolicy "default" 639 | summary "Default Processing Policy" 640 | filter "store:///filter-reject-all.xsl" 641 | xsldefault "store:///identity.xsl" 642 | exit 643 | 644 | %endif% 645 | 646 | %if% available "smtp-server-connection" 647 | 648 | smtp-server-connection "default" 649 | summary "Default SMTP Server Connection" 650 | server-host smtp 651 | server-port 25 652 | auth plain 653 | ssl-client-type proxy 654 | exit 655 | 656 | %endif% 657 | 658 | crypto 659 | 660 | %if% available "sshdomainclientprofile" 661 | 662 | sshdomainclientprofile 663 | no ciphers 664 | admin-state enabled 665 | ciphers CHACHA20-POLY1305_AT_OPENSSH.COM 666 | ciphers AES128-CTR 667 | ciphers AES192-CTR 668 | ciphers AES256-CTR 669 | ciphers AES128-GCM_AT_OPENSSH.COM 670 | ciphers AES256-GCM_AT_OPENSSH.COM 671 | ciphers ARCFOUR256 672 | ciphers ARCFOUR128 673 | ciphers AES128-CBC 674 | ciphers 3DES-CBC 675 | ciphers BLOWFISH-CBC 676 | ciphers CAST128-CBC 677 | ciphers AES192-CBC 678 | ciphers AES256-CBC 679 | ciphers ARCFOUR 680 | ciphers RIJNDAEL-CBC_AT_LYSATOR.LIU.SE 681 | exit 682 | 683 | %endif% 684 | 685 | exit 686 | 687 | crypto 688 | 689 | %if% available "sshserverprofile" 690 | 691 | sshserverprofile 692 | no ciphers 693 | admin-state enabled 694 | ciphers CHACHA20-POLY1305_AT_OPENSSH.COM 695 | ciphers AES128-CTR 696 | ciphers AES192-CTR 697 | ciphers AES256-CTR 698 | ciphers AES128-GCM_AT_OPENSSH.COM 699 | ciphers AES256-GCM_AT_OPENSSH.COM 700 | ciphers ARCFOUR256 701 | ciphers ARCFOUR128 702 | ciphers AES128-CBC 703 | ciphers 3DES-CBC 704 | ciphers BLOWFISH-CBC 705 | ciphers CAST128-CBC 706 | ciphers AES192-CBC 707 | ciphers AES256-CBC 708 | ciphers ARCFOUR 709 | ciphers RIJNDAEL-CBC_AT_LYSATOR.LIU.SE 710 | enable-legacy-kex no 711 | exit 712 | 713 | %endif% 714 | 715 | exit 716 | 717 | %if% available "policy-attachments" 718 | 719 | 
policy-attachments "MPGW-foo" 720 | enforcement-mode enforce 721 | policy-references 722 | sla-enforcement-mode allow-if-no-sla 723 | exit 724 | 725 | %endif% 726 | 727 | %if% available "mpgw" 728 | 729 | mpgw "MPGW-foo" 730 | no policy-parameters 731 | priority normal 732 | front-protocol https-fsph-foo 733 | xml-manager default 734 | ssl-client-type proxy 735 | default-param-namespace "http://www.datapower.com/param/config" 736 | query-param-namespace "http://www.datapower.com/param/query" 737 | backend-url "http://lbg-backend:80" 738 | propagate-uri 739 | monitor-processing-policy terminate-at-first-throttle 740 | request-attachments strip 741 | response-attachments strip 742 | no request-attachments-flow-control 743 | no response-attachments-flow-control 744 | root-part-not-first-action process-in-order 745 | front-attachment-format dynamic 746 | back-attachment-format dynamic 747 | mime-front-headers 748 | mime-back-headers 749 | stream-output-to-back buffer-until-verification 750 | stream-output-to-front buffer-until-verification 751 | max-message-size 0 752 | no gateway-parser-limits 753 | element-depth 512 754 | attribute-count 128 755 | max-node-size 33554432 756 | forbid-external-references 757 | external-references forbid 758 | max-prefixes 1024 759 | max-namespaces 1024 760 | max-local-names 60000 761 | attachment-byte-count 2000000000 762 | attachment-package-byte-count 0 763 | debugger-type internal 764 | debug-history 25 765 | no flowcontrol 766 | soap-schema-url "store:///schemas/soap-envelope.xsd" 767 | front-timeout 120 768 | back-timeout 120 769 | front-persistent-timeout 180 770 | back-persistent-timeout 180 771 | no include-content-type-encoding 772 | http-server-version HTTP/1.1 773 | persistent-connections 774 | no loop-detection 775 | host-rewriting 776 | no chunked-uploads 777 | process-http-errors 778 | http-client-ip-label "X-Client-IP" 779 | http-global-tranID-label "X-Global-Transaction-ID" 780 | inorder-mode "" 781 | wsa-mode sync2sync 
782 | wsa-require-aaa 783 | wsa-strip-headers 784 | wsa-default-replyto "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous" 785 | wsa-default-faultto "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous" 786 | no wsa-force 787 | wsa-genstyle sync 788 | wsa-http-async-response-code 204 789 | wsa-timeout 120 790 | no wsrm 791 | wsrm-sequence-expiration 3600 792 | wsrm-destination-accept-create-sequence 793 | wsrm-destination-maximum-sequences 400 794 | no wsrm-destination-inorder 795 | wsrm-destination-maximum-inorder-queue-length 10 796 | no wsrm-destination-accept-offers 797 | no wsrm-request-force 798 | no wsrm-response-force 799 | no wsrm-source-request-create-sequence 800 | no wsrm-source-response-create-sequence 801 | no wsrm-source-make-offer 802 | no wsrm-source-sequence-ssl 803 | wsrm-source-maximum-sequences 400 804 | wsrm-source-retransmission-interval 10 805 | wsrm-source-exponential-backoff 806 | wsrm-source-retransmit-count 4 807 | wsrm-source-maximum-queue-length 30 808 | wsrm-source-request-ack-count 1 809 | wsrm-source-inactivity-close-interval 360 810 | no force-policy-exec 811 | rewrite-errors 812 | delay-errors 813 | delay-errors-duration 1000 814 | request-type preprocessed 815 | response-type preprocessed 816 | follow-redirects 817 | no rewrite-location-header 818 | stylepolicy mpgw-style-policy 819 | type static-backend 820 | no compression 821 | no allow-cache-control 822 | policy-attachments MPGW-foo 823 | no wsmagent-monitor 824 | wsmagent-monitor-capture-mode all-messages 825 | no proxy-http-response 826 | transaction-timeout 0 827 | exit 828 | 829 | %endif% 830 | 831 | %if% available "domain-availability" 832 | 833 | domain-availability 834 | admin-state disabled 835 | exit 836 | 837 | %endif% 838 | 839 | %if% available "nfs-dynamic-mounts" 840 | 841 | nfs-dynamic-mounts 842 | admin-state disabled 843 | version 3 844 | transport tcp 845 | mount-type hard 846 | no read-only 847 | rsize 4096 848 | wsize 4096 849 | 
timeo 7 850 | retrans 3 851 | inactivity-timeout 900 852 | mount-timeout 30 853 | exit 854 | 855 | %endif% 856 | 857 | %if% available "slm-action" 858 | 859 | slm-action "notify" 860 | type log-only 861 | log-priority warn 862 | exit 863 | 864 | slm-action "shape" 865 | type shape 866 | log-priority debug 867 | exit 868 | 869 | slm-action "throttle" 870 | type reject 871 | log-priority debug 872 | exit 873 | 874 | %endif% 875 | 876 | no statistics 877 | 878 | %if% available "wsm-agent" 879 | 880 | wsm-agent 881 | admin-state enabled 882 | max-records 3000 883 | max-memory 64000 884 | capture-mode faults 885 | buffer-mode discard 886 | no mediation-enforcement-metrics 887 | push-interval 100 888 | push-priority normal 889 | exit 890 | 891 | %endif% 892 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/drouter/config/reset-password.cfg: -------------------------------------------------------------------------------- 1 | # When the password should be set to something random, 2 | # we will have reset-password-imp.cfg. So if reset-password-imp.cfg 3 | # exists, then the password will be reset and the imp will be removed. 4 | # 5 | # Otherwise, this is a noop. 6 | # 7 | # This config is referenced by an include-config in auto-startup.cfg. 
8 | top; config 9 | 10 | %if% isfile config:///reset-password-imp.cfg 11 | exec config:///reset-password-imp.cfg 12 | %endif% 13 | 14 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/drouter/local/foo/hello-too.js: -------------------------------------------------------------------------------- 1 | var hm = require('header-metadata'); 2 | 3 | // Set the X-Hello-World header 4 | hm.current.set('X-Hello-World', 'Hello from DataPower domain foo'); 5 | 6 | session.input.readAsBuffer (function (error, buffer) { 7 | if (error) { 8 | // throw the error if there was one 9 | throw error; 10 | } 11 | // Since this simple application only returns a test hello world 12 | // string, we'll just prepend our placeholder string 13 | session.output.write("DataPower Proxied: " + buffer.toString()); 14 | }); 15 | 16 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This is rather like run-parts. The purpose of this script is 3 | # to call separate scriptlets that each generate some DataPower 4 | # configuration. Once all the DataPower configuration is generated, 5 | # then it exec's drouter. 6 | 7 | set -x 8 | 9 | # Ensure all the DATAPOWER_ env vars are available to drouter. 10 | export $(env | grep ^DATAPOWER_ | cut -d= -f1) 11 | 12 | # source each of the scriptlets ala run-parts: 13 | for f in $(find /start -type f -name \*.sh ! -name .\*) 14 | do 15 | echo "Processing $f" 16 | . "$f" 17 | set -x 18 | echo 19 | done 20 | 21 | # exec drouter with all orig args 22 | exec /bin/drouter "$@" 23 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/start/debug.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if [ ! 
-z "$DEBUG" ] 4 | then 5 | # Have the DEBUG env var from Docker 6 | # This means we want the log level to be set to debug in both default and foo 7 | tee /drouter/config/debug.cfg <<-EOF 8 | # DEBUG log is enabled 9 | top; co 10 | logging target "debug-log" 11 | type file 12 | priority normal 13 | soap-version soap11 14 | format text 15 | timestamp zulu 16 | no fixed-format 17 | size 10000 18 | local-file "logtemp:///debug-log" 19 | archive-mode rotate 20 | rotate 4 21 | no ansi-color 22 | facility user 23 | rate-limit 100 24 | connect-timeout 60 25 | idle-timeout 15 26 | active-timeout 0 27 | no feedback-detection 28 | no event-detection 29 | suppression-period 10 30 | ssl-client-type proxy 31 | event "all" "debug" 32 | exit 33 | EOF 34 | tee /drouter/config/foo/debug.cfg <<-EOF 35 | # DEBUG log is enabled 36 | top; co 37 | logging target "debug-log" 38 | type file 39 | priority normal 40 | soap-version soap11 41 | format text 42 | timestamp zulu 43 | no fixed-format 44 | size 10000 45 | local-file "logtemp:///debug-log" 46 | archive-mode rotate 47 | rotate 4 48 | no ansi-color 49 | facility user 50 | rate-limit 100 51 | connect-timeout 60 52 | idle-timeout 15 53 | active-timeout 0 54 | no feedback-detection 55 | no event-detection 56 | suppression-period 10 57 | ssl-client-type proxy 58 | event "all" "debug" 59 | exit 60 | EOF 61 | else 62 | # The DEBUG env var is not set in Docker; use loglevel info 63 | tee /drouter/config/debug.cfg <<-EOF 64 | # DEBUG log is not enabled 65 | EOF 66 | tee /drouter/config/foo/debug.cfg <<-EOF 67 | # DEBUG log is not enabled 68 | EOF 69 | fi 70 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/start/loadbalancer-group.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | { 4 | cat <<-EOF 5 | top; co 6 | 7 | loadbalancer-group lbg-backend 8 | reset 9 | EOF 10 | 11 | env | grep 
'^[a-zA-Z0-9_-]*_PORT_8080_TCP_ADDR' | cut -d= -f2- | while read ADDR 12 | do 13 | echo " server $ADDR 1 8080 enabled" 14 | done 15 | cat <<-EOF 16 | exit 17 | 18 | xml-manager default 19 | loadbalancer-group lbg-backend 20 | exit 21 | EOF 22 | } | tee /drouter/config/foo/loadbalancer-group.cfg 23 | 24 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/start/reset-password.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # If DP_RESET_PASSWORD=true, then set the admin password to one which is 3 | # random and automatically generated. Note that the password for 'admin' 4 | # is already persisted as standard config, and that password is the one 5 | # we'll use for development. But when we deploy we do *not* want a well- 6 | # known password to exist. Therefore we will reset it. 7 | 8 | rm -f /drouter/config/reset-password-imp.cfg 9 | 10 | if [ "$DP_RESET_PASSWORD" = "true" ] 11 | then 12 | tee /drouter/config/reset-password-imp.cfg <<- EOF 13 | top; co 14 | user admin 15 | password "$(tr -dc a-zA-Z0-9 < /dev/urandom | head -c 12)" 16 | exit 17 | delete config:///reset-password-imp.cfg 18 | EOF 19 | fi 20 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/start/vbox-inotify-workaround.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Work around the VBox/Docker Toolbox inotify bug [1] by disabling 4 | # GatewayScript Cache. Note that if we had XSL, we would want 5 | # to disable caches for that too. 
6 | # 7 | # [1] https://www.virtualbox.org/ticket/10660 8 | 9 | rm -f /drouter/config/vbox-inotify-workaround.cfg 10 | 11 | if [ "$DP_VBOX_INOTIFY" = "true" ] 12 | then 13 | tee /drouter/config/vbox-inotify-workaround.cfg <<-EOF 14 | # Working around https://www.virtualbox.org/ticket/10660 15 | # by disabling gatewayscript cache 16 | # We only do this when using GatewayScript with Docker 17 | # volumes when we expect to modify the GatewayScript itself 18 | # and want the changes to be immediately recognized. 19 | top; diag; set-gatewayscript-cache disable; top; config 20 | EOF 21 | else 22 | tee /drouter/config/vbox-inotify-workaround.cfg <<-EOF 23 | # No need to work around https://www.virtualbox.org/ticket/10660 24 | EOF 25 | fi 26 | -------------------------------------------------------------------------------- /docker/ibmcom-datapower-example/src/start/web-mgmt.sh: -------------------------------------------------------------------------------- 1 | { 2 | if [ "$DP_WEB_MGMT" = "true" ] 3 | then 4 | cat <<-EOF 5 | top; co 6 | 7 | web-mgmt 8 | reset 9 | admin enabled 10 | idle-timeout 0 11 | exit 12 | EOF 13 | else 14 | cat <<-EOF 15 | top; co 16 | 17 | web-mgmt 18 | admin disabled 19 | exit 20 | EOF 21 | fi 22 | } | tee /drouter/config/web-mgmt.cfg 23 | -------------------------------------------------------------------------------- /docker/rpm2img/.gitignore: -------------------------------------------------------------------------------- 1 | *.rpm 2 | -------------------------------------------------------------------------------- /docker/rpm2img/Dockerfile: -------------------------------------------------------------------------------- 1 | # Purpose: 2 | # Create a Docker image that contains a DataPower Gateway. The resulting 3 | # image will have the WebGUI enabled so the license can be accepted. 
#
# Usage:
# 1) Place the DataPower rpm packages in the docker build directory
# 2) Rename the packages ibm-datapower-common.rpm and ibm-datapower-image.rpm
#    respectively.
# 3) Issue the command " docker build "
#
# Notes:
# After building the DataPower image, run it mapping port 9090. Browse to
# the mapped port and accept the license.
#
# To access the cli, issue the following command:
# docker run -it telnet localhost 2200

FROM rhel7.2

# Place *only* the one common rpm and one image rpm in the local directory
# before running docker build
COPY ibm-datapower-common.rpm ibm-datapower-image.rpm /tmp/

# Install dependencies, enable web-mgmt, prepare for first run.
# Do not carry the rpm packages forward in the image
RUN echo "Installing dependencies" \
 && set -x \
 && yum -y update \
 && rpm -Uvh 'http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-6.noarch.rpm' \
 && yum -y install \
      telnet \
      net-tools \
      e2fsprogs \
 && echo "Installing DataPower Packages" \
 && yum -y install /tmp/ibm-datapower-image.rpm \
 && yum -y install /tmp/ibm-datapower-common.rpm \
 && echo "Enabling WebGUI" \
 && sed -i \
      -e '/^web-mgmt/,/^exit/s/admin-state.*/admin-state "enabled"/g' \
      /opt/ibm/datapower/datapower-external.cfg \
 && echo "Removing intermediate package files" \
 && rm /tmp/ibm-datapower-common.rpm /tmp/ibm-datapower-image.rpm \
 && echo "Preparing to run" \
 && /opt/ibm/datapower/datapower-docker-build.sh \
 && mkdir -p /datapower/config /datapower/local \
 && echo "DataPowerConfigDir=/datapower/config" >> /opt/ibm/datapower/datapower.conf \
 && echo "DataPowerLocalDir=/datapower/local" >> /opt/ibm/datapower/datapower.conf \
 && echo "DataPowerCpuCount=4" >> /opt/ibm/datapower/datapower.conf

# EXPOSE the port for the WebGUI.
EXPOSE 9090

CMD ["/opt/ibm/datapower/datapower-launch"]
--------------------------------------------------------------------------------
/docker/rpm2img/Makefile:
--------------------------------------------------------------------------------
# Instructions:
#
# 1) Place the DataPower RPM packages in the docker build directory
# 2) Rename the packages ibm-datapower-common.rpm and ibm-datapower-image.rpm
#    respectively.
# 3) make build -- this will give you a docker image of a just-installed
#    DataPower Gateway. This is the DataPower Factory Image.
# 4) make evolve -- this starts the DataPower Gateway in a container;
#    It runs the factory image so the license can be accepted and initial
#    configuration performed. This will evolve into the base image.
# 5) make cli -- Connect to the DataPower via the CLI. Initially this
#    is used for selecting secure backup and common criteria mode,
#    later it can be used for testing the resulting image.
# 6) make gui -- asks Firefox to open the DataPower WebGUI.
#    Initially, this is required for accepting the license. After, it can
#    be used for testing the result. Note that 'make gui' will stop running
#    instances of firefox.
# 7) Accept the license in the DataPower WebGUI
# 8) make stop -- this stops the DataPower container but does not delete it.
# 9) make commit -- creates a docker image of the license-accepted
#    DataPower Gateway. This image is called "-base" because it will be
#    used as the base for future DataPower images.
# 10) make run -- runs the -base image.
# 11) make tag -- tags the license-accepted image from the previous step
#    with the :latest suffix.
#
# This can be shortened to 3 steps:
# 1) make build evolve cli gui
# 2) accept license
# 3) make stop commit rm tag
#
# And an optional test step, to verify that the resulting image works properly.
# 4) make run cli rm
#
# For the especially brave, the whole process can be shortened to a single step:
# A) Use the "all" target: "make" or "make all".
# B) optional "make run cli rm" to test
#
# At the end of this process, you will have a DataPower Docker image suitable
# for use as a base for application development.
#
# A note on naming conventions:
# * The registry defaults to $(USER). Override at will. Add the registry prefix.
# * The repository defaults to the package name of the -image rpm, with the
#   trailing "-image" removed and "-factory" appended.
# * The default name for a running container is "datapower". Override at will,
#   but remember that the name of a container must be unique on this docker engine.
# * The repository of the committed image is the same as the name of the built image
#   with the addition of the "-base" suffix. This is because the committed,
#   license-accepted DataPower gateway is the image that will serve as the base
#   for other DataPower Gateway images created with docker build.
# * The tagged image is the same repository as the "-base" repository, except that the
#   tag is "latest".
#
# A note on working with multiple containers:
# * The default container name is "datapower"
# * The "CONTAINER_NAME" variable can be specified on make or as an environment
#   variable.
# * The "CONTAINER_HTTP_PROXY" variable can be specified to enable docker image
#   building behind a firewall, e.g. CONTAINER_HTTP_PROXY=http://9.138.237.58:3128
#   (you'll probably need http_proxy in /etc/default/docker as well)
#   (e.g. export http_proxy="http://9.138.237.58:3128")
# * One option is to have a window for each of several DataPower containers
#   and set CONTAINER_NAME=datapowerX, where X is 1..n, and is unique in each
#   window.

# Windows notes:
# 1) Use cygwin
# 2) Make sure to place your build dir somewhere under c:\users or /cygdrive/c/users,
#    it's the only way Docker volumes work as of this writing
# 3) Make sure that you can use Docker
BLDDIR=$(subst /cygdrive,,$(shell pwd))
REGISTRY ?= $(USER)
PACKAGENAME ?= datapower
FACTORYREPOSITORY=$(PACKAGENAME)-factory
BASEREPOSITORY=$(PACKAGENAME)-base
REPOSITORY=$(BASEREPOSITORY)
TAG ?= 0.1
CONTAINER_NAME ?= datapower

MAXWAIT=120

RUNFLAGS = --restart=on-failure --privileged -P

.PHONY: all build shell evolve run rm cli gui clean logs commit tag stop

all: build evolve cli gui stop commit rm tag

# Make sure a listener is on a port before trying to connect with it.
# Inside the container, check netstat once a second until the TCP
# port is in LISTEN.
define wait-for-listener
	@docker exec -it $(CONTAINER_NAME) /bin/bash -c \
	'MSG="Waiting for port $(LISTENPORT) listener"; \
	NL=""; \
	for (( i=0, RC=1; i<$(MAXWAIT); i++ )); do \
	    netstat -ln | grep -q "^tcp.*:$(LISTENPORT).*LISTEN" \
	        && { RC=0; break; }; \
	    echo -n $$MSG; \
	    MSG=.; \
	    NL="\n"; \
	    sleep 1; \
	done; \
	echo -ne "$$NL"; \
	exit $$RC'
endef

build: Dockerfile ibm-datapower-common.rpm ibm-datapower-image.rpm
	docker build --pull -t $(REGISTRY)/$(FACTORYREPOSITORY):$(TAG) .

evolve: REPOSITORY=$(FACTORYREPOSITORY)
evolve: run
	@echo "###############################################################"
	@echo "## It is a manual process to turn a factory image into a     ##"
	@echo "## base image. You must perform the following steps:         ##"
	@echo "##                                                           ##"
	@echo "## 1) In the CLI, answer the initial questions DataPower     ##"
	@echo "##    normally asks upon reinitialization, such as enabling  ##"
	@echo "##    secure backup and common criteria mode. As soon as     ##"
	@echo "##    you receive a DataPower prompt, type 'exit'.           ##"
	@echo "##                                                           ##"
	@echo "## 2) In the WebGUI, accept the license. When you are        ##"
	@echo "##    again presented with the DataPower login screen, close ##"
	@echo "##    firefox.                                               ##"
	@echo "###############################################################"

shell:
	docker exec -it $(CONTAINER_NAME) /bin/bash

# Start the CLI via telnet. But first wait up to $(MAXWAIT) sec for telnet to come up.
cli: LISTENPORT=2200
cli:
	$(wait-for-listener)
	docker exec -it $(CONTAINER_NAME) telnet 127.0.0.1 2200 ; true

gui: LISTENPORT=9090
gui:
	$(wait-for-listener)
	killall firefox 2>/dev/null; firefox https://127.0.0.1:$(shell docker inspect --format='{{(index (index .NetworkSettings.Ports "$(LISTENPORT)/tcp") 0).HostPort}}' $(CONTAINER_NAME) 2>/dev/null) > /dev/null 2>&1

run:
	docker run -d --name $(CONTAINER_NAME) $(RUNFLAGS) $(REGISTRY)/$(REPOSITORY):$(TAG)

stop:
	docker stop -t $(MAXWAIT) $(CONTAINER_NAME) || true

rm: stop
	docker rm $(CONTAINER_NAME) || true

clean:

logs:
	docker logs $(CONTAINER_NAME) 2>&1

commit:
	docker rmi $(REGISTRY)/$(BASEREPOSITORY):$(TAG) >/dev/null 2>&1 || true
	docker commit $(CONTAINER_NAME) $(REGISTRY)/$(BASEREPOSITORY):$(TAG)

tag:
	docker tag -f $(REGISTRY)/$(BASEREPOSITORY):$(TAG) $(REGISTRY)/$(BASEREPOSITORY):latest
--------------------------------------------------------------------------------
/docker/rpm2img/readme.md:
--------------------------------------------------------------------------------
## rpm2img Purpose:

Given the DataPower Gateway RPM files, create a Docker Image suitable
for further DataPower work.

NOTICE: This is a legacy example that does not take advantage of DataPower Gateway for Docker. Consider using the [ibmcom-datapower-example](https://github.com/ibm-datapower/datapower-labs/tree/master/docker/ibmcom-datapower-example) instead.

## Usage:

Prerequisites:
* Meet the documented DataPower Gateway Virtual Edition minimum requirements.
  Four cores and 8 GB RAM is a good starting place.
* Have Docker already installed and working properly.
* A browser must be available for accepting the license.
  The best experience is with Firefox available on the build host.
* This example is Makefile based; GNU make is required.
* This example requires schroot; [EPEL](https://fedoraproject.org/wiki/EPEL) is strongly suggested.

1. Download the DataPower Gateway Virtual Edition RPM files from
   IBM Passport Advantage (PPA).

2. For all image versions, rename the files "ibm-datapower-common.rpm" and "ibm-datapower-image.rpm"
   respectively. Then place the image files and the Dockerfile in a directory such as `~/datapower-docker/`

3. Run `docker build -t ibm-datapower-factory .`
   (notice the trailing dot is part of the command)

4. Create a Docker container with the name `datapower`, run it with elevated privileges, and open port 9090 by entering the following command: `docker run -d --name datapower --privileged -p 9090:9090 ibm-datapower-factory`.

5. To accept the license and perform initialization, log in to https://Docker_IP:9090 with username `admin` and password `admin`.

6. Try out your new "base image"
   * `make run` -- Run a container from the base image, named "datapower" by default
   * `make cli` -- Access the cli of the running "datapower" container
   * `make gui` -- Access the DataPower WebGUI
   * `make rm` -- Stop and remove the container "datapower"
   * Use it as the FROM in another Docker project!

The Makefile itself contains extensive, detailed notes.

This is the first step in taking advantage of a Dockerized
DataPower Gateway. The next step is to create another image based upon
this image.
--------------------------------------------------------------------------------
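The reset-password.sh start script in ibmcom-datapower-example (above) emits its CLI fragment through `tee`, so the freshly generated admin password is written to the config file and also to the script's stdout, which inside a container normally ends up in `docker logs`. The following is an added example, not code from datapower-labs: it keeps the same self-deleting fragment (the `delete config:///...` line that makes DataPower remove the file after import) and the same `tr`/`head` password recipe from the page, but writes the fragment only to an owner-readable file and prints nothing. `gen_password`, `password_is_well_formed`, `render_reset_password_cfg` and `password_from_cfg` are this example's own names; the output path is a parameter so it can be exercised in a scratch directory instead of `/drouter/config`. `DP_RESET_PASSWORD` is the toggle the page already uses.

```shell
#!/bin/sh
# Added example (not datapower-labs code): render a self-deleting DataPower
# CLI fragment that resets the admin password, without echoing the secret to
# stdout (where `tee` in the original start script would leave it in the
# container log).

# Random alphanumeric password of the requested length (default 12). Same
# recipe as the page's reset-password.sh; `head` closes the pipe once it has
# enough bytes.
gen_password() {
    tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c "${1:-12}"
}

# Return 0 if $1 is exactly $2 (default 12) characters drawn from [a-zA-Z0-9].
password_is_well_formed() {
    pw="$1"; want="${2:-12}"
    [ "${#pw}" -eq "$want" ] || return 1
    case "$pw" in
        *[!a-zA-Z0-9]*) return 1 ;;
    esac
    return 0
}

# Render the fragment to $1 when DP_RESET_PASSWORD=true; otherwise make sure
# no stale fragment is left behind, exactly as the original `rm -f` does.
# The password only ever lands in the 0600 file, never on stdout.
render_reset_password_cfg() {
    out="$1"
    rm -f "$out"
    [ "${DP_RESET_PASSWORD:-false}" = "true" ] || return 0
    pw="$(gen_password 12)"
    old_umask="$(umask)"
    umask 077                      # create the file owner-readable only
    printf '%s\n' \
        'top; co' \
        'user admin' \
        "  password \"$pw\"" \
        'exit' \
        "delete config:///$(basename "$out")" > "$out"
    umask "$old_umask"
}

# Read the password value back out of a rendered fragment (for verification).
password_from_cfg() {
    sed -n 's/^ *password "\(.*\)"$/\1/p' "$1"
}

# Stand-alone use: RESET_PW_DEMO_OUT=/tmp/reset-password-imp.cfg DP_RESET_PASSWORD=true sh this-file.sh
if [ -n "${RESET_PW_DEMO_OUT:-}" ]; then
    render_reset_password_cfg "$RESET_PW_DEMO_OUT"
fi
```

Because the fragment deletes itself once DataPower imports it, the only durable copy of the new password is whatever the operator retrieves from the 0600 file before start-up completes; that is the property the original script wants, and removing `tee` from the path keeps it out of the log stream.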
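The rpm2img Dockerfile enables the WebGUI with one `sed` range expression, `/^web-mgmt/,/^exit/s/admin-state.*/admin-state "enabled"/g`, applied to `/opt/ibm/datapower/datapower-external.cfg`. The example below is added here and is not project code: it runs that exact expression against a constructed stand-in for the file to show what the range address does, namely that the substitution is confined to the lines between `web-mgmt` and the next `exit`, so an `admin-state` in any other stanza is left alone. The sample file content, including the `other-service` stanza, is constructed for illustration and is not taken from DataPower's shipped configuration; `write_sample_cfg`, `enable_web_mgmt` and `admin_state_of` are the example's names.

```shell
#!/bin/sh
# Added example (not datapower-labs code): apply the rpm2img Dockerfile's sed
# range edit to a constructed config file and read the result back.

# Constructed stand-in for datapower-external.cfg. "other-service" is invented
# here only to show that the range address does not reach it; it is not a real
# DataPower object.
write_sample_cfg() {
    cat > "$1" <<'EOF'
top; configure terminal

web-mgmt
  admin-state "disabled"
  local-address "0.0.0.0"
  port 9090
exit

other-service
  admin-state "disabled"
exit
EOF
}

# The Dockerfile's edit, verbatim: from a line beginning "web-mgmt" up to the
# next line beginning "exit", rewrite every admin-state line to "enabled".
# Lines outside that range are not touched, whatever they contain.
enable_web_mgmt() {
    sed -i \
        -e '/^web-mgmt/,/^exit/s/admin-state.*/admin-state "enabled"/g' \
        "$1"
}

# Print the admin-state value inside stanza $2 of file $1, using the same
# range-address idea read-only (sed -n ... p).
admin_state_of() {
    sed -n "/^$2/,/^exit/s/^ *admin-state \"\(.*\)\"\$/\1/p" "$1"
}

# Stand-alone use: SED_DEMO_CFG=/tmp/datapower-external.cfg sh this-file.sh
if [ -n "${SED_DEMO_CFG:-}" ]; then
    write_sample_cfg "$SED_DEMO_CFG"
    enable_web_mgmt "$SED_DEMO_CFG"
    admin_state_of "$SED_DEMO_CFG" web-mgmt
fi
```

The `.*` after `admin-state` swallows the rest of the line, so a value other than `"disabled"` (or trailing text) is replaced just the same; the indentation before `admin-state` survives because the match starts at the keyword.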
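The rpm2img Makefile's `wait-for-listener` macro polls `netstat -ln` inside the container through `docker exec -it`, which requires a terminal, and its pattern `^tcp.*:$(LISTENPORT).*LISTEN` leaves the port unanchored, so a listener on port 22000 would satisfy a wait for 2200. This added example (not part of the project's Makefile) ports the loop to a POSIX shell function that anchors the port and takes the listing command as a parameter, so it can run from the host without a TTY (for instance `docker exec NAME netstat -ln`, with no `-it`) or, as its test does, against a constructed listing. `port_is_listening_in`, `loose_port_match`, `wait_for_listener` and `sample_listing` are the example's names; the netstat text in `sample_listing` is constructed, and `MAXWAIT` defaults to the Makefile's 120 seconds.

```shell
#!/bin/sh
# Added example (not datapower-labs code): wait for a TCP listener the way
# the Makefile's wait-for-listener macro does, but anchored on the port and
# usable without a terminal.

# $1 = "netstat -ln" style output, $2 = port. Anchored: the port must be
# followed by whitespace, so ":2200 " matches and ":22000 " does not. Both
# tcp and tcp6 rows count.
port_is_listening_in() {
    printf '%s\n' "$1" | grep -Eq "^tcp6?[[:space:]].*:$2[[:space:]].*LISTEN"
}

# The Makefile's original pattern, kept only to show the false positive:
# ":2200" is a prefix of ":22000", so a 22000 listener satisfies a 2200 wait.
loose_port_match() {
    printf '%s\n' "$1" | grep -q "^tcp.*:$2.*LISTEN"
}

# Poll until $1 is in LISTEN, checking once a second for up to $MAXWAIT
# seconds (120 by default, as in the Makefile). $2 is the command that
# prints the listing; default "netstat -ln" for use inside the container,
# or e.g. "docker exec datapower netstat -ln" from the host.
wait_for_listener() {
    port="$1"; lister="${2:-netstat -ln}"; i=0
    while [ "$i" -lt "${MAXWAIT:-120}" ]; do
        if port_is_listening_in "$($lister 2>/dev/null)" "$port"; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Constructed netstat -ln output: a 22000 listener (to trip the loose
# pattern), the WebGUI on 9090, and the CLI on 2200 over tcp6.
sample_listing() {
    printf '%s\n' \
        'Active Internet connections (only servers)' \
        'Proto Recv-Q Send-Q Local Address           Foreign Address         State' \
        'tcp        0      0 0.0.0.0:22000           0.0.0.0:*               LISTEN' \
        'tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN' \
        'tcp6       0      0 :::2200                 :::*                    LISTEN'
}

# Stand-alone use: WAIT_DEMO_PORT=2200 sh this-file.sh   (polls the local netstat)
if [ -n "${WAIT_DEMO_PORT:-}" ]; then
    wait_for_listener "$WAIT_DEMO_PORT" && echo "port $WAIT_DEMO_PORT is listening"
fi
```

Dropping `-it` matters for unattended runs: `docker exec -it` fails when make is driven from a CI job or a cron-style script with no terminal attached, whereas a plain `docker exec` works in both settings.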