Db2

  • 1.  How to run Docker ibmcom/db2 image as non-root

    IBM Champion
    Posted Mon February 08, 2021 01:52 PM
    Is it possible to build an image from the DB2 Docker image that can run as non-root?  Though we have a production DB2 server deployed on-prem, I would like to create a simple cloud image that can be deployed to our Kubernetes environment for test and development purposes.  The catch is we are restricted to deploy our services as non-root.  

    I've looked at the ibmcom/db2 image a bit.  It seems the non-root support was either not installed, or perhaps removed before publishing.  For example, one of the steps for non-root setup is to run the db2rfe command, but I'm not able to find this command on the image.

    Thanks,
    Jim

    ------------------------------
    Jim Creasman
    ------------------------------

    #Db2


  • 2.  RE: How to run Docker ibmcom/db2 image as non-root

    Posted Mon December 27, 2021 04:34 PM
    Edited by Pablo Ojea Mon May 22, 2023 07:15 AM

    Hi Jim,

    I have the same problem. Were you able to build a DB2 image that did not use root?

    Thanks




  • 3.  RE: How to run Docker ibmcom/db2 image as non-root

    IBM Champion
    Posted Mon December 27, 2021 07:41 PM
    Hi Pablo,

         Yes, I was able (eventually) to get this to work.  In our case we only run DB2 in a container for development and testing purposes, and not in a production setting.  Below is the Dockerfile I created.  I haven't built this in several months since the image runs and meets our requirements.  You may need to make some updates for your local environment.  

    Hope it helps,
    Jim

    FROM <<<Your Ubuntu image here.  I used ubuntu:18.04>>>
    
    USER root
    
    # Copy and extract DB2 installation files.
    RUN mkdir -p /tmp/db2
    ADD "<<<Path to DB2 install image, e.g., <root>/com.ibm.db2/11.5.5/com.ibm.db2-11.5.5.tar.gz>>>" /tmp/db2/
    RUN cd /tmp/db2 \
        && tar -zxf ./*.tar.gz \
        && chmod -R a+rx /tmp/db2
    
    # Add local DB2 response files.
    COPY "install/db2server.rsp" /tmp/db2/
    COPY "install/services.db2" /tmp/db2/
    COPY "install/db2rfe.cfg" /tmp/db2/
    
    RUN mkdir -p /var/custom/sql
    COPY "setup/*.sh" /var/custom/
    RUN chmod -R a+rwx /var/custom
    
    # Install required pre-req packages
    RUN apt-get update -y \
        && apt update && apt upgrade -y \
        && apt-get install -y libnuma1 \
        && apt-get install -y libaio1 \
        && apt-get install -y file \
        && apt-get install -y binutils \
        && apt-get install -y lib32stdc++6 \
        && apt-get install -y libxml2
    
    # Fix up services file
    RUN touch /etc/services \
        && cat /tmp/db2/services.db2 >> /etc/services
    
    # Create the users and groups needed.
    RUN groupadd -g 3000 db2iadm1 \
        && groupadd -g 998 db2fadm1 \
        && groupadd -g 997 dasadm1
    
    RUN useradd -u 1000 -g db2iadm1 -m -d /home/db2inst1 db2inst1 \
        && useradd -u 1003 -g db2fadm1 -m -d /home/db2fenc1 db2fenc1 \
        && useradd -u 1002 -g dasadm1 -m -d /home/dasusr1 dasusr1
    
    ENV initial_password=<<<some-password>>>
    RUN echo 'db2inst1:<<<new-password>>>' | chpasswd
    
    # Docker startup and runtime scripts.
    COPY docker-entrypoint.sh /usr/local/bin/
    COPY docker-db2cfg.sh /usr/local/bin/
    RUN chmod +x /usr/local/bin/docker-*.sh
    
    # Install DB2 as non-root
    USER db2inst1
    RUN /tmp/db2/server_dec/db2setup -r /tmp/db2/db2server.rsp
    
    # Run below commands as root before switching back to instance user.
    USER root
    
    # -- Create and activate DB2 database
    RUN echo "0 "$HOSTNAME" 0" > /home/db2inst1/sqllib/db2nodes.cfg \
        && cat /home/db2inst1/sqllib/db2nodes.cfg \
        && cd /home/db2inst1/sqllib/instance && ./db2rfe -f /tmp/db2/db2rfe.cfg \
        && su - db2inst1 -c "db2start" \
        && su - db2inst1 -c "db2 create db psdb using codeset utf-8 territory us collate using identity" \
        && su - db2inst1 -c "db2 activate db psdb" \
        && su - db2inst1 -c "db2stop" 
    
    # -- Remove  DB2 install binaries
    RUN rm -rf /tmp/db2
    
    # -- Enable password to be changed by user.
    RUN pam-auth-update --package
    
    USER db2inst1
    
    ENTRYPOINT [ "docker-entrypoint.sh" ]


    ------------------------------
    Jim Creasman
    ------------------------------
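
The Dockerfile above ends with `USER db2inst1`, a name rather than a UID; with `runAsNonRoot: true` in a pod's `securityContext`, the kubelet cannot verify that a named user is non-root and will not start the container unless `runAsUser` is also set. The check below is an added example, not part of the thread: it reports the final `USER` of a Dockerfile and, for a named user, the UID taken from its `useradd` line. The function names and the trimmed sample Dockerfile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Function names are hypothetical.

# Constructed sample: the user-related lines of the Dockerfile posted above.
sample_dockerfile() {
cat <<'EOF'
FROM ubuntu:18.04
USER root
RUN useradd -u 1000 -g db2iadm1 -m -d /home/db2inst1 db2inst1 \
    && useradd -u 1003 -g db2fadm1 -m -d /home/db2fenc1 db2fenc1
USER db2inst1
RUN /tmp/db2/server_dec/db2setup -r /tmp/db2/db2server.rsp
USER root
USER db2inst1
ENTRYPOINT [ "docker-entrypoint.sh" ]
EOF
}

# final_user FILE: argument of the last USER instruction (empty if none).
final_user() {
    awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$1"
}

# uid_for FILE NAME: the -u value of the useradd command that creates NAME.
uid_for() {
    awk -v name="$2" '{
        uid = ""; seen = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "useradd") seen = 1
            if (seen && $i == "-u") uid = $(i + 1)
        }
        last = ($NF == "\\") ? $(NF - 1) : $NF
        if (seen && last == name && uid != "") print uid
    }' "$1" | tail -n 1
}

# run_as_nonroot_verdict FILE: how a pod with runAsNonRoot: true treats the image.
run_as_nonroot_verdict() {
    u=$(final_user "$1"); u=${u%%:*}        # drop an optional :group suffix
    case "$u" in
        ''|root)  echo "fail: image runs as root" ;;
        *[!0-9]*) echo "needs runAsUser: $(uid_for "$1" "$u") (USER $u is not numeric)" ;;
        *)        if [ "$u" -eq 0 ]; then echo "fail: image runs as root"
                  else echo "ok: USER $u"; fi ;;
    esac
}

tmp=$(mktemp) && sample_dockerfile > "$tmp" && run_as_nonroot_verdict "$tmp"; rm -f "$tmp"
```

Changing the last instruction to `USER 1000` makes the image pass the check without a `runAsUser` override.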



  • 4.  RE: How to run Docker ibmcom/db2 image as non-root

    Posted Wed December 29, 2021 07:13 AM
    Edited by Pablo Ojea Mon May 22, 2023 07:16 AM

    Hi Jim,

    Thank you very much for your help. I have a question: can the files that you copy in the Dockerfile (db2server.rsp, services.db2, db2rfe.cfg, setup/*.sh, docker-entrypoint.sh, docker-db2cfg.sh) be obtained from any repository?

    I'm testing on my local with version v11.5.6 (v11.5.6_linuxx64_server_dec.tar.gz) but I have this question.

    Thank you very much and best regards

    #Db2



  • 5.  RE: How to run Docker ibmcom/db2 image as non-root

    Posted Tue September 12, 2023 10:51 AM

    Hi @jim-creasman  

    Could you please provide those rsp files? I'm having huge difficulty installing, and no matter how I configure the RSP files, they end up in error:

    Installing: ITLM

    Installing: CLPPLUS

    Installing: ESE_PRODUCT_SIGNATURE

    Installing DB2 file sets :.......Success
    Executing control tasks :.......Success
    Updating global registry :.......Success
    Registering DB2 licenses :.......Success
    Setting default global profile registry variables :.......Success
    Initializing instance list :.......Success
    ERROR: DBI1084E  An attempt to create /home/db2inst1/sqllib/db2dump failed.

    Explanation:

    An error occurred when creating the given file or directory.

    User response:

    Check that there is enough space in the file system and that you have
    write permission for the required directory. Suggested directory
    permissions are u=rwx,go=rx.

    .

    And /home/db2inst1 sure has privileges for the db2inst1 user.  chmod -R a+wrx /home/db2inst1;chown -R db2inst1 /home/db2inst1



    ------------------------------
    Mauno Haukila
    ------------------------------



  • 6.  RE: How to run Docker ibmcom/db2 image as non-root

    IBM Champion
    Posted Wed September 13, 2023 02:44 PM

    Mauno,

         These are the ones I'm using.  Hope they help.

    Jim

    db2rfe.cfg

    INSTANCENAME=db2inst1
    ENABLE_OS_AUTHENTICATION=YES

    db2server.rsp

    PROD                      = DB2_SERVER_EDITION
    LIC_AGREEMENT             = ACCEPT            ** ACCEPT or DECLINE
    INSTALL_TYPE              = COMPACT           ** TYPICAL, COMPACT, CUSTOM
    INTERACTIVE               = YES               ** YES to provide feedback as install runs

    services.db2

    db2c_db2inst1      50000/tcp 
    db2c_db2inst1_ssl  50001/tcp 
    db2j_db2inst1      55000/tcp 
    DB2_db2inst1       60000/tcp 
    DB2_db2inst1_1     60001/tcp 
    DB2_db2inst1_2     60002/tcp 
    DB2_db2inst1_3     60003/tcp 
    DB2_db2inst1_4     60004/tcp 
    DB2_db2inst1_END   60005/tcp 



    ------------------------------
    Jim Creasman
    ------------------------------



  • 7.  RE: How to run Docker ibmcom/db2 image as non-root

    Posted Wed October 04, 2023 11:14 AM

    Hi @Jim Creasman,

    We have also created a similar db2 non-root image. It works as expected when creating docker containers. However, when we use this image to deploy a db2 container on Kubernetes, we get the following error when we try to connect to the container with username and password:

    DB2 SQL Error: SQLCODE=-1639, SQLSTATE=08001, SQLERRMC=null

    Everything else looks fine in the container, except that for some reason authentication seems to be broken. The db2rfe file was used to enable OS_authentication. We even tried the fix suggested here: https://www.ibm.com/support/pages/database-connection-fails-authentication-error-sql1639n but it did not help.

    Did you face a similar issue before, or do you have any idea what might be the root cause?



    ------------------------------
    Siddhant Saha
    ------------------------------