IBM Verify

  • 1.  Docker vs. general clustered appliances (IVIA)

    Posted 29 days ago

    Dear All!

    I am trying to find out how to configure a cluster solution in a Docker environment. Normally I have the general Docker images (rp, runtime, dsc etc.).

    In the non-Docker case I can create a cluster and share runtime information, and also have primary master, secondary etc.

    What is the case in Docker? I don't see any option, or I don't yet fully understand the IVIA services in Docker...

    Can someone provide a documentation link where I can get more information?

    Regards,



    ------------------------------
    Janos Laszlo Horvath
    ------------------------------


  • 2.  RE: Docker vs. general clustered appliances (IVIA)

    Posted 29 days ago

    Hello Janos,

    Since in a Docker or containerized environment the AAC/Federation JVM is separated into the 'Runtime Container', it's not necessary to use the 'clustering' feature. This is because you have a single configuration container that acts as the LMI for configuring your policy. You can either use an external Configuration Database, or the latest containers will use an internal H2 database for the Configuration Database, as it runs without using a TCP socket for communications.

    To achieve high availability you'd still want to use an external High Volume Database with backups. Whether that's containerized is your decision.

    As far as the Runtime containers or the Reverse Proxy containers go, you achieve high availability by using a StatefulSet type deployment or by defining a Deployment that has multiple containers per pod.

    There are many solutions for HA in the containerized environment.

    IVIA clustering does not exist in a containerized environment.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: Docker vs. general clustered appliances (IVIA)

    Posted 27 days ago

    Hello Jack,

    Thanks for the reply.

    Now I am trying to follow the instructions from here (a bit old, but I didn't find a more recent post):

    https://community.ibm.com/community/user/security/blogs/shane-weeden1/2018/01/08/running-isam-on-ibm-cloud

    But for some reason, for openldap I always get an error:

    NAME                          READY   STATUS             RESTARTS     AGE
    openldap-5766786c88-fpll4     0/1     CrashLoopBackOff

    The image can be downloaded from icr.io but cannot be started. I tried different images, always the same error. Unfortunately I didn't find the exact reason for this in the logs.

    Do you have any idea?

    Regards,



    ------------------------------
    Janos Laszlo Horvath
    ------------------------------



  • 4.  RE: Docker vs. general clustered appliances (IVIA)

    Posted 26 days ago

    Hello Janos,


    What OS are you running these containers on?

    Our product only supports x86 emulation so running it on Apple Silicon doesn't work unless you use Rancher Desktop in experimental mode.

    Also, you can use 'docker inspect container' to see all the output, and that should tell you more about the problems with the container.
    You can also use 'docker logs -f container' to follow the logs as the container tries to start up.

    Another issue I've encountered is in the YAML definition.

    I hit issues with volume claims when trying to set up the IBM Security Verify Bridge for Provisioning (which is a different product, but a container issue that I hit), which was defined this way in the YAML:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata: 
      namespace: isv
      name: broker-vol
    spec:
      storageClassName: "standard"
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
    #  volumeName: pv-broker

    ---

    So, if you have specified a 'volumeName', then there has to be an existing volume with that name already in the environment.
    Also, if there is a 'namespace' defined in the 'metadata' section of the YAML, then that namespace has to already exist.

    Those are more Kubernetes related issues though.

    Long story short, from just the error you've shown I can't tell you what the problem is.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 5.  RE: Docker vs. general clustered appliances (IVIA)

    Posted 24 days ago

    Hello Jack,

    First of all thank you for the answer. 

    I use a Linux OS. Finally I was able to solve the startup problem (of course I have got another one :-) ).

    As you highlighted, the Kubernetes YAML definition file has some problems.

    These were changed on my side:

    ADD:

      selector:
        matchLabels:
          app:  /containerapp/

    REPLACE:

    image: icr.io/isva/...   -- use current container image from icr

    Change the mount path: it was "readonly", therefore the container itself couldn't write to it

     mountPath: /home/ldap/service/slapd/assets/certs
     name: keys

    After these changes the LDAP container can start.

    Now I'm facing another Kubernetes-related issue which is not related to the IVIA product.

    Again thank you for the hints...



    ------------------------------
    Janos Laszlo Horvath
    ------------------------------
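
The pitfalls raised across posts 2, 4 and 5 (a namespace named in metadata that was never created, a PVC volumeName pointing at a PersistentVolume that does not exist, a Deployment without a matching spec.selector.matchLabels, a volume mounted readOnly on a path the container writes to, and a single-replica workload that gives no redundancy) can all be caught before kubectl apply. The following Python script is an added example, not code from this thread or from IBM: it lints manifests given as already-parsed dicts using only the standard library. The sample manifests, the set of "existing" namespaces and PersistentVolumes, and the writable-path list are constructed for the example; the image name is left elided as in the thread.

```python
"""Lint Kubernetes manifests for the pitfalls raised in this thread.

Added example, not IBM's or IVIA's code. Manifests are passed as already-parsed
dicts (the shape yaml.safe_load_all() returns), so this runs with the standard
library only. The namespace and PersistentVolume names are constructed
stand-ins for what `kubectl get ns` and `kubectl get pv` would report.
"""


def lint_manifests(docs, existing_namespaces, existing_pvs, writable_mounts=(),
                   min_replicas=2):
    """Return (kind/name, message) findings; an empty list means clean."""
    findings = []
    for doc in docs:
        meta = doc.get("metadata", {})
        spec = doc.get("spec", {})
        ref = f"{doc.get('kind', '?')}/{meta.get('name', '?')}"

        # kubectl apply does not create a namespace named in metadata.
        ns = meta.get("namespace", "default")
        if ns not in existing_namespaces:
            findings.append((ref, f"namespace '{ns}' does not exist"))

        if doc.get("kind") == "PersistentVolumeClaim":
            # volumeName pins the claim to one PV; if that PV is absent the
            # claim stays Pending and every pod mounting it never starts.
            pv = spec.get("volumeName")
            if pv and pv not in existing_pvs:
                findings.append((ref, f"volumeName '{pv}' names a PersistentVolume that does not exist"))

        if doc.get("kind") in ("Deployment", "StatefulSet"):
            template = spec.get("template", {})
            labels = template.get("metadata", {}).get("labels", {})
            match = spec.get("selector", {}).get("matchLabels")
            if not match:
                findings.append((ref, "spec.selector.matchLabels is required in apps/v1"))
            elif any(labels.get(k) != v for k, v in match.items()):
                findings.append((ref, "selector.matchLabels does not match template labels"))

            # One replica means one pod: no redundancy, so no HA.
            if spec.get("replicas", 1) < min_replicas:
                findings.append((ref, f"replicas < {min_replicas}: no redundancy"))

            for c in template.get("spec", {}).get("containers", []):
                for m in c.get("volumeMounts", []):
                    if m.get("readOnly") and m.get("mountPath") in writable_mounts:
                        findings.append((ref, f"{m['mountPath']} is readOnly but {c.get('name')} writes there"))
    return findings


# Paths the container writes at startup (assumption: the mount the poster
# had to make writable for the openldap container).
WRITABLE_MOUNTS = {"/home/ldap/service/slapd/assets/certs"}


def _docs(with_fixes):
    """Constructed PVC + Deployment pair; with_fixes=True applies the thread's fixes."""
    pvc = {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
           "metadata": {"namespace": "isv", "name": "broker-vol"},
           "spec": {"storageClassName": "standard", "accessModes": ["ReadWriteOnce"],
                    "resources": {"requests": {"storage": "1Gi"}}}}
    mount = {"name": "keys", "mountPath": "/home/ldap/service/slapd/assets/certs"}
    dep = {"apiVersion": "apps/v1", "kind": "Deployment",
           "metadata": {"namespace": "isv", "name": "openldap"},
           "spec": {"template": {"metadata": {"labels": {"app": "openldap"}},
                                 "spec": {"containers": [{"name": "openldap",
                                                          "image": "icr.io/isva/...",  # elided as in the thread
                                                          "volumeMounts": [mount]}]}}}}
    if with_fixes:
        dep["spec"]["selector"] = {"matchLabels": {"app": "openldap"}}
        dep["spec"]["replicas"] = 2
    else:
        pvc["spec"]["volumeName"] = "pv-broker"   # PV never created
        mount["readOnly"] = True
    return [pvc, dep]


BROKEN = _docs(with_fixes=False)
FIXED = _docs(with_fixes=True)

if __name__ == "__main__":
    # Before: namespace 'isv' not created yet, PV missing, selector absent, etc.
    for ref, msg in lint_manifests(BROKEN, {"default"}, set(), WRITABLE_MOUNTS):
        print(f"{ref}: {msg}")
    # After: namespace created, no volumeName, selector and replicas set, mount writable.
    print("fixed:", lint_manifests(FIXED, {"isv"}, set(), WRITABLE_MOUNTS))
```

Run it as-is to see the six findings for the broken pair and an empty list for the fixed pair; to lint real files, load them with `yaml.safe_load_all()` and feed the namespace and PV names reported by `kubectl get ns` and `kubectl get pv` instead of the constructed sets.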