Base Docker images
ForgeRock provides 13 Docker images for deploying the Ping Identity Platform:
- Eight unsupported, evaluation-only base images:
  - amster
  - am-cdk
  - am-config-upgrader
  - ds
  - idm-cdk
  - ig
  - java-11
  - java-17
- Five supported base images that implement the platform’s user interface elements and ForgeOps operators:
  - ds-operator
  - platform-admin-ui
  - platform-enduser-ui
  - platform-login-ui
  - secret-agent
The Docker images are publicly available in ForgeRock’s Docker repository, gcr.io/forgerock-io.
Which Docker images do I deploy?
- I am a developer using the CDK.
  - UI elements. Deploy the supported images from ForgeRock.
  - Other platform elements. Deploy either:
    - The evaluation-only images from ForgeRock.
    - Docker images that are based on the evaluation-only images, but contain a customized configuration profile.
- I am doing a proof-of-concept CDM deployment.
  - UI elements. Deploy the supported images from ForgeRock.
  - Other platform elements. Deploy either:
    - The evaluation-only images from ForgeRock.
    - Docker images that are based on the evaluation-only images, but contain a customized configuration profile.
- I am deploying the platform in production.
  - UI elements. Deploy the supported images from ForgeRock.
  - Other platform elements. Deploy Docker images that are based on your own base images, but contain a customized configuration profile. ForgeRock does not support production deployments with Docker images based on the evaluation-only images.
Your own base Docker images
Perform the following steps to build base images for the eight unsupported, evaluation-only Docker images. After you’ve built your own base images, push them to your Docker repository:
- Download the latest versions of the AM, Amster, IDM, and DS .zip files from the Ping Identity Download Center. Optionally, you can also download the latest version of the PingGateway .zip file.
- If you haven’t already done so, clone the forgeops and forgeops-extras repositories. For example:
    $ git clone https://github.com/ForgeRock/forgeops.git
    $ git clone https://github.com/ForgeRock/forgeops-extras.git
  Both repositories are public; you do not need credentials to clone them.
- Check out the forgeops repository’s release/7.3-20240131 branch:
    $ cd /path/to/forgeops
    $ git checkout release/7.3-20240131
- Check out the forgeops-extras repository’s main branch:
    $ cd /path/to/forgeops-extras
    $ git checkout main
- Build Java base images, which are required by several of the other Dockerfiles:
  - Build the Java 11 Docker image:
      $ cd /path/to/forgeops-extras/images/java-11
      $ docker build --tag my-repo/java-11 .
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 2.42kB 0.0s
      ⇒ [internal] load metadata for docker.io/library/debian:buster-slim 2.9s
      ⇒ [internal] load metadata for docker.io/azul/zulu-openjdk-debian:11-latest 2.7s
      ⇒ [stage-0 1/4] FROM docker.io/azul/zulu-openjdk-debian:11-latest@sha256:aa1df513d9f6d0025e4e1a890732192a1aee473437a01a885136fc0f5db2622e 22.4s
      ...
      ⇒ exporting to image 0.3s
      ⇒ ⇒ exporting layers 0.3s
      ⇒ ⇒ writing image sha256:76742b285ddf975ab6b36e1ad91d63cd6d5920d0f096d222f93ffa6026b7f7f5 0.0s
      ⇒ ⇒ naming to docker.io/my-repo/java-11
  - Build the Java 17 Docker image:
      $ cd /path/to/forgeops-extras/images/java-17
      $ docker build --tag my-repo/java-17 .
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 2.38kB 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for docker.io/library/debian:bullseye-slim 1.1s
      ⇒ [internal] load metadata for docker.io/azul/zulu-openjdk-debian:17 1.3s
      ⇒ [jdk 1/3] FROM docker.io/azul/zulu-openjdk-debian:17@sha256:420a137d0576e3fd0d6f6332f5aa1aef85314ed83b3797d7f965e0b9169cbc57 17.7s
      ...
      ⇒ exporting to image 0.3s
      ⇒ ⇒ exporting layers 0.3s
      ⇒ ⇒ writing image sha256:cc52e9623b3cd411682ca221a6722e83610b6b7620f126d3f7c4686e79ff1797 0.0s
      ⇒ ⇒ naming to docker.io/my-repo/java-17 0.0s
- Build the base image for Amster. This image must be available to build the base image for AM in the next step:
  - Make a directory named amster.
  - Unzip the Amster .zip file into the new amster directory.
  - Change to the samples/docker directory in the expanded .zip file output.
  - Run the setup.sh script:
      $ ./setup.sh
      + mkdir -p build
      + find ../.. '!' -name .. '!' -name samples '!' -name docker -maxdepth 1 -exec cp -R '{}' build/ ';'
      + cp ../../docker/amster-install.sh ../../docker/docker-entrypoint.sh ../../docker/export.sh ../../docker/tar.sh build
  - Edit the Dockerfile in the samples/docker directory. Change the line:
      FROM gcr.io/forgerock-io/java-11:latest
    to:
      FROM my-repo/java-11
  - Build the amster Docker image:
      $ docker build --tag amster:7.3.0 .
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 1.67kB 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for docker.io/my-repo/java-11:latest 1.1s
      ⇒ [1/8] FROM docker.io/my-repo/java-11
      ...
      ⇒ exporting to image
      ⇒ ⇒ exporting layers
      ⇒ ⇒ writing image sha256:bc47...f9e52 0.0s
      ⇒ ⇒ naming to docker.io/library/amster:7.3.0
- Build the AM empty image:
  - Unzip the AM .zip file.
  - Change to the openam/samples/docker directory in the expanded .zip file output.
  - Run the setup.sh script:
      $ chmod +x ./setup.sh
      $ ./setup.sh
  - Change to the images/am-empty directory.
  - Edit the Dockerfile in the samples/docker directory. Change the line:
      FROM tomcat:9-jdk11 AS base
    to:
      FROM my-repo/java-11
  - Build the am-empty Docker image:
      $ docker build --tag am-empty:7.3.0 .
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 3.60kB 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for docker.io/library/tomcat:9-jdk11-openjdk-slim-bullseye 1.8s
      ⇒ [internal] load build context 5.6s
      ⇒ ⇒ transferring context: 231.59MB 5.6s
      ⇒ [base 1/14] FROM docker.io/library/tomcat:9-jdk11-openjdk-slim-bullseye@...
      ...
      ⇒ exporting to image 1.7s
      ⇒ ⇒ exporting layers 1.6s
      ⇒ ⇒ writing image sha256:9784a73...1d36018c9 0.0s
      ⇒ ⇒ naming to docker.io/library/am-empty:7.3.0
- Build the AM image:
  - Change to the ../am-base directory.
  - Edit the Dockerfile in the ../am-base directory and change the lines:
      FROM amster:${docker_tag} as amster
      FROM am-empty:${docker_tag} AS generator
    to:
      FROM amster:7.3.0
      FROM am-empty:7.3.0
  - Build the am-base Docker image:
      $ docker build --build-arg docker_tag=7.3.0 --tag am-base:7.3.0 .
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 2.72kB 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for docker.io/library/amster:7.3.0 0.0s
      ⇒ [internal] load metadata for docker.io/library/am-empty:7.3.0 0.0s
      ⇒ [internal] load build context 0.4s
      ⇒ ⇒ transferring context: 35.66MB 0.4s
      ⇒ [generator 1/15] FROM docker.io/library/am-empty:7.3.0 0.4s
      ⇒ [amster 1/1] FROM docker.io/library/amster:7.3.0 0.2s
      ⇒ [generator 2/15] RUN apt-get update -y && apt-get install -y git jq unzip
      ...
      ⇒ [am-base 7/11] COPY --chown=forgerock:root docker-entrypoint.sh /home/forgerock/ 0.0s
      ⇒ [am-base 8/11] COPY --chown=forgerock:root scripts/import-pem-certs.sh /home/forgerock/ 0.0s
      ⇒ [am-base 9/11] RUN rm "/usr/local/tomcat"/webapps/am/WEB-INF/lib/click-extras-*.jar 0.2s
      ⇒ [am-base 10/11] RUN rm "/usr/local/tomcat"/webapps/am/WEB-INF/lib/click-nodeps-*.jar 0.3s
      ⇒ [am-base 11/11] RUN rm "/usr/local/tomcat"/webapps/am/WEB-INF/lib/velocity-*.jar 0.2s
      ⇒ exporting to image 0.2s
      ⇒ ⇒ exporting layers 0.2s
      ⇒ ⇒ writing image sha256:2c06...87c6c 0.0s
      ⇒ ⇒ naming to docker.io/library/am-base:7.3.0
  - Change to the ../am-cdk directory.
  - Edit the Dockerfile in the ../am-cdk directory. Change the line:
      FROM am-base:${docker_tag}
    to:
      FROM am-base:7.3.0
  - Build the am Docker image:
      $ docker build --build-arg docker_tag=7.3.0 --tag my-repo/am:7.3.0 .
      [+] Building 8.7s (11/11) FINISHED
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 2.02kB 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for docker.io/library/am-base:7.3.0 0.0s
      ⇒ [1/6] FROM docker.io/library/am-base:7.3.0 0.3s
      ⇒ [internal] load build context 0.1s
      ⇒ ⇒ transferring context: 397.45kB 0.1s
      ⇒ [2/6] RUN apt-get update && apt-get install -y git && apt-get clean && rm -r /var/lib 6.7s
      ⇒ [3/6] RUN cp -R /usr/local/tomcat/webapps/am/XUI /usr/local/tomcat/webapps/am/OAuth2_XUI 0.8s
      ⇒ [4/6] COPY --chown=forgerock:root /config /home/forgerock/cdk/config 0.0s
      ⇒ [5/6] COPY --chown=forgerock:root logback.xml /usr/local/tomcat/webapps/am/WEB-INF/classes 0.0s
      ⇒ [6/6] RUN rm -rf /home/forgerock/openam/config/services && mkdir /home/forgerock/openam/config/services 0.3s
      ⇒ exporting to image 0.5s
      ⇒ ⇒ exporting layers 0.5s
      ⇒ ⇒ writing image sha256:9b1119bd37c8810cebb446d1b1fb67841bbeba6416a0aed73e7a5bf2b84deff3 0.0s
      ⇒ ⇒ naming to my-repo/am:7.3.0 0.0s
- Now that the AM image is built, tag the base image for Amster in advance of pushing it to your private repository:
    $ docker tag amster:7.3.0 my-repo/amster:7.3.0
- Build the am-config-upgrader base image:
  - Change to the openam directory in the expanded AM .zip file output.
  - Unzip the Config-Upgrader-7.3.0.zip file.
  - Change to the amupgrade/samples/docker directory in the expanded Config-Upgrader-7.3.0.zip file output.
  - Edit the Dockerfile in the amupgrade/samples/docker directory. Change the line:
      FROM gcr.io/forgerock-io/java-11:latest
    to:
      FROM my-repo/java-11
  - Run the setup.sh script:
      $ ./setup.sh
      + mkdir -p build/amupgrade
      + find ../.. '!' -name .. '!' -name samples '!' -name docker -maxdepth 1 -exec cp -R '{}' build/amupgrade ';'
      + cp ../../docker/docker-entrypoint.sh .
  - Create the base am-config-upgrader image:
      $ docker build --tag my-repo/am-config-upgrader:7.3.0 .
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 1.14kB 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for docker.io/my-repo/java-11:latest 0.2s
      ⇒ [internal] load build context 0.4s
      ⇒ ⇒ transferring context: 15.44MB 0.4s
      ⇒ CACHED [1/4] FROM docker.io/my-repo/java-11 0.0s
      ⇒ [2/4] RUN apt-get update && apt-get upgrade -y 4.3s
      ⇒ [3/4] COPY --chown=forgerock:root docker-entrypoint.sh /home/forgerock/ 0.0s
      ⇒ [4/4] COPY build/ /home/forgerock/ 0.1s
      ⇒ exporting to image 0.1s
      ⇒ ⇒ exporting layers 0.1s
      ⇒ ⇒ writing image sha256:c06eb12006468f50eb79621a3e945ce52dec0775c46879d2ad4d07296fd5b818 0.0s
      ⇒ ⇒ naming to my-repo/am-config-upgrader:7.3.0
- Build the base image for DS:
  - Unzip the DS .zip file.
  - Change to the opendj directory in the expanded .zip file output.
  - Run the samples/docker/setup.sh script to create a server:
      $ ./samples/docker/setup.sh
      + rm -f template/config/tools.properties
      + cp -r samples/docker/Dockerfile samples/docker/README.md ...
      + rm -rf -- README README.md bat '*.zip' opendj_logo.png setup.bat upgrade.bat setup.sh
      + ./setup --serverId docker --hostname localhost ...
      Validating parameters... Done
      Configuring certificates... Done
      ...
  - Edit the Dockerfile in the opendj directory. Change the line:
      FROM gcr.io/forgerock-io/java-17:latest
    to:
      FROM my-repo/java-17
  - Build the ds base image:
      $ docker build --tag my-repo/ds-empty:7.3.0 .
      [+] Building 11.0s (9/9) FINISHED
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 1.23kB 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for my-repo/java-17:latest 1.7s
      ⇒ [internal] load build context 1.2s
      ⇒ ⇒ transferring context: 60.85MB 1.2s
      ⇒ CACHED [1/4] FROM my-repo/java-17:latest
      ...
      ⇒ [4/4] WORKDIR /opt/opendj 0.0s
      ⇒ exporting to image 0.4s
      ⇒ ⇒ exporting layers 0.3s
      ⇒ ⇒ writing image sha256:713ac...b107e0f 0.0s
      ⇒ ⇒ naming to my-repo/ds:7.3.0
- Build the base image for IDM:
  - Unzip the IDM .zip file.
  - Change to the openidm directory in the expanded .zip file output.
  - Edit the Custom.Dockerfile in the openidm/bin directory. Change the line:
      FROM gcr.io/forgerock-io/java-11:latest
    to:
      FROM my-repo/java-11
  - Build the idm base image:
      $ docker build . --file bin/Custom.Dockerfile --tag my-repo/idm:7.3.0
      [+] Building 8.1s (9/9) FINISHED
      ⇒ [internal] load build definition from Custom.Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 648B 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for my-repo/java-11:latest 0.3s
      ⇒ CACHED [1/4] FROM my-repo/java-11:latest
      ⇒ [internal] load build context 9.7s
      ⇒ ⇒ transferring context: 322.62MB 9.7s
      ⇒ [2/4] RUN apt-get update && apt-get install -y ttf-dejavu 10.3s
      ⇒ [3/4] COPY --chown=forgerock:root . /opt/openidm 2.3s
      ⇒ [4/4] WORKDIR /opt/openidm 0.0s
      ⇒ exporting to image 3.3s
      ⇒ ⇒ exporting layers 3.3s
      ⇒ ⇒ writing image sha256:9550...5788 0.0s
      ⇒ ⇒ naming to my-repo/idm:7.3.0
- (Optional) Build the base image for PingGateway:
  - Unzip the PingGateway .zip file.
  - Change to the identity-gateway directory in the expanded .zip file output.
  - Edit the Dockerfile in the identity-gateway/docker directory. Change the line:
      FROM gcr.io/forgerock-io/java-11:latest
    to:
      FROM my-repo/java-11
  - Build the ig base image:
      $ docker build . --file docker/Dockerfile --tag my-repo/ig:2023.9.0
      [+] Building 2.1s (8/8) FINISHED
      ⇒ [internal] load build definition from Dockerfile 0.0s
      ⇒ ⇒ transferring dockerfile: 1.43kB 0.0s
      ⇒ [internal] load .dockerignore 0.0s
      ⇒ ⇒ transferring context: 2B 0.0s
      ⇒ [internal] load metadata for my-repo/java-11:latest 0.3s
      ⇒ [internal] load build context 2.2s
      ⇒ ⇒ transferring context: 113.60MB 2.2s
      ⇒ CACHED [1/3] FROM my-repo/java-11:latest
      ⇒ [2/3] COPY --chown=forgerock:root . /opt/ig 0.7s
      ⇒ [3/3] RUN mkdir -p "/var/ig" && chown -R forgerock:root "/var/ig" "/opt/ig" && -R g+rwx "/var/ig" "/opt/ig" 0.9s
      ⇒ exporting to image 0.6s
      ⇒ ⇒ exporting layers 0.6s
      ⇒ ⇒ writing image sha256:77fc5...6e63 0.0s
      ⇒ ⇒ naming to my-repo/ig:2023.9.0
- Run the docker images command to verify that you built the base images:
    $ docker images | grep my-repo
    REPOSITORY                   TAG        IMAGE ID       CREATED      SIZE
    my-repo/am                   7.3.0      552073a1c000   1 hour ago   795MB
    my-repo/am-config-upgrader   7.3.0      d115125b1c3f   1 hour ago   795MB
    my-repo/amster               7.3.0      d9e1c735f415   1 hour ago   577MB
    my-repo/ds-empty             7.3.0      ac8e8ab0fda6   1 hour ago   196MB
    my-repo/idm                  7.3.0      0cc1b7f70ce6   1 hour ago   387MB
    my-repo/ig                   2023.9.0   cc52e9623b3c   1 hour ago   249MB
    my-repo/java-11              latest     76742b285ddf   1 hour ago   146MB
    my-repo/java-17              latest     a504925c2672   1 hour ago   144MB
- Push the new base Docker images to your Docker repository.
  Refer to your registry provider documentation for detailed instructions. For most Docker registries, you run the docker login command to log in to the registry. Then, you run the docker push command to push a Docker image to the registry.
  Be sure to configure your Docker registry so that you can successfully push your Docker images. Each cloud-based Docker registry has its own specific requirements. For example, on Amazon ECR, you must create a repository for each image.
  Push the following images:
  - my-repo/am:7.3.0
  - my-repo/am-config-upgrader:7.3.0
  - my-repo/amster:7.3.0
  - my-repo/ds-empty:7.3.0
  - my-repo/idm:7.3.0
  - my-repo/java-11
  - my-repo/java-17
  If you’re deploying your own PingGateway base image, also push the my-repo/ig:2023.9.0 image.
Create Docker images for use in production
After you’ve built and pushed your own base images to your Docker registry, you’re ready to build customized Docker images that can be used in a production deployment of the Ping Identity Platform. These images:
- Contain customized configuration profiles for AM, IDM, and, optionally, PingGateway.
- Must be based on your own base Docker images.
- Must not be based on ForgeRock’s evaluation-only Docker images.
Create your production-ready Docker images, create a Kubernetes cluster to test them, and delete the cluster when you’ve finished testing the images:
- Clone the forgeops repository.
- Obtain custom configuration profiles that you want to use in your Docker images from your developer, and copy them into your forgeops repository clone:
  - Obtain the AM configuration profile from the /path/to/forgeops/docker/am/config-profiles directory.
  - Obtain the IDM configuration profile from the /path/to/forgeops/docker/idm/config-profiles directory.
  - (Optional) Obtain the PingGateway configuration profile from the /path/to/forgeops/docker/ig/config-profiles directory.
- Change the FROM lines of Dockerfiles in the forgeops repository to refer to your own base Docker images:

  | In the forgeops repository file: | Change the FROM line to: |
  |---|---|
  | docker/am/Dockerfile | FROM my-repo/am:7.3.0 [1] |
  | docker/amster/Dockerfile | FROM my-repo/amster:7.3.0 |
  | docker/ds/ds-new/Dockerfile | FROM my-repo/ds-empty:7.3.0 |
  | docker/idm/Dockerfile | FROM my-repo/idm:7.3.0 [2] |
  | (Optional) docker/ig/Dockerfile | FROM my-repo/ig:2023.9.0 |

- If necessary, log in to your Docker registry.
- Build Docker images that are based on your own base images. The AM and IDM images contain your customized configuration profiles:
    $ cd /path/to/forgeops/bin
    $ ./forgeops build ds --push-to my-repo
    $ ./forgeops build amster --push-to my-repo
    $ ./forgeops build am --push-to my-repo --config-profile my-profile
    $ ./forgeops build idm --push-to my-repo --config-profile my-profile
  The forgeops build command:
  - Builds Docker images. The AM and IDM images incorporate customized configuration profiles.
  - Pushes Docker images to the repository specified in the --push-to argument.
  - Updates the image defaulter file, which the forgeops install command uses to determine which Docker images to run.
- (Optional) Build and push a PingGateway Docker image that’s based on your own base image and contains your customized configuration profile:
    $ ./forgeops build ig --config-profile my-profile --push-to my-repo
- Prepare a Kubernetes cluster to test your images:
  - Create the cluster. This example assumes that you create a cluster suitable for a small-sized CDM deployment.
  - Make sure your cluster can access and pull Docker images from your repository.
  - Create a namespace in the new cluster, and then make the new namespace the active namespace in your local Kubernetes context.
- Install the CDM in your cluster:
    $ ./forgeops install --small --fqdn cdm.example.com
- Access the AM admin UI and the IDM admin UI, and verify that your customized configuration profiles are active.
- Delete the Kubernetes cluster that you used to test images.
At the end of this process, the artifacts that you’ll need to deploy the Ping Identity Platform in production are available:
- Docker images for the Ping Identity Platform, in your Docker repository
- An updated image defaulter file, in your forgeops repository clone
You’ll need to copy the image defaulter file to your production deployment, so that when you run the forgeops install command, it will use the correct Docker images.
Typically, you model the image creation process in a CI/CD pipeline. Then, you run the pipeline at milestones in the development of your customized configuration profile.
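A check that such a pipeline could run before building production images, given here as an added example that is not part of the ForgeOps tooling or the original page: it parses the FROM lines of Dockerfiles, expands ARG values and skips references to earlier build stages, then reports any base image that is still one of the eight evaluation-only images in gcr.io/forgerock-io. The function names, the example/ui path and the sample Dockerfile contents are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# The registry and the eight evaluation-only image names listed on the page.
REGISTRY = "gcr.io/forgerock-io/"
EVAL_ONLY = {"amster", "am-cdk", "am-config-upgrader", "ds",
             "idm-cdk", "ig", "java-11", "java-17"}
ARG_RE = re.compile(r"^\s*ARG\s+(\w+)(?:=(\S*))?", re.I)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
VAR_RE = re.compile(r"\$(?:\{(\w+)(?::-([^}]*))?\}|(\w+))")

def base_images(text, build_args=None):
    """Return the external image of each FROM line, with global ARGs expanded."""
    args, stages, images, seen_from = {}, set(), [], False
    for line in text.splitlines():
        arg, frm = ARG_RE.match(line), FROM_RE.match(line)
        if arg and not seen_from:  # only ARGs before the first FROM reach FROM lines
            default = (arg.group(2) or "").strip("\"'")
            args[arg.group(1)] = (build_args or {}).get(arg.group(1), default)
        elif frm:
            seen_from = True
            expand = lambda m: args.get(m.group(1) or m.group(3)) or m.group(2) or ""
            ref = VAR_RE.sub(expand, frm.group(1))
            if ref.lower() not in stages and ref != "scratch":  # skip earlier stages
                images.append(ref)
            if frm.group(2):
                stages.add(frm.group(2).lower())
    return images

def eval_only_name(ref):
    """Name of the evaluation-only image that ref points at, or None."""
    name = re.split(r"[/:@]", ref[len(REGISTRY):])[0]
    return name if ref.startswith(REGISTRY) and name in EVAL_ONLY else None

def violations(dockerfiles, build_args=None):
    """Map file name -> evaluation-only FROM references found in that file."""
    found = {name: [r for r in base_images(text, build_args) if eval_only_name(r)]
             for name, text in dockerfiles.items()}
    return {name: refs for name, refs in found.items() if refs}

def load(root):
    """Read every Dockerfile under root, such as the docker/ directory of a clone."""
    return {str(p.relative_to(root)): p.read_text()
            for p in sorted(Path(root).rglob("*Dockerfile*")) if p.is_file()}

# Constructed sample contents (not copied from the forgeops repository).
SAMPLE = {
    "docker/am/Dockerfile": "FROM my-repo/am:7.3.0\n",
    "docker/idm/Dockerfile": "ARG tag=latest\nFROM gcr.io/forgerock-io/java-11:${tag} AS jdk\n",
    "example/ui/Dockerfile": "FROM gcr.io/forgerock-io/platform-login-ui:7.3.0\n",
}

if __name__ == "__main__":
    found = violations(load(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE)
    for name, refs in found.items():
        print(f"{name}: evaluation-only base image {', '.join(refs)}")
    sys.exit(1 if found else 0)
```

Run it with the path to a directory of Dockerfiles as its argument; a non-zero exit status fails the pipeline stage. The supported UI and operator images from the same registry are not flagged.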