IAP Container Image

IAP Containerization

While Itential Automation Platform (IAP) can be deployed using a traditional server architecture, in which each server runs a single instance of IAP, many benefits arise from its containerization:

To facilitate containerization, Itential provides pre-made images of IAP. In this guide, you will learn:

• The prerequisites for running IAP containers.
• How to run IAP containers.
• How to configure IAP containers.

Prerequisites

Before proceeding, the following prerequisites must be met.

Container Management Platform

IAP images are compliant with Open Container Initiative (OCI) specifications; however, this guide assumes the use of Docker. Specific instruction for using technologies that manage OCI containers, such as Docker Compose and Kubernetes, falls outside the scope of this guide.

Docker Repository Access

IAP images are hosted on the Itential Docker repository. Contact your Itential Account Manager to obtain the credential information needed to download images from this repository, including your:

• Access key ID
• Secret access key
• Bundle name

AWS Command Line Interface

Amazon Web Services Command Line Interface (AWS CLI) must be installed on your host operating system (OS).

Logging into the Itential Docker Repository

Before you can begin working with IAP containers, you must log into the Itential Docker repository. To do so, issue the following command.

export AWS_ACCESS_KEY_ID=<access_key_id>
export AWS_SECRET_ACCESS_KEY=<secret_access_key>

aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin 497639811223.dkr.ecr.us-east-2.amazonaws.com

...in which:

Pulling Container Images

To download images from the container registry, issue a Docker Pull command.

docker pull 497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>

...in which:

Starting an IAP Container

To start an IAP container, issue the following command.

docker run -d -p 3000:3000 -p 3443:3443 \
    497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>

Environment Variables

The following environment variables can be used to alter the startup behavior of the IAP container.

To set an environment variable, use the -e flag of the docker run command. For example:

docker run -d -p 3000:3000 -p 3443:3443 \
  -e WAIT_FOR:"mongodb:27017" \
  497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>

Configuring the IAP Container

Configuration of the IAP container can be customized via the following files.

To use a configuration file, mount it to its corresponding mount location with a bind mount. For example:

docker run -d -p 3000:3000 -p 3443:3443 \
  --mount type=bind,source=./volumes/iap/config/custom-properties.json,target=/opt/itential/automation-platform/config/custom-properties.json \
  497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>

Configuration Modes

How configuration files are applied to the IAP container is dependent on what configuration mode the container is set to. Two configuration modes are available:

• Override Mode (default): Enabled if the IAP_CUSTOM_PROPERTIES environment variable is set to "false" or is not present. Any configuration file mounted to the /opt/itential/automation-platform/config directory will override the corresponding default configuration file (located in the /opt/itential/automation-platform/defaults directory).
• Custom Properties Mode: Enabled if the IAP_CUSTOM_PROPERTIES environment variable is set to "true". The image will ignore any default configuration files. As such, all custom configuration files must be present in the /opt/itential/automation-platform/config directory for IAP to start.

Common Configuration Tasks

Though an IAP application can function without a custom configuration of its component containers, the following changes are common in production environments.

Mounting IAP Logs to the Host OS

By default, any logs stored by IAP containers are lost when the containers and their volumes are removed. To ensure log persistence:

1. Create a mount directory on the host OS (the OS that your container daemon is running on). This is where the logs are stored.

   mkdir -p ./volumes/iap/logs
   

2. Use a bind mount to mount the directory into your IAP container.

   docker run -d -p 3000:3000 -p 3443:3443 \
     --mount type=bind,source=./volumes/iap/logs,target=/opt/itential/logs \
     497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>
   

Adding SSH Keys and Certificates to IAP

To add custom SSH keys and certificates to IAP:

1. Create a mount directory on the host OS (the OS that your container daemon is running on). Place any SSH keys and certificates you would like to add to IAP here.

   mkdir -p ./volumes/iap/keys
   

2. Ensure all SSH keys and certificates have the proper permissions. The file owner should only have read access; all others should have no access (numeric permission 0400).

   chmod 0400 custom_key.key
   

3. Create another mount directory on the host OS, this time to house a custom IAP Profile configuration file. Create the configuration file, custom-profile.json, here.

   mkdir -p ./volumes/iap/config
   cd ./volumes/iap/config
   touch custom-profile.json
   

4. Update the custom-profile.json file to reference your custom SSH keys and certificates.

   {
     "expressProps": {
       "description": "Express Server",
       "cacheControl": true,
       "timeout": 600000,
       "express_http": {
         "enable": false,
         "port": 3000
       },
       "express_https": {
         "enable": true,
         "port": 3443,
         "key": "/opt/itential/keys/custom_key.key",
         "cert": "/opt/itential/keys/custom_key.cert",
         "secureProtocol": "TLSv1_2_method",
         "ciphers": "ECDHE-RSA-AES128-GCM-SHA256",
         "client_reneg_limit": 1,
         "client_reneg_window": 600
       }
     }
   }
   

5. Use bind mounts to mount both directories into your IAP container.

   docker run -d -p 3000:3000 -p 3443:3443 \
     --mount type=bind,source=./volumes/iap/keys,target=/opt/itential/keys \
     --mount type=bind,source=./volumes/iap/config/custom-profile.json,target=/opt/itential/automation-platform/config/custom-profile.json \
     497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>
   

Implementing High Availability (HA) for IAP

Multiple IAP containers can run in a single application to provide HA. When using such a setup:

• Each IAP container must be bound to a unique port.
• IAP containers must be configured to start with staggered timing. This can be accomplished using the WAIT_FOR and WAIT_FOR_TIMEOUT environment variables.

For example, an application containing two IAP containers might be configured as follows:

# We create a docker network so that they can talk to each other.
docker network create IAP_ha_network

# IAP_instance1
local_port_node_1_http=3000
local_port_node_1_https=3443
docker run -d -p 3000:$local_port_node_1 -p 3443:$local_port_node_1_https \
  --name IAP_instance1 -d --network IAP_ha_network \
  497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>

# IAP_instance2
local_port_node_2_http=3001
local_port_node_2_https=3444
docker run -d -p 3000:$local_port_node_2_http -p 3443:$local_port_node_2_https \
  --name IAP_instance2 -d --network IAP_ha_network \
  -e WAIT_FOR:"IAP_instance1" \
  -e WAIT_FOR_DELAY:60 \
  -e WAIT_FOR_TIMEOUT:300 \
  497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>

Adding Open Source Adapters and Applications to IAP

To add open source adapters and applications to IAP:

1. Create a mount directory on the host OS (the OS that your container daemon is running on). Install any open source adapters or applications you would like to add to IAP to this directory.

   mkdir -p ./volumes/iap/opensource_adapters_apps/@itentialopensource
   cd ./volumes/iap/opensource_adapters_apps/@itentialopensource
   
   # Clone your open source adapter / application here. Then, install it:
   
   cd open_source_adapter
   npm install --legacy-bundling --prod
   

2. Use a bind mount to mount the directory into your IAP container.

   docker run -d -p 3000:3000 -p 3443:3443 \
     --mount type=bind,source=./volumes/iap/opensource_adapters_apps/@itentialopensource,target=/opt/itential/automation-platform/node_modules/@itentialopensource \
     497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>
   

Adding Custom Adapters and Applications to IAP

To add custom adapters and applications to IAP:

1. Create a mount directory on the host OS (the OS that your container daemon is running on). Install any custom adapters or applications you would like to add to IAP to this directory.

   mkdir -p ./volumes/iap/automation-platform-custom
   cd ./volumes/iap/automation-platform-custom
   
   # Clone your custom adapter / application here. Then, install it:
   
   cd custom_adapter
   npm install --legacy-bundling --prod
   

2. Use a bind mount to mount the directory into your IAP container.

   docker run -d -p 3000:3000 -p 3443:3443 \
     --mount type=bind,source=./volumes/iap/automation-platform-custom,target=/opt/custom/node_modules \
     497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag>
   

Encrypting Passwords

By default, some configuration files may contain passwords written in plaintext. To generate an encrypted password value for use in such files, run the following command to use the IAP Encrypt tool.

docker run -it --entrypoint node 497639811223.dkr.ecr.us-east-2.amazonaws.com/automation-platform-<bundle_name>:<tag> \ 
  /opt/itential/automation-platform/node_modules/@itential/pronghorn-core/utils/encrypt.js <password_value>

...in which <password_value> is the plaintext password to be encrypted.

Further Reading

Example Docker Compose files can be found in the Itential Open Source GitLab repository. Documentation for these examples is provided in the README files located throughout the project.