Experimenting with OpenDJ in CoreOS / Docker



CoreOS is new minimal Linux based OS designed to run applications in containers.  The design concept is similar to Joyent's SmartOS (aside: I would love to see the CoreOS team adopt ZFS. It has so many compelling features for hosting containers. But I digress...)


CoreOS uses Docker lightweight containers, which are in turn based on Linux LXC containers. You will want to check out the excellent getting started guide, but the readers digest summary is that Docker containers are built up incrementally and inherit from their parent containers.  Each new container contains only the deltas from the parent - making it possible to distribute a small incremental feature set.

When you run a Docker container, you are running only the processes that are needed for your service (for example, OpenDJ). You are not running an entire copy of the OS, making these containers super lightweight (OpenSolaris fans have had this feature for years in the form of zones).

For my OpenDJ experiments, I started with a Fedora 20 docker image:

 docker pull mattdm/fedora:f20 

That command pulls down the image from the Docker repository.  You can start a shell on that image by running:


docker run -i -t mattdm/fedora:f20 /bin/bash

In the shell we can install additional packages using yum. For example:

yum install java-1.7.0-openjdk-devel.x86_64
curl -O http://download.forgerock.org/downloads/opendj/20131204020001/opendj-2.7.0-1.20131204.noarch.rpm
yum install opendj-2.7.0-1.20131204.noarch.rpm
cd /opt/opendj
bin/setup 
.... continue OpenDJ install...

If we exit our bash shell at this point we will find that our changes vanish.  To persist these changes we must create a new container. In a second coreOS shell, we use:


docker commit 4ee0ae2b1bb1 wstrange/f20dj

This command tells Docker to create a new container. The container id from above came from the "docker ps" command and represents our (still) running container. The new container is saved to a container named wstrange/f20dj. 

This new container will provide the JDK and OpenDJ.  Under the covers, the container requires only the incremental bits that we added on top of the original Fedora 20 image. 

Now that we have a new image, we can fire up an instance of OpenDJ:

docker run -p 3389:389 -p 4444:4444 -p 8989:8989  -d wstrange/f20dj /opt/opendj/bin/start-ds -N

This tells Docker to start the container and run the "start-ds" command to start OpenDJ. 

Docker containers are NATed by default. The -p options is used to redirect local ports to container ports. In the above example, DJ listens on port 389. This is wired to port 3389 on our host. We set up redirection for 4444 (management) and 8989 (replication) as well. 

At this time should be able to fire up your favourite LDAP browser and connect to port 3389.

Now let's have some fun with replication. To replicate we need a second DJ installation. That turns out to be quite easy:

docker run -p 4389:389 -p 4446:4444 -p 8988:8989  -d wstrange/f20dj /opt/opendj/bin/start-ds -N

You will note that we simply fire up a second instance of our DJ container - changing the port numbers so that we do not collide with our first instance.  We now have two instances running:

docker ps
CONTAINER ID        IMAGE                   COMMAND                CREATED             STATUS              PORTS                                                                   NAMES
7ce9a470f422        wstrange/f20dj:latest   /opt/opendj/bin/star   46 minutes ago      Up 46 minutes       0.0.0.0:4389->389/tcp, 0.0.0.0:4446->4444/tcp, 0.0.0.0:8988->8989/tcp   berserk_darwin       
8c1c4160f01f        wstrange/f20dj:latest   /opt/opendj/bin/star   46 minutes ago      Up 46 minutes       0.0.0.0:3389->389/tcp, 0.0.0.0:4444->4444/tcp, 0.0.0.0:8989->8989/tcp   romantic_engelbart   

And sure enough, if you connect your LDAP browser to port 4389, you can browse the second DJ server. 

But wouldn't it be nice to enable replication between those instances?   Let's create another interactive container so we can get access to the OpenDJ commands:

docker run  -i -t wstrange/f20dj /bin/bash  

Now we enable replication between the two instances:

# This is our HOST only network for our containers
export HOST=192.168.50.4
# enable replication
bin/dsreplication enable --host1  $HOST --port1 4444\
  --bindDN1 "cn=directory manager" \
  --bindPassword1 password --replicationPort1 8989 \
  --host2 $HOST --port2 4446 --bindDN2 "cn=directory manager" \
  --bindPassword2 password --replicationPort2 8988 \
  --adminUID admin --adminPassword password --baseDN "dc=example,dc=com" -X -n

# initialize replication
bin/dsreplication initialize --baseDN "dc=example,dc=com" \
  --adminUID admin --adminPassword password \
  --hostSource $HOST --portSource 4444 \
  --hostDestination $HOST --portDestination 4446 -X -n

[Note: For reasons that escape me, the dsreplication command must be issued twice. You will get an error on the first try - but the second attempt will work]

You now have two OpenDJ instances that are replicating between each other. Try this out by changing an entry on one instance and verifying that it is updated on the other (DJ has multi-master replication - so it does not matter where you make the change). 

The next step in this experiment will be to automate more of the above using Ansible.  A task for another day...



Comments

Post a Comment

Popular posts from this blog

Introducing ds-operator, the ForgeRock Directory Services Operator for Kubernetes

Image
ForgeRock Directory Services 7.0 was a big achievement for the Grenoble Directory team.  It is the only "Kubernetes native" directory where you can add a new replica using kubectl: kubectl scale sts/ds-idrepo --replicas=3 The 7.0 deployment is assembled using standard Kubernetes primitives such as StatefulSets , Persistent Volume Claims, and Services.  This is all built and orchestrated using Skaffold and Kustomize .  An emerging pattern in the Kubernetes world is the use of Custom Resources and Operators .  Broadly speaking, a custom resource is the declaration of the desired system state, and the operator's job is to observe the current state and bring the system into alignment with the declared state: source: https://blog.container-solutions.com/kubernetes-operators-explained The Kubernetes API server (the thing that responds to your kubectl commands) can be extended to handle new custom types.  A custom resource definition (CRD) describes to the API server the syntax
Read more

Automating OpenDJ backups on Kubernetes

Image
Kubernetes   StatefulSets  are designed to run "pet" like services such as databases.   ForgeRock's OpenDJ LDAP server is an excellent fit for StatefulSets as it requires stable network identity and persistent storage. The ForgeOps project contains a Kubernetes Helm chart to deploy DJ to a Kubernetes cluster. Using a StatefulSet, the cluster will auto-provision persistent storage for our pod. We configure OpenDJ to place its backend database on this storage volume. This gives us persistence that survives container restarts, or even restarts of the cluster. As long as we don't delete the underlying persistent volume, our data is safe. Persistent storage is quite reliable, but we typically want additional offline backups. The high level approach to accomplish this is as follows: Configure the OpenDJ container to support scheduled backups to a volume. Configure a Kubernetes volume to store the backups. Create a sidecar container that archives the backups
Read more

OAM R2 REST APIs for Policy Management

Image
Oracle Access Manager 11g R2 provides several new REST APIs. This continues a trend to expose key functionality via Web Services. The OAM Mobile and Social service provides APIs for Authentication, Authorization  and User Profile services.  I will cover those APIs in a future article (have a look here for examples) - but today I want to focus on the  policy management APIs. The Policy Administration API  enables to you to interact with OAM to create a variety of Policy objects such as Application Domains, Resources, AuthN Schemes, and AuthN/AuthZ policies. The policy model is shown below: For example, if you want to retrieve all of the resources in an Application Domain you can perform a GET against the /resource URI: curl -u USER:PASSWORD http://<SERVER>:<PORT>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/resource?appdomain="IAM Suite" Note: The port above is where the OAM Admin Server is deployed (often 7001). It is NOT the managed server (oa
Read more