Ping Identity DevOps Docker Image - pingaccess
¶
This docker image includes the Ping Identity PingAccess product binaries and associated hook scripts to create and run both PingAccess Admin and Engine nodes.
Related Docker Images ¶
pingidentity/pingbase
- Parent ImageThis image inherits, and can use, Environment Variables from pingidentity/pingbase
pingidentity/pingcommon
- Common Ping files (i.e. hook scripts)
Environment Variables ¶
In addition to environment variables inherited from pingidentity/pingbase,
the following environment ENV
variables can be used with
this image.
ENV Variable | Default | Description |
---|---|---|
BASE | ${BASE:-/opt} | Location of the top level directory where everything is located in image/container |
ROOT_USER | administrator | the default administrative user for PingData |
JAVA_HOME | /opt/java | |
STAGING_DIR | ${BASE}/staging | Path to the staging area where the remote and local server profiles can be merged |
OUT_DIR | ${BASE}/out | Path to the runtime volume |
SERVER_ROOT_DIR | ${OUT_DIR}/instance | Path from which the runtime executes |
IN_DIR | ${BASE}/in | Location of a local server-profile volume |
SERVER_BITS_DIR | ${BASE}/server | Path to the server bits |
BAK_DIR | ${BASE}/backup | Path to a volume generically used to export or backup data |
LOGS_DIR | ${BASE}/logs | Path to a volume generically used for logging |
PING_IDENTITY_ACCEPT_EULA | NO | Must be set to 'YES' for the container to start |
PING_IDENTITY_DEVOPS_FILE | devops-secret | File name for devops-creds passed as a Docker secret |
STAGING_MANIFEST | ${BASE}/staging-manifest.txt | Path to a manifest of files expected in the staging dir on first image startup |
CLEAN_STAGING_DIR | false | Whether to clean the staging dir when the image starts |
SECRETS_DIR | /run/secrets | Default path to the secrets |
TOPOLOGY_FILE | ${STAGING_DIR}/topology.json | Path to the topology file |
HOOKS_DIR | ${STAGING_DIR}/hooks | Path where all the hooks scripts are stored |
CONTAINER_ENV | ${STAGING_DIR}/.env | Environment Property file use to share variables between scripts in container |
SERVER_PROFILE_DIR | /tmp/server-profile | Path where the remote server profile is checked out or cloned before being staged prior to being applied on the runtime |
SERVER_PROFILE_URL | A valid git HTTPS URL (not ssh) | |
SERVER_PROFILE_URL_REDACT | true | When set to "true", the server profile git URL will not be printed to container output. |
SERVER_PROFILE_BRANCH | A valid git branch (optional) | |
SERVER_PROFILE_PATH | The subdirectory in the git repo | |
SERVER_PROFILE_UPDATE | false | Whether to update the server profile upon container restart |
SECURITY_CHECKS_STRICT | false | Requires strict checks on security |
SECURITY_CHECKS_FILENAME | .jwk .pin | Perform a check for filenames that may violate security (i.e. secret material) |
UNSAFE_CONTINUE_ON_ERROR | If this is set to true, then the container will provide a hard warning and continue. | |
LICENSE_DIR | ${SERVER_ROOT_DIR} | License directory |
PD_LICENSE_DIR | ${STAGING_DIR}/pd.profile/server-root/pre-setup | PD License directory. Separating from above LICENSE_DIR to differentiate for different products |
STARTUP_FOREGROUND_OPTS | The command-line options to provide to the the startup command when the container starts with the server in the foreground. This is the normal start flow for the container | |
STARTUP_BACKGROUND_OPTS | The command-line options to provide to the the startup command when the container starts with the server in the background. This is the debug start flow for the container | |
PING_IDENTITY_DEVOPS_KEY_REDACT | true | |
TAIL_LOG_FILES | A whitespace separated list of log files to tail to the container standard output - DO NOT USE WILDCARDS like /path/to/logs/*.log | |
COLORIZE_LOGS | true | If 'true', the output logs will be colorized with GREENs and REDs, otherwise, no colorization will be done. This is good for tools that monitor logs and colorization gets in the way. |
LOCATION | Docker | Location default value If PingDirectory is deployed in multi cluster mode, that is, K8S_CLUSTER, K8S_CLUSTERS and K8S_SEED_CLUSTER are defined, LOCATION is ignored and K8S_CLUSTER is used as the location |
LOCATION_VALIDATION | true | Any string denoting a logical/physical location |
MAX_HEAP_SIZE | 384m | Heap size (for java products) |
JVM_TUNING | AGGRESSIVE | |
JAVA_RAM_PERCENTAGE | 75.0 | Percentage of the container memory to allocate to PingFederate JVM DO NOT set to 100% or your JVM will exit with OutOfMemory errors and the container will terminate |
VERBOSE | false | Triggers verbose messages in scripts using the set -x option. |
PING_DEBUG | false | Set the server in debug mode, with increased output |
PING_PRODUCT | The name of Ping product, i.e. PingFederate, PingDirectory - must be a valid Ping product type. This variable should be overridden by child images. | |
PING_PRODUCT_VALIDATION | true | i.e. PingFederate,PingDirectory |
ADDITIONAL_SETUP_ARGS | List of setup arguments passed to Ping Data setup-arguments.txt file | |
LDAP_PORT | 1389 | Port over which to communicate for LDAP |
LDAPS_PORT | 1636 | Port over which to communicate for LDAPS |
HTTPS_PORT | 1443 | Port over which to communicate for HTTPS |
JMX_PORT | 1689 | Port for monitoring over JMX protocol |
ORCHESTRATION_TYPE | The type of orchestration tool used to run the container, normally set in the deployment (.yaml) file. Expected values include: - compose - swarm - kubernetes Defaults to blank (i.e. No type is set) | |
USER_BASE_DN | dc=example,dc=com | Base DN for user data |
DOLLAR | '$' | Variable with a literal value of '$', to avoid unwanted variable substitution |
PD_ENGINE_PUBLIC_HOSTNAME | localhost | PD (PingDirectory) public hostname that may be used in redirects |
PD_ENGINE_PRIVATE_HOSTNAME | pingdirectory | PD (PingDirectory) private hostname |
PDP_ENGINE_PUBLIC_HOSTNAME | localhost | PDP (PingDirectoryProxy) public hostname that may be used in redirects |
PDP_ENGINE_PRIVATE_HOSTNAME | pingdirectoryproxy | PDP (PingDirectoryProxy) private hostname |
PDS_ENGINE_PUBLIC_HOSTNAME | localhost | PDS (PingDataSync) public hostname that may be used in redirects |
PDS_ENGINE_PRIVATE_HOSTNAME | pingdatasync | PDS (PingDataSync) private hostname |
PAZ_ENGINE_PUBLIC_HOSTNAME | localhost | PAZ (PingAuthorize) public hostname that may be used in redirects |
PAZ_ENGINE_PRIVATE_HOSTNAME | pingauthorize | PAZ (PingAuthorize) private hostname |
PAZP_ENGINE_PUBLIC_HOSTNAME | localhost | PAZP (PingAuthorize-PAP) public hostname that may be used in redirects |
PAZP_ENGINE_PRIVATE_HOSTNAME | pingauthorizepap | PAZP (PingAuthorize-PAP) private hostname |
PF_ENGINE_PUBLIC_HOSTNAME | localhost | PF (PingFederate) engine public hostname that may be used in redirects |
PF_ENGINE_PRIVATE_HOSTNAME | pingfederate | PF (PingFederate) engine private hostname |
PF_ADMIN_PUBLIC_BASEURL | https://localhost:9999 | PF (PingFederate) admin public baseurl that may be used in redirects |
PF_ADMIN_PUBLIC_HOSTNAME | localhost | PF (PingFederate) admin public hostname that may be used in redirects |
PF_ADMIN_PRIVATE_HOSTNAME | pingfederate-admin | PF (PingFederate) admin private hostname |
PA_ENGINE_PUBLIC_HOSTNAME | localhost | PA (PingAccess) engine public hostname that may be used in redirects |
PA_ENGINE_PRIVATE_HOSTNAME | pingaccess | PA (PingAccess) engine private hostname |
PA_ADMIN_PUBLIC_HOSTNAME | localhost | PA (PingAccess) admin public hostname that may be used in redirects |
PA_ADMIN_PRIVATE_HOSTNAME | pingaccess-admin | PA (PingAccess) admin private hostname |
ROOT_USER_DN | cn=${ROOT_USER} | DN of the server root user |
ENV | ${BASE}/.profile | |
MOTD_URL | https://raw.githubusercontent.com/pingidentity/pingidentity-devops-getting-started/master/motd/motd.json | Instructs the image to pull the MOTD json from the following URL. If this MOTD_URL variable is empty, then no motd will be downloaded. The format of this MOTD file must match the example provided in the url: https://raw.githubusercontent.com/pingidentity/pingidentity-devops-getting-started/master/motd/motd.json |
PS1 | \${PING_PRODUCT}:\h:\w\n> | Default shell prompt (i.e. productName:hostname:workingDir) |
PATH | ${JAVA_HOME}/bin:${BASE}:${SERVER_ROOT_DIR}/bin:${PATH} | PATH used by the container |
SHIM | ${SHIM} | |
IMAGE_VERSION | ${IMAGE_VERSION} | |
IMAGE_GIT_REV | ${IMAGE_GIT_REV} | |
DATE | ${DATE} | |
PING_PRODUCT_VERSION | ${VERSION} | |
PING_PRODUCT | PingAccess | Ping product name |
LICENSE_DIR | ${SERVER_ROOT_DIR}/conf | License directory |
LICENSE_FILE_NAME | pingaccess.lic | Name of license file |
LICENSE_SHORT_NAME | PA | Short name used when retrieving license from License Server |
LICENSE_VERSION | ${LICENSE_VERSION} | Version used when retrieving license from License Server |
OPERATIONAL_MODE | STANDALONE | PA_RUN_PA_OPERATIONAL_MODE will override this value for PingAccess 7.3 and later. |
PA_ADMIN_PASSWORD_INITIAL | 2Access | |
PING_IDENTITY_PASSWORD | 2FederateM0re | Specify a password for administrator user for interaction with admin API |
STARTUP_COMMAND | ${SERVER_ROOT_DIR}/bin/run.sh | The command that the entrypoint will execute in the foreground to instantiate the container |
TAIL_LOG_FILES | ${SERVER_ROOT_DIR}/log/pingaccess.log | Files tailed once container has started |
PA_ADMIN_PORT | 9000 | Default port for PA Admin API and console Ignored when using PingIdentity Helm charts |
PA_ADMIN_CLUSTER_PORT | 9090 | Default port when clustering PA primary administrative node Ignored when using PingIdentity Helm charts |
JAVA_RAM_PERCENTAGE | 60.0 | Percentage of the container memory to allocate to PingAccess JVM DO NOT set to 100% or your JVM will exit with OutOfMemory errors and the container will terminate |
FIPS_MODE_ON | false | Turns on FIPS mode (currently with the Bouncy Castle FIPS provider) set to exactly "true" lowercase to turn on set to anything else to turn off PA_FIPS_MODE_PA_FIPS_MODE will override this for PingAccess 7.3 and later. |
SHOW_LIBS_VER | true | Defines a variable to allow showing library versions in the output at startup default to true |
SHOW_LIBS_VER_PRE_PATCH | false | Defines a variable to allow showing library version prior to patches being applied default to false This is helpful to ensure that the patch process updates all libraries affected |
PA_ENGINE_PORT | 3000 | |
ADMIN_WAITFOR_TIMEOUT | 300 | wait-for timeout for 80-post-start.sh hook script How long to wait for the PA Admin console to be available |
Ports Exposed ¶
The following ports are exposed from the container. If a variable is used, then it may come from a parent container
- ${PA_ADMIN_PORT}
- ${PA_ENGINE_PORT}
- ${HTTPS_PORT}
Running a PingAccess container ¶
To run a PingAccess container:
docker run \
--name pingaccess \
--publish 9000:9000 \
--publish 443:1443 \
--detach \
--env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \
--env SERVER_PROFILE_PATH=getting-started/pingaccess \
--env PING_IDENTITY_ACCEPT_EULA=YES \
--env PING_IDENTITY_DEVOPS_USER \
--env PING_IDENTITY_DEVOPS_KEY \
--tmpfs /run/secrets \
pingidentity/pingaccess:edge
Follow Docker logs with:
docker logs -f pingaccess
If using the command above with the embedded server profile, log in with:
- https://localhost:9000
- Username: Administrator
- Password: 2FederateM0re
Docker Container Hook Scripts ¶
Please go here for details on all pingaccess hook scripts
This document is auto-generated from pingaccess/Dockerfile
Copyright © 2024 Ping Identity Corporation. All rights reserved.