Skip to content

Frequently asked questions

AWS

What storage option should I use for container volumes on EKS? Ping recommends the use of EBS volumes for container volumes on EKS. EFS is not supported. For more information, please visit AWS Storage Considerations.

Docker Images

What OS and Java versions are included in Ping Docker images? The operating system (OS) shims used for our images are Alpine and Red Hat UBI. The UBI-based images are intended for Openshift deployments, while Alpine should be used in most other situations. For more information on the choice of Alpine, please visit Supported OS Shim. The Java version currently included in our images is OpenJDK 11 and the distribution used is BellSoft Liberica.
When are new Ping product Docker images released? Typically, Docker images are released on a monthly basis during the first full week of the month. The images are tagged YYMM, with the month indicating the complete month prior. So, tag "2303", representing the work from March 2023, would be released in early April. As we mature our processes, the frequency and timing of these images will more closely align with product releases.
How can I be informed when new images are available? You can watch the docker-builds GitHub repository for the Ping Identity product line. Select the "custom" option to receive notification when a release occurs. Releases in the docker-builds repository correspond to the publishing of images in Docker Hub.
What are the latest Ping product versions available as Docker images? The latest Ping product images are tagged with {RELEASE}-{PRODUCT VERSION}. You can find more information about our latest product images by consulting the Product Version matrix.
Do the images come as product only or combined with an OS layer? The DevOps program uses Alpine as its base OS shim for all images. For more information please visit Supported OS Shim.
I have created a custom product installation. If we require a specific image, can that be supplied by Ping? We do not provide custom images, but you are welcome to build the image locally with your customized bits. For more information, see Build Local Images.
It is important to note using a custom image might affect support options and timing.

Container Operations

How do files move around when the container starts up? To find out how our files are moved at start up, please visit File Flowchart.
How do I turn off the calls to the Message of the Day (MOTD)? Set the environment variable in PingBase to: MOTD_URL=""

For more information about the PingBase environment variables, please visit PingBase.

How do I get more verbosity in log outputs? Set the environment variables in PingBase to: VERBOSE=“true”

For more information about the PingBase environment variables, please visit PingBase

Orchestration / Helm / Kubernetes

How can I be informed when a new release of the Helm charts are available? You can watch the Ping helm-charts GitHub repository. Select the "custom" option to receive notification when a release occurs. As with the product Docker images, the Helm charts are usually updated once a month.
Kubernetes has dropped direct integration support for Docker. Does this change impact Ping product containers?

No. The underlying container runtime has not caused problems with our images. Please let us know if you encounter errors. The CRI-O and containerd runtimes have been tested without any known issues.

For more background:

 The Kubernetes blog post on Docker removal is here.

 An excellent write up of how it looks is on this page.
My container environment is not allowed to make any external calls to services such as Github or Docker
Hub. Can I still use Ping Identity containers?

Yes. This practice is common in production scenarios. To use Ping Identity containers in this situation:


 1. Use an Existing License.

 2. Use an empty remote profile SERVER_PROFILE_URL="". Optionally, you can build your profile into the image, visit Server Profiles for more information.

 3. Turn off license verification with MUTE_LICENSE_VERIFICATION="true".

 4. Turn off calls to the Message of the Day (MOTD) with MOTD_URL="".
How do we run the console and engines in a container environment? The helm chart supports instantiating both consoles and engines. Ingress to the consoles would have to be laid out for UI access.

For more information about the Ping's Helm Charts, please visit Ping Helm

Can I use Podman instead of Docker? Yes, just like Docker, you will be able to use Podman for container orchestration.
Why does Ping recommand K8s vs docker?
 1. Docker or a pure container solution like ECS by itself is generally not as robust or resilient as a K8s environment. While managed Docker services like ECS provide some of the functionality of Kubernetes, you are locked into that provider and you would have a different experience at Google, Azure, or another cloud provider. Kubernetes, even managed services like EKS, provides more flexibility and portability.

 2. It is the model we use for our SaaS offerings, so internal teams at Ping are more familiar with this model.

 3. Orchestration among multiple applications and services is native to Kubernetes, a bit of an add-on with Container-only services.

 4. Workload management using Kubernetes native objects, such as Horizontal Pod Autoscaling, Node scaling and so on.

 5. Management through Infrastructure-as-Code principles using Helm Charts and Values files.

Configuration and Server Profile

How do I customize a container? There are many ways to customize the container for a Ping product. For example, you can create a customized server profile to save a configuration.

To find more ways on how to customize a container, see Customizing Containers.

How do I save product configurations? In order to save configurations, create a server profile and store in a server profile repository. This repository can be used to pass the configuration into the runtime environment. For help with creating a custom server profile, visit Server Profiles.

Examples of how to get the profile data from the different products:

PingFederate Profile 
curl -k https://localhost:9999/pf-admin-api/v1/bulk/export?includeExternalResources=false \
-u administrator:2FederateM0re \
-H 'X-XSRF-Header: PingFederate' \
-o data.json
  PingAccess Profile 
curl -k https://localhost:9000/pa-admin-api/v3/config/export \
-u administrator:2FederateM0re \
-H "X-XSRF-Header: PingAccess" \
-o data.json
PingDirectory Profile 
kubectl exec -it pingdirectory-0 \
-- manage-profile generate-profile \
--profileRoot /tmp/pd.profile
What should be in my server profile? For more information about what information should be in the server profile consist, please visit Container Anatomy and Profile Structures.
Does my server profile have to be hosted on Github? No, it can be any Public or Private git repository.

You are also able to use a Local Directory as your repository, which is convenient for testing and development.

How do I access various product consoles? For a Helm-deployed stack, there are two basic ways you can access the consoles.

1. PortForward to the pod to access with localhost.

kubectl port-forward <podName> <containerPort>:<localPort>

2. Using Helm, add the ingress definition in the yaml file in order to access the container with a URL. See Creating Ingresses. You must have an ingress controller in your cluster for the ingress to work.
How do I use an existing license? You can mount the license in the container's opt/in directory. Please see using existing licenses for more information.
Where do I get a license? How do I obtain a trial license?

The DevOps team at Ping is not responsible for issuing supported product licenses. We provide a temporary license through the DevOps program. After signing up, you can use the provided credentials to get a short-term license to use in evaluating Ping products running in containers.

If you want to use Ping products in production environments, you are required to purchase a valid license. Contact our sales department for more information.
How do I turn off the license verification? Set the environment variable in PingBase to: MUTE_LICENSE_VERIFICATION="true"

For more information about the PingBase environment variables, please visit PingBase.

Troubleshoot

How do I run Collect-Support-Data in the devops environment? You will need to modify the liveness probe to always exit 0 and the readiness probe to always exit 1. These changes will give you enough time to capture the CSD without it crashing or trying to serve live traffic.

For more information about the Collect-Support-Data, please visit CSD.

How much overhead memory and CPU is needed to run the Collect-Support-Data tool? By default, this value is set to 1GB. You would need to add additional memory (1GB to 2GB) to the heap for the server. In terms of CPU, the CSD uses whatever is available.

For more information about the Collect-Support-Data, please visit CSD.