TSO container tips

Version 3

I've created this document mainly for my own benefit, but since the information might help someone else I'll share it publicly. It's just a few notes I've made whilst installing the containerised version of TrueSight Orchestration 8.2.

None of this should be considered official advice from BMC and, if in doubt, speak to Support about any configuration changes.

Installation

Repository Check or Docker Image Tagging Failure

During installation, the Docker images are tagged with your Docker repository hostname. The installer uses curl to check that the Docker repository is running, and curl requires the protocol to be specified. It might be necessary to modify setup.sh so that the curl check is:

if curl -k --output /dev/null --silent --head --fail "https://$registryUrl"

You can then enter the registry as hostname:port rather than https://hostname:port. Note that -k disables TLS certificate verification for this reachability check only; it has no effect on how the Docker daemon itself trusts the registry.
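As an added example (not code from setup.sh or from these notes), the same check written as a small shell function that accepts the registry value with or without a scheme, and that keeps certificate verification on when a CA bundle is supplied instead of falling back to -k. The function names and the optional CA-bundle argument are assumptions of this example:

```shell
#!/bin/sh
# Added example, not from setup.sh: make the registry reachability check
# tolerate a value given either as hostname:port or as a full URL.
normalise_registry_url() {
  case "$1" in
    http://*|https://*) printf '%s\n' "$1" ;;
    *) printf 'https://%s\n' "$1" ;;   # default to TLS, as the installer expects
  esac
}

# registry_reachable <host:port or URL> [ca-bundle.pem]
# With a CA bundle, verification stays on (--cacert); without one, fall back to -k
# exactly as the modified setup.sh line does. Probes the same base URL as the page.
registry_reachable() {
  url=$(normalise_registry_url "$1")
  if [ -n "$2" ]; then
    curl --cacert "$2" --output /dev/null --silent --head --fail "$url"
  else
    curl -k --output /dev/null --silent --head --fail "$url"
  fi
}
```

Usage: `registry_reachable myhost:5000 /etc/ssl/certs/my-registry-ca.pem && echo reachable`. The exit status is curl's, so the function slots straight into the existing `if` in setup.sh.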

     

Certificates (Repo/RSSO)

NOTE: This process is not confirmed working yet.

This config is a bit rough and incomplete at the moment, but assuming you've got a root certificate, private key and web-server certificate (and in my case an intermediate CA certificate):

openssl pkcs12 -export -in /opt/ca/intermediate/certs/myserver.cert.pem -inkey /opt/ca/intermediate/private/myserver.key.pem -name tomcat -out myserver.pkcs12 -password pass:mypassword
keytool -importkeystore -srckeystore myserver.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass changeit -destkeystore tomcat.pkcs12 -deststoretype pkcs12 -destkeypass changeit
keytool -importcert -keystore ./tomcat.pkcs12 -storepass changeit -file /opt/ca/certs/ca.cert.pem -alias ca_root
keytool -importcert -keystore ./tomcat.pkcs12 -storepass changeit -file /opt/ca/intermediate/certs/intermediate.cert.pem -alias ca_inter
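One caveat worth checking before copying the keystore into place: keytool -importcert adds the CA certificates as separate trusted entries, but Tomcat only sends clients the chain attached to the key entry, so clients that do not already hold the intermediate will see an incomplete chain unless the intermediate is attached when the PKCS12 is created (openssl pkcs12 -certfile). The script below is an added example, not from these notes or from BMC: it generates a throwaway root/intermediate/server chain so that it runs offline, builds the PKCS12 with the chain attached, and verifies the result using openssl alone. The working directory, file names and function names are assumptions of this example; substitute your own CA files in practice.

```shell
#!/bin/sh
# Added example, not from the original notes: build a Tomcat-compatible PKCS12
# keystore that carries the full chain, using a throwaway CA generated here.
set -e
WORK=$(mktemp -d)   # constructed scratch directory for this example

gen_chain() {
  # root CA (self-signed; req -x509 marks it CA:TRUE by default)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # intermediate CA: must carry basicConstraints CA:TRUE to be allowed to sign the leaf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  # server (leaf) certificate, signed by the intermediate
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myserver.example.com\n' > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=myserver.example.com" \
    -keyout "$WORK/myserver.key.pem" -out "$WORK/myserver.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/myserver.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/myserver.cert.pem" >/dev/null 2>&1
}

# build_keystore <password>
build_keystore() {
  # -certfile attaches the CA certificates to the key entry's chain, so Tomcat
  # presents them to clients; keytool -importcert alone only makes them trusted.
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  openssl pkcs12 -export -in "$WORK/myserver.cert.pem" -inkey "$WORK/myserver.key.pem" \
    -certfile "$WORK/chain.pem" -name tomcat -out "$WORK/tomcat.pkcs12" -password "pass:$1"
}

# verify_keystore <password>: checks the leaf chains to the root via the
# intermediate, then prints how many certificates the PKCS12 carries.
verify_keystore() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/myserver.cert.pem" >/dev/null
  openssl pkcs12 -in "$WORK/tomcat.pkcs12" -nokeys -passin "pass:$1" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

Usage: `gen_chain; build_keystore changeit; verify_keystore changeit` prints 3 (leaf, intermediate, root). The resulting tomcat.pkcs12 can be used directly as a keystoreType="PKCS12" store, which makes the keytool -importkeystore step unnecessary.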
    

     

You can then copy the tomcat.pkcs12 file into place in the container (I recommend backing up the existing .keystore first as a precaution):

docker cp tomcat.pkcs12 tso_stack_tso-repo-service.1.s17j7f8kwtfj2gavr69jx8b8o:/opt/bmc/BAO/REPO/tomcat/conf/.keystore

Replace the container name above with your own, as determined by "docker ps".

In the connector definition in /opt/bmc/BAO/REPO/tomcat/conf/server.xml, after:

keystoreFile="/opt/bmc/BAO/REPO/tomcat/conf/.keystore"

Add:

keystoreType="PKCS12"

Note: to do this slightly more securely, a password other than "changeit" should be used, and the keystorePass should be specified in the Tomcat connector definition:

keystorePass="MySecurePassword"

Since the password then sits in clear text in server.xml, keep that file readable only by the user Tomcat runs as.

Restart your TSO repo using the bao.sh stop/start commands. Stopping the container resets its filesystem (so the copied keystore and the server.xml edits are lost), so one option is to persist the conf folder by adding a new volume mount to the docker compose file, e.g. add the following to the tso-repo-service config under volumes:

- tso_repo_tomcat_config_volume:/opt/bmc/BAO/REPO/tomcat/conf

And then to the volumes at the root level of the file (typically shown at the end):

tso_repo_tomcat_config_volume:


Certificates (CDP)

If you have your own signed certificates, you can configure the Traefik load balancer to use these. Modify the Docker compose file so that the HTTPS configuration in the loadbalancer section reads:

- "--entrypoints=Name:https Address::443 TLS:/certs/myserver.crt,/certs/myserver.key"

Then, in the volumes configuration later in that section, add:

- /opt/bao/traefik/certs:/certs

Feel free to change the first path to a suitable location on your host machine(s). Then copy the PEM-formatted cert and key files into this folder, using the names specified above (keep the key file readable only by root, since anyone who can read it can impersonate the CDP). Determine the repository hostname used:

docker stack ps tso_stack | grep tso-repo | awk '{print $4}'

Finally, re-deploy the stack using the modified compose file, replacing <repo_host> below with the result of the previous command (this assumes the repository is running).

ENV_REPO_HOSTNAME="<repo_host>" docker stack deploy --compose-file /opt/bao/docker-compose-cdp.yml tso_stack --with-registry-auth

Note: the compose file will be either docker-compose.yml or docker-compose-cdp.yml, depending on whether you did separate component installations or an all-in-one.


Hostnames

By default, you are instructed to create hosts-file entries on machines running, for example, Development Studio. If this is an issue, you can modify the broker configuration inside the container. However, this configuration will be lost whenever a new container image is deployed.

Edit the file:

/opt/bmc/BAO/CDP/server/.jms/broker-config.xml

You can get to this on your host machine as:

/var/lib/docker/volumes/tso_stack_tso_cdp_server_volume/_data/.jms/broker-config.xml

Add the "advertise-addresses" tag as below and set the DNS-resolvable hostname of your CDP:

<broker-config>
  <external>false</external>
  <cipher-suites>TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suites>
  <enable-jmx>false</enable-jmx>
  <broker-name>ao-grid-framework-embedded-broker-5df8f3aa-05c1-414d-80d9-50bc99eb5353</broker-name>
  <uri>ssl://10.0.0.6:61719?connectionTimeout=1000&amp;socket.verifyHostName=false</uri>
  <advertise-addresses>
    <address>myserver.example.com</address>
  </advertise-addresses>

Then stop/start your CDP. You can either do this using the bao.sh script in the bin folder, or just stop the Docker container using "docker stop" and it should automatically be restarted.
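Because the edit is lost on every redeploy, it is worth keeping it as a re-runnable script. The helper below is an added example (not from these notes or from BMC): it inserts the advertise-addresses element directly after the <uri> line, does nothing if the element is already present, and keeps the file's indentation. The function names are assumptions, and the sample file is constructed from the fragment above with a closing </broker-config> tag added.

```shell
#!/bin/sh
# Added example, not part of the original notes: re-apply the advertise-addresses
# change to broker-config.xml idempotently, so it can be run after each redeploy.

# add_advertise_address <broker-config.xml> <dns-hostname>
add_advertise_address() {
  file=$1
  host=$2
  if grep -q '<advertise-addresses>' "$file"; then
    return 0   # already configured; leave the file alone
  fi
  # print every line; after the </uri> line, emit the new element with matching indentation
  awk -v host="$host" '
    { print }
    /<\/uri>/ && !done {
      match($0, /^[ \t]*/); pad = substr($0, 1, RLENGTH)
      print pad "<advertise-addresses>"
      print pad "  <address>" host "</address>"
      print pad "</advertise-addresses>"
      done = 1
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_address <broker-config.xml> <dns-hostname>: how many times the address appears
count_address() {
  grep -c "<address>$2</address>" "$1"
}

# make_sample_config <path>: constructed sample based on the fragment above
make_sample_config() {
  cat > "$1" <<'EOF'
<broker-config>
  <external>false</external>
  <cipher-suites>TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suites>
  <enable-jmx>false</enable-jmx>
  <broker-name>ao-grid-framework-embedded-broker-5df8f3aa-05c1-414d-80d9-50bc99eb5353</broker-name>
  <uri>ssl://10.0.0.6:61719?connectionTimeout=1000&amp;socket.verifyHostName=false</uri>
</broker-config>
EOF
}
```

Usage on the host: `add_advertise_address /var/lib/docker/volumes/tso_stack_tso_cdp_server_volume/_data/.jms/broker-config.xml myserver.example.com`, followed by the stop/start described above. Running it a second time leaves the file unchanged.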

     

Operational

Log Files

The Tomcat log-file folders are exposed on the host machine in the following locations (at least on Ubuntu):

/var/lib/docker/volumes/tso_stack_tso_cdp_tomcat_logs_volume/_data
/var/lib/docker/volumes/tso_stack_tso_repo_tomcat_logs_volume/_data

Container Command-line Access

To get a command line in one of the containers, first get the container ID or name from:

docker ps | grep tso_stack

Then use it in the command:

docker exec -it tso_stack_tso-cdp-service.1.pvi2gddts2hakbp852ghwwk1e /bin/bash