Airlock Gateway as Docker host
6.4.2. Airlock Gateway (WAF) as Docker host

Airlock IAM can be deployed on the Airlock Gateway (WAF) Docker host. While this is technically possible, we do not recommend doing so. The installation requires several manual steps.

IAM cannot be installed on Airlock WAF 7.0 - it strictly requires Airlock WAF 7.1 or newer.

The deployment of Airlock IAM on the Airlock Gateway (WAF) has been deprecated. It is no longer supported as of Airlock Gateway 8.0 (or newer) and Airlock IAM 8.0 (or newer).

Prerequisites

You need the following information and software for the installation:

  • Airlock WAF 7.1 or newer capable of running Docker (see https://techzone.ergon.ch/dockerhost)
  • SSH and SCP client (e.g. PuTTY and WinSCP)
  • SSH access to Airlock Gateway (WAF) as user "root"
  • Airlock IAM Docker image (airlock-iam-docker-image-<version>.tar.gz)
  • A license that covers both Airlock Gateway (WAF) and Airlock IAM. The IAM part of the license must not be bound to a MAC address, because a MAC-bound license will not work when IAM runs in Docker.
    Please contact order@airlock.com or open a support ticket to have your existing license converted.

Step 1 - Enabling Docker host on Airlock Gateway (WAF)

Airlock Gateway (WAF) can act as a Docker host to run Airlock IAM inside a Docker container. This feature must be enabled on the Gateway (WAF).

The following example describes the basics, but more information is available on Techzone: https://techzone.ergon.ch/dockerhost

Resource allocation for the Docker host should match the usual Airlock IAM guidelines: https://techzone.ergon.ch/hardware-iam

root@<airlock-waf-host>

airlock-optional-component -i docker-tools
airlock-docker-host-setup -i

# Use airlock-docker-cli instead of /usr/bin/docker
airlock-docker-cli info

Step 2 - Image import and volume handling

Upload the Airlock IAM Docker image to the Airlock Gateway (WAF) host and connect to the Gateway (WAF) as root:

scp airlock-iam-docker-image-*.tar.gz root@<airlock-waf-host>:/var
ssh root@<airlock-waf-host>

Import the image using airlock-docker-cli:

root@<airlock-waf-host>

airlock-docker-cli load --input /var/airlock-iam-docker-image-*.tar.gz
airlock-docker-cli run --rm airlock-iam:7.6 -h

Step 3 - Running the Docker container

For all available options of docker run, see: https://docs.docker.com/engine/reference/commandline/run/

For general information on how to run Airlock IAM in Docker, see 6.4. IAM as Docker image.

The following command runs Airlock IAM with these options:

  • "--restart": automatically restart it along with the Docker host
  • "-p": expose the HTTP port. Use "7880" to enable linking from Airlock Gateway (WAF) Config Center
  • "--mount": mount the persistent volume named "iam-config"
  • "--name": give the container the name "iam"
  • "airlock-iam:<version>": base the container on the "airlock-iam" image with the given version

airlock-docker-cli run \
	--restart=always --detach \
	-p 7880:8080 \
	--mount source=iam-config,target=/home/airlock/iam \
	--name iam \
	airlock-iam:7.6

# List running containers to confirm that "iam" is up
airlock-docker-cli ps

To stop/restart the container, use the stop/restart commands and the previously assigned container name:

airlock-docker-cli stop iam
airlock-docker-cli restart iam