Storage and volumes

The Airlock IAM docker image is designed for containers to be ephemeral. For this reason, we have used "--rm" in the previous examples, which deletes the container storage upon completion.

In order to keep the configuration directory persistent, Docker volumes or bind mounts can be used.

Inside the Docker image, Airlock IAM expects the configuration directory at:

/home/airlock/iam.

For production-use, creating and copying the complete configuration directory during the build-phase is a viable alternative.

During integration, bind mounts are more convenient to use because config files can be edited locally.

With Docker volumes, the container's root filesystem can be made read-only. Read-only filesystems provide improved security through stronger isolation.

The work directory /home/airlock/work must always be writable. Typically, the config root directory /home/airlock/iam should also be writable, otherwise some functions such as activating a config through the Config Editor won't be available.

For the work directory ephemeral "tmpfs" mounts can be used since its contents are always re-created during start-up:

Docker CLI

docker run --rm --read-only --mount type=volume,target=/home/airlock/iam --mount type=tmpfs,target=/home/airlock/work docker.io/ergon/airlock-iam:7.7

docker-compose.yml

version: '3.7'
services:
  iam:
    image: docker.io/ergon/airlock-iam:7.7    read_only: true
    volumes:
      - type: volume
        target: "/home/airlock/iam"
      - type: tmpfs
        target: "/home/airlock/work"

You may also use "type=volume" instead of "type=tmpfs" to create an anonymous volume. See https://docs.docker.com/storage/ for a complete overview of all Docker storage options and how they differ.