This project packages and configures Wildfly in a Docker image. The goal of this project is to run JEE8/MicroProfile based microservices in containers that are secure by default and respect Twelve-Factor App principles. When the container starts, it must be fully configured without baking secrets into the image.
Wildfly is configured in standalone mode, since clustering should be managed from the container orchestrator and not some JEE application server.
For fast startup, Wildfly is configured at build time, with references to dummy credentials and a self-signed certificate. At run time, credential stores are regenerated with actual secrets from the environment.
A Makefile builds the images and their dependencies.
The Wildfly image is built as follows:
- Jboss base image (CentOS-7, OpenJDK-8, jboss user)
- Installation of Wildfly 17 via Galleon
- Generation of a self-signed certificate for the development environment
- Creation of credential stores with dummy passwords
- Offline configuration of Wildfly via CLI
Run the following command to build the Wildfly image:
$ make
Type the following command to run a Wildfly container:
$ make run
Containers launched from the Wildfly image can be configured with the following environment variables:
- JAVA_OPTS: JVM options (memory settings)
- JAVA_EXTRA_OPTS: additional JVM options
- WILDFLY_SERVER_OPTS: Wildfly server properties
- WILDFLY_ADMIN_USER: admin user name
- WILDFLY_ADMIN_PASSWORD: admin user password
- WILDFLY_KEYSTORE_PASSWORD: keystore password for TLS
- WILDFLY_KEY_PASSWORD: key password for TLS
- WILDFLY_DEBUG: if true, enable JVM debugging
- WILDFLY_DEBUG_PORT: JVM debug port
- TIME_ZONE: passed as user.timezone property to Wildfly
- TX_NODE_ID: passed as jboss.tx.node.id property to Wildfly
See base-env.sh for defaults.
When running the container, all environment variables of the form WILDFLY_*_PASSWORD are stored as aliases in an Elytron credential store. The WILDFLY_ prefix is stripped, the name is converted to lower case, and underscores are replaced with dashes. For example, WILDFLY_DATASOURCE_PASSWORD results in alias datasource-password.
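The naming rule above, as an added shell example (not the project's wrapper script): it derives the alias for each password variable from its name alone and reports aliases claimed by more than one variable. The function names and the requirement of a non-empty middle part in WILDFLY_*_PASSWORD are assumptions.

```shell
#!/bin/sh
# Added example, not the project's wrapper script.

# Print the alias for one variable name; fail if the name is not of the form
# WILDFLY_*_PASSWORD. Requiring a non-empty middle part is an assumption.
alias_for() {
    case "$1" in
        WILDFLY_?*_PASSWORD) ;;
        *) return 1 ;;
    esac
    # Strip the prefix, lower-case, replace underscores with dashes.
    printf '%s\n' "${1#WILDFLY_}" | tr '[:upper:]' '[:lower:]' | tr '_' '-'
}

# Names of all exported variables, one per line. Reading awk's ENVIRON keys
# avoids parsing `env` output, where multi-line values look like extra names.
env_var_names() {
    awk 'BEGIN { for (name in ENVIRON) print name }'
}

# Read variable names on stdin; print "alias<TAB>NAME" for password variables.
# Only names are handled, so no secret value reaches stdout or a log.
list_aliases() {
    while IFS= read -r name; do
        derived=$(alias_for "$name") || continue
        printf '%s\t%s\n' "$derived" "$name"
    done
}

# Read variable names on stdin; print each alias claimed by more than one
# variable (names are case-sensitive, aliases are not).
duplicate_aliases() {
    list_aliases | cut -f1 | sort | uniq -d
}

# Constructed sample names; on a real container use: env_var_names | list_aliases
printf '%s\n' WILDFLY_DATASOURCE_PASSWORD WILDFLY_ADMIN_USER WILDFLY_KEY_PASSWORD |
    list_aliases
```

Running `env_var_names | duplicate_aliases` before startup shows whether two variables would map to the same alias.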
The following ports are exposed:
- 5005: for remote debugging
- 8080: HTTP port
- 8443: HTTPS port
- 9990: management port (redirected to secure port)
- 9993: secure management port (remote+https)
When the container is running, the management console can be accessed at:
$ jboss-cli.sh --connect --controller=remote+https://localhost:9993
Newer versions of Java 8 and higher should respect CPU and memory limits.
To use all available heap configured from a container orchestrator, specify the following JVM option: -XX:MaxRAMFraction=1.
A self-signed certificate is stored in $JBOSS_HOME/standalone/configuration/security/keystore.jks.
For production, replace the certificate with a proper certificate.
When the container starts, the wrapper script creates an admin user with the specified password. If no admin password is specified, a random password is generated, rendering the management interface inaccessible.
When the container starts, the wrapper script stores passwords in an Elytron Credential Store. The credential store is encrypted with a random master password.
The base image can be extended by adding shell or CLI scripts that are run during build or startup:
- Scripts in $JBOSS_HOME/setup are executed when building the image
- Scripts in $JBOSS_HOME/environment are sourced before running the startup scripts
- Scripts in $JBOSS_HOME/startup are executed before starting Wildfly
See docker-wildfly-oracle for an example.
The docker-wildfly-oracle image extends the Wildfly base image with an Oracle JDBC driver and datasource. The datasource can be configured via environment variables.
To build the image, download ojdbc8.jar from https://www.oracle.com/technetwork/database/features/jdbc/jdbc-ucp-122-3110062.html to docker-wildfly-oracle/modules/com/oracle/jdbc/main/ojdbc8.jar.
Then run:
$ make wildfly-oracle.build
Environment variables for configuring the datasource are:
- WILDFLY_DATASOURCE_URL: connection URL
- WILDFLY_DATASOURCE_JNDINAME: JNDI name for the datasource
- WILDFLY_DATASOURCE_USERNAME: user name
- WILDFLY_DATASOURCE_PASSWORD: password
See oracle-env.sh for defaults.
See docker-compose for an example setup of Wildfly with an Oracle database.
- First create an Oracle database image (see docker-oracle)
- Build the Wildfly Oracle image: make wildfly-oracle.build
- Go to the docker-compose directory
- Start the database: docker-compose up -d oracledb
- Wait for the database to start: docker logs -f <container-id>
- Start the Wildfly image: docker-compose up -d wildfly-oracle
- Go to the management console at https://localhost:9993/, log in with admin:changeit and test the datasource connection.
Wildfly:
- Wildfly documentation
- Galleon documentation
- WildFly quickstarts
- Elytron blog
- JBoss EAP documentation
Oracle RDBMS in Docker: