Customize the Container Gateway

You can customize your Container Gateway by creating a derived image with the customizations. These customizations are included whenever you start a new container from that image.
The following sections provide a few useful ways to customize new containers:
As a best practice, start with the USER root command, followed by the commands that you intend to run. At the end of the Dockerfile, switch back to the entrypoint user with the USER ${ENTRYPOINT_UID} command. The ENTRYPOINT_UID is referenced from the original image.
Customize the Container Time Zone
Some Container Gateway features use the local time zone set on the server; for example, system logs or date/time context variables with the .local suffix (${gateway.time.local}). By default, the Container Gateway uses the UTC time zone. You can change it to the local time zone or to another time zone in your network.
To change the time zone, create a symbolic link to the time zone you want, from /usr/share/zoneinfo/<your_timezone> to /etc/localtime. The following example shows how to change the time zone to Vancouver PST:
    FROM image:latest
    USER root
    RUN ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime
    USER ${ENTRYPOINT_UID}
Set the Locale
To set the locale inside a Docker container, use the following example as a reference. By default, the locale is set to "POSIX". To find out the locale setting, run the locale command inside the container.
    FROM image:latest
    USER root
    RUN localedef -c -i en_US -f UTF-8 en_US.UTF-8 --quiet
    ENV LANG="en_US.UTF-8"
    ENV LANGUAGE="en_US:en"
    USER ${ENTRYPOINT_UID}
Set User Permissions
For security reasons, the container must not run as the root user. After performing commands that require root access, switch back to the ENTRYPOINT_UID user. To do this, modify the permission and ownership of files or folders. This can be done using commands such as chmod or chown.
The following example shows how to change file permissions in the Dockerfile:
    FROM image:latest
    USER root
    COPY "misc_files" "/opt/docker/rc.d/folders/"
    RUN chmod -R 750 '/opt/docker/rc.d/folders/'
    USER ${ENTRYPOINT_UID}
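The following check is an added example, not part of the product documentation. It reads a derived Dockerfile and reports whether the final build stage still ends as root, which is what happens when the closing USER ${ENTRYPOINT_UID} line is forgotten or commented out. The function names final_user and ends_as_root and the two sample Dockerfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example: print the USER in effect at the end of the final build stage.
# Prints an empty line when that stage never sets USER (the base image user applies).
final_user() {
    awk '
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }  # join continued lines
        { $0 = buf $0; buf = "" }              # re-split the joined instruction
        /^[ \t]*#/ { next }                    # skip comment lines
        toupper($1) == "FROM" { user = "" }    # a new stage resets USER
        toupper($1) == "USER" { user = $2 }
        END { print user }
    ' "$1"
}

# Succeeds (exit 0) when the final stage ends as root: root, 0, or a root:group form.
ends_as_root() {
    u=$(final_user "$1" | tr -d "\"'")   # tolerate a quoted USER value
    u=${u%%:*}                           # drop an optional :group suffix
    [ "$u" = "root" ] || [ "$u" = "0" ]
}

# Constructed sample inputs (hypothetical derived Dockerfiles).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.Dockerfile" <<'EOF'
FROM image:latest
USER root
COPY "misc_files" "/opt/docker/rc.d/folders/"
RUN chmod -R 750 '/opt/docker/rc.d/folders/'
USER ${ENTRYPOINT_UID}
EOF
cat > "$demo_dir/bad.Dockerfile" <<'EOF'
FROM image:latest
USER root
RUN ln -sf /usr/share/zoneinfo/America/Vancouver \
    /etc/localtime
# USER ${ENTRYPOINT_UID}
EOF
for f in "$demo_dir/good.Dockerfile" "$demo_dir/bad.Dockerfile"; do
    if ends_as_root "$f"; then echo "FAIL $f: final stage runs as root"
    else echo "ok   $f: final USER is '$(final_user "$f")'"; fi
done
```

A static check cannot resolve what ${ENTRYPOINT_UID} expands to; on a built image, docker inspect --format '{{.Config.User}}' <image> shows the user the container starts as.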
Run Pre-Boot Scripts
There are numerous ways to customize the Container Gateway image, as described in this topic. If you require customization beyond what is described here, you can create your own POSIX-compatible pre-boot script. One common use for pre-boot scripts is to modify bundle files to replace run-time values that may not be known at design time.
You can use these pre-boot scripts to customize the image at run-time. For more information, see Run Custom Shell Scripts at Gateway Startup.
Auto-Provision Internal Services
You can auto-provision internal services to the Container Gateway, similar to the traditional Appliance Gateway. To do this:
  • Update your Dockerfile using either of the following commands:
    #The below command will expose the /restman internal service.
    RUN touch /opt/SecureSpan/Gateway/node/default/etc/bootstrap/services/restman
    #The below command will expose the /wsman internal service.
    RUN touch /opt/SecureSpan/Gateway/node/default/etc/bootstrap/services/wsman
Auto-Provision Gateway Entities
You can auto-provision migration bundles to the Container Gateway, similar to a traditional Appliance Gateway. Follow the steps below to embed your migration bundles. When the Container Gateway starts, the entities are available for use. The entities may include, but are not limited to, services, configuration, and trusted certificates.
  1. Copy the bundle files to this directory within the Gateway Docker image:
    /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle
  2. Place the files by updating your Dockerfile using the following command, where "<FILENAME>" is the name of your bundle file:
    COPY <FILENAME> /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/
Copy Gateway License Files
The CA API Gateway can load Gateway license files from within this directory:
/opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/
  • Copy the license file from your local directory to the image:
    COPY "CA_SSG_License1.xml" "/opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/"
Install Library Files
The CA API Gateway supports the loading of external libraries; for example, see Install the JDBC Interface and Install the JMS Interface. To add those library files to the Container Gateway, do the following:
  1. Copy the library files to this directory within the Gateway Docker image:
    /opt/SecureSpan/Gateway/runtime/lib/ext/
  2. To place the files, update your Dockerfile using the following command:
    COPY custom.jar /opt/SecureSpan/Gateway/runtime/lib/ext/
Customize Default Health Check Behavior
The default health check behavior of the Container Gateway evaluates whether there is a problem starting the Container Gateway server process. You can customize this default health check behavior based on your business requirements. For example, you want to publish a service on the Container Gateway that is important to your business. You want to ensure that the service is ready to accept traffic after the Container Gateway starts up. To do this, create a bootstrap health check service that checks the status of the Container Gateway service.
To customize the default health check behavior of the Container Gateway:
  1. Create the service endpoint /healthcheck. This service should return response code 200 when the Container Gateway is ready to accept traffic.
  2. Install the service endpoint using the steps in "auto_provision".
  3. Create a health_check.sh script file that checks the response code of the service endpoint. For example:
    #!/bin/sh
    # Report healthy (exit 0) only when /healthcheck returns HTTP 200.
    response=$(curl -s -o /dev/null -w "%{http_code}" http://gatewayurl:port/healthcheck)
    if [ "$response" -eq "200" ]; then
      exit 0
    fi
    exit 1
  4. In the Dockerfile, copy the health_check.sh script from your local directory to the derived image, and then change the permission of the health_check.sh script. For example:
    COPY path_to_healthcheck/health_check.sh /opt/docker/rc.d/diagnostic/
    RUN chmod 750 /opt/docker/rc.d/diagnostic/health_check.sh
  5. Include HEALTHCHECK instructions in your Dockerfile and call the health_check.sh script:
    HEALTHCHECK --interval=5s --timeout=5s --retries=1 --start-period=120s CMD /opt/docker/rc.d/diagnostic/health_check.sh || exit 1
    If the container is behind a load balancer, then the load balancer should have access to the /healthcheck endpoint.
Create a Derived Image
The following sample Dockerfile uses the features that are described in this topic to create a derived image that you can use with your customization.   
    FROM CA_GATEWAY_IMAGE:latest

    # Use the root user to run commands past this point of the Dockerfile
    USER root

    # Copy license files
    COPY "CA_SSG_License1.xml" "/opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/"
    COPY "CA_SSG_License2.xml" "/opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/"
    # Or COPY the whole folder containing license(s)
    # COPY "licenses_folder" "/opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/"

    # Set the time zone to America/Vancouver
    RUN ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime

    # Set the locale
    RUN localedef -c -i en_US -f UTF-8 en_US.UTF-8 --quiet
    ENV LANG="en_US.UTF-8"
    ENV LANGUAGE="en_US:en"

    # Permission change
    COPY "misc_files" "/opt/docker/rc.d/folders/"
    RUN chmod -R 750 '/opt/docker/rc.d/folders/'

    # Create the restman internal service
    RUN touch /opt/SecureSpan/Gateway/node/default/etc/bootstrap/services/restman

    # Copy bundle files to the bootstrap folder
    COPY migrationbundle1.req.bundle /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/
    COPY migrationbundle2.bundle /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/

    # Copy extension libraries to the Gateway
    COPY custom.jar /opt/SecureSpan/Gateway/runtime/lib/ext/

    # Override the Container Gateway's default health check behavior
    COPY path_to_healthcheck/health_check.sh /opt/docker/rc.d/diagnostic/
    RUN chmod 750 /opt/docker/rc.d/diagnostic/health_check.sh
    HEALTHCHECK --interval=5s --timeout=5s --retries=1 --start-period=120s CMD /opt/docker/rc.d/diagnostic/health_check.sh || exit 1

    # Switch back to the entrypoint user so the container does not run as root
    USER ${ENTRYPOINT_UID}