Skip to content

Advanced Docker Container Configuration

In many cases, you can use the Docker container as described in Getting-up-and-running. This page describes advanced aspects of Docker container configuration if this becomes necessary in your case.

Timezone

The default timezone in the sedex Client Docker container is "Europe/Zurich" (i.e. local Swiss time). If you have to set another timezone (e.g. UTC) then set the environment variable TZ by adding the following option to your container run statement: 

--env TZ=UTC

Running the sedex Client as a non-root user

Non-root container images add an extra layer of security and are generally recommended for production environments. The following steps describe how to set up a non-root group and user in case the host environment does not already provide these.

Step 1: Create a non-root group on the host machine

Determine a group ID (501 in the this example) that is unique on the host machine and create the group (the name does not have to be "sedex-group"). 

$ groupadd --gid 501 sedex-group

Step 2: Create a non-root user on the host machine

Determine a user ID (901 in this example) that is unique on the host machine and create the user (the name does not have to be "sedex-user"), assign it to the group created in the previous step, and specify its home directory. 

$ useradd --uid 901 --no-log-init --gid sedex-group --create-home --home-dir /opt/sedexclient/ sedex-user

Step 3: Set the group and owner of the sedex-data directories

If the sedex Client will run as a non-root user inside of the Docker container, set the group and owner of the whole "sedex-interface" and "sedex-data" directory trees and their contents so that the non-root user can access them. 

$ chown --recursive sedex-user:sedex-group /path/to/sedex-interface
$ chown --recursive sedex-user:sedex-group /path/to/sedex-data

Step 4: Run the sedex Client container as a non-root user

Run the sedex Client container using environment-specific values for the following options:

  • /path/to/sedex-interface - The path to the host's "sedex-interface" directory (containing persisted data)
  • /path/to/sedex-data - The path to the host's "sedex-data" directory (containing persisted data)
  • YOUR_MONITORING_PORT - The port at which the monitoring Web page of the sedex Client should be accessible from outside the container
  • YOUR_WS_PROXY_HTTP_PORT - The unsecured HTTP port at which the sedex Clients Webservice Proxy should be accessible from outside the container. Note: You can omit this line if the WS-Proxy will not be used or will only be used via HTTPS.
  • YOUR_WS_PROXY_HTTPS_PORT - The secured HTTPS port at which the sedex Clients Webservice Proxy should be accessible from outside the container. Note: You can omit this line if the WS-Proxy will not be used.
  • --stop-timeout 65 - When the Docker container is stopped (e.g. with "docker stop" command), the sedex Client's controller-stop.sh is executed to initiate a graceful shutdown of the client. This typically takes longer than the default 10 seconds that the Docker daemon waits before killing the container. The --stop-timeout option overrides the default. The required time will vary from one installation to another.
  • --restart unless-stopped - Restart Policy: Restart the container automatically after Docker daemon restarts, unless the container has been stopped intentionally.
  • --read-only- Security feature: Mounts the container's root filesystem as read-only. This makes the container immutable.
  • --user - User: Sets the UID and GID used to start the sedex Client.
  • -d - Detached: Start container in background without showing log output on console.

To run the sedex Client container as a non-root user, enter the following commands:

$ docker pull sedexch/sedex-client:container-1.1

$ docker run \
  --name sedex-client \
  --mount type=bind,source=/path/to/sedex-interface,destination=/sedex-interface/ \
  --mount type=bind,source=/path/to/sedex-data,destination=/sedex-data/ \
  --publish YOUR_MONITORING_PORT:8000 \
  --publish YOUR_WS_PROXY_HTTP_PORT:8080 \
  --publish YOUR_WS_PROXY_HTTPS_PORT:8443 \
  --stop-timeout 65 \
  --restart unless-stopped \
  --read-only \
  --user 901:501 \
  -d \
  sedexch/sedex-client:container-1.1

Running a specific version of the container

If no specific tag is specified when referencing a Docker container image, "latest" is typically used as the default tag. This means, that if you are referencing the container by its name "sedexch/sedex-client" (i.e. without a specific tag) the version assigned to the special tag "latest" would automatically be selected.

However, using the "latest" tag in production is fundamentally problematic because it references different versions of a container image over time. And these versions are possibly incompatible with each other, so that a reliable and reproducible operation is in question.

For this reason, sedex avoids offering a "latest" tag. Depending on your goals and policy, there are several tags available from which you can choose the one most suitable for your situation. See section Versions and Tags for details.

If you are unsure which tag to use, we recommend the tag "container-MAJOR.MINOR" (ex: container-1.1), which references the latest patch level of a particular container version.

View the page with all available tags of the image in the Docker hub registry for a list of all currently available versions of the Docker image.

Note: For simplicity all the necessary options of the docker run command are omitted in the following examples. These parameters have to be set as described in Getting up and running.

Example 1: Run a new container based on the image "container-1.1" (i.e. the latest patch level of this version): 

$ docker pull sedexch/sedex-client:container-1.1
$ docker run [...] sedexch/sedex-client:container-1.1

Example 2: Run the most current Docker container of the sedex Client 7.0.4: 

$ docker pull sedexch/sedex-client:7.0.4
$ docker run [...] sedexch/sedex-client:7.0.4

Example 3: Run the Docker container 1.1.0 of the sedex Client 7.0.4: 

$ docker pull sedexch/sedex-client:7.0.4_container-1.1.0
$ docker run sedexch/sedex-client:7.0.4_container-1.1.0

Pulling a specific image version

The "docker run" command does not automatically download a newer image from Docker hub, if an older image with that name and tag is already available in your local Docker image cache. In this case you have to manually issue a "docker pull" command to download the newest image from Docker hub.

Example: Get the Docker image for the most current patch level of the Docker container version container-1.1: 

$ docker pull sedexch/sedex-client:container-1.1

Example: Get the Docker image for the most current Docker container of the sedex Client 7.0.4: 

$ docker pull sedexch/sedex-client:7.0.4

Example: Get the Docker image for the container 1.1.0 of the sedex Client 7.0.4: 

$ docker pull sedexch/sedex-client:7.0.4_container-1.1.0