Sonatype Blog

Docker Compose for Nexus Platform - Part 2

December 29, 2017 By Curtis Yanko

In Part 1 we used a script and docker-compose to stand up both our Nexus Repository Manager and an IQ Server with out-of-the-box configurations. In this article we'll dig into how to configure your IQ Server as an example of how docker makes it easy to consume and customize stock images.

If you had looked closely enough in Part 1 you'd have seen an example of how to consume a vendor image. The Nexus Repo image we deployed was actually from our very own Brad Beck's nexus-https image. In the Dockerfile we can see that this image is based on the Sonatype nexus image but makes some changes that configure inbound SSL.

Brad makes sure the latest openssl library is installed via yum, then pulls down a su and sudo utility from the gosu project that we'll use later. The Dockerfile then updates the properties file, overlays the entrypoint.sh script, adds the SSL volume and exposes port 8443, which we need for SSL. Given how much has to be done, you can see why it is so convenient to use Brad's image along with a setup script to create the volume shares and copy in the SSL cert. That's a whole lot of documentation codified for us.

Thankfully, for the IQ Server we just need to override the config.yml file and instead of using sed to edit the properties file already in the image, we'll take advantage of the overlay file system and copy a new one in. This allows us to manage the file in source code in a format that we're already familiar with.

In the myiqserver sub folder we can see the Dockerfile we use to accomplish this.

FROM sonatype/nexus-iq-server
COPY config.yml /opt/sonatype/iq-server/

HEALTHCHECK CMD curl -f http://localhost:8071/ping || exit 1

That's not so bad, right? I've provided a build-iq.sh script just to make it easy to run the build and tag the new docker image. The script shows my crude attempts to make it portable by assigning your username to the docker image namespace, curtyanko in my case, and some basic parameter checking.

docker build -t "$DOCKERNAME/demo-iq-server:$1" .
docker tag "$DOCKERNAME/demo-iq-server:$1" "$DOCKERNAME/demo-iq-server:latest"
docker tag "$DOCKERNAME/demo-iq-server:latest" "mycompany.com:5000/$DOCKERNAME/demo-iq-server:$1"
docker tag "$DOCKERNAME/demo-iq-server:latest" "mycompany.com:5000/$DOCKERNAME/demo-iq-server:latest"

So we build and tag it to the version with docker build, then tag it again as latest. I also create two more tags to prep for being pushed to a private docker registry in our Nexus Repo instance.

Now you can set your baseURL, proxy settings or plug into email or JIRA by making the needed changes to the config.yml file and then running the build-iq.sh script. To get it running, be sure to change the docker-compose file to reference the namespace you're using (replace 'curtyanko') and you should be all set to have a custom configured IQ server up and running.

Hopefully this showed the basic patterns involved for extending/customizing existing docker images for your own use. Just add your license and our sample policies and you can get started scanning apps and containers. Going forward, I'd like to evolve this project to put both of these apps behind an Nginx server like this community offering.

Note: As of IQ Server 1.42 the property file has moved and should now be:

FROM sonatype/nexus-iq-server
COPY config.yml /etc/nexus-iq-server/
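
The note above is a case where an untagged FROM lets the overlay land in a directory the server no longer reads, so the stock configuration silently stays in effect. As an added example (not from the article's repository), this shell lint compares the COPY destination with the base image tag; the function names and the 1.41.0/1.42.0-style tags are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article's repository.
# Assumption: base image tags are plain versions such as 1.41.0 or 1.42.0.

# Print the directory the given IQ Server version reads config.yml from.
# Both paths and the 1.42 cut-over are the ones the article states.
expected_config_dir() {
  case "$1" in
    [0-9]*.[0-9]*) ;;
    *) return 2 ;;                      # "latest", empty, or not a version
  esac
  ecd_major=${1%%.*}
  ecd_rest=${1#*.}
  ecd_minor=${ecd_rest%%.*}
  case "$ecd_major.$ecd_minor" in *[!0-9.]*|.*|*.) return 2 ;; esac
  if [ "$ecd_major" -gt 1 ] || { [ "$ecd_major" -eq 1 ] && [ "$ecd_minor" -ge 42 ]; }; then
    echo /etc/nexus-iq-server/
  else
    echo /opt/sonatype/iq-server/
  fi
}

# lint_overlay DOCKERFILE: print a one-line verdict; status 0 only for OK.
lint_overlay() {
  lo_from=$(awk 'toupper($1) == "FROM" { print $2; exit }' "$1")
  lo_dest=$(awk 'toupper($1) == "COPY" && $2 == "config.yml" { print $3; exit }' "$1")
  if [ -z "$lo_dest" ]; then echo "NO_OVERLAY"; return 1; fi
  case "$lo_from" in
    *nexus-iq-server:*) lo_tag=${lo_from##*:} ;;
    *) lo_tag= ;;
  esac
  if ! lo_want=$(expected_config_dir "$lo_tag"); then
    echo "UNKNOWN_VERSION base=$lo_from: cannot tell which path this build needs"
    return 1
  fi
  lo_dir=${lo_dest%config.yml}          # accept a file or a directory destination
  if [ "${lo_dir%/}/" != "$lo_want" ]; then
    echo "WRONG_PATH got=$lo_dest want=$lo_want: stock config stays in effect"
    return 1
  fi
  echo "OK base=$lo_from dest=$lo_dest"
}

# Constructed sample: the article's first Dockerfile, whose FROM carries no tag.
demo_dir=$(mktemp -d)
printf 'FROM sonatype/nexus-iq-server\nCOPY config.yml /opt/sonatype/iq-server/\n' > "$demo_dir/Dockerfile"
lint_overlay "$demo_dir/Dockerfile" || true
rm -rf "$demo_dir"
```

Running it before build-iq.sh turns a silent misconfiguration into a failed build step, and pinning the FROM tag is what makes the check decidable.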

Tags: Docker, Nexus IQ, NXRM

Written by Curtis Yanko

Curtis Yanko is a Sr Principal Architect at Sonatype and a DevOps coach/evangelist. Prior to coming to Sonatype, Curtis started the DevOps Center of Enablement at a Fortune 100 insurance company and chaired an Open Source Governance Committee. When he isn’t working with customers and partners on how to build security and governance into modern CI/CD pipelines he can be found raising service dogs or out playing ultimate frisbee during his lunch hour. Curtis is currently working on building strategic technical partnerships to help solve for the rugged devops tool chain.