Installing Containerized Java Agents
As an administrator, you set up your system to run a Java Agent in a container by building and running a Docker image hosting a Java Agent.
The Enterprise Software Academy provides examples on how to deploy an Automic Automation Java, Windows or UNIX agent in a container. To access this additional information please select the relevant link:
This page includes the following:
Prerequisites
Make sure that you have all the resources required by the agents at build time in place. These are the following:
-
Base image
-
Agent binaries
-
INI files
-
Third-party dependencies such as jdbc drivers, sap libraries and so on
Note: The image should be generic so that it can be reused for several instances. Therefore, it is recommended adding only resources that do no change for several instances. Make sure not to add any instance-specific configuration.
Dockerfile example
FROM openjdk:11 RUN mkdir /opt/agent-sql COPY ucxjsqlx.tar.gz /opt/agent-sql WORKDIR /opt/agent-sql RUN tar -xzf ucxjsqlx.tar.gz WORKDIR /opt/agent-sql/bin COPY ./jdbc/* ./jdbc COPY --chmod=0755 run.sh . ENTRYPOINT [ "/opt/agent-sql/bin/run.sh" ]
Connecting to the Automation Engine
The Automation Engine and the Windows, UNIX, and Java Agents communicate using TLS/SSL. These agents establish a connection with the Java communication process (JCP), which uses trusted certificates to prove their identity to other communication partners.
Note: The TLS/SSL implementation does not apply to the HP-UX Agent, as it is no longer supported in this version.
You can use the trustedCertFolder=, agentSecurityFolder=, and keyPassword= parameters in the respective INI file to point to the relevant certificates. If the trustedCertFolder= parameter is not set, the certificates should be installed in the respective store; that is the Java trust store for Java Agents, the Windows OS store for Windows Agents, or the TLS/SSL store for UNIX Agents. For more information, see Securing Connections to the AE (TLS/SSL).
For more information about the different certificate types and for detailed instructions on how to create and use them, see What Kind of Certificates Should I Use for Automic Automation v21.
Important! When you install or upgrade containerized Agents for an Automic Automation Kubernetes Edition system, you have to make sure that you configure your Agents to reach the TCP or HTTPS load balancer and not the JCP directly. Also, make sure that your HTTPS load balancer has the required certificates in place. For more information, see Connecting to the AAKE Cluster.
Configuring Containers
You customize the container configuration for a specific container (instance of an image) at runtime.
Starting the Image
You can use a plain docker script to start the image.
Example SQL agent - _start.sh
Make sure that the definition of the -v ${PWD}/security: and -v ${PWD}/trustedcert: variables point to the relevant certificates.
#!/bin/sh # add '--entrypoint bash' for debugging docker run -it \ --env-file env.file \ -v ${PWD}/security:/opt/agent-sql/bin/security \ -v ${PWD}/trustedcert:/opt/agent-sql/trustedcert \ agent-sql:21.0
The env.file comprises the following information:
automic_global_name=Linux-Docker-V210 automic_global_system=AUTOMIC automic_global_logging=CON: automic_tcpip_connection_DNS=myAEServer.local:8443 automic_tcpip_connection=1.2.3.4:8443 automic_variables_uc_ex_ip_addr=192.168.1.2 automic_variables_uc_ex_ip_port=12300 automic_variables_uc_ex_job_md_ip_addr=localhost not_used_automic_misc_msgtostdout=yes automic_keypass=changeit
You can also use k8s scripts to start the image.
Example k8s deployment.yaml
Make sure that the definition of the - name: security-volume and - name: trustedcert-volume parameters point to the relevant certificates.
apiVersion: apps/v1 kind: Deployment metadata: name: docker-sql labels: app: agent-sql spec: replicas: 1 selector: matchLabels: app: agent-sql template: metadata: labels: app: agent-sql spec: containers: - name: agent-sql image: agent-sql:21.0 imagePullPolicy: Never envFrom: - configMapRef: name: docker-sql-config volumeMounts: - name: security-volume mountPath: /opt/agent-sql/bin/security - name: trustedcert-volume mountPath: /opt/agent-sql/trustedcert volumes: - name: security-volume hostPath: path: /tmp/docker-sql/security type: Directory - name: trustedcert-volume hostPath: path: /tmp/docker-sql/trustedcert type: Directory
The configmap comprises the following information:
TheapiVersion: v1 kind: ConfigMap metadata: name: k8s-sql-config data: automic_global_name: sql-k8s-v210 automic_global_system: AUTOMIC automic_tcpip_connection_DNS: myAEServer.local:8443 automic_tcpip_connection: 1.2.3.4:8443 automic_authorization_keypassword: changeit automic_misc_msgtostdout: "yes" automic_variables_uc_ex_ip_addr: 192.168.1.2 automic_variables_uc_ex_ip_port: "22300" automic_variables_uc_ex_job_md_ip_addr: localhost
Configuring the Agent
There are several areas that are relevant to successfully configure the agents:
-
If you have not done so yet, configure the JCP certificate.
Make sure the agent trusts the JCP. If you do not use a public trusted certificate, make sure to add the relevant certificate to the trustedCertFolder. For more information, see Securing Connections to the AE (TLS/SSL).
-
Configure the Agent certificate.
The Agent uses the files (private keys, signed certificates and root certificates) stored in its security folder to authenticate against the Automation Engine. You have to preserve this folder in a volume. Otherwise, the certificate (and private key) is lost and the Automation Engine does not recognize the agent and rejects it. For more information, see Preparing TLS/SSL Certificates.
-
Authenticate the Agent.
If you use the authentication methods LOCAL or LOCAL_REMOTE, you require an authentication package for the initial start. For more information, see Agent Authentication andChanging the Authentication Method .
The easiest way to mount the authentication package for the initial start is setting a volume and defining it in the
InitialPackage=
parameter of the INI file.
-
Configure the INI file.
It is recommended using environment variables to configure the INI file. You can do so by defining the parameters that correspond to the INI file settings in the run.sh file. For more information see, Agents INI files.
You can also provide the INI file with a volume which is passed at the start of an agent.
Example SQL run.sh file
#!/bin/sh echo "1. adopt agent configuration" mv ucxjsqlx.ori.ini ucxjsqlx.ini sed -i "s/^name.*=.*/name=$automic_global_name/g" ucxjsqlx.ini sed -i "s/^system.*=.*/system=$automic_global_system/g" ucxjsqlx.ini sed -i "s/^logging.*=.*/logging=$automic_global_logging/g" ucxjsqlx.ini sed -i "s/^connection.*=.*/connection=$automic_tcpip_connection/g" ucxjsqlx.ini sed -i "s/^keyPassword.*=.*/keyPassword=$automic_authorization_keypassword/g" ucxjsqlx.ini sed -i "s/^type.*=.*/type=$automic_sql_type/g" ucxjsqlx.ini sed -i "s#^trustedCertFolder.*=.*#trustedCertFolder=../trustedcert#g" ucxjsqlx.ini sed -i "s#^initialPackage.*=.*#initialPackage=./package#g" ucxjlx6.ini echo "2. start agent" java -jar -Xrs -Xmx256M ucxjsqlx.jar
Configuring the Network
Make sure that the hostnames required are resolvable inside the cluster either by configuring a DNS or services with ExternalName.
Resetting the Agent Key
If, for any reason, you do not want to store the public/private key in a volume, you can reset the agent key in the Automation Engine before the agent can connect again. You can do so using the REST API before starting the agent.
Example
curl -f --request POST -u "$CLIENT0_USER/$CLIENT0_DEPARTMENT:$CLIENT0_PASSWORD" \ "http://$REST_CONNECTION/ae/api/v1/0/system/agents/$AGENT_NAME/resetpublickey" -v
See also: