Installing Containerized Java Agents
As an administrator, you set up your system to run a Java Agent in a container by building and running a Docker image hosting a Java Agent.
The Broadcom Software Academy provides examples on how to deploy an Automic Automation Java, Windows or UNIX agent in a container. To access this additional information please select the relevant link:
This page includes the following:
Prerequisites
Make sure that you have all the resources required by the agents at build time in place. These are the following:
-
Base image
-
Agent binaries
-
INI files
-
Third-party dependencies such as jdbc drivers, sap libraries and so on
Note: The image should be generic so that it can be reused for several instances. Therefore, it is recommended adding only resources that do no change for several instances. Make sure not to add any instance-specific configuration.
Dockerfile example
FROM openjdk:11 RUN mkdir /opt/agent-sql COPY ucxjsqlx.tar.gz /opt/agent-sql WORKDIR /opt/agent-sql RUN tar -xzf ucxjsqlx.tar.gz WORKDIR /opt/agent-sql/bin COPY ./jdbc/* ./jdbc COPY --chmod=0755 run.sh . ENTRYPOINT [ "/opt/agent-sql/bin/run.sh" ]
Connecting to the Automation Engine
The Automation Engine and the Windows, UNIX, and Java Agents communicate using TLS/SSL. These agents establish a connection with the Java communication process (JCP), which uses trusted certificates to prove their identity to other communication partners.
Important! Make sure you are familiar with the TLS/SSL and certificate implementation before installing and/or upgrading the respective component. For more information, see:
When you used certificates signed by a CA, the certificates are stored in the respective Java or OS store by default; that is the Java trust store for Java components and Java Agents, the Windows OS store for Windows Agents, or the TLS/SSL store for UNIX Agents. In this case, you only have to check that the root certificates already are in the respective store.
If you do not want to use the default locations for the components and Agents listed above, make sure you use the trustedCertFolder=, agentSecurityFolder=, and keyPassword= parameters (if applicable) in the respective configuration (INI) file to define the path to the folder where the trusted certificates are stored.
Important! TLS/SSL Agents (in containers and on-premises) as well as the TLS Gateway, when used for the Automic Automation Kubernetes Edition, establish a connection to an ingress / HTTPS load balancer, which requires a certificate for authentication.
Make sure that address of the load balancer is defined on both sides: the Automation Engine and the Agent / TLS Gateway and that your HTTPS load balancer has the required certificates in place. For more information, see Connecting to AWI, the JCP and REST Processes Using an Ingress.
Configuring Containers
You customize the container configuration for a specific container (instance of an image) at runtime.
Starting the Image
You can use a plain docker script to start the image.
Example SQL agent - _start.sh
Make sure that the definition of the -v ${PWD}/security: and -v ${PWD}/trustedcert: variables point to the relevant certificates.
#!/bin/sh
# add '--entrypoint bash' for debugging
docker run -it \
--env-file env.file \
-v ${PWD}/security:/opt/agent-sql/bin/security \
-v ${PWD}/trustedcert:/opt/agent-sql/trustedcert \
agent-sql:21.0
The env.file comprises the following information:
automic_global_name=Linux-Docker-V210 automic_global_system=AUTOMIC automic_global_logging=CON: automic_tcpip_connection_DNS=myAEServer.local:8443 automic_tcpip_connection=1.2.3.4:8443 automic_variables_uc_ex_ip_addr=192.168.1.2 automic_variables_uc_ex_ip_port=12300 automic_variables_uc_ex_job_md_ip_addr=localhost not_used_automic_misc_msgtostdout=yes automic_keypass=changeit
You can also use k8s scripts to start the image.
Example k8s deployment.yaml
Make sure that the definition of the - name: security-volume and - name: trustedcert-volume parameters point to the relevant certificates.
Note: This example uses PVCs to mount the certificates and so on. In this case, you have to create the PV and PVCs before deploying the agents and configure them accordingly.
apiVersion: apps/v1
kind: Deployment
metadata:
name: docker-sql
labels:
app: agent-sql
spec:
replicas: 1
selector:
matchLabels:
app: agent-sql
template:
metadata:
labels:
app: agent-sql
spec:
containers:
- name: agent-sql
image: agent-sql:21.0
imagePullPolicy: Never
envFrom:
- configMapRef:
name: docker-sql-config
volumeMounts:
- name: security-volume
mountPath: /opt/agent-sql/bin/security
- name: trustedcert-volume
mountPath: /opt/agent-sql/trustedcert
volumes:
- name: security-volume
persistentVolumeClaim:
claimName: pvc-securityfolder
- name: trustedcert-volume
persistentVolumeClaim:
claimName: pvc-trustedcertfolder
The configmap comprises the following information:
TheapiVersion: v1 kind: ConfigMap metadata: name: k8s-sql-config data: automic_global_name: sql-k8s-v210 automic_global_system: AUTOMIC automic_tcpip_connection_DNS: myAEServer.local:8443 automic_tcpip_connection: 1.2.3.4:8443 automic_authorization_keypassword: changeit automic_misc_msgtostdout: "yes" automic_variables_uc_ex_ip_addr: 192.168.1.2 automic_variables_uc_ex_ip_port: "22300" automic_variables_uc_ex_job_md_ip_addr: localhost
Configuring the Agent
There are several areas that are relevant to successfully configure the agents:
-
If you have not done so yet, configure the JCP certificate.
Make sure the agent trusts the JCP. If you do not use a public trusted certificate, make sure to add the relevant certificate to the trustedCertFolder. For more information, see Securing Connections to the AE (TLS/SSL).
-
Configure the Agent certificate.
The Agent uses the files (private keys, signed certificates and root certificates) stored in its security folder to authenticate against the Automation Engine. You have to preserve this folder in a volume. Otherwise, the certificate (and private key) is lost and the Automation Engine does not recognize the agent and rejects it. For more information, see TLS/SSL Certificate Considerations.
-
Authenticate the Agent.
If you use the authentication methods LOCAL or LOCAL_REMOTE, you require an authentication package for the initial start. For more information, see Agent Authentication andChanging the Authentication Method .
The easiest way to mount the authentication package for the initial start is setting a volume and defining it in the
InitialPackage=parameter of the INI file.
-
Configure the INI file.
It is recommended using environment variables to configure the INI file. You can do so by defining the parameters that correspond to the INI file settings in the run.sh file. For more information see, Agents INI files.
You can also provide the INI file with a volume which is passed at the start of an agent.
Example SQL run.sh file
#!/bin/sh echo "1. adopt agent configuration" mv ucxjsqlx.ori.ini ucxjsqlx.ini sed -i "s/^name.*=.*/name=$automic_global_name/g" ucxjsqlx.ini sed -i "s/^system.*=.*/system=$automic_global_system/g" ucxjsqlx.ini sed -i "s/^logging.*=.*/logging=$automic_global_logging/g" ucxjsqlx.ini sed -i "s/^connection.*=.*/connection=$automic_tcpip_connection/g" ucxjsqlx.ini sed -i "s/^keyPassword.*=.*/keyPassword=$automic_authorization_keypassword/g" ucxjsqlx.ini sed -i "s/^type.*=.*/type=$automic_sql_type/g" ucxjsqlx.ini sed -i "s#^trustedCertFolder.*=.*#trustedCertFolder=../trustedcert#g" ucxjsqlx.ini sed -i "s#^initialPackage.*=.*#initialPackage=./package#g" ucxjlx6.ini echo "2. start agent" java -jar -Xmx256M ucxjsqlx.jar
Configuring the Network
Make sure that the hostnames required are resolvable inside the cluster either by configuring a DNS or services with ExternalName.
Resetting the Agent Key
If, for any reason, you do not want to store the public/private key in a volume, you can reset the agent key in the Automation Engine before the agent can connect again. You can do so using the REST API before starting the agent.
Example
curl -f --request POST -u "$CLIENT0_USER/$CLIENT0_DEPARTMENT:$CLIENT0_PASSWORD" \
"http://$REST_CONNECTION/ae/api/v1/0/system/agents/$AGENT_NAME/resetpublickey" -v
See also: