I've been working with Docker Compose to put together a docker-compose.yml file to rapidly deploy a Maker container. Everything is working great with the exception of passing the third party modules during container creation.
Upon launching the Maker Gateway, the third party modules are stuck in quarantine, requiring install and signing. Is this expected behavior? What can I do differently, if anything? Although this is for dev, recommendations for an enterprise production environment are welcome. Here is my docker-compose.yml for reference:
```yaml
services:
  scada:
    image: inductiveautomation/ignition:8.1.47
    ports:
      - 80:8088
      - 443:8043
    command:
      -n scada
      -a localhost
      -h 80
      -s 443
      -m 3072
    environment:
      ACCEPT_IGNITION_EULA: Y
      GATEWAY_ADMIN_USERNAME_FILE: /run/secrets/username
      GATEWAY_ADMIN_PASSWORD_FILE: /run/secrets/password
      TZ: US/Eastern
      GATEWAY_MODULES_ENABLED: alarm-notification,opc-ua,perspective,reporting,sfc,sql-bridge,tag-historian,web-developer,udp-tcp-drivers,modbus-driver-v2
      DISABLE_QUICKSTART: true
      IGNITION_EDITION: maker
      IGNITION_LICENSE_KEY_FILE: /run/secrets/license-key
      IGNITION_ACTIVATION_TOKEN_FILE: /run/secrets/activation-token
      IGNITION_UID: 2003
      IGNITION_GID: 2003
    user: "0:0"
    volumes:
      - scada-data:/usr/local/bin/ignition/data
      - ./modules/MQTT-Distributor-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Distributor-signed.modl
      - ./modules/MQTT-Engine-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Engine-signed.modl
      - ./modules/MQTT-Transmission-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Transmission-signed.modl
    secrets:
      - username
      - password
      - license-key
      - activation-token
secrets:
  username:
    file: ./secrets/username
  password:
    file: ./secrets/password
  license-key:
    file: ./secrets/license-key
  activation-token:
    file: ./secrets/activation-token
volumes:
  scada-data:
```
Yes, this is expected behavior.
The simplest solution is to supply a gateway backup that has those modules approved.
1 Like
Getting out-of-box behavior right with third-party modules in 8.1.x typically requires building a derived image (note: this will no longer be required when Ignition 8.3 is released, as we're offering some better mechanisms here). If you're running Docker Compose, you can also bind-mount the modules directly into place as you're already doing.
If you're looking for inspiration for building a derived image with third-party modules in place and approved, you can look at this repo: GitHub - thirdgen88/ignition-derived-example: Derived Image Example using Official Ignition Docker Image as Base.
3 Likes
Thank you for the clear and concise reply.
I'll look at adding this to my compose project.
Looking forward to 8.3!
While creating this project that was where I started based on the Ignition - Docker documentation until I realized that some community members were able to bind-mount the modules. I'll revisit the derived images if @pturmel's suggestion of restoring a gateway backup gives me any trouble.
Thanks for the link and the work you've published. Didn't realize that your derived solution could be used to solve my problem. Your ignition-examples repo has already helped significantly.
1 Like
Hmm I'm being asked to activate pending 3rd-party modules in an 8.3.7 Docker container. I'm mounting MQTT Distributor, Engine, and Transmission into the container, and mounting a backup into the container and restoring from this backup on creation. I've absolutely chosen to trust the certificates (etc.) for these modules *before* creating this backup.
What's strange is that if I complete gateway commissioning by approving the modules and then perform a gateway restore to the OLD backup (the one that was mounted into the container and restored from), I am not prompted to activate 3rd party modules, and the gateway starts with the 3rd-party modules running fine. I'm guessing that wherever the config that stores that I've trusted the certificates isn't reset on restore, or included with a backup? Not sure.
If the licenses or EULAs have changed, your old backup wouldn't cover that.
Sorry I guess "old backup" wasn't the right term - I'm creating a backup immediately after accepting the current EULAs and then trying to restore from it when the container is created. From what I can tell this is acceptable practice (as per the Ignition with Docker: Gateway Backups lesson on IU), but EULA/certificate approval for 3rd-party modules doesn't seem to be saved in that backup.
I did some testing this morning and it appears to be a regression in 8.3(.7), see the test procedures I used below.
Folder structure
```
├── backups/
│   ├── 81-accepted.gwbk
│   └── 83-accepted.gwbk
├── modules81/
│   ├── MQTT-Distributor-signed.modl
│   ├── MQTT-Engine-signed.modl
│   └── MQTT-Transmission-signed.modl
├── modules83/
│   ├── MQTT-Distributor-signed.modl
│   ├── MQTT-Engine-signed.modl
│   └── MQTT-Transmission-signed.modl
└── docker-compose.yml
```
Note the modules in modules81 and modules83 are the latest 8.1 and 8.3 versions of the modules, respectively.
8.1 test info
```yaml
services:
  gateway:
    image: inductiveautomation/ignition:8.1 #.53
    ports:
      - 9088:8088
    volumes:
      - ./backups/81-accepted.gwbk:/restore.gwbk
      - ./modules81/MQTT-Distributor-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Distributor-signed.modl
      - ./modules81/MQTT-Engine-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Engine-signed.modl
      - ./modules81/MQTT-Transmission-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Transmission-signed.modl
    command: >
      -n module-test
      -m 1024
      -r /restore.gwbk
    environment:
      - IGNITION_EDITION=standard
      - ACCEPT_IGNITION_EULA=Y
      - GATEWAY_ADMIN_PASSWORD=pass
      - DISABLE_QUICKSTART=true
```
- Comment out the lines that restore a gateway backup and create the container.
- The third-party modules will start quarantined and their EULAs/certificates must be accepted.
- After accepting, the modules will be hot-started.
- Create a backup and place it at ./backups/81-accepted.gwbk.
- Uncomment the lines that restore a gateway backup.
- Bring the container down then back up again.
- The third-party modules will start (expected behaviour).
8.3 test info
```yaml
services:
  gateway:
    image: inductiveautomation/ignition:8.3 #.7
    ports:
      - 9088:8088
    volumes:
      - ./backups/83-accepted.gwbk:/restore.gwbk
      - ./modules83/MQTT-Distributor-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Distributor-signed.modl
      - ./modules83/MQTT-Engine-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Engine-signed.modl
      - ./modules83/MQTT-Transmission-signed.modl:/usr/local/bin/ignition/user-lib/modules/MQTT-Transmission-signed.modl
    command: >
      -n module-test
      -m 1024
      -r /restore.gwbk
    environment:
      - IGNITION_EDITION=standard
      - ACCEPT_IGNITION_EULA=Y
      - GATEWAY_ADMIN_PASSWORD=pass
      - DISABLE_QUICKSTART=true
```
- Comment out the lines that restore a gateway backup and create the container.
- The Activate Pending Modules page will appear before the gateway begins, and you will need to accept the EULAs/certificates.
- After accepting, the gateway will start.
- Verify the modules are running.
- Make an extraneous change (such as changing the gateway notes) to verify the gateway is actually being restored from a backup.
- Create a backup and place it at ./backups/83-accepted.gwbk.
- Uncomment the lines that restore a gateway backup.
- Bring the container down then back up again.
- The Activate Pending Modules page will appear again, and the gateway will not start.
I'm still able to see the extraneous change (e.g. changed gateway notes) after proceeding with gateway commissioning, so the backup is being loaded, but the EULA/certificate acceptance is not.
Note that I'm using Maker edition but get similar behaviour (wrt. the modules) whether IGNITION_EDITION is set to maker or standard.
You can use ACCEPT_MODULE_LICENSES and ACCEPT_MODULE_CERTS to automate acceptance of EULAs and signing certs for third party modules, much like ACCEPT_IGNITION_EULA. See the environment variable docs.
Note that module acceptance state is stored in /usr/local/bin/ignition/data/modules.json, which shows you the fully-qualified module paths you'll need. For example:
```json
"com.cirruslink.mqtt.distributor.gateway": {
  "filename": "/usr/local/bin/ignition/data/var/ignition/modl/MQTT-Distributor-signed.modl",
  "onStartup": "enabled",
  "certFingerprint": "b3d50508d45e1703dea19b80f6cdc3d7030c1f03",
  "licenseAgreementHash": 2517188037
},
```
1 Like
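One way to audit the acceptance state that the reply above says lives in modules.json before automating acceptance, as an added example (not code from the thread or from Inductive Automation): it finds every module entry carrying a `certFingerprint` and checks it against a pin list you maintain. The `modules` wrapper key, the second module entry and the pin list are constructed assumptions; only the first entry's fields come from the fragment quoted above.

```python
import json

# Constructed sample: first entry is the fragment from the thread; the rest is assumed.
SAMPLE = """
{"modules": {
  "com.cirruslink.mqtt.distributor.gateway": {
    "filename": "/usr/local/bin/ignition/data/var/ignition/modl/MQTT-Distributor-signed.modl",
    "onStartup": "enabled",
    "certFingerprint": "b3d50508d45e1703dea19b80f6cdc3d7030c1f03",
    "licenseAgreementHash": 2517188037},
  "com.example.constructed.module": {
    "certFingerprint": "00000000000000000000000000000000deadbeef",
    "licenseAgreementHash": 1}}}
"""
# Hypothetical pin list: module ID -> signing-cert fingerprint obtained out of band.
PINNED = {"com.cirruslink.mqtt.distributor.gateway":
          "B3:D5:05:08:D4:5E:17:03:DE:A1:9B:80:F6:CD:C3:D7:03:0C:1F:03"}

def normalise(fp):
    """Compare fingerprints regardless of case or colon/space separators."""
    return "".join(c for c in str(fp).lower() if c in "0123456789abcdef")

def find_entries(node, found=None):
    """Collect {module_id: entry} for every object with certFingerprint, at any depth."""
    found = {} if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, dict) and "certFingerprint" in value:
                found[key] = value
            else:
                find_entries(value, found)
    elif isinstance(node, list):
        for item in node:
            find_entries(item, found)
    return found

def audit(text, pinned):
    """Return (module IDs whose recorded cert matches its pin, list of findings)."""
    entries = find_entries(json.loads(text))
    ok, findings = [], []
    for module_id in sorted(set(entries) | set(pinned)):
        if module_id not in entries:
            findings.append((module_id, "pinned but absent from modules.json"))
        elif module_id not in pinned:
            findings.append((module_id, "recorded in modules.json but not pinned"))
        elif normalise(entries[module_id]["certFingerprint"]) != normalise(pinned[module_id]):
            findings.append((module_id, "fingerprint mismatch"))
        else:
            ok.append(module_id)
    return ok, findings

print(audit(SAMPLE, PINNED))
```

Run it against a copy of the gateway's own modules.json; only the IDs in the first returned list are ones whose signing certificate you have independently confirmed, which is the set worth auto-accepting.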
This worked! I wasn't able to find that page before. Thank you 
1 Like