[Docker] Set web.xml Parameters in Docker Compose

Davide3i · April 19, 2023, 12:45pm

I've started to play around with the Docker image for Ignition and I've a question: is there a way to set web.xml parameters in Docker Compose? For example I need to set <max-file-size> to 41.697.640, instead of the default value. I can't find any hint about that here.
Thank you.

PGriffith · April 19, 2023, 3:14pm

Look further down in the document; if you're on 8.1.10 or newer, you can pass any arbitrary gateway.xml parameters by prefixing the additional arguments with gateway., as in:

docker run -d -p 9088:8088 \
   --name ignition-test \
   inductiveautomation/ignition:8.1.10 \
   -n docker-test \
   -a localhost \
   -h 9088 \
   -s 9043 \
   -- \
   gateway.resolveHostNames=true \
   gateway.useProxyForwardedHeader=true

So I'm pretty sure you would just pass gateway.max-file-size=41697640 after the -- to begin the arguments section.

@Kevin.Collins, how'd I do?

kcollins1 · April 19, 2023, 11:03pm

Yup, you've got it! Here is the specific docs link that mentions the gateway.xml arguments.

Davide3i · April 20, 2023, 6:01am

Thank you both!

Davide3i · April 20, 2023, 6:43am

I have another question.
How should I hash my Gateway's admin password to store it in a file that is then passed as an environment variable (GATEWAY_ADMIN_PASSWORD_FILE)?

From the docs:

GATEWAY_ADMIN_PASSWORD 	8.1.8+	Password value or salted hash to be used for initial gateway auto-commissioning.

I've tried using GatewaySec, but I cannot understand how the salted password should be input inside of the aforementioned file.

kcollins1 · April 20, 2023, 1:25pm

I've got a helper script for generating the proper format salted hash here:

gist.github.com

https://gist.github.com/thirdgen88/c4257bd4c47b6cc7194d1f5e7cbd6444

generate-gw-password-hash.sh

#!/usr/bin/env bash
set -eo pipefail

###############################################################################
# Processes password input and translates to salted hash
###############################################################################
function main() {
  local -u auth_salt
  local auth_pwhash auth_pwsalthash auth_password

This file has been truncated. show original

generate-gw-password-hash-demo

Davide3i · April 20, 2023, 1:31pm

Thank you.
Then I just need to paste the string inside of the file and Ignition Gateway will automatically interpret it as a salted hash, right?

kcollins1 · April 20, 2023, 1:31pm

Correct, it will recognize that specific format and store it directly.

pturmel · April 20, 2023, 1:46pm

Ewww! You are using a timestamp to produce your salt. Consider reading eight bytes from /dev/random instead. Or mixing that in with the timestamp fed to sha256sum.

Davide3i · April 20, 2023, 2:11pm

So you would simply do like this?

auth_salt="$(dd if=/dev/random bs=8 count=1)"

pturmel · April 20, 2023, 2:15pm

Not quite. You need hex characters, not the raw bytes, and with /dev/random, not /dev/urandom. That is the high-quality pool on older distros. (They are synonymous on current kernels, IIRC.)

kcollins1 · April 20, 2023, 2:23pm

I've updated the gist above with revision 6. And yeah, okay to use /dev/random here which will block to ensure sufficient entropy (versus nonblocking urandom).

Revision #6 now adds a new -s salt method flag with the following options:

timestamp - the previous usage of timestamp as input to salt

random - now reads 8 hexadecimal characters from /dev/random as input to salt

The random option is the new default.

pturmel · April 20, 2023, 2:25pm

Hmm. Eight freaking minutes from suggestion to published code.

I love this community.

Davide3i · April 21, 2023, 7:12am

I have a further question.

Let's say I'd like to also map a network drive. How should I manage wrapper.share.1.target=Z: parameter considering Linux doesn't use letters? Should I write something similar to wrapper.share.1.target=/mnt/custom_network_drive?

Moreover, it seems like my Wrapper arguments don't get saved inside of ignition.conf. This is my docker-compose.yaml:

version: "3.8"
services:
    # Ignition Gateway
    gateway:
        container_name: test
        image: inductiveautomation/ignition:8.1.26
        restart: unless-stopped
        mem_limit: 8192m
        ports:
            - "9088:8088"
            - "9043:8043"
        volumes:
            - gw-data:/usr/local/bin/ignition/data
            - ./backup:/mnt/backup  # Bind mount backup folder.
        env_file: ignition.env
        secrets:
            - gateway-admin-password
        command: >
            -n GDM-DEV
            -m 8192
            --
            wrapper.java.initmemory=512

secrets:
    gateway-admin-password:
        file: secrets/GATEWAY_ADMIN_PASSWORD

volumes:
    gw-data:
        name: ignition-gw-data

But ignition.conf (under /usr/local/bin/ignition/data/) looks like this:

# Java Additional Parameters
# Initial Java Heap Size (in MB)
wrapper.java.initmemory=256

# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=1024

If I may, I would suggest to add @kcollins1 script to this doc page and how to map network drives on Linux to this doc page.

pturmel · April 21, 2023, 12:40pm

You will have to rethink how you expect this to work, and dedicate a "/remote" or "/mnt" folder to such network resources. You can mount windows network resources in Linux using the kernel's SMB functionality with entries in /etc/fstab. Not sure how to configure docker to do so.

Consider getting this working on a conventional Linux box or VM before trying to get it to work in docker.

kcollins1 · April 21, 2023, 12:50pm

The wrapper.share.* functionality is Windows-only, so it won't work on Linux (and therefore the container image).

As to JVM and Wrapper args that follow the -- delimiter in the command definition, those are intentionally treated as ephemeral overrides. We do have a ticket in our system to have the -m flag actually update the ignition.conf setting. You'd then still be able to use the JVM/wrapper args to set ephemeral values for other testing.

Davide3i · April 21, 2023, 12:53pm

Thanks for clarifying. So I suppose there isn't a way to share a remote network folder with the container? I think at this point I can just use a bind mount (but I've to sort out how to authenticate with the network share username and password).

kcollins1 · April 21, 2023, 1:12pm

It looks like there might be some options with creating a SMB/CIFS volume (and then attaching that volume to your container). I've not done it before, though. Some starting reference material here: Create CIFS/Samba volumes

Davide3i · April 21, 2023, 1:24pm

Yep, it works. Complete docker-compose.yaml for anyone with the same issue.

version: "3.8"
services:
    # Ignition Gateway
    gateway:
        container_name: test
        image: inductiveautomation/ignition:8.1.26
        restart: unless-stopped
        mem_limit: 8192m
        ports:
            - "9088:8088"
            - "9043:8043"
        volumes:
            - gw-data:/usr/local/bin/ignition/data
            - nas:/mnt/nas
            - ./backup:/mnt/backup  # Bind mount backup folder.
        env_file: ignition.env
        secrets:
            - gateway-admin-password
        command: >
            -n Ignition
            -m 8192
            -r /mnt/backup/test.gwbk
            --
            wrapper.java.initmemory=4096
            -Dignition.allowunsignedmodules=true
            gateway.resolveHostNames=true
            gateway.useProxyForwardedHeader=true
            gateway.max-file-size=41697640

secrets:
    gateway-admin-password:
        file: secrets/GATEWAY_ADMIN_PASSWORD

volumes:
    gw-data:
        name: ignition-gw-data
    nas:
        name: nas
        driver: local
        driver_opts:
            type: cifs
            device: "//192.168.125.XXX/scada"
            o: "addr=192.168.125.XXX,username=admin,password=mildlyComplexPassword,file_mode=0777,dir_mode=0777"

My ignition.env file:

ACCEPT_IGNITION_EULA=Y
GATEWAY_ADMIN_USERNAME=admin
GATEWAY_ADMIN_PASSWORD_FILE=/run/secrets/gateway-admin-password
IGNITION_EDITION=standard
#IGNITION_LICENSE_KEY=XXXX-XXXX
TZ=Europe/Rome