Important: NGINX Plus R33 requires NGINX Instance Manager 2.18 or later
To ensure uninterrupted traffic processing, upgrade to NGINX Instance Manager 2.18 or later if your NGINX data plane instances are running NGINX Plus R33. This upgrade is necessary to support usage reporting.

NGINX Plus R33 instances must send usage data to the F5 licensing endpoint or NGINX Instance Manager. If they don’t, they will stop processing traffic.

For more information about usage reporting and enforcement, see About solution licenses.

Deploy using Docker Compose

Overview

This guide will show you how to deploy and use F5 NGINX Instance Manager in Docker using Docker Compose.

This NGINX Instance Manager docker compose deployment is a single Docker image containing NGINX Instance Manager, Security Monitoring, and the latest App Protect compilers, which is orchestrated using a Docker Compose docker-compose.yaml definition.

The ClickHouse database is deployed in a separate container to improve resilience and make this a fault tolerant solution. You can also configure persistent storage

What you need

A working version of Docker
Your NGINX Instance Manager subscription’s JSON Web Token from MyF5 You can use the same JSON Web Token as NGINX Plus in your MyF5 portal.
This pre-configured docker-compose.yaml file:
- Download docker-compose.yaml file .

Minimum requirements

Deploying NGINX Instance Manager with docker requires a minimum of 4 CPU cores and 4 GB of memory for basic use cases. However, every environment is unique, primarily due to variations in the NGINX configurations being managed. For instance, managing NGINX instances with hundreds of configuration files or those with WAF (NGINX App Protect) enabled can significantly increase resource demands.

If your use case is limited to usage tracking without active management or agent communication, the minimum requirements should suffice. For more complex deployments, we recommend reviewing the technical specifications guide to ensure the resources allocated are sufficient to handle an increased workload, particularly for the ClickHouse database, which may need to manage a higher volume of reads and writes.

Before you start

Legacy 'nms' references
Some commands, file paths, and configuration references still use nms due to the ongoing transition from NGINX Management Suite (NMS) to NGINX Instance Manager (NIM). These will be updated in future releases.

Set up Docker for NGINX container registry

To set up Docker to communicate with the NGINX container registry located at private-registry.nginx.com, follow these steps:

Download your NGINX Instance Manager subscription’s JSON Web Token from MyF5. You can use the same JSON Web Token as NGINX Plus in your MyF5 portal.
1. Log in to MyF5.
2. Go to My Products & Plans > Subscriptions to see your active subscriptions.
3. Find your NGINX products or services subscription, and select the Subscription ID for details.
4. Download the JSON Web Token from the subscription page.
Open the JSON Web Token file you downloaded from MyF5 and copy its contents.

Copying the JWT token
Make sure there are no extra characters or spaces when copying the contents of the JWT token: they can invalidate the token and cause 401 errors during authentication.

        docker login private-registry.nginx.com --username=<JWT_CONTENTS> --password=none

docker login private-registry.nginx.com --username=<JWT_CONTENTS> --password=none

Compose deployment

Configuring a forward proxy:
If you are configuring a forward proxy, follow the steps in the Forward Proxy Configuration Guide to modify docker-compose.yaml with the correct proxy settings before deploying NGINX Instance Manager.

Go to the directory where you downloaded docker-compose.yaml. Use the following commands to log in to private-registry.nginx.com and deploy NGINX Instance Manager.

        docker login private-registry.nginx.com --username=<JWT_CONTENTS> --password=noneecho "admin" > admin_password.txtdocker compose up -d

docker login private-registry.nginx.com --username=<JWT_CONTENTS> --password=none
echo "admin" > admin_password.txt
docker compose up -d

If the deployment succeeds, you’ll see output similar to this:

        [+] Running 6/6 ✔ Network nim_clickhouse        Created   0.1s ✔ Network nim_external_network  Created   0.2s ✔ Network nim_default           Created   0.2s ✔ Container nim-precheck-1      Started   0.8s ✔ Container nim-clickhouse-1    Healthy   6.7s ✔ Container nim-nim-1           Started   7.4s

[+] Running 6/6
 ✔ Network nim_clickhouse        Created   0.1s
 ✔ Network nim_external_network  Created   0.2s
 ✔ Network nim_default           Created   0.2s
 ✔ Container nim-precheck-1      Started   0.8s
 ✔ Container nim-clickhouse-1    Healthy   6.7s
 ✔ Container nim-nim-1           Started   7.4s

Supported environment variables

Variable	Category	Description
NIM_LOG_LEVEL	General	Sets the logging level for NGINX Instance Manager.
NIM_METRICS_TTL	General	Specifies the number of days to retain metrics.
NIM_EVENTS_TTL	General	Specifies the number of days to retain event logs.
NIM_SECURITY_TTL	General	Specifies the number of days to retain security violation logs.
NIM_MAINTENANCE	General	Enables maintenance mode for backup, restore, and troubleshooting (`true` or `false`).
NIM_WATCHDOG_TIMEOUT	General	Sets the timeout (in seconds) for the Data Plane Monitoring (DPM) watchdog.
NIM_LICENSE_MODE_OF_OPERATION	General	Sets the license mode to either `connected` (default) or `disconnected`.
PROXY_ENABLE	Forward Proxy	Enables or disables the use of a forward proxy (`true` or `false`).
PROXY_HOST	Forward Proxy	The IP address or hostname of the proxy server.
PROXY_PORT	Forward Proxy	The port number of the proxy server.
PROXY_PROTOCOL	Forward Proxy	The proxy protocol (`http` or `https`).
PROXY_AUTH_REQUIRED	Forward Proxy	Specifies whether authentication is required for the proxy (`true` or `false`).
PROXY_USERNAME	Forward Proxy	(Required if `PROXY_AUTH_REQUIRED=true`) The username for proxy authentication.
PROXY_PASSWORD	Forward Proxy	(Required if `PROXY_AUTH_REQUIRED=true`) The password for proxy authentication.
PROXY_SSL_VERIFY	Forward Proxy	Enables or disables SSL verification when `PROXY_PROTOCOL=https`. Default is `true`, meaning the proxy must have a valid certificate issued by a trusted Certificate Authority (CA). Set to `false` to allow self-signed or untrusted certificates (not recommended).

See also:
For details on configuring a forward proxy, see the Forward Proxy Configuration Guide.

Compose stop or tear down

Navigate to the directory where you downloaded docker-compose.yaml. If you started NIM with docker compose up -d, stop NIM services once you’ve finished with them by running docker compose stop. You can bring everything down, removing the containers entirely, with the docker compose down command.

        docker compose down

docker compose down

        [+] Running 6/6 ✔ Container nim-nim-1           Removed   30.6s ✔ Container nim-clickhouse-1    Removed    1.4s ✔ Container nim-precheck-1      Removed    0.0s ✔ Network nim_default           Removed    0.9s ✔ Network nim_external_network  Removed    0.4s ✔ Network nim_clickhouse        Removed    0.6s

[+] Running 6/6
 ✔ Container nim-nim-1           Removed   30.6s
 ✔ Container nim-clickhouse-1    Removed    1.4s
 ✔ Container nim-precheck-1      Removed    0.0s
 ✔ Network nim_default           Removed    0.9s
 ✔ Network nim_external_network  Removed    0.4s
 ✔ Network nim_clickhouse        Removed    0.6s

Secrets

In the same docker-compose.yaml file, you can modify the following credentials:

Set the admin password (required)

        secrets:  nim_admin_password:    file: admin_password.txt

secrets:
  nim_admin_password:
    file: admin_password.txt

Pass a custom .htpasswd file (Optional)

          nim_credential_file:    file: nim_creds.txt

  nim_credential_file:
    file: nim_creds.txt

Optionally, you can also set the external SSL certificate, key, and CA files, in PEM format for the NGINX Instance Manager Ingress proxy.

        secrets:  nim_proxy_cert_file:    file: ./certs/nim_cert.pem  nim_proxy_cert_key:    file: ./certs/nim_key.pem  nim_proxy_ca_cert:    file: ./certs/nim_ca.pem

secrets:
  nim_proxy_cert_file:
    file: ./certs/nim_cert.pem
  nim_proxy_cert_key:
    file: ./certs/nim_key.pem
  nim_proxy_ca_cert:
    file: ./certs/nim_ca.pem

Backup

Once you’ve set up your Docker containers, use the following command to back them up:

        ~$ docker exec nim-nim-1 nim-backup...Backup has been successfully created: /data/backup/nim-backup-<date>.tgz

~$ docker exec nim-nim-1 nim-backup
...
Backup has been successfully created: /data/backup/nim-backup-<date>.tgz

If your system uses named volumes, inspect the Mountpoint. Alternatively, if you’re using a shared NFS volume, then collect the data directly from the mount point.

        ~/compose$ docker inspect volume nim_nim-data | jq '.[0].Mountpoint'"/var/lib/docker/volumes/nim_nim-data/_data"ubuntu@ip-<address>:~/compose$ sudo ls -l /var/lib/docker/volumes/nim_nim-data/_data/backup-rw-r--r-- 1 root root 5786953 Sep 27 02:03 nim-backup-<date>.tgz

~/compose$ docker inspect volume nim_nim-data | jq '.[0].Mountpoint'
"/var/lib/docker/volumes/nim_nim-data/_data"
ubuntu@ip-<address>:~/compose$ sudo ls -l /var/lib/docker/volumes/nim_nim-data/_data/backup
-rw-r--r-- 1 root root 5786953 Sep 27 02:03 nim-backup-<date>.tgz

Restore

Before you can restore a backup, set your containers to maintenance mode in the same docker-compose.yaml file:

            environment:      NIM_MAINTENANCE: "true"

    environment:
      NIM_MAINTENANCE: "true"

        ~$ docker exec nim-nim-1 nim-restore /data/backup/nim-backup-<date>.tgz...NGINX Instance Manager has been restored.

~$ docker exec nim-nim-1 nim-restore /data/backup/nim-backup-<date>.tgz
...
NGINX Instance Manager has been restored.

Once the process is complete set NIM_MAINTENANCE to false and then run docker-compose up -d.

Storage

By default, the storage uses named volumes. Alternatively, you can use optional driver_opts settings to support other storage formats such as NFS. For all storage volumes, make sure to mount them, before running docker compose up -d. For a mounted NFS volume, you might use the following commands:

        ~$ sudo mount -t nfs <<nfs-ip>>:/mnt/nfs_share/clickhouse /mnt/nfs_share/clickhouse~$ sudo mount -t nfs <<nfs-ip>>:/mnt/nfs_share/data /mnt/nfs_share/data

~$ sudo mount -t nfs <<nfs-ip>>:/mnt/nfs_share/clickhouse /mnt/nfs_share/clickhouse
~$ sudo mount -t nfs <<nfs-ip>>:/mnt/nfs_share/data /mnt/nfs_share/data

        volumes:   By default docker compose will create a named volume    Refer to https://docs.docker.com/reference/compose-file/volumes/ for additional storage options such as NFS   nim-data:    driver: local    driver_opts:      type: "nfs"      o: "addr=<<nfs-ip>>,rw"      device: ":/mnt/nfs_share/data"  clickhouse-data:    driver: local    driver_opts:      type: "nfs"      o: "addr=<<nfs-ip>>,rw"      device: ":/mnt/nfs_share/clickhouse"

volumes:
  # By default docker compose will create a named volume 
  # Refer to https://docs.docker.com/reference/compose-file/volumes/ for additional storage options such as NFS 
  nim-data:
    driver: local
    driver_opts:
      type: "nfs"
      o: "addr=<<nfs-ip>>,rw"
      device: ":/mnt/nfs_share/data"
  clickhouse-data:
    driver: local
    driver_opts:
      type: "nfs"
      o: "addr=<<nfs-ip>>,rw"
      device: ":/mnt/nfs_share/clickhouse"

Support Data

In case of problems, it’s a good practice to:

Collect logs docker-compose logs --since 24h > my-logs-$(date +%Y-%m-%d).txt
Collect backup information docker exec nim-nim-1 nim-backup