Deploy NGINX Instance Manager in a Single Docker Container

Overview

This guide will show you how to deploy and use F5 NGINX Instance Manager with Docker. The NGINX Instance Manager container is a single Docker image that includes all dependencies, making it easy to quickly set up NGINX Instance Manager with NGINX Open Source.

This deployment is ideal for:

  • Product demos
  • Instance counting
  • Small-scale environments (20 instances or fewer)

By the end of this guide, you’ll be able to:

  • Perform a quick test without persistent storage.
  • Persist data to a volume.
  • Set the admin password with an environment variable.
  • Override self-signed API gateway certificates.
  • Configure user access to the container using an .htpasswd file.

What You Need

  • A working version of Docker
  • Your NGINX Instance Manager subscription’s JSON Web Token from MyF5

Before You Start

Set Up Docker for NGINX Container Registry

To set up Docker to communicate with the NGINX container registry located at private-registry.nginx.com, follow these steps:

  1. Download your NGINX Instance Manager subscription’s JSON Web Token and license from MyF5.

    • Log in to the MyF5 customer portal.
    • Go to My Products and Plans > Subscriptions.
    • Select the product subscription.
    • Download the JSON Web Token and license files.
  2. Open the JSON Web Token file you downloaded from MyF5 and copy its contents.

  3. Log in to the Docker registry using the contents of the JSON Web Token file:

    docker login private-registry.nginx.com --username=<JWT_CONTENTS> --password=none
    

Data Persistence

  • A single volume mount is required to persist the NGINX Instance Manager databases. For example: --volume=/myvolume/nim:/data
  • An optional volume can be used to add a custom .htpasswd file for admin and user authentication. For example: --volume=/myvolume/pass/.htpasswd:/.htpasswd

Supported Environment Variables

  • NMS_PERSIST_DISABLE: Do not persist data to a volume. All data will be lost after the container stops or restarts.
  • NMS_ADMIN_PASSWORD: Set an admin password.
  • NMS_APIGW_CERT: Override the API gateway self-signed certificate.
  • NMS_APIGW_KEY: Override the API gateway self-signed key.
  • NMS_APIGW_CA: Override the API gateway self-signed CA.
  • LOG_LEVEL: Set the logging level for NGINX Instance Manager.

Build Examples

Quick Test Without Persistent Storage

  1. Run the following Docker command, replacing the placeholders with the appropriate values:

    • <HOSTNAME>: desired hostname
    • <ADMIN_PASSWORD>: password for the admin account
    • <VERSION_TAG>: specific release version you want to use (note: latest is not supported)

    docker run -it --rm \
      --hostname=<HOSTNAME> \
      -e NMS_PERSIST_DISABLE \
      -e NMS_ADMIN_PASSWORD="<ADMIN_PASSWORD>" \
      -p 8443:443 \
      private-registry.nginx.com/nms/nim-bundle:<VERSION_TAG>
    

    Example:

    To pull the NGINX Instance Manager 2.17.0 image, set the hostname to “mynim,” and set the admin password to “<ADMIN_PASSWORD>”, run:

    docker run -it --rm \
      --hostname=mynim \
      -e NMS_PERSIST_DISABLE \
      -e NMS_ADMIN_PASSWORD="<ADMIN_PASSWORD>" \
      -p 8443:443 \
      private-registry.nginx.com/nms/nim-bundle:2.17.0
    
  2. Upload the license:

    • In a web browser, go to https://<YOUR_HOST_IP>:8443 and log in. Replace <YOUR_HOST_IP> with the actual IP address or hostname of the machine running the Docker container. If you are accessing it locally, use https://localhost:8443.
    • Select the Settings gear icon.
    • On the Settings menu, select Licenses.
    • Select Get Started.
    • Select Browse to upload the license, or simply drag and drop the license onto the form.
    • Select Add.
  3. Close the browser to completely log off.

  4. Stop and restart the container.

  5. Log back in and verify that the license isn’t applied.

Set Up Persistent Storage

  1. Create or mount a directory for persistent storage to keep your data if the container restarts.

  2. Run the following Docker command, replacing the placeholders with the appropriate values:

    • <HOSTNAME>: desired hostname
    • <ADMIN_PASSWORD>: password for the admin account
    • <DATA_VOLUME>: path to the persistent data directory on the host machine
    • <VERSION_TAG>: specific release version you want to use (note: latest is not supported)

    docker run -it --rm \
      --hostname=<HOSTNAME> \
      -e NMS_ADMIN_PASSWORD="<ADMIN_PASSWORD>" \
      --volume=<DATA_VOLUME>:/data \
      -p 8443:443 \
      private-registry.nginx.com/nms/nim-bundle:<VERSION_TAG>
    

    Example:

    To pull the NGINX Instance Manager 2.17.0 image, set the hostname to “mynim,” set the admin password to “<ADMIN_PASSWORD>”, and write data to /myvolume/nim-storage, run:

    docker run -it --rm \
      --hostname=mynim \
      -e NMS_ADMIN_PASSWORD="<ADMIN_PASSWORD>" \
      --volume=/myvolume/nim-storage:/data \
      -p 8443:443 \
      private-registry.nginx.com/nms/nim-bundle:2.17.0
    
  3. Upload the license:

    • In a web browser, go to https://<YOUR_HOST_IP>:8443 and log in. Replace <YOUR_HOST_IP> with the actual IP address or hostname of the machine running the Docker container. If you are accessing it locally, use https://localhost:8443.
    • Select the Settings gear icon.
    • On the Settings menu, select Licenses.
    • Select Get Started.
    • Select Browse to upload the license, or simply drag and drop the license onto the form.
    • Select Add.
    • Select Done.
  4. Close the browser to completely log off.

  5. Stop and restart the container.

  6. Log back in and verify that the license is still applied.

Override Self-Signed API Gateway Certificates

  1. Ensure you have access to the required certificates:

    • mycert.pem
    • mykey.pem
    • myca.pem
  2. Run the following Docker command, replacing the placeholders with the appropriate values:

    • <HOSTNAME>: desired hostname
    • <ADMIN_PASSWORD>: password for the admin account
    • <DATA_VOLUME>: path to the persistent data directory on the host machine
    • <VERSION_TAG>: specific release version you want to use (note: latest is not supported)

    docker run -it --rm \
      --hostname=<HOSTNAME> \
      -e NMS_ADMIN_PASSWORD="<ADMIN_PASSWORD>" \
      -e NMS_APIGW_CERT="$(cat mycert.pem)" \
      -e NMS_APIGW_KEY="$(cat mykey.pem)" \
      -e NMS_APIGW_CA="$(cat myca.pem)" \
      --volume=<DATA_VOLUME>:/data \
      -p 8443:443 private-registry.nginx.com/nms/nim-bundle:<VERSION_TAG>
    

    Example:

    To pull the NGINX Instance Manager 2.17.0 image, set the hostname to “mynim,” use the password “<ADMIN_PASSWORD>”, pass in the certificates mycert.pem, mykey.pem, and myca.pem, and write data to /myvolume/nim-storage, run:

    docker run -it --rm \
      --hostname=mynim \
      -e NMS_ADMIN_PASSWORD="<ADMIN_PASSWORD>" \
      -e NMS_APIGW_CERT="$(cat mycert.pem)" \
      -e NMS_APIGW_KEY="$(cat mykey.pem)" \
      -e NMS_APIGW_CA="$(cat myca.pem)" \
      --volume=/myvolume/nim-storage:/data \
      -p 8443:443 private-registry.nginx.com/nms/nim-bundle:2.17.0
    
  3. Log in and verify that the certificates are applied correctly.

    In a web browser, go to https://<YOUR_HOST_IP>:8443 and log in. Replace <YOUR_HOST_IP> with the actual IP address or hostname of the machine running the Docker container. If you are accessing it locally, use https://localhost:8443.
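
Before starting the container, it helps to confirm that mykey.pem belongs to mycert.pem and that the certificate verifies when myca.pem is supplied as the CA file. This is an added example, not part of F5's documentation; it assumes the openssl CLI is installed and the key is not passphrase-protected, and the function names and generated sample files are hypothetical.

```shell
#!/bin/sh
# Added example (not F5 code): pre-flight check of the three PEM files
# before they are passed as NMS_APIGW_CERT, NMS_APIGW_KEY and NMS_APIGW_CA.
# Assumes the openssl CLI is installed and the key has no passphrase.

check_apigw_certs() {
    cert=$1; key=$2; ca=$3
    # The certificate and the private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL cannot parse certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL cannot parse private key $key"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL $key does not belong to $cert"; return 1
    fi
    # The certificate must verify when the CA file is given to openssl verify.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL $cert does not verify against $ca"; return 1
    fi
    # Reject a certificate that has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL $cert has expired"; return 1
    fi
    echo "OK certificate, key and CA are consistent"
}

# Constructed throwaway material for the demonstration: a self-signed
# certificate that acts as its own CA, plus an unrelated second key.
make_sample() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mynim" \
        -keyout "$dir/mykey.pem" -out "$dir/mycert.pem" 2>/dev/null
    cp "$dir/mycert.pem" "$dir/myca.pem"
    openssl genrsa -out "$dir/otherkey.pem" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_apigw_certs "$demo_dir/mycert.pem" "$demo_dir/mykey.pem" "$demo_dir/myca.pem"
check_apigw_certs "$demo_dir/mycert.pem" "$demo_dir/otherkey.pem" "$demo_dir/myca.pem" \
    || echo "mismatch detected, container not started"
rm -rf "$demo_dir"
```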

Create and Use an .htpasswd File

In previous examples, the admin password was set using the NMS_ADMIN_PASSWORD environment variable. You can also set passwords for the admin and other users using an .htpasswd file.

  1. Create an .htpasswd file on the host machine with an admin user. You will be prompted to enter a password:

    htpasswd -c .htpasswd admin
    
  2. To add more user passwords, use one of the following commands depending on the desired hashing method:

    Required: Create new users in the web interface
    Additional users must be created using the web interface first. If users are added only to the .htpasswd file and not in the web interface, they will not be able to log in. The web interface creates the users but doesn’t support adding passwords, while the .htpasswd file adds the passwords but doesn’t create the users. For instructions on adding users using the web interface, see Creating Users.

    • For MD5 hash:

      htpasswd -m .htpasswd user1
      
    • For SHA hash:

      htpasswd -s .htpasswd user2
      
    Note:
    NGINX does not support bcrypt password hashing.
  3. To pass the .htpasswd file at runtime, run the following command, replacing the placeholders with the appropriate values:

    • <HOSTNAME>: desired hostname
    • <HTPASSWD_VOLUME>: path to the directory containing the .htpasswd file on the host machine
    • <DATA_VOLUME>: path to the persistent data directory on the host machine
    • <VERSION_TAG>: specific release version you want to use (note: latest is not supported)

    docker run -it --rm \
      --hostname=<HOSTNAME> \
      --volume=<HTPASSWD_VOLUME>/.htpasswd:/.htpasswd \
      --volume=<DATA_VOLUME>:/data \
      -p 8443:443 private-registry.nginx.com/nms/nim-bundle:<VERSION_TAG>
    
    Important:
    The admin user must be included in the .htpasswd file, or the container will not start.

    Example:

    To pull the NGINX Instance Manager 2.17.0 image, set the hostname to “mynim,” pass in the /myvolume/nim-auth/.htpasswd file, and write data to /myvolume/nim-storage, run:

    docker run -it --rm \
      --hostname=mynim \
      --volume=/myvolume/nim-auth/.htpasswd:/.htpasswd \
      --volume=/myvolume/nim-storage:/data \
      -p 8443:443 private-registry.nginx.com/nms/nim-bundle:2.17.0
    
  4. To copy an updated .htpasswd file to a running container, use the following command, replacing the placeholders with the appropriate values:

    • <HTPASSWD_VOLUME>: path to the directory containing the .htpasswd file on the host machine
    • <CONTAINER_NAME>: name of the running container

    docker cp <HTPASSWD_VOLUME>/.htpasswd <CONTAINER_NAME>:/data/local-auth/.htpasswd
    

    Example:

    docker cp /home/ubuntu/nim-auth/.htpasswd nginx-instance:/data/local-auth/.htpasswd
    

    Tip: How to find a container's name
    To find a container’s name, use the docker ps command, which lists all running containers along with their names.
  5. Verify you can log in with the provided usernames and passwords.

    In a web browser, go to https://<YOUR_HOST_IP>:8443 and log in. Replace <YOUR_HOST_IP> with the actual IP address or hostname of the machine running the Docker container. If you are accessing it locally, use https://localhost:8443.
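
The two constraints stated in this section (the admin entry must exist, and NGINX does not support bcrypt) can be checked before the file is mounted or copied into the container. This is an added example, not part of F5's documentation; the function names and the sample file, whose hash bodies are placeholders, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code): pre-flight check for an .htpasswd file
# before it is mounted into the container.

# Map one hash field to the scheme that produced it.
classify_hash() {
    case "$1" in
        '$apr1$'*)               echo apr1 ;;    # htpasswd -m (salted MD5)
        '{SHA}'*)                echo sha1 ;;    # htpasswd -s (unsalted SHA-1)
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;  # bcrypt prefixes
        '')                      echo empty ;;
        *)                       echo other ;;
    esac
}

# Print one finding per user; return 1 if the file would break login or startup.
check_htpasswd() {
    file=$1; rc=0; seen_admin=no
    if [ ! -r "$file" ]; then echo "FAIL cannot read $file"; return 1; fi
    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$user" = admin ]; then seen_admin=yes; fi
        case "$(classify_hash "$hash")" in
            apr1)   echo "OK   $user: salted MD5 (apr1)" ;;
            sha1)   echo "WARN $user: unsalted SHA-1; htpasswd -m adds a salt" ;;
            bcrypt) echo "FAIL $user: bcrypt hash, not supported by NGINX"; rc=1 ;;
            empty)  echo "FAIL $user: no password hash"; rc=1 ;;
            *)      echo "WARN $user: scheme not covered by this guide" ;;
        esac
    done < "$file"
    if [ "$seen_admin" = no ]; then echo "FAIL no admin entry"; rc=1; fi
    return "$rc"
}

# Constructed sample file: the hash bodies are placeholders, not real hashes.
write_sample() {
    cat > "$1" <<'EOF'
admin:$apr1$CONSTRCT$placeholderplaceholder
user1:{SHA}cGxhY2Vob2xkZXJwbGFjZWhvbGRlcg==
user2:$2y$05$placeholderplaceholderplaceholderplaceholderplacehold
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_htpasswd "$sample" || echo "do not mount this file yet"
rm -f "$sample"
```

Entries written by htpasswd -s are flagged as warnings rather than failures because they still work for login; the {SHA} format is an unsalted SHA-1 digest.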


Last modified September 11, 2024