EDC Docker Images

All EDC software packages are also available as docker images, to allow installation on users’ own infrastructure. The docker packages are available here.

Introduction

The EDCI ecosystem is composed of the EDCI Issuer, the EDCI Wallet and the EDCI Viewer. Moreover, a database and an Identity provider are required for full functionality.

Because of this, if you wish to use this dockerized version of the EDCI ecosystem, we recommend using a docker-compose file to make the communication between containers easier.

An example of a full docker-compose file can be found below:

      version: "3.0"
      services:
        mysqldb:
          image: kiceurope/mysqldb:latest
          container_name: mysqldb
          environment:
            - MYSQL_ROOT_PASSWORD=1234mraf
            - MYSQL_USER=edci
            - MYSQL_PASSWORD=1234mraf
          volumes:
            - "C://EDCIEcosystem/dockers/docker_mysql/datadir:/var/lib/mysql"
          ports:
            - 3307:3306
            - 33060:33060
        keycloak:
          image: quay.io/keycloak/keycloak:latest
          container_name: keycloak
          command: -b 0.0.0.0 -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
          environment:
            - KEYCLOAK_USER=admin
            - KEYCLOAK_PASSWORD=admin
            - DB_VENDOR=MYSQL
            - DB_ADDR=mysqldb
            - DB_DATABASE=keycloak
            - DB_USER=keycloak
            - DB_PASSWORD=kyk1234
          ports:
            - "9000:8080"
          depends_on:
            - mysqldb
        viewer:
          image: kiceurope/viewer:QA
          container_name: viewer
          build: edci-viewer/
          environment:
            - JPDA_ENABLED=true
            - JPDA_TRANSPORT=dt_socket
            - JPDA_ADDRESS=8000
            - WAIT_FOR_HOST=mysqldb
            - WAIT_FOR_PORT=3306
            - WAIT_FOR_TIMEOUT=60
          volumes:
            - "C://EDCIEcosystem/dockers/docker_viewer/viewer:/usr/local/tomcat/conf/edci/viewer"
            - "C://EDCIEcosystem/dockers/docker_viewer/logs:/usr/local/tomcat/logs"
          ports:
            - "8282:8080"
            - "9282:8000"
        wallet:
          image: kiceurope/wallet:QA
          container_name: wallet
          build: edci-wallet/
          environment:
            - JPDA_ENABLED=true
            - JPDA_TRANSPORT=dt_socket
            - JPDA_ADDRESS=8000
            - WAIT_FOR_HOST=mysqldb
            - WAIT_FOR_PORT=3306
            - WAIT_FOR_TIMEOUT=60
          volumes:
            - "C://EDCIEcosystem/dockers/docker_wallet/wallet:/usr/local/tomcat/conf/edci/wallet"
            - "C://EDCIEcosystem/dockers/docker_wallet/logs:/usr/local/tomcat/logs"
          ports:
            - "8181:8080"
            - "9181:8000"
        issuer:
          image: kiceurope/issuer:QA
          container_name: issuer
          build: edci-issuer/
          environment:
            - JPDA_ENABLED=true
            - JPDA_TRANSPORT=dt_socket
            - JPDA_ADDRESS=8000
            - WAIT_FOR_HOST=mysqldb
            - WAIT_FOR_PORT=3306
            - WAIT_FOR_TIMEOUT=60
          volumes:
            - "C://EDCIEcosystem/dockers/docker_issuer/issuer:/usr/local/tomcat/conf/edci/issuer"
            - "C://EDCIEcosystem/dockers/docker_issuer/credentials:/usr/local/tomcat/temp/credentials"
            - "C://EDCIEcosystem/dockers/docker_issuer/logs:/usr/local/tomcat/logs"
          ports:
            - "8383:8080"
            - "9383:8000"

 

Here, a mysql database and a keycloak server are being used in conjunction with the issuer, viewer and wallet applications. Notice that in this case, all three EDCI applications have been configured with JPDA enabled for debugging purposes.

Keep in mind, when using the full ecosystem in this way, that all EDCI images have a wait-for-it script installed, meaning that you can use the WAIT_FOR_XX variables to wait for relevant dependencies. Also, notice that the keycloak container is started with fine-grained authorization and token exchange enabled; this is necessary if both viewer and wallet are present in the ecosystem and are required to interact.

For this setup, dockers must refer to each other by the internal service name (issuer/wallet/viewer), when doing internal calls. However, keycloak must still be accessed through "host.docker.internal" URL, or configured with a proper domain depending on the desired integration.
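
The compose file above is a development setup: passwords are written inline, and each application's JPDA port is published on the host. JPDA has no authentication, so anyone who can reach ports 9282, 9181 or 9383 can run code inside the Tomcat JVM. As an added example (not the project's own file), the mysqldb, keycloak and issuer services are shown below with those points tightened; viewer and wallet follow the same pattern as issuer. It assumes the ${...} values are defined in a .env file next to the compose file, and that leaving out the optional JPDA_* variables leaves debugging off, as in the minimal docker run commands further down.

```yaml
# Added example: hardened variant of three services from the compose file above.
# Assumption: the ${...} variables are defined in a .env file beside this file.
version: "3.0"
services:
  mysqldb:
    image: kiceurope/mysqldb:latest
    container_name: mysqldb
    environment:
      # ":?" makes compose abort with this message if the variable is unset or empty
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:?required}
      - MYSQL_USER=edci
      - MYSQL_PASSWORD=${MYSQL_PASSWORD:?required}
    volumes:
      - "C://EDCIEcosystem/dockers/docker_mysql/datadir:/var/lib/mysql"
    ports:
      # Loopback only, for administration from the host; containers use mysqldb:3306
      - "127.0.0.1:3307:3306"
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    command: -b 0.0.0.0 -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
    environment:
      - KEYCLOAK_USER=${KEYCLOAK_USER:?required}
      - KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD:?required}
      - DB_VENDOR=MYSQL
      - DB_ADDR=mysqldb
      - DB_DATABASE=keycloak
      - DB_USER=keycloak
      - DB_PASSWORD=${KEYCLOAK_DB_PASSWORD:?required}
    ports:
      - "9000:8080"
    depends_on:
      - mysqldb
  issuer:
    image: kiceurope/issuer:QA
    container_name: issuer
    environment:
      # JPDA_* variables left out: they are optional, so no debug listener is requested
      - WAIT_FOR_HOST=mysqldb
      - WAIT_FOR_PORT=3306
      - WAIT_FOR_TIMEOUT=60
    volumes:
      - "C://EDCIEcosystem/dockers/docker_issuer/issuer:/usr/local/tomcat/conf/edci/issuer"
      - "C://EDCIEcosystem/dockers/docker_issuer/logs:/usr/local/tomcat/logs"
    ports:
      # Application port only; the 9383:8000 JPDA mapping is no longer published
      - "8383:8080"
```

If a debugger is needed during development, re-add the JPDA_* variables and publish the debug port on loopback only, for example "127.0.0.1:9383:8000".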

EDC Issuer
Starting EDC Issuer

For this image, the EDCI issuer is deployed in a tomcat server using port 8080, exposing that port will have a Starting an instance of the EDCI Issuer with a minimum setup will be done as follows:

 

      docker run -p 8080:8080 kiceurope/issuer
      

 

This will start the container with the default localhost configuration. To change the configuration, a volume for the configuration files must be created.

Volumes and Configuration

The EDCI Issuer stores its configuration in a series of property files. If any change needs to be applied, the properties must be changed and the web app must be restarted. The configuration is stored by default at $CATALINA_HOME/conf/edci/issuer, meaning that there are only two ways of changing it permanently:

  • Building a custom image FROM kiceurope/issuer
  • Mounting a volume for the configuration folder

The configuration is copied into the directory after container startup, meaning that even if the volume is already mounted, the default configuration will be copied to the directory unless the configuration files already exist. Because of this, the best way to change the configuration and test the changes is to mount the configuration volume, set up the required changes and restart the docker container.

Another useful volume that can be mounted is the logs directory of the tomcat at $CATALINA_HOME/logs to be able to keep those logs available.

Lastly, the credentials generated at runtime are temporarily stored at $CATALINA_HOME/temp/credentials. A volume mounted on that folder may be useful for debugging purposes.

Starting the issuer with all three volumes enabled will look similar to:

 

      docker run -p 8080:8080 -v /opt/issuer:/usr/local/tomcat/conf/edci/issuer -v /opt/logs:/usr/local/tomcat/logs -v /opt/credentials:/usr/local/tomcat/temp/credentials kiceurope/issuer
      
Environment Variables

There are some optional environment variables that may be used for enabling JPDA debugging, and waiting for a host:

 

 

  • JPDA_ENABLED: enable JPDA for debug/development purposes
  • JPDA_TRANSPORT: define the JPDA transport; the recommended value is dt_socket
  • JPDA_ADDRESS: define the JPDA port; if enabled, it must also be exposed to the host when running the container
  • WAIT_FOR_HOST: define a host to wait for before starting this container; used mostly for dockerized dependencies
  • WAIT_FOR_PORT: the port on that host for which the container must wait; required if WAIT_FOR_HOST is used
  • WAIT_FOR_TIMEOUT: maximum waiting time in seconds before timing out

External Dependencies

The EDCI Issuer requires a database. You can either use a dockerized version of the database, or point the edci-issuer at the desired database through the properties in the issuer.properties file.

Also, the EDCI Issuer's OCB templates are stored based on a user system, but for this to work an OIDC Identity provider must be configured. For this, we recommend keycloak. If a full Identity Provider is not required, you can make use of a mocked user, using the security.properties and issuer_front.properties configuration files.

The OIDC provider must work using a proper hostname. If you are running the Identity provider inside a docker image, you can use docker's host.docker.internal URL to point to the Identity provider inside the issuer's configuration files.

For the preview, an instance of the EDCI Viewer must also be configured in the issuer.properties and issuer_front.properties files.

Most importantly, the issuer requires an instance of the EDCI Wallet configured in the issuer.properties file, to be able to issue the credentials to a wallet.

EDC Wallet
Starting EDCI Wallet

For this image, the EDCI Wallet is deployed in a tomcat server using port 8080, exposing that port will have a Starting an instance of the EDCI Wallet with a minimum setup will be done as follows:

 

      docker run -p 8080:8080 kiceurope/wallet
      

 

This will start the container with the default localhost configuration. To change the configuration, a volume for the configuration files must be created.

Volumes and Configuration

The EDCI Wallet stores its configuration in a series of property files. If any change needs to be applied, the properties must be changed and the web app must be restarted. The configuration is stored by default at $CATALINA_HOME/conf/edci/wallet, meaning that there are only two ways of changing it permanently:

  • Building a custom image FROM kiceurope/wallet
  • Mounting a volume for the configuration folder

The configuration is copied into the directory after container startup, meaning that even if the volume is already mounted, the default configuration will be copied to the directory unless the configuration files already exist. Because of this, the best way to change the configuration and test the changes is to mount the configuration volume, set up the required changes and restart the docker container.

Another useful volume that can be mounted is the logs directory of the tomcat at $CATALINA_HOME/logs to be able to keep those logs available.

Starting the EDCI wallet with both volumes enabled could look like:

      docker run -p 8080:8080 -v /opt/wallet:/usr/local/tomcat/conf/edci/wallet -v /opt/logs:/usr/local/tomcat/logs kiceurope/wallet
      
Environment Variables

There are some optional environment variables that may be used for enabling JPDA debugging, and waiting for a host:

 

  • JPDA_ENABLED: enable JPDA for debug/development purposes
  • JPDA_TRANSPORT: define the JPDA transport; the recommended value is dt_socket
  • JPDA_ADDRESS: define the JPDA port; if enabled, it must also be exposed to the host when running the container
  • WAIT_FOR_HOST: define a host to wait for before starting this container; used mostly for dockerized dependencies
  • WAIT_FOR_PORT: the port on that host for which the container must wait; required if WAIT_FOR_HOST is used
  • WAIT_FOR_TIMEOUT: maximum waiting time in seconds before timing out

External Dependencies

The EDCI wallet requires an instance of the EDCI Wallet configured in order to retrieve credentials stored in it and to validate those credentials. Moreover, the EDCI wallet requires an OIDC Identity provider configured, with keycloak being the recommended choice. Also, the connection between these two systems requires that both the EDCI Wallet and the EDCI wallet are configured with the same Identity provider.

The OIDC provider must work using a proper hostname. If you are running the Identity provider inside a docker image, you can use docker's host.docker.internal URL to point to the Identity provider inside the issuer's configuration files.

Also, the EDCI Wallet requires that a weasyprint server is configured in the wallet.properties file, in order to have the export functionality available.

EDCI Viewer
Starting EDCI Viewer

For this image, the EDCI Viewer is deployed in a tomcat server using port 8080, exposing that port will have a Starting an instance of the EDCI Viewer with a minimum setup will be done as follows:

 

      docker run -p 8080:8080 kiceurope/viewer
      

 

This will start the container with the default localhost configuration. To change the configuration, a volume for the configuration files must be created.

Volumes and Configuration

The EDCI Viewer stores its configuration in a series of property files. If any change needs to be applied, the properties must be changed and the web app must be restarted. The configuration is stored by default at $CATALINA_HOME/conf/edci/viewer, meaning that there are only two ways of changing it permanently:

  • Building a custom image FROM kiceurope/viewer
  • Mounting a volume for the configuration folder

The configuration is copied into the directory after container startup, meaning that even if the volume is already mounted, the default configuration will be copied to the directory unless the configuration files already exist. Because of this, the best way to change the configuration and test the changes is to mount the configuration volume, set up the required changes and restart the docker container.

Another useful volume that can be mounted is the logs directory of the tomcat at $CATALINA_HOME/logs to be able to keep those logs available.

Starting the EDCI Viewer with both volumes enabled could look like:

 

      docker run -p 8080:8080 -v /opt/viewer:/usr/local/tomcat/conf/edci/viewer -v /opt/logs:/usr/local/tomcat/logs kiceurope/viewer
      
Environment Variables

There are some optional environment variables that may be used for enabling JPDA debugging, and waiting for a host:

 

  • JPDA_ENABLED: enable JPDA for debug/development purposes
  • JPDA_TRANSPORT: define the JPDA transport; the recommended value is dt_socket
  • JPDA_ADDRESS: define the JPDA port; if enabled, it must also be exposed to the host when running the container
  • WAIT_FOR_HOST: define a host to wait for before starting this container; used mostly for dockerized dependencies
  • WAIT_FOR_PORT: the port on that host for which the container must wait; required if WAIT_FOR_HOST is used
  • WAIT_FOR_TIMEOUT: maximum waiting time in seconds before timing out

External Dependencies

The EDCI Viewer requires an instance of the EDCI Wallet configured in order to retrieve credentials stored in it and to validate those credentials. Moreover, the EDCI Viewer requires an OIDC Identity provider configured, with keycloak being the recommended choice. Also, the connection between these two systems requires that both the EDCI Wallet and the EDCI Viewer are configured with the same Identity provider.

The OIDC provider must work using a proper hostname. If you are running the Identity provider inside a docker image, you can use docker's host.docker.internal URL to point to the Identity provider inside the issuer's configuration files.

 

Contact Us

For more information, please email us at this address: EMPL-ELM-SUPPORT@ec.europa.eu