oneidentity/oneim-job
This image runs an instance of a One Identity Manager Service. It downloads the necessary files for a specific job server at startup. The behavior can be controlled by secret values and environment variables.
All images tagged with windows-amd64
are compatible with Windows Server hosts. Please check the supported Windows Server version for each tag using the list below.
All images tagged with linux-amd64
are compatible with Linux OS hosts.
latest
, 9.3
, 9.2
, 9.1
, 9.0
, 8.2
, windows-amd64-9.2-windowsservercore-ltsc2022
, windows-amd64-9.1-windowsservercore-ltsc2022
, windows-amd64-9.0-windowsservercore-ltsc2022
, windows-amd64-8.2-windowsservercore-ltsc2022
, windows-amd64-latest-windowsservercore-ltsc2022
latest
, 9.3
, 9.2
, 9.1
, 9.0
, 8.2
, windows-amd64-9.2-windowsservercore-ltsc2019
, windows-amd64-9.1-windowsservercore-ltsc2019
, windows-amd64-9.0-windowsservercore-ltsc2019
, windows-amd64-8.2-windowsservercore-ltsc2019
, windows-amd64-latest-windowsservercore-ltsc2019
9.2
, 9.1
, 9.0
, 8.2
, windows-amd64-9.2-windowsservercore-ltsc2016
, windows-amd64-9.1-windowsservercore-ltsc2016
, windows-amd64-9.0-windowsservercore-ltsc2016
, windows-amd64-8.2-windowsservercore-ltsc2016
latest
, 9.3
, 9.2
, 9.1
, 9.0
, 8.2
, linux-amd64-9.2
, linux-amd64-9.1
, linux-amd64-9.0
, linux-amd64-8.2
, linux-amd64-latest
Disclaimer reagrding Linux images
Please note that not all functions on Identity Manager are supported in Linux containers. Identity Manager < 9.3 runs on Mono and not all underlying components are available with Mono. For example report generation and on-prem target synchronization may fail running in Linux containers.
Identity Manager 9.3 runs on .NET 8 and not all underlying components are compatible with .NET 8 on Linux. For example on-prem target synchronization may fail running in Linux containers.
DBSYSTEM
Database or application server system to connect during installation and runtime. Valid values are
MSSQL
: Microsoft SQL ServerAPPSERVER
: Connect using an application serverIf no DBSYSTEM
value is provided, MSSQL
is being used as default.
This value can also be provided as a file in the secrets folder.
CONNSTRING
Connection string to be used to connect to the system. This is a mandatory parameter. The content depends on the used database system.
Samples of connection strings for the different systems are:
MSSQL
:
Data Source=[Server];Initial Catalog=[DB];User ID=[User];Password=[Password]
APPSERVER
:
Url=https://servername/
This value can also be provided as a file in the secrets folder.
RUNDBAGENT
:
Run database agent in this job server. Only valid with DBSYSTEM
= MSSQL
. The value can either be empty, true
, or false
.
AUTHSTRING
The user needs to be authenticated when running against an application server. This value is mandatory when DBSYSTEM
is set to APPSERVER
. Any valid One Identity Manager authentication string can be used.
Sample:
Module=DialogUser;User=[User name];Password=[Password]
This value can also be provided as a file in the secrets folder.
SERVERNAME
A mandatory parameter that is used to find the matching QBMServer
entry in the connected system. This defines the behavior of the started service regarding used deployment targets and the queue it is working on.
This value can also be provided as a file in the secrets folder.
QUEUE
Set a queue name, if it is different from the server name. The default is
\\${SERVERNAME}
.
CONFIGFROMDB
By default, the container generates a configuration for the Job server that is based on the values provided and matches the configured system.
If you want to override this behavior, set the CONFIGFROMDB
environment variable. This means the configuration data for the Job server is loaded from the database.
Attention: In this case, you have full responsibility for configuring the connection strings, private key paths, logging and so on. Ensure that the Job server configuration exists in the database. For example, use the Job Server Editor in the Designer to set up the configuration and save it in the database.
You can use the following placeholders in the configuration: #CONNSTRING#
, #AUTHSTRING#
, #DEBUGMODE#
, #HTTP_USER#
, #HTTP_PWD#
, #REQUESTINTERVAL#
, #SECRETS#
. They are then replaced during startup.
HTTP_USER
The status web frontend is protected by a user/password combination. This config option sets the username.
If no username is provided the container generates a random username and provides it in the log at startup.
This value can also be provided as a file in the secrets folder.
HTTP_PWD
The status web frontend is protected by a user/password combination. This config option sets the password.
If no password is provided the container generates a random password and provides it in the log at startup.
This value can also be provided as a file in the secrets folder.
DEBUGMODE
Set this variable to True
to enable debug mode in the service.
REQUESTINTERVAL
Set the job request interval in seconds. The default value of this parameter is 90 seconds.
EXTERNALSLOTS
Number of slots running jobs out-of-process. Default: 10
EXTERNALSLOTS32
Number of slots running jobs out-of-process in a 32 bit process. Default: 4
INTERNALSLOTS
Number of slots running jobs in-process. Default: 20
REQUESTQUEUELIMIT
Maximum number of process requests waiting to be handled by the database. Default: 1000
RESULTQUEUELIMIT
Maximum number of process results waiting to be handled by the database. Default: 10000
FLUSHTIMEOUTSECONDS
Number of seconds the service is allowed to write back pending results before shutting down. Default: 10
SUPPORTREADSCALEOUT
Set to true
if the service should use read scale-out handling of Azure Managed Instances.
APPINSIGHTS_KEY
Key to use for logging to AppInsights. If it is not set no logging to AppInsights will be done.
APPINSIGHTS_LOGLEVEL
Log level to use for logging to AppInsights. Default: Info
LOG_TENANT
Tenant ID to be assiociated with every log message sent to AppInsights.
CONSOLE_LOGLEVEL
Log level to use for logging to console. Default: Info
FILE_LOGLEVEL
Log level to use for raw logs into log file. Default: Off
SESSIONAUTH
Use the Identity Manager authentication modules to authenticate the user against the JobService web frontend. Set it to true
to switch
on session based authentication.
BASEURL
Set the base URL to find the right web application configuration. This is needed if the user should be authentified by OAuth2 or OpenID Connect.
Only valid for session based authentication with SESSIONAUTH
.
ALLOW_SECRETS_FOR_REPLACEMENT
Comma separated list of secret names that are allowed for replacement in job parameters.
REMOTECONNECT_SECRET
If this value is set the remote connect plugin for the synchronization engine will be installed and initialized with this secret as authentication method.
The volume mount points differ between the Windows and Linux based images. Please specify the volume points according to the type of image used.
secrets
C:/ProgramData/Docker/secrets
/run/secrets
The directory secrets
should contain the private.key
file to decrypt any values, that are stored encrypted in the system.
It can contain the following settings as files that have their value as content: DBSYSTEM
, CONNSTRING
, AUTHSTRING
, SERVERNAME
, HTTP_USER
, HTTP_PWD
.
This mount point should be mounted read-only.
ca-certificates
C:/ca-certificates
/run/ca-certificates
Place custom certificates that should be trusted here. Any certificate with a .crt file extension will be imported to the container (or mono) local machine trusted root certificate store during startup of the container.
Alternatively, an archive called "ca-certificates.zip" can also be placed in this directory. This archive will be extracted during startup and all containing .crt files are imported to the store.
This may be required when the application is performing HTTPS calls to a server that is using a certificate signed by a private PKI. Like AppServer with enforced HTTPS.
The lookup path may be controlled by changing the CA_CERTIFICATE environment variable.
This mount point should be mounted read-only.
Remarks: For Linux the certificates are required to be in base64 PEM format, binary DER format is not supported.
logs
C:/Logs
/var/log/jobservice
This directory should be mounted to a volume if the service logs should be persisted between runs. These are the log files that the service shows in its web interface.
Additionally the service logs to standard output, these logs can be fetched using docker logs
or aggregated by a container runtime.
results
root/.oneim/AppData/JobService
This directory should be mounted to a volume, to allow the service to persist pending results between runs. Pending results are the results that have not been signaled to the job queue when the container will be stopped.
Remarks: Due to some issues in the official Windows Server versions (2016 LTSC and 1709), a graceful shutdown of the Job Service container is not supported, therefore pending results will not be persisted. Graceful shutdown of Windows containers running the Job Service is available starting with Windows Server, version 1803.
The port 1880 is been used by the service to show it's status frontend. It is protected by the account and password provided in the environment variables HTTP_USER
and HTTP_PWD
.
The port 2880 is been used by the remote connect plugin for the synchronization engine. The plugin is used if the environment variable REMOTECONNECT_SECRET
is set.
Run the Jobserver for the QBMServer
entry with identifier DockerServer1
against a Microsoft SQL Server database:
docker run -it --rm `
-p 1880:1880 `
-p 2880:2880 `
-e "CONNSTRING=Data Source=[Server];Initial Catalog=[DB];User ID=[User];Password=[Password]" `
-e "SERVERNAME=DockerServer1" `
-e "HTTP_USER=admin" `
-e "HTTP_PWD=fg(&R8f&Rf" `
-v C:/Path/To/secrets:C:/ProgramData/Docker/secrets:ro `
-v C:/Path/To/logs:C:/logs `
oneidentity/oneim-job:latest
Run the container in the background and get parameters from entries in the secrets folder:
docker run -d `
-p 1880:1880 `
-p 2880:2880 `
-v C:/Path/To/secrets:C:/ProgramData/Docker/secrets:ro `
-v C:/Path/To/logs:C:/logs `
oneidentity/oneim-job:latest
The secrets folder looks like:
secrets
├── CONNSTRING
├── HTTP_PWD
├── HTTP_USER
├── private.key
└── SERVERNAME
Run the service for the QBMServer
entry with identifier Docker42
against an application server:
docker run -it --rm `
-p 1880:1880 `
-p 2880:2880 `
-e "DBSYSTEM=APPSERVER" `
-e "CONNSTRING=Url=https://appserver/" `
-e "AUTHSTRING=Module=DialogUser;User=[Username];Password=[Password]" `
-e "SERVERNAME=Docker42" `
-e "HTTP_USER=admin" `
-e "HTTP_PWD=fg(&R8f&Rf" `
-v C:/Path/To/secrets:C:/ProgramData/Docker/secrets:ro `
-v C:/Path/To/logs:C:/logs `
oneidentity/oneim-job:latest
Run the service for the QBMServer
entry with identifier DockerServer1
against a Microsoft SQL Server database:
docker run -it --rm \
-p 1880:1880 \
-e "CONNSTRING=Data Source=[Server];Initial Catalog=[DB];User ID=[User];Password=[Password]" \
-e "SERVERNAME=DockerServer1" \
-e "HTTP_USER=admin" \
-e "HTTP_PWD=fg(&R8f&Rf" \
-v $PWD/secrets:/run/secrets:ro \
-v $PWD/logs:/var/log/jobservice \
oneidentity/oneim-job:latest
Run the container in the background and get parameters from entries in the secrets folder:
docker run -d \
-p 1880:1880 \
-v $PWD/secrets:/run/secrets:ro \
-v $PWD/logs:/var/log/jobservice \
oneidentity/oneim-job:latest
The secrets folder looks like:
secrets
├── CONNSTRING
├── HTTP_PWD
├── HTTP_USER
├── private.key
└── SERVERNAME
Run the service for the QBMServer
entry with identifier Docker42
against an application server:
docker run -it --rm \
-p 1880:1880 \
-e "DBSYSTEM=APPSERVER" \
-e "CONNSTRING=Url=https://appserver/" \
-e "AUTHSTRING=Module=DialogUser;User=[Username];Password=[Password]" \
-e "SERVERNAME=Docker42" \
-e "HTTP_USER=admin" \
-e "HTTP_PWD=fg(&R8f&Rf" \
-v $PWD/secrets:/run/secrets:ro \
-v $PWD/logs:/var/log/jobservice \
oneidentity/oneim-job:latest
docker pull oneidentity/oneim-job