NOM Server and Persistence Docker compose

Docker compose can be used to provision a set of related containers as services to experiment with or to run in test environments.

But Docker doesn’t recommend using compose for production.

Following are a set of steps to create a two container compose setup to experiment with NOM server container and an Enterprise Neo4j persistence container as storage:

  • Define a storage service that uses an Enterprise Neo4j image. Follow the below template and replace appropriate user defined values.

    storage:
    hostname: <user defined>
    image: neo4j:<Neo4j version>-enterprise
    networks:
      - <user defined>
    ports:
      - <map http and bolt ports>
    environment:
      NEO4J_ACCEPT_LICENSE_AGREEMENT: "yes"
      NEO4J_AUTH: <user defined username>/<user defined password>
      NEO4J_dbms_default__advertised__address: <user defined>
      NEO4J_dbms_connector_http_listen__address: <user defined>
      NEO4J_dbms_connector_bolt_listen__address: <user defined to be used in the NOM server>
    healthcheck:
      test: [ "CMD-SHELL", "echo RETURN 1 | cypher-shell -a <NEO4J_dbms_connector_bolt_listen__address> -u <user defined username> -p <user defined password> || exit 1" ]

  • Define a server service that uses NOM server image. Follow the below template and replace appropriate user defined values.

      server:
    hostname: server
    image: neo4j/neo4j-ops-manager-server:latest
    networks:
      - <user defined but should be the same as storage service>
    ports:
      - "<user defined>:8080"
      - "<user defined>:9090"
    environment:
      SPRING_NEO4J_URI: <bolt address from the storage service defined before>
      SPRING_NEO4J_AUTHENTICATION_USERNAME: <username from the storage service defined before>
      SPRING_NEO4J_AUTHENTICATION_PASSWORD: <password from the storage service defined before>
      SERVER_SSL_KEY_STORE_TYPE: PKCS12
      SERVER_SSL_KEY_STORE: <path to a self signed cert file with pfx extension mounted into this container>
      SERVER_SSL_KEY_STORE_PASSWORD: <user defined for mounted certs>
      GRPC_SERVER_SECURITY_KEY_STORE_TYPE: PKCS12
      GRPC_SERVER_SECURITY_KEY_STORE: <path to a self signed cert file with pfx extension mounted into this container>
      GRPC_SERVER_SECURITY_KEY_STORE_PASSWORD: <user defined for mounted certs>
      GRPC_SERVER_SECURITY_CLIENT_AUTH: "OPTIONAL"
      CORS_ALLOWEDHEADERS: "*"
      CORS_ALLOWEDORIGINS: "http://localhost:[*],https://localhost:[*]"
      JWT_SECRET: <user defined>
    volumes:
      - <path to certs self signed certs>:<mounted path to certs self signed certs>
    Self signed certificates can be generated within the container using a server sub command as mentioned here Refer to Installation > Self-Signed-Certificate. In this case mounting the certs into the container is not required.

  • Once the services are defined and saved to a compose file, run the following command:

    docker compose -f <compose file> up <folder for context, typically current folder>

Following is an example Docker compose file that can be used to start up a NOM server and Enterprise Neo4j Persistence system. You can use it to quickly setup a NOM test environment and add DBMSs for monitoring and customize it with additional configuration:

Create a directory ~/.nom/ssc before running Docker compose.
Certificates are generated as by-products of running below compose file at ~/.nom/ssc directory which can be used to configure the NOM agent as given here.
For sudo docker compose command, make sure the correct path to .nom/ssc is set in the bind section below.
docker-compose.yaml
networks:
  lan:

services:
  storage:
    hostname: storage
    image: neo4j:enterprise
    networks:
      - lan
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      NEO4J_ACCEPT_LICENSE_AGREEMENT: "yes"
      NEO4J_AUTH: neo4j/passw0rd
      NEO4J_dbms_default__advertised__address: storage
      NEO4J_dbms_connector_http_listen__address: storage:9000
      NEO4J_dbms_connector_bolt_listen__address: storage:9001
    healthcheck:
      test: [ "CMD-SHELL", "echo RETURN 1 | cypher-shell -a bolt://storage:9001 -u neo4j -p passw0rd || exit 1" ]

  server:
    hostname: server
    image: neo4j/neo4j-ops-manager-server:latest
    depends_on:
      storage:
        condition: service_healthy
    networks:
      - lan
    ports:
      - "8080:8080"
      - "9090:9090"
    environment:
      SPRING_NEO4J_URI: bolt://storage:9001
      SPRING_NEO4J_AUTHENTICATION_USERNAME: neo4j
      SPRING_NEO4J_AUTHENTICATION_PASSWORD: passw0rd
      SERVER_SSL_KEY_STORE_TYPE: PKCS12
      SERVER_SSL_KEY_STORE: file:/certificates/localhost.pfx
      SERVER_SSL_KEY_STORE_PASSWORD: changeit
      GRPC_SERVER_SECURITY_KEY_STORE_TYPE: PKCS12
      GRPC_SERVER_SECURITY_KEY_STORE: file:/certificates/localhost.pfx
      GRPC_SERVER_SECURITY_KEY_STORE_PASSWORD: changeit
      GRPC_SERVER_SECURITY_CLIENT_AUTH: "OPTIONAL"
      CORS_ALLOWEDHEADERS: "*"
      CORS_ALLOWEDORIGINS: "http://localhost:[*],https://localhost:[*]"
      JWT_SECRET: please-set-a-random-secret-string-here-for-jwt-signing
    volumes:
      - type: bind
        source: ~/.nom/ssc
        target: /certificates
    entrypoint:
      - "sh"
      - "-c"
      - "java -jar app.jar ssc -n localhost -o /certificates -p changeit -d localhost.localdomain -i 127.0.0.1 && java -jar app.jar"