NOM Server Docker container

For every NOM release, a Docker image for the NOM server is published to the Docker Hub verified repository.

Getting the NOM server Docker image

The latest NOM server image can be pulled from the verified repository by running the following command.

docker pull neo4j/neo4j-ops-manager-server:latest

NOM server in a Docker container can be run in several contexts such as a Docker compose environment or a in a Kubernetes cluster etc. In this chapter, we only focus on running a standalone NOM server in a Docker container (Henceforth referred as NOM server container).

Configuration

NOM server container run configuration involves setting required environment variables or passing them as commandline arguments.

Refer to Server installation for the list of configuration options to be provided to NOM server.

Security

NOM server security involves configuring keys and certificates for the TLS connections that the server makes with the UI and the agents. For NOM server container, keys, and certificates should be mounted into the container as shown below:

  1. As command line options

    docker run -v <path/to/pfx/file/on/the/host>:<path/to/pfx/file/on/the/container> \
    neo4j/neo4j-ops-manager-server \
    --server.ssl.key-store=<path/to/pfx/file/on/the/container> \
    --grpc.server.security.key-store=<path/to/pfx/file/on/the/container>

  2. As environment variables

    docker run -v <path/to/pfx/file/on/the/host>:<path/to/pfx/file/on/the/container> \
    neo4j/neo4j-ops-manager-server \
    -e "SERVER_SSL_KEY_STORE=<Value>" \
    -e "GRPC_SERVER_SECURITY_KEY_STORE=<path/to/pfx/file/on/the/container>"
NOM server also includes a command to generate self-signed certificates which can be used for testing purpose but not recommended for production. This command could be run within the container and generate the certificates for the server. Refer to Installation > Self-Signed-Certificate

Running a NOM server in a Docker container

To successfully start the NOM server container, mandatory runtime parameters should be set. There are two ways these parameters can be provided to the container:

Make sure to replace the arguments with values adjusted to your environment (<Value>). Refer to Installation > Server Installation
Make sure ports are set as per the below commands.

  1. As command line options

    docker run -e "JAVA_OPTS=<Value>" neo4j/neo4j-ops-manager-server \
    --spring.neo4j.uri=<Value> \
    --spring.neo4j.authentication.username=<Value> \
    --spring.neo4j.authentication.password=<Value> \
    --server.port=8080 \
    --server.ssl.key-store-type=PKCS12 \
    --server.ssl.key-store=<Value> \
    --server.ssl.key-store-password=<Value> \
    --grpc.server.port=9090 \
    --grpc.server.security.key-store-type=PKCS12 \
    --grpc.server.security.key-store=<Value> \
    --grpc.server.security.key-store-password=<Value> \
    --grpc.server.security.clientAuth=OPTIONAL
    --jwt.secret=<Value>

  2. As environment variables

    docker run \
    -e "JAVA_OPTS=<Value>"
    -e "SPRING_NEO4J_URI=<Value>" \
    -e "SPRING_NEO4J_USERNAME=<Value>" \
    -e "SPRING_NEO4J_PASSWORD=<Value>" \
    -e "SERVER_PORT=8080" \
    -e "SERVER_SSL_KEY_STORE_TYPE=PKCS12" \
    -e "SERVER_SSL_KEY_STORE=<Value>" \
    -e "SERVER_SSL_KEY_STORE_PASSWORD=<Value>" \
    -e "GRPC_SERVER_PORT=9090" \
    -e "GRPC_SERVER_SECURITY_KEY_STORE_TYPE=PKCS12" \
    -e "GRPC_SERVER_SECURITY_KEY_STORE=<Value>" \
    -e "GRPC_SERVER_SECURITY_KEY_STORE_PASSWORD=<Value>" \
    -e 'GRPC_SERVER_SECURITY_CLIENT_AUTH="OPTIONAL"'
    -e "JWT_SECRET=<Value>"
    neo4j/neo4j-ops-manager-server

Maintainance

For a standalone NOM server container resource contraints can be set as documented by Docker runtime constraints on resources.