A Dockerfile for building a Jamf Pro container.
Based on the official Tomcat image, version 8.0-jre8.
Based upon Nick McSpadden's original docker-jss repository. Apologies to Nick McSpadden.
Just recently JAMF released semi-official images for JAMF Pro.
- You need to obtain these things on your own, due to EULA agreements. This is why I cannot distribute this as a Docker image:
  - The Jamf Pro Manual Installer. This can be found in your Jamf Nation software assets section, under "Alternate Downloads." Unzip the manual installer and place the "ROOT.war" file in the same directory as the Dockerfile.
  - JCE Unlimited Encryption for JRE8
- To run the Jamf Pro and MySQL containers via docker-compose, you can simply run docker-compose up in this directory. If you have a different system for orchestrating your containers, you can use that with the supplied Dockerfile.
- Open a web browser on the Docker host and navigate to https://localhost:8444/.
- Accept the license agreement, enter in your activation code, set up your accounts and URLs, and you're good to go.
- The MySQL instance is available at localhost:13306
There are several docker-compose files in the repository available other than the default to test out different configuration scenarios:
A basic JSS MySQL setup, adopted from Nick McSpadden's original idea.
Configurability has been removed for the sake of size. This uses static passwords in order to get a basic instance running with the least amount of intervention possible.
This compose file extends the default by adding the ELK stack.
It showcases how to use the log4j socket appender for JSS logs.
You can connect to the Kibana instance at http://localhost:5601.
The default index pattern of logstash-* has been used.
NOTE: Absolutely stupidly verbose level of logging.
This compose file extends the logging setup by adding a second JSS as a slave, and a HAProxy load balancer.
The master/slave cluster configuration is not handled for you.
This compose file is used to add all of the previous features and incorporate even more containers. It is presently a dumping ground for all kinds of integration.
- Add a volume mapping that makes the PKCS#12 file available inside the container at: /server.p12
- Provide the following environment variables:
  - SELF_SIGNED=0, to indicate that you do not want a self-signed certificate.
  - PKCS12_PASS=<password>, must be set to the password you exported the PKCS#12 container with.
  - PKCS12_SRCALIAS=<cn>, keytool requires a source alias, which is basically the CN of the certificate. In my case this might be hostname.local, depending on how the certificate was generated.
- Voila, as part of the container start script, your PKCS#12 certificate and key are imported into the tomcat keystore.
The container will automatically import certificates at certain points.
You can mount your TLS certificates into the container at the following points:
/server.crt - TLS Certificate
/server.key - RSA Private Key
- OR -
/server.p12 - PKCS#12
/ca.crt - ROOT CA Certificate (if required)
SELF_SIGNED=1 or SELF_SIGNED=0 (if using your own certs)
PKCS12_PASS: Password to import PKCS#12
JKS_PASS: Java keystore password, defaults to "changeit"
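
A pre-flight check for the certificate inputs listed above, written as an added example (it is not the container's start script or any code from this repository): it confirms that SELF_SIGNED, PKCS12_PASS and PKCS12_SRCALIAS agree with the files you intend to mount, and flags a JKS_PASS left at its default. The function name check_tls_inputs and the host directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the repository's start script.
# check_tls_inputs DIR: DIR is a hypothetical host directory holding the files
# you plan to mount at /server.p12, /server.crt and /server.key.
# Prints one finding per line; returns 0 if the inputs are usable, 1 if not.
check_tls_inputs() {
    dir=$1
    rc=0

    case "${SELF_SIGNED:-}" in
        1) echo "ok: SELF_SIGNED=1, no certificate files needed"; return 0 ;;
        0) ;;
        *) echo "error: SELF_SIGNED must be 0 or 1"; return 1 ;;
    esac

    if [ -f "$dir/server.p12" ]; then
        # PKCS#12 route: keytool needs the export password and a source alias.
        [ -n "${PKCS12_PASS:-}" ] || { echo "error: PKCS12_PASS is not set"; rc=1; }
        [ -n "${PKCS12_SRCALIAS:-}" ] || { echo "error: PKCS12_SRCALIAS is not set"; rc=1; }
    elif [ -f "$dir/server.crt" ] && [ -f "$dir/server.key" ]; then
        echo "ok: PEM certificate and key found"
    else
        echo "error: need server.p12, or server.crt plus server.key, in $dir"
        rc=1
    fi

    # An unset JKS_PASS falls back to the well-known default "changeit".
    if [ "${JKS_PASS:-changeit}" = "changeit" ]; then
        echo "warn: JKS_PASS is the default keystore password"
    fi
    return "$rc"
}

# Run as: sh preflight.sh ./certs
if [ "$#" -gt 0 ]; then
    check_tls_inputs "$1"
fi
```

Export the same variables you pass to the container before running it, so the check sees the values the start script will see.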