Using a different Operating System image with ForgeRock base images

Author: Steve Robrahn

Created at: Jun 2023

Updated at: Jun 2023

Problem

Customers may find that the Operating System (OS) images referenced by the sample Dockerfiles in the ForgeOps base images article contain vulnerabilities, because the landscape of software vulnerabilities is ever changing. Occasionally organizations simply prefer to use an internally hardened OS for building container images.

Solution

ForgeRock currently does not provide full vulnerability resolution for the OS images referenced by the ForgeRock product sample Dockerfiles. Customers who need to resolve vulnerabilities themselves may need to update their Dockerfile's FROM reference to point to a different OS container image in which they can do so. If customers need to do this, there are a few things they will need to understand to be successful.

First, the updated OS image must be chosen from the supported OS list for the product whose container image is being built. This will ensure the OS and version has been tested by ForgeRock for use with the product in question.

Second, the container image chosen should have a supported version of Java installed and configured as described by the product’s Java installation instructions. Several OS base images have versions with Java preinstalled but installing/configuring Java using the Dockerfile may also work.

Third, the ForgeRock product containers depend on a local user named forgerock created in a specific way. To add the forgerock user to a ForgeRock provided Dockerfile where you have updated the FROM reference, add the following immediately after the FROM reference and before other steps:

USER root
# Debian/Ubuntu adduser syntax: fixed uid 11111, primary group root (gid 0), no password
RUN adduser --home /home/forgerock --uid 11111 --gid 0 --disabled-password --gecos "forgerock user" forgerock

The Dockerfile will expect the forgerock user to have a uid of 11111 and will switch to this user referencing the uid by number later in its processing.

Fourth, the ForgeRock Access Manager sample Dockerfile references an official Apache Tomcat image from DockerHub with Java 11 built in. As such, ForgeRock depends in part on the Tomcat installation steps in this image. Customers wishing to use a different FROM reference for the AM base image will also need to include the Tomcat installation instructions found in the Dockerfile used by Apache to build their public image in addition to the steps described here.
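As an added example (not code from the ForgeRock article or its Dockerfiles), the following POSIX shell check confirms that a rebuilt image created the forgerock user the way the product Dockerfiles expect before they switch to it by uid. It assumes the Debian-style adduser step above, demonstrates against a constructed /etc/passwd sample, and can be run as a RUN step against the real /etc/passwd.

```shell
#!/bin/sh
# Added example, not part of the ForgeRock article: verify that a candidate base
# image created the forgerock user as the product Dockerfiles expect.
# Usage in a Dockerfile, right after the adduser step:
#   RUN sh /tmp/check_forgerock_user.sh /etc/passwd

EXPECTED_UID=11111        # uid the sample Dockerfiles switch to by number
EXPECTED_GID=0            # primary group from 'adduser --gid 0'
EXPECTED_HOME=/home/forgerock

# check_forgerock_user PASSWD_FILE
# Returns 0 if exactly one forgerock entry exists with the expected uid, gid and
# home and no other account shares the uid; otherwise prints the reason to
# stderr and returns 1.
check_forgerock_user() {
    passwd_file=$1
    count=$(awk -F: '$1 == "forgerock" {n++} END {print n+0}' "$passwd_file")
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one forgerock entry, found $count" >&2
        return 1
    fi
    entry=$(awk -F: '$1 == "forgerock"' "$passwd_file")
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    [ "$uid" = "$EXPECTED_UID" ] || { echo "forgerock uid is $uid, expected $EXPECTED_UID" >&2; return 1; }
    [ "$gid" = "$EXPECTED_GID" ] || { echo "forgerock gid is $gid, expected $EXPECTED_GID" >&2; return 1; }
    [ "$home" = "$EXPECTED_HOME" ] || { echo "forgerock home is $home, expected $EXPECTED_HOME" >&2; return 1; }
    # A second account with uid 11111 would make 'USER 11111' ambiguous.
    dup=$(awk -F: -v u="$EXPECTED_UID" '$3 == u && $1 != "forgerock"' "$passwd_file")
    [ -z "$dup" ] || { echo "uid $EXPECTED_UID is also used by: $dup" >&2; return 1; }
    return 0
}

# Constructed sample passwd content (not taken from any real image) for an
# offline demonstration of the check.
SAMPLE_PASSWD=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\nforgerock:x:11111:0:forgerock user,,,:/home/forgerock:/bin/bash\n' > "$SAMPLE_PASSWD"
check_forgerock_user "$SAMPLE_PASSWD" && echo "forgerock user OK"
rm -f "$SAMPLE_PASSWD"
```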

Conclusion

These steps may help customers achieve the vulnerability remediation they require by modifying the ForgeRock product sample Dockerfiles. Please work with your ForgeRock Sales or Customer Success Outcome Manager to engage DSS should additional assistance be required.