Overview

The Ignition Platform offers a container image for use on popular container runtimes such as Docker.  You can find the image on Docker Hub at https://hub.docker.com/r/inductiveautomation/ignition.  Our official image is a Linux container, based on Ubuntu Linux.

The following feature is new in Ignition version 8.1.16
Click here to check out the other new features

Ignition's Docker Image build is now multi-architecture and supports linux/amd64, linux/arm64, and linux/arm/v7. Users can docker pull inductiveautomation/ignition and get an image that automatically matches their system architecture.



Getting Started

In order to get started with Ignition running as a container, you'll need a container runtime.  Docker Desktop, available for Windows and macOS, includes both the Docker Engine container runtime as well as container tooling and supporting tools such as Docker Compose.  If you are running Linux, you'll need to download and install the container runtime and tools such as Docker Compose individually.  Guidance for the installation and configuration of Docker (on all platforms) are available here: Get Docker

Configuration

Various aspects of the Ignition Gateway can be configured through the use of either command-line arguments to the container, or environment variables.  This section will detail the available configuration options and how best to use them.

Environment Variables

The available environment variables can either accept explicit values or load the target values from a file.  Specifying any of the environment variables below with a _FILE suffix will direct the system to take that environment variable value as a path to a file containing the value of interest.  This is useful for secrets management systems where you want to keep the values out of the process environment (which might be able to be inspected by individuals with access to docker inspect <container>, for example).

Note: 

Some of the variables descriptions below make use of a # character. In these cases you can specify the same variables multiple times. Replace the # character with a number. 

GATEWAY_NETWORK_0_HOST=1.2.3.4
GATEWAY_NETWORK_0_PORT=8088

GATEWAY_NETWORK_1_HOST=5.6.7.8
GATEWAY_NETWORK_1_PORT=8089

VariableRequiresDescription
ACCEPT_IGNITION_EULA8.1.7+

Set to Y to accept the Ignition EULA automatically (see Licensing section below).

GATEWAY_RESTORE_DISABLED8.1.7+Set to true to have the restored gwbk disabled on startup.
GATEWAY_ADMIN_USERNAME 8.1.8+Defaults to admin when not specified, used to set value for initial gateway auto-commissioning.
GATEWAY_ADMIN_PASSWORD 8.1.8+Password value or salted hash to be used for initial gateway auto-commissioning.
GATEWAY_HTTP_PORT 8.1.8+Defaults to 8088 when not specified, used to override the HTTP port used by the gateway container.
GATEWAY_HTTPS_PORT 8.1.8+Defaults to 8043 when not specified, used to override the HTTPS port used by the gateway container.
GATEWAY_GAN_PORT 8.1.8+Defaults to 8060 when not specified, used to override the Gateway Network port used by the gateway container.
IGNITION_EDITION 8.1.8+Set to standardedge , or maker , used to set value for initial gateway auto-commissioning.
IGNITION_LICENSE_KEY 8.1.8+

8-character license key (XXXX-XXXX) for leased activation (e.g. Maker Edition), used to set value for initial gateway auto-commissioning

This feature was changed in Ignition version 8.1.20:
Changes to this variable will now update the leased activation license configuration after initial commissioning. Previously, they would only be absorbed if an existing leased activation configuration was not present.

IGNITION_ACTIVATION_TOKEN 8.1.8+

Activation token for the license key

This feature was changed in Ignition version 8.1.20:
Changes to this variable will now update the leased activation license configuration after initial commissioning. Previously, they would only be absorbed if an existing leased activation configuration was not present.

TZAnySet to a valid TZ database name, like America/Los_Angeles. See List of tzdata Entries for complete selection.
GATEWAY_NETWORK_#_HOST8.1.10+Hostname (or IP) for Outgoing GAN Connection Definition for #. 
GATEWAY_NETWORK_#_PORT8.1.10+Port Number to use for connection n (defaults to 8060 when not specified)
GATEWAY_NETWORK_#_PINGRATE8.1.10+Ping Rate (ms) for connection # (defaults to 1000 when not specified)
GATEWAY_NETWORK_#_PINGMAXMISSED8.1.10+Number of missed pings allowed for connection # (defaults to 30 when not specified)
GATEWAY_NETWORK_#_ENABLED8.1.10+Set true or false to mark connection # enabled or disabled
GATEWAY_NETWORK_#_WEBSOCKETTIMEOUT8.1.10+Timeout (ms) for web socket # (defaults to 10000 when not specified)
EAM_SETUP_INSTALLSELECTION8.1.10+Set Agent or Controller to define the EAM target config (defaults to Agent when not specified)
EAM_AGENT_CONTROLLERSERVERNAME8.1.10+Gateway Name (not hostname) of EAM Controller to bind to
EAM_AGENT_SENDSTATSINTERVAL8.1.10+Interval (seconds) to send statistics to the EAM Controller (defaults to 5 when not specified)
EAM_CONTROLLER_ARCHIVEPATH8.1.10+Filesystem path to store EAM Archives (gateway backups, etc) (defaults to data/eam_archive when not specified)
EAM_CONTROLLER_DATASOURCE8.1.10+The database connection name to use for recording agent history.
EAM_CONTROLLER_ARCHIVELOCATION8.1.10+When set to MANUAL, the path set in EAM_CONTROLLER_ARCHIVEPATH will be used. Defaults to AUTOMATIC, if omitted.
EAM_CONTROLLER_LOWDISKTHRESHOLDMB8.1.10+

Value is in megabytes. Errors will be reported in this Gateway when the disk used for archiving drops below this value. 

GATEWAY_MODULES_ENABLED8.1.17+

A comma-delimited set of identifiers that will whitelist the set of built-in modules that will remain installed prior to gateway startup. This feature will help with container re-creation events where you want to ensure only a subset of modules remain enabled.


Module IdentifierModule Filename
alarm-notificationAlarm Notification-module.modl
allen-bradley-driversAllen-Bradley Drivers-module.modl
bacnet-driverBACnet Driver-module.modl
dnp3-driverDNP3-Driver.modl
enterprise-administrationEnterprise Administration-module.modl
logix-driverLogix Driver-module.modl
modbus-driver-v2Modbus Driver v2-module.modl
omron-driverOmron-Driver.modl
opc-uaOPC-UA-module.modl
perspectivePerspective-module.modl
reportingReporting-module.modl
serial-support-clientSerial Support Client-module.modl
serial-support-gatewaySerial Support Gateway-module.modl
sfcSFC-module.modl
siemens-driversSiemens Drivers-module.modl
sms-notificationSMS Notification-module.modl
sql-bridgeSQL Bridge-module.modl
symbol-factorySymbol Factory-module.modl
tag-historianTag Historian-module.modl
udp-tcp-driversUDP and TCP Drivers-module.modl
visionVision-module.modl
voice-notificationVoice Notification-module.modl
web-browserWeb Browser Module.modl
web-developerWeb Developer Module.modl
IGNITION_UID8.1.17+Numeric user ID for the target user. Passing this variable and IGNITION_GID allows Ignition to run within a container as an ignition user rather than as the root user. When set, the entrypoint will automatically update file ownerships for the Ignition installation on startup to match the target user prior to stepping down from the root user to launch the gateway.
IGNITION_GID8.1.17+

Numeric group ID for the target user. Passing this variable and IGNITION_UID allows Ignition to run within a container as an ignition user rather than as the root user. When set, the entrypoint will automatically update file ownerships for the Ignition installation on startup to match the target user prior to stepping down from the root user to launch the gateway.

On this page ...


Runtime Arguments

The following are accepted by the container as runtime arguments.  Options should be followed by a value, flags are stand-alone.  Note that these arguments are passed after the image name in a Docker Run statement.

Options

OptionRequiresArgumentsDescription
-n 8.1.0+StringGateway name to be applied to the Ignition Gateway on startup
-a 8.1.0+StringPublic web address*
-h 8.1.0+IntegerPublic HTTP port*
-s 8.1.0+IntegerPublic HTTPS port*
-m 8.1.0+IntegerMax memory for JVM
-r 8.1.7+StringPath to Gateway Backup for Automated Restore

* - Specify Public address/HTTP/HTTPS ports together, all three must be specified

Flags

FlagRequiresDescription
-d 8.1.0+Debug mode, applicable to development - attaches port 8000 for remote JVM debugging.  Port 8000 will also likely need to be published on the container.

Supplemental JVM and Wrapper Arguments

The following feature is new in Ignition version 8.1.8
Click here to check out the other new features
You can also specify JVM and Java Service Wrapper arguments to your Docker containers runtime arguments by adding a double-hyphen to delimit these arguments from the other runtime arguments listed above.  Wrapper arguments (starting with wrapper.* ) will be merged and JVM arguments added to those specified in the ignition.conf file.  

Gateway Arguments

The following feature is new in Ignition version 8.1.10
Click here to check out the other new features
The image also supports the use of gateway arguments, allowing you to modify the gateway.xml file when launching a container. Like JVM and wrapper arguments, gateway arguments must be specified after a double-hyphen. Only entries in the file that follow the pattern of "gateway.#" can be modified in this way. 
This feature was changed in Ignition version 8.1.16:

Docker image entrypoint will no longer forcibly recreate the gateway.xml file on each launch, allowing for settings adjustments from the gateway web UI to properly persist without static definition in the container configuration.



Examples

This section will contain some example run configurations for the Ignition Docker image.  Review these examples to learn a bit more about how to run and configure the Ignition Docker image, as well as some typical best practices.

Deploying an Ephemeral Gateway for Testing

The run statement below will launch a container in detached mode -d, publishing port 9088 from the host to port 8088 in the container.  The container will be named ignition-test and use the 8.1.7 image.  Finally, the runtime arguments provided will set the Gateway name to docker-test with public address of localhost on HTTP port 9088 and HTTPS port 9043.

docker run -d -p 9088:8088 --name ignition-test inductiveautomation/ignition:8.1.7 \
    -n docker-test -a localhost -h 9088 -s 9043

Multiline commands

Note that for Linux/macOS/WSL, you can use the backslash for multi-line commands for better readability.  You can substitute the backtick ` for Powershell and caret ^  for Windows Command prompt, these characters technically "escape" the newline character, so make sure they are the last character on a given line.

Preserving Gateway State

When using containers, it is common for stateful applications (such as the Ignition Gateway) to leverage volumes to persist that state across image updates, container remove/create cycles, etc. This can be done by applying a named volume to the /usr/local/bin/ignition/data path within the container.  This is especially important if you need to make a change to your container configuration.  Since container configurations are immutable, the only way to change it is to stop/remove the old container and start a new one (with a new configuration).

Similar to the above, but this time with a named volume gw-data attached to /usr/local/bin/ignition/data within the container. If the volume doesn't already exist, it will be created automatically. Note the additional --pull option to make sure that the latest tag is always pulled before running--without this, the latest tag is only pulled if one isn't already present on your system.

docker run -d -p 9088:8088 --name ignition-test \
    -v gw-data:/usr/local/bin/ignition/data \
    --pull always inductiveautomation/ignition:latest \
    -n docker-test -a localhost -h 9088 -s 9043

By using named volumes, you're now able to stop and remove the ignition-test container and create a new one with a different configuration.  As long as you attach your volume, your gateway will start up with all of your tags and projects in their previous state.

Preserving KeyStores

The following feature is new in Ignition version 8.1.12
Click here to check out the other new features
Starting in 8.1.12, the following KeyStores are also preserved across image updates.

Gateway Network Certificate

This PKCS #12 KeyStore contains the certificate and private key used for gateway network communications, and is created automatically on Gateway startup if not present. Typically this is maintained independently on a per-installation basis to avoid issues from operations such as gateway backup restorations. The situation within a container is somewhat different, and it is usually preferable to track this KeyStore with the rest of the gateway state preserved by a volume. Docker image now redirects, via sym-link, Gateway Network KeyStore creation from webserver/metro-keystore to data/local. This will allow the underlying image for the container to be upgraded without generating a new Gateway Network certificate (thus breaking existing approved certificates and connections).

SSL Configuration

When SSL is enabled on a Gateway, ssl.pfx is created as a PKCS #12 KeyStore with the private key, server certificate, and root/intermediate CA certificates. This file is automatically read by the Gateway on startup to enable SSL. Similar to the Gateway Network Certificate, this resides outside of the data/ volume since it is intended to persist across a gateway restore operation. Docker image now redirects, via sym-links, SSL KeyStore creation from webserver/ssl.pfx and webserver/csr.pfx to data/local. This allows a Docker container's SSL configuration to persist via the data volume without relying on extra bind-mounts. Disabling SSL now recognizes the presence of sym-links when removing the KeyStore and removes the final target of the link, leaving the sym-link in place. 


Automating the Restore of a Gateway Backup

The following feature is new in Ignition version 8.1.8
Click here to check out the other new features
You can automate the restore of a gateway backup on first-launch of your gateway container. This allows for having a new Ignition Gateway restore to a known initial state automatically, without waiting for the commissioning steps.

To leverage this feature, bind-mount a gateway backup into the container and then use the -r runtime argument to specify the location and command the restore. Additionally, supply the ACCEPT_IGNITION_EULA=Y environment variable to accept the Ignition EULA (see the Licensing section below) and bypass that gateway commissioning step.

docker run -d -p 9088:8088 --name ignition-test \
    -v gw-data:/usr/local/bin/ignition/data \
    -v /path/to/gateway.gwbk:/restore.gwbk \
    -e ACCEPT_IGNITION_EULA=Y \
    inductiveautomation/ignition:8.1.7 \
    -n docker-test -a localhost -h 9088 -s 9043 \
    -r /restore.gwbk

What if I restart the container?

The gateway restore will only apply on a fresh gateway launch. Subsequent restarts of the container will not restore the indicated gateway backup.


Automate the Commissioning of a Fresh Gateway

The following feature is new in Ignition version 8.1.8
Click here to check out the other new features
You can automate the commissioning steps that normally require manual user interaction on the very first launch of the Ignition Gateway.  By supplying specific  environment variables , you can seed the commissioning steps with the required information to start the rest of the Gateway automatically.

docker run -d -p 9088:8088 --name ignition-test \
    -e ACCEPT_IGNITION_EULA=Y \
    -e GATEWAY_ADMIN_PASSWORD=password \
    -e IGNITION_EDITION=standard\
    inductiveautomation/ignition:8.1.8 \
    -n docker-test

Reading Environment Variables from a file

You can also specify environment variables in the form of <env var>_FILE=/path/to/file in order to have the environment variable value resolved by reading it from a file.  This is helpful for secrets management systems within container orchestrators such as Docker Swarm and Kubernetes.

Customizing JVM/Wrapper/Gateway Arguments on Container Launch

This example shows how to leverage the supplemental JVM/wrapper args feature. 

docker run -d -p 9088:8088 --name args-test \
    -e ACCEPT_IGNITION_EULA=Y \
	-e GATEWAY_ADMIN_PASSWORD=changeme \
    -e IGNITION_EDITION=standard\
    inductiveautomation/ignition:8.1.8 \
    -n args-test \
    -- wrapper.java.initmemory=256 -Dignition.allowunsignedmodules=true \
    -XX:MaxGCPauseMillis=200

The following feature is new in Ignition version 8.1.10
Click here to check out the other new features
The following demonstrates how to  enable the gateway's Resolve Host Names and Use Proxy Forwarded Headers settings by modifying the entries in the gateway.xml:

docker run -d -p 9088:8088 --name ignition-test inductiveautomation/ignition:8.1.10 -n docker-test -a localhost -h 9088 -s 9043 \
   -- gateway.resolveHostNames=true gateway.useProxyForwardedHeader=true


Using Docker Compose

A common practice is to leverage Docker Compose to start your container and bundle the configuration with other services, such as databases and MQTT brokers.  Below is an example docker-compose.yml file that you can create inside of a new, empty folder.  The example below incorporates many of the configurability features mentioned in the various sections above.

Compose Example
# Docker Compose Example for inductiveautomation/ignition
# Compose Spec: https://github.com/compose-spec/compose-spec/blob/master/spec.md
---
services:
  # Ignition Gateway
  gateway:
    image: inductiveautomation/ignition:8.1.8
    ports:
      - 9088:8088
      - 9043:8043
    volumes:
      - gw-data:/usr/local/bin/ignition/data
    # env_file: ignition.env  # optionally specify variables in a file, or using `environment:` below
    environment:
      - ACCEPT_IGNITION_EULA=Y
      - GATEWAY_ADMIN_USERNAME=admin
      - GATEWAY_ADMIN_PASSWORD_FILE=/run/secrets/gateway-admin-password
      - IGNITION_EDITION=standard
      - TZ=America/Chicago  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
    secrets:
      - gateway-admin-password
    command: >
      -n docker-test
      -m 1024
      --
      wrapper.java.initmemory=512
      -Dignition.allowunsignedmodules=true

secrets:
  gateway-admin-password:
    file: secrets/GATEWAY_ADMIN_PASSWORD

volumes:
  gw-data:

Once defined, you can bring up the solution using `docker compose` commands.  See the animated example below:

Docker Compose Demo GIF


Licensing

The Inductive Automation software contained in this Docker container image is licensed under the terms of the Inductive Automation Software License Agreement.

By passing the value ACCEPT_IGNITION_EULA=Y, you agree that your use of Inductive Automation software running in this Docker container image is governed by the terms of the Inductive Automation Software License Agreement.

All third party software (whether open or closed) running in this Docker container image is licensed as indicated in this Docker Hub “License” section or in the container itself, usually as a NOTICE or LICENSE file. You agree to comply with any relevant licenses for third party software contained in this Docker container image.


  • No labels