h-mdm / hmdm-docker Goto Github PK

An official Docker image for Headwind MDM

Dockerfile 25.45% Shell 74.55%

hmdm-docker's Introduction

Docker image for Headwind MDM

Headwind MDM is an open source mobile device management software for Android devices. It has been originally designed for Ubuntu Linux. This image helps to run Headwind MDM on any Linux.

Headwind MDM project URL: https://h-mdm.com

Summary

The image is based on Ubuntu 22.04 and Tomcat 9.

It doesn't include PostgreSQL and certbot, so they need to be started in separate containers or on the host machine.

As an alternative, you can use docker-compose to run Headwind MDM and all required packages (certbot, PostgreSQL) on a fresh virtual machine with the most common options (see below).

Building the image from the source code

Before building the image, review the default variables (in particular the Headwind MDM URL) in the Dockerfile and change them if required.

The build command is:

docker build -t headwindmdm/hmdm:0.1.4 .

Prerequisites

Create the PostgreSQL database for Headwind MDM, and use the environment variables SQL_HOST, SQL_BASE, SQL_USER, SQL_PASS to define the database access credentials.

Default values are: SQL_HOST=localhost, SQL_BASE=hmdm, SQL_USER=hmdm, SQL_PASS=topsecret

If you want to use HTTPS, install certbot and generate the certificate for the domain where Headwind MDM should be installed.

certbot certonly --standalone --force-renewal -d your-mdm-domain.com

Running the Docker container

Works with the external PostgreSQL database only. Default database installation on localhost DOES NOT WORK!

Please set up your domain name when running Headwind MDM!

To create the container, use the command:

docker run -d -p 443:8443 -p 31000:31000 -e SQL_HOST=database.host -e SQL_BASE=hmdm -e SQL_USER=hmdm -e SQL_PASS=password -e BASE_DOMAIN=build.h-mdm.com -v /etc/letsencrypt:/etc/letsencrypt -v $(pwd)/volumes/work:/usr/local/tomcat/work --name="hmdm" headwindmdm/hmdm:0.1.2

If everything is fine, Headwind MDM will become available via the url https://your-mdm-domain.com in a few seconds.

To view logs, use the command:

docker logs hmdm

Stop and start the container:

docker stop hmdm
docker start hmdm

Connect to the container for debugging:

docker exec -it hmdm /bin/bash

Configuration of Headwind MDM

The container is configured by the environment variables.

The full list of variables can be found in the Dockerfile.

First start and subsequent starts

At first start, Headwind MDM performs the initialization:

Creates the config files using the environment
Initializes the database
Converts the LetsEncrypt's (or your own) SSL certificates to a JKS keystore

Subsequent starts of the container skip this step, but you can force the configuration renewal by setting the following environment variable:

FORCE_RECONFIGURE=true

When this variable is set to true, the configuration is always re-created by the Headwind MDM entry point script.

Running with the most common options by Docker Compose

Docker-Compose requires just two files to start Headwind MDM: .env docker-compose.yaml

For a simple start of Headwind MDM on a fresh virtual machine, run the following commands.

apt install -y docker-compose
cd hmdm-docker
cp .env.example .env
vim .env              # Replace ADMIN_EMAIL and BASE_DOMAIN to your values
docker-compose up

The command docker-compose up will start Headwind MDM in the interactive mode where you can easily trace and fix errors.

Once Headwind MDM start is successful, you can start it in the background (detached) mode by using the command:

docker-compose up -d

To view logs, use the command:

docker-compose logs hmdm -f

To stop (but not remove) the service, use the command:

docker-compose stop

Using this Docker container with the Premium version

To run Premium version, you need to change the HMDM_VARIANT, DOWNLOAD_CREDENTIALS and HMDM_URL variables in the .env file. To get the trial URLs, credentials and license keys, please fill the form at

https://h-mdm.com/contact-us/

Attaching to the container

You may need to attach to the container to change the Headwind MDM configuration in order to adjust some advanced settings.

To find the container ID, use the command

docker ps

Find the container ID of the image headwindmdm/hmdm:0.1.4, then run the command

docker exec -it containerid /bin/bash

For example:

docker exec -it e81d47acec21 /bin/bash

Notice: the container needs to be started before attaching to it.

Resetting the container

If something goes wrong, you may wish to reset the container and reinstall it from scratch. The command

docker-compose down

may not be enough, as it doesn't clear the downloaded files and initialized database.

To wipe all data, remove all entries in the volumes subdirectory:

rm -rf volumes/db volumes/work

(we recommend to keep the volumes/letsencrypt subdirectory to avoid problems with exceeding the LetsEncrypt certificate generation threshold).

There is also an interactive script removing the data:

./remove-all.sh

As an alternative, you can set the parameter in the .env file:

FORCE_RECONFIGURE=true

Important: this parameter should be unset after the initial setup, otherwise you may lose the application settings.

hmdm-docker's People

Contributors

Stargazers

Watchers

hmdm-docker's Issues

Please update the official docker repository

Latest Version of HeadWindMDM

fixes like: #10 are not yet rolled out.

Try to reach you

Hello really nice great work is the entrprise license is still available is there any number to contact plz thanks

Provide regular rebuilds of the container

Right now the container is not built very frequently at all, which is bad for an MDM as it is security critical. I think it will be better to do weekly builds of the container and scan it with Trivvy for vulnerabilities. There are a lot that needs to be patched.

An example of a workflow for this can be found on one of the containers I maintain: https://github.com/TommyTran732/Synapse-Docker/tree/main/.github/workflows

Disabling https

Hello,

I'd like to test (and use) hmdm on LAN only, using docker, in order to manager/setup/lock/unlock my wms devices.
Is it possible to start the docker without tls keys ?

I use a local non-routable hostname and my docker-server is not open on the web, so certbot cannot validate the http challenge.

Thanks

ARM architecture support

Are you planning on supporting the ARM architecture?

Waiting for postgresql does not respect the given SQL_PORT

I got my container running in a loop since the wait script in entrypoint.sh tries to connect at :5432 and not to $SQL_PORT

[FEAT] Allow use of reverse proxies with docker-compose

Basically, it is not possible to get the software to work when running the docker container from e. g. Portainer and behind a reverse proxy. At least not without rebuilding the whole image.

Please provide a straightforward way to configure the stack to run behind a reverse proxy like most of modern software does.

Problem with suggested solution

Hello!
I configured #13.
The problem is everything works fine now, but the apks won't download as they seem to be still retriven from 443 instead of the custom port.
Why?

best regards

Use a different base than Ubuntu LTS

Ubuntu no longer supports tomcat9, so the container will permanently be stuck on an old release of Ubuntu LTS. Some other distros I have looked at:

Fedora: the tomcat package is version 9. No nice way to pin the major version though.
openSUSE: the tomcat package is version 9, and they provide a separate tomcat10 package. It probably will be okay for awhile, though it will be nice to be able to explicitly say tomcat9 because I don't know when tomcat will default to 10.
Arch: tomcat9 as a package actually exists, so this can easily be pinned.

How to deploy using docker-compose but without https?

I could not find any option to disable https when deploying with docker-compose.

How to do it?

Support for Postgres >= 14

Using postgres:14-alpine in the given docker-compose.yaml gives the following error:

The authentication type 10 is not supported. Check that you have configured the pg_hba.conf file to include the client's IP address or subnet, and that it is using an authentication scheme supported by the driver.

License for the container image

Headwind MDM itself is Apache so I am guessing this repo is also under the Apache license?

[FEAT] Add Option to define password for admin user

At the moment the initial password is hard-coded somewhere to admin. It would be nice to have it configurable via environment variable like ADMIN_PASSWORD. Could be set to admin by default to stay backwards compatible.

[FEAT] Add Option to define username for admin user

At the moment the initial username is hard-coded somewhere to admin. It would be nice to have it configurable via environment variable like ADMIN_USERNAME. Could be set to admin by default to stay backwards compatible.

I am running into this funny error can you give me some context into it please

17-Dec-2022 09:08:32.729 SEVERE [main] org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class [com.hmdm.guice.Initializer]
java.lang.NullPointerException
at com.google.inject.servlet.GuiceServletContextListener.contextInitialized(GuiceServletContextListener.java:47)
at com.hmdm.guice.Initializer.contextInitialized(Initializer.java:126)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4716)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5177)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:978)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1848)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:773)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:427)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:843)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:342)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
17-Dec-2022 09:08:33.344 INFO [main] org.apache.catalina.core.ApplicationContext.log ContextListener: contextInitialized()
17-Dec-2022 09:08:33.346 INFO [main] org.apache.catalina.core.ApplicationContext.log SessionListener: contextInitialized()
17-Dec-2022 09:08:33.347 INFO [main] org.apache.catalina.core.ApplicationContext.log ContextListener: attributeAdded('StockTicker', 'async.Stockticker@221577de')

Docker Image does use SQL_USER as Database Name for Startup as well

Executing

docker run -d -p 443:8443 -p 31000:31000 -e SQL_HOST=database.host -e SQL_BASE=test -e SQL_USER=hmdm -e SQL_PASS=password -e BASE_DOMAIN=build.h-mdm.com -v /etc/letsencrypt:/etc/letsencrypt -v $(pwd)/volumes/work:/usr/local/tomcat/work --name="hmdm" headwindmdm/hmdm:0.1.0

does try to connect to database hmdm instead of test.

update to latest mdm

There is already version 5.13 ;)

Не проходит авторизация /rest/public/jwt/login

Всем привет, использую образ headwindmdm/hmdm:0.1.0 согласно инструкции
Все работает, создал пользователя с полными правами

пароль 123456

Пытаюсь выполнить метод для получения Токена "/rest/public/jwt/login", выдает ошибку 401. Помогите разобраться

пароль переведен в МД5-хеш согласно инструкции из Свеггера

Running into this error in my catalina.out

Uploading catalina_out_log.txt…

support for custom ports

Even if the ports are mapped to outside like to port 8443 instead of 443, the QR-Code URL in mdm is still on 443.
It would be nice if there would be a variable to define the servers ports especially if port forwarding is in use.