How to run Jira in a docker container

Tommaso Doninelli

Deploy Jira Server with a container in Docker or in HakunaCloud with full TLS/SSL support

Official Docker images

Atlassian provides official Docker images for almost all of its products. Unfortunately, those images do not support TLS/SSL configuration directly and are meant to run behind an HTTPS proxy.

In this post, we’ll create our own JIRA server with TLS/SSL support and deploy it in HakunaCloud!

Atlassian JIRA is built on top of Apache Tomcat, an application server that has full support for SSL/TLS. To complete this post we need:

  • a DNS name and a TLS/SSL certificate for it - you can grab one for free from Let’s Encrypt
  • Docker
  • (optional) a HakunaCloud account to deploy JIRA

Get the SSL certificate

The first step is to generate the certificate that will be embedded in our Jira Docker container.

sudo certbot certonly --standalone -d jira.example.com # Ubuntu

At the end, you will have the following files:

/etc/letsencrypt/live/jira.example.com/cert.pem
/etc/letsencrypt/live/jira.example.com/chain.pem
/etc/letsencrypt/live/jira.example.com/fullchain.pem
/etc/letsencrypt/live/jira.example.com/privkey.pem

Then, create a PKCS12 archive that contains both your full chain and the private key. Set a password when prompted; do not leave it blank!

sudo openssl pkcs12 -export -out ./jira.example.com.p12 \
                -in /etc/letsencrypt/live/jira.example.com/fullchain.pem \
                -inkey /etc/letsencrypt/live/jira.example.com/privkey.pem \
                -name jira
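
Before the archive is copied into an image, it is worth checking that it opens with the password you set, carries the alias jira that the later keytool and Tomcat settings refer to, covers the domain, and is not about to expire. The following is an added example, not part of the original post; the function name check_p12, the P12_PASS variable and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# check_p12 FILE DOMAIN MIN_DAYS   (archive password is read from $P12_PASS)
# Return codes (assumed convention for this example):
#   0 = archive is fit to be imported as the post describes
#   1 = empty password            2 = archive cannot be opened
#   3 = alias "jira" is missing   4 = certificate does not cover DOMAIN
#   5 = certificate expires within MIN_DAYS days
check_p12() {
    p12=$1 domain=$2 min_days=$3

    # The post insists on a non-blank export password.
    [ -n "${P12_PASS:-}" ] || return 1

    # Extract the leaf certificate; a wrong password or a corrupt file fails
    # here. "env:" keeps the password off the openssl command line.
    leaf=$(P12_PASS=$P12_PASS openssl pkcs12 -in "$p12" \
               -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || return 2

    # "-name jira" at export time becomes the friendlyName; keytool's
    # "-alias jira" and Tomcat's keyAlias="jira" both depend on it.
    printf '%s\n' "$leaf" \
        | grep -Eq 'friendlyName: jira[[:space:]]*$' || return 3

    # Hostname check against SAN/CN; openssl reports the verdict as text.
    printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$domain" \
        | grep -q 'does match' || return 4

    # -checkend exits non-zero if the certificate expires within N seconds.
    printf '%s\n' "$leaf" | openssl x509 -noout \
        -checkend $((min_days * 86400)) >/dev/null || return 5

    return 0
}

# Usage (password supplied through the environment, not as an argument):
#   P12_PASS='your-export-password' check_p12 ./jira.example.com.p12 jira.example.com 14
```

Let’s Encrypt certificates are valid for 90 days, so a return code of 5 means it is time to renew the certificate, re-export the archive and rebuild the image.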

Our custom image

Basic setup of JIRA in Docker container

The first block of our Dockerfile contains the instructions to perform a standard installation of Atlassian Jira:

FROM ubuntu:18.04

ENV JIRA_VERSION=8.5.1
RUN apt-get update && apt-get install -y wget xmlstarlet fontconfig

WORKDIR /opt

RUN wget https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-${JIRA_VERSION}-x64.bin

RUN chmod a+x atlassian-jira-software-${JIRA_VERSION}-x64.bin

We use Ubuntu as our base image, install a few dependencies and download the JIRA installer from the Atlassian website.

The installer asks for some information during the installation procedure. Since we are running the command in a docker build, we must configure the installer to run an unattended installation. The default options are saved in jira-unhattended.varfile, also available in the GitHub repo:

COPY jira-unhattended.varfile /tmp/response.varfile
RUN ./atlassian-jira-software-${JIRA_VERSION}-x64.bin -q -varfile /tmp/response.varfile

Configure domain name and TLS/SSL

The next block of commands configures Apache Tomcat, the JIRA application server, to use TLS/SSL:

ENV DOMAIN=jira.example.com
WORKDIR /var/atlassian/application-data/jira/tls/
COPY ${DOMAIN}.p12 ./

RUN xmlstarlet ed --inplace --update '/Server/Service/Connector[@port=8080]/@port' -v "8443" /opt/atlassian/jira/conf/server.xml && \
    xmlstarlet ed --inplace --update '/Server/Service/Connector[@protocol="HTTP/1.1"]/@protocol' -v "org.apache.coyote.http11.Http11NioProtocol" /opt/atlassian/jira/conf/server.xml && \
    xmlstarlet ed --inplace --delete '/Server/Service/Connector[@redirectPort=8443]/@redirectPort' /opt/atlassian/jira/conf/server.xml  && \
    xmlstarlet ed --inplace --insert '/Server/Service/Connector' -t attr -n 'SSLEnabled' -v "true" /opt/atlassian/jira/conf/server.xml  && \
    xmlstarlet ed --inplace --insert '/Server/Service/Connector' -t attr -n 'scheme' -v "https" /opt/atlassian/jira/conf/server.xml && \
    xmlstarlet ed --inplace --insert '/Server/Service/Connector' -t attr -n 'secure' -v "true" /opt/atlassian/jira/conf/server.xml && \
    xmlstarlet ed --inplace --insert '/Server/Service/Connector' -t attr -n 'keyAlias' -v "jira" /opt/atlassian/jira/conf/server.xml && \
    xmlstarlet ed --inplace --insert '/Server/Service/Connector' -t attr -n 'keystoreFile' -v "/var/atlassian/application-data/jira/tls/${DOMAIN}.keystore" /opt/atlassian/jira/conf/server.xml && \
    xmlstarlet ed --inplace --insert '/Server/Service/Connector' -t attr -n 'keystorePass' -v "1234" /opt/atlassian/jira/conf/server.xml && \
    xmlstarlet ed --inplace --insert '/Server/Service/Connector' -t attr -n 'keystoreType' -v "PKCS12" /opt/atlassian/jira/conf/server.xml

RUN /opt/atlassian/jira/jre/bin/keytool -importkeystore \
            -deststorepass 1234 \
            -destkeypass 1234 \
            -destkeystore ${DOMAIN}.keystore \
            -srckeystore ${DOMAIN}.p12 \
            -srcstoretype PKCS12 \
            -srcstorepass 1234 \
            -deststoretype pkcs12 \
            -alias jira

Let’s break down this block:

Copy the PKCS12 archive (lines 1:3 and 16)

We copy the PKCS12 archive we generated earlier into the Docker image. Unfortunately, we can’t use the certificates generated by Let’s Encrypt directly in Java: at line 16 we import the certificate into the keystore, the Java certificate database.

Edit the Jira server.xml configuration file (lines 5:14)

Jira’s Tomcat configuration is stored in server.xml. We can easily manipulate it using xmlstarlet, a handy tool for working with XML files.

Wrap Up

The full Dockerfile and all the source files are publicly available in our GitHub repo. The Atlassian Jira Docker-based container is ready to be deployed in your Kubernetes or in HakunaCloud.

Deploy in HakunaCloud

Bonus Track: you can deploy your Jira instance in HakunaCloud almost for free - did you know that if you sign up, we give you $30 in credits?

Follow these quick steps:

  1. If you haven’t done so yet, sign up and redeem your free credits;
  2. Install the HakunaCloud CLI
  3. Push your image to your private registry - HakunaCloud supports both AWS ECR and Docker Hub!
  4. Create a network and 2 persistent volumes

     beekube network create jira-net
        
     beekube volume create jira_data --size 20
     beekube volume create jira_pg --size 20
    
  5. Deploy a PostgreSQL database
     beekube run --name jira_pg \
         --network jira-net \
         -e POSTGRES_PASSWORD=123456 \
         -e POSTGRES_USER=jira \
         -e POSTGRES_DB=jira  \
         --cpus=8 --memory=4g \
         -v jira_pg:/var/lib/postgresql/data \
         postgres
    
  6. Deploy Jira
     beekube run --name jira  \
         --network jira-net \
         -v jira_data:/var/atlassian/application-data/jira \
         --cpus=8 --memory=4g \
         -p 443:8443 \
         yourrepo/jira
    
  7. Create a DNS CNAME record that points to the record associated with your container (get it with beekube ps)

Done!

Tommaso Doninelli

CEO @ HakunaCloud

10 years as CTO, former Software Engineer at Amazon AWS, Cloud Solution Architect with projects in US, Europe and United Arab Emirates.

"I am a DevOps and automation advocate; you can test, deploy, analyze and improve even your grandma's recipes."