In order to use the image, it is necessary to accept the terms of the IBM MQ license. This is achieved by specifying the environment variable LICENSE
equal to accept
when running the image. You can also view the license terms by setting this variable to view
. Failure to set the variable will result in the termination of the container with a usage statement. You can view the license in a different language by also setting the LANG
environment variable.
Note: You can use
podman
instead ofdocker
in any of the examples on this page.
You can run a queue manager with the default configuration and a listener on port 1414 using the following command. For example, the following command creates and starts a queue manager called QM1
, and maps port 1414 on the host to the MQ listener on port 1414 inside the container, as well as port 9443 on the host to the web console on port 9443 inside the container:
docker run \
--env LICENSE=accept \
--env MQ_QMGR_NAME=QM1 \
--publish 1414:1414 \
--publish 9443:9443 \
--detach \
icr.io/ibm-messaging/mq
The above example will not persist any configuration data or messages across container runs. In order to do this, you need to use a volume. For example, you can create a volume with the following command:
docker volume create qm1data
You can then run a queue manager using this volume as follows:
docker run \
--env LICENSE=accept \
--env MQ_QMGR_NAME=QM1 \
--publish 1414:1414 \
--publish 9443:9443 \
--detach \
--volume qm1data:/mnt/mqm \
icr.io/ibm-messaging/mq
The Docker image always uses /mnt/mqm
for MQ data, which is correctly linked for you under /var/mqm
at runtime. This is to handle problems with file permissions on some platforms.
You can run a queue manager with Prometheus metrics enabled. The following command will generate Prometheus metrics for your queue manager on /metrics
port 9157
:
docker run \
--env LICENSE=accept \
--env MQ_QMGR_NAME=QM1 \
--env MQ_ENABLE_METRICS=true \
--publish 1414:1414 \
--publish 9443:9443 \
--publish 9157:9157 \
--detach \
icr.io/ibm-messaging/mq
You can customize the configuration in several ways:
- For getting started, you can use the default developer configuration, which is available out-of-the-box for the MQ Advanced for Developers image
- By creating your own image and adding your own MQSC file into the
/etc/mqm
directory on the image. This file will be run when your queue manager is created. - By using remote MQ administration, via an MQ command server, the MQ HTTP APIs, or using a tool such as the MQ web console or MQ Explorer.
Note that a listener is always created on port 1414 inside the container. This port can be mapped to any port on the Docker host.
The following is an example Dockerfile
for creating your own pre-configured image, which adds a custom MQ configuration file:
FROM icr.io/ibm-messaging/mq
USER 1001
COPY 20-config.mqsc /etc/mqm/
Here is an example corresponding 20-config.mqsc
script, which creates two local queues:
DEFINE QLOCAL(MY.QUEUE.1) REPLACE
DEFINE QLOCAL(MY.QUEUE.2) REPLACE
The file 20-config.mqsc
should be saved into the same directory as the Dockerfile
.
It is recommended that you configure MQ in your own custom image. However, you may need to run MQ commands directly inside the process space of the container. To run a command against a running queue manager, you can use docker exec
, for example:
docker exec \
--tty \
--interactive \
${CONTAINER_ID} \
dspmq
Using this technique, you can have full control over all aspects of the MQ installation. Note that if you use this technique to make changes to the filesystem, then those changes would be lost if you re-created your container unless you make those changes in volumes.
If you wish to supply TLS Certificates that the queue manager and MQ Console should use for TLS operations then you must supply a PKCS#1 or unencrypted PKCS#8 PEM files for both the certificates and private keys in the following directories:
/etc/mqm/pki/keys/<Label>
- for certificates with public and private keys/etc/mqm/pki/trust/<index>
- for certificates with only the public key
For example, if you have an identity certificate you wish to add with the label mykey
and 2 certificates you wish to add as trusted then you would need to add the files into the following locations where files ending in .key
contain private keys and .crt
contain certificates:
/etc/mqm/pki/keys/mykey/tls.key
/etc/mqm/pki/keys/mykey/tls.crt
/etc/mqm/pki/keys/mykey/ca.crt
/etc/mqm/pki/trust/0/tls.crt
/etc/mqm/pki/trust/1/tls.crt
This can be achieved by either mounting the directories or files into the container when you run it or by baking the files into the correct location in the image.
If you supply multiple identity certificates then the first label alphabetically will be chosen as the certificate to be used by the MQ Console and the default certificate for the queue manager. If you wish to use a different certificate on the queue manager then you can change the certificate to use at runtime by executing the MQSC command ALTER QMGR CERTLABL('<newlabel>')
It must be noted that queue manager certificate with a Subject Distinguished Name (DN) same as it's Issuer certificate (CA) is not supported. Certificates must have a unique Subject Distinguished Name.
Starting with version 9.3.4.0, you can run MQ container with a read-only root filesystem. In order to do this, you need to mount three volumes into the MQ container, one for queue manager data, one for run
directory that will contain files used for queue manager configuration and one for tmp
directory that will be used for collecting diagnostic data. You also need specify --read-only
parameter while starting the container. Following describes the steps to run MQ container with a read-only root filesystem.
docker volume create qm1data
docker volume create run
docker volume create tmp
You can then run a queue manager with a read-only root filesystem as follows:
docker run \
--env LICENSE=accept \
--env MQ\_QMGR\_NAME=QM1 \
--mount type=volume,source=run,destination=/run \
--mount type=volume,source=tmp,destination=/tmp \
--mount type=volume,source=qm1data,destination=/mnt/mqm \
--read-only \
--publish 1414:1414 \
--detach \
icr.io/ibm-messaging/mq