5.32.1(5.32.1/Dockerfile)5.32.1-secure(5.32.1-secure/Dockerfile)5.32.1-secure-ui(5.32.1-secure-ui/Dockerfile)
See Running on Docker at the dcm4che Archive 5 Wiki.
Below explained environment variables can be set as per one's application to override the default values if need be.
An example of how one can set an env variable in docker run command is shown below :
-e ARCHIVE_DEVICE_NAME=my-dcm4chee-arc
Note : If default values of any environment variables were overridden in startup of slapd or postgres containers,
then ensure that the same values are also used for overriding the defaults during startup of archive container.
URL for accessing LDAP (optional, default is ldap://ldap:389).
Base domain name for LDAP (optional, default is dc=dcm4che,dc=org).
Password to use to authenticate to LDAP (optional, default is secret).
Password to use to authenticate to LDAP via file input (alternative to LDAP_ROOTPASS).
Indicates to disable the verification of the hostname of the certificate of the LDAP server,
if using TLS (LDAP_URL=ldaps://<host>:<port>) (optional, default is true).
Device name to lookup in LDAP for Audit Logging configuration (optional, default is dcm4chee-arc).
Space separated list of URL(s) of Archive RESTful services deployed in this and other Archive docker container(s).
E.g.: http://dcm4chee-arc-1:8080/dcm4chee-arc http://dcm4chee-arc-2:8080/dcm4chee-arc (optional, default is /dcm4chee-arc).
Hostname/IP-Address of the PostgreSQL host. Required for using external PostgreSQL database to persist data.
If absent, embedded Java-based relational database H2 will be used to persist data (optional, default is db).
Port of the PostgreSQL host (optional, default is 5432)
Name of the database to use (optional, default is pacsdb).
User to authenticate to PostgreSQL (optional, default is pacs).
User to authenticate to PostgreSQL via file input (alternative to POSTGRES_USER).
User's password to use to authenticate to PostgreSQL (optional, default is pacs).
User's password to use to authenticate to PostgreSQL via file input (alternative to DB_PASSWORD).
Optional JDBC Connection Parameters (e.g.: connectTimeout=30).
This environment variable is used to set the initial and maximal Java heap size,
the size of the allocated class metadata space that will trigger a garbage collection the first time it is exceeded and
the maximum amount of native memory that can be allocated for class metadata (optional, default is
"-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m").
This environment variable is used to set the JAVA_OPTS during archive startup (optional, default is
"$JBOSS_JAVA_SIZING -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true").
Specifies if reverse DNS lookup is enabled for incoming DICOM and HL7 connections (optional, default is true).
Specifies subdirectories of - typically host mounted - /opt/wildfly/standalone/ which files and subdirectories get
updated by newer versions from corresponding subdirectories of /docker-entrypoint.d/ provided by the image on each
container start. (optional, default is configuration deployments).
If file /opt/wildfly/standalone/configuration/VERSION does not contain $WILDFLY_CONFIGURATION_VERSION,
XML configuration files in /opt/wildfly/standalone/configuration will be replaced by versions from
/docker-entrypoint.d/configuration provided by the image on first container start, even if the modification time of
existing files is newer than the files from the docker image, backing up existing files as XY.xml~.
File /opt/wildfly/standalone/configuration/VERSION will be created/updated to contain $WILDFLY_CONFIGURATION_VERSION
to ensure that the configuration files does not get overwritten on next container start, as long
WILDFLY_CONFIGURATION_VERSION is not set to a different value.
By default, it is set to $ARCHIVE_ARC_VERSION, which ensures that the configuration files are replaced if the
archive version provided by the image changes.
Specifies a subset of subdirectories of /opt/wildfly/standalone/ specified by WILDFLY_STANDALONE,
which files shall not be overwritten by newer versions from corresponding subdirectories of
/docker-entrypoint.d/ provided by the image on each container start.
Force the container to mutate the ownership of specified space separated list of directories recursively to uid:gid 1023:1023,
which provides the required read/write access to the Wildfly process. Enables to let the container create the storage directory
specified by LDAP docker container environment variable STORAGE_DIR
on first start up. Directories and files below /opt/wildfly - and so default storage directory /opt/wildfly/standalone/data/fs1 -
get owned by the user and group of the Wildfly process by default, without the need to refer them by that environment variable.
Indicates to delay the start of the archive until specified TCP ports become accessible. Format: <host>:<port> ..., e.g.: ldap:389 db:5432.
Start cron daemon to execute scheduled commands (optional, default is false).
Delete /opt/wildfly/standalone/log/server.log* files older than specified number of days automatically (optional, default is 7).
Delete /opt/wildfly/standalone/log/audit-log.log* files older than specified number of days automatically (optional, default is 7).
Suffix string for /opt/wildfly/standalone/log/server.log* files. The period of the rotation is automatically calculated
based on the suffix (optional, default is .yyyy-MM-dd).
Suffix string for /opt/wildfly/standalone/log/audit-log.log* files. The period of the rotation is automatically calculated
based on the suffix (optional, default is .yyyy-MM-dd).
The maximum size of a HTTP POST request that will be accepted, in bytes. (optional, default is 10000000000).
If this is enabled then the X-Forwarded-For and X-Forwarded-Proto headers will be used to determine the peer address.
This allows applications that are behind a proxy to see the real address of the client, rather than the address
of the proxy. (optional, default is false).
HTTP port of Wildfly (optional, default is 8080).
HTTPS port of Wildfly (optional, default is 8443).
HTTPS port to redirect requests that require security too. (optional, default is 8443).
Have to be set different to HTTPS_PORT, if running behind a HTTPS/SSL reverse proxy listing on a different port.
HTTP port of Wildfly Administration Console (optional, default is 9990).
HTTPS port of Wildfly Administration Console (optional, default is 9993).
HTTPS URL used by the browser based Archive UI to access the Wildfly Administration Console.
Only necessary, if running behind a HTTPS/SSL reverse proxy listing on a different port from MANAGEMENT_HTTPS_PORT or
using different virtual hosts for forwarding HTTP requests to the Wildfly Administration Console than to regular Wildfly
HTTP/HTTPS interfaces.
Controls deployment of the Archive UI. Enumerated values:
true; deploys the Archive UI additionally to the Archive backend (= default)false; deploys the Archive backend without the Archive UIonly; deploys only the Archive UI without the Archive backend (requiresDCM4CHEE_ARC_URLS](#dcm4chee_arc_urls))
Protect Wildfly Adminstration Console with Keycloak (optional, default is true).
By default there is no admin user created so you won't be able to login to the Wildfly Administration Console.
User to authenticate to the Wildfly Administration Console.
(At archive versions secured by Keycloak and WILDFLY_ADMIN_OIDC=true, any user with assigned role ADMINISTRATOR
is authorized to access the Wildfly Administration Console.)
WILDFLY_ADMIN_USER_FILE (Ignored by archive versions secured by Keycloak and WILDFLY_ADMIN_OIDC=true)
User to authenticate to the Wildfly Administration Console via file input (alternative to WILDFLY_ADMIN_USER).
WILDFLY_ADMIN_PASSWORD (Ignored by archive versions secured by Keycloak and WILDFLY_ADMIN_OIDC=true)
User's password to use to authenticate to the Wildfly Administration Console.
WILDFLY_ADMIN_PASSWORD_FILE (Ignored by archive versions secured by Keycloak and WILDFLY_ADMIN_OIDC=true)
User's password to use to authenticate to the Wildfly Administration Console via file input (alternative to WILDFLY_ADMIN_PASSWORD).
User role required to access the UI and RESTful services of the Archive (optional, default is auth).
User role to identify super users, which have unrestricted access to all UI functions of the Archive, bypassing the
verification of user permissions (optional, default is root).
User role required to access HTTP services over a proxy. (optional, default is user).
Path to keystore file with private key and certificate for HTTPS (optional, default is
/opt/wildfly/standalone/configuration/keystore/key.p12, with sample key + certificate:
Owner: CN=dcm4che, O=dcm4che.org, C=AT
Issuer: OU=Gazelle, CN=IHE Europe CA, O=IHE Europe, C=FR
Serial number: 4b3
Valid from: Fri Sep 30 11:24:50 CEST 2022 until: Thu Sep 30 11:24:50 CEST 2032
Certificate fingerprints:
SHA1: B4:F5:09:33:B8:56:F0:D5:65:E9:3E:3D:02:1B:9D:00:F8:F8:F4:BA
SHA256: BD:60:1C:19:D4:ED:87:18:B3:EC:F6:53:52:91:00:C8:A2:70:21:0F:04:87:E6:B7:ED:15:23:A7:97:D8:28:AC
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 1024-bit RSA key (weak)
provided by the docker image only for testing purpose).
Password used to protect the integrity of the keystore specified by KEYSTORE (optional, default is secret).
Password used to protect the integrity of the keystore specified by KEYSTORE via file input
(alternative to KEYSTORE_PASSWORD).
Password used to protect the private key in the keystore specified by KEYSTORE
(optional, default is value of KEYSTORE_PASSWORD).
Password used to protect the private key in the keystore specified by KEYSTORE via file input
(alternative to KEY_PASSWORD).
Type (JKS or PKCS12) of the keystore specified by KEYSTORE (optional, default is PKCS12).
Path to keystore file with trusted certificates for TLS (optional, default is the default Java truststore
$JAVA_HOME/lib/security/cacerts). s.o. EXTRA_CACERTS.
Password used to protect the integrity of the keystore specified by TRUSTSTORE (optional, default is changeit).
Password used to protect the integrity of the keystore specified by TRUSTSTORE via file input
(alternative to TRUSTSTORE_PASSWORD).
Type (JKS or PKCS12) of the keystore specified by TRUSTSTORE (optional, default is JKS).
Path to keystore file with CA certificates imported to default Java truststore (optional, default is
/opt/wildfly/standalone/configuration/keystore/cacerts.p12, with sample CA certificate:
Owner: OU=Gazelle, CN=IHE Europe CA, O=IHE Europe, C=FR
Issuer: OU=Gazelle, CN=IHE Europe CA, O=IHE Europe, C=FR
Serial number: 1
Valid from: Tue Nov 27 11:21:33 CET 2018 until: Mon Nov 27 11:21:33 CET 2028
Certificate fingerprints:
SHA1: 95:B3:01:BD:8B:97:46:D3:17:C4:E6:96:42:C9:84:FC:17:8D:E9:6F
SHA256: 21:EB:CA:86:4A:08:E9:A2:D2:1F:6E:84:37:8D:60:BB:14:92:4D:1B:B0:DD:B0:DC:75:03:0C:2E:F3:B2:6E:DD
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
provided by the docker image only for testing purpose).
Password used to protect the integrity of the keystore specified by EXTRA_CACERTS (optional, default is secret).
Password used to protect the integrity of the keystore specified by EXTRA_CACERTS via file input
(alternative to EXTRA_CACERTS_PASSWORD).
Enables mutual TLS authentication for incoming HTTP connections: request HTTPS clients to provide a certificate and
reject the connection if that is not signed by a trusted certificate (see TRUSTSTORE)
(optional, default is false). environment
Comma separated list of enabled TLS protocols (SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3)
(optional, default is TLSv1.2).
The filter to apply to specify the enabled cipher suites for TLSv1.2 and below. See
javadoc
for possible values. (optional, default is DEFAULT).
Predicate to enable gzip compression of HTTP responses. See
Textual Representation of Predicates
for possible formats. (optional, default is method(GET) and path-suffix(studies,series,instances,metadata).
Backend Endpoint URL of the Keycloak server for direct communication between the archive application and Keycloak for
authenticating client requests.
Default value is https://keycloak:8443.
Frontend Endpoint URL of the Keycloak server used by the browser based Archive UI to access Keycloak. If there is a
reverse proxy in front of Keycloak, the URL has to reflect hostname and port of the reverse proxy.
Default value is ${AUTH_SERVER_URL}.
Name of the realm configured in Keycloak for securing the UI and RESTful services of the archive,
and the Wildfly Administration Console and Management API (optional, default is dcm4che).
Defining the SSL/HTTPS requirements for interacting with the Keycloak server:
none- HTTPS is not required for any client IP addressexternal- private IP addresses can access without HTTPSall- HTTPS is required for all IP addresses
(optional, default is external).
If the Keycloak server requires HTTPS and this config option is set to true the Keycloak server’s certificate is
validated via the truststore, but host name validation is not done (optional, default value set is true).
If the Keycloak server requires HTTPS and this config option is set to true the Keycloak server’s certificate is
is not validated via the truststore (optional, default value set is false).
Keycloak client ID for securing the UI of the archive (optional, default is dcm4chee-arc-ui).
Keycloak client ID for securing RESTful services of the archive (optional, default is dcm4chee-arc-rs).
Keycloak client ID for securing the Wildfly Administration Console
(optional, default is wildfly-console).
Keycloak client ID for securing the Wildfly Management API.
(optional, default is wildfly-management).
Maximum threads allowed for the managed-executor-service in the Wildfly configuration
(optional, default is 100).
Enable the use of a cached connection manager
(optional, default is true).
Maximum pool size allowed for the PacsDS datasource in the Wildfly configuration
(optional, default is 50).
Controls if Wildfly Undertow servlet container should set headers to disable caching for secured pages
(optional, default is false).
Enables host DNS lookup of peer address by Wildfly Undertow servlet container
(optional, default is false).
Logstash/GELF Logger configuration:
Hostname/IP-Address of the Logstash host. Required for emitting system logs to Logstash.
Name of the Facility (optional, default is wildfly).
Log-Level threshold (optional, default is WARN).
Indicates if the Stack-Trace shall be sent in the StackTrace field (optional, default is true).
Indicates if Stack-Trace filtering shall be performed (optional, default is true).
You may extend the image by creating a new one and place your application(s) inside the
/docker-entrypoint.d/deployments/ directory with the COPY command. E.g.:
$ ls
Dockerfile weasis-pacs-connector.war$ cat Dockerfile
FROM dcm4che/dcm4chee-arc-psql:5.32.1
COPY weasis-pacs-connector.war /docker-entrypoint.d/deployments$ docker build -t dcm4chee-arc-psql-with-weasis-pacs-connector:5.32.1 .
Sending build context to Docker daemon 1.924MB
Step 1/2 : FROM dcm4che/dcm4chee-arc-psql:5.32.1
5.32.1: Pulling from dcm4che/dcm4chee-arc-psql
c7b7d16361e0: Already exists
b7a128769df1: Already exists
1128949d0793: Already exists
667692510b70: Already exists
5352881f31d4: Already exists
9c5c547fc9af: Already exists
1425a6f5654d: Already exists
5686d3c45e41: Already exists
d26ca0854059: Already exists
b04b5d1d48ca: Already exists
73f6e4c54635: Already exists
495a8a1a3634: Pull complete
01e5664d91d6: Pull complete
22267eaaa65e: Pull complete
Digest: sha256:efd76ca282504bc3e7284cc544434dd769a84b45af5f96ff84ed462a6425780d
Status: Downloaded newer image for dcm4che/dcm4chee-arc-psql:5.32.1
---> c84231dce4d2
Step 2/2 : COPY weasis-pacs-connector.war /docker-entrypoint.d/deployments
---> b0f94489c0cb
Successfully built b0f94489c0cb
Successfully tagged dcm4chee-arc-psql-with-weasis-pacs-connector:5.32.1
