
NetIQ / Microfocus / OpenText Identity Manager Designer docker installation

12.07.2024: added the max open files limit raise. Designer with larger projects eats file descriptors.

Designer for OpenText NetIQ Identity Manager is an excellent Eclipse based IDM design and simulation tool which enables design, testing, documenting and deploying in a very convenient way. This guide shows how to install and use this tool from a Docker container on any Linux distribution with Docker support.

Designer is a beautiful tool for identity management work, but it is certified for use in SLES or RHEL environments only, which may not be the first choice of Linux for every expert, as many prefer Ubuntu, Fedora, Arch and openSUSE environments. Especially if one works on a laptop.

My problem arose when I decided to switch my laptop strategy from enterprise laptops to those sexy bleeding edge consumer ones and got myself a 2024 Asus Zenbook OLED, which requires kernel 6.8 to even boot up. Kernel 6.8 is light years ahead of any RHEL or SLES distro, so I ended up putting Fedora 40 on my sleek laptop. Of course Designer did not work there, so I could have tried to match libraries and hack it to work somehow, but I wanted to make a more permanent solution.

Docker can cater for any Linux environment in a more portable way, and we can do just that by setting up a container using Rocky Linux 8, which is a clone of RHEL 8 without that one branding package. In addition we get very convenient image versioning, upgradeability and a very easy rollback ability.

I write this using Fedora 40 as the host, but the effect of the host distro is quite minimal.

As a bonus feature we have the capability to run multiple Designer instances using the same image with multiple Docker configurations. Also the base OS install is better protected against malicious attacks due to the read-only property of the image layers, and our Designer app is easy to transfer to other hosts. Note that the container below shares the host network namespace and X11 socket, so the gain is reproducibility and rollback rather than sandboxing.

Make sure you are on a GUI desktop to be able to run Designer, not a text console without display redirection.

sudo su
xhost +local:docker

Base install stuff.

dnf in docker
systemctl enable docker --now

Summary

  • Acquire Designer install package from OpenText
  • Make necessary directories for container
    • actual install destination
    • workspace
    • installation source
  • Extract installer to be available to the container

Actual actions, excluding the Designer package which you must download from OpenText:

mkdir /opt/designer
mkdir /opt/designer/designer
mkdir /opt/designer/designer_workspace
cd /opt/designer
tar -xzf /xxx/Identity_Manager_4.8_Designer_Linux.tar.gz

If you are using SELinux, set file contexts on the directories with

semanage fcontext -a -t container_file_t '/opt/designer/designer'
semanage fcontext -a -t container_file_t '/opt/designer/designer_workspace'
semanage fcontext -a -t container_file_t '/opt/designer/designer_install'
restorecon -R /opt/designer/designer*

We now have /opt/designer with the empty sub directories designer and designer_workspace, and the Designer installer at designer_install.

This is just a workstation install and we could optimize this a lot by installing only the minimal libraries needed by Designer. Create /opt/designer/Dockerfile:

FROM rockylinux:8
RUN dnf -y groupinstall "Workstation" --allowerasing && \
    dnf -y install libcanberra libcanberra-gtk2 && \
    dnf clean all

Build the image with

docker build . -t designer-base

You can skip this if not using SELinux. If using SELinux we need to do the following:

  • setenforce 0
  • install and run Designer
  • create a SELinux policy module from the logged denials
  • setenforce 1 and run again

Set SELinux to permissive.

setenforce 0

Create a new container with display redirection and the correct folder mounts:

docker run --name designer-app -it --net=host --env DISPLAY=$DISPLAY --volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" --volume="/opt/designer/designer_workspace:/root/designer_workspace" --volume="/opt/designer/designer:/root/designer" --volume="/opt/designer/designer_install:/opt/designer_install" designer-base

Now in the container prompt raise the max open files limit for Designer, install Designer and run it. Let it update all the way and DO NOT EXIT the container:

echo "root soft nofile 1024000" > /etc/security/limits.d/designer.conf
echo "root hard nofile 1024000" >> /etc/security/limits.d/designer.conf
/opt/designer_install/install
/root/designer/StartDesigner.sh

Then we catch the SELinux errors, create a module and load it:

journalctl -e -t audit | grep denied | audit2allow -M designer-docker
cat designer-docker.te #verify we got containerd rules
semodule -i designer-docker.pp
setenforce 1

If the above somehow fails, you can try the following:

journalctl -t audit -e
ausearch -m avc -ts recent > selinux.log
vim selinux.log #delete irrelevant lines
cat selinux.log | audit2allow -M designer-docker
semodule -i designer-docker.pp
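Instead of deleting irrelevant lines by hand in the editor, the added script below (not from the original page) keeps only the AVC denials whose source domain is the container's and summarises them before handing them to audit2allow -M; the sample audit lines in it are constructed, and container_t as Docker's default confinement domain is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original howto: narrow the audit log to the
# AVC denials raised by the container's own processes before audit2allow,
# instead of deleting irrelevant lines by hand. Assumes docker confines the
# container in the default container_t domain.

# Keep only AVC denial lines whose source context is container_t (reads stdin).
container_denials() {
    grep 'avc: *denied' | grep 'scontext=[^ ]*:container_t:'
}

# Summarise denials as "target type, object class, permissions" with counts,
# so the policy module can be reviewed before it is built.
denial_summary() {
    container_denials |
    sed -n 's/.*denied *{ \([^}]*\) }.*tcontext=[^ ]*:\([a-z0-9_]*\):s0[^ ]* tclass=\([a-z0-9_]*\).*/\2 \3 \1/p' |
    sort | uniq -c
}

# build_module NAME: recent container denials -> NAME.te and NAME.pp, as in
# the audit2allow -M designer-docker step above.
build_module() {
    ausearch -m avc -ts recent | container_denials | audit2allow -M "$1"
}

# Constructed sample lines in the audit AVC format (not real log data): two
# denials from the container and one from an unrelated domain.
SAMPLE_AVC='type=AVC msg=audit(1720790000.100:500): avc:  denied  { read } for  pid=4242 comm="java" name="designer" dev="dm-0" ino=99 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1720790000.101:501): avc:  denied  { write } for  pid=4242 comm="java" name="workspace" dev="dm-0" ino=98 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1720790000.102:502): avc:  denied  { read } for  pid=777 comm="systemd" name="foo" dev="dm-0" ino=5 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# Run the summary over the sample data.
sample_summary() {
    printf '%s\n' "$SAMPLE_AVC" | denial_summary
}
```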

Continue finalizing the Designer installation and DO NOT EXIT the container. If you went through the SELinux steps above, the container is already running with Designer installed, so continue directly at the commit step below.

Create a new container with display redirection and the correct folder mounts:

docker run --name designer-app -it --net=host --env DISPLAY=$DISPLAY --volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" --volume="/opt/designer/designer_workspace:/root/designer_workspace" --volume="/opt/designer/designer:/root/designer" --volume="/opt/designer/designer_install:/opt/designer_install" designer-base

Now in the container prompt start the installer, run Designer, let it update itself and its packages, and DO NOT exit the container yet:

/opt/designer_install/install
/root/designer/StartDesigner.sh

Let's commit the changes to a new image and set the container to run Designer on start: open another terminal with root access and commit the changes as a new image.

docker commit --change='CMD /root/designer/StartDesigner.sh' [CONTAINER_ID] designer-image-v1
docker rm designer-app
docker run --name designer-app -it --net=host --env DISPLAY=$DISPLAY --volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" --volume="/opt/designer/designer_workspace:/root/designer_workspace" --volume="/opt/designer/designer:/root/designer" --volume="/opt/designer/designer_install:/opt/designer_install" designer-image-v1

Now Designer starts when the container is started, and the container stops when Designer is stopped. TODO: desktop shortcut.

xhost +local:docker
docker start designer-app
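The same long docker run line recurs for every image version on this page. The following added script (not part of the original howto) wraps it in a function together with a pre-flight check for the GUI session, an explicit --ulimit for the open-file limit and a helper that picks the next designer-image-vN tag for docker commit; the script name designer.sh, DRY_RUN=1 and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: one launcher for the
# "docker run" and "docker commit" commands this page repeats per version.
# Assumes the /opt/designer layout, the "designer-app" container name and the
# "designer-image-vN" tags used on the page; DRY_RUN=1 only prints commands.
DESIGNER_ROOT=/opt/designer
CONTAINER=designer-app
# Open-file limit applied at container creation: "docker run" does not go
# through PAM, so a limits.d file inside the container may not take effect.
# Verify with "ulimit -n" inside the container.
NOFILE=1024000
# Refuse to start outside a GUI session (see the xhost step above).
designer_preflight() {
    [ -n "$DISPLAY" ] || { echo "DISPLAY not set: run from a desktop session" >&2; return 1; }
    [ -d /tmp/.X11-unix ] || { echo "no X socket directory to share" >&2; return 1; }
}

# designer_run IMAGE [COMMAND...]: create the container from IMAGE with the
# display redirection and volume mounts used throughout this page and run it.
designer_run() {
    image=$1; shift
    set -- --name "$CONTAINER" -it --net=host --env "DISPLAY=$DISPLAY" \
        --ulimit "nofile=$NOFILE:$NOFILE" \
        --volume /tmp/.X11-unix:/tmp/.X11-unix:rw \
        --volume "$DESIGNER_ROOT/designer_workspace:/root/designer_workspace" \
        --volume "$DESIGNER_ROOT/designer:/root/designer" \
        --volume "$DESIGNER_ROOT/designer_install:/opt/designer_install" \
        "$image" "$@"
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' docker run "$@"; return 0; fi
    designer_preflight && xhost +local:docker >/dev/null && docker run "$@"
}

# Print the tag after the highest designer-image-vN read from stdin, e.g.
#   docker images --format '{{.Repository}}' | next_image_tag
next_image_tag() {
    n=$(sed -n 's/^designer-image-v\([0-9][0-9]*\)$/\1/p' | sort -n | tail -n 1)
    echo "designer-image-v$((${n:-0} + 1))"
}

# Commit the running container as the next version, keeping Designer as the
# container start command, and print the new tag.
designer_commit() {
    tag=$(docker images --format '{{.Repository}}' | next_image_tag) || return 1
    docker commit --change='CMD /root/designer/StartDesigner.sh' "$CONTAINER" "$tag" >/dev/null && echo "$tag"
}

case "${1:-}" in
    run)    designer_run "$2" ;;   # sh designer.sh run designer-image-v1
    commit) designer_commit ;;     # sh designer.sh commit
esac
```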

Designer updates should land normally since the files live under /opt/designer.

Steps:

  1. run the container with Designer, do not exit Designer
  2. connect to a shell with docker exec -it designer-app bash
  3. run dnf update
  4. use another shell to commit the container image to a new version
  5. remove the current container
  6. add a new container using the new image

#while container running update designer or enter container shell and do dnf update
docker commit [CONTAINER_ID] designer-image-vN #replace N with version number
docker rm designer-app
docker run --name designer-app -it --net=host --env DISPLAY=$DISPLAY --volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" --volume="/opt/designer/designer_workspace:/root/designer_workspace" --volume="/opt/designer/designer:/root/designer" --volume="/opt/designer/designer_install:/opt/designer_install" designer-image-vN

Outline of the update procedure described in the next sections:

  • Start a new container from the image in interactive mode
  • Do the necessary uninstalls, installs and updates
  • Set SELinux to permissive if problems occur
  • Do not exit the container
  • Commit the image to a new version
  • Set the container to use the new image
  • Tune SELinux policies using the help above

Update software in docker container interactive session

setenforce 0
docker run --name designer-app-vN -it --net=host --env DISPLAY=$DISPLAY --volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" --volume="/opt/designer/designer_workspace:/root/designer_workspace" --volume="/opt/designer/designer:/root/designer" --volume="/opt/designer/designer_install:/opt/designer_install" designer-image-vN /bin/bash
dnf up
#remove old designer, install new designer, update everything
#do not exit container

Generate new image

Do not exit the container interactive session. Just exit Designer so that you are in the bash session. Use another terminal to commit the container to another image.

docker commit --change='CMD /root/designer/StartDesigner.sh' [CONTAINER_ID] designer-image-vN #replace N with version number
docker rm designer-app #remove previous container UNLESS you want access to older version

Exit docker interactive session and generate new container

After committing the changes to the new image, exit the interactive session, remove the intermediate container and re-create it using the new image.

docker rm designer-app-vN
docker run --name designer-app-vN -it --net=host --env DISPLAY=$DISPLAY --volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" --volume="/opt/designer/designer_workspace:/root/designer_workspace" --volume="/opt/designer/designer:/root/designer" --volume="/opt/designer/designer_install:/opt/designer_install" designer-image-vN

Remember to run setenforce 1 if you had to disable enforcement.

  • tips_and_howtos/designer_docker.txt
  • Last modified: 2024/07/12 15:00
  • by Pekka.Kuronen@pegasi.fi