Custom Docker Image with Neo4j

Hi,

I would like to build a custom Docker image to inject certificates via environment variables, and hence have a custom entrypoint. What command should I use at the end to start Neo4j?

```sh
#!/bin/sh

echo "Starting....."

# Directory the certificate files are written to
mkdir -p /var/lib/neo4j/certificates/https/

# Each *_CONTENT variable may hold raw PEM (first line starts with "----")
# or base64-encoded PEM, which is decoded before being written.
if [ -n "$NEO4J_TLS_CA_CONTENT" ]; then
    if echo "$NEO4J_TLS_CA_CONTENT" | head -n 1 | grep -q "^----"; then
        echo "$NEO4J_TLS_CA_CONTENT" > /var/lib/neo4j/certificates/https/ca.ca
    else
        echo "$NEO4J_TLS_CA_CONTENT" | base64 -d > /var/lib/neo4j/certificates/https/ca.ca
    fi
    # Export the path of the file actually written above
    export NEO4J_TLS_CAFILEPATH=/var/lib/neo4j/certificates/https/ca.ca
fi

if [ -n "$NEO4J_TLS_CERT_CONTENT" ]; then
    if echo "$NEO4J_TLS_CERT_CONTENT" | head -n 1 | grep -q "^----"; then
        echo "$NEO4J_TLS_CERT_CONTENT" > /var/lib/neo4j/certificates/https/public.crt
    else
        echo "$NEO4J_TLS_CERT_CONTENT" | base64 -d > /var/lib/neo4j/certificates/https/public.crt
    fi
    # Export the path of the file actually written above
    export NEO4J_TLS_CERTFILEPATH=/var/lib/neo4j/certificates/https/public.crt
fi

if [ -n "$NEO4J_TLS_KEY_CONTENT" ]; then
    if echo "$NEO4J_TLS_KEY_CONTENT" | head -n 1 | grep -q "^----"; then
        echo "$NEO4J_TLS_KEY_CONTENT" > /var/lib/neo4j/certificates/https/private.key
    else
        echo "$NEO4J_TLS_KEY_CONTENT" | base64 -d > /var/lib/neo4j/certificates/https/private.key
    fi
    # Export the path of the file actually written above
    export NEO4J_TLS_KEYFILEPATH=/var/lib/neo4j/certificates/https/private.key
fi

echo "🚀 Starting Neo4j..."

# What command to execute here to start Neo4j ?
```

I assume your Dockerfile is doing FROM neo4j:<whatever>, in which case you can start neo4j by running the entrypoint script at /startup/docker-entrypoint.sh. That script takes care of configuration settings, plugins, etc.: basically all the features mentioned in Docker - Operations Manual.
I think it might have trouble with environment variables starting with $NEO4J_ though, because it will interpret them as being configuration settings.

Another option is that you can provide a script path with the variable EXTENSION_SCRIPT and the neo4j container will run that script just before starting Neo4j. You could provide your certificate script that way? Here's the entrypoint source. That feature is undocumented, but it's been around for a long time.

Otherwise, if you aren't using FROM neo4j:<whatever> then neo4j console is the best way to start the database.


Thanks, I did something similar:
exec /startup/docker-entrypoint.sh neo4j

and yes, discovered the issue with environment variables starting with NEO4J_ so added a prefix 👍

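The approach the thread arrives at, sketched as an added example that is not taken from any of the posts or from the Neo4j image: a wrapper entrypoint that reads the certificate material from variables outside the NEO4J_ namespace, validates it, writes it with owner-only permissions, and then hands over to /startup/docker-entrypoint.sh. The variable names APP_TLS_*_CONTENT, CERT_DIR and CERT_OWNER are assumptions made for this sketch; the file names and directory are the ones from the question.

```sh
#!/bin/sh
# Added example: wrapper entrypoint for an image built FROM neo4j:<whatever>.
# APP_TLS_*, CERT_DIR and CERT_OWNER are hypothetical names, not Neo4j settings.
CERT_DIR="${CERT_DIR:-/var/lib/neo4j/certificates/https}"

# write_pem CONTENT DEST: accept raw PEM or base64-encoded PEM, write it to
# DEST readable by its owner only, and fail if the result is not PEM.
write_pem() {
    content=$1 dest=$2
    [ -n "$content" ] || return 0        # variable unset or empty: nothing to do
    tmp="$dest.tmp.$$"
    (
        umask 077                        # private key must not be world-readable
        case $content in
            -----BEGIN*) printf '%s\n' "$content" > "$tmp" ;;
            *) printf '%s' "$content" | base64 -d > "$tmp" 2>/dev/null ;;
        esac
    ) || { rm -f "$tmp"; echo "cannot decode content for $dest" >&2; return 1; }
    if ! head -n 1 "$tmp" | grep -q '^-----BEGIN '; then
        rm -f "$tmp"; echo "content for $dest is not PEM" >&2; return 1
    fi
    # If the wrapper runs as root but Neo4j does not, hand the file over.
    [ -z "${CERT_OWNER:-}" ] || chown "$CERT_OWNER" "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$dest"
}

install_certs() {
    mkdir -p "$CERT_DIR" || return 1
    write_pem "${APP_TLS_CA_CONTENT:-}"   "$CERT_DIR/ca.ca"       || return 1
    write_pem "${APP_TLS_CERT_CONTENT:-}" "$CERT_DIR/public.crt"  || return 1
    write_pem "${APP_TLS_KEY_CONTENT:-}"  "$CERT_DIR/private.key" || return 1
    # Keep the key material out of the environment Neo4j inherits.
    unset APP_TLS_CA_CONTENT APP_TLS_CERT_CONTENT APP_TLS_KEY_CONTENT
}

# Hand over to the image's own entrypoint; the guard lets the functions be
# exercised outside the image, where that script does not exist.
if [ -x /startup/docker-entrypoint.sh ]; then
    install_certs || exit 1
    exec /startup/docker-entrypoint.sh neo4j
fi
```

Unsetting the variables only affects the process environment handed to Neo4j; values passed with `docker run -e` remain visible in the container's configuration.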