OCI Container Deployment

OCI Container Deployment

This guide covers deploying TMI to Oracle Cloud Infrastructure (OCI) using container images built on Oracle Linux 9 with Oracle Autonomous Database (ADB) support.

Overview

TMI provides specialized container images for OCI deployment:

Container	Base Image	Purpose	Size
TMI Server	Oracle Linux 9	API server with Oracle ADB support	~737MB
Redis	Oracle Linux 9-slim	Cache and session storage	~272MB
TMI-UX	Oracle Linux 10-slim	Angular frontend (from tmi-ux repo)	~350MB

Key features:

• Oracle Instant Client 23ai - Native Oracle ADB connectivity via godror driver
• Security patches - Applied during container build
• CGO enabled - Required for Oracle database driver
• Multi-architecture - Supports both amd64 and arm64
• Multi-container support - TMI API and Redis run in a single instance for Free Tier optimization

Prerequisites

Required Tools

• Docker or Podman
• OCI CLI installed and configured
• Access to an OCI tenancy with Container Registry

OCI Resources

• Container Repository in OCI Container Registry
• Oracle Autonomous Database (for production)
• Auth Token for registry authentication

Quick Start

1. Set Environment Variables

# Required: Your container repository OCID
export CONTAINER_REPO_OCID="ocid1.containerrepo.oc1.<region>.0.<namespace>.<unique-id>"

# Optional: Override region (default: us-ashburn-1)
export OCI_REGION="us-ashburn-1"

2. Build Containers

# Build TMI server with Oracle ADB support
make build-container-oracle

# Build Redis on Oracle Linux
make build-container-redis-oracle

# Or build both at once
make build-containers-oracle

3. Authenticate with OCI Container Registry

# Get your tenancy namespace
NAMESPACE=$(oci os ns get --query 'data' --raw-output)

# Login to registry (requires Auth Token from OCI Console)
docker login <region>.ocir.io
# Username: <namespace>/<your-email>
# Password: <auth-token>

4. Push to Registry

# Push server image
docker push <region>.ocir.io/<namespace>/tmi:latest

# Push Redis image
docker push <region>.ocir.io/<namespace>/tmi-redis:latest

Or use the automated push:

make build-containers-oracle-push

Container Images

TMI Server (Dockerfile.server-oracle)

Multi-stage build:

1. Builder stage - Oracle Linux 9 with Go 1.25.6 and Oracle Instant Client
2. Runtime stage - Oracle Linux 9-slim with minimal dependencies

Features:

• Oracle Instant Client 23ai for ADB connectivity
• Built with -tags oracle for Oracle driver support
• Non-root user (tmi) for security
• Health check endpoint at /
• Wallet mount point at /wallet

Environment Variables:

Variable	Required	Description
TMI_DB_USER	Yes	Database username
TMI_DB_PASSWORD	Yes	Database password
TMI_ORACLE_CONNECT_STRING	Yes	TNS alias or Easy Connect string
TMI_ORACLE_WALLET_LOCATION	No	Wallet path (default: /wallet)

Redis (Dockerfile.redis-oracle)

Multi-stage build:

1. Builder stage - Compiles Redis 8.4.0 from source
2. Runtime stage - Oracle Linux 9-slim

Features:

• Redis 8.4.0 compiled from source
• Dangerous commands disabled by default (FLUSHDB, FLUSHALL, DEBUG)
• Non-root user (redis, UID 6379)
• Configurable via environment variables

Environment Variables:

Variable	Default	Description
REDIS_PASSWORD	(none)	Redis authentication password
REDIS_PORT	6379	Listen port
REDIS_PROTECTED_MODE	yes	Enable protected mode
REDIS_DISABLE_COMMANDS	FLUSHDB,FLUSHALL,DEBUG	Commands to disable

Build Script Options

The scripts/build-container-oracle.sh script provides flexible build options:

./scripts/build-container-oracle.sh [options]

Options:
  --component COMP      Component: server, redis, or all (default: server)
  --region REGION       OCI region (default: us-ashburn-1)
  --repo-ocid OCID      Container repository OCID (required)
  --tag TAG             Image tag (default: latest)
  --version VERSION     Version string (default: from .version file)
  --push                Push to OCI Container Registry
  --no-cache            Build without Docker cache
  --scan                Run security scan after build
  --help                Show help

Examples

# Build server only
./scripts/build-container-oracle.sh --component server

# Build and push Redis with security scan
./scripts/build-container-oracle.sh --component redis --push --scan

# Build all with custom tag
./scripts/build-container-oracle.sh --component all --tag v1.0.0 --push

Makefile Targets

Target	Description
build-container-oracle	Build TMI server container
build-container-oracle-push	Build and push server to OCI
build-container-redis-oracle	Build Redis container
build-container-redis-oracle-push	Build and push Redis to OCI
build-containers-oracle	Build both containers
build-containers-oracle-push	Build and push both to OCI

Running Containers Locally

TMI Server

docker run -p 8080:8080 \
  -v /path/to/wallet:/wallet:ro \
  -e TMI_DB_USER=your_user \
  -e TMI_DB_PASSWORD=your_password \
  -e TMI_ORACLE_CONNECT_STRING=your_tns_alias \
  -e REDIS_URL=redis://localhost:6379 \
  <region>.ocir.io/<namespace>/tmi:latest

Redis

docker run -p 6379:6379 \
  -e REDIS_PASSWORD=your_secure_password \
  -v redis-data:/var/lib/redis \
  <region>.ocir.io/<namespace>/tmi-redis:latest

Docker Compose Example

version: '3.8'

services:
  tmi:
    image: us-ashburn-1.ocir.io/<namespace>/tmi:latest
    ports:
      - "8080:8080"
    volumes:
      - ./wallet:/wallet:ro
    environment:
      - TMI_DB_USER=${DB_USER}
      - TMI_DB_PASSWORD=${DB_PASSWORD}
      - TMI_ORACLE_CONNECT_STRING=${ORACLE_TNS}
      - REDIS_URL=redis://:${REDIS_PASSWORD}@redis:6379
    depends_on:
      - redis

  redis:
    image: us-ashburn-1.ocir.io/<namespace>/tmi-redis:latest
    ports:
      - "6379:6379"
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD}
    volumes:
      - redis-data:/var/lib/redis

volumes:
  redis-data:

OCI Deployment

Terraform Deployment (Recommended)

The recommended way to deploy TMI to OCI is using the Terraform modules. See Terraform Deployment for complete instructions.

The Terraform deployment creates a multi-container architecture optimized for OCI Free Tier:

Container Instance #1: TMI API + Redis (combined)
Container Instance #2: TMI-UX (optional)
Load Balancer: Hostname-based routing

Manual Container Instances

For manual deployment using OCI Container Instances:

# Create combined TMI API + Redis container instance
oci container-instances container-instance create \
  --compartment-id <compartment-ocid> \
  --display-name tmi-api-redis \
  --availability-domain <ad> \
  --shape CI.Standard.E4.Flex \
  --shape-config '{"ocpus": 2, "memoryInGBs": 6}' \
  --containers '[
    {
      "imageUrl": "<region>.ocir.io/<namespace>/tmi:latest",
      "displayName": "tmi-server",
      "environmentVariables": {
        "TMI_DB_USER": "admin",
        "TMI_ORACLE_CONNECT_STRING": "tmi_high",
        "TMI_REDIS_URL": "redis://:password@localhost:6379"
      }
    },
    {
      "imageUrl": "<region>.ocir.io/<namespace>/tmi-redis:latest",
      "displayName": "redis",
      "environmentVariables": {
        "REDIS_PASSWORD": "your-redis-password"
      }
    }
  ]'

# Create TMI-UX container instance (optional)
oci container-instances container-instance create \
  --compartment-id <compartment-ocid> \
  --display-name tmi-ux \
  --availability-domain <ad> \
  --shape CI.Standard.E4.Flex \
  --shape-config '{"ocpus": 1, "memoryInGBs": 2}' \
  --containers '[{
    "imageUrl": "<region>.ocir.io/<namespace>/tmi-ux:latest",
    "displayName": "tmi-ux",
    "environmentVariables": {
      "PORT": "8080",
      "NODE_ENV": "production"
    }
  }]'

Kubernetes (OKE)

For Oracle Kubernetes Engine deployment, see Kubernetes Deployment.

Oracle Wallet Configuration

The TMI server requires an Oracle wallet for ADB authentication:

1. Download wallet from OCI Console (Autonomous Database > DB Connection > Download Wallet)
2. Extract to a directory
3. Mount as volume at /wallet

The wallet directory should contain:

• tnsnames.ora - TNS aliases
• sqlnet.ora - SQL*Net configuration
• cwallet.sso - Auto-login wallet

Security Considerations

Container Security

• Non-root users in all containers
• Security patches applied during build
• Minimal runtime dependencies
• Dangerous Redis commands disabled

Network Security

• Use OCI VCN security lists to restrict access
• Enable TLS for Redis in production
• Use OCI Vault for secrets management

Image Scanning

The build script supports Grype vulnerability scanning:

make build-container-oracle-push  # Includes --scan

Security reports are saved to security-reports/oracle-container/.

Troubleshooting

Authentication Errors

If you see 403 Forbidden when pushing:

1. Verify your Auth Token is valid
2. Check username format: <namespace>/<email>
3. Ensure repository exists in the correct compartment

Oracle Connection Issues

1. Verify wallet is mounted correctly
2. Check TNS alias matches tnsnames.ora
3. Ensure TNS_ADMIN points to wallet directory
4. Verify database user has required permissions

Build Failures

For architecture-related build errors:

• The Dockerfile auto-detects architecture (amd64/arm64)
• Ensure Docker buildx is available for cross-platform builds

TMI-UX Container

The TMI-UX frontend is built from a separate repository (tmi-ux). It uses:

• Base Image: Oracle Linux 10-slim
• Runtime: Node.js 22 LTS with Express.js
• Port: 8080
• Health Check: HTTP GET on /

Building TMI-UX for OCI

From the tmi-ux repository:

# Build the OCI-optimized container
docker build -f Dockerfile.oci -t tmi-ux:latest .

# Push to OCI Container Registry
docker tag tmi-ux:latest <region>.ocir.io/<namespace>/tmi-ux:latest
docker push <region>.ocir.io/<namespace>/tmi-ux:latest

Or use the provided script:

./scripts/push-oci.sh [tag]

TMI-UX Environment

The Angular application is built with the API URL baked in at build time. The OCI build uses environment.oci.ts:

apiUrl: 'https://api.tmi.dev',

If you need a different API URL, update src/environments/environment.oci.ts before building.

Related Documentation

• Terraform Deployment
• Deploying TMI Server
• Database Setup
• Setting Up Authentication
• Configuration Reference