Look at this my article where you will find some details, how to build Cache in docker on centos.

Instead of COPY and tar I would recommend using ADD command because it doing extract at the same time.

And for doing such build, you should have file cache-2017.1.3.317.0.18571-lnxrhx64.tar.gz close to the Dockerfile, or in the root of build context.

If you do build this way. Cache distributive should be in the current folder.

docker build .

But, you will face an issue with Storage Driver. It will look like, successful build but PROTECT error during startup. With previous versions of Docker it was possible to change Storage driver to aufs, but not with the latest version, where support for such driver already removed. There are some tricks on how to manage to work with it, but I would not recommend it.

Nowadays only IRIS 2019.1 works quite well in Docker with the default storage driver out of the box.

I usually prefer ways when I can automate as most as possible. So, I would suggest, to use simple export but, and automate it, as you already use %Installer to automate installation.

If you would like to do it with %Installer Manifiest, it is not going to be easy, unfortunately. CSPApplication there quite limited.

I can't just do it this way.

<CSPApplication Url="${CSPApp}" Directory="${CSPAppDir}" iKnowEnabled="yes"/>

You should first create simple csp application

<CSPApplication Url="${CSPApp}" Directory="${CSPAppDir}"/>

Add something like this method

ClassMethod EnableiKnow(pCSPName As %String = "") As %Status
{
  new $namespace
  znspace "%SYS"
  set props("iKnowEnabled")=1
  d ##class(Security.Applications).Modify(pCSPName,.props)
  quit $$$OK
}

But unfortunately, I also can't just call it from an installer, Invoke tag should be placed in Namespace tag. which is actually current namespace, but you should compute it first. This may help to declare a couple more default variables. Just place two first lines before your Installer generator

  do %code.WriteLine($c(9)_"set pVars(""CURRENTCLASS"")="""_%classname_"""")
  do %code.WriteLine($c(9)_"set pVars(""CURRENTNS"")=$namespace")
  quit ##class(%Installer.Manifest).%Generate(%compiledclass, %code, "setup")

And finally, you can add this to your installer. Place it after CSPApplication creation, but outside of Namespace tag.

<Namespace Name="${CURRENTNS}">
    <Invoke Class="${CURRENTCLASS}" Method="EnableiKnow" CheckStatus="true">
      <Arg Value="${CSPAPP}"/>
    </Invoke>
  </Namespace>

To activate OS authentication in your docker image, you can run this code, in %SYS namespace

Do ##class(Security.System).Get(,.p) Set p("AutheEnabled")=p("AutheEnabled")+16 Do ##class(Security.System).Modify(,.p)

If you work with community edition, you can use my image, where you can easily define also user and password for external use.

Running server

$ docker run -d --rm --name iris \
 -p 52773:52773 \
 -e IRIS_USER=test \
 -e IRIS_PASSWORD=test \
 daimor/intersystems-iris:2019.1.0S.111.0-community

Terminal connect

$ docker exec -it iris iris session iris

Node: 413a4da758e7, Instance: IRIS

USER>write $username
root
USER>write $roles
%All

Or with docker-compose, something like this

  iris:
    image: daimor/intersystems-iris:2019.1.0S.111.0-community
    ports:
      - 52773:52773
    environment:
      IRIS_USER: ${IRIS_PASSWORD:-test}
      IRIS_PASSWORD: ${IRIS_PASSWORD:-test}

You can extend UrlMap only by splitting routes

While in one class you have this

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>
<Route Url="/class/:namespace/:classname" Method="GET" Call="GetClass" Cors="true"/>
<Map Prefix="/something" Forward="Some.Your.Class"/>
</Routes>
}

You can add one more class, whic will work only with routes started with /something with

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>
<Route Url="/more" Method="GET" Call="More" Cors="true"/>
</Routes>
}

Where real route will be /something/more

  Set ht = ##class(%Net.HttpRequest).%New()
  Set ht.Server = "server"
  Do ht.SetParam("param1", "true")
  Do ht.SetHeader("myheader", "headervalue")
  Set tSC = ht.Get("/api/get", 1)

Look at the second parameter in the call of Get method, it is a test flag, helps to understand how your request will actually go

GET /api/get?param1=true HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; InterSystems IRIS;)
Host: server
Accept-Encoding: gzip
myheader: headervalue

Look at this code, it will do the same

  Set ht = ##class(%Net.HttpRequest).%New()
  Set ht.Server = "server"
  Do ht.SetParam("param1", "true")
  Do ht.SetHeader("myheader", "headervalue")
  Set ht.Location = "/api/get"
  Set tSC = ht.Get(, 1)

Or even this code

  Set ht = ##class(%Net.HttpRequest).%New()
  Do ht.SetHeader("myheader", "headervalue")
  Set tSC = ht.Get("http://server/api/get?param1=true", 1)

It would be better if you could provide some of your code.

You should not forget that WebSockets is still used the HTTP protocol, so, you should send some headers first.

Look at this my code, it uses plain OPEN, and I'm not sure if my example 100% correct, but works.

  set securityKey = $SYSTEM.Util.CreateGUID()
  set securityKey = $SYSTEM.Encryption.MD5Hash(securityKey)
  set securityKey = $SYSTEM.Encryption.Base64Encode(securityKey)

  set host = "echo.websocket.org"
  set url = "/"
  set port = 80

  set device = "|TCP|"_port
  Open device:(host:port:"SCWD"::8192:8192:/TCPNOXY)
  Use device

  Write "GET ",url," HTTP/1.1",!
  Write "Accept: */*",!
  Write "Host: ",host,!
  Write "Connection: Upgrade",!
  Write "Upgrade: websocket",!
  Write "Sec-WebSocket-Key: ",securityKey,!
  Write "Sec-WebSocket-Version: 13",!
  Write !,*-3
  
  Use device:(::"A":$char(13))
  Set fullResponse = ""
  Do {
    Set response = ""
    Read response:1
    Quit:'$test
    Set fullResponse = fullResponse_response_$char(13)
  } While $test

  Use 0
  Close device

  Write !!,fullResponse

In this case, it only reads the first response, which actually should be with HTTP headers as well. Something like this.

HTTP/1.1 101 Web Socket Protocol Handshake
Connection: Upgrade
Date: Tue, 05 Feb 2019 10:51:37 GMT
Sec-WebSocket-Accept: qU2IAmlBvnSoEctnti8lcbc4bVA=
Server: Kaazing Gateway
Upgrade: websocket

It does not contain the first portion of data, which some WebSocket servers may send after initial connect. But if your server sends it, you should see it at the and of response. If you have to send something before, you should do it after the first response, which says that connection established and you can send any data. But not any, it should be in binary format, more details you can find here. Any responses also decoded.

first of all, you have to check

docker logs iristest2

And while you trying to use durable %SYS, you look at IRIS log /nfs/IRIS/iconfig/mgr/message.log.

And as Jim already noticed, you have double dash when defining the variable ICM_SENTINEL_DIR

If you can edit this code, you can try change to this.

<Data name="DESCRIP_2"> <RetrievalCode> S {DESCRIP_2}=$P($G(^PHPROP({L1},"DESC_CODES")),"\",2) S {DESCRIP_2}=$S($L({DESCRIP_2}):$Get(^SEDMIHP($P({DESCRIP_2},","),$P({DESCRIP_2},",",2))),1:{DESCRIP_2}) S {DESCRIP_2}=$E({DESCRIP_2},1,80) </RetrievalCode> </Data>

But not sure, if this correct.

What I did there, is, wrapped retrieving data from global ^SEDMIHP with the function $Get()

Or this way, with the default value

<Data name="DESCRIP_2"> <RetrievalCode> S {DESCRIP_2}=$P($G(^PHPROP({L1},"DESC_CODES")),"\",2) S {DESCRIP_2}=$S($L({DESCRIP_2}):$Get(^SEDMIHP($P({DESCRIP_2},","),$P({DESCRIP_2},",",2)),{DESCRIP_2}),1:{DESCRIP_2}) S {DESCRIP_2}=$E({DESCRIP_2},1,80) </RetrievalCode> </Data>

Well, such an interesting topic, and also quite wide.

Ok, TWAIN, is an API for image sources, it can be scanner or photo camera. You just asking about working with TWAIN, without any explanation of how you are going to use it and what sort of devices you going to utilize.

So, I'll just share some of my experience. How I've used only scanners, different types and with different workflows.

• Server way. One or more stream document scanner (sorry don't know right term in English). Just any scanner which can work in network and configured to place all scans to some network folder or send my emails. Before sending some documents to this scanner, the operator should stick some barcode, on the title page, or on added empty first page. On the server side, we have used ABBYY Recognition Server, which just watches some folder, and can decode barcode and recognize text in the document, pack it in XML and place it in another folder. This folder was watched by Ensemble, where we searched for barcode in our system and placed this as an attachment to this document. With recognized text, we also are able to search documents in our system by the content of this document.
• Client way. The operator working with a personal scanner connected right to his machine. While our application web-based and the server is far from this scanner, we used only client resources to scan images. We used java-applet which worked directly with TWAIN sources, so operator just called some functionality right from our application after finishing the scan, it has appeared as an attachment in the document. But this case now has some issues due to limitations for JAVA plugins in modern browsers. But it is now possible to find some modern solutions which may help to get access to twain on modern browsers, you can just google it.

CACHE.DAT or IRIS.DAT, can only grow during normal work. But you can shrink it manually. But it is not as easy as it maybe sounds. And depends on version which you use, only past few versions were added with the compact tool. On very old versions you have to copy data from old database to thew new one.

You can read my articles, about internal structure of CACHE.DAT, just to know what is this inside. And about database with visualization, where you can see how to compact database, and how it actually works.

SSO, can be achieved in some different ways. It can work over OAuth2, NTLM, Kerberos, SAML and so on. In different projects, I have used Kerberos/NTLM and OAuth2. But real SSO was only with Kerberos. And when you already have LDAP Auth in your application, it will be quite easy to add SSO. But also depends on which OS and which WEB server you have. On Windows much easier to start with IIS while so difficult to find a working module for Apache. On Linux there is also could be a problem to find the latest version of the module which will work with the latest version of apache. But when you will manage to get it worked on web-server side, on Caché side, almost nothing to do left. When you get first unauthorized request, you should return back with status 401, and say which method of authentication you need through header WWW-Authenticate: NTLM. Then if web server managed to get username, it will send it by header REMOTE_USER. Of course, you will not get password, you just use this username and authorize session.