Axon.ivy Engine 8 could not start on OpenShift with DeploymentConfig

Question

Hi Ivy Team,

I'm trying to run Axon.ivy Engine on OpenShift, the first try with a Pod is working. Then I try to use DeploymentConfig to automate the Pod creation, it could not run because the running user didn't have permission on Axon.ivy Engine directory.

Here is the error detail:

<title>Invalid Configuration Location</title>The configuration area at '/usr/lib/axonivy-engine-8/?/.eclipse/1939981958_linux_gtk_x86_64/configuration' could not be created.  Please choose a writable location using the '-configuration' command line option.

I guest OpenShift runs Axon.ivy Engine by a different user than the one defined in Docker Image.

I think fixing the permission of /usr/lib/axonivy-engine-8 may solve the issue. By adding these line into Dockerfile

RUN chown -R ivy:root /usr/lib/axonivy-engine-8 && chmod 775 -R /usr/lib/axonivy-engine-8

Do you have any suggestion?

Update:

After fixing permission, I faced another issue, it's definitely related to OpenShift using different user.

java.lang.RuntimeException: Error initializing storage.
    at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:84)
    at org.eclipse.osgi.launch.Equinox.<init>(Equinox.java:34)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.startup(EclipseStarter.java:315)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:251)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:660)
    at org.eclipse.equinox.launcher.Main.basicRun(Main.java:597)
    at org.eclipse.equinox.launcher.Main.run(Main.java:1468)
    at org.eclipse.equinox.launcher.Main.main(Main.java:1441)
Caused by: java.io.IOException: Unable to create lock manager.
    at org.eclipse.osgi.storagemanager.StorageManager.open(StorageManager.java:713)
    at org.eclipse.osgi.storage.Storage.getChildStorageManager(Storage.java:2168)
    at org.eclipse.osgi.storage.Storage.getInfoInputStream(Storage.java:2185)
    at org.eclipse.osgi.storage.Storage.<init>(Storage.java:241)
    at org.eclipse.osgi.storage.Storage.createStorage(Storage.java:176)
    at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:82)
    ... 11 more
An error has occurred. See the log file
null.

Answer 1

1

We are creating a user and a group called ivy with id 1000, which seems best practice. Running a container in priviledge mode or changing folders for root access is not recommended at all.

I'm not familiar with OpenShift, do you have any docs about users and group in OpenShift?

link

answered 19.06.2020 at 01:42

Alex Suter ♦♦
3.1k●12●22●47
accept rate: 84%

I found the cause, OpenShift use Arbitrary User with un-predictable UID, this user has group root, I could fix this issue by using chown to ivy:root and chmod to 775 the following directories:

/usr/lib/axonivy-engine-8
/var/lib/axonivy-engine-8
/var/log/axonivy-engine-8
/var/cache/axonivy-engine-8
/etc/axonivy-engine-8

I think the better fix could go in Debian package and Dockerfile by set the owner to ivy:root and permission to 775 for all Ivy related directories.

(19.06.2020 at 01:52) vinh_

This is in my opinion definitively no option! This is a security risk. Especially for the Debian package. If you have any docs about what is common practice, we will apply this to the image, but I think you may not use OpenShift the right way?

(19.06.2020 at 01:58) Alex Suter ♦♦

the root group is what OpenShift recommend in its image creation guideline, you could find reference in the URL bellow:

https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/creating_images/creating-images-guidelines

The default behavior of OpenShift is always creating Arbitrary User ID to prevent container escape and privilege escalation.

(19.06.2020 at 02:03) vinh_

Thank you for this link, in the doc is stated

RUN chgrp -R 0 /some/directory && \
    chmod -R g+rwX /some/directory

This seems only to be necessary for OpenShift environment but not for docker and for Kubernetes environment. So we won't apply this to our image. You need to create your own image which is based on the official Axon.ivy Engine image. Then you can apply these changes to the directories.

(19.06.2020 at 02:09) Alex Suter ♦♦

1

Thanks Alex, this is what I'm doing right now, I may build the image from scratch base on official Axon.ivy Engine Dockerfile to reduce the image size (you know the files are duplicated only for changing permission).

(19.06.2020 at 02:11) vinh_

Yes, this is anyway a good approach! So you can take as base image whatever you want to take!

(19.06.2020 at 02:40) Alex Suter ♦♦

showing 5 of 6 show 1 more comments

Axon.ivy Engine 8 could not start on OpenShift with DeploymentConfig

Follow this question

Related questions