Hi Ivy Team,

I'm trying to run Axon.ivy Engine on OpenShift, the first try with a Pod is working. Then I try to use DeploymentConfig to automate the Pod creation, it could not run because the running user didn't have permission on Axon.ivy Engine directory.

Here is the error detail:

<title>Invalid Configuration Location</title>The configuration area at '/usr/lib/axonivy-engine-8/?/.eclipse/1939981958_linux_gtk_x86_64/configuration' could not be created.  Please choose a writable location using the '-configuration' command line option.

I guest OpenShift runs Axon.ivy Engine by a different user than the one defined in Docker Image.

I think fixing the permission of /usr/lib/axonivy-engine-8 may solve the issue. By adding these line into Dockerfile

RUN chown -R ivy:root /usr/lib/axonivy-engine-8 && chmod 775 -R /usr/lib/axonivy-engine-8

Do you have any suggestion?


After fixing permission, I faced another issue, it's definitely related to OpenShift using different user.

java.lang.RuntimeException: Error initializing storage.
    at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:84)
    at org.eclipse.osgi.launch.Equinox.<init>(Equinox.java:34)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.startup(EclipseStarter.java:315)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:251)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:660)
    at org.eclipse.equinox.launcher.Main.basicRun(Main.java:597)
    at org.eclipse.equinox.launcher.Main.run(Main.java:1468)
    at org.eclipse.equinox.launcher.Main.main(Main.java:1441)
Caused by: java.io.IOException: Unable to create lock manager.
    at org.eclipse.osgi.storagemanager.StorageManager.open(StorageManager.java:713)
    at org.eclipse.osgi.storage.Storage.getChildStorageManager(Storage.java:2168)
    at org.eclipse.osgi.storage.Storage.getInfoInputStream(Storage.java:2185)
    at org.eclipse.osgi.storage.Storage.<init>(Storage.java:241)
    at org.eclipse.osgi.storage.Storage.createStorage(Storage.java:176)
    at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:82)
    ... 11 more
An error has occurred. See the log file

asked 18.06.2020 at 21:10

vinh_'s gravatar image

accept rate: 40%

edited 18.06.2020 at 23:00

We are creating a user and a group called ivy with id 1000, which seems best practice. Running a container in priviledge mode or changing folders for root access is not recommended at all.

I'm not familiar with OpenShift, do you have any docs about users and group in OpenShift?


answered 19.06.2020 at 01:42

Alex%20Suter's gravatar image

Alex Suter ♦♦
accept rate: 84%

I found the cause, OpenShift use Arbitrary User with un-predictable UID, this user has group root, I could fix this issue by using chown to ivy:root and chmod to 775 the following directories:

  • /usr/lib/axonivy-engine-8
  • /var/lib/axonivy-engine-8
  • /var/log/axonivy-engine-8
  • /var/cache/axonivy-engine-8
  • /etc/axonivy-engine-8

I think the better fix could go in Debian package and Dockerfile by set the owner to ivy:root and permission to 775 for all Ivy related directories.

(19.06.2020 at 01:52) vinh_ vinh_'s gravatar image

This is in my opinion definitively no option! This is a security risk. Especially for the Debian package. If you have any docs about what is common practice, we will apply this to the image, but I think you may not use OpenShift the right way?

(19.06.2020 at 01:58) Alex Suter ♦♦ Alex%20Suter's gravatar image

the root group is what OpenShift recommend in its image creation guideline, you could find reference in the URL bellow:


The default behavior of OpenShift is always creating Arbitrary User ID to prevent container escape and privilege escalation.

(19.06.2020 at 02:03) vinh_ vinh_'s gravatar image

Thank you for this link, in the doc is stated

RUN chgrp -R 0 /some/directory && \
    chmod -R g+rwX /some/directory

This seems only to be necessary for OpenShift environment but not for docker and for Kubernetes environment. So we won't apply this to our image. You need to create your own image which is based on the official Axon.ivy Engine image. Then you can apply these changes to the directories.

(19.06.2020 at 02:09) Alex Suter ♦♦ Alex%20Suter's gravatar image

Thanks Alex, this is what I'm doing right now, I may build the image from scratch base on official Axon.ivy Engine Dockerfile to reduce the image size (you know the files are duplicated only for changing permission).

(19.06.2020 at 02:11) vinh_ vinh_'s gravatar image

Yes, this is anyway a good approach! So you can take as base image whatever you want to take!

(19.06.2020 at 02:40) Alex Suter ♦♦ Alex%20Suter's gravatar image
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 18.06.2020 at 21:10

Seen: 2,820 times

Last updated: 19.06.2020 at 02:40