Hi Ivy Team,

I'm trying to run Axon.ivy Engine on OpenShift; the first try with a Pod is working. Then I tried to use a DeploymentConfig to automate the Pod creation, and it could not run because the running user didn't have permission on the Axon.ivy Engine directory.

Here is the error detail:

<title>Invalid Configuration Location</title>The configuration area at '/usr/lib/axonivy-engine-8/?/.eclipse/1939981958_linux_gtk_x86_64/configuration' could not be created.  Please choose a writable location using the '-configuration' command line option.

I guess OpenShift runs Axon.ivy Engine as a different user than the one defined in the Docker image.

I think fixing the permissions of /usr/lib/axonivy-engine-8 may solve the issue, by adding this line to the Dockerfile:

RUN chown -R ivy:root /usr/lib/axonivy-engine-8 && chmod 775 -R /usr/lib/axonivy-engine-8

Do you have any suggestion?

Update:

After fixing the permissions, I faced another issue; it's definitely related to OpenShift using a different user.

java.lang.RuntimeException: Error initializing storage.
    at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:84)
    at org.eclipse.osgi.launch.Equinox.<init>(Equinox.java:34)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.startup(EclipseStarter.java:315)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:251)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:660)
    at org.eclipse.equinox.launcher.Main.basicRun(Main.java:597)
    at org.eclipse.equinox.launcher.Main.run(Main.java:1468)
    at org.eclipse.equinox.launcher.Main.main(Main.java:1441)
Caused by: java.io.IOException: Unable to create lock manager.
    at org.eclipse.osgi.storagemanager.StorageManager.open(StorageManager.java:713)
    at org.eclipse.osgi.storage.Storage.getChildStorageManager(Storage.java:2168)
    at org.eclipse.osgi.storage.Storage.getInfoInputStream(Storage.java:2185)
    at org.eclipse.osgi.storage.Storage.<init>(Storage.java:241)
    at org.eclipse.osgi.storage.Storage.createStorage(Storage.java:176)
    at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:82)
    ... 11 more
An error has occurred. See the log file
null.

asked 18.06 at 21:10

vinh_

edited 18.06 at 23:00


We are creating a user and a group called ivy with id 1000, which seems to be best practice. Running a container in privileged mode or changing folders for root access is not recommended at all.

I'm not familiar with OpenShift; do you have any docs about users and groups in OpenShift?


answered 19.06 at 01:42

Alex Suter

I found the cause: OpenShift uses an arbitrary user with an unpredictable UID, and this user has the group root. I could fix this issue by using chown to ivy:root and chmod to 775 on the following directories:

  • /usr/lib/axonivy-engine-8
  • /var/lib/axonivy-engine-8
  • /var/log/axonivy-engine-8
  • /var/cache/axonivy-engine-8
  • /etc/axonivy-engine-8

I think the better fix could go into the Debian package and Dockerfile by setting the owner to ivy:root and the permissions to 775 for all Ivy-related directories.

(19.06 at 01:52) vinh_

This is in my opinion definitely not an option! This is a security risk, especially for the Debian package. If you have any docs about what is common practice, we will apply this to the image, but I think you may not be using OpenShift the right way?

(19.06 at 01:58) Alex Suter

The root group is what OpenShift recommends in its image creation guidelines; you can find the reference at the URL below:

https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/creating_images/creating-images-guidelines

The default behavior of OpenShift is to always create an arbitrary user ID to prevent container escape and privilege escalation.

(19.06 at 02:03) vinh_

Thank you for this link. In the doc it is stated:

RUN chgrp -R 0 /some/directory && \
    chmod -R g+rwX /some/directory

This seems to be necessary only for the OpenShift environment, but not for Docker and Kubernetes environments. So we won't apply this to our image. You need to create your own image which is based on the official Axon.ivy Engine image. Then you can apply these changes to the directories.

(19.06 at 02:09) Alex Suter
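As an added example (not from this thread and not part of the Axon.ivy project), a preflight script for a derived image built as suggested above: it verifies that each engine directory is group-owned by GID 0 and group-writable, which is exactly what the documented `chgrp -R 0 && chmod -R g+rwX` produces and what an arbitrary UID in the root group needs. It assumes GNU coreutils (`stat -c`) and uses the directory list vinh_ posted; the `IVY_PREFLIGHT` variable and the function names are this example's own.

```shell
#!/bin/sh
# Preflight check for OpenShift "arbitrary user ID" compatibility.
# OpenShift runs the container as a random UID whose group is root (GID 0),
# so every directory the engine writes to must be owned by group 0 and
# carry g+rwX, the result of the documented
#   RUN chgrp -R 0 /some/directory && chmod -R g+rwX /some/directory
# Assumes GNU coreutils (stat -c). Directory list taken from the thread.

IVY_DIRS="/usr/lib/axonivy-engine-8 /var/lib/axonivy-engine-8 \
/var/log/axonivy-engine-8 /var/cache/axonivy-engine-8 /etc/axonivy-engine-8"

# check_dir DIR [GID]: returns 0 if DIR is group-owned by GID (default 0)
# and the group has rwx (or rws, setgid); otherwise prints why and returns 1.
check_dir() {
    dir=$1
    want_gid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    gid=$(stat -c '%g' "$dir")
    # group triplet of the mode string, e.g. chars 5-7 of "drwxrwxr-x"
    gbits=$(stat -c '%A' "$dir" | cut -c5-7)
    if [ "$gid" != "$want_gid" ]; then
        echo "BADGROUP $dir (gid $gid, want $want_gid)"
        return 1
    fi
    case "$gbits" in
        rw[xs]) echo "OK       $dir"; return 0 ;;
        *)      echo "BADMODE  $dir (group bits '$gbits', want rwx)"; return 1 ;;
    esac
}

# check_all [GID]: checks every directory in IVY_DIRS and returns the number
# of failures; 0 means the image is ready to run under an arbitrary UID.
check_all() {
    fail=0
    for d in $IVY_DIRS; do
        check_dir "$d" "${1:-0}" || fail=$((fail + 1))
    done
    return "$fail"
}

# Run the full check only when explicitly asked, e.g. inside the container:
#   IVY_PREFLIGHT=1 sh preflight.sh
if [ "${IVY_PREFLIGHT:-0}" = 1 ]; then
    check_all "$@"
fi
```

Running it in the final image (or as a build step after the chgrp/chmod layer) turns the "Unable to create lock manager" failure seen above into a clear per-directory report before deployment.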

Thanks Alex, this is what I'm doing right now. I may build the image from scratch based on the official Axon.ivy Engine Dockerfile to reduce the image size (you know, the files are duplicated only for changing permissions).

(19.06 at 02:11) vinh_

Yes, this is anyway a good approach! So you can take as base image whatever you want to take!

(19.06 at 02:40) Alex Suter
Asked: 18.06 at 21:10

Seen: 254 times

Last updated: 19.06 at 02:40