[jira] [Commented] (IGNITE-17032) Apache Ignite Docker container does not run correctly if image is run in read only file system mode

[Petar Tonkovic (Jira)]

    [ 
https://issues.apache.org/jira/browse/IGNITE-17032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17563331#comment-17563331
 ] 

Petar Tonkovic commented on IGNITE-17032:
-----------------------------------------

Hi [~slukyanov],

Thanks for your comment. Indeed, we have already discovered the workaround with 
mounting the tmp folder in the yaml definition:

 
{code:java}
volumeMounts:       
- name: temp-vol
  mountPath: /tmp
  readOnly: false{code}
 

However, it might be a nice improvement to have everything working out of the 
box as we lost quite some time finding the workaround ourselves and it was not 
quite obvious.

Regarding the writable disk, sure Ignite needs to write on disk, but again 
usually you provide it the mount which is able to be written to do so, which is 
hopefully not in the installation folder. :)

In many cases Kubernetes clusters provided by company infrastructure teams 
enforce that the images are run with this read only file system flag as part of 
their security requirements and it makes total sense:
 # You prepare your installation file system pre-deployment with your Docker 
file by building it in the required image;
 # After said image is ran, there is no room for any kind of malicious software 
doing any kind of injections in your pods.

My company has exactly this security policy enforced and I have struggled a lot 
with various software that tries to write some temp files in the installation 
folder or something similar when trying to deploy it in a container. They 
either forget to let you set the log path somehow (usually via environment 
variable) and then connect it to a volume mount that is read/write.

I can imagine that these security measures might be a common occurrence in the 
industry, so could be a nice improvement. Thank you for looking into it.

P.S. We have noticed the same script being used in the web console agent (we 
used the one from GridGain, not sure if it is the case with the vanilla one as 
well), just FYI.

> Apache Ignite Docker container does not run correctly if image is run in read 
> only file system mode
> ---------------------------------------------------------------------------------------------------
>
>                 Key: IGNITE-17032
>                 URL: https://issues.apache.org/jira/browse/IGNITE-17032
>             Project: Ignite
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 2.13
>            Reporter: Petar Tonkovic
>            Priority: Major
>
> When following the Kubernetes deployment tutorials (online: 
> https://ignite.apache.org/docs/latest/installation/kubernetes/azure-deployment,
>  youtube: [https://youtu.be/38YgdAOs038]), trying to run the official docker 
> image () with the --read-only flag is causing errors:
> /opt/ignite/apache-ignite/bin/include/functions.sh: line 52: cannot create 
> temp file for here-document: Read-only file system
> /opt/ignite/apache-ignite/bin/include/functions.sh: line 85: [: -lt: unary 
> operator expected2022-05-25T14:27:34.504369604+02:00
>  
> Since most managed company Kubernetes clusters enforce this read-only flag as 
> a security requirement, it would be good to look into these errors.
>  
> Later on, we get the following error on starting up:
> class org.apache.ignite.IgniteException: Failed to instantiate Spring XML 
> application context (make sure all classes used in Spring configuration are 
> present at CLASSPATH) [springUrl=file:/ignite/config/node-configuration.xml]
> at 
> org.apache.ignite.internal.util.IgniteUtils.convertException(IgniteUtils.java:1135)
> at org.apache.ignite.Ignition.start(Ignition.java:356)
> at 
> org.apache.ignite.startup.cmdline.CommandLineStartup.main(CommandLineStartup.java:365)
> Caused by: class org.apache.ignite.IgniteCheckedException: Failed to 
> instantiate Spring XML application context (make sure all classes used in 
> Spring configuration are present at CLASSPATH) 
> [springUrl=file:/ignite/config/node-configuration.xml]
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.applicationContext(IgniteSpringHelperImpl.java:364)
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.loadConfigurations(IgniteSpringHelperImpl.java:102)
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.loadConfigurations(IgniteSpringHelperImpl.java:96)
> at 
> org.apache.ignite.internal.IgnitionEx.loadConfigurations(IgnitionEx.java:729)2022-05-25T14:27:34.916588365+02:00
> at org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:930)
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:839)2022-05-25T14:27:34.916609431+02:00
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:709)2022-05-25T14:27:34.916622089+02:00
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:678)2022-05-25T14:27:34.916636146+02:00
> at 
> org.apache.ignite.Ignition.start(Ignition.java:353)2022-05-25T14:27:34.916650122+02:00
> ... 1 more2022-05-25T14:27:34.916671644+02:00
> Caused by: org.springframework.beans.factory.BeanCreationException: Error 
> creating bean with name 
> 'org.apache.ignite.configuration.IgniteConfiguration#0' defined in URL 
> [file:/ignite/config/node-configuration.xml|file://ignite/config/node-configuration.xml]:
>  Cannot create inner bean 
> 'org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi#56ef9176' of type 
> [org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi] while setting bean 
> property 'discoverySpi'; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating bean 
> with name 'org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi#56ef9176' 
> defined in URL 
> [file:/ignite/config/node-configuration.xml|file://ignite/config/node-configuration.xml]:
>  Cannot create inner bean 
> 'org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder#13805618'
>  of type 
> [org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder]
>  while setting bean property 'ipFinder'; nested exception is 
> org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find 
> class 
> [org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder]
>  for bean with name 
> 'org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder#13805618'
>  defined in URL 
> [file:/ignite/config/node-configuration.xml|file://ignite/config/node-configuration.xml];
>  nested exception is java.lang.ClassNotFoundException: 
> org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder
> at 
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:389)
> at 
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:127)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1702)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1447)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:593)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:516)2022-05-25T14:27:34.916861927+02:00
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:324)2022-05-25T14:27:34.916874946+02:00
> at 
> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)2022-05-25T14:27:34.916887763+02:00
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:322)2022-05-25T14:27:34.916901908+02:00
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)2022-05-25T14:27:34.916915941+02:00
> at 
> org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:897)
> at 
> org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:879)2022-05-25T14:27:34.916955867+02:00
> at 
> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:551)2022-05-25T14:27:34.916968468+02:00
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.applicationContext(IgniteSpringHelperImpl.java:358)2022-05-25T14:27:34.916982593+02:00
> ... 9 more2022-05-25T14:27:34.916995138+02:00
> Caused by: org.springframework.beans.factory.BeanCreationException: Error 
> creating bean with name 
> 'org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi#56ef9176' defined in URL 
> [file:/ignite/config/node-configuration.xml|file://ignite/config/node-configuration.xml]:
>  Cannot create inner bean 
> 'org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder#13805618'
>  of type 
> [org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder]
>  while setting bean property 'ipFinder'; nested exception is 
> org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find 
> class 
> [org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder]
>  for bean with name 
> 'org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder#13805618'
>  defined in URL 
> [file:/ignite/config/node-configuration.xml|file://ignite/config/node-configuration.xml];
>  nested exception is java.lang.ClassNotFoundException: 
> org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder
> at 
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:389)
> at 
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:127)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1702)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1447)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:593)2022-05-25T14:27:34.917162095+02:00
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:516)
> at 
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:374)
> ... 22 more2022-05-25T14:27:34.917205915+02:00
> Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: 
> Cannot find class 
> [org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder]
>  for bean with name 
> 'org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder#13805618'
>  defined in URL 
> [file:/ignite/config/node-configuration.xml|file://ignite/config/node-configuration.xml];
>  nested exception is java.lang.ClassNotFoundException: 
> org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1486)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:488)
> at 
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:374)
> ... 28 more2022-05-25T14:27:34.917347412+02:00
> Caused by: java.lang.ClassNotFoundException: 
> org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder
> at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> at java.lang.Class.forName0(Native Method)
> at java.lang.Class.forName(Class.java:348)
> at org.springframework.util.ClassUtils.forName(ClassUtils.java:284)
> at 
> org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:469)
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.doResolveBeanClass(AbstractBeanFactory.java:1551)2022-05-25T14:27:34.917546706+02:00
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1478)2022-05-25T14:27:34.917560811+02:00
> ... 30 more2022-05-25T14:27:34.917573534+02:00
> Failed to start grid: Failed to instantiate Spring XML application context 
> (make sure all classes used in Spring configuration are present at CLASSPATH) 
> [springUrl=file:/ignite/config/node-configuration.xml]
>  
> It seems to be connected, as running the image without the --read-only flag 
> works just fine.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)