[jira] [Commented] (IGNITE-17032) Apache Ignite Docker container does not run correctly if image is run in read only file system mode

2022-07-06 Thread Petar Tonkovic (Jira) 


[ 
https://issues.apache.org/jira/browse/IGNITE-17032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17563331#comment-17563331
 ] 

Petar Tonkovic commented on IGNITE-17032:
-

Hi [~slukyanov],

Thanks for your comment. Indeed, we have already discovered the workaround with 
mounting the tmp folder in the yaml definition:

 
{code:java}
volumeMounts:       
- name: temp-vol
  mountPath: /tmp
  readOnly: false{code}
 

However, it might be a nice improvement to have everything working out of the 
box as we lost quite some time finding the workaround ourselves and it was not 
quite obvious.

Regarding the writable disk, sure Ignite needs to write on disk, but again 
usually you provide it the mount which is able to be written to do so, which is 
hopefully not in the installation folder. :)

In many cases Kubernetes clusters provided by company infrastructure teams 
enforce that the images are run with this read only file system flag as part of 
their security requirements and it makes total sense:
 # You prepare your installation file system pre-deployment with your Docker 
file by building it in the required image;
 # After said image is ran, there is no room for any kind of malicious software 
doing any kind of injections in your pods.

My company has exactly this security policy enforced and I have struggled a lot 
with various software that tries to write some temp files in the installation 
folder or something similar when trying to deploy it in a container. They 
either forget to let you set the log path somehow (usually via environment 
variable) and then connect it to a volume mount that is read/write.

I can imagine that these security measures might be a common occurrence in the 
industry, so could be a nice improvement. Thank you for looking into it.

P.S. We have noticed the same script being used in the web console agent (we 
used the one from GridGain, not sure if it is the case with the vanilla one as 
well), just FYI.

> Apache Ignite Docker container does not run correctly if image is run in read 
> only file system mode
> ---
>
> Key: IGNITE-17032
> URL: https://issues.apache.org/jira/browse/IGNITE-17032
> Project: Ignite
>  Issue Type: Bug
>  Components: build
>Affects Versions: 2.13
>Reporter: Petar Tonkovic
>Priority: Major
>
> When following the Kubernetes deployment tutorials (online: 
> https://ignite.apache.org/docs/latest/installation/kubernetes/azure-deployment,
>  youtube: [https://youtu.be/38YgdAOs038]), trying to run the official docker 
> image () with the --read-only flag is causing errors:
> /opt/ignite/apache-ignite/bin/include/functions.sh: line 52: cannot create 
> temp file for here-document: Read-only file system
> /opt/ignite/apache-ignite/bin/include/functions.sh: line 85: [: -lt: unary 
> operator expected2022-05-25T14:27:34.504369604+02:00
>  
> Since most managed company Kubernetes clusters enforce this read-only flag as 
> a security requirement, it would be good to look into these errors.
>  
> Later on, we get the following error on starting up:
> class org.apache.ignite.IgniteException: Failed to instantiate Spring XML 
> application context (make sure all classes used in Spring configuration are 
> present at CLASSPATH) [springUrl=file:/ignite/config/node-configuration.xml]
> at 
> org.apache.ignite.internal.util.IgniteUtils.convertException(IgniteUtils.java:1135)
> at org.apache.ignite.Ignition.start(Ignition.java:356)
> at 
> org.apache.ignite.startup.cmdline.CommandLineStartup.main(CommandLineStartup.java:365)
> Caused by: class org.apache.ignite.IgniteCheckedException: Failed to 
> instantiate Spring XML application context (make sure all classes used in 
> Spring configuration are present at CLASSPATH) 
> [springUrl=file:/ignite/config/node-configuration.xml]
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.applicationContext(IgniteSpringHelperImpl.java:364)
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.loadConfigurations(IgniteSpringHelperImpl.java:102)
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.loadConfigurations(IgniteSpringHelperImpl.java:96)
> at 
> org.apache.ignite.internal.IgnitionEx.loadConfigurations(IgnitionEx.java:729)2022-05-25T14:27:34.916588365+02:00
> at org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:930)
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:839)2022-05-25T14:27:34.916609431+02:00
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:709)2022-05-25T14:27:34.916622089+02:00
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:678)2022-05-25T14:27:34.916636146+02:00
> at 
>

[jira] [Commented] (IGNITE-17032) Apache Ignite Docker container does not run correctly if image is run in read only file system mode

2022-07-06 Thread Stanislav Lukyanov (Jira) 


[ 
https://issues.apache.org/jira/browse/IGNITE-17032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17563063#comment-17563063
 ] 

Stanislav Lukyanov commented on IGNITE-17032:
-

Thanks for reporting [~tonkovic].

TLDR: this is fixable, and I think there is a workaround - see it at the end of 
the comment.

My first read of this was - well, Ignite should normally be used with a 
writable disk, so "Not an issue".

BUT reading the second time I realized that the problem is that we're trying to 
write into the *root* volume. We shouldn't do that.

 

Apparently, the thing that doesn't work is the following line
```
version=$(awk -F[\"\.] '{print $2}' <<< ${version})
```
In particular, the `<<<` is at fault.

Turns out, in Bash the `<<<` ("here-string") is implemented via `<<` 
("here-document") which is in turn implemented via temp files. The root file 
system is read-only, hence `/tmp` is also read-only, hence `<<` and `<<<` can't 
work. You learn something new everyday, don't you? 
[This](https://stackoverflow.com/questions/2500436/how-does-cat-eof-work-in-bash)
 explains it.

I'm quite surprised that basic Bash syntax can be unfriendly to cloud but here 
we are.

Two things we should do (each of them will suffice, but I'd do both):

1. Get rid of the `<<<` and `<<` in the scripts, just in case.

2. Mount `/tmp` as tmpfs. It should always be tmpfs in all environments, for 
many good reasons. I'm a bit surprised it's not tmpfs now, and I'd certainly 
change that. The question is whether we can and should do this right in the 
Dockerfile, or ask everyone to mount `/tmp` as tmpfs when running. The latter 
requires at least docs changes.

As a workaround, I think running the container with an [explicit tmpfs 
mount](https://stackoverflow.com/questions/34698620/docker-and-volatile-volumes-ala-tmp)
 will do the trick:
```
docker run --tmpfs /tmp ...
```

Disclaimer: I haven't got my hands dirty yet, so all of the above needs to be 
confirmed with tests.

> Apache Ignite Docker container does not run correctly if image is run in read 
> only file system mode
> ---
>
> Key: IGNITE-17032
> URL: https://issues.apache.org/jira/browse/IGNITE-17032
> Project: Ignite
>  Issue Type: Bug
>  Components: build
>Affects Versions: 2.13
>Reporter: Petar Tonkovic
>Priority: Major
>
> When following the Kubernetes deployment tutorials (online: 
> https://ignite.apache.org/docs/latest/installation/kubernetes/azure-deployment,
>  youtube: [https://youtu.be/38YgdAOs038]), trying to run the official docker 
> image () with the --read-only flag is causing errors:
> /opt/ignite/apache-ignite/bin/include/functions.sh: line 52: cannot create 
> temp file for here-document: Read-only file system
> /opt/ignite/apache-ignite/bin/include/functions.sh: line 85: [: -lt: unary 
> operator expected2022-05-25T14:27:34.504369604+02:00
>  
> Since most managed company Kubernetes clusters enforce this read-only flag as 
> a security requirement, it would be good to look into these errors.
>  
> Later on, we get the following error on starting up:
> class org.apache.ignite.IgniteException: Failed to instantiate Spring XML 
> application context (make sure all classes used in Spring configuration are 
> present at CLASSPATH) [springUrl=file:/ignite/config/node-configuration.xml]
> at 
> org.apache.ignite.internal.util.IgniteUtils.convertException(IgniteUtils.java:1135)
> at org.apache.ignite.Ignition.start(Ignition.java:356)
> at 
> org.apache.ignite.startup.cmdline.CommandLineStartup.main(CommandLineStartup.java:365)
> Caused by: class org.apache.ignite.IgniteCheckedException: Failed to 
> instantiate Spring XML application context (make sure all classes used in 
> Spring configuration are present at CLASSPATH) 
> [springUrl=file:/ignite/config/node-configuration.xml]
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.applicationContext(IgniteSpringHelperImpl.java:364)
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.loadConfigurations(IgniteSpringHelperImpl.java:102)
> at 
> org.apache.ignite.internal.util.spring.IgniteSpringHelperImpl.loadConfigurations(IgniteSpringHelperImpl.java:96)
> at 
> org.apache.ignite.internal.IgnitionEx.loadConfigurations(IgnitionEx.java:729)2022-05-25T14:27:34.916588365+02:00
> at org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:930)
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:839)2022-05-25T14:27:34.916609431+02:00
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:709)2022-05-25T14:27:34.916622089+02:00
> at 
> org.apache.ignite.internal.IgnitionEx.start(IgnitionEx.java:678)2022-05-25T14:27:34.916636146+02:00
> at 
>