Closed ghost closed 5 years ago
Hi Stephen,
Could you give the procedure to reproduce this issue? Does it work on pure docker? What is the docker image? We have tested the container on OpenShift. It seems the error raised is a permission issue. What is the user used to run the docker? (it should be 1001)
Hi Laurent,
Thank you for your response.
Open OpenShift Origin web console.
Click on existing Project.
Click Add to Project, and select Deploy Image.
For Image Name, enter “ibmcom/odm:8.10”, search for the image.
Enter Environmental Variable with name of “LICENSE” and value of “accept”.
Click Deploy.
The status comes back as Crash Loop Back-off, and here are the error messages from the log:
JVMSHRC155E Error copying username into cache name
JVMSHRC686I Failed to startup shared class cache. Continue without using it as -Xshareclasses:nonfatal is specified
CWWKE0005E: The runtime environment could not be launched.
CWWKE0044E: There is no write permission for server directory /opt/ibm/wlp/output/defaultServer/workarea
We haven’t changed anything on the image, and am not sure how to check which user id it is running under. I’m working to get access to a server running pure docker, so can test running there. Will let you know the results when we can complete that step.
Just so you know, I have experience running ODM on z/OS, Liberty, and JBoss, but this is the first time I have tried running in a container or used OpenShift. Am also reaching out to resources in my company (like Amit) who have run ODM in a container before. I think previously he had got an older version running in pure docker, but not sure if he has tried running this in OpenShift before.
From: Laurent GRATEAU [mailto:notifications@github.com] Sent: Friday, April 12, 2019 8:42 AM To: ODMDev/odm-ondocker Cc: St Peter, Stephen L; Author Subject: Re: [ODMDev/odm-ondocker] Unable to Run in OpenShift (#205)
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/ODMDev/odm-ondocker/issues/205#issuecomment-482559912, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AvQvfe5_1Z4lftS-uR-9SaucNuRgxcgGks5vgH8lgaJpZM4cr6Jr.
This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
The pod was run as user 1020390000.
I think previously he had got an older version running in pure docker, but not sure if he has tried running this in OpenShift before
That was built on pure docker and ran on OpenShift with a permissions fix.
Thanks,
Amit Dixit | Optum Technology Claims Highway +91-124-382-0412 amit_dixit1@optum.com www.optum.com
"There are no problems, Just solutions."
From: St Peter, Stephen L Sent: Friday, April 12, 2019 10:25 AM To: ODMDev/odm-ondocker; ODMDev/odm-ondocker Cc: Author; Dixit, Amit; Marquez, Jesus M Subject: RE: [ODMDev/odm-ondocker] Unable to Run in OpenShift (#205)
You could not proceed like that in the Web Console.
We have put deployment documentation for the ODM commercial offering here: https://github.com/dbamc/cert-kubernetes/blob/master/ODM/platform/README_Openshift.md If you have an ODM contract you can follow this documentation. I will try to write instructions as soon as possible for the free ODM docker image edition.
I have successfully installed odm in minishift with your procedure:
Thanks. Have tested the image in Docker, and works as expected there. Have tried opening up the permissions, and created a new image, but is still not working in OpenShift Origins. Will keep working on this on Monday. Am assuming more permissions may need to be opened up.
Update permissions in image:
default@fbe386b6b0c8:/opt/ibm/wlp$ chgrp -R 0 /opt/ibm/wlp
default@fbe386b6b0c8:/opt/ibm/wlp$ chmod -R g+rwX /opt/ibm/wlp
default@fbe386b6b0c8:/$ chgrp -R 0 /tmp/spring.log
default@fbe386b6b0c8:/$ chmod -R g+rwX /tmp/spring.log
From: Laurent GRATEAU [mailto:notifications@github.com] Sent: Friday, April 12, 2019 1:19 PM To: ODMDev/odm-ondocker Cc: St Peter, Stephen L; Author Subject: Re: [ODMDev/odm-ondocker] Unable to Run in OpenShift (#205)
Hi Stephen
It seems your user does not have enough OpenShift roles and privileges to run the odm image. You don't need to change anything in the container image. What is the result of the command: oc get scc ? (https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html)
At least this privilege:
oc adm policy add-scc-to-user privileged --serviceaccount=SERVICEACCOUNT --namespace=YOURPROJECTNAME
oc adm policy add-scc-to-user privileged --serviceaccount=default --namespace=YOURPROJECTNAME
Laurent
Thanks for your help. We got this running in OpenShift today. We had to make some modifications to get this to work in our environment due to the fact that this does not run as root, and it runs under a random id, but have identified several work-arounds to resolve.
Change permission in container and create new image.
Modify dockerfile to run as required user (1001).
Modify deployment config in OpenShift to run as required user (1001).
We are planning on doing our proof-of-concept testing using this version, but will plan to use the Production/licensed version if we decide to build our new infrastructure in the cloud instead of distributed VM.
From: Laurent GRATEAU [mailto:notifications@github.com] Sent: Monday, April 15, 2019 3:23 AM To: ODMDev/odm-ondocker Cc: St Peter, Stephen L; Author Subject: Re: [ODMDev/odm-ondocker] Unable to Run in OpenShift (#205)
Hi Stephen,
Here are instructions to run an evaluation without modification of the ODM for developer docker image.
The OpenShift Container Platform CLI exposes commands for managing your applications, as well as lower level tools to interact with each component of your system. Refer to the OpenShift documentation.
Copy eval-odm.yaml.txt to your machine
As <ODMUSER>, create a Project:
$ oc login --username=<ODMUSER>
$ oc new-project odmdeval
$ oc project odmdeval
As a privileged user:
Grant Access to the privileged SCC to <ODMUSER> for project odmdeval:
$ oc adm policy add-scc-to-user privileged -z default -n odmdeval
Grant Access to the privileged SCC to default Service Account for project odmdeval:
$ oc adm policy add-scc-to-user privileged --serviceaccount=default -n odmdeval
As <ODMUSER>, install the evaluation:
oc create -f ./eval-odm.yaml.txt
eval-odm.yaml (is in attachment)
Monitor the ODM component until the evaluation pod shows a STATUS of Running or Completed:
while oc get pods | grep -E "(Running|Completed|STATUS)"; do sleep 5; done
When the pod is in Running state, you can access the status of your application with the following command.
$ oc status
In project freeodm on server https://x.xx.xxx.xx:8443
svc/odm-free-ibm-odm-dev (all nodes):30341 -> 9060
deployment/odm-free-ibm-odm-dev deploys ibmcom/odm:8.10.x.x_2.x.x-amd64
deployment #1 running for 34 minutes - 1 pod
1 info identified, use 'oc status --suggest' to see details.
You can now expose the service to your users.
My company policy prohibits modifications to the SCC. I had been told this, but tried to follow your procedure anyway to find out what would happen.
C:\Users\sstpete>oc adm policy add-scc-to-user privileged -z default -n odmdeval
Error from server: securitycontextconstraints "privileged" is forbidden: User "sstpete" cannot get securitycontextconstraints at the cluster scope: User "sstpete" cannot get securitycontextconstraints at the cluster scope
When I discussed with someone who has experience running in OpenShift, he suggested these are the only 3 options for getting this to work in our environment under the existing security policies:
Change permission in container and create new image.
Modify dockerfile to run as required user (1001).
Modify deployment config in OpenShift to run as required user (1001).
From: Laurent GRATEAU [mailto:notifications@github.com] Sent: Wednesday, April 17, 2019 4:54 AM To: ODMDev/odm-ondocker Cc: St Peter, Stephen L; Author Subject: Re: [ODMDev/odm-ondocker] Unable to Run in OpenShift (#205)
Hi Stephen,
Here are instructions to run an evaluation without modification of the ODM for developer docker image.
Evaluate IBM Operational Decision Manager on Red Hat OpenShift
Step 1: Install the OpenShift command line interface (CLI) and Helm
The OpenShift Container Platform CLI exposes commands for managing your applications, as well as lower level tools to interact with each component of your system. Refer to the OpenShift documentation: https://docs.openshift.com/container-platform/3.11/cli_reference/get_started_cli.html
Step 2: Install an evaluation of the Operational Decision Manager in OpenShift
Copy eval-odm.yaml.txt (https://github.com/ODMDev/odm-ondocker/files/3088693/eval-odm.yaml.txt) to your machine
As <ODMUSER>, create a Project:
$ oc login --username=<ODMUSER>
$ oc new-project odmdeval
$ oc project odmdeval
As a privileged user:
Grant Access to the privileged SCC to <ODMUSER> for project odmdeval:
$ oc adm policy add-scc-to-user privileged -z default -n odmdeval
Grant Access to the privileged SCC to default Service Account for project odmdeval:
$ oc adm policy add-scc-to-user privileged --serviceaccount=default -n odmdeval
As <ODMUSER>, install the evaluation:
oc create -f ./eval-odm.yaml.txt
eval-odm.yaml (is in attachment)
Step 3: Verify that the deployment is running
Monitor the ODM component until the evaluation pod shows a STATUS of Running or Completed:
while oc get pods | grep -E "(Running|Completed|STATUS)"; do sleep 5; done
When the pod is in Running state, you can access the status of your application with the following command.
$ oc status
In project freeodm on server https://x.xx.xxx.xx:8443
svc/odm-free-ibm-odm-dev (all nodes):30341 -> 9060
deployment/odm-free-ibm-odm-dev deploys ibmcom/odm:8.10.x.x_2.x.x-amd64
deployment #1 running for 34 minutes - 1 pod
1 info identified, use 'oc status --suggest' to see details.
You can now expose the service to your users.
Thanks for the update. Can I close the ticket?
Yes. Thanks for your help!
From: Laurent GRATEAU [mailto:notifications@github.com] Sent: Wednesday, April 17, 2019 9:28 AM To: ODMDev/odm-ondocker Cc: St Peter, Stephen L; Author Subject: Re: [ODMDev/odm-ondocker] Unable to Run in OpenShift (#205)
When attempting to run this image, I'm getting the following error:
FIND_SERVER_EXT_CLASS set to matches ServerExt class found.
Use /config/server-configurations.json server definition
Use H2 as database by default
No DC_PERSISTENCE_LOCALE set use default en_US
Configure the TLS keystore password
Configure the TLS truststore password
JVMSHRC155E Error copying username into cache name
JVMSHRC686I Failed to startup shared class cache. Continue without using it as -Xshareclasses:nonfatal is specified
CWWKE0005E: The runtime environment could not be launched.
CWWKE0044E: There is no write permission for server directory /opt/ibm/wlp/output/defaultServer/workarea
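Added example, not part of the original thread or of the odm-ondocker project: a script that audits a directory tree for paths a pod running under an arbitrary UID (such as the 1020390000 reported above) could not write, which is the condition behind CWWKE0044E and the one the `chgrp -R 0` / `chmod -R g+rwX` change in the thread addresses on the image side. It assumes the arbitrary UID is a member of GID 0; the names `list_unwritable` and `demo` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find paths that a pod started under an arbitrary UID
# (e.g. 1020390000 in this thread) would be unable to write.
# Assumption: that UID belongs to GID 0, so access is decided by the group
# permission bits, which is what `chgrp -R 0` + `chmod -R g+rwX` sets up.

# list_unwritable DIR [GID]  (hypothetical helper name)
# Prints each file or directory under DIR that is either not owned by
# group GID (default 0) or lacks group rw (files) / rwx (directories).
# World-writable paths are still reported: the fix relies on group 0, not o+w.
list_unwritable() {
    _dir=$1
    _gid=${2:-0}
    find "$_dir" \( -type d -o -type f \) \( \
        ! -group "$_gid" \
        -o \( -type d ! -perm -070 \) \
        -o \( -type f ! -perm -060 \) \
    \) -print
}

# demo: build a constructed tree shaped like the Liberty output directory,
# audit it, apply the thread's chmod, and audit again.
demo() {
    _root=$(mktemp -d) || return 1
    mkdir -p "$_root/wlp/output/defaultServer/workarea"
    : > "$_root/wlp/output/defaultServer/console.log"
    chmod -R g-w "$_root/wlp"
    # Unprivileged users cannot chgrp to 0, so the group that owns the new
    # tree stands in for GID 0 here.
    _g=$(ls -nd "$_root/wlp" | awk '{print $4}')
    echo "before fix:"; list_unwritable "$_root/wlp" "$_g"
    chmod -R g+rwX "$_root/wlp"
    echo "after fix:";  list_unwritable "$_root/wlp" "$_g"
    rm -rf "$_root"
}

# Run the demo only when asked: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run inside the image, `list_unwritable /opt/ibm/wlp` prints nothing once group 0 can write the whole tree.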