chainloop-dev / chainloop

Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
https://docs.chainloop.dev
Apache License 2.0
370 stars, 27 forks

Pod fails to start on OpenShift: Error: runc create failed: unable to start container process: eaccess /atlas: permission denied #922

Closed hanygirgis closed 4 months ago

hanygirgis commented 4 months ago

I'm trying to deploy Chainloop on an OpenShift environment, using a command similar to the following:

    helm install chainloop oci://ghcr.io/chainloop-dev/charts/chainloop \
      --set global.openshift=true \
      --set development=true \
      --set controlplane.auth.oidc.url=url \
      --set controlplane.auth.oidc.clientID=client \
      --set controlplane.auth.oidc.clientSecret=secret \
      --set controlplane.image.repository=local/chainloop/control-plane \
      --set controlplane.image.tag=v0.91.0 \
      --set controlplane.migration.image.repository=local/chainloop/control-plane-migrations \
      --set controlplane.migration.image.tag=v0.91.0 \
      --set cas.image.repository=local/chainloop/artifact-cas \
      --set cas.image.tag=v0.91.0

However, the chainloop-controlplane pod fails during initialization (Init:CreateContainerError) with error:

Error: container create failed: time="2024-06-07T12:16:22Z" level=error msg="runc create failed: unable to start container process: eaccess /atlas: permission denied"

Any idea how to solve this issue?

migmartri commented 4 months ago

Hi @hanygirgis.

Do you mind sharing some more information about your openshift environment (mainly version)? We are in the process of adding support for customizable podsecuritycontext, which might be a good fit to fix your issue.

Thanks!

hanygirgis commented 4 months ago

Hi @migmartri,

I'm using this version:

OpenShift version: 4.13.27
Kubernetes version: v1.26.11

A suggestion is to maybe use the same global.openshift boolean flag that is used by Vault to configure the podsecuritycontext, to allow openshift compatibility with just one setting (if possible).

Thanks!

migmartri commented 4 months ago

That's a great pointer! Summoning @javirln, who's currently working on some Helm Chart changes to discuss next steps.

In any case, @hanygirgis we are open to contributions if you want to give it a try, we'll be happy to assist, either here at Github or also in our Slack :)

Thanks

hanygirgis commented 4 months ago

Thanks for the invitation : ) Sure, I'll be glad to contribute.

javirln commented 4 months ago

> Thanks for the invitation : ) Sure, I'll be glad to contribute.

Hello @hanygirgis :)

We are migrating our current Chart approach to Bitnami Charts. There, you can see how to set up pod security policies and container security policies, which we will need to add to our configurations.

Each chart includes a common chart that provides examples of how to inject these security policies. Since we are adopting Bitnami's contributing guidelines, this is the approach we should follow.

For an example, see how OpenShift is handled in this helper.

Aaand thank you so much for your interest in Chainloop :D

hanygirgis commented 4 months ago

Hello @javirln :) thanks for your answer.

I'm now checking the Bitnami compatibility helper you pointed to (but so far it's not clear what changes I need to make).

Initially I tried just setting runAsUser to 1001, but got Forbidden: not usable by user or serviceaccount, provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1000880000, 1000889999]
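The admission error above is the restricted-v2 SCC rejecting a UID that is not inside the range OpenShift assigned to the namespace. That range is published on the namespace as the annotation `openshift.io/sa.scc.uid-range` in `<start>/<size>` form (here `1000880000/10000`, i.e. 1000880000 through 1000889999). The following script is an added example, not Chainloop or Bitnami code: it parses that annotation, checks every `runAsUser` (init and regular containers) and the pod-level `fsGroup` against the namespace ranges the way the error message does, and shows the effect of dropping the pinned IDs so the SCC allocates them. The namespace and pod objects are constructed samples; treating `fsGroup` as governed by the `openshift.io/sa.scc.supplemental-groups` annotation, and the `strip_pinned_ids` remedy, are this example's assumptions, not something the thread confirms about the chart fix.

```python
"""Pre-flight check of pinned runAsUser/fsGroup values against an OpenShift
namespace's SCC-assigned ranges (added example; not Chainloop code)."""

import copy
from typing import Dict, List, Tuple

# Constructed sample: a namespace object with the annotations OpenShift writes
# for the restricted-v2 SCC. The UID range mirrors the one in the error above.
SAMPLE_NAMESPACE = {
    "metadata": {
        "name": "chainloop",
        "annotations": {
            "openshift.io/sa.scc.uid-range": "1000880000/10000",
            # Assumption: fsGroup is validated against this annotation.
            "openshift.io/sa.scc.supplemental-groups": "1000880000/10000",
        },
    }
}

# Constructed sample: a pod whose init container pins the Bitnami-style UID
# 1001, which is the value the admission controller rejected.
SAMPLE_POD = {
    "spec": {
        "securityContext": {"fsGroup": 1001},
        "initContainers": [
            {"name": "migrate", "securityContext": {"runAsUser": 1001}},
        ],
        "containers": [
            {"name": "controlplane", "securityContext": {}},
        ],
    }
}


def parse_range(annotation: str) -> Tuple[int, int]:
    """Turn "<start>/<size>" (or "<start>-<end>") into an inclusive (lo, hi)."""
    if "/" in annotation:
        start, size = annotation.split("/", 1)
        lo = int(start)
        hi = lo + int(size) - 1
    elif "-" in annotation:
        start, end = annotation.split("-", 1)
        lo, hi = int(start), int(end)
    else:
        raise ValueError(f"unrecognised range annotation: {annotation!r}")
    if hi < lo:
        raise ValueError(f"empty range: {annotation!r}")
    return lo, hi


def find_violations(namespace: Dict, pod: Dict) -> List[str]:
    """One message per pinned ID outside the namespace ranges, using the same
    field paths the admission error prints. Empty list means nothing is pinned
    outside the range and the SCC can assign IDs itself."""
    ann = namespace["metadata"].get("annotations", {})
    uid_lo, uid_hi = parse_range(ann["openshift.io/sa.scc.uid-range"])
    gid_lo, gid_hi = parse_range(ann["openshift.io/sa.scc.supplemental-groups"])
    spec = pod["spec"]
    problems: List[str] = []

    # Pod-level fsGroup (assumed to be checked against supplemental-groups).
    fs_group = spec.get("securityContext", {}).get("fsGroup")
    if fs_group is not None and not gid_lo <= fs_group <= gid_hi:
        problems.append(
            f".securityContext.fsGroup: {fs_group} not in [{gid_lo}, {gid_hi}]")

    # Every init and regular container may pin its own runAsUser.
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(kind, [])):
            uid = c.get("securityContext", {}).get("runAsUser")
            if uid is not None and not uid_lo <= uid <= uid_hi:
                problems.append(
                    f".{kind}[{i}].runAsUser: {uid} not in [{uid_lo}, {uid_hi}]")
    return problems


def strip_pinned_ids(pod: Dict) -> Dict:
    """Copy of the pod with runAsUser/fsGroup removed, so the SCC allocates
    IDs from the namespace range. Assumed remedy for illustration only."""
    out = copy.deepcopy(pod)
    spec = out["spec"]
    spec.get("securityContext", {}).pop("fsGroup", None)
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            c.get("securityContext", {}).pop("runAsUser", None)
    return out


if __name__ == "__main__":
    for problem in find_violations(SAMPLE_NAMESPACE, SAMPLE_POD):
        print("would be rejected:", problem)
    fixed = strip_pinned_ids(SAMPLE_POD)
    print("after stripping pinned IDs:", find_violations(SAMPLE_NAMESPACE, fixed))
```

Two caveats for anyone applying this to a real cluster. First, removing the pinned IDs satisfies the SCC, but the resulting process runs as an arbitrary UID from the range with GID 0, so the image's binaries must be executable by group root or by everyone; an `eaccess ... permission denied` from runc on the entrypoint is exactly what a file that is only executable by its owner produces under that model, and that has to be fixed in the image, not in the pod spec. Second, read the annotations from the target namespace rather than hard-coding them: each namespace gets its own range, so a UID that passes in one namespace fails in another.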

hanygirgis commented 4 months ago

It now works with helm chart 1.61.0 (and image versions v0.91.6). Thanks a lot!

migmartri commented 4 months ago

Awesome, thanks for your help :)

migmartri commented 4 months ago

https://github.com/chainloop-dev/chainloop/issues/1009