Closed allamand closed 4 years ago
Unfortunately not.
setcap will not work with some Docker storage drivers
- https://github.com/docker-library/httpd/issues/118#issuecomment-439207960
See also https://github.com/docker-library/logstash/pull/14#issuecomment-268670305
@yosifkit do you have another recommendation to achieve the goal?
We haven't encountered any problem with this for more than a year, and this feature (being able to lock memory as a non-root user) is mandatory for us.
Increase RLIMIT_MEMLOCK
$ docker run -it --rm --ulimit=memlock=-1 cassandra
...
INFO [main] 2019-09-27 22:35:10,827 NativeLibrary.java:174 - JNA mlockall successful
@yosifkit, it's not sufficient when the user is not root. See https://github.com/kubernetes/kubernetes/issues/3595#issuecomment-469928432
It works fine here. Note also that the image does not run as root for long; see #48 and this part of the entrypoint.
$ docker run -it --rm --ulimit=memlock=-1 --user 999 cassandra
...
INFO [main] 2019-09-30 19:47:04,083 NativeLibrary.java:174 - JNA mlockall successful
@yosifkit it works fine with Docker, not Kubernetes. To convince you, you can test a deployment with this config
You'll get
WARN [main] 2019-10-02 03:14:55,781 NativeLibrary.java:187 - Unable to lock JVM memory (ENOMEM). This can result in part of the JVM being swapped out, especially with mmapped I/O enabled. Increase RLIMIT_MEMLOCK or run Cassandra as root.
Then look at https://github.com/kubernetes/kubernetes/issues/3595#issuecomment-438507708
setcap and the related part of the yaml are just working around the problem and not the correct fix.
securityContext:
  capabilities:
    add:
    - IPC_LOCK
You need to instead set the ulimit for memlock to unlimited or something big enough for java/cassandra to not complain. The fact that kubernetes has yet to support ulimit does not mean that we will change the image just to support their lack of configuration.
Users are free to make an image FROM this that adds the setcap (that might not work on some hosts) or something similar to https://github.com/kubernetes/kubernetes/issues/3595#issuecomment-288451522. Combine that with automated builds and it's reasonably easy to have an up-to-date image built FROM this one with the required modifications.
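A quick way to check the two conditions from inside a pod before reading Cassandra's startup log, added here as an example and not part of this thread or the cassandra image (the 4 GiB default heap is an assumption): the CapEff line of /proc/self/status shows whether IPC_LOCK actually reached the JVM's effective set, and ulimit -l shows RLIMIT_MEMLOCK, which the kernel ignores only when CAP_IPC_LOCK is present.

```shell
#!/bin/sh
# Added example, not from this thread or the cassandra image: checks the two
# conditions discussed above from inside a container. mlockall() succeeds
# when CAP_IPC_LOCK is in the effective set (RLIMIT_MEMLOCK is then ignored)
# or when RLIMIT_MEMLOCK covers the memory the JVM wants to lock.

CAP_IPC_LOCK=14   # bit index from linux/capability.h

# has_cap_ipc_lock HEXMASK: succeeds if bit 14 is set in a CapEff-style mask
has_cap_ipc_lock() {
    [ $(( (0x$1 >> CAP_IPC_LOCK) & 1 )) -eq 1 ]
}

# memlock_verdict HEXMASK LIMIT HEAP_KB: prints "ok" or "warn".
# LIMIT is what `ulimit -l` reports ("unlimited" or a number in KiB);
# HEAP_KB is the JVM heap you configured, in KiB.
memlock_verdict() {
    mask=$1; limit=$2; heap=$3
    if has_cap_ipc_lock "$mask"; then
        echo ok; return 0
    fi
    if [ "$limit" = unlimited ]; then
        echo ok; return 0
    fi
    if [ "$limit" -ge "$heap" ] 2>/dev/null; then
        echo ok; return 0
    fi
    echo warn; return 1   # Cassandra would log "Unable to lock JVM memory (ENOMEM)"
}

# Effective capabilities of the current process (0 when procfs is unavailable).
current_caps() {
    if [ -r /proc/self/status ]; then
        awk '/^CapEff:/ {print $2}' /proc/self/status
    else
        echo 0
    fi
}

main() {
    heap=${1:-4194304}    # KiB; default assumes a 4 GiB heap (assumption)
    caps=$(current_caps)
    limit=$(ulimit -l)
    printf 'CapEff=%s RLIMIT_MEMLOCK=%s heap=%s KiB -> ' "$caps" "$limit" "$heap"
    memlock_verdict "$caps" "$limit" "$heap" || true   # use memlock_verdict directly for a CI gate
}

main "$@"
```

With Docker's default capability set (no IPC_LOCK) and the usual 64 KiB memlock limit the verdict is "warn", which is exactly the situation behind the ENOMEM line quoted above; adding IPC_LOCK to the effective set or raising the ulimit flips it to "ok".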
To correctly run Cassandra in Kubernetes, we need to be able to correctly lock the JVM memory.
With correct parameters we should see a line like this at Cassandra startup:
With the current image we got this error instead:
In Kubernetes, we need to have IPC_LOCK capability in order to do so, but this is not sufficient.
We should add this line in the Dockerfile in order to be able to correctly lock the memory
Example with this specific Dockerfile
With this Cassandra is now able to correctly lock memory.
Do you think I can do a PR to add this to the repo?