Announcement
Bob Kuszewski · Apr 1

Using InterSystems IRIS containers with Docker 20.10.14+

Docker 20.10.14 (released March 23, 2022) changes the Linux capabilities given to containers in a manner that is incompatible with the Linux capability checker in InterSystems IRIS 2021.1 (and up) containers. 

Users running Docker 20.10.14 on Linux will find that IRIS 2021.1+ containers will fail to start and the logs will incorrectly report that required Linux capabilities are missing.  For example:

[ERROR] Required Linux capability cap_setuid is missing.
[ERROR] Required Linux capability cap_dac_override is missing.
[ERROR] Required Linux capability cap_fowner is missing.
[ERROR] Required Linux capability cap_setgid is missing. 
[ERROR] Required Linux capability cap_kill is missing.
[FATAL] Your IRIS container is missing one or more required Linux capabilities.

Resolution

Users experiencing this problem will need to adjust the command line passed to the container’s entrypoint to disable checking for Linux capabilities.  From the command line, add --check-caps false after the image in your docker run or docker start command.  For example:

docker run containers.intersystems.com/intersystems/iris-community:2022.1.0.152.0 --check-caps false

If you're using docker-compose, the corresponding change would be as follows:

  command: --check-caps false

The capability check acts as a way of checking for common misconfigurations before starting the IRIS processes.  Disabling the Linux capability check has no impact on the IRIS processes running in the container.

More Reading

9
0 554
Discussion (5)4
Log in or sign up to continue

In the docker-compose file the command is still 

command: --check-caps false

If the = is left in the command the following error will be returned  

PARSE ERROR: Argument: --check-caps=false

iris_1  |              Couldn't find match for argument

  | Brief USAGE:

iris_1  |    /iris-main  [--ISCAgentPort <integer>] [--ISCAgent <bool>] [--check-caps

iris_1  |                <bool>] [-k <license key>] [-L <<licenseID> <host1>,<port1>[

iris_1  |                ,<dir1>] [<host2>,<port2>[,<dir2>]]>] [-p <password file>]

iris_1  |                [-t <command>] [-c <command>] [-e <command>] [-a <command>]

iris_1  |                [-b <command>] [-l <log file>] [-s <bool>] [-u <bool>] [-d

iris_1  |                <bool>] [-i <instance>] [--] [--version] [-h]

iris_1  |

iris_1  | For complete USAGE and HELP type:

iris_1  |    /iris-main --help

version: '3.6'
services:
  iris:
    build:
      context: .
      dockerfile: Dockerfile
    restart: always
    command: --check-caps false
    ports:
      - 1972
      - 52773:52773
      - 53773
    volumes:
      - ./:/irisrun/repo

If you're using IKO, you can pass the "--check-caps false" argument in your iriscluster yaml like this: 

apiVersion: intersystems.com/v1alpha1
kind: IrisCluster
metadata:
  name: ephelps-1
spec:
  licenseKeySecret:
    name: license-key
  configSource:
    name: iris-cpf
  imagePullSecrets:
    - name: docker-secret
  updateStrategy:
    type: RollingUpdate
  topology:
    data:
      mirrored: true
      shards: 1
      image: containers.intersystems.com/intersystems/iris:2021.2.0.651.0
      podTemplate:
        spec:
          args:
            - --check-caps
            - "false"
  serviceTemplate:
    spec:
      type: LoadBalancer
      externalTrafficPolicy: Local

Using cap-add might allow for a more fine-grained control:

--cap-add SETUID --cap-add DAC_OVERRIDE --cap-add FOWNER --cap-add SETGID --cap-add KILL

Or in docker compose:

version: '2'
services:
  iris:
    cap_add:
    - SETUID
    - DAC_OVERRIDE
    - FOWNER
    - SETGID 
    - KILL