Using InterSystems IRIS containers with Docker 20.10.14+
Docker 20.10.14 (released March 23, 2022) changes the Linux capabilities given to containers in a manner that is incompatible with the Linux capability checker in InterSystems IRIS 2021.1 (and up) containers.
Users running Docker 20.10.14 on Linux will find that IRIS 2021.1+ containers will fail to start and the logs will incorrectly report that required Linux capabilities are missing. For example:
[ERROR] Required Linux capability cap_setuid is missing. [ERROR] Required Linux capability cap_dac_override is missing. [ERROR] Required Linux capability cap_fowner is missing. [ERROR] Required Linux capability cap_setgid is missing. [ERROR] Required Linux capability cap_kill is missing. [FATAL] Your IRIS container is missing one or more required Linux capabilities.
Resolution
Users experiencing this problem will need to adjust the command line passed to the container’s entrypoint to disable checking for Linux capabilities. From the command line, add --check-caps false after the image in your docker run or docker start command. For example:
docker run containers.intersystems.com/intersystems/iris-community:2022.1.0.152.0 --check-caps false
If you're using docker-compose, the corresponding change would be as follows:
command: --check-caps false
The capability check acts as a way of checking for common misconfigurations before starting the IRIS processes. Disabling the Linux capability check has no impact on the IRIS processes running in the container.
In the docker-compose file the command is still
If the = is left in the command the following error will be returned
PARSE ERROR: Argument: --check-caps=false
iris_1 | Couldn't find match for argument
| Brief USAGE:
iris_1 | /iris-main [--ISCAgentPort <integer>] [--ISCAgent <bool>] [--check-caps
iris_1 | <bool>] [-k <license key>] [-L <<licenseID> <host1>,<port1>[
iris_1 | ,<dir1>] [<host2>,<port2>[,<dir2>]]>] [-p <password file>]
iris_1 | [-t <command>] [-c <command>] [-e <command>] [-a <command>]
iris_1 | [-b <command>] [-l <log file>] [-s <bool>] [-u <bool>] [-d
iris_1 | <bool>] [-i <instance>] [--] [--version] [-h]
iris_1 |
iris_1 | For complete USAGE and HELP type:
iris_1 | /iris-main --help
Thanks Bob for the timely post.
If you're using IKO, you can pass the "--check-caps false" argument in your iriscluster yaml like this:
Using cap-add might allow for a more fine-grained control:
Or in docker compose:
Please, next time, when you spontaneously add flags and remove flags or features that prevent starting IRIS in Docker, think about end-users, who would need, to run different versions of IRIS, it makes it more complicated to follow all those changes. One version does not work with flags, another does not work with this flag. We need something more stable. When I need to configure the CI process for multiple versions, now I should somehow decide which version has this flag and which has not.
How would I go about creating an image using a Dockerfile that is based on one of these images? How can I get the docker build to include the --check-cap false?
Hi Mike!
You can check this or that example, the simplest dockerfiles with IRIS.
The command with check-caps false can be found e.g. here in Docker-compose
Glad this was the first Google result for "docker required linux capability is missing"
Social networks
InterSystems resources
Log in or sign up
Log in or create a new account to continue
Log in or sign up
Log in or create a new account to continue
Log in or sign up
Log in or create a new account to continue