Announcement
· Apr 1, 2022

Using InterSystems IRIS containers with Docker 20.10.14+

Docker 20.10.14 (released March 23, 2022) changes the Linux capabilities given to containers in a manner that is incompatible with the Linux capability checker in InterSystems IRIS 2021.1 (and up) containers. 

Users running Docker 20.10.14 on Linux will find that IRIS 2021.1+ containers will fail to start and the logs will incorrectly report that required Linux capabilities are missing.  For example:

[ERROR] Required Linux capability cap_setuid is missing.
[ERROR] Required Linux capability cap_dac_override is missing.
[ERROR] Required Linux capability cap_fowner is missing.
[ERROR] Required Linux capability cap_setgid is missing. 
[ERROR] Required Linux capability cap_kill is missing.
[FATAL] Your IRIS container is missing one or more required Linux capabilities.

Resolution

Users experiencing this problem will need to adjust the command line passed to the container’s entrypoint to disable checking for Linux capabilities.  From the command line, add --check-caps false after the image in your docker run or docker start command.  For example:

docker run containers.intersystems.com/intersystems/iris-community:2022.1.0.152.0 --check-caps false

If you're using docker-compose, the corresponding change would be as follows:

  command: --check-caps false

The capability check acts as a way of checking for common misconfigurations before starting the IRIS processes.  Disabling the Linux capability check has no impact on the IRIS processes running in the container.

More Reading

Discussion (9)6
Log in or sign up to continue

In the docker-compose file the command is still 

command: --check-caps false

If the = is left in the command the following error will be returned  

PARSE ERROR: Argument: --check-caps=false

iris_1  |              Couldn't find match for argument

  | Brief USAGE:

iris_1  |    /iris-main  [--ISCAgentPort <integer>] [--ISCAgent <bool>] [--check-caps

iris_1  |                <bool>] [-k <license key>] [-L <<licenseID> <host1>,<port1>[

iris_1  |                ,<dir1>] [<host2>,<port2>[,<dir2>]]>] [-p <password file>]

iris_1  |                [-t <command>] [-c <command>] [-e <command>] [-a <command>]

iris_1  |                [-b <command>] [-l <log file>] [-s <bool>] [-u <bool>] [-d

iris_1  |                <bool>] [-i <instance>] [--] [--version] [-h]

iris_1  |

iris_1  | For complete USAGE and HELP type:

iris_1  |    /iris-main --help

If you're using IKO, you can pass the "--check-caps false" argument in your iriscluster yaml like this: 

apiVersion: intersystems.com/v1alpha1
kind: IrisCluster
metadata:
  name: ephelps-1
spec:
  licenseKeySecret:
    name: license-key
  configSource:
    name: iris-cpf
  imagePullSecrets:
    - name: docker-secret
  updateStrategy:
    type: RollingUpdate
  topology:
    data:
      mirrored: true
      shards: 1
      image: containers.intersystems.com/intersystems/iris:2021.2.0.651.0
      podTemplate:
        spec:
          args:
            - --check-caps
            - "false"
  serviceTemplate:
    spec:
      type: LoadBalancer
      externalTrafficPolicy: Local

Please, next time, when you spontaneously add flags and remove flags or features that prevent starting IRIS in Docker, think about end-users, who would need, to run different versions of IRIS, it makes it more complicated to follow all those changes. One version does not work with flags, another does not work with this flag. We need something more stable. When I need to configure the CI process for multiple versions, now I should somehow decide which version has this flag and which has not.