Announcement
Bob Kuszewski · Apr 1

Using InterSystems IRIS containers with Docker 20.10.14+

Docker 20.10.14 (released March 23, 2022) changes how Linux capabilities are presented to containers, in a way that is incompatible with the Linux capability checker built into the InterSystems IRIS 2021.1 (and later) container entrypoint.

Users running Docker 20.10.14 or later on Linux will find that IRIS 2021.1+ containers fail to start, and the container logs incorrectly report that required Linux capabilities are missing. For example:

[ERROR] Required Linux capability cap_setuid is missing.
[ERROR] Required Linux capability cap_dac_override is missing.
[ERROR] Required Linux capability cap_fowner is missing.
[ERROR] Required Linux capability cap_setgid is missing. 
[ERROR] Required Linux capability cap_kill is missing.
[FATAL] Your IRIS container is missing one or more required Linux capabilities.

Resolution

Users experiencing this problem need to adjust the command line passed to the container's entrypoint so that it skips the Linux capability check. From the command line, add --check-caps false after the image name in your docker run (or docker create) command; docker start accepts no command arguments, so a container that was created without the flag has to be recreated. For example:

docker run containers.intersystems.com/intersystems/iris-community:2022.1.0.152.0 --check-caps false

The flag and its value are two separate arguments: the entrypoint's argument parser rejects the --check-caps=false form.

If you're using docker-compose, the corresponding change is to set the service's command:

  command: --check-caps false

The capability check is a preflight that catches common misconfigurations (for example a container started with --cap-drop) before the IRIS processes start; it neither grants nor removes anything. Disabling it therefore has no impact on the IRIS processes running in the container, but a capability that really is missing will then show up as a runtime failure instead of a clear startup error. The five capabilities named in the errors above are all part of Docker's default capability set, so an unmodified docker run already has them; before disabling the check on a hardened deployment, confirm they are present in the container's effective set (CapEff in /proc/1/status).
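The following script, added here as an example and not part of the announcement or of InterSystems' entrypoint, decodes the capability bitmasks the kernel exposes in /proc/<pid>/status and reports which of the five capabilities named in the IRIS errors are absent from each set. The capability bit numbers are the kernel's (include/uapi/linux/capability.h); the Docker default mask 00000000a80425fb is the value an unmodified docker run shows for CapEff. The function names and the --report flag are this example's own.

```shell
#!/bin/sh
# Added example (not InterSystems code): decode CapInh/CapPrm/CapEff/CapBnd
# from a /proc/<pid>/status file and report which of the capabilities the
# IRIS entrypoint checks for are missing from each set.

# Capabilities named in the IRIS startup errors, with their kernel bit numbers
# (from include/uapi/linux/capability.h).
IRIS_REQUIRED_CAPS="cap_dac_override:1 cap_fowner:3 cap_kill:5 cap_setgid:6 cap_setuid:7"

# Docker's default capability set as a 64-bit mask, for comparison.
DOCKER_DEFAULT_MASK=00000000a80425fb

# missing_caps MASK: print the required capabilities whose bit is clear in
# MASK (a hex string as printed in /proc/<pid>/status), space separated;
# prints an empty line when all five are present.
missing_caps() {
    mask=$1
    missing=""
    for entry in $IRIS_REQUIRED_CAPS; do
        name=${entry%%:*}
        bit=${entry##*:}
        if [ $(( (0x$mask >> bit) & 1 )) -eq 0 ]; then
            missing="$missing $name"
        fi
    done
    printf '%s\n' "${missing# }"
}

# proc_cap_set NAME [STATUS_FILE]: extract the CapNAME mask (Inh, Prm, Eff,
# Bnd or Amb) from a /proc/<pid>/status file; defaults to the current process.
proc_cap_set() {
    set_name=$1
    status_file=${2:-/proc/self/status}
    awk -v key="Cap$set_name:" '$1 == key { print $2 }' "$status_file"
}

# report_caps [STATUS_FILE]: one line per capability set, listing what a
# checker looking at that set would call missing.  Returns 0 when the
# effective set has all five required capabilities, 1 otherwise.
report_caps() {
    status_file=${1:-/proc/self/status}
    rc=0
    for set_name in Inh Prm Eff Bnd; do
        mask=$(proc_cap_set "$set_name" "$status_file")
        [ -n "$mask" ] || continue
        gone=$(missing_caps "$mask")
        if [ -z "$gone" ]; then
            echo "Cap$set_name=$mask: all required capabilities present"
        else
            echo "Cap$set_name=$mask: missing $gone"
            [ "$set_name" = Eff ] && rc=1
        fi
    done
    return $rc
}

# Run inside the container, e.g.
#   docker run --rm --entrypoint sh <iris image> /path/to/capreport.sh --report
# to see whether the effective set really lacks anything before reaching for
# --check-caps false.
if [ "${1:-}" = "--report" ]; then
    report_caps
fi
```

A run where CapEff reports every required capability present while another set reports them missing is the false-positive situation the announcement describes: IRIS will run, and --check-caps false only silences the preflight. A run where CapEff itself is short of a capability is a real misconfiguration (typically --cap-drop or a restrictive security profile), and disabling the check would only move the failure later.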

Discussion (8)

In the docker-compose file the command is still

command: --check-caps false

If the = is left in the command, the following error is returned:

iris_1  | PARSE ERROR: Argument: --check-caps=false
iris_1  |              Couldn't find match for argument
iris_1  |
iris_1  | Brief USAGE:
iris_1  |    /iris-main  [--ISCAgentPort <integer>] [--ISCAgent <bool>] [--check-caps
iris_1  |                <bool>] [-k <license key>] [-L <<licenseID> <host1>,<port1>[
iris_1  |                ,<dir1>] [<host2>,<port2>[,<dir2>]]>] [-p <password file>]
iris_1  |                [-t <command>] [-c <command>] [-e <command>] [-a <command>]
iris_1  |                [-b <command>] [-l <log file>] [-s <bool>] [-u <bool>] [-d
iris_1  |                <bool>] [-i <instance>] [--] [--version] [-h]
iris_1  |
iris_1  | For complete USAGE and HELP type:
iris_1  |    /iris-main --help

version: '3.6'
services:
  iris:
    build:
      context: .
      dockerfile: Dockerfile
    restart: always
    command: --check-caps false
    ports:
      - 1972
      - 52773:52773
      - 53773
    volumes:
      - ./:/irisrun/repo

If you're using IKO, you can pass the "--check-caps false" argument in your IrisCluster YAML like this:

apiVersion: intersystems.com/v1alpha1
kind: IrisCluster
metadata:
  name: ephelps-1
spec:
  licenseKeySecret:
    name: license-key
  configSource:
    name: iris-cpf
  imagePullSecrets:
    - name: docker-secret
  updateStrategy:
    type: RollingUpdate
  topology:
    data:
      mirrored: true
      shards: 1
      image: containers.intersystems.com/intersystems/iris:2021.2.0.651.0
      podTemplate:
        spec:
          args:
            - --check-caps
            - "false"
  serviceTemplate:
    spec:
      type: LoadBalancer
      externalTrafficPolicy: Local

Using cap-add might allow more fine-grained control:

--cap-add SETUID --cap-add DAC_OVERRIDE --cap-add FOWNER --cap-add SETGID --cap-add KILL

Or in docker compose:

version: '2'
services:
  iris:
    cap_add:
    - SETUID
    - DAC_OVERRIDE
    - FOWNER
    - SETGID
    - KILL

Please, next time, when you spontaneously add flags, or remove flags or features, in a way that prevents IRIS from starting in Docker, think about end users who need to run different versions of IRIS; it makes it more complicated to follow all those changes. One version does not work with flags, another does not work with this flag. We need something more stable. When I need to configure the CI process for multiple versions, I now somehow have to decide which version has this flag and which does not.

How would I go about creating an image using a Dockerfile that is based on one of these images? How can I get the docker build to include the --check-caps false?