While trying to run docker image of apache nifi present in the docker hub in the open shift, it is giving me the permission issue as the docker image was running the user nifi which is not allowed via openshft. so I build the docker image using the below docker file but now I am not even able to run the build image in my local docker container.
FROM openjdk:8-jre
ARG NIFI_VERSION=1.12.1
ARG BASE_URL=https://archive.apache.org/dist
ARG MIRROR_BASE_URL=${MIRROR_BASE_URL:-${BASE_URL}}
ARG NIFI_BINARY_PATH=${NIFI_BINARY_PATH:-/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.zip}
ARG NIFI_TOOLKIT_BINARY_PATH=${NIFI_TOOLKIT_BINARY_PATH:-/nifi/${NIFI_VERSION}/nifi-toolkit-${NIFI_VERSION}-bin.zip}
ENV NIFI_BASE_DIR=/opt/nifi
ENV NIFI_HOME ${NIFI_BASE_DIR}/nifi-current
ENV NIFI_TOOLKIT_HOME ${NIFI_BASE_DIR}/nifi-toolkit-current
ENV NIFI_PID_DIR=${NIFI_HOME}/run
ENV NIFI_LOG_DIR=${NIFI_HOME}/logs
USER root
ADD sh/ ${NIFI_BASE_DIR}/scripts/
# Setup NiFi user and create necessary directories
RUN mkdir -p ${NIFI_BASE_DIR} \
&& apt-get update \
&& apt-get install -y jq xmlstarlet procps
# Download, validate, and expand Apache NiFi Toolkit binary.
RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_TOOLKIT_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip \
&& echo "$(curl ${BASE_URL}/${NIFI_TOOLKIT_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
&& unzip ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
&& rm ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip \
&& mv ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION} ${NIFI_TOOLKIT_HOME} \
&& ln -s ${NIFI_TOOLKIT_HOME} ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION} \
&& chmod -R g+rwX ${NIFI_TOOLKIT_HOME}
# Download, validate, and expand Apache NiFi binary.
RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
&& echo "$(curl ${BASE_URL}/${NIFI_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
&& unzip ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
&& rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
&& mv ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} ${NIFI_HOME} \
&& mkdir -p ${NIFI_HOME}/conf \
&& mkdir -p ${NIFI_HOME}/database_repository \
&& mkdir -p ${NIFI_HOME}/flowfile_repository \
&& mkdir -p ${NIFI_HOME}/content_repository \
&& mkdir -p ${NIFI_HOME}/provenance_repository \
&& mkdir -p ${NIFI_HOME}/state \
&& mkdir -p ${NIFI_LOG_DIR} \
&& ln -s ${NIFI_HOME} ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} \
&& chgrp -R 0 ${NIFI_BASE_DIR} \
&& chmod -R g+rwX ${NIFI_BASE_DIR} \
&& chmod -R g=u ${NIFI_BASE_DIR}/ \
&& chmod -R g=u /etc/passwd
#ADD bootstrap.conf ${NIFI_HOME}/conf/bootstrap.conf
# Clear nifi-env.sh in favour of configuring all environment variables in the Dockerfile
RUN echo "#!/bin/sh\n" > ${NIFI_HOME}/bin/nifi-env.sh
# Web HTTP(s) & Socket Site-to-Site Ports
EXPOSE 8080 8443 10000
WORKDIR ${NIFI_HOME}
USER 1001
# Apply configuration and start NiFi
#
# We need to use the exec form to avoid running our command in a subshell and omitting signals,
# thus being unable to shut down gracefully:
# https://docs.docker.com/engine/reference/builder/#entrypoint
#
# Also we need to use relative path, because the exec form does not invoke a command shell,
# thus normal shell processing does not happen:
# https://docs.docker.com/engine/reference/builder/#exec-form-entrypoint-example
ENTRYPOINT ["../scripts/start.sh"]
Getting this error while running in the docker container.
replacing target file /opt/nifi/nifi-current/conf/nifi.properties
replacing target file /opt/nifi/nifi-current/conf/nifi.properties
replacing target file /opt/nifi/nifi-current/conf/nifi.properties
replacing target file /opt/nifi/nifi-current/conf/nifi.properties
replacing target file /opt/nifi/nifi-current/conf/nifi.properties
/opt/nifi/scripts/toolkit.sh: 18: /opt/nifi/scripts/toolkit.sh: cannot create //.nifi-cli.nifi.properties: Permission denied
This build is for the open shift, as the apache nifi user is not working in openshift and giving permission issue while starting the local docker
So I've passed for the same issue trying to run NIFI on a Openshift, I hope that could help you.
The steps used for me was:
As #JuanD shows, I added the config on openshift:
securityContext:
runAsUser: 1000
Further on that I also did:
RUN chmod -R g+rw ${NIFI_BASE_DIR} \
&& chmod -R g+rwX ${NIFI_BASE_DIR}/scripts \
&& useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi
Another rearrange that I did was to move the copy files to be executed before this command.
And in order to avoid any unnecessary issue I also added the uid-entrypoint.sh
#!/bin/bash
if ! whoami &> /dev/null; then
if [ -w /etc/passwd ]; then
echo "${USER_NAME:-nifi}:x:$(id -u):0:${USER_NAME:-nifi} user:${HOME}:/sbin/nologin" >> /etc/passwd
fi
fi
exec "$#"
The entire dockerfile:
ARG IMAGE_NAME=openjdk
ARG IMAGE_TAG=8-jre
FROM ${IMAGE_NAME}:${IMAGE_TAG}
ARG MAINTAINER="Apache NiFi <dev#nifi.apache.org>"
LABEL maintainer="${MAINTAINER}"
LABEL site="https://nifi.apache.org"
ARG UID=1000
ARG GID=0
ARG NIFI_VERSION=1.14.0
ARG BASE_URL=https://archive.apache.org/dist
ARG MIRROR_BASE_URL=${MIRROR_BASE_URL:-${BASE_URL}}
ARG NIFI_BINARY_PATH=${NIFI_BINARY_PATH:-/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.zip}
ARG NIFI_TOOLKIT_BINARY_PATH=${NIFI_TOOLKIT_BINARY_PATH:-/nifi/${NIFI_VERSION}/nifi-toolkit-${NIFI_VERSION}-bin.zip}
ENV NIFI_BASE_DIR=/opt/nifi
ENV NIFI_HOME ${NIFI_BASE_DIR}/nifi-current
ENV NIFI_TOOLKIT_HOME ${NIFI_BASE_DIR}/nifi-toolkit-current
ENV NIFI_PID_DIR=${NIFI_HOME}/run
ENV NIFI_LOG_DIR=${NIFI_HOME}/logs
# Download, validate, and expand Apache NiFi Toolkit binary.
RUN mkdir -p ${NIFI_BASE_DIR} \
&& apt-get update \
&& apt-get install -y jq xmlstarlet procps \
&& curl -fSL ${MIRROR_BASE_URL}/${NIFI_TOOLKIT_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip \
&& echo "$(curl ${BASE_URL}/${NIFI_TOOLKIT_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
&& unzip ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
&& rm ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}-bin.zip \
&& mv ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION} ${NIFI_TOOLKIT_HOME} \
&& ln -s ${NIFI_TOOLKIT_HOME} ${NIFI_BASE_DIR}/nifi-toolkit-${NIFI_VERSION}
# Download, validate, and expand Apache NiFi binary.
RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
&& echo "$(curl ${BASE_URL}/${NIFI_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
&& unzip ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
&& rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
&& mv ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} ${NIFI_HOME} \
&& mkdir -p ${NIFI_HOME}/conf \
&& mkdir -p ${NIFI_HOME}/database_repository \
&& mkdir -p ${NIFI_HOME}/flowfile_repository \
&& mkdir -p ${NIFI_HOME}/content_repository \
&& mkdir -p ${NIFI_HOME}/provenance_repository \
&& mkdir -p ${NIFI_HOME}/state \
&& mkdir -p ${NIFI_LOG_DIR} \
&& ln -s ${NIFI_HOME} ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}
COPY scripts/ ${NIFI_BASE_DIR}/scripts/
RUN chmod -R g+rw ${NIFI_BASE_DIR} \
&& chmod -R g+rwX ${NIFI_BASE_DIR}/scripts \
&& useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi
# Clear nifi-env.sh in favour of configuring all environment variables in the Dockerfile
RUN echo "#!/bin/sh\n" > $NIFI_HOME/bin/nifi-env.sh
# Web HTTP(s) & Socket Site-to-Site Ports
EXPOSE 8080 8443 10000 8000
WORKDIR ${NIFI_HOME}
USER ${UID}
ENTRYPOINT [ "../scripts/uid-entrypoint.sh" ]
CMD [ "../scripts/start.sh" ]
I hope that could help.
I had a similar issue when deploying a custom nifi container to Openshift. Adding this to the deployment.yaml under spec: helped:
securityContext:
runAsUser: 1000
fsGroup: 1000
Related
I want to set up sawtooth with multiple validators and PoET engines.
Initially I am trying to set up with just 1 Validator, 1 PoET engine, 1 PoET registry, and the intkey Transaction processor(set up using NodeJs SDK). When I launch the network and connect the TP, it registers. But when I submit a transaction to the rest API, the response URL says PENDING. the validator logs say block validation passed but the block is not created.
version: "2.1"
volumes:
poet-shared:
services:
shell:
image: hyperledger/sawtooth-all:1.1
container_name: sawtooth-shell-default
entrypoint: "bash -c \"\
sawtooth keygen && \
tail -f /dev/null \
\""
validator-0:
image: hyperledger/sawtooth-validator:1.1
container_name: sawtooth-validator-default-0
expose:
- 4004
- 5050
- 8800
ports:
- "4004:4004"
volumes:
- poet-shared:/poet-shared
command: "bash -c \"\
sawadm keygen --force && \
mkdir -p /poet-shared/validator-0 || true && \
cp -a /etc/sawtooth/keys /poet-shared/validator-0/ && \
while [ ! -f /poet-shared/poet-enclave-measurement ]; do sleep 1; done && \
while [ ! -f /poet-shared/poet-enclave-basename ]; do sleep 1; done && \
while [ ! -f /poet-shared/poet.batch ]; do sleep 1; done && \
cp /poet-shared/poet.batch / && \
sawset genesis \
-k /etc/sawtooth/keys/validator.priv \
-o config-genesis.batch && \
sawset proposal create \
-k /etc/sawtooth/keys/validator.priv \
sawtooth.consensus.algorithm=poet \
sawtooth.poet.report_public_key_pem=\
\\\"$$(cat /poet-shared/simulator_rk_pub.pem)\\\" \
sawtooth.poet.valid_enclave_measurements=$$(cat /poet-shared/poet-enclave-measurement) \
sawtooth.poet.valid_enclave_basenames=$$(cat /poet-shared/poet-enclave-basename) \
-o config.batch && \
sawset proposal create \
-k /etc/sawtooth/keys/validator.priv \
sawtooth.poet.target_wait_time=5 \
sawtooth.poet.initial_wait_time=25 \
sawtooth.publisher.max_batches_per_block=100 \
-o poet-settings.batch && \
sawadm genesis \
config-genesis.batch config.batch poet.batch poet-settings.batch && \
sawtooth-validator -v \
--bind network:tcp://eth0:8800 \
--bind component:tcp://eth0:4004 \
--bind consensus:tcp://eth0:5050 \
--peering dynamic \
--endpoint tcp://validator-0:8800 \
--scheduler serial \
--network-auth trust
\""
environment:
PYTHONPATH: "/project/sawtooth-core/consensus/poet/common:\
/project/sawtooth-core/consensus/poet/simulator:\
/project/sawtooth-core/consensus/poet/core"
stop_signal: SIGKILL
rest-api-0:
image: hyperledger/sawtooth-rest-api:1.1
container_name: sawtooth-rest-api-default-0
expose:
- 8008
ports:
- "8008:8008"
command: |
bash -c "
sawtooth-rest-api \
--connect tcp://validator-0:4004 \
--bind rest-api-0:8008
"
stop_signal: SIGKILL
settings-tp-0:
image: hyperledger/sawtooth-settings-tp:1.1
container_name: sawtooth-settings-tp-default-0
expose:
- 4004
command: settings-tp -C tcp://validator-0:4004
stop_signal: SIGKILL
poet-engine-0:
image: hyperledger/sawtooth-poet-engine:1.1
container_name: sawtooth-poet-engine-0
volumes:
- poet-shared:/poet-shared
command: "bash -c \"\
if [ ! -f /poet-shared/poet-enclave-measurement ]; then \
poet enclave measurement >> /poet-shared/poet-enclave-measurement; \
fi && \
if [ ! -f /poet-shared/poet-enclave-basename ]; then \
poet enclave basename >> /poet-shared/poet-enclave-basename; \
fi && \
if [ ! -f /poet-shared/simulator_rk_pub.pem ]; then \
cp /etc/sawtooth/simulator_rk_pub.pem /poet-shared; \
fi && \
while [ ! -f /poet-shared/validator-0/keys/validator.priv ]; do sleep 1; done && \
cp -a /poet-shared/validator-0/keys /etc/sawtooth && \
poet registration create -k /etc/sawtooth/keys/validator.priv -o /poet-shared/poet.batch && \
poet-engine -C tcp://validator-0:5050 --component tcp://validator-0:4004 \
\""
poet-validator-registry-tp-0:
image: hyperledger/sawtooth-poet-validator-registry-tp:1.1
container_name: sawtooth-poet-validator-registry-tp-0
expose:
- 4004
command: poet-validator-registry-tp -C tcp://validator-0:4004
environment:
PYTHONPATH: /project/sawtooth-core/consensus/poet/common
stop_signal: SIGKILL
I found some errors here, but how to fix these?
You will need a minimum of two Transaction Processors per node to make the PoET work.
I have the same type of setup; but I am running TP's in Kubernetes and have three replica set(s) per Node in the network.
Besides look at the validator.toml and make sure that you have the bind to network 0.0.0.0, I have tried to bind it to a specific NIC ip and it does not work. Only 0.0.0.0 (all ips) seems to work fine.
I have a problem to connect with local mysql database from a docker container. I'm using docker-compose with two services in containers, database is not on container
I have this docker-compose file:
version: '2'
services:
web:
build:
context: ./
dockerfile: web-dev.dockerfile
volumes:
- ./:/var/www
ports:
- "8080:80"
links:
- app
network_mode: "bridge"
dns:
- 10.0.50.6
app:
build:
context: ./
dockerfile: app-dev.dockerfile
volumes:
- ./:/var/www
network_mode: "bridge"
dns:
- 10.0.50.6
the web container is an nginx service with this Dockerfile:
FROM nginx:1.10
ADD ./vhost.dev.conf /etc/nginx/conf.d/default.conf
WORKDIR /var/www
and this configuration file:
server {
listen 80;
index index.php index.html;
root /var/www/formapp/public;
location / {
try_files $uri /index.php?$args;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
the app container is an app service with this Dockerfile:
FROM php:7-fpm
ENV USER=pasquale
RUN apt-get update && apt-get install -y libmcrypt-dev mysql-client \
openssl zip unzip git nano wget libaio-dev iputils-ping
RUN mkdir -p /opt/oracle/instantclient_10_2
# Download files from in oracle folder:
# https://agora.zanichelli.it/downloads/basic-10.2.0.5.0-linux-x64.zip
# https://agora.zanichelli.it/downloads/sdk-10.2.0.5.0-linux-x64.zip
ADD oracle/basic-10.2.0.5.0-linux-x64.zip /opt/oracle/basic-10.2.0.5.0-linux-x64.zip
ADD oracle/sdk-10.2.0.5.0-linux-x64.zip /opt/oracle/sdk-10.2.0.5.0-linux-x64.zip
RUN unzip /opt/oracle/basic-10.2.0.5.0-linux-x64.zip -d /opt/oracle \
&& unzip /opt/oracle/sdk-10.2.0.5.0-linux-x64.zip -d /opt/oracle \
&& ln -s /opt/oracle/instantclient_10_2/libclntsh.so.10.1 /opt/oracle/instantclient_10_2/libclntsh.so \
&& ln -s /opt/oracle/instantclient_10_2/libclntshcore.so.10.1 /opt/oracle/instantclient_10_2/libclntshcore.so \
&& ln -s /opt/oracle/instantclient_10_2/libocci.so.10.1 /opt/oracle/instantclient_10_2/libocci.so
ADD oracle/tns-admin/tnsnames.ora /opt/oracle/instantclient_10_2/network/admin/tnsnames.ora
ENV LD_LIBRARY_PATH /opt/oracle/instantclient_10_2/
RUN docker-php-ext-install pdo_mysql \
&& pecl install mcrypt-1.0.1 \
&& docker-php-ext-enable mcrypt \
&& pecl install mongodb \
&& docker-php-ext-enable mongodb \
&& docker-php-ext-configure pdo_oci --with-pdo-oci=instantclient,/opt/oracle/instantclient_10_2,10.2 \
&& echo 'instantclient,/opt/oracle/instantclient_10_2' | pecl install oci8 \
&& docker-php-ext-install pdo_oci \
&& docker-php-ext-enable oci8
RUN yes | pecl install xdebug \
&& echo "zend_extension=$(find /usr/local/lib/php/extensions/ -name xdebug.so)" > /usr/local/etc/php/conf.d/xdebug.ini \
&& echo 'xdebug.remote_enable=1' >> /usr/local/etc/php/conf.d/xdebug.ini \
&& echo 'xdebug.default_enable=1' >> /usr/local/etc/php/conf.d/xdebug.ini \
&& echo 'xdebug.remote_connect_back=1' >> /usr/local/etc/php/conf.d/xdebug.ini \
&& echo 'xdebug.remote_autostart=1' >> /usr/local/etc/php/conf.d/xdebug.ini \
&& echo 'xdebug.remote_handler="dbgp"' >> /usr/local/etc/php/conf.d/xdebug.ini \
&& echo 'xdebug.remote_port=9000' >> /usr/local/etc/php/conf.d/xdebug.ini \
&& echo 'xdebug.remote_host=0.0.0.0' >> /usr/local/etc/php/conf.d/xdebug.ini \
&& echo 'xdebug.remote_log=/var/www/xdebug.log' >> /usr/local/etc/php/conf.d/xdebug.ini
RUN mkdir -p /home/$USER
RUN groupadd -g 1000 $USER
RUN useradd -u 1000 -g $USER $USER -d /home/$USER
RUN chown $USER:$USER /home/$USER
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
WORKDIR /var/www
USER $USER
launching the containers with docker-compose -f docker-compose.dev.yml up --build -d works fine and docker ps command give me this output:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7202e2862ef5 190todb_web "nginx -g 'daemon of…" 9 hours ago Up About an hour 443/tcp, 0.0.0.0:8080->80/tcp 190todb_web_1_3c628ae1c69b
d45c04d353d5 190todb_app "docker-php-entrypoi…" 9 hours ago Up About an hour 9000/tcp 190todb_app_1_dd2ac7028b87
I install a lumen app in my project folder formapp and then I created a seeder to insert fake data in my database, and from bash, if I run /projectfolder/formapp$ php artisan db:seed the seeder works and I have this output:
Seeding: UsersTableSeeder
Database seeding completed successfully.
Then I created a route to access my users table from the lumen app:
$router->get('users', function () use ($router) {
return User::all();
});
my lumen env file is this:
APP_NAME=Lumen
APP_ENV=local
APP_KEY=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
APP_DEBUG=true
APP_URL=http://localhost
APP_TIMEZONE=UTC
LOG_CHANNEL=stack
LOG_SLACK_WEBHOOK_URL=
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=form_db
DB_USERNAME=root
DB_PASSWORD=radiohead
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
JWT_SECRET=JhbGciOiJIUzI1N0eXAiOiJKV1QiLC
but if I try to connect from http://localhost:8080/users I have this lumen error:
SQLSTATE[HY000] [2002] Connection refused (SQL: select * from `users`)
I tried to change the DB_HOST but I cannot solve the problem:
0.0.0.0 (SQLSTATE[HY000] [2002] Connection refused (SQL: select * from `users`));
172.17.0.1 (SQLSTATE[HY000] [1130] Host '172.17.0.2' is not allowed to connect to this MySQL server (SQL: select * from `users`));
172.17.0.1 is my docker0 inet address.
How can I config my project to work?
PS: the lumen app is up and running, is only the db connection that is not working
You cannot use localhost when the database and app are not on the same server.
You need to allow access by something like:
GRANT ALL PRIVILEGES ON *.* TO 'root'#'172.17.0.2' IDENTIFIED BY '<password>';
You can replace 172.17.0.2 by wildcard %.
I am trying to write my own mariadb docker image. I wanted to execute some sql statements just after container starts (After exec mysqld). However I found mysqld --init-file option useful for my case. So my entrypoint script is something like below.
Dockerfile
FROM alpine:edge
RUN set -ex \
&& apk add mariadb mariadb-client \
&& mkdir -p /run/mysqld \
&& chown -R mysql:mysql /run/mysqld \
&& ln -snf /usr/lib/mariadb /usr/lib/mysql \
&& mysql_install_db --user=mysql --skip-name-resolve --auth-root-authentication-method=socket --auth-root-socket-user=root --force --rpm --skip-test-db
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
EXPOSE 3306
CMD ["mysqld"]
entrypoint.sh
#!/bin/sh
set -ex
{
echo "CREATE USER IF NOT EXISTS '${MYSQL_USER}'#'%' IDENTIFIED BY '${MYSQL_PASSWORD}';"
echo "CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};"
echo "GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'#'%';"
} > /tmp/mysqld-init.sql
exec $# --init-file="/tmp/mysqld-init.sql"
As you can see the temporary init file contains some sensitive information. I wanted to clean it after execution of exec $# --init-file="/tmp/mysqld-init.sql".
Now two ideas came to my mind. One is to create a named pipe (FIFO) file for temporary sql command or to use trap command.
Idea-1
But the problem here is a unnecessary child background process is keep running on container as I have used process control operator &. But I am in vain how can I exit that process.
if [ ! -p "/tmp/mysqld.init" ]; then
mkfifo /tmp/mysqld.init
fi
{
echo "CREATE USER IF NOT EXISTS '${MYSQL_USER}'#'%' IDENTIFIED BY '${MYSQL_PASSWORD}';"
echo "CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};"
echo "GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'#'%';"
} > /tmp/mysqld.init &
exec $# --init-file="/tmp/mysqld.init"
Idea-2
Use trap command and clean the temporary file when exec command gets executed. But I don't know how to catch the exec signal.
trap cleanup "the exec signal"
cleanup()
{
echo "Caught Signal ... cleaning up."
rm -rf /tmp/mysqld-init.sql
echo "Done cleanup ... quitting."
exit 1
}
set -ex
{
echo "CREATE USER IF NOT EXISTS '${MYSQL_USER}'#'%' IDENTIFIED BY '${MYSQL_PASSWORD}';"
echo "CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};"
echo "GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'#'%';"
} > /tmp/mysqld-init.sql
exec $# --init-file="/tmp/mysqld.init"
Use tini to solve this signal and zombie process issue.
FROM alpine:edge
RUN set -ex \
&& apk add --no-cache mariadb mariadb-client tini \
&& mkdir -p /run/mysqld \
&& chown -R mysql:mysql /run/mysqld \
&& ln -snf /usr/lib/mariadb /usr/lib/mysql \
&& mysql_install_db --user=mysql --skip-name-resolve --auth-root-authentication-method=socket --auth-root-socket-user=root --force --rpm --skip-test-db
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
EXPOSE 3306
CMD ["mysqld"]
entrypoint.sh
if [ ! -p "/tmp/mysqld.init" ]; then
mkfifo /tmp/mysqld.init
fi
{
echo "CREATE USER IF NOT EXISTS '${MYSQL_USER}'#'%' IDENTIFIED BY '${MYSQL_PASSWORD}';"
echo "CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};"
echo "GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'#'%';"
} > /tmp/mysqld.init &
exec tini -g -- "$#" --init-file="/tmp/mysqld.init"
I think trap is a best solution for this
function interrupt(){
local dir=$1
[ -e ${dir} ] && rm -rf ${dir}
exit 128
}
TMP_DIR=$(mktemp -d /tmp/entrypoint.XXXX)
trap "interrupt ${TMP_DIR}" SIGINT SIGTERM
trap "rm -rf ${TMP_DIR}" EXIT
set -ex
{
echo "CREATE USER IF NOT EXISTS '${MYSQL_USER}'#'%' IDENTIFIED BY '${MYSQL_PASSWORD}';"
echo "CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};"
echo "GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'#'%';"
} > ${TMP_DIR}/mysqld-init.sql
exec $# --init-file="${TMP_DIR}/mysqld-init.sql"
Websphere Liberty server running on openshift getting below error on startup. As the workarea in liberty is created during start time how can we grant r/w access to the same
JVMSHRC155E Error copying username into cache name
JVMSHRC686I Failed to startup shared class cache. Continue without using it as -Xshareclasses:nonfatal is specified
Launching defaultServer (WebSphere Application Server 18.0.0.2/wlp-1.0.21.cl180220180619-0403) on IBM J9 VM, version 8.0.5.21 - pxa6480sr5fp21-20180830_01(SR5 FP21) (en_US)
[AUDIT ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT ] CWWKG0028A: Processing included configuration resource: /config/project/server.xml
****[ERROR ] CWWKG0074E: Unable to update the configuration for webApplication with the unique identifier null because of the exception: /opt/ibm/wlp/output/defaultServer/workarea/org.eclipse.osgi/10/data/configs/webApplication!-908507812 (Permission denied)**.**
[WARNING ] CWWKG0076W: The previous configuration for webApplication with id null is still in use.
**[ERROR ] CWWKG0074E: Unable to update the configuration for applicationMonitor with the unique identifier null because of the exception: /opt/ibm/wlp/output/defaultServer/workarea/org.eclipse.osgi/10/data/configs/applicationMonitor!1812182506 (Permission denied).**
[WARNING ] CWWKG0076W: The previous configuration for applicationMonitor with id null is still in use.
**[ERROR ] CWWKG0074E: Unable to update the configuration for dataSource with the unique identifier null because of the exception: /opt/ibm/wlp/output/defaultServer/workarea/org.eclipse.osgi/10/data/configs/dataSource!1272470629 (Permission denied).**
[WARNING ] CWWKG0076W: The previous configuration for dataSource with id null is still in use.
**[ERROR ] CWWKG0074E: Unable to update the configuration for jdbcDriver with the unique identifier DB2 because of the exception: /opt/ibm/wlp/output/defaultServer/workarea/org.eclipse.osgi/10/data/configs/jdbcDriver_2!329917942 (Permission denied).**
Server.xml
<jdbcDriver id="DB2">
<library name="DB2JCC4Lib">
<fileset dir="${wlp.user.dir}/shared/resources" includes="db2jcc4.jar db2jcc_license_cisuz.jar" />
</library>
</jdbcDriver>
<dataSource jdbcDriverRef="DB2" jndiName="jdbc/abcdDB2DataSource">
<connectionManager maxPoolSize="25" minPoolSize="0" agedTimeout="21600s" connectionTimeout="180s" reapTime="180s" maxIdleTime="1800s"/>
<properties.db2.jcc databaseName="${env.DB_MF_DATABASENAME}" password="${env.DB_MF_PWD}" portNumber="${env.DB_MF_PORT}" serverName="${env.DB_MF_URL}" user="${env.DB_MF_USERID}" sslConnection="true"/>
</dataSource>
<applicationMonitor updateTrigger="mbean" />
<webApplication contextRoot="${env.APP_CONTEXT_ROOT}" location="abcd.war" />
DockerFile content
RUN mkdir -p /config/project && \
chown -R 1001:0 /config && \
chmod -R g+rw /config && \
mkdir -p /opt/ibm/wlp/installTmp && \
chown -R 1001:0 /opt/ibm/wlp && \
chmod -R g+rw /opt/ibm/wlp && \
chown -R 1001:0 /logs && \
chmod -R g+rw /logs && \
mkdir -p $HOME && \
chown -R 1001:0 $HOME && \
chmod -R g+rw $HOME && \
chown -R 1001:0 $JAVA_HOME/lib/security && \
chmod -R g+rw $JAVA_HOME/lib/security && \
mkdir -p /opt/ibm/wlp/output/defaultServer/workarea && \
chown -R 1001:0 /opt/ibm/wlp/output/defaultServer/workarea && \
chmod -R g+rw /opt/ibm/wlp/output/defaultServer/workarea
When using RHEL as the base OS we noticed that a sticky bit was being set on /output which was causing some troubles. Check out the places where we had to manipulate /output in this PR.
#ArthurDM, Thanks but was not able to get it working with sticky bit solution. But mounted the workarea folder in the container and got it to work
volumeMounts:
- name: lib-workarea-volume
mountPath: /opt/ibm/wlp/output/defaultServer/workarea
volumes:
- name: lib-workarea-volume
emptyDir: {}
Very confusing question I know, and it's a bit of a gobstopper for me!
I am trying to display bash script code in a Facelets page so that user can copy the scripts code from browser. This code is placed in a code element as posted below. But requesting the page gives me error(s) related to what I think is the cause (in bold). I have tried replacing the {, }, & - characters with the html replacements and I still get errors. Perhaps this is not allowed?
#!/bin/bash
#Author: Yucca Nel http://thejarbar.org
#Will restart system
#Modify these variables as needed...
tempWork=/tmp/work
defaultStartScript=/etc/init.d/rc.local
defaultMaven=3.0.4
locBin=/usr/local/bin
mavenUsrLib=/usr/lib/maven
sudo mkdir -p $mavenUsrLib
mkdir -p $HOME/.m2
read -p "Please [Enter] full path name of your local startup script ($defaultStartScript is the default). Please
make sure on this before providing a value by consulting documentation for your system:" locStartScript
locStartScript=${locStartScript:-$defaultStartScript}
read -p "Please [Enter] Maven Version ($defaultMaven is default):" mavenVersion
mavenVersion=${mavenVersion:-$defaultMaven}
if [ ! -f $locStartScript ]
then
echo "The file you provided could not be found. Remember to include the full path and try again. Exiting in 7 secs..."
sleep 7
exit 1
fi
mkdir -p /$tempWork
cd /$tempWork
wget http://mirrors.powertech.no/www.apache.org/dist//maven/binaries/apache-maven-$mavenVersion-bin.tar.gz
tar -zxvf ./
#Move it to a more logical location
sudo mv -f ./apache-maven-$mavenVersion $mavenUsrLib/
#If you have Maven on Windows and use VirtualBox, you can set up the maven to be a virtualbox shared folder.
#The name must match the name used below (ignore if irrelevant to you).
if [ -f /sbin/mount.vboxsf ]
then
sudo /sbin/umount $HOME/.m2
sudo /sbin/umount $mavenUsrLib
sudo /sbin/mount.vboxsf .m2 $HOME/.m2
sudo /sbin/mount.vboxsf maven $mavenUsrLib
fi
if mountpoint -q $HOME/.m2 && mountpoint -q $mavenUsrLib
then
#Add it to the start script to automate process...
if ! grep "sudo /sbin/mount.vboxsf .m2 $HOME/.m2" $locStartScript
then
echo "sudo /sbin/mount.vboxsf .m2 $HOME/.m2" | sudo tee -a $locStartScript
fi
if ! grep "sudo /sbin/mount.vboxsf maven $mavenUsrLib" $locStartScript
then
echo "sudo /sbin/mount.vboxsf maven $mavenUsrLib" | sudo tee -a $locStartScript
fi
echo "exit 0" | sudo tee -a $locStartScript
sudo chmod +x $locStartScript
#Create a mount and unmount script file...
rm -rf $tempWork/
echo '#!/bin/bash' > $tempWork/maven-mount.sh
echo "sudo /sbin/mount.vboxsf .m2 $HOME/.m2" >> $tempWork/maven-mount.sh
echo "sudo /sbin/mount.vboxsf maven $mavenUsrLib" >> $tempWork/maven-mount.sh
echo "echo 'mounted maven'" >> $tempWork/maven-mount.sh
echo "exit 0" >> $tempWork/maven-mount.sh
echo '#!/bin/bash' > $tempWork/maven-umount.sh
echo "sudo umount $HOME/.m2" >> $tempWork/netbeans-umount.sh
echo "sudo umount $mavenUsrLib" >> $tempWork/netbeans-umount.sh
echo "echo 'unmounted maven'" >> $tempWork/maven-mount.sh
echo 'exit 0' >> $tempWork/maven-umount.sh
#Script for mounting ALL VirtualBox shared solders....
#If there isn't one create one...
if [ ! -f $locBin/mount-all-from-host.sh ]
then
echo '#!/bin/bash' > $tempWork/mount-all-from-host.sh
echo "sudo /sbin/mount.vboxsf .m2 $HOME/.m2" | sudo tee -a $tempWork/mount-all-from-host.sh
echo "sudo /sbin/mount.vboxsf maven $mavenUsrLib" | sudo tee -a $tempWork/mount-all-from-host.sh
echo "exit 0" | sudo tee -a $tempWork/mount-all-from-host.sh
#Otherwise if there is one, but no mount, add one...
elif ! grep "sudo /sbin/mount.vboxsf .m2 $HOME/.m2" $locBin/mount-all-from-host.sh
then
sudo sed -ie '$d' $locBin/mount-all-from-host.sh
echo "sudo /sbin/mount.vboxsf .m2 $HOME/.m2" | sudo tee -a $locBin/mount-all-from-host.sh
echo "exit 0" | sudo tee -a $locBin/mount-all-from-host.sh
elif ! grep "sudo /sbin/mount.vboxsf maven $mavenUsrLib" $locBin/mount-all-from-host.sh
then
sudo sed -ie '$d' $locBin/mount-all-from-host.sh
echo "sudo /sbin/mount.vboxsf maven $mavenUsrLib" | sudo tee -a $locBin/mount-all-from-host.sh
echo "exit 0" | sudo tee -a $locBin/mount-all-from-host.sh
fi
#Script for unmounting ALL VirtualBox shared folders...
#If there isn't one create one...
if [ ! -f $locBin/umount-all-from-host.sh ]
then
echo '#!/bin/bash' > $tempWork/umount-all-from-host.sh
echo "sudo umount -a -t vboxsf" | sudo tee -a $tempWork/umount-all-from-host.sh
echo "echo 'unmounted all VirtualBox shared folders'" | sudo tee -a $tempWork/umount-all-from-host.sh
echo "exit 0" | sudo tee -a $tempWork/umount-all-from-host.sh
fi
sudo chmod +x $tempWork/
sudo mv -f $tempWork/.sh $locBin/
rm -rf $tempWork
fi
sudo ln -f -s $mavenUsrLib/apache-maven-$mavenVersion/bin/* /usr/bin/
sudo rm -rf $tempWork
sudo /sbin/reboot
exit 0
Solved: mavenVersion=$<h:outputText value="{mavenVersion:-$defaultMaven}"/><br/>