
EKS deployment failed: Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK #90

Open
Anton-Sagurov opened this issue Jul 29, 2022 · 1 comment

@Anton-Sagurov

Hello, I tried to deploy the Boundary controller to EKS (Kubernetes version 1.22), but the container does not have enough privileges to chown the /boundary directory:

chown: /boundary/..2022_07_29_07_35_20.877353490/controller.hcl: Read-only file system
chown: /boundary/..2022_07_29_07_35_20.877353490: Read-only file system
chown: /boundary/..2022_07_29_07_35_20.877353490: Read-only file system
chown: /boundary/controller.hcl: Read-only file system
chown: /boundary/..data: Read-only file system
chown: /boundary: Read-only file system
chown: /boundary: Read-only file system
Could not chown /boundary (may not have appropriate permissions)
Couldn't start Boundary with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK

The Boundary Docker image: 0.9

I modified the example resources a bit:
controller.tf:

resource "kubernetes_namespace" "boundary" {
  metadata {
    name = var.namespace
  }
}

resource "kubernetes_secret" "boundary_url" {
  depends_on = [
    kubernetes_namespace.boundary,
  ]
  metadata {
    name = "boundary-rds-url"
    labels = var.controller_labels
    namespace = var.namespace
  }
  data = {
    POSTGRESS_URL="postgresql://${var.database_username}:${var.database_password}@${var.database_address}:${var.database_port}/${var.database_name}"
  }
}

resource "kubernetes_deployment" "boundary" {
  depends_on = [
    kubernetes_namespace.boundary,
    kubernetes_secret.boundary_url
  ]
  metadata {
    name   = var.controller_deployment
    labels = var.controller_labels
    namespace = var.namespace
  }

  spec {
    replicas = 1

    selector {
      match_labels = var.controller_labels
    }

    template {
      metadata {
        labels = var.controller_labels
      }

      spec {
        volume {
          name = "controller-config"

          config_map {
            name = "controller-config"
          }
        }

        container {
          image = "hashicorp/boundary:${var.image_ver}"
          name  = "controller"

          image_pull_policy = var.image_pull_pilicy
          volume_mount {
            name       = "controller-config"
            mount_path = "/boundary"
            read_only  = false
          }

          args = [
            "server",
            "-config",
            "/boundary/controller.hcl"
          ]

          env {
            name  = "POSTGRESS_URL"
            value_from  {
              secret_key_ref {
                name = "boundary-rds-url"
                key  = "POSTGRESS_URL"
              }
            }
          }

          env {
            name  = "HOSTNAME"
            value = "controller"
          }

          port {
            container_port = 9200
          }
          port {
            container_port = 9201
          }
          port {
            container_port = 9202
          }

          liveness_probe {
            http_get {
              path = "/"
              port = 9200
            }
          }

          readiness_probe {
            http_get {
              path = "/"
              port = 9200
            }
          }
        }
      }
    }
  }
}

resource "kubernetes_config_map" "controller_config" {
  depends_on = [
    kubernetes_namespace.boundary,
  ]

  metadata {
    name = "controller-config"
    labels = var.controller_labels
    namespace = var.namespace
  }
  
  data = {
    "controller.hcl" = <<EOF

# Boundary's option is spelled disable_mlock; "disable_mlok" is silently ignored.
disable_mlock = true

controller {
  name = "scylla-cloud-boundary"
  description = "Boundary controller"
  database {
    url = "env://POSTGRESS_URL"
  }
}

listener "tcp" {
  address = "0.0.0.0"
  purpose = "api"
  tls_disable = true
}

listener "tcp" {
  address = "0.0.0.0"
  purpose = "cluster"
  tls_disable = true
}

listener "tcp" {
  address = "0.0.0.0"
  purpose = "proxy"
  tls_disable = true
}

# Inside a Terraform heredoc a resource reference must be interpolated with
# $${...}; aws_kms_alias exposes the key as target_key_id, not kms_id.
kms "awskms" {
  purpose    = "root"
  kms_key_id = "${aws_kms_alias.root.target_key_id}"
}

kms "awskms" {
  purpose    = "worker-auth"
  kms_key_id = "${aws_kms_alias.worker_auth.target_key_id}"
}

kms "awskms" {
  purpose    = "recovery"
  kms_key_id = "${aws_kms_alias.recovery.target_key_id}"
}
EOF
  }

}

resource "kubernetes_service" "boundary_controller" {
  depends_on = [
    kubernetes_namespace.boundary,
  ]
  metadata {
    name   = var.controller_deployment
    labels = var.controller_labels
    namespace = var.namespace
  }

  spec {
    type = "ClusterIP"
    selector = var.controller_labels

    port {
      name        = "api"
      port        = 9200
      target_port = 9200
    }
    port {
      name        = "cluster"
      port        = 9201
      target_port = 9201
    }
    port {
      name        = "data"
      port        = 9202
      target_port = 9202
    }
  }
}
@Anton-Sagurov (Author)

The "fix" is to rewrite the entrypoint:

command = [
  "boundary",
  "server",
  "-config",
  "/boundary/controller.hcl"
]

But then the pod will run in privileged mode (as the root user).
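A least-privilege alternative to the root-entrypoint workaround above, added here as an example and not taken from the issue or the Boundary project: the pod template `spec` of the post's `kubernetes_deployment`, rewritten so the container never runs as root. It assumes the image entrypoint only chowns /boundary and sets the IPC_LOCK file capability when it runs as uid 0, and uses the assumed variables `var.boundary_uid` / `var.boundary_gid` for the image's unprivileged user.

```hcl
spec {
  # Run as an unprivileged uid/gid (assumed variables; set them to the image's
  # "boundary" user). The entrypoint's chown + setcap branch only runs as uid 0,
  # so with a non-root uid neither "Could not chown" nor the IPC_LOCK fallback fires.
  security_context {
    run_as_non_root = true
    run_as_user     = var.boundary_uid
    run_as_group    = var.boundary_gid
    fs_group        = var.boundary_gid
  }

  volume {
    name = "controller-config"
    config_map {
      name = "controller-config"
    }
  }

  container {
    image = "hashicorp/boundary:${var.image_ver}"
    name  = "controller"

    # ConfigMap volumes are always mounted read-only (read_only = false is
    # ignored), so keep the mount out of /boundary, which the entrypoint chowns.
    volume_mount {
      name       = "controller-config"
      mount_path = "/etc/boundary"
      read_only  = true
    }
    args = ["server", "-config", "/etc/boundary/controller.hcl"]

    # Drop every capability instead of adding IPC_LOCK; a non-root process without
    # file capabilities could not use it anyway, so controller.hcl must set
    # disable_mlock = true.
    security_context {
      allow_privilege_escalation = false
      capabilities {
        drop = ["ALL"]
      }
    }
    # env, port, liveness_probe and readiness_probe blocks: unchanged from the post.
  }
}
```

To confirm the result, check from inside the running pod that `id -u` is non-zero and that the `CapEff` line of /proc/1/status is all zeros.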
