Topic
  • 4 replies
  • Latest Post - ‏2018-06-27T02:09:54Z by yousuke@jp.ibm.com
B@t
2 Posts

Pinned topic ISAM-OpenLDAP image fails to start on IBM Cloud

‏2018-06-26T07:30:45Z | isam isam9.0.4

I'm following Shane Weeden's blog to deploy ISAM 9.0.4.0 on IBM Cloud. 

https://www.ibm.com/blogs/sweeden/running-isam-ibm-cloud/

 

However, after deploying-openldap image to IBM Cloud, instance is unable to start. Status says "CrashLoopBackOff"

 

openldap-7f6c9fd748-d7kqz                              0/1       CrashLoopBackOff   1          18s

 

 

Log says:

 

$ kubectl logs openldap-bdd6c6994-2l8lq
*** CONTAINER_LOG_LEVEL = 3 (info)
*** Search service in CONTAINER_SERVICE_DIR = /container/service :
*** link /container/service/:ssl-tools/startup.sh to /container/run/startup/:ssl-tools
*** link /container/service/slapd/startup.sh to /container/run/startup/slapd
*** link /container/service/slapd/process.sh to /container/run/process/slapd/run
*** Set environment for startup files
*** Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.startup.yaml
/container/environment/99-default/default.yaml

To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
*** Running /container/run/startup/:ssl-tools...
*** Running /container/run/startup/slapd...
chown: changing ownership of '/container/service/slapd/assets/certs/..data': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/ldap.key': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/ldap.crt': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/dhparam.pem': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/ca.crt': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/..2018_06_26_05_30_08.056875284/ldap.key': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/..2018_06_26_05_30_08.056875284/ldap.crt': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/..2018_06_26_05_30_08.056875284/dhparam.pem': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/..2018_06_26_05_30_08.056875284/ca.crt': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs/..2018_06_26_05_30_08.056875284': Read-only file system
chown: changing ownership of '/container/service/slapd/assets/certs': Read-only file system
*** /container/run/startup/slapd failed with status 1

*** Killing all processes...

 

I'm able to provision original OpenLDAP image (osixia/openldap:1.2.1) to IBM Cloud, so I'm suspecting there's something wrong with image ibmcom/isam-openldap:9.0.4.0. 

 

 


Updated on 2018-06-26T07:32:41Z at 2018-06-26T07:32:41Z by B@t
  • IAM.Jon
    14 Posts
    ACCEPTED ANSWER

    Re: ISAM-OpenLDAP image fails to start on IBM Cloud

    ‏2018-06-26T09:44:07Z  

    Hello,

     

    This issue is seen because, in the latest versions of Kubernetes, secrets are mounted as read-only filesystems.  This causes a number of operations performed by the openldap start-up scripts to fail.

    Luckily, openldap provides a fix for these situations.  You simply need to start the image with the flag --copy-service.  This tells the startup scripts to make a local (read-write) copy of the service directory tree (which includes the secret) and run against that instead.

     

    To add the args option to your Kubernetes definition file:

          containers:
            - name: openldap
              # ...
              # This line is needed when running on Kubernetes 1.9.4 or above
              args: ["--copy-service"]

     

    I hope this helps.

     

    Cheers... Jon.
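
The fix from the accepted answer shown in a full Deployment, as an added example that is not part of the original thread or of IBM's published definition files. The image name and certificate mount path are taken from the posts above; the Deployment name, labels, volume name and Secret name are assumptions.

```yaml
# Added example. Names marked "assumed" do not come from the thread.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openldap                 # assumed
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap              # assumed label
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: openldap
          image: ibmcom/isam-openldap:9.0.4.0
          # Without this line the slapd startup script runs chown directly on
          # the Secret mount and exits with "Read-only file system" (status 1),
          # which Kubernetes reports as CrashLoopBackOff.
          # With it, the startup scripts work on a read-write copy of
          # /container/service, so the mounted Secret is never modified.
          args: ["--copy-service"]
          volumeMounts:
            - name: openldap-keys          # assumed volume name
              # Path from the chown errors in the log above.
              mountPath: /container/service/slapd/assets/certs
              # Stated explicitly; the Secret volume is read-only either way.
              readOnly: true
      volumes:
        - name: openldap-keys
          secret:
            # Assumed Secret containing ldap.key, ldap.crt, ca.crt and
            # dhparam.pem, the file names shown in the log.
            secretName: openldap-keys
```

The Secret mount stays read-only with this change; only the container's private copy of the key material has its ownership changed.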

  • yousuke@jp.ibm.com
    2 Posts

    Re: ISAM-OpenLDAP image fails to start on IBM Cloud

    ‏2018-06-26T09:32:18Z  

    I encountered exactly the same issue as . I would appreciate it if anybody could help.

     

    I added "--logleve=debug" option and got slightly more detailed error messages as attached.

     

    Here is some environment information about my environment that I think might be relevant.

     

    aa308320:isam-kube yosuke$ docker -v
    Docker version 18.05.0-ce, build f150324

    aa308320:isam-kube yosuke$ kubectl version --short
    Client Version: v1.10.2
    Server Version: v1.9.8-2+af27ab4b096122

    aa308320:isam-kube yosuke$ uname -a
    Darwin aa308320 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64

    aa308320:isam-kube yosuke$ ic -v
    ic version 0.7.1+8a6d40e-2018-06-07T07:13:39+00:00
    aa308320:isam-kube yosuke$ ic plugin list
    Listing installed plug-ins...

    Plugin Name          Version   
    cloud-functions      1.0.12   
    container-registry   0.1.316   
    container-service    0.1.504   
    dev                  1.3.3   
    schematics           1.3.4   
    sdk-gen              0.1.9   
    IBM-Containers       1.0.1058 

     


  • B@t
    2 Posts

    Re: ISAM-OpenLDAP image fails to start on IBM Cloud

    ‏2018-06-26T09:55:22Z  
    Thanks Jon!

    After adding --copy-service to yaml file, it worked!

  • yousuke@jp.ibm.com
    2 Posts

    Re: ISAM-OpenLDAP image fails to start on IBM Cloud

    ‏2018-06-27T02:09:54Z  
    Thanks, Jon.

     

    It worked for me, too!