WSO2 APIM OpenShift Deployment Experience

-

Hello Guys, In this blog I am going to share my experience in WSO2 API Manager OpenShift deployment where I faced some issues with respect to Persistent Volumes/ Persistent Volume Claims.

Environment
  • OpenShift Version 4.x
  • WSO2 APIM version 3.2.0.x
Use Case 1- runAsUser SecurityContext
I have tried to apply the template yaml to create the resources, following error encountered

[userdemo@mycustomhost yaml]$ oc get pods
NAME                                                          READY   STATUS   RESTARTS   AGE
wso2am-pattern-1-am-analytics-dashboard-deployment-1-deploy   0/1     Error    0          13m
wso2am-pattern-1-am-analytics-worker-2-deployment-1-deploy    0/1     Error    0          13m
wso2am-pattern-1-am-analytics-worker-deployment-1-deploy      0/1     Error    0          13m
[appadmin1@apiextappppsb01 yaml]$ oc logs -f wso2am-pattern-1-am-analytics-dashboard-deployment-1-deploy
--> Scaling wso2am-pattern-1-am-analytics-dashboard-deployment-1 to 1
-->  FailedCreate: wso2am-pattern-1-am-analytics-dashboard-deployment-1 Error creating: pods "wso2am-pattern-1-am-analytics-dashboard-deployment-1-" is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.runAsUser: Invalid value: 1000660802: must be in the ranges: [1000690000, 1000699999] spec.containers[0].securityContext.runAsUser: Invalid value: 1000660802: must be in the ranges: [1000690000, 1000699999]]
error: update acceptor rejected wso2am-pattern-1-am-analytics-dashboard-deployment-1: pods for rc 'apim-pp/wso2am-pattern-1-am-analytics-dashboard-deployment-1' took longer than 600 seconds to become available
Cause
The template yaml contains following configuration that caused the issue-

securityContext:
          runAsUser: 1000660802

Due to this configuration, OpenShift checks for the user id 1000660802 permissions. The permissions are not found for this user id hence error occured. Further error also provides a suggestion to use the runAsUser in range [1000690000, 1000699999]. 

Solution
So the template yaml value for runAsUser need to be changed as per the range suggested. 

Scenaio2- Permission issue on Persistent Volume
When template applied, the pods went CrashLoopBackOff with below error logs
[appadmin1@apiextappppsb01 yaml]$ oc logs -f wso2am-pattern-1-am-1-deployment-0
cp: cannot create regular file '/home/wso2carbon/wso2am-3.2.0.85/repository/deployment/server/executionplans/carbon.super_app_10PerMin.siddhiql': Permission denied
cp: cannot create regular file '/home/wso2carbon/wso2am-3.2.0.85/repository/deployment/server/executionplans/carbon.super_app_20PerMin.siddhiql': Permission denied
cp: cannot create regular file '/home/wso2carbon/wso2am-3.2.0.85/repository/deployment/server/executionplans/carbon.super_app_50PerMin.siddhiql': Permission denied
cp: cannot create regular file '/home/wso2carbon/wso2am-3.2.0.85/repository/deployment/server/executionplans/carbon.super_resource_10KPerMin_default.siddhiql': Permission denied
Cause
The user doesn't have necessary read/write permission on PVs attached to the pods/containers

Solution
OpenShift Administrator must grant the read/write permission to the user. E.g. the docker image built using the Dockerfile contains following code-
# set Docker image build arguments
# build arguments for user/group configurations
ARG USER=wso2carbon
ARG USER_ID=1000690802
ARG USER_GROUP=wso2
ARG USER_GROUP_ID=1000690802

So in this case, The template yaml should contain the same user id (runAsUser) and OpenShift Admin must grant read/write permission to the USER_ID 1000690802.

Comments

Post a Comment

Popular posts from this blog

Oracle SOA Suite- Implementing Email Notification

-
Image
In this post, I am going to show how to implement email notifications in Oracle SOA Suite using BPEL process. So let's get started- Implementing email notification in Oracle SOA Suite consists of below steps: Environment- IDE- Oracle jDeveloper 11g Weblogic Server 12c Oracle SOA Suite 12c High Level Steps Keep ready email server settings. Configure & enable usermessagingdriver-email for target SOA servers via console. Setting up Email driver (usermessagingdriver-email )with email server settings via enterprise manager. Enable notifications for SOA workflows(make sure either All or EMail option is selected).. Create SOA composite application Deploy it on SOA server. Testing & done. 1. Keep ready email server settings. Keep ready your below email server settings: Outgoing Mail Server          : smtp.domain.com Outgoing Mail Server Port   : xxx Default From Address         : username@doamin.com Outgoing Username            : actualemailid@doma
Read more

Oracle SOA Suite 12c- PKIX path building failed & unable to find valid certification path to requested target

-
Image
Hi Everyone, in this blog I'll be writing one of the strange issue that has been encountered while working with a Oracle SOA composite running in Oracle IDAM environment and trying to invoke a SSL based remote service where SSL certification based exception has been thrown during the service invocation. Environment Oracle SOA Suite 12c  (HA Mode) Oracle IDAM 12c (HA Mode) Oracle Linux 7 External Web Service (SOAP Service) Problem Below is the exception thrown when trying to invoke an external webservice (SSL Based) via BPEL process- <bpelFault><faultType>0</faultType><remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><part name="summary"><summary>oracle.fabric.common.FabricInvocationException: Unable to invoke endpoint URI "https://idam.uppclonline.com/soa-infra/services/default/DefaultOperationalApproval!5.12*soa_69e4734b-d8fe-4edf-b44e-e287f61c2ddf/SMSNotification%23ApprovalProcess/SMSNotification" succe
Read more

Migration of Oracle SOA Suite Composite from 11g to 12c

-
Image
Recently I have came across a scenario where I have a business requirement of  migration of Oracle SOA Suite 11g(11.1.1.7.0) to 12c(12.1.3.0). Below are the different mechanisms I have tried to do, few of them failed and one succeeded. Working in Oracle SOA Suite 11g is completely different from 12c. In 11g, we need to install the jDeveloper(11.1.1.7) then SOA extension separately to be installed either via offline file  (download available at  https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/156082.xml ) or through jDeveloper top menu >>  Help >> Check for Updates >> SOA Extension.  While working with 12c doesn't involves such tedious job. Only single installer is required for jDeveloper/SOA/Weblogic and is available as QuickStart Installer(download available at https://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html). Approach 1- Compress(Zip) SOA composite code of 11g version (11.1.1.7.0) and unzip to a differe
Read more