WSO2 APIM OpenShift Deployment Experience

Hello guys, in this blog I am going to share my experience with a WSO2 API Manager deployment on OpenShift, where I faced some issues with Persistent Volumes / Persistent Volume Claims.

Environment
  • OpenShift Version 4.x
  • WSO2 APIM version 3.2.0.x
Use Case 1 - runAsUser SecurityContext
I tried to apply the template YAML to create the resources, and the following error was encountered:

[userdemo@mycustomhost yaml]$ oc get pods
NAME                                                          READY   STATUS   RESTARTS   AGE
wso2am-pattern-1-am-analytics-dashboard-deployment-1-deploy   0/1     Error    0          13m
wso2am-pattern-1-am-analytics-worker-2-deployment-1-deploy    0/1     Error    0          13m
wso2am-pattern-1-am-analytics-worker-deployment-1-deploy      0/1     Error    0          13m
[appadmin1@apiextappppsb01 yaml]$ oc logs -f wso2am-pattern-1-am-analytics-dashboard-deployment-1-deploy
--> Scaling wso2am-pattern-1-am-analytics-dashboard-deployment-1 to 1
-->  FailedCreate: wso2am-pattern-1-am-analytics-dashboard-deployment-1 Error creating: pods "wso2am-pattern-1-am-analytics-dashboard-deployment-1-" is forbidden: unable to validate against any security context constraint: [spec.initContainers[0].securityContext.runAsUser: Invalid value: 1000660802: must be in the ranges: [1000690000, 1000699999] spec.containers[0].securityContext.runAsUser: Invalid value: 1000660802: must be in the ranges: [1000690000, 1000699999]]
error: update acceptor rejected wso2am-pattern-1-am-analytics-dashboard-deployment-1: pods for rc 'apim-pp/wso2am-pattern-1-am-analytics-dashboard-deployment-1' took longer than 600 seconds to become available
Cause
The template YAML contains the following configuration, which caused the issue:

securityContext:
  runAsUser: 1000660802

Because of this configuration, OpenShift validates the user ID 1000660802 against the security context constraints (SCCs) available to the pod. No constraint permits this user ID, hence the error occurred. The error also states the range that runAsUser must fall in: [1000690000, 1000699999].

Solution
So the runAsUser value in the template YAML needs to be changed to a value within the suggested range.

Scenario 2 - Permission issue on Persistent Volume
When the template was applied, the pods went into CrashLoopBackOff with the error logs below:
[appadmin1@apiextappppsb01 yaml]$ oc logs -f wso2am-pattern-1-am-1-deployment-0
cp: cannot create regular file '/home/wso2carbon/wso2am-3.2.0.85/repository/deployment/server/executionplans/carbon.super_app_10PerMin.siddhiql': Permission denied
cp: cannot create regular file '/home/wso2carbon/wso2am-3.2.0.85/repository/deployment/server/executionplans/carbon.super_app_20PerMin.siddhiql': Permission denied
cp: cannot create regular file '/home/wso2carbon/wso2am-3.2.0.85/repository/deployment/server/executionplans/carbon.super_app_50PerMin.siddhiql': Permission denied
cp: cannot create regular file '/home/wso2carbon/wso2am-3.2.0.85/repository/deployment/server/executionplans/carbon.super_resource_10KPerMin_default.siddhiql': Permission denied
Cause
The user doesn't have the necessary read/write permissions on the PVs attached to the pods/containers.

Solution
The OpenShift administrator must grant read/write permission to the user. For example, the Docker image built from the Dockerfile contains the following code:
# set Docker image build arguments
# build arguments for user/group configurations
ARG USER=wso2carbon
ARG USER_ID=1000690802
ARG USER_GROUP=wso2
ARG USER_GROUP_ID=1000690802

So in this case, the template YAML should contain the same user ID (runAsUser), and the OpenShift admin must grant read/write permission to USER_ID 1000690802.
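A pre-deployment check covering both scenarios above, added here as an example (it is not from the original post or from WSO2's templates): it verifies that every runAsUser in the template falls inside the project's UID range and matches the USER_ID the image was built with. It assumes the range is read from the namespace annotation openshift.io/sa.scc.uid-range in its `<start>/<size>` form; the function names are hypothetical and the sample inputs are constructed from the values quoted in this post.

```python
import re

# Constructed sample inputs, modelled on the values quoted in this post.
UID_RANGE_ANNOTATION = "1000690000/10000"  # openshift.io/sa.scc.uid-range: <start>/<size>
TEMPLATE_YAML = """\
spec:
  initContainers:
    - securityContext:
        runAsUser: 1000660802
  containers:
    - securityContext:
        runAsUser: 1000660802
"""
DOCKERFILE = """\
ARG USER=wso2carbon
ARG USER_ID=1000690802
"""

def parse_uid_range(annotation):
    """Turn '<start>/<size>' into an inclusive (low, high) pair."""
    start, size = (int(p) for p in annotation.split("/"))
    return start, start + size - 1

def run_as_users(template_text):
    """Collect every runAsUser value in the template (line-based, no YAML parser)."""
    return [int(m) for m in re.findall(r"^\s*runAsUser:\s*(\d+)\s*$", template_text, re.M)]

def image_uid(dockerfile_text):
    """Read the default of ARG USER_ID from the Dockerfile, or None if absent."""
    m = re.search(r"^\s*ARG\s+USER_ID=(\d+)\s*$", dockerfile_text, re.M)
    return int(m.group(1)) if m else None

def check(template_text, dockerfile_text, annotation):
    """Return a list of findings; an empty list means the template is consistent."""
    low, high = parse_uid_range(annotation)
    built_uid = image_uid(dockerfile_text)
    findings = []
    for uid in run_as_users(template_text):
        if not low <= uid <= high:
            findings.append(f"runAsUser {uid} outside [{low}, {high}]")
        if built_uid is not None and uid != built_uid:
            findings.append(f"runAsUser {uid} differs from image USER_ID {built_uid}")
    if built_uid is not None and not low <= built_uid <= high:
        findings.append(f"image USER_ID {built_uid} outside [{low}, {high}]")
    return findings

if __name__ == "__main__":
    print("\n".join(check(TEMPLATE_YAML, DOCKERFILE, UID_RANGE_ANNOTATION)))
```

With the constructed inputs, the check reports both containers as out of range and as mismatched with the image's USER_ID; setting runAsUser to 1000690802 clears all findings.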
