I think I made a small amount of progress by modifying the Vault deployment to not require running as root anymore:

```Dockerfile
# vault.Dockerfile
FROM hashicorp/vault:1.14.5
RUN setcap cap_ipc_lock=+ep /bin/vault
```

```sh
docker build -t hashicorp-vault:local -f vault.Dockerfile .
```

```yaml
# vault.compose-overrides.yml
services:
  vault:
    image: hashicorp-vault:local
    environment:
      # being done in the Dockerfile with extra permissions
      SKIP_SETCAP: "true"
    tmpfs:
      # /vault/config already exists with other permissions, so mode must be set here to avoid a permissions error
      - /vault/config:mode=01777
    # non-root user
    user: vault
```

```console
Executing task: docker exec -it db860af3e647e38af50dc83aaee3e7664b85ba3f7adc39d0eb038efb7bf63d00 sh
/ $ whoami
vault
```

It does seem to work correctly in the default (non-rootless) Docker context, though (tokens get generated and I can run application and device services), so it may be an improvement for the existing Vault service definition. Not requiring a root user for any of the services in the future would be the best-case scenario, in my opinion.
One solution that we were able to find is to disable Vault's use of

```yaml
services:
  vault:
    environment:
      VAULT_DISABLE_MLOCK: "true"
    mem_limit: 200M
    memswap_limit: 200M
```

This leaves all the defined user accounts and settings in place. Containers are still allowed to use their own

For spiffe/spire, the only modification is changing the

```yaml
services:
  security-spire-agent:
    volumes:
      - type: bind
        source: /run/user/1000/docker.sock
        target: /var/run/docker.sock
        bind:
          create_host_path: true
```

Please let me know if you have any other suggestions.
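The two replies above change the Vault service in three ways (a non-root `user:`, `VAULT_DISABLE_MLOCK`, and `mem_limit`/`memswap_limit`) and bind-mount the rootless Docker socket into the spire agent. The script below is an added example, not EdgeX Foundry or HashiCorp code: it reads the JSON that `docker inspect <container>` prints and reports whether those settings are actually in effect on a running stack, so the result of an override file can be checked rather than assumed. The two inspect documents embedded in it are constructed samples modelled on the before and after states in this thread, not captured output. One caveat it encodes: the file capability set by `setcap` in the Dockerfile is not visible in `docker inspect`, so that must be verified with `getcap` inside the container; and a bind-mounted `docker.sock` gives the container full control of the Docker daemon, rootless or not, which is worth flagging wherever it appears.

```python
"""Audit `docker inspect` JSON for the Vault hardening discussed in this thread.

Added example, not EdgeX Foundry or HashiCorp code. Usage on a live stack:
    docker inspect edgex-vault | python audit_vault.py
"""
import json
import sys
from typing import Any, Dict, List, Optional

# Constructed sample modelled on the original Vault service: empty User
# (image default), no memory limit, mlock left enabled, IPC_LOCK added.
ORIGINAL_INSPECT = json.dumps([{
    "Name": "/edgex-vault",
    "Config": {"User": "", "Env": ["PATH=/usr/local/bin:/bin",
                                   "VAULT_ADDR=http://127.0.0.1:8200"]},
    "HostConfig": {"Memory": 0, "MemorySwap": 0, "CapAdd": ["IPC_LOCK"]},
    "Mounts": [{"Type": "volume", "Source": "vault-config",
                "Destination": "/vault/config"}],
}])

# Constructed sample modelled on the two replies: non-root user,
# VAULT_DISABLE_MLOCK, 200M limits. The docker.sock bind mount from the
# spire-agent snippet is included to show how the check reports it.
HARDENED_INSPECT = json.dumps([{
    "Name": "/edgex-vault",
    "Config": {"User": "vault", "Env": ["VAULT_DISABLE_MLOCK=true",
                                        "SKIP_SETCAP=true"]},
    "HostConfig": {"Memory": 209715200, "MemorySwap": 209715200,
                   "CapAdd": None},
    "Mounts": [
        {"Type": "tmpfs", "Source": "", "Destination": "/vault/config"},
        {"Type": "bind", "Source": "/run/user/1000/docker.sock",
         "Destination": "/var/run/docker.sock"},
    ],
}])


def env_map(env: Optional[List[str]]) -> Dict[str, str]:
    """Turn docker's ["KEY=VALUE", ...] environment list into a dict."""
    out: Dict[str, str] = {}
    for item in env or []:
        key, sep, value = item.partition("=")
        out[key] = value if sep else ""
    return out


def audit_container(inspect_json: str) -> Dict[str, Any]:
    """Return the security-relevant facts for the first container in the JSON."""
    c = json.loads(inspect_json)[0]
    config = c.get("Config") or {}
    host = c.get("HostConfig") or {}
    env = env_map(config.get("Env"))
    # Config.User may be "name", "uid", "name:group" or "uid:gid".
    user = (config.get("User") or "").split(":")[0]
    mounts = c.get("Mounts") or []
    return {
        "name": (c.get("Name") or "").lstrip("/"),
        # Empty User means the image default; the official Vault image's
        # entrypoint starts as root so it can run setcap itself.
        "runs_as_root": user in ("", "root", "0"),
        "mlock_disabled": env.get("VAULT_DISABLE_MLOCK", "").lower() == "true",
        "ipc_lock_cap_added": "IPC_LOCK" in (host.get("CapAdd") or []),
        # HostConfig.Memory of 0 means unlimited (compose mem_limit unset).
        "memory_limited": (host.get("Memory") or 0) > 0,
        "docker_socket_mounted": any(
            m.get("Type") == "bind"
            and (m.get("Source") or "").endswith("docker.sock")
            for m in mounts
        ),
    }


def findings(report: Dict[str, Any]) -> List[str]:
    """Translate the audit dict into human-readable warnings."""
    msgs = []
    if report["runs_as_root"]:
        msgs.append("container starts as root; set `user:` to an unprivileged account")
    if not report["mlock_disabled"] and not report["ipc_lock_cap_added"]:
        # File capabilities set with setcap in the image are not visible here;
        # confirm with `getcap /bin/vault` inside the container before trusting this.
        msgs.append("mlock enabled and IPC_LOCK not added via cap_add; "
                    "verify the binary's file capability with getcap")
    if not report["memory_limited"]:
        msgs.append("no memory limit; set mem_limit/memswap_limit")
    if report["docker_socket_mounted"]:
        msgs.append("Docker socket bind-mounted; container can control the Docker daemon")
    return msgs


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else HARDENED_INSPECT
    report = audit_container(data)
    print(report["name"])
    for msg in findings(report) or ["no findings"]:
        print("  -", msg)
```

Pipe the real `docker inspect` output in to audit a running container; with no input on stdin the script audits the constructed hardened sample, which reports only the Docker socket mount.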
Have there been any attempts to make EdgeX Foundry work with Docker running in rootless mode?
Rootless mode has been installed via the official Docker documentation on Ubuntu 22.04.
```console
$ docker context ls
NAME         DESCRIPTION                               DOCKER ENDPOINT                     ERROR
default      Current DOCKER_HOST based configuration   unix:///var/run/docker.sock
rootless *   Rootless mode                             unix:///run/user/1000/docker.sock
```
I did a quick test and found that the no-security build (Napa) works well (confirmed UI is running, and device-virtual is generating data). 👍🏻
However, the build with security enabled fails when Vault accepts requests from secretstore-setup and runs out of memory. The containers then restart and this process continues indefinitely.
secretstore-setup logs
vault logs
Thanks in advance for any information you're able to provide. I'll update here if I find anything interesting while I'm looking into it on my own.