App Connect


Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

  • 1.  Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Wed November 05, 2025 11:40 AM

    Description:

    Hello IBM Support Team,

    I have created a custom IBM ACE Docker image using the base image ibmcom/ace:11.0.0.6.3-amd64.
    The image builds successfully and runs locally, but when I deploy it to Red Hat OpenShift, the pod repeatedly goes into a CrashLoopBackOff state.

    Below are the key details:


    Dockerfile Used

    FROM ibmcom/ace:11.0.0.6.3-amd64

    ENV LICENSE=accept
    ENV LANG=en_US.UTF-8
    ENV ACE_SERVER_NAME=MyIntegrationServer2
    ENV ACE_WORK_DIR=/home/aceuser/ace-server

    # Copy BAR file
    COPY bar/http_app.bar /home/aceuser/initial-config/bars/

    # Switch to root to set permissions
    USER root

    # Make all necessary directories and fix permissions
    RUN mkdir -p /home/aceuser/ace-server \
        /var/mqsi/registry/utility/HASharedWorkPath && \
        chown -R 1001:0 /home/aceuser /var/mqsi && \
        chmod -R g+rwX /home/aceuser /var/mqsi && \
        chmod -R 777 /home/aceuser /var/mqsi

    # Return to non-root user (OpenShift random UID)
    USER 1001

    EXPOSE 7600 7800

    CMD ["IntegrationServer", "--name", "MyIntegrationServer2", "--work-dir", "/home/aceuser/ace-server"]

    Error Observed in Pod Logs

    BIP8081E: An error occurred while processing the command. An error occurred while the command was running; the command has cleaned up and ended. Use messages prior to this one to determine the cause of the error. Check for some common problems: Does the user id have the correct authorities (for example a member of the mqbrkrs group)? Is any operating system limit set too low to allow the command to run? Is the environment correctly set up? Correct the problem and retry the command, otherwise, contact your IBM support center.
    Error: Failed to find level
    2025-11-04T12:55:56.025Z Error getting ACE build type: Output: Failed to open file /var/mqsi/registry/utility/HASharedWorkPath with error Permission denied
    BIP2113E: IBM App Connect Enterprise internal error: diagnostic information ''Permission denied'', '13', ''/var/mqsi/registry/utility/HASharedWorkPath''.

    Additional Details

    • Platform: Red Hat OpenShift Developer Sandbox

    • Namespace: khotbaba-111-dev

    • Deployment Type: Custom-built ACE image deployed using oc new-app

    • Pod Status: CrashLoopBackOff

    • ACE Version: 11.0.0.6.3-amd64


    Request for Assistance

    Could you please review this configuration and suggest:

    1. If any specific directories under /var/mqsi or /home/aceuser require different permissions or ownerships when running on OpenShift's restricted SCC.

    2. Whether IBM recommends a different USER or file permission strategy for ACE base images on OpenShift.

    3. Any known fixes or ACE base image versions that resolve this "Permission denied" issue with /var/mqsi/registry/utility/HASharedWorkPath.



    ------------------------------
    HEMANT KHOT
    ------------------------------


  • 2.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Thu November 06, 2025 08:06 AM
    Edited by Francois Brandelik Thu November 06, 2025 08:10 AM

    Have you tried deploying the base image instead of the custom one and do you get the same result or a different one?

    What group has permissions on the Integration server's path?

    Is the user running the integration a member of the mqbrkrs group?



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 3.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Thu November 06, 2025 09:44 AM

    Hi Francois,

    Thank you for the quick response.

    Here are my findings based on your questions:

    1. Base Image Deployment Result:
    Yes, I have also tried deploying the base image ibmcom/ace:11.0.0.6.3-amd64 directly on the same OpenShift project (khotbaba-111-dev).
    The result is the same - the pod immediately goes into a CrashLoopBackOff state with the same permission error on
    /var/mqsi/registry/utility/HASharedWorkPath.

    This confirms that the issue occurs even without any custom modifications to the image.


    2. Group Permissions on Integration Server Path:
    I have ensured that both /home/aceuser and /var/mqsi directories have the following permissions:

    chown -R 1001:0 /home/aceuser /var/mqsi
    chmod -R g+rwX /home/aceuser /var/mqsi

    Additionally, for troubleshooting, I temporarily set full permissions:

    chmod -R 777 /home/aceuser /var/mqsi

    However, the error persists, suggesting it might be related to how OpenShift's restricted SCC assigns a random UID at runtime.


    3. mqbrkrs Group Membership:
    Since OpenShift runs the container under a random UID (not necessarily 1001 or a member of any predefined group like mqbrkrs), I suspect the integration process might not have the necessary group membership during runtime.

    Could you please confirm if IBM ACE requires the running user to belong specifically to the mqbrkrs group even when deployed on OpenShift with random UIDs?
    If so, would IBM recommend using a custom SCC or adding supplementalGroups in the Deployment definition to grant that access safely?


    Best regards,
    Hemant Khot



    ------------------------------
    HEMANT KHOT
    ------------------------------



  • 4.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Thu November 06, 2025 11:46 AM
    Edited by Francois Brandelik Thu November 06, 2025 11:47 AM

    I believe the problem is with your chown command.

    Who is group 0?

    Why not do chown 1001:1001?

    It would probably be better to give it the group name instead of just the GID

    like chown mqbrkrs:mqbrkrs ...


    ------------------------------
    Francois Brandelik
    ------------------------------



  • 5.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Thu November 06, 2025 01:36 PM

    Hi Francois,

    Thank you for your suggestion.

    I have tried updating the chown command to use mqbrkrs:mqbrkrs as you recommended, and I also tried 1001:1001. Unfortunately, the pod still goes into a CrashLoopBackOff with the same permission error on /var/mqsi/registry/utility/HASharedWorkPath.

    I am deploying this on Red Hat OpenShift Developer Sandbox. I have the following available for review:

    • Dockerfile

    • BAR file

    • Pod logs

    • The exact steps I followed for building, pushing, and deploying the image on OpenShift

    Could you please check and guide if this issue can be resolved, or if there is a different recommended approach for running IBM ACE on OpenShift's restricted SCC?

    Best regards,
    Hemant Khot



    ------------------------------
    HEMANT KHOT
    ------------------------------



  • 6.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Fri November 07, 2025 01:07 AM

    Have you tried deploying using CP4I and the relevant operator?



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 7.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Fri November 07, 2025 12:07 PM

    Hi Francois,

    Thanks for the suggestion. Unfortunately, I couldn't find any free or sandbox version of CP4I (Cloud Pak for Integration) available for hands-on use, so I haven't had the chance to deploy using the CP4I operator yet.

    If there's any trial environment or guide available for trying out CP4I, could you please share it? I'd really like to go through it and try deploying via the operator.



    ------------------------------
    HEMANT KHOT
    ------------------------------



  • 8.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Fri November 07, 2025 04:03 AM

    Hi Hemant,

    As per the document, 

    USER root
    RUN chown -R aceuser:aceuser /home/aceuser/initial-config /home/aceuser/ace-server
    USER aceuser

    only these changes are given, but what you shared is:

    # Switch to root to set permissions
    USER root

    # Make all necessary directories and fix permissions
    RUN mkdir -p /home/aceuser/ace-server \
        /var/mqsi/registry/utility/HASharedWorkPath && \
        chown -R 1001:0 /home/aceuser /var/mqsi && \
        chmod -R g+rwX /home/aceuser /var/mqsi && \
        chmod -R 777 /home/aceuser /var/mqsi

    Could you please let me know why such changes are required? 



    ------------------------------
    Abhishek Sahani
    ------------------------------



  • 9.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Fri November 07, 2025 12:05 PM

    Hi Abhishek,

    In OpenShift environments, containers don't always run as the fixed user aceuser.
    Instead, OpenShift enforces Security Context Constraints (SCC) which run the container using a random non-root UID (for example, 1001), belonging to the root group (gid 0).

    Because of this:

    • Files owned only by aceuser:aceuser may become inaccessible when OpenShift assigns a different UID at runtime.

    • To ensure the container runs safely without requiring root privileges, we pre-set ownership and group permissions on all relevant directories (/home/aceuser and /var/mqsi).

    • The command chown -R 1001:0 and chmod -R g+rwX (or 777 in some cases) make sure that whichever user OpenShift assigns can still read/write the required paths.

    In short: These extra permission commands make the image OpenShift-compatible and non-root ready, following Red Hat container security guidelines.

    So, while the basic example (USER root → chown → USER aceuser) works fine on Docker or plain Kubernetes,
    OpenShift needs slightly broader permissions to support its security model.



    ------------------------------
    HEMANT KHOT
    ------------------------------
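
Added example, not part of any post in this thread and not IBM code: the group-0 model described in post 9 can be checked directly against a directory tree. The shell functions below (the names `audit_tree` and `make_sample_tree` are this example's own) report entries whose group ownership or group bits do not give the stated group read/write access, and flag world-writable entries such as those left by a `chmod -R 777`.

```shell
# Added example, not code from the thread or from IBM.
# audit_tree DIR [GID]: report entries under DIR whose group ownership or
# group bits do not give group GID (default 0) read/write access, plus
# world-writable entries such as those left by a troubleshooting chmod 777.
audit_tree() {
    dir=$1
    gid=${2:-0}
    findings=$(
        {
            # Group permission bits only help if the entry belongs to GID.
            find "$dir" ! -type l ! -group "$gid" -print | sed 's/^/wrong-group /'
            # Directories need group rwx to be entered, listed and written into.
            find "$dir" -type d ! -perm -070 -print | sed 's/^/dir-not-g+rwx /'
            # Regular files need group rw.
            find "$dir" -type f ! -perm -060 -print | sed 's/^/file-not-g+rw /'
            # World-writable: broader than the group model requires.
            find "$dir" ! -type l -perm -002 -print | sed 's/^/world-writable /'
        } | sort
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a scratch tree standing in for the image's /var/mqsi,
# writable by its owner only, as an image built for one fixed user ships it.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/mqsi/registry/utility"
    : > "$tmp/var/mqsi/registry/utility/HASharedWorkPath"
    chmod -R u=rwX,g=rX,o= "$tmp"
    printf '%s\n' "$tmp"
}
```

Run as `audit_tree /var/mqsi 0` in a build stage or in a shell inside the container; no output and exit status 0 mean every entry is group-owned by gid 0, group-writable, and not world-writable.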



  • 10.  RE: Permission denied error while deploying IBM ACE Docker image on Red Hat OpenShift

    Posted Sat November 08, 2025 03:31 AM

    Hi Hemant,

    You just have to make a service account and role bindings and apply them to your deployments.yaml file (or else delete the deployment.yaml file and try the below):

    Copy and paste it from the UI: click on the '+' icon and paste the below directly after deleting the .yaml file:

    # --- ServiceAccount for ACE ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ace-sa
      namespace: ace-dev
    ---
    # --- RoleBinding to allow ace-sa to use anyuid SCC ---
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: ace-anyuid
      namespace: ace-dev
    subjects:
      - kind: ServiceAccount
        name: ace-sa
        namespace: ace-dev
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:openshift:scc:anyuid
    ---
    # --- Deployment for ACE app ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: my-ace-app
      namespace: ace-dev
      labels:
        app: my-ace-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: my-ace-app
      template:
        metadata:
          labels:
            app: my-ace-app
        spec:
          serviceAccountName: ace-sa       
          securityContext:
            runAsUser: 1000                
            fsGroup: 1000
          containers:
            - name: my-ace-app
              image: image-registry.openshift-image-registry.svc:5000/ace-dev/my-ace-app:latest
              imagePullPolicy: IfNotPresent
              ports:
                - containerPort: 7600
                  protocol: TCP
                - containerPort: 7800
                  protocol: TCP
                - containerPort: 7843
                  protocol: TCP
                - containerPort: 9483
                  protocol: TCP
              resources: {}
              securityContext:
                runAsUser: 1000
                allowPrivilegeEscalation: false
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
          restartPolicy: Always
          dnsPolicy: ClusterFirst
          schedulerName: default-scheduler
          terminationGracePeriodSeconds: 30
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 25%
          maxSurge: 25%
      revisionHistoryLimit: 10
      progressDeadlineSeconds: 600

    Just change the namespace to your project name. It will work.



    ------------------------------
    Abhishek Sahani
    ------------------------------
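
Added example, not part of the original post: binding `ace-sa` to `system:openshift:scc:anyuid` applies to every pod that runs under that service account, so a manifest review should list which workloads that is. The function name `scc_workloads`, the line-oriented parsing and the trimmed sample manifest are this example's own assumptions.

```shell
# Added example, not from the thread: report Deployments whose ServiceAccount
# is bound to an SCC ClusterRole. Assumes block-style YAML laid out like the
# manifest in the post, subjects in the binding namespace; not a YAML parser.
scc_workloads() {
    awk '
    function flush(   i) {
        if (kind == "RoleBinding" && scc != "")
            for (i = 1; i <= n; i++) grant[ns "/" sa[i]] = scc
        if (kind == "Deployment" && podsa != "") { wl[++w] = name; wlsa[w] = ns "/" podsa }
        kind = scc = name = ns = podsa = subjkind = ""; n = 0
    }
    /^---/      { flush(); next }                  # document separator
    /^[A-Za-z]/ { sec = $1 }                       # current top-level key
    /^kind:/    { kind = $2 }
    sec == "metadata:" && $1 == "name:"      { name = $2 }
    sec == "metadata:" && $1 == "namespace:" { ns = $2 }
    sec == "subjects:" && $2 == "kind:"      { subjkind = $3 }
    sec == "subjects:" && $1 == "name:" && subjkind == "ServiceAccount" { sa[++n] = $2 }
    sec == "roleRef:" && $1 == "name:" && $2 ~ /^system:openshift:scc:/ { scc = substr($2, 22) }
    $1 == "serviceAccountName:" { podsa = $2 }
    END { flush(); for (i = 1; i <= w; i++) if (wlsa[i] in grant) print wl[i], wlsa[i], grant[wlsa[i]] }
    ' "$@"
}

# Constructed sample: the RoleBinding from the post and a trimmed Deployment.
sample_manifest() {
    cat <<'EOF'
kind: RoleBinding
metadata:
  name: ace-anyuid
  namespace: ace-dev
subjects:
  - kind: ServiceAccount
    name: ace-sa
roleRef:
  kind: ClusterRole
  name: system:openshift:scc:anyuid
---
kind: Deployment
metadata:
  name: my-ace-app
  namespace: ace-dev
spec:
  template:
    spec:
      serviceAccountName: ace-sa
EOF
}
```

`scc_workloads` reads manifest files given as arguments or standard input and prints one line per match: workload name, namespace/service account, and SCC name.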