IBM Security Verify

  • 1.  IBM Application Gateway (IAG) and readOnly filesystem in kubernetes pod

    Posted Tue March 29, 2022 06:28 AM
    There are several good reasons to have readOnly filesystem for containers running in kubernetes.
    For instance:

    When I run the ibm-application-gateway image in a container with readOnly filesystem, I get some error messages, among those:
    DPWIV1219E An SSL toolkit failure occurred while calling GSKKM_CreateNewKeyDbEx. Error: GSKKM_ERR_DATABASE_CREATE.
    IAGPD0136E Failed to apply configuration data from: 'default'.
    DPWIV1219E An SSL toolkit failure occurred while calling GSKKM_OpenKeyDb. Error: GSKKM_ERR_KEYDB_NOT_EXIST.

    Normally to get around this we mount an emptyDir at the location where the application needs to write files, which allows for write operations. However, I did not succeed with this. Would it be possible to list all the locations IAG needs to write files at startup, so I can try to mount emptyDirs at those locations? Currently, to get it to work I have to run with readOnlyFilesystem = false, which is not ideal.


    ------------------------------
    S Kjemp
    ------------------------------
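    The emptyDir pattern described in the question, as an added example that is not part of the original post or of IBM's documentation. The mountPath values are placeholders (the thread does not say where IAG writes its key database), and the image tag is assumed.

```yaml
# Added example: hardened Pod spec with a read-only root filesystem plus
# emptyDir scratch volumes at the paths the container must write to.
# The mountPath values below are PLACEHOLDERS (assumed, not from the thread):
# IBM does not publish IAG's write locations, and the reply in this thread
# states that running IAG on a read-only filesystem is not supported.
apiVersion: v1
kind: Pod
metadata:
  name: iag-readonly-example
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: iag
      image: ibm-application-gateway:PLACEHOLDER-TAG   # image name from the question; tag assumed
      securityContext:
        readOnlyRootFilesystem: true      # the hardening setting the question is about
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        # Each writable location gets its own emptyDir; everything else
        # on the image filesystem stays immutable for the life of the pod.
        - name: iag-keydb
          mountPath: /PLACEHOLDER/iag-keydb-dir      # where the SSL key database would be created (assumed)
        - name: iag-runtime
          mountPath: /PLACEHOLDER/iag-runtime-dir    # other startup-time writes (assumed)
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: iag-keydb
      emptyDir: {}
    - name: iag-runtime
      emptyDir: {}
    - name: tmp
      emptyDir:
        medium: Memory   # optional: keep scratch data off the node disk
```

A quick check after deploying is to run `kubectl exec <pod> -- touch /should-be-readonly` and confirm it fails, while the same `touch` under an emptyDir mount succeeds; writes that land outside the mounted paths are the ones that surface as startup errors like the DPWIV1219E messages above.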


  • 2.  RE: IBM Application Gateway (IAG) and readOnly filesystem in kubernetes pod

    Posted Tue March 29, 2022 05:07 PM

    Unfortunately, IAG does not currently support running on a read-only file system.  It is true that time could be spent to work out where it needs to write files, and then you could individually mount these directories as volumes, but this would not be reliable because it is not officially supported – and the developers are at liberty to change these directories at any time.  I would suggest that if you need this capability that you raise an 'Idea' against the product.

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: IBM Application Gateway (IAG) and readOnly filesystem in kubernetes pod

    IBM Champion
    Posted Wed March 30, 2022 08:41 AM
    If you open an idea on this I'd be willing to "vote" on it if there is a way to do that.  This is an interesting conversation.  I'm surprised I have not been asked about this for the ISVA containers we run, but I suspect because containers are a rather new technology that just has not made it to their checklists.  However, knowing these products over the years and seeing how they were adapted to containers, I suspect this would be a difficult ask for the developers.

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 4.  RE: IBM Application Gateway (IAG) and readOnly filesystem in kubernetes pod

    Posted Mon April 25, 2022 09:36 AM
    Hello, I created an idea on this subject: Support running IAG with readOnly filesystem in | IBM Security Verify

    ------------------------------
    S Kjemp
    ------------------------------