aserto-dev/topaz

Unable to run with policy from local OCI store

ronenh opened this issue · 0 comments

The -l <image>:<tag> option in topaz configure should cause topaz start to load the specified image from the local OCI store. But topaz fails to start because the local store (in ~/.policy by default) isn't mounted into the topaz container.

❯ topaz configure -d -s -l ghcr.io/my-policies/policy:latest
>>> configure policy
using local policy image: ghcr.io/my-policies/policy:latest

❯ topaz run
>>> starting topaz...
{"level":"info","component":"config","existing-files":["/certs/grpc-ca.crt","/certs/grpc.crt","/certs/grpc.key","/certs/gateway-ca.crt","/certs/gateway.crt","/certs/gateway.key"],"time":"2023-04-18T20:14:21Z","message":"some cert files already exist, skipping generation"}
{"level":"info","name":"ds.user","time":"2023-04-18T20:14:21Z","message":"registering builtin1"}
{"level":"info","name":"ds.object","time":"2023-04-18T20:14:21Z","message":"registering builtin1"}
{"level":"info","name":"ds.relation","time":"2023-04-18T20:14:21Z","message":"registering builtin1"}
{"level":"info","name":"ds.graph","time":"2023-04-18T20:14:21Z","message":"registering builtin1"}
{"level":"info","name":"ds.check_relation","time":"2023-04-18T20:14:21Z","message":"registering builtin1"}
{"level":"info","name":"ds.check_permission","time":"2023-04-18T20:14:21Z","message":"registering builtin1"}
{"level":"info","name":"ds.identity","time":"2023-04-18T20:14:21Z","message":"registering builtin1"}
{"level":"info","component":"runtime","instance-id":"-","time":"2023-04-18T20:14:21Z","message":"creating OPA plugins manager"}
{"level":"warn","component":"runtime","instance-id":"-","error":"open /root/.policy/policies-root/index.json: no such file or directory","time":"2023-04-18T20:14:22Z","message":"Could not load configured local policy image"}
{"level":"info","component":"runtime","instance-id":"-","path":"","time":"2023-04-18T20:14:22Z","message":"Loading local bundle"}
{"level":"info","component":"api.edge-server","time":"2023-04-18T20:14:22Z","message":"Server stopping."}
{"level":"info","log-source":"std","time":"2023-04-18T20:14:22Z","message":"2023/04/18 20:14:22 failed to setup plugin manager: local bundle load error: load bundle from local path '': error reading \"\": stat : no such file or directory\n"}
topaz: error: running "docker run -ti --rm --name topaz --platform=linux/amd64 -p 8282:8282 -p 8383:8383 -p 8484:8484 -p 9292:9292 -v /Users/foo/.config/topaz/certs:/certs:rw -v /Users/foo/.config/topaz/cfg:/config:ro -v /Users/foo/.config/topaz/db:/db:rw ghcr.io/aserto-dev/topaz:latest run --config-file /config/config.yaml" failed with exit code 1
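An added example, not part of the issue or of topaz's own code: it cross-checks the two facts in the report by pulling the missing container path out of the JSON log and testing whether any `-v` bind mount in the failing `docker run` command covers it. The function names are hypothetical, the sample input is constructed by abridging the output quoted above, and POSIX-style paths are assumed.

```python
import json
import posixpath
import re
import shlex

# Constructed sample input, abridged from the log and docker command quoted in the issue.
LOG_LINES = [
    '{"level":"info","component":"runtime","instance-id":"-","time":"2023-04-18T20:14:21Z","message":"creating OPA plugins manager"}',
    '{"level":"warn","component":"runtime","instance-id":"-","error":"open /root/.policy/policies-root/index.json: no such file or directory","time":"2023-04-18T20:14:22Z","message":"Could not load configured local policy image"}',
]
DOCKER_CMD = (
    "docker run -ti --rm --name topaz --platform=linux/amd64 -p 8282:8282 "
    "-v /Users/foo/.config/topaz/certs:/certs:rw "
    "-v /Users/foo/.config/topaz/cfg:/config:ro "
    "-v /Users/foo/.config/topaz/db:/db:rw "
    "ghcr.io/aserto-dev/topaz:latest run --config-file /config/config.yaml"
)

def missing_paths(log_lines):
    """Container paths named in 'open <path>: no such file or directory' errors."""
    paths = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines such as the CLI banner
        m = re.match(r"open (\S+): no such file or directory", entry.get("error", ""))
        if m:
            paths.append(m.group(1))
    return paths

def container_mounts(docker_cmd):
    """Container-side target of each '-v host:container[:mode]' argument."""
    args = shlex.split(docker_cmd)
    targets = []
    for flag, value in zip(args, args[1:]):
        if flag in ("-v", "--volume"):
            parts = value.split(":")
            targets.append(parts[1] if len(parts) > 1 else parts[0])
    return targets

def unmounted(log_lines, docker_cmd):
    """Missing paths that no bind mount in the docker command covers."""
    mounts = [posixpath.normpath(t) for t in container_mounts(docker_cmd)]
    return [p for p in missing_paths(log_lines)
            if not any(posixpath.commonpath([p, t]) == t for t in mounts)]

if __name__ == "__main__":
    print(unmounted(LOG_LINES, DOCKER_CMD))
```

On the sample input the check reports the `index.json` path under `/root/.policy`, which matches the report: only `/certs`, `/config` and `/db` are mounted into the container.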