kamon-io/kanela

Kanela agent 1.0.6 in a read-only container

Closed this issue · 7 comments

tupol commented

I am trying to run an application with Kamon monitoring and the Kanela agent running in a read-only container (e.g. docker run --read-only ...).
I am getting the following exception:

Unable to start Kanela Agent. Please remove -javaagent from your startup arguments and contact Kanela support.: java.io.IOException: Read-only file system
	at java.io.UnixFileSystem.createFileExclusively(Native Method)
	at java.io.File.createTempFile(File.java:2024)
	at java.io.File.createTempFile(File.java:2070)
	at kanela.agent.util.Jar.lambda$getEmbeddedFile$e1c0ab03$1(Jar.java:44)
	at kanela.agent.libs.io.vavr.control.Try.of(Try.java:75)
	at kanela.agent.util.Jar.getEmbeddedFile(Jar.java:43)
	at kanela.agent.util.Jar.getEmbeddedJar(Jar.java:39)
	at kanela.agent.util.BootstrapInjector.injectJar(BootstrapInjector.java:36)
	at kanela.agent.Kanela.lambda$null$0(Kanela.java:71)
	at kanela.agent.util.classloader.InstrumentationClassPath.use(InstrumentationClassPath.java:84)
	at kanela.agent.Kanela.lambda$start$1(Kanela.java:68)
	at kanela.agent.util.Execution.timed(Execution.java:32)
	at kanela.agent.util.Execution.runWithTimeSpent(Execution.java:41)
	at kanela.agent.Kanela.start(Kanela.java:67)
	at kanela.agent.Kanela.premain(Kanela.java:47)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
	at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:401)

This seems to be related to bootstrapping a jar, maybe the Kanela jar.
Is it possible to put the necessary jar upfront, so no extra copying is required?

tupol commented

Ok, I see now what is happening, and I believe the answer to my own question is yes, but it will require some code changes.

This might be a showstopper for us - not running immutable containers in production.

A self-sufficient jar with the expanded agent, which can be added to a Docker image, would make the resulting image truly immutable.

Anything new about this topic? I recently got the same problem (Kanela agent 1.0.16) with read-only Kubernetes pods and Lagom (1.6.7).

Hey folks! I took a look at this and it seems like the main issue is that Kanela is preparing a temp folder for bootstrap injection. That bootstrap injection thing is necessary if we want to instrument JDK classes and we have had it there since the very start of Kanela, but it is almost never used.

I think we could hide everything related to bootstrap injection behind a flag to fix this issue. I'll add this issue to my work queue. Subscribe to get notified when this gets done. Thanks for the update!

Thanks for the fix for this issue, @ivantopo.
Is it known approximately when a release with this fix will be done?
Until then I am forced to use containers with root write permissions turned on.

Hey @Randerspl, I think this should be out this week. I have a few piled-up fixes that hopefully will ship this week 🙏
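
One way to keep the root filesystem read-only while the agent still gets a writable temp directory, as an added example that is not part of the thread or of Kanela's own documentation: the stack trace above fails in `File.createTempFile`, which writes to the JVM's `java.io.tmpdir`, so the manifest mounts an in-memory `emptyDir` at that path. The pod name, image, agent path and size limit are placeholders, and it assumes the agent writes nowhere other than the temp directory.

```yaml
# Added example: placeholders throughout, not taken from the issue thread.
apiVersion: v1
kind: Pod
metadata:
  name: kamon-app                      # placeholder name
spec:
  containers:
    - name: app
      image: registry.example/kamon-app:placeholder   # placeholder image
      env:
        # The JVM reads JAVA_TOOL_OPTIONS at startup. java.io.tmpdir is pinned
        # explicitly so File.createTempFile lands on the writable mount below.
        - name: JAVA_TOOL_OPTIONS
          value: "-javaagent:/opt/agent/kanela-agent.jar -Djava.io.tmpdir=/tmp"
      securityContext:
        # Root filesystem stays immutable; only /tmp is writable.
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: jvm-tmp
          mountPath: /tmp
  volumes:
    - name: jvm-tmp
      emptyDir:
        medium: Memory                 # tmpfs: contents vanish with the pod
        sizeLimit: 64Mi                # assumed size; adjust to the extracted jar
```

With plain Docker the same layout is `docker run --read-only --tmpfs /tmp ...`.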