From 7db40a8dcf9cc877553e3127e10295e62fa2d64d Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Sun, 28 Apr 2024 18:01:49 +0200
Subject: [PATCH] Fix coturn that was failing with newer Nomad/Docker

Coturn was failing to start with the following error:

failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/usr/local/bin/docker-entrypoint.sh": permission denied: unknown

It seems to be caused by the recent NixOS update. Either because Docker/runc is now more strict when checking if the entrypoint is executable [1] And/or because Nomad may mount the secrets directory with "noexec" [2]. In any case, the "local" directory [2] looks more appropriate, because it's shared with the task while not being accessible to other tasks.

[1] https://github.com/opencontainers/runc/issues/3715
[2] https://developer.hashicorp.com/nomad/docs/concepts/filesystem
---
 cluster/prod/app/coturn/deploy/coturn.hcl | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/cluster/prod/app/coturn/deploy/coturn.hcl b/cluster/prod/app/coturn/deploy/coturn.hcl
index bc92ef8..8923b2b 100644
--- a/cluster/prod/app/coturn/deploy/coturn.hcl
+++ b/cluster/prod/app/coturn/deploy/coturn.hcl
@@ -34,15 +34,13 @@ job "coturn" {
 ports = [ "prometheus", "turn_ctrl", "turn_data0", "turn_data1", "turn_data2", "turn_data3", "turn_data4", "turn_data5", "turn_data6", "turn_data7", "turn_data8", "turn_data9" ]
+ entrypoint = ["/local/docker-entrypoint.sh"]
 network_mode = "host"
- volumes = [
- "secrets/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh",
- ]
 }
 template {
 data = file("../config/docker-entrypoint.sh")
- destination = "secrets/docker-entrypoint.sh"
+ destination = "local/docker-entrypoint.sh"
 perms = 555
 }
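Review bot: The rendered entrypoint moves from `secrets/` to `local/` at the new `destination` line, and per the Nomad filesystem docs the commit links, `secrets/` is kept out of the allocation filesystem API while `local/` is browsable with `nomad alloc fs`, so this is a visibility change as well as a fix: nothing may ever be templated into `../config/docker-entrypoint.sh` that should stay private. That constraint is not recorded anywhere in the job file; a comment above the `template` block would pin it, e.g. `# Rendered into local/ rather than secrets/: secrets/ may be mounted noexec and runc rejects a non-executable entrypoint; local/ is readable via the alloc fs API, so keep credentials out of this script.`. The commit message also leaves open whether the failure was runc's stricter exec check or the noexec mount, and a one-line comment next to `perms = 555` saying the exec bit is what the `entrypoint` override relies on would help the next person who touches the mode. The enclosing `config` and `task` blocks start before the hunk.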