When I run tomcat using Docker I am seeing the Permission Issue
anudina opened this issue · 3 comments
Hi All,
I have the below Dockerfile:
FROM go0v-vzdocker.oneartifactoryprod.verizon.com/tomcat:10.0.2-3
EXPOSE 8080 443
USER root
RUN mkdir -p /apps/opt/vzontime/config/vzot_config_repo/proxy-config
COPY /config/log4j-gateway.xml /apps/opt/vzontime/config/vzot_config_repo/proxy-config/log4j-gateway.xml
ADD /dist/vzot-proxy-gateway.war /usr/local/tomcat/webapps/vzot-proxy-gateway.war
RUN chmod -R 0777 /apps/opt
RUN chmod -R 0777 /usr/local/tomcat
RUN chown -R tomcat:tomcat /apps/opt
RUN chown -R tomcat:tomcat /usr/local/tomcat
CMD ["catalina.sh","run"]
When I run the docker I am facing the below error:
java.util.logging.ErrorManager: 4
java.io.FileNotFoundException: /usr/local/tomcat/logs/catalina.2022-06-01.log (Read-only file system)
at java.io.FileOutputStream.open0(Native Method)
01-Jun-2022 12:17:28.915 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/10.0.2
at java.io.FileOutputStream.open(FileOutputStream.java:270)
at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
at org.apache.juli.FileHandler.openWriter(FileHandler.java:514)
at org.apache.juli.FileHandler.publish(FileHandler.java:285)
01-Jun-2022 12:17:28.916 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Jan 28 2021 18:48:46 UTC
at org.apache.juli.AsyncFileHandler.publishInternal(AsyncFileHandler.java:145)
at org.apache.juli.AsyncFileHandler$LogEntry.flush(AsyncFileHandler.java:184)
at org.apache.juli.AsyncFileHandler$LoggerThread.run(AsyncFileHandler.java:160)
01-Jun-2022 12:17:28.916 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 10.0.2.0
01-Jun-2022 12:17:28.916 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
01-Jun-2022 12:17:28.916 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 3.10.0-1160.59.1.el7.x86_64
01-Jun-2022 12:17:28.917 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
01-Jun-2022 12:17:28.917 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/local/openjdk-8/jre
01-Jun-2022 12:17:28.917 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_282-b08
01-Jun-2022 12:17:28.917 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
01-Jun-2022 12:17:28.917 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /usr/local/tomcat
01-Jun-2022 12:17:28.917 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/local/tomcat
01-Jun-2022 12:17:28.918 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
01-Jun-2022 12:17:28.918 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
01-Jun-2022 12:17:28.918 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
01-Jun-2022 12:17:28.918 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
01-Jun-2022 12:17:28.918 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
01-Jun-2022 12:17:28.919 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
01-Jun-2022 12:17:28.919 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
01-Jun-2022 12:17:28.919 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
01-Jun-2022 12:17:28.919 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
01-Jun-2022 12:17:28.922 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.26] using APR version [1.6.5].
01-Jun-2022 12:17:28.922 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
01-Jun-2022 12:17:28.924 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1d 10 Sep 2019]
01-Jun-2022 12:17:29.916 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
01-Jun-2022 12:17:29.928 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1514] milliseconds
01-Jun-2022 12:17:30.023 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
01-Jun-2022 12:17:30.023 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/10.0.2]
01-Jun-2022 12:17:30.025 SEVERE [main] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/usr/local/tomcat/conf/Catalina/localhost]
01-Jun-2022 12:17:30.028 SEVERE [main] org.apache.catalina.valves.AccessLogValve.open Failed to open access log file [/usr/local/tomcat/logs/localhost_access_log.2022-06-01.txt] Note: running as user [tomcat]
java.io.FileNotFoundException: /usr/local/tomcat/logs/localhost_access_log.2022-06-01.txt (Read-only file system)
at java.io.FileOutputStream.open0(Native Method)
at java.io.FileOutputStream.open(FileOutputStream.java:270)
at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
at org.apache.catalina.valves.AccessLogValve.open(AccessLogValve.java:651)
at org.apache.catalina.valves.AccessLogValve.startInternal(AccessLogValve.java:685)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardPipeline.startInternal(StandardPipeline.java:176)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:933)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:843)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:434)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:795)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:342)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
01-Jun-2022 12:17:30.117 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/tomcat/webapps/vzot-proxy-gateway.war]
01-Jun-2022 12:17:30.132 SEVERE [main] org.apache.catalina.startup.ContextConfig.beforeStart Exception fixing docBase for context [/vzot-proxy-gateway]
java.io.IOException: Unable to create the directory [/usr/local/tomcat/webapps/vzot-proxy-gateway]
at org.apache.catalina.startup.ExpandWar.expand(ExpandWar.java:116)
at org.apache.catalina.startup.ContextConfig.fixDocBase(ContextConfig.java:820)
at org.apache.catalina.startup.ContextConfig.beforeStart(ContextConfig.java:959)
at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:305)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:182)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:946)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1792)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:757)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:426)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1520)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:843)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
When I get into the pod and check, the permission is given as full; see the below.
There could be differences in the image you're using, go0v-vzdocker.oneartifactoryprod.verizon.com/tomcat:10.0.2-3, vs. the official image.
The default permissions should be fine; I'd try dropping the chmod/chown lines, since everything in the container is running under the root user:
ls -al /usr/local/tomcat/logs
total 24
drwxr-xr-x 1 root root 4096 Jun 1 16:33 .
drwxr-sr-x 1 root staff 4096 Mar 31 2015 ..
-rw-r--r-- 1 root root 5973 Jun 1 16:33 catalina.2022-06-01.log
-rw-r--r-- 1 root root 0 Jun 1 16:33 host-manager.2022-06-01.log
-rw-r--r-- 1 root root 280 Jun 1 16:33 localhost.2022-06-01.log
-rw-r--r-- 1 root root 0 Jun 1 16:33 localhost_access_log.2022-06-01.txt
-rw-r--r-- 1 root root 0 Jun 1 16:33 manager.2022-06-01.log
Even after dropping, the default Docker filesystem is read-only, hence I can't explode the WAR file when the container starts running.
Looking at your logs again, there are definitely some differences between the image you're using and the one we maintain: "Note: running as user [tomcat]".
The Tomcat image for this repo runs as the root user: https://github.com/docker-library/tomcat/blob/master/10.0/jre8/openjdk-slim-buster/Dockerfile
$ docker run -d --rm --name tomcat tomcat:8.0.20
b2c683eb2ba7ac25f3821209b1e972a0eaa9a2cb96ba5e88800d076e80cf35b0
$ docker run -it --rm --pid container:tomcat tianon/network-toolbox
root@6b94dc2bc522:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 14.0 3.8 2446040 156956 ? Ssl 17:24 0:03 /usr/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.loggin
root 37 2.5 0.0 4756 4008 pts/0 Ss 17:25 0:00 bash --login -i
root 47 0.0 0.0 6696 2764 pts/0 R+ 17:25 0:00 ps aux
Perhaps this could be part of the permissions errors; it could also be host-related, like the filesystem type or some odd SELinux/AppArmor configuration.
I would try asking over at the Docker Community Forums, Docker Community Slack, or Stack Overflow.
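
The log above reports "Read-only file system" rather than "Permission denied", which is a mount-level condition that `chmod`/`chown` in the Dockerfile cannot change. The following diagnostic is an added example, not part of the thread or of the image's own tooling: it reads `/proc/mounts` inside the container to tell a read-only mount apart from an owner/mode problem for the Tomcat directories named in the log. The function names `covering_mount` and `diagnose` are hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Function names are hypothetical.

# covering_mount PATH [MOUNTS_FILE] -> prints "<mountpoint> <ro|rw>" for the
# mount that PATH lives on (longest matching mount point, last entry wins).
covering_mount() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END {
            mode = (("," opts ",") ~ /,ro,/) ? "ro" : "rw"
            print best, mode
        }' "${2:-/proc/mounts}"
}

# diagnose DIR [MOUNTS_FILE] -> one line saying which class of failure applies.
diagnose() {
    dm_info=$(covering_mount "$1" "${2:-/proc/mounts}")
    case "$dm_info" in
        *" ro")
            echo "$1: EROFS: mount '${dm_info% ro}' is read-only; chmod/chown cannot change this" ;;
        *)
            if [ -w "$1" ]; then
                echo "$1: writable by uid $(id -u)"
            else
                echo "$1: EACCES: missing or not writable by uid $(id -u); check owner and mode"
            fi ;;
    esac
}

# Run inside the container as: sh check.sh check
if [ "${1:-}" = "check" ]; then
    for d in /usr/local/tomcat/logs /usr/local/tomcat/conf \
             /usr/local/tomcat/webapps /usr/local/tomcat/temp; do
        diagnose "$d"
    done
fi
```

An `EROFS` result means the directory needs its own writable mount (a volume or tmpfs) at that path; an `EACCES` result points back at ownership and mode for the uid the process actually runs as.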