2

I have been getting some unexpected failures with the execution of my Docker images when running on my Ubuntu 16.04.3 LTS machine. I'm using Docker version 18.02.0-ce (edge), installed from apt. I've narrowed down the problem enough to demonstrate it with this Dockerfile:

FROM tomcat:8.5.24-jre8-alpine

RUN adduser -D test

RUN chown -R test "$CATALINA_HOME"

USER test

RUN ls "$CATALINA_HOME"/webapps

When I attempt to build this, here's the result:

$ docker build -t test test/
Sending build context to Docker daemon  163.4MB
Step 1/5 : FROM tomcat:8.5.24-jre8-alpine
 ---> 134d23a9a14e
Step 2/5 : RUN adduser -D test
 ---> Using cache
 ---> a6f70ba83b8d
Step 3/5 : RUN chown -R test "$CATALINA_HOME"
 ---> Using cache
 ---> 8a0fae3db0a8
Step 4/5 : USER test
 ---> Using cache
 ---> 45fdf333232b
Step 5/5 : RUN ls "$CATALINA_HOME"/webapps
 ---> Running in 48711dfb9569
ls: /usr/local/tomcat/webapps/ROOT: Permission denied
ls: /usr/local/tomcat/webapps/examples: Permission denied
ls: /usr/local/tomcat/webapps/docs: Permission denied
ls: /usr/local/tomcat/webapps/host-manager: Permission denied
ls: /usr/local/tomcat/webapps/manager: Permission denied
The command '/bin/sh -c ls "$CATALINA_HOME"/webapps' returned a non-zero code: 1

These "Permission denied" errors are very strange to me, since the chown command should have given ownership of the whole /usr/local/tomcat folder, including the subfolders.

I have tried this same scenario with many different versions of Docker on my Ubuntu host, all with the same result. However, when I tried building this image on my Mac OS machine, it worked fine.

One slight variation that I have found which works around the problem is to give the "test" user access to the "root" group, like so:

RUN adduser -D test -G root

With this simple change, the Dockerfile builds. So it seems obvious to me that somehow group membership permissions are involved, but I can't imagine why that would matter since the user is the owner. Also I can't imagine why building on Linux is different than building on Mac OS.

10
  • I just ran your Dockerfile exactly, and had no errors. ~/test $ docker build -t tomcat-test . It successfully listed everything in the 'webapps' dir. Try deleting the pulled image for tomcat:8.5.24-jre8-alpine (or even all your images) and rebuilding. Commented Feb 23, 2018 at 19:56
  • @BoomShadow I've cleared out everything, even so far as to use docker system prune -a to clear the local cache. Unfortunately, the problem somehow persists. I assume you built on Linux? Commented Feb 23, 2018 at 22:06
  • Maybe worth doing an ls -al $CATALINA_HOME to see ownership and permissions on its content instead of listing webapps content... But that sounds strange indeed (maybe an apparmor/selinux config somewhere) Commented Feb 23, 2018 at 22:12
  • Is selinux running? Does it work if disabled? Commented Feb 23, 2018 at 22:44
  • @JamesShewey there is no selinux on my system. Commented Feb 23, 2018 at 23:09

1 Answer

2

As described in https://github.com/docker-library/tomcat/issues/35, this is related to the storage driver used (aufs). Changing to use overlay2 solved the issue:

https://docs.docker.com/storage/storagedriver/overlayfs-driver/
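
One way to carry out the change this answer describes, as an added example that is not part of the original answer: a POSIX shell script that reads the daemon's storage driver and, if it is aufs, stages a daemon.json selecting overlay2. The function names and the `--apply` switch are hypothetical; `/etc/docker/daemon.json` is Docker's default configuration path on Linux and is assumed here.

```shell
#!/bin/sh
# Added example: detect the aufs storage driver and stage a daemon.json
# that selects overlay2. Function names and --apply are hypothetical.
# DAEMON_JSON defaults to Docker's standard config path; override to dry-run.
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# Print the storage driver the running daemon uses (e.g. "aufs", "overlay2").
current_driver() {
    docker info --format '{{.Driver}}'
}

# Succeed (exit 0) when the driver is the one the answer identifies as the cause.
driver_is_affected() {
    [ "$1" = "aufs" ]
}

# Write a daemon.json selecting overlay2. Refuses to overwrite an existing
# file so other daemon settings are never clobbered; merge by hand instead.
write_overlay2_config() {
    target="$1"
    if [ -e "$target" ]; then
        echo "refusing to overwrite $target; add \"storage-driver\": \"overlay2\" manually" >&2
        return 1
    fi
    printf '{\n  "storage-driver": "overlay2"\n}\n' > "$target"
}

# Main flow, run only with --apply so the functions can be sourced and tested.
if [ "${1:-}" = "--apply" ]; then
    driver="$(current_driver)" || exit 1
    if driver_is_affected "$driver"; then
        write_overlay2_config "$DAEMON_JSON" || exit 1
        echo "wrote $DAEMON_JSON; restart the daemon (e.g. systemctl restart docker) and rebuild"
    else
        echo "storage driver is $driver; nothing to change"
    fi
fi
```

Images and containers created under aufs are not visible to the daemon after the switch, so re-pull or rebuild them once Docker has restarted with overlay2.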
