Get access to container files #3

Closed
mlagneaux opened this issue Nov 11, 2014 · 37 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@mlagneaux

Hello,

I have questions about this container:

  • How can I modify the tomcat-users.xml file?
  • How do I get access to the files of the container?
  • Which OS is this container based on? Is it possible to install other packages?

Thanks in advance for your answers.

@bryantrobbins

Having the same problem here.

My first inclination was to mount a volume to the relevant locations, but volumes are mounted as "root" by default and not readable by the "tomcat" user running the default command of this container.

Another alternative would be to create a Dockerfile which builds FROM this image and adds its own files. This would mean rebuilding the container image for every version of a webapp. Can maintainers comment on whether this is the intended (long-term) design?

ETA: Asking about design because I'd be happy to contribute something that makes pushing in webapps simpler!

@yosifkit
Member

@bryantrobbins, as a complete noob when it comes to using tomcat I am all ears on what you think users of the image would want to use. I may push back with some of our design principles for the official images, but I am sure we can work to make this a more friendly image.

@bryantrobbins

Thanks @yosifkit. I definitely have some ideas.

First and foremost, we are really running into a Docker limitation documented here: moby/moby#7198

I have a local PoC which adds a wrapper script to the tomcat:8.0 for copying around mounted files. This init.sh script could copy in anything from a mounted volume then change owner to tomcat so that users can override default Tomcat files, including deploying webapps. Currently I'm just copying in webapps, but it could be used to add tomcat-users.xml or other files.

Obviously this could potentially be merged into the Dockerfile of the Tomcat images directly if desired, so that there is no need for users to build their own images.

Let me know what you think!

Dockerfile:

    FROM tomcat:8.0
    MAINTAINER Bryan Robbins bryantrobbins@gmail.com

    USER root
    WORKDIR /

    ADD init.sh /
    RUN chmod +x /init.sh

    CMD ["/init.sh"]

Where init.sh is:

    #!/bin/bash

    # Copy webapps from mount to CATALINA_HOME
    cp /etc/tomcat/webapps/* "$CATALINA_HOME/webapps"

    # Change owner of webapps copied back to tomcat
    chown -R tomcat:tomcat "$CATALINA_HOME/webapps"

    # Run catalina.sh as tomcat user
    su -c "/usr/local/tomcat/bin/catalina.sh run" -s /bin/bash tomcat

@jgangemi

is there a reason these directories can't be exposed as mount points?

@yosifkit
Member

You can docker run -it -v /my/webapp/:/catalina/dir/webapp/ tomcat but the files will be owned by whatever user you created them with and tomcat user in the container will not have access to them. We solve this on the database images like postgres and mongodb to just chown all the files in the entrypoint of the container, but then when the container stops all the files will still be owned by the user in the container.

@jgangemi

mounting a local directory into the container is not an option, i need to do this using data containers.

@jgangemi

anyone?

@yosifkit
Member

@jgangemi, that is just done with -v /place/in/container/for/volume and --volumes-from=myTomcat (https://docs.docker.com/userguide/dockervolumes/).

@bryantrobbins, I am not sure what we would gain with the script that copies files from the mounted volume and copy script that we could not just get by adding COPY webapp/ $CATALINA_HOME/webapps and chowning them. The reason for using a host mounted volume is so that local changes will reflect in the container, but your solution would not be able to do that.

@jgangemi

odd - i thought i tried that but it didn't want to mount over $CATALINA_HOME/webapps which is what i would like to have happen so i don't need to copy files around in the container, etc.

i will try again.

@bryantrobbins

@yosifkit So far, I have not been able to use a host-mounted volume with this container. I'm probably missing something.

If I run a command like this, where /tmp/webapps contains a war:

    docker run -dit -p 8080:8080 -v /tmp/webapps:/usr/local/tomcat/webapps tomcat:8.0

I get one of these in the logs:

    java.io.IOException: Unable to create the directory [/usr/local/tomcat/webapps/appname]

@yosifkit
Member

Yeah, the problem is that tomcat runs as the tomcat user, but all the files are still owned by your local user. We could change it so that on startup it chowns the files and then runs as tomcat, but then all your files are now chowned. I think the simpler solution is to just drop the tomcat user and run as root.

@jgangemi

i'm hitting this issue now too - why does it matter if the files get chowned to tomcat? ownership/permissions would need to be set to something tomcat can handle if this was deployed outside of docker, so why is this any different?

making tomcat run as root inside docker is ok by me as well, i'm just looking to use the startup script that comes w/ the container instead of rolling my own, although that may still be required to enable jmx remoting.

@bryantrobbins

@yosifkit agree that running as root makes sense

EDIT: Please see numerous comments below correcting this.

@yosifkit
Member

@jgangemi, true you should set permissions when you deploy, but if you are just build testing on your own box then chowning all of the files to the UID of tomcat in the container every time you change and want to run would get exhausting (even if we did it on startup of the container, you would still have to chown it back when you want to edit or overwrite it).

I'll put up a PR to change to root from the tomcat user, so that other users will not have to worry about permissions.

@JunkMail4MJD

I just did "apt-get install nano" to install an editor, then I edited tomcat-users.xml. Then I committed the change. Nano was very glitchy in terms of messing up the file display, but I was eventually successful. It wipes out the default command though. So, you need to respecify bin/catalina.sh run when you docker run...

@brad-x

brad-x commented Jan 6, 2015

This is a GREATLY risky thing to do. This container is going to end up in production and a lot of people are going to be unobservant about the privileges tomcat has.

Container security being what it is (exceedingly minimal) it would be better to recommend proper Dockerfile entries for changing file ownership rather than making this compromise.

EDIT: Or at the very least, mention that this container is configured for developer use only. Less attractive option though.

@tianon
Member

tianon commented Jan 6, 2015

Wouldn't it be more productive to document how to use this image in a safe and secure manner, or at the very least to document the caveats?

(ie, in https://github.com/docker-library/docs/blob/master/tomcat/content.md)

@bryantrobbins

I agree with @brad-x on second thought. I'm probably a bit naive in my understanding of the full implications of running as root, but I suppose any webapps are likewise running as root under this setup. At a minimum, it does differ from the typical Tomcat install.

If this does need to be rolled back, I'm happy to help more fully document any agreed-upon recommendations around using a separate Dockerfile to chown.

@mwelch-ptc

Running as root might not be a great idea for the same reasons that Apache is almost never run as root. If an attacker compromises a poorly written web application (not uncommon unfortunately), with the process having root access you are exposing far more than should be. In theory, the fact that you are running in a container should give you some protection, but I think that the reality is that Docker is a thin enough layer that damage could be done nonetheless.

@yosifkit
Member

I am open to move it back, but do we have a solution for file permissions when using bind mounts? Or is this better to just improve documentation (content.md)?

@ryan1234

I would second improving the documents. As a note though, I think this is the first image I've pulled (out of maybe 10?) that wasn't running as root when I connected to it. Really surprising for me.

It makes debugging code in a running container very difficult. I need to be able to connect to view logs, edit files, etc. so I don't have to constantly stop and start the container.

I think for the time being I'm going to find a different Dockerfile and build my own image.

@brad-x

brad-x commented Jan 20, 2015

Veering offtopic slightly, but - ryan - how do you normally connect and debug?

@ryan1234

docker exec -it <container id> /bin/bash

In this specific example I was hoping to temporarily install git and then pull a repo into the webapps folder. Then I wanted to restart tomcat and fiddle with things until I got the code running.

Quite often I need to change config files and it's easier to install vim inside of the container, edit files, and then test until I figure it out. Then I can copy down the steps and either make my own Dockerfile - or have a shell script modify the container after being started.

(Maybe I used the wrong word 'debug'. I don't mean debugging code, I mean debugging the deployment of code that should be ready to go.)

@brad-x

brad-x commented Jan 20, 2015

What's the situation you're encountering when tomcat is not run as root? You're root when you enter the container right?

@ryan1234

I'm actually not root when I enter the container. I'm the tomcat user. Is there some way around this?

I tried to elevate, but that didn't work. Can't really do anything with non-root access. =(

In the middle of building/running my own image based off of some other Dockerfile.

@yosifkit
Member

If you are using the most recent version of the tomcat image (docker pull tomcat:tag-I-use), then it will not have the tomcat user (6f1c628). The discussion here is of bringing that back.

@ryan1234

That might be my problem. I'm "dockerizing" an existing application and they're using an older version of Tomcat (7.0.57).

@yosifkit
Member

@ryan1234, that is one of the current releases, available on java 7 or 8.

@DanailMinchev

Hi,

+1 to run tomcat by non-root user.

According to tomcat security and use in production - tomcat must be run by non-root user (as @brad-x and @mwelch-ptc said as well).

Also if you roll back #6 : IMHO you have to chmod with tomcat user only webapps/ temp/ logs/ work/ directories and not the whole ${CATALINA_HOME}
(or for best security webapps/ should stay as root and the script should copy all war files from data-volume and unzip them into webapps/ directory).

I can create pull-request with full details if needed.

Thanks!
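
The layout suggested in the comment above (the Tomcat user may write only to webapps/, temp/, logs/ and work/) can be checked with a small audit. This is an added example, not part of the comment or of the image; the function name audit_catalina_home and its uid argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list paths the Tomcat runtime user
# could modify outside the four directories Tomcat needs to write to.
#
# Usage inside a container (uid is whatever the Tomcat process runs as):
#   audit_catalina_home "$CATALINA_HOME" <numeric uid>

# audit_catalina_home DIR RUNTIME_UID
# Prints every path under DIR, outside webapps/ temp/ logs/ work/, that is
# owned by RUNTIME_UID or is world-writable. Symlinks are skipped because
# their own mode bits are meaningless.
# Returns 0 if clean, 1 if anything was found, 2 on a bad argument.
audit_catalina_home() {
    home=${1%/}          # drop a trailing slash so the -path tests match
    runtime_uid=$2
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }

    findings=$(
        find "$home" \
            \( -path "$home/webapps" -o -path "$home/temp" \
               -o -path "$home/logs" -o -path "$home/work" \) -prune \
            -o ! -type l \( -user "$runtime_uid" -o -perm -0002 \) -print
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A non-empty report on conf/, bin/ or lib/ means a compromised webapp running as that uid could rewrite Tomcat's own configuration or code.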

@yosifkit
Member

A PR seems appropriate, but I am not sure what consensus we have reached. We could look to make something like docker-library/elasticsearch#14 where the privilege drop down is optional. I think possibly something like GOSU_AS. It would be nice if docker run --user could work.

@bryantrobbins

Will +1 getting back to non-root, especially since it was my own question and naive suggestions that initiated this :)

After some seasoning with Docker myself, I think that extending the container to stage additional files is not very difficult, and it's usually a reasonable option (IMO). I've put together one example of this so far (https://github.com/bryantrobbins/docker-tomcat-example), and if there are additional questions that could use examples or docs, I'm happy to contribute.

@yosifkit
Member

@bryantrobbins, feel free to suggest improvements to the docs via content.md. I am definitely not a tomcat expert, (or even a user) so I would gladly accept help in improving the documentation on using the container. I would also welcome PRs to improve the containerization for users (and not break current users).

@vikrambammidi

Hi,

I am new to Docker. On my local machine I created a Docker environment and pulled the tomcat:8.0 image from Docker Hub. I am able to access the Tomcat manager page through my Docker client, but to log in to the Tomcat manager page I need to update the tomcat-users.xml file. However, I am unable to find "/usr/local/tomcat/webapps/" (the Tomcat root folder) on my Docker host system.

i.e. in:

    $ docker-machine ssh
    docker@default:/$ cd /usr/local/

I am unable to find the "tomcat" folder in this location.

Is there any other process to edit or update a pulled image? Could anyone please help with this?

Thanks in advance for your answers.

@Bollemn

Bollemn commented Aug 3, 2016

Hello,

I have questions about this container:

  • I want to modify the tomcat-users.xml file.
  • How do I get access to the files of the container?
  • How do I deploy a war file in webapps?

@iammyr

iammyr commented Nov 2, 2016

@vikrambammidi and @Bollemn you can access the image by doing:

    $ docker ps
    <list of images with container id image command created etc. columns>
    $ docker exec -it <container id> bash

once you do that then try

    $ echo $CATALINA_HOME

If you're actually running the docker tomcat module then $CATALINA_HOME must have been set to something. It is usually set to /usr/local/tomcat but maybe in your case it is set to something else for some reason.

@Bollemn from there you can modify all the files you wish. If they need to be modified from Dockerfile then just add the following to Dockerfile:

    RUN <your command to modify a file>

To deploy your .war into your tomcat add the following to your Dockerfile:

    ADD target/*.war $CATALINA_HOME/webapps/

@everyone: I've added a section on how to harden your Tomcat installation and file permissions in my pull request.

@charithf

charithf commented Jan 2, 2018

I wanted to access the tomcat folder. I am a beginner on Docker, found the following link helpful.

https://ligerlearn.com/how-to-edit-files-within-docker-containers/

@wglambert added the question label (Usability question, not directly related to an error with the image) on Apr 24, 2018
@wglambert

Since this issue seems unrelated to any errors in the image itself, and having been quite a while without a substantial comment, I'm going to prune the issue.
If you believe this to be in error then let me know and I'll re-open it.

Given that the issue is more of a usability question, it would be more suited for the Docker Community Forums, the Docker Community Slack, or Stack Overflow.
