catalina.sh: Permission denied when deploying on Openshift

[joanna-polec]

Building image from WAR with usage of Apache Tomcat buildpacks resulting with below error when pod is starting.

Setting Active Processor Count to 80Calculated JVM Memory Configuration: -XX:MaxDirectMemorySize=10M -Xmx475156K -XX:MaxMetaspaceSize=61419K -XX:ReservedCodeCacheSize=240M -Xss1M (Total Memory: 1G, Thread Count: 250, Loaded Class Count: 8430, Headroom: 0%)Enabling Java Native Memory TrackingUsing readonly truststore: /tmp/truststoreAdding 137 container CA certificates to JVM truststoresh: 0: cannot open /layers/paketo-buildpacks_apache-tomcat/tomcat/bin/catalina.sh: Permission denied

Problem exists when image is built on Openshift where random users are used to run a pod. In this case we are using 255000 for UID and GUI.
Building this app locally works without any problems, because application is run with User having the same GUI, which was used in buildpacks during build phase.

Buildpacks used to build image: builder-jammy-full:0.3.323

I found this similar discussion but here even read permission is lacking for others users.

Dive on this image:

Do you have any advice on this? Does tomcat buildpacks support using differrent UID and GUI during build and run phases?

[dmikusa]

The CNB spec & tools do have some requirements in terms of user/groups. It is flexible, but I'm not sure it's flexible enough that you can pick a random uid/gid every time.

I was trying to find some more documentation about the user/group requirements, and this was the best I could come up with. The build/run images used by the stack have some uid/gid information in them. It's used by the CNB tooling.

https://buildpacks.io/docs/operator-guide/create-build-base/#set-required-cnb-user-information

My anecdotal experience has been that you can change the uid on-the-fly, but changing the gid is more difficult. I don't think I've tried changing them at build time though, some testing I did a while back with Paketo buildpacks was with the uid changing at runtime.

At any rate, you may be better off reaching out to the CNB folks on this one. Hope that helps!

[joanna-polec]

Yes, permissions are the same on the TAR contents. Tomcat is downloaded from https://archive.apache.org/dist/tomcat/...

[keskad]

So, it seems I was right 😎 The TAR archive from JRE has enough permissions for "others", but Tomcat TAR archive does not.

Question is if the Tomcat buildpack could do some kind of chmod after unpackaging?

[dmikusa]

Ohh, ok. That makes sense. I know Tomcat locks down file permissions as an out-of-the-box security practice. I assume you'd want to have r+x world permissions added?

I think we could probably add that as an option to enable. I'm not 100% sure off the top of my head if we could do that by default. I'd have to think about that. There are reasons why Tomcat sets the permissions that way, but I'd have to think through them and see if they make sense in the context of buildpacks and containers.

In the meantime, you can work around this by adding an inline buildpack with a script to make the permission changes.

[keskad]

Wow, inline buildpack sounds like a cool solution to workaround this and similar issues.

[joanna-polec]

Yes, it would be great to add r+x world permissions for catalina.sh file in buildpacks - same as it's added for a group.

Workaround with inline buildpack is not so easily applicable for our use case. From what I've tested, we need to define exact list of buildpacks which given application requires - when we add project.toml, detector pull only buildpacks specified in this file. Pipeline which builds application images needs to handle various Tomcat apps (some can require maven, gradle buildpacks, some not etc.). So we would need to detect which buildpacks are needed and dynamically create proper toml file.