Reputation: 11
I am trying to deploy Tomcat on OpenShift with
$ oc new-app tomcat:latest
and when I do
$ oc get pods
I am getting
NAME             READY   STATUS             RESTARTS   AGE
tomcat-1-9j5qx   0/1     CrashLoopBackOff   16         1h
When I check the logs with $ oc logs tomcat-1-9j5qx I get
Feb 05, 2018 11:26:41 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
Feb 05, 2018 11:26:41 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
Feb 05, 2018 11:26:41 AM org.apache.catalina.startup.Catalina start
SEVERE: Cannot start server. Server instance is not configured.
Not sure what I should be doing to get rid of this CrashLoopBackOff.
Upvotes: 1
Views: 1170
Reputation: 1210
By default, OpenShift uses a random non-root uid to run pods, while this /usr/local/tomcat/conf/servers
only allows root to read it. Run this command to allow OpenShift to run pods with any uid:
oc adm policy add-scc-to-user anyuid -z default
This change in policy can only be done by someone who is a cluster admin. It cannot be done by a normal user, or even a project admin.
Because you are granting the right to run things as root, even if only in a container, it is better to create a separate service account to run just the applications requiring the extra privileges, and not use the default service account.
For example:
$ oc create serviceaccount supremo
serviceaccount "supremo" created
$ oc adm policy add-scc-to-user anyuid -z supremo
$ oc patch dc/tomcat --patch '{"spec":{"template":{"spec":{"serviceAccountName": "supremo"}}}}'
deploymentconfig "tomcat" patched
You should also only do this for third-party images you pull down which you trust. Do not give arbitrary images the ability to run as root.
Upvotes: 1
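An added example, not part of the answer above or of OpenShift itself: a shell model of the read check that fails in the question, for confirming that a CrashLoopBackOff like this one is a file-permission problem. It assumes GNU stat and that the pod's random UID runs with primary GID 0 (OpenShift's default); the function names and the UID 1000650000 are constructed for illustration.

```shell
#!/bin/sh
# Added example: models the file read check for a pod running under
# OpenShift's default policy (random non-root UID, primary GID 0).

# can_read MODE OWNER_UID GROUP_GID RUN_UID [RUN_GID]
# MODE is the octal string printed by `stat -c %a`, e.g. 600.
# Returns 0 when a process with RUN_UID/RUN_GID may read the file.
can_read() {
    mode=$1 owner=$2 group=$3 run_uid=$4 run_gid=${5:-0}
    if [ "$run_uid" -eq 0 ]; then return 0; fi   # root bypasses mode bits
    perms=$(( 0$mode & 0777 ))
    # Exactly one permission class applies: owner, else group, else other.
    if [ "$run_uid" -eq "$owner" ]; then
        bits=$(( (perms >> 6) & 7 ))
    elif [ "$run_gid" -eq "$group" ]; then
        bits=$(( (perms >> 3) & 7 ))
    else
        bits=$(( perms & 7 ))
    fi
    [ $(( bits & 4 )) -ne 0 ]
}

# unreadable_files DIR RUN_UID
# Prints each regular file under DIR that RUN_UID (with GID 0) cannot read.
# Only the file's own mode is checked, not the directories leading to it.
unreadable_files() {
    dir=$1 uid=$2
    find "$dir" -type f | while IFS= read -r f; do
        meta=$(stat -c '%a %u %g' "$f") || continue   # GNU stat assumed
        # $meta is left unquoted on purpose: it splits into MODE OWNER GROUP.
        if ! can_read $meta "$uid"; then printf '%s\n' "$f"; fi
    done
}

# Usage: sh check.sh DIR [UID]; 1000650000 is a constructed sample UID.
if [ "$#" -ge 1 ]; then
    unreadable_files "$1" "${2:-1000650000}"
fi
```

Run against the Tomcat conf directory from a shell inside the image, any path it prints is a file the random UID cannot open.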