How to run Tomcat Docker image on OpenShift

A common issue when porting Docker images to OpenShift is that the image might be engineered to run as the root user. Let’s see how to deal with Security Context Constraints (SCC) on OpenShift.

So let’s say you want to try deploying a Docker image like tomcat:latest to OpenShift:

[Image: tomcat openshift tutorial]

As you can see from the above warning, the image runs as the root user. In practice this means that when the Pod is created and started as a non-root user (that is, with a UID other than 0), it crashes with:

Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina load
WARNING: Permissions incorrect, read permission is not allowed on the file.
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina load
WARNING: Permissions incorrect, read permission is not allowed on the file.
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina start
SEVERE: Cannot start server. Server instance is not configured.

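To relax the security of your cluster so that an image is allowed to run as the root UID when no USER is specified in its Dockerfile, execute the command below. It adds the anyuid SCC to the system:authenticated group, that is, to every authenticated user of the cluster: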

$ oadm policy add-scc-to-group anyuid system:authenticated

Once done, you will be able to deploy your tomcat image like a charm:

[Image: tomcat openshift tutorial]

Finish off by creating a route to expose your Service:

[Image: tomcat openshift tutorial]

Now your Tomcat web server can be accessed through the OpenShift router:

[Image: tomcat openshift tutorial]
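A narrower variant of the add-scc-to-group grant shown earlier, as an added example that is not part of the original tutorial: it gives anyuid to a single service account in a single project and runs the Tomcat pods under it. The project, service account and DeploymentConfig names are assumptions supplied by the caller (the ones in the usage comment are hypothetical), the deployment is assumed to be a DeploymentConfig, and `oc adm` is used as the equivalent of `oadm`.

```shell
#!/bin/sh
# Added example: scope the anyuid SCC to one service account in one project
# instead of granting it to the whole system:authenticated group.

# Resource names must be lowercase DNS labels; reject anything else before
# it reaches oc or the JSON patch below.
valid_name() {
    case "$1" in
        ""|-*|*-|*[!a-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

scope_anyuid() {
    project=$1 sa=$2 dc=$3
    for n in "$project" "$sa" "$dc"; do
        valid_name "$n" || { echo "invalid name: '$n'" >&2; return 2; }
    done

    # 1. Dedicated identity for the pods that need to start as UID 0.
    oc create serviceaccount "$sa" -n "$project" || return 1

    # 2. Grant anyuid to that service account only (-z), not to a group.
    oc adm policy add-scc-to-user anyuid -z "$sa" -n "$project" || return 1

    # 3. Run the Tomcat pods under that service account.
    oc patch "dc/$dc" -n "$project" \
        -p "{\"spec\":{\"template\":{\"spec\":{\"serviceAccountName\":\"$sa\"}}}}" || return 1
}

# Withdraw the cluster-wide grant made with add-scc-to-group, if it was applied.
revoke_group_anyuid() {
    oc adm policy remove-scc-from-group anyuid system:authenticated
}

# Usage (hypothetical names): sh scope-anyuid.sh myproject tomcat-root tomcat
if [ "$#" -eq 3 ]; then
    scope_anyuid "$@"
fi
```

Both steps need cluster-admin rights, like the original command; only pods created under the named service account are then admitted with the root UID.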

Thanks to Slava Semushin for providing a tip on how to solve this issue.