'Permission denied' error for standalone-full.xml while creating custom image from official jboss/wildfly image

2

5

I am working to build a custom image derived from the official jboss/wildfly image.

It's working perfectly if I just add the .war file and run, but problems arise when I try to add a custom standalone-full.xml file.

This is my Dockerfile:

    FROM jboss/wildfly:10.1.0.Final

    COPY standalone-full.xml /opt/jboss/wildfly/standalone/configuration/standalone-full.xml

    COPY sample.war /opt/jboss/wildfly/standalone/deployments/

    CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-c", "standalone-full.xml", "-b", "0.0.0.0", "-bmanagement", "0.0.0.0"]

This is my source directory:

link to screenshot of ls -la command inside the source directory

As recommended, I have given 755 permission to the standalone-full.xml file.

However, after building the image with the following command:

    docker build -t sample-app .

and running the image as follows:

    docker run -it -p 8080:8080 -p 80:80 -p 443:443 sample-app

I receive the following error:

13:18:06,274 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.undertow.listener.default: org.jboss.msc.service.StartException in service jboss.undertow.listener.default: WFLYUT0082: Could not start 'default' listener.
    at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:153)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketException: Permission denied
    at sun.nio.ch.Net.bind0(Native Method)
    at sun.nio.ch.Net.bind(Net.java:433)
    at sun.nio.ch.Net.bind(Net.java:425)
    at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
    at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
    at org.xnio.nio.NioXnioWorker.createTcpConnectionServer(NioXnioWorker.java:190)
    at org.xnio.XnioWorker.createStreamConnectionServer(XnioWorker.java:243)
    at org.wildfly.extension.undertow.HttpListenerService.startListening(HttpListenerService.java:126)
    at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:142)

I exec'd into the running container to look at the file permissions of the standalone file:

link to screenshot of ls -la command inside the container's /opt/jboss/wildfly/standalone/configuration/ directory

I am able to get the app running if I change the user to root before running the CMD instruction, but that's not a good practice I think:

    FROM jboss/wildfly:10.1.0.Final

    COPY standalone-full.xml /opt/jboss/wildfly/standalone/configuration/standalone-full.xml

    COPY sample.war /opt/jboss/wildfly/standalone/deployments/

    USER root

    CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-c", "standalone-full.xml", "-b", "0.0.0.0", "-bmanagement", "0.0.0.0"]

How do I correctly set the permissions of the standalone file so that I can run the application with the 'jboss' user?

I also tried changing the permissions within the Dockerfile as follows to match the permissions of other files:

    FROM jboss/wildfly:10.1.0.Final

    USER root

    COPY standalone-full.xml /opt/jboss/wildfly/standalone/configuration/standalone-full.xml

    RUN chown jboss:root /opt/jboss/wildfly/standalone/configuration/standalone-full.xml

    USER jboss

    COPY sample.war /opt/jboss/wildfly/standalone/deployments/

    CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-c", "standalone-full.xml", "-b", "0.0.0.0", "-bmanagement", "0.0.0.0"]

But the permissions don't get applied and I still get the same error. Can anyone please point me in the right direction as to where I am making a mistake?

I am using Docker version 17.06.0-ce and the overlay2 storage driver.

Perineurium answered 13/7, 2017 at 13:31 Comment(0)
10

You have configured your wildfly instance to listen on TCP/IP port numbers < 1024.

Ports 80 and 443 in fact.

Normally only the root user has permission to do this on any Unix-based operating system, including Linux.

Mouse answered 13/7, 2017 at 14:11 Comment(1)
Thank you so much. Feeling stupid for having missed such an innocuous detail :) (Perineurium)
0

I don't know if this will help, but to start WildFly 10.1.0.Final with a wildfly user, I used the authbind tool.

  1. Install authbind if it's not already installed:

    sudo rpm -Uvh https://s3.amazonaws.com/aaronsilber/public/authbind-2.1.1-0.1.x86_64.rpm

or

    sudo yum install authbind

  2. Configure authbind to allow the wildfly user to access port 443. You need to create a specific configuration file for this. Let's call it authbind:

    sudo touch /etc/authbind/byport/443
    sudo chown wildfly /etc/authbind/byport/443
    sudo chmod 500 /etc/authbind/byport/443

  3. Edit the WildFly systemd configuration file to start the server using authbind. Open the WildFly service file:

    sudo nano /etc/systemd/system/wildfly.service

  4. Within the service file, modify the ExecStart command to include authbind. The authbind command needs to be placed before the WildFly startup command. The file may look something like this:

    [Unit]
    Description=WildFly Application Server
    After=syslog.target network.target

    [Service]
    Type=forking
    User=wildfly
    Group=wildfly
    ExecStart=/usr/bin/authbind --deep /opt/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
    TimeoutStartSec=600
    TimeoutStopSec=600
    RestartSec=5
    Restart=always

    [Install]
    WantedBy=multi-user.target

  5. Reload the systemd daemon to apply the changes:

    sudo systemctl daemon-reload

  6. Restart the WildFly service for the changes to take effect:

    sudo systemctl restart wildfly

Lengthways answered 12/3 at 14:7 Comment(0)
