
Document that buildpacks use non-root users for building container images and running containers #21122

Closed
octopus-prime opened this issue Apr 25, 2020 · 15 comments
Assignees
Labels
type: documentation A documentation update
Milestone

Comments

@octopus-prime

Version 2.3.0 still causes "Unable to start embedded Tomcat server" errors.

Used for test: v2.3.0.BUILD-SNAPSHOT

org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:229) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:309) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:165) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:553) ~[spring-context-5.2.6.BUILD-SNAPSHOT.jar:5.2.6.BUILD-SNAPSHOT]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:143) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at com.example.kunde.service.KundeServiceApplication.main(KundeServiceApplication.java:12) ~[classes/:na]
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
	at org.apache.catalina.core.StandardService.addConnector(StandardService.java:231) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:282) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:213) ~[spring-boot-2.3.0.BUILD-SNAPSHOT.jar:2.3.0.BUILD-SNAPSHOT]
	... 11 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	... 13 common frames omitted
Caused by: java.net.SocketException: Permission denied
	at java.base/sun.nio.ch.Net.bind0(Native Method) ~[na:na]
	at java.base/sun.nio.ch.Net.bind(Unknown Source) ~[na:na]
	at java.base/sun.nio.ch.Net.bind(Unknown Source) ~[na:na]
	at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source) ~[na:na]
	at java.base/sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source) ~[na:na]
	at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:229) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:212) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
	... 15 common frames omitted

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 25, 2020
@octopus-prime
Author

Back to v2.2.6.RELEASE ...

Tomcat started on port(s): 80 (http) with context path '/kunde-api'

@octopus-prime
Author

octopus-prime commented Apr 25, 2020

The problem occurs when building an image and running via docker run / helm install.

So it might be a problem of the new image-builder in the gradle-plugin?!

@octopus-prime
Author

octopus-prime commented Apr 25, 2020

2.2.6 (using com.bmuschko.docker-spring-boot-application) ->

docker {
    springBootApplication {
        baseImage = 'openjdk:11'
        ports = [80]
        images = ['localhost:32000/demo/kunde-service:latest']
    }
}

2.3.0 ->

bootBuildImage {
    imageName = 'localhost:32000/demo/kunde-service:latest'
}

@bclozel
Member

bclozel commented Apr 25, 2020

What do you mean by "still"? Are you referring to an existing issue (in this case, could you link to it?).
Also, could you provide a sample application we could take a look at (with detailed instructions on how to reproduce the issue)?
I don’t get how this could work in 2.2.6 since the container image building feature is brand new.
Thanks!

@bclozel bclozel added the status: waiting-for-feedback We need additional information before we can continue label Apr 25, 2020
@octopus-prime
Author

octopus-prime commented Apr 25, 2020

Updated #21122 (comment)

Hope the change is clear now...

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 25, 2020
@octopus-prime
Author

"still" means: there were some other issues, like
#20167

These issues are closed, so I hoped it's working now.

@octopus-prime
Author

octopus-prime commented Apr 25, 2020

Sample application
https://github.com/octopus-prime/demo/tree/test-2.3.0

Note:
bootBuildImage does not push to the registry.
So you have to push the images yourself:

docker push localhost:32000/demo/kunde-service:latest
docker push localhost:32000/demo/produkt-service:latest
docker push localhost:32000/demo/rechnung-service:latest

@bclozel
Member

bclozel commented Apr 25, 2020

#20167 looks like a different issue. Connectors couldn’t start because of a Tomcat configuration change.

This stacktrace points to a user permission issue (binding to port 80 is not allowed, it seems, for this user). Maybe the other build plugin has a different policy for the default user?

Thanks for the sample, we'll look into it.

@octopus-prime
Author

Doing a diff against master shows my changes.
Maybe I missed something for trying 2.3.0...

@philwebb
Member

I suspect that the buildpack runs processes as a user that does not have permission to use port 80, whereas the com.bmuschko.docker-spring-boot-application process does.

Perhaps @ekcasey or @nebhale can confirm that and let us know if there's a way to override those restrictions?

@octopus-prime
Author

Yes, changing the port from 80 to 8080 solves the problem...

Tomcat started on port(s): 8080 (http) with context path '/kunde-api'

@nebhale
Member

nebhale commented May 4, 2020

Images built with CNB-related systems intentionally both build and run as non-root users as a security measure. There's no real way to override those restrictions, nor would you want to, but instead you should make the changes necessary to run your application as a non-root user. As @octopus-prime worked out, something as simple as changing the port is enough, and given how all Docker image running systems work, you can easily get the same behavior via port mapping (-p 8080:80).
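The failure chain in this thread (Tomcat connector fails, root cause `java.net.SocketException: Permission denied` on `bind`, process running as a non-root user, port below 1024) is a pattern worth recognising quickly. The following is an added example, not code from Spring Boot, the buildpacks project or anyone in this thread: it walks the `Caused by:` chain of a Java stack trace to the root cause, decides whether the failure is the privileged-port case, and produces the remediation nebhale describes (keep the app on an unprivileged port inside the container and publish the host's port to it; docker's `-p` takes `host:container`). The sample trace is a constructed, abbreviated copy of the one in the report, the Linux threshold of 1024 comes from `net.ipv4.ip_unprivileged_port_start`, and the function names, the `uid` parameter and the choice of 8080 as the fallback port are this example's own.

```python
from __future__ import annotations

import re
import sys

# Constructed sample: an abbreviated copy of the stack trace from the issue report.
SAMPLE_TRACE = """\
org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
\tat org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:229)
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
\tat org.apache.catalina.core.StandardService.addConnector(StandardService.java:231)
\t... 11 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
\tat org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
\t... 13 common frames omitted
Caused by: java.net.SocketException: Permission denied
\tat java.base/sun.nio.ch.Net.bind0(Native Method)
\tat org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:229)
\t... 15 common frames omitted
"""

# On Linux, only root or a process holding CAP_NET_BIND_SERVICE may bind ports below this
# value (sysctl net.ipv4.ip_unprivileged_port_start, default 1024).
DEFAULT_UNPRIVILEGED_PORT_START = 1024

# Matches the exception header lines of a Java trace: an optional "Caused by: " prefix,
# a fully qualified class ending in Exception/Error, and an optional ": message".
_CAUSE_RE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error))(?:: (.*))?$")


def exception_chain(trace: str) -> list[tuple[str, str]]:
    """Return (class, message) pairs of the exception chain, outermost first."""
    chain = []
    for line in trace.splitlines():
        if line.startswith(("\t", " ")):
            continue  # stack frame or "... N common frames omitted" line
        m = _CAUSE_RE.match(line.strip())
        if m:
            chain.append((m.group(1), m.group(2) or ""))
    return chain


def is_privileged_port(port: int, unprivileged_port_start: int = DEFAULT_UNPRIVILEGED_PORT_START) -> bool:
    """True if binding this port needs root or CAP_NET_BIND_SERVICE on Linux."""
    return 0 < port < unprivileged_port_start


def diagnose(trace: str, port: int, uid: int,
             unprivileged_port_start: int = DEFAULT_UNPRIVILEGED_PORT_START) -> str:
    """Classify a Tomcat startup failure: 'privileged-port', 'port-in-use' or 'other'.

    uid is the uid the server process runs as (passed in rather than read from os.getuid()
    so the check can be run against a trace collected from another host or container).
    """
    chain = exception_chain(trace)
    if not chain:
        return "other"
    root_cls, root_msg = chain[-1]  # innermost "Caused by" is the real reason
    if root_cls.endswith(("SocketException", "BindException")):
        if "Permission denied" in root_msg and uid != 0 and is_privileged_port(port, unprivileged_port_start):
            return "privileged-port"
        if "Address already in use" in root_msg:
            return "port-in-use"
    return "other"


def remediation(port: int, fallback_port: int = 8080) -> dict[str, object]:
    """Keep the app on an unprivileged container port and publish the requested host port to it."""
    container_port = port if not is_privileged_port(port) else fallback_port
    return {"server.port": container_port, "docker_publish": f"-p {port}:{container_port}"}


if __name__ == "__main__":
    # Stand-alone use: read a trace from stdin (or use the sample) and report the verdict.
    trace = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    verdict = diagnose(trace, port=80, uid=1000)
    print("root cause:", exception_chain(trace)[-1])
    print("verdict:", verdict)
    if verdict == "privileged-port":
        print("remediation:", remediation(80))
```

Running it against the sample reports the root cause `("java.net.SocketException", "Permission denied")`, the verdict `privileged-port`, and the remediation `server.port=8080` with `-p 80:8080`. The same trace with the process running as uid 0, or with the app already on 8080, is classified as `other`, which is the point of checking the uid and port together: "Permission denied" on bind is only the non-root-plus-privileged-port case when both conditions hold.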

@wilkinsona
Member

Thanks very much, @nebhale. I'd like to make a note of this in our reference documentation. Is there some CNB documentation that we could link to?

@wilkinsona wilkinsona changed the title Version 2.3.0: Unable to start embedded Tomcat server Document that buildpacks use non-root users for building container images and running containers May 4, 2020
@wilkinsona wilkinsona added type: documentation A documentation update and removed status: feedback-provided Feedback has been provided status: waiting-for-triage An issue we've not yet triaged labels May 4, 2020
@wilkinsona wilkinsona added this to the 2.3.x milestone May 4, 2020
@nebhale
Member

nebhale commented May 4, 2020

@wilkinsona Let me look into that for you. It's part of our sales pitch, tag line, and spec, but I don't think there's any user-facing documentation that says it.

@snicoll
Member

snicoll commented Aug 31, 2020

I think the related issue is fixed now and we have a link to point users to https://buildpacks.io/docs/reference/spec/platform-api/#users

@snicoll snicoll removed the status: blocked An issue that's blocked on an external project change label Aug 31, 2020
@snicoll snicoll self-assigned this Sep 7, 2020
@snicoll snicoll removed this from the 2.3.x milestone Sep 7, 2020