Docker starting numerous Java processes on host OS and as root

(Frank) #1

Was not even sure of the exact place to post this as it crosses a couple of areas. But here seems like the best choice, dockerengine.

If Docker is truly self-contained, why, when I run containers (example: docker run -it --rm -p 8888:8080 macedemo/tomcat), does it start a java process for each one on the host OS? I used the official tomcat dockerfile from the hub (where java is the base image) to run these:

root     3451  1690  0 09:13 pts/28   00:01:17 /usr/bin/java -Dnop -Dstringchararrayaccessor.disabled=true -server -Xmx1024m -Xms512m -XX:PermSize=128m -XX:MaxPermSize=256m -XX:+UseConcMarkSweepGC -Djava.endorsed.dirs=/usr/local/owf/apache-tomcat/endorsed -classpath
    org.apache.catalina.startup.Bootstrap start

root     3539  1690  0 09:14 pts/29   00:00:56 /usr/bin/java -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath
    -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat org.apache.catalina.startup.Bootstrap start

docker   3730  2394  0 12:32 pts/11   00:00:00 grep --color=auto java

spawned from:

root     1690     1  0 Nov24 ?        00:00:40 /usr/bin/docker daemon

So now these processes are dependent upon the java version running on the host system, and thus could run into issues running on different hosts based on the JVM installed on that server.

And to top it off, it starts those processes as root when I ran the docker run command as a non-privileged user, I guess because the docker daemon is running as root and spawned the processes. So now if the version of java I have on a host OS has a security vulnerability, it's now running as root. Sounds like a real bad idea and seems to be against guidance on the docker website not to run anything as root, which I certainly concur with.

Can anyone explain if I’m totally missing something?



(John Axel Eriksson) #2

Yes, you're misunderstanding what a container is. It's not like a virtual machine. The host can see all processes, while from the container's point of view only the processes within its namespace are visible. Same goes for networking, file system, etc. Think of them more like chroots on steroids.

So tomcat isn't running on the host's JVM; it's running on whatever JVM came bundled in the docker image and is self-contained.

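To make the previous answer checkable on a real host, here is an added example (my code, not from the thread, the poster or Docker) that reads /proc for a host-visible pid and reports which pid namespace it is in, what it runs as, and which binary and root filesystem it actually uses. It assumes Linux with procfs mounted and a kernel that exposes the NSpid field in /proc/PID/status (4.1 or later); the two status texts embedded below are constructed to look like the Tomcat JVM and the docker daemon from the first post, not captured from anyone's host.

```python
"""Inspect a host-visible PID through /proc to see what is and is not shared
with a container.  Added example, not code from the thread or from Docker.
Assumptions: Linux procfs; kernel 4.1+ for the NSpid line; the sample status
texts below are constructed, not captured from the poster's host."""
import os
import sys
from typing import Dict, List, Optional

# Constructed: what /proc/3451/status could look like on the host for the
# Tomcat JVM of the first post (host pid 3451, pid 1 inside its container).
SAMPLE_CONTAINER_STATUS = (
    "Name:\tjava\n"
    "State:\tS (sleeping)\n"
    "Pid:\t3451\n"
    "PPid:\t1690\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "NSpid:\t3451\t1\n"
)

# Constructed: the docker daemon, which lives in the host's own namespaces.
SAMPLE_HOST_STATUS = (
    "Name:\tdocker\n"
    "Pid:\t1690\n"
    "PPid:\t1\n"
    "Uid:\t0\t0\t0\t0\n"
    "NSpid:\t1690\n"
)


def parse_status(text: str) -> Dict[str, List[str]]:
    """Turn /proc/PID/status into {field: [values]} (values whitespace-separated)."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep:
            fields[key.strip()] = rest.split()
    return fields


def pid_namespace_depth(status: Dict[str, List[str]]) -> int:
    """NSpid lists the pid in each pid namespace, outermost first (the namespace
    that mounted this procfs, i.e. the host when read from the host).  One entry
    means the process shares the reader's pid namespace; more means it is in a
    nested namespace such as a container's."""
    return len(status.get("NSpid", []))


def in_child_pid_namespace(status: Dict[str, List[str]]) -> bool:
    return pid_namespace_depth(status) > 1


def pid_inside_container(status: Dict[str, List[str]]) -> Optional[int]:
    """The pid the process has in its innermost namespace (1 for a container's
    entrypoint), or None if it is not in a nested namespace."""
    ns = status.get("NSpid", [])
    return int(ns[-1]) if len(ns) > 1 else None


def effective_uid(status: Dict[str, List[str]]) -> int:
    # Uid line: real, effective, saved, filesystem
    return int(status["Uid"][1])


def proc_available() -> bool:
    return os.path.exists("/proc/self/status")


def describe_pid(pid: int) -> Dict[str, object]:
    """Read the live /proc entries for one host-visible pid.  exe/root need
    ptrace-level access (same uid as the target, or CAP_SYS_PTRACE)."""
    with open(f"/proc/{pid}/status") as f:
        status = parse_status(f.read())
    info: Dict[str, object] = {
        "pid_host": pid,
        "pid_in_container": pid_inside_container(status),
        "nested_pid_ns": in_child_pid_namespace(status),
        "uid": effective_uid(status),
    }
    try:
        # /proc/PID/exe resolves inside the process's own mount namespace and
        # /proc/PID/root is that namespace's root: for a containerised JVM the
        # binary lives in the image's filesystem, not the host's /usr/bin.
        exe = os.readlink(f"/proc/{pid}/exe")
        info["exe"] = exe
        host_root, proc_root = os.stat("/"), os.stat(f"/proc/{pid}/root")
        info["shares_host_rootfs"] = (
            (host_root.st_dev, host_root.st_ino) == (proc_root.st_dev, proc_root.st_ino)
        )
        info["exe_in_own_rootfs"] = os.path.exists(f"/proc/{pid}/root{exe}")
    except (PermissionError, FileNotFoundError) as err:
        info["exe"] = f"unreadable ({err.__class__.__name__})"
    return info


def describe_self() -> Dict[str, object]:
    return describe_pid(os.getpid())


if __name__ == "__main__":
    # Usage on the host: sudo python3 this.py 3451 3539 1690
    for arg in sys.argv[1:] or [str(os.getpid())]:
        print(describe_pid(int(arg)))
```

Run as root on the host against the pids from the ps output: a JVM started by docker shows two NSpid entries (its host pid and pid 1 inside the container), an exe path that only exists under /proc/PID/root, and shares_host_rootfs False, while the daemon shows a single NSpid entry and the host's root. The Uid line is the part that is genuinely shared: uid 0 inside the container is uid 0 on the host unless user namespaces are in play.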

Same container but different behaviour on different host
(Benitojcv) #3

Hi. I have the same problem, but in the simplest context. The problem occurs with a Java "hello world" console application. I simply add a loop so that the application does not terminate.

public class HelloWorld { // enclosing class and closing braces added; the post omitted them
    public static void main(String[] args) {
        System.out.println("Hello, World");
        while (true) {} // spin forever so the java process stays alive
    }
}

When I run the application from within Docker, the "java" process is outside Docker!!! The process cannot be outside Docker because, for more complex cases such as macedemo's, it may not include the libraries that are in the internal Docker classpath.

Additionally, the problem occurs only on certain hosts. The same Docker image works on some hosts and does not work on others.

This is a serious security problem!

(Frank) #4

John had me think about this more and I think he is right. On my VM I removed the java link in /usr/bin and restarted the tomcat container, and it started fine. Thus, as he stated, it must be using the JVM within the container.

Now this still does not address why folks are seeing the issues they are WRT java. If someone figures this out I would be interested. For me Docker/containers is a research project and I am looking at it from a security perspective, and things like not working on one host and working on another could lead to exploits. I need to understand what is shared and what is not.