tomcat7 fail to start inside Ubuntu Docker container

Question

The initial situation

In Ubuntu (14.04 / 14.10) a ran the following commands:

apt-get update && apt-get install tomcat7
service tomcat7 start

On the one hand I tried this in a VirtualBox VM and tomcat7 startet as expected:

vagrant init hashicorp/precise32
vagrant up

On the other hand I tried this inside a Docker container, started as shown here:

sudo docker run -it --name tomcattest ubuntu bash

The problem

There the service tomcat7 start command outputs [fail]. Nevertheless tomcat is running, but /var/log/tomcat7/catalina.out says following:

Apr 16, 2015 5:52:40 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/common/classes], exists: [false], isDirectory: [false], canRead: [false]
Apr 16, 2015 5:52:40 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/common], exists: [false], isDirectory: [false], canRead: [false]
Apr 16, 2015 5:52:40 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/server/classes], exists: [false], isDirectory: [false], canRead: [false]
Apr 16, 2015 5:52:40 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/server], exists: [false], isDirectory: [false], canRead: [false]
Apr 16, 2015 5:52:40 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/shared/classes], exists: [false], isDirectory: [false], canRead: [false]
Apr 16, 2015 5:52:40 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/shared], exists: [false], isDirectory: [false], canRead: [false]
Apr 16, 2015 5:52:40 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Apr 16, 2015 5:52:40 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 514 ms
Apr 16, 2015 5:52:41 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Apr 16, 2015 5:52:41 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.52 (Ubuntu)
Apr 16, 2015 5:52:41 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
Apr 16, 2015 5:52:42 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Apr 16, 2015 5:52:42 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1150 ms

explanation searched

Could anybody exlain the different behavior and tell me if it is possible to install tomcat7 the easy way via apt-get inside a docker container without warnings?

Answer 1

The solution

The tomcat startup script needs some special privileges. Concrete it needs to check all running processes, to verify itself is running. You can give the Docker container following privilege in order to make the tomcat start script exiting with success:

sudo docker run --cap-add SYS_PTRACE -it ubuntu bash

The important option is --cap-add SYS_PTRACE, all other options may vary. There is (at least one) an issue discussing this problem on docker github:

https://github.com/docker/docker/issues/6800

subsequent problems

Nevertheless I've found no way to set this privilege for the docker build of an image. My ultimate goal is to run a docker build which executes an Ansible playbook inside. The build just fails because of the service start, which I won't take out of the playbook. I'll make further investigations, but possible solutions are welcome.