zap2docker: failed to create directory - running it on OpenShift Container Platform (OCP)

[Andre Guerra]

I am currently working on getting zap2docker-bare up and running in an OpenShift container. I had to make a few modifications to the original Dockerfile because the network I am in doesn't have full internet access. One thing I did was to copy the ZAP 2.7 tar file locally so that it gets deployed without having to reach out and download it. I also had to disable the multi-stage docker build because the docker version we have running in OCP doesn't support it. The final dockerfile I've attached here builds successfully, but when I try to instantiate a container for it, I get the following:

--

Found Java version 1.8.0_201

Available memory: 64247 MB

Setting jvm heap size: -Xmx16061m

Failed to create directory /zap/?/.ZAP

Unable to initialize home directory! /zap/?/.ZAP/log4j.properties (No such file or directory)

java.io.FileNotFoundException: /zap/?/.ZAP/log4j.properties (No such file or directory)

at java.io.FileOutputStream.open0(Native Method)

at java.io.FileOutputStream.open(FileOutputStream.java:270)

at java.io.FileOutputStream.<init>(FileOutputStream.java:213)

at java.io.FileOutputStream.<init>(FileOutputStream.java:162)

at org.parosproxy.paros.model.FileCopier.copyLegacy(FileCopier.java:52)

at org.parosproxy.paros.model.FileCopier.copy(FileCopier.java:44)

at org.parosproxy.paros.Constant.initializeFilesAndDirectories(Constant.java:419)

at org.parosproxy.paros.Constant.<init>(Constant.java:320)

at org.parosproxy.paros.Constant.createInstance(Constant.java:905)

at org.parosproxy.paros.Constant.getInstance(Constant.java:897)

at org.zaproxy.zap.ZapBootstrap.start(ZapBootstrap.java:76)

at org.zaproxy.zap.DaemonBootstrap.start(DaemonBootstrap.java:48)

at org.zaproxy.zap.ZAP.main(ZAP.java:101)

--

I thought it could be related to the ZAP user in the container not having access to the directories of ZAP, so I added the chmod 777 -R to all required directories in the build instruction. I checked the build output and 777 was in fact applied to /zap and /home/zap folders:

--

Working directory:

/zap

Contents:

total 9448

drwxrwxrwx    1 zap      zap          173 Apr  9 17:40 .

drwxr-xr-x    1 root     root           6 Apr  9 17:41 ..

-rwxrwxrwx    1 zap      zap         2.4K Nov 28  2017 README

drwxrwxrwx    1 zap      zap          140 Apr  9 17:40 db

drwxrwxrwx    1 zap      zap         4.0K Apr  9 17:40 lang

drwxrwxrwx    1 zap      zap         4.0K Apr  9 17:40 lib

drwxrwxrwx    1 zap      zap          265 Apr  9 17:40 license

drwxrwxrwx    1 zap      zap         4.0K Apr  9 17:40 plugin

drwxrwxrwx    1 zap      zap           23 Apr  9 17:40 scripts

drwxrwxrwx    1 zap      zap         4.0K Apr  9 17:40 xml

-rwxrwxrwx    1 zap      zap         9.1M Nov 28  2017 zap-2.7.0.jar

-rwxrwxrwx    1 zap      zap          192 Nov 28  2017 zap.bat

-rwxrwxrwx    1 zap      zap       120.9K Nov 28  2017 zap.ico

-rwxrwxrwx    1 zap      zap         3.7K Nov 28  2017 zap.sh

JAVA_HOME  /usr/lib/jvm/java-1.8-openjdk

ZAP_PATH  /zap/zap.sh

HOME  /home/zap/

PORT  80

--

It looks like zap.sh is attempting to create this /zap/?/ directory for the logs, but I've no idea why. It doesn't seem to be doing it when I run zap in daemon mode from my local Windows machine. 

Any insights on this are much appreciated.

Once again: thank you and best regards!

Andre

[kingthorin+owaspzap]

Granted I haven't really futzed with docker builds but: Where is "/zap/?/.ZAP" supposed to be?

Looking at the current build for the bare image: https://github.com/zaproxy/zaproxy/blob/develop/docker/Dockerfile-bare

You seem to be lacking something equivalent to lines 2, 17, and 18...

[Andre Guerra]

It is missing line 2 because I cannot do multi-staged docker builds in my running version of OCP. That's why I am running everything in the openjdk image.

Line 17 uses the previous build image and copies the /zap directory from it to the new openjdk container at its root. Since I am already doing everything in the openjdk container, I don't require this. I tested that the /zap folder exists later in the Docker build.

Line 18 is executed in the following: COPY policies /home/zap/.ZAP/policies/ . It is the exact same statement I used from the original bare Dockerfile. The only difference is I am copying the contents of the git repo "policies" directory.

I have read that the ? on the output is the way linux has of telling you "unprintable char". Next step on my journey: I'll try to run zap.sh on a Linux machine and see where it attempts to create the log directory.

[thc...@gmail.com]

Hi.

> Linux machine and see where it attempts to create the log directory.

By default it tries to use the value given by "user.home" system
property (that should be set by the JVM), or if not set the current
directory.

You can override that with -dir command line argument [1] (to see if it
makes any difference).


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline

Best regards.

[Andre Guerra]

Thank you, thc202! We're evolving:

Unable to initialize home directory! /home/zap/log4j.properties (Permission denied)

I am pretty confident I can get that one solved. :)

[Andre Guerra]

Thanks again for the help. It worked when I specified -dir /home/zap/.ZAP/.

Cheers! \o/

[kingthorin+owaspzap]

Thanks for letting us know.