zap2docker: failed to create directory - running it on OpenShift Container Platform (OCP)

785 views
Skip to first unread message

Andre Guerra

unread,
Apr 9, 2019, 2:20:58 PM4/9/19
to OWASP ZAP User Group
I am currently working on getting zap2docker-bare up and running in an OpenShift container. I had to make a few modifications to the original Dockerfile because the network I am in doesn't have full internet access. One thing I did was to copy the ZAP 2.7 tar file locally so that it gets deployed without having to reach out and download it. I also had to disable the multi-stage docker build because the docker version we have running in OCP doesn't support it. The final dockerfile I've attached here builds successfully, but when I try to instantiate a container for it, I get the following:
--
Found Java version 1.8.0_201
Available memory: 64247 MB
Setting jvm heap size: -Xmx16061m
Failed to create directory /zap/?/.ZAP
Unable to initialize home directory! /zap/?/.ZAP/log4j.properties (No such file or directory)
java.io.FileNotFoundException: /zap/?/.ZAP/log4j.properties (No such file or directory)
at java.io.FileOutputStream.open0(Native Method)
at java.io.FileOutputStream.open(FileOutputStream.java:270)
at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
at org.parosproxy.paros.model.FileCopier.copyLegacy(FileCopier.java:52)
at org.parosproxy.paros.model.FileCopier.copy(FileCopier.java:44)
at org.parosproxy.paros.Constant.initializeFilesAndDirectories(Constant.java:419)
at org.parosproxy.paros.Constant.<init>(Constant.java:320)
at org.parosproxy.paros.Constant.createInstance(Constant.java:905)
at org.parosproxy.paros.Constant.getInstance(Constant.java:897)
at org.zaproxy.zap.ZapBootstrap.start(ZapBootstrap.java:76)
at org.zaproxy.zap.DaemonBootstrap.start(DaemonBootstrap.java:48)
at org.zaproxy.zap.ZAP.main(ZAP.java:101)
--
I thought it could be related to the ZAP user in the container not having access to the directories of ZAP, so I added the chmod 777 -R to all required directories in the build instruction. I checked the build output and 777 was in fact applied to /zap and /home/zap folders:
--
Working directory:
/zap
Contents:
total 9448
drwxrwxrwx    1 zap      zap          173 Apr  9 17:40 .
drwxr-xr-x    1 root     root           6 Apr  9 17:41 ..
-rwxrwxrwx    1 zap      zap         2.4K Nov 28  2017 README
drwxrwxrwx    1 zap      zap          140 Apr  9 17:40 db
drwxrwxrwx    1 zap      zap         4.0K Apr  9 17:40 lang
drwxrwxrwx    1 zap      zap         4.0K Apr  9 17:40 lib
drwxrwxrwx    1 zap      zap          265 Apr  9 17:40 license
drwxrwxrwx    1 zap      zap         4.0K Apr  9 17:40 plugin
drwxrwxrwx    1 zap      zap           23 Apr  9 17:40 scripts
drwxrwxrwx    1 zap      zap         4.0K Apr  9 17:40 xml
-rwxrwxrwx    1 zap      zap         9.1M Nov 28  2017 zap-2.7.0.jar
-rwxrwxrwx    1 zap      zap          192 Nov 28  2017 zap.bat
-rwxrwxrwx    1 zap      zap       120.9K Nov 28  2017 zap.ico
-rwxrwxrwx    1 zap      zap         3.7K Nov 28  2017 zap.sh
JAVA_HOME  /usr/lib/jvm/java-1.8-openjdk
ZAP_PATH  /zap/zap.sh
HOME  /home/zap/
PORT  80
--

It looks like zap.sh is attempting to create this /zap/?/ directory for the logs, but I've no idea why. It doesn't seem to be doing it when I run zap in daemon mode from my local Windows machine. 

Any insights on this are much appreciated.

Once again: thank you and best regards!

Andre
Dockerfile.txt

kingthorin+owaspzap

unread,
Apr 9, 2019, 3:47:40 PM4/9/19
to OWASP ZAP User Group
Granted I haven't really futzed with docker builds but: Where is "/zap/?/.ZAP" supposed to be?

Looking at the current build for the bare image: https://github.com/zaproxy/zaproxy/blob/develop/docker/Dockerfile-bare
You seem to be lacking something equivalent to lines 2, 17, and 18...


Andre Guerra

unread,
Apr 9, 2019, 4:13:40 PM4/9/19
to OWASP ZAP User Group
It is missing line 2 because I cannot do multi-staged docker builds in my running version of OCP. That's why I am running everything in the openjdk image.
Line 17 uses the previous build image and copies the /zap directory from it to the new openjdk container at its root. Since I am already doing everything in the openjdk container, I don't require this. I tested that the /zap folder exists later in the Docker build.
Line 18 is executed in the following: COPY policies /home/zap/.ZAP/policies/ . It is the exact same statement I used from the original bare Dockerfile. The only difference is I am copying the contents of the git repo "policies" directory.

I have read that the ? on the output is the way linux has of telling you "unprintable char". Next step on my journey: I'll try to run zap.sh on a Linux machine and see where it attempts to create the log directory.

thc...@gmail.com

unread,
Apr 9, 2019, 4:39:52 PM4/9/19
to zaprox...@googlegroups.com
Hi.

> Linux machine and see where it attempts to create the log directory.

By default it tries to use the value given by "user.home" system
property (that should be set by the JVM), or if not set the current
directory.

You can override that with -dir command line argument [1] (to see if it
makes any difference).


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline

Best regards.

Andre Guerra

unread,
Apr 9, 2019, 5:23:04 PM4/9/19
to OWASP ZAP User Group
Thank you, thc202! We're evolving:
Unable to initialize home directory! /home/zap/log4j.properties (Permission denied)

I am pretty confident I can get that one solved. :)

Andre Guerra

unread,
Apr 9, 2019, 6:03:21 PM4/9/19
to OWASP ZAP User Group
Thanks again for the help. It worked when I specified -dir /home/zap/.ZAP/.
Cheers! \o/

kingthorin+owaspzap

unread,
Apr 9, 2019, 8:18:16 PM4/9/19
to OWASP ZAP User Group
Thanks for letting us know.
Reply all
Reply to author
Forward
Message has been deleted
0 new messages