From 94b7c9627f7802e2626cb64135c697436808c78b Mon Sep 17 00:00:00 2001 From: Ivan Afonichev Date: Thu, 12 Jan 2012 02:58:04 +0400 Subject: [PATCH] Move jsvc support to subpackage --- tomcat-7.0-jsvc.service | 19 ++++++ tomcat-7.0-jsvc.wrapper | 83 ++++++++++++++++++++++++++ tomcat-7.0-tomcat-jsvc-sysd | 113 ++++++++++++++++++++++++++++++++++++ tomcat-7.0-tomcat-sysd | 12 ---- tomcat-7.0.wrapper | 9 --- tomcat.spec | 39 +++++++++++-- 6 files changed, 250 insertions(+), 25 deletions(-) create mode 100644 tomcat-7.0-jsvc.service create mode 100644 tomcat-7.0-jsvc.wrapper create mode 100644 tomcat-7.0-tomcat-jsvc-sysd
diff --git a/tomcat-7.0-jsvc.service b/tomcat-7.0-jsvc.service
new file mode 100644
index 0000000..3792cef
--- /dev/null
+++ b/tomcat-7.0-jsvc.service
@@ -0,0 +1,19 @@
+# Systemd unit file for tomcat
+#
+# To create clones of this service:
+# 1) By default SERVICE_NAME=tomcat. When cloned, the value must be defined
+# before tomcat-sysd is called.
+# 2) Create /etc/sysconfig/${SERVICE_NAME} from /etc/sysconfig/tomcat
+# to override tomcat defaults
+
+[Unit]
+Description=Apache Tomcat Web Application Container JSVC wrapper
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/tomcat-jsvc-sysd start
+ExecStop=/usr/sbin/tomcat-jsvc-sysd stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tomcat-7.0-jsvc.wrapper b/tomcat-7.0-jsvc.wrapper
new file mode 100644
index 0000000..56fcc09
--- /dev/null
+++ b/tomcat-7.0-jsvc.wrapper
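Review bot: The unit sets `Type=forking` without a `PIDFile=`, so systemd has to guess the main process once `tomcat-jsvc-sysd start` returns, and stop or failure handling may end up tracking the wrong process. The launcher added in this patch exports `CATALINA_PID="/var/run/${NAME}.pid"`, so with the default name `PIDFile=/var/run/tomcat.pid` under `[Service]` would match; a cloned service would need its own value. The header comment also still reads `before tomcat-sysd is called`, while `ExecStart` runs `tomcat-jsvc-sysd`.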
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+if [ -r /usr/share/java-utils/java-functions ]; then
+ . /usr/share/java-utils/java-functions
+else
+ echo "Can't read Java functions library, aborting"
+ exit 1
+fi
+
+# Get the tomcat config (use this for environment specific settings)
+#if [ -z "${TOMCAT_CFG}" ]; then
+# TOMCAT_CFG="/etc/tomcat/tomcat.conf"
+#fi
+
+#if [ -r "$TOMCAT_CFG" ]; then
+# . $TOMCAT_CFG
+#fi
+
+set_javacmd
+
+# CLASSPATH munging
+if [ -n "$JSSE_HOME" ]; then
+ CLASSPATH="${CLASSPATH}:$(build-classpath jcert jnet jsse 2>/dev/null)"
+fi
+CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar"
+CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar"
+CLASSPATH="${CLASSPATH}:$(build-classpath commons-daemon 2>/dev/null)"
+
+# if jsvc installed and USE_JSVC=true
+# then use jsvc instead of calling java directly
+if [ -x /usr/bin/jsvc ]; then
+ JAVACMD="/usr/bin/jsvc -nodetach -user ${TOMCAT_USER} -outfile ${CATALINA_BASE}/logs/catalina.out -errfile ${CATALINA_BASE}/logs/catalina.out"
+ if [ "$1" = "stop" ]; then
+ JAVACMD="${JAVACMD} -stop"
+ fi
+fi
+
+if [ "$1" = "start" ]; then
+ ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
+ -classpath "$CLASSPATH" \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
+ -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
+ org.apache.catalina.startup.Bootstrap start \
+ >> ${CATALINA_BASE}/logs/catalina.out 2>&1 &
+ if [ ! -z "$CATALINA_PID" ]; then
+ echo $! > $CATALINA_PID
+ fi
+elif [ "$1" = "start-security" ]; then
+ ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
+ -classpath "$CLASSPATH" \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ -Djava.security.manager \
+ -Djava.security.policy=="${CATALINA_BASE}/conf/catalina.policy" \
+ -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
+ -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
+ org.apache.catalina.startup.Bootstrap start \
+ >> ${CATALINA_BASE}/logs/catalina.out 2>&1 &
+ if [ ! -z "$CATALINA_PID" ]; then
+ echo $! > $CATALINA_PID
+ fi
+elif [ "$1" = "stop" ]; then
+ ${JAVACMD} $JAVA_OPTS \
+ -classpath "$CLASSPATH" \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ org.apache.catalina.startup.Bootstrap stop \
+ >> ${CATALINA_BASE}/logs/catalina.out 2>&1
+elif [ "$1" = "version" ]; then
+ ${JAVACMD} -classpath ${CATALINA_HOME}/lib/catalina.jar \
+ org.apache.catalina.util.ServerInfo
+else
+ echo "Usage: $0 {start|start-security|stop|version}"
+ exit 1
+fi
diff --git a/tomcat-7.0-tomcat-jsvc-sysd b/tomcat-7.0-tomcat-jsvc-sysd
new file mode 100644
index 0000000..9134d5b
--- /dev/null
+++ b/tomcat-7.0-tomcat-jsvc-sysd
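Review bot: `-user ${TOMCAT_USER}` in the `JAVACMD` assignment is the only thing that takes the JVM off root, yet the wrapper never checks that the variable is set or names an unprivileged account. The block that sourced `$TOMCAT_CFG` is commented out here, so the value can only arrive through the exports the caller prepends (tomcat-jsvc-sysd's `parseOptions`, which runs this script through `su - root`); if neither config file assigns it, `-user` is followed directly by `-outfile` and the drop target is undefined. I would fail closed before building `JAVACMD`: `[ -n "$TOMCAT_USER" ] && [ "$TOMCAT_USER" != "root" ] || { echo "TOMCAT_USER must name a non-root account" >&2; exit 1; }`. The `# if jsvc installed and USE_JSVC=true` comment is stale as well, since the test no longer looks at `USE_JSVC`.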
@@ -0,0 +1,113 @@
+#!/bin/bash
+#
+# This script provides systemd activation of the tomcat service
+# To create clones of this service:
+# 1) SERVICE_NAME must be defined before calling this script
+# 2) Create /etc/sysconfig/${SERVICE_NAME} from /etc/sysconfig/tomcat
+# to override tomcat defaults
+
+# SERVICE_NAME is a required value only if the service name is
+# different from 'tomcat'
+#
+NAME="${SERVICE_NAME:-tomcat}"
+
+#I'll bet this isn't required.
+# unset ISBOOT
+
+# For SELinux we need to use 'runuser' not 'su'
+if [ -x "/sbin/runuser" ]; then
+ SU="/sbin/runuser -s /bin/sh"
+else
+ SU="/bin/su -s /bin/sh"
+fi
+
+# Path to the tomcat launch script
+TOMCAT_SCRIPT="/usr/sbin/tomcat-jsvc"
+
+# Define the tomcat username
+TOMCAT_USER="${TOMCAT_USER:-tomcat}"
+
+# TOMCAT_LOG should be different from catalina.out.
+# Usually the below config is all that is necessary
+TOMCAT_LOG=/var/log/${NAME}/${NAME}-sysd.log
+
+# Get the tomcat config (use this for environment specific settings)
+TOMCAT_CFG="/etc/tomcat/tomcat.conf"
+if [ -r "$TOMCAT_CFG" ]; then
+ . $TOMCAT_CFG
+fi
+
+# Get instance specific config file
+if [ -r "/etc/sysconfig/${NAME}" ]; then
+ . /etc/sysconfig/${NAME}
+fi
+
+function parseOptions() {
+ options=""
+ options="$options $(
+ awk '!/^#/ && !/^$/ { ORS=" "; print "export ", $0, ";" }' \
+ $TOMCAT_CFG
+ )"
+ if [ -r "/etc/sysconfig/${NAME}" ]; then
+ options="$options $(
+ awk '!/^#/ && !/^$/ { ORS=" ";
+ print "export ", $0, ";" }' \
+ /etc/sysconfig/${NAME}
+ )"
+ fi
+ TOMCAT_SCRIPT="$options ${TOMCAT_SCRIPT}"
+}
+
+# See how we were called.
+function start() {
+ # fix permissions on the log and pid files
+ export CATALINA_PID="/var/run/${NAME}.pid"
+ touch $CATALINA_PID 2>&1
+ if [ "$?" -eq "0" ]; then
+ chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
+ fi
+
+ touch $TOMCAT_LOG 2>&1
+ if [ "$?" -eq "0" ]; then
+ chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG
+ fi
+
+ # if jsvc installed and USE_JSVC=true
+ # then start as root and use jsvc to drop privileges
+ if [ -x /usr/bin/jsvc ]; then
+ TOMCAT_USER="root"
+ fi
+
+ parseOptions
+ if [ "$SECURITY_MANAGER" = "true" ]; then
+ $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start-security" >> $TOMCAT_LOG 2>&1
+ else
+ $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1
+ fi
+}
+
+function stop() {
+ # if jsvc installed and USE_JSVC=true
+ # then start as root and use jsvc to drop privileges
+ if [ -x /usr/bin/jsvc ]; then
+ TOMCAT_USER="root"
+ fi
+
+ parseOptions
+ $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} stop" >> $TOMCAT_LOG 2>&1
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+esac
+
diff --git a/tomcat-7.0-tomcat-sysd b/tomcat-7.0-tomcat-sysd
index af3ed17..1e79816 100644
--- a/tomcat-7.0-tomcat-sysd
+++ b/tomcat-7.0-tomcat-sysd
@@ -72,12 +72,6 @@ function start() { chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG fi - # if jsvc installed and USE_JSVC=true - # then start as root and use jsvc to drop privileges - if [ -x /usr/bin/jsvc ] && [ "$USE_JSVC" = "true" ]; then - TOMCAT_USER="root" - fi - parseOptions if [ "$SECURITY_MANAGER" = "true" ]; then $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start-security" >> $TOMCAT_LOG 2>&1
@@ -87,12 +81,6 @@ function start() { } function stop() { - # if jsvc installed and USE_JSVC=true - # then start as root and use jsvc to drop privileges - if [ -x /usr/bin/jsvc ] && [ "$USE_JSVC" = "true" ]; then - TOMCAT_USER="root" - fi - parseOptions $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} stop" >> $TOMCAT_LOG 2>&1 }
diff --git a/tomcat-7.0.wrapper b/tomcat-7.0.wrapper
index 5a81ae2..ad3091b 100644
--- a/tomcat-7.0.wrapper
+++ b/tomcat-7.0.wrapper
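Review bot: In `start()`, `touch $TOMCAT_LOG` followed by `chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG` runs as root on a path under `/var/log/${NAME}/`, and both commands follow symlinks. If that directory is writable by the tomcat account (its ownership is not visible in this patch), a link left there would have its target created or handed over to that account at the next service start; the root-side `>> $TOMCAT_LOG` redirections follow links in the same way. Skipping links and not dereferencing would narrow this: `[ -L "$TOMCAT_LOG" ] || chown -h "${TOMCAT_USER}:${TOMCAT_USER}" "$TOMCAT_LOG"`, with the same guard in front of the `touch`. Separately, the comments in `start()` and `stop()` still say `and USE_JSVC=true` although the condition is now only `[ -x /usr/bin/jsvc ]`.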
@@ -26,15 +26,6 @@ CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar" CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar" CLASSPATH="${CLASSPATH}:$(build-classpath commons-daemon 2>/dev/null)" -# if jsvc installed and USE_JSVC=true -# then use jsvc instead of calling java directly -if [ -x /usr/bin/jsvc ] && [ "$USE_JSVC" = "true" ]; then - JAVACMD="/usr/bin/jsvc -nodetach -user ${TOMCAT_USER} -outfile ${CATALINA_BASE}/logs/catalina.out -errfile ${CATALINA_BASE}/logs/catalina.out" - if [ "$1" = "stop" ]; then - JAVACMD="${JAVACMD} -stop" - fi -fi - if [ "$1" = "start" ]; then ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \ -classpath "$CLASSPATH" \
diff --git a/tomcat.spec b/tomcat.spec
index 51a7fc6..18ac73f 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -54,7 +54,7 @@ Name: tomcat Epoch: 0 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 2%{?dist} +Release: 4%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Group: System Environment/Daemons
@@ -78,6 +78,11 @@ Source14: jasper-OSGi-MANIFEST.MF Source15: tomcat-api-OSGi-MANIFEST.MF Source16: tomcat-juli-OSGi-MANIFEST.MF Source17: %{name}-%{major_version}.%{minor_version}-tomcat-sysd +Source18: %{name}-%{major_version}.%{minor_version}-tomcat-jsvc-sysd +Source19: %{name}-%{major_version}.%{minor_version}-jsvc.wrapper +Source20: %{name}-%{major_version}.%{minor_version}-jsvc.service + + Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch #https://issues.apache.org/bugzilla/show_bug.cgi?id=52450
@@ -160,6 +165,17 @@ Requires: %{name} = %{epoch}:%{version}-%{release} %description systemv SystemV scripts to start and stop tomcat service +%package jsvc +Group: System Environment/Daemons +Summary: Apache jsvc wrapper for Apache Tomcat as separate service +Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: apache-commons-daemon-jsvc + +%description jsvc +Systemd service and wrapper scripts to start tomcat with jsvc, +which allows tomcat to perform some privileged operations +(e.g. bind to a port < 1024) and then switch identity to a non-privileged user. + %package jsp-%{jspspec}-api Group: Development/Libraries Summary: Apache Tomcat JSP API implementation classes
@@ -351,6 +367,12 @@ popd ${RPM_BUILD_ROOT}%{_unitdir}/%{name}.service %{__install} -m 0644 %{SOURCE17} \ ${RPM_BUILD_ROOT}%{_sbindir}/%{name}-sysd +%{__install} -m 0644 %{SOURCE19} \ + ${RPM_BUILD_ROOT}%{_sbindir}/%{name}-jsvc +%{__install} -m 0644 %{SOURCE20} \ + ${RPM_BUILD_ROOT}%{_unitdir}/%{name}-jsvc.service +%{__install} -m 0644 %{SOURCE18} \ + ${RPM_BUILD_ROOT}%{_sbindir}/%{name}-jsvc-sysd %{__ln_s} %{name} ${RPM_BUILD_ROOT}%{_sbindir}/d%{name} %{__sed} -e "s|\@\@\@TCLOG\@\@\@|%{logdir}|g" %{SOURCE5} \ > ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/%{name}
@@ -616,7 +638,19 @@ fi %{_sbindir}/d%{name} %{_initrddir}/%{name} +%files jsvc +%defattr(755,root,root,0755) +%{_sbindir}/%{name}-jsvc +%{_sbindir}/%{name}-jsvc-sysd +%attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service + %changelog +* Wed Jan 12 2012 Ivan Afonichev 0:7.0.23-4 +- Move jsvc support to subpackage + +* Wed Jan 11 2012 Alexander Kurtakov 0:7.0.23-2 +- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream). + * Mon Dec 12 2011 Joseph D. Wagner 0:7.0.23-3 - Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for starting tomcat with jsvc, which allows tomcat to perform some
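Review bot: The `%{__install} -m 0644` lines added in the `@@ -351` hunk put `%{name}-jsvc` and `%{name}-jsvc-sysd` into `%{_sbindir}` without the execute bit, and they only become runnable because `%files jsvc` later forces `%defattr(755,root,root,0755)`. Installing the two scripts with `-m 0755` would make the build root correct on its own, and `%files jsvc` could then use `%defattr(-,root,root,-)` so the unit file needs no `%attr(0644,root,root)` override. The neighbouring `%{SOURCE17}` line is written the same way, so this may be the spec's existing convention.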
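Review bot: The changelog entry added in the `@@ -616` hunk is dated `Wed Jan 12 2012`, while the patch header gives `Thu, 12 Jan 2012`, so the weekday does not match the date. Newer rpm versions warn about a bogus `%changelog` date in this case. The line should read `* Thu Jan 12 2012 Ivan Afonichev 0:7.0.23-4`.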
@@ -624,9 +658,6 @@ fi identity to a non-privileged user. Must add USE_JSVC="true" to /etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat. -* Wed Jan 11 2012 Alexander Kurtakov 0:7.0.23-2 -- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream). - * Mon Nov 28 2011 Ivan Afonichev 0:7.0.23-1 - Updated to 7.0.23