Move jsvc support to subpackage

tomcat-7.0-jsvc.service

@@ -0,0 +1,19 @@
+# Systemd unit file for tomcat
+# 
+# To create clones of this service:
+# 1) By default SERVICE_NAME=tomcat. When cloned, the value must be defined 
+# before tomcat-sysd is called.
+# 2) Create /etc/sysconfig/${SERVICE_NAME} from /etc/sysconfig/tomcat
+# to override tomcat defaults
+
+[Unit]
+Description=Apache Tomcat Web Application Container JSVC wrapper
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/tomcat-jsvc-sysd start
+ExecStop=/usr/sbin/tomcat-jsvc-sysd stop
+
+[Install]
+WantedBy=multi-user.target

tomcat-7.0-jsvc.wrapper

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+if [ -r /usr/share/java-utils/java-functions ]; then
+  . /usr/share/java-utils/java-functions
+else
+  echo "Can't read Java functions library, aborting"
+  exit 1
+fi
+
+# Get the tomcat config (use this for environment specific settings)
+#if [ -z "${TOMCAT_CFG}" ]; then
+#  TOMCAT_CFG="/etc/tomcat/tomcat.conf"
+#fi
+
+#if [ -r "$TOMCAT_CFG" ]; then
+#  . $TOMCAT_CFG
+#fi
+
+set_javacmd
+
+# CLASSPATH munging
+if [ -n "$JSSE_HOME" ]; then
+  CLASSPATH="${CLASSPATH}:$(build-classpath jcert jnet jsse 2>/dev/null)"
+fi
+CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar"
+CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar"
+CLASSPATH="${CLASSPATH}:$(build-classpath commons-daemon 2>/dev/null)"
+
+# if jsvc installed and USE_JSVC=true
+# then use jsvc instead of calling java directly
+if [ -x /usr/bin/jsvc ]; then
+  JAVACMD="/usr/bin/jsvc -nodetach -user ${TOMCAT_USER} -outfile ${CATALINA_BASE}/logs/catalina.out -errfile ${CATALINA_BASE}/logs/catalina.out"
+  if [ "$1" = "stop" ]; then
+    JAVACMD="${JAVACMD} -stop"
+  fi
+fi
+
+if [ "$1" = "start" ]; then
+  ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
+    -classpath "$CLASSPATH" \
+    -Dcatalina.base="$CATALINA_BASE" \
+    -Dcatalina.home="$CATALINA_HOME" \
+    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
+    -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+    -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
+    -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
+    org.apache.catalina.startup.Bootstrap start \
+    >> ${CATALINA_BASE}/logs/catalina.out 2>&1 &
+    if [ ! -z "$CATALINA_PID" ]; then
+      echo $! > $CATALINA_PID
+    fi
+elif [ "$1" = "start-security" ]; then
+  ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
+    -classpath "$CLASSPATH" \
+    -Dcatalina.base="$CATALINA_BASE" \
+    -Dcatalina.home="$CATALINA_HOME" \
+    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
+    -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+    -Djava.security.manager \
+    -Djava.security.policy=="${CATALINA_BASE}/conf/catalina.policy" \
+    -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
+    -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
+    org.apache.catalina.startup.Bootstrap start \
+    >> ${CATALINA_BASE}/logs/catalina.out 2>&1 &
+    if [ ! -z "$CATALINA_PID" ]; then
+      echo $! > $CATALINA_PID
+    fi
+elif [ "$1" = "stop" ]; then
+  ${JAVACMD} $JAVA_OPTS \
+    -classpath "$CLASSPATH" \
+    -Dcatalina.base="$CATALINA_BASE" \
+    -Dcatalina.home="$CATALINA_HOME" \
+    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
+    -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+    org.apache.catalina.startup.Bootstrap stop \
+    >> ${CATALINA_BASE}/logs/catalina.out 2>&1
+elif [ "$1" = "version" ]; then
+  ${JAVACMD} -classpath ${CATALINA_HOME}/lib/catalina.jar \
+    org.apache.catalina.util.ServerInfo
+else
+  echo "Usage: $0 {start|start-security|stop|version}"
+  exit 1
+fi

tomcat-7.0-tomcat-jsvc-sysd

@@ -0,0 +1,113 @@
+#!/bin/bash
+#
+# This script provides systemd activation of the tomcat service
+# To create clones of this service:
+# 1) SERVICE_NAME must be defined before calling this script
+# 2) Create /etc/sysconfig/${SERVICE_NAME} from /etc/sysconfig/tomcat
+# to override tomcat defaults
+
+# SERVICE_NAME is a required value only if the service name is 
+# different from 'tomcat'
+#
+NAME="${SERVICE_NAME:-tomcat}"
+
+#I'll bet this isn't required. 
+# unset ISBOOT
+
+# For SELinux we need to use 'runuser' not 'su'
+if [ -x "/sbin/runuser" ]; then
+    SU="/sbin/runuser -s /bin/sh"
+else
+    SU="/bin/su -s /bin/sh"
+fi
+
+# Path to the tomcat launch script
+TOMCAT_SCRIPT="/usr/sbin/tomcat-jsvc"
+        
+# Define the tomcat username
+TOMCAT_USER="${TOMCAT_USER:-tomcat}"
+
+# TOMCAT_LOG should be different from catalina.out.
+# Usually the below config is all that is necessary
+TOMCAT_LOG=/var/log/${NAME}/${NAME}-sysd.log
+
+# Get the tomcat config (use this for environment specific settings)
+TOMCAT_CFG="/etc/tomcat/tomcat.conf"
+if [ -r "$TOMCAT_CFG" ]; then
+    . $TOMCAT_CFG
+fi
+
+# Get instance specific config file
+if [ -r "/etc/sysconfig/${NAME}" ]; then
+    . /etc/sysconfig/${NAME}
+fi
+
+function parseOptions() {
+    options=""
+    options="$options $(
+                 awk '!/^#/ && !/^$/ { ORS=" "; print "export ", $0, ";" }' \
+                 $TOMCAT_CFG
+             )"
+    if [ -r "/etc/sysconfig/${NAME}" ]; then
+        options="$options $(
+                     awk '!/^#/ && !/^$/ { ORS=" ";
+                                           print "export ", $0, ";" }' \
+                     /etc/sysconfig/${NAME}
+                 )"
+    fi
+    TOMCAT_SCRIPT="$options ${TOMCAT_SCRIPT}"
+}
+
+# See how we were called.
+function start() {
+    # fix permissions on the log and pid files
+    export CATALINA_PID="/var/run/${NAME}.pid"
+    touch $CATALINA_PID 2>&1 
+    if [ "$?" -eq "0" ]; then
+      chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID
+    fi
+
+    touch $TOMCAT_LOG 2>&1 
+    if [ "$?" -eq "0" ]; then
+      chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG
+    fi
+
+    # if jsvc installed and USE_JSVC=true
+    # then start as root and use jsvc to drop privileges
+    if [ -x /usr/bin/jsvc ]; then
+      TOMCAT_USER="root"
+    fi
+
+    parseOptions  
+    if [ "$SECURITY_MANAGER" = "true" ]; then
+       $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start-security" >> $TOMCAT_LOG 2>&1 
+    else
+       $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1
+    fi
+}
+
+function stop() {
+    # if jsvc installed and USE_JSVC=true
+    # then start as root and use jsvc to drop privileges
+    if [ -x /usr/bin/jsvc ]; then
+      TOMCAT_USER="root"
+    fi
+
+    parseOptions  
+    $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} stop" >> $TOMCAT_LOG 2>&1
+}
+
+# See how we were called.
+case "$1" in
+    start)
+        start
+        ;;
+    stop)
+        stop
+        ;;
+    restart)
+        stop
+        start
+        ;;
+esac
+

tomcat-7.0-tomcat-sysd

@@ -72,12 +72,6 @@ function start() {
       chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG
     fi
 
-    # if jsvc installed and USE_JSVC=true
-    # then start as root and use jsvc to drop privileges
-    if [ -x /usr/bin/jsvc ] && [ "$USE_JSVC" = "true" ]; then
-      TOMCAT_USER="root"
-    fi
-
     parseOptions  
     if [ "$SECURITY_MANAGER" = "true" ]; then
        $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start-security" >> $TOMCAT_LOG 2>&1 
@@ -87,12 +81,6 @@ function start() {
 }
 
 function stop() {
-    # if jsvc installed and USE_JSVC=true
-    # then start as root and use jsvc to drop privileges
-    if [ -x /usr/bin/jsvc ] && [ "$USE_JSVC" = "true" ]; then
-      TOMCAT_USER="root"
-    fi
-
     parseOptions  
     $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} stop" >> $TOMCAT_LOG 2>&1
 }

tomcat-7.0.wrapper

@@ -26,15 +26,6 @@ CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/bootstrap.jar"
 CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar"
 CLASSPATH="${CLASSPATH}:$(build-classpath commons-daemon 2>/dev/null)"
 
-# if jsvc installed and USE_JSVC=true
-# then use jsvc instead of calling java directly
-if [ -x /usr/bin/jsvc ] && [ "$USE_JSVC" = "true" ]; then
-  JAVACMD="/usr/bin/jsvc -nodetach -user ${TOMCAT_USER} -outfile ${CATALINA_BASE}/logs/catalina.out -errfile ${CATALINA_BASE}/logs/catalina.out"
-  if [ "$1" = "stop" ]; then
-    JAVACMD="${JAVACMD} -stop"
-  fi
-fi
-
 if [ "$1" = "start" ]; then
   ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
     -classpath "$CLASSPATH" \

tomcat.spec

@@ -54,7 +54,7 @@
 Name:          tomcat
 Epoch:         0
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       2%{?dist}
+Release:       4%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 Group:         System Environment/Daemons
@@ -78,6 +78,11 @@ Source14:      jasper-OSGi-MANIFEST.MF
 Source15:      tomcat-api-OSGi-MANIFEST.MF
 Source16:      tomcat-juli-OSGi-MANIFEST.MF
 Source17:      %{name}-%{major_version}.%{minor_version}-tomcat-sysd
+Source18:      %{name}-%{major_version}.%{minor_version}-tomcat-jsvc-sysd
+Source19:      %{name}-%{major_version}.%{minor_version}-jsvc.wrapper
+Source20:      %{name}-%{major_version}.%{minor_version}-jsvc.service
+
+
 Patch0:        %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
 Patch1:        %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
 #https://issues.apache.org/bugzilla/show_bug.cgi?id=52450
@@ -160,6 +165,17 @@ Requires: %{name} = %{epoch}:%{version}-%{release}
 %description systemv
 SystemV scripts to start and stop tomcat service
 
+%package jsvc
+Group: System Environment/Daemons
+Summary: Apache jsvc wrapper for Apache Tomcat as separate service
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: apache-commons-daemon-jsvc
+
+%description jsvc
+Systemd service and wrapper scripts to start tomcat with jsvc, 
+which allows tomcat to perform some privileged operations
+(e.g. bind to a port < 1024) and then switch identity to a non-privileged user.
+
 %package jsp-%{jspspec}-api
 Group: Development/Libraries
 Summary: Apache Tomcat JSP API implementation classes
@@ -351,6 +367,12 @@ popd
     ${RPM_BUILD_ROOT}%{_unitdir}/%{name}.service
 %{__install} -m 0644 %{SOURCE17} \
     ${RPM_BUILD_ROOT}%{_sbindir}/%{name}-sysd
+%{__install} -m 0644 %{SOURCE19} \
+    ${RPM_BUILD_ROOT}%{_sbindir}/%{name}-jsvc
+%{__install} -m 0644 %{SOURCE20} \
+    ${RPM_BUILD_ROOT}%{_unitdir}/%{name}-jsvc.service
+%{__install} -m 0644 %{SOURCE18} \
+    ${RPM_BUILD_ROOT}%{_sbindir}/%{name}-jsvc-sysd
 %{__ln_s} %{name} ${RPM_BUILD_ROOT}%{_sbindir}/d%{name}
 %{__sed} -e "s|\@\@\@TCLOG\@\@\@|%{logdir}|g" %{SOURCE5} \
     > ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/%{name}
@@ -616,7 +638,19 @@ fi
 %{_sbindir}/d%{name}
 %{_initrddir}/%{name}
 
+%files jsvc
+%defattr(755,root,root,0755)
+%{_sbindir}/%{name}-jsvc
+%{_sbindir}/%{name}-jsvc-sysd
+%attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service
+
 %changelog
+* Wed Jan 12 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.23-4
+- Move jsvc support to subpackage
+
+* Wed Jan 11 2012 Alexander Kurtakov <akurtako@redhat.com> 0:7.0.23-2
+- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).
+
 * Mon Dec 12 2011 Joseph D. Wagner <joe@josephdwagner.info> 0:7.0.23-3
 - Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for
   starting tomcat with jsvc, which allows tomcat to perform some
@@ -624,9 +658,6 @@ fi
   identity to a non-privileged user. Must add USE_JSVC="true" to
   /etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.
 
-* Wed Jan 11 2012 Alexander Kurtakov <akurtako@redhat.com> 0:7.0.23-2
-- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).
-
 * Mon Nov 28 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.23-1
 - Updated to 7.0.23