Hi all, I just configured a tomcat instance started/stopped by systemd. This instance is managed as a resource by pacemaker: when tomcat is moved to a machine, its systemd unit is started. There are several machines in the cluster, but only one at a time runs tomcat.
The unit is something like this:

[Unit]
Description=...
After=syslog.target network.target

[Service]
Type=forking
User=...
Group=...
WorkingDirectory=...
NoNewPrivileges=true
AmbientCapabilities=CAP_NET_BIND_SERVICE
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
ExecStart=/bin/sh -c .../apache-tomcat-9.0.109/bin/startup.sh
ExecStop=/bin/sh -c .../apache-tomcat-9.0.109/bin/shutdown.sh
Environment="CATALINA_PID=.../apache-tomcat-9.0.109/logs/tomcat.pid"
ExecStartPre=+/usr/bin/firewall-cmd --zone=public --add-service=tomcat
ExecStopPost=+/usr/bin/firewall-cmd --zone=public --remove-service=tomcat
SocketBindDeny=any
SocketBindAllow=ipv4:tcp:443
OOMScoreAdjust=-1000
ProtectSystem=true
ReadWritePaths=...

[Install]
WantedBy=multi-user.target

As you see, I am enabling rules via ExecStartPre. Of course this is not permanent, so if anyone issues the "firewall-cmd --reload" command, it will disable this rule.
What is the best method to keep this rule working while tomcat is on this node?
Thank you, Giuseppe
09.10.2025 18:29, Giuseppe S. via firewalld-users wrote:
> As you see, I am enabling rules via ExecStartPre. Of course this is not permanent, so if anyone issues the "firewall-cmd --reload" command, it will disable this rule.

This applies to anything any cluster resource does. If someone modifies any cluster resource outside of the cluster, the behavior is undefined.

> What is the best method to keep this rule working while tomcat is on this node?

Save the modification as permanent so it survives reload/restart?
Hi Andrei, thank you for your quick answer.
On Thu, 09/10/2025 at 19.32 +0300, Andrei Borzenkov wrote:
> 09.10.2025 18:29, Giuseppe S. via firewalld-users wrote:
>> [...] As you see, I am enabling rules via ExecStartPre. Of course this is not permanent, so if anyone issues the "firewall-cmd --reload" command, it will disable this rule.
>
> This applies to anything any cluster resource does. If someone modifies any cluster resource outside of the cluster, the behavior is undefined.

Right: this is a usual problem related to clusters.

>> What is the best method to keep this rule working while tomcat is on this node?
>
> Save the modification as permanent so it survives reload/restart?
I was reluctant to save them as permanent, since in case of any crash, these rules would be applied at reboot even without tomcat running on the node. BTW, I think I'll add a second ExecStartPre command with "--permanent" in the systemd unit.
Thank you again, Giuseppe
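As an added example (not code from the thread or from the tomcat/firewalld projects), here is a small POSIX shell helper that the unit could call as ExecStartPre=+/usr/local/sbin/tomcat-firewall.sh start and ExecStopPost=+/usr/local/sbin/tomcat-firewall.sh stop in place of the two firewall-cmd lines. The script path and the FIREWALL_CMD override hook are assumptions made for this example; the zone (public) and service name (tomcat) are the ones from the unit above. It adds and removes the service in both the runtime and the permanent configuration, checking with --query-service first so that repeated starts or stops stay idempotent, and it has a status mode that can be used to spot drift: after someone runs firewall-cmd --reload the runtime set is rebuilt from the permanent one, so while tomcat runs on this node the two should still agree.

```shell
#!/bin/sh
# Added example, not code from the thread: one helper managing the firewalld
# service entry for tomcat in both the runtime and the permanent configuration.
# Intended to be called from the unit as
#   ExecStartPre=+/usr/local/sbin/tomcat-firewall.sh start
#   ExecStopPost=+/usr/local/sbin/tomcat-firewall.sh stop
# The "+" prefix runs the command with full privileges although the unit drops
# to User=/Group=, exactly as the original ExecStartPre/ExecStopPost lines do.
# Assumptions: the script path and the FIREWALL_CMD override hook are invented
# here; zone and service name come from the unit in the thread.
set -eu

ZONE="${ZONE:-public}"
SERVICE="${SERVICE:-tomcat}"
FIREWALL_CMD="${FIREWALL_CMD:-/usr/bin/firewall-cmd}"

# fw_call SCOPE ARGS...: run firewall-cmd for the zone, with --permanent when
# SCOPE is "permanent", against the runtime configuration otherwise.
fw_call() {
    scope=$1
    shift
    if [ "$scope" = permanent ]; then
        "$FIREWALL_CMD" --permanent --zone="$ZONE" "$@"
    else
        "$FIREWALL_CMD" --zone="$ZONE" "$@"
    fi
}

# Add the service in one scope only if it is not there yet, so a restart after
# a failed start does not trip over an entry that already exists.
fw_ensure_added() {
    if fw_call "$1" --query-service="$SERVICE" >/dev/null 2>&1; then
        return 0
    fi
    fw_call "$1" --add-service="$SERVICE" >/dev/null
}

# Remove the service in one scope only if it is present.
fw_ensure_removed() {
    if ! fw_call "$1" --query-service="$SERVICE" >/dev/null 2>&1; then
        return 0
    fi
    fw_call "$1" --remove-service="$SERVICE" >/dev/null
}

# tomcat_firewall start|stop|status
#   start  - open the service in the runtime and the permanent configuration
#   stop   - close it in both (ExecStopPost also runs after a failed exit)
#   status - exit 0 only when runtime and permanent both contain the service;
#            a mismatch while tomcat runs here means the firewall was changed
#            behind the cluster's back
tomcat_firewall() {
    case "$1" in
        start)
            fw_ensure_added runtime
            fw_ensure_added permanent
            ;;
        stop)
            fw_ensure_removed runtime
            fw_ensure_removed permanent
            ;;
        status)
            fw_call runtime --query-service="$SERVICE" >/dev/null 2>&1 &&
                fw_call permanent --query-service="$SERVICE" >/dev/null 2>&1
            ;;
        *)
            echo "usage: $0 start|stop|status" >&2
            return 2
            ;;
    esac
}

# Dispatch only when an action is given, so the file can also be sourced.
case "${1:-}" in
    start|stop|status) tomcat_firewall "$1" ;;
esac
```

Because ExecStopPost also runs when tomcat exits on failure, a clean stop or a pacemaker move leaves no permanent rule on the old node. What this does not cover is the case raised in the thread: after a hard crash of the node the permanent entry survives the reboot with nothing listening on 443. One way to close that gap is to run the same script's stop mode from a boot-time unit ordered before the cluster stack, so the port is reopened only when pacemaker actually starts tomcat on this node.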
firewalld-users@lists.fedorahosted.org