Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
Summary: Feature Request: support jsvc for starting tomcat
https://bugzilla.redhat.com/show_bug.cgi?id=761623
Product: Fedora
Version: rawhide
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: unspecified
Component: tomcat
AssignedTo: ivan.afonichev@gmail.com
ReportedBy: joe@josephdwagner.info
QAContact: extras-qa@fedoraproject.org
CC: akurtako@redhat.com, java-sig-commits@lists.fedoraproject.org, ivan.afonichev@gmail.com
Classification: Fedora
Story Points: ---
Type: ---
Created attachment 542672 --> https://bugzilla.redhat.com/attachment.cgi?id=542672 Proof of concept patches.
Currently, systemd starts tomcat using the unprivileged account 'tomcat' for security reasons. This has the side effect of not being able to run tomcat on privileged ports.
There are two workarounds for this: 1) use iptables to forward port 80 traffic to port 8080, or 2) use mod_proxy on apache.
A third workaround is to use jsvc to start tomcat as root and then drop privileges once tomcat has bound to the ports. However, this option is not supported out-of-the-box.
My attached patches to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat change this so that the third workaround is supported out-of-the-box. It uses systemd to start and stop jsvc, which in turn controls tomcat. These patches were tested successfully on my own system.
Unfortunately, I do not believe these patches are of production quality. I consider them more to be proof-of-concept code. In addition to the cleanliness of the code, I have two concerns: 1) my code automatically chooses jsvc when present; for production, you may want to make it an option in /etc/sysconfig/tomcat instead, and 2) I'm not sure my patches correctly handle the pidfile and logging files under jsvc.
I hope, however, that my patches will kickstart the development process. I believe supporting this third workaround would be a real benefit to RedHat and Fedora.
Joseph D. Wagner joe@josephdwagner.info changed:
What     |Removed |Added
----------------------------------------------------------------------------
Keywords |        |FutureFeature
--- Comment #1 from Ivan Afonichev ivan.afonichev@gmail.com 2011-12-08 14:02:19 EST ---
I think tomcat is not so good as frontend server... I think for production usage it's much better to use some lightweight http frontend server (like nginx) or apache with ajp mod_proxy, and for small dev usage unprivileged port is not a big issue...
But I think we can create some tomcat-jsvc subpackage for fans of "third workaround".
Also I think your patches could be rather interesting for maintainers of tomcat6 package. (tomcat scripts are only ported versions of tomcat6 scripts)
--- Comment #2 from Joseph D. Wagner joe@josephdwagner.info 2011-12-08 22:38:16 EST ---
I would think that with enough sanity checks a separate package wouldn't be necessary.
I'm going to try to come up with a better patch this weekend, one which will hopefully address my own concerns.
Joseph D. Wagner joe@josephdwagner.info changed:
What                           |Removed |Added
----------------------------------------------------------------------------
Attachment #542672 is obsolete |0       |1

--- Comment #3 from Joseph D. Wagner joe@josephdwagner.info 2011-12-11 20:01:00 EST ---
Created attachment 545466 --> https://bugzilla.redhat.com/attachment.cgi?id=545466 More robust implementation.
I reworked my original proposed patches. I believe these to be of a much higher caliber and ready for peer review. I made sure to address the issues I brought up earlier.
Issue #1: This revised patch checks for both /usr/sbin/jsvc AND the option USE_JSVC="true". It does not assume that jsvc should be used simply because it is installed.
Issue #2: This revised patch correctly handles the pidfile and logging.
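The selection rule from Issue #1 and the explicit pidfile and log handling from Issue #2, sketched as an added example; this is not the code from attachment 545466, which is not reproduced on this page. Every variable name other than USE_JSVC, the default paths, and the root check are assumptions made for the sketch, and it only prints the jsvc arguments rather than starting anything.

```shell
#!/bin/sh
# Added example: launcher selection and jsvc argument construction.
# /usr/sbin/jsvc and USE_JSVC come from comment #3; all other variable
# names and default paths below are assumptions made for this sketch.

JSVC_BIN="${JSVC_BIN:-/usr/sbin/jsvc}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
CATALINA_HOME="${CATALINA_HOME:-/usr/share/tomcat}"
CATALINA_PID="${CATALINA_PID:-/var/run/tomcat.pid}"
CATALINA_LOG="${CATALINA_LOG:-/var/log/tomcat/catalina.out}"

# Print "jsvc" only when the binary is executable AND the admin opted in;
# an installed jsvc alone never changes how tomcat is started.
choose_launcher() {
    if [ -x "$JSVC_BIN" ] && [ "${USE_JSVC:-false}" = "true" ]; then
        echo jsvc
    else
        echo java
    fi
}

# Refuse the jsvc path when the drop-privilege target is empty or root:
# the JVM would keep full privileges after binding the port.
check_drop_target() {
    [ -n "$TOMCAT_USER" ] && [ "$TOMCAT_USER" != "root" ]
}

# Print the jsvc invocation, one argument per line. jsvc starts as root,
# binds the privileged port, then switches to the -user account.
# -pidfile/-outfile/-errfile make pid and log locations explicit
# (jsvc sends stdout/stderr to /dev/null when they are not given).
jsvc_start_args() {
    printf '%s\n' \
        "$JSVC_BIN" \
        -user "$TOMCAT_USER" \
        -pidfile "$CATALINA_PID" \
        -outfile "$CATALINA_LOG" \
        -errfile '&1' \
        -cp "$CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/tomcat-juli.jar" \
        org.apache.catalina.startup.Bootstrap
}

# Dry run: show what would be executed, without executing it.
if [ "$(choose_launcher)" = "jsvc" ] && check_drop_target; then
    jsvc_start_args
fi
```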
--- Comment #4 from Joseph D. Wagner joe@josephdwagner.info 2011-12-11 20:03:35 EST ---
I thought of another case where this feature may be useful. This might be installed on a development box where the administrators don't want to bother setting up a front-end/forward to port 8080.
--- Comment #5 from Ivan Afonichev ivan.afonichev@gmail.com 2011-12-12 07:04:24 EST ---
I would prefer adding tomcat-jsvc subpackage with independent tomcat-jsvc systemd service, that would depend on apache-commons-daemon-jsvc package.
But if this patch would be accepted in tomcat6 package I'll accept it too. http://pkgs.fedoraproject.org/gitweb/?p=tomcat6.git
Fedora Update System updates@fedoraproject.org changed:
What   |Removed |Added
----------------------------------------------------------------------------
Status |NEW     |MODIFIED
--- Comment #6 from Fedora Update System updates@fedoraproject.org 2012-01-22 13:30:51 EST ---
tomcat-7.0.25-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/tomcat-7.0.25-2.fc16
Fedora Update System updates@fedoraproject.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |MODIFIED |ON_QA

--- Comment #7 from Fedora Update System updates@fedoraproject.org 2012-01-22 17:55:39 EST ---
Package tomcat-7.0.25-2.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing tomcat-7.0.25-2.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0805/tomcat-7.0.25-2.fc1...
then log in and leave karma (feedback).
Fedora Update System updates@fedoraproject.org changed:
What             |Removed |Added
----------------------------------------------------------------------------
Status           |ON_QA   |CLOSED
Fixed In Version |        |tomcat-7.0.25-2.fc16
Resolution       |        |ERRATA
Last Closed      |        |2012-01-30 15:54:54

--- Comment #8 from Fedora Update System updates@fedoraproject.org 2012-01-30 15:54:54 EST ---
tomcat-7.0.25-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
java-sig-commits@lists.fedoraproject.org