Summary: Feature Request: support jsvc for starting tomcat
https://bugzilla.redhat.com/show_bug.cgi?id=761623
Product: Fedora
Version: rawhide
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: unspecified
Component: tomcat
AssignedTo: ivan.afonichev@gmail.com
ReportedBy: joe@josephdwagner.info
QAContact: extras-qa@fedoraproject.org
CC: akurtako@redhat.com, java-sig-commits@lists.fedoraproject.org, ivan.afonichev@gmail.com
Classification: Fedora
Story Points: ---
Type: ---
Created attachment 542672 --> https://bugzilla.redhat.com/attachment.cgi?id=542672 Proof of concept patches.
Currently, systemd starts tomcat using the unprivileged account 'tomcat' for security reasons. This has the side effect of not being able to run tomcat on privileged ports.
There are two workarounds for this: 1) use iptables to forward port 80 traffic to port 8080, or 2) use mod_proxy on apache.
A third workaround is to use jsvc to start tomcat as root and then drop privileges once tomcat has bound to the ports. However, this option is not supported out-of-the-box.
My attached patches to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat change this so that the third workaround is supported out-of-the-box. It uses systemd to start and stop jsvc, which in turn controls tomcat. These patches were tested successfully on my own system.
Unfortunately, I do not believe these patches are of production quality. I consider them more to be proof-of-concept code. In addition to the cleanliness of the code, I have two concerns: 1) my code automatically chooses jsvc when present; for production, you may want to make it an option in /etc/sysconfig/tomcat instead, and 2) I'm not sure my patches correctly handle the pidfile and logging files under jsvc.
I hope, however, that my patches will kickstart the development process. I believe supporting this third workaround would be a real benefit to Red Hat and Fedora.
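
The two concerns raised in the report (opt-in selection of jsvc, and explicit pidfile and log handling) can be sketched as follows. This is an added example, not the attached patches and not Fedora's tomcat scripts; the keys USE_JSVC and JSVC_BIN and the default paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Hypothetical names: USE_JSVC and JSVC_BIN are assumed sysconfig keys.

# Read KEY=value from a sysconfig-style file without sourcing it, so a
# root-run launcher never executes code placed in the config file.
conf_get() {  # usage: conf_get FILE KEY DEFAULT
    val=$(sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1 | tr -d '"')
    printf '%s\n' "${val:-$3}"
}

# Print the start command for Tomcat's Bootstrap class.
# Returns 2 when jsvc is requested but not installed, instead of silently
# falling back to a launcher that cannot bind privileged ports.
build_start_cmd() {  # usage: build_start_cmd CONF_FILE
    main="org.apache.catalina.startup.Bootstrap start"
    if [ "$(conf_get "$1" USE_JSVC false)" != "true" ]; then
        # Default: plain java, started under the unprivileged account.
        echo "java -classpath \$CLASSPATH $main"
        return 0
    fi
    jsvc=$(conf_get "$1" JSVC_BIN /usr/bin/jsvc)
    if [ ! -x "$jsvc" ]; then
        echo "USE_JSVC=true but $jsvc is not executable" >&2
        return 2
    fi
    user=$(conf_get "$1" TOMCAT_USER tomcat)
    pid=$(conf_get "$1" CATALINA_PID /var/run/tomcat.pid)
    out=$(conf_get "$1" CATALINA_OUT /var/log/tomcat/catalina.out)
    # jsvc starts as root, binds the ports, then switches to $user.
    # Explicit -pidfile/-outfile/-errfile keep pid and logs where the
    # service manager and log rotation expect them.
    echo "$jsvc -user $user -pidfile $pid -outfile $out -errfile '&1' -classpath \$CLASSPATH $main"
}

# Constructed sample config; /bin/sh stands in for an installed jsvc binary.
demo_conf=$(mktemp)
printf 'USE_JSVC="true"\nJSVC_BIN=/bin/sh\nCATALINA_PID=/run/tomcat.pid\n' > "$demo_conf"
build_start_cmd "$demo_conf"
rm -f "$demo_conf"
```

With USE_JSVC unset the function prints the plain java command, so installing jsvc alone does not change which account the JVM starts under.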