From 8a8375f80fdb8a4990d52c42a35a49dfd75ec3a4 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 31 Jul 2024 19:12:46 +0200 Subject: [PATCH] Add a systemd unit. --- tasks/main.yml | 40 +++++++++++++++++++++++++--- templates/tomcat-service.j2 | 51 ++++++++++++++++++++++++++++++++++++ templates/tomcat-start.sh.j2 | 25 ++++++++++++++++++ 3 files changed, 113 insertions(+), 3 deletions(-) create mode 100644 templates/tomcat-service.j2 create mode 100644 templates/tomcat-start.sh.j2 diff --git a/tasks/main.yml b/tasks/main.yml index 433e532..d80e8e5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -47,7 +47,7 @@ state: directory with_nested: - '{{ tomcat_m_instances }}' - - ['common/classes', 'conf/Catalina/localhost', 'conf/policy.d', 'lib', 'server/classes', 'shared/classes', 'webapps'] + - ['common/classes', 'conf/Catalina/localhost', 'conf/policy.d', 'lib', 'server/classes', 'shared/classes', 'webapps', policy] register: tomcat_first_install - name: Create the tomcat logs base directory @@ -237,7 +237,7 @@ notify: tomcat multiple-instances restart tags: ['tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager'] -- name: Install the instances startup scripts +- name: Install the instances SYSV startup scripts ansible.builtin.template: src: tomcat-instance.init.j2 dest: "/etc/init.d/tomcat-instance-{{ item.http_port }}" 
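Review bot: The new `policy` entry appended to the `with_nested` flow list in the first hunk is the only unquoted item while every sibling is single-quoted; plain `policy` parses as the same string, so write `'policy'` purely for consistency. This directory is presumably the one the new unit's `ExecStartPre=+…/tomcat-update-policy.sh` populates as root, so the task's `owner` and `mode` lines above the hunk decide whether the instance user can also modify the generated policy; worth confirming that the intended read-only split holds. The directory task starts outside the hunk, and the second hunk on this line only renames a task.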
@@ -245,9 +245,43 @@ owner: root group: root loop: '{{ tomcat_m_instances }}' + when: not tomcat_use_systemd_unit register: reload_systemd tags: ['tomcat', 'tomcat_instances', 'tomcat_init'] +- name: Remove the instances SYSV startup scripts when we prefer the systemd unit + ansible.builtin.file: + dest: "/etc/init.d/tomcat-instance-{{ item.http_port }}" + state: absent + loop: '{{ tomcat_m_instances }}' + when: tomcat_use_systemd_unit + tags: ['tomcat', 'tomcat_instances', 'tomcat_init'] + +- name: Install the instances systemd unit + ansible.builtin.template: + src: tomcat-service.j2 + dest: "/etc/systemd/system//tomcat-instance-{{ item.http_port }}" + mode: "0644" + owner: root + group: root + loop: '{{ tomcat_m_instances }}' + when: tomcat_use_systemd_unit + register: reload_systemd + notify: tomcat multiple-instances restart + tags: ['tomcat', 'tomcat_instances', 'tomcat_init'] + +- name: Install the helper script used by the systemd unit + ansible.builtin.template: + src: tomcat-start.sh.j2 + dest: "/usr/libexec/tomcat{{ tomcat_version }}/tomcat-instance-{{ item.http_port }}-start.sh" + mode: "0755" + owner: root + group: root + loop: '{{ tomcat_m_instances }}' + when: tomcat_use_systemd_unit + notify: tomcat multiple-instances restart + tags: ['tomcat', 'tomcat_instances', 'tomcat_init'] + - name: Install the tomcat instances default file ansible.builtin.template: src: tomcat-default.j2 @@ -264,7 +298,7 @@ daemon-reload: true when: - ansible_service_mgr == 'systemd' - - reload_systemd | bool + - tomcat_use_systemd_unit - name: Install a custom context.xml file ansible.builtin.template: diff --git a/templates/tomcat-service.j2 b/templates/tomcat-service.j2 new file mode 100644 index 0000000..08eb9ee --- /dev/null +++ b/templates/tomcat-service.j2 
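Review bot: The `dest` of the "Install the instances systemd unit" task writes `/etc/systemd/system//tomcat-instance-{{ item.http_port }}` with no `.service` suffix, so systemd will not load the file as a service unit and the `tomcat multiple-instances restart` handler (outside this patch) presumably cannot find it; use `dest: "/etc/systemd/system/tomcat-instance-{{ item.http_port }}.service"`, which also drops the doubled slash. Both the SYSV task and the new unit task `register: reload_systemd`, so the variable holds whichever task ran last, a skipped result when its guard is false; the two `when:` guards make them mutually exclusive today, but a comment such as `# registered by both the SYSV and the systemd task; only one of them runs` would save the next reader the check. The helper-script task registers nothing, which is fine because a script change needs only the `notify` it already has, not a daemon-reload.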
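Review bot: The daemon-reload task's second condition now reads `- tomcat_use_systemd_unit`, so the reload runs on every play where the flag is set even when no unit file changed, because the registered `reload_systemd` result is no longer consulted; `- reload_systemd is changed` ties it to an actual template change (the replaced `reload_systemd | bool` on a registered result dict was presumably always false, which would explain the rewrite). Removing the SYSV script in the previous hunk also warrants a daemon-reload, since systemd's sysv generator had synthesised a unit for it, but the removal task does not register anything. The task definition begins outside the hunk.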
@@ -0,0 +1,51 @@
+#
+# Systemd unit file for Apache Tomcat
+#
+
+[Unit]
+Description=Apache Tomcat {{ tomcat_version}} Web Application Server
+After=syslog.target network.target
+StartLimitIntervalSec=500
+StartLimitBurst=5
+RequiresMountsFor={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} /var/lib/tomcat{{ tomcat_version }}
+
+[Service]
+Environment="CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}"
+Environment="CATALINA_BASE={{ item.instance_path }}"
+Environment="CATALINA_TMPDIR={{ item.catalina_tmp_directory }}"
+Type=simple
+ExecStartPre=+/usr/libexec/tomcat{{ tomcat_version}}/tomcat-update-policy.sh
+ExecStart=/bin/sh /usr/libexec/tomcat{{ tomcat_version }}/tomcat-instance-{{ item.http_port }}-start.sh
+SuccessExitStatus=143
+RestartSec=10
+Restart=on-failure on-abort
+# Logging
+SyslogIdentifier=tomcat{{ tomcat_version }}
+
+User={{ item.user }}
+Group={{ item.user }}
+{% if tomcat_systemd_security %}
+PrivateTmp=yes
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+CacheDirectory={{ tomcat_m_cache_base }}/{{ item.http_port }}
+CacheDirectoryMode=750
+ProtectSystem=strict
+ReadWritePaths={{ item.instance_path }}/conf/Catalina/
+ReadWritePaths={{ item.instance_path }}/webapps
+ReadWritePaths={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}
+{% endif %}
+{% if tomcat_systemd_security_enhanced %}
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+RestrictAddressFamilies=AF_INET6 AF_INET
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/tomcat-start.sh.j2 b/templates/tomcat-start.sh.j2
new file mode 100644
index 0000000..c1c14c7
--- /dev/null
+++ b/templates/tomcat-start.sh.j2
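Review bot: `Restart=on-failure on-abort` is not a valid value: `Restart=` takes a single keyword, systemd logs a parse error and ignores the assignment, and the service is left with the default of no restart — write `Restart=on-failure`, which already covers the abort case. `ProtectSystem=strict` is set in both the `tomcat_systemd_security` and the `tomcat_systemd_security_enhanced` blocks and should live in one place. With strict protection only `conf/Catalina/`, `webapps`, the log directory and the private /tmp are writable, so unless `item.catalina_tmp_directory` and the instance's `work` directory resolve under one of those paths Tomcat cannot write them; confirm against the role defaults, which are not in this patch. `CacheDirectory=` expects a name relative to /var/cache, so an absolute `tomcat_m_cache_base` would be rejected — verify its value. In the enhanced block `PrivateUsers=yes` makes `AmbientCapabilities=CAP_NET_BIND_SERVICE` ineffective on the host, which matters only for instances listening below port 1024 and deserves a comment either way.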
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Startup script for Apache Tomcat with systemd
+#
+
+set -e
+
+# Load the service settings
+. /etc/default/tomcat-instance-{{ item.http_port }}
+
+# Find the Java runtime and set JAVA_HOME
+. /usr/libexec/tomcat{{ tomcat_version }}/tomcat-locate-java.sh
+
+# Set the JSP compiler if configured in the /etc/default/tomcat10 file
+[ -n "$JSP_COMPILER" ] && JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
+
+export JAVA_OPTS
+
+# Enable the Java security manager?
+SECURITY=""
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"
+
+
+# Start Tomcat
+cd $CATALINA_BASE && exec $CATALINA_HOME/bin/catalina.sh run $SECURITY
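Review bot: The final `cd $CATALINA_BASE && exec $CATALINA_HOME/bin/catalina.sh run $SECURITY` leaves both path variables unquoted, so an `instance_path` containing whitespace breaks the exec; write `cd "$CATALINA_BASE" && exec "$CATALINA_HOME/bin/catalina.sh" run $SECURITY`, keeping `$SECURITY` unquoted so an empty value expands to nothing. The comment above the JSP-compiler test names `/etc/default/tomcat10`, but the script sources `/etc/default/tomcat-instance-{{ item.http_port }}`; change it to `# Set the JSP compiler if configured in the instance's /etc/default file`. Under `set -e` the two `[ … ] && …` tests deliberately do not abort the script when false, because a failing left-hand side of an `&&` list is exempt; a one-line comment saying so would stop a future cleanup from "fixing" them into `if` blocks.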