From 10441129fca3082bbf59ec03b4fa645e24f175c9 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 16 Jul 2015 13:25:02 +0200
Subject: [PATCH] library/roles/dnet_user_services_perms: Manage more directories. Logs in /var/log/dnet
library/roles/iptables/templates/iptables-rules.v6.j2: Fix the reject options
library/roles/tomcat: Install a catalina.properties that matches the one used by the multiple instances role
library/roles/tomcat/templates/tomcat-server.xml.j2: Do not generate a random password when the shutdown port is disabled
---
 dnet_user_services_perms/defaults/main.yml | 4 +
 dnet_user_services_perms/tasks/main.yml | 95 +++++++++++-
 iptables/templates/iptables-rules.v6.j2 | 4 +-
 openldap-server/defaults/main.yml | 12 ++
 .../files/catalina.properties | 27 ++--
 tomcat/defaults/main.yml | 6 +
 tomcat/files/catalina.properties | 131 ++++++++++++++++++
 tomcat/tasks/tomcat-pkgs.yml | 42 +++---
 tomcat/templates/tomcat-server.xml.j2 | 7 +-
 9 files changed, 282 insertions(+), 46 deletions(-)
 create mode 100644 tomcat/files/catalina.properties

diff --git a/dnet_user_services_perms/defaults/main.yml b/dnet_user_services_perms/defaults/main.yml
index 368374e9..c5769562 100644
--- a/dnet_user_services_perms/defaults/main.yml
+++ b/dnet_user_services_perms/defaults/main.yml
@@ -4,3 +4,7 @@ dnet_group: dnet
 dnet_data_directories:
   - /var/lib/dnet
+
+dnet_log_directories:
+  - /var/log/dnet
+  - /var/log/dnet/search
 
diff --git a/dnet_user_services_perms/tasks/main.yml b/dnet_user_services_perms/tasks/main.yml
index f4251003..fad72845 100644
--- a/dnet_user_services_perms/tasks/main.yml
+++ b/dnet_user_services_perms/tasks/main.yml
@@ -13,18 +13,95 @@
   with_items: dnet_data_directories
   tags: [ 'tomcat', 'dnet', 'users' ]
 
-# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
-- name: Set the read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+- name: Create the dnet log dirs
+  file: name={{ item }} state=directory owner={{ tomcat_user }} group={{ dnet_group }} mode=0750
+  with_items: dnet_log_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the read/write permissions on the dnet data dirs
   acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
-  with_items:
-#    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
-    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+  with_items: dnet_data_directories
   tags: [ 'tomcat', 'dnet', 'users' ]
 
-- name: Set the default read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+- name: Set the default read/write permissions on the dnet data dirs
   acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
-  with_items:
-#    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
-    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+  with_items: dnet_data_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the read permissions on the dnet log dirs
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  with_items: dnet_log_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read permissions on the dnet log dirs
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  with_items: dnet_log_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+#
+# Acls for the single tomcat instance
+#
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  when: tomcat_m_instances is not defined
+  with_items:
+    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  when: tomcat_m_instances is not defined
+  with_items:
+    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read permissions on the tomcat log directory. single tomcat instance
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  when: tomcat_m_instances is not defined
+  with_items:
+    - [ '{{ tomcat_logdir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read permissions on the tomcat log directory. single tomcat instance
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  when: tomcat_m_instances is not defined
+  with_items:
+    - [ '{{ tomcat_logdir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+#
+# Same steps, but when we are using multiple tomcat instances
+#
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances
+  acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  when: tomcat_m_instances is defined
+  with_nested:
+    - ' {{ tomcat_m_instances }}'
+    - [ 'webapps', 'common', 'common/classes' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances
+  acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  when: tomcat_m_instances is not defined
+  when: tomcat_m_instances is defined
+  with_nested:
+    - ' {{ tomcat_m_instances }}'
+    - [ 'webapps', 'common', 'common/classes' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read permissions on the tomcat log directory. multiple tomcat instances
+  acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  when: tomcat_m_instances is defined
+  with_items: tomcat_m_instances
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read permissions on the tomcat log directory. multiple tomcat instances
+  acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  when: tomcat_m_instances is defined
+  with_items: tomcat_m_instances
   tags: [ 'tomcat', 'dnet', 'users' ]
 
diff --git a/iptables/templates/iptables-rules.v6.j2 b/iptables/templates/iptables-rules.v6.j2
index 3d66444b..204f38b9 100644
--- a/iptables/templates/iptables-rules.v6.j2
+++ b/iptables/templates/iptables-rules.v6.j2
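Review bot: The task `Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances` carries two `when:` keys, `when: tomcat_m_instances is not defined` immediately followed by `when: tomcat_m_instances is defined`; YAML forbids duplicate keys and the parsers that tolerate them silently keep only the last one, so the stray first line should be deleted so the effective condition is explicit rather than parser-dependent. The single-instance rwx tasks deserve a why-comment, because they extend group write to `tomcat_common_dir` and `tomcat_common_classes_dir`, which the role's own catalina.properties puts on the common classloader; e.g. `# rwx on common/ == code execution as tomcat_user for every dnet_group member, keep the group small`. The `' {{ tomcat_m_instances }}'` entries in both `with_nested` loops carry a leading space inside the quotes; if that is a deliberate workaround for the Ansible version in use, a one-line comment saying so would stop the next maintainer from "fixing" it. The hunk ends on a context line, so the file may continue past it.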
@@ -3,8 +3,8 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 {% if iptables_default_policy == 'REJECT' %}
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j REJECT --reject-with icmp6-addr-unreachable
+-A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
 {% else %}
 -A INPUT -j {{ iptables_default_policy }}
 -A FORWARD -j {{ iptables_default_policy }}
diff --git a/openldap-server/defaults/main.yml b/openldap-server/defaults/main.yml
index ee47a4f9..761c9485 100644
--- a/openldap-server/defaults/main.yml
+++ b/openldap-server/defaults/main.yml
@@ -11,6 +11,18 @@ openldap_slapd_tcp_port: 389
 openldap_slapd_ssl_port: 636
 openldap_slapd_ssl_only: False
 
+# Set slapd_admin_pwd in a vault file
+slapd_debconf_params:
+  - { question: 'slapd/password1', value: '{{ slapd_admin_pwd }}', vtype: 'password' }
+  - { question: 'slapd/password2', value: '{{ slapd_admin_pwd }}', vtype: 'password' }
+  - { question: 'slapd/internal/adminpw', value: '{{ slapd_admin_pwd }}', vtype: 'password' }
+  - { question: 'slapd/no_configuration', value: 'false', vtype: 'boolean' }
+  - { question: 'shared/organization', value: 'Organization', vtype: 'text' }
+  - { question: 'slapd/purge_database', value: 'false', vtype: 'boolean' }
+  - { question: 'slapd/allow_ldap_v2', value: 'true', vtype: 'boolean' }
+  - { question: 'slapd/backend', value: 'HDB', vtype: 'select' }
+  - { question: 'slapd/domain', value: 'DNS Domain Name', vtype: 'text' }
+
 # openldap_allowed_clients:
 #   - ip/32
 #   - net/24
diff --git a/tomcat-multiple-instances/files/catalina.properties b/tomcat-multiple-instances/files/catalina.properties
index 8dae2554..a3bb7bc4 100644
--- a/tomcat-multiple-instances/files/catalina.properties
+++ b/tomcat-multiple-instances/files/catalina.properties
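Review bot: `icmp6-addr-unreachable` tells the peer the address does not exist, whereas the IPv4 rule this replaces (`icmp-host-prohibited`) signals an administrative block; the ip6tables REJECT target has `icmp6-adm-prohibited` for exactly that meaning, so `--reject-with icmp6-adm-prohibited` on both the INPUT and FORWARD lines keeps the v4 and v6 behaviour aligned. Both values are accepted by ip6tables, so this is about what the firewall reports, not about the rule loading. A comment above the `{% if %}` stating which ICMPv6 code is sent and why would save the next reader the lookup.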
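Review bot: `slapd/allow_ldap_v2` is answered with `'true'`, which turns on the obsolete LDAPv2 protocol (no StartTLS or SASL) on every server built from these defaults; unless a known client needs it the default belongs at `'false'`, with the exception documented where it is overridden. The `shared/organization` and `slapd/domain` answers are literal placeholders (`'Organization'`, `'DNS Domain Name'`), and the Debian slapd configure script derives the directory suffix from the domain answer, so a deployment that forgets to override them gets a base DN built from the placeholder; either feed them from role variables (a constructed example: `value: '{{ openldap_domain }}'`) or extend the existing `# Set slapd_admin_pwd in a vault file` comment to say which answers must be overridden per host.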
@@ -87,13 +87,15 @@ shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
 # - Apple JDK JARs
 tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
 bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
-annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
 catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
 jasper.jar,jasper-el.jar,ecj-*.jar,\
 tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-jni.jar,tomcat-spdy.jar,\
 tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
 tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
 tomcat-jdbc.jar,\
+tools.jar,\
 commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
 commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
 commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
@@ -101,15 +103,22 @@ commons-math*.jar,commons-pool*.jar,\
 jstl.jar,\
 geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
 ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
-jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\
+jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
 xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
-dnsns.jar,ldapsec.jar,localedata.jar,sunjce_provider.jar,sunmscapi.jar,\
-sunpkcs11.jar,jhall.jar,tools.jar,\
-sunec.jar,zipfs.jar,\
-apple_provider.jar,AppleScriptEngine.jar,CoreAudio.jar,dns_sd.jar,\
-j3daudio.jar,j3dcore.jar,j3dutils.jar,jai_core.jar,jai_codec.jar,\
-mlibwrapper_jai.jar,MRJToolkit.jar,vecmath.jar,\
-junit.jar,junit-*.jar,ant-launcher.jar
+junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
+cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
+jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
+xom-*.jar
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for Servlet 3.0 pluggability features. These features include web
+# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
+# must be a comma separated list of JAR file names.
+org.apache.catalina.startup.ContextConfig.jarsToSkip=
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for TLDs. The list must be a comma separated list of JAR file names.
+org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
 
 #
 # String cache configuration.
diff --git a/tomcat/defaults/main.yml b/tomcat/defaults/main.yml
index d993e23f..a876f054 100644
--- a/tomcat/defaults/main.yml
+++ b/tomcat/defaults/main.yml
@@ -2,6 +2,11 @@ tomcat_version: 7
 tomcat_pkg_state: installed
 tomcat_service_enabled: True
 
+tomcat_pkgs:
+  - tomcat'{{ tomcat_version }}'
+  - libtomcat'{{ tomcat_version }}'-java
+  - tomcat'{{ tomcat_version }}'-common
+  - libapr1
 tomcat_user: tomcat7
 tomcat_max_threads: 200
 tomcat_min_heap_size: 2048m
@@ -31,6 +36,7 @@ tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
 tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
 tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
 tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
+tomcat_common_dir: '{{ tomcat_catalina_base_dir }}/common/'
 tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
 tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
 
diff --git a/tomcat/files/catalina.properties b/tomcat/files/catalina.properties
new file mode 100644
index 00000000..c57b4e84
--- /dev/null
+++ b/tomcat/files/catalina.properties
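Review bot: The three templated `tomcat_pkgs` entries are quoted inside-out: `tomcat'{{ tomcat_version }}'` is a plain YAML scalar whose single quotes are literal, so the item renders as `tomcat'7'`, and it presumably only reaches apt as `tomcat7` because the `pkg={{ item }}` key=value string in tomcat-pkgs.yml is shell-split before the module sees it. The conventional `- 'tomcat{{ tomcat_version }}'` (likewise `'libtomcat{{ tomcat_version }}-java'` and `'tomcat{{ tomcat_version }}-common'`) gives the same package name without relying on that parsing and survives a later switch to dict-style module arguments. `tomcat_common_dir` ends in a trailing slash while its siblings `tomcat_webapps_dir` and `tomcat_common_classes_dir` do not; dropping it keeps the path variables uniform and avoids a `//` when the value is joined with a sub-path.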
@@ -0,0 +1,131 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/common/classes,${catalina.home}/common/*.jar,${catalina.base}/common/classes,${catalina.base}/common/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+server.loader=${catalina.home}/server/classes,${catalina.home}/server/*.jar,${catalina.base}/server/classes,${catalina.base}/server/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=${catalina.home}/shared/classes,${catalina.home}/shared/*.jar,${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
+
+# List of JAR files that should not be scanned using the JarScanner
+# functionality. This is typically used to scan JARs for configuration
+# information. JARs that do not contain such information may be excluded from
+# the scan to speed up the scanning process. This is the default list. JARs on
+# this list are excluded from all scans. Scan specific lists (to exclude JARs
+# from individual scans) follow this. The list must be a comma separated list of
+# JAR file names.
+# The JARs listed below include:
+# - Tomcat Bootstrap JARs
+# - Tomcat API JARs
+# - Catalina JARs
+# - Jasper JARs
+# - Tomcat JARs
+# - Common non-Tomcat JARs
+# - Test JARs (JUnit, Cobertura and dependencies)
+tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+jasper.jar,jasper-el.jar,ecj-*.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-jni.jar,tomcat-spdy.jar,\
+tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
+tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
+tomcat-jdbc.jar,\
+tools.jar,\
+commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
+commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
+commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
+commons-math*.jar,commons-pool*.jar,\
+jstl.jar,\
+geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
+xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
+junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
+cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
+jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
+xom-*.jar
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for Servlet 3.0 pluggability features. These features include web
+# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
+# must be a comma separated list of JAR file names.
+org.apache.catalina.startup.ContextConfig.jarsToSkip=
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for TLDs. The list must be a comma separated list of JAR file names.
+org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/tomcat/tasks/tomcat-pkgs.yml b/tomcat/tasks/tomcat-pkgs.yml
index d40a52e8..b7817854 100644
--- a/tomcat/tasks/tomcat-pkgs.yml
+++ b/tomcat/tasks/tomcat-pkgs.yml
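Review bot: Nothing in this file records what differs from the stock Tomcat 7 catalina.properties, yet `common.loader`, `server.loader` and `shared.loader` all carry non-default values (upstream ships the last two empty) and `common.loader` additionally pulls `${catalina.home}/common/*` and `${catalina.base}/common/classes`,`${catalina.base}/common/*.jar` into the loader every webapp shares. A short block right after the license, e.g. `# Local changes vs. the stock Tomcat 7 file:` / `# - common.loader: adds ${catalina.home,base}/common/{classes,*.jar}` / `# - server.loader, shared.loader: populated (empty upstream)`, lets the next Tomcat upgrade re-apply the deviation deliberately instead of rediscovering it by diff. That block is also the right place to state that the dnet_user_services_perms role grants group write ACLs on the common directory, so whatever lands there runs with Tomcat's own privileges and the group must be treated as trusted. `org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar` hard-codes the major version while the role parameterises `tomcat_version`; if other versions are meant to work, this file needs to become a template or the limitation needs a comment.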
@@ -1,38 +1,31 @@
 ---
 - name: Install the tomcat packages
   apt: pkg={{ item }} state={{ tomcat_pkg_state }}
-  with_items:
-    - tomcat'{{ tomcat_version }}'
-    - libtomcat'{{ tomcat_version }}'-java
-    - tomcat'{{ tomcat_version }}'-common
-    - libapr1
-  tags:
-    - tomcat
+  with_items: tomcat_pkgs
+  tags: tomcat
 
 - name: Create the tomcat tmp directory
   file: dest={{ tomcat_tmp_dir }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
-  notify:
-    tomcat restart
-  tags:
-    - tomcat
+  notify: tomcat restart
+  tags: tomcat
 
 - name: Configure tomcat defaults
   template: src=tomcat-default.j2 dest=/etc/default/tomcat{{ tomcat_version }}
-  when:
-    - tomcat_install_default_conf is defined and tomcat_install_default_conf
-  notify:
-    tomcat restart
-  tags:
-    - tomcat
+  when: tomcat_install_default_conf
+  notify: tomcat restart
+  tags: tomcat
 
 - name: Configure tomcat server.xml
   template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml
-  when:
-    - tomcat_install_default_conf is defined and tomcat_install_default_conf
-  notify:
-    tomcat restart
-  tags:
-    - tomcat
+  when: tomcat_install_default_conf
+  notify: tomcat restart
+  tags: tomcat
+
+- name: Install a slightly modified catalina.properties
+  copy: src=catalina.properties dest={{ tomcat_conf_dir }}/catalina.properties owner=root group={{ tomcat_user }} mode=0644
+  when: tomcat_install_default_conf
+  notify: tomcat restart
+  tags: tomcat
 
 - name: Create some directories that the package do not creates itself
   file: dest={{ tomcat_catalina_home_dir }}/{{ item }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} mode=0755
@@ -40,5 +33,4 @@
     - common/classes
     - server/classes
     - shared/classes
-  tags:
-    - tomcat
+  tags: tomcat
diff --git a/tomcat/templates/tomcat-server.xml.j2 b/tomcat/templates/tomcat-server.xml.j2
index fbfca056..1bc13376 100644
--- a/tomcat/templates/tomcat-server.xml.j2
+++ b/tomcat/templates/tomcat-server.xml.j2
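Review bot: `when: tomcat_install_default_conf` replaces `tomcat_install_default_conf is defined and tomcat_install_default_conf` on the two template tasks and is used bare on the new copy task; unless tomcat/defaults/main.yml declares that variable (the two hunks of that file in this patch do not show it), the simplified condition fails on an undefined variable where the old form skipped the task. Either confirm the default exists or write `when: tomcat_install_default_conf | default(false)` on all three tasks. The new task's name, `Install a slightly modified catalina.properties`, is the only hint that the role's file deviates from the packaged one; a comment above it naming the deviation, e.g. `# ships non-default common/server/shared loader paths, see files/catalina.properties`, keeps that knowledge next to the task that overwrites the package's copy on every run.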
@@ -18,8 +18,13 @@ + --> +{% if tomcat_shutdown_port == -1 %} + +{% else %} + {% endif %}