[gentoo-java] tomcat permissions

[gentoo-java] tomcat permissions

[Jesse V Griffis]

Hi,

Okay, I'm totally new to interacting with Gentoo mailing lists but have been 
using it for a while, so if I step in some poo, don't flame too harshly. :)

I'm actually interested in helping out the java crowd, having read the pleas 
in GWN.  I'd basically fit into the "generalist" camp, and I'm probably 
begging for pain since I'm messing around with the whole 1.4/1.5 business 
(and screwing it up royally along the way).

However, this morning I have a different curious issue: umask and tomcat.  I 
have 5.5.17-r1 installed, running with sun-jdk-1.5.0.07.  The tomcat-5.5 
init.d script uses start-stop-daemon to get the thing up and running, 
ignoring the traditional startup.sh script that's in tomcat's bin dir.

Curiously, the version running using start-stop-daemon is completely ignoring 
the system umask (002 - I'd like to make deployed webapps automatically 
group-writeable), but running the startup.sh script uses it.

Any ideas?  I don't want to have to hack the startup script to call startup.sh 
if possible.

Thanks,

Jesse
-- 
gentoo-java@gentoo.org mailing list

Re: [gentoo-java] tomcat permissions

[William L. Thomson Jr.]

On Mon, 2006-08-07 at 12:45 -0400, Jesse V Griffis wrote:
> 
> Curiously, the version running using start-stop-daemon is completely ignoring 
> the system umask (002 - I'd like to make deployed webapps automatically 
> group-writeable), but running the startup.sh script uses it.

I am not clear what is going on? Are your webapps or tomcat running
under a different group or etc? Why do you need group writable access to
webapps? Owner writable should work fine for most all needs. I can't
recall the bug, but I believe there were bugs in the past. I saw a few
referenced in ebuild, but I removed them because they were resolve quite
some time ago. Not sure if any pertain to this issue.

> Any ideas? 

I need more info.

>  I don't want to have to hack the startup script to call startup.sh 
> if possible.

Absolutely not. The old ebuilds and etc used to hack and wrap Tomcat's
provided init scripts. For a variety of reasons we no longer use them,
and made our own init script. If anything, as documented in the future
section
http://www.gentoo.org/proj/en/java/tomcat-guide.xml

At some point I would like to use a init script developed by a Tomcat
developer, over an extended period of time.
http://www.webdroid.org:8080/repo/viewcvs.cgi/tomcat-package/trunk/bin/

Let me know what you are trying to do and etc. What's not working or etc
so I can look further into it. Thanks.


-- 
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com

-- 
gentoo-java@gentoo.org mailing list

Re: [gentoo-java] tomcat permissions

[Jesse V Griffis]

Hi William,

On Monday 07 August 2006 13:03, William L. Thomson Jr. wrote:
> On Mon, 2006-08-07 at 12:45 -0400, Jesse V Griffis wrote:
> > Curiously, the version running using start-stop-daemon is completely
> > ignoring the system umask (002 - I'd like to make deployed webapps
> > automatically group-writeable), but running the startup.sh script uses
> > it.
>
> I am not clear what is going on? Are your webapps or tomcat running
> under a different group or etc? Why do you need group writable access to
> webapps? Owner writable should work fine for most all needs. I can't
> recall the bug, but I believe there were bugs in the past. I saw a few
> referenced in ebuild, but I removed them because they were resolve quite
> some time ago. Not sure if any pertain to this issue.

Thanks for the insight so far, and apologies for not being more clear.  I've 
done a little more investigation, and here's what I can tell you:

Essentially, the reason I want group writeable webapps is for simplicity in 
deploying new .war files over the top of existing ones on my development 
machine.

I use a simple ant script that removes all traces of a web app, then copies a 
newly-built .war into webapps (akin to a 'make install'), and then tomcat 
auto-deploys it.

I have tomcat running as tomcat:tomcat.  I have my normal user added to the 
'tomcat' group, so that after tomcat auto-deploys the new webapp and then 
I've gone and done some more work, I can run ant again and the delete of the 
existing webapp works quietly - without being group writable I can't do that 
automatically.

I just recently upgraded to tomcat 5.5; With earlier versions (and when using 
catalina.sh now), use whatever system-wide umask I happened to set 
in /etc/profile (I've used 002 for a long time).  Now, however, that's 
ignored and it appears to be forcing 022.

As for my "little more investigation", it's apparently not in 
start-stop-daemon at all.  I found an older machine with a different init 
script that just calls catalina.sh:

start-stop-daemon --start --quiet --chuid tomcat:tomcat --exec 
${CATALINA_HOME}/bin/catalina.sh -- start

That works as expected.  The ps output appears nearly identical whether I use 
this or the current 5.5 script, the only difference being that the current 
one includes more under "-classpath".

Thanks,

Jesse
-- 
gentoo-java@gentoo.org mailing list

Re: [gentoo-java] tomcat permissions

[William L. Thomson Jr.]

On Mon, 2006-08-07 at 14:09 -0400, Jesse V Griffis wrote:
>
> I have tomcat running as tomcat:tomcat.  I have my normal user added to the 
> 'tomcat' group, so that after tomcat auto-deploys the new webapp and then 
> I've gone and done some more work, I can run ant again and the delete of the 
> existing webapp works quietly - without being group writable I can't do that 
> automatically.

Ok that makes sense and I was assuming you were doing something along
those lines. I don't will see if I can find a reason why group writable
permissions are not set. If I can't then I will address ebuilds so the
webapps dir is group writable.
> 
> As for my "little more investigation", it's apparently not in 
> start-stop-daemon at all.  I found an older machine with a different init 
> script that just calls catalina.sh:

Yeah that's the nastiness. Avoid that, all new Tomcat ebuilds 5.0.28 and
5.5.17 use a gentoo specific init script. We don't hack or call
catalina.sh anymore.

> start-stop-daemon --start --quiet --chuid tomcat:tomcat --exec 
> ${CATALINA_HOME}/bin/catalina.sh -- start
> 
> That works as expected.  The ps output appears nearly identical whether I use 
> this or the current 5.5 script, the only difference being that the current 
> one includes more under "-classpath".

Well catalina.sh is part of several scripts for Tomcat. One of the ones
it calls is setclasspath.sh. Our init script basically consists of the
*nix specific parts of catalina.sh and setclasspath.sh compacted :)

Our init script should start and stop tomcat more reliably. With a
occasional hiccup on restart. Eventually I will replace it with the init
script a Tomcat dev made, but I have to hack/patch that to make it
Gentoo specific. So it is down the road a bit. Unless there is a dire
need.

-- 
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com

-- 
gentoo-java@gentoo.org mailing list