On 1/12/2016 at 21:49, paul.sz...@sydney.edu.au wrote:

> Sorry for my previous outbursts. I was wrong.

No problem, thanks a lot for the review.

> However... will tomcat still "work"? On my machine, I have one XML file
>   /etc/tomcat8/Catalina/localhost/mapleta.xml
> in there, for the one application(?) that is installed. I guess it was
> tomcat that put it there: then tomcat needs write access to localhost.

That's a good question, and I think it should be ok.

Tomcat copies the META-INF/context.xml file from the web application
into this directory and renames it if the Host element in server.xml has
the copyXML attribute set to true (the default value is false).

When copyXML is true and the directory is read-only an error is
displayed in catalina.out and the web application is not loaded. The
error looks like this:

Error deploying web application directory /var/lib/tomcat8/webapps/foo
java.nio.file.AccessDeniedException: /etc/tomcat8/Catalina/localhost/foo.xml

The copyXML attribute was introduced in Tomcat 7; with Tomcat 6 the
context.xml file was always copied (the behavior was thus equivalent to
copyXML=true in later releases). In your case I guess you either
inherited the mapleta.xml file from a Tomcat 6 installation migrated to
Tomcat 7/8, put the file there manually and forgot about it, or have
copyXML=true in server.xml.

I'm not sure about the use case for copyXML=true. Once the context.xml
file has been copied, the original file is always ignored, even if the
web application is updated with a more recent context descriptor. Thus
the first deployment of the application blocks any subsequent change to
the context descriptor. That's a bit odd and I'd be interested to know
why people are doing this.

The use of context descriptors in /etc/tomcat8/Catalina/localhost is a
valid strategy to override the default configuration of the web
application, but the creation of this file is necessarily a manual
operation; an automatic copy brings nothing useful.

Due to the fact that copyXML defaults to false, and copyXML=true looks
dubious, I think it's ok to keep the localhost directory read-only for
the tomcat8 user.

> Maybe /etc/tomcat8/Catalina/localhost is to be "delivered" writable from
> the DEB package, the ownership only to be fixed in postinst? In the
> current DEB, that directory is not group-writable.

This is worth trying. The catch is that other packages also install
files into /etc/tomcat8/Catalina/localhost, so they all have to set the
permissions properly. I'll probably go down this path if someone has a
good argument supporting the use of copyXML=true.

Emmanuel Bourg
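
Added example, not part of the original message or of the Debian package: a small audit that lists each Host in server.xml, resolves its descriptor directory (Tomcat's default xmlBase is conf/<engine name>/<host name> under CATALINA_BASE), and flags the case described above where copyXML=true meets a directory the Tomcat user cannot write. The sample server.xml is constructed, and the /etc/tomcat8/server.xml and /var/lib/tomcat8 paths in the stand-alone part are assumptions about a typical Debian layout.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, not from the thread: "localhost" relies on the default
# (copyXML=false), "legacy.example" opts in to the copy.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"/>
    <Host name="legacy.example" appBase="legacy" copyXML="true"/>
  </Engine>
</Service></Server>"""

def can_create_files(path, uid, gids):
    """Mode-bit check: may uid/gids create files in path? (ACLs are ignored.)"""
    try:
        st = os.stat(path)
    except OSError:
        return False  # a missing directory is reported as not writable
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & 0o3) == 0o3  # creating an entry needs write and search (w+x)

def audit_copy_xml(server_xml, catalina_base, uid, gids=()):
    """One finding per Host: its descriptor directory and whether a
    copyXML=true deployment would hit the AccessDeniedException case."""
    findings = []
    for engine in ET.fromstring(server_xml).iter("Engine"):
        for host in engine.iter("Host"):
            copy_xml = host.get("copyXML", "false").strip().lower() == "true"
            # An absolute xmlBase attribute overrides the default location.
            xml_base = host.get("xmlBase") or os.path.join(
                "conf", engine.get("name"), host.get("name"))
            xml_base = os.path.join(catalina_base, xml_base)
            writable = can_create_files(xml_base, uid, gids)
            findings.append({"host": host.get("name"), "copyXML": copy_xml,
                             "xmlBase": xml_base, "writable": writable,
                             "deploy_blocked": copy_xml and not writable})
    return findings

if __name__ == "__main__":
    import pwd  # paths below are assumed; only the primary group is checked
    user = pwd.getpwnam("tomcat8")
    with open("/etc/tomcat8/server.xml") as f:
        for finding in audit_copy_xml(f.read(), "/var/lib/tomcat8",
                                      user.pw_uid, {user.pw_gid}):
            print(finding)
```

A Host reported with deploy_blocked set is one where either copyXML should be dropped or the directory permissions revisited.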
