Hi all,

I've started working on the tomcat9 packaging. Since this is a new
package I've investigated disruptive changes that we couldn't afford
with the tomcat8 package. In the latest update of tomcat8 (8.5.32-2)
I've added a systemd service file, and with tomcat9 I've tried
leveraging more systemd features. The current work in progress is
available on Salsa [1], here is a quick summary of the changes:

* The system user running Tomcat is now fixed and no longer
  configurable. I did this for several reasons:
  - Updating the owner of the webapp directories when upgrading
    from tomcat<n> to tomcat<n+1> is inconvenient.
  - The system user is rarely configurable in other packages.
    Apache, MySQL/MariaDB, Exim, Postgres, OpenLDAP... all have
    a non configurable user.
  - systemd doesn't seem to support environment variables
    in the User/Group directives on the service files.

* The debconf integration has been removed. With the user/group
  becoming non configurable, there is only the JAVA_OPTS variable
  left configurable with debconf. JAVA_OPTS often contains
  parameters for fine tuning the JVM (memory settings, garbage
  collector, crash reporting and other advanced VM options),
  that's a quite complex item to configure for a simple debconf
  dialog. Moreover it's affected by a debconf bug that has bitten
  many of us (see #658554).

* The Servlet API package has been removed (as discussed)

* The catalina.out log file is no more. It duplicates the content
  of the catalina*.log files already generated by Tomcat since the
  version 5.5, and with the systemd integration the latest logs are
  available in /var/log/syslog and through 'journalctl -t tomcat9'

* The logs are now rotated directly by Tomcat instead of a cron job.
  The cron job is still used to compress the logs though.

* The sysv init script has been removed and the service is now
  exclusively started with systemd. systemd brings so many
  benefits in terms of simplicity and security that I think it's
  worth going with it exclusively. Our tomcat8 package has been
  affected by several vulnerabilities in its init script that could
  have been avoided with systemd.
  - In terms of simplicity, with systemd the authbind package is no
    longer necessary to bind to privileged ports, and the startup
    script is now ridiculously short and readable [2].
  - Security wise, Tomcat is sandboxed and unable to write on the
    system besides its work directories. It also has a private tmp
    directory which prevents a whole class of vulnerabilities.
    I've tried to further isolate Tomcat from the system by using
    the chroot features (with the RootDirectory directive) but
    I haven't figured out how to use it properly.

* Tomcat is now automatically restarted if the JVM crashes
  (another systemd feature).

* The common, shared and server directories in CATALINA_BASE are
  no longer added to the classpath. This is in line with the
  upstream releases since the version 5.5.

Please give it a try and post your feedback, I plan to upload tomcat9
next month when I'm back from vacation.

Emmanuel Bourg

[1] https://salsa.debian.org/ebourg/tomcat9
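
As an added illustration, not part of the original message and not the tomcat9 package's own service file: a small Python check that reads the [Service] section of a unit file and reports which of the properties listed in the message (fixed user, private tmp, read-only system with writable work directories, privileged ports without authbind, restart on crash) it sets. The sample unit, its paths and the mapping of each property to a systemd directive are assumptions.

```python
# Constructed sample unit, NOT the tomcat9 package's real service file;
# the start script path and the writable directories are assumptions.
SAMPLE_UNIT = """\
[Unit]
Description=Tomcat 9 (constructed example)

[Service]
User=tomcat
ExecStart=/usr/libexec/tomcat9/tomcat-start.sh
SyslogIdentifier=tomcat9
AmbientCapabilities=CAP_NET_BIND_SERVICE
PrivateTmp=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
Restart=on-abnormal
"""

def parse_service(text):
    """Collect [Service] settings; repeated keys accumulate, empty value resets."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = opts.get(key, []) + [value] if value else []
    return opts

def audit(text):
    """Map each property named in the message to a pass/fail on the unit text."""
    s = parse_service(text)
    last = lambda key: (s.get(key) or [""])[-1]
    words = lambda key: " ".join(s.get(key, [])).split()
    return {
        "fixed_user": bool(last("User")) and "$" not in last("User"),
        "private_tmp": last("PrivateTmp").lower() in {"yes", "true", "on", "1"},
        "read_only_system": last("ProtectSystem") == "strict" and bool(words("ReadWritePaths")),
        "privileged_ports": "CAP_NET_BIND_SERVICE" in words("AmbientCapabilities"),
        "restart_on_crash": last("Restart") in {"on-failure", "on-abnormal", "on-abort", "always"},
    }

def missing(text):
    return sorted(name for name, ok in audit(text).items() if not ok)

if __name__ == "__main__":
    print(missing(SAMPLE_UNIT) or "all hardening properties present")
```

On a running system, `systemctl cat <unit>` prints the unit text together with its drop-ins, which can be passed to `missing()`.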
