Hi all,

I've started working on the tomcat9 packaging. Since this is a new package I've investigated disruptive changes that we couldn't afford with the tomcat8 package. In the latest update of tomcat8 (8.5.32-2) I've added a systemd service file, and with tomcat9 I've tried leveraging more systemd features. The current work in progress is available on Salsa [1]; here is a quick summary of the changes:

* The system user running Tomcat is now fixed and no longer configurable. I did this for several reasons:
  - Updating the owner of the webapp directories when upgrading from tomcat<n> to tomcat<n+1> is inconvenient.
  - The system user is rarely configurable in other packages. Apache, MySQL/MariaDB, Exim, Postgres, OpenLDAP... all have a non-configurable user.
  - systemd doesn't seem to support environment variables in the User/Group directives of the service files.

* The debconf integration has been removed. With the user/group becoming non-configurable, there is only the JAVA_OPTS variable left configurable with debconf. JAVA_OPTS often contains parameters for fine tuning the JVM (memory settings, garbage collector, crash reporting and other advanced VM options); that's a quite complex item to configure for a simple debconf dialog. Moreover it's affected by a debconf bug that has bitten many of us (see #658554).

* The Servlet API package has been removed (as discussed).

* The catalina.out log file is no more. It duplicates the content of the catalina*.log files already generated by Tomcat since version 5.5, and with the systemd integration the latest logs are available in /var/log/syslog and through 'journalctl -t tomcat9' anyway.

* The logs are now rotated directly by Tomcat instead of by a cron job. The cron job is still used to compress the logs though.

* The sysv init script has been removed and the service is now exclusively started with systemd. systemd brings so many benefits in terms of simplicity and security that I think it's worth going with it exclusively. Our tomcat8 package has been affected by several vulnerabilities in its init script that could have been avoided with systemd.
  - In terms of simplicity, with systemd the authbind package is no longer necessary to bind to privileged ports, and the startup script is now ridiculously short and readable [2].
  - Security-wise, Tomcat is sandboxed and unable to write to the system besides its work directories. It also has a private tmp directory which prevents a whole class of vulnerabilities. I've tried to further isolate Tomcat from the system by using the chroot features (with the RootDirectory directive) but I haven't figured out how to use it properly.

* Tomcat is now automatically restarted if the JVM crashes (another systemd feature).

* The common, shared and server directories in CATALINA_BASE are no longer added to the classpath. This is in line with the upstream releases since version 5.5.

Please give it a try and post your feedback. I plan to upload tomcat9 next month when I'm back from vacation.

Emmanuel Bourg

[1] https://salsa.debian.org/ebourg/tomcat9
[2] https://salsa.debian.org/ebourg/tomcat9/blob/master/debian/libexec/tomcat-start.sh
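An illustrative unit file showing how the features mentioned above (fixed service account, privileged ports without authbind, read-only system with writable work directories, private tmp, automatic restart on a JVM crash, journal identifier for 'journalctl -t tomcat9') map to systemd directives. This is an added example, not the unit file from the Salsa repository; the /var/lib, /var/log and /var/cache paths, the /etc/default file and the start script location are assumptions.

```ini
# Illustrative tomcat9.service (added example, not the Debian package's own unit).
# All paths below are assumptions, not taken from the package.
[Unit]
Description=Apache Tomcat 9 Web Application Container
After=network.target

[Service]
# Fixed, non-configurable service account: User/Group take no variables.
User=tomcat
Group=tomcat

# Assumed locations of the environment file and the start script.
EnvironmentFile=-/etc/default/tomcat9
ExecStart=/usr/libexec/tomcat9/tomcat-start.sh
# The JVM exits with 143 (128+SIGTERM) on a clean stop; do not count that as a failure.
SuccessExitStatus=143
# stdout/stderr go to the journal under this tag, matching 'journalctl -t tomcat9'.
SyslogIdentifier=tomcat9

# Bind to ports below 1024 without root or authbind: grant only CAP_NET_BIND_SERVICE.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# Sandbox: the filesystem is read-only except the listed work directories.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/tomcat9 /var/log/tomcat9 /var/cache/tomcat9
# Private /tmp and /var/tmp: other local users cannot pre-create or symlink
# the temporary files Tomcat will write.
PrivateTmp=yes

# Restart when the JVM dies with a non-zero status or a signal (a crash);
# a clean stop (exit 0, or 143 as declared above) does not trigger a restart.
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

ProtectSystem=strict needs systemd 232 or newer; on systemd 240 or newer, 'systemd-analyze security tomcat9.service' reports which sandboxing directives are in effect for the unit.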