Re: run tomcat as tomcat user
Rusty,

Rusty Wright wrote:
> It's set up so that tomcat runs as the user tomcat. In order to do
> that you'll need to tweak the ownership of the files in the tomcat
> directory.

I would recommend that, instead of modifying the ownership of the Tomcat installation directory, you instead use CATALINA_BASE set to somewhere that has appropriate permissions for the user in question. Something like /home/tomcat. This also allows you to upgrade Tomcat much more easily just by adjusting the path to startup.bat and bouncing Tomcat.

If the OP is using this script as part of the system startup (that is, it is running as root), then you'll need to adjust the startup command to be:

    su - tomcat -c /path/to/tomcat/bin/startup.sh

This will switch to the tomcat user before launching Tomcat.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: run tomcat as tomcat user
Thanks, I like that suggestion. So, to use your method, using the su below, would I do

    export CATALINA_BASE=/home/tomcat
    su - tomcat -c /path/to/tomcat/bin/startup.sh

Do I need to copy anything from the original tomcat directory to /home/tomcat, or do I need to make any directories in it? Or is it simply a replacement for the tomcat/webapps directory?
Re: run tomcat as tomcat user
To answer my own question; I did some Google searching and figured out that you need to copy the tomcat conf directory to ~tomcat and also create the directories ~/tomcat/logs, ~/tomcat/temp, and ~/tomcat/work; all owned by tomcat. Then copy over the webapps directory, or make a new one in ~tomcat and copy over the wars.

So my ~tomcat looks like the following:

    r...@test1:/home/tomcat# ls -l
    total 20
    drwxr-xr-x 2 tomcat tomcat 4096 2009-01-23 11:41 conf/
    drwxr-xr-x 2 tomcat tomcat 4096 2009-01-23 11:41 logs/
    drwxr-xr-x 2 tomcat tomcat 4096 2009-01-23 11:42 temp/
    drwxrwxr-x 8 rusty  tomcat 4096 2009-01-23 11:42 webapps/
    drwxr-xr-x 3 tomcat tomcat 4096 2009-01-23 11:41 work/

    r...@wss-test1:/home/tomcat# ls -l conf
    total 92
    -rw-r--r-- 1 tomcat tomcat  8690 2008-07-21 17:01 catalina.policy
    -rw-r--r-- 1 tomcat tomcat  3665 2008-07-21 17:01 catalina.properties
    -rw-r--r-- 1 tomcat tomcat  1395 2008-11-19 14:22 context.xml
    -rw-r--r-- 1 tomcat tomcat  3664 2008-07-21 17:01 logging.properties
    -rw-r--r-- 1 tomcat tomcat  6460 2008-07-21 17:01 server.xml
    -rw-r--r-- 1 tomcat tomcat   165 2009-01-23 11:41 tomcat-users.xml
    -rw-r--r-- 1 tomcat tomcat 50105 2008-11-19 14:23 web.xml

I love shell script hacks so my /etc/init.d/tomcat script has the following in the upper part where it's setting variables:

    # home directory (6th passwd field) of the tomcat account
    TOMCAT_HOME=`grep '^tomcat:' /etc/passwd | sed -e 's/.*:.*:.*:.*:.*:\(.*\):.*/\1/'`
    export CATALINA_BASE=${TOMCAT_HOME}

Perhaps instead of .* I could have used [^:]*
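The CATALINA_BASE layout described in the message above, written as a script (an added example, not code from any poster in this thread). The function names are hypothetical, the account name tomcat is the one used in the thread, and the home-directory lookup compares the whole user name so that an account such as tomcat6 is not matched.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print the home directory of exactly USER from a passwd-format file.
# Comparing field 1 for equality keeps accounts like "tomcat6" from matching.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "${2:-/etc/passwd}"
}

# Create the per-instance directories named in the thread under BASE and
# copy the stock configuration from the installation directory INSTALL.
make_catalina_base() {
    base=$1 install=$2
    for d in conf logs temp work webapps; do
        mkdir -p "$base/$d" || return 1
    done
    cp -p "$install"/conf/* "$base/conf/" || return 1
    chmod 755 "$base/conf" "$base/webapps"
    # runtime data: no access for accounts outside the owner and group
    chmod 750 "$base/logs" "$base/temp" "$base/work"
}

# Report problems with BASE, one per line; prints nothing when it is clean.
audit_catalina_base() {
    base=$1
    for d in conf logs temp work webapps; do
        [ -d "$base/$d" ] || echo "missing: $d"
    done
    # a path writable by "other" lets any local account alter the instance
    find "$base" ! -type l -perm -0002 2>/dev/null | sed 's/^/world-writable: /'
}

# Typical use as root (the tomcat account is the one used in the thread):
#   base=$(passwd_home tomcat)
#   make_catalina_base "$base" /path/to/tomcat && chown -R tomcat:tomcat "$base"
#   audit_catalina_base "$base"
```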
RE: run tomcat as tomcat user
> From: Rusty Wright [mailto:rusty.wri...@gmail.com]
> Subject: Re: run tomcat as tomcat user
>
> To answer my own question; I did some google searching and figured
> out that you need to copy the tomcat conf directory to ~tomcat and
> also create the directories ~/tomcat/logs, ~/tomcat/temp, and
> ~/tomcat/work; all owned by tomcat.

Or you could have read RUNNING.txt from the Tomcat installation directory, where all this is documented.

 - Chuck
Re: run tomcat as tomcat user
Kaushal Shriyan wrote:
> Hi
>
> I am not able to start tomcat as tomcat user on Ubuntu 8.04 Linux.
> Below is my start/stop script.
> Any ideas as to what is going wrong?

I think the way you are using the su command is wrong. Try:

    su - (userid) -c command + params

You also probably want to re-direct the output of command to /dev/null etc.

Using another of the scripts existing in /etc/init.d as template, and modifying it, may be a better idea.
Re: run tomcat as tomcat user
As André Warnier suggests, install an init script to handle the startup and shutdown of Tomcat as a non-privileged user. The following notes assume a RedHat-like Linux distro, such as Fedora or CentOS, but should be helpful to Ubuntu or Debian users:

1. Configure the environment for the non-privileged user by adding the following lines to the end of the file .bash_profile found in the user's home directory:

    JAVA_HOME=/usr/java/default
    CATALINA_HOME=$HOME/tomcat
    CATALINA_OPTS="-Xms256M -Xmx1000M -XX:MaxPermSize=128M"
    export JAVA_HOME CATALINA_HOME CATALINA_OPTS

   Adjust the heap settings to suit your requirements.

2. As root, install an init script like the following to the /etc/init.d directory:

    #!/bin/sh
    # Start the webapp container

    TOMCAT_USER=web

    # Run the startup script in a login shell of the unprivileged user
    tomcat_start () {
        su -l -c /home/$TOMCAT_USER/tomcat/bin/startup.sh $TOMCAT_USER
    }

    # Run the shutdown script as the same user
    tomcat_stop () {
        su -l -c /home/$TOMCAT_USER/tomcat/bin/shutdown.sh $TOMCAT_USER
    }

    case "$1" in
        start)
            tomcat_start
            ;;
        stop)
            tomcat_stop
            ;;
        restart)
            tomcat_stop
            sleep 30
            tomcat_start
            ;;
        *)
            echo "Usage: /etc/init.d/tomcat {start|stop|restart}"
            exit 1
            ;;
    esac

    exit 0

3. Assuming that the init script has been installed as /etc/init.d/tomcat, then run the following commands as root:

    # chmod 755 /etc/init.d/tomcat
    # ln /etc/init.d/tomcat /etc/rc0.d/K13tomcat
    # ln /etc/init.d/tomcat /etc/rc1.d/K13tomcat
    # ln /etc/init.d/tomcat /etc/rc2.d/S69tomcat
    # ln /etc/init.d/tomcat /etc/rc3.d/S69tomcat
    # ln /etc/init.d/tomcat /etc/rc4.d/S69tomcat
    # ln /etc/init.d/tomcat /etc/rc5.d/S69tomcat
    # ln /etc/init.d/tomcat /etc/rc6.d/K13tomcat

   I find that using hard links rather than sym links makes it easier to find all links to an init script using find(1).

4. Tomcat will have to listen on unprivileged ports, such as 8080 and 8443, so you can either proxy from Apache, or if you have no need to run a web server as well as Tomcat then you can use the following commands to enable port forwarding:

    # /sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
    # /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
    # /sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
    # /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
    # /sbin/service iptables save
    # chkconfig iptables on
    # service iptables start

Hope this helps,

Chris

--
Chris Wareham
Re: run tomcat as tomcat user
(Repeating a reply I sent a week or so ago.)

I made this by modifying one for a different service. It's set up so that tomcat runs as the user tomcat. In order to do that you'll need to tweak the ownership of the files in the tomcat directory. I just made everything owned by tomcat except webapps, which I own, but which is group owned and writable by tomcat so it can explode the wars.

I'm on Ubuntu (notice the two flavors of the functions file it sources). You may not need the HUDSON_HOME stuff and I'm sure you won't need the Dwaitlistd.host=${HOST} so delete stuff as necessary.

If you want it to run as root I'm guessing that you'd need to delete the --chuid and --user lines.

    #!/bin/sh

    PATH=/bin:/usr/bin:/sbin:/usr/sbin
    export PATH

    export JAVA_OPTS=-server
    export JAVA_HOME=/usr/java
    export TOMCAT_DIR=/usr/local/tomcat
    export HUDSON_HOME=/usr/local/hudson

    TOMCAT_START=${TOMCAT_DIR}/bin/startup.sh
    TOMCAT_STOP=${TOMCAT_DIR}/bin/shutdown.sh
    TOMCAT_USER=tomcat

    HOST=`/bin/hostname | sed -e 's/\..*//'`

    export JAVA_OPTS="-server -Dwaitlistd.host=${HOST}"

    test -f ${TOMCAT_START} || exit 0

    # redhat
    # . /etc/init.d/functions

    # debian
    . /lib/lsb/init-functions

    case "$1" in
    'start')
        log_daemon_msg "Starting tomcat" "tomcat"
        cd /var/log
        # ${TOMCAT_START}
        eval /sbin/start-stop-daemon \
            --start \
            --quiet \
            --chuid ${TOMCAT_USER} \
            --user ${TOMCAT_USER} \
            --startas ${TOMCAT_START}
        log_end_msg $?
        ;;

    'stop')
        log_daemon_msg "Stopping tomcat" "tomcat"
        # ${TOMCAT_STOP}
        eval /sbin/start-stop-daemon \
            --stop \
            --quiet \
            --user ${TOMCAT_USER} \
            --startas ${TOMCAT_STOP}
        log_end_msg $?
        ;;

    'restart')
        ${0} stop
        log_action_msg "sleeping for several seconds ..."
        sleep 13
        ${0} start
        ;;

    *)
        log_action_msg "Usage: ${0} {start|stop|restart}"
        ;;
    esac

Kaushal Shriyan wrote:
> Hi
>
> I am not able to start tomcat as tomcat user on Ubuntu 8.04 Linux.
> Below is my start/stop script.
> Any ideas as to what is going wrong?
>
> Thanks and Regards
>
> Kaushal
>
> ###
> #!/bin/sh
> #
> # Startup script for Tomcat
>
> JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun
> export JAVA_HOME
> CATALINA_OPTS="-Xms512m -Xmx1m"
> export CATALINA_OPTS
> start_tomcat=/usr/local/apache-tomcat-5.5.27/bin/startup.sh
> stop_tomcat=/usr/local/apache-tomcat-5.5.27/bin/shutdown.sh
>
> start() {
>     echo -n "Starting tomcat: "
>     su -c ${start_tomcat} tomcat
>     echo "done."
> }
>
> stop() {
>     echo -n "Shutting down tomcat: "
>     ${stop_tomcat}
>     echo "done."
> }
>
> # See how we were called
> case "$1" in
>     start)
>         start
>         ;;
>     stop)
>         stop
>         ;;
>     restart)
>         stop
>         sleep 10
>         start
>         ;;
>     *)
>         echo "Usage: $0 {start|stop|restart}"
> esac
> ###
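A way to confirm that an init script like the ones in this thread really left Tomcat running as the unprivileged account, as an added example that is not code from any poster. The function names and the sample process lines are constructed; the only Tomcat-specific detail used is its main class, org.apache.catalina.startup.Bootstrap.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Filter `ps -eo user=,pid=,args=` lines on stdin: print "pid user" for each
# Tomcat JVM (recognised by its main class) whose owner is not WANT.
tomcat_wrong_user() {
    awk -v want="$1" '
        /org\.apache\.catalina\.startup\.Bootstrap/ && $1 != want { print $2, $1 }'
}

# List paths under BASE not owned by WANT (a user name or numeric uid).
# Files created while Tomcat ran as root show up here, and the unprivileged
# instance may be unable to write to them afterwards.
foreign_files() {
    find "$1" ! -user "$2" 2>/dev/null
}

# Constructed sample: one instance started correctly, one started as root.
sample_ps() {
    cat <<'EOF'
tomcat    2101 /usr/java/bin/java -Dcatalina.base=/home/tomcat org.apache.catalina.startup.Bootstrap start
root      2450 /usr/java/bin/java -Dcatalina.base=/srv/app2 org.apache.catalina.startup.Bootstrap start
root       812 /usr/sbin/sshd -D
EOF
}

# Live use on a host, with the account and directory from the thread:
#   ps -eo user=,pid=,args= | tomcat_wrong_user tomcat
#   foreign_files /home/tomcat/logs tomcat
```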