[pkg-java] r11447 - trunk/tomcat6/debian
Jason Brittain
jasonb-guest at alioth.debian.org
Sat Jan 30 06:39:49 UTC 2010
Author: jasonb-guest
Date: 2010-01-30 06:39:47 +0000 (Sat, 30 Jan 2010)
New Revision: 11447
Added:
trunk/tomcat6/debian/NEWS.Debian
trunk/tomcat6/debian/tomcat6.prerm
Modified:
trunk/tomcat6/debian/changelog
trunk/tomcat6/debian/control
trunk/tomcat6/debian/tomcat6.default
trunk/tomcat6/debian/tomcat6.init
trunk/tomcat6/debian/tomcat6.postinst
Log:
Refactored the init script:
* JSVC is no longer used by the package. Instead, the init script invokes
the stock catalina.sh script.
* Authbind is now the standard method for binding Tomcat to ports lower
than 1024 (when using IPv4).
* The security manager now defaults to the disabled state, and is commented
that way in /etc/default/tomcat6.
* Reliable restarts are now implemented in the init script.
(Closes: #561559)
* Tomcat now sends STDOUT and STDERR to its usual, stock log file
CATALINA_BASE/logs/catalina.out (/var/log/tomcat6/catalina.out in this
package's case).
Added: trunk/tomcat6/debian/NEWS.Debian
===================================================================
--- trunk/tomcat6/debian/NEWS.Debian (rev 0)
+++ trunk/tomcat6/debian/NEWS.Debian 2010-01-30 06:39:47 UTC (rev 11447)
@@ -0,0 +1,29 @@
+tomcat6 (6.0.20-10) unstable; urgency=low
+
+ * The tomcat6 package no longer uses the jsvc native service runner.
+ Instead, by default, the init script invokes the catalina.sh
+ script, and Tomcat does not attempt to open any server sockets on
+ ports below 1024. If you configure your Tomcat to listen on one
+ or more privileged ports (such as port 80 or port 443), then you
+ may now enable authbind in your /etc/default/tomcat6 file. The
+ authbind package can allow your Tomcat JVM user (a non-root user)
+ to listen on privileged ports. Set AUTHBIND="yes" to enable it,
+ and then configure your Tomcat to listen on any port number you
+ wish. See the "man authbind" for information on configuring
+ authbind.
+ * The Tomcat security manager is now disabled by default. Previous
+ versions of this package enabled the Tomcat security manager by
+ default. A large number of users reported exceptions where the
+ root cause was that the security manager was enabled by default.
+ In nearly all of these cases, the users are unfamiliar with the
+ Java security manager, and are not interested in trying to define
+ security manager rules for their webapps -- they just want it to
+ run. Disabling the security manager fixes it for them. Today,
+ most Tomcat users run Tomcat with the security manager disabled.
+ Those who intentionally enable it are the minority, and they tend
+ to know how it works. If you are currently using the security
+ manager, and would like to continue using it after upgrading to
+ tomcat6-6.0.20-10 or higher, edit your /etc/default/tomcat6 file
+ and set TOMCAT6_SECURITY="yes".
+
+ -- Jason Brittain <jason.brittain at mulesoft.com> Thu, 28 Jan 2010 17:15:03 +0000
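Review bot: The authbind paragraph of this NEWS entry leaves out the IPv4-only limitation that the new comment in tomcat6.default states ("authbind works only with IPv4. Do not enable it when using IPv6."), and the security manager paragraph explains why the default changed without saying what is given up. Suggest adding the IPv4 caveat next to AUTHBIND="yes", plus one sentence saying that with TOMCAT6_SECURITY left at its new default the catalina.policy rules are no longer applied to webapps, so administrators hosting code they do not fully trust know to set TOMCAT6_SECURITY="yes". 'See the "man authbind"' would read better as 'See authbind(1)'.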
Modified: trunk/tomcat6/debian/changelog
===================================================================
--- trunk/tomcat6/debian/changelog 2010-01-30 00:34:14 UTC (rev 11446)
+++ trunk/tomcat6/debian/changelog 2010-01-30 06:39:47 UTC (rev 11447)
@@ -1,3 +1,19 @@
+tomcat6 (6.0.20-10) unstable; urgency=low
+
+ * JSVC is no longer used by the package. Instead, the init script invokes
+ the stock catalina.sh script.
+ * Authbind is now the standard method for binding Tomcat to ports lower
+ than 1024 (when using IPv4).
+ * The security manager now defaults to the disabled state, and is commented
+ that way in /etc/default/tomcat6.
+ * Reliable restarts are now implemented in the init script.
+ (Closes: #561559)
+ * Tomcat now sends STDOUT and STDERR to its usual, stock log file
+ CATALINA_BASE/logs/catalina.out (/var/log/tomcat6/catalina.out in this
+ package's case.
+
+ -- Jason Brittain <jason.brittain at mulesoft.com> Wed, 27 Jan 2010 01:08:57 +0000
+
tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low
* Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
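Review bot: The new top entry is versioned 6.0.20-10 while the entry directly below it is 6.0.20-dfsg1-1; under dpkg's version comparison the upstream part 6.0.20 sorts before 6.0.20-dfsg1, so this upload would be treated as older than the previous one. Check with dpkg --compare-versions and either keep the -dfsg1 suffix or confirm that the ordering is intended. In the last bullet, the parenthesis opened before /var/log/tomcat6/catalina.out is never closed.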
Modified: trunk/tomcat6/debian/control
===================================================================
--- trunk/tomcat6/debian/control 2010-01-30 00:34:14 UTC (rev 11446)
+++ trunk/tomcat6/debian/control 2010-01-30 06:39:47 UTC (rev 11447)
@@ -18,8 +18,7 @@
Description: Servlet and JSP engine -- common files
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
- server environment for Java code to run. Tomcat 6 is the reference
- implementation for the Java Servlet 2.5 and JavaServer Pages 2.1 technologies.
+ server environment for Java code to run.
.
This package contains common files needed by the tomcat6 and tomcat6-user
packages (Tomcat 6 scripts and libraries).
@@ -27,8 +26,8 @@
Package: tomcat6
Architecture: all
Depends: tomcat6-common (>= ${source:Version}),
- adduser,
- jsvc, ${misc:Depends}
+ adduser, ${misc:Depends}
+Recommends: authbind
Suggests: tomcat6-docs (>= ${source:Version}),
tomcat6-admin (>= ${source:Version}),
tomcat6-examples (>= ${source:Version})
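Review bot: authbind is added only as Recommends here, but the rest of this commit relies on it unconditionally: tomcat6.postinst writes /etc/authbind/byuid/$TOMCAT_UID on every configure, and catalina_sh in tomcat6.init runs /usr/bin/authbind --deep whenever AUTHBIND=yes without testing that the binary exists. Suggest either having the init script check for /usr/bin/authbind and fail with a clear message when AUTHBIND=yes and it is missing, or making the postinst step conditional on the package being installed.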
@@ -48,8 +47,7 @@
Description: Servlet and JSP engine -- tools to create user instances
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
- server environment for Java code to run. Tomcat 6 is the reference
- implementation for the Java Servlet 2.5 and JavaServer Pages 2.1 technologies.
+ server environment for Java code to run.
.
This package contains files needed to create a user Tomcat instance.
@@ -65,8 +63,7 @@
Description: Servlet and JSP engine -- core libraries
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
- server environment for Java code to run. Tomcat 6 is the reference
- implementation for the Java Servlet 2.5 and JavaServer Pages 2.1 technologies.
+ server environment for Java code to run.
.
This package contains the Tomcat core classes which can be used by other
Java applications to embed Tomcat.
@@ -78,8 +75,7 @@
Description: Servlet 2.5 and JSP 2.1 Java API classes
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
- server environment for Java code to run. Tomcat 6 is the reference
- implementation for the Java Servlet 2.5 and JavaServer Pages 2.1 technologies.
+ server environment for Java code to run.
.
This package contains the Java Servlet and JSP library.
@@ -90,8 +86,7 @@
Description: Servlet 2.5 and JSP 2.1 Java API documentation
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
- server environment for Java code to run. Tomcat 6 is the reference
- implementation for the Java Servlet 2.5 and JavaServer Pages 2.1 technologies.
+ server environment for Java code to run.
.
This package contains the documentation for the Java Servlet and JSP library.
@@ -101,8 +96,7 @@
Description: Servlet and JSP engine -- admin web applications
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
- server environment for Java code to run. Tomcat 6 is the reference
- implementation for the Java Servlet 2.5 and JavaServer Pages 2.1 technologies.
+ server environment for Java code to run.
.
This package contains the administrative web interfaces.
@@ -112,8 +106,7 @@
Description: Servlet and JSP engine -- example web applications
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
- server environment for Java code to run. Tomcat 6 is the reference
- implementation for the Java Servlet 2.5 and JavaServer Pages 2.1 technologies.
+ server environment for Java code to run.
.
This package contains the default Tomcat example webapps.
@@ -124,8 +117,7 @@
Description: Servlet and JSP engine -- documentation
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Sun Microsystems, and provides a "pure Java" HTTP web
- server environment for Java code to run. Tomcat 6 is the reference
- implementation for the Java Servlet 2.5 and JavaServer Pages 2.1 technologies.
+ server environment for Java code to run.
.
This package contains the online documentation web application.
Modified: trunk/tomcat6/debian/tomcat6.default
===================================================================
--- trunk/tomcat6/debian/tomcat6.default 2010-01-30 00:34:14 UTC (rev 11446)
+++ trunk/tomcat6/debian/tomcat6.default 2010-01-30 06:39:47 UTC (rev 11447)
@@ -2,19 +2,27 @@
# default of tomcat6.
#TOMCAT6_USER=tomcat6
+# Run Tomcat as this group ID. Not setting this or leaving it blank will use
+# the default of tomcat6.
+#TOMCAT6_GROUP=tomcat6
+
# The home directory of the Java development kit (JDK). You need at least
# JDK version 1.5. If JAVA_HOME is not set, some common directories for
# OpenJDK, the Sun JDK, and various J2SE 1.5 versions are tried.
#JAVA_HOME=/usr/lib/jvm/openjdk-6-jdk
+# Directory where the Tomcat 6 binary distribution resides. This a read-only
+# directory that can be shared by all Tomcat instances running on the machine.
+# Default: /usr/share/tomcat6
+#CATALINA_HOME=/usr/share/$NAME
+
# Directory for per-instance configuration files and webapps. It contains the
# directories conf, logs, webapps, work and temp. See RUNNING.txt for details.
# Default: /var/lib/tomcat6
-#CATALINA_BASE=/var/lib/tomcat6
+#CATALINA_BASE=/var/lib/$NAME
-# Arguments to pass to JSVC (*not* to the JVM as the name may suggest).
-# -D and -X arguments are however passed on to the JVM by JSVC.
-#JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"
+# You may pass JVM startup parameters to Java here.
+#JAVA_OPTS="-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx128m"
# To enable remote debugging uncomment the following line.
# You will then be able to use a java debugger on port 8000.
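Review bot: The commented examples #CATALINA_HOME=/usr/share/$NAME and #CATALINA_BASE=/var/lib/$NAME depend on NAME, which is set only inside tomcat6.init, while the "Default:" comments above them give the literal paths; a user who uncomments one of these lines and reads this file from anywhere else gets /usr/share/ or /var/lib/. Suggest keeping the literal /usr/share/tomcat6 and /var/lib/tomcat6 in the examples. The new comment has a typo ("This a read-only directory" should be "This is a read-only directory"), and the JAVA_OPTS example now carries -Djava.net.preferIPv4Stack=true, which the init script already appends itself when AUTHBIND=yes, so uncommenting the example forces IPv4 for users who never enable authbind.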
@@ -24,10 +32,8 @@
# compilers that are accepted by Ant's build.compiler property.
#JSP_COMPILER=javac
-# Use the Java security manager? (yes/no, default: yes)
-# WARNING: Do not disable the security manager unless you understand
-# the consequences!
-#TOMCAT6_SECURITY=yes
+# Use the Java security manager? (yes/no, default: no)
+#TOMCAT6_SECURITY=no
# Number of days to keep logfiles in /var/log/tomcat6. Default is 14 days.
#LOGFILE_DAYS=14
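Review bot: This hunk drops the WARNING comment together with the default flip and leaves only "(yes/no, default: no)", so the file no longer tells an administrator what the setting does. Suggest a replacement comment stating that with TOMCAT6_SECURITY=no webapps run with all the permissions of the Tomcat JVM user and that the policy in catalina.policy is applied only when the value is yes, so the choice is an informed one for hosts that deploy third-party webapps.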
@@ -36,5 +42,8 @@
# WARNING: This directory will be destroyed and recreated at every startup !
#JVM_TMP=/tmp/tomcat6-temp
-# JSVC ClassPath
-#JSVC_CLASSPATH="/usr/share/java/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar"
+# If you run Tomcat on port numbers that are all higher than 1023, then you
+# do not need authbind. It is used for binding Tomcat to lower port numbers.
+# NOTE: authbind works only with IPv4. Do not enable it when using IPv6.
+# (yes/no, default: no)
+#AUTHBIND=no
Modified: trunk/tomcat6/debian/tomcat6.init
===================================================================
--- trunk/tomcat6/debian/tomcat6.init 2010-01-30 00:34:14 UTC (rev 11446)
+++ trunk/tomcat6/debian/tomcat6.init 2010-01-30 06:39:47 UTC (rev 11447)
@@ -6,6 +6,7 @@
# Modified for Debian GNU/Linux by Ian Murdock <imurdock at gnu.ai.mit.edu>.
# Modified for Tomcat by Stefan Gybas <sgybas at debian.org>.
# Modified for Tomcat6 by Thierry Carrez <thierry.carrez at ubuntu.com>.
+# Additional improvements by Jason Brittain <jason.brittain at mulesoft.com>.
#
### BEGIN INIT INFO
# Provides: tomcat6
@@ -24,11 +25,8 @@
PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=tomcat6
DESC="Tomcat servlet engine"
-DAEMON=/usr/bin/jsvc
-CATALINA_HOME=/usr/share/$NAME
DEFAULT=/etc/default/$NAME
JVM_TMP=/tmp/tomcat6-tmp
-JSVC_CLASSPATH="/usr/share/java/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar"
if [ `id -u` -ne 0 ]; then
echo "You need root privileges to run this script"
@@ -50,8 +48,9 @@
# The following variables can be overwritten in $DEFAULT
-# Run Tomcat 6 as this user ID
+# Run Tomcat 6 as this user ID and group ID
TOMCAT6_USER=tomcat6
+TOMCAT6_GROUP=tomcat6
# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
# defined in $DEFAULT)
@@ -65,11 +64,14 @@
done
export JAVA_HOME
+# Directory where the Tomcat 6 binary distribution resides
+CATALINA_HOME=/usr/share/$NAME
+
# Directory for per-instance configuration files and webapps
CATALINA_BASE=/var/lib/$NAME
# Use the Java security manager? (yes/no)
-TOMCAT6_SECURITY=yes
+TOMCAT6_SECURITY=no
# Default Java options
# Set java.awt.headless=true if JAVA_OPTS is not set so the
@@ -92,36 +94,70 @@
exit 1
fi
-[ -f "$DAEMON" ] || exit 0
-
POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"
-JAVA_OPTS="$JAVA_OPTS -Djava.endorsed.dirs=$CATALINA_HOME/endorsed -Dcatalina.base=$CATALINA_BASE -Dcatalina.home=$CATALINA_HOME -Djava.io.tmpdir=$JVM_TMP"
+if [ -z "$CATALINA_TMPDIR" ]; then
+ CATALINA_TMPDIR="$JVM_TMP"
+fi
# Set the JSP compiler if set in the tomcat6.default file
if [ -n "$JSP_COMPILER" ]; then
- JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=$JSP_COMPILER"
+ JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
fi
+SECURITY=""
if [ "$TOMCAT6_SECURITY" = "yes" ]; then
- JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY_CACHE"
+ JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=\"$POLICY_CACHE\""
+ SECURITY="-security"
fi
-# Set juli LogManager if logging.properties is provided
-if [ -r "$CATALINA_BASE"/conf/logging.properties ]; then
- JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager" "-Djava.util.logging.config.file="$CATALINA_BASE/conf/logging.properties"
-fi
-
# Define other required variables
CATALINA_PID="/var/run/$NAME.pid"
-BOOTSTRAP_CLASS=org.apache.catalina.startup.Bootstrap
+CATALINA_SH="$CATALINA_HOME/bin/catalina.sh"
# Look for Java Secure Sockets Extension (JSSE) JARs
if [ -z "${JSSE_HOME}" -a -r "${JAVA_HOME}/jre/lib/jsse.jar" ]; then
JSSE_HOME="${JAVA_HOME}/jre/"
fi
-export JSSE_HOME
+catalina_sh() {
+ # Escape any double quotes in the value of JAVA_OPTS
+ JAVA_OPTS="$(echo $JAVA_OPTS | sed 's/\"/\\\"/g')"
+
+ AUTHBIND_COMMAND=""
+ if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
+ JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
+ AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c "
+ fi
+
+ # Define the command to run Tomcat's catalina.sh as a daemon
+ # set -a tells sh to export assigned variables to spawned shells.
+ TOMCAT_SH="set -a; JAVA_HOME=\"$JAVA_HOME\"; source \"$DEFAULT\"; \
+ CATALINA_HOME=\"$CATALINA_HOME\"; \
+ CATALINA_BASE=\"$CATALINA_BASE\"; \
+ JAVA_OPTS=\"$JAVA_OPTS\"; \
+ CATALINA_PID=\"$CATALINA_PID\"; \
+ CATALINA_TMPDIR=\"$CATALINA_TMPDIR\"; \
+ LANG=\"$LANG\"; JSSE_HOME=\"$JSSE_HOME\"; \
+ cd \"$CATALINA_BASE\"; \
+ \"$CATALINA_SH\" $@"
+
+ if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
+ TOMCAT_SH="'$TOMCAT_SH'"
+ fi
+
+ # Run the catalina.sh script as a daemon
+ set +e
+ touch "$CATALINA_PID"
+ chown $TOMCAT6_USER "$CATALINA_PID"
+ start-stop-daemon --start -u "$TOMCAT6_USER" -g "$TOMCAT6_GROUP" \
+ -c "$TOMCAT6_USER" -d "$CATALINA_TMPDIR" \
+ -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH" >/dev/null
+ status="$?"
+ set +a -e
+ return $status
+}
+
case "$1" in
start)
if [ -z "$JAVA_HOME" ]; then
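Review bot: catalina_sh pastes configuration values into a command string that a second shell re-parses, and only double quotes are escaped (sed 's/\"/\\\"/g'), so a JAVA_OPTS, JAVA_HOME or CATALINA_BASE value containing $, a backquote or a backslash is expanded again by the inner bash; echo $JAVA_OPTS is also unquoted, so the value is word-split and glob-expanded before sed sees it. In the authbind branch the whole string is then wrapped in single quotes (TOMCAT_SH="'$TOMCAT_SH'"), which breaks as soon as any value contains a single quote. Suggest exporting the variables in the init script's own environment and running "$CATALINA_SH" with a fixed argument list instead of generating shell source, or at minimum quoting the echo argument and escaping the remaining shell metacharacters. Separately, the removed guard [ -f "$DAEMON" ] || exit 0 has no replacement, so the script no longer exits quietly when the package is removed but not purged; the same test on "$CATALINA_SH" would restore that.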
@@ -136,7 +172,7 @@
log_daemon_msg "Starting $DESC" "$NAME"
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
- --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \
+ --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
# Regenerate POLICY_CACHE file
@@ -149,20 +185,16 @@
# Remove / recreate JVM_TMP directory
rm -rf "$JVM_TMP"
- mkdir "$JVM_TMP" || {
+ mkdir -p "$JVM_TMP" || {
log_failure_msg "could not create JVM temporary directory"
exit 1
}
chown $TOMCAT6_USER "$JVM_TMP"
- cd "$JVM_TMP"
- $DAEMON -user "$TOMCAT6_USER" -cp "$JSVC_CLASSPATH" \
- -outfile SYSLOG -errfile SYSLOG \
- -pidfile "$CATALINA_PID" $JAVA_OPTS "$BOOTSTRAP_CLASS"
-
+ catalina_sh start $SECURITY
sleep 5
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
- --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \
+ --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
log_end_msg 1
else
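Review bot: Changing mkdir to mkdir -p on "$JVM_TMP" removes the only failure signal in this sequence. JVM_TMP is a fixed name under /tmp (/tmp/tomcat6-tmp), and if the path reappears between rm -rf and mkdir, plain mkdir failed and the script exited, whereas mkdir -p succeeds and the following chown $TOMCAT6_USER "$JVM_TMP" runs as root on whatever is there. Suggest keeping plain mkdir, or better, moving the temporary directory out of the world-writable /tmp, for example to the temp directory under CATALINA_BASE that tomcat6.default already describes. The fixed sleep 5 before the liveness test is also timing-dependent; polling the pid file for a bounded time would make the start result more reliable.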
@@ -175,21 +207,35 @@
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
- if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
- --user "$TOMCAT6_USER" --startas "$JAVA_HOME/bin/java" \
- >/dev/null; then
+
+ set +e
+ start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
+ --user "$TOMCAT6_USER" --exec "$JAVA_HOME/bin/java" \
+ >/dev/null
+ if [ "$?" = "0" ]; then
log_progress_msg "(not running)"
else
- $DAEMON -cp "$JSVC_CLASSPATH" -pidfile "$CATALINA_PID" \
- -stop "$BOOTSTRAP_CLASS"
+ start-stop-daemon --stop --pidfile "$CATALINA_PID" \
+ --user "$TOMCAT6_USER" \
+ --retry=TERM/20/KILL/5 >/dev/null
+ if [ $? -eq 3 ]; then
+ PID="`cat $CATALINA_PID`"
+ log_failure_msg "Failed to stop $NAME (pid $PID)"
+ exit 1
+ else
+ rm -f "$CATALINA_PID"
+ fi
fi
rm -rf "$JVM_TMP"
log_end_msg 0
+ set -e
;;
status)
- if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
- --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \
- >/dev/null; then
+ set +e
+ start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
+ --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
+ >/dev/null 2>&1
+ if [ "$?" = "0" ]; then
if [ -f "$CATALINA_PID" ]; then
log_success_msg "$DESC is not running, but pid file exists."
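Review bot: In the stop branch only exit status 3 from start-stop-daemon --stop is treated as a failure, but start-stop-daemon(8) documents status 2 for the case where --retry reaches the end of its schedule with the process still running. With --retry=TERM/20/KILL/5 that case falls into the else arm, the pid file is removed and log_end_msg 0 reports success while the JVM may still be alive, which defeats the "reliable restarts" goal because the next start finds no pid file. Suggest treating both 2 and 3 as failure (status 1, nothing to stop, can stay non-fatal). PID="`cat $CATALINA_PID`" should also quote "$CATALINA_PID".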
@@ -201,10 +247,11 @@
else
log_success_msg "$DESC is running with pid `cat $CATALINA_PID`"
fi
+ set -e
;;
restart|force-reload)
if start-stop-daemon --test --stop --pidfile "$CATALINA_PID" \
- --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \
+ --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
$0 stop
sleep 1
@@ -213,7 +260,7 @@
;;
try-restart)
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
- --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \
+ --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
$0 start
fi
Modified: trunk/tomcat6/debian/tomcat6.postinst
===================================================================
--- trunk/tomcat6/debian/tomcat6.postinst 2010-01-30 00:34:14 UTC (rev 11446)
+++ trunk/tomcat6/debian/tomcat6.postinst 2010-01-30 06:39:47 UTC (rev 11447)
@@ -18,6 +18,19 @@
chown -Rh tomcat6:adm /var/lib/tomcat6/webapps /var/lib/tomcat6/common /var/lib/tomcat6/server /var/lib/tomcat6/shared
chmod 775 /var/lib/tomcat6/webapps
chmod 775 /etc/tomcat6/Catalina /etc/tomcat6/Catalina/localhost
+
+ # Authorize user tomcat6 to open privileged ports via authbind.
+ TOMCAT_UID="`id -u tomcat6`"
+ if [ ! -f "/etc/authbind/byuid/$TOMCAT_UID" ]; then
+ if [ ! -d "/etc/authbind/byuid" ]; then
+ mkdir -p /etc/authbind/byuid
+ chmod 755 /etc/authbind
+ chmod 755 /etc/authbind/byuid
+ fi
+ echo '0.0.0.0/32:1,1023' >/etc/authbind/byuid/$TOMCAT_UID
+ chown tomcat6:tomcat6 /etc/authbind/byuid/$TOMCAT_UID
+ chmod 700 /etc/authbind/byuid/$TOMCAT_UID
+ fi
;;
esac
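Review bot: This block authorizes the tomcat6 uid for the whole range 1,1023 on every install, whether or not AUTHBIND is ever set to yes in /etc/default/tomcat6, which is wider than the ports 80 and 443 that the NEWS entry names as the use case. Suggest creating the byuid file only when the administrator opts in, or shipping a narrower range and documenting how to widen it. The file is also chowned to tomcat6:tomcat6 with mode 700, so the service account can rewrite its own authorization; if authbind accepts a root-owned file for byuid entries, prefer that. As a /32, 0.0.0.0/32 matches only the address 0.0.0.0 itself, so a connector bound to a specific address would not be covered, and the result of id -u tomcat6 is used in a path without checking that the lookup succeeded.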
Added: trunk/tomcat6/debian/tomcat6.prerm
===================================================================
--- trunk/tomcat6/debian/tomcat6.prerm (rev 0)
+++ trunk/tomcat6/debian/tomcat6.prerm 2010-01-30 06:39:47 UTC (rev 11447)
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove)
+ # Remove auth for tomcat6 to open privileged ports via authbind.
+ TOMCAT_UID="`id -u tomcat6`"
+ if [ -f "/etc/authbind/byuid/$TOMCAT_UID" ]; then
+ rm -f /etc/authbind/byuid/$TOMCAT_UID
+ fi
+ ;;
+esac
+
+#DEBHELPER#
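Review bot: With set -e in effect, TOMCAT_UID="`id -u tomcat6`" aborts the prerm if the tomcat6 user no longer exists, which makes package removal fail. Because tomcat6.postinst creates /etc/authbind/byuid/$TOMCAT_UID only when it is absent, this rm -f also deletes a file that the administrator wrote or edited. Suggest skipping the cleanup when the id lookup fails, and removing the file only if it still contains the single line that postinst wrote.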