FAQ
Hello and thank you for reading my post.

My question is about how can Tomcat be started at boot time as a non-root
user.

The OS is Debian Wheezy.

Below is what I did already:

root> chown -R tomcat7.tomcat7 /opt/tomcat7/

I created a new file: "/etc/init.d/tomcat7"
Owner and owner group: root
Permissions: 755
-------------------------------------------------------
#! /bin/sh

export JAVA_HOME=/opt/jdk1.7.0_67/
case $1 in

start)
   /bin/bash /opt/tomcat7/bin/startup.sh
   ;;

stop)
   /bin/bash /opt/tomcat7/bin/shutdown.sh
   ;;

restart)
   /bin/bash /opt/tomcat7/bin/shutdown.sh
   /bin/bash /opt/tomcat7/bin/startup.sh
   ;;
esac

exit 0
-------------------------------------------------------

I ran:
root> update-rc.d tomcat7 defaults

Added to /etc/rc0.d/ : K01tomcat7
Added to /etc/rc1.d/ : K01tomcat7
Added to /etc/rc2.d/ : S17tomcat7
Added to /etc/rc3.d/ : S17tomcat7
Added to /etc/rc4.d/ : S17tomcat7
Added to /etc/rc5.d/ : S17tomcat7
Added to /etc/rc6.d/ : K01tomcat7

At boot time, tomcat is started as root.
How can it be started as tomcat7?

Best regards.



--
View this message in context: http://tomcat.10.x6.nabble.com/How-can-Tomcat-be-started-at-boot-time-as-a-non-root-user-tp5023810.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Search Discussions

  • Daniel Mikusa at Oct 14, 2014 at 11:23 am

    On Tue, Oct 14, 2014 at 7:06 AM, Léa Massiot wrote:

    Hello and thank you for reading my post.

    My question is about how can Tomcat be started at boot time as a non-root
    user.

    The OS is Debian Wheezy.

    Below is what I did already:

    root> chown -R tomcat7.tomcat7 /opt/tomcat7/

    I created a new file: "/etc/init.d/tomcat7"
    Owner and owner group: root
    Permissions: 755
    -------------------------------------------------------
    #! /bin/sh

    export JAVA_HOME=/opt/jdk1.7.0_67/
    case $1 in

    start)
    /bin/bash /opt/tomcat7/bin/startup.sh
    ;;

    stop)
    /bin/bash /opt/tomcat7/bin/shutdown.sh
    ;;

    restart)
    /bin/bash /opt/tomcat7/bin/shutdown.sh
    /bin/bash /opt/tomcat7/bin/startup.sh
    ;;
    esac

    exit 0
    -------------------------------------------------------

    I ran:
    root> update-rc.d tomcat7 defaults

    Added to /etc/rc0.d/ : K01tomcat7
    Added to /etc/rc1.d/ : K01tomcat7
    Added to /etc/rc2.d/ : S17tomcat7
    Added to /etc/rc3.d/ : S17tomcat7
    Added to /etc/rc4.d/ : S17tomcat7
    Added to /etc/rc5.d/ : S17tomcat7
    Added to /etc/rc6.d/ : K01tomcat7

    At boot time, tomcat is started as root.
    How can it be started as tomcat7?
    What about this?

        http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

    Dan

    Best regards.



    --
    View this message in context:
    http://tomcat.10.x6.nabble.com/How-can-Tomcat-be-started-at-boot-time-as-a-non-root-user-tp5023810.html
    Sent from the Tomcat - User mailing list archive at Nabble.com.

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
  • Léa Massiot at Oct 14, 2014 at 4:10 pm
    Hello Dan and thank you for your answer.

    I installed the JSVC tool as indicated in your document
    http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

    I copied the "jsvc" executable into "/opt/tomcat7/bin/".

    I also copied "/opt/tomcat7/bin/daemon.sh" into "/etc/init.d" and renamed it
    as "tomcat7".

    I added the following lines at the beginning of "/etc/init.d/tomcat7":
    -------------------------------------------------------------------------
    CATALINA_HOME=/opt/tomcat7
    export CATALINA_HOME
    TOMCAT_USER=webadmin
    export TOMCAT_USER
    JAVA_HOME=/opt/jdk1.7.0_67
    -------------------------------------------------------------------------

    I hope I did all this the right way... ?

    Now, if I reboot, log in as root and launch the command:
    root> ps aux | grep tomcat7

    I notice that there are two "jsvc.exec" processes, one run by "root" and the
    other one run by "webadmin" which UID is 1000:

    -------------------------------------------------------------------------
    root 2841 0.0 0.0 16752 412 ? Ss 16:30 0:00 jsvc.exec
    -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile
    /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile
    /opt/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath
    /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
    -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
    -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7
    -Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp
    org.apache.catalina.startup.Bootstrap

    1000 2842 8.9 1.1 2434512 97444 ? Sl 16:30 0:03 jsvc.exec
    -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile
    /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile
    /opt/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath
    /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
    -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
    -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7
    -Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp
    org.apache.catalina.startup.Bootstrap
    -------------------------------------------------------------------------

    If I "kill -9" the process owned by user 1000, another process is
    immediately created to replace the killed one.

    If I kill the process owned by "root", no new process is created.
    And if I kill the last remaining process, the one owned by user 1000, no new
    process is created either.

    I noticed that the $CATALINA_PID file contain the PID of the process owned
    by user 1000.

    I am wondering if this is normal behavior and if it is, why is it behaving
    like this?

    Thank you for helping.
    Best regards.



    --
    View this message in context: http://tomcat.10.x6.nabble.com/How-can-Tomcat-be-started-at-boot-time-as-a-non-root-user-tp5023810p5023823.html
    Sent from the Tomcat - User mailing list archive at Nabble.com.

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
  • George Sexton at Oct 14, 2014 at 4:19 pm

    On 10/14/2014 10:09 AM, Léa Massiot wrote:
    Hello Dan and thank you for your answer.

    I installed the JSVC tool as indicated in your document
    http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

    I copied the "jsvc" executable into "/opt/tomcat7/bin/".

    I also copied "/opt/tomcat7/bin/daemon.sh" into "/etc/init.d" and renamed it
    as "tomcat7".

    I added the following lines at the beginning of "/etc/init.d/tomcat7":
    -------------------------------------------------------------------------
    CATALINA_HOME=/opt/tomcat7
    export CATALINA_HOME
    TOMCAT_USER=webadmin
    export TOMCAT_USER
    JAVA_HOME=/opt/jdk1.7.0_67
    -------------------------------------------------------------------------

    I hope I did all this the right way... ?

    Now, if I reboot, log in as root and launch the command:
    root> ps aux | grep tomcat7

    I notice that there are two "jsvc.exec" processes, one run by "root" and the
    other one run by "webadmin" which UID is 1000:
    The root process forks the child process and then sticks around. You'll
    see why below.
    -------------------------------------------------------------------------
    root 2841 0.0 0.0 16752 412 ? Ss 16:30 0:00 jsvc.exec
    -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile
    /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile
    /opt/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath
    /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
    -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
    -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7
    -Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp
    org.apache.catalina.startup.Bootstrap

    1000 2842 8.9 1.1 2434512 97444 ? Sl 16:30 0:03 jsvc.exec
    -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile
    /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile
    /opt/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath
    /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
    -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
    -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7
    -Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp
    org.apache.catalina.startup.Bootstrap
    -------------------------------------------------------------------------

    If I "kill -9" the process owned by user 1000, another process is
    immediately created to replace the killed one.
    The parent process which runs as ROOT re-starts the child process if it
    accidentally dies. So, if you have a segfault, your app gets re-started.
    If I kill the process owned by "root", no new process is created.
    And if I kill the last remaining process, the one owned by user 1000, no new
    process is created either.
    That's expected.
    I noticed that the $CATALINA_PID file contain the PID of the process owned
    by user 1000.
    Which is the UID of your webadmin user that you specified on the command
    line to jsvc.
    I am wondering if this is normal behavior and if it is, why is it behaving
    like this?
    It's behaving that way by design. If you stop and think about what it's
    doing, it makes perfect sense.

    If you want to shut the app down, you need to use the JSVC executable to
    do so, or do a "killall -9 jsvc".

    --
    George Sexton
    *MH Software, Inc.*
    Voice: 303 438 9585
    http://www.mhsoftware.com
  • Christopher Schultz at Oct 14, 2014 at 4:47 pm
    Léa,
    On 10/14/14 7:06 AM, Léa Massiot wrote:
    My question is about how can Tomcat be started at boot time as a
    non-root user.

    The OS is Debian Wheezy.

    Below is what I did already:

    root> chown -R tomcat7.tomcat7 /opt/tomcat7/

    I created a new file: "/etc/init.d/tomcat7" Owner and owner group:
    root Permissions: 755
    ------------------------------------------------------- #! /bin/sh

    export JAVA_HOME=/opt/jdk1.7.0_67/ case $1 in

    start) /bin/bash /opt/tomcat7/bin/startup.sh
    Change this to:

    su -c "/bin/bash /opt/tomcat7/bin/startup.sh" tomcat7

    Look at the man page for "su" to see what's going on.

    Or you can use jsvc as others have suggested. I think jsvc is probably
    more robust (because it can restart Tomcat if it dies) but it's a bit
    more hassle, too.

    - -chris


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
  • Mark Eggers at Oct 14, 2014 at 5:22 pm
    Chris,
    On Tuesday, October 14, 2014 9:47 AM, Christopher Schultz wrote:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Léa,
    On 10/14/14 7:06 AM, Léa Massiot wrote:
    My question is about how can Tomcat be started at boot time as a
    non-root user.

    The OS is Debian Wheezy.

    Below is what I did already:

    root> chown -R tomcat7.tomcat7 /opt/tomcat7/

    I created a new file: "/etc/init.d/tomcat7" Owner and owner group:
    root Permissions: 755
    ------------------------------------------------------- #! /bin/sh

    export JAVA_HOME=/opt/jdk1.7.0_67/ case $1 in

    start) /bin/bash /opt/tomcat7/bin/startup.sh
    Change this to:

    su -c "/bin/bash /opt/tomcat7/bin/startup.sh" tomcat7
    You might need to use runuser in the above line if you're running SELinux.
    Look at the man page for "su" to see what's going on.

    Or you can use jsvc as others have suggested. I think jsvc is probably
    more robust (because it can restart Tomcat if it dies) but it's a bit
    more hassle, too.
    I've not tried the jsvc route yet, but I'm sorely tempted (especially now with systemd).

    Writing an init script that takes care of all the issues is complicated.
    - -chris

    . . . just my two cents
    /mde/

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
  • Christopher Schultz at Oct 14, 2014 at 6:47 pm
    Mark,
    On 10/14/14 1:21 PM, Mark Eggers wrote:
    Chris,
    On Tuesday, October 14, 2014 9:47 AM, Christopher Schultz
    wrote:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Léa,
    On 10/14/14 7:06 AM, Léa Massiot wrote:
    My question is about how can Tomcat be started at boot time as
    a non-root user.

    The OS is Debian Wheezy.

    Below is what I did already:

    root> chown -R tomcat7.tomcat7 /opt/tomcat7/

    I created a new file: "/etc/init.d/tomcat7" Owner and owner group:
    root Permissions: 755
    ------------------------------------------------------- #!
    /bin/sh

    export JAVA_HOME=/opt/jdk1.7.0_67/ case $1 in

    start) /bin/bash /opt/tomcat7/bin/startup.sh
    Change this to:

    su -c "/bin/bash /opt/tomcat7/bin/startup.sh" tomcat7
    You might need to use runuser in the above line if you're running
    SELinux.
    Oh, I wasn't aware of that. I don't use SELinux myself.
    Look at the man page for "su" to see what's going on.

    Or you can use jsvc as others have suggested. I think jsvc is
    probably more robust (because it can restart Tomcat if it dies)
    but it's a bit more hassle, too.
    I've not tried the jsvc route yet, but I'm sorely tempted
    (especially now with systemd).
    I'm interested to hear what you have to say about systemd and how it
    relates to Tomcat deployments. systemd can (allegedly) work just fine
    with plain-old "init" scripts if you want to use them.
    Writing an init script that takes care of all the issues is
    complicated.
    We have one that works just fine under both Debian and RHEL, with
    dependencies, etc. It's a bare-bones script that basically just calls
    our ant build script which understands how to launch Tomcat with all
    the right environment variables set. We do this because we have
    multiple VMs running -- one per webapp -- and everything is configured
    in one place. Basically, "/etc/init.d/webapp start" for us just
    translates into "ant tomcat-start", etc.

    - -chris


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
  • Mark Eggers at Oct 14, 2014 at 9:35 pm
    Chris,

    On Tuesday, October 14, 2014 11:47 AM, Christopher Schultz wrote:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Mark,
    On 10/14/14 1:21 PM, Mark Eggers wrote:
    Chris,
    On Tuesday, October 14, 2014 9:47 AM, Christopher Schultz
    wrote:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Léa,
    On 10/14/14 7:06 AM, Léa Massiot wrote:
    My question is about how can Tomcat be started at boot time as
    a non-root user.

    The OS is Debian Wheezy.

    Below is what I did already:

    root> chown -R tomcat7.tomcat7 /opt/tomcat7/

    I created a new file: "/etc/init.d/tomcat7" Owner and
    owner
    group:
    root Permissions: 755
    ------------------------------------------------------- #!
    /bin/sh

    export JAVA_HOME=/opt/jdk1.7.0_67/ case $1 in

    start) /bin/bash /opt/tomcat7/bin/startup.sh
    Change this to:

    su -c "/bin/bash /opt/tomcat7/bin/startup.sh" tomcat7
    You might need to use runuser in the above line if you're running
    SELinux.
    Oh, I wasn't aware of that. I don't use SELinux myself.
    We use SELinux, and so far it's not bitten us too hard.
    Look at the man page for "su" to see what's going on.

    Or you can use jsvc as others have suggested. I think jsvc is
    probably more robust (because it can restart Tomcat if it dies)
    but it's a bit more hassle, too.
    I've not tried the jsvc route yet, but I'm sorely tempted
    (especially now with systemd).
    I'm interested to hear what you have to say about systemd and how it
    relates to Tomcat deployments. systemd can (allegedly) work just fine
    with plain-old "init" scripts if you want to use them.
    I've seen that, but it seems more like a hack (and some of the systemd people think so as well). I'd rather look at some examples and see if I can do things "correctly". My biggest systemd complaints so far are service level logging, feedback, and status information.
    Writing an init script that takes care of all the issues is
    complicated.
    We have one that works just fine under both Debian and RHEL, with
    dependencies, etc. It's a bare-bones script that basically just calls
    our ant build script which understands how to launch Tomcat with all
    the right environment variables set. We do this because we have
    multiple VMs running -- one per webapp -- and everything is configured
    in one place. Basically, "/etc/init.d/webapp start" for us just
    translates into "ant tomcat-start", etc.
    Ours works more or less like that. One script per Tomcat, and the script name matches the service name, matches the configuration file name. Our script is a bit more complex, since it does some of the RedHat / CentOS housekeeping. It also has some checks for sane starts and restarts (checks to see if things are running cleanly or not, etc.).
    - -chris

    We have a nice environment based on $CATALINA_HOME, $CATALINA_BASE, separate appBase directories, and soft links. This allows us to upgrade Tomcat without impacting production.

    The final (production impact) upgrade steps are:

    1. Shut down service
    2. Move links
    3. Bring up service

    One of these days, we'll look at Chef / Puppet / et. al.

    . . . just my two cents
    /mde/

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
  • Léa Massiot at Oct 15, 2014 at 1:48 pm
    Thank you George Sexton for your explanations.
    Best regards to you all.



    --
    View this message in context: http://tomcat.10.x6.nabble.com/How-can-Tomcat-be-started-at-boot-time-as-a-non-root-user-tp5023810p5023899.html
    Sent from the Tomcat - User mailing list archive at Nabble.com.

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupusers @
categoriestomcat
postedOct 14, '14 at 11:07a
activeOct 15, '14 at 1:48p
posts9
users5
websitetomcat.apache.org
irc#tomcat

People

Translate

site design / logo © 2018 Grokbase