tomcat9 preview
Hi all,

I've started working on the tomcat9 packaging. Since this is a new
package I've investigated disruptive changes that we couldn't afford
with the tomcat8 package. In the latest update of tomcat8 (8.5.32-2)
I've added a systemd service file, and with tomcat9 I've tried
leveraging more systemd features. The current work in progress is
available on Salsa [1], here is a quick summary of the changes:

* The system user running Tomcat is now fixed and no longer
  configurable. I did this for several reasons:
  - Updating the owner of the webapp directories when upgrading
    from tomcat<n> to tomcat<n+1> is inconvenient.
  - The system user is rarely configurable in other packages.
    Apache, MySQL/MariaDB, Exim, Postgres, OpenLDAP... all have
    a non configurable user.
  - systemd doesn't seem to support environment variables
    in the User/Group directives on the service files.
* The debconf integration has been removed. With the user/group
  becoming non configurable, there is only the JAVA_OPTS variable
  left configurable with debconf. JAVA_OPTS often contains
  parameters for fine tuning the JVM (memory settings, garbage
  collector, crash reporting and other advanced VM options),
  that's a quite complex item to configure for a simple debconf
  dialog. Moreover it's affected by a debconf bug that has bitten
  many of us (see #658554).
* The Servlet API package has been removed (as discussed)
* The catalina.out log file is no more. It duplicates the content
  of the catalina*.log files already generated by Tomcat since the
  version 5.5, and with the systemd integration the latest logs are
  available in /var/log/syslog and through 'journalctl -t tomcat9'
  anyway.
* The logs are now rotated directly by Tomcat instead of a cron job.
  The cron job is still used to compress the logs though.
* The sysv init script has been removed and the service is now
  exclusively started with systemd. systemd brings so many
  benefits in terms of simplicity and security that I think it's
  worth going with it exclusively. Our tomcat8 package has been
  affected by several vulnerabilities in its init script that could
  have been avoided with systemd.
  - In terms of simplicity, with systemd the authbind package is no
    longer necessary to bind to privileged ports, and the startup
    script is now ridiculously short and readable [2].
  - Security wise, Tomcat is sandboxed and unable to write on the
    system besides its work directories. It also has a private tmp
    directory which prevents a whole class of vulnerabilities.
    I've tried to further isolate Tomcat from the system by using
    the chroot features (with the RootDirectory directive) but
    I haven't figured out how to use it properly.
* Tomcat is now automatically restarted if the JVM crashes
  (another systemd feature).
* The common, shared and server directories in CATALINA_BASE are
  no longer added to the classpath. This is in line with the
  upstream releases since the version 5.5.

Please give it a try and post your feedback, I plan to upload tomcat9
next month when I'm back from vacation.

Emmanuel Bourg

[1] https://salsa.debian.org/ebourg/tomcat9
[2]
https://salsa.debian.org/ebourg/tomcat9/blob/master/debian/libexec/tomcat-start.sh
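
The following is an added example, not part of the original message and not the tomcat9 package's own unit file or code: a small audit of a systemd unit for the properties the mail describes (fixed user, private tmp, read-only system outside the work directories, privileged ports without authbind, restart after a crash). The mapping to `PrivateTmp`, `ProtectSystem`, `ReadWritePaths`, `AmbientCapabilities` and `Restart` is an assumption about which systemd directives provide those properties; the sample unit, its account name and its paths are constructed placeholders.

```python
# Constructed sample unit: the account name and paths are placeholders,
# not values taken from the tomcat9 package.
SAMPLE_UNIT = """\
[Unit]
Description=Servlet container (constructed sample)

[Service]
User=tomcat-example
ExecStart=/bin/sh /path/to/tomcat-start.sh
SyslogIdentifier=tomcat9
PrivateTmp=yes
ProtectSystem=strict
ReadWritePaths=/path/to/logs
ReadWritePaths=/path/to/work
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=on-abort
"""

def parse_service(text):
    """Return {directive: [values]} for [Service]; repeated keys accumulate."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).append(value.strip())
    return out

def audit(text):
    """Return findings; an empty list means every check passed."""
    svc = parse_service(text)
    last = lambda key: svc.get(key, [""])[-1]
    caps = " ".join(svc.get("AmbientCapabilities", [])).split()
    findings = []
    if not last("User") or "$" in last("User") or last("User") == "root":
        findings.append("User is not a fixed non-root account")
    if last("PrivateTmp").lower() not in ("yes", "true", "on", "1"):
        findings.append("PrivateTmp is off: /tmp is shared with other processes")
    if last("ProtectSystem") != "strict" or not svc.get("ReadWritePaths"):
        findings.append("file system is not read-only outside listed work paths")
    if "CAP_NET_BIND_SERVICE" not in caps:
        findings.append("no CAP_NET_BIND_SERVICE: ports below 1024 need a helper")
    if last("Restart") in ("", "no"):
        findings.append("Restart is unset: a JVM crash leaves the service down")
    return findings
```

Calling `audit()` on the text of a unit file returns an empty list when all five properties are present; on a running host, `systemd-analyze security <unit>` gives a broader view of the same sandboxing settings.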