2

I run Tomcat 7 on my CentOS 7 machine, with systemd, under a user webapp different from the default tomcat. I guess it should be easy to accomplish this but I'm having problems.

From what I see there are three places where the user and group can be specified:

  1. /etc/tomcat/tomcat.conf
  2. /etc/sysconfig/tomcat
  3. /lib/systemd/system/tomcat.service

The last one, tomcat.service, does indeed have the default settings

    User=tomcat
    Group=tomcat

which I can change. The problem is that the tomcat.service file is overwritten in each update. This doesn't happen with tomcat.conf (here a tomcat.conf.rpmnew is created instead). However, I don't see how I can override the user there.

This behaviour seems strange to me. Does this imply that I'm not supposed to edit tomcat.service? Which is the recommended way to customize tomcat.service?

leonbloy

2 Answers

3

According to the systemd documentation, you should create the directory /lib/systemd/system/tomcat.service.d and put a file with a .conf extension there, then add the required changes for User and Group to that file:

    [Service]
    User=webapp
    Group=webapp

After this, your changes to the service will be permanent, because they are stored in a separate location, which does not change after an update. That solution was created for cases like yours, when you want to change service parameters in the .service file, but after each update it is overwritten with a new file.

Julien
Alexander Tolkachev
  • Thanks. However, the docs also say (table 9.2) that `/usr/lib/systemd/system/` is for unit files `distributed with installed RPM packages` while `/etc/systemd/system/` is `for unit files created or customized by the system administrator`. Would that imply that my user/group setting is a "customization" that should be saved in `/etc/systemd/system/`? – leonbloy May 27 '17 at 13:56
  • @leonbloy I don't think so, but to be honest, I've never changed user/group in a `.service` file; usually I do it for limits, and it worked as described in the documentation. – Alexander Tolkachev May 27 '17 at 14:19
2

The file /lib/systemd/system/tomcat.service should not be changed. If you need to overwrite them, just copy the file to /etc/systemd/system/tomcat.service, and edit the /etc/systemd/system/tomcat.service file.

After you change the file, ask systemd to reload the config:

    systemctl daemon-reload

Change the permissions so that the user has access to tomcat files (chown, chmod, setfacl). Then restart the service:

    systemctl restart tomcat

Edit: You can have a different $CATALINA_BASE pointing to a subfolder in /opt where your application is located. $CATALINA_HOME will point to where tomcat is installed by rpm. In this way, when you upgrade the tomcat package, all instances of tomcat will get upgraded. Search for "Advanced Configuration - Multiple Tomcat Instances" in https://tomcat.apache.org/tomcat-7.0-doc/RUNNING.txt. If you use this setup, $CATALINA_HOME should be owned by root with no write permission for tomcat or any other user, and $CATALINA_BASE should be owned by your application user (e.g. tomcat-myapp).

Mircea Vutcovici
  • Thanks. Now, if only the updater would not restore the ownership of tomcat's directories to the `tomcat` user, all would work nicely :-/ – leonbloy May 27 '17 at 17:40
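
An added example, not part of either answer: a User/Group drop-in written under `/etc/systemd/system/` (the administrator location quoted in the comments), plus a check for the ownership rule the second answer gives for $CATALINA_HOME, which also shows what an update has reset. The function names, the `override.conf` file name and the root-prefix argument are assumptions made for this example.

```sh
# Added example, not from either answer. Function names, override.conf and the
# root-prefix argument are assumptions; unit "tomcat" and account "webapp" are
# the names used in the question.

# Write a drop-in that overrides only User= and Group=.
# $1 root prefix ("" on a live host, a scratch directory for a dry run)
# $2 unit name, $3 user, $4 group. Prints the path of the file written.
write_dropin() {
    wd_dir="$1/etc/systemd/system/$2.service.d"
    mkdir -p "$wd_dir" || return 1
    printf '[Service]\nUser=%s\nGroup=%s\n' "$3" "$4" \
        > "$wd_dir/override.conf" || return 1
    chmod 0644 "$wd_dir/override.conf" || return 1
    printf '%s\n' "$wd_dir/override.conf"
}

# List entries under a CATALINA_HOME tree that break the rule "owned by root,
# no write permission for anyone else": not owned by $2 (user name or numeric
# uid; root on a live host), or writable by group or others.
# Symlinks are skipped because their mode is always 0777.
audit_home() {
    find "$1" ! -type l \
        \( ! -user "$2" -o -perm -0020 -o -perm -0002 \) -print
}

# Live sequence, run as root with CATALINA_HOME set. Not called automatically.
apply_override() {
    write_dropin "" tomcat webapp webapp &&
    systemctl daemon-reload &&
    systemctl restart tomcat &&
    systemctl show -p User -p Group tomcat &&
    audit_home "${CATALINA_HOME:?set CATALINA_HOME first}" root
}
```

Source the file and run `apply_override` as root; `systemctl show` should then report `User=webapp` and `Group=webapp`, and any path printed by `audit_home` is one whose ownership or mode needs fixing.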