
Restore tip of “master” from April 2019

ca0f08fc57
but gitlab does not allow fetching by commit id; even a --mirror
clone lacks this object, but downloading from the webinterface yields
tomcat9-ca0f08fc57c5617268815752f3d206a5b9358a0b.tar.gz which this is
tags/debian/9.0.16-5
mirabilos mirabilos 1 year ago
parent
commit
7ca3792446
17 changed files with 271 additions and 13 deletions
  1. +7
    -0
      debian/README.Debian
  2. +18
    -0
      debian/changelog
  3. +1
    -1
      debian/control
  4. +1
    -0
      debian/copyright
  5. +4
    -3
      debian/default.template
  6. +15
    -0
      debian/libexec/sysv-getjre.sh
  7. +33
    -0
      debian/libexec/sysv-start.sh
  8. +0
    -1
      debian/libexec/tomcat-locate-java.sh
  9. +1
    -1
      debian/libexec/tomcat-start.sh
  10. +2
    -0
      debian/logging.properties
  11. +1
    -1
      debian/setenv.sh
  12. +163
    -0
      debian/tomcat9.init
  13. +1
    -0
      debian/tomcat9.install
  14. +2
    -0
      debian/tomcat9.lintian-overrides
  15. +17
    -4
      debian/tomcat9.postinst
  16. +2
    -2
      debian/tomcat9.service
  17. +3
    -0
      debian/tomcat9.tmpfile

+ 7
- 0
debian/README.Debian

@@ -54,6 +54,13 @@ Getting started
systemctl daemon-reload
systemctl restart tomcat9

⚠ This is supported only when Tomcat is started with the systemd unit.

Using Tomcat with other init systems is supported, however that will
negate the security hardening detailed above, make Tomcat not have
its own temporary directory, not drop privileges/capabilities after
start, and not be restarted on crashing. Use at your own risk.

* To run more than one Tomcat instance on your server, install the package
tomcat9-user and run the tomcat9-instance-create utility.
You should remove the tomcat9 package if you don't want Tomcat to


+ 18
- 0
debian/changelog

@@ -1,3 +1,21 @@
tomcat9 (9.0.16-4) unstable; urgency=medium

* Team upload.
* debian/logging.properties: Add commented-out non-systemd configuration
* Make tomcat9 installable without systemd:
- Readd logic to create the system user via adduser
- Add sysvinit script, for init independence (Closes: #925473)
* debian/README.Debian: Document non-systemd risks
* debian/libexec/tomcat-locate-java.sh: Remove shebang and make
not executable as this is only ever sourced (makes no sense otherwise)
* Make the systemd startup script honour the (renamed) $SECURITY_MANAGER
* Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
a suitable GC automatically anyway (Closes: #925928)
* Correct the ownership and permissions on the log directory:
group adm and setgid (Closes: #925929)

-- Thorsten Glaser <tg@mirbsd.de> Tue, 02 Apr 2019 22:54:17 +0200

tomcat9 (9.0.16-3) unstable; urgency=medium

* Removed read/write access to /var/lib/solr (Closes: #923299)


+ 1
- 1
debian/control

@@ -47,7 +47,7 @@ Package: tomcat9
Architecture: all
Depends:
lsb-base (>= 3.0-6),
systemd (>= 215),
systemd (>= 215) | adduser,
tomcat9-common (>= ${source:Version}),
ucf,
${misc:Depends}


+ 1
- 0
debian/copyright

@@ -49,6 +49,7 @@ Copyright: 2008,2011, Canonical Ltd.
2013-2014, Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
2013-2018, Emmanuel Bourg <ebourg@apache.org>
2001-2017, Markus Koschany <apo@debian.org>
2015–2019, mirabilos <t.glaser@tarent.de>
License: Apache-2.0

License: Apache-2.0


+ 4
- 3
debian/default.template

@@ -3,9 +3,10 @@
# OpenJDK and the Oracle JDK are tried.
#JAVA_HOME=/usr/lib/jvm/java-8-openjdk

# You may pass JVM startup parameters to Java here. If unset, the default
# options will be: -Djava.awt.headless=true -XX:+UseG1GC
JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
# You may pass JVM startup parameters to Java here. If you run Tomcat with
# Java 8 instead of 9 or newer, add "-XX:+UseG1GC" to select a suitable GC.
# If unset, the default options will be: -Djava.awt.headless=true
JAVA_OPTS="-Djava.awt.headless=true"

# To enable remote debugging uncomment the following line.
# You will then be able to use a Java debugger on port 8000.


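--- a/debian/libexec/sysv-getjre.sh
+++ b/debian/libexec/sysv-getjre.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# SYSVinit script helper to determine the JRE (for start-stop-daemon)
+#
+
+. /usr/libexec/tomcat9/tomcat-locate-java.sh
+set +e
+
+. /usr/share/tomcat9/bin/setclasspath.sh
+
+if test -n "$_RUNJAVA"; then
+printf "OK<%s>" "$_RUNJAVA"
+else
+echo UNSET
+fi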
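Review bot: Diagnostics from the two sourced scripts are lost on failure, because tomcat9.init captures this helper's stdout with `$(…)` and overwrites it with `FAIL:$?` when the exit status is non-zero, so anything setclasspath.sh prints before exiting never reaches the administrator. Sending the sourced scripts' output to stderr, e.g. `. /usr/share/tomcat9/bin/setclasspath.sh >&2`, keeps stdout reserved for the `OK<…>`/`UNSET` reply that the init script's `case` parses. A one-line comment saying why `set +e` follows the first `.` would also help; presumably tomcat-locate-java.sh enables errexit, but its body is not shown on this page.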

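--- a/debian/libexec/sysv-start.sh
+++ b/debian/libexec/sysv-start.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# SYSVinit script helper to wrap the systemd startup script
+#
+
+set -e
+
+# redirect stdio
+exec </dev/null
+exec >>/var/log/tomcat9/catalina.out
+exec 2>&1
+# write an initial log entry
+echo "[$(date +'%FT%T%z')] starting..."
+
+# make sure Tomcat is started with system locale
+
+# restore LC_ALL that was (un)set at initscript startup
+case $saved_LC_ALL in
+(x*) LC_ALL=${saved_LC_ALL#x} ;;
+(*) unset LC_ALL ;;
+esac
+# read global locale configuration
+test -r /etc/default/locale && . /etc/default/locale
+# export all POSIX locale-relevant environment variables if set
+for v in LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
+LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE \
+LC_MEASUREMENT LC_IDENTIFICATION LC_ALL; do
+eval "x=\${$v-x}"
+test x"$x" = x"x" || eval export "$v"
+done
+
+# hand control to the systemd startup script we wrap
+exec /usr/libexec/tomcat9/tomcat-start.sh "$@"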
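Review bot: The `eval "x=\${$v-x}"` / `eval export "$v"` pair is safe only because `$v` iterates over the literal names in the `for` list, and that deserves a comment such as `# eval is safe: $v only takes the fixed names above, never external input`, so nobody later feeds the loop from configuration. `saved_LC_ALL` is also still exported when control passes to tomcat-start.sh, so it ends up in the JVM's environment; `unset saved_LC_ALL` after the first `case` would tidy that. `/etc/default/locale` is sourced as shell code under the tomcat account (the init script starts this helper with `--chuid tomcat`), which is acceptable as long as that file stays writable by root only.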

+ 0
- 1
debian/libexec/tomcat-locate-java.sh

@@ -1,4 +1,3 @@
#!/bin/sh
#
# Script looking for a Java runtime suitable for running Tomcat
#


+ 1
- 1
debian/libexec/tomcat-start.sh

@@ -15,7 +15,7 @@ export JAVA_OPTS

# Enable the Java security manager?
SECURITY=""
[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"


# Start Tomcat
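Review bot: The test on `$SECURITY_MANAGER` fails open for anyone upgrading with the old setting, since an /etc/default/tomcat9 that still says `TOMCAT_SECURITY=yes` now starts Tomcat without `-security` and without any message. Keeping the old name as a fallback for a release, e.g. `[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY_MANAGER=true` ahead of the new test, or logging a warning when the old variable is set, would avoid silently dropping the security manager. The comparison is also exact, so `yes` or `True` in the new variable leaves it disabled; a comment in the defaults file stating the accepted value would help. The script starts and ends outside this hunk.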


+ 2
- 0
debian/logging.properties

@@ -33,7 +33,9 @@ handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.jul
2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90

java.util.logging.ConsoleHandler.level = FINE
# use one of these depending on whether you use systemd or not, or roll your own
java.util.logging.ConsoleHandler.formatter = org.apache.juli.SystemdFormatter
#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter


############################################################


+ 1
- 1
debian/setenv.sh

@@ -8,5 +8,5 @@ CATALINA_HOME=/usr/share/tomcat9

# Default Java options
if [ -z "$JAVA_OPTS" ]; then
JAVA_OPTS="-Djava.awt.headless=true -XX:+UseG1GC"
JAVA_OPTS="-Djava.awt.headless=true"
fi

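--- a/debian/tomcat9.init
+++ b/debian/tomcat9.init
@@ -0,0 +1,163 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: tomcat9
+# Required-Start: $local_fs $remote_fs $network
+# Required-Stop: $local_fs $remote_fs $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Tomcat 9
+# Description: The Tomcat 9 servlet engine runs Java Web Archives.
+### END INIT INFO
+
+# stuff away, used later
+saved_LC_ALL=${LC_ALL+x$LC_ALL}
+export saved_LC_ALL
+
+# absolute basics
+LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export LC_ALL PATH
+unset LANGUAGE
+
+# exit cleanly if disabled or not installed
+test -x /usr/libexec/tomcat9/sysv-start.sh || exit 0
+test -x /usr/libexec/tomcat9/sysv-getjre.sh || exit 0
+test -x /usr/libexec/tomcat9/tomcat-update-policy.sh || exit 0
+test -x /usr/libexec/tomcat9/tomcat-start.sh || exit 0
+
+# Debian/LSB init script foobar
+DESC='Tomcat 9 servlet engine'
+NAME=tomcat9
+readonly DESC NAME
+. /lib/init/vars.sh
+test -t 0 && VERBOSE=yes
+. /lib/lsb/init-functions
+
+# somewhat LSB-compliant exit with failure
+if test x"$1" = x"status"; then
+exit_failure_msg() {
+log_failure_msg "$@"
+exit 4
+}
+else
+exit_failure_msg() {
+log_failure_msg "$@"
+exit 1
+}
+fi
+
+# set defaults for options
+CATALINA_HOME=/usr/share/tomcat9
+CATALINA_BASE=/var/lib/tomcat9
+CATALINA_TMPDIR=/tmp/tomcat9-tmp
+export CATALINA_HOME CATALINA_BASE CATALINA_TMPDIR
+JAVA_HOME= # determined later if empty
+JAVA_OPTS=-Djava.awt.headless=true
+JSP_COMPILER= # only used if nonempty
+SECURITY_MANAGER=false
+export JAVA_HOME JAVA_OPTS JSP_COMPILER SECURITY_MANAGER
+UMASK=022
+export UMASK
+# read options
+test -r /etc/default/tomcat9 && . /etc/default/tomcat9
+
+# ensure the temporary directory exist and change to it
+rm -rf "$CATALINA_TMPDIR"
+mkdir "$CATALINA_TMPDIR" || \
+exit_failure_msg 'could not create JVM temporary directory'
+chown -h tomcat "$CATALINA_TMPDIR"
+cd "$CATALINA_TMPDIR"
+
+# figure out the JRE executable catalina.sh will use
+# (we need it for start-stop-daemon --exec for reliability)
+_RUNJAVA=$(su tomcat -s /bin/sh -c /usr/libexec/tomcat9/sysv-getjre.sh) || \
+_RUNJAVA="FAIL:$?"
+case $_RUNJAVA in
+('OK<'*'>')
+_RUNJAVA=${_RUNJAVA#'OK<'}
+_RUNJAVA=${_RUNJAVA%'>'}
+;;
+(*)
+exit_failure_msg "could not determine JRE: $_RUNJAVA"
+;;
+esac
+
+# prepare for actions
+case $1 in
+(start|stop|restart|force-reload)
+# handled below
+;;
+(try-restart|status)
+start-stop-daemon --status --quiet \
+--pidfile /var/run/tomcat9.pid \
+--exec "$_RUNJAVA" --user tomcat
+rv=$?
+# clean up stale pidfile if necessary
+(test x"$rv" = x"1" && rm -f /var/run/tomcat9.pid || :)
+# process status result
+case $1 in
+(try-restart)
+test x"$rv" = x"0" || {
+# service is not running, or status is unknown
+log_success_msg "$NAME is not running"
+exit 0
+}
+# service running, restart it
+;;
+(status)
+case $rv in
+(0)
+log_success_msg "$NAME is running"
+;;
+(4)
+log_failure_msg "could not access PID file for $NAME"
+;;
+(*)
+log_failure_msg "$NAME is not running"
+;;
+esac
+exit $rv
+;;
+esac
+;;
+(reload|*)
+# not supported
+echo >&2 "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
+exit 3
+;;
+esac
+
+# handle stopping/starting
+rv=0
+
+case $1 in
+(stop|restart|try-restart|force-reload)
+test x"$VERBOSE" = x"no" || log_daemon_msg "Stopping $DESC"
+start-stop-daemon --stop --quiet \
+--retry=10 --oknodo --remove-pidfile \
+--pidfile /var/run/tomcat9.pid \
+--exec "$_RUNJAVA" --user tomcat
+rv=$?
+test x"$VERBOSE" = x"no" || log_end_msg $rv
+;;
+esac
+
+test x"$rv" = x"0" || exit $rv
+
+case $1 in
+(start|restart|try-restart|force-reload)
+/usr/libexec/tomcat9/tomcat-update-policy.sh || \
+exit_failure_msg 'could not regenerating catalina.policy file'
+rm -f /var/run/tomcat9.pid
+test x"$VERBOSE" = x"no" || log_daemon_msg "Starting $DESC"
+start-stop-daemon --start --quiet \
+--chuid tomcat --umask "$UMASK" \
+--startas /usr/libexec/tomcat9/sysv-start.sh \
+--background --make-pidfile \
+--pidfile /var/run/tomcat9.pid \
+--exec "$_RUNJAVA" --user tomcat
+rv=$?
+test x"$VERBOSE" = x"no" || log_end_msg $rv
+;;
+esac
+
+exit $rv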
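Review bot: The temporary-directory block (`rm -rf "$CATALINA_TMPDIR"` through `cd "$CATALINA_TMPDIR"`) sits above the `case $1` dispatch, so it runs as root for every verb, including `status` and `stop`, and empties the temp directory a running Tomcat is still using. It also relies on a fixed name under world-writable /tmp: another local account that creates `/tmp/tomcat9-tmp` in the gap between `rm -rf` and `mkdir` makes every start fail, and the directory gets whatever mode root's umask yields rather than a private one. I would move the block into the `start|restart|try-restart|force-reload` branch after the stop step, create it with `mkdir -m 0700`, and check the results of `chown` and `cd`. The default `CATALINA_TMPDIR` would be better placed under a parent that only root can write, which is the isolation the README says is lost without systemd.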

+ 1
- 0
debian/tomcat9.install

@@ -8,5 +8,6 @@ debian/default.template /usr/share/tomcat9/
debian/logrotate.template /usr/share/tomcat9/
debian/sysusers/*.conf /usr/lib/sysusers.d/

debian/libexec/sysv-* /usr/libexec/tomcat9/
debian/libexec/tomcat-start.sh /usr/libexec/tomcat9/
debian/libexec/tomcat-update-policy.sh /usr/libexec/tomcat9/

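--- a/debian/tomcat9.lintian-overrides
+++ b/debian/tomcat9.lintian-overrides
@@ -0,0 +1,2 @@
+# handled in dependencies and maintainer script as alternative
+tomcat9: maintainer-script-needs-depends-on-adduser postinst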

+ 17
- 4
debian/tomcat9.postinst

@@ -12,8 +12,19 @@ CONFFILES="tomcat-users.xml web.xml server.xml logging.properties context.xml ca

case "$1" in
configure)
# Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
systemd-sysusers
# Check whether the tomcat user needs to be created
if id tomcat >/dev/null 2>&1; then
: no, it already exists
elif which systemd-sysusers >/dev/null; then
# Create the tomcat user as defined in /usr/lib/sysusers.d/tomcat9.conf
systemd-sysusers
else
# Create the tomcat user without systemd
adduser --system --home /var/lib/tomcat9 \
--shell /usr/sbin/nologin --no-create-home \
--group --disabled-password --disabled-login \
--gecos 'Apache Tomcat' tomcat
fi

# Install the configuration files
for conffile in $CONFFILES;
@@ -63,8 +74,10 @@ case "$1" in
chmod 775 /var/lib/tomcat9/webapps

# Grant read/write access to tomcat to the log and cache directories
chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/log/tomcat9/ /var/cache/tomcat9/
chmod 750 /var/log/tomcat9/ /var/cache/tomcat9/
chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/
chmod 2750 /var/log/tomcat9/
chown -Rh $TOMCAT_USER:$TOMCAT_GROUP /var/cache/tomcat9/
chmod 750 /var/cache/tomcat9/
;;
esac
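Review bot: `chown -Rh $TOMCAT_USER:adm /var/log/tomcat9/` runs as root over a tree the tomcat account can write to, and `-h` only covers symlinks, so a hard link placed in that directory would still be re-owned unless the kernel's protected_hardlinks setting refuses the link in the first place. Since the directory is now setgid, new files inherit group adm anyway, so the recursion could be dropped to `chown $TOMCAT_USER:adm /var/log/tomcat9/` or limited to regular files with a link count of one. The same applies to the recursive chown on /var/cache/tomcat9/. In the first hunk, `which systemd-sysusers >/dev/null` would be more robust as `command -v systemd-sysusers >/dev/null 2>&1`. The `case` block starts outside both hunks.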



+ 2
- 2
debian/tomcat9.service

@@ -32,13 +32,13 @@ Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
LogsDirectory=tomcat9
LogsDirectoryMode=750
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
RequiresMountsFor=/var/log/tomcat9 /var/lib/tomcat9

[Install]
WantedBy=multi-user.target
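Review bot: The unit may no longer create its own log directory, though this rendering does not show which two lines were removed; that is the case if `LogsDirectory=tomcat9` and `LogsDirectoryMode=750` were dropped in favour of the new tmpfiles.d entry and `ReadWritePaths=/var/log/tomcat9/`. With `ProtectSystem=strict`, a `ReadWritePaths=` entry that does not exist makes namespace setup fail, so the service would not start where tmpfiles.d has not run yet or the directory was removed. `RequiresMountsFor=` only orders mounts and does not create the path. A comment in the unit naming the tmpfiles.d file it depends on, e.g. `# /var/log/tomcat9 is created by tmpfiles.d (mode 2750, group adm)`, would make that dependency visible. The [Service] section starts outside this hunk.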

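--- a/debian/tomcat9.tmpfile
+++ b/debian/tomcat9.tmpfile
@@ -0,0 +1,3 @@
+# type path mode uid gid age arg(symlink target)
+
+d /var/log/tomcat9 2750 tomcat adm -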
