No Logging for IdP4.0.0

Peter Schober peter.schober at univie.ac.at
Sat Apr 18 07:14:45 EDT 2020


* Cantor, Scott <cantor.2 at osu.edu> [2020-04-17 19:31]:
> On 4/17/20, 1:16 PM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:
> > I haven't yet looked at Jetty (I know... ) but then all my service
> > does is call /usr/bin/java (managed by the alternatives system) in
> > ExecStart, so that should work with any other servlet container just
> > as well.
> 
> It's the setuid issue that creates problems, and I run Jetty on 443,
> since it doesn't have AJP support. That creates requirements for
> weird startup behavior to get it forking properly, or has in the
> past. I have a really nasty init script that I try not to touch
> because it works.

I don't use setuid but run Tomcat as the TLS webserver on port 443
just the same, using systemd's built-in support for POSIX Capabilities.
Again from Debian 10's default service unit for Tomcat9:

AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

(I've been doing that since before systemd, by running setcap on the
java binary but that was tedious -- had to be repeated after every JVM
update -- and ugly. The above is simple and Just Works™.)

I've attached both the default service and my override to this email to
make it easier to see what the full union is (and so I don't have to
hunt down a public URL for Tomcat's default service in Debian's VCSs).

-peter
-------------- next part --------------
#
# Systemd unit file for Apache Tomcat
#

[Unit]
Description=Apache Tomcat 9 Web Application Server
Documentation=https://tomcat.apache.org/tomcat-9.0-doc/index.html
After=network.target

[Service]

# Configuration
Environment="CATALINA_HOME=/usr/share/tomcat9"
Environment="CATALINA_BASE=/var/lib/tomcat9"
Environment="CATALINA_TMPDIR=/tmp"
Environment="JAVA_OPTS=-Djava.awt.headless=true"

# Lifecycle
Type=simple
ExecStartPre=+/usr/libexec/tomcat9/tomcat-update-policy.sh
ExecStart=/bin/sh /usr/libexec/tomcat9/tomcat-start.sh
SuccessExitStatus=143
Restart=on-abort

# Logging
SyslogIdentifier=tomcat9

# Security
User=tomcat
Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
RequiresMountsFor=/var/log/tomcat9

[Install]
WantedBy=multi-user.target
-------------- next part --------------
[Service]
Environment="JAVA_OPTS=-Djava.awt.headless=true -Xmx1g"
Environment="JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048"
ExecStart=
ExecStart=/usr/bin/java \
  $JAVA_OPTS $JSSE_OPTS \
  -classpath ${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar \
  -Dcatalina.base=${CATALINA_BASE} \
  -Dcatalina.home=${CATALINA_HOME} \
  -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties \
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
  -Djava.io.tmpdir=${CATALINA_TMPDIR} \
  org.apache.catalina.startup.Bootstrap
ReadWritePaths=/opt/shibboleth-idp/logs/
ReadWritePaths=/opt/shibboleth-idp/metadata/
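The point of the `AmbientCapabilities=CAP_NET_BIND_SERVICE` plus `NoNewPrivileges=true` pair above is that the JVM binds port 443 while holding exactly one capability and cannot regain any others through setuid binaries. Whether that actually took effect is visible in `/proc/<pid>/status`. The script below is an added example (not from Peter's mail or Debian's Tomcat packaging) that reads the `CapEff`, `CapAmb` and `NoNewPrivs` fields and fails unless the process holds only CAP_NET_BIND_SERVICE (capability bit 10, mask 0x400) with no-new-privs set; the two status files it checks are constructed samples of what a confined and an unconfined JVM look like.

```shell
#!/bin/sh
# Verify that a systemd-started JVM holds only CAP_NET_BIND_SERVICE and has
# no_new_privs set, by parsing the capability lines of /proc/<pid>/status.
# Added example; not part of the original mailing-list post.

# CAP_NET_BIND_SERVICE is capability bit 10, i.e. 0x400 in the hex bitmasks
# printed by /proc/<pid>/status.
CAP_NET_BIND_SERVICE_MASK=400

# status_field NAME FILE: print the value of the "NAME:<tab>value" line.
status_field() {
  awk -v k="$1:" '$1 == k { print $2; exit }' "$2"
}

# strip_zeros HEX: drop leading zeros so masks compare as plain strings.
strip_zeros() {
  v=$(printf '%s' "$1" | sed 's/^0*//')
  [ -n "$v" ] && printf '%s' "$v" || printf '0'
}

# check_status FILE: return 0 if the process described by FILE is confined
# the way the unit intends, 1 otherwise (with a reason on stderr).
check_status() {
  f="$1"
  eff=$(strip_zeros "$(status_field CapEff "$f")")
  amb=$(strip_zeros "$(status_field CapAmb "$f")")
  nnp=$(status_field NoNewPrivs "$f")
  rc=0
  [ "$eff" = "$CAP_NET_BIND_SERVICE_MASK" ] || {
    echo "CapEff is 0x$eff, expected 0x$CAP_NET_BIND_SERVICE_MASK (CAP_NET_BIND_SERVICE only)" >&2
    rc=1
  }
  [ "$amb" = "$CAP_NET_BIND_SERVICE_MASK" ] || {
    echo "CapAmb is 0x$amb, expected 0x$CAP_NET_BIND_SERVICE_MASK (AmbientCapabilities= not applied?)" >&2
    rc=1
  }
  [ "$nnp" = "1" ] || {
    echo "NoNewPrivs is '$nnp', expected 1 (NoNewPrivileges=true not applied?)" >&2
    rc=1
  }
  return $rc
}

# check_pid PID: check a live process on this host.
check_pid() {
  check_status "/proc/$1/status"
}

# Constructed samples (not captured from a real host) of the relevant lines.
SAMPLE_DIR=$(mktemp -d)

# A JVM running as User=tomcat under the unit above: one capability, nnp set.
cat > "$SAMPLE_DIR/confined" <<'EOF'
Name:	java
Uid:	107	107	107	107
NoNewPrivs:	1
CapInh:	0000000000000400
CapPrm:	0000000000000400
CapEff:	0000000000000400
CapBnd:	000001ffffffffff
CapAmb:	0000000000000400
EOF

# A JVM started as root with no confinement: full capability set, nnp unset.
cat > "$SAMPLE_DIR/root" <<'EOF'
Name:	java
Uid:	0	0	0	0
NoNewPrivs:	0
CapInh:	0000000000000000
CapPrm:	000001ffffffffff
CapEff:	000001ffffffffff
CapBnd:	000001ffffffffff
CapAmb:	0000000000000000
EOF

# Demonstration on the two samples; the unconfined one is rejected.
for s in confined root; do
  if check_status "$SAMPLE_DIR/$s"; then
    echo "$s: OK, confined as intended"
  else
    echo "$s: NOT confined"
  fi
done
```

On a live host the same check runs against the service's main process with `check_pid "$(systemctl show -p MainPID --value tomcat9)"`; a non-zero exit means the unit's `AmbientCapabilities=` or `NoNewPrivileges=` line did not take effect (for instance because a drop-in override replaced `[Service]` settings, or the JVM was started outside systemd).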

