ansible-role-tomcat-multipl.../templates/tomcat-service.j2

#
# Systemd unit file for Apache Tomcat
#

[Unit]
Description=Apache Tomcat {{ tomcat_version}} Web Application Server
After=syslog.target network.target
StartLimitIntervalSec=500
StartLimitBurst=5
RequiresMountsFor={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} {{ item.instance_path }}

[Service]
{% if limits_nofile_value is defined %}
LimitNOFILE={{ limits_nofile_value }}
{% endif %}
Environment="CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}"
Environment="CATALINA_BASE={{ item.instance_path }}"
Environment="CATALINA_TMPDIR={{ item.catalina_tmp_directory }}"
Type=simple
ExecStartPre=+/usr/libexec/tomcat{{ tomcat_version}}/tomcat-update-policy.sh
ExecStart=/bin/sh /usr/libexec/tomcat{{ tomcat_version }}/tomcat-instance-{{ item.http_port }}-start.sh
SuccessExitStatus=143
RestartSec=10
Restart=on-failure
# Logging
SyslogIdentifier=tomcat{{ tomcat_version }}

User={{ item.user }}
Group={{ item.user }}
{% if tomcat_systemd_security %}
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory={{ tomcat_m_cache_base }}/{{ item.http_port }}
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths={{ item.instance_path }}/conf/Catalina/
ReadWritePaths={{ item.instance_path }}/webapps
ReadWritePaths={{ item.instance_path }}/lib
ReadWritePaths={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}
{% for path in tomcat_systemd_additional_rw_paths %}
ReadWritePaths={{ path }}
{% endfor %}

{% if tomcat_systemd_security_enhanced %}
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
PrivateUsers=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_INET6 AF_INET
SystemCallArchitectures=native
SystemCallFilter=@system-service
{% endif %}
{% endif %}

[Install]
WantedBy=multi-user.target
Add a systemd unit. 2024-07-31 19:12:46 +02:00			`#`
			`# Systemd unit file for Apache Tomcat`
			`#`

			`[Unit]`
			`Description=Apache Tomcat {{ tomcat_version}} Web Application Server`
			`After=syslog.target network.target`
			`StartLimitIntervalSec=500`
			`StartLimitBurst=5`
Fix the systemd unit security section. 2024-08-02 12:45:02 +02:00			`RequiresMountsFor={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} {{ item.instance_path }}`
Add a systemd unit. 2024-07-31 19:12:46 +02:00
			`[Service]`
Move the ulimit settings inside the systemd unit. 2024-08-02 13:33:24 +02:00			`{% if limits_nofile_value is defined %}`
			`LimitNOFILE={{ limits_nofile_value }}`
			`{% endif %}`
Add a systemd unit. 2024-07-31 19:12:46 +02:00			`Environment="CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}"`
			`Environment="CATALINA_BASE={{ item.instance_path }}"`
			`Environment="CATALINA_TMPDIR={{ item.catalina_tmp_directory }}"`
			`Type=simple`
			`ExecStartPre=+/usr/libexec/tomcat{{ tomcat_version}}/tomcat-update-policy.sh`
			`ExecStart=/bin/sh /usr/libexec/tomcat{{ tomcat_version }}/tomcat-instance-{{ item.http_port }}-start.sh`
			`SuccessExitStatus=143`
			`RestartSec=10`
Fix the systemd unit security section. 2024-08-02 12:45:02 +02:00			`Restart=on-failure`
Add a systemd unit. 2024-07-31 19:12:46 +02:00			`# Logging`
			`SyslogIdentifier=tomcat{{ tomcat_version }}`

			`User={{ item.user }}`
			`Group={{ item.user }}`
			`{% if tomcat_systemd_security %}`
			`PrivateTmp=yes`
			`AmbientCapabilities=CAP_NET_BIND_SERVICE`
			`NoNewPrivileges=true`
			`CacheDirectory={{ tomcat_m_cache_base }}/{{ item.http_port }}`
			`CacheDirectoryMode=750`
			`ProtectSystem=strict`
			`ReadWritePaths={{ item.instance_path }}/conf/Catalina/`
			`ReadWritePaths={{ item.instance_path }}/webapps`
Fix the systemd unit security section. 2024-08-02 12:45:02 +02:00			`ReadWritePaths={{ item.instance_path }}/lib`
Add a systemd unit. 2024-07-31 19:12:46 +02:00			`ReadWritePaths={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}`
Fix the systemd unit security section. 2024-08-02 12:45:02 +02:00			`{% for path in tomcat_systemd_additional_rw_paths %}`
			`ReadWritePaths={{ path }}`
			`{% endfor %}`

Add a systemd unit. 2024-07-31 19:12:46 +02:00			`{% if tomcat_systemd_security_enhanced %}`
			`ProtectSystem=strict`
			`ProtectHome=yes`
			`PrivateDevices=yes`
			`PrivateUsers=yes`
			`ProtectKernelTunables=yes`
			`ProtectKernelLogs=yes`
			`RestrictAddressFamilies=AF_INET6 AF_INET`
			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
			`{% endif %}`
Fix the systemd unit security section. 2024-08-02 12:45:02 +02:00			`{% endif %}`
Add a systemd unit. 2024-07-31 19:12:46 +02:00
			`[Install]`
			`WantedBy=multi-user.target`