Fix the systemd unit security section.

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+        "ansible.python.interpreterPath": "/opt/local/bin/python3.10"
+}

defaults/main.yml

@@ -79,6 +79,8 @@ tomcat_m_enable_instances: True
 tomcat_m_jndi_pool: False
 tomcat_m_direct_access: False
 
+tomcat_systemd_additional_rw_paths: []
+
 # JMX and debugging
 tomcat_m_enable_remote_debugging: False
 tomcat_m_remote_debugging_host: '0.0.0.0'

templates/tomcat-service.j2

@@ -7,7 +7,7 @@ Description=Apache Tomcat {{ tomcat_version}} Web Application Server
 After=syslog.target network.target
 StartLimitIntervalSec=500
 StartLimitBurst=5
-RequiresMountsFor={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} /var/lib/tomcat{{ tomcat_version }}
+RequiresMountsFor={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} {{ item.instance_path }}
 
 [Service]
 Environment="CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}"
@@ -18,7 +18,7 @@ ExecStartPre=+/usr/libexec/tomcat{{ tomcat_version}}/tomcat-update-policy.sh
 ExecStart=/bin/sh /usr/libexec/tomcat{{ tomcat_version }}/tomcat-instance-{{ item.http_port }}-start.sh
 SuccessExitStatus=143
 RestartSec=10
-Restart=on-failure on-abort
+Restart=on-failure
 # Logging
 SyslogIdentifier=tomcat{{ tomcat_version }}
 
@@ -33,8 +33,12 @@ CacheDirectoryMode=750
 ProtectSystem=strict
 ReadWritePaths={{ item.instance_path }}/conf/Catalina/
 ReadWritePaths={{ item.instance_path }}/webapps
+ReadWritePaths={{ item.instance_path }}/lib
 ReadWritePaths={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}
-{% endif %}
+{% for path in tomcat_systemd_additional_rw_paths %}
+ReadWritePaths={{ path }}
+{% endfor %}
+
 {% if tomcat_systemd_security_enhanced %}
 ProtectSystem=strict
 ProtectHome=yes
@@ -46,6 +50,7 @@ RestrictAddressFamilies=AF_INET6 AF_INET
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 {% endif %}
+{% endif %}
 
 [Install]
 WantedBy=multi-user.target