From 39f3a8b96e7b44fa09b690f182560d77c1633f29 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 24 Jul 2024 18:19:10 +0200 Subject: [PATCH] Add some tasks that add a systemd unit when it's not part of the package. --- defaults/main.yml | 5 ++ tasks/tomcat-pkgs.yml | 163 +++++++++++++++++++++++++---------- templates/tomcat-service.j2 | 55 ++++++++++++ templates/tomcat-start.sh.j2 | 25 ++++++ 4 files changed, 203 insertions(+), 45 deletions(-) create mode 100644 templates/tomcat-service.j2 create mode 100644 templates/tomcat-start.sh.j2 diff --git a/defaults/main.yml b/defaults/main.yml index f61eeed..f73c9e8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,6 +5,10 @@ # tomcat_fixed_version: 9 tomcat_pkg_state: present tomcat_service_enabled: true +tomcat_use_systemd_unit: "{% if ansible_distribution_major_version is version_compare('18.04', '>=') %}true{{ tomcat_version }}{% else %}false{% endif %}" +tomcat_systemd_security_enhanced: false +tomcat_systemd_security: "{% if tomcat_systemd_security_enhanced %}true{% else %}false{% endif %}" + tomcat_pkgs: - 'tomcat{{ tomcat_version }}' - 'libtomcat{{ tomcat_version }}-java' @@ -60,6 +64,7 @@ tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}' tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}' tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps' tomcat_common_dir: '{{ tomcat_catalina_base_dir }}/common/' +tomcat_work_dir: '{{ tomcat_catalina_base_dir }}/work' tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes' tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat' tomcat_enable_catalina_shared_loader: true diff --git a/tasks/tomcat-pkgs.yml b/tasks/tomcat-pkgs.yml index dde6c0c..0be3ca4 100644 --- a/tasks/tomcat-pkgs.yml +++ b/tasks/tomcat-pkgs.yml 
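Review bot: `tomcat_use_systemd_unit` renders as the string `true10` (or `true8`) rather than a boolean, because `{{ tomcat_version }}` sits inside the `true` branch of the conditional and looks like a leftover; and since `tomcat_systemd_security` is likewise rendered as a lowercase string, a value of `"false"` is still a non-empty string and therefore truthy wherever the variable is used bare, which affects the `when:` lists of the two new tasks in tasks/tomcat-pkgs.yml and the `{% if tomcat_systemd_security %}` block in templates/tomcat-service.j2. Drop the stray expansion, `tomcat_use_systemd_unit: "{% if ansible_distribution_major_version is version_compare('18.04', '>=') %}true{% else %}false{% endif %}"`, and either apply `| bool` at each consumer (`- tomcat_use_systemd_unit | bool` in the `when:` lists, `{% if tomcat_systemd_security | bool %}` in the template) or define `tomcat_systemd_security: "{{ tomcat_systemd_security_enhanced | bool }}"` so a real boolean is handed through. Separately, on Ubuntu `ansible_distribution_major_version` normally carries only the year (`18`, `24`) while the full release `18.04` lives in `ansible_distribution_version`, so the `>= '18.04'` test as written would be false on bionic itself; please confirm on a bionic host which fact the role intends to compare.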
@@ -1,93 +1,166 @@ --- -- name: Set the tomcat version for ubuntu Trusy - set_fact: +- name: tomcat-pkgs | Set the tomcat version for ubuntu Trusy + ansible.builtin.set_fact: tomcat_version: 7 when: - ansible_distribution_major_version is version_compare('16.04', '<') - tomcat_fixed_version is not defined - tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] + tags: ['tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody'] -- name: Set the tomcat version for Ubuntu bionic - set_fact: +- name: tomcat-pkgs | Set the tomcat version for Ubuntu bionic + ansible.builtin.set_fact: tomcat_version: 8 when: - ansible_distribution_major_version is version_compare('18.04', '==') - tomcat_fixed_version is not defined - tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] + tags: ['tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody'] -- name: Set the tomcat version for Ubuntu bionic - set_fact: +- name: tomcat-pkgs | Set the tomcat version for Ubuntu bionic + ansible.builtin.set_fact: tomcat_version: 10 when: - ansible_distribution_major_version is version_compare('24.04', '==') - tomcat_fixed_version is not defined - tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] + tags: ['tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody'] -- name: Impose a tomcat version - set_fact: +- name: tomcat-pkgs | Impose a tomcat version + ansible.builtin.set_fact: tomcat_version: '{{ tomcat_fixed_version }}' when: tomcat_fixed_version is defined - tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] + tags: ['tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody'] -- name: Print the Tomcat version - debug: - msg: "The Tomcat version we are going to install is {{ tomcat_version }}" - tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] +- name: tomcat-pkgs | Print the Tomcat version + ansible.builtin.debug: + msg: "The Tomcat version we are going to install is {{ tomcat_version }}" + tags: 
['tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody'] -- name: Install the tomcat packages - apt: pkg={{ tomcat_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800 +- name: tomcat-pkgs | Install the tomcat packages + ansible.builtin.apt: + pkg: "{{ tomcat_pkgs }}" + state: "{{ tomcat_pkg_state }}" + cache_valid_time: 1800 tags: tomcat -- name: Install additional packages needed by tomcat 8+ - apt: pkg={{ tomcat8_additional_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800 +- name: tomcat-pkgs | Install additional packages needed by tomcat 8+ + ansible.builtin.apt: + pkg: "{{ tomcat8_additional_pkgs }}" + state: "{{ tomcat_pkg_state }}" + cache_valid_time: 1800 when: tomcat_version is version_compare('8', '>=') - tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody' ] + tags: ['tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody'] -- name: Create the tomcat tmp directory - file: dest={{ tomcat_tmp_dir }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} +- name: tomcat-pkgs | Create the tomcat tmp directory + ansible.builtin.file: + dest: "{{ tomcat_tmp_dir }}" + state: directory + owner: "{{ tomcat_user }}" + group: "{{ tomcat_user }}" + mode: "0750" notify: tomcat restart tags: tomcat - -- name: Create the catalina temp directory, if different from the default - file: dest={{ catalina_tmp_directory }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} + +- name: tomcat-pkgs | Create the catalina temp directory, if different from the default + ansible.builtin.file: + dest: "{{ catalina_tmp_directory }}" + state: directory + owner: "{{ tomcat_user }}" + group: "{{ tomcat_user }}" + mode: "0750" when: catalina_tmp_directory is defined - notify: tomcat restart + notify: tomcat restart tags: tomcat - -- name: Configure tomcat defaults - template: src=tomcat-default.j2 dest=/etc/default/tomcat{{ tomcat_version }} + +- name: tomcat-pkgs | Configure tomcat defaults + 
ansible.builtin.template: + src: tomcat-default.j2 + dest: "/etc/default/tomcat{{ tomcat_version }}" + owner: root + group: "{{ tomcat_user }}" + mode: "0640" when: tomcat_install_default_conf | bool notify: tomcat restart - tags: [ 'tomcat', 'tomcat_default', 'tomcat_conf' ] + tags: ['tomcat', 'tomcat_default', 'tomcat_conf'] -- name: Configure tomcat server.xml - template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml +- name: tomcat-pkgs | Configure tomcat server.xml + ansible.builtin.template: + src: tomcat-server.xml.j2 + dest: "{{ tomcat_conf_dir }}/server.xml" + owner: root + group: "{{ tomcat_user }}" + mode: "0640" when: tomcat_install_server_xml | bool notify: tomcat restart - tags: [ 'tomcat', 'tomcat_serverxml', 'tomcat_conf' ] + tags: ['tomcat', 'tomcat_serverxml', 'tomcat_conf'] -- name: Configure tomcat web.xml - template: src=tomcat-web.xml.j2 dest={{ tomcat_conf_dir }}/web.xml +- name: tomcat-pkgs | Configure tomcat web.xml + ansible.builtin.template: + src: tomcat-web.xml.j2 + dest: "{{ tomcat_conf_dir }}/web.xml" + owner: root + group: "{{ tomcat_user }}" + mode: "0640" notify: tomcat restart - tags: [ 'tomcat', 'tomcat_serverxml', 'tomcat_conf' ] + tags: ['tomcat', 'tomcat_serverxml', 'tomcat_conf'] -- name: Install a slightly modified catalina.properties - template: src=catalina.properties.j2 dest={{ tomcat_conf_dir }}/catalina.properties owner=root group={{ tomcat_user }} mode=0644 +- name: tomcat-pkgs | Install the startup script used by the systemd unit + ansible.builtin.template: + src: tomcat-start.sh.j2 + dest: "/usr/libexec/tomcat{{ tomcat_version }}/tomcat-start.sh" + owner: root + group: root + mode: "0755" + notify: tomcat restart + when: + - tomcat_use_systemd_unit + - ansible_distribution_major_version is version_compare('24.04', '<') + tags: ['tomcat', 'tomcat_serverxml', 'tomcat_conf'] + +- name: tomcat-pkgs | Install the systemd unit + ansible.builtin.template: + src: tomcat-service.j2 + dest: 
"/etc/systemd/system/tomcat{{ tomcat_version }}" + owner: root + group: root + mode: "0644" + notify: tomcat restart + when: + - tomcat_use_systemd_unit + - ansible_distribution_major_version is version_compare('24.04', '<') + tags: ['tomcat', 'tomcat_serverxml', 'tomcat_conf'] + +- name: tomcat-pkgs | Install a slightly modified catalina.properties + ansible.builtin.template: + src: catalina.properties.j2 + dest: "{{ tomcat_conf_dir }}/catalina.properties" + owner: root + group: "{{ tomcat_user }}" + mode: "0644" when: tomcat_install_default_conf | bool notify: tomcat restart - tags: [ 'tomcat', 'tomcat_catalinaprops' ] + tags: ['tomcat', 'tomcat_catalinaprops'] -- name: Create some directories that the package do not creates itself - file: dest={{ tomcat_catalina_home_dir }}/{{ item }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} mode=0755 +- name: tomcat-pkgs | Create some directories that the package do not creates itself + ansible.builtin.file: + dest: "{{ tomcat_catalina_home_dir }}/{{ item }}" + state: directory + owner: "{{ tomcat_user }}" + group: "{{ tomcat_user }}" + mode: "0755" with_items: - common/classes - server/classes - shared/classes tags: tomcat -- name: On tomcat8, create a link to commons-daemon.jar to avoid exceptions at startup - file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/{{ item }} state=link owner=root group=root mode=0644 +- name: tomcat-pkgs | On tomcat8, create a link to commons-daemon.jar to avoid exceptions at startup + ansible.builtin.file: + src: "/usr/share/java/{{ item }}" + dest: "{{ tomcat_catalina_home_dir }}/bin/{{ item }}" + state: link + owner: root + group: root + mode: "0644" with_items: - commons-daemon.jar when: tomcat_version is version_compare('8', '>=') - tags: [ 'tomcat', 'tomcat_conf' ] + tags: ['tomcat', 'tomcat_conf'] diff --git a/templates/tomcat-service.j2 b/templates/tomcat-service.j2 new file mode 100644 index 0000000..9b45fea --- /dev/null 
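Review bot: The unit is written to `/etc/systemd/system/tomcat{{ tomcat_version }}` without a `.service` suffix, so systemd does not load the file as a unit and a restart keeps acting on whatever unit the package provides; the target should be `dest: "/etc/systemd/system/tomcat{{ tomcat_version }}.service"`. A new or changed unit file is also only seen after `systemctl daemon-reload`; unless the `tomcat restart` handler (not visible here) already does that, register the template result and add an `ansible.builtin.systemd_service` task with `daemon_reload: true` under the same `when:` conditions, or notify a dedicated reload handler before the restart. `ansible.builtin.template` does not create parent directories, so the `/usr/libexec/tomcat{{ tomcat_version }}/` target for `tomcat-start.sh` presumably relies on the package having created it — and on releases where the package already ships its own `tomcat-start.sh` at that path this template silently replaces it, which is worth stating in the task name or guarding with a `stat` check. Both systemd tasks carry the copied tag `tomcat_serverxml`, which has nothing to do with server.xml; a dedicated tag such as `tomcat_systemd` would let the unit be re-applied on its own.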
+++ b/templates/tomcat-service.j2
@@ -0,0 +1,55 @@
+#
+# Systemd unit file for Apache Tomcat
+#
+
+[Unit]
+Description=Apache Tomcat {{ tomcat_version}} Web Application Server
+After=syslog.target network.target
+StartLimitIntervalSec=500
+StartLimitBurst=5
+RequiresMountsFor=/var/log/tomcat{{ tomcat_version }} /var/lib/tomcat{{ tomcat_version }}
+
+[Service]
+Environment="CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}"
+Environment="CATALINA_BASE=/var/lib/tomcat{{ tomcat_version }}"
+Environment="CATALINA_TMPDIR={{ tomcat_tmp_dir }}"
+Environment="JAVA_OPTS=-Djava.awt.headless=true"
+
+Type=simple
+ExecStartPre=+/usr/libexec/tomcat{{ tomcat_version}}/tomcat-update-policy.sh
+ExecStart=/bin/sh /usr/libexec/tomcat{{ tomcat_version }}/tomcat-start.sh
+SuccessExitStatus=143
+RestartSec=10
+Restart=on-failure on-abort
+# Logging
+SyslogIdentifier=tomcat{{ tomcat_version }}
+
+User={{ tomcat_user }}
+Group={{ tomcat_user }}
+{% if tomcat_systemd_security %}
+PrivateTmp=yes
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+CacheDirectory=tomcat{{ tomcat_version }}
+CacheDirectoryMode=750
+ProtectSystem=strict
+ReadWritePaths=/etc/tomcat{{ tomcat_version }}/Catalina/
+ReadWritePaths={{ tomcat_webapps_dir }}
+ReadWritePaths={{ tomcat_logdir }}
+{% endif %}
+{% if tomcat_systemd_security_enhanced %}
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ReadWritePaths={{ tomcat_work_dir }}
+ReadWritePaths={{ tomcat_tmp_dir }}
+RestrictAddressFamilies=AF_INET6 AF_INET
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/tomcat-start.sh.j2 b/templates/tomcat-start.sh.j2
new file mode 100644
index 0000000..101199e
--- /dev/null
+++ b/templates/tomcat-start.sh.j2
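Review bot: `Restart=on-failure on-abort` is not a valid value — `Restart=` takes a single keyword, and systemd rejects the whole assignment with a parse warning, leaving the service without any automatic restart; `Restart=on-failure` already covers termination by signal. The first hardening block turns on `ProtectSystem=strict` but only lists the Catalina conf, webapps and log directories as writable, while `CATALINA_TMPDIR={{ tomcat_tmp_dir }}` and `{{ tomcat_work_dir }}` appear as `ReadWritePaths=` only in the enhanced block, so with `tomcat_systemd_security` alone Tomcat cannot write its temp or work directory unless those paths fall under an already-listed one or under `CacheDirectory=`; moving `ReadWritePaths={{ tomcat_tmp_dir }}` and `ReadWritePaths={{ tomcat_work_dir }}` up into the first block avoids a startup failure that only shows up in the journal. In the enhanced block `PrivateUsers=yes` places the service in its own user namespace, where the `AmbientCapabilities=CAP_NET_BIND_SERVICE` granted above no longer allows binding ports below 1024 on the host network, so that combination should be confirmed on a host that serves 80/443 directly; the repeated `ProtectSystem=strict` there is redundant with the first block. `{{ tomcat_logdir }}` is used but not defined anywhere in this patch, and `{{ tomcat_version}}` is missing its closing space on the `Description=` and `ExecStartPre=` lines.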
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Startup script for Apache Tomcat with systemd
+#
+
+set -e
+
+# Load the service settings
+. /etc/default/tomcat{{ tomcat_version}}
+
+# Find the Java runtime and set JAVA_HOME
+. /usr/libexec/tomcat{{ tomcat_version }}/tomcat-locate-java.sh
+
+# Set the JSP compiler if configured in the /etc/default/tomcat10 file
+[ -n "$JSP_COMPILER" ] && JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
+
+export JAVA_OPTS
+
+# Enable the Java security manager?
+SECURITY=""
+[ "$SECURITY_MANAGER" = "true" ] && SECURITY="-security"
+
+
+# Start Tomcat
+cd $CATALINA_BASE && exec $CATALINA_HOME/bin/catalina.sh run $SECURITY
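Review bot: The last line expands `$CATALINA_BASE` and `$CATALINA_HOME` unquoted, so a value containing whitespace is split into several words before `cd` and `exec` see it; `cd "$CATALINA_BASE" && exec "$CATALINA_HOME/bin/catalina.sh" run $SECURITY` quotes the paths while keeping the deliberately word-split `$SECURITY`. With `set -e`, the two sourcing lines abort the script if `/etc/default/tomcat{{ tomcat_version}}` or `/usr/libexec/tomcat{{ tomcat_version }}/tomcat-locate-java.sh` is absent, and this patch ships neither (the defaults file is only templated when `tomcat_install_default_conf` is set), so the script presumably relies on both coming from the distribution package — a one-line comment stating that assumption would save the next reader a trip to the journal. The comment `# Set the JSP compiler if configured in the /etc/default/tomcat10 file` hardcodes `tomcat10` although the path it describes is templated; `# Set the JSP compiler if configured in /etc/default/tomcat{{ tomcat_version }}` stays accurate for every version.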