Server Fault Asked on December 27, 2021
I have a Java webapp that runs under Apache Tomcat on Ubuntu Linux. When I upgraded from Tomcat 9 from Tomcat 8, the application was no longer able to write log files to /var/log/myapp. I can’t figure out why it doesn’t have permission to log to this location.
My first thought was that the user changed. Tomcat 8 ran under the tomcat8:tomcat8 user. Tomcat 9 runs under tomcat:tomcat user. I updated the directory with those permissions. Both the tomcat user and tomcat group have write permission.
I also checked the write and execute permissions of that directory. That directory has write and execute permissions, and all parent directories have execute permissions.
/var/log/myapp/ drwxrwxr-x tomcat tomcat
/var/log drwxrwxr-x root syslog
/var drwxr-xr-x root root
/ drwxr-xr-x root root
If I run the following code under my web application
File logdir = new File("/var/log/myapp");
setAttribute("debug",
"<br>user: " + System.getProperty("user.name") +
"<br>execute: " + logdir.canExecute() +
"<br>read: " + logdir.canRead() +
"<br>write: " + logdir.canWrite()
);
it prints out that there is no write permission
user: tomcat
execute: true
read: true
write: false
If I run similar code in a main method as the tomcat user
File logdir = new File("/var/log/myapp");
System.out.println("n user: " + System.getProperty("user.name") +
"n execute: " + logdir.canExecute() +
"n read: " + logdir.canRead() +
"n write: " + logdir.canWrite()
);
It prints that it has write permission
user: tomcat
execute: true
read: true
write: true
I’ve exhausted all the debugging that I know how to do. What is preventing my web application from writing to this directory under tomcat 9? What do I need to do to fix it.
Stephen Ostermiller's answer solves the problem.
Another way to do it would be:
systemctl edit tomcat9.service
put in
[Service]
ReadWritePaths=/var/log/
This will get written to /etc/systemd/system/tomcat9.service.d/override.conf.
Then do
systemctl daemon-reload
systemctl restart tomcat9.service
You can go back to the original with
systemctl revert tomcat9.service
Answered by Guido on December 27, 2021
This is caused by new systemd sandboxing around tomcat 9 as part of Debian/Ubuntu. To solve the problem you need to tell systemd to allow read write access to additional directories for Tomcat.
sudo mkdir -p /etc/systemd/system/tomcat9.service.d
echo -e "[Service]nReadWritePaths=/var/log/" | sudo tee /etc/systemd/system/tomcat9.service.d/logging-allow.conf
sudo systemctl daemon-reload
sudo systemctl restart tomcat9
After making these changes, web apps can once again write to their own directories in /var/log.
Source: Debian Tomcat 9 release notes
Answered by Stephen Ostermiller on December 27, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP