debian/README.Debian

@@ -45,3 +45,5 @@ Getting started
     AUTHBIND="yes" to enable it, and then configure your Tomcat to listen
     on any port number you wish. See the "man authbind" for information on
     configuring authbind.
+
+    authbind isn't required when systemd is used to run the service.

debian/changelog

-tomcat8 (8.5.32-2) UNRELEASED; urgency=medium
+tomcat8 (8.5.32-2) unstable; urgency=medium
 
   * Team upload.
+  * Added a systemd service file (Closes: #832151, #817909)
+  * Look for the Java runtime in the paths used by java-package >= 0.61
+    (/usr/lib/jvm/oracle-java<n>-{jre,jdk}-*) (Closes: #894318)
+  * Install catalina.policy in the tomcat8-user package to be able to run
+    custom instances with a security manager (Closes: #736321)
   * Disabled the shutdown port (8005) by default
   * Updated the policy files in /etc/tomcat8/policy.d/
   * Added the missing Maven rules to use the 8.x generic version for
     tomcat-jaspic-api, tomcat-storeconfig and tomcat-util-scan
   * Set the gecos field when creating the tomcat8 user
   * No longer set JSSE_HOME in the init script (JSSE is enabled by default)
+  * Standards-Version updated to 4.2.0
 
- -- Emmanuel Bourg <ebourg@apache.org>  Tue, 07 Aug 2018 15:15:03 +0200
+ -- Emmanuel Bourg <ebourg@apache.org>  Thu, 09 Aug 2018 17:53:44 +0200
 
 tomcat8 (8.5.32-1) unstable; urgency=medium
 

debian/control

@@ -24,7 +24,7 @@ Build-Depends:
  lsb-release,
  maven-repo-helper,
  po-debconf
-Standards-Version: 4.1.4
+Standards-Version: 4.2.0
 Vcs-Git: https://salsa.debian.org/java-team/tomcat8.git
 Vcs-Browser: https://salsa.debian.org/java-team/tomcat8
 Homepage: http://tomcat.apache.org

debian/libexec/tomcat-locate-java.sh

+#!/bin/sh
+#
+# Script looking for a Java runtime suitable for running Tomcat
+#
+# The script looks for the default JRE/JDK, OpenJDK and Oracle JDK
+# as packaged by java-package. The Java runtime found is exported
+# in the JAVA_HOME environment variable.
+#
+
+set -e
+
+# Find the Java runtime if JAVA_HOME isn't already defined
+if [ -z "$JAVA_HOME" ]; then
+    # This function sets the variable JDK_DIRS
+    find_jdks()
+    {
+        for java_version in 11 10 9 8
+        do
+            for jvmdir in /usr/lib/jvm/java-${java_version}-openjdk-* \
+                          /usr/lib/jvm/jdk-${java_version}-oracle-* \
+                          /usr/lib/jvm/jre-${java_version}-oracle-* \
+                          /usr/lib/jvm/java-${java_version}-oracle \
+                          /usr/lib/jvm/oracle-java${java_version}-jdk-* \
+                          /usr/lib/jvm/oracle-java${java_version}-jre-*
+            do
+                if [ -d "${jvmdir}" ]
+                then
+                    JDK_DIRS="${JDK_DIRS} ${jvmdir}"
+                fi
+            done
+        done
+    }
+
+    # The first existing directory is used for JAVA_HOME
+    JDK_DIRS="/usr/lib/jvm/default-java"
+    find_jdks
+
+    # Look for the right JVM to use
+    for jdir in $JDK_DIRS; do
+        if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
+            JAVA_HOME="$jdir"
+        fi
+    done
+    export JAVA_HOME
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+    echo "<2>No JDK or JRE found - Please set the JAVA_HOME variable or install the default-jdk package"
+    exit 1
+fi

debian/libexec/tomcat-start.sh

+#!/bin/sh
+#
+# Startup script for Apache Tomcat with systemd
+#
+
+set -e
+
+# Find the Java runtime and set JAVA_HOME
+. /usr/libexec/tomcat8/tomcat-locate-java.sh
+
+# Set the JSP compiler if configured in the /etc/default/tomcat8 file
+[ -n "$JSP_COMPILER" ] && JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
+
+export JAVA_OPTS
+
+# Enable the Java security manager?
+SECURITY=""
+[ "$TOMCAT_SECURITY" = "yes" ] && SECURITY="-security"
+
+
+# Start Tomcat
+cd $CATALINA_BASE && exec $CATALINA_HOME/bin/catalina.sh run $SECURITY

debian/libexec/tomcat-update-policy.sh

+#!/bin/sh
+#
+# Script regenerating the catalina.policy file from the collection
+# of files in /etc/tomcat8/policy.d/
+#
+# This script is run as root by systemd before starting Tomcat.
+#
+
+set -e
+
+if [ ! -d "$CATALINA_BASE/conf" ]; then
+    echo "<2>Invalid CATALINA_BASE, configuration files not found: $CATALINA_BASE"
+    exit 1
+fi
+
+# Regenerate the catalina.policy file
+POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"
+umask 022
+rm -rf "$CATALINA_BASE/policy"
+mkdir "$CATALINA_BASE/policy"
+echo "// AUTO-GENERATED FILE from /etc/tomcat8/policy.d/" > "$POLICY_CACHE"
+echo ""  >> "$POLICY_CACHE"
+cat $CATALINA_BASE/conf/policy.d/*.policy >> "$POLICY_CACHE"

debian/logging.properties

@@ -31,7 +31,7 @@ handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.jul
 2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost.
 
 java.util.logging.ConsoleHandler.level = FINE
-java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
+java.util.logging.ConsoleHandler.formatter = org.apache.juli.SystemdFormatter
 
 
 ############################################################

debian/patches/0024-systemd-log-formatter.patch

+Description: Adds a log formatter suitable for systemd
+Author: Emmanuel Bourg <ebourg@apache.org>
+Forwarded: no
+--- /dev/null
++++ b/java/org/apache/juli/SystemdFormatter.java
+@@ -0,0 +1,98 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.juli;
++
++import java.io.PrintWriter;
++import java.io.StringWriter;
++import java.util.TreeMap;
++import java.util.logging.Formatter;
++import java.util.logging.Level;
++import java.util.logging.LogRecord;
++
++/**
++ * Formatter suitable for logs handled by systemd/journald:
++ * <ul>
++ *   <li>Timestamps are removed (already added by journald)</li>
++ *   <li>Messages are prefixed with a marker specifying the log level. For example:
++ *     <pre>    &lt;6&gt;Tomcat started</pre>
++ *   </li>
++ *   <li>Tabulations are replaced by spaces (they are escaped as <tt>#011</tt> in /var/log/syslog otherwise)</li>
++ * </ul>
++ */
++public class SystemdFormatter extends Formatter {
++
++    /** Mapping between JUL levels and systemd logging levels */
++    private TreeMap<Integer, String> levelMapping = new TreeMap<>();
++    {
++        levelMapping.put(Level.OFF.intValue(),     "<0>"); // emergency
++        levelMapping.put(Level.SEVERE.intValue(),  "<2>"); // critical
++        levelMapping.put(Level.WARNING.intValue(), "<4>"); // warning
++        levelMapping.put(Level.INFO.intValue(),    "<6>"); // info
++        levelMapping.put(Level.CONFIG.intValue(),  "<6>"); // info
++        levelMapping.put(Level.FINE.intValue(),    "<7>"); // debug
++        levelMapping.put(Level.FINER.intValue(),   "<7>"); // debug
++        levelMapping.put(Level.FINEST.intValue(),  "<7>"); // debug
++    }
++
++    @Override
++    public String format(LogRecord record) {
++        StringBuilder sb = new StringBuilder();
++
++        // Severity
++        String prefix = getSystemdLevel(record.getLevel());
++        sb.append(prefix);
++
++        // Message
++        sb.append(formatMessage(record));
++
++        // Stack trace
++        if (record.getThrown() != null) {
++            sb.append("\n").append(prefix);
++            sb.append(toString(record.getThrown())
++                            .replaceAll("\t", "    ")       // tabulations are escaped as #011 in /var/log/syslog
++                            .replaceAll("\\n", "\n" + prefix)
++            );
++        }
++
++        // New line for next record
++        sb.append(System.lineSeparator());
++
++        return sb.toString();
++    }
++
++    private String toString(Throwable t) {
++        StringWriter sw = new StringWriter();
++        PrintWriter pw = new PrintWriter(sw);
++        t.printStackTrace(pw);
++        pw.close();
++
++        return sw.toString();
++    }
++
++    /**
++     * Returns the systemd log level mapped to the specified JUL level.
++     */
++    private String getSystemdLevel(Level level) {
++        String systemdLevel = levelMapping.get(level.intValue());
++        if (systemdLevel == null) {
++            // no exact match (custom level?), pick the nearest one above
++            systemdLevel = levelMapping.ceilingEntry(level.intValue()).getValue();
++            levelMapping.put(level.intValue(), systemdLevel);
++        }
++        return systemdLevel;
++    }
++}

debian/patches/0025-invalid-configuration-exit-status.patch

+Description: Fix the exit status when Tomcat terminates because the configuration is invalid
+Author: Emmanuel Bourg <ebourg@apache.org>
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=62607
+--- a/java/org/apache/catalina/startup/Bootstrap.java
++++ b/java/org/apache/catalina/startup/Bootstrap.java
+@@ -490,6 +490,10 @@
+             } else if (command.equals("start")) {
+                 daemon.setAwait(true);
+                 daemon.load(args);
++                if (null == daemon.getServer()) {
++                    log.fatal("Cannot start server. Server instance is not configured.");
++                    System.exit(1);
++                }
+                 daemon.start();
+             } else if (command.equals("stop")) {
+                 daemon.stopServer(args);

debian/patches/series

@@ -9,3 +9,5 @@
 0019-add-distribution-to-error-page.patch
 0021-dont-test-unsupported-ciphers.patch
 0023-disable-shutdown-by-socket.patch
+0024-systemd-log-formatter.patch
+0025-invalid-configuration-exit-status.patch

debian/rsyslog/tomcat8.conf

+# Send Tomcat messages to catalina.out when using systemd
+$template TomcatFormat,"[%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day% %timegenerated:::date-hour%:%timegenerated:::date-minute%:%timegenerated:::date-second%] [%syslogseverity-text%]%msg%\n"
+
+:programname, startswith, "tomcat8" {
+  /var/log/tomcat8/catalina.out;TomcatFormat
+  stop
+}

debian/tomcat8-user.install

 conf/*.xml                       /usr/share/tomcat8/skel/conf/
 conf/catalina.properties         /usr/share/tomcat8/skel/conf/
+conf/catalina.policy             /usr/share/tomcat8/skel/policy/
 debian/logging.properties        /usr/share/tomcat8/skel/conf/
 debian/setenv.sh                 /usr/share/tomcat8/skel/bin/
 debian/tomcat8-instance-create   /usr/bin/

debian/tomcat8.NEWS

+tomcat8 (8.5.32-2) unstable; urgency=medium
+
+  The tomcat8 package now provides a proper systemd service file.
+  Here are the notable differences with the init.d script previously used
+  to start Tomcat:
+
+  * The service assumes that Tomcat runs as the tomcat8 user. The user and
+    group defined in /etc/default/tomcat8 are ignored. If you've configured
+    a different user you have to override the default service file. This is
+    done by creating a /etc/systemd/system/tomcat8.service.d/override.conf
+    file containing:
+
+      [Service]
+      User=<username>
+      Group=<groupname>
+
+  * authbind is no longer necessary to bind to privileged ports (< 1024)
+
+  * Tomcat log messages are now sent to syslog and can be retrieved with:
+
+      journalctl -t tomcat8
+
+  * The log entries in catalina.out are now timestamped.
+
+  * The /var/run/tomcat8.pid file is no longer created.
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Thu, 09 Aug 2018 15:09:16 +0200
+
 tomcat8 (8.5.8-1) experimental; urgency=medium
 
   Migrating from Tomcat 8.0.x to 8.5.x

debian/tomcat8.init

@@ -53,38 +53,8 @@ fi
 TOMCAT8_USER=tomcat8
 TOMCAT8_GROUP=tomcat8
 
-# this is a work-around until there is a suitable runtime replacement
-# for dpkg-architecture for arch:all packages
-# this function sets the variable JDK_DIRS
-find_jdks()
-{
-    for java_version in 11 10 9 8
-    do
-        for jvmdir in /usr/lib/jvm/java-${java_version}-openjdk-* \
-                      /usr/lib/jvm/jdk-${java_version}-oracle-* \
-                      /usr/lib/jvm/jre-${java_version}-oracle-* \
-                      /usr/lib/jvm/java-${java_version}-oracle
-        do
-            if [ -d "${jvmdir}" ]
-            then
-                JDK_DIRS="${JDK_DIRS} ${jvmdir}"
-            fi
-        done
-    done
-}
-
-# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
-# defined in $DEFAULT)
-JDK_DIRS="/usr/lib/jvm/default-java"
-find_jdks
-
-# Look for the right JVM to use
-for jdir in $JDK_DIRS; do
-    if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
-	JAVA_HOME="$jdir"
-    fi
-done
-export JAVA_HOME
+# Find the Java runtime and set JAVA_HOME
+. /usr/libexec/tomcat8/tomcat-locate-java.sh
 
 # Directory where the Tomcat 8 binary distribution resides
 CATALINA_HOME=/usr/share/$NAME

debian/tomcat8.install

+debian/rsyslog/*           /etc/rsyslog.d/
 conf/catalina.properties   /etc/tomcat8/
 debian/logging.properties  /etc/tomcat8/
 conf/*.xml                 /etc/tomcat8/
 debian/policy/*.policy     /etc/tomcat8/policy.d/
+debian/libexec/*           /usr/libexec/tomcat8/
 debian/default_root        /usr/share/tomcat8-root/
 debian/defaults.template   /usr/share/tomcat8/
 debian/defaults.md5sum     /usr/share/tomcat8/

debian/tomcat8.service

+#
+# Systemd unit file for Apache Tomcat
+#
+
+[Unit]
+Description=Apache Tomcat 8.5 Web Application Server
+Documentation=https://tomcat.apache.org/tomcat-8.5-doc/index.html
+After=network.target
+
+[Service]
+
+# Configuration
+Environment="CATALINA_HOME=/usr/share/tomcat8"
+Environment="CATALINA_BASE=/var/lib/tomcat8"
+Environment="CATALINA_TMPDIR=/tmp"
+Environment="JAVA_OPTS=-Djava.awt.headless=true"
+EnvironmentFile=-/etc/default/tomcat8
+
+# Lifecycle
+Type=simple
+ExecStartPre=+/usr/libexec/tomcat8/tomcat-update-policy.sh
+ExecStart=/bin/sh /usr/libexec/tomcat8/tomcat-start.sh
+SuccessExitStatus=143
+
+# Logging
+SyslogIdentifier=tomcat8
+
+# Security
+User=tomcat8
+Group=tomcat8
+PrivateTmp=yes
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target