From 6ba09084f6b3f4360393b49153c76c9d4dcb608d Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Thu, 12 Sep 2013 15:05:47 -0400 Subject: fixing for new tomcat systemd files tomcat now uses systemd unit files. We will reuse and customize those files accordingly. As a result, startup is simplified considerably - and pkidaemon has been gutted accordingly. We'll need to add migration scripts for older instances in a subsequent patch. --- base/server/etc/default.cfg | 4 +- .../deployment/scriptlets/slot_substitution.py | 2 +- base/server/scripts/operations | 361 ++++----------------- base/server/scripts/pkidaemon | 22 +- base/server/share/conf/tomcat.conf | 2 +- .../share/lib/systemd/system/pki-tomcatd@.service | 15 +- 6 files changed, 76 insertions(+), 330 deletions(-) diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index facdf5f38..641ed7881 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -215,7 +215,7 @@ pki_enable_java_debugger=False pki_enable_proxy=False pki_proxy_http_port=80 pki_proxy_https_port=443 -pki_security_manager=true +pki_security_manager=false pki_tomcat_server_port=8005 # Paths @@ -232,7 +232,7 @@ pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_sys pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s pki_tomcat_bin_path=/usr/share/tomcat/bin pki_tomcat_lib_path=/usr/share/tomcat/lib -pki_tomcat_systemd=/usr/sbin/tomcat-sysd +pki_tomcat_systemd=/usr/sbin/tomcat pki_source_catalina_properties=%(pki_source_server_path)s/catalina.properties pki_source_servercertnick_conf=%(pki_source_server_path)s/serverCertNick.conf pki_source_server_xml=%(pki_source_server_path)s/server.xml diff --git a/base/server/python/pki/server/deployment/scriptlets/slot_substitution.py b/base/server/python/pki/server/deployment/scriptlets/slot_substitution.py index 726b6dfc0..a6c21e166 100644 
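Review bot: The first default.cfg hunk flips `pki_security_manager` from `true` to `false`, which turns off the Java security manager for every newly deployed instance, and the commit message does not mention it. If the reason is that the new unit's `ExecStart=/usr/libexec/tomcat/server start` passes a plain `start` (so presumably no policy is applied), say so next to the setting, e.g. `# Security manager is off until the systemd unit can start Tomcat with a policy; see pki-tomcatd@.service`. start_instance in scripts/operations still generates catalina.policy, which nothing appears to enforce, so an operator reading the deployed files could assume sandboxing that is not in effect. Consider keeping the default `true` and fixing the unit instead, or tracking the re-enable with the migration work the description mentions.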
--- a/base/server/python/pki/server/deployment/scriptlets/slot_substitution.py +++ b/base/server/python/pki/server/deployment/scriptlets/slot_substitution.py @@ -41,7 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.master_dict['pki_target_cs_cfg']) deployer.file.copy_with_slot_substitution(deployer.master_dict['pki_source_registry'], deployer.master_dict['pki_target_registry'], - uid=0, gid=0, overwrite_flag=True) + overwrite_flag=True) if deployer.master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: deployer.file.copy_with_slot_substitution( deployer.master_dict['pki_source_catalina_properties'], diff --git a/base/server/scripts/operations b/base/server/scripts/operations index 35d0e5e1a..1537e3461 100644 --- a/base/server/scripts/operations +++ b/base/server/scripts/operations @@ -40,13 +40,10 @@ lockfile="/var/lock/subsys/${SERVICE_NAME}" default_error=0 case $command in - start|stop|restart|condrestart|force-restart|try-restart) + start) # 1 generic or unspecified error (current practice) default_error=1 ;; - reload) - default_error=3 - ;; status) # 4 program or service status is unknown default_error=4 @@ -106,19 +103,6 @@ elif [ '${PKI_TYPE}' == "tomcat" ] ; then fi fi -# This script must be run as root! -RV=0 -if [ `id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$PROG_NAME'!" - if [ "${command}" != "status" ]; then - # 4 user had insufficient privilege - exit 4 - else - # 4 program or service status is unknown - exit 4 - fi -fi - PKI_INSTANCE_TYPES="apache tomcat" PKI_REGISTRY_ENTRIES="" PKI_SUBSYSTEMS="" 
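Review bot: Dropping `uid=0, gid=0` from the `pki_target_registry` copy means the registry file is now created with whatever owner `copy_with_slot_substitution` defaults to, which is not visible in this hunk. scripts/operations sources that file as shell (the removed `stop()` shows `. ${PKI_REGISTRY_ENTRY}`), so if the default owner is the service account, that account can write shell code that any later root invocation of pkidaemon would execute. The unprivileged `ExecStartPre` only needs read access, which does not require ownership, so keeping `uid=0, gid=0` should still work. If the ownership change is intended, add a comment such as `# registry file is owned by the PKI user because pkidaemon now runs unprivileged` and confirm nothing privileged still sources it. The enclosing method starts and ends outside the hunk.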
@@ -149,31 +133,9 @@ if [ -n "${pki_instance_id}" ]; then fi usage() -{ - echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}" - echo -n "{start" - echo -n "|stop" - echo -n "|restart" - echo -n "|condrestart" - echo -n "|force-restart" - echo -n "|try-restart" - echo -n "|reload" - echo -n "|status} " - echo -n "[instance-name]" - echo - echo -} - -usage_systemd() { echo -n "Usage: /usr/bin/pkidaemon " echo -n "{start" - echo -n "|stop" - echo -n "|restart" - echo -n "|condrestart" - echo -n "|force-restart" - echo -n "|try-restart" - echo -n "|reload" echo -n "|status} " echo -n "instance-type " echo -n "[instance-name]" @@ -181,7 +143,7 @@ usage_systemd() echo } -list_systemd_instance_types() +list_instance_types() { echo for PKI_INSTANCE_TYPE in $PKI_INSTANCE_TYPES; do @@ -191,16 +153,6 @@ list_systemd_instance_types() } list_instances() -{ - echo - for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do - instance_name=`basename $PKI_REGISTRY_ENTRY` - echo " $instance_name" - done - echo -} - -list_systemd_instances() { echo for INSTANCE in /etc/sysconfig/pki/apache/*; do 
@@ -253,74 +205,40 @@ get_subsystems() } # Check arguments -if [ $SYSTEMD ]; then - if [ $# -lt 2 ] ; then - # [insufficient arguments] - echo "$PROG_NAME: Insufficient arguments!" - echo - usage_systemd - echo "where valid instance types include:" - list_systemd_instance_types - echo "and where valid instance names include:" - list_systemd_instances - exit 3 - elif [ ${default_error} -eq 2 ] ; then - # 2 invalid argument - echo "$PROG_NAME: Invalid arguments!" - echo - usage_systemd - echo "where valid instance types include:" - list_systemd_instance_types - echo "and where valid instance names include:" - list_systemd_instances - exit 2 - elif [ $# -gt 3 ] ; then - echo "$PROG_NAME: Excess arguments!" - echo - usage_systemd - echo "where valid instance types include:" - list_systemd_instance_types - echo "and where valid instance names include:" - list_systemd_instances - if [ "${command}" != "status" ]; then - # 2 excess arguments - exit 2 - else - # 4 program or service status is unknown - exit 4 - fi - fi -else - if [ $# -lt 1 ] ; then - # 3 unimplemented feature (for example, "reload") - # [insufficient arguments] - echo "$PROG_NAME: Insufficient arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - exit 3 - elif [ ${default_error} -eq 2 ] ; then - # 2 invalid argument - echo "$PROG_NAME: Invalid arguments!" - echo - usage - echo "where valid instance names include:" - list_instances +if [ $# -lt 2 ] ; then + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage + echo "where valid instance types include:" + list_instance_types + echo "and where valid instance names include:" + list_instances + exit 3 +elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" 
+ echo + usage + echo "where valid instance types include:" + list_instance_types + echo "and where valid instance names include:" + list_instances + exit 2 +elif [ $# -gt 3 ] ; then + echo "$PROG_NAME: Excess arguments!" + echo + usage + echo "where valid instance types include:" + list_instance_types + echo "and where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments exit 2 - elif [ $# -gt 2 ] ; then - echo "$PROG_NAME: Excess arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - if [ "${command}" != "status" ]; then - # 2 excess arguments - exit 2 - else - # 4 program or service status is unknown - exit 4 - fi + else + # 4 program or service status is unknown + exit 4 fi fi @@ -341,9 +259,6 @@ if [ -n "${pki_instance_id}" ]; then else echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance" fi - if [ ! $SYSTEMD ]; then - echo_failure - fi echo if [ "${command}" != "status" ]; then @@ -1093,7 +1008,6 @@ verify_symlinks() { # declare associative arrays declare -A base_symlinks - declare -A root_symlinks declare -A ca_symlinks declare -A kra_symlinks declare -A ocsp_symlinks @@ -1133,9 +1047,6 @@ verify_symlinks() [conf]=/etc/pki/${PKI_INSTANCE_NAME} [logs]=/var/log/pki/${PKI_INSTANCE_NAME}) - # '${PKI_INSTANCE_PATH}' symlinks (root:root ownership) - root_symlinks[${PKI_INSTANCE_NAME}]=/usr/sbin/tomcat-sysd - # '${PKI_INSTANCE_PATH}/ca' symlinks ca_symlinks=( [alias]=${PKI_INSTANCE_PATH}/alias @@ -1278,15 +1189,6 @@ verify_symlinks() return $rv fi - # Detect and correct 'root_symlinks' - root_symlinks_string=$(declare -p root_symlinks) - eval "declare -A symlinks=${root_symlinks_string#*=}" - check_symlinks ${PKI_INSTANCE_PATH} "root" "root" - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - if [ -e ${PKI_INSTANCE_PATH}/ca ]; then # Detect and correct 'ca_symlinks' ca_symlinks_string=$(declare -p ca_symlinks) 
@@ -1400,98 +1302,33 @@ start_instance() return $rv fi - # Invoke the initscript for this instance - case $PKI_WEB_SERVER_TYPE in - tomcat) + # Generate catalina.policy dynamically. + cat /usr/share/pki/server/conf/catalina.policy \ + /usr/share/tomcat/conf/catalina.policy \ + /usr/share/pki/server/conf/pki.policy \ + /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \ + /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy - # Generate catalina.policy dynamically. - cat /usr/share/pki/server/conf/catalina.policy \ - /usr/share/tomcat/conf/catalina.policy \ - /usr/share/pki/server/conf/pki.policy \ - /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \ - /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy - - # We must export the service name so that the systemd version - # of the tomcat init script knows which instance specific - # configuration file to source. - export SERVICE_NAME=$PKI_INSTANCE_NAME - $PKI_INSTANCE_INITSCRIPT start - rv=$? - ;; - apache) - $PKI_INSTANCE_INITSCRIPT start - rv=$? - ;; - esac + # We no longer start tomcat instances here. + # instead we rely on the tomcat unit scripts - if [ $rv -ne 0 ] ; then - return $rv - fi - - # On Tomcat subsystems, make certain that the service has started - case $PKI_WEB_SERVER_TYPE in - tomcat) - count=0 - tries=30 - port=${PKI_UNSECURE_PORT} - while [ $count -lt $tries ] - do - netstat -antl | grep ${port} > /dev/null - netrv=$? - if [ $netrv -eq 0 ] ; then - break; - fi - sleep 1 - let count=$count+1; - done - if [ $netrv -ne 0 ] ; then - return 1 - fi - ;; - esac - - if [ $rv -eq 0 ] ; then - # From the PKI point of view a returned error code of 6 implies - # that the program is not "configured". An error code of 1 implies - # that the program was "configured" but must still be restarted. - # - # If the return code is 6 return this value unchanged to the - # calling routine so that the total number of configuration errors - # may be counted. Other return codes are ignored. 
- # - check_pki_configuration_status - rv=$? - if [ $rv -eq 6 ]; then - # 6 program is not configured - return 6 - else - # 0 success - return 0 - fi - fi - return $rv -} - -stop_instance() -{ - rv=0 - - export SERVICE_NAME=$PKI_INSTANCE_NAME - # Invoke the initscript for this instance - $PKI_INSTANCE_INITSCRIPT stop + # From the PKI point of view a returned error code of 6 implies + # that the program is not "configured". An error code of 1 implies + # that the program was "configured" but must still be restarted. + # + # If the return code is 6 return this value unchanged to the + # calling routine so that the total number of configuration errors + # may be counted. Other return codes are ignored. + # + check_pki_configuration_status rv=$? - - # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks - # that were previously associated with the Tomcat 'pid' and 'lock' files. - case $PKI_WEB_SERVER_TYPE in - tomcat) - if [ -f ${PKI_PIDFILE} ]; then - rm -f ${PKI_PIDFILE} - fi - ;; - esac - - return $rv + if [ $rv -eq 6 ]; then + # 6 program is not configured + return 6 + else + # 0 success + return 0 + fi } start() 
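Review bot: In the rewritten start_instance the `cat … > …/conf/catalina.policy` redirection is never checked, so a missing or unreadable `custom.policy` leaves a truncated policy file in place and the function still returns 0 or 6 from `check_pki_configuration_status`. `$PKI_INSTANCE_NAME` is also unquoted in the paths. Build the file under a temporary name, fail the start when `cat` fails, and rename it into place only on success; the sketch below shows the changed lines. Since the unit sets `User=pkiuser`, this step presumably runs as that account, so the generated policy is writable by the same account it is meant to constrain, which deserves a comment or a follow-up. start_instance begins before this hunk.

```shell
    # … unchanged: earlier checks in start_instance …

    # Generate catalina.policy dynamically; refuse to start on an incomplete policy.
    policy_dir="/var/lib/pki/${PKI_INSTANCE_NAME}/conf"
    if ! cat /usr/share/pki/server/conf/catalina.policy \
             /usr/share/tomcat/conf/catalina.policy \
             /usr/share/pki/server/conf/pki.policy \
             "${policy_dir}/custom.policy" > "${policy_dir}/catalina.policy.new"; then
        rm -f "${policy_dir}/catalina.policy.new"
        # 1 generic or unspecified error
        return 1
    fi
    mv -f "${policy_dir}/catalina.policy.new" "${policy_dir}/catalina.policy"

    # … unchanged: check_pki_configuration_status handling …
```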
@@ -1585,80 +1422,6 @@ start() return $rv } -stop() -{ - error_rv=0 - rv=0 - errors=0 - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then - echo - echo "ERROR: No '${PKI_TYPE}' instances installed!" - # 5 program is not installed - return 5 - fi - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" - fi - - # Shutdown every PKI instance of this type that is running - for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do - # Source values associated with this particular PKI instance - [ -f ${PKI_REGISTRY_ENTRY} ] && - . ${PKI_REGISTRY_ENTRY} - - [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo - - stop_instance - rv=$? - if [ $rv != 0 ] ; then - errors=`expr $errors + 1` - error_rv=$rv - fi - done - - if [ ${errors} -eq 0 ] ; then - rm -f ${lockfile} - fi - - # ONLY print a "WARNING" message if multiple - # instances are being examined - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - if [ ${errors} -eq 1 ]; then - # Since only ONE error exists, return that "bad" error code. - rv=${error_rv} - elif [ ${errors} -gt 1 ]; then - # Since MORE than ONE error exists, return an OVERALL status - # of "1 generic or unspecified error (current practice)" - rv=1 - fi - - if [ ${errors} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances were " - echo -n "unsuccessfully stopped!" - echo - fi - - echo - echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." - fi - - return $rv -} - -restart() -{ - stop - sleep 2 - start - - return $? -} - registry_status() { error_rv=0 @@ -1686,11 +1449,7 @@ registry_status() case $PKI_WEB_SERVER_TYPE in tomcat) - if [ $SYSTEMD ]; then - display_instance_status_systemd - else - display_instance_status - fi + display_instance_status_systemd rv=$? ;; apache) diff --git a/base/server/scripts/pkidaemon b/base/server/scripts/pkidaemon index 6ad91114c..ce7d13ce1 100755 --- a/base/server/scripts/pkidaemon 
+++ b/base/server/scripts/pkidaemon @@ -30,7 +30,6 @@ pki_instance_id="$3" PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}" PKI_TYPE="${pki_instance_type}" PKI_SYSTEMD_TARGET="pki-${pki_instance_type}d" -SYSTEMD=1 # Source the PKI function library . /usr/share/pki/scripts/operations @@ -45,31 +44,14 @@ case $command in start exit $? ;; - restart) - restart - exit $? - ;; - stop) - stop - exit $? - ;; - condrestart|force-restart|try-restart) - [ ! -f ${lockfile} ] || restart - echo "The '${command}' action is TBD." - exit $? - ;; - reload) - echo "The 'reload' action is an unimplemented feature." - exit ${default_error} - ;; *) echo "unknown action ($command)" echo - usage_systemd + usage echo "where valid instance types include:" list_instance_types echo "and where valid instance names include:" - list_systemd_instances + list_instances exit ${default_error} ;; esac diff --git a/base/server/share/conf/tomcat.conf b/base/server/share/conf/tomcat.conf index 9457b0ce7..f4070ee81 100644 --- a/base/server/share/conf/tomcat.conf +++ b/base/server/share/conf/tomcat.conf @@ -33,7 +33,7 @@ CATALINA_TMPDIR=[PKI_TMPDIR] #JAVA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M" # RESTEasy -JAVA_OPTS="$JAVA_OPTS -DRESTEASY_LIB=[PKI_RESTEASY_LIB]" +JAVA_OPTS="-DRESTEASY_LIB=[PKI_RESTEASY_LIB]" # What user should run tomcat TOMCAT_USER="[PKI_USER]" diff --git a/base/server/share/lib/systemd/system/pki-tomcatd@.service b/base/server/share/lib/systemd/system/pki-tomcatd@.service index 18d92dd60..c003126b5 100644 --- a/base/server/share/lib/systemd/system/pki-tomcatd@.service +++ b/base/server/share/lib/systemd/system/pki-tomcatd@.service 
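Review bot: In the tomcat.conf hunk, the new `JAVA_OPTS="-DRESTEASY_LIB=[PKI_RESTEASY_LIB]"` line no longer appends to an existing value, so any `JAVA_OPTS` set earlier (for example in `/etc/tomcat/tomcat.conf`, which the new unit loads first) is replaced rather than extended. That is presumably deliberate, because systemd `EnvironmentFile=` does not expand `$JAVA_OPTS`, but the file gives no hint of it. Add a comment above the assignment, e.g. `# Read via systemd EnvironmentFile: no variable expansion, so list every JVM option here; this replaces JAVA_OPTS from the global tomcat.conf`.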
@@ -1,14 +1,19 @@ [Unit] Description=PKI Tomcat Server %i -After=pki-tomcatd.target +After=pki-tomcatd.target syslog.target network.target PartOf=pki-tomcatd.target [Service] -Type=forking -ExecStart=/usr/bin/pkidaemon start tomcat %i -ExecStop=/usr/bin/pkidaemon stop tomcat %i +Type=simple +EnvironmentFile=/etc/tomcat/tomcat.conf +Environment="NAME=%i" +EnvironmentFile=-/etc/sysconfig/%i +ExecStartPre=/usr/bin/pkidaemon start tomcat %i +ExecStart=/usr/libexec/tomcat/server start +ExecStop=/usr/libexec/tomcat/server stop SuccessExitStatus=143 +User=pkiuser +Group=pkiuser [Install] WantedBy=multi-user.target - -- cgit
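Review bot: `User=pkiuser` and `Group=pkiuser` are hard-coded in the template unit, while tomcat.conf in this same commit still takes the account from the `[PKI_USER]` slot, so an instance deployed with a different user would run under the wrong account. `User=` applies to `ExecStartPre=` as well, so `pkidaemon start` runs unprivileged and the "detect and correct" symlink ownership repair in scripts/operations will presumably fail rather than fix anything. Either document the constraint in the unit, e.g. `# Must match pki_user/pki_group from the deployment configuration; use a drop-in override for other accounts`, or generate these two lines per instance. `ExecStart=/usr/libexec/tomcat/server start` also appears to start Tomcat without a security policy, which ties in with the `pki_security_manager=false` default changed in default.cfg.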