I am getting the below error when trying to start Tomcat using a systemd service:
systemd[1]: tomcat.service: Failed to execute command: Permission denied
systemd[1]: tomcat.service: Failed at step EXEC spawning /opt/tomcat/bin/startup.sh: Permission denied
Below is my tomcat.service configuration:
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target
[Service]
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target
These are my permissions on the files in the bin directory:
drwxrwx---. 2 tomcat tomcat 4096 Mar 22 05:56 .
drwx------. 9 tomcat tomcat 276 Mar 22 05:58 ..
-rw-r-----. 1 tomcat tomcat 35071 Mar 11 09:33 bootstrap.jar
-rw-r-----. 1 tomcat tomcat 15953 Mar 11 09:33 catalina.bat
-rwxr-x--x. 1 tomcat tomcat 23792 Mar 11 09:33 catalina.sh
-rw-r-----. 1 tomcat tomcat 1664 Mar 11 09:36 catalina-tasks.xml
-rw-r-----. 1 tomcat tomcat 2123 Mar 11 09:33 ciphers.bat
-rwxr-x--x. 1 tomcat tomcat 1997 Mar 11 09:33 ciphers.sh
-rw-r-----. 1 tomcat tomcat 25197 Mar 11 09:33 commons-daemon.jar
-rw-r-----. 1 tomcat tomcat 206895 Mar 11 09:33 commons-daemon-native.tar.gz
-rw-r-----. 1 tomcat tomcat 2040 Mar 11 09:33 configtest.bat
-rwxr-x--x. 1 tomcat tomcat 1922 Mar 11 09:33 configtest.sh
-rwxr-x--x. 1 tomcat tomcat 8675 Mar 11 09:33 daemon.sh
-rw-r-----. 1 tomcat tomcat 2091 Mar 11 09:33 digest.bat
-rwxr-x--x. 1 tomcat tomcat 1965 Mar 11 09:33 digest.sh
-rw-r-----. 1 tomcat tomcat 3606 Mar 11 09:33 makebase.bat
-rwxr-x--x. 1 tomcat tomcat 3382 Mar 11 09:33 makebase.sh
-rw-r-----. 1 tomcat tomcat 3460 Mar 11 09:33 setclasspath.bat
-rwxr-x--x. 1 tomcat tomcat 3708 Mar 11 09:33 setclasspath.sh
-rw-r-----. 1 tomcat tomcat 2020 Mar 11 09:33 shutdown.bat
-rwxr-x--x. 1 tomcat tomcat 1902 Mar 11 09:33 shutdown.sh
-rw-r-----. 1 tomcat tomcat 2022 Mar 11 09:33 startup.bat
-rwxr-x--x. 1 tomcat tomcat 1904 Mar 11 09:33 startup.sh
-rw-r-----. 1 tomcat tomcat 49372 Mar 11 09:33 tomcat-juli.jar
-rw-r-----. 1 tomcat tomcat 419428 Mar 11 09:33 tomcat-native.tar.gz
-rw-r-----. 1 tomcat tomcat 4574 Mar 11 09:33 tool-wrapper.bat
NOTE: I am able to start Tomcat using the sudo ./startup.sh command after navigating to the bin directory.
Can you check your /opt and /opt/bin permissions?
Looks like
chmod a+rx /opt /opt/tomcat/ /opt/tomcat/bin
should help.
I suppose you followed one of the many copied online tutorials where the tomcat user is created with /opt/tomcat/ as its home directory, using something similar to:
sudo useradd -d /opt/tomcat -s /sbin/nologin tomcat
SELinux is preventing applications from being launched from a home directory, with a message like the following in /var/log/audit/audit.log:
type=AVC msg=audit(1614250994.710:33614): avc: denied { execute } for pid=60244 comm="(artup.sh)" name="startup.sh" dev="dm-3" ino=19000615 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
I don't believe the tomcat user needs a home folder, so either remove it from an existing user with:
sudo usermod -d / tomcat
Or create your new user with the following instead:
sudo useradd -M -s /sbin/nologin tomcat
Reset the SELinux properties afterwards with the following:
sudo restorecon -rv /opt/tomcat
I encountered the same problem and fixed it with restorecon.
I don't know if the reason the problem happened is the same as in the original question, but I think it depends on how Tomcat is installed.
In general, we download the tar.gz into a temp directory and run tar xzvf there. Next, we move it to /opt or /usr/local. If we use mv, the SELinux context is not changed and permission denied happens, but you can change it with restorecon. If we use cp -R, the SELinux context is changed and permission denied does not happen.
In case someone follows the Google links to get here, there were three problems in my case that prevented Tomcat 9 (installed from a TAR file) from starting on a RHEL 8 system that has the CIS recommended security lock-downs on it. I think the DoD STIGs are similar, but I'm not sure. I had the exact same messages in the system journal that the OP did.
First, our security folks went overboard and added the "noexec" option to the mount that Tomcat was on, which is a separate partition and LVM volume for both security and organizational reasons. I had to modify the mount by removing the "noexec" option in the "/etc/fstab" file, to wit:
Before:
/dev/mapper/vg01-mymount /mymount xfs defaults,nodev,noexec 0 0
After:
/dev/mapper/vg01-mymount /mymount xfs defaults,nodev 0 0
Second, I found they had installed the "fapolicyd" daemon, which acts like application allow-listing for execution of and access to files. Instead of using the standard method of adding individual binaries to a list in "/etc/fapolicyd/fapolicyd.trust", or creating files in the "/etc/fapolicyd/trust.d/" directory, I followed recommendations from this reply on a blog entry here: https://computingforgeeks.com/install-apache-tomcat-9-on-linux-rhel-centos/#comment-7841 . This is the coward's way out, adding all policy permissions for the tomcat user to access the whole tomcat directory and depending on file-level permissions to do the security from there:
allow perm=any uid=tomcat gid=tomcat : dir=/mymount/tomcat/
I'm not really sure this will pass scrutiny with any security policies where you work, but it gets the thing running. Individual rules for fapolicyd can be made to run specific files, certain MIME types, read-only on whole directories, etc. The major flaw I found is that the logging from the daemon is less than stellar (or non-existent in my case), and it left me scratching my head for a couple of days as to what was blocking Tomcat from starting. Just knowing fapolicyd is installed is half the battle won.
Third, checking the SELinux reports (aureport binary) showed that the systemd binary context of "init_t" did not have permission to execute files in the Tomcat dir because they had the wrong context ("default_t"). Here I only changed the context of the script files in /tomcat/bin/ to "initrc_exec_t", which may also be bad, but it worked without disabling SELinux or doing weird things like compiling a new SELinux policy file that allowed that access (i.e. allow init_t to execute default_t files, which seems like it would be much worse). I used a command set similar to the one below:
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/startup.sh
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/shutdown.sh
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/catalina.sh
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/setclasspath.sh
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/setenv.sh
restorecon -rv /mymount/tomcat/
I don't know if it needed the last three (catalina.sh, setclasspath.sh, setenv.sh), but I added them to be sure. This fixed my issue with systemd.
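The two non-SELinux causes on this page, the directory search bits behind the first answer's chmod a+rx and the noexec mount from the third answer, checked together as an added example that is not part of the question or any answer. It assumes a POSIX sh with ls, cut, id, tr, grep and dirname, takes the service user name tomcat from the unit file above, and treats findmnt (util-linux) as optional.

```shell
#!/bin/sh
# systemd's EXEC step runs as User=tomcat, so every directory leading to
# startup.sh must grant that user the search ("x") bit and the script itself
# must be readable and executable. Root bypasses these DAC checks, which is
# why "sudo ./startup.sh" works while the unit fails. Only mode bits are
# inspected (never actual access), so anyone can run this for any user name.
# SELinux labels (the user_tmp_t / default_t cases above) are out of scope;
# use ls -Z and restorecon for those.

# mode_bits PATH USER -> prints the rwx triple that applies to USER for PATH
mode_bits() {
    path=$1; user=$2
    set -- $(ls -ld "$path")          # -rwxr-x--x. 1 tomcat tomcat 1904 ...
    mode=$1; owner=$3; group=$4
    if [ "$owner" = "$user" ]; then
        printf '%s\n' "$mode" | cut -c2-4      # owner class
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        printf '%s\n' "$mode" | cut -c5-7      # group class
    else
        printf '%s\n' "$mode" | cut -c8-10     # other class
    fi
}

# has_x TRIPLE -> 0 when the execute/search bit is set (x, or s/t with x)
has_x() {
    case "$1" in ??[xst]) return 0 ;; *) return 1 ;; esac
}

# check_exec_path FILE USER [STOP] -> one line per blocking component,
# walking from FILE's directory up to but not including STOP (default /);
# returns 1 if anything blocks USER, 0 if the exec would pass DAC.
check_exec_path() {
    file=$1; user=$2; stop=${3:-/}; rc=0
    bits=$(mode_bits "$file" "$user")
    case "$bits" in
        r?[xst]) ;;
        *) echo "$file: $user has '$bits', needs r-x to run the script"; rc=1 ;;
    esac
    dir=$(dirname "$file")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        bits=$(mode_bits "$dir" "$user")
        if ! has_x "$bits"; then
            echo "$dir: $user has '$bits', needs --x to traverse"; rc=1
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# mount_noexec FILE -> 0 when the filesystem holding FILE is mounted noexec
# (the /etc/fstab case in the third answer); needs findmnt, otherwise 1.
mount_noexec() {
    findmnt -T "$1" -no OPTIONS 2>/dev/null | tr ',' '\n' | grep -qx noexec
}

# Usage: sh check_exec.sh /opt/tomcat/bin/startup.sh [tomcat]
if [ -n "${1:-}" ]; then
    svc=${2:-tomcat}
    check_exec_path "$1" "$svc" && echo "$1: DAC permissions OK for $svc"
    mount_noexec "$1" && echo "$1: filesystem is mounted noexec, exec will fail"
fi
```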
Related
-- See Tl;dr below for a short version --
On my ubuntu-16.04 droplet apache2 and php7 both use the user www-data. At some point all three installations of wordpress-4.7.2, seemingly without reason, started asking for FTP credentials, indicating they don't have sufficient rights. Each wp instance has its own mysql database.
I tried to solve this for /site1 with
sudo chown www-data:www-data /var/www/site1/* -R
which shouldn't change anything, as this is how the permissions were set already. For whatever reason this caused the browser to return a
HTTP ERROR 500
for the sites in /var/www/site1, /var/www/site2 and /var/www/site3 – nothing works anymore.
The only way I've found to get out of this is to restore the droplet. But each time I try to get the permissions right, I end up with all sites down again.
These are the current permission settings:
drwxr-xr-x 14 root root 4096 Feb 3 XX:14 /var/
drwxrwxr-x 8 www-data www-data 4096 Mar 5 XX:27 /var/www/
drwxr-sr-x 3 www-data www-data 4096 Mar 5 XX:13 /var/www/site1/
drwxrwxr-x 3 www-data www-data 4096 Feb 25 XX:51 /var/www/site2/
drwxrwxr-x 3 www-data www-data 4096 Feb 28 XX:06 /var/www/site3/
The sudo user is member of www-data:
user1@droplet:~$ members www-data
www-data user2 user1
A freshly installed Theme on /site1 caused dozens of PHP Fatal errors like this one:
[Sun Mar 05 19:24:04.003189 2017] [:error] [pid 5632] [client 31.10.138.238:50870]
PHP Fatal error: Uncaught Error: Call to undefined function mysql_escape_string()
in /var/www/site1/html/wp-content/themes/gloria/functions.php:60\nStack trace:\n#0
/var/www/site1/html/wp-settings.php(425): include()\n#1 /var/www/bw/html/wp-config.php(89):
require_once('/var/www/site1/htm...')\n#2 /var/www/bw/html/wp-load.php(37):
require_once('/var/www/site1/htm...')\n#3 /var/www/bw/html/wp-admin/admin.php(31):
require_once('/var/www/site1/htm...')\n#4 /var/www/bw/html/wp-admin/themes.php(10):
require_once('/var/www/site1/htm...')\n#5 {main}\n thrown in
/var/www/site1/html/wp-content/themes/gloria/functions.php on line 60
After deleting the theme, /site1 went back online. I have no idea why. The first two times I ended up restoring the droplet because of
HTTP ERROR 500
this theme wasn't involved. Even though /site1 is back up, /site2 and /site3 remain stuck with
HTTP ERROR 500
Since the removal of the theme in /site1 the Apache error log doesn't have any suspicious entries:
[Sun Mar 05 19:56:35.456584 2017] [mpm_prefork:notice] [pid 1671] AH00171: Graceful restart requested, doing restart
[Sun Mar 05 19:56:35.662742 2017] [mpm_prefork:notice] [pid 1671] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Sun Mar 05 19:56:35.662765 2017] [core:notice] [pid 1671] AH00094: Command line: '/usr/sbin/apache2'
Any ideas?
Edit: An instance of ActiveCollab in /var/www/site2/activecollab/ never stopped working during the whole issue. All connection and permission checks done by ActiveCollab for its own files, folders and database are positive.
Tl;dr: WP1 asks for FTP, I say
sudo chown www-data:www-data /var/www/site1/* -R
WP1, WP2 and WP3 tell the browser to
HTTP ERROR 500
while ActiveCollab in a subfolder of WP2 doesn't give a sh*t and keeps running.
Try these:
sudo chmod -R 774 /var/www/yourwordpressfolder
And then:
sudo chown -R www-data:www-data /var/www/yourwordpress
Finally:
sudo chmod -R 777 /var/www/yourwordpressfolder
I have run into a problem on CentOS 7 when attempting to map a volume to the host in a Tomcat container. This happens with the public tomcat images as well as an image I have created (based on centos instead of debian).
Instantiating a container as follows will succeed:
docker run -it -d tomcat:8
Instantiating a container as follows will succeed, but with errors in the log, and logs are not written to the host:
docker run -it -d -v /usr/local/tomcat:/usr/local/tomcat tomcat:8
[wpackard@eagle2 tomcat]$ dkr run -it -d -v /usr/local/tomcat:/usr/local/tomcat tomcat:8
34075701b1436f83a24212170b4d2113ae698df244c449203b1c9af9814485c9
[wpackard@eagle2 tomcat]$ dkr ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
34075701b143 tomcat:8 "catalina.sh run" 5 seconds ago Up 4 seconds 8080/tcp sharp_einstein
[wpackard@eagle2 tomcat]$ dkr logs sharp_einstein
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
java.util.logging.ErrorManager: 4
java.io.FileNotFoundException: /usr/local/tomcat/logs/catalina.2015-03-31.log (Permission denied)
...
31-Mar-2015 15:32:04.088 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.start Unable to create directory for deployment: /usr/local/tomcat/conf/Catalina/localhost
31-Mar-2015 15:32:04.097 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/ROOT
31-Mar-2015 15:32:04.468 WARNING [localhost-startStop-1] org.apache.catalina.core.StandardContext.postWorkDirectory Failed to create work directory [/usr/local/tomcat/work/Catalina/localhost/ROOT] for context []
31-Mar-2015 15:32:05.966 SEVERE [localhost-startStop-1] org.apache.jasper.EmbeddedServletOptions.<init> The scratchDir you specified: /usr/local/tomcat/work/Catalina/localhost/ROOT is unusable.
31-Mar-2015 15:32:06.042 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/ROOT has finished in 1,929 ms
31-Mar-2015 15:32:06.043 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/docs
31-Mar-2015 15:32:06.093 WARNING [localhost-startStop-1] org.apache.catalina.core.StandardContext.postWorkDirectory Failed to create work directory [/usr/local/tomcat/work/Catalina/localhost/docs] for context [/docs]
31-Mar-2015 15:32:06.216 SEVERE [localhost-startStop-1] org.apache.jasper.EmbeddedServletOptions.<init> The scratchDir you specified: /usr/local/tomcat/work/Catalina/localhost/docs is unusable.
31-Mar-2015 15:32:06.219 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/docs has finished in 176 ms
31-Mar-2015 15:32:06.220 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/examples
31-Mar-2015 15:32:06.272 WARNING [localhost-startStop-1] org.apache.catalina.core.StandardContext.postWorkDirectory Failed to create work directory [/usr/local/tomcat/work/Catalina/localhost/examples] for context [/examples]
31-Mar-2015 15:32:07.952 SEVERE [localhost-startStop-1] org.apache.jasper.EmbeddedServletOptions.<init> The scratchDir you specified: /usr/local/tomcat/work/Catalina/localhost/examples is unusable.
[wpackard@eagle2 tomcat]$
Exec'ing into the container and attempting to write also fails.
[wpackard@eagle2 tomcat]$ dkr ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
34075701b143 tomcat:8 "catalina.sh run" 5 minutes ago Up 5 minutes 8080/tcp sharp_einstein
[wpackard@eagle2 tomcat]$ dkr exec -it sharp_einstein /bin/bash
root@34075701b143:/usr/local/tomcat# ls -l
total 96
-rw-rw-r--. 1 root root 56977 Jan 23 11:59 LICENSE
-rw-rw-r--. 1 root root 1397 Jan 23 11:59 NOTICE
-rw-rw-r--. 1 root root 6779 Jan 23 11:59 RELEASE-NOTES
-rw-rw-r--. 1 root root 16204 Jan 23 11:59 RUNNING.txt
drwxrwxr-x. 2 root root 4096 Mar 31 12:14 bin
drwxrwxr-x. 2 root root 4096 Jan 23 11:59 conf
drwxrwxr-x. 2 root root 4096 Mar 31 12:14 lib
drwxrwxr-x. 2 root root 6 Jan 23 11:56 logs
drwxrwxr-x. 2 root root 29 Mar 31 12:14 temp
drwxrwxr-x. 7 root root 76 Jan 23 11:57 webapps
drwxrwxr-x. 2 root root 6 Jan 23 11:56 work
root@34075701b143:/usr/local/tomcat# cd logs
root@34075701b143:/usr/local/tomcat/logs# echo "test" > test.log
bash: test.log: Permission denied
I have created an instance of the postgresql container on CentOS, and that successfully maps and uses the volume, verified by creating a DB, stopping the instance and then re-running the container.
[wpackard@eagle2 ~]$ uname --all
Linux eagle2 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[wpackard@eagle2 ~]$
dkr is an alias to docker; I have created a docker group and added myself to the group to eliminate the need for sudo.
The volume mapping seems to work correctly on Ubuntu. On CentOS I have tried both the package version (as below) and also updating it to 1.5.
[wpackard@eagle2 ~]$ dkr --version
Docker version 1.3.2, build 39fa2fa/1.3.2
[wpackard@eagle2 ~]$
How do I make volumes work on CentOS?
I think your volumes are working :-) You have a permission problem. I run into this fairly often with the mapping of user ids between the host and the container. On your host, if you look at /usr/local/tomcat (ls -ld), you will see an owner, group and the permissions. You probably have something like 0755 (read/write/exec by owner, read/exec by group, read/exec by world). You can test this theory easily; simply remember the current settings for /usr/local/tomcat/logs, then do:
chmod 777 /usr/local/tomcat/logs
from the docker host (not the container). Then run your test in the container; the Permission denied should evaporate.
This is NOT a good fix, though. I don't know what the community says about user id mapping for docker. One thing you could do is figure out the user and group in your host for that directory. Then, when you create your image (or at run time), create a user with the same id and a group with the same id in the container. Then run your tomcat service using that user in the container.
This is due to SELinux.
You must attach the correct type to the host directory:
host$ chcon -Rt svirt_sandbox_file_t /usr/local/tomcat
So, my current setup looks like this:
Solr 4.10.4 with Tomcat7. Solr by itself is working under localhost:8080/solr, but when it wants to create a core it gets the following failure:
SolrCore Initialization Failures
atalanda_development: org.apache.solr.common.SolrException:org.apache.solr.common.SolrException: Could not load conf for core atalanda_development: Error loading solr config from /usr/share/solr/example/solr/development/conf/solrconfig.xml
So my first thought was to check if the file is even there:
ll /usr/share/solr/example/solr/development/conf/solrconfig.xml
-rw-rw-r-- 1 tomcat7 gbeschbacher 71K Mar 16 13:56 /usr/share/solr/example/solr/development/conf/solrconfig.xml
So after this I knew the file was there and tomcat7 has permission on it. I tried two versions of solrconfig.xml, a default one and a custom one. The error occurred with both of these.
My Tomcat7 has the following solr.xml file, which is pretty straightforward:
cat /etc/tomcat7/Catalina/localhost/solr.xml
<Context docBase="/usr/share/solr/example/solr/solr.war" debug="0" crossContext="true">
<Environment name="solr/home" type="java.lang.String" value="/usr/share/solr/example/solr" override="true" />
</Context>
All it does is tell tomcat7 where my docBase and my Solr environment are. For more understanding I show you the folder structure, with permissions, of my /usr/share/solr/example/solr folder:
/u/s/s/e/solr ❯❯❯
drwxr-xr-x 2 tomcat7 gbeschbacher 4.0K Sep 8 2014 bin
drwxr-xr-x 3 tomcat7 gbeschbacher 4.0K Mar 18 23:06 collection1
drwxr-xr-x 2 tomcat7 root 4.0K Mar 19 00:53 development
-rw-r--r-- 1 tomcat7 gbeschbacher 2.5K Sep 8 2014 README.txt
-rw-r--r-- 1 tomcat7 gbeschbacher 29M Mar 19 00:13 solr.war
-rw-r--r-- 1 tomcat7 gbeschbacher 333 Mar 19 00:52 solr.xml
-rw-r--r-- 1 tomcat7 gbeschbacher 501 Sep 8 2014 zoo.cfg
In here, the solr.xml contains the following code:
/u/s/s/e/solr ❯❯❯ cat solr.xml
<?xml version="1.0" encoding="UTF-8" ?>
<solr persistent="false">
<cores adminPath="/admin/cores" host="${host:}" hostPort="${jetty.port:}">
<core name="atalanda_development" instanceDir="development" dataDir="development/data"/>
</cores>
</solr>
So, at the moment I really have no clue anymore what I could still try to get my setup to work, because I don't know what I am doing wrong here. Any suggestions or try-out solutions are appreciated, even if it's only a comment on what I could change.
If someone needs any more information to be able to give some hints, please tell me and I'll provide it!
I'm getting the following error when using imagick:
Fontconfig error: Cannot load default config file
My script is working, but I would like to fix this (it is filling up the log file).
The OS is:
# cat /etc/redhat-release
CentOS release 5.10 (Final)
I was looking through the internet a little bit, and this is what's causing the problem:
access("/etc/fonts/fonts.conf", R_OK) = -1 ENOENT (No such file or directory)
The folder exists:
# ls /etc/fonts/ -all
total 64
drwxr-xr-x 4 root root 4096 Jul 9 2010 ./
drwxr-xr-x 86 root root 12288 Jan 13 00:48 ../
drwxr-xr-x 2 root root 4096 Jan 3 2012 conf.avail/
drwxr-xr-x 2 root root 4096 Apr 14 2013 conf.d/
-rw-r--r-- 1 root root 5239 Jan 12 2008 fonts.conf
-rw-r--r-- 1 root root 6907 Jan 12 2008 fonts.dtd
But I see this folder only via the root account; the other account under which the script is run doesn't see this folder. The permissions look fine to me, but I'm not so experienced with Linux.
The account under which the script is run was created with WHM.
Please help :)
I managed to solve my problem. chroot was making trouble.
I needed to:
log in with the root account
find the jailed environment of the account under which I run the script (in my case /home/virtfs/[username])
create the folder where I will mount the real stuff: mkdir /home/virtfs/[username]/etc/fonts
mount /etc/fonts to this folder: mount --bind /etc/fonts /home/virtfs/[username]/etc/fonts
Posting an answer for CentOS 7 in 2021:
yum install fontconfig
More info here:
https://centos.pkgs.org/7/centos-x86_64/fontconfig-2.13.0-4.3.el7.x86_64.rpm.html
I set up svn on my local system at /svn/repos/myproject by following this tutorial. I'm able to view the repo in the browser.
But when I try to import a new project through an svn client (RapidSVN), I can't; it shows the following error:
Execute: Import
Error while performing action:
Can't open file '/svn/repos/myproject/db/txn-current-lock': Permission denied
Svn directory permissions:
→ ls -l /svn
total 12
drwxrwxr-x 2 root root 4096 Feb 15 12:09 permissions
drwxrwxr-x 4 apache apache 4096 Feb 15 12:09 repos
drwxrwxr-x 2 root root 4096 Feb 15 12:09 users
Repo directory:
→ ls -l
total 8
drwxrwxr-x 3 root root 4096 Feb 15 12:09 conf
drwxrwxr-x 7 apache apache 4096 Feb 15 12:09 myproject
How to solve this issue?
I've given 777 permissions to the repos directory, which solved this issue. But I got another issue: Couldn't perform atomic initialization.
I think this is due to an incompatible sqlite version with the subversion we're using; this can be solved by updating the svnadmin command:
svnadmin create --pre-1.6-compatible --fs-type fsfs /svn/repos/myproject