Jason Welsh
2017-May-04 15:06 UTC
[CentOS] running tomcat as non-root user.. (/var/run pidfile issue)
Hey folks, we are migrating our tomcat setup over to centos 7. I'm converting init-scripts over to systemd services and whatnot.. One thing that I've noticed is that my systemd startup script can't seem to write to /var/run as a non-root user to drop a pidfile.. If I create a directory in /var/run owned by my user, it gets wiped out on reboot.

I've searched and found this

https://blog.hqcodeshop.fi/archives/93-Handling-varrun-with-systemd.html

which says to use ExecStartPre to fudge creating directories in /var/run so that non-root users can write there..

Is that the suggested way to do this? It seems awful kludgey.

Jason
Paul Heinlein
2017-May-04 16:35 UTC
[CentOS] running tomcat as non-root user.. (/var/run pidfile issue)
On Thu, 4 May 2017, Jason Welsh wrote:

> hey folks, we are migrating our tomcat setup over to centos 7. I'm
> converting init-scripts over to systemd services and whatnot.. One
> thing that I've noticed is that my systemd startup script can't seem
> to write to /var/run as a non-root user to drop a pidfile.. If I
> create a directory in /var/run owned by my user, it gets wiped out
> on reboot.
>
> I've searched and found this
>
> https://blog.hqcodeshop.fi/archives/93-Handling-varrun-with-systemd.html
>
> which says to use ExecStartPre to fudge creating directories in
> /var/run so that non-root users can write there..
>
> Is that the suggested way to do this? It seems awful kludgey.

There are a couple of systemd-ish ways to handle this: tmpfiles or within the tomcat service file.

The canonical method is to drop a configuration into /etc/tmpfiles.d/:

    # /etc/tmpfiles.d/tomcat.conf
    # this assumes tomcat daemon runs as user tomcat and
    # group tomcat. alter as necessary.
    d /run/tomcat 0700 tomcat tomcat -

See the systemd-tmpfiles(8) and tmpfiles.d(5) man pages. After you install that file, do

    systemd-tmpfiles --create

The second method is to add an ExecStartPre to /usr/lib/systemd/system/tomcat.service, e.g.,

    [Service]
    Type=simple
    EnvironmentFile=/etc/sysconfig/tomcat
    # this assumes that TOMCAT_USER is defined correctly
    # in the EnvironmentFile
    ExecStartPre=/usr/bin/install -d \
      -o ${TOMCAT_USER} -m 0700 /run/tomcat
    ExecStart=/usr/libexec/tomcat/server start
    # etc etc

If you go that route, then after editing the service file, do

    systemctl daemon-reload
    systemctl start tomcat

I'd recommend the tmpfiles route myself, but either will get you where you want to go.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
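An added example, not part of the original thread: a small shell check for the tmpfiles.d approach in the message above, confirming that each /run directory entry is owned by the service user and is not group- or other-writable. The function names and the two weak sample entries are constructed for illustration.

```shell
#!/bin/sh
# audit_tmpfiles FILE SERVICE_USER   (hypothetical helper, not a systemd tool)
# Checks every directory entry ("d"/"D") under /run in a tmpfiles.d file:
#   - owner must be the service user, or the daemon cannot write its pidfile
#   - mode must be explicit octal with no group/other write bits
# Prints one line per finding and returns the number of findings (0 = clean).
audit_tmpfiles() {
    file=$1; svc_user=$2; findings=0
    while read -r kind dir mode owner grp rest; do
        case $kind in d|D) ;; *) continue ;; esac    # also skips comments/blanks
        case $dir in /run/*) ;; *) continue ;; esac
        if [ "$owner" != "$svc_user" ]; then
            echo "$dir: owned by '$owner', expected '$svc_user'"
            findings=$((findings + 1))
        fi
        case $mode in
            ''|*[!0-7]*)
                echo "$dir: mode '$mode' is not explicit octal"
                findings=$((findings + 1)) ;;
            *)
                # force octal interpretation, then test the g+w / o+w bits
                if [ $(( 0${mode#0} & 022 )) -ne 0 ]; then
                    echo "$dir: mode $mode is group/other-writable"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$file"
    return "$findings"
}

# Constructed sample: the first entry is the one from the thread,
# the other two are deliberately weak variants for comparison.
sample_conf() {
    cat <<'EOF'
# /etc/tmpfiles.d/tomcat.conf
d /run/tomcat 0700 tomcat tomcat -
d /run/tomcat-shared 0777 tomcat tomcat -
d /run/tomcat-root 0755 root root -
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_conf > "$tmp"
    audit_tmpfiles "$tmp" tomcat; echo "findings: $?"
    rm -f "$tmp"
fi
```

Run the script with `--demo` to audit the embedded sample, or source it and call `audit_tmpfiles /etc/tmpfiles.d/tomcat.conf tomcat` against a real file.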
Alexander Dalloz
2017-May-04 17:33 UTC
[CentOS] running tomcat as non-root user.. (/var/run pidfile issue)
On 04.05.2017 at 18:35, Paul Heinlein wrote:

> The second method is to add an ExecStartPre to
> /usr/lib/systemd/system/tomcat.service, e.g.,

Sorry, no. Better not touch the service files in /usr/lib/systemd/system which ship with the associated packages. You create user custom service files in /etc/systemd/system/. Easiest by "systemctl edit foo.service".

Alexander