
I have a Java webapp that runs under Apache Tomcat on Ubuntu Linux. When I upgraded from Tomcat 8 to Tomcat 9, the application was no longer able to write log files to /var/log/myapp. I can't figure out why it doesn't have permission to log to this location.

My first thought was that the user changed. Tomcat 8 ran under the tomcat8:tomcat8 user. Tomcat 9 runs under the tomcat:tomcat user. I updated the directory with those permissions. Both the tomcat user and tomcat group have write permission.

I also checked the write and execute permissions of that directory. That directory has write and execute permissions, and all parent directories have execute permissions.

/var/log/myapp/ drwxrwxr-x  tomcat tomcat
/var/log        drwxrwxr-x  root syslog 
/var            drwxr-xr-x  root root            
/               drwxr-xr-x  root root

If I run the following code under my web application

    File logdir =  new File("/var/log/myapp");
    setAttribute("debug", 
        "<br>user: " + System.getProperty("user.name") +
        "<br>execute: " + logdir.canExecute() +
        "<br>read: " + logdir.canRead() +
        "<br>write: " + logdir.canWrite()
    );

it prints out that there is no write permission

user: tomcat
execute: true
read: true
write: false

If I run similar code in a main method as the tomcat user

    File logdir = new File("/var/log/myapp");
    System.out.println("\n user: " + System.getProperty("user.name") +
        "\n execute: " + logdir.canExecute() +
        "\n read: " + logdir.canRead() +
        "\n write: " + logdir.canWrite()
    );

It prints that it has write permission

user: tomcat
execute: true
read: true
write: true

I've exhausted all the debugging that I know how to do. What is preventing my web application from writing to this directory under Tomcat 9? What do I need to do to fix it?

  • I don't know too much about coding for Tomcat, but you set `new File("/var/log/myapp")`, but created a directory: `/var/log/myapp/ drwxrwxr-x tomcat tomcat`. Is Tomcat trying to write the **file** `myapp` instead of _into_ the **directory** `/var/log/myapp`? – Lenniey Oct 23 '19 at 16:14
  • I'm trying to create files in that directory and getting a permission denied error. It appears to be because the directory is not writable. However, it must be some restriction from within Tomcat itself, and something new in Tomcat 9. I can write to the directory just fine from outside Tomcat and I could do so from within the webapp under Tomcat 8. – Stephen Ostermiller Oct 23 '19 at 16:27
  • Tomcat 9 is running smoothly on its own? Using the `tomcat` user and group? Only logging from inside your webapp doesn't work? – Lenniey Oct 23 '19 at 16:30
  • Correct. Everything is running fine except logging from my webapp. (I actually have several webapps and they all have the same problem of not being able to write each to their own log directory). In fact the webapps themselves are running ok without logging. They ignore the exceptions from logging and just don't write any logs. It is making debugging a bit difficult though. – Stephen Ostermiller Oct 23 '19 at 16:43
  • Could you try setting `export UMASK=0022` in your `setenv.sh` and restart Tomcat9? – Lenniey Oct 23 '19 at 16:45
  • I haven't used `setenv.sh` since tomcat7. In tomcat 8 and 9, I put the settings that used to go in it into `/etc/default/tomcat9` – Stephen Ostermiller Oct 23 '19 at 16:51
  • @Lenniey thanks for your help. I found the issue from some other people posting about similar problems: [Tomcat - User - migrate to tomcat 9: application can not write files on system filder](http://tomcat.10.x6.nabble.com/migrate-to-tomcat-9-application-can-not-write-files-on-system-filder-td5087140.html) and [How to allow Tomcat war app to write in folder](https://stackoverflow.com/questions/56827735/how-to-allow-tomcat-war-app-to-write-in-folder) – Stephen Ostermiller Oct 23 '19 at 17:14

2 Answers


This is caused by new systemd sandboxing around Tomcat 9 as part of Debian/Ubuntu. To solve the problem you need to tell systemd to allow read/write access to additional directories for Tomcat.

    sudo mkdir -p /etc/systemd/system/tomcat9.service.d
    echo -e "[Service]\nReadWritePaths=/var/log/" | sudo tee /etc/systemd/system/tomcat9.service.d/logging-allow.conf
    sudo systemctl daemon-reload
    sudo systemctl restart tomcat9

After making these changes, web apps can once again write to their own directories in /var/log.

Source: Debian Tomcat 9 release notes

  • OMG yes! I have been struggling with this one for a while. This post should rank higher in searches – Kikin-Sama Jun 12 '20 at 04:52
  • You have just saved me after hours of debugging! Systemd at it again ¯\\_(ツ)_/¯ – vikarjramun Jul 20 '20 at 01:10
  • @StephenOstermiller you're correct. I deleted my comment. I forgot that I also had to give the tomcat user permissions on the directory. – Jimmy D Apr 20 '22 at 16:14

Stephen Ostermiller's answer solves the problem.
Another way to do it would be:

    systemctl edit tomcat9.service

put in

    [Service]
    ReadWritePaths=/var/log/

This will get written to /etc/systemd/system/tomcat9.service.d/override.conf.
Then do

    systemctl daemon-reload
    systemctl restart tomcat9.service

You can go back to the original with

    systemctl revert tomcat9.service

– Guido