Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.3k views
in Technique[技术] by (71.8m points)

azure - How to allow Tomcat war app to write in folder

I'd like for my webapp which is deployed as a war ROOT.war to have write access to /var/www/html/static/images so that it can write uploaded and converted images to that folder so nginx can serve it statically. Currently it doesn't work and triggers a java.nio.file.FileSystemException exception together with the Filesystem is read-only message.

But the filesystem is not read-only and is in great condition. The folder has already been chmodded 777.

Extra info: The tomcat setup is running on an Ubuntu 18.04 Azure VM with managed disk. The folder is residing on an Ext4 formatted drive

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Let's start with: chmod 777 is great for testing, but absolutely unfit for the real world and you shouldn't get used to this setting. Rather set the owner/group correctly, before you give world write permissions.

Edit: A similar question just came up on the Tomcat mailing list, and Emmanuel Bourg pointed out that Debian Tomcat is sandboxed by systemd. Read your /usr/share/doc/tomcat9/README.Debian which contains this paragraph:

Tomcat is sandboxed by systemd and only has write access to the following directories:

  • /var/lib/tomcat9/conf/Catalina (actually /etc/tomcat9/Catalina)
  • /var/lib/tomcat9/logs (actually /var/log/tomcat9)
  • /var/lib/tomcat9/webapps
  • /var/lib/tomcat9/work (actually /var/cache/tomcat9)

    If write access to other directories is required the service settings have to be overridden. This is done by creating an override.conf file in /etc/systemd/system/tomcat9.service.d/ containing:

[Service]

ReadWritePaths=/path/to/the/directory/

The service has to be restarted afterward with:

  systemctl daemon-reload
  systemctl restart tomcat9

End of edit, continuing with the passage that didn't solve OP's problem, but should stay in:

If - all things tested - Tomcat should have write access to that directory, but doesn't have it, the error message points me to an assumption: Could it be that

  • Tomcat is running as root?
  • The directory is mounted through NFS?

The default configuration for NFS is that root has no permissions whatsoever on that external filesystem (or was it no write-permission? this is ancient historical memory - look up "NFS root squash" to get the full story)

If this is a condition that matches what you are running, you should stop running Tomcat as root, and rather run it as an unprivileged user. Then you can set the permissions on the directory in question to be writeable by your tomcat-user, and readable by nginx, and you're done.

Running Tomcat as root is a recipe for disaster: You don't want a process that's available from the internet to run as root.

If these conditions don't meet your configuration: Elaborate on the configuration. I'd still stand by this description for others who might find this question/answer later.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...