What benefit do I get from JSVC over just using systemd?

user636044 · Mar 6, 2015 · Viewed 14.5k times

The Tomcat documentation describes the process of compiling and installing JSVC which can be used to run Tomcat as a daemon. As per my understanding, JSVC has two benefits:

  1. It launches as root allowing for the use of a privileged port (like 80 or 443).
  2. It creates a "controller process" which will monitor a "controlled process" (the main Java thread) and restart the process on failure.

I've been learning systemd, including the service unit configuration. Based on my limited understanding, systemd is able to perform the same tasks as JSVC if I set User=tomcat (using the desired username) and Restart=on-failure in my tomcat.service configuration file.

Using JSVC, I would expect tomcat.service to look something like this:

[Unit]
Description=Apache Tomcat
After=network.target

[Service]
Environment=CATALINA_PID=/var/run/tomcat.pid
Environment=JAVA_HOME=/path/to/java
Environment=CATALINA_HOME=/opt/tomcat
...

ExecStart=/opt/tomcat/bin/jsvc \
    -Dcatalina.home=${CATALINA_HOME} \
    -user tomcat \
    -java-home ${JAVA_HOME} \
    -pidfile ${CATALINA_PID} \
    ...
    org.apache.catalina.startup.Bootstrap

ExecStop=/opt/tomcat/bin/jsvc \
    -pidfile ${CATALINA_PID} \
    ...
    -stop \
    org.apache.catalina.startup.Bootstrap

[Install]
WantedBy=multi-user.target

Using systemd, I would expect tomcat.service to look something like this:

[Unit]
Description=Apache Tomcat
After=network.target

[Service]
Type=forking  
PIDFile=/var/run/tomcat.pid
User=tomcat
Group=tomcat
Environment=JAVA_HOME=/path/to/java
Environment=CATALINA_HOME=/opt/tomcat
...

Restart=on-failure

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

My preference is using just systemd as it's already there and I have to (should) use it anyway. I am however uncertain as to whether or not I will be missing any benefit of using JSVC that I am overlooking.

What can be achieved by JSVC that cannot be achieved by systemd if I want to run Tomcat as a daemon?

Also, if systemd is able to perform the same tasks as JSVC as well as JSVC, I'd also like to ask for any configuration tips you may offer to best achieve the benefits of JSVC using just systemd.

Answer

zbyszek · Mar 8, 2015

In general, most of the functionality provided by jsvc is provided by systemd, with the exception of opening of privileged ports (see below). If possible, it is a very good idea to switch to using systemd functionality directly, since things become simpler and more efficient.

Your unit file looks mostly OK, with the exception of

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

This part looks like another wrapper which can be replaced with a direct call to java -jar ....

Opening privileged sockets

Under Systemd this is usually done through socket activation. Systemd opens the socket and hands it to the daemon as an open file descriptor (like stdin, stdout, stderr).

The daemon can then be started as unprivileged user, and does not drop privileges itself. The daemon has to support this, and instead of opening the socket by itself, it should use the one it was given. Under Java this is made very problematic by the lack of support in the Java stdlib.

AFAIK, tomcat does not support socket activation, so if you want to use a privileged port and run the daemon under an unprivileged user, jsvc might still be necessary.
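
The hand-off described in this answer, seen from the daemon's side, as an added example (not code from the answer, Tomcat or jsvc). It follows systemd's documented LISTEN_PID/LISTEN_FDS convention and is written in Python because Python can adopt an inherited descriptor directly; the function names and the port in the comment are assumptions.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # first passed descriptor, right after stdin/stdout/stderr


def listen_fds(environ=os.environ, pid=None):
    """Return the descriptor numbers systemd passed to this process."""
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ["LISTEN_PID"]) != pid:
            return []  # variables leaked from a parent; the fds are not ours
        count = int(environ["LISTEN_FDS"])
    except (KeyError, ValueError):
        return []  # not started through socket activation
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + max(count, 0)))


def adopt_listener(fd):
    """Wrap an inherited descriptor; reject anything but a listening stream socket."""
    sock = socket.socket(fileno=fd)  # family and type are read from the descriptor
    listening = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN)
    if sock.type != socket.SOCK_STREAM or not listening:
        sock.detach()  # leave the descriptor untouched for the caller
        raise ValueError(f"fd {fd} is not a listening stream socket")
    return sock


def main():
    # Assumes a .socket unit with e.g. ListenStream=443 owns the port and the
    # matching .service sets User= to an unprivileged account.
    fds = listen_fds()
    if len(fds) != 1:
        # Fail closed: never fall back to binding the port ourselves.
        raise SystemExit("expected exactly one socket from systemd")
    with adopt_listener(fds[0]) as listener:
        conn, _peer = listener.accept()
        with conn:
            conn.sendall(b"served without ever holding root\n")


if __name__ == "__main__":
    main()
```

The LISTEN_PID check matters because these variables are inherited by child processes: a helper spawned by the daemon must not treat descriptors 3 and up as its own.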