A potential drawback of installing Tomcat from a binary distribution instead of using a Linux-packaged version is that you’ll have to do some extra legwork to make Tomcat start automatically when Linux boots up. To make this process easy and pain-free, follow this simple guide.
Step 1 – Create A Tomcat-Specific User and User Group
It’s a bad idea to run Tomcat as the root user, especially if you’re going to be starting Tomcat automatically. It’s much more secure to create a new group and user specifically to run Tomcat. You can do so with the following commands (in this example, we have created a user group named tomcat, and a user named tomcat with the password tomcat; you can certainly be more creative if you wish):
$ groupadd tomcat
$ useradd -s /sbin/nologin -g tomcat -d /path/to/tomcat tomcat
$ passwd tomcat
Alternatively, create the account as a system user with -r (no password aging, UID from the system range, no home directory):
$ useradd -r -s /sbin/nologin tomcat
-r, --system
Create a system account.
System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).
Note that useradd will not create a home directory for such a user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m option if you want a home directory for a system account to be created.
-s, --shell SHELL
The name of the user’s login shell. The default is to leave this field blank, which causes the system to select the default login shell specified by the SHELL variable in /etc/default/useradd, or an empty string by default.
useradd -m -d /home/thenewuser -s /bin/bash -c "the new user" -U thenewuser
-c "message" : extra information about the user (the GECOS/comment field).
-U thenewuser : create a group with the same name as the user, and add the user to this group.
-N : tells the system not to create a group having the user’s name.
-m, --create-home are the same: create the user’s home directory if it does not exist.
-d, --home HOME_DIR : the new user will be created using HOME_DIR as the value for the user’s login directory.
If -d is not used, the default home directory will be /home/thenewuser.
-m -d /data/thenewuser : the -m argument creates the /data/thenewuser home directory specified by the -d argument.
-M : tells the system not to create a home directory.
-s /bin/bash : -s specifies the user’s default shell, /bin/bash in this case.
-s and --shell are the same.
-s /sbin/nologin : /sbin/nologin on Fedora and /usr/sbin/nologin on Debian are two shells that return a polite message like “this account is not available” and do not allow you to log into the system. This message can be customized.
-s /bin/false : an older way of denying a user’s login. /bin/false exits immediately with a non-zero status. User accounts with /bin/false or /bin/true as their default shell are locked.
/sbin/nologin comes from util-linux, while /bin/false is part of GNU coreutils. These shells must be listed in /etc/shells to work.
Users with /sbin/nologin (or /usr/sbin/nologin) can connect through ssh or ftp, but users with /bin/false are completely locked out of the system.
You can also view the default parameters used for newly created users with useradd -D:
# useradd -D
Step 2 – Adjust Ownership For New Users And Groups
Now that you have created a user to run Tomcat, you’ll need to give them access to the correct directories. Use the following commands, substituting your own usernames and groups as necessary:
# chown -R tomcat:tomcat /path/to/tomcat
# chmod 775 /path/to/tomcat/webapps
The first gives ownership of the Tomcat directories to the Tomcat user and group, and the second (mode 775) makes the webapps directory writable by that owner and group, so Tomcat can deploy applications there while other users keep read-only access.
Step 3 – Relay Traffic For Non-Root Tomcat User
When running Tomcat as a user other than root, you will not be able to bind to port 80, the standard HTTP port (an unprivileged process can only bind ports above 1023). To get around this, leave Tomcat on its default port 8080 and redirect port 80 to it with Netfilter, which is packaged with all major Linux distributions:
# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
To preserve these rules through a reboot, save them with the iptables-save command, and then follow the procedure appropriate for your Linux distribution (for most distributions, this means editing the iptables init script; Debian users should load the configuration via a script called by if-up.d or pre-up.d).
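Steps 1 to 3 are usually repeated on every new host, so it helps to have them in one script that can be re-run without side effects. The following is an added example, not code from the original guide: it creates the dedicated account as a system user with a nologin shell, hands it the install tree, and inserts the port-80 redirect only if the rule is not already present. The account name tomcat, the install path /opt/tomcat (TOMCAT_HOME) and port 8080 are assumptions; DRY_RUN=1 prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): provision the dedicated
# Tomcat account (Step 1), hand it the install tree (Step 2) and redirect
# port 80 to Tomcat's unprivileged port (Step 3) in one re-runnable script.
# Assumptions: account/group named tomcat, install in $TOMCAT_HOME
# (default /opt/tomcat), Tomcat listening on 8080.
# Run with DRY_RUN=1 first to see the privileged commands without executing them.
set -eu

TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat}"
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a privileged command, or print it instead when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nologin_shell: pick the "deny login" shell present on this distribution
# (/sbin/nologin on Fedora, /usr/sbin/nologin on Debian, /bin/false as fallback)
nologin_shell() {
    for s in /sbin/nologin /usr/sbin/nologin; do
        if [ -x "$s" ]; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    printf '%s\n' /bin/false
}

# create_tomcat_account: system group and system user (-r), no login shell,
# home set to the install tree; skipped when the names already exist
create_tomcat_account() {
    shell=$(nologin_shell)
    if ! getent group "$TOMCAT_GROUP" >/dev/null 2>&1; then
        run groupadd -r "$TOMCAT_GROUP"
    fi
    if ! getent passwd "$TOMCAT_USER" >/dev/null 2>&1; then
        run useradd -r -g "$TOMCAT_GROUP" -d "$TOMCAT_HOME" -s "$shell" "$TOMCAT_USER"
    fi
}

# fix_ownership: Step 2, using the colon form of owner:group
fix_ownership() {
    run chown -R "$TOMCAT_USER:$TOMCAT_GROUP" "$TOMCAT_HOME"
    run chmod 775 "$TOMCAT_HOME/webapps"
}

# redirect_http: Step 3. The -C (check) call makes the insert idempotent, so
# re-running the script does not stack duplicate REDIRECT rules in the nat table.
redirect_http() {
    from="${1:-80}"
    to="${2:-8080}"
    for chain in PREROUTING OUTPUT; do
        if [ "$DRY_RUN" = "1" ] || \
           ! iptables -t nat -C "$chain" -p tcp --dport "$from" -j REDIRECT --to-ports "$to" 2>/dev/null; then
            run iptables -t nat -I "$chain" -p tcp --dport "$from" -j REDIRECT --to-ports "$to"
        fi
    done
}

# Only act when explicitly asked, so the file can be sourced to reuse its functions.
if [ "${1:-}" = "--apply" ]; then
    create_tomcat_account
    fix_ownership
    redirect_http 80 8080
    echo "Remember to persist the nat rules with iptables-save."
fi
```

Run it as root with --apply once DRY_RUN output looks right. The existence checks and the iptables -C test are what make a second run harmless, which matters when the script is later wired into configuration management.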
Step 4 – Create A Custom init Script
To start Tomcat at Linux boot time, we’ll need to create an init script that calls the startup.sh and shutdown.sh scripts included with Tomcat.
The actual creation of this script is outside the scope of this article, but there are many useful resources available online. All you need to know in order to use the basic init script format to call Tomcat is how the startup.sh and shutdown.sh scripts work.
For more information about these scripts, visit our Tomcat Start page, which includes a simple, step-by-step guide to Tomcat’s three start-up shell scripts.
Two fragments such a script typically contains: setting permissions on the install tree, and invoking startup.sh as the Tomcat owner (su -s supplies a working shell for this one command, because the account’s own shell is nologin):
chmod 774 /opt/apache-tomcat-8.0.12-1/ -Rf
/bin/su -s /bin/bash $TOMCAT_OWNER -c $CATALINA_HOME/bin/startup.sh
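The guide leaves the init script itself to the reader, so the following is an added example of a minimal SysV-style one, not code from the original page or from the Tomcat project. It wraps startup.sh and shutdown.sh, runs them as the unprivileged owner via su -s, and exports CATALINA_PID so that stop and status can check the real JVM process rather than guessing. The user name tomcat, CATALINA_HOME=/opt/tomcat and the pid file location are assumptions.

```shell
#!/bin/sh
# /etc/init.d/tomcat  (added example; not from the original page or Tomcat)
# chkconfig: 345 80 20
# description: Apache Tomcat servlet container running as an unprivileged user
# Assumptions: Tomcat owner "tomcat" (Step 1), CATALINA_HOME=/opt/tomcat.

TOMCAT_USER="${TOMCAT_USER:-tomcat}"
CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat}"
# With CATALINA_PID set, startup.sh records the JVM's pid here, so stop/status
# can verify the actual process instead of assuming shutdown.sh succeeded.
CATALINA_PID="${CATALINA_PID:-$CATALINA_HOME/temp/tomcat.pid}"
export CATALINA_HOME CATALINA_PID

# tomcat_pid: print the recorded pid; fail if the pid file is absent or empty
tomcat_pid() {
    [ -s "$CATALINA_PID" ] && cat "$CATALINA_PID"
}

# tomcat_running: succeed only if the recorded pid belongs to a live process
tomcat_running() {
    pid=$(tomcat_pid) || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# as_tomcat: run one of Tomcat's bin/ scripts as the unprivileged owner.
# The account's shell is nologin, so -s supplies a shell for this command only.
as_tomcat() {
    su -s /bin/bash "$TOMCAT_USER" -c "CATALINA_PID='$CATALINA_PID' '$CATALINA_HOME/bin/$1'"
}

start() {
    if tomcat_running; then
        echo "Tomcat already running (pid $(tomcat_pid))"
        return 0
    fi
    as_tomcat startup.sh
}

stop() {
    if ! tomcat_running; then
        echo "Tomcat is not running"
        return 0
    fi
    as_tomcat shutdown.sh
    # Give the JVM a bounded time to exit; report failure instead of hanging.
    i=0
    while tomcat_running && [ "$i" -lt 30 ]; do
        sleep 1
        i=$((i + 1))
    done
    if tomcat_running; then
        echo "Tomcat did not stop within 30s (pid $(tomcat_pid))" >&2
        return 1
    fi
    rm -f "$CATALINA_PID"
}

status() {
    if tomcat_running; then
        echo "Tomcat running (pid $(tomcat_pid))"
    else
        echo "Tomcat stopped"
        return 3   # LSB: program is not running
    fi
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop && start ;;
    status)  status ;;
    "")      ;;    # sourced or run without arguments: define functions only
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

The script runs as root from the init system, but the JVM itself never does: su drops to the Tomcat owner before startup.sh executes. Because CATALINA_PID is passed on the su command line, it survives even if PAM or su resets the environment.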