Jetty bash script works only with root user
I have installed Jetty 9 (latest version) by extracting the archive in /opt/jetty.
The start.jar runs fine, but I want the bash service bin/jetty.sh to be run by a non-root user.
The issue I'm having with the bash script is that when I don't specify a value for $JETTY_USER in /etc/default/jetty (it uses root user), Jetty works. But when I assign a value to it, Jetty fails with the message: Starting Jetty: FAILED, and no log.
So, how do I create a user that can run the jetty?
I know that this question is old, but since this behaviour bugged me recently as well, here's my hint. In my case it was Jetty 8.x on CentOS 6.5, and I had the exact similar behaviour: jetty starting flawlessly when launched on command line both as root and as the newly created jetty user, but failing to start whenever trying to run it as a service and specifying a user through the variable JETTY_USER in /etc/default/jetty. Logs were completely empty.
The trick in my case was that no directory was openly specified for logs in the JETTY_LOGS variable. When run directly as a user, when Jetty can't access a normal directory for logs it will try to create one for the user. With the startup script in CentOS/RH systems, though, the process is run by a 'su - -c "command" user' which seems to break that kind of behaviour. No complaint is filed in the logs file, as the process breaks right when trying to access them, and both stdout and stderr are redirected to the logs.
To debug your exact permissions problem, try running the server through a "su -c" like the script does; the difference is that you will finally have your stderr on the console. And for the future, also manually create a jetty logs directory with the right permissions, and specify it inside the JETTY_LOGS variable: much less of a headache!
I faced the same issue. In my case I installed Jetty v 9.2.10.v201503 on pcDuino v3, Ubuntu 14.04 following step-by-step installation guidelines “Startup a Unix Service using jetty.sh” (see documentation on eclipse.org).
Since the steps are run as root, I ended up with mixed ownership (root and jetty) of files and directories in $JETTY_BASE directory.
I added JETTY_LOGS=$JETTY_BASE/logs and JETTY_USER=jetty to the /etc/default/jetty file and reissued chown -R jetty:jetty $JETTY_BASE.
After these steps Jetty runs under credentials of jetty user. Though it was pretty easy, I hope that this note might be useful for others who are not professional admins.
Your question seems a little bit mixed up, so it's not 100% clear what outcome you are actually looking for.
The steps you're taking won't work, and there's very little you can do to make them work, but if you can explain what outcome you're after, then we may offer an alternative.
The short answer is:
JETTY_USER then jetty.sh has to be run by root.
JETTY_USER, or su to JETTY_USER, both of which assume you're running as root.
So, that path isn't going to work for you.
Here's what you can do:
If you simply want to run Jetty as a specific user (eg jetty)
JETTY_USER
jetty and run jetty.sh
If you want to be able to run on port 80 but not run as root
init.d and service)
If you want all users (or some users) to start jetty, but have it run as 1 specific user
Check the ${jetty.home}/logs/start.log (or similarly named log file)
That will tell you why it failed.
Also, you might want to look into the optional setuid support.
http://www.eclipse.org/jetty/documentation/current/setuid.html
I faced the same issue; there was an access rights problem on the directory /var/run/jetty/ and jetty was trying to write the logs in that directory.
A chmod 777 /var/run/jetty/ fixed the issue for me.
The problem is caused by no write access rights to the JETTY_RUN which by default is set to /var/run which is effectively regenerated and rights reset to root only on every restart (daemon init). Actually jetty.sh has JETTY_RUN covered such as:
..defaults to the first available of /var/run, /usr/var/run, JETTY_BASE and /tmp if not set.
but that wasn't working in my case. The solution is explicitly setting the JETTY_RUN within /etc/init.d/jetty pointing to the directory which jetty user(group) has write access to (ie /opt/jetty/temp).
ps: Debian 8 vs Jetty 9.4
Several of the posted answers to this question are correct, and might be needed in combination. Also setting JETTY_USER can have some indirect requirements.
Running jetty as a user other than root requires correct permissions allowing that user access to certain files/directories/trees. Those filesystem objects include the <jetty-home> tree, and either /var/run/jetty or wherever JETTY_RUN, JETTY_START_LOG and JETTY_LOGS are set to if not left to default to /var/run/jetty.
Running jetty as a user by setting JETTY_USER (eg. JETTY_USER=jetty for running the OS service as non-root) also requires that OS user to have a valid shell (eg. /var/sh) set in /etc/passwd. A good practice is to set that user to have an invalid shell (eg. /usr/sbin/nologin), closing the security hole of this service user allowing a login. In that case the jetty startup environment must also set JETTY_SHELL (eg. JETTY_SHELL=/bin/sh) providing a shell for the nonlogin session in which to execute the jetty executables.
These settings can be made in the service startup script (eg. /etc/init.d/jetty where they're commented out by default), but it's a better practice to set them in /etc/default/jetty, leaving the startup script alone because it contains logic and other content better left undisturbed.
Also note that running jetty as root, such as starting it as a service without changing the configured jetty runtime user, will create files (such as logfiles) that are owned by root. Changing the runtime user to a non-root user can cause jetty to fail because it tries to rewrite as the non-root user a file that is owned by root. For example <jetty-base>/logs/<YYYY>_<MM>_<DD>.jetty.log. Changing the owner of that file to the non-root user, or deleting it, is necessary to solve that problem.
And note that when jetty fails to start up because of these kinds of problems it will not write to a log (none is accessible, jetty isn't actually running), outputting merely Starting Jetty: FAILED <datetime>.
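An added example, not part of any answer above and not Jetty's own code: a preflight check, run as root, that reads a defaults file in the /etc/default/jetty format and reports the ownership and shell problems the answers describe. The function names jetty_preflight and check_dir are hypothetical, and requiring JETTY_LOGS and JETTY_RUN to be set explicitly follows the answers' advice rather than jetty.sh's own defaults.

```shell
#!/bin/sh
# Added example (not part of jetty.sh): preflight check before enabling JETTY_USER.
# jetty_preflight and check_dir are hypothetical helper names.

# check_dir USER DIR LABEL: print one line per problem found under DIR.
check_dir() {
    if [ ! -d "$2" ]; then
        echo "$3: $2 does not exist"
        return 0
    fi
    # Files left behind by an earlier run as root show up here.
    find "$2" ! -user "$1" 2>/dev/null | while IFS= read -r p; do
        echo "$3: $p is not owned by $1"
    done
}

# jetty_preflight FILE: source FILE (/etc/default/jetty syntax) in a subshell
# and print every problem found; prints nothing when all checks pass.
jetty_preflight() (
    unset JETTY_USER JETTY_SHELL JETTY_LOGS JETTY_RUN
    . "$1" || exit 1
    if [ -z "$JETTY_USER" ]; then
        echo "JETTY_USER: not set"
        exit 0
    fi
    # A nologin service account needs JETTY_SHELL so that su can run commands.
    login_shell=$(awk -F: -v u="$JETTY_USER" \
        '$1 == u || $3 == u { print $7; exit }' /etc/passwd 2>/dev/null) || :
    case $login_shell in
        */nologin | */false)
            [ -n "$JETTY_SHELL" ] ||
                echo "JETTY_SHELL: not set, but login shell is $login_shell"
            ;;
    esac
    # The answers advise setting both directories explicitly.
    for var in JETTY_LOGS JETTY_RUN; do
        eval "dir=\${$var}"
        if [ -z "$dir" ]; then
            echo "$var: not set explicitly"
        else
            check_dir "$JETTY_USER" "$dir" "$var"
        fi
    done
)

# Usage (as root, so find can read every directory):
#   jetty_preflight /etc/default/jetty
```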
All you have to do is change the ownership of the /var/run/jetty directory: sudo chown -R jetty:jetty /var/run/jetty
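Notice: the technical post pages on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.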