如何允许Tomcat war应用程序写入文件夹 [英] How to allow Tomcat war app to write in folder
问题描述
我希望作为战争部署的 web 应用程序 ROOT.war 具有对 /var/www/html/static/images 的写访问权限,以便它可以将上传和转换的图像写入该文件夹,以便 nginx 可以静态提供它.目前它不起作用并触发 java.nio.file.FileSystemException 异常以及 Filesystem is read-only 消息.
I'd like for my webapp which is deployed as a war ROOT.war to have write access to /var/www/html/static/images so that it can write uploaded and converted images to that folder so nginx can serve it statically. Currently it doesn't work and triggers a java.nio.file.FileSystemException exception together with the Filesystem is read-only message.
但是文件系统不是只读的,并且状况良好.该文件夹已经被修改为 777.
But the filesystem is not read-only and is in great condition. The folder has already been chmodded 777.
额外信息:tomcat 设置在带有托管磁盘的 Ubuntu 18.04 Azure VM 上运行.该文件夹位于 Ext4 格式的驱动器上
Extra info: The tomcat setup is running on an Ubuntu 18.04 Azure VM with managed disk. The folder is residing on an Ext4 formatted drive
推荐答案
让我们开始:chmod 777 非常适合测试,但绝对不适合现实世界,你不应该习惯这个设置.而是在授予世界写入权限之前正确设置所有者/组.
Let's start with: chmod 777 is great for testing, but absolutely unfit for the real world and you shouldn't get used to this setting. Rather set the owner/group correctly, before you give world write permissions.
一个类似的问题刚刚出现在 Tomcat 邮件列表中,Emmanuel Bourg 指出 Debian Tomcat 被 systemd 沙箱化.阅读您的 /usr/share/doc/tomcat9/README.Debian 包含这一段:
A similar question just came up on the Tomcat mailing list, and Emmanuel Bourg pointed out that Debian Tomcat is sandboxed by systemd. Read your /usr/share/doc/tomcat9/README.Debian which contains this paragraph:
Tomcat 被 systemd 沙箱化,并且只有对以下目录:
Tomcat is sandboxed by systemd and only has write access to the following directories:
- /var/lib/tomcat9/conf/Catalina(实际上是/etc/tomcat9/Catalina)
- /var/lib/tomcat9/logs(实际上是/var/log/tomcat9)
- /var/lib/tomcat9/webapps
/var/lib/tomcat9/work(实际上是/var/cache/tomcat9)
- /var/lib/tomcat9/conf/Catalina (actually /etc/tomcat9/Catalina)
- /var/lib/tomcat9/logs (actually /var/log/tomcat9)
- /var/lib/tomcat9/webapps
/var/lib/tomcat9/work (actually /var/cache/tomcat9)
如果需要对其他目录的写访问权限,则服务设置必须被覆盖.这是通过创建 override.conf 文件来完成的在/etc/systemd/system/tomcat9.service.d/包含:
If write access to other directories is required the service settings have to be overridden. This is done by creating an override.conf file in /etc/systemd/system/tomcat9.service.d/ containing:
[服务]
ReadWritePaths=/path/to/the/directory/
之后必须重新启动服务:
The service has to be restarted afterward with:
systemctl daemon-reload
systemctl restart tomcat9
编辑结束,继续没有解决OP问题的段落,但应该留在:
End of edit, continuing with the passage that didn't solve OP's problem, but should stay in:
如果 - 所有经过测试的东西 - Tomcat 应该对该目录具有写访问权限,但没有,错误消息将我指向一个假设:可能是这样的
If - all things tested - Tomcat should have write access to that directory, but doesn't have it, the error message points me to an assumption: Could it be that
- Tomcat 是否以 root 身份运行?
- 目录是通过NFS挂载的?
NFS 的默认配置是 root 在外部文件系统上没有任何权限(或者它没有写权限?这是古老的历史记忆 - 查找NFS root squash"以获取完整故事)
The default configuration for NFS is that root has no permissions whatsoever on that external filesystem (or was it no write-permission? this is ancient historical memory - look up "NFS root squash" to get the full story)
如果这是一个与您正在运行的条件相匹配的条件,您应该停止以 root 身份运行 Tomcat,而是以非特权用户身份运行它.然后,您可以将相关目录的权限设置为您的 tomcat 用户可写,nginx 可读,您就完成了.
If this is a condition that matches what you are running, you should stop running Tomcat as root, and rather run it as an unprivileged user. Then you can set the permissions on the directory in question to be writeable by your tomcat-user, and readable by nginx, and you're done.
以 root 身份运行 Tomcat 会导致灾难:您不希望 Internet 上可用的进程以 root 身份运行.
Running Tomcat as root is a recipe for disaster: You don't want a process that's available from the internet to run as root.
如果这些条件不符合您的配置:详细说明配置.对于稍后可能会找到此问题/答案的其他人,我仍然支持此描述.
If these conditions don't meet your configuration: Elaborate on the configuration. I'd still stand by this description for others who might find this question/answer later.
这篇关于如何允许Tomcat war应用程序写入文件夹的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
