Merge pull request silpion#33 in ISAR/ansible-tomcat from feature/ISA…

…R-273 to next

* commit 'b976ac3aa3b22269fbe4b97787de8e9577c2cc6a':
  With systemd on tomcat >= 8.5 we add custom protocol handlers based on the default when running tomcat with catalina.sh
  Fix typo in tasks documentation
  Non-systemd services call catalina.sh
  Fixup minimum required library files access controls for tomcat >= 8.5 to function
  Tomcat 8.5.N installs CATALINA_HOME/conf with umask 077
  Add tomcat version 8.5.6

tasks/8.5-acls.yml

@@ -0,0 +1,38 @@
+---
+- name: Register libraries in Tomcat installation
+  tags: tomcat
+  become: true
+  register: tomcat_registered_files
+  always_run: true
+  changed_when: false
+  when: tomcat_fact_is_not_initial_check_mode
+  shell: ls -1 {{ acl_dir }}/*.jar
+
+- name: Update installation folder access controls
+  tags: tomcat
+  become: true
+  file:
+    state: directory
+    dest: '{{ acl_dir }}'
+    mode: 'o=rx'
+
+- name: Update installation libraries access controls
+  tags: tomcat
+  become: true
+  with_items: '{{ (tomcat_registered_files|default({})).stdout_lines|default([]) }}'
+  file:
+    state: file
+    mode: 'o=r'
+    dest: '{{ item }}'
+
+- name: Update installation executables access controls
+  tags: tomcat
+  become: true
+  when: '{{ ansible_local.util.init.system != "systemd" }}'
+  with_items:
+    - catalina.sh
+    - setclasspath.sh
+  file:
+    state: file
+    mode: 'o=rx'
+    dest: '{{ tomcat_env_catalina_home }}/bin/{{ item }}'

tasks/main.yml

@@ -119,6 +119,22 @@
   args:
     creates: "{{ tomcat_env_catalina_home }}/lib"
 
+# Tomcat 8.5 is packaged with umask 027 which breaks current paradigm
+#   to keep CATALINA_HOME and CATALINA_BASE files separated.
+#   Identify all jars in bin/ and lib/ directory and make them accessible
+#   to the tomcat service user(s).
+- name: Include file system access controls for tomcat >= 8.5
+  tags: tomcat
+  when:
+    - '{{ tomcat_version|version_compare("8.5", ">=") }}'
+    - '{{ tomcat_fact_is_not_initial_check_mode }}'
+  with_items:
+    - '{{ tomcat_env_catalina_home }}/bin'
+    - '{{ tomcat_env_catalina_home }}/lib'
+  loop_control:
+    loop_var: acl_dir
+  include: 8.5-acls.yml
+
 
 - name: Install instance directories
   tags: tomcat
@@ -135,6 +151,7 @@
 
 - name: Register static/unmanaged conf files
   tags: tomcat
+  become: true
   register: tomcat_registered_conf_files
   always_run: true
   changed_when: false

templates/service_systemd.j2

@@ -43,6 +43,9 @@ ExecStart={{ ansible_local.java.general.java_home }}/bin/java \
 {% endif %}
 {% if item.prefer_ipv4|default(tomcat_default_prefer_ipv4) %}
   -Djava.net.preferIPv4Stack=true \
+{% endif %}
+{% if tomcat_version|version_compare('8.5', '>=') %}
+  -Djava.protocol.handler.pkgs=org.apache.catalina.webresources \
 {% endif %}
   -classpath "{{ tomcat_env_catalina_home }}/bin/bootstrap.jar:{{ tomcat_env_catalina_home }}/bin/tomcat-juli.jar" \
   org.apache.catalina.startup.Bootstrap start
@@ -71,6 +74,9 @@ ExecStop={{ ansible_local.java.general.java_home }}/bin/java \
 {% endif %}
 {% if item.prefer_ipv4|default(tomcat_default_prefer_ipv4) %}
   -Djava.net.preferIPv4Stack=true \
+{% endif %}
+{% if tomcat_version|version_compare('8.5', '>=') %}
+  -Djava.protocol.handler.pkgs=org.apache.catalina.webresources \
 {% endif %}
   -classpath "{{ tomcat_env_catalina_home }}/bin/bootstrap.jar:{{ tomcat_env_catalina_home }}/bin/tomcat-juli.jar" \
   org.apache.catalina.startup.Bootstrap stop

vars/versions/8.5.6.yml

@@ -0,0 +1,4 @@
+---
+# SHA256 sum for the Tomcat redistributable package
+tomcat_redis_checksum: "sha256:8564cd9570adfd23394fd62a4cf999a294429e5f29017e4bb292c604eae9677b"
+tomcat_web_xml_schema_version: 3.1