20131023

how to run jboss server as jboss user

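it's safer to run jboss as a dedicated jboss user: a hacker who gets into jboss only has the jboss user's permissions, and the only thing that user owns is the "jboss home" (where you installed jboss, e.g. /usr/jboss), so they can't change anything outside of it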

here's how i set it up (will gladly take constructive input):

i created a new service template file based on JBoss' file:
bin/jboss_init_redhat.sh

and called it jboss.service.template.nick.sh and put it here:
bin/jboss.service.template.nick.sh

here are the contents:
###########jboss.service.template.nick.sh###########

#!/bin/sh
#
# $Id: jboss_init_redhat.sh 60992 2007-02-28 11:33:27Z dimitris@jboss.org $
#
# JBoss Control Script
#
# To use this script run it as root - it will switch to the specified user
#
# Here is a little (and extremely primitive) startup/shutdown script
# for RedHat systems. It assumes that JBoss lives in /usr/local/jboss,
# it's run by user 'jboss' and JDK binaries are in /usr/local/jdk/bin.
# All this can be changed in the script itself.
#
# Either modify this script for your requirements or just ensure that
# the following variables are set correctly before calling the script.
#
#    UPDATED 20131023 BY NICK, FOR RUNNING AS USER jboss
#
#    HOW TO CONFIGURE THIS AS A "SYSTEM SERVICE" (although i've configured it to stay open and dump output to the console, and can be stopped by just doing ctrl+c) AND RUN AS jboss USER:
#    * create jboss user (the password you give the jboss user is the password that will be asked for when you start jboss as the jboss user--see commands farther down, i.e. "HOW TO START/RUN.."):
#        sudo useradd -d /usr/jboss -s /bin/bash jboss
#    * make jboss user own the /usr/jboss folder:
#        sudo chown -R jboss:jboss /usr/jboss
#    * edit this file (as jboss user) so paths are correct, for every block of code titled "EDIT/CONFIGURE"
#        sudoedit -u jboss /usr/jboss/bin/jboss.service.template.nick.sh
#    * copy this file to /etc/init.d:
#        sudo cp /usr/jboss/bin/jboss.service.template.nick.sh /etc/init.d/jboss
#    HOW TO START/RUN JBOSS DOMAIN:
#    * to run myapp as jboss:
#        service jboss start myapp
#    * to run myapptest as jboss:
#        service jboss start myapptest
#    * to run myappprod as jboss:
#        service jboss start myappprod
#
#    NOTE: THIS FILE IS BASED ON JBOSS' OWN TEMPLATE FILE: <jboss-home>/bin/jboss_init_redhat.sh
#
#    HOW TO UPDATE /usr/jboss FROM SVN SINCE USER jboss OWNS IT:
#        cd /usr/jboss
#        sudo svn up .
#
#        IF YOU GET CONFLICTS ON UPDATE AND SEE SOMETHING LIKE THIS:
#            Conflict discovered in 'run.sh'.
#            Select: (p) postpone, (df) diff-full, (e) edit,
#            (h) help for more options:
#
#        ...AND YOU WANT TO LOAD ALL CHANGES FROM SVN ("UPDATE AND OVERRIDE LOCAL CHANGES"), CHOOSE "theirs full (tf)":
#            tf
#
#        FINALLY, REASSIGN USER jboss TO OWN /usr/jboss:
#            sudo chown -R jboss:jboss /usr/jboss
#


#define where jboss is - this is the directory containing directories log, bin, conf etc
#JBOSS_HOME=${JBOSS_HOME:-"/usr/local/jboss"}
####### EDIT/CONFIGURE #######
JBOSS_HOME=${JBOSS_HOME:-"/usr/jboss"}
##########################


#define the user under which jboss will run, or use 'RUNASIS' to run as the current user
#JBOSS_USER=${JBOSS_USER:-"RUNASIS"}
##### EDIT/CONFIGURE #####
JBOSS_USER=${JBOSS_USER:-"jboss"}
##########################


#make sure java is in your path
#JAVAPTH=${JAVAPTH:-"/usr/local/jdk/bin"}
##### EDIT/CONFIGURE #####
JAVAPTH=${JAVAPTH:-"/home/me/jdk1.6.0_11"}
##########################


#configuration to use, usually one of 'minimal', 'default', 'all'
#JBOSS_CONF=${JBOSS_CONF:-"default"}
JBOSS_CONF=${JBOSS_CONF:-"$2"}

#if JBOSS_HOST specified, use -b to bind jboss services to that address
##### EDIT/CONFIGURE #####
JBOSS_HOST="0.0.0.0"
##########################

JBOSS_BIND_ADDR=${JBOSS_HOST:+"-b $JBOSS_HOST"}

#define the classpath for the shutdown class
JBOSSCP=${JBOSSCP:-"$JBOSS_HOME/bin/shutdown.jar:$JBOSS_HOME/client/jnet.jar"}

#define the script to use to start jboss
JBOSSSH=${JBOSSSH:-"$JBOSS_HOME/bin/run.sh -c $JBOSS_CONF $JBOSS_BIND_ADDR"}

if [ "$JBOSS_USER" = "RUNASIS" ]; then
  SUBIT=""
else
  SUBIT="su - $JBOSS_USER -c "
fi

if [ -n "$JBOSS_CONSOLE" -a ! -d "$JBOSS_CONSOLE" ]; then
  # ensure the file exists
  touch "$JBOSS_CONSOLE"
  if [ ! -z "$SUBIT" ]; then
    chown "$JBOSS_USER" "$JBOSS_CONSOLE"
  fi
fi

if [ -n "$JBOSS_CONSOLE" -a ! -f "$JBOSS_CONSOLE" ]; then
  echo "WARNING: location for saving console log invalid: $JBOSS_CONSOLE"
  echo "WARNING: ignoring it and using /dev/null"
  JBOSS_CONSOLE="/dev/null"
fi

#define what will be done with the console log
#JBOSS_CONSOLE=${JBOSS_CONSOLE:-"/dev/null"}
JBOSS_CONSOLE=

JBOSS_CMD_START="cd $JBOSS_HOME/bin; $JBOSSSH"
JBOSS_CMD_STOP=${JBOSS_CMD_STOP:-"java -classpath $JBOSSCP org.jboss.Shutdown --shutdown"}

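# note: "su - $JBOSS_USER" starts a login shell with a fresh environment,
# so this PATH change only reaches java when JBOSS_USER is RUNASIS
if [ -z "$(echo "$PATH" | grep -F "$JAVAPTH")" ]; then
  export PATH="$PATH:$JAVAPTH"
fi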

if [ ! -d "$JBOSS_HOME" ]; then
  echo JBOSS_HOME does not exist as a valid directory : $JBOSS_HOME
  exit 1
fi

case "$1" in
start)
    cd $JBOSS_HOME/bin
    if [ -z "$SUBIT" ]; then
#        eval $JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &
        eval $JBOSS_CMD_START 2>&1
    else
#        $SUBIT "$JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &"
        $SUBIT "$JBOSS_CMD_START 2>&1"
    fi
    ;;
stop)
    if [ -z "$SUBIT" ]; then
        $JBOSS_CMD_STOP
    else
        $SUBIT "$JBOSS_CMD_STOP"
    fi
    ;;
restart)
    "$0" stop
    # pass the configuration name along, otherwise run.sh gets an empty -c
    "$0" start "$2"
    ;;
*)
    echo "usage: $0 (start|stop|restart|help) [configuration]"
esac

########################################



the section in the comments at the top of the file, "HOW TO CONFIGURE THIS...", tells you exactly what you need to do to make it work

the orange code is my implementation comments/examples

the red code is code i've commented out based on JBoss' bin/jboss_init_redhat.sh

the green code is code i've added OR modified to make this work


NOTE: this was implemented for jboss 4.2 on an ubuntu 8.10 machine
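
The script puts "$2" straight into the command string that `su - jboss -c` (or `eval`) hands to a shell, so the configuration name is worth checking before it gets there. The following is an added example, not part of the original post or of JBoss' template; the function name `valid_conf` and the layout `$JBOSS_HOME/server/<name>` for configurations are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original script: check the configuration
# name ("$2") before it is pasted into the string run by `su - jboss -c`.
# Assumption: configurations are directories under $JBOSS_HOME/server/.
JBOSS_HOME=${JBOSS_HOME:-"/usr/jboss"}

# valid_conf NAME: return 0 if NAME is a plain name of an existing
# configuration, otherwise print the reason on stderr and return 1.
valid_conf() {
    case "$1" in
        "")
            echo "missing configuration name" >&2; return 1 ;;
        -*|.*)
            # would be read as an option by run.sh, or as "." / ".."
            echo "configuration name must not start with '-' or '.'" >&2
            return 1 ;;
        *[!A-Za-z0-9._-]*)
            # spaces, ';', '$', '/', quotes etc. would be interpreted by the shell
            echo "illegal character in configuration name" >&2; return 1 ;;
    esac
    if [ ! -d "$JBOSS_HOME/server/$1" ]; then
        echo "no such configuration: $JBOSS_HOME/server/$1" >&2
        return 1
    fi
    return 0
}

# In the init script the call would go at the top of the start) branch:
#   valid_conf "$JBOSS_CONF" || exit 1

# Demo on a constructed directory tree (sample names are made up).
demo() {
    saved_home=$JBOSS_HOME
    JBOSS_HOME=$(mktemp -d)
    mkdir -p "$JBOSS_HOME/server/myapp" "$JBOSS_HOME/server/myapptest"
    for name in myapp myapptest myappprod '' 'myapp; id' '../myapp' '-b'; do
        if valid_conf "$name" 2>/dev/null; then
            echo "accepted: '$name'"
        else
            echo "rejected: '$name'"
        fi
    done
    rm -rf "$JBOSS_HOME"
    JBOSS_HOME=$saved_home
}
demo
```
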
