it's safer to run jboss as a dedicated jboss user: if jboss gets compromised, the attacker only has that user's permissions, which keeps them largely confined to the "jboss home" (where you installed jboss, e.g. /usr/jboss)
here's how i set it up (will gladly take constructive input):
i created a new service template file based on JBoss' file:
bin/jboss_init_redhat.sh
and called it jboss.service.template.nick.sh and put it here:
bin/jboss.service.template.nick.sh
here are the contents:
###########jboss.service.template.nick.sh###########
#!/bin/sh
#
# $Id: jboss_init_redhat.sh 60992 2007-02-28 11:33:27Z dimitris@jboss.org $
#
# JBoss Control Script
#
# To use this script run it as root - it will switch to the specified user
#
# Here is a little (and extremely primitive) startup/shutdown script
# for RedHat systems. It assumes that JBoss lives in /usr/local/jboss,
# it's run by user 'jboss' and JDK binaries are in /usr/local/jdk/bin.
# All this can be changed in the script itself.
#
# Either modify this script for your requirements or just ensure that
# the following variables are set correctly before calling the script.
#
# UPDATED 20131023 BY NICK, FOR RUNNING AS USER jboss
#
# HOW TO CONFIGURE THIS AS A "SYSTEM SERVICE" (although i've configured it to stay open and dump output to the console, and can be stopped by just doing ctrl+c) AND RUN AS jboss USER:
# * create jboss user (the password you give the jboss user is the password that will be asked for when you start jboss as the jboss user--see commands farther down, i.e. "HOW TO START/RUN.."):
# sudo useradd -d /usr/jboss -s /bin/bash jboss
# * make jboss user own the /usr/jboss folder:
# sudo chown -R jboss:jboss /usr/jboss
# * edit this file (as jboss user) so paths are correct, for every block of code titled "EDIT/CONFIGURE"
# sudoedit -u jboss /usr/jboss/bin/jboss.service.template.nick.sh
# * copy this file to /etc/init.d:
# sudo cp /usr/jboss/bin/jboss.service.template.nick.sh /etc/init.d/jboss
# HOW TO START/RUN JBOSS DOMAIN:
# * to run myapp as jboss:
# service jboss start myapp
# * to run myapptest as jboss:
# service jboss start myapptest
# * to run myappprod as jboss:
# service jboss start myappprod
#
# NOTE: THIS FILE IS BASED ON JBOSS' OWN TEMPLATE FILE: <jboss-home>/bin/jboss_init_redhat.sh
#
# HOW TO UPDATE /usr/jboss FROM SVN SINCE USER jboss OWNS IT:
# cd /usr/jboss
# sudo svn up .
#
# IF YOU GET CONFLICTS ON UPDATE AND SEE SOMETHING LIKE THIS:
# Conflict discovered in 'run.sh'.
# Select: (p) postpone, (df) diff-full, (e) edit,
# (h) help for more options:
#
# ...AND YOU WANT TO LOAD ALL CHANGES FROM SVN ("UPDATE AND OVERRIDE LOCAL CHANGES"), CHOOSE "theirs full (tf)":
# tf
#
# FINALLY, REASSIGN USER jboss TO OWN /usr/jboss:
# sudo chown -R jboss:jboss /usr/jboss
#
#define where jboss is - this is the directory containing directories log, bin, conf etc
#JBOSS_HOME=${JBOSS_HOME:-"/usr/local/jboss"}
####### EDIT/CONFIGURE #######
JBOSS_HOME=${JBOSS_HOME:-"/usr/jboss"}
##########################
#define the user under which jboss will run, or use 'RUNASIS' to run as the current user
#JBOSS_USER=${JBOSS_USER:-"RUNASIS"}
##### EDIT/CONFIGURE #####
JBOSS_USER=${JBOSS_USER:-"jboss"}
##########################
#make sure java is in your path
#JAVAPTH=${JAVAPTH:-"/usr/local/jdk/bin"}
##### EDIT/CONFIGURE #####
JAVAPTH=${JAVAPTH:-"/home/me/jdk1.6.0_11"}
##########################
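#configuration to use, usually one of 'minimal', 'default', 'all'
#here it is taken from the second argument, e.g. "service jboss start myapp"
#JBOSS_CONF=${JBOSS_CONF:-"default"}
JBOSS_CONF=${JBOSS_CONF:-"$2"}
#if JBOSS_HOST specified, use -b to bind jboss services to that address
#NOTE: 0.0.0.0 binds to every network interface; set a specific address to limit where jboss listens
##### EDIT/CONFIGURE #####
JBOSS_HOST="0.0.0.0"
##########################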
JBOSS_BIND_ADDR=${JBOSS_HOST:+"-b $JBOSS_HOST"}
#define the classpath for the shutdown class
JBOSSCP=${JBOSSCP:-"$JBOSS_HOME/bin/shutdown.jar:$JBOSS_HOME/client/jnet.jar"}
#define the script to use to start jboss
JBOSSSH=${JBOSSSH:-"$JBOSS_HOME/bin/run.sh -c $JBOSS_CONF $JBOSS_BIND_ADDR"}
if [ "$JBOSS_USER" = "RUNASIS" ]; then
    SUBIT=""
else
    SUBIT="su - $JBOSS_USER -c "
fi
if [ -n "$JBOSS_CONSOLE" -a ! -d "$JBOSS_CONSOLE" ]; then
    # ensure the file exists
    touch "$JBOSS_CONSOLE"
    if [ ! -z "$SUBIT" ]; then
        chown "$JBOSS_USER" "$JBOSS_CONSOLE"
    fi
fi
if [ -n "$JBOSS_CONSOLE" -a ! -f "$JBOSS_CONSOLE" ]; then
    echo "WARNING: location for saving console log invalid: $JBOSS_CONSOLE"
    echo "WARNING: ignoring it and using /dev/null"
    JBOSS_CONSOLE="/dev/null"
fi
#define what will be done with the console log
#JBOSS_CONSOLE=${JBOSS_CONSOLE:-"/dev/null"}
JBOSS_CONSOLE=
JBOSS_CMD_START="cd $JBOSS_HOME/bin; $JBOSSSH"
JBOSS_CMD_STOP=${JBOSS_CMD_STOP:-"java -classpath $JBOSSCP org.jboss.Shutdown --shutdown"}
if [ -z "`echo $PATH | grep "$JAVAPTH"`" ]; then
    export PATH=$PATH:$JAVAPTH
fi
if [ ! -d "$JBOSS_HOME" ]; then
    echo JBOSS_HOME does not exist as a valid directory : $JBOSS_HOME
    exit 1
fi
case "$1" in
start)
    cd "$JBOSS_HOME/bin"
    if [ -z "$SUBIT" ]; then
        # eval $JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &
        eval $JBOSS_CMD_START 2>&1
    else
        # $SUBIT "$JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &"
        $SUBIT "$JBOSS_CMD_START 2>&1"
    fi
    ;;
stop)
    if [ -z "$SUBIT" ]; then
        $JBOSS_CMD_STOP
    else
        $SUBIT "$JBOSS_CMD_STOP"
    fi
    ;;
restart)
    # pass the configuration name ($2) along, otherwise start runs without one
    $0 stop "$2"
    $0 start "$2"
    ;;
*)
    echo "usage: $0 (start|stop|restart|help) [configuration]"
esac
########################################
the section in the comments at the top of the file, "HOW TO CONFIGURE THIS...", tells you exactly what you need to do to make it work
the orange code are my implementation comments/examples
the red code is code i've commented out based on JBoss' bin/jboss_init_redhat.sh
the green code is code i've added OR modified to make this work
NOTE: this was implemented for jboss 4.2 on an ubuntu 8.10 machine
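to confirm the setup above did what it was meant to, the check below reads a process list and reports any jboss JVM that is not owned by the jboss user. this is an added example, not part of the original script or of jboss; the function names and the sample process list are made up for illustration, and it assumes run.sh starts the JVM with the org.jboss.Main class.

```shell
#!/bin/sh
# Added example: confirm that each JBoss JVM is owned by the service account.
# Assumption: run.sh launches the server JVM with the main class org.jboss.Main.
EXPECTED_USER="${EXPECTED_USER:-jboss}"

# Read "USER COMMAND ARGS..." lines (as printed by: ps -e -o user= -o args=)
# and print "<user> <configuration>" for every JBoss server JVM.
jboss_proc_owners() {
    awk '{
        main = 0; conf = "default"
        for (i = 2; i <= NF; i++) {
            if ($i == "org.jboss.Main") main = i
            else if (main && $i == "-c" && i < NF) conf = $(i + 1)
        }
        if (main) print $1, conf
    }'
}

# Read "<user> <configuration>" lines. Returns 0 if every JVM runs as
# EXPECTED_USER, 1 if any runs as someone else, 2 if no JVM was found.
check_owners() {
    found=0; bad=0
    while read -r user conf; do
        found=1
        if [ "$user" = "$EXPECTED_USER" ]; then
            echo "ok:   '$conf' runs as $user"
        else
            echo "FAIL: '$conf' runs as $user, expected $EXPECTED_USER"
            bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no JBoss process found"
        return 2
    fi
    return "$bad"
}

# Constructed sample process list (not real output): one JVM started through
# the init script, one started by hand from a root shell.
sample_ps() {
    cat <<'EOF'
jboss /home/me/jdk1.6.0_11/bin/java -classpath /usr/jboss/bin/run.jar org.jboss.Main -c myapp -b 0.0.0.0
root /home/me/jdk1.6.0_11/bin/java -classpath /usr/jboss/bin/run.jar org.jboss.Main -c myapptest -b 0.0.0.0
root /usr/sbin/sshd -D
EOF
}

# Demo on the sample; on a live host use: ps -e -o user= -o args= | jboss_proc_owners | check_owners
sample_ps | jboss_proc_owners | check_owners || echo "exit status: $?"
```

a non-zero exit status makes it easy to call this from cron or a monitoring check after each restart.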