zaxos / tomcat-ansible-role Goto Github PK

It seems that as of version 2.4, the include module is deprecated, and as of 2023-05-16, it won't work at all. Using 2.16.4, I get this error message when using zaxos.tomcat-ansible-role:

ERROR! [DEPRECATED]: ansible.builtin.include has been removed. Use include_tasks or import_tasks instead. This feature was removed from ansible-core in a release after 2023-05-16. Please update your playbooks.

From ansible/ansible#76684 it seems that the fix may be a simple as changing "include" to "import_tasks".

Is there likely to be a version of this role that supports the current ansible?

The reason I added write-only support to the logs directory in my fork was because I read the recommendation on the OWASP page about Tomcat. After considering the practical limitations of 300 mode on RedHat Linux, it might be better to have a write-only partition somewhere and then be able to configure logging to use that instead via a logging.properties template (Tomcat 8.5) or via whatever the config file is used in other versions.

It's a shame there seem to be no out-of-the-box option to use a syslog server since version 8 apparently.

Typically you'd only want to include the become: true where you need it making it dependent on the the task. The idea following the principal of least privilege to prevent everything running as root.

You may want to evaluate which tasks actually need to be run as root and update the role accordingly. At the very least you should mention that become: true is needed to run the role in the documentation.

In some cases, managed hosts does have access to internet even HTTP proxy.
The only access is that the Ansible control node can communicate with the managed host (remote) thru SSH.

In this case, we need to delegate the download of Tomcat package to the control node (localhost of Ansible CLI), once download is done, we transfer (copy:) this package to the remote package.

Option to delete/ignore default webapps (list of default webapps to delete so we can pick and choose). If I delete them outside the role, it breaks idempotence because it expects manager and host-manager apps to exist.

will you provide un-install - role?

Hello,

Did you plan to support Red Hat EL8 soon ?

Thank you, Gilian.

Group execute permission is missing from bin/*.sh, so tomcat user can't run startup.sh or shutdown.sh. Here's the error in the playbook...
RUNNING HANDLER [zaxos.tomcat-ansible-role : restart tomcat] ********************************* fatal: [prod_host]: FAILED! => {"changed": false, "msg": "Unable to start service tomcat: Job for tomcat.service failed because the control process exited with error code. See \"systemctl status tomcat.service\" and \"journalctl -xe\" for details.\n"}

and here is the other error...
`Aug 26 00:03:52 prod_host systemd[23492]: Failed at step EXEC spawning /path/to/tomcat/bin/startup.sh: Permission denied
-- Subject: Process /path/to/tomcat/bin/startup.sh could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- The process /path/to/tomcat/bin/startup.sh could not be executed and failed.

-- The error number returned by this process is 13.`

Hye,
Can you updates all templates with variables ?
We use TOMCAT 8.5 and the templates don't have variable:
for the file tomcat-server-8.5.xml.j2
Thanks

I appreciate the role setting/managing some sensible defaults. However, I'd like the option to use my own settings.xml file rather than using the ansible blockinfile to inject my stuff into your template.

perhaps it's just another variable like settings_file_path where is could be a straight up copy or interpolated through jinja.

This one is not necessarily anything you did wrong but Ubuntu 14.04 uses upstart instead of ststemd. While, I wouldn't expect you to support a OS that is 10+ years old at this point this issue is more for posterity should someone else run into the "msg": "Destination directory /usr/lib/systemd/system does not exist" error I ran into. I had to wrap the existing functionality in a block

- block:

    - name: Configure service file {{ tomcat_service_name }}.service
      template:
        src: tomcat.service.j2
        dest: /usr/lib/systemd/system/{{ tomcat_service_name }}.service
      notify: restart tomcat

    - name: Enable tomcat service on startup
      systemd:
        name: "{{ tomcat_service_name }}"
        enabled: "{% if tomcat_service_enabled_on_startup %}yes{% else %}no{% endif %}"
        daemon_reload: yes

  when: ansible_facts['distribution'] != "Ubuntu" and ansible_facts['distribution_version'] != '14.04'

Hello,

Since CVE-2020-1938 vulnerability, Tomcat change/add some default settings for AJP connector.

By default, he listen only on localhost and we need to explicit add "address="{{ tomcat_listen_address }}"". Maybe you can add this in server.xml template file.

By default, Tomcat now require a secret for AJP connector. We add a static "secretRequired="false"" property because we run httpd 2.4. Only httpd 2.5 support AJP secret :( Maybe you can add a boolean var (false by default ?) and a optional secret var in ansible role.

Thank you for this usefull role.
Best regard, Gilian.