libtomcat9-java and tomcat9-common 9.0.31-1ubuntu0.2 causes read-only file system for Tomcat

Bug #1967564 reported by wiseley
This bug affects 2 people
Affects: tomcat9 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

After Ubuntu unattended upgrade installed these two package updates, Tomcat cannot write to disk at all. The service can't write its logs and the application running can't create /tmp files after this update.

Revision history for this message
wiseley (wiseley) wrote :

Clarification on this after further research. It appears that after this update, the tomcat9 service is no longer honoring the sandbox settings in the systemd script. The service can write to the default folders like /var/log/tomcat9, but not to the custom folders I've specified in the systemd script as follows:

# Security
User=tomcat
Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
ReadWritePaths=/custom/path/here/

Tomcat is not given access to the /custom/path/here path. Also, changing ProtectSystem=strict to ProtectSystem=false has no effect. This setup was working before the update and hasn't changed for a fairly long time.

wiseley (wiseley) wrote :

This is the error in the /var/log/tomcat9/catalina... log:

01-Apr-2022 21:56:24.959 SEVERE [main] org.apache.catalina.valves.AccessLogValve.open Failed to open access log file [/custom/path/here/access_log.2022-04-01.txt]
        java.io.FileNotFoundException: /custom/path/here/access_log.2022-04-01.txt (Read-only file system)

I've changed an application specific path to /custom/path/here to be consistent with my previous comment.
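The two comments above describe a sandboxed unit (ProtectSystem=strict plus a list of ReadWritePaths=) and the "Read-only file system" error that results when a directory is not on that list. The shell script below is an added example, not part of this bug report or of the tomcat9 package: it reads the [Service] lines of a unit and answers whether a given directory is writable under the documented ProtectSystem=/ReadWritePaths= semantics, then shows how a drop-in that appends a ReadWritePaths= entry changes the answer. The sample unit text is constructed from the lines quoted in the report (minus the custom path), and /custom/path/here and the drop-in location are assumed, generic values.

```shell
#!/bin/sh
# Added example, not from the bug report: a small diagnostic that reads the
# [Service] lines of a systemd unit and answers "can this service write to
# directory X under ProtectSystem=/ReadWritePaths=?". It models the documented
# semantics for the common cases only (an empty ReadWritePaths= that resets
# the accumulated list is not modelled).

# Constructed sample: the sandbox lines quoted in the report, without the
# custom path, so the check reproduces the symptom the reporter describes.
SAMPLE_UNIT='[Service]
User=tomcat
Group=tomcat
PrivateTmp=yes
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
'

# Effective ProtectSystem= value: the last assignment wins, default is "no".
protect_system_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^ProtectSystem=//p' | tail -n 1)
    printf '%s\n' "${mode:-no}"
}

# Succeeds when directory $2 is under some ReadWritePaths= entry of unit text $1.
# Entries may be space-separated on one line; a trailing slash is ignored, as is
# a leading "-" (ignore if missing) or "+" (relative to the root directory).
under_read_write_path() {
    printf '%s\n' "$1" | sed -n 's/^ReadWritePaths=//p' | tr ' ' '\n' | (
        while read -r entry; do
            entry=${entry#[-+]}
            entry=${entry%/}
            [ -n "$entry" ] || continue
            case "$2" in
                "$entry"|"$entry"/*) exit 0 ;;
            esac
        done
        exit 1
    )
}

# Succeeds when ProtectSystem= mode $1 mounts directory $2 read-only
# (before any ReadWritePaths= exception is applied).
protected_by_mode() {
    case "$1" in
        strict)   # everything read-only except the /dev, /proc and /sys API trees
            case "$2" in
                /dev|/dev/*|/proc|/proc/*|/sys|/sys/*) return 1 ;;
                *) return 0 ;;
            esac ;;
        full)     # /usr, the boot loader directories and /etc
            case "$2" in
                /usr|/usr/*|/boot|/boot/*|/efi|/efi/*|/etc|/etc/*) return 0 ;;
                *) return 1 ;;
            esac ;;
        yes|true|1|on)   # /usr and the boot loader directories only
            case "$2" in
                /usr|/usr/*|/boot|/boot/*|/efi|/efi/*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;   # "no"/"false" and unknown values: nothing is made read-only
    esac
}

# Prints "writable" or "read-only" for directory $2 under unit text $1.
check_write_access() {
    mode=$(protect_system_mode "$1")
    if protected_by_mode "$mode" "$2" && ! under_read_write_path "$1" "$2"; then
        echo read-only
    else
        echo writable
    fi
}

# Content of a drop-in that grants write access to $1. ReadWritePaths= lines
# accumulate, so a drop-in extends the packaged list instead of replacing it.
# Assumed conventional location: /etc/systemd/system/tomcat9.service.d/override.conf,
# followed by `systemctl daemon-reload` and `systemctl restart tomcat9`.
dropin_for_path() {
    printf '[Service]\nReadWritePaths=%s\n' "$1"
}

# Stand-alone demonstration mirroring the reporter's symptom.
main() {
    echo "/var/log/tomcat9  -> $(check_write_access "$SAMPLE_UNIT" /var/log/tomcat9)"
    echo "/custom/path/here -> $(check_write_access "$SAMPLE_UNIT" /custom/path/here)"
    echo "with drop-in      -> $(check_write_access "$SAMPLE_UNIT$(dropin_for_path /custom/path/here)" /custom/path/here)"
}
main
```

The script only reasons about text you feed it; what systemd actually applied to the running service is shown by `systemctl show tomcat9 -p ProtectSystem -p ReadWritePaths`, and `systemctl cat tomcat9` prints the effective unit together with any drop-ins. As a general systemd caveat, not a finding about this bug: a unit file shipped by a package under /lib/systemd/system is replaced when the package is upgraded, whereas a drop-in under /etc/systemd/system/tomcat9.service.d/ survives upgrades and is the place to keep site-specific ReadWritePaths= entries.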

Steven Truelove (struelove) wrote :

I believe I am running into this as well -- the symptom for me is that WAR files no longer unpack because it cannot write to webapps directories.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in tomcat9 (Ubuntu):
status: New → Confirmed