
ansible-role-tomcat's Introduction

Install and configure tomcat on your system.


This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  vars:
    # tomcat_address: "127.0.0.1"
    tomcat_instances:
      - name: "tomcat"
      # - name: "tomcat-version-7"
      #   version: 7
      #   shutdown_port: 8007
      #   non_ssl_connector_port: 8082
      #   ssl_connector_port: 8445
      #   ajp_port: 8011
      # - name: "tomcat-version-8"
      #   version: 8
      #   shutdown_port: 8008
      #   non_ssl_connector_port: 8083
      #   ssl_connector_port: 8446
      #   ajp_port: 8012
      # - name: "tomcat-version-9"
      #   version: 9
      #   shutdown_port: 8019
      #   non_ssl_connector_port: 8084
      #   ssl_connector_port: 8447
      #   ajp_port: 8013
      # - name: "tomcat-specific"
      #   user: "specificuser"
      #   group: "specificgroup"
      #   shutdown_port: 8020
      #   shutdown_pass: shutme
      #   non_ssl_connector_port: 8085
      #   ssl_connector_port: 8448
      #   ajp_port: 8014
      #   xms: 256M
      #   xmx: 512M
      # - name: "tomcat-with-wars"
      #   shutdown_port: 8021
      #   non_ssl_connector_port: 8086
      #   ssl_connector_port: 8449
      #   ajp_port: 8015
      #   wars:
      #     - url: https://tomcat.apache.org/tomcat-7.0-doc/appdev/sample/sample.war
      #     - url: "https://github.com/aeimer/java-example-helloworld-war/raw/master/dist/helloworld.war"
      # - name: "tomcat-java_opts"
      #   shutdown_port: 8022
      #   non_ssl_connector_port: 8087
      #   ssl_connector_port: 8449
      #   ajp_port: 8016
      #   java_opts:
      #     - name: UMASK
      #       value: "0007"
      # - name: "tomcat-with_lib"
      #   shutdown_port: 8023
      #   non_ssl_connector_port: 8088
      #   ssl_connector_port: 8450
      #   ajp_port: 8017
      #   libs:
      #     - url: "https://search.maven.org/remotecontent?filepath=io/prometheus/simpleclient/0.6.0/simpleclient-0.6.0.jar"
      # - name: "tomcat-access-logs"
      #   shutdown_port: 8024
      #   non_ssl_connector_port: 8089
      #   ssl_connector_port: 8451
      #   ajp_port: 8018
      #   access_log_enabled: true
      #   access_log_directory: "my-logs"
      #   access_log_prefix: my-access-logs
      #   access_log_suffix: ".log"
      #   access_log_pattern: '%h %l %u %t "%r" %s %b'
      # - name: "tomcat-config-files"
      #   shutdown_port: 8025
      #   non_ssl_connector_port: 8090
      #   ssl_connector_port: 8452
      #   ajp_port: 8019
      #   ajp_secret: "SoMe-SeCrEt"
      #   config_files:
      #     - src: "{{ role_path }}/files/dummy.properties"
      #       dest: "./"
      #       mode: "0644"

  roles:
    - role: robertdebock.tomcat

The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.core_dependencies
    - role: robertdebock.java
      # __java_version:
      #   default: 8
      #   Debian: 11
      #   Debian-bookworm: 17
      # java_version: "{{ _desired_java_version[ansible_distribution ~ '-' ~ ansible_distribution_release] | default(_desired_java_version[ansible_distribution] | default(_desired_java_version['default'])) }}"

Also see a full explanation and example on how to use these roles.

The default values for the variables are set in defaults/main.yml:

---
# defaults file for tomcat

# Some "sane" defaults.
tomcat_name: tomcat
tomcat_directory: /opt
tomcat_version: 9
tomcat_user: tomcat
tomcat_group: tomcat
tomcat_xms: 512M
tomcat_xmx: 1024M
tomcat_non_ssl_connector_port: 8080
tomcat_ssl_connector_port: 8443
tomcat_shutdown_port: 8005
tomcat_shutdown_pass: SHUTDOWN
tomcat_ajp_enabled: true
tomcat_ajp_port: 8009
tomcat_ajp_secret: "SoMe-SeCrEt"
tomcat_jre_home: /usr
tomcat_service_state: started
tomcat_service_enabled: true
# You can bind Tomcat to a specified address globally using this variable, or
# in the `tomcat_instances`. The `tomcat_instances.address` is more specific
# so it takes priority over `tomcat_address`.
tomcat_address: "0.0.0.0"

# Configure tomcat access logs
tomcat_access_log_enabled: true
tomcat_access_log_directory: logs
tomcat_access_log_prefix: localhost_access_log
tomcat_access_log_suffix: ".txt"
tomcat_access_log_pattern: '%h %l %u %t "%r" %s %b'

# This role allows multiple installations of Apache Tomcat, each in their own
# location, potentially of different version.
# This is done by defining a "tomcat_instances" where "name:" is a unique
# identifier of an instance.
# The default tomcat_instances is one instance using the defaults described
# in defaults/main.yml.
tomcat_instances:
  - name: "{{ tomcat_name }}"
    version: "{{ tomcat_version }}"
    user: "{{ tomcat_user }}"
    group: "{{ tomcat_group }}"
    xms: "{{ tomcat_xms }}"
    xmx: "{{ tomcat_xmx }}"
    non_ssl_connector_port: "{{ tomcat_non_ssl_connector_port }}"
    ssl_connector_port: "{{ tomcat_ssl_connector_port }}"
    shutdown_port: "{{ tomcat_shutdown_port }}"
    ajp_enabled: "{{ tomcat_ajp_enabled }}"
    ajp_port: "{{ tomcat_ajp_port }}"
    ajp_secret: "{{ tomcat_ajp_secret }}"
    # You can pick an address per instance:
    # address: "127.0.0.1"
    packet_size: 8192
    java_opts:
      - name: JRE_HOME
        value: "{{ tomcat_jre_home }}"
    access_log_enabled: "{{ tomcat_access_log_enabled }}"
    access_log_directory: "{{ tomcat_access_log_directory }}"
    access_log_prefix: "{{ tomcat_access_log_prefix }}"
    access_log_suffix: "{{ tomcat_access_log_suffix }}"
    access_log_pattern: "{{ tomcat_access_log_pattern }}"
    service_state: "{{ tomcat_service_state }}"
    service_enabled: "{{ tomcat_service_enabled }}"

# The explicit version to use when referring to the short name.
tomcat_version7: "7.0.109"
tomcat_version8: "8.5.73"
tomcat_version9: "9.0.55"
tomcat_version10: "10.1.12"

# The location where to download Apache Tomcat from.
tomcat_mirror: "https://archive.apache.org"
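
The defaults above bind every connector to 0.0.0.0, enable AJP with the secret "SoMe-SeCrEt" and accept the shutdown command "SHUTDOWN"; all three values are public in this repository. The play below is an added example, not part of the role: it overrides them and stops before the role runs if any instance still carries one. `vault_tomcat_shutdown_pass` is a hypothetical Ansible Vault variable, and treating 0.0.0.0 as a failure is this example's own policy (it assumes a reverse proxy on the same host).

```yaml
---
# Added example, not part of robertdebock.tomcat.
# Variable names are those from defaults/main.yml; vault_tomcat_shutdown_pass
# is a hypothetical Ansible Vault variable you define yourself.
- name: Install Tomcat without the published default secrets
  hosts: all
  become: true
  gather_facts: true

  vars:
    # Listen on loopback only; a local reverse proxy handles client traffic.
    tomcat_address: "127.0.0.1"
    # No AJP front end in this setup, so the connector is switched off.
    # If you enable it, also set tomcat_ajp_secret from Vault.
    tomcat_ajp_enabled: false
    # Replace the well-known "SHUTDOWN" command string.
    tomcat_shutdown_pass: "{{ vault_tomcat_shutdown_pass }}"
    tomcat_instances:
      - name: "tomcat"
        address: "{{ tomcat_address }}"
        ajp_enabled: "{{ tomcat_ajp_enabled }}"
        shutdown_pass: "{{ tomcat_shutdown_pass }}"

  pre_tasks:
    - name: Refuse instances that still use a value published in defaults/main.yml
      ansible.builtin.assert:
        that:
          - '(item.address | default(tomcat_address)) != "0.0.0.0"'
          - '(item.shutdown_pass | default(tomcat_shutdown_pass)) != "SHUTDOWN"'
          # An enabled AJP connector needs a secret that is neither empty
          # nor the role's example value.
          - >-
            not (item.ajp_enabled | default(tomcat_ajp_enabled) | bool)
            or (item.ajp_secret | default(tomcat_ajp_secret | default("")))
            not in ["", "SoMe-SeCrEt"]
        fail_msg: "Instance {{ item.name }} still uses a published default value."
        quiet: true
      loop: "{{ tomcat_instances }}"
      loop_control:
        label: "{{ item.name }}"

  roles:
    - role: robertdebock.tomcat
```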

The following roles are used to prepare a system. You can prepare your system in another way.

Requirements:

  • robertdebock.bootstrap
  • robertdebock.core_dependencies
  • robertdebock.java
  • robertdebock.service

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

Here is an overview of related roles: dependencies

This role has been tested on these container images:

container tags
EL 8, 9
Debian all
Fedora all
opensuse all
Ubuntu all

The minimum version of Ansible required is 2.12. Tests have been run against:

  • The previous version.
  • The current version.
  • The development version.

If you find issues, please register them in GitHub.

Apache-2.0.

robertdebock

Please consider sponsoring me.


ansible-role-tomcat's Issues

no test named 'boolean'

Describe the bug

On AWX 17.0.1 ( with Ansible 2.9.17 ) provision fails with message

{
  "msg": "The conditional check 'tomcat_service_enabled is boolean' failed. The error was: template error while templating string: no test named 'boolean'. String: {% if tomcat_service_enabled is boolean %} True {% else %} False {% endif %}",
  "_ansible_no_log": false
}

Playbook

- name: myplay
  hosts: myplay
  become: yes

  roles:
    - { role: java,    tags: ["java"] }
    - { role: robertdebock.tomcat,     tags: ["tomcat"] }

Output

{
"msg": "The conditional check 'tomcat_service_enabled is boolean' failed. The error was: template error while templating string: no test named 'boolean'. String: {% if tomcat_service_enabled is boolean %} True {% else %} False {% endif %}",
"_ansible_no_log": false
}


Environment

  • Control node OS: AWX in container
  • Control node Ansible version: 2.9.17
  • Managed node OS: Ubuntu 18.04

UTF8 encoding

Proposed feature

Hello!

It would be great, if there would be an additional variable for the tomcat URIencoding, so I could set it to UTF-8, as described here https://www.baeldung.com/tomcat-utf-8

Let me know if that is something you would like to add, then I could set up a Pull Request; it shouldn't be too difficult (change in template + defaults).

JAVA_OPTS is not JAVA_OPTS

Hi,

I think we are missing in this block JAVA_OPTS=

{% if instance.java_opts is defined %}
{% for java_opt in instance.java_opts %}
JAVA_OPTS="{{ java_opt.name }}={{ java_opt.value }} ${JAVA_OPTS}"
{% endfor %}
{% endif %}

Allow set a instance folder

For now the instance folder is created from the instance name; it could be interesting to have a specific variable for the instance folder, different from the instance name.

Are you open for a PR ?

tomcat and systemd 100% system usage

Describe the bug
When started using the systemd service, the java process hangs with 100% system CPU.
When started with the normal tomcat user, it started normally.

To Reproduce
Steps to reproduce the behavior:

  1. Run this role:
  2. Deploy a war with annotations, wait.

Expected behavior
Normal startup with serviced

Error

Environment

  • VM: CentOS 7
  • Tomcat 9.0.17

Additional context
Resolved with strace on java process, it was recursively reading : /proc/self/task/81569/cwd/proc/self/task/81569/cwd/proc/self/task/81569/cwd/proc/self/task/81569/cwd/proc/self/task/81569/cwd/proc/self/task/8156...

The Java process was outside of its directory, even if launched with the correct user.

Just add the working_directory parameter to service.role:

service_list:
  - name: "{{ instance.name | default(tomcat_name) }}"
    description: "{{ instance.name | default(tomcat_name) }}"
    start_command: "{{ tomcat_directory }}/{{ instance.name | default(tomcat_directory) }}/bin/catalina.sh run"
    user_name: "{{ instance.user | default(tomcat_user) }}"
    group_name: "{{ instance.group | default(tomcat_group) }}"
    working_directory: "{{ tomcat_directory }}/{{ instance.name | default(tomcat_directory) }}/"

Tomcat instance Service fails to start on CentOS 8

Describe the bug

When I deployed an instance to CentOS 8, It could not start the tomcat instance because it could not get /bin/bash to run by default. It was alright on a local VM but not on our actual server. My suggested fix is generic and should not cause any harm.

Playbook

---
    - role: robertdebock.tomcat
      vars:
        tomcat_directory: /home/tomcat
        tomcat_instances:
          - name: "instance_castlemock"
            version: 8
            java_opts:
              - name: JAVA_HOME
                value: "/opt/red/java"
            shutdown_port: "{{ shutdown_port }}"
            ssl_connector_port: "{{ https_port }}"
            ajp_port: "{{ ajp_port }}"
            non_ssl_connector_port: "{{ http_port }}"
            access_log_enabled: no
            wars:
              - url: "{{ castlemock_download_url }}"

Output

Main process exited, code=exited, status=203/EXEC

Environment

  • Control node OS: Ubuntu 20
  • Control node Ansible version: ansible 2.9.6 python version = 3.8.5
  • Managed node OS: CentOS 8

Fix

I have raised a pull request for the fix.

Default tomcat_instances does not work out of the box

Describe the bug

If you run the role with just the defaults, Tomcat will raise this issue:
java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

Playbook

Please paste the playbook you are using. (Consider requirements.yml and
optionally the command you've invoked.)

---
- name: Gather facts
  hosts: tomcat_all
  gather_facts: "{{ osa_gather_facts | default(True) }}"
  tags:
    - always

- name: Deploy tomcat server
  hosts: tomcat_all
  gather_facts: false
  user: root
  environment: "{{ deployment_environment_variables | default({}) }}"
  pre_tasks:
    - name: Gather additional facts
      include_tasks: "common-tasks/gather-hardware-facts.yml"
      tags:
        - always
    - include_tasks: "common-tasks/os-{{ container_tech | default('lxc') }}-container-setup.yml"
      when: not is_metal
    - include_tasks: common-tasks/unbound-clients.yml
      when:
        - hostvars['localhost']['resolvconf_enabled'] | bool
  roles:
    - role: java
    - role: tomcat

Output

So eventually the issue here is that tomcat_ajp_enabled by default is set to true. At the same time ajp_secret is defined and set to empty string.

I see one of the following ways for fixing that:

Environment

  • Control node OS: Ubuntu 20.04
  • Control node Ansible version: 2.10.10
  • Managed node OS: Ubuntu 20.04

Allow Hardening

Hi,

Proposed feature

Allow to harden the instance by default

Rationale

Security

Additional context

Actually I do this, dunno how we can integrate this

---
- name: Hardening
  block:
    - name: Init hardening_todo fact to False
      ansible.builtin.set_fact:
        hardening_todo: false

    - name: "Test if default webapps are present"
      ansible.builtin.stat:
        path: '/opt/tomcat/webapps/{{ item }}'
      with_items:
        - docs
        # - ROOT  # Already managed by the role
        - examples
      register: is_hardening_done

    - name: Set hardening_todo fact to true if a directory exists
      ansible.builtin.set_fact:
        hardening_todo: true
      with_items: "{{ is_hardening_done.results }}"
      when: item.stat.exists == true

    - name: "Test if hide version is present"
      ansible.builtin.stat:
        path: '/opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties'
      register: is_hardening_done

    - name: Set hardening_todo fact to true if hide version is not present
      ansible.builtin.set_fact:
        hardening_todo: true
      when: is_hardening_done.stat.exists == false

    - name: Stop Tomcat
      ansible.builtin.service:
        name: "tomcat"
        enabled: true
        state: stopped
      when:
        - hardening_todo

    - name: Remove default webapps
      ansible.builtin.file:
        path: '/opt/tomcat/webapps/{{ item }}'
        state: absent
      with_items:
        - docs
        # - ROOT  # Already managed by the role
        - examples

    - name: Hide Tomcat version - Directories
      ansible.builtin.file:
        dest: '/opt/tomcat/{{ item }}'
        state: directory
      with_items:
        - lib
        - lib/org
        - lib/org/apache
        - lib/org/apache/catalina
        - lib/org/apache/catalina/util

    - name: Hide Tomcat version
      ansible.builtin.copy:
        dest: '/opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties'
        content: 'server.info={{ custom_version_string | default("Apache Tomcat")  }}'

    - name: Start Tomcat
      ansible.builtin.service:
        name: "tomcat"
        enabled: true
        state: started
      when:
        - hardening_todo

And in the web.xml, add a block showServerInfo

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>showServerInfo</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Best regards

Configurable version and versions

Proposed feature

Make downloads url configurable. Currently we cannot configure alternate tomcat download urls.

Basically move config vars/main.yml to defaults/main.yml

Personally I prefer config in that location for example as follows

tomcat_version: 7.0.104
tomcat_versions: 
  7.0.104:
    url: https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz
    checksum: sha256:****

Users can then add their own versions without having to change robertdebock.tomcat.

Rationale

Currently this role does not allow us to configure an alternative tomcat_unarchive_url. More often than not in the specific industry I am working in, it is not allowed to download from the internet.
So we download manually and transfer the binary to a "mirror" that we host internally.

Ideally we can configure our own tomcat_version and tomcat_versions, without having to change robertdebock.tomcat.

Additional context

I mostly consider the way config in vars works an Ansible bug. Config in an Ansible role that is not your own should always have a low precedence. You should be able to override config in a role in group_vars, host_vars etc.

Compared to Chef config in vars are like "override" attributes. These are not often used. Because of the fact that Ansible gives config in vars the highest precedence, config in vars in roles should not be used unless absolutely necessary.

Create a default error page

Proposed feature

Default error landing page doesn't exist and some tomcat information is sent. Also, the default page exposes sensitive information as well.

See screen shot:

image

Rationale

A default error page could prevent this potentially sensitive information from being inadvertently disclosed.

Additional context

Found this via a nessus scan.
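
One way to close this finding, as an added example that is not part of the role: Tomcat's ErrorReportValve accepts the attributes showReport and showServerInfo, and setting both to false removes the stack trace and the version string from the built-in error page. The play assumes the role's default layout (tomcat_directory /opt, instance and service name tomcat) and a stock server.xml in which the closing Host tag sits on its own line.

```yaml
---
# Added example, not part of robertdebock.tomcat.
- name: Suppress version and stack traces on Tomcat error pages
  hosts: all
  become: true
  gather_facts: false

  vars:
    # Same values as the role's defaults/main.yml.
    tomcat_directory: /opt
    tomcat_name: tomcat

  tasks:
    - name: Add an ErrorReportValve to the Host element in server.xml
      ansible.builtin.blockinfile:
        path: "{{ tomcat_directory }}/{{ tomcat_name }}/conf/server.xml"
        # XML comments keep the managed block recognisable on later runs.
        marker: "<!-- {mark} ANSIBLE MANAGED: error report valve -->"
        insertbefore: "</Host>"
        block: |
          <Valve className="org.apache.catalina.valves.ErrorReportValve"
                 showReport="false"
                 showServerInfo="false" />
      notify: Restart tomcat

  handlers:
    - name: Restart tomcat
      ansible.builtin.service:
        name: "{{ tomcat_name }}"
        state: restarted
```

The role renders server.xml from its own template, so run this play after the role; a role run that rewrites the file removes the block until this play runs again.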

Idempotence: start service

Describe the bug
Starting seems to fail.

To Reproduce

molecule test --scenario-name vagrant

Expected behavior
Passing tests

Error

ERROR: Idempotence test failed because of the following tasks:
* [tomcat-debian] => ansible-role-tomcat : start and enable tomcat instance
* [tomcat-fedora] => ansible-role-tomcat : start and enable tomcat instance

Not defining group results in error.

ISSUE TYPE
  • Bug Report
SUMMARY

Not defining group results in an error:

tomcat_layout:
  - name: blaa
    directory: /opt/bla
    non_ssl_connector_port: 8080
    ssl_connector_port: 8443
    shutdown_port: 8005
    ajp_port: 8009

TASK [robertdebock.tomcat : ensure group exists] ******************************************************************************************************************************************************************
fatal: [server1]: FAILED! => {"msg": "'dict object' has no attribute 'group'"}

tomcat installing to /opt/tomcat, but service trying to run /opt//opt/bin/catalina.sh

I tried deploying tomcat to Ubuntu 20.04LTS, and found that starting the service failed with the following error in syslog:

Nov 19 07:12:04 <hostname> bash[1032]: /bin/bash: /opt//opt/bin/catalina.sh: No such file or directory

When I looked in /opt, I found that the tomcat directory was there:

~# ls -al /opt/
total 12
drwxr-xr-x  3 root   root   4096 Nov 19 07:06 .
drwxr-xr-x 19 root   root   4096 Nov 19 07:10 ..
drwxr-xr-x  9 tomcat tomcat 4096 Nov 19 07:07 tomcat
~# ls -al /opt/tomcat/
total 10400
drwxr-xr-x 9 tomcat tomcat     4096 Nov 19 07:07 .
drwxr-xr-x 3 root   root       4096 Nov 19 07:06 ..
drwxr-xr-x 2 tomcat tomcat     4096 Nov 19 07:07 bin
.
.
-r--r----- 1 root   root   10488933 Nov 19 07:07 tomcat_src.tar.gz
drwxr-xr-x 7 tomcat tomcat     4096 Nov 12  2020 webapps
drwxr-xr-x 3 tomcat tomcat     4096 Nov 19 07:07 work

Playbook

---
- hosts: all
  remote_user: '{{ non_root_username }}'
  become: true
  vars_files:
    - secret
  roles:
    - robertdebock.bootstrap
    - robertdebock.core_dependencies
    - robertdebock.java
    - robertdebock.tomcat

Please paste the playbook you are using. (Consider requirements.yml and
optionally the command you've invoked.)

- src: geerlingguy.redis
- src: robertdebock.bootstrap
- src: robertdebock.core_dependencies
- src: robertdebock.service
- src: robertdebock.java
- src: robertdebock.tomcat

Output

The playbook ran without error.

Environment

  • Control node OS: macos 11
  • Control node Ansible version: [e.g. 2.9.1] (ansible --version)
% ansible --version
ansible [core 2.11.6] 
  config file = <...>/playbooks/ansible.cfg
  configured module search path = ['<...>/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /<...>/venv/lib/python3.8/site-packages/ansible
  ansible collection location = /<...>/.ansible/collections:/usr/share/ansible/collections
  executable location = <...>/venv/bin/ansible
  python version = 3.8.9 (default, May 10 2021, 17:25:26) [Clang 12.0.5 (clang-1205.0.22.9)]
  jinja version = 2.11.2
  libyaml = True
  • Managed node OS: [e.g. CentOS 7] (cat /etc/os-release)
~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

tomcat mirror 403

Is your feature request related to a problem? Please describe.
I got a 403 on tomcat_mirror, see below:

image

The tomcat_mirror is generated from many vars, e.g. tomcat_version, see below:

- name: install tomcat instance
  unarchive:
    src: "{{ tomcat_mirror }}/{{ tomcat_archives[instance.version | default(tomcat_version)]['url_path'] }}/{{ tomcat_archives[instance.version | default(tomcat_version)]['targz'] }}"
    dest: "{{ tomcat_directory }}/{{ instance.name }}"
    owner: "{{ instance.user | default(tomcat_user) }}"
    group: "{{ instance.group | default(tomcat_group) }}"
    remote_src: yes
    extra_opts: "--strip-components=1"
    creates: "{{ tomcat_directory }}/{{ instance.name }}/bin"
  register: install_tomcat
  until: install_tomcat is succeeded
  retries: 3

Describe the solution you'd like

I want to set the tomcat_mirror to the official mirror, not the one from uni delft.

Describe alternatives you've considered
see above

Additional context
no
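
The install task quoted in this issue hands a URL to unarchive, and that module has no checksum parameter, so whatever the mirror returns is unpacked. An added example, not the role's own tasks: fetch the archive with get_url, which verifies a digest, and unpack only the verified local file. `tomcat_archive_checksum`, `tomcat_full_version` and `tomcat_install_dir` are names assumed for this example; the URL layout follows the archive.apache.org URL quoted in the "Configurable version and versions" issue.

```yaml
---
# Added example, not the role's own tasks.
- name: Install a Tomcat archive only after verifying its digest
  hosts: all
  become: true
  gather_facts: false

  vars:
    tomcat_mirror: "https://archive.apache.org"
    tomcat_full_version: "9.0.55"
    tomcat_archive: "apache-tomcat-{{ tomcat_full_version }}.tar.gz"
    tomcat_install_dir: "/opt/tomcat"
    # tomcat_archive_checksum is deliberately not set here. Supply it from
    # inventory as "<algorithm>:<hex digest>", copied from the digest file
    # published with the release and recorded out of band.

  tasks:
    - name: Stop when no usable digest was supplied
      ansible.builtin.assert:
        that:
          - tomcat_archive_checksum is defined
          - 'tomcat_archive_checksum is match("^sha(256|512):[0-9a-f]+$")'
        fail_msg: "Set tomcat_archive_checksum to sha256:<hex> or sha512:<hex>."

    - name: Create the installation directory
      ansible.builtin.file:
        path: "{{ tomcat_install_dir }}"
        state: directory
        mode: "0755"

    - name: Download the archive; get_url fails if the digest does not match
      ansible.builtin.get_url:
        url: "{{ tomcat_mirror }}/dist/tomcat/tomcat-9/v{{ tomcat_full_version }}/bin/{{ tomcat_archive }}"
        dest: "{{ tomcat_install_dir }}/tomcat_src.tar.gz"
        checksum: "{{ tomcat_archive_checksum }}"
        mode: "0440"
      register: tomcat_download
      until: tomcat_download is succeeded
      retries: 3

    - name: Unpack the verified local file
      ansible.builtin.unarchive:
        src: "{{ tomcat_install_dir }}/tomcat_src.tar.gz"
        dest: "{{ tomcat_install_dir }}"
        remote_src: true
        extra_opts:
          - "--strip-components=1"
        creates: "{{ tomcat_install_dir }}/bin"
```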

no test named 'boolean'

Appreciation

I really like your implementation of this. It is very clean and scalable.

Describe the bug

I get an error "No test 'boolean'" on TASK [robertdebock.tomcat : test if tomcat_validate_certs is set correctly]
I know this may not be happening with you but I run several ansible roles without any issues. If I comment out the 'boolean' validation it works.

Playbook

---
  vars_files:
    - defaults/main.yml
  become: yes

  roles:
    - role: robertdebock.tomcat
      vars:
        tomcat_directory: /home/tomcat
        tomcat_instances:
          - name: "instance_myapp1"
            version: 8
            java_opts:
              - name: JAVA_HOME
                value: "/opt/red/java"
            shutdown_port: 8019
            non_ssl_connector_port: 8084
            ssl_connector_port: 8447
            ajp_port: 8013
            wars:
            - url: "{{ download_url }}"

Output

FAILED! => {"msg": "The conditional check 'tomcat_validate_certs is boolean' failed. The error was: template error while templating string: no test named 'boolean'. String: {% if tomcat_validate_certs is boolean %} True {% else %} False {% endif %}"}

Environment

  • Control node OS: Ubuntu 20
  • Control node Ansible version: ansible 2.9.6 python version = 3.8.5
  • Managed node OS: CentOS 8


Move tomcat subfolder folder in a specified one after unarchive

If you install multiple instances of same tomcat version, now you have to specify different directories for each of them and in the folder you still have an unfriendly name like apache-tomcat-9.0.14. In addition, these kind of name are uncomfortable to manage with a deploy Ansible script.

It'll be nice if you can use the instance.name or specify something like instance.folder_name in order to have a file system like: opt\

  • tomcat-a\
    • bin\
    • ....
  • tomcat-b\
    • bin\
    • ...
  • ...

In alternative using different instance.directory but specify a symbolic link in a specified position.

Thanks!

Secret required in server.xml for AJP-connector

Describe the bug

Tomcat systemd service refuses to start, due to mandatory secret missing from server.xml (template.)

This was introduced in Tomcat 7.0.100, Tomcat 8.5.59, and Tomcat 9.0.31, according to the logs, which is less than the default version values for Tomcat 7 and 9.

From the changelog:

Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and add a new attribute secretRequired that defaults to true. When secretRequired is true the AJP/1.3 Connector will not start unless the secret attribute is configured to a non-null, non-zero length String. (markt)

I don't know what would be the best way to solve this in the server.yml template. Having an instance.ajp_secret variable on the AJP Connector element, with a default secret generated, or should the default requiredSecret attribute be set to false?

I added a secret attribute manually on the box, and the service then started.

--

Playbook

---
...
 tasks:
  - import_role:
      name: "ansible-role-tomcat"
    vars:
      tomcat_instances:
      - name: "tomcat-version-9"
        version: 9
    become: true

Output

Play does not report error, but sudo systemctl status tomcat-version-9 shows:

Oct 19 19:36:11 example.org catalina.sh[34248]:                 at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at java.base/java.lang.reflect.Method.invoke(Method.java:566)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Oct 19 19:36:11 example.org catalina.sh[34248]:         Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:270)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at org.apache.catalina.connector.Connector.startInternal(Connector.java:1064)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 ... 12 more

Environment

  • Control node OS: Fedora release 30 (Thirty)
  • Control node Ansible version: 2.99
  • Managed node OS: Centos 8

Configurable listening IP address

Proposed feature

Add connector_address so user can configure which IP address the server is listening to.

Rationale

We have Nginx built on top of Tomcat, 127.0.0.1 is what we really need instead of the default 0.0.0.0.

Tomcat upgrade not installed

Describe the bug

When a download of the specified version of tomcat is called, the file is only downloaded the first time. If a new version of tomcat is specified using the tomcat_version9 variable and the playbook is run on the same host, tomcat is not updated.

Playbook

Please paste the playbook you are using. (Consider requirements.yml and
optionally the command you've invoked.)

latest version
Run on multiple hosts with tomcat already installed, every command was reported as "skipped".

---
- name: Deploy Tomcat
  hosts: catalog-fgdc2iso
  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.core_dependencies
    - role: robertdebock.java
    - role: robertdebock.tomcat
      vars:
        tomcat_version9: "9.0.37"
        tomcat_instances:
          - name: "tomcat"
            version: 9
            address: "127.0.0.1"

Output

All tasks reported as "skipped".

Environment

  • Control node OS: Ubuntu 18.04.5
  • Control node Ansible version: 2.8.15
  • Managed node OS: Ubuntu 18.04.5


Xmx configuration

Describe the bug
Xmx parameter use

To Reproduce
Steps to reproduce the behavior:

  1. Run this role: ansible-role-tomcat
  2. with XMX 6G

Expected behavior
Tomcat started with -Xmx6G parameter

Error
Tomcat is not started

Environment

  • Control node OS: Debian 9
  • Control node Ansible version: 2.7
  • Managed node OS: CentOS 7

Additional context
I did not see the use of "xmx" attribute of tomcat instance in the role.

add flags to customise logging config and allow to override application config

Proposed feature

  • The server.xml.j2 template currently configures an access log. Can you please make it optional and give the ability to change the log directory as well?
  • Can we please have the ability to deploy additional config files like logging and catalina.properties that can replace the default files?

Rationale

The app I am setting up would likely keep running for a long time. We keep all the important logs in a specially mounted directory and use apache for access logs.

Additional context

Can't change tomcat version per instance

Describe the bug

I can't change version of tomcat per instance.

Playbook

---
tomcat_instances:
  - name: "tomcat-9-test"
    version: 9
    user: "tomcat-9-test"
    group: "tomcat-9-test"

Changing the version globally using:

---
tomcat_version: 9
tomcat_instances:
  - name: "tomcat-9-test"
    version: 9
    user: "tomcat-9-test"
    group: "tomcat-9-test"

works.

Environment

  • robertdebock.tomcat,5.3.4

Allow override server.xml.j2 & setenv.sh.j2 template source

Proposed feature

Allow the override of server.xml.j2 & setenv.sh.j2 template source in the instance.yml task file

Rationale

This would allow for template override if/when needed, to add or remove functionalities otherwise hardcoded in the template.

Additional context

I had to change the server.xml.j2 template to add new features like services, engines, hosts & aliases declaration but found myself stranded when I had to force the template task to use my own template (even using the same filename in my template folder)

Being able to set a template_src variable per instance would solve this problem :

tomcat_instances:
  - name: "{{ tomcat_name }}"
    server_xml_template_src : server.xml.j2
    setenv_template_src : setenv.sh.j2
    [...]

- name: instance | Configure tomcat instance - server.xml
  ansible.builtin.template:
    src: "{{ instance.server_xml_template_src | default('server.xml.j2') }}"
    dest: "{{ tomcat_directory }}/{{ instance.name }}/conf/server.xml"
    mode: "0644"
  notify:
    - Restart tomcat instance

This would be the same for the setenv.sh.j2 template.

Thanks o/

Deprecation warning: include

[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 
'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions.
 This feature will be removed in a future release. Deprecation warnings can be 
disabled by setting deprecation_warnings=False in ansible.cfg.

These includes are listed in tasks/main.yml
