Running liferay ce 7 as non-root OS account
https://liferay.dev/en/c/message_boards/find_thread?p_l_id=119785333&threadId=92074048
2024-03-29T13:41:47Z

RE: Running liferay ce 7 as non-root OS account
Luke Palnau
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=92104664
2017-07-21T16:44:11Z
<html><head></head><body>Thank you, the blog series from Olaf covers a lot. I wish I had it when I started; it definitely clarifies server setup steps. Although I'm not sure how much I would have followed it if I had found it in a Google search, because it references v6.<br><br>
I will try the manual install again to tomcat with the java option and the classpath portal-ext with the include/override path. That seems cleaner for this case. I knew of the properties file entry, but I was feeling "chicken and egg" in order for liferay to find my portal-ext in the path it was trying to override.<br><br>
Oh by the way, more troubleshooting seemed to indicate that when my service account's default shell was changed from sh to tcsh, I was able to interactively run the startup.sh successfully as the service account. I am learning that the rc.d system requires all the startup scripts to be written in sh, so I think that is why the tomcat8 port's rc.d script may be failing. I have temporarily overridden the start and stop commands with the following lines and it is working until I get the manual installation into the tomcat8 port working.<br><pre><code>
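# Override the port's default start/stop so the bundled Tomcat is launched
# as the service account instead of root.
start_cmd="liferay_start"
liferay_start() {
    # su -m leaves the environment unmodified when switching to the service account
    /usr/bin/su -m "${_tomcat_catalina_user}" -c /usr/local/liferay/tomcat-8.0.32/bin/startup.sh
}
stop_cmd="liferay_stop"
liferay_stop() {
    /usr/bin/su -m "${_tomcat_catalina_user}" -c /usr/local/liferay/tomcat-8.0.32/bin/shutdown.sh
}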
</code></pre><br><br>Hopefully I can get a better grasp on what jsvc is doing when it runs tomcat as the service account with regard to the environment/shell. Else I might be stuck with the bundle su approach.</body></html>

RE: Running liferay ce 7 as non-root OS account
David H Nebinger
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=92095872
2017-07-21T13:18:44Z
<div class="quote-title">Luke Palnau:</div><blockquote>The port installs tomcat8 into /usr/local/apache-tomcat8, so the logs kept showing it was treating liferay home as /usr/local. I couldn't find how to tell liferay to look elsewhere.</blockquote><br /><br />
There are two ways you can try. First, use a "-Dliferay.home=/var/lib/liferay" argument to move the liferay home. Second, in webapps/ROOT/WEB-INF/classes, you can create a portal-ext.properties that includes a "liferay.home=/var/lib/liferay" line (typically I actually do both of these). Since modifying your portal-ext.properties when it is in this location is challenging, I also add to the webapps/ROOT/WEB-INF/classes/portal-ext.properties file the line "include-and-override=/var/lib/liferay/portal-ext.properties" to pull in an additional file.<br /><br />
Come meet me at <a href="https://www.eventbrite.com/e/liferay-devcon-2017-registration-29348597445">Devcon 2017</a> or <a href="https://www.eventbrite.com/e/liferay-symposium-north-america-2017-registration-28398031276">2017 LSNA!</a>

RE: Running liferay ce 7 as non-root OS account
Luke Palnau
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=92090134
2017-07-21T10:02:32Z
I will give it a look. I was granting the service account write access to certain folders, which made the permission denied errors stop. Since I was still getting the mentioned startup errors, I have actually made the service account temporarily the owner of the entire liferay home recursively.

RE: Running liferay ce 7 as non-root OS account
Luke Palnau
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=92090010
2017-07-21T09:55:00Z
I should have mentioned that I did try deploying liferay into the tomcat8 port using the developer site instructions. The port installs tomcat8 into /usr/local/apache-tomcat8, so the logs kept showing it was treating liferay home as /usr/local. I couldn't find how to tell liferay to look elsewhere. But that was using the www OS service account, which has no shell or home directory, so perhaps that is worth trying again. Bitnami figured out how to do it; perhaps the include and override setting in /usr/home/liferay/portal-ext.properties might help.<br /><br />
I copied the tomcat8 port rc.d script and am just setting the env variables it uses to determine catalina_home path to point at the bundled tomcat.

RE: Running liferay ce 7 as non-root OS account
Olaf Kock
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=92082829
2017-07-21T07:49:35Z
In addition to all of this: Once you ran as root (bad idea), all kinds of files and directories might now be owned by root and you should double-check the permissions.<br /><br />
My init-script superpowers are weak as well, but I dare to point to an example one that <a href="https://web.liferay.com/en/web/olaf.kock/blog/-/blogs/securing-liferay-chapter-1-introduction-basics-and-operating-system-level">I posted years ago</a> - if only to point you to the "soften" and "harden" parts of it. These sections explicitly deal with file permissions on temporary and other folders.

RE: Running liferay ce 7 as non-root OS account
David H Nebinger
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=92077752
2017-07-21T03:56:37Z
<html><head></head><body><div class="quote-title">Luke Palnau:</div><blockquote>Cannot run program "java": error=2, No such file or directory</blockquote><br><br>
You're missing the forest through the trees. The java executable is not in the non-root user's path. You probably want to just go ahead and set a system-wide JDK to keep things easy.<br><br>
<blockquote>I've also tried a rc.d script that calls: <pre><code>/usr/local/bin/sudo -u liferay /usr/local/liferay/tomcat-8.0.32/bin/startup.sh</code></pre> which fails with the same error about cannot run program "java" and tries using HSQL.</blockquote><br><br>
Dude, you're making this a lot harder on yourself than it needs to be. To set up a server-based install, just install tomcat 8 per your distribution's package manager.<br><br>
After tomcat is installed that way, it will automagically be set up with an init script, correct bindings to java, proper placement in the filesystem per linux system standards, ...<br><br>
When it is all working, then install Liferay by finding and following the instructions for deploying Liferay to an existing tomcat. When you do that, the only thing you're trying to figure out at that point is how to get Liferay working instead of trying to figure out how to get everything working.</body></html>

Running liferay ce 7 as non-root OS account
Luke Palnau
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=92074047
2017-07-21T03:05:07Z
<html><head></head><body>I have a working installation of liferay ce 7 on freebsd 11 w/openjdk8, but I am running it interactively as root. I am struggling to find a way to get it to start as a service using a rc.d script with a service account (i.e. non-root).<br><br>
So far I have tried the freebsd 11 tomcat8 port approach (which utilizes jsvc and its user parameter). This seems to fail at this point in the startup:<br><pre><code>21-Jul-2017 02:29:39.953 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class com.liferay.portal.spring.context.PortalContextLoaderListener
java.lang.RuntimeException: com.liferay.portal.kernel.process.ProcessException: java.io.IOException: Cannot run program "java": error=2, No such file or directory
at com.liferay.portal.spring.context.PortalContextLoaderListener.contextInitialized(PortalContextLoaderListener.java:260)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4812)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5255)
</code></pre><br><br>It also seems to be ignoring my portal-ext.properties jdbc settings and connecting to HSQL instead... They both feel like path issues, but I have confirmed that the service account can run "java -version" successfully. I even went as far as adding the cwd parameter and pointing at the path to catalina_home (which is the tomcat-8.0.32 folder in the liferay bundle).<br><br>I've also tried a rc.d script that calls: <pre><code>/usr/local/bin/sudo -u liferay /usr/local/liferay/tomcat-8.0.32/bin/startup.sh</code></pre> which fails with the same error about cannot run program "java" and tries using HSQL.<br><br>This may be a lack in m