
The pattern of embedding the servlet container and the application into one runnable JAR is a great way to package and run your Grails 3 / Spring Boot applications. It gives you the flexibility to use different containers (Tomcat, Jetty, etc.) and makes deployment a breeze. We’ve been using this pattern to run applications for a while now and wanted to share some tips for running them on CentOS 7.

Running jars as a service

The first thing you’ll notice in CentOS 7 is that creating a service to run your app got a whole lot easier with systemd, though it may feel unfamiliar at first. Here’s an example of a systemd service in /etc/systemd/system/myapp.service:

[Unit]
Description=MyApp Java Daemon

[Service]
ExecStart=/usr/bin/java -jar /opt/myapp/myapp-0.1.0.jar
User=centos

[Install]
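# Similar to runlevel 3 (multi-user, no graphical login).
# systemd only accepts comments on their own line, not after a value.
WantedBy=multi-user.target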

That's it! Much cleaner than those huge init.d scripts we’re used to.

There are a lot more options; check out the man page here - http://www.freedesktop.org/software/systemd/man/systemd.service.html

Starting, stopping and retrieving logs has changed as well:

systemctl daemon-reload # Reload systemd config from disk
systemctl [start|stop|status] myapp.service # similar to service myapp start
systemctl enable myapp.service # set service to start on boot
journalctl -u myapp.service -f # -f tails stdout logs
journalctl -u myapp.service --since=00:00 --until=9:30 # filter on a time period

New Security settings

CentOS 7 is a bit stricter with SELinux than you may be used to, which is a good thing but can catch you off guard. SELinux has been around for a while and you can fix most issues by googling them these days. Here are a few we ran into.

Proxying from/to localhost

If you’re running nginx or Apache httpd as a reverse proxy on the same host as your Java app, you’ll need to allow httpd to make network connections:

setsebool httpd_can_network_connect=1

Set this way, the boolean reverts on reboot; run setsebool with -P to make it persistent.

If you’re using Chef to manage your infrastructure you can use the selinux_policy cookbook as well:

selinux_policy_boolean 'httpd_can_network_connect' do
  value true
  notifies :restart, 'service[nginx]'
end

More SELinux settings can be found here - http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

Permissions

Along with chown and chmod we also have chcon (change security context).

To allow httpd to read keys stored outside its predefined directories you can run:

chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/mysite.crt
chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/intermediate.ca
chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/private/mysite.key

chcon changes are temporary and won't survive if the security context is reapplied (for example by restorecon or a filesystem relabel). To permanently add this context to the system, use semanage fcontext.

SELinux logs

You can find the SELinux logs in /var/log/audit/audit.log. They should provide enough detail to find what you need via Google.
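To triage that log without reading raw records, the following added example (not from the original post) condenses AVC denials into one line per unique denial: which process was refused which permission, from which source type to which target type. The sample log lines are constructed, and the function names summarize_avc and sample_audit_log are hypothetical.

```bash
#!/usr/bin/env bash
# Summarize SELinux AVC denials from audit.log-format lines on stdin.
# Output per unique denial: "count comm {perms} source_type -> target_type class"
summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      comm = src = tgt = cls = perms = "?"
      # Denied permissions are listed between braces: { read open }
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      # Contexts are user:role:type:level; the type (3rd part) drives the decision.
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        if (key == "comm")          { gsub(/"/, "", val); comm = val }
        else if (key == "tclass")   { cls = val }
        else if (key == "scontext") { split(val, c, ":"); src = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
      }
      seen[comm " {" perms "} " src " -> " tgt " " cls]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (not from a real host): two proxy connection
# denials, one denied key read, and one non-AVC record that must be ignored.
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1431360000.101:410): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1431360000.101:410): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1431360007.552:415): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1431360042.913:421): avc:  denied  { read } for  pid=1201 comm="nginx" name="mysite.key" dev="xvda1" ino=271501 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

sample_audit_log | summarize_avc
```

On a real host, feed it the log as root with summarize_avc < /var/log/audit/audit.log. A name_connect denial from httpd_t matches the proxy boolean discussed above, while a read denial on a file points at that file's label.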

Grails 2?

If you're using Grails 2.x you can still build runnable jars with this plugin https://grails.org/plugin/standalone.

We hope this helps you deploy your runnable jars. If you have some other tips or need help building and deploying your Java apps, drop us an email at info@agileorbit.com. I will also be speaking at GR8Conf US 2015 on this and much more: http://gr8conf.us/#/talk/130


Eric Helgeson

