The pattern of embedding the servlet container and the application into one runnable jar is a great way to package and run your Grails 3 / Spring Boot applications. It provides flexibility to use different containers (Tomcat, Jetty, etc.) and makes deployment a breeze. We’ve been using this pattern to run applications for a while now and wanted to share some tips for running them on CentOS 7.
Running jars as a service
The first thing you’ll notice in CentOS 7 is that creating a service to run your app got a whole lot easier with systemd, but may feel unfamiliar at first. Here’s an example of a systemd service in
    [Unit]
    Description=MyApp Java Daemon

    [Service]
    ExecStart=/usr/bin/java -jar /opt/myapp/myapp-0.1.0.jar
    User=centos

    [Install]
    # Similar to runlevel 5
    WantedBy=multi-user.target
That’s it! Much cleaner than those huge init.d scripts we’re used to.
There are a lot more options; check out the man page here - http://www.freedesktop.org/software/systemd/man/systemd.service.html
Starting, stopping and retrieving logs has changed as well:
    # Reload systemd config from disk
    systemctl daemon-reload
    # Similar to "service myapp start"
    systemctl [start|stop|status] myapp.service
    # Set the service to start on boot
    systemctl enable myapp.service
    # -f tails the stdout logs
    journalctl -u myapp.service -f
    # Filter on a time period
    journalctl -u myapp.service --since=00:00 --until=9:30
New Security settings
CentOS 7 is a bit stricter with SELinux than you may be used to, which is a good thing but can catch you off guard. SELinux has been around for a while and you can fix most issues by googling them these days. Here are a few we ran into.
Proxying from/to localhost
If you’re running nginx or Apache httpd as a reverse proxy on the same host as your Java app, you’ll need to allow the httpd connection -
If you’re using Chef to manage your infrastructure you can use the selinux_policy cookbook as well:
    selinux_policy_boolean 'httpd_can_network_connect' do
      value true
      notifies :restart, 'service[nginx]'
    end
SELinux settings can be found here - http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
chmod we also have chcon (change security context)
To allow httpd to read keys stored outside its predefined directories you can run:
    chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/mysite.crt
    chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/intermediate.ca
    chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/private/mysite.key
chcon changes are temporary and won't survive if the security context is reapplied. To permanently add this context to the system, use semanage fcontext.
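One way to make the three chcon changes above permanent with semanage fcontext and restorecon. This is an added example, not code from the original post; the helper names and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): persist the contexts that the
# chcon commands set only until the next relabel.
# Assumption: DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them,
# which needs root and the semanage tool (policycoreutils-python on CentOS 7).

# semanage fcontext stores a regular expression, not a literal path, so
# escape metacharacters: an unescaped "." in mysite.crt matches any character.
fcontext_regex() {
    printf '%s\n' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"   # shown unquoted; quote the regex if you paste it
    else
        "$@"
    fi
}

# persist_context TYPE PATH...
# Records TYPE for each PATH in the local policy, then relabels the file from
# that record. If a rule for the path already exists, use -m instead of -a.
persist_context() {
    ctx_type=$1
    shift
    for path in "$@"; do
        case $path in
            /*) ;;
            *) echo "not an absolute path: $path" >&2; return 1 ;;
        esac
        run semanage fcontext -a -t "$ctx_type" "$(fcontext_regex "$path")" || return 1
        run restorecon -v "$path" || return 1
    done
}

# The three files from the chcon commands in the post.
persist_context httpd_config_t \
    /etc/pki/tls/certs/mysite.crt \
    /etc/pki/tls/certs/intermediate.ca \
    /etc/pki/tls/private/mysite.key
```

Unlike the chcon commands, semanage fcontext -t records only the type; restorecon then applies it to the file.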
You can find the logs for /var/log/audit/audit.log. They should provide enough detail to find what you need via Google.
If you're using Grails 2.x you can still build runnable jars with this plugin https://grails.org/plugin/standalone.
We hope this helps you deploy your runnable jars. If you have some other tips or need help building and deploying your Java apps, drop us an email at firstname.lastname@example.org. I will also be speaking at GR8Conf US 2015 on this and much more: http://gr8conf.us/#/talk/130