The pattern of embedding the servlet container and the application into one runnable Jar is a great way to package and run your Grails 3 / Spring Boot applications. It provides flexibility to use different containers (Tomcat, Jetty, etc.) and makes deployment a breeze. We’ve been using this pattern to run applications for a while now and wanted to share some tips for running them on CentOS 7.
Running jars as a service
The first thing you’ll notice in CentOS 7 is that creating a service to run your app got a whole lot easier with systemd, but may feel unfamiliar at first. Here’s an example of a systemd service in /etc/systemd/system/myapp.service.
[Unit]
Description=MyApp Java Daemon
[Service]
ExecStart=/usr/bin/java -jar /opt/myapp/myapp-0.1.0.jar
User=centos
[Install]
# Roughly equivalent to runlevel 3 (systemd does not allow trailing comments on a setting line)
WantedBy=multi-user.target
That’s it! Much cleaner than those huge init.d scripts we’re used to.
There are a lot more options; check out the man page here - http://www.freedesktop.org/software/systemd/man/systemd.service.html
Starting, stopping and retrieving logs has changed as well:
systemctl daemon-reload # Reload systemd config from disk
systemctl [start|stop|status] myapp.service # similar to service myapp start
systemctl enable myapp.service # set service to start on boot
journalctl -u myapp.service -f # -f tails stdout logs
journalctl -u myapp.service --since=00:00 --until=9:30 # filter on a time period
New Security settings
CentOS 7 is a bit stricter with SELinux than you may be used to, which is a good thing but can catch you off guard. SELinux has been around for a while and you can fix most issues by googling them these days. Here are a few we ran into.
Proxying from/to localhost
If you’re running nginx or Apache httpd as a reverse proxy on the same host as your Java app, you’ll need to allow the httpd connection:
setsebool httpd_can_network_connect=1
If you’re using Chef to manage your infrastructure you can use the selinux_policy cookbook as well:
selinux_policy_boolean 'httpd_can_network_connect' do
  value true
  notifies :restart, 'service[nginx]'
end
More selinux settings can be found here - http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
Permissions
Along with chown and chmod we also have chcon (change security context).
To allow httpd to read keys stored outside its predefined directories you can run:
chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/mysite.crt
chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/intermediate.ca
chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/private/mysite.key
chcon changes are temporary and won’t survive if the security context is reapplied. To permanently add this context to the system use semanage fcontext.
selinux logs
You can find the logs for selinux in /var/log/audit/audit.log. They should provide enough detail to find what you need via google.
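As an added example (not part of the original post), this script groups the AVC denials found in audit.log and tags the two cases covered above: the httpd_can_network_connect boolean and a file labelling problem. The sample log lines, port 18080 and the fix= hints are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: group SELinux AVC denials and point at the fix discussed above.

# Constructed sample in audit.log format (not captured from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1430000000.101:510): avc:  denied  { name_connect } for  pid=2101 comm="nginx" dest=18080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1430000000.101:510): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1430000007.332:514): avc:  denied  { name_connect } for  pid=2101 comm="nginx" dest=18080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1430000042.870:522): avc:  denied  { read } for  pid=2101 comm="nginx" name="mysite.key" dev="xvda1" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Reads audit.log lines on stdin. Prints one line per distinct denial:
#   count comm permission tclass source_type target_type fix=<hint>
summarize_avc() {
  awk '
    $1 == "type=AVC" && / denied / {
      perm = ""; comm = ""; src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = (perm == "" ? "" : perm ",") $j
        }
        else if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
        else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # Hints cover only the two cases from this page; anything else needs review.
      fix = "review"
      if (src == "httpd_t" && cls == "tcp_socket" && perm == "name_connect")
        fix = "boolean:httpd_can_network_connect"
      else if (src == "httpd_t" && (cls == "file" || cls == "dir"))
        fix = "file-context"
      seen[comm " " perm " " cls " " src " " tgt " fix=" fix]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort
}

sample_audit_log | summarize_avc
```

On a real host, feed it the log as root: `summarize_avc < /var/log/audit/audit.log`.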
Grails 2?
If you’re using Grails 2.x you can still build runnable jars with this plugin https://grails.org/plugin/standalone.
We hope this helps you deploy your runnable jars. If you have some other tips or need help building and deploying your Java apps, drop us an email at info@agileorbit.com. I will also be speaking at GR8Conf US 2015 on this and much more: http://gr8conf.us/#/talk/130