For our production JIRA installation, I was following the instructions at: Installing JIRA applications from an archive file on Windows, Linux or Solaris
I've configured the "jira" user to sudo as the "jira-tomcat" user without password:
jira ALL=(jira-tomcat) NOPASSWD: ALL
Defaults:jira !requiretty
I start JIRA as the "jira" user using the following command:
sudo -u jira-tomcat -s ./start-jira.sh
My issue is that when JIRA starts, it displays a SEVERE error in the catalina.out file saying:
30-Sep-2016 12:35:36.917 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.start Unable to create directory for deployment: /opt/home/jira/atlassian-jira-software-7.0.11-standalone/conf/Catalina/localhost
JIRA seems to be working fine but it seems that the "jira-tomcat" user needs WRITE access to conf folder to be able to create the "Catalina/localhost" folder.
Is this correct or could the documentation be updated to advise that this folder should be pre-created before starting JIRA to avoid the SEVERE error?
Are you running other Tomcat containers besides JIRA on your instance, or what is the reason you split up JIRA and JIRA-tomcat? I use a non-privileged user (jira) for running JIRA and don't really distinguish between the rights of Tomcat versus the right of Jira. In front of that we have a rewrite proxy that terminates SSL and redirects port 80/443 to the high port of Jira.
With this said, my JIRA instance is not facing the internet, so I don't have to calculate in that external attack vector.
>Are you running other Tomcat containers besides JIRA on your instance
JIRA is running in the Tomcat container that comes with its installation bundle. There are no other webapps running in that container. I have not split up JIRA. Sorry for the misunderstanding.
>I use a non-privileged user (jira) for running JIRA and don't really distinguish between the rights of Tomcat versus the right of Jira.
I thought Atlassian may have had a security reason for running the Tomcat container as a user separate from the user that owns the JIRA installation files. I assumed it was to limit the impact of what the Tomcat user can access if compromised. I agree it's easier to simply use a single non priv. user. I may have overthought the installation instructions.
>In front of that we have a rewrite proxy that terminates SSL and redirects port 80/443 to the high port of Jira.
Yes, I have a similar setup.
>my JIRA instance is not facing the internet
Unfortunately, for the moment our instance is facing the internet. In the future we will IP restrict it.
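The pre-creation proposed in the question, as an added example that is not part of the thread or of Atlassian's documentation: it creates only the directory named in the SEVERE message and hands that subtree to the runtime account, so conf/ itself does not have to be writable by it. The function names are hypothetical; the account name and install path in the usage comment are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the thread): pre-create Tomcat's per-host config
# directory so the runtime account never needs write access to conf/ itself.
# Function names are hypothetical; user and path are assumptions from the question.

# precreate_deploy_dir INSTALL_DIR [RUN_USER]
precreate_deploy_dir() {
    install_dir=$1
    run_user=${2:-}
    conf_dir="$install_dir/conf"
    host_dir="$conf_dir/Catalina/localhost"

    [ -d "$conf_dir" ] || { echo "no conf directory under $install_dir" >&2; return 1; }

    # Create only the path named in the SEVERE message, closed to "other".
    mkdir -p "$host_dir" || return 1
    chmod 750 "$conf_dir/Catalina" "$host_dir" || return 1

    # Changing ownership needs root; hand over the Catalina subtree only.
    if [ -n "$run_user" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$run_user" "$conf_dir/Catalina" || return 1
    fi
}

# conf_is_locked_down INSTALL_DIR
# Succeeds when conf/ is neither group-writable nor world-writable.
conf_is_locked_down() {
    perms=$(ls -ld "$1/conf" | cut -c1-10)
    case $perms in
        d????w????|d???????w?) return 1 ;;
    esac
    return 0
}

# Usage, run as root before starting JIRA:
#   precreate_deploy_dir /opt/home/jira/atlassian-jira-software-7.0.11-standalone jira-tomcat
#   conf_is_locked_down  /opt/home/jira/atlassian-jira-software-7.0.11-standalone
```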