From: Mark Thomas [mailto:ma...@apache.org] Sent: Thursday, July 20, 2017 6:15 AM To: Tomcat Users List Subject: Re: Do symlinks under aliased directories require any special handing/configuration (tomcat = 7.0.56)?
On 19/07/17 22:28, Terence Lee wrote: > Please forgive any misuse of terminology here. I am a sysadmin involved in > devops deployments of tomcat servers and applications, but I don't really > know much about how tomcat actually works. I am a unix guy! > > We recently had a deployment of a third party application that resulted in > tomcat throwing 404 errors on any content of a symlinked directory that was > contained in/under an aliased path. It seems to me that it is something in > the app configuration gone awry, but the vendor claims not. So I am casting > about for some information here after not coming up with anything definitive > in the docs or by act of google. > > Example: > > 1) The context.xml for the root context has the following: > > aliases="/static=/pnas/legacy/static" > > 2) /pnas/legacy/static/ has a symlinked directory that functions as expected > at the o/s level: > > [root@exampleserver]# ls -lad /pnas/legacy/static/Digital > lrwxrwxrwx. 1 appsrv apps 34 Jul 17 21:40 /pnas/legacy/static/Digital -> > /pnas/editorial/Digital/ > > 3) tomcat runs as the appsrv user and all files in /pnas/editorial/Digital/ > are owned by appsrv:apps, so we would expect <webroot>/static/Digital/* to be > accessible without error > > 4) attempts to access files in <webroot>/static/Digital result in a 404 error > ... but this was not the case before this last app deploy > > 5) reverting the build of the app is not possible as it was one part of a > really big multiheaded deployment. We can work around the issue but accrue > signifcant technical debt as a result. > > 6) Versions of anything relevant other than the app itself have not changed: > tomcat = 7.0.56 > java = 1.7.0_71 > o/s = Red Hat Enterprise Linux Server release 6.8 (Santiago) > 2.6.32-642.11.1.el6.x86_64 > > Question: > > Does the use of symlinks under aliases require some like an "allowLinking" > attribute or something else that could have misconfigured in the app? Yes. allowLinking applies to aliases as well as the Context's docBase. > The docs don't really address this case and I can only find reference to > "allowLinking" affecting material symlinked directlly in or under the web > context root. Aliases appear to be suggested as an alternative and symlinks > under an alias are not specifically addressed (that I have seen). > > Any thoughts are appreciated and please do pardon any tomcat vocabulary that > I may have injured in this effort to pose a question. No problem. The question was clearly stated and easily understood. Mark Update for what it is worth ... This is app a bit of a science project. The alias in question was to an NFS mount .. the symlink inside the alias was to a directory inside a cifs mount. We had to do it this way because multiprotocol file sharing works better in theory than it does in practice. But, this app had been working for more than a year like this. I compared an older release of everything under the root context to the current release and I did not see anything in the configuration files that would specifically allow or disallow symlinks in either version. Why it worked at all is a mystery and may be related to some java code in the app itself rather than any resource provided by Tomcat itself. That is outside of my normal food group as an infrastructure guy. So, we tried an experiment: We stood up a dummy server with just the examples app deployed in the root context and with the same alias/symlink combo defined. We allowed directory listings and could not see the symlink on a directory browse of the alias. We then added the allowLinking and still could not see the symlink. We tried making another symlink just pointing to a normal directory inside the aliased path and could not see that either. Both types symlinks were fine at the o/s level, so we decided to look for plan B. We mounted the cifs mount subdirectory directly inside the aliased path and that works just fine. So, rather than kill ourselves trying to figure out what came off the rails, we will just go with what works and what we can control. Thanks to all who responded and I hope I can pay that forward sometime. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
