Re: Do symlinks under aliased directories require any special handing/configuration (tomcat = 7.0.56)?

[Mark Thomas <ma...@apache.org>]

On 19/07/17 22:28, Terence Lee wrote:
> Please forgive any misuse of terminology here.  I am a sysadmin involved in devops deployments of tomcat servers and applications, but I don't really know much about how tomcat actually works.  I am a unix guy!
> 
> We recently had a deployment of a third party application that resulted in tomcat throwing 404 errors on any content of a symlinked directory that was contained in/under an aliased path.  It seems to me that it is something in the app configuration gone awry, but the vendor claims not.  So I am casting about for some information here after not coming up with anything definitive in the docs or by act of google.
> 
> Example:
> 
> 1) The context.xml for the root context has the following:
> 
> aliases="/static=/pnas/legacy/static"
> 
> 2) /pnas/legacy/static/ has a symlinked directory that functions as expected at the o/s level:
> 
> [root@exampleserver]# ls -lad /pnas/legacy/static/Digital
> lrwxrwxrwx. 1 appsrv apps 34 Jul 17 21:40 /pnas/legacy/static/Digital -> /pnas/editorial/Digital/
> 
> 3) tomcat runs as the appsrv user and all files in /pnas/editorial/Digital/ are owned by appsrv:apps, so we would expect <webroot>/static/Digital/* to be accessible without error
> 
> 4) attempts to access files in <webroot>/static/Digital result in a 404 error ... but this was not the case before this last app deploy
> 
> 5) reverting the build of the app is not possible as it was one part of a really big multiheaded deployment.  We can work around the issue but accrue signifcant technical debt as a result.
> 
> 6) Versions of anything relevant other than the app itself have not changed:
>      tomcat = 7.0.56
>      java = 1.7.0_71
>      o/s = Red Hat Enterprise Linux Server release 6.8 (Santiago) 2.6.32-642.11.1.el6.x86_64
> 
> Question:
> 
> Does the use of symlinks under aliases require some like an "allowLinking" attribute or something else that could have misconfigured in the app?

Yes. allowLinking applies to aliases as well as the Context's docBase.

> The docs don't really address this case and I can only find reference to "allowLinking" affecting material symlinked directlly in or under the web context root.   Aliases appear to be suggested as an alternative and symlinks under an alias are not specifically addressed (that I have seen).
> 
> Any thoughts are appreciated and please do pardon any tomcat vocabulary that I may have injured in this effort to pose a question.

No problem. The question was clearly stated and easily understood.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Do symlinks under aliased directories require any special handing/configuration (tomcat = 7.0.56)?

[Christopher Schultz <ch...@christopherschultz.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Terence,

On 7/20/17 6:14 AM, Mark Thomas wrote:
> On 19/07/17 22:28, Terence Lee wrote:
>> Please forgive any misuse of terminology here.  I am a sysadmin
>> involved in devops deployments of tomcat servers and
>> applications, but I don't really know much about how tomcat
>> actually works.  I am a unix guy!
>> 
>> We recently had a deployment of a third party application that
>> resulted in tomcat throwing 404 errors on any content of a
>> symlinked directory that was contained in/under an aliased path.
>> It seems to me that it is something in the app configuration gone
>> awry, but the vendor claims not.  So I am casting about for some
>> information here after not coming up with anything definitive in
>> the docs or by act of google.
>> 
>> Example:
>> 
>> 1) The context.xml for the root context has the following:
>> 
>> aliases="/static=/pnas/legacy/static"
>> 
>> 2) /pnas/legacy/static/ has a symlinked directory that functions
>> as expected at the o/s level:
>> 
>> [root@exampleserver]# ls -lad /pnas/legacy/static/Digital 
>> lrwxrwxrwx. 1 appsrv apps 34 Jul 17 21:40
>> /pnas/legacy/static/Digital -> /pnas/editorial/Digital/
>> 
>> 3) tomcat runs as the appsrv user and all files in
>> /pnas/editorial/Digital/ are owned by appsrv:apps, so we would
>> expect <webroot>/static/Digital/* to be accessible without error
>> 
>> 4) attempts to access files in <webroot>/static/Digital result in
>> a 404 error ... but this was not the case before this last app
>> deploy
>> 
>> 5) reverting the build of the app is not possible as it was one
>> part of a really big multiheaded deployment.  We can work around
>> the issue but accrue signifcant technical debt as a result.
>> 
>> 6) Versions of anything relevant other than the app itself have
>> not changed: tomcat = 7.0.56 java = 1.7.0_71 o/s = Red Hat
>> Enterprise Linux Server release 6.8 (Santiago)
>> 2.6.32-642.11.1.el6.x86_64
>> 
>> Question:
>> 
>> Does the use of symlinks under aliases require some like an
>> "allowLinking" attribute or something else that could have
>> misconfigured in the app?
> 
> Yes. allowLinking applies to aliases as well as the Context's
> docBase.

Another option would be to use Tomcat's "aliases" configuration to
effect the symlink. So instead of
aliases="/static=/pnas/legacy/static" you could do
aliases="/static/Digital=/pnas/editorial/Digital,/static=/pnas/legacy/st
atic".
It's probably better to simply "allowLinking", though.

Odd that this did not affect earlier versions of their application. Do
they supply their own context.xml file which (a) had and (b) no longer
includes the allowLinking="true" setting?

>> The docs don't really address this case and I can only find
>> reference to "allowLinking" affecting material symlinked
>> directlly in or under the web context root.   Aliases appear to
>> be suggested as an alternative and symlinks under an alias are
>> not specifically addressed (that I have seen).
>> 
>> Any thoughts are appreciated and please do pardon any tomcat
>> vocabulary that I may have injured in this effort to pose a
>> question.
> 
> No problem. The question was clearly stated and easily understood.

Agreed. You included (a) your Tomcat version (b) a clear description
of the problem (and accompanying configuration) and (c) what you
expected to happen. If only all first-time posters had such
high-quality posts :)

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZcMJBAAoJEBzwKT+lPKRY6KoP/jhFmAw/Y7CuCoMNv2lswJXj
sg/ialC1/b4t5EIcZXayrPHnEw60b9JBEKM+h5mkvYDSQATvTKIxeBqRkP1yI5w4
w7g0Ft4G5vbK++ihquahfRiWm++nAh284YK8V3TNFhr54LmfjlIwjwFAXsmkerW7
P6WQ0lWwziNrSiw6ynf2/yXn8kzPxQ9IdgIaFweKqEyHpUVxRUskYgJeSkm0v8lq
pzweiVT5eiRtJSSpevf1WycltPY3nROTlyuDSHEoVeoNnWmfUiHnsMusw7SSVwyt
STG363IN9m611yEsujiP1+KOpkgrF1DFaay5mdn7eNAOPIqnkmKQF6d8IfTZHmeK
u1Oqr6pgu8Qp+XHhp4ni3o3tidLEIW/HWMZPzhYN3rpMzHh5ndNGiMP9hN8yZxDC
eZpbY66fiOtjBzghE34KDae+e/QqJdYiRL8E3iD8Mh1GCYrc5T4N/IapPP0PloRT
RoEoK98n7pei6EwK/DsTfHihnmcc0xQTyIVcyxdLmLZ5Omyh0UMbzFZtKMqVV6vA
UUKzOW3mZ/amCxQmW7hc4A+0H3BMTtmrxGB9dqpVKrvkp/E4nynQNwVsRavjOXpk
uMe8j2AzUTaxvoj+B98GhNjr5/tXwT/3MYlELtprxZKodnoTtIQ/VMCse69BUYhn
l128qZo/lD5zZ2RbLr5h
=bOWF
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: Do symlinks under aliased directories require any special handing/configuration (tomcat = 7.0.56)?

[Terence Lee <TL...@drf.com>]

From: Mark Thomas [mailto:markt@apache.org] 
Sent: Thursday, July 20, 2017 6:15 AM
To: Tomcat Users List
Subject: Re: Do symlinks under aliased directories require any special handing/configuration (tomcat = 7.0.56)?

On 19/07/17 22:28, Terence Lee wrote:
> Please forgive any misuse of terminology here. I am a sysadmin involved in devops deployments of tomcat servers and applications, but I don't really know much about how tomcat actually works. I am a unix guy!
> 
> We recently had a deployment of a third party application that resulted in tomcat throwing 404 errors on any content of a symlinked directory that was contained in/under an aliased path. It seems to me that it is something in the app configuration gone awry, but the vendor claims not. So I am casting about for some information here after not coming up with anything definitive in the docs or by act of google.
> 
> Example:
> 
> 1) The context.xml for the root context has the following:
> 
> aliases="/static=/pnas/legacy/static"
> 
> 2) /pnas/legacy/static/ has a symlinked directory that functions as expected at the o/s level:
> 
> [root@exampleserver]# ls -lad /pnas/legacy/static/Digital
> lrwxrwxrwx. 1 appsrv apps 34 Jul 17 21:40 /pnas/legacy/static/Digital -> /pnas/editorial/Digital/
> 
> 3) tomcat runs as the appsrv user and all files in /pnas/editorial/Digital/ are owned by appsrv:apps, so we would expect <webroot>/static/Digital/* to be accessible without error
> 
> 4) attempts to access files in <webroot>/static/Digital result in a 404 error ... but this was not the case before this last app deploy
> 
> 5) reverting the build of the app is not possible as it was one part of a really big multiheaded deployment. We can work around the issue but accrue signifcant technical debt as a result.
> 
> 6) Versions of anything relevant other than the app itself have not changed:
> tomcat = 7.0.56
> java = 1.7.0_71
> o/s = Red Hat Enterprise Linux Server release 6.8 (Santiago) 2.6.32-642.11.1.el6.x86_64
> 
> Question:
> 
> Does the use of symlinks under aliases require some like an "allowLinking" attribute or something else that could have misconfigured in the app?

Yes. allowLinking applies to aliases as well as the Context's docBase.

> The docs don't really address this case and I can only find reference to "allowLinking" affecting material symlinked directlly in or under the web context root. Aliases appear to be suggested as an alternative and symlinks under an alias are not specifically addressed (that I have seen).
> 
> Any thoughts are appreciated and please do pardon any tomcat vocabulary that I may have injured in this effort to pose a question.

No problem. The question was clearly stated and easily understood.

Mark

Update for what it is worth ...

This is app a bit of a science project.  The alias in question was to an NFS mount .. the symlink inside the alias was to a directory inside a cifs mount.  We had to do it this way because multiprotocol file sharing works better in theory than it does in practice.  But, this app had been working for more than a year like this.

I compared an older release of everything under the root context to the current release and I did not see anything in the configuration files that would specifically allow or disallow symlinks in either version. Why it worked at all is a mystery and may be related to some java code in the app itself rather than any resource provided by Tomcat itself.  That is outside of my normal food group as an infrastructure guy.

So, we tried an experiment:

We stood up a dummy server with just the examples app deployed in the root context and with the same alias/symlink combo defined.  
We allowed directory listings and could not see the symlink on a directory browse of the alias.  
We then added the allowLinking and still could not see the symlink.
We tried making another symlink just pointing to a normal directory inside the aliased path and could not see that either.
Both types symlinks were fine at the o/s level, so we decided to look for plan B.
We mounted the cifs mount subdirectory directly inside the aliased path and that works just fine.

So, rather than kill ourselves trying to figure out what came off the rails, we will just go with what works and what we can control.

Thanks to all who responded and I hope I can pay that forward sometime.





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org