
Background

On RHEL 8 I have Apache Tomcat v8.5.78 installed under /opt/tomcat/. The user & group of the directory are set to tomcat:tomcat, and so is the directory's content.

I can start Tomcat with

$ sudo -u tomcat /opt/tomcat/bin/catalina.sh start

Now I try to manage Tomcat via systemctl. I have a tomcat.service file like this:

[Unit]
Description=Tomcat Server
After=syslog.target network.target

[Service]
Type=forking
User=tomcat
Group=tomcat

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment='JAVA_OPTS=-Djava.awt.headless=true'
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment='CATALINA_OPTS=-Xms512M -Xmx2048M'
ExecStart=/opt/tomcat/bin/catalina.sh start
ExecStop=/opt/tomcat/bin/catalina.sh stop

[Install]
WantedBy=multi-user.target

Note that the service user & group is set to tomcat & tomcat as well.

Problem

When I start up Tomcat via systemctl:

$ sudo systemctl start tomcat.service

I get "Job for tomcat.service failed...". systemctl status tomcat.service shows

● tomcat.service - Tomcat Server
   Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2022-06-22 12:11:59 AEST; 1min 29s ago
  Process: 1641092 ExecStart=/opt/tomcat/bin/catalina.sh start (code=exited, status=203/EXEC)

and journalctl -xe gives:

-- Unit tomcat.service has begun starting up.
Jun 22 11:41:47 my.server.local systemd[1638136]: tomcat.service: Failed to execute command: Permission denied
Jun 22 11:41:47 my.server.local systemd[1638136]: tomcat.service: Failed at step EXEC spawning /opt/tomcat/bin/catalina.sh: Permission d>
-- Subject: Process /opt/tomcat/bin/catalina.sh could not be executed

Why does systemctl report permission problems when the service file specifies the same user with whom manual start up works?

Additional info

Tomcat version

The Tomcat version is a requirement - I cannot upgrade to a newer version.

What have I tried additionally?

  1. Having read https://unix.stackexchange.com/a/498494/45940 I tried in tomcat.service the directive Type=oneshot -- with no success.

  2. Having read https://stackoverflow.com/a/58301082/65889 I tried setting in tomcat.service the working directory to /opt/tomcat/bin -- with no success

halloleo

1 Answer


In my case, it was the .sh files' permissions in the /bin directory. They were all missing the x (executable) flag.

Edward
Ramez
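Added example, not from the question or the answer: two shell helpers for the check the answer describes, applied to the path systemd reports at "step EXEC". The function names `first_exec_blocker` and `nonexec_scripts` are chosen here; they look at mode bits only and evaluate them for the account that runs the script, so run it as the service user.

```shell
#!/bin/sh
# Added example: find what stops execve() of an ExecStart= target on mode bits.
# Checks apply to the account running this script, so run it as the service user.

# Walk an absolute path from / downwards and print the first component that is
# missing or lacks the x bit (search on directories, execute on the file).
# Returns 0 if every component passes, 1 on a blocker, 2 on bad usage.
first_exec_blocker() {
    case $1 in
        /*) ;;
        *) echo "need an absolute path" >&2; return 2 ;;
    esac
    rest=${1#/}
    cur=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue        # skip doubled slashes
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then
            echo "$cur: does not exist"
            return 1
        elif [ ! -x "$cur" ]; then
            echo "$cur: x bit missing for user $(id -un) ($(ls -ld "$cur" | cut -d' ' -f1))"
            return 1
        fi
    done
    return 0
}

# List *.sh files directly under a directory whose owner-execute bit is unset,
# the condition the answer describes for Tomcat's bin directory.
nonexec_scripts() {
    find "$1" -maxdepth 1 -type f -name '*.sh' ! -perm -100
}

# Usage: pass the ExecStart= path as the first argument,
# e.g. /opt/tomcat/bin/catalina.sh
if [ "$#" -gt 0 ]; then
    first_exec_blocker "$1" && echo "$1: no mode-bit blocker found"
    nonexec_scripts "$(dirname "$1")"
fi
```

Any file `nonexec_scripts` lists needs its execute bit restored with `chmod +x` before systemd can spawn it.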