Solved it! First reaction to your response was “well of course I checked file and directory permissions, that’s not it”. /var/lucee/config/ and all the subdirectories do in fact belong to the tomcat-user, so that box was truly checked.

Then I took a step back and wondered what else could shoot down a daemon because of some permissions issue - and who would be so mean to do that covertly and not tell anybody about it in any damn log file? First thing coming to mind was my old enemy systemd. My lazy ass had already taken some beating over adding kernel parameters to /etc/defaults/tomcat9, which had worked fine in previous Debian versions, but not with Buster (hence the name, I guess). After identifying the culprits by sheer trial and error I had to remove these lines and put them in /etc/sysctl.d/ and /etc/security/limits.d/ where they belonged. Fortunately systemd tells you exactly nothing why it doesn’t start a service, so guesswork can be quite an adventure for the day.

systemd sandboxing has more challenges, though - at least when leaving the predesigned paths. So one systemctl edit --full tomcat9.service later, I had added the paths to the Lucee jars and the working directories to ReadWritePaths, so the Security-block in my unit file now reads
# Security
User=tomcat
Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
ReadWritePaths=/opt/lucee/
ReadWritePaths=/var/lucee/config/
One service tomcat9 start later I am greeted with a “No Password set yet!” on the Lucee admin page. What a glorious start to my day! I guess it’s downhill from here on, but I am quite happy for a few minutes now.

There may be more to this systemd config, though. I might have to fine tune some settings in the end, maybe ProtectSystem needs to be more lax. But at least now I know where to look. I am relieved that I didn’t use the installer, as that would have gotten me nowhere in the end - I would have tried to wrap the installed Lucee in a systemd unit and would have stumbled just as hard, I assume.

So thank you again for mentioning permissions. Even if file permissions are not the problem here, security in general definitely was.
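A pre-deployment check for exactly this kind of silent sandbox failure, added here as an example and not part of the post or of Lucee/Tomcat: it parses the [Service] block quoted above and reports which paths the service needs to write that ProtectSystem= would leave read-only, honouring ReadWritePaths= (including systemd's accumulate-and-reset semantics), CacheDirectory= and PrivateTmp=. The model is a deliberate simplification (ReadOnlyPaths=, InaccessiblePaths=, StateDirectory= and LogsDirectory= are not handled), and the list of paths to check is constructed.

```python
from pathlib import PurePosixPath
# The [Service] security block from the post, used here as the sample input.
UNIT = """[Service]
PrivateTmp=yes
CacheDirectory=tomcat9
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
ReadWritePaths=/opt/lucee/
ReadWritePaths=/var/lucee/config/
"""

# Trees systemd mounts read-only for each ProtectSystem= value (strict: everything).
READ_ONLY = {"yes": ["/usr", "/boot", "/efi"], "full": ["/usr", "/boot", "/efi", "/etc"], "strict": ["/"]}

def parse_service(text):
    """Collect settings; repeated ReadWritePaths= accumulate, an empty one resets the list."""
    settings, rw = {}, []
    for line in text.splitlines():
        if line.startswith(("[", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "ReadWritePaths":
            rw = rw + value.split() if value else []
        else:
            settings[key] = value
    return settings, rw

def under(path, prefix):
    # True if path equals prefix or lies beneath it; trailing slashes are normalised away.
    p, q = PurePosixPath(path), PurePosixPath(prefix)
    return p == q or q in p.parents

def writable(path, settings, rw):
    if any(under(path, p) for p in rw):
        return True
    cache = settings.get("CacheDirectory")
    if cache and under(path, "/var/cache/" + cache):
        return True  # systemd creates /var/cache/<name> and keeps it writable
    if settings.get("PrivateTmp") in ("yes", "true") and under(path, "/tmp"):
        return True  # the private /tmp is a separate, writable mount
    read_only = READ_ONLY.get(settings.get("ProtectSystem", "no"), [])
    return not any(under(path, p) for p in read_only)

def missing_paths(text, needed):
    # Paths in `needed` that the hardened unit would leave read-only (constructed input).
    settings, rw = parse_service(text)
    return [p for p in needed if not writable(p, settings, rw)]
```

Run it against the real unit (`systemctl cat tomcat9.service`) and the directories your application actually writes to before restarting the service, so a missing ReadWritePaths= entry shows up here instead of as a daemon that just dies.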