Application logging broken under Tomcat 9: permission denied to /var/log/myapp

Question

I have a Java webapp that runs under Apache Tomcat on Ubuntu Linux. When I upgraded from Tomcat 9 from Tomcat 8, the application was no longer able to write log files to /var/log/myapp. I can't figure out why it doesn't have permission to log to this location.

My first thought was that the user changed. Tomcat 8 ran under the tomcat8:tomcat8 user. Tomcat 9 runs under tomcat:tomcat user. I updated the directory with those permissions. Both the tomcat user and tomcat group have write permission.

I also checked the write and execute permissions of that directory. That directory has write and execute permissions, and all parent directories have execute permissions.

/var/log/myapp/ drwxrwxr-x  tomcat tomcat
/var/log        drwxrwxr-x  root syslog 
/var            drwxr-xr-x  root root            
/               drwxr-xr-x  root root

If I run the following code under my web application

    File logdir =  new File("/var/log/myapp");
    setAttribute("debug", 
        "<br>user: " + System.getProperty("user.name") +
        "<br>execute: " + logdir.canExecute() +
        "<br>read: " + logdir.canRead() +
        "<br>write: " + logdir.canWrite()
    );

it prints out that there is no write permission

user: tomcat
execute: true
read: true
write: false 

If I run similar code in a main method as the tomcat user

File logdir =  new File("/var/log/myapp");
    System.out.println("\n user: " + System.getProperty("user.name") +
        "\n execute: " + logdir.canExecute() +
        "\n read: " + logdir.canRead() +
        "\n write: " + logdir.canWrite()
        );

It prints that it has write permission

user: tomcat
execute: true
read: true
write: true

I've exhausted all the debugging that I know how to do. What is preventing my web application from writing to this directory under tomcat 9? What do I need to do to fix it.

Answer 1

This is caused by new systemd sandboxing around tomcat 9 as part of Debian/Ubuntu. To solve the problem you need to tell systemd to allow read write access to additional directories for Tomcat.

sudo mkdir -p /etc/systemd/system/tomcat9.service.d
echo -e "[Service]\nReadWritePaths=/var/log/" | sudo tee /etc/systemd/system/tomcat9.service.d/logging-allow.conf
sudo systemctl daemon-reload
sudo systemctl restart tomcat9

After making these changes, web apps can once again write to their own directories in /var/log.

Source: Debian Tomcat 9 release notes

Answer 2

Stephen Ostermiller's answer solves the problem.
Another way to do it would be:

systemctl edit tomcat9.service

put in

[Service]
ReadWritePaths=/var/log/

This will get written to /etc/systemd/system/tomcat9.service.d/override.conf.
Then do

systemctl daemon-reload
systemctl restart tomcat9.service 

You can go back to the original with

systemctl revert tomcat9.service