Java executable jar location best practice for systemd and Jenkins CI?

Question

I have Spring Boot 2 executable jar (runs by command java -jar myapp.jar) which I need to deploy to remote linux server as systemd service. Jenkins CI will manage building this jar from source and copy to proper location and restart java service associated with myapp.jar. Linux server has just one user 'jonas' with sudo privilege, in addition to jenkins user. Where do I need to put myapp.jar on linux server from security best practice point of view in production environment ? Possible location:

 /var/myapplications/myapp.jar 
 /home/jona/myapplications/myapp.jar
 /opt//myapplications/myapp.jar

Also where the log files generated by myapp.jar are going to be located?

Answer 1

Based on my experience, I would recommend to keep all third parties and applications under /opt/{{ app_name }}

You can follow if you like following structure which makes deployment of new artefacts much easier with option to quickly rollback if needed.

/opt/{{ app_name }}/releases/{{ app_version }}

/opt/{{ app_name }}/current <- Symlink to above

/opt/{{ app_name }}/current/logs <- directory for logs which would be part of the releases/{{ app_version }}

Your deployment script can create respective folders, manage permissions and symlinks for this purpose.

What i personally like is to make sure it runs under a non-privileged user with proper permissions to ensure only that particular user can read/execute/write on the directory recursively which would include logs which might have some sensitive information that might be included as part of the exception, however this purely depends on how you log.