On Debian 13:
sudo apt update
sudo apt install openjdk-17-jdk
On RHEL 10:
sudo dnf install java-17-openjdk-devel
Verify:
java -version
sudo useradd --system --home /opt/wildfly --shell /usr/sbin/nologin wildfly
Install unzip if needed.
On Debian 13:
sudo apt install unzip
On RHEL 10:
sudo dnf install unzip
cd /tmp
curl -LO https://github.com/wildfly/wildfly/releases/download/39.0.0.Final/wildfly-39.0.0.Final.zip
sudo mkdir -p /opt/wildfly
sudo unzip -q wildfly-39.0.0.Final.zip -d /opt
sudo mv /opt/wildfly-39.0.0.Final/* /opt/wildfly/
sudo chown -R wildfly:wildfly /opt/wildfly
sudo -u wildfly /opt/wildfly/bin/add-user.sh
sudo tee /etc/systemd/system/wildfly.service >/dev/null <<'SERVICE'
[Unit]
Description=WildFly Application Server
After=network.target
[Service]
Type=simple
User=wildfly
Group=wildfly
Environment=WILDFLY_HOME=/opt/wildfly
Environment=JAVA_HOME=/usr/lib/jvm/java-17-openjdk
ExecStart=/opt/wildfly/bin/standalone.sh -b 0.0.0.0
Restart=on-failure
LimitNOFILE=102642
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=true
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
CapabilityBoundingSet=
AmbientCapabilities=
[Install]
WantedBy=multi-user.target
SERVICE
Note: On Debian, you may need to set JAVA_HOME to /usr/lib/jvm/java-17-openjdk-amd64.
If your app needs write access outside /opt/wildfly, add ReadWritePaths= entries to the service.
Stronger hardening (optional). This reduces filesystem/device access and may need ReadWritePaths for app data. If WildFly fails to start, remove or relax these:
ProtectSystem=strict
PrivateDevices=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectProc=invisible
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictFileSystems=ext4 xfs
UMask=0077
Enable and start:
sudo systemctl daemon-reload
sudo systemctl enable --now wildfly
On UFW:
sudo ufw allow 8080/tcp
sudo ufw allow 9990/tcp
On firewalld:
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=9990/tcp
sudo firewall-cmd --reload
http://SERVER_IP:8080http://SERVER_IP:9990/console9990/tcp in the firewall to trusted admin IPs only.8080.Do you need help or support for WildFly? Feel free to contact us!