8.5 - multiple host configuration question


8.5 - multiple host configuration question

Chris Cheshire-2
I am migrating from 7 (yum repo installation) to 8.5 (direct from
apache) and looking to improve configuration where possible.

Currently (on *nix) I have a machine that runs sandboxes for my
domain, call them sb1.dom.com and sb2.dom.com. They each have their
own (system) user and in tomcat's system.xml I have a host for each :

<Host name="sb1.dom.com" appBase="/home/sandbox1/webapps" ... />

<Host name="sb2.dom.com" appBase="/home/sandbox2/webapps" .... />


Each has access to the host-manager app via a hardlink to manager.xml
through /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each
user belongs to the tomcat group, and has their webapps directory
group readable so Tomcat can deploy the apps. Each host may have
multiple contexts within it representing code branches. The env
variables have CATALINA_HOME and CATALINA_BASE pointing to
/usr/share/tomcat.

Reading RUNNING.txt, it says that HOME and BASE can point to different
locations for a multi-user environment, which sounds like what I am
doing. How do I go about configuring it this way?

Assume I put the tomcat installation in /usr/local, with a symlink
from /usr/local/tomcat to /usr/local/tomcat/apache-tomcat-${version}

Would it be better to put the webapps for each user under
/usr/local/tomcat/webapps and symlink to them from the users home
directory? What would the structure look like and what would I set
CATALINA_BASE and CATALINA_HOME to?

What about file/directory permissions, assuming tomcat is running
under the 'tomcat' user? I have root access to the machine, so
changing groups, users, permissions is not an issue.

Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: 8.5 - multiple host configuration question

Christopher Schultz-2

Chris,

On 9/5/17 10:54 AM, Chris Cheshire wrote:
> I am migrating from 7 (yum repo installation) to 8.5 (direct from
> apache) and looking to improve configuration where possible.
>
> Currently (on *nix) I have a machine that runs sandboxes for my
> domain, call them sb1.dom.com and sb2.dom.com. They each have
> their own (system) user and in tomcat's system.xml

Nit: server.xml

> I have a host for each :
>
> <Host name="sb1.dom.com" appBase="/home/sandbox1/webapps" ... />
>
> <Host name="sb2.dom.com" appBase="/home/sandbox2/webapps" .... />
>
> Each has access to the host-manager app via a hardlink to
> manager.xml through
> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
> belongs to the tomcat group, and has their webapps directory group
> readable so Tomcat can deploy the apps. Each host may have multiple
> contexts within it representing code branches. The env variables
> have CATALINA_HOME and CATALINA_BASE pointing to
> /usr/share/tomcat.
>
> Reading RUNNING.txt, it says that HOME and BASE can point to
> different locations for a multi-user environment, which sounds like
> what I am doing. How do I go about configuring it this way?

It depends upon your goals. If you want to run a single JVM, then it
really doesn't matter whether you have a "single" Tomcat where
CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
pretty much required that you use a split configuration.

I'd argue that you should always have a split configuration, because
it allows you to upgrade/downgrade almost trivially without disturbing
your application's (Tomcat) configuration.

> Assume I put the tomcat installation in /usr/local, with a symlink
> from /usr/local/tomcat to
> /usr/local/tomcat/apache-tomcat-${version}
>
> Would it be better to put the webapps for each user under
> /usr/local/tomcat/webapps and symlink to them from the users home
> directory? What would the structure look like and what would I set
> CATALINA_BASE and CATALINA_HOME to?

If I were king, I'd set things up like this:

1. Tomcat is installed in /usr/local/tomcat (or
/usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
3. Each user has their own CATALINA_BASE directory in their own home
directory (or wherever in the fs tree). No need to put anything in
/usr/local which is usually considered to be shared and read-only.
CATALINA_BASE is just a directory with the following directories in
it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
using a custom conf/server.xml and leaving everything else pretty much
alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
necessary for all the other Tomcats that will be running on the server.

This gives you a LOT of flexibility:

1. Users run their own JVMs as their own users. Filesystem permissions
become simpler. Applications require less trust (e.g. apps are running
at "cschultz" instead of "tomcat7").
2. Users can select which version of Tomcat they want to use. Just
change CATALINA_BASE and restart. (Roughly speaking. If you switch
major versions, you'll likely have to update
CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
running x.y.z whether you like it or not".
3. Users can start/stop their own Tomcat services. No more emailing an
administrator and asking for a restart, and having to coordinate it
with several other unrelated teams who weren't expecting a service
restart in the middle of the day.
4. You (admin) don't have to babysit everyone's web applications.
Users simply put their own apps in CATALINA_BASE/webapps and move on
with their lives.

> What about file/directory permissions, assuming tomcat is running
> under the 'tomcat' user? I have root access to the machine, so
> changing groups, users, permissions is not an issue.

Free yourself from the "tomcat user". It's one of the things I dislike
most about the package-managed versions of Tomcat: they tend to run
everything as a single user which is completely unnecessary.

-chris


Re: 8.5 - multiple host configuration question

Chris Cheshire-2
On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
<[hidden email]> wrote:

>
> Chris,
>
> On 9/5/17 10:54 AM, Chris Cheshire wrote:
>> I am migrating from 7 (yum repo installation) to 8.5 (direct from
>> apache) and looking to improve configuration where possible.
>>
>> Currently (on *nix) I have a machine that runs sandboxes for my
>> domain, call them sb1.dom.com and sb2.dom.com. They each have
>> their own (system) user and in tomcat's system.xml
>
> Nit: server.xml
>

Brain fart :)


>> I have a host for each :
>>
>> <Host name="sb1.dom.com" appBase="/home/sandbox1/webapps" ... />
>>
>> <Host name="sb2.dom.com" appBase="/home/sandbox2/webapps" .... />
>>
>> Each has access to the host-manager app via a hardlink to
>> manager.xml through
>> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
>> belongs to the tomcat group, and has their webapps directory group
>> readable so Tomcat can deploy the apps. Each host may have multiple
>> contexts within it representing code branches. The env variables
>> have CATALINA_HOME and CATALINA_BASE pointing to
>> /usr/share/tomcat.
>>
>> Reading RUNNING.txt, it says that HOME and BASE can point to
>> different locations for a multi-user environment, which sounds like
>> what I am doing. How do I go about configuring it this way?
>
> It depends upon your goals. If you want to run a single JVM, then it
> really doesn't matter whether you have a "single" Tomcat where
> CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
> pretty much required that you use a split configuration.
>
> I'd argue that you should always have a split configuration, because
> it allows you to upgrade/downgrade almost trivially without disturbing
> your application's (Tomcat) configuration.
>
>> Assume I put the tomcat installation in /usr/local, with a symlink
>> from /usr/local/tomcat to
>> /usr/local/tomcat/apache-tomcat-${version}
>>
>> Would it be better to put the webapps for each user under
>> /usr/local/tomcat/webapps and symlink to them from the users home
>> directory? What would the structure look like and what would I set
>> CATALINA_BASE and CATALINA_HOME to?
>
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
> 3. Each user has their own CATALINA_BASE directory in their own home
> directory (or wherever in the fs tree). No need to put anything in
> /usr/local which is usually considered to be shared and read-only.
> CATALINA_BASE is just a directory with the following directories in
> it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
> anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
> using a custom conf/server.xml and leaving everything else pretty much
> alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
> necessary for all the other Tomcats that will be running on the server.
>
> This gives you a LOT of flexibility:
>
> 1. Users run their own JVMs as their own users. Filesystem permissions
> become simpler. Applications require less trust (e.g. apps are running
> at "cschultz" instead of "tomcat7").
> 2. Users can select which version of Tomcat they want to use. Just
> change CATALINA_BASE and restart. (Roughly speaking. If you switch
> major versions, you'll likely have to update
> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
> running x.y.z whether you like it or not".


Ok this helps a bit for upgrades. I would just expand the new tarball
in a similar place, update user level conf and restart each instance
when ready?



> 3. Users can start/stop their own Tomcat services. No more emailing an
> administrator and asking for a restart, and having to coordinate it
> with several other unrelated teams who weren't expecting a service
> restart in the middle of the day.
> 4. You (admin) don't have to babysit everyone's web applications.
> Users simply put their own apps in CATALINA_BASE/webapps and move on
> with their lives.
>


This means I need to configure each server and connector element with
different ports for each user, correct?

I am fronting tomcat with httpd using an ajp connector to handle ssl
certs. I use letsencrypt, and on a production server I can't afford to
bounce even the connector and lose connections. httpd handles it a lot
more gracefully. Can I have separate mod_jk.conf and workers.properties
files for mod_jk pointing to different ports for separate connectors
for tomcat?



>> What about file/directory permissions, assuming tomcat is running
>> under the 'tomcat' user? I have root access to the machine, so
>> changing groups, users, permissions is not an issue.
>
> Free yourself from the "tomcat user". It's one of the things I dislike
> most about the package-managed versions of Tomcat: they tend to run
> everything as a single user which is completely unnecessary.
>

Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as each
user (sandbox1, sandbox2 etc)?


Trying to assimilate all this, it sounds like:

CATALINA_HOME=/usr/local/tomcat-x.y.z
CATALINA_BASE=/home/sandbox1/tc

CATALINA_BASE/conf/server.xml has the entire configuration, engine,
connector, host etc for that one user.

Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt says

"The CATALINA_HOME and CATALINA_BASE variables cannot be configured in the
setenv script, because they are used to locate that file."


Do I then need to create my own startup script that sets those, then
calls ${CATALINA_HOME}/bin/startup.sh, or can I just set the variables
in .bashrc?

For each other sandbox I replicate that setup, changing the connector
and server config elements to listen on a new port, correct?

Thanks

Chris


Re: 8.5 - multiple host configuration question

Chris Cheshire-2
On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
<[hidden email]> wrote:
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).


Looks like I do need to adjust default permissions on this if I expand as root.

The tarball leaves me with

[root@host apache-tomcat-8.5.20]# ls -al
total 124
drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
-rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
-rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
-rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
-rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
drwxr-x---  2 root root  4096 Sep  5 20:31 bin
drwx------  2 root root  4096 Aug  2 21:36 conf
drwxr-x---  2 root root  4096 Sep  5 20:31 lib
drwxr-x---  2 root root  4096 Aug  2 21:35 logs
drwxr-x---  2 root root  4096 Sep  5 20:31 temp
drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
drwxr-x---  2 root root  4096 Aug  2 21:35 work


What should the permissions, owner & group be set to for CATALINA_HOME
if I am running separate instances per user?


Re: 8.5 - multiple host configuration question

Christopher Schultz-2

Chris,

On 9/5/17 3:39 PM, Chris Cheshire wrote:

> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>> If I were king, I'd set things up like this:
>>
>> 1. Tomcat is installed in /usr/local/tomcat (or
>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.). 2. Tomcat is
>> never launched with CATALINA_BASE=/usr/local/tomcat 3. Each user
>> has their own CATALINA_BASE directory in their own home directory
>> (or wherever in the fs tree). No need to put anything in
>> /usr/local which is usually considered to be shared and
>> read-only. CATALINA_BASE is just a directory with the following
>> directories in it: work/ logs/ conf/ lib/ webapps/. Anything in
>> there overrides anything in the CATALINA_HOME where Tomcat is
>> installed. I'd recommend using a custom conf/server.xml and
>> leaving everything else pretty much alone except maybe a JDBC
>> driver in CATALINA_BASE/lib that isn't necessary for all the
>> other Tomcats that will be running on the server.
>>
>> This gives you a LOT of flexibility:
>>
>> 1. Users run their own JVMs as their own users. Filesystem
>> permissions become simpler. Applications require less trust (e.g.
>> apps are running at "cschultz" instead of "tomcat7"). 2. Users
>> can select which version of Tomcat they want to use. Just change
>> CATALINA_BASE and restart. (Roughly speaking. If you switch major
>> versions, you'll likely have to update
>> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
>> running x.y.z whether you like it or not".
>
>
> Ok this helps a bit for upgrades. I would just expand the new
> tarball in a similar place, update user level conf and restart each
> instance when ready?

Exactly. Your users can even decide when they want to switch to a new
Tomcat version.

>> 3. Users can start/stop their own Tomcat services. No more
>> emailing an administrator and asking for a restart, and having to
>> coordinate it with several other unrelated teams who weren't
>> expecting a service restart in the middle of the day. 4. You
>> (admin) don't have to babysit everyone's web applications. Users
>> simply put their own apps in CATALINA_BASE/webapps and move on
>> with their lives.
>>
>
> This means I need to configure each server and connector element
> with different ports for each user, correct?

Yes. A regimented port assignment scheme is recommended. In my shared
development environments, I assign every dev a number and their port
numbers become:

Tomcat AJP:           8[dev #][app #]5
Tomcat shutdown:      8[dev #][app #]6
Tomcat "Secure" port: 8[dev #][app #]7

(the "secure" port is for loopback requests; we have those for certain
applications)

So for example, my primary app id is 1 and my dev id is 2:

AJP:      8215
Shutdown: 8216
Secure:   8217

> I am fronting tomcat with httpd using an ajp connector to handle
> ssl certs. I use letsencrypt, and on a production server I can't
> afford to bounce even the connector and lose connections. httpd
> handles it a lot more gracefully. Can I have separate mod_jk.conf
> and workers.properties files for mod_jk pointing to different ports
> for separate connectors for tomcat?

Absolutely. Using regimented port assignments allows you to set up
everyone's port assignments in advance using a template worker and
then a bunch of workers that all look the same except for the port
numbers.

Then you just need to map URLs (e.g. /dev1-app1) to the matching port
numbers.

>>> What about file/directory permissions, assuming tomcat is
>>> running under the 'tomcat' user? I have root access to the
>>> machine, so changing groups, users, permissions is not an
>>> issue.
>>
>> Free yourself from the "tomcat user". It's one of the things I
>> dislike most about the package-managed versions of Tomcat: they
>> tend to run everything as a single user which is completely
>> unnecessary.
>>
>
> Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as
> each user (sandbox1, sandbox2 etc)?

Yes. You may see that as a Good Thing or a Bad Thing. I think it's Good.

> Trying to assimilate all this, it sounds like :
>
> CATALINA_HOME=/usr/local/tomcat-x.y.z
> CATALINA_BASE=/home/sandbox1/tc
>
> CATALINA_BASE/conf/server.xml has the entire configuration,
> engine, connector, host etc for that one user.

Yes.

> Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt
> says
>
> "The CATALINA_HOME and CATALINA_BASE variables cannot be configured
> in the setenv script, because they are used to locate that file."

You'll have to set CATALINA_HOME and CATALINA_BASE for the user in
whatever way makes most sense. For example, ~/.profile works, but only
for interactive logins.

> Do I then need to create my own startup script that sets those,
> then calls ${CATALINA_HOME}/bin/startup.sh, or can I just set the
> variables in .bashrc?

Yeah, .bashrc will work, too, but .profile will be better because it
will affect non-bash shells, of course.

Once those variables are set, just run $CATALINA_HOME/bin/startup.sh.
If CATALINA_BASE/bin/setenv.sh exists, it will be sourced before
Tomcat starts, so customized environment variables can be set there
(like CATALINA_OPTS).

> For each other sandbox I replicate that setup, changing the
> connector and server config elements to listen on a new port,
> correct?

Correct. I highly recommend writing a script to churn out a new
sandbox and then ACTUALLY USE THE SCRIPT. Once you start doing it,
you'll wonder why you ever did things any differently.

I have scripts that generate my jk_workers.properties and httpd.conf
files (snippets, for a single dev), and our builds are all ant-based,
so build.xml knows how to build a CATALINA_BASE for me with the right
directory, merges the server.xml file with the right port numbers, etc.

Moving all of this to demo and production is trivial: everything is
the same, it's just that you have only a single "dev" in production.

-chris

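Chris's port scheme, template worker and "merge the server.xml with the right port numbers" step above, as one added shell example (not code from the thread, from mod_jk or from the Tomcat project; the devN-appM worker name, the template worker name and the @PLACEHOLDER@ tokens are this example's own conventions):

```shell
#!/bin/sh
# Added example, not from the thread: derive one sandbox's ports from the
# 8[dev #][app #]x scheme above and emit the matching mod_jk worker,
# JkMount lines and server.xml port attributes. The worker name devN-appM,
# the template worker name and the @PLACEHOLDER@ tokens are this example's
# own conventions (assumptions), not something the thread or mod_jk fixes.
set -eu

# Port for one role: trailing 5 = AJP, 6 = shutdown, 7 = "secure" loopback.
# The scheme only has room for single-digit dev and app ids, so anything
# else is rejected instead of silently producing a port outside the plan.
sandbox_port() {
    dev=$1; app=$2; role=$3
    case $role in
        ajp)      suffix=5 ;;
        shutdown) suffix=6 ;;
        secure)   suffix=7 ;;
        *) echo "sandbox_port: unknown role '$role'" >&2; return 1 ;;
    esac
    case "$dev$app" in
        [0-9][0-9]) ;;
        *) echo "sandbox_port: dev and app ids must be single digits" >&2
           return 1 ;;
    esac
    echo "8${dev}${app}${suffix}"
}

worker_name() { echo "dev$1-app$2"; }

# workers.properties for a list of dev:app pairs: one template worker
# carries the shared settings, each sandbox worker references it and
# overrides only the port (Chris's "workers that all look the same").
jk_workers_properties() {
    list=""
    for pair in "$@"; do
        list="${list:+$list,}$(worker_name "${pair%%:*}" "${pair#*:}")"
    done
    echo "worker.list=$list"
    echo "worker.template.type=ajp13"
    echo "worker.template.host=127.0.0.1"
    echo "worker.template.socket_keepalive=true"
    for pair in "$@"; do
        dev=${pair%%:*}; app=${pair#*:}
        name=$(worker_name "$dev" "$app")
        port=$(sandbox_port "$dev" "$app" ajp)
        echo "worker.$name.reference=worker.template"
        echo "worker.$name.port=$port"
    done
}

# httpd.conf fragment: URL prefix /devN-appM is routed to the worker of
# the same name, both the bare prefix and everything beneath it.
jk_mounts() {
    for pair in "$@"; do
        name=$(worker_name "${pair%%:*}" "${pair#*:}")
        echo "JkMount /$name $name"
        echo "JkMount /$name/* $name"
    done
}

# Fill the port placeholders of a server.xml template read on stdin.
render_server_xml() {
    shutdown=$(sandbox_port "$1" "$2" shutdown)
    ajp=$(sandbox_port "$1" "$2" ajp)
    secure=$(sandbox_port "$1" "$2" secure)
    sed -e "s/@SHUTDOWN_PORT@/$shutdown/g" \
        -e "s/@AJP_PORT@/$ajp/g" \
        -e "s/@SECURE_PORT@/$secure/g"
}

# Constructed template covering only the parts that differ per sandbox.
# Both connectors are bound to loopback: httpd on the same box is the only
# legitimate client, so neither port needs to be reachable from the network.
SERVER_XML_TEMPLATE='<Server port="@SHUTDOWN_PORT@" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="@AJP_PORT@" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="@SECURE_PORT@" protocol="HTTP/1.1" address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>'
```

Run, for instance, `jk_workers_properties 2:1 3:1 > workers.properties` and `printf '%s\n' "$SERVER_XML_TEMPLATE" | render_server_xml 2 1` to produce the files for dev 2 / app 1 (ports 8215, 8216, 8217).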

Re: 8.5 - multiple host configuration question

Christopher Schultz-2

Chris,

On 9/5/17 4:42 PM, Chris Cheshire wrote:

> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
> <[hidden email]> wrote:
>> If I were king, I'd set things up like this:
>>
>> 1. Tomcat is installed in /usr/local/tomcat (or
>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>
>
> Looks like I do need to adjust default permissions on this if I
> expand as root.
>
> The tarball leaves me with
>
> [root@host apache-tomcat-8.5.20]# ls -al
> total 124
> drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
> drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
> -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
> -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
> -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
> -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
> drwxr-x---  2 root root  4096 Sep  5 20:31 bin
> drwx------  2 root root  4096 Aug  2 21:36 conf
> drwxr-x---  2 root root  4096 Sep  5 20:31 lib
> drwxr-x---  2 root root  4096 Aug  2 21:35 logs
> drwxr-x---  2 root root  4096 Sep  5 20:31 temp
> drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
> drwxr-x---  2 root root  4096 Aug  2 21:35 work
>
>
> What should the permissions, owner & group be set to for
> CATALINA_HOME if I am running separate instances per user?

It doesn't really matter. You just need to make sure that your "users"
can read the default config files -- especially conf/web.xml and
conf/tomcat.xml which usually shouldn't be modified from their
defaults anyway.

I've always been irritated that the conf/ directory is only readable
by the owner in the tarball. Maybe I'll agitate to get that changed,
and only protect conf/server.xml and conf/tomcat-users.xml in that way.

-chris

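The split layout from Chris Schultz's first reply (shared CATALINA_HOME, a private CATALINA_BASE per user) and the CATALINA_HOME permission question answered just above, as one added shell example (not code from the thread or from the Tomcat project; the function names and the name of the sharing group are this example's own assumptions):

```shell
#!/bin/sh
# Added example, not from the thread or the Tomcat project: provision the
# split layout from Chris's first reply (shared read-only CATALINA_HOME,
# private per-user CATALINA_BASE) and apply the permissions his reply
# above describes. Function names and the sharing group are this
# example's own assumptions. Ownership changes happen only when run as
# root; the mode changes and the layout work for an unprivileged user too.
set -eu

# The unpacked tarball is root-owned with conf/ at 0700, so the default
# conf/web.xml and conf/context.xml are unreadable to sandbox users.
# Open CATALINA_HOME to one group, read-only: members can read and
# traverse, but nothing under it is writable by group or others.
share_catalina_home() {
    home=$1; group=$2
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "root:$group" "$home"
    fi
    chmod -R u=rwX,g=rX,o= "$home"
}

# A private CATALINA_BASE for one sandbox user. Only the files meant to
# be customised are copied in; Tomcat resolves bin/, lib/, the default
# web.xml and everything else from CATALINA_HOME.
make_catalina_base() {
    home=$1; base=$2; owner=$3
    for d in bin conf lib logs temp webapps work; do
        mkdir -p "$base/$d"
    done
    cp "$home/conf/server.xml" "$base/conf/server.xml"
    for f in logging.properties tomcat-users.xml; do
        if [ -f "$home/conf/$f" ]; then
            cp "$home/conf/$f" "$base/conf/$f"
        fi
    done
    # catalina.sh sources CATALINA_BASE/bin/setenv.sh when it exists, so
    # instance JVM options go here. CATALINA_HOME and CATALINA_BASE cannot
    # be set in it: they are what locates the file (RUNNING.txt, above).
    cat > "$base/bin/setenv.sh" <<'EOF'
CATALINA_OPTS="${CATALINA_OPTS:-} -Xmx512m"
export CATALINA_OPTS
EOF
    # Owner has everything, the group may read (logs, deployed apps),
    # others nothing; conf/ is owner-only because server.xml carries the
    # shutdown command and tomcat-users.xml may carry credentials.
    chmod -R u=rwX,g=rX,o= "$base"
    chmod -R g= "$base/conf"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$base"
    fi
}

# Check to run after provisioning (and after upgrades): nothing under
# CATALINA_HOME may be writable by group or others, and nothing under a
# CATALINA_BASE may be accessible to others. Lists offenders, returns 1.
audit_layout() {
    home=$1; base=$2
    offenders=$(
        find "$home" \( -perm -g+w -o -perm -o+w \) -print
        find "$base" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
    )
    if [ -n "$offenders" ]; then
        printf 'insecure permissions:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}
```

As root, `share_catalina_home /usr/local/tomcat-x.y.z tomcat` followed by `make_catalina_base /usr/local/tomcat-x.y.z /home/sandbox1/tc sandbox1` gives the layout from the thread; `audit_layout` then confirms nothing was left readable or writable more widely than intended.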

Re: 8.5 - multiple host configuration question

Chris Cheshire-2
On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz
<[hidden email]> wrote:

>
> Chris,
>
> On 9/5/17 4:42 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>> <[hidden email]> wrote:
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>>
>>
>> Looks like I do need to adjust default permissions on this if I
>> expand as root.
>>
>> The tarball leaves me with
>>
>> [root@host apache-tomcat-8.5.20]# ls -al
>> total 124
>> drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
>> drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
>> -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
>> -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
>> -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
>> -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
>> drwxr-x---  2 root root  4096 Sep  5 20:31 bin
>> drwx------  2 root root  4096 Aug  2 21:36 conf
>> drwxr-x---  2 root root  4096 Sep  5 20:31 lib
>> drwxr-x---  2 root root  4096 Aug  2 21:35 logs
>> drwxr-x---  2 root root  4096 Sep  5 20:31 temp
>> drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
>> drwxr-x---  2 root root  4096 Aug  2 21:35 work
>>
>>
>> What should the permissions, owner & group be set to for
>> CATALINA_HOME if I am running separate instances per user?
>
> It doesn't really matter. You just need to make sure that your "users"
> can read the default config files -- especially conf/web.xml and
> conf/tomcat.xml which usually shouldn't be modified from their
> defaults anyway.
>
> I've always been irritated that the conf/ directory is only readable
> by the owner in the tarball. Maybe I'll agitate to get that changed,
> and only protect conf/server.xml and conf/tomcat-users.xml in that way.
>
> -chris

Thanks,

I'm just wary of giving everyone read permission to something that starts out
without it, especially when installed by root. The only change I made to the
default config anyway was to remove tomcat-users.xml since I have a
JDBC realm for restricting access to the manager webapp.


Chris


Re: 8.5 - multiple host configuration question

Chris Cheshire-2
On Thu, Sep 7, 2017 at 5:29 PM, Christopher Schultz
<[hidden email]> wrote:

>
> Chris,
>
> On 9/5/17 3:39 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.). 2. Tomcat is
>>> never launched with CATALINA_BASE=/usr/local/tomcat 3. Each user
>>> has their own CATALINA_BASE directory in their own home directory
>>> (or wherever in the fs tree). No need to put anything in
>>> /usr/local which is usually considered to be shared and
>>> read-only. CATALINA_BASE is just a directory with the following
>>> directories in it: work/ logs/ conf/ lib/ webapps/. Anything in
>>> there overrides anything in the CATALINA_HOME where Tomcat is
>>> installed. I'd recommend using a custom conf/server.xml and
>>> leaving everything else pretty much alone except maybe a JDBC
>>> driver in CATALINA_BASE/lib that isn't necessary for all the
>>> other Tomcats that will be running on the server.
>>>
>>> This gives you a LOT of flexibility:
>>>
>>> 1. Users run their own JVMs as their own users. Filesystem
>>> permissions become simpler. Applications require less trust (e.g.
>>> apps are running at "cschultz" instead of "tomcat7"). 2. Users
>>> can select which version of Tomcat they want to use. Just change
>>> CATALINA_BASE and restart. (Roughly speaking. If you switch major
>>> versions, you'll likely have to update
>>> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
>>> running x.y.z whether you like it or not".
>>
>>
>> Ok this helps a bit for upgrades. I would just expand the new
>> tarball in a similar place, update user level conf and restart each
>> instance when ready?
>
> Exactly. Your users can even decide when they want to switch to a new
> Tomcat version.
>
>>> 3. Users can start/stop their own Tomcat services. No more
>>> emailing an administrator and asking for a restart, and having to
>>> coordinate it with several other unrelated teams who weren't
>>> expecting a service restart in the middle of the day. 4. You
>>> (admin) don't have to babysit everyone's web applications. Users
>>> simply put their own apps in CATALINA_BASE/webapps and move on
>>> with their lives.
>>>
>>
>> This means I need to configure each server and connector element
>> with different ports for each user, correct?
>
> Yes. A regimented port assignment scheme is recommended. In my shared
> development environments, I assign every dev a number and their port
> numbers become:
>
> Tomcat AJP:           8[dev #][app #]5
> Tomcat shutdown:      8[dev #][app #]6
> Tomcat "Secure" port: 8[dev #][app #]7
>
> (the "secure" port is for loopback requests; we have those for certain
> applications)
>
> So for example, my primary app id is 1 and my dev id is 2:
>
> AJP:      8215
> Shutdown: 8216
> Secure:   8217
>
>> I am fronting tomcat with httpd using an ajp connector to handle
>> ssl certs. I use letsencrypt, and on a production server I can't
>> afford to bounce even the connector and lose connections. httpd
>> handles it a lot more gracefully. Can I have separate mod_jk.conf
>> and workers.properties files for mod_jk pointing to different ports
>> for separate connectors for tomcat?
>
> Absolutely. Using regimented port assignments allows you to set up
> everyone's port assignments in advance using a template worker and
> then a bunch of workers that all look the same except for the port
> numbers.
>
> Then you just need to map URLs (e.g. /dev1-app1) to the matching port
> numbers.
>
>>>> What about file/directory permissions, assuming tomcat is
>>>> running under the 'tomcat' user? I have root access to the
>>>> machine, so changing groups, users, permissions is not an
>>>> issue.
>>>
>>> Free yourself from the "tomcat user". It's one of the things I
>>> dislike most about the package-managed versions of Tomcat: they
>>> tend to run everything as a single user which is completely
>>> unnecessary.
>>>
>>
>> Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as
>> each user (sandbox1, sandbox2 etc)?
>
> Yes. You may see that as a Good Thing or a Bad Thing. I think it's Good.
>
>> Trying to assimilate all this, it sounds like :
>>
>> CATALINA_HOME=/usr/local/tomcat-x.y.z
>> CATALINA_BASE=/home/sandbox1/tc
>>
>> CATALINA_BASE/conf/server.xml has the entire configuration,
>> engine, connector, host etc for that one user.
>
> Yes.
>
>> Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt
>> says
>>
>> "The CATALINA_HOME and CATALINA_BASE variables cannot be configured
>> in the setenv script, because they are used to locate that file."
>
> You'll have to set CATALINA_HOME and CATALINA_BASE for the user in
> whatever way makes most sense. For example, ~/.profile works, but only
> for interactive logins.
>
>> Do I then need to create my own startup script that sets those,
>> then calls ${CATALINA_HOME}/bin/startup.sh, or can I just set the
>> variables in .bashrc?
>
> Yeah, .bashrc will work, too, but .profile will be better because it
> will affect non-bash shells, of course.
>
> Once those variables are set, just run $CATALINA_HOME/bin/startup.sh.
> If CATALINA_BASE/bin/setenv.sh exists, it will be sourced before
> Tomcat starts, so customized environment variables can be set there
> (like CATALINA_OPTS).
>
>> For each other sandbox I replicate that setup, changing the
>> connector and server config elements to listen on a new port,
>> correct?
>
> Correct. I highly recommend writing a script to churn out a new
> sandbox and then ACTUALLY USE THE SCRIPT. Once you start doing it,
> you'll wonder why you ever did things any differently.
>
> I have scripts that generate my jk_workers.properties and httpd.conf
> files (snippets, for a single dev), and our builds are all ant-based,
> so build.xml knows how to build a CATALINA_BASE for me with the right
> directory, merges the server.xml file with the right port numbers, etc.
>
> Moving all of this to demo and production is trivial: everything is
> the same, it's just that you have only a single "dev" in production.
>

Thank you for the explanations, this helps considerably.

Chris


RE: 8.5 - multiple host configuration question

Berneburg, Cris J. - US
Chris and Chris (but not Chris)

-----Original Message-----
From: Chris Cheshire [mailto:[hidden email]]
Sent: Friday, September 08, 2017 9:16 PM
To: Tomcat Users List <[hidden email]>
Subject: Re: 8.5 - multiple host configuration question

On Thu, Sep 7, 2017 at 5:29 PM, Christopher Schultz <[hidden email]> wrote:

>
> Chris,
>
> On 9/5/17 3:39 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.). 2. Tomcat is never
>>> launched with CATALINA_BASE=/usr/local/tomcat 3. Each user has their
>>> own CATALINA_BASE directory in their own home directory (or wherever
>>> in the fs tree). No need to put anything in /usr/local which is
>>> usually considered to be shared and read-only. CATALINA_BASE is just
>>> a directory with the following directories in it: work/ logs/ conf/
>>> lib/ webapps/. Anything in there overrides anything in the
>>> CATALINA_HOME where Tomcat is installed. I'd recommend using a
>>> custom conf/server.xml and leaving everything else pretty much alone
>>> except maybe a JDBC driver in CATALINA_BASE/lib that isn't necessary
>>> for all the other Tomcats that will be running on the server.
>>>
>>> This gives you a LOT of flexibility:
>>>
>>> [SNIP]
>>>
> Thank you for the explanations, this helps considerably.

Ditto!  I saved a copy in my archives of accumulated Tomcat wisdom.  The problem is that the info is still stored in my computer and not in my brain.

--
Cris Berneburg
CACI Lead Software Engineer

