Shutdown port on Windows Service installation

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Shutdown port on Windows Service installation

David Kerber
I am running several instances of TC 7 as services on a Windows Server
2008 R2.  Each instance has its own set of ports, and I have both the
data port and shutdown ports configured in server.xml.  They are
currently running only HTTP.

My questions:

1.  Does the shutdown port serve any purpose on a windows service
installation?  I thought I had read that it did not, but some searching
didn't turn up a definitive answer.

2.  I may need to start using HTTPS for my data transfer for at least
one of the instances.  If that instance is going to allow only HTTPS
(and not HTTP), can I just make the current HTTP port into HTTPS?  Or do
I need to configure an additional port?  If I need an additional port,
and the shutdown port isn't needed, I could just turn the shutdown port
into the HTTPS port, right?

I understand that there are significant configuration changes needed for
HTTPS, and will be back if I run into issues with it, but for now I'm
only asking about the TCP ports.

Thanks!
Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Shutdown port on Windows Service installation

André Warnier (tomcat)
David kerber wrote:

> I am running several instances of TC 7 as services on a Windows Server
> 2008 R2.  Each instance has its own set of ports, and I have both the
> data port and shutdown ports configured in server.xml.  They are
> currently running only HTTP.
>
> My questions:
>
> 1.  Does the shutdown port serve any purpose on a windows service
> installation?  I thought I had read that it did not, but some searching
> didn't turn up a definitive answer.

I don't really know either, but just for the fun of it, let's proceed by logical induction.

In a Windows Service scenario, the JVM that runs Tomcat, itself runs under a "wrapper"
(tomcatX.exe).  That wrapper is a generic program for Java processes, and has no
particular knowledge of Tomcat.  But it is that wrapper which would get the Windows
message "Stop Service", and would have to forward this to the JVM in some way, to ask the
JVM itself to exit.
The JVM has no specific knowledge of Tomcat either, nor of its shutdown port and what it
is there for.  So if the JVM must stop Tomcat before stopping itself, it must be doing it
via another way.
My guess would thus be that Tomcat inserts some "callback hook" in the JVM, so that it is
notified when the JVM has been asked to stop itself.  And when this callback is called by
the JVM, Tomcat initiates its own shutdown.  And when this callback returns, the JVM
proceeds to shut itself down (or Tomcat just does a system.exit()).  And when that is
done, the wrapper knows and can tell Windows that the Service is shut down, and then exit
itself.

Conclusion : no, the Tomcat shutdown port is not used when running as a Windows Service.

Now the question is : if you do not specify a shutdown port, does Tomcat nevertheless set
one up by default ?

>
> 2.  I may need to start using HTTPS for my data transfer for at least
> one of the instances.  If that instance is going to allow only HTTPS
> (and not HTTP), can I just make the current HTTP port into HTTPS?  

I cannot think of why not. You can comment out the HTTP Connector, and just leave the
HTTPS Connector (and change its port).

Or do
> I need to configure an additional port?  If I need an additional port,
> and the shutdown port isn't needed, I could just turn the shutdown port
> into the HTTPS port, right?

You mean using the same port number, that you are currently using for the shutdown port ?
If so, yes, depending on the answer to the question above.
Note that this would not be the standard HTTPS port (443), so the clients would need to
specifiy the port number explicitly, in addition to the "https://" prefix.
That may or may not bother you, depending on the scenario.

>
> I understand that there are significant configuration changes needed for
> HTTPS, and will be back if I run into issues with it, but for now I'm
> only asking about the TCP ports.
>
> Thanks!
> Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Shutdown port on Windows Service installation

David Kerber
On 3/4/2014 10:34 AM, André Warnier wrote:

> David kerber wrote:
>> I am running several instances of TC 7 as services on a Windows Server
>> 2008 R2.  Each instance has its own set of ports, and I have both the
>> data port and shutdown ports configured in server.xml.  They are
>> currently running only HTTP.
>>
>> My questions:
>>
>> 1.  Does the shutdown port serve any purpose on a windows service
>> installation?  I thought I had read that it did not, but some
>> searching didn't turn up a definitive answer.
>
> I don't really know either, but just for the fun of it, let's proceed by
> logical induction.
>
> In a Windows Service scenario, the JVM that runs Tomcat, itself runs
> under a "wrapper" (tomcatX.exe).  That wrapper is a generic program for
> Java processes, and has no particular knowledge of Tomcat.  But it is
> that wrapper which would get the Windows message "Stop Service", and
> would have to forward this to the JVM in some way, to ask the JVM itself
> to exit.
> The JVM has no specific knowledge of Tomcat either, nor of its shutdown
> port and what it is there for.  So if the JVM must stop Tomcat before
> stopping itself, it must be doing it via another way.
> My guess would thus be that Tomcat inserts some "callback hook" in the
> JVM, so that it is notified when the JVM has been asked to stop itself.

Shutdown hook, maybe?  I just used my first one yesterday in a cmd-line
java app...


> And when this callback is called by the JVM, Tomcat initiates its own
> shutdown.  And when this callback returns, the JVM proceeds to shut
> itself down (or Tomcat just does a system.exit()).  And when that is
> done, the wrapper knows and can tell Windows that the Service is shut
> down, and then exit itself.

That was my reasoning as well, but I'm not as well-versed in this stuff
as I would like to be.


>
> Conclusion : no, the Tomcat shutdown port is not used when running as a
> Windows Service.
>
> Now the question is : if you do not specify a shutdown port, does Tomcat
> nevertheless set one up by default ?

That's what I was hoping Mark, Chuck or one of the other committers
could answer definitively.


>
>>
>> 2.  I may need to start using HTTPS for my data transfer for at least
>> one of the instances.  If that instance is going to allow only HTTPS
>> (and not HTTP), can I just make the current HTTP port into HTTPS?
>
> I cannot think of why not. You can comment out the HTTP Connector, and
> just leave the HTTPS Connector (and change its port).

That's what I thought.


>
> Or do
>> I need to configure an additional port?  If I need an additional port,
>> and the shutdown port isn't needed, I could just turn the shutdown
>> port into the HTTPS port, right?
>
> You mean using the same port number, that you are currently using for
> the shutdown port ? If so, yes, depending on the answer to the question
> above.

Right, that's what I thought.


> Note that this would not be the standard HTTPS port (443), so the
> clients would need to specifiy the port number explicitly, in addition
> to the "https://" prefix.
> That may or may not bother you, depending on the scenario.

That is expected in this particular scenario; it's an automated data
collection system with no human interface.  The http port is also
non-standard.


>
>>
>> I understand that there are significant configuration changes needed
>> for HTTPS, and will be back if I run into issues with it, but for now
>> I'm only asking about the TCP ports.
>>
>> Thanks!
>> Dave


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Shutdown port on Windows Service installation

Jeffrey Janner
In reply to this post by David Kerber
> -----Original Message-----
> From: David kerber [mailto:[hidden email]]
> Sent: Tuesday, March 04, 2014 8:17 AM
> To: Tomcat Users List
> Subject: Shutdown port on Windows Service installation
>
> I am running several instances of TC 7 as services on a Windows Server
> 2008 R2.  Each instance has its own set of ports, and I have both the
> data port and shutdown ports configured in server.xml.  They are
> currently running only HTTP.
>
> My questions:
>
> 1.  Does the shutdown port serve any purpose on a windows service
> installation?  I thought I had read that it did not, but some searching
> didn't turn up a definitive answer.
>
The shutdown port is not needed for a Windows service, but it is usable if configured.
In other words, assuming the default configuration, if someone were to send "SHUTDOWN" to the localhost port 8005, then Tomcat would shutdown.
I couldn't tell from the documentation (http://tomcat.apache.org/tomcat-7.0-doc/config/server.html), but I seem to recall that the "port" attribute is required on the <Server> tag.  For all my Windows installations, I just set it to -1 and let the Commons Daemon implementation (tomcat.exe) take care of the shutdown task.  
FYI: Tomcat implements the Java Daemon API, which is the mechanism that the Apache Commons Daemon (http://commons.apache.org/proper/commons-daemon/) executables use to communicate with the Tomcat. The ACD is a C program that loads the JVM and tells it to run the Tomcat bootstrap. Then it just listens for system signals.  There is a Windows version (procrun) and a Unix/Linux version (jsvc).  This is a separate utility that you can use if you have standalone Java programs you need to run as a service.
BTW: The JVM exits when Tomcat issues a System.exit() call.

> 2.  I may need to start using HTTPS for my data transfer for at least
> one of the instances.  If that instance is going to allow only HTTPS
> (and not HTTP), can I just make the current HTTP port into HTTPS?  Or
> do I need to configure an additional port?  If I need an additional
> port, and the shutdown port isn't needed, I could just turn the
> shutdown port into the HTTPS port, right?
>
You don't mention your setup, but I would use the standard HTTPS port of 443 and actually provide both the HTTP and HTTPS connectors, then configure the application to force HTTPS where necessary via the web.xml directives.
But then again, it depends on your implementation.

> I understand that there are significant configuration changes needed
> for HTTPS, and will be back if I run into issues with it, but for now
> I'm only asking about the TCP ports.
>
> Thanks!
> Dave

Be careful of whether you are also running with the native/APR library.  The SSL configuration requirements are different if doing so.  It is all well documented in the Tomcat documentation.
Jeff


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Shutdown port on Windows Service installation

David Kerber
On 3/4/2014 12:04 PM, Jeffrey Janner wrote:

>> -----Original Message-----
>> From: David kerber [mailto:[hidden email]]
>> Sent: Tuesday, March 04, 2014 8:17 AM
>> To: Tomcat Users List
>> Subject: Shutdown port on Windows Service installation
>>
>> I am running several instances of TC 7 as services on a Windows Server
>> 2008 R2.  Each instance has its own set of ports, and I have both the
>> data port and shutdown ports configured in server.xml.  They are
>> currently running only HTTP.
>>
>> My questions:
>>
>> 1.  Does the shutdown port serve any purpose on a windows service
>> installation?  I thought I had read that it did not, but some searching
>> didn't turn up a definitive answer.
>>
> The shutdown port is not needed for a Windows service, but it is usable if configured.
> In other words, assuming the default configuration, if someone were to send "SHUTDOWN" to the localhost port 8005, then Tomcat would shutdown.

Ok, I think I'll disable that.  We always use the service controls.



> I couldn't tell from the documentation (http://tomcat.apache.org/tomcat-7.0-doc/config/server.html), but I seem to recall that the "port" attribute is required on the <Server> tag.  For all my Windows installations, I just set it to -1 and let the Commons Daemon implementation (tomcat.exe) take care of the shutdown task.
> FYI: Tomcat implements the Java Daemon API, which is the mechanism that the Apache Commons Daemon (http://commons.apache.org/proper/commons-daemon/) executables use to communicate with the Tomcat. The ACD is a C program that loads the JVM and tells it to run the Tomcat bootstrap. Then it just listens for system signals.  There is a Windows version (procrun) and a Unix/Linux version (jsvc).  This is a separate utility that you can use if you have standalone Java programs you need to run as a service.
> BTW: The JVM exits when Tomcat issues a System.exit() call.

So -1 disables the shutdown port, right?


>
>> 2.  I may need to start using HTTPS for my data transfer for at least
>> one of the instances.  If that instance is going to allow only HTTPS
>> (and not HTTP), can I just make the current HTTP port into HTTPS?  Or
>> do I need to configure an additional port?  If I need an additional
>> port, and the shutdown port isn't needed, I could just turn the
>> shutdown port into the HTTPS port, right?
>>
> You don't mention your setup, but I would use the standard HTTPS port of 443 and actually provide both the HTTP and HTTPS connectors, then configure the application to force HTTPS where necessary via the web.xml directives.
> But then again, it depends on your implementation.

The ports are different for each TC instance, but I can give each
instance an extra port if needed.


>
>> I understand that there are significant configuration changes needed
>> for HTTPS, and will be back if I run into issues with it, but for now
>> I'm only asking about the TCP ports.
>>
>> Thanks!
>> Dave
>
> Be careful of whether you are also running with the native/APR library.  The SSL configuration requirements are different if doing so.  It is all well documented in the Tomcat documentation.


Thanks for the comments, Jeff.  I'll definitely be running the native
lib for performance reasons.  A couple  of the instances get around 4M
transactions per day, and we total well over 10M per day across all the
instances.  So I want to keep the load as small as I reasonably can.



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Shutdown port on Windows Service installation

Christopher Schultz-2
In reply to this post by David Kerber
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

David,

On 3/4/14, 10:47 AM, David kerber wrote:

> On 3/4/2014 10:34 AM, André Warnier wrote:
>> David kerber wrote:
>>> I am running several instances of TC 7 as services on a Windows
>>> Server 2008 R2.  Each instance has its own set of ports, and I
>>> have both the data port and shutdown ports configured in
>>> server.xml.  They are currently running only HTTP.
>>>
>>> My questions:
>>>
>>> 1.  Does the shutdown port serve any purpose on a windows
>>> service installation?  I thought I had read that it did not,
>>> but some searching didn't turn up a definitive answer.
>>
>> I don't really know either, but just for the fun of it, let's
>> proceed by logical induction.
>>
>> In a Windows Service scenario, the JVM that runs Tomcat, itself
>> runs under a "wrapper" (tomcatX.exe).  That wrapper is a generic
>> program for Java processes, and has no particular knowledge of
>> Tomcat.  But it is that wrapper which would get the Windows
>> message "Stop Service", and would have to forward this to the JVM
>> in some way, to ask the JVM itself to exit. The JVM has no
>> specific knowledge of Tomcat either, nor of its shutdown port and
>> what it is there for.  So if the JVM must stop Tomcat before
>> stopping itself, it must be doing it via another way. My guess
>> would thus be that Tomcat inserts some "callback hook" in the
>> JVM, so that it is notified when the JVM has been asked to stop
>> itself.
>
> Shutdown hook, maybe?  I just used my first one yesterday in a
> cmd-line java app...
>
>
>> And when this callback is called by the JVM, Tomcat initiates its
>> own shutdown.  And when this callback returns, the JVM proceeds
>> to shut itself down (or Tomcat just does a system.exit()).  And
>> when that is done, the wrapper knows and can tell Windows that
>> the Service is shut down, and then exit itself.
>
> That was my reasoning as well, but I'm not as well-versed in this
> stuff as I would like to be.
>
>
>>
>> Conclusion : no, the Tomcat shutdown port is not used when
>> running as a Windows Service.
>>
>> Now the question is : if you do not specify a shutdown port, does
>> Tomcat nevertheless set one up by default ?
>
> That's what I was hoping Mark, Chuck or one of the other
> committers could answer definitively.

If you use "-1" as the shutdown port, it will be entirely disabled.
Come on, guys.. that's right in the documentation ;)

>>> 2.  I may need to start using HTTPS for my data transfer for at
>>> least one of the instances.  If that instance is going to allow
>>> only HTTPS (and not HTTP), can I just make the current HTTP
>>> port into HTTPS?
>>
>> I cannot think of why not. You can comment out the HTTP
>> Connector, and just leave the HTTPS Connector (and change its
>> port).
>
> That's what I thought.

There's nothing magical about port numbers: you can use them for
whatever you want. Most people expect HTTP to be available on 80 and
HTTPS to be available on 443. But if you have a reverse proxy
somewhere that uses those standard ports, you can use 1234 for HTTP
and 559 for HTTPS or whatever. Or 16234. Your choice.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTFiTHAAoJEBzwKT+lPKRYA/YP/i6Gn01NPI2+hKp6Q81Cc/80
jC/mLqEtLKPsb8d2bo79JFx4iV3zX0JJNGzOToISZisHxAvg+iZmIb1WLeVN4bK/
x56UT21ZahXnQt3tcpgxuLDySxH7Kn9qM3MSpdJrkTki8ukZIbbkiOadM55ieekS
uMu30qc2ivEZ4Iodd1Yyxg7Y+uzebsXlWYlnr8eno4Ph/v1Cf8z+nZTGXdjWF7f8
xMO55s/W4n1vpNRzLAv8mk1lJ5ThZwMjuQg2GyBEJK4gaWzxyQ4QrbWsAx1juKt5
zcNI9DQJMJQGOXNLB6MdiD5kXOhgGOU1j1WTFcAm/+v83gNukQYQv/X5m5Cwp6VW
X8Vzgv4BTlCPAxsd1YgsXCUrFm696pU5zSA3wWyTkvzfxJpVBfOyesQ2P+5aV7kk
+jxShzcbaK6yXISwPr7PWyo9oSxLmMbnNpGZAXsAm7wOHQUZnNygNOFBsaxDQvs/
bgI8Dz/4a8duwTyb9hiNn3Xr/KPh5359nMX8sfKX7vm1IjkKuLDeFYbp1EB0jnw2
KOS54lGNxdMJ62q9hzdBoztPDJnjcOnovheudHMX3blYla6ouRAueb3QrLopF1NT
SJ0fC2rEhohmSO8yROcXdkv0PVTWljWrSUKCXJ5Cj0SGqhj9YlYCKnXQ/qjTy0CX
C6MtQ2ltCH7uZDMjl23b
=3gTs
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Shutdown port on Windows Service installation

David Kerber
On 3/4/2014 2:08 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> David,
>
> On 3/4/14, 10:47 AM, David kerber wrote:
>> On 3/4/2014 10:34 AM, André Warnier wrote:
>>> David kerber wrote:

...

>> That's what I was hoping Mark, Chuck or one of the other
>> committers could answer definitively.
>
> If you use "-1" as the shutdown port, it will be entirely disabled.
> Come on, guys.. that's right in the documentation ;)

I think I knew that somewhere in the back of my head.  My original
question was whether or not it was safe to do so in a Windows service
installation, or if the service shutdown might use it.  That has been
answered.



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Shutdown port on Windows Service installation

Jeffrey Janner
In reply to this post by David Kerber
> -----Original Message-----
> From: David kerber [mailto:[hidden email]]
> Sent: Tuesday, March 04, 2014 11:32 AM
> To: Tomcat Users List
> Subject: Re: Shutdown port on Windows Service installation
>
> On 3/4/2014 12:04 PM, Jeffrey Janner wrote:
> >> -----Original Message-----
> >> From: David kerber [mailto:[hidden email]]
> >> Sent: Tuesday, March 04, 2014 8:17 AM
> >> To: Tomcat Users List
> >> Subject: Shutdown port on Windows Service installation
> >>
> >> I am running several instances of TC 7 as services on a Windows
> >> Server
> >> 2008 R2.  Each instance has its own set of ports, and I have both
> the
> >> data port and shutdown ports configured in server.xml.  They are
> >> currently running only HTTP.
> >>
> >> My questions:
> >>
> >> 1.  Does the shutdown port serve any purpose on a windows service
> >> installation?  I thought I had read that it did not, but some
> >> searching didn't turn up a definitive answer.
> >>
> > The shutdown port is not needed for a Windows service, but it is
> usable if configured.
> > In other words, assuming the default configuration, if someone were
> to send "SHUTDOWN" to the localhost port 8005, then Tomcat would
> shutdown.
>
> Ok, I think I'll disable that.  We always use the service controls.
>
>
>
> > I couldn't tell from the documentation
> (http://tomcat.apache.org/tomcat-7.0-doc/config/server.html), but I
> seem to recall that the "port" attribute is required on the <Server>
> tag.  For all my Windows installations, I just set it to -1 and let the
> Commons Daemon implementation (tomcat.exe) take care of the shutdown
> task.
> > FYI: Tomcat implements the Java Daemon API, which is the mechanism
> that the Apache Commons Daemon
> (http://commons.apache.org/proper/commons-daemon/) executables use to
> communicate with the Tomcat. The ACD is a C program that loads the JVM
> and tells it to run the Tomcat bootstrap. Then it just listens for
> system signals.  There is a Windows version (procrun) and a Unix/Linux
> version (jsvc).  This is a separate utility that you can use if you
> have standalone Java programs you need to run as a service.
> > BTW: The JVM exits when Tomcat issues a System.exit() call.
>
> So -1 disables the shutdown port, right?
>
Correct!

>
> >
> >> 2.  I may need to start using HTTPS for my data transfer for at
> least
> >> one of the instances.  If that instance is going to allow only HTTPS
> >> (and not HTTP), can I just make the current HTTP port into HTTPS?
> Or
> >> do I need to configure an additional port?  If I need an additional
> >> port, and the shutdown port isn't needed, I could just turn the
> >> shutdown port into the HTTPS port, right?
> >>
> > You don't mention your setup, but I would use the standard HTTPS port
> of 443 and actually provide both the HTTP and HTTPS connectors, then
> configure the application to force HTTPS where necessary via the
> web.xml directives.
> > But then again, it depends on your implementation.
>
> The ports are different for each TC instance, but I can give each
> instance an extra port if needed.
>
>
> >
> >> I understand that there are significant configuration changes needed
> >> for HTTPS, and will be back if I run into issues with it, but for
> now
> >> I'm only asking about the TCP ports.
> >>
> >> Thanks!
> >> Dave
> >
> > Be careful of whether you are also running with the native/APR
> library.  The SSL configuration requirements are different if doing so.
> It is all well documented in the Tomcat documentation.
>
>
> Thanks for the comments, Jeff.  I'll definitely be running the native
> lib for performance reasons.  A couple  of the instances get around 4M
> transactions per day, and we total well over 10M per day across all the
> instances.  So I want to keep the load as small as I reasonably can.
>
When it comes time to issue the signed certificate from whatever CA you decide to use, be careful which version you pick.  Some will offer a choice of "Tomcat", but that will get you a certificate useful for the native-Java SSL implementation.  You will want to be sure to pick the "Apache" offering.
Jeff


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]