Re: Starting up Tomcat 8
On 17.03.2020 19:52, Maxfield, Rebecca A wrote:
> Hello,
>
> I manage a project that currently runs on Tomcat 7 but is migrating to a new server where Tomcat 8 was installed by the server admin. When I navigate to the /var/lib/tomcat8 folder, I don’t see a ./bin folder or any startup.sh or similar. Is this something that has changed from Tomcat 7 to Tomcat 8, or does this imply that it was not installed completely/correctly?

What is the platform (OS) of the new server ? (and the old one)
Maybe it was installed using a package provided by the platform, in (eminently variable) other directories.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [External] Re: Starting up Tomcat 8
On 17.03.2020 21:18, Maxfield, Rebecca A wrote:
> Both are Linux. The new is Debian, the old ??

On a Debian Linux system, tomcat 8 installed via the standard Debian package manager results in some files appearing in the following directories (and maybe others)
- /etc/tomcat8
- /usr/share/tomcat8
- /var/lib/tomcat8
- /var/log/tomcat8
- .. ?

Some of the entries in these directories are links pointing somewhere else. It is sometimes a bit difficult to follow. But it works, and it allows tomcat to be managed using the Debian usual commands for starting/stopping services, install updates etc..

Use this command to see a full list of the directories/files used :

dpkg --listfiles tomcat8

(Note : this gives a list of directories/files initially created or installed by the standard Debian tomcat8 package. But it does not include anything created/installed later on maybe to "customise" tomcat8 on that machine).
Re: [External] Re: Starting up Tomcat 8
On 17.03.2020 21:43, Maxfield, Rebecca A wrote:
> Ah, some problems are arising because, I suppose, the startup process wants to create or touch something in ../logs and that's now all the way over in /var/lib/tomcat8. How do I move on from here?

Try (as root) :

service tomcat8 start

(or restart or stop ..)

As mentioned before, the Debian package is assembled in such a way that it will function in the same way as other "services" in the Debian environment, log in the same general place etc..
The above command in fact runs the shell script at /etc/init.d/tomcat8. This script sets a number of variables before calling tomcat's startup.sh, changes to the appropriate directory etc..

If you want a tomcat8 which is installed in a single directory, and which reacts in the "canonical" way as explained on the tomcat website, then you would have to de-install the Debian tomcat8 package, and install tomcat8 as per the tomcat website.
But that's probably, in your case, more work than necessary.
You just want to run some tomcat applications (webapps), right ?

> On 3/17/20, 4:40 PM, "Maxfield, Rebecca A" wrote:
>
> I see it now in /usr/share/tomcat8/bin, thank you! Can I just run startup.sh from there or is that not right?
Re: AW: AJP Connector issue
On 20.03.2020 08:23, Fritze, Florian wrote:
> Hello Chris,
>
> thanks for the reply. Maybe I am doing something wrong, but setting secretRequired="false" does not solve my issue.
> Let me show you what I did and experience:
>
> I added to the Tomcat configuration and the ajp connector on the Apache HTTPD side connects to 8011.
> When I now visit my website I got
> HTTP Status 403 – Forbidden

And just to make diagnosis a bit quicker : does that 403 error page look like an Apache httpd page, or a tomcat page ? (they look quite different in style).
Also, can you check both the httpd logs, and the tomcat logs for that request, and check what they say ? (compare by timestamp and URI)
Also, under what OS does your front-end httpd run ?

> I attached also the error page as a screenshot to this mail. This behaviour exists only since the Ghostcat fix release (I know that this has nothing to do with security fix but probably with the release itself).
>
> Thanks in advance
> Florian
>
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Phone +49 711 970-2713
> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>
> -----Original Message-----
> From: Christopher Schultz
> Sent: Thursday, 19 March 2020 20:14
> To: users@tomcat.apache.org
> Subject: Re: AJP Connector issue
>
> Florian,
>
> On 3/19/20 07:43, Fritze, Florian wrote:
> > since the Tomcat release with the Ghostcat security fix (Tomcat 8.5.51) me as an admin have the problem using the https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to connect the Apache HTTPD with the Tomcat running on localhost. The attribute secretRequired must be set to „true“ or „false“ with „false“ set the connection is not possible between Tomcat and Apache HTTPD.
>
> When you have set secretRequired="false", it's not possible to connect? When you try to connect, what DOES happen?
>
> > With „true“ the Apache development is not ready in the current version to work with the „secret“ attribute. Only the next version of Apache 2.4 supports this attribute.
>
> Correct. Support for secret= in mod_proxy_ajp was evidently never really a priority for anybody until now.
>
> > So I want to use the newest Tomcat version and an AJP connector but after the Ghostcat fix release there is this attribute which does not work in my configuration. Are there any suggestions or solutions available that you can deliver me (links or documentation, etc.)
>
> secretRequired="false" should be all you need.
>
> Of course, to be truly secure, you need to make sure that not just anybody can make requests through your AJP interface. Have you secured that interface from potential evildoers?
>
> -chris
Re: AW: AW: AJP Connector issue
Ok, so it looks like :
- the request is effectively reaching tomcat, and that it is tomcat sending back the 403 response.
- the URL is "/", so presumably it is "well-formed" etc.

Furthermore, according to something you wrote below, both Apache httpd and tomcat are running on the same Linux host.

This reminds me vaguely of some issue previously (and recently) discussed on the list, with some request attributes which tomcat did not like.. But I do not remember precisely what the issue was, and it also seems to me that this concerned an IIS front-end, not Apache httpd.
Perhaps someone else on the list has a better idea.

Incidentally, it also seems that you are, in httpd, proxying *all* requests to tomcat. Which raises the question of why you have a httpd front-end in the first place.
(But that's a later discussion maybe, let's first see why "/" doesn't work)

On 20.03.2020 11:07, Fritze, Florian wrote:
> Here is the additional information:
>
> The error page looks like Tomcat:
>
> HTTP Status 403 – Forbidden
> _
> Type Status Report
> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.
> _
> Apache Tomcat/8.5.53
>
> The Apache HTTPD log file says:
>
> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "https://dev-fordatis.fraunhofer.de/; "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>
> The Tomcat says:
>
> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
>
> The server on which all is running is:
> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>
> There is no new entry in the Apache HTTPD error.log concerning these requests.
>
> Help is appreciated
> Florian Fritze
>
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Phone +49 711 970-2713
> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
Re: AW: AW: AW: AJP Connector issue
Hi Florian.

The log below shows clearly "The AJP Connector is configured with secretRequired="true"".
This probably comes from the fact that in your AJP Connector configuration, you either
- have an explicit secretRequired="true" attribute
or
- you do not mention this attribute, and it defaults to "true"

To get the previous behaviour (without secret), you now *must* specify : secretRequired="false".

This is one of the changes in the latest tomcat versions compared to the previous one, and this was motivated by security reasons. So I doubt that there is any chance for that change to be reversed.

On 20.03.2020 13:49, Fritze, Florian wrote:
> Just to make it clear what from my opinion the problem is:
>
> SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
>   org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>   Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>     at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>     ... 12 more
>
> This new "secretRequired" attribute prevents the Tomcat from starting flawlessly. It was first introduced with the Ghostcat release.
> So this is a wish from me to the Tomcat developers: Please set this new attribute not mandatory but optional. So that I can run the newest Tomcat without this attribute which I do now with the pre-Ghostcat releases.
>
> Have a nice weekend
> Florian Fritze
>
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Phone +49 711 970-2713
> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
GhostCat patch
Hello tomcat developers.

Re : current : https://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations

quote

secretRequired

If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. This attribute only controls whether the secret attribute is required to be specified for the AJP Connector to start. It does not control whether workers are required to provide the secret. The default value is true. This attribute should only be set to false when the Connector is used on a trusted network.

unquote

The above new feature/default has been creating a lot of issues, particularly for sysadmins, who upgrade to what looks like a minor version level, and find their front-end/back-end configurations not working anymore. (Because previously, they did not specify this attribute at all, which defaulted to "false").
In many cases, this will happen even though the front-end httpd (or IIS) and the back-end (tomcat) are in fact running on the same host (*), and thus using the loopback interface to communicate (which also fits well with the new default for "address", which is the loopback address).

To avoid such surprises for sysadmins, how about the following suggested change, to the documentation and to the underlying code :

quote

secretRequired

If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. This attribute only controls whether the secret attribute is required to be specified for the AJP Connector to start. It does not control whether workers are required to provide the secret. This attribute should only be set to false when the Connector is used on a trusted network.
In consequence and as a hint :
The *default* of this attribute is "false", when the "address" attribute is explicitly set to "127.0.0.1" or "::1", or when it defaults to the loopback address.
The *default* of this attribute is "true", when the "address" attribute is set to any other IP address.

unquote

The point is to make sure that existing configurations, which often concern a front-end and a back-end running on the same host, and which often do not contain an explicit "secretRequired" AJP Connector attribute, would default to working as they did before, but *only if* the connection is deemed secure anyway, because it is local.
I believe that this alone would already greatly reduce the "stress" caused by this security-related configuration change.

(*) I currently manage about 30 Apache httpd / tomcat combinations, and in all of them but one, they are on the same host. And from a historical perspective, I believe that is true for the majority of httpd/tomcat installations except large load-balancing configurations.
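The start-up rule discussed in this thread (a missing secretRequired counts as "true", and the connector then refuses to start without a secret) and the loopback-dependent default proposed in the message above, modelled side by side as an added example; it is not part of the original mails and is not Tomcat's own code. The server.xml sample, the function names and the result labels are constructed for illustration, and boolean parsing is simplified to a case-insensitive "true".

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from any server in the thread.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8012" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="false" />
    <Connector port="8013" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" />
    <Connector port="8014" protocol="AJP/1.3" address="192.0.2.10"
               secret="constructed-placeholder" />
  </Service>
</Server>
"""


def is_loopback(address):
    """True when the connector listens on the loopback interface only."""
    if address is None:
        # Per the thread: the new default for "address" is the loopback address.
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        # A host name instead of an IP literal; only "localhost" is trusted here.
        return address.lower() == "localhost"


def shipped_default(address):
    """Documented behaviour quoted in the thread: secretRequired defaults to true."""
    return True


def proposed_default(address):
    """Default suggested in the message above: false on loopback, true otherwise."""
    return not is_loopback(address)


def classify(attrs, default_rule=shipped_default):
    """Classify one AJP <Connector> by its secretRequired/secret/address attributes."""
    address = attrs.get("address")
    secret = attrs.get("secret") or ""
    raw = attrs.get("secretRequired")
    if raw is None:
        required = default_rule(address)
    else:
        required = raw.strip().lower() == "true"  # simplified boolean parsing

    if required and not secret:
        # The combination reported in the stack trace: connector will not start.
        return "START_FAILURE"
    if secret:
        return "SECRET_SET"
    # No secret and none required: acceptable only on a trusted (local) interface.
    return "LOOPBACK_NO_SECRET" if is_loopback(address) else "EXPOSED_NO_SECRET"


def audit(server_xml, default_rule=shipped_default):
    """Return {port: classification} for every AJP connector in a server.xml text."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope
        results[conn.get("port")] = classify(conn.attrib, default_rule)
    return results


if __name__ == "__main__":
    for label, rule in (("shipped", shipped_default), ("proposed", proposed_default)):
        for port, verdict in audit(SAMPLE_SERVER_XML, rule).items():
            print(f"{label:8} default  port {port}: {verdict}")
```

Under the shipped default the connector on port 8011 is the one that fails to start; under the proposed default it starts without a secret because it is bound to loopback, while the connector on 0.0.0.0 stays flagged either way.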
Re: Tomcat Handling close_waits
Hi.

On 17.08.2020 02:51, Norbert Elbanbuena wrote:
> Hi Paul,
>
> Yes these are some samples, I have about 300 of them getting stuck hourly
>
> tcp    761      0 192.168.1.50:58870  74.112.28.109:8011    CLOSE_WAIT
> tcp      0      0 192.168.1.50:56938  192.168.1.50:61616    CLOSE_WAIT
> tcp      0      0 192.168.1.50:56924  192.168.1.50:61616    CLOSE_WAIT
> tcp      0      0 192.168.1.50:56910  192.168.1.50:61616    CLOSE_WAIT
> tcp      0      0 192.168.1.50:56912  192.168.1.50:61616    CLOSE_WAIT
> tcp6     0   6240 192.168.1.50:443    52.11.72.45:47123     CLOSE_WAIT
> tcp6    32      0 192.168.1.50:443    34.209.104.242:13402  CLOSE_WAIT
> tcp6   268      0 192.168.1.50:443    108.162.244.28:40864  CLOSE_WAIT
> tcp6    32      0 192.168.1.50:443    35.167.185.49:10019   CLOSE_WAIT
> tcp6    32      0 192.168.1.50:443    52.24.48.141:60660    CLOSE_WAIT
> tcp6   202      0 192.168.1.50:443    199.189.191.86:51716  CLOSE_WAIT
> tcp6   202      0 192.168.1.50:443    199.189.191.86:1386   CLOSE_WAIT

Try forcing a Java Garbage Collection in Tomcat, and check if these CLOSE_WAIT sockets are still there after that.
If they are gone, you probably have a server application which leaves these sockets "dangling" and does not properly close them.

Other people on this list may be able to provide a simpler way to trigger a GC, but I used a script with "jmxsh", like this :

# gc_tomcat.jmxsh
# force the target JVM to do a GC, from the jmxsh shell
# invoke as :
# java -jar jmxsh.jar gc_tomcat.jmxsh
#
# In the following command, replace the port number (-p)
# by the port which has been specified in the parameter :
# -Dcom.sun.management.jmxremote.port=x
# of the target Java JVM startup line
jmx_connect -h 127.0.0.1 -p (port) -U (userid) -P (password)
jmx_invoke -m java.lang:type=Memory gc
jmx_close

for jmxsh, see :
- https://github.com/davr/jmxsh
- http://isbyr.com/use-jmxsh-jmx-cli-tool-to-troubleshoot-remote-jmx-connection/

> Warm regards,
> Norbert
>
> -----Original Message-----
> From: Paul Carter-Brown
> Sent: Sunday, August 16, 2020 2:43 PM
> To: Tomcat Users List
> Subject: Re: Tomcat Handling close_waits
>
> Hi Norbert,
>
> The TCP socket states and timers are managed by the underlying OS and not by Tomcat. Can you paste a netstat -an result so I can see what you mean. Also, is the client using HTTP 1.1 with keep-alive or not? What kind of traffic is this?
>
> Paul
>
> On Sun, Aug 16, 2020 at 7:16 PM Norbert Elbanbuena wrote:
> > I also noticed that while server receives the connection requests, we are seeing multiple requests from the same sources. Some same source requests (FIN-WAIT) are all in state while other same sources requests are in other state (some in FIN-WAIT or close_wait and some Established).
> >
> > Why are we seeing multiple requests from the same source at the same time? Doesn't each socket request exhaust a thread on the application?
> >
> > Warm regards,
> > Norbert Elbanbuena
> >
> > -----Original Message-----
> > From: Norbert Elbanbuena
> > Sent: Sunday, August 16, 2020 11:35 AM
> > To: Tomcat Users List
> > Subject: Tomcat Handling close_waits
> >
> > Hi,
> >
> > We are experiencing a flood of close_waits in our server. Interestingly, all of the sessions stuck in close_waits are sourced from Amazon IP addresses. Our second server running the same setup (hardware spec, OS version, Tomcat version, etc.) and had almost the same session count and our application and Tomcat didn't go unresponsive.
> >
> > Is there any tuneable parameter for the APR connector for Tomcat to close the stuck sessions, rather than waiting for the application?
> >
> > Warm regards,
> > Norbert Elbanbuena
Re: HTTP2: memory filled up fast on increasing the connections to 1000/2000 (Embedded tomcat 9.0.38)
On 30.09.2020 07:42, Arshiya Shariff wrote:
> Hi Martin,
>
> Thank you for the response.
>
> With a payload of 200 bytes we were able to send 20K requests/sec with 200 users from Jmeter without any memory issue. On increasing the payload to 5Kb and the number of users to 1000 in Jmeter and sending 1000 requests per second, the heap of 20GB got filled in 2 minutes.

How long does it typically take (at the beginning of the test) for tomcat to *process* one of these requests ?

> With 200 users the memory is cleared in the G1 mixed GC itself, but with 1000 users the memory is not cleared in the mixed GC, it takes full GCs of 7 to 10 seconds to clear the memory. These cases were executed with maxThreads 200 in tomcat, so we tried increasing the maxThreads from 200 to 1000, but still GC was struggling.
>
> When we tried with 10 instances of JMeter, each with 100 users, where each instance was started with a delay of 1 minute we were able to see 1000 connections created in tomcat without any memory issues. But when 1000 users are created using single instance of JMeter in 20 seconds, tomcat's memory is filling fast - 20GB in 2 minutes.
>
> We suspect that the burst of connections being opened has a problem. Please help us with the same.
>
> On analyzing the heap dump we see org.apache.tomcat.util.collections.SynchronizedStack occupying around 93% of 3GB live data, the remaining 17GB is Garbage collected in the heap dump.
>
> Thanks and Regards
> Arshiya Shariff
>
> -----Original Message-----
> From: Martin Grigorov
> Sent: Monday, September 28, 2020 11:44 PM
> To: Tomcat Users List
> Subject: Re: HTTP2: memory filled up fast on increasing the connections to 1000/2000 (Embedded tomcat 9.0.38)
>
> Hi Arshiya,
>
> On Mon, Sep 28, 2020 at 7:59 PM Arshiya Shariff wrote:
> > Hi All,
> >
> > With 200 threads(users), ramp up duration of 2 seconds, loop count 80 and by sending 1000 http2 requests/sec from JMeter Client to an embedded tomcat application we did not observe any memory issue, but on sending 1000 http2 requests/sec with 2000 or 1000 users from JMeter, the application's heap space of 20 GB is occupied in 2 minutes and after 2 full GCs the memory clears and comes down to 4GB (expected).
>
> I am not sure whether you follow the other discussions at users@. In another email thread we discuss load testing Tomcat HTTP2 and we are able to make around 12K reqs/s with another load testing tool - https://github.com/tsenart/vegeta
> For me JMeter itself failed with OOM when increasing the number of the virtual users above 2K.
> There are several improvements in Tomcat master and 9.0.x in the HTTP2 area. Some of the changes are not yet downported to 9.0.x. We still test them, trying to avoid introducing regressions in 9.0.x.
>
> > Embedded tomcat Version:9.0.38
> > Max Threads : 200
>
> The number of threads should be less if you do only CPU calculations without IO/network. If your app blocks on IO/network calls then you need more spare threads. With more threads there will be more context switches and less throughput. That's why there is no one golden rule that applies to all applications. 200 is a good default that works for most of the applications. But you need to test with different values to see which one gives the best performance for your scenario.
>
> > All other properties are the tomcat defaults.
> >
> > Why is tomcat not able to process many connections ?
>
> You can tell us by enabling -XX:+HeapDumpOnOutOfMemoryError and -XX:HeapDumpPath=. Once you have the .hprof file you can examine it with Eclipse Memory Analyzer tool and see what is leaking.
> I will try to reproduce this issue tomorrow with Vegeta.
>
> > Why is the memory filled when the connections are increased, are there any parameters to tune connections ?
> > Please let us know.
> >
> > Thanks and Regards
> > Arshiya Shariff
Re: Exit code 6 on shutting down Tomcat service
Hi.

On 30.09.2020 14:40, Jakub Moravec wrote:
> Hello Tomcat team,
>
> we are having an issue that we were not able to resolve ourselves or using the existing documentation, so I'd like to ask you for help.
>
> Description:
> During Tomcat service shutdown (using command /bin/tomcat9.exe //SS//), we sometimes receive exit code 6.

You may want to have a look at these :
- https://cwiki.apache.org/confluence/display/TOMCAT/Windows#Windows-Q11
- http://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html

These pages do not explain why you get an exit code 6 from tomcat9.exe. But they explain what tomcat9.exe actually is, which may help for what follows (*)

The documentation page http://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html, at the end, lists some additional tomcat9.exe command-line parameters (the ones starting with "--Log") which may enable you to find out more details about the internal error that triggers this exit code. (e.g : --LogLevel "Debug")(and where to find that logfile)

The mailing list archives, at https://markmail.org/list/org.apache.commons.users/ may also help finding the reason (in the search box, enter "daemon", or "daemon exit")

(*) the tomcat9.exe program is actually a renamed copy of the Apache Commons Daemon "prunsrv" program, which the tomcat team adds to the tomcat-for-Windows package, to facilitate installing and running tomcat as a Windows service.

> It happens non-deterministically (or at least we don't know the exact circumstances under which the error code is returned).
>
> We were not able to find any information about this exit code or any suggestions for fixes in the documentation.
>
> Environment:
> Tomcat: 9.0.33
> OS: Windows 2016, Version: 10.0, Flavor: Data Center
>
> Thank you for your assistance!
>
> Jakub Moravec
> jakub.mora...@getmanta.com
Re: Tomcat 9.0.36 - JDK 13/14
On 02.07.2020 10:23, Utkarsh Bhargav wrote:
> Please I have resolved my issue
> Kindly stop sending mails

Hi.
You receive these emails because you subscribed to the email list "users@tomcat.apache.org". To not receive these emails anymore, you should unsubscribe from the list, by sending an email (from the same email address which you used to subscribe), *as indicated at the end of every email that you receive from the list*. (including this one)

[...]

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
NullPointerException on startup - possible bug in Tomcat
I have a web application which is failing in RestEasy initialization with an NPE. It worked for many years until I added a large number of jar dependencies because of a new development effort. I've debugged the code by stepping through the Tomcat source to the point I've found where it is failing. It seems to be a Tomcat bug but of course I'm not convinced since it is highly more likely it is my problem.

Tomcat version is 9.0.36, though the failure happens in the Tomcat 8 versions I've tried as well.

The NPE is triggered by a single "return null" statement in org.apache.catalina.core.ApplicationContext line 933. Below is a code snippet of where the return statement is. In my failing scenario the wrapper is NOT null and isOverridable is already returning false. So it falls through to return null.

So here is my question: Why in the world in the code below does the return null statement even exist? It seems like the return null at line 933 is the precondition the code is trying to establish.

    //code from 'org.apache.catalina.core.ApplicationContext'
    Wrapper wrapper = (Wrapper) context.findChild(servletName);

    // Assume a 'complete' ServletRegistration is one that has a class and
    // a name
    if (wrapper == null) {
        wrapper = context.createWrapper();
        wrapper.setName(servletName);
        context.addChild(wrapper);
    } else {
        if (wrapper.getName() != null && wrapper.getServletClass() != null) {
            if (wrapper.isOverridable()) {
                wrapper.setOverridable(false);
            } else {
                return null; // Line 933
            }
        }
    }
Re: NullPointerException on startup - possible bug in Tomcat
Problem resolved. Thank you.

On Wed, Jun 24, 2020, at 12:46 PM, Konstantin Kolinko wrote:
> Wed, 24 Jun 2020 at 19:25, :
> >
> > I have a web application which is failing in RestEasy initialization with
> > an NPE. It worked for many years until I added a large number of jar
> > dependencies because of a new development effort. I've debugged the code by
> > stepping through the Tomcat source to the point I've found where it is
> > failing. It seems to be a Tomcat bug but of course I'm not convinced since
> > it is highly more likely it is my problem.
> >
> > Tomcat version is 9.0.36, though the failure happens in the Tomcat 8
> > versions I've tried as well.
> >
> > The NPE is triggered by a single "return null" statement in
> > org.apache.catalina.core.ApplicationContext line 933. Below is a code
> > snippet of where the return statement is. In my failing scenario the
> > wrapper is NOT null and isOverridable is already returning false. So it
> > falls through to return null.
> >
> > So here is my question: Why in the world in the code below does the return
> > null statement even exist? It seems like the return null at line 933 is the
> > precondition the code is trying to establish.
>
> This method is documented in the specification of Servlet API (in
> their javadoc) to return null if such servlet has already been
> registered.
> See Java EE 8 javadoc
> https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#addServlet-java.lang.String-java.lang.Class-
>
> (Following the links from Specifications page
> https://cwiki.apache.org/confluence/display/TOMCAT/Specifications
>
> K.Kolinko
Re: Tomcat SSO valve implementation
On 16.12.2020 19:39, Kevin Oxley wrote:
> We are trying to support SSO SAML 2.0 for user authentication in Tomcat (9.0.22). Can anybody provide a reference to a pre-integrated SAML SSO valve implementation that you've had a good experience with?

Searching Google for "SAML SP for servlet engine" gives a few links, among them this one : https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink
I haven't tried it myself.

In my cases, I always use an Apache httpd front-end, which does the authentication prior to proxying to a back-end tomcat (with the Connector attribute ' tomcatAuthentication="false" '). In the front-end Apache2 httpd then, we use Shibboleth as the SAML SP side. That works perfectly.
Re: Tomcat server not considering Mime Type - Request urgent help!!
On 14.01.2021 22:55, Christopher Schultz wrote:
> Content-Disposition: attachment; filename="[filename]"; filename*=utf-8''[filename in UTF-8 encoding]

Hi Chris.
Do you have any reference for the above ? (the "utf8''" part is new to me)
Re: Tomcat server not considering Mime Type - Request urgent help!!
Hi again. Sorry for the noise. The page which you quoted (https://www.geeksforgeeks.org/http-headers-content-disposition/), itself contains a formal reference to RFC 5987 (https://tools.ietf.org/html/rfc5987), which formally defines the extended "filename*" header parameter below.

On 15.01.2021 11:48, André Warnier (tomcat/perl) wrote:
> On 14.01.2021 22:55, Christopher Schultz wrote:
> > Content-Disposition: attachment; filename="[filename]"; filename*=utf-8''[filename in UTF-8 encoding]
>
> Hi Chris.
> Do you have any reference for the above ? (the "utf8''" part is new to me)
Re: Archive or package install
Hi Onno,

On 18.06.21 07:07, Sugar Moose wrote:
> I am using Ansible role robertdebock.tomcat to install Tomcat. This role uses archives from the Tomcat site to install Tomcat. I have always thought that this is a fine approach but the customer has pointed out that a package install is preferred because it makes installing security updates easier. This customer uses Ubuntu 18.04 and the position of the InfraOps engineers is that installing Tomcat from the official Ubuntu repository is always preferred.

Installing Tomcat directly from the archives is easy and straightforward, in my opinion it should be perfectly fine using upstream as source (you should at least verify the download). Especially, if Tomcat plays a major role of the system (i.e. running some business critical applications), I would always stick to the version from Tomcat archives. You will end up with a more recent version of Tomcat, as it is actively developed, those versions will contain all security fixes (directly from the team and without possible backporting of security fixes). If you use CATALINA_HOME and CATALINA_BASE variables you can easily switch between different Tomcat versions, making it very easy to manage updates and possible necessary rollbacks.

I would only stick to the distro-provided packages, if it is a small (in other words not that important) application running in Tomcat. Just for reference: With Ubuntu 18.04, you would end up with 9.0.16 vs. 9.0.48 (Tomcat project) or 8.5.39 vs. 8.5.68 (Tomcat project), which is about 2 years old software. For any errors you might get on distro packages, first hint would most likely be to update to a recent Tomcat version. Even if security fixes are backported by the distro, you would end up with versions missing a lot of fixes and improvements.

> I don't know how exactly using apt packages makes life a lot easier when it comes to security updates.

I think it depends.

> If Ansible manages the version it looks more or less the same to me. The Ansible role would have a var for example tomcat_version and the value would determine what version is on the system. Updating Tomcat using Ansible would be the same process: update tomcat_version var and provision the node. When Ansible is not managing the version but is used for example only for the initial install using Ansible package module it becomes a bit of a puzzle to figure out how this would work. And also would have some drawbacks. Ansible is good at configuration management and orchestration for example. Apt not really.

Yes, Ansible is much more flexible for managing the configuration and deployment-parts. You will need something for that task, even if you use the distro-provided packages.

> What is the position / what are the thoughts on this in the Tomcat community? On the Tomcat website I could find no information on package install. I don't think a recommended installation approach is mentioned there.

In short: If your application in Tomcat is important, use the Tomcat archive up to date versions, if not distro packages might be sufficient. This might be challenging, if Tomcat is managed by the infrastructure team (from my experience, there is always a trend towards the distro packages, sometimes with the argument support by the distro). It might help, if managing the Tomcat can be done by the applications support/devops team (however, that might depend on the organisation constraints).

hth,
Thomas
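The download check mentioned in the reply above ("you should at least verify the download"), as an added example that is not part of the message or of the Ansible role: it fails closed on a malformed checksum file, a checksum file that names a different archive, or a digest mismatch. It assumes the `<128 hex> *<filename>` layout that `sha512sum` writes; the archive name and contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against a SHA-512 checksum file
# before unpacking it into CATALINA_HOME.
# Assumption: the checksum file has one line, "<128 hex> *<filename>".

# verify_archive ARCHIVE CHECKSUM_FILE
# Return codes: 0 match, 1 digest mismatch, 2 missing file,
#               3 malformed checksum file, 4 checksum is for another file.
verify_archive() {
    archive=$1
    sumfile=$2

    [ -f "$archive" ] && [ -f "$sumfile" ] || return 2

    # Exactly one non-empty line is expected; extra lines are rejected
    # rather than silently ignored.
    lines=$(awk 'NF { n++ } END { print n + 0 }' "$sumfile")
    [ "$lines" -eq 1 ] || return 3

    expected=$(awk 'NF { print tolower($1) }' "$sumfile")
    named=$(awk 'NF { sub(/^\*/, "", $2); print $2 }' "$sumfile")

    # The digest must be exactly 128 hex characters.
    case $expected in
        *[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 3

    # The checksum file must refer to the file that was downloaded.
    [ "$named" = "$(basename "$archive")" ] || return 4

    actual=$(sha512sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Demo on a constructed stand-in archive (not a real Tomcat release).
demo_verify() {
    tmp=$(mktemp -d) || return 1
    name=apache-tomcat-EXAMPLE.tar.gz
    printf 'constructed archive contents\n' > "$tmp/$name"
    (cd "$tmp" && sha512sum -b "$name" > "$name.sha512")

    good=0
    verify_archive "$tmp/$name" "$tmp/$name.sha512" || good=$?

    # Simulate a modified download: append bytes after the checksum was made.
    printf 'tampered' >> "$tmp/$name"
    bad=0
    verify_archive "$tmp/$name" "$tmp/$name.sha512" || bad=$?

    rm -rf "$tmp"
    echo "untouched=$good tampered=$bad"
}

demo_verify
```

A matching digest only shows the file is the one the checksum file describes; checking the release's PGP signature against the project's KEYS file is what ties it to the release managers.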
Re: Archive or package install
Hi Christopher,

On 18.06.21 20:54, Christopher Schultz wrote:
>> I would only stick to the distro-provided packages, if it is a small (in other words not that important) application running in Tomcat. Just for reference: With Ubuntu 18.04, you would end up with 9.0.16 vs. 9.0.48 (Tomcat project) or 8.5.39 vs. 8.5.68 (Tomcat project), which is about 2 years old software.
> The above statement is *very* misleading.
>
> To understand why it's misleading, you have to understand the Debian "way" of package-management. Ubuntu is Debian-derived and, although they have their own package repositories, etc., they do inherit from upstream and do make some changes on their own separate from upstream.

Thanks for picking that up, I was not clear enough by just referencing the security back ports in one sentence. It is right, that those distro packages get updates. My main point is, that due to the update policy of Ubuntu (and Debian as well), not all changes and updates will get into the distro packages. This might be an issue, especially if IT organisations stick to a specific distro's version for a long time. This is not an issue with the distro policy or updates (never wanted to blame anyone from the Debian or Ubuntu team for that), but with the update policies of the running org. I was focusing on *Ubuntu 18.04* (which was mentioned by Onno), for that change log [1] mentions Wed, 11 Sep 2019 as last update.

> All that junk at the end (-4~bpo9+1_all) indicates the various updates that have been applied after the original 9.0.16. If you read the changelog[1] for Buster, you'll see that it was last updated as recently as 2021-04-12 to apply fixes for CVE-2021-25122 and CVE-2021-25329 (thanks, Emmanuel!). In fact, in Buster, you are getting 9.0.31. I'll bet if you look at the Ubuntu changelog for your package, you'll find something similar.

You are right, if you manage your base system and keep it updated to recent version (not my experience though), this will be fine. However if you stick as long as possible to a distro's version (there is already a new Ubuntu LTS out for over a year, some time to update), you will have a gap to more recent Tomcat versions. Comparing Ubuntu 18.04 Tomcat versions to current Ubuntu or Debian versions, is not what was asked by Onno. My experience is that some organisations try to stay on a specific distro version as long as possible.

> If you are getting 9.0.16 from your Ubuntu repository, I think you may be getting "left behind" by something. The current Ubuntu package should actually be a base version of 9.0.43. Older versions of Ubuntu have older base Tomcat versions.

Again current vs. Ubuntu 18.04 is a different story. My apologies, I should have been clearer in my first post.

[1] https://changelogs.ubuntu.com/changelogs/pool/universe/t/tomcat9/tomcat9_9.0.16-3ubuntu0.18.04.1/changelog

regards,
Thomas
Re: apache-tomcat-8.5.59 too many open files on Linux 8
Sorry to top-post, but it's getting cluttered down there..

The next thing that you may want to do :

> netstat -p -a -6 --tcp

That is an alternative list of sockets, which also shows the "tcp state" of the sockets. To get only the ones of the tomcat JVM PID, filter with grep based on the last column. The type of thing you are looking for is the column which should show "LISTEN", or "ESTABLISHED" or "CLOSE_WAIT" etc..

The options above :
-p : show PID and program
-a : show all sockets states
-6 : only inet v6
--tcp : only TCP sockets

"netstat" may not be on your system by default, and you may need to install it. An alternative is "ss", but I don't know the options.

On 21.05.2021 02:14, Yeggy Javadi wrote:
> Hi,
> Yes; that is what I get and as you can see among 8028 open files, 7474 are for TCPv6 sockets:
>
> java 130244 root 7805u sock 0,9 0t0 12294251 protocol: TCPv6
>
> # ps -ef | grep tomcat
> root 130244 1 1 11:01 ? 00:06:20 /usr/local/jre/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -d64 -server -Xms1800m -Xmx8192m -XX:MaxMetaspaceSize=1800m -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/apache-tomcat/bin/bootstrap.jar:/usr/local/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/apache-tomcat -Dcatalina.home=/usr/local/apache-tomcat -Djava.io.tmpdir=/usr/local/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start
> root 132566 132492 0 20:10 pts/1 00:00:00 grep --color=auto tomcat
>
> # lsof -p 130244 | wc -l
> 8028
> # lsof -p 130244 | grep "protocol: TCPv6"| wc -l
> 7474
>
> Thanks
>
> -Original Message-
> From: André Warnier (tomcat/perl)
> Sent: Thursday, May 20, 2021 4:19 PM
> To: users@tomcat.apache.org
> Subject: Re: apache-tomcat-8.5.59 too many open files on Linux 8
>
> Hi.
> According to the list below, you have 2 java (JVM) processes running on your system. One (PID = 130244) is the JVM which runs tomcat. This is visible when you look at the whole command-line. The other (PID = 130516) runs ElasticSearch, which I believe is not relevant here. So you should run lsof with the "-p 130244" option, to show only the files opened by the tomcat JVM.
> To show the current Tomcat JVM PID, do e.g. : ps -ef | grep "apache-tomcat" (or anything else unique in that line)
>
> On 20.05.2021 21:00, Yeggy Javadi wrote:
> Hi Chris,
> Please indicate how to show lsof or netstat to *just the JVM* process. Below is the list of running processes on my server:
Re: apache-tomcat-8.5.59 too many open files on Linux 8
Hi.
According to the list below, you have 2 java (JVM) processes running on your system. One (PID = 130244) is the JVM which runs tomcat. This is visible when you look at the whole command-line. The other (PID = 130516) runs ElasticSearch, which I believe is not relevant here. So you should run lsof with the "-p 130244" option, to show only the files opened by the tomcat JVM.
To show the current Tomcat JVM PID, do e.g. : ps -ef | grep "apache-tomcat" (or anything else unique in that line)

On 20.05.2021 21:00, Yeggy Javadi wrote:
> Hi Chris,
> Please indicate how to show lsof or netstat to *just the JVM* process. Below is the list of running processes on my server:
Re: apache-tomcat-8.5.59 too many open files on Linux 8
Maybe I am missing something, but at first sight it looks like lsof, inside the container, can also not get more information about these "sock" things. I am running out of ideas. If you search in Google for precisely this : lsof "sock" and "protocol : TCP" there are a lot of links which discuss similar issues, and this over many years. (So it is not either a unique or a recent issue). They all seem to boil down to this : some *application* is opening sockets, but then not really using them (and not closing them). In your case, that probably means one of the webapps running under tomcat. It seems quite unlikely that this would be tomcat itself, because if that was the case, this tomcat users list would probably be swamped with requests such as yours; which it isn't. It is worth noting also, that among all these messages found in Google, I have not so far seen a single one which provides another explanation for those "sock" things. In your case, the problem is going to be in finding out *which* webapp does that, unless there are not many, and you can turn them off one-by-one selectively. (The difficulty is in part due to the fact that, to the OS, the whole of the JVM, tomcat and all the webapps look like one single process; and to lsof also). Maybe there is some type of logging available in tomcat, that would help finding out which application is creating sockets, and then never using or destroying them. But my personal competences do not run that far, so maybe someone else can help you here. 
On 26.05.2021 00:03, Yeggy Javadi wrote:
> Hi,
> Below is the nsenter output:
>
> # ps -ef | grep tomcat
> root 165217 1 1 10:22 ? 00:05:33 /usr/local/jre/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -d64 -server -Xms1800m -Xmx8192m -XX:MaxMetaspaceSize=1800m -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/apache-tomcat/bin/bootstrap.jar:/usr/local/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/apache-tomcat -Dcatalina.home=/usr/local/apache-tomcat -Djava.io.tmpdir=/usr/local/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start
> root 167329 167268 0 18:00 pts/1 00:00:00 grep --color=auto tomcat
>
> # nsenter -t 165217 --net lsof -n -p 165217 |less
Re: apache-tomcat-8.5.59 too many open files on Linux 8
Addendum : Maybe to debug this more efficiently, you could look at this issue from the opposite side :

Earlier in the thread of messages, you said this :
> 1. Did you upgrade anything recently (like Java VM)?
> [YJ] To support Linux 8, only Postgres was upgraded from version 9.3 to 9.6.

Maybe when you did this, you also changed the driver which tomcat is using to communicate with Postgresql. And maybe the problem lies in that driver. I mean that the driver is the piece of code which creates connections (using sockets) with Postgresql. And usually, that works and you have a number of ESTABLISHED connections (which are visible in the netstat output). But what if, occasionally, the connection doesn't work, and the driver is not very clean in handling this failing socket ?

Or maybe the issue is in the code which uses these connections ? Have a look at this : https://stackoverflow.com/questions/2225221/closing-database-connections-in-java/2225275#2225275
Re: apache-tomcat-8.5.59 too many open files on Linux 8
Hi. The point is to try to figure out what these thousands of apparently "TCPv6" sockets belonging to the tomcat process actually are, so that we can maybe begin to look at where they may be coming from. The trouble is, the lsof output so far did not really tell us what these "sock" things might be. But there may be a clue here : https://serverfault.com/questions/1000338/in-lsof-output-what-are-those-sock-lines (about when things run in a container). Is that your case ? And if so, could you run the lsof command in the container, as they suggest ? And the point of forcing a tomcat/JVM GC was this : When you restart tomcat (actually the JVM which runs tomcat), the OS will clean up *all* the file descriptors belonging to that process, including the "legitimate" ones shown by netstat, and the "unknown" ones shown in addition by lsof. Doing a GC, without stopping the JVM, would clean up *only* such sockets/fd that are held by objects which are discarded, but still sit on the heap awaiting a GC to really destroy them. If your heap is very large, it may otherwise take a long while before such a GC happens, and such sockets could accumulate. One way to trigger a GC is through JMX, but it takes a bit of additional setup to make that work. That's why I was asking if you had some method to do that. (see : https://code.google.com/archive/p/jmxsh/) But let's look at the lsof part first. On 24.05.2021 16:09, Yeggy Javadi wrote: Hi, I restarted tomcat so PID has changed to 143152; I do not know how to trigger tomcat GC, I just restart it to reset the lsof to 0. 
Please see outputs below: # ps -ef | grep tomcat root 143152 1 0 May22 ?00:26:44 /usr/local/jre/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -d64 -server -Xms1800m -Xmx8192m -XX:MaxMetaspaceSize=1800m -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/apache-tomcat/bin/bootstrap.jar:/usr/local/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/apache-tomcat -Dcatalina.home=/usr/local/apache-tomcat -Djava.io.tmpdir=/usr/local/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start root 153962 153912 0 10:00 pts/100:00:00 grep --color=auto tomcat # lsof -p 143152 | wc -l 41043 # lsof -p 143152 | grep "protocol: TCPv6"| wc -l 40487 # netstat -p -a -n --inet6 | grep 143152 tcp6 0 0 :::8443 :::*LISTEN 143152/java tcp6 0 0 :::443 :::*LISTEN 143152/java tcp6 0 0 127.0.0.1:8005 :::*LISTEN 143152/java tcp6 0 0 :::1099 :::*LISTEN 143152/java tcp6 0 0 :::80 :::*LISTEN 143152/java tcp6 0 0 :::36081:::*LISTEN 143152/java tcp6 0 0 10.4.3.55:60736 10.4.3.55:9300 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:60732 10.4.3.55:9300 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:60728 10.4.3.55:9300 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:8010.197.255.10:55446 ESTABLISHED 143152/java tcp6 1 0 10.4.3.55:55958 10.4.3.55:11576 CLOSE_WAIT 143152/java tcp6 0 0 10.4.3.55:53682 172.22.21.48:443ESTABLISHED 143152/java tcp6 0 0 127.0.0.1:48622 127.0.0.1:5432 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:60748 10.4.3.55:9300 ESTABLISHED 143152/java tcp6 1 0 10.4.3.55:55956 10.4.3.55:11576 CLOSE_WAIT 143152/java tcp6 0 0 10.4.3.55:40574 172.22.21.47:443ESTABLISHED 143152/java tcp6 0 0 127.0.0.1:48620 127.0.0.1:5432 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:53782 172.22.21.48:443ESTABLISHED 143152/java tcp6 0 1 10.4.3.55:49808 
10.12.3.78:443 SYN_SENT 143152/java tcp6 0 0 10.4.3.55:60730 10.4.3.55:9300 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:60750 10.4.3.55:9300 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:60742 10.4.3.55:9300 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:60746 10.4.3.55:9300 ESTABLISHED 143152/java tcp6 0 0 127.0.0.1:48624 127.0.0.1:5432 ESTABLISHED 143152/java tcp6 0 0 10.4.3.55:60734 10.4.3.55:9300 ESTABLISHED 143152/java tcp6
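The gap discussed in this message (tens of thousands of lsof rows against a few dozen netstat rows) can be pinned down per file descriptor by matching socket inodes. The following is an added example, not part of the thread: it assumes text captured from `lsof -p <pid>` and `cat /proc/net/tcp6` on the same host and network namespace, and all sample rows and inode numbers are constructed.

```python
from collections import Counter

# State codes used in /proc/net/tcp and /proc/net/tcp6 (subset).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample in the column layout of `lsof -p <pid>`.
LSOF_SAMPLE = """\
COMMAND    PID USER   FD   TYPE   DEVICE SIZE/OFF     NODE NAME
java    130244 root  cwd    DIR      8,2     4096   157664 /usr/local/freestor/bin
java    130244 root   45u  IPv6 12001111      0t0      TCP *:8443 (LISTEN)
java    130244 root   46u  IPv6 12001112      0t0      TCP *:443 (LISTEN)
java    130244 root   52u  IPv6 12003333      0t0      TCP 10.4.3.55:60736->10.4.3.55:9300 (ESTABLISHED)
java    130244 root   78u  sock      0,9      0t0 12154374 protocol: TCPv6
java    130244 root   79u  sock      0,9      0t0 12154380 protocol: TCPv6
java    130244 root   80u  sock      0,9      0t0 12154391 protocol: TCPv6
"""

# Constructed sample in the layout of /proc/net/tcp6 (inode is the 10th field).
TCP6_SAMPLE = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:20FB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001111 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001112 1 0000000000000000 100 0 0 10 0
   2: 0000000000000000FFFF00003703040A:ED40 0000000000000000FFFF00003703040A:2454 01 00000000:00000000 00:00000000 00000000     0        0 12003333 1 0000000000000000 20 4 30 10 -1
"""


def parse_lsof(text):
    """Return one dict per row of default `lsof -p` output (header skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)          # NAME may contain spaces
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        keys = ("command", "pid", "user", "fd", "type",
                "device", "size_off", "node", "name")
        rows.append(dict(zip(keys, parts)))
    return rows


def socket_inode(row):
    """lsof shows the socket inode in DEVICE for IPv4/IPv6 rows, in NODE for 'sock' rows."""
    if row["type"] in ("IPv4", "IPv6"):
        return row["device"]
    if row["type"] == "sock":
        return row["node"]
    return None                               # regular files, dirs, pipes...


def parse_proc_net_tcp(text):
    """Map socket inode -> TCP state name from /proc/net/tcp or tcp6 text."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue                          # header or malformed line
        table[f[9]] = TCP_STATES.get(f[3], f[3])
    return table


def reconcile(lsof_text, tcp_table_text):
    """Split a process's socket fds into those the kernel TCP table knows
    (counted by state) and those it does not (returned as fd/inode/name)."""
    table = parse_proc_net_tcp(tcp_table_text)
    known, unmatched = Counter(), []
    for row in parse_lsof(lsof_text):
        inode = socket_inode(row)
        if inode is None:
            continue
        if inode in table:
            known[table[inode]] += 1
        else:
            unmatched.append((row["fd"], inode, row["name"]))
    return known, unmatched


if __name__ == "__main__":
    known, unmatched = reconcile(LSOF_SAMPLE, TCP6_SAMPLE)
    print("in TCP table:", dict(known))
    print("held by process but not in TCP table:", len(unmatched))
    for fd, inode, name in unmatched:
        print(f"  fd {fd:>5} inode {inode} {name}")
```

Running it on two captures taken some minutes apart shows whether the unmatched set only grows, which is the behaviour the forced GC was meant to test.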
Re: apache-tomcat-8.5.59 too many open files on Linux 8
Hi. I have no idea what lines like this are : java130244 root 78u sock0,9 0t0 12154374 protocol: TCPv6 There are obviously too many of them, for them to match with the sockets listed by netstat. The ones which in the lsof output, have "TYPE" set to "IPv6" seem to correspond to the ones marked as "LISTEN" in the netstat output. But the ones with TYPE="sock" and NAME="protocol: TCPv6" are a mystery to me. Could you redo a netstat as follows : # netstat -p -a -n --inet6 | grep 130244 and can you also try this form of lsof : # lsof -a -p 130244 -T s -i6 And finally (after copying the result of the above) : do you know how to trigger a GC (Garbage Collection) in your tomcat JVM ? (the point is to see if when a GC happens, these things disappear). On 22.05.2021 18:03, Yeggy Javadi wrote: Here it is: # netstat -p -a --tcp | grep 130244 tcp6 0 0 [::]:pcsync-https [::]:* LISTEN 130244/java tcp6 0 0 [::]:https [::]:* LISTEN 130244/java tcp6 0 0 [::]:37537 [::]:* LISTEN 130244/java tcp6 0 0 localhost.localdoma:mxi [::]:* LISTEN 130244/java tcp6 0 0 [::]:8009 [::]:* LISTEN 130244/java tcp6 0 0 [::]:rmiregistry[::]:* LISTEN 130244/java tcp6 0 0 [::]:http [::]:* LISTEN 130244/java tcp6 86 0 Yeggy-F8-FMSVA:39680172.22.22.192:https CLOSE_WAIT 130244/java tcp6 0 1 Yeggy-F8-FMSVA:5361810.12.3.78:httpsSYN_SENT 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54772Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:42664 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54782Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54766Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:42662 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54778Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54788Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54770Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54790Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java 
tcp6 0 0 Yeggy-F8-FMSVA:54776Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54786Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54780Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:45736 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54768Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54784Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:42660 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 1 Yeggy-F8-FMSVA:4292210.12.3.77:httpsSYN_SENT 130244/java tcp6 0 0 Yeggy-F8-FMSVA:35794172.22.22.192:https ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54774Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:45734 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 localhost.localdo:41016 localhost.localdo:vrace ESTABLISHED 130244/java # lsof -p 130244 COMMANDPID USER FD TYPE DEVICE SIZE/OFF NODE NAME java130244 root cwd DIR8,2 4096 157664 /usr/local/freestor/bin java130244 root rtd DIR8,3 40962 / java130244 root txt REG8,2 8712 8913 /usr/local/jdk/jre1.8.0_271/bin/java java130244 root mem REG8,2 498864 9007 /usr/local/jdk/jre1.8.0_271/lib/amd64/libfontmanager.so java130244 root mem REG8,239176 9006 /usr/local/jdk/jre1.8.0_271/lib/amd64/libawt_headless.so java130244 root mem REG8,2 759184 8996 /usr/local/jdk/jre1.8.0_271/lib/amd64/libawt.so java130244 root mem REG8,2 3559360 9139 /usr/local/jdk/jre1.8.0_271/lib/resources.jar java130244 root mem REG8,299680 133076 /usr/lib64/libgcc_s-8-20191121.so.1 java130244 root mem REG8,2 3135658 9133 /usr/local/jdk/jre1.8.0_271/lib/charsets.jar java130244 root mem REG8,2 283368 8980 /usr/local/jdk/jre1.8.0_271/lib/amd64/libsunec.so java130244 root mem REG
Re: apache-tomcat-8.5.59 too many open files on Linux 8
Mmm. Nothing very special in that netstat output. The sockets seen there look quite normal for tomcat, and there are not a lot. What about the IPv4 sockets ? (remove the -6 in your netstat command) Looks like lsof is counting things which are not IPv6 TCP sockets belonging to the tomcat JVM process. Where is the difference between the lsof count (19948) and the netstat count (25) ? (genuine question, I'm puzzled too) Can you give an example of the "lsof -p 130244" output lines ? (not all 19948 please, but enough to see some variety) On 21.05.2021 16:11, Yeggy Javadi wrote: Hi, Here it is: # lsof -p 130244 | grep "protocol: TCPv6"| wc -l 19948 # netstat -p -a -6 --tcp | grep 130244 tcp6 0 0 [::]:pcsync-https [::]:* LISTEN 130244/java tcp6 0 0 [::]:https [::]:* LISTEN 130244/java tcp6 0 0 [::]:37537 [::]:* LISTEN 130244/java tcp6 0 0 localhost.localdoma:mxi [::]:* LISTEN 130244/java tcp6 0 0 [::]:8009 [::]:* LISTEN 130244/java tcp6 0 0 [::]:rmiregistry[::]:* LISTEN 130244/java tcp6 0 0 [::]:http [::]:* LISTEN 130244/java tcp6 86 0 Yeggy-F8-FMSVA:39680172.22.22.192:https CLOSE_WAIT 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54772Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:42664 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54782Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54766Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:42662 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54778Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:46966 localhost.localdo:11753 ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54788Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54770Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:http 10.197.255.10:64799 ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54790Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54776Yeggy-F8-FMSVA:vraceESTABLISHED 
130244/java tcp6 0 0 Yeggy-F8-FMSVA:54786Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54780Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:45736 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54768Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54784Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:42660 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:54774Yeggy-F8-FMSVA:vraceESTABLISHED 130244/java tcp6 0 0 localhost.localdo:45734 localhost.loca:postgres ESTABLISHED 130244/java tcp6 0 0 Yeggy-F8-FMSVA:http 10.197.255.10:64798 ESTABLISHED 130244/java tcp6 0 0 localhost.localdo:41016 localhost.localdo:vrace ESTABLISHED 130244/java Thanks -Original Message- From: Noelette Stout Sent: Friday, May 21, 2021 8:28 AM To: Tomcat Users List Subject: Re: apache-tomcat-8.5.59 too many open files on Linux 8 ss has all the same options as netstat On Fri, May 21, 2021 at 3:51 AM André Warnier (tomcat/perl) wrote: Sorry to top-post, but it's getting cluttered down there.. The next thing that you may want to do : > netstat -p -a -6 --tcp That is an alternative list of sockets, which also shows the "tcp state" of the sockets. To get only the ones of the tomcat JVM PID, filter with grep based on the last column. The type of thing you are looking for is the column which should show "LISTEN", or "ESTABLISHED" or "CLOSE_WAIT" etc.. The options above : -p : show PID and program -a : show all sockets states -6 : only inet v6 --tcp : only TCP sockets "netstat" may not be on your system by default, and you may need to install it. An alternative is "ss", but I don't know the options. 
On 21.05.2021 02:14, Yeggy Javadi wrote: Hi, Yes; that is what I get and as you can see among 8028 open files, 7474 are for TCPv6 sockets: java130244 root 7805u sock0,9 0t0 12294251 protocol: TCPv6 # ps -ef | grep tomcat root 130244 1 1 11:01 ?00:06:20 /usr/local/jre/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat/conf/logging. properties -Djava.util.logging.manager=org.apac
Re: What exactly does the AJP connector on 8009 do?
On 06.04.2021 00:45, James H. H. Lampert wrote: On 4/5/21 1:22 PM, Christopher Schultz wrote: If you are not running a reverse-proxy in front of Tomcat, then it does absolutely nothing for you. If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for you, depending upon what software you are using and what its configuration is. Thanks. Hmm. We have *something* on one of our cloud servers, that has Tomcat sitting behind httpd (on the same box), and we have load balancing (through a couple of AWS Beanstalks) on our cloud-based product, but I don't know if the AJP port is involved in any of that. I don't know about AWS Beanstalks, but for Apache httpd, there are some tell-tale configuration directives in the Apache httpd configuration files, which - if present - will tell you if Apache httpd is communicating with the back-end tomcat using the AJP protocol (and hence tomcat's AJP Connector). Look for either of : - ProxyPass instructions mentioning "AJP:" - SetHandler jakarta-servlet - JkMount (case does generally not matter) (Note that under Linux(es), your Apache httpd config files may be spread in small chunks all over the place, generally in locations such as "/etc/apache2/*" or "/etc/httpd/*") (*) Relevant documentation is available here : 1) http://tomcat.apache.org/connectors-doc/ 2) http://tomcat.apache.org/connectors-doc/reference/apache.html 3) http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass 4) (more complicated cases) http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule Also, if Apache httpd uses AJP to communicate with tomcat, then either one of these Apache httpd add-on modules will be loaded and configured : - mod_jk - mod_proxy_ajp To find out which modules are loaded by Apache httpd, use the following command : # apache2ctl -M (Note that the mere fact that a module is loaded, does not necessarily mean that it is being *used*; but if neither of them is loaded, then you can be pretty sure that 
Apache httpd is NOT using AJP) Shortcut : - comment-out the AJP Connector in the tomcat configuration - restart tomcat - and wait for desperate support calls (*) This is not a criticism : it is very flexible that way; it's just a bit more work to search for the right files.
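The checks listed in this message can be run over a whole httpd configuration tree in one pass. The following is an added example, not part of the thread: it looks for the directives named above plus the `LoadModule` lines of mod_jk and mod_proxy_ajp, and the file names and sample configuration are constructed.

```python
import pathlib
import re
import sys

# Directives the message names as signs that httpd talks AJP to Tomcat.
USAGE_RULES = {
    "ajp-url": re.compile(r"\bajp://", re.I),   # ProxyPass, BalancerMember, RewriteRule [P]
    "sethandler": re.compile(r"^SetHandler\s+jakarta-servlet\b", re.I),
    "jkmount": re.compile(r"^JkMount\b", re.I),
}
MODULE_RULE = re.compile(r"^LoadModule\s+(jk_module|proxy_ajp_module)\b", re.I)

# Constructed sample: one module file and one virtual host.
SAMPLE = {
    "/etc/apache2/mods-enabled/proxy_ajp.load":
        "LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so\n",
    "/etc/apache2/sites-enabled/000-default.conf": """\
<VirtualHost *:80>
    # JkMount /old/* worker1
    ProxyPass /app \\
        ajp://localhost:8009/app
    ProxyPassReverse /app ajp://localhost:8009/app
</VirtualHost>
""",
}


def logical_lines(text):
    """Yield (line_no, directive): comments dropped, backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf = ""
    if buf:                                   # file ended inside a continuation
        yield start, buf.strip()


def scan(files):
    """files: {path: config text}. Return (verdict, findings) where findings
    is a list of (path, line_no, kind)."""
    findings = []
    for path, text in sorted(files.items()):
        for no, directive in logical_lines(text):
            m = MODULE_RULE.match(directive)
            if m:
                findings.append((path, no, "module:" + m.group(1).lower()))
            for kind, rule in USAGE_RULES.items():
                if rule.search(directive):
                    findings.append((path, no, kind))
    used = any(not kind.startswith("module:") for _, _, kind in findings)
    loaded = any(kind.startswith("module:") for _, _, kind in findings)
    if used:
        verdict = "ajp-in-use"
    elif loaded:
        verdict = "module-loaded-only"        # loaded does not mean used
    else:
        verdict = "no-ajp"
    return verdict, findings


def load_tree(root):
    """Read every regular file under a config root such as /etc/apache2."""
    files = {}
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(errors="replace")
    return files


if __name__ == "__main__":
    files = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    verdict, findings = scan(files)
    print(verdict)
    for path, no, kind in findings:
        print(f"  {path}:{no}: {kind}")
```

A `no-ajp` verdict is the case in which the AJP Connector on 8009 has no front-end using it on that host.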
Re: [OT] programming style or mental process ?
On 06.04.2021 20:06, gustavo.avitab...@unina.it wrote: To nitpick, in Spanish one would rather say "cafe frio". ... and, in Italian, "caffè freddo", but we Italians love coffee, and we have much phantasy, so try also: "granita di caffè", "caffè gelato", "caffè col ghiaccio", "il caffè s'è fatto freddo", ... Not so you'd think that Italians are the only ones with imagination when it comes to coffee, Spanish people also call this "granizado de cafe" (or "cafe granizado") or "cafe del tiempo". And that's only for the basic cold type, because there are many subtypes each with its own name, with and without different types of liquor (flambé or not), short, medium, large or "americano" (== like water), real coffee or powder, decaffeinated or not, with or without (hot or cold) milk, in different types of recipients. And not that some people would think that this is now all totally [OT], I would remind everyone of the definite historical and cultural connections between Tomcat, Java, programming and coffee (and Jakarta). (And Dutch people. Where are they in this discussion by the way ? (but they have only one type of coffee I think)).
[OT] programming style or mental process ?
Hi. I have a question which may be totally off-topic for this list, but this has been puzzling me for a while and I figure that someone here may be able to provide some clue as to the answer, or at least some interesting points of view. In various places (including on this list), I have seen multiple occurrences of a certain way to write a test, namely : if (null == request.getCharacterEncoding()) { as opposed to if (request.getCharacterEncoding() == null) { Granted, the two are equivalent in the end. But it would seem to me, maybe naively, that the second form better corresponds to some "semantic logic", by which one wants to know if a certain a-priori unknown piece of data (here the value obtained by retrieving the character encoding of the current request) is defined (not null) or not (null). Said another way : we don't want to know if "null" is equal to anything; we want to know if request.getCharacterEncoding() is null or not. Or in yet another way : the focus (or the "subject" of the test) here is on "request.getCharacterEncoding()" (which we don't know), and not on "null" (which we know already). Or, more literarily, given that the syntax of most (all?) programming languages is based on English (if, then, else, new, for, while, until, exit, continue, etc.), we (*) do normally ask "is your coffee cold ?" and not "is cold your coffee ?". So why do (some) people write it the other way ? Is it purely a question of individual programming style ? Is there some (temporary ?) fashion aspect involved ? Do the people who write this either way really think in a different way ? Or is there really something "technical" behind this, which makes one or the other way be slightly more efficient (whether to compile, or optimise, or run) ? (*) excepting Yoda of course
Re: [OT] programming style or mental process ?
On 04.04.2021 12:57, Olaf Kock wrote: Hi André On 04.04.21 12:23, André Warnier (tomcat/perl) wrote: if (null == request.getCharacterEncoding()) { as opposed to if (request.getCharacterEncoding() == null) { So why do (some) people write it the other way ? Is it purely a question of individual programming style ? Is there some (temporary ?) fashion aspect involved ? Do the people who write this either way really think in a different way ? Or is there really something "technical" behind this, which makes one or the other way be slightly more efficient (whether to compile, or optimise, or run) ? (*) excepting Yoda of course I can't say I'm always writing Yoda style, but if I stretch my memory, then the rationale behind this style of comparisons is to have a constant on the left side, so that you get a compiler error in case you're using = instead of ==. I like that explanation, in the sense that it provides a programming rationale for using the first form (and not only in Java), even if it feels intuitively un-natural. So it's apparently not only fashion or Yoda fandom. Thanks. In your case, with a function call, this wouldn't make a difference "if(request.getCharacterEncoding() = null)" would be illegal syntax as well, but "if(someObject = null)" is perfectly legal, but doesn't express the author's intent clearly: Is it a smart person who's taking a shortcut, or a newbie using the wrong operator? Let the seasoned programmer who's never made that same mistake throw the first stone. Of course, the style doesn't really help people new to the language, as they first need to understand that this is something that they might want to apply to their code. And today, with so many IDE warnings being flagged while typing, it might be outdated, though it still clearly expresses the intent to have a real comparison and not an assignment here. 
And I agree with the other answer posted already: It makes a lot more sense in C++ with all the implicit boolean conversions and habits of outsmarting the code's maintainers with clever expressions. +1 to that too.
Re: [OT] programming style or mental process ?
On 05.04.2021 00:21, Zala Pierre GOUPIL wrote: In your case, with a function call, this wouldn't make a difference "if(request.getCharacterEncoding() = null)" would be illegal syntax as well, but "if(someObject = null)" is perfectly legal, but doesn't express the author's intent clearly: Is it a smart person who's taking a shortcut, or a newbie using the wrong operator? Let the seasoned programmer who's never made that same mistake throw the first stone. I think I never made that mistake. Or at least, I didn't realize it. I never killed any cats / Or else it was a long time ago / Or else I have forgotten / Or they did not smell good (Jacques Brel - Ces gens-là) Couldn't resist.
Re: [OT] programming style or mental process ?
On 05.04.2021 14:37, Christopher Schultz wrote: Or, more literarily, given that the syntax of most (all?) programming languages is based on English (if, then, else, new, for, while, until, exit, continue, etc.), we (*) do normally ask "is your coffee cold ?" and not "is cold your coffee ?". On the other hand, in English, coffee which is not hot is called "cold coffee" but in e.g. Spanish, it's "coffee cold". To nitpick, in Spanish one would rather say "cafe frio". But that's a bit beside the point since - as mentioned above - most currently fashionable programming languages are based on English. Nevertheless, just for the sake of it, and in some imaginary situation in which the Java syntax would be based on Spanish, one would probably have this : si (nada == requerimiento.obtengaCodificaciónCarácteros()) entonces { } sino { } as opposed to si (requerimiento.obtengaCodificaciónCarácteros() == nada) entonces { } sino { } .. which makes it even more striking that the first form deviates from the human language, because "nothing" cannot really be equal to anything, and thus the first form should always evaluate to false. (*) (Which would also lead to more concise Java programs, because if you already know the answer, then you don't even need to make the test in the first place.) On the other hand, this provides an interesting insight into English-speaking people's thought processes, for example as to the expression "nothing matches a good coffee in the morning", which is undoubtedly evaluated as true by many, although logically it cannot be. :-) (*) actually, this appears to be false : in Java, (null == null) is true. See here for an in-depth discussion : https://stackoverflow.com/questions/2707322/what-is-null-in-java P.S. 
If anyone is interested about how it would be to write programs based on a Latin-inspired programming language, I recommend this : https://metacpan.org/pod/distribution/Lingua-Romana-Perligata/lib/Lingua/Romana/Perligata.pm (in which language it would be very difficult to confuse "==" and "=")
Re: [OT] Working with SAML
On 17.03.2021 17:49, Christopher Schultz wrote: André, On 3/16/21 18:21, André Warnier (tomcat/perl) wrote: Alternatively, see this : https://wiki.shibboleth.net/confluence/display/SP3/JavaHowTo Thanks for mentioning this. I looked at Shibboleth. Their web site says "version 3 is deprecated" and "version 4 is undocumented". We've been using versions 2 and 3 without problems. I don't know what version 4 brings, that is not in the others but nevertheless helpful. We've set up one (our own) IdP (the SAML "identity provider", where the clients really login), and several SP (Service Provider), which interact with our own IdP or with other people's IdP's (of various brands/makes/types). It's all a bit of work to set up, but once set up it hasn't given us any more hassle. The documentation for versions 2 and 3 is very extensive, and quite complex, which I believe is kind of unavoidable considering that SAML itself is one of these things designed by a committee. (We also have our own summarised installation and setup documentation, so if you want any tips, just ask) :( That's not exactly encouraging. Thanks, -chris On 16.03.2021 21:18, Christopher Schultz wrote: Robert, On 3/16/21 14:33, Robert Turner wrote: Chris, I'm not sure if it will do what you want, but when sourcing Java-based SAML libraries for our use as an SP, I too found that most of the libraries were much larger and more complicated than I thought necessary. We went with the (limited but simple to use) OneLogin libraries for our use case. It doesn't do everything by any means, but was considerably smaller and simpler than most packages out there. I did see the OneLogin library. You mean this one, right? https://github.com/onelogin/java-saml Is there anything tied to any particular service for that? Or do they simply give-away their library for use anywhere? 
Thanks, -chris On Tue, Mar 16, 2021 at 1:55 PM Christopher Schultz < ch...@christopherschultz.net> wrote: All, I've got a system which is accepting one-legged, signed SAML responses from trusted third parties and doing all the right things. It's working great. It's time to look at doing the opposite: assembling our own SAML responses, signing them, and sending them to another party. I'm sure I could manually create a DOM document with all the right namespaces, add the various values that I need, and then use XML DSIG using the bits and pieces that are provided by Java directly, but there's got to be a nice compact library that doesn't require me to download the entire internet in order to use in my product. Any recommendations? Thanks, -chris
Re: [OT] Working with SAML
Alternatively, see this : https://wiki.shibboleth.net/confluence/display/SP3/JavaHowTo On 16.03.2021 21:18, Christopher Schultz wrote: Robert, On 3/16/21 14:33, Robert Turner wrote: Chris, I'm not sure if it will do what you want, but when sourcing Java-based SAML libraries for our use as an SP, I too found that most of the libraries were much larger and more complicated than I thought necessary. We went with the (limited but simple to use) OneLogin libraries for our use case. It doesn't do everything by any means, but was considerably smaller and simpler than most packages out there. I did see the OneLogin library. You mean this one, right? https://github.com/onelogin/java-saml Is there anything tied to any particular service for that? Or do they simply give-away their library for use anywhere? Thanks, -chris On Tue, Mar 16, 2021 at 1:55 PM Christopher Schultz < ch...@christopherschultz.net> wrote: All, I've got a system which is accepting one-legged, signed SAML responses from trusted third parties and doing all the right things. It's working great. It's time to look at doing the opposite: assembling our own SAML responses, signing them, and sending them to another party. I'm sure I could manually create a DOM document with all the right namespaces, add the various values that I need, and then use XML DSIG using the bits and pieces that are provided by Java directly, but there's got to be a nice compact library that doesn't require me to download the entire internet in order to use in my product. Any recommendations? Thanks, -chris
Re: Run servlets on Nashorn written in server-side JavaScript
On 17.02.2021 14:59, Christopher Schultz wrote: Rony and Leo, On 2/17/21 02:58, Rony G. Flatscher (Apache) wrote: Hi Leo, why would you want to do that if you could do the same with Java? What is the motivation, the use case for you? How urgent is this (I may have something for both, Java EE and Jakarta EE, but need a little bit of time)? —-rony On 15.02.2021 07:29, leo wrote: Hi there I am trying to find out how to process servlets written in server-side JavaScript through Tomcat. I looked through the Tomcat FAQ and How-To but couldn't find anything. By googling I found a way to hook up Python through Jython's PyServlet class. I tried this and it works great. But I am looking for server-side JavaScript in Tomcat. I am aware of the JavaScript engine Nashorn. Is there a way to hook up Nashorn with a servlet class, so that Tomcat serves JavaScript servlets? Something like a "JavaScript Server Page" for Tomcat would be fine too. Many thanks for any pointers, Leo ps: I use Tomcat 8.5, but I could move to another Tomcat version for this. Weird; I never saw the OP on the list, only Rony's reply. Usually if you want to use server-side JavaScript, you use something like Node.js instead of a servlet container. Why not use Node? If you'd really like to use Tomcat, you will need to write a Servlet that establishes a JavaScript environment (e.g. Nashorn), provides all the plumbing for the servlet-container provided resources (e.g. request, response, streams, session, etc.) as well as error-handling, etc. It's a big job. I'd be surprised if nobody had built something like this before. Or maybe everybody just uses Node.js. +1. On the face of it, it looks much simpler to set up a local Nodejs server, and proxy the corresponding requests from Tomcat to it. Perhaps have a look at this ? https://stackoverflow.com/questions/42057314/how-to-implement-an-application-proxy-in-java-on-tomcat Or use an Apache httpd front-end to filter requests and do the proxying to Nodejs and Tomcat. 
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header
Sorry, I haven't read the whole thread, but a basic question : In the tomcat AJP Connector configuration, is "tomcatAuthentication" set to "no" ? https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Common_Attributes On 13.07.2021 17:35, Paolo Clerici wrote: I don't see any ISAPI redirector set up there. I was expecting to see something like the steps described here: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Yes, if I have not missed something, I think I have done everything that is written in the document. The only differences are that there are two sites "prod" and "test" so the only differences for "test" are: 1) Dll folder: C:\Apache Software Foundation\Jakarta Isapi Redirector\test\bin 2) ISAPI filter name: "Jakarta Connector test" (not "tomcat") isapi_redirect.properties file content: extension_uri=/jakarta/isapi_redirect.dll log_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\log\mod_jk.log log_level=warn worker_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\workers.properties worker_mount_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\uriworkermap.properties workers.properties file content: worker.list=dgroupnex02,dgroupnex01 worker.dgroupnex02.type=ajp13 worker.dgroupnex02.host=10.1.2.93 worker.dgroupnex02.port=8009 worker.dgroupnex01.type=ajp13 worker.dgroupnex01.host=10.1.2.39 worker.dgroupnex01.port=8009 uriworkermap.properties file content: /S2W/*=dgroupnex02 /s2wweb/*=dgroupnex01 /websat/*=dgroupnex02 I would like to tell you that ISAPI redirection of all virtual folders works perfectly. The only thing that doesn't work is sending the authorization type and user from IIS to Tomcat. The only application that needs this functionality is "s2wweb". Thanks, Paolo On Tue, 13 Jul 2021 at 14:44, Mark Thomas wrote: On 13/07/2021 12:29, Paolo Clerici wrote: Hi Mark, How did you set up the s2wweb virtual directory? 
Physical Path: C:\Apache Software Foundation\virtual\test\s2wweb Physical Path Credential: blank Physical Path Credential Logon Type: Clear Text Virtual Path: /s2wweb Pass-through authentication: / Connect As: / Path credentials: Application user (pass-through authentication) I don't see any ISAPI redirector set up there. I was expecting to see something like the steps described here: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Mark Thanks, Paolo On Tue, 13 Jul 2021 at 10:27, Mark Thomas wrote: On 13/07/2021 08:49, Paolo Clerici wrote: Hi Mark, Are you connecting from a machine that isn't part of the Windows AD? I have tried both from PCs connected to AD and from PCs not connected to AD. Normally, I'd expect authentication to work without any password prompt. If I connect from PC AD I am not asked for credentials (correct). If I connect from a non-AD PC I am prompted for credentials (correctly). The credential check is done correctly by IIS. Are any other authentication mechanisms enabled? For virtual directory "s2wweb" only "Windows Authentication" is enabled ("Anonymous Authentication" is disabled). For site "test" is enabled "Anonymous Authentication". Are your two test machines (working and not working) connecting to the same Tomcat instance (and on the same port)? Yes. Current IIS server needs to be migrated to a new IIS server. The current server (Windows Server 2008 R2 with IIS 6.1) is connected to the same Tomcat server (another Windows Server 2008 R2 with Tomcat 7.0) on the same port (8009). Again, testing a similar setup locally works as expected. The authenticated Windows user name is passed to Tomcat. How did you set up the s2wweb virtual directory? 
Mark
Re: Session stickiness with mod_proxy_balancer
Hi Chris. Maybe the problem was due to this : https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxy the snippet after "Mixing ProxyPass settings in different contexts does not work:" In your first configuration below, the ProxyPass (including the settings of the variables) is outside of any , or block, while the other proxy-related directives are inside a block; those are 2 different "contexts". (And clearly, the "does not work" could have been a bit more explicit; as it is, it sounds like my customers reporting issues). Alternatively, the difference between the 2 configurations may be due to a question of priority (or "overriding"). Apache httpd considers content at a different time (in the HTTP request cycle) compared to what is contained in sections (and thus probably also sections), and compared to what is not contained in any section (and which is thus considered as "VirtualHost-level"). Within each section, the interpretation is generally top-down. In your 1st configuration below, I notice that the ProxyPass directive is *after* the block, while in the example at https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html#balancer_manager , the ProxyPass directive *precedes* the block. That may sound insignificant or finicky as a difference, but actually, based on https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#workers, this second explanation may be the right one : If I understand that page correctly, - if your block comes first (before the ProxyPass), then it is the block which creates the "balancer:" worker. And then, when the ProxyPass is evaluated, not only does it "re-use" that same worker, but also the attributes of the ProxyPass are ignored. 
(quote: "Note that all configuration attributes given explicitly for the later worker will be ignored")(It also says "This will be logged as a warning", so if you still have access to the old log, you could check) - while if the ProxyPass directive comes before the block, then it is the ProxyPass which creates the worker (and the attributes are not ignored). And when the is evaluated, it "re-uses" the worker created by ProxyPass (with its already-defined attributes). The same logic also explains why your 2d configuration does work : - the block creates the "balancer" worker AND sets its attributes via ProxySet - the ProxyPass directive comes after, and it re-uses the "balancer" worker, but it does not set parameters (which would be ignored anyway, with a warning logged) This could be easily confirmed (or negated) if you had a chance to restore your first configuration, and just moved the ProxyPass above the block. (But in the end, I believe that your 2d configuration is more "solid" anyway). In the end, each httpd add-on module (like mod_proxy and mod_proxy_balancer) is responsible for its own interpretation (and ordering) of the directives that relate to it, and they are not always totally consistent with one another in that respect. For even more sordid details, see https://httpd.apache.org/docs/2.4/sections.html and its sections : - How the sections are merged and - Relationship between modules and configuration sections and if after that you really understand what is going on, come back to me to explain, because after 20+ years of configuring Apache httpd, I'm still not sure sometimes. On 22.12.2021 18:04, Christopher Schultz wrote: All, I'm setting up mod_proxy_balancer to talk to Tomcat after having only used mod_jk for a very long time. With a multiple-Tomcat-node situation, I was finding that sessions didn't seem to be "sticking" and I thought I had my configuration correct. 
Something like this:

<Proxy balancer://myapp>
  BalancerMember https://tomcat-1/ route=tc1
  BalancerMember https://tomcat-2/ route=tc2
</Proxy>
ProxyPass /myapp/ balancer://myapp/ stickysession=JSESSIONID|jsessionid scolonpathdelim=On
ProxyPassReverse /myapp/ balancer://myapp/

I found that httpd wasn't picking-up my session ids from JSESSIONID cookies like 76234132976549238.tc1 or 642586735782.tc2. However, when I *moved* the configuration from the ProxyPass line into the balancer configuration like this, it works as expected:

<Proxy balancer://myapp>
  BalancerMember https://tomcat-1/ route=tc1
  BalancerMember https://tomcat-2/ route=tc2
  ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
</Proxy>
ProxyPass /myapp/ balancer://myapp/
ProxyPassReverse /myapp/ balancer://myapp/

Was I incorrect in my expectations? I would expect that the two configurations would work the same way. This is a client system so I can't really play around with it too much at this point. Once it started working, we stopped messing-around with it. I can probably create another similar setup but it will take me a while to do so; if anyone can explain what I'm seeing without me having to reproduce it, t
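A small configuration audit for the ordering this thread suspects, added here as an example and not code from either poster or from httpd: it flags a ProxyPass line that carries key=value parameters for a balancer that an earlier <Proxy balancer://...> block already declared. The function name `audit_balancer_params` and both sample configurations are constructed for illustration; the check only locates the pattern and says nothing about how a given httpd version treats it.

```python
import re
import shlex

# Constructed samples mirroring the two layouts posted in the thread.
CONFIG_PARAMS_ON_PROXYPASS = """\
<Proxy balancer://myapp>
    BalancerMember https://tomcat-1/ route=tc1
    BalancerMember https://tomcat-2/ route=tc2
</Proxy>
ProxyPass /myapp/ balancer://myapp/ stickysession=JSESSIONID|jsessionid scolonpathdelim=On
ProxyPassReverse /myapp/ balancer://myapp/
"""

CONFIG_PARAMS_IN_PROXYSET = """\
<Proxy balancer://myapp>
    BalancerMember https://tomcat-1/ route=tc1
    BalancerMember https://tomcat-2/ route=tc2
    ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
</Proxy>
ProxyPass /myapp/ balancer://myapp/
ProxyPassReverse /myapp/ balancer://myapp/
"""

# Opening tag of a balancer block, with or without quotes around the URL.
PROXY_OPEN = re.compile(r'<Proxy\s+"?balancer://([^/\s">]+)', re.IGNORECASE)


def _tokens(line):
    """Split a directive line, honouring the double quotes httpd allows."""
    try:
        return shlex.split(line)
    except ValueError:          # unbalanced quote: fall back to plain split
        return line.split()


def audit_balancer_params(text):
    """Return one finding per ProxyPass that sets parameters on a balancer
    already declared by an earlier <Proxy balancer://...> block."""
    declared = {}               # balancer name -> line of its <Proxy> block
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = PROXY_OPEN.match(line)
        if opened:
            declared.setdefault(opened.group(1).lower(), lineno)
            continue
        tokens = _tokens(line)
        if tokens[0].lower() != "proxypass":
            continue
        # The target is argument 2, or argument 1 inside a <Location> block.
        target = next((t for t in tokens[1:3]
                       if t.lower().startswith("balancer://")), None)
        if target is None:
            continue
        name = target[len("balancer://"):].split("/", 1)[0].lower()
        params = [t for t in tokens[1:] if "=" in t and "://" not in t]
        if params and name in declared:
            findings.append({
                "line": lineno,
                "balancer": name,
                "block_line": declared[name],
                "params": params,
            })
    return findings


if __name__ == "__main__":
    for label, cfg in (("params on ProxyPass", CONFIG_PARAMS_ON_PROXYPASS),
                       ("params in ProxySet", CONFIG_PARAMS_IN_PROXYSET)):
        hits = audit_balancer_params(cfg)
        print(label, "->", hits if hits else "no findings")
```

Where it reports a finding, moving the listed parameters into a ProxySet line inside the block gives the layout that worked in the thread.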
Re: tomcat logging
Hi Alan, On 09.06.22 12:56, Alan F wrote: > Tomcat logging > > I would like to add a delimiter or characters " " around {user-agent} for > logging, I wanted it in double quotes for example "Mozilla 5.0.." but can't > seem to make it work. Or even adding a # symbol before would help any ideas? I assume, you refer to access logging. Recent Tomcat has a proper example already in the standard server.xml (IIRC for a long time), just use the XML entity, where you need it (taken from 9.0.64): If you are happy with a standard combined pattern, just use pattern="combined", it contains user agent in double quotes. See https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Log_Valve for complete pattern information. hth, Thomas - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: OT: Question about TomcatX.exe files
See also : https://cwiki.apache.org/confluence/display/TOMCAT/Windows#Windows-Q11 On 28.09.2022 21:41, jonmcalexan...@wellsfargo.com.INVALID wrote: Thank you Mark. I mainly wanted to have answers for when I will be invariably questioned about it. :-). I knew about the naming, but understand that these aren't recompiled for each release, so modifying the version wouldn't work. (file/properties) Thanks, Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -Original Message- From: Mark Thomas Sent: Wednesday, September 28, 2022 1:57 PM To: users@tomcat.apache.org Subject: Re: OT: Question about TomcatX.exe files On 28/09/2022 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote: Ok, this is a silly off-topic question, but is there an underlying reason that the wrapper exe files for Windows Tomcat do not reflect the same file version as the implementation version found in the manifest of the bootstrap.jar? That version info matching the release version of the Tomcat release? I understand if these wrappers aren't recompiled each release, but if they are, why not make the versions reflect the Tomcat release? This seems to throw a loop at 3rd party software discovery tools such as BigFix, ServiceNow, etc., as well as normalizations performed by vendors like Flexera. 
Those files are renamed Procrun files from Commons Daemon. The files are never compiled as part of a Tomcat release (we use the binaries from Commons Daemon) but they can be renamed to anything you want but note the next point. The file name reflects the default service name so you don't have to specify the service name every time you call the executables. The default service name is TomcatX where X is the major version. This allows the service name to stay the same across minor and point release upgrades. Renaming the service every time you upgrade is likely to cause other issues - e.g. for software monitoring the service. Other naming schemes are possible. The current scheme seems to provide a reasonable solution for the majority of users. That said, if the community disagrees, it can always be changed. Mark Just curious. Thank you for your time. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 5.5.26 hangs
Hi, our customer is running a cluster of tomcat servlet engines. On these, our web application is running. The basic setup is

Loadbalancer --- Apache 1.3.x with mod_jk --- Tomcat

with 2-3 Apache servers and 30 Tomcat instances bundled into clusters of 3-5 instances each. Apache + Tomcat servers are running on recent SUN multi-core machines under Solaris. The basic setup hasn't changed much over the past few years, except occasional updates to soft- and hardware, and the number of Tomcat instances has been increasing steadily. Currently, they're using Tomcat-5.5.26 on SUN's jdk 1.5.0_10 (64 bit) and mod_jk 1.2.28. Over the years, we have seen the same situation since before Tomcat-5.5.12. Most of the time, things work nicely. Occasionally, though, the whole system comes to a complete halt. A post-mortem thread dump shows all (!) worker threads on all instances waiting for input from the Apache servers, e. g.:

TP-Processor2432 daemon prio=10 tid=0x00b2f258 nid=0x9f1 runnable [0x7cfbf000..0x7cfbfa70]
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:256)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:313)
    - locked 0x95947c70 (a java.io.BufferedInputStream)
    at org.apache.jk.common.ChannelSocket.read(ChannelSocket.java:626)
    at org.apache.jk.common.ChannelSocket.receive(ChannelSocket.java:564)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:691)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:595)

Due to the large number of machines involved and the high number of client requests, it is impossible to see how such a situation evolves.
We have ruled out lengthy garbage collection pauses (CMS collector is enabled). There is no obviously relevant information in the logfiles. Usually, the situation can be resolved by restarting Apache and/or (some) Tomcat servers, which makes DOS attacks unlikely, IMO. Has anyone seen this situation before? Any ideas what could be the problem, and how to resolve it? Any idea how to gain more information? Thanks, Peter -- Peter Conrad Tivano Software GmbH Bahnhofstr. 18 63263 Neu-Isenburg Tel: 06102 / 8099070 Fax: 06102 / 8099071 HRB 11680, AG Offenbach/Main Geschäftsführer: Martin Apel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 5.5.26 hangs
Hi,

On Wednesday, 14 October 2009, Christopher Schultz wrote:
> Although those threads say runnable, they're really blocked at the OS level waiting to receive data from the mod_jk connector. These threads are actually idle, waiting for requests from httpd to come through the pipe. You can probably confirm this by checking with 'top' to see that Tomcat isn't using any CPU time, because it's just waiting.

exactly. That's what I meant with waiting for input from the Apache servers. Thanks for confirming this.

> Is it feasible to remove httpd from the equation? Tomcat 5.5 can easily compete with httpd for static file delivery if that's all you're using it for.

Not really. We're relying on mod_jk for load-balancing with sticky sessions, and for SSL termination. Getting rid of the Apaches would be a major PITA.

> If you could post your httpd configuration for your worker/prefork stuff AND your mod_jk configuration, it might be helpful.

===workers.properties===
worker.list=lb,jkstatus
worker.jkstatus.type=status
worker.lb.type=lb
worker.lb.balance_workers=xx01E1, xx02E1, [...]
worker.xx01E1.port=31011
worker.xx01E1.host=appsrv01
worker.xx01E1.type=ajp13
worker.xx01E1.lbfactor=5
worker.xx01E1.activation=A
worker.xx01E1.domain=d01
worker.xx01E1.connect_timeout=15000
worker.xx01E1.prepost_timeout=15000
[...more workers with identical config except host and domain...]
===/workers.properties===

===httpd.conf===
<IfModule mod_jk.c>
JkWorkersFile /...path.../conf/workers.properties
JkShmFile /...path.../logs/apache_2_2/jk-shm.file
JkLogFile /...path.../logs/apache_2_2/jk.log
JkLogLevel info
# JkLogLevel Fatal
# JkLogLevel info
# JkLogLevel trace
# JkLogLevel debug
</IfModule>

# Manager config:
<Location /jkmanager/>
JkMount jkstatus
Order deny,allow
Deny from all
Allow from 10.207.69 10.64 192.168.7
</Location>

# Virtual Host config:
JkMount /app/* lb
JkMount jkstatus
===/httpd.conf===

Thanks, Peter -- Peter Conrad Tivano Software GmbH Bahnhofstr.
18 63263 Neu-Isenburg Tel: 06102 / 8099070 Fax: 06102 / 8099071 HRB 11680, AG Offenbach/Main Geschäftsführer: Martin Apel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat restart not killing session
Hi, On Thu, Oct 15, 2009 at 08:53:03AM -0500, sharda k wrote: I was under the impression that restarting webserver would kill all user sessions. But with my tomcat install, restarting Tomcat does not kill user sessions. I am still able to continue with the initially started sessions. Is this a typical tomcat behaviour or a bug? I have Tomcat 5.5 running on Windows Vista. it's a feature. :-) See http://tomcat.apache.org/tomcat-5.5-doc/config/manager.html#Restart Persistence Bye, Peter -- Peter Conrad Tivano Software GmbH Bahnhofstr. 18 63263 Neu-Isenburg Tel: 06102 / 8099070 Fax: 06102 / 8099071 HRB 11680, AG Offenbach/Main Geschäftsführer: Martin Apel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 5.5.26 hangs
Hi, for completeness: the issue seems to have been resolved. The problems were apparently caused by a misconfigured router between the webservers and the appservers.

On Wednesday, 14 October 2009, Mark Thomas wrote:
> > Any idea how to gain more information?
> Jk debug logs
> wireshark
> compare httpd and Tomcat access logs

netstat was found to be very helpful, because it showed non-empty send-queues and lots of connections in FIN_WAIT_1 on the webservers. Which proved that the problems were network-related, and not due to software bugs. Thanks for your help! Peter -- Peter Conrad Tivano Software GmbH Bahnhofstr. 18 63263 Neu-Isenburg Tel: 06102 / 8099070 Fax: 06102 / 8099071 HRB 11680, AG Offenbach/Main Geschäftsführer: Martin Apel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
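The netstat check described in this message, written out as an added example that is not part of the original post: it counts connection states towards the AJP backend port and lists sockets whose send queue stays non-empty across two snapshots, which is data the peer is not acknowledging. Both snapshots are constructed, the Linux `netstat -ant` column layout is an assumption (the thread does not show the real output), and 31011 is the worker port from the workers.properties posted earlier in the thread.

```python
from collections import Counter

# Constructed snapshots; addresses are documentation ranges.
SNAPSHOT_1 = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:48211        192.0.2.21:31011        ESTABLISHED
tcp        0   8184 192.0.2.10:48212        192.0.2.21:31011        FIN_WAIT1
tcp        0   1203 192.0.2.10:48213        192.0.2.22:31011        FIN_WAIT1
tcp        0   8184 192.0.2.10:48214        192.0.2.22:31011        FIN_WAIT_1
tcp        0   4096 192.0.2.10:48215        192.0.2.21:31011        ESTABLISHED
tcp        0      0 192.0.2.10:48216        192.0.2.22:31011        TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.7:51514      ESTABLISHED
"""

SNAPSHOT_2 = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:48211        192.0.2.21:31011        ESTABLISHED
tcp        0   8184 192.0.2.10:48212        192.0.2.21:31011        FIN_WAIT1
tcp        0   8184 192.0.2.10:48214        192.0.2.22:31011        FIN_WAIT_1
tcp        0      0 192.0.2.10:48215        192.0.2.21:31011        ESTABLISHED
"""


def parse_netstat(text):
    """Yield one dict per TCP socket line; headers and other lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        try:
            recv_q, send_q = int(fields[1]), int(fields[2])
        except ValueError:
            continue
        yield {
            "recv_q": recv_q,
            "send_q": send_q,
            "local": fields[3],
            "remote": fields[4],
            # Tools spell the state FIN_WAIT1 or FIN_WAIT_1: drop underscores.
            "state": fields[5].replace("_", "").upper(),
        }


def backend_summary(text, backend_port):
    """Summarise sockets whose remote port is the backend (AJP) port."""
    port = str(backend_port)
    states = Counter()
    stalled_by_backend = Counter()
    queued_bytes = 0
    for sock in parse_netstat(text):
        host, _, remote_port = sock["remote"].rpartition(":")
        if remote_port != port:
            continue
        states[sock["state"]] += 1
        if sock["send_q"] > 0:      # bytes sent but not yet acknowledged
            stalled_by_backend[host] += 1
            queued_bytes += sock["send_q"]
    return {
        "states": dict(states),
        "fin_wait_1": states["FINWAIT1"],
        "stalled": sum(stalled_by_backend.values()),
        "stalled_by_backend": dict(stalled_by_backend),
        "queued_bytes": queued_bytes,
    }


def persistent_stalls(earlier, later, backend_port):
    """Sockets to the backend port whose Send-Q was non-empty in both
    snapshots and did not shrink in between."""
    port = str(backend_port)
    before = {(s["local"], s["remote"]): s["send_q"]
              for s in parse_netstat(earlier)}
    stuck = []
    for sock in parse_netstat(later):
        key = (sock["local"], sock["remote"])
        if sock["remote"].rpartition(":")[2] != port:
            continue
        if sock["send_q"] > 0 and 0 < before.get(key, 0) <= sock["send_q"]:
            stuck.append(key)
    return sorted(stuck)


if __name__ == "__main__":
    print(backend_summary(SNAPSHOT_1, 31011))
    for local, remote in persistent_stalls(SNAPSHOT_1, SNAPSHOT_2, 31011):
        print("not draining:", local, "->", remote)
```

A send queue that is briefly non-empty is normal under load; the second function exists because only queues that fail to drain between snapshots point at the path between the hosts.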
Apache-2.2.11 + mod_jk-1.2.28 + SSL
Hi, we're seeing a strange problem here that is only partially reproducible. Our customer is running a cluster of Tomcat 5.5.26 servers (several cluster domains) behind several load-balanced Apache-2.2.11 (for SSL termination + sticky sessions). The application consists of an unencrypted part and an SSL encrypted part. Most of the time, the setup is running fine (at least since we solved some (unrelated) network problems, see my previous mails). When a HTTP/1.0 client requests a dynamically generated page over SSL, most of the response is returned immediately. Then, we see a 5-second timeout (this is *not* Apache's KeepAliveTimeout), then the rest of the response is delivered just before the connection is shut down. For dynamically generated pages, we do not set a Content-Length header, so for HTTP/1.0 clients the server has to respond with Connection: close (which it does). Only it waits for 5 seconds before actually closing it.

Everything works fine for
- static content (where we set Content-Length)
- redirects (where we set Content-Length: 0)
- HTTP/1.1-clients (where the server uses Transfer-Encoding: Chunked)
- HTTP/1.0-clients in the non-ssl part (!)

Here's an example output generated by curl -0 -v -L -N -o /dev/null:

* About to connect() to xxx.yyy.de port 443 (#0)
*   Trying xxx.xxx.xx.xx... connected
* Connected to xxx.yyy.de (xxx.xxx.xx.xx) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*   subject: /C=DE/ST=.../L=.../O=.../OU=.../CN=xxx.yyy.de
*   start date: 2009-07-13 00:00:00 GMT
*   expire date: 2010-07-23 23:59:59 GMT
*   common name: xxx.yyy.de (matched)
*   issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD. (c)97 VeriSign
*   SSL certificate verify ok.
GET /.../html HTTP/1.0
User-Agent: curl/7.19.0 (i686-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10
Host: xxx.yyy.de
Accept: */*
Cookie: JSESSIONID=B0ED3118B70E8E00433E2E709C9FE5B7.zzz

HTTP/1.1 200 OK
Date: Wed, 18 Nov 2009 15:18:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref=..., CP=IDC CUR DEV PSA CONi OUR DEL STP PHY ONL UNI PUR COM NAV DEM CNT STA
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: de

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
{ [data not shown]
100 24552    0 24552    0     0  19043      0 --:--:--  0:00:01 --:--:-- 22239
100 24552    0 24552    0     0  10706      0 --:--:--  0:00:02 --:--:-- 11647
100 24552    0 24552    0     0   7446      0 --:--:--  0:00:03 --:--:--  7889
100 24552    0 24552    0     0   5702      0 --:--:--  0:00:04 --:--:--  5959
100 24552    0 24552    0     0   4876      0 --:--:--  0:00:05 --:--:--  5062
* SSLv3, TLS alert, Client hello (1):
{ [data not shown]
100 28035    0 28035    0     0   5556      0 --:--:--  0:00:05 --:--:--   927
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]

As you can see, 24552 (=3 * 8184) bytes are received almost immediately, while the rest is only transferred after 5 seconds. Leaving -0 away from the curl command line, the complete result is received immediately. Requesting the same page via http instead of https, the complete result is received immediately. The 5-second-delay can be seen using wget instead of curl, too, so this is probably not a client problem. So far, the problem has only been seen on the production system. Due to the load conditions, it is infeasible to run mod_jk with significant logging output. mod_jk configuration is straightforward, timeouts are not defined (i. e. we use default values). Any ideas? Thanks, Peter -- Peter Conrad Tivano Software GmbH Bahnhofstr.
18 63263 Neu-Isenburg Tel: 06102 / 8099070 Fax: 06102 / 8099071 HRB 11680, AG Offenbach/Main Geschäftsführer: Martin Apel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
Re: Apache-2.2.11 + mod_jk-1.2.28 + SSL
Hi,

On Thu, Nov 19, 2009 at 12:50:44AM +0100, Rainer Jung wrote:
> On 18.11.2009 17:01, conrad-tomcat.users.2...@tivano.de wrote:
> > As you can see, 24552 (=3 * 8184) bytes are received almost immediately,
> 8184 looks like the body size of one full AJP packet (protocol used by mod_jk and Tomcat).

yep, that's what I thought, too. It looks like the last, partially filled AJP packet from the Tomcat response is not making it through the SSL layer, somehow. Or whatever signals end of response to the SSL layer.

> > while the rest is only transferred after 5 seconds. Leaving -0 away from the curl command line, the complete result is received immediately. Requesting the same page via http instead of https, the complete result is received immediately. The 5-second-delay can be seen using wget instead of curl, too, so this is probably not a client problem. So far, the problem has only been seen on the production system. Due to the load conditions, it is infeasible to run mod_jk with significant logging output.
> Too bad.
> > mod_jk configuration is straightforward, timeouts are not defined (i. e. we use default values).
> That's not so nice but also likely not the cause of the problem. Can you run a network sniff (Wireshark et.al.) between Apache and Tomcat?

No, that's infeasible due to the high traffic volume.

> the AJP protocol is pretty clear text, so you could verify, whether the 5 seconds are caused by Apache (in case the full content has been delivered by Tomcat well before), or the reason is Tomcat or your webapp (in case the last response content packet really comes with the delay).

The webapp behaviour (for this page) depends neither on the HTTP protocol version nor on the presence of SSL. So I'm certain that the webapp delivers the complete response immediately.

Bye, Peter -- Peter Conrad Tivano Software GmbH Bahnhofstr.
18 63263 Neu-Isenburg Tel: 06102 / 8099070 Fax: 06102 / 8099071 HRB 11680, AG Offenbach/Main Geschäftsführer: Martin Apel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache-2.2.11 + mod_jk-1.2.28 + SSL
Hi,

On Wednesday, 18 November 2009, conrad-tomcat.users.2...@tivano.de wrote:
> When a HTTP/1.0 client requests a dynamically generated page over SSL, most of the response is returned immediately. Then, we see a 5-second timeout (this is *not* Apache's KeepAliveTimeout), then the rest of the response is delivered just before the connection is shut down. For dynamically generated pages, we do not set a Content-Length header, so for HTTP/1.0 clients the server has to respond with Connection: close (which it does). Only it waits for 5 seconds before actually closing it.

apparently this problem was caused by mod_ssl configuration, specifically the SSLSessionCache setting.

Thanks, Peter -- Peter Conrad Tivano Software GmbH Bahnhofstr. 18 63263 Neu-Isenburg Tel: 06102 / 8099070 Fax: 06102 / 8099071 HRB 11680, AG Offenbach/Main Geschäftsführer: Martin Apel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[no subject]
Date: Sun, 02 May 2010 15:35:21 -0400
From: Dave Filchak sub...@zuka.net
To: users@tomcat.apache.org
Subject: Tomcat on a machine with multiple ip addresses

Due to a hard drive failure, I am needing to move some websites to a machine that has Tomcat already running on it with Apache as the front end. I was unable to get the sites working using the Apache instance that was already there so, I installed a second instance on the machine, with a separate pid and listening on a different ip. ( it would have been better to just use the same Apache instance but I could not get it to work. The default Tomcat page kept coming up) I added the address attribute to the server.xml files so that it would not listen on all interfaces.
So, I have the new instance sort of working but for some reason, on all but two virtual sites, I cannot access them if I use www.somedomain.com. Only if I use somedomain.com. As I said, two of the sites work fine. The dns resolves correctly to either www.somedomain.com or somedomain.com. So, can tomcat or could tomcat be screwing this up somehow (actually, I guess it would have been me who screwed it up somewhere). I am not well versed in tomcat at this point so some help would be greatly appreciated. Either just to solve this issue or help on how I could have simply used the original instance to serve my non-tomcat php sites. Thanks in advance. Dave
[no subject]
Date: Mon, 03 May 2010 18:40:58 -0400
From: Dave Filchak sub...@zuka.net
To: Smithan John smithantechsp...@gmail.com
CC: Tomcat Users List users@tomcat.apache.org
Subject: Re: Re: Tomcat on a machine with multiple ip addresses

Humm ... sorry it has taken a while to get back to you with this. I have been busy trying to get all my clients up. There is not a lot of them but it is very time consuming. Before I get to all the configs, does Tomcat, by default, take over ALL the ips' on port 443 i.e. 0.0.0.0:443? If so, where would/could I set this to only listen on one IP or even do not listen for 443 as I have another app that I will need for that port. Thanks in advance.
Dave

On 22/07/64 2:59 PM, Smithan John wrote:
> Hi Dave, Please provide below information:
> - The port on which the old Apache instance is running.
> - The port on which the new Apache instance is configured.
> - Does the whole setup use only DNS resolution or do we have a CSS(Secure Switch) layer.
> Regards, Smithan.
>
> On Mon, May 3, 2010 at 1:05 AM, Dave Filchak sub...@zuka.net wrote:
> > Due to a hard drive failure, I am needing to move some websites to a machine that has Tomcat already running on it with Apache as the front end. I was unable to get the sites working using the Apache instance that was already there so, I installed a second instance on the machine, with a separate pid and listening on a different ip. ( it would have been better to just use the same Apache instance but I could not get it to work. The default Tomcat page kept coming up) I added the address attribute to the server.xml files so that it would not listen on all interfaces. So, I have the new instance sort of working but for some reason, on all but two virtual sites, I cannot access them if I use www.somedomain.com. Only if I use somedomain.com. As I said, two of the sites work fine. The dns resolves correctly to either www.somedomain.com or somedomain.com. So, can tomcat or could tomcat be screwing this up somehow (actually, I guess it would have been me who screwed it up somewhere). I am not well versed in tomcat at this point so some help would be greatly appreciated. Either just to solve this issue or help on how I could have simply used the original instance to serve my non-tomcat php sites. Thanks in advance. Dave
Re: Re: Tomcat on a machine with multiple ip addresses
From: Dave Filchak sub...@zuka.net
Date: Mon, 03 May 2010 18:48:17 -0400

Smithan

On 22/07/64 2:59 PM, Smithan John wrote:
> Hi Dave,
>
> Please provide below information:
>
> - The port on which the old Apache instance is running.

Both instances run on port 80 but are on different IP numbers.

> - The port on which the new Apache instance is configured.
> - Does the whole setup use only DNS resolution or do we have a CSS (Secure Switch) layer.

DNS only

> Regards,
> Smithan.
>
> On Mon, May 3, 2010 at 1:05 AM, Dave Filchak sub...@zuka.net wrote:
>> Due to a hard drive failure, I am needing to move some websites to a machine that has Tomcat already running on it with Apache as the front end. I was unable to get the sites working using the Apache instance that was already there so, I installed a second instance on the machine, with a separate pid and listening on a different ip. (It would have been better to just use the same Apache instance but I could not get it to work. The default Tomcat page kept coming up.) I added the address attribute to the server.xml files so that it would not listen on all interfaces.
>>
>> So, I have the new instance sort of working but for some reason, on all but two virtual sites, I cannot access them if I use www.somedomain.com. Only if I use somedomain.com. As I said, two of the sites work fine. The dns resolves correctly to either www.somedomain.com or somedomain.com. So, can tomcat or could tomcat be screwing this up somehow (actually, I guess it would have been me who screwed it up somewhere).
>>
>> I am not well versed in tomcat at this point so some help would be greatly appreciated. Either just to solve this issue or help on how I could have simply used the original instance to serve my non-tomcat php sites.
>>
>> Thanks in advance.
>>
>> Dave
Re: Re: Tomcat on a machine with multiple ip addresses
From: Dave Filchak sub...@zuka.net
Date: Tue, 04 May 2010 00:12:13 -0400

Thanks for this. I did use the address attribute for port 80. No, check that. I think what I did was put address=XXX.XXX.XXX.XXX but did not specify the port ... just the address as it also listens on ports up in the 8000 range I believe.

How do I stop it from listening on port 443? I will need to have another site (non tomcat) listening on 443 on the same IP under Apache. This machine basically has three IP numbers assigned to it.

Dave

On 22/07/64 2:59 PM, Mark Thomas wrote:
> On 03/05/2010 23:40, Dave Filchak wrote:
>> Humm ... sorry it has taken a while to get back to you with this. I have been busy trying to get all my clients up. There is not a lot of them but it is very time consuming.
>>
>> Before I get to all the configs, does Tomcat, by default, take over ALL the ips' on port 443 i.e. 0.0.0.0:443? If so, where would/could I set this to only listen on one IP or even do not listen for 443 as I have another app that I will need for that port.
>
> By default, Tomcat will listen to all IPv4 and IPv6 addresses on the specified port. Use the address attribute of the connector to limit this to all IPv4 only, all IPv6 only or a specific IPv4 or IPv6 address.
>
> Mark
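An added example, not part of the thread: the address attribute is set per Connector, so one connector can be pinned to an IP while another still listens everywhere. This sketch lists what each Connector in a server.xml binds to and reports which ones would stop another service (such as Apache on port 443) from binding a given IP; the sample XML, the 192.0.2.x addresses and all function names are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the thread): the port 80 connector
# has an address attribute, the port 443 connector does not.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" address="192.0.2.10"
               connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>"""


def parse_address(address):
    """Return an ip_address object, or None for a host name (not resolved offline)."""
    try:
        return ipaddress.ip_address(address)
    except ValueError:
        return None


def bind_scope(address):
    """Describe what a Connector with this address attribute listens on."""
    if address is None:
        return "all IPv4 and IPv6 addresses"
    ip = parse_address(address)
    if ip is None:
        return "host name %s (resolve it to check)" % address
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all IPv%d addresses" % ip.version
    return "only %s" % ip


def list_connectors(xml_text):
    """One dict per <Connector>, in document order."""
    root = ET.fromstring(xml_text)
    return [
        {
            "port": int(conn.get("port")),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "address": conn.get("address"),
            "scope": bind_scope(conn.get("address")),
        }
        for conn in root.iter("Connector")
    ]


def covers(address, target):
    """True if a connector bound to `address` also occupies the port on `target`."""
    if address is None:
        return True
    bound = parse_address(address)
    if bound is None:
        return True  # unresolved host name: report it rather than miss it
    if bound.is_unspecified:
        # Conservative: a socket bound to :: can also accept IPv4 on dual-stack hosts.
        return bound.version == 6 or target.version == 4
    return bound == target


def blocking_connectors(xml_text, ip, port):
    """Connectors that would stop another service from binding ip:port."""
    target = ipaddress.ip_address(ip)
    return [c for c in list_connectors(xml_text)
            if c["port"] == port and covers(c["address"], target)]


if __name__ == "__main__":
    for c in list_connectors(SAMPLE_SERVER_XML):
        print("port %-5d %-9s listens on %s" % (c["port"], c["protocol"], c["scope"]))
    for c in blocking_connectors(SAMPLE_SERVER_XML, "192.0.2.20", 443):
        print("port %d on 192.0.2.20 is taken by a connector bound to %s"
              % (c["port"], c["scope"]))
```

A connector reported as blocking has to get its own address attribute, or be removed from server.xml, before the other service can bind that port.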
error with jk_module
From: Dave Filchak sub...@zuka.net
Date: Tue, 04 May 2010 18:42:38 -0400

Can somebody enlighten me on what this means? I have been struggling with this for a while and need to restart my server but keep getting this config error.

httpd: Syntax error on line 439 of /usr/local/apache2/conf/httpd.conf: API module structure `jk_module' in file /usr/local/apache2/modules/mod_jk-1.2.28-httpd-2.0.X.so is garbled - perhaps this is not an Apache module DSO?

I have the following compiled in modules in Apache 2.2.3, 64-bit.

Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_dbd.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_cache.c
  mod_disk_cache.c
  mod_dbd.c
  mod_echo.c
  mod_include.c
  mod_filter.c
  mod_log_config.c
  mod_env.c
  mod_mime_magic.c
  mod_expires.c
  mod_headers.c
  mod_usertrack.c
  mod_setenvif.c
  mod_ssl.c
  worker.c
  http_core.c
  mod_mime.c
  mod_dav.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_info.c
  mod_cgid.c
  mod_cgi.c
  mod_dav_fs.c
  mod_negotiation.c
  mod_dir.c
  mod_imagemap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c

I am using Tomcat 6.0.18 and am trying to load this module like so:

LoadModule jk_module /usr/local/apache2/modules/mod_jk.so

I really am not sure what is the problem here. Is the module actually garbled or is it something else that produces this very misleading error?

Regards,

Dave
Re: Re: error with jk_module
From: Dave Filchak sub...@zuka.net
Date: Wed, 05 May 2010 15:05:17 -0400

Actually, the server version for this instance is 2.0.52 and I have the following now in my config:

LoadModule jk_module /usr/local/apache2/modules/mod_jk.so

and when I test the config I get:

API module structure `jk_module' in file /usr/local/apache2/modules/mod_jk.so is garbled - perhaps this is not an Apache module DSO?

I made sure I downloaded the .so for Apache 2.0.x so I think that is right. I have a tomcat app running so I am wondering, do I have to shut it down before trying to restart the server or testing the config? I really need to restart the server because it was listening on all interfaces to port 443 and I needed to stop that happening. But I do not want to restart until I figure out why the hell I am getting this error.

If I comment the LoadModule out, then it starts complaining about the JkWorkersFile and if I comment that, then the JkShmFile ... and on it goes. It is very annoying.

Dave

On 22/07/64 2:59 PM, André Warnier wrote:
> Dave Filchak wrote:
> ...
>
> this :
>> httpd: Syntax error on line 439 of /usr/local/apache2/conf/httpd.conf: API module structure `jk_module' in file /usr/local/apache2/modules/mod_jk-1.2.28-httpd-2.0.X.so is garbled - perhaps this is not an Apache module DSO?
> ...
>
> and this :
>> LoadModule jk_module /usr/local/apache2/modules/mod_jk.so
>
> do not seem to match (the filename), unless mod_jk.so is a link to the other one. Are you sure it is ?
>
> Also, if it is a link, and if your Apache is a 2.2 version, then it would appear that you may have downloaded a wrong version of the mod_jk.so. The end of the version says httpd-2.0.X.so, which would appear to make it a version for Apache 2.0.x, not 2.2.x.
Re: Re: error with jk_module
From: Dave Filchak sub...@zuka.net
Date: Thu, 06 May 2010 11:45:12 -0400

I will implement the IfModule stuff (thanks also to Andre) but I think I finally figured it out. First, it turns out I had another version of apache on the server I did not realize. (This server was managed by someone else before me and I did not know exactly what was on it.) There was the 2.0.53 version, which was a yum install. Then there was the 2.2.3 version, a separate instance of Apache I installed which is listening on a different IP. But there was also a third instance of 2.2.3 installed but was not running. However, the modules in question were actually compiled for that version, hence the complaining. So I stopped the 2.0.53 version and cranked up the 2.2.3 version. Still complained a bit so I recompiled a fresh module for that version and voila, there she works! Why don't EVER have to stop learning ;-)

Thanks again to those who took the time to try and answer my questions.

Regards to all.

Dave

On 22/07/64 2:59 PM, Christopher Schultz wrote:
> Dave,
>
> On 5/5/2010 3:05 PM, Dave Filchak wrote:
>> Actually, the server version for this instance is 2.0.52 and I have the following now in my config:
>>
>> LoadModule jk_module /usr/local/apache2/modules/mod_jk.so
>>
>> and when I test the config I get:
>>
>> API module structure `jk_module' in file /usr/local/apache2/modules/mod_jk.so is garbled - perhaps this is not an Apache module DSO?
>
> What happens when you do:
>
> $ file /usr/local/apache2/modules/mod_jk.so
>
> Did you check the md5sum from the mirror you used to download?
>
>> I made sure I downloaded the .so for Apache 2.0.x so I think that is right. I have a tomcat app running so I am wondering, do I have to shut it down before trying to restart the server or testing the config?
>
> No, you can (re)start Apache and Tomcat in any order.
>
>> If I comment the LoadModule out, then it starts complaining about the JkWorkersFile and if I comment that, then the JkShmFile ... and on it goes. It is very annoying.
>
> Try doing this:
>
> <IfModule mod_jk.c>
>   JkLogFile /var/log/apache2/mod_jk.log
>   JkLogLevel Info
>   JkShmFile /var/log/apache2/jk-runtime-status
>   JkWorkersFile /etc/apache2/jk_workers.properties
> </IfModule>
>
> The IfModule will have Apache skip the mod_jk configuration if the module isn't loaded.
>
> -chris
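An added example, not part of the thread: a pre-load check for the mismatch this thread ended on, a module built for a different httpd release line than the server loading it. It reads the ELF header (the facts `file` reports) and searches heuristically for the start of the module structure, whose first field is the build-time MODULE_MAGIC_NUMBER_MAJOR; the function names and sample bytes are constructed for the example, and the scan is a heuristic that does not replace httpd's own config test.

```python
import struct

# MODULE_MAGIC_NUMBER_MAJOR per httpd release line (values from httpd's ap_mmn.h).
MMN_MAJOR = {20020903: "2.0", 20051115: "2.2", 20120211: "2.4"}
ELF_CLASS = {1: "32-bit", 2: "64-bit"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object"}


def elf_summary(blob):
    """Word size, byte order and file type from the ELF header, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    endian = "<" if blob[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", blob, 16)
    return {
        "bits": ELF_CLASS.get(blob[4], "unknown"),
        "endian": endian,
        "type": ELF_TYPE.get(e_type, "other"),
    }


def built_for(blob, endian="<"):
    """Heuristic: httpd release lines whose module-struct header appears in blob.

    A module struct begins with three ints: version (the MMN major),
    minor_version and module_index, which is -1 in the file on disk.
    """
    minus_one = struct.pack(endian + "i", -1)
    found = set()
    for major, line in MMN_MAJOR.items():
        needle = struct.pack(endian + "i", major)
        pos = blob.find(needle)
        while pos != -1:
            if blob[pos + 8:pos + 12] == minus_one:
                found.add(line)
            pos = blob.find(needle, pos + 1)
    return sorted(found)


def check_module(blob, server_line, server_bits):
    """List reasons this file would not load into the given httpd."""
    info = elf_summary(blob)
    if info is None:
        return ["not an ELF file"]
    problems = []
    if info["type"] != "shared object":
        problems.append("ELF type is %s, not a shared object" % info["type"])
    if info["bits"] != server_bits:
        problems.append("module is %s, httpd is %s" % (info["bits"], server_bits))
    lines = built_for(blob, info["endian"])
    if not lines:
        problems.append("no known module header found")
    elif server_line not in lines:
        problems.append("module built for httpd %s, server is %s"
                        % ("/".join(lines), server_line))
    return problems


def constructed_module(mmn_major):
    """Constructed bytes: an ELF64 header plus a module-struct header. Not loadable."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian
    header = ident + struct.pack("<HHI", 3, 62, 1)        # ET_DYN, x86-64, version 1
    header = header.ljust(64, b"\0")
    module = struct.pack("<iii", mmn_major, 0, -1)
    return header + bytes(32) + module + bytes(64)


if __name__ == "__main__":
    sample = constructed_module(20051115)  # stands in for a module built for 2.2
    for server in ("2.0", "2.2"):
        print("httpd %s:" % server, check_module(sample, server, "64-bit") or "ok")
```

On a real host, the bytes would come from `open(path, "rb").read()` on the module file.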
WebSocket connection silently drops
Hi,

I have a desktop application that, using the org.glassfish.tyrus WebSocket implementation, connects and talks with a parent web application running on Tomcat. All runs well for a while but, after data transfer falls quiet for a few minutes, the connection gets silently dropped (nothing in the logs).

The ServerEndpoint onOpen() method sets the session to never time out: session.setMaxIdleTimeout(0). But this hasn't had the desired effect. I've not (yet) implemented a game of ping pong to keep connections alive over long periods of time. Still, I'd like to know why connections consistently get dropped after just a matter of minutes, and whether this can be resolved with a simple configuration change.

Web.xml is configured to keep sessions alive for 720 minutes, so the problem is not there.

720

WebSocket connections are handled by Tomcat port 8080, and as you can see this is set in server.xml to time out after just 20 seconds. I haven't tried extending this for fear it may have undesirable side effects. Anyway, connections are dropping after several minutes, not 20 seconds.

protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />

Any suggestions much appreciated.

Regards, Chris.
Re: WebSocket connection silently drops
It turns out that I was premature in concluding connections were silently getting dropped. I left the client application running for another quarter hour after it stopped displaying message updates from the server. On shutting it down, the server immediately recorded that the client had just disconnected. This indicates that the WebSocket connection is not being silently dropped after all, rather the client is becoming deaf to inbound messages after a few minutes. Exactly why this is is a mystery. But evidently it is a Tyrus rather than a Tomcat or network issue (they communicate across the internet, to answer your earlier question).

Regards, Chris.
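The ping/pong keepalive that the original post mentions not having implemented yet, written for the server side with the standard javax.websocket API that Tomcat 8 provides. This is an added example, not code from the thread; the endpoint path, the class name and both intervals are assumptions.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.concurrent.*;
import javax.websocket.*;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint("/updates") // hypothetical path, not from the thread
public class HeartbeatEndpoint {
    private static final long PING_EVERY_MS = 30_000; // assumed interval
    private static final long DEAD_AFTER_MS = 90_000; // assumed: three missed pongs
    // When each open session was opened or last answered a ping.
    private static final ConcurrentMap<Session, Long> LAST_PONG = new ConcurrentHashMap<>();

    static { // one daemon timer for all sessions, so it never blocks Tomcat shutdown
        Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "ws-heartbeat");
            t.setDaemon(true);
            return t;
        }).scheduleAtFixedRate(HeartbeatEndpoint::sweep,
                PING_EVERY_MS, PING_EVERY_MS, TimeUnit.MILLISECONDS);
    }

    @OnOpen
    public void onOpen(Session session) {
        session.setMaxIdleTimeout(0); // as in the post: no container idle timeout
        LAST_PONG.put(session, System.currentTimeMillis());
    }

    @OnMessage // pong frames are delivered to the endpoint as PongMessage
    public void onPong(PongMessage pong, Session session) {
        LAST_PONG.put(session, System.currentTimeMillis());
    }

    @OnClose
    public void onClose(Session session) {
        LAST_PONG.remove(session);
    }

    private static void sweep() {
        long now = System.currentTimeMillis();
        LAST_PONG.forEach((session, seen) -> {
            try {
                if (now - seen > DEAD_AFTER_MS) { // peer stopped answering: close visibly
                    session.close(new CloseReason(CloseReason.CloseCodes.GOING_AWAY, "no pong"));
                } else {
                    session.getBasicRemote().sendPing(ByteBuffer.wrap(new byte[] {1}));
                }
            } catch (IOException | RuntimeException e) {
                if (!session.isOpen()) LAST_PONG.remove(session); // otherwise retry next sweep
            }
        });
    }
}
```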