RE: Disable connector by property
-----Original Message-----
From: Mark Thomas
Sent: Wednesday, May 13, 2020 5:28 PM
To: users@tomcat.apache.org
Subject: Re: Disable connector by property

On 13/05/2020 20:16, T. Papke wrote:
> Hello all,
>
> Currently adding or removing a connector requires changes to the XML
> structure of the server.xml (at least 9.x)
>
> Is there any option to enable or disable a connector with a system
> property? If not, does it make sense to add an "enabled" attribute to
> the connector or implicitly interpret a Port = "-1" as disabled?

> What problem are you trying to solve?

> Mark

> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Isn't it just as easy that if you don't want a connector enabled, don't define it or comment it out?
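The replies in this thread reduce to one rule: a connector is enabled exactly when server.xml declares it, so the way to turn one off is to delete it or comment it out. The script below is an added example, not code from this thread or from Tomcat itself: it parses a server.xml and lists every declared Connector, flagging the points a hardening review asks about (no address binding, an AJP listener still present, a ${...} placeholder with no property behind it). Tomcat does resolve ${name} in attribute values from system properties, so a port can be parameterised from the command line, but nothing in the thread turns a connector off that way. The sample server.xml, the property name admin.port and the function names are constructed for the demo.

```python
"""Audit the Connector elements a Tomcat server.xml will actually start.

Added example, not code from the thread or from Tomcat. A Connector is enabled
exactly when it is declared (a commented-out one is not; ElementTree drops
comments), so the useful check is a list of what the file declares, with the
usual questions: bound to every interface? AJP still present? does each
${...} placeholder resolve? Tomcat substitutes ${name} from system
properties; a name that is not set stays literal, which this script reports
rather than guessing what Tomcat will do with it.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the stock server.xml: HTTP/1.1 on 8080,
# AJP on 8009, a commented-out HTTPS connector, and a loopback-only admin
# connector whose port comes from a property. None of this is from the thread.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="${admin.port}" address="127.0.0.1" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def substitute(value, props):
    """Replace ${name} with props[name]; names that are not set are left as-is."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def audit_connectors(server_xml, props=None):
    """Return one finding per declared Connector: where it listens and what to question."""
    props = props or {}
    findings = []
    for service in ET.fromstring(server_xml).iter("Service"):
        for conn in service.findall("Connector"):
            port = substitute(conn.get("port", ""), props)
            address = conn.get("address")          # absent means every interface
            protocol = conn.get("protocol", "HTTP/1.1")
            issues = []
            if PLACEHOLDER.search(port):
                issues.append("unresolved ${...} in port; set the property, the value is not a number")
            if address is None or address in ("0.0.0.0", "::"):
                issues.append("bound to all interfaces")
            if "AJP" in protocol.upper():
                issues.append("AJP connector enabled; remove it unless a reverse proxy on this host speaks AJP")
            findings.append({"service": service.get("name"), "port": port,
                             "address": address or "*", "protocol": protocol, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML, {"admin.port": "8081"}):
        print(f'{f["service"]}: {f["protocol"]} on {f["address"]}:{f["port"]} -> '
              + ("; ".join(f["issues"]) or "ok"))
```

Run it against the real file (`audit_connectors(open("/etc/tomcat/server.xml").read(), dict(os.environ))` if the properties come from the environment, or a dict of the -D values from tomcat.conf) before a restart; the AJP check matters because the stock file, as the "ajp-bio-8009" thread name in the CentOS log later on this page shows, ships with that listener declared.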
Re: Disable connector by property
On 13/05/2020 20:16, T. Papke wrote:
> Hello all,
>
> Currently adding or removing a connector requires changes to the XML
> structure of the server.xml (at least 9.x)
>
> Is there any option to enable or disable a connector with a system
> property? If not, does it make sense to add an "enabled" attribute to the
> connector or implicitly interpret a Port = "-1" as disabled?

What problem are you trying to solve?

Mark
Re: CentOS Tomcat install seems to ignore setenv.sh
On Wed, May 13, 2020 at 1:31 PM Coty Sutherland wrote:
> Hi,
>
> Please see responses in line below. I'm top posting a bit because the
> thread got off in the weeds about permissions it seems, which are important
> but not exactly relevant to your problem IMO.

Indeed, thank you.

> On Tue, May 12, 2020 at 11:28 AM Patrick Baldwin <pbald...@myersinfosys.com> wrote:
> > I've gotten passed an odd (to me, anyway) issue with one of our clients'
> > CentOS systems.
> >
> > When our webapp starts running, tomcat dies shortly thereafter with an
> > OutOfMemoryError. This apparently just started a few days ago.
>
> The issue isn't really odd. The JVM is telling you that something is
> preventing the garbage collector from being effective and therefore
> exhausting your heap space. See
> https://docs.oracle.com/javase/8/docs/technotes/guides/vm/gctuning/parallel.html#parallel_collector_excessive_gc
> for more information about the particular OOME you noted that you're
> experiencing.

Reading that, I'm not quite sure if this error would happen if tomcat is honoring the memory restrictions that have been (hopefully?) set in config. One of our devs thinks the issue is with tomcat not honoring memory restrictions, so I'm trying to see if there's any way I can make sure it is. I'm also trying to figure out if this could be an issue with the Java code, and not tomcat config per se.

> > System info:
> >
> > Tomcat Version: Apache Tomcat/7.0.76
> > JVM version: 1.8.0_191-b12
> > OS: CentOS Linux release 7.6.1810 (Core)
> >
> > This seemed to indicate that catalina.sh isn't the place for environment
> > variables on Tomcat 7 for Linux:
> > https://forums.centos.org/viewtopic.php?t=54207
> >
> > Since there isn't a setenv.sh in /usr/local/tomcat/bin, we create one:
> > https://stackoverflow.com/questions/9480210/tomcat-7-setenv-sh-is-not-found
> >
> > 195$ ls -l /usr/local/tomcat/bin/setenv.sh
> > -rwxrwxrwx. 1 root tomcat 110 May 11 12:56 /usr/local/tomcat/bin/setenv.sh
> >
> > 45$ cat /usr/local/tomcat/bin/setenv.sh
>
> Assuming you've installed tomcat using yum, the startup doesn't use
> startup.sh at all so the setenv.sh script is ignored. Instead you want to
> put your settings into /etc/tomcat/tomcat.conf which is sourced by the
> systemd service unit. If you want to learn more about how that works, check
> out the unit file to see which scripts it calls (/usr/libexec/tomcat/server
> -> /usr/libexec/tomcat/preamble -> /usr/libexec/tomcat/functions).

To /etc/tomcat/tomcat.conf I added:

# You can pass some parameters to java here if you wish to
#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
JAVA_OPTS="-Xmx2048m -XX:MaxPermSize=2048m"

And now see:

sudo journalctl -u tomcat -f :

May 13 15:50:01 protrack server[24306]: OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=2048m; support was removed in 8.0
...
May 13 15:50:01 protrack server[24306]: INFO: Command line argument: -Xmx2048m
May 13 15:50:01 protrack server[24306]: May 13, 2020 3:50:01 PM org.apache.catalina.startup.VersionLoggerListener log
May 13 15:50:01 protrack server[24306]: INFO: Command line argument: -XX:MaxPermSize=2048m
May 13 15:50:01 protrack server[24306]: May 13, 2020 3:50:01 PM org.apache.catalina.startup.VersionLoggerListener log
May 13 15:50:01 protrack server[24306]: INFO: Command line argument: -Xms2048m
May 13 15:50:01 protrack server[24306]: May 13, 2020 3:50:01 PM org.apache.catalina.startup.VersionLoggerListener log
May 13 15:50:01 protrack server[24306]: INFO: Command line argument: -Xmx2048m
...
May 13 15:51:23 protrack server[24306]: SEVERE: Unexpected death of background thread ContainerBackgroundProcessor[StandardEngine[Catalina]]
May 13 15:51:23 protrack server[24306]: java.lang.OutOfMemoryError: GC overhead limit exceeded
May 13 15:51:23 protrack server[24306]: Exception in thread "ContainerBackgroundProcessor[StandardEngine[Catalina]]" java.lang.OutOfMemoryError: GC overhead limit exceeded

So, it is now definitely picking up that memory restriction, but it seems to be ignoring it because it's deprecated. I've also found this:
https://stackoverflow.com/questions/22634644/java-hotspottm-64-bit-server-vm-warning-ignoring-option-maxpermsize

Specifically, "I think this was downvoted because it implies that you should switch previous uses of MaxPermGen with MaxMetaSpaceSize which is misleading, since their roles have practically reversed. Before Java 8 class metadata space resided in PermGen which was limited by 32/64MB, and MaxPerGen was used to increase it. Starting from Java 8 however, PermGen is no more and class metadata space is unlimited, so MaxMetaspace size is actually used to decrease it."

So that seems to suggest Java is not running out of heap memory and making tomcat die, but that it really is just spending a lot of time on garbage collection?

> > export CATALINA_OPTS="-server -Xms2048m -Xmx2048m"
> >
> > export
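The journal excerpt in the message above already contains the answer to "is Tomcat honouring the memory settings?": VersionLoggerListener echoes every JVM argument it received, and HotSpot names the option it dropped. The script below is an added example, not code from the thread: it extracts both from journalctl output, resolves the repeated -Xmx the way HotSpot does (the last occurrence applies), and lists any OutOfMemoryError message seen. The sample lines are constructed to match the excerpt; the function and pattern names are mine.

```python
"""Report what the Tomcat JVM was really started with, from journald output.

Added example, not code from the thread. VersionLoggerListener logs each JVM
argument at startup ("Command line argument: ..."), and HotSpot prints a
"VM warning: ignoring option ..." line for flags it no longer honours. Reading
both from the journal answers the heap question from the process itself rather
than from free(1), which only sees the whole host.
"""
import re

# Constructed sample in the shape of the journalctl excerpt in the thread; the
# repeated -Xmx and the ignored MaxPermSize are the points of interest.
SAMPLE_JOURNAL = """\
May 13 15:50:01 protrack server[24306]: OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=2048m; support was removed in 8.0
May 13 15:50:01 protrack server[24306]: May 13, 2020 3:50:01 PM org.apache.catalina.startup.VersionLoggerListener log
May 13 15:50:01 protrack server[24306]: INFO: Command line argument: -Xmx2048m
May 13 15:50:01 protrack server[24306]: INFO: Command line argument: -XX:MaxPermSize=2048m
May 13 15:50:01 protrack server[24306]: INFO: Command line argument: -Xms2048m
May 13 15:50:01 protrack server[24306]: INFO: Command line argument: -Xmx2048m
May 13 15:51:23 protrack server[24306]: SEVERE: Unexpected death of background thread ContainerBackgroundProcessor[StandardEngine[Catalina]]
May 13 15:51:23 protrack server[24306]: java.lang.OutOfMemoryError: GC overhead limit exceeded
"""

ARG_RE = re.compile(r"Command line argument: (\S+)")
IGNORED_RE = re.compile(r"VM warning: ignoring option (\S+?);")
OOME_RE = re.compile(r"java\.lang\.OutOfMemoryError: (.+?)\s*$", re.MULTILINE)
SIZE_RE = re.compile(r"(\d+)([kKmMgG]?)")
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}


def parse_size(value):
    """'2048m' -> bytes. HotSpot accepts k/m/g suffixes in either case, or plain bytes."""
    m = SIZE_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"not a HotSpot size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def summarize_jvm_args(journal_text):
    """Effective heap flags, ignored options, duplicates and any OOME seen in the log."""
    args = ARG_RE.findall(journal_text)
    heap = {}
    for arg in args:
        for flag in ("-Xms", "-Xmx"):
            if arg.startswith(flag):
                heap[flag] = parse_size(arg[len(flag):])  # HotSpot applies the last one given
    return {
        "args": args,
        "initial_heap_bytes": heap.get("-Xms"),
        "max_heap_bytes": heap.get("-Xmx"),
        "ignored_options": IGNORED_RE.findall(journal_text),
        "duplicate_args": sorted({a for a in args if args.count(a) > 1}),
        "oome_messages": list(dict.fromkeys(OOME_RE.findall(journal_text))),
    }


if __name__ == "__main__":
    s = summarize_jvm_args(SAMPLE_JOURNAL)
    print(f"max heap {s['max_heap_bytes'] >> 20} MiB, initial {s['initial_heap_bytes'] >> 20} MiB")
    print("ignored by the JVM:", s["ignored_options"])
    print("passed more than once:", s["duplicate_args"])
    print("OutOfMemoryError seen:", s["oome_messages"])
```

Feed it `journalctl -u tomcat --no-pager` output. A non-empty "ignored by the JVM" list means tomcat.conf still carries pre-Java-8 flags; a duplicate -Xmx means the value is being set in more than one place (tomcat.conf and another sourced file), which is worth knowing before anyone concludes that the limit is not applied.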
Disable connector by property
Hello all,

Currently adding or removing a connector requires changes to the XML structure of the server.xml (at least 9.x).

Is there any option to enable or disable a connector with a system property? If not, does it make sense to add an "enabled" attribute to the connector or implicitly interpret a Port = "-1" as disabled?

Thank you,

Kind regards,
Thomas
Re: CentOS Tomcat install seems to ignore setenv.sh
Hi,

Please see responses in line below. I'm top posting a bit because the thread got off in the weeds about permissions it seems, which are important but not exactly relevant to your problem IMO.

On Tue, May 12, 2020 at 11:28 AM Patrick Baldwin wrote:
> I've gotten passed an odd (to me, anyway) issue with one of our clients'
> CentOS systems.
>
> When our webapp starts running, tomcat dies shortly thereafter with an
> OutOfMemoryError. This apparently just started a few days ago.

The issue isn't really odd. The JVM is telling you that something is preventing the garbage collector from being effective and therefore exhausting your heap space. See
https://docs.oracle.com/javase/8/docs/technotes/guides/vm/gctuning/parallel.html#parallel_collector_excessive_gc
for more information about the particular OOME you noted that you're experiencing.

> System info:
>
> Tomcat Version: Apache Tomcat/7.0.76
> JVM version: 1.8.0_191-b12
> OS: CentOS Linux release 7.6.1810 (Core)
>
> This seemed to indicate that catalina.sh isn't the place for environment
> variables on Tomcat 7 for Linux:
> https://forums.centos.org/viewtopic.php?t=54207
>
> Since there isn't a setenv.sh in /usr/local/tomcat/bin, we create one:
> https://stackoverflow.com/questions/9480210/tomcat-7-setenv-sh-is-not-found
>
> 195$ ls -l /usr/local/tomcat/bin/setenv.sh
> -rwxrwxrwx. 1 root tomcat 110 May 11 12:56 /usr/local/tomcat/bin/setenv.sh
>
> 45$ cat /usr/local/tomcat/bin/setenv.sh

Assuming you've installed tomcat using yum, the startup doesn't use startup.sh at all so the setenv.sh script is ignored. Instead you want to put your settings into /etc/tomcat/tomcat.conf which is sourced by the systemd service unit. If you want to learn more about how that works, check out the unit file to see which scripts it calls (/usr/libexec/tomcat/server -> /usr/libexec/tomcat/preamble -> /usr/libexec/tomcat/functions).

> export CATALINA_OPTS="-server -Xms2048m -Xmx2048m"
> export JAVA_OPTS="-XX:PermSize=256m -XX:MaxPermSize=2048m"
> 46$
>
> System memory before starting tomcat:
>
> 188$ free -h
>               total        used        free      shared  buff/cache   available
> Mem:            11G        2.3G        2.2G        2.0G        7.1G        6.7G
> Swap:          8.0G        1.0G        7.0G
>
> Started tomcat, with sudo service tomcat start
>
> Tomcat journal error:
>
> May 11 17:48:59 protrack server[7298]: SEVERE: Unexpected death of background thread ContainerBackgroundProcessor[StandardEngine[Catalina]]
> May 11 17:48:59 protrack server[7298]: java.lang.OutOfMemoryError: GC overhead limit exceeded
> May 11 17:48:59 protrack server[7298]: Exception in thread "ContainerBackgroundProcessor[StandardEngine[Catalina]]" java.lang.OutOfMemoryError: GC overhead limit exceeded
> May 11 17:49:38 protrack server[7298]: Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "http-bio-8080-AsyncTimeout"
> May 11 17:49:39 protrack server[7298]: Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "ajp-bio-8009-AsyncTimeout"
> May 11 17:49:42 protrack server[7298]: Exception in thread "org.springframework.scheduling.quartz.SchedulerFactoryBean#0_QuartzSchedulerThread"
>
> Application log error:
>
> Caused by: java.lang.OutOfMemoryError: GC overhead limit exceeded
> 2020-05-11 17:49:50 [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-2] ERROR o.s.t.i.TransactionInterceptor - Application exception overridden by rollback exception
> java.lang.OutOfMemoryError: GC overhead limit exceeded
>
> System memory while tomcat is up, after the OutOfMemoryError pops:
>
> ksmq_tv 191$ free -h
>               total        used        free      shared  buff/cache   available
> Mem:            11G        3.5G        1.0G        2.0G        7.1G        5.5G
> Swap:          8.0G        1.0G        7.0G
>
> Stopped with sudo service tomcat stop
>
> System memory after tomcat stopped:
>
> ksmq_tv 194$ free -h
>               total        used        free      shared  buff/cache   available
> Mem:            11G        795M        3.7G        2.0G        7.1G        8.2G
> Swap:          8.0G        1.0G        7.0G
>
> It sure doesn't look like something is actually running the system out of
> memory at a system level; usage is definitely impacted by starting our app,
> but that's expected.

The system isn't running out of memory, Tomcat's JVM is. This could be due to numerous things, so you'll have to do some digging to find out why that is. I'd start by enabling/collecting/reviewing GC logging and a heap dump from the time of the OOME, which you may have to take manually (I don't recall if the HeapDumpOnOutOfMemory argument triggers with a GC overhead error). As a simple solution try and increase the amount of heap that you give the instance to see if the problem goes away or if it occurs after a
Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh
Chris,

> On 13.05.2020 at 16:42, Christopher Schultz wrote:
>
> Peter,
>
> On 5/13/20 02:48, logo wrote:
>> Hi calder,
>>
>>> On 13.05.2020 at 04:59, calder wrote:
>>>
>>> On Tue, May 12, 2020, 21:48 kohmoto wrote:
>>>
>>>> Hi, Calder,
>>>>
>>>> Thank you for your prompt reply.
>>>> I think Tomcat binary files all have root privileges.
>>>> Should these privileges be changed to user privileges?
>>>
>>> Yes.
>>
>> I would suggest to leave the binaries and maybe even config files
>> to root or any other admin. So a hacked tomcat process under tomcat
>> user will not be able to exchange config or even binaries.
>
> Yes! There really is no need for Tomcat to modify its own config files
> or binaries.
>
>> That will only work if the config will not be changed via
>> host-manager or programmatically.
>
> This shouldn't be too much of a problem. Not many people use the
> host-manager.
>
>> In the past we even held the installed webapps under a different
>> user. but that maybe difficult in automated deployments.
>
> This is less important IMO. The owner of the files can be anybody...
> just not the Tomcat user.
>
> And, before anybody says "but.. but... Docker!" you should remember
> that root in a Docker container often ends up having many more
> privileges outside the container than you think it does/should.

Never ignore this! As simple as adding the following to your Dockerfile

RUN set -x \
 && groupadd tomcat \
 && useradd -g tomcat -s /usr/bin/nologin -m -d /home/tomcat tomcat \
 && chown -R tomcat:tomcat $CATALINA_HOME/logs $CATALINA_HOME/work $CATALINA_HOME/temp
# add $CATALINA_HOME/webapps if you use the manager-app
USER tomcat

before running the ENTRYPOINT or CMD.

BTW: that is something that is really missing in the "Official" Tomcat Docker images. (I know they are not maintained by ASF)

Peter

> -chris
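The ownership split Peter and Chris describe (binaries and config owned by root, only logs/work/temp writable by the service account) is easy to drift from, and drift is silent: the mode 777 setenv.sh in Patrick's ls -l earlier on this page is a startup script that any local account can edit. The script below is an added example, not code from the thread or from Tomcat: it walks an installation tree and reports entries the service account could modify outside the allowed directories, plus anything world-writable. It builds its sample tree in a temporary directory and, since it cannot chown without root, runs the audit once with the current uid standing in for the service account and once with a different uid standing in for an admin owner; the file list and modes are constructed for the demo.

```python
"""Check that the Tomcat service account cannot rewrite Tomcat's binaries or config.

Added example, not code from the thread. It walks an installation tree and
reports what the service user could modify outside the directories it has to
write (logs, work, temp; add webapps only if the manager app deploys there),
plus anything world-writable, such as the mode 777 setenv.sh shown earlier on
this page. The demo tree is constructed in a temporary directory.
"""
import os
import stat
import tempfile
from pathlib import Path

ALLOWED_WRITABLE = ("logs", "work", "temp")  # top-level dirs the service user legitimately writes


def audit_tree(root, service_uid, service_gid, allowed=ALLOWED_WRITABLE):
    """Return (relative path, reason) pairs for entries the service account should not be able to change."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue                                   # judge the target, not the link
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if rel.split("/", 1)[0] in allowed:
            continue                                   # expected to be writable
        if st.st_uid == service_uid and mode & stat.S_IWUSR:
            findings.append((rel, "owned and writable by service user"))
        elif st.st_gid == service_gid and mode & stat.S_IWGRP:
            findings.append((rel, "group-writable by service group"))
    return findings


def build_demo_tree(base):
    """Constructed CATALINA_HOME with one world-writable startup script, as in the ls -l above."""
    files = {"bin/setenv.sh": 0o777, "bin/catalina.sh": 0o755, "conf/server.xml": 0o640,
             "logs/catalina.out": 0o640, "work/Catalina/localhost/x": 0o640}
    for rel, mode in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("# demo\n")
        p.chmod(mode)
    for d in Path(base).rglob("*"):
        if d.is_dir():
            d.chmod(0o755)                             # independent of the caller's umask


def demo():
    """Run the audit twice over the same tree: owned by the service account, then by an admin."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        uid, gid = os.getuid(), os.getgid()            # the demo files are owned by us
        as_service_owner = audit_tree(tmp, uid, gid)   # everything owned by "tomcat": the bad layout
        as_admin_owner = audit_tree(tmp, uid + 1, gid + 1)  # owned by someone else: only 777 remains
        return as_service_owner, as_admin_owner


if __name__ == "__main__":
    for label, findings in zip(("owned by service user", "owned by admin"), demo()):
        print(f"{label}:")
        for rel, reason in findings or [("-", "nothing to report")]:
            print(f"  {rel}: {reason}")
```

On a real host call `audit_tree("/usr/share/tomcat", pwd.getpwnam("tomcat").pw_uid, grp.getgrnam("tomcat").gr_gid)` (the path is the one the CentOS package uses; adjust for a tarball install), and run it as part of the deployment rather than once: the Dockerfile above gets the layout right at build time, but a later `chown -R` or a 777 "to make it work" undoes it without any error.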
Re: CONFIRM subscribe to users@tomcat.apache.org
Sorry for the noise. I hit the wrong reply button.

Mark
Re: CONFIRM subscribe to users@tomcat.apache.org
Domain checks out.

On 13/05/2020 15:36, users-h...@tomcat.apache.org wrote:
> Hi! This is the ezmlm program. I'm managing the
> users@tomcat.apache.org mailing list.
>
> I respectfully request your permission to add
>
>    kapil.gir...@mkspamp.com
>
> to the subscribers of the users mailing list. This request
> either came from you, or it has already been verified by
> the potential subscriber.
Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh
Peter,

On 5/13/20 02:48, logo wrote:
> Hi calder,
>
>> On 13.05.2020 at 04:59, calder wrote:
>>
>> On Tue, May 12, 2020, 21:48 kohmoto wrote:
>>
>>> Hi, Calder,
>>>
>>> Thank you for your prompt reply. I think Tomcat binary files
>>> all have root privileges. Should these privileges be
>>> changed to user privileges?
>>
>> Yes.
>
> I would suggest to leave the binaries and maybe even config files
> to root or any other admin. So a hacked tomcat process under tomcat
> user will not be able to exchange config or even binaries.

Yes! There really is no need for Tomcat to modify its own config files or binaries.

> That will only work if the config will not be changed via
> host-manager or programmatically.

This shouldn't be too much of a problem. Not many people use the host-manager.

> In the past we even held the installed webapps under a different
> user. but that maybe difficult in automated deployments.

This is less important IMO. The owner of the files can be anybody... just not the Tomcat user.

And, before anybody says "but.. but... Docker!" you should remember that root in a Docker container often ends up having many more privileges outside the container than you think it does/should.

-chris
Re: [OT] Re: CentOS Tomcat install seems to ignore setenv.sh
Hi, Logo,

My current practice is as you suggest.
Thank you for your advice.

Yours truly,
Kazuhiko Kohmoto

On 2020/05/13 15:48, logo wrote:
> Hi calder,
>
>> On 13.05.2020 at 04:59, calder wrote:
>>
>> On Tue, May 12, 2020, 21:48 kohmoto wrote:
>>
>>> Hi, Calder,
>>>
>>> Thank you for your prompt reply.
>>> I think Tomcat binary files all have root privileges.
>>> Should these privileges be changed to user privileges?
>>
>> Yes.
>
> I would suggest to leave the binaries and maybe even config files to root or any other admin. So a hacked tomcat process under tomcat user will not be able to exchange config or even binaries.
>
> That will only work if the config will not be changed via host-manager or programmatically.
>
> In the past we even held the installed webapps under a different user. but that maybe difficult in automated deployments.
>
> My 2cts.
>
> Peter
>
>> There is a "Tomcat Security" guide at the Tomcat website. Also, Mulesoft has a good guide
>> https://www.mulesoft.com/tcat/tomcat-security
>>
>>> Yours truly,
>>> Kazuhiko Kohmoto
>>>
>>> On 2020/05/13 11:17, calder wrote:
>>>> If TC, running as root, is ever compromised, the compromising user (attacker) can gain access to the whole of the system. The attacker could execute any arbitrary command available on the system. They could remove files, or install malicious software.
Re: ClassNotFoundException when loading session from disk
Regarding the deployment location, you're right, it's unusual, but it's a legacy application.

I found out the reason for the class not being visible. There was a Context element with docBase defined in server.xml which I hadn't noticed. Nesting the Manager element inside that (rather than in context.xml) solved the issue.

On Tue, May 12, 2020 at 9:45 PM Mark Thomas wrote:
> On 12/05/2020 18:38, Jonathan Yom-Tov wrote:
> > I'm trying to use PersistentManager with FileStore to load sessions from
> > disk. Serialization goes ok but when the session is loaded I get an
> > exception deserializing one of my application's classes.
> >
> > [2020-05-12 09:08:52] [SEVERE] Session: 6325A48BA1D2FC79105C7F4B0A76CB74.worker1; java.lang.ClassNotFoundException: com.mycompany.MyClass
> >         at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1365)
> >         at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1188)
> >         at java.lang.Class.forName0(Native Method)
> >         at java.lang.Class.forName(Class.java:348)
> >         at org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:159)
> >         at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1620)
> >         at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
> >         at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1781)
> >         at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1353)
> >         at java.io.ObjectInputStream.readObject(ObjectInputStream.java:373)
> >         at org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1576)
> >         at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1048)
> >         at org.apache.catalina.session.FileStore.load(FileStore.java:234)
> >
> > Looking into the classpath when the exception occurs I see that every jar
> > in ${catalina.base}/lib is loaded plus those explicitly mentioned in the
> > run command, but none of my application's jars.
>
> That is as expected. You want to look at the WebappClassLoader instance.
> Is that pointing to the right web application? If not, why not? Pay
> particular attention to the state field.
>
> > My application is deployed in ${catalina.base}/myapp/. I tried to add a
> > ${catalina.base}/myapp/META-INF/context.xml file, but that wasn't loaded.
>
> That is an odd location. Why not in webapps?
>
> > Then I tried to add
> >
> > className="org.apache.catalina.webresources.JarResourceSet"
> > base="${catalina.base}/mycompany/WEB-INF/lib/my.jar" webAppMount="/" />
>
> That should never be necessary.
>
> > to context.xml but that didn't help either. It makes sense that Tomcat is
> > separating my application from the rest of the classpath but then how do I
> > include the required class?
>
> If the correct web application class loader is picked up, it should just
> work.
>
> Mark
Re: ClassNotFoundException when loading session from disk
On 5/12/2020 at 7:45 PM, "Mark Thomas" wrote:

On 12/05/2020 18:38, Jonathan Yom-Tov wrote:
> I'm trying to use PersistentManager with FileStore to load sessions from
> disk. Serialization goes ok but when the session is loaded I get an
> exception deserializing one of my application's classes.
>
> [2020-05-12 09:08:52] [SEVERE] Session: 6325A48BA1D2FC79105C7F4B0A76CB74.worker1; java.lang.ClassNotFoundException: com.mycompany.MyClass
>         at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1365)
>         at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1188)
>         at java.lang.Class.forName0(Native Method)
>         at java.lang.Class.forName(Class.java:348)
>         at org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:159)
>         at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1620)
>         at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
>         at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1781)
>         at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1353)
>         at java.io.ObjectInputStream.readObject(ObjectInputStream.java:373)
>         at org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1576)
>         at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1048)
>         at org.apache.catalina.session.FileStore.load(FileStore.java:234)
>
> Looking into the classpath when the exception occurs I see that every jar
> in ${catalina.base}/lib is loaded plus those explicitly mentioned in the
> run command, but none of my application's jars.

That is as expected. You want to look at the WebappClassLoader instance. Is that pointing to the right web application? If not, why not? Pay particular attention to the state field.

> My application is deployed in ${catalina.base}/myapp/. I tried to add a
> ${catalina.base}/myapp/META-INF/context.xml file, but that wasn't loaded.

That is an odd location. Why not in webapps?

> Then I tried to add
>
> className="org.apache.catalina.webresources.JarResourceSet"
> base="${catalina.base}/mycompany/WEB-INF/lib/my.jar" webAppMount="/" />

That should never be necessary.

> to context.xml but that didn't help either. It makes sense that Tomcat is
> separating my application from the rest of the classpath but then how do I
> include the required class?

If the correct web application class loader is picked up, it should just work.

Mark
[OT] Re: CentOS Tomcat install seems to ignore setenv.sh
Hi calder,

> On 13.05.2020 at 04:59, calder wrote:
>
> On Tue, May 12, 2020, 21:48 kohmoto wrote:
>
>> Hi, Calder,
>>
>> Thank you for your prompt reply.
>> I think Tomcat binary files all have root privileges.
>> Should these privileges be changed to user privileges?
>
> Yes.

I would suggest to leave the binaries and maybe even config files to root or any other admin. So a hacked tomcat process under tomcat user will not be able to exchange config or even binaries.

That will only work if the config will not be changed via host-manager or programmatically.

In the past we even held the installed webapps under a different user. but that maybe difficult in automated deployments.

My 2cts.

Peter

> There is a "Tomcat Security" guide at the Tomcat website. Also, Mulesoft
> has a good guide
> https://www.mulesoft.com/tcat/tomcat-security
>
>> Yours truly,
>> Kazuhiko Kohmoto
>>
>> On 2020/05/13 11:17, calder wrote:
>>> If TC, running as root, is ever compromised, the compromising user
>>> (attacker) can gain access to the whole of the system. The attacker could
>>> execute any arbitrary command available on the system. They could remove
>>> files, or install malicious software.