Re: Chrooting Tomcat // Linux threading issue
Hi,

If security is your main concern, you should really consider 2.6: Technologies like AppArmor are giving a lot of confidence. And you have intrusion detection included. And IMHO you have no long term alternative to using current and maintained software.

R.

On Tuesday, 13 March 2007 12:01, Roman Medina-Heigl Hernandez wrote:
> Hello,
>
> Andrew Miehs wrote:
> > On 13/03/2007, at 11:22 AM, Roman Medina-Heigl Hernandez wrote:
> > > Hello,
> > > Server version: Apache Tomcat/5.5.17
> > > Server number: 5.5.17.0
> > > OS Version: 2.4.34-grsec-rslabs-k7
> > > JVM Version:1.4.2_10-b03
> >
> > Look for NPTL and Linux in Google...
>
> I liked this article:
> http://linuxdevices.com/articles/AT6753699732.html
>
> > I would seriously recommend upgrading to a 2.6 kernel - (unless performance for your web app is irrelevant)
>
> I'll think about it. Performance, in this case, is not too much relevant. I was indeed worried about memory exhausted problems and things like that, but not about how speedy my application could run. If the application is stable enough in 2.4, I could keep that kernel. Many people consider kernel 2.4 more secure than 2.6, and in my case I prefer security to performance.
>
> > It would also be time to think about an upgrade to Java 1.5 or 1.6.
>
> Would I notice big performance improvements if upgrading? (specially regarding threading?) 1.5 or 1.6?
>
> Thanks for your help, Andrew. It is appreciated.
>
> Cheers,
> -Roman

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Chrooting Tomcat // Linux threading issue
On 13/03/2007, at 11:22 AM, Roman Medina-Heigl Hernandez wrote:
> Hello,
> Server version: Apache Tomcat/5.5.17
> Server number: 5.5.17.0
> OS Version: 2.4.34-grsec-rslabs-k7
> JVM Version:1.4.2_10-b03
>
> PS: A 2nd issue (not related to chroot) that I would like to clarify, if you're so kind: when I run the web app in Tomcat (version shown above) I got several processes (69 in particular). It seems to be related to the following FAQ:

Actually, you get 69 'threads'. Linux 2.4 kernel shows (and deals with) threads as processes.

> http://tomcat.apache.org/faq/unix.html#ps
>
> But I've read FAQ entry (and followed the two links in the entry) and it is unclear to me where there is some workaround in latest 2.4 kernels (I'm using 2.4.34; don't wanna switch to 2.6 yet). The FAQ talks about lightweight processes (the threads, as seen by Linux 2.4), but how could I check that they're really light? I'm trying to measure the possible impact of linux threading problem over my application. Some URLs or help would be welcomed.
>
> I've also set LD_ASSUME_KERNEL=2.4 and exported the variable, without any apparent change of behaviour.

Look for NPTL and Linux in Google... for example: http://kerneltrap.org/node/429

I would seriously recommend upgrading to a 2.6 kernel - (unless performance for your web app is irrelevant)

It would also be time to think about an upgrade to Java 1.5 or 1.6.
Re: Chrooting Tomcat // Linux threading issue
Hi,

it's, as far as I know, impossible to chroot tomcat after startup (unless some JNI tools to do it exist that I am not aware of). So, like any other application you would chroot before linking, you need to ensure your chrooted environment contains all libraries needed by the JVM (don't ask me for this list, sun doesn't provide it). Also your JAVA_HOME should be updated after chroot :) and tomcat script will require availability of bash most probably.

At the precise moment of 13/03/07 11:22, Roman Medina-Heigl Hernandez expressed himself in these terms:
> Hello,
>
> Please, could you recommend to me some tutorial/howto for chrooting Tomcat? Some special points to take into account?
>
> I suppose Tomcat version shouldn't mind but anyway...:
>
> [EMAIL PROTECTED]:/usr/local/obs/tomcat/bin# ./catalina.sh version
> Using CATALINA_BASE: /usr/local/obs/tomcat
> Using CATALINA_HOME: /usr/local/obs/tomcat
> Using CATALINA_TMPDIR: /usr/local/obs/tomcat/temp
> Using JRE_HOME: /usr/local/obs/java
> Server version: Apache Tomcat/5.5.17
> Server built: Apr 14 2006 02:08:29
> Server number: 5.5.17.0
> OS Name:Linux
> OS Version: 2.4.34-grsec-rslabs-k7
> Architecture: i386
> JVM Version:1.4.2_10-b03
> JVM Vendor: Sun Microsystems Inc.
>
> PS: A 2nd issue (not related to chroot) that I would like to clarify, if you're so kind: when I run the web app in Tomcat (version shown above) I got several processes (69 in particular). It seems to be related to the following FAQ:
> http://tomcat.apache.org/faq/unix.html#ps
>
> But I've read FAQ entry (and followed the two links in the entry) and it is unclear to me where there is some workaround in latest 2.4 kernels (I'm using 2.4.34; don't wanna switch to 2.6 yet). The FAQ talks about lightweight processes (the threads, as seen by Linux 2.4), but how could I check that they're really light? I'm trying to measure the possible impact of linux threading problem over my application. Some URLs or help would be welcomed.
>
> I've also set LD_ASSUME_KERNEL=2.4 and exported the variable, without any apparent change of behaviour.
>
> Thanks in advance.
>
> -Román
Re: Chrooting Tomcat // Linux threading issue
Hello,

Andrew Miehs wrote:
> On 13/03/2007, at 11:22 AM, Roman Medina-Heigl Hernandez wrote:
> > Hello,
> > Server version: Apache Tomcat/5.5.17
> > Server number: 5.5.17.0
> > OS Version: 2.4.34-grsec-rslabs-k7
> > JVM Version:1.4.2_10-b03
>
> Look for NPTL and Linux in Google...

I liked this article:
http://linuxdevices.com/articles/AT6753699732.html

> I would seriously recommend upgrading to a 2.6 kernel - (unless performance for your web app is irrelevant)

I'll think about it. Performance, in this case, is not too much relevant. I was indeed worried about memory exhausted problems and things like that, but not about how speedy my application could run. If the application is stable enough in 2.4, I could keep that kernel. Many people consider kernel 2.4 more secure than 2.6, and in my case I prefer security to performance.

> It would also be time to think about an upgrade to Java 1.5 or 1.6.

Would I notice big performance improvements if upgrading? (specially regarding threading?) 1.5 or 1.6?

Thanks for your help, Andrew. It is appreciated.

Cheers,
-Roman
Re: Chrooting Tomcat // Linux threading issue
Hello David,

There are tools/scripts which try to automate the process of chrooting an application, i.e, guessing libraries needed and so on. But they usually require additional work (fine-tuning, etc), trial-and-error tests, etc. Being Tomcat/Java a common application (at least amongst this list's users), I had supposed some of you have already done this work and could share with me their findings/work, so I could anticipate problems, issues, etc.

Cheers,
-Roman

David Delbecq wrote:
> Hi,
>
> it's, as far as I know, impossible to chroot tomcat after startup (unless some JNI tools to do it exist that I am not aware of). So, like any other application you would chroot before linking, you need to ensure your chrooted environment contains all libraries needed by the JVM (don't ask me for this list, sun doesn't provide it). Also your JAVA_HOME should be updated after chroot :) and tomcat script will require availability of bash most probably.
>
> At the precise moment of 13/03/07 11:22, Roman Medina-Heigl Hernandez expressed himself in these terms:
> > Hello,
> >
> > Please, could you recommend to me some tutorial/howto for chrooting Tomcat? Some special points to take into account?
> >
> > I suppose Tomcat version shouldn't mind but anyway...:
> >
> > [EMAIL PROTECTED]:/usr/local/obs/tomcat/bin# ./catalina.sh version
> > Using CATALINA_BASE: /usr/local/obs/tomcat
> > Using CATALINA_HOME: /usr/local/obs/tomcat
> > Using CATALINA_TMPDIR: /usr/local/obs/tomcat/temp
> > Using JRE_HOME: /usr/local/obs/java
> > Server version: Apache Tomcat/5.5.17
> > Server built: Apr 14 2006 02:08:29
> > Server number: 5.5.17.0
> > OS Name:Linux
> > OS Version: 2.4.34-grsec-rslabs-k7
> > Architecture: i386
> > JVM Version:1.4.2_10-b03
> > JVM Vendor: Sun Microsystems Inc.
> >
> > PS: A 2nd issue (not related to chroot) that I would like to clarify, if you're so kind: when I run the web app in Tomcat (version shown above) I got several processes (69 in particular). It seems to be related to the following FAQ:
> > http://tomcat.apache.org/faq/unix.html#ps
> >
> > But I've read FAQ entry (and followed the two links in the entry) and it is unclear to me where there is some workaround in latest 2.4 kernels (I'm using 2.4.34; don't wanna switch to 2.6 yet). The FAQ talks about lightweight processes (the threads, as seen by Linux 2.4), but how could I check that they're really light? I'm trying to measure the possible impact of linux threading problem over my application. Some URLs or help would be welcomed.
> >
> > I've also set LD_ASSUME_KERNEL=2.4 and exported the variable, without any apparent change of behaviour.
> >
> > Thanks in advance.
> >
> > -Román
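
Added example, not part of the thread: David's point that the jail must hold every library the JVM loads, and Roman's remark that automated tools guess that list and need trial and error, both come down to reading `ldd` output. The sketch below parses it and copies the results into a jail; the function names and the jail path are hypothetical, `/usr/local/obs/java` is the JRE_HOME from the `catalina.sh` output above, and the sample `ldd` output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): work out which shared libraries a
# chroot jail for the JVM needs. Function names are hypothetical.

# Absolute library paths from `ldd` output on stdin. Skips virtual entries
# (linux-gate.so.1) and unresolved ones; keeps the bare loader line.
ldd_paths() {
    awk '/not found/ { next }
         $2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }' | LC_ALL=C sort -u
}

# Names ldd could not resolve: locate these by hand before starting the
# JVM inside the jail.
ldd_missing() {
    awk '/not found/ { print $1 }' | LC_ALL=C sort -u
}

# ldd over the launcher AND every .so in the JRE tree: the java launcher
# dlopen()s libjvm.so, so `ldd bin/java` alone under-reports.
jre_ldd() {
    { ldd "$1/bin/java"; find "$1" -name '*.so' -exec ldd {} \; ; } 2>/dev/null
}

# Copy each path read from stdin into the jail ($1) at the same absolute
# location, following symlinks so the jail holds real files.
copy_into_jail() {
    while IFS= read -r f; do
        mkdir -p "$1$(dirname "$f")" && cp -pL "$f" "$1$f"
    done
}

# Constructed sample of `ldd` output for an i386 JVM library.
sample_ldd() {
    cat <<'EOF'
    linux-gate.so.1 =>  (0xffffe000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb7f6c000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7f68000)
    libc.so.6 => /lib/libc.so.6 (0xb7e3e000)
    /lib/ld-linux.so.2 (0xb7f9b000)
    libjvm.so => not found
EOF
}

# Real use (the jail path is an assumption):
#   jre_ldd /usr/local/obs/java | ldd_paths | copy_into_jail /var/jail/tomcat
sample_ldd | ldd_paths
```

Libraries that glibc loads by name at run time (the `libnss_*` modules, for example) never show up in `ldd` output and still have to be added to the jail by hand.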
RE: Chrooting Tomcat // Linux threading issue
> From: Roman Medina-Heigl Hernandez [mailto:[EMAIL PROTECTED]
> Subject: Re: Chrooting Tomcat // Linux threading issue
>
> Performance, in this case, is not too much relevant.
> Would I notice big performance improvements if upgrading?

I'm curious: if performance isn't relevant, why do you care if a JVM upgrade would make it better?

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Chrooting Tomcat // Linux threading issue
Hi Chuck,

Not too much relevant != isn't relevant. Performance is always relevant, so it's good to enhance it *if possible*. I mean, if switching to 2.6 could make security worse (I know, this assert could be subjective / questionable but it's one opinion) AND performance is not too much relevant, I will not switch to 2.6. I don't know the enhancements of different JVM branches/versions, nor from a performance perspective, neither from a security perspective, so a JVM upgrade could be perfectly possible and coherent with my thoughts.

I hope your curiosity is satisfied :-)

Cheers,
-r

Caldarale, Charles R wrote:
> > From: Roman Medina-Heigl Hernandez [mailto:[EMAIL PROTECTED]
> > Subject: Re: Chrooting Tomcat // Linux threading issue
> >
> > Performance, in this case, is not too much relevant.
> > Would I notice big performance improvements if upgrading?
>
> I'm curious: if performance isn't relevant, why do you care if a JVM upgrade would make it better?
>
> - Chuck
Re: Chrooting Tomcat // Linux threading issue
Hi Roman,

To be honest I don't really understand your concerns with 2.6, but if you really want to be running anything that uses threads, use a 2.6 kernel.

If the Java Tomcat App that you are running is just a frontend to something else, and not really for production purposes, then you can happily stick with 2.4

And yes - 2.6 with NPTL is MUCH faster under high load than using an old 2.4 kernel.

In my experience Java 1.5 is also much quicker than Java 1.42

On 13/03/2007, at 3:48 PM, Roman Medina-Heigl Hernandez wrote:
> Hi Chuck,
>
> Not too much relevant != isn't relevant. Performance is always relevant, so it's good to enhance it *if possible*. I mean, if switching to 2.6 could make security worse (I know, this assert could be subjective / questionable but it's one opinion) AND performance is not too much relevant, I will not switch to 2.6. I don't know the enhancements of different JVM branches/versions, nor from a performance perspective, neither from a security perspective, so a JVM upgrade could be perfectly possible and coherent with my thoughts.
>
> I hope your curiosity is satisfied :-)
>
> Cheers,
> -r
>
> Caldarale, Charles R wrote:
> > > From: Roman Medina-Heigl Hernandez [mailto:[EMAIL PROTECTED]
> > > Subject: Re: Chrooting Tomcat // Linux threading issue
> > >
> > > Performance, in this case, is not too much relevant.
> > > Would I notice big performance improvements if upgrading?
> >
> > I'm curious: if performance isn't relevant, why do you care if a JVM upgrade would make it better?
> >
> > - Chuck