Re: Migrating tomcat 6 to 9 , rmi client not working

2023-07-14 Thread Christopher Schultz

Dhayalan,

On 7/14/23 01:42, Dhayalan Ganapathy wrote:
> I am trying to migrate tomcat6 with the war to tomcat 9, but rmiclient 
> which is running in tomcat 6 not working in tomcat9.


Is rmiclient a component of your application, or something from a 
third-party?


> It throws an error  unknown protocol: war. Can you please help us to run 
> the application in tomcat 9?.


All of your screenshots were stripped from your message because this 
list does not support images. Can you please re-send with plain-text 
information?


The full stack trace and the full URL that is being used for the war: 
URL will be very helpful.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Migrating tomcat 6 to 9 , rmi client not working

2023-07-13 Thread Dhayalan Ganapathy
 Hi,



I am trying to migrate tomcat6 with the war to tomcat 9, but rmiclient
which is running in tomcat 6 not working in tomcat9.

It throws an error  unknown protocol: war. Can you please help us to run
the application in tomcat 9?.






Thanks,

Dhayalan.G


RE: tomcat 6 vulnerability scan default error page help

2018-05-07 Thread Berneburg, Cris J. - US
Mark

Thanks for taking the time to help.  Again, I appreciate it.

cjb> We are getting dinged by a vulnerability scan for the default
cjb> not-found error page being returned by Tomcat for a Status 404.
cjb> [...]
cjb> And we're using Tomcat 6.0.37 (ahem).

MT> And you are worried about returning the version number? Have you
MT> seen how many real security issues (as opposed to this version
MT> number non-issue) there are in 6.0.37? I can't help but think
MT> your priorities are all wrong.

While I agree that we need to upgrade Tomcat, and it is long overdue, I 
disagree that my priorities are *all* wrong. (tongue-in-cheek)  The compliance 
deadline looms a bit close to allow time for staging and regression testing. 
(panicked)

Ironically, the scan said nothing about the Tomcat version itself:

"The remote web server contains default files.  The default error page, default 
index page, example JSPs, and/or example servlets are installed on the remote 
Apache Tomcat server. These files should be removed as they may help an 
attacker uncover information about the remote Tomcat install or host itself.  
Delete the default index page and remove the example JSP and servlets. Follow 
the Tomcat or OWASP instructions to replace or modify the default error page."

--
Cris Berneburg
CACI Lead Software Engineer





RE: tomcat 6 vulnerability scan default error page help

2018-05-07 Thread Berneburg, Cris J. - US
Leon, Mark, and Alejandro

Thanks for your time and suggestions.  I appreciate it.

cjb> We are getting dinged by a vulnerability scan for the default
cjb> not-found error page being returned by Tomcat for a Status 404.
cjb> [...]
cjb> However, I can't find where the error-page for 404 is defined.
cjb> [...] How do I get rid of or override the default error
cjb> / 404 / not-found page

LR> try to add following to your web.xml 

MT> $CATALINA_HOME/lib/org/apache/catalina/util
MT> Download this file: [...] ServerInfo.properties
MT> [...] modify the three properties to whatever value you like

AV> unpack catalina.jar in tomcat lib directory,
AV> then go to org\apache\catalina\util\,
AV> open ServerInfo.properties and edit it

I'm thinking of opting for the simplest and quickest possible solution, which 
is to add an <error-page> section to the main Tomcat conf/web.xml file but 
*not* supply the static page specified in the <location>.

Experimenting with that arrangement returns a 404 but no page contents, which 
conforms to the security finding of not returning the default 404 error page.

The least complex solution is most likely to succeed because it has the 
greatest chance of being deployed correctly within our tight deadline.

--
Cris Berneburg
CACI Lead Software Engineer





RE: tomcat 6 vulnerability scan default error page help

2018-05-07 Thread Berneburg, Cris J. - US

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday, May 2, 2018 4:01 PM
To: users@tomcat.apache.org
Subject: Re: tomcat 6 vulnerability scan default error page help

> On 02/05/18 20:51, Leon Rosenberg wrote:
> > Hi Mark,
> >
> > I agree with you that the complaint about version number is rather a 
> > minor one, however, I've had the same situation as one of our projects 
> > had to pass through a PCI Compliance test, and this is what they really 
> > test for.
>
> Don't get me started on PCI compliance...
>
> Oh, and Cris - take a look at the ErrorReportValve.
> That is where the default error page is coming from.
>
> Mark

Thanks Mark, will do - once all this compliance stuff dies down.

--
Cris Berneburg
CACI Lead Software Engineer





Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread alejandro . vargas


You need to unpack catalina.jar in tomcat lib directory,
then go to org\apache\catalina\util\,
open ServerInfo.properties and edit it

server.info=Apache Tomcat
server.number=
server.built=

You need to set to empty these variables, as shown above.

Save the file.
Pack as jar again
Put in the tomcat\lib directory again.

Hope this could help you, I'm using Tomcat 8.0.27



"Berneburg, Cris J. - US" wrote:

We are getting dinged by a vulnerability scan for the default  
not-found error page being returned by Tomcat for a Status 404.


On my dev server when requesting an invalid URL, Tomcat returns a  
Status 404 page that displays the Tomcat version.  Right, I need to  
do something about that.


However, I can't find where the error-page for 404 is defined.  It's  
not defined in:

- webapps/ROOT/WEB-INF/web.xml
- conf/web.xml
- conf/server.xml
- conf/context.xml

Also, I can't find a notFound or error page either.

How do I get rid of or override the default error / 404 / not-found  
page if I can't find it or where it is currently defined?  Also, how  
is Tomcat returning the default 404 error page if it does not exist?  
 I hope it's not hardcoded in a servlet response.


FYI, we're going to remove the ROOT, docs, and examples folders to  
mitigate other scan findings.


And we're using Tomcat 6.0.37 (ahem).

--
Cris Berneburg
CACI Lead Software Engineer








Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Mark Thomas
On 02/05/18 20:51, Leon Rosenberg wrote:
> Hi Mark,
> 
> I agree with you that the complaint about version number is rather a minor
> one, however, I've had the same situation as one of our projects had to
> pass through a PCI Compliance test, and this is what they really test for.

Don't get me started on PCI compliance...

Oh, and Cris - take a look at the ErrorReportValve. That is where the
default error page is coming from.

Mark


> 
> regards
> Leon
> 
> On Wed, May 2, 2018 at 9:42 PM, Mark Thomas  wrote:
> 
>> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
>>> We are getting dinged by a vulnerability scan for the default not-found
>> error page being returned by Tomcat for a Status 404.
>>>
>>> On my dev server when requesting an invalid URL, Tomcat returns a Status
>> 404 page that displays the Tomcat version.  Right, I need to do something
>> about that.
>>>
>>> However, I can't find where the error-page for 404 is defined.  It's not
>> defined in:
>>> - webapps/ROOT/WEB-INF/web.xml
>>> - conf/web.xml
>>> - conf/server.xml
>>> - conf/context.xml
>>>
>>> Also, I can't find a notFound or error page either.
>>>
>>> How do I get rid of or override the default error / 404 / not-found page
>> if I can't find it or where it is currently defined?  Also, how is Tomcat
>> returning the default 404 error page if it does not exist?  I hope it's not
>> hardcoded in a servlet response.
>>>
>>> FYI, we're going to remove the ROOT, docs, and examples folders to
>> mitigate other scan findings.
>>>
>>> And we're using Tomcat 6.0.37 (ahem).
>>
>> And you are worried about returning the version number? Have you seen
>> how many real security issues (as opposed to this version number
>> non-issue) there are in 6.0.37? I can't help but think your priorities
>> are all wrong.
>>
>> Hiding the version info is trivial
>> Create the following directory structure:
>> $CATALINA_HOME/lib/org/apache/catalina/util
>>
>> Download this file:
>> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/
>> java/org/apache/catalina/util/ServerInfo.properties?
>> revision=1803960=co
>>
>> Place it in that directory and modify the three properties to whatever
>> value you like.
>>
>> Restart Tomcat.
>>
>> Mark
>>
>>
>>
> 





Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Leon Rosenberg
Hi Mark,

I agree with you that the complaint about version number is rather a minor
one, however, I've had the same situation as one of our projects had to
pass through a PCI Compliance test, and this is what they really test for.

regards
Leon

On Wed, May 2, 2018 at 9:42 PM, Mark Thomas  wrote:

> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> > We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
> >
> > On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
> >
> > However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> > - webapps/ROOT/WEB-INF/web.xml
> > - conf/web.xml
> > - conf/server.xml
> > - conf/context.xml
> >
> > Also, I can't find a notFound or error page either.
> >
> > How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
> >
> > FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
> >
> > And we're using Tomcat 6.0.37 (ahem).
>
> And you are worried about returning the version number? Have you seen
> how many real security issues (as opposed to this version number
> non-issue) there are in 6.0.37? I can't help but think your priorities
> are all wrong.
>
> Hiding the version info is trivial
> Create the following directory structure:
> $CATALINA_HOME/lib/org/apache/catalina/util
>
> Download this file:
> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/
> java/org/apache/catalina/util/ServerInfo.properties?
> revision=1803960=co
>
> Place it in that directory and modify the three properties to whatever
> value you like.
>
> Restart Tomcat.
>
> Mark
>
>
>


Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Mark Thomas
On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> We are getting dinged by a vulnerability scan for the default not-found error 
> page being returned by Tomcat for a Status 404.
> 
> On my dev server when requesting an invalid URL, Tomcat returns a Status 404 
> page that displays the Tomcat version.  Right, I need to do something about 
> that.
> 
> However, I can't find where the error-page for 404 is defined.  It's not 
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
> 
> Also, I can't find a notFound or error page either.
> 
> How do I get rid of or override the default error / 404 / not-found page if I 
> can't find it or where it is currently defined?  Also, how is Tomcat 
> returning the default 404 error page if it does not exist?  I hope it's not 
> hardcoded in a servlet response.
> 
> FYI, we're going to remove the ROOT, docs, and examples folders to mitigate 
> other scan findings.
> 
> And we're using Tomcat 6.0.37 (ahem).

And you are worried about returning the version number? Have you seen
how many real security issues (as opposed to this version number
non-issue) there are in 6.0.37? I can't help but think your priorities
are all wrong.

Hiding the version info is trivial
Create the following directory structure:
$CATALINA_HOME/lib/org/apache/catalina/util

Download this file:
https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960=co

Place it in that directory and modify the three properties to whatever
value you like.

Restart Tomcat.

Mark
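
The override described above, together with a check of what a 404 body still reveals, as an added example that is not part of the original message or of Tomcat itself. The function names are hypothetical, the sample 404 body is constructed, and the check assumes the stock error page carries the strings "HTTP Status" and "Error report".

```shell
#!/bin/sh
# Added example, not from the thread. Paths are supplied by the caller; the
# response body used in the demo at the bottom is constructed.

# Write the override Mark describes: ServerInfo.properties under
# $CATALINA_HOME/lib/org/apache/catalina/util, with the three properties
# (names as in Alejandro's message) carrying no version details.
write_serverinfo_override() {
    catalina_home=$1
    banner=${2:-Apache Tomcat}
    dir="$catalina_home/lib/org/apache/catalina/util"
    mkdir -p "$dir" || return 1
    printf 'server.info=%s\nserver.number=\nserver.built=\n' "$banner" \
        > "$dir/ServerInfo.properties"
}

# Exit 0 when one of the three properties still holds a dotted version
# number such as 6.0.37, exit 1 otherwise.
serverinfo_leaks() {
    grep -E '^server\.(info|number|built)=.*[0-9]+\.[0-9]+' "$1" >/dev/null 2>&1
}

# Classify a saved error response body (for instance one written by
# `curl -s -o body.html`). Prints the findings separated by spaces, or
# "clean" when neither marker is present.
error_body_findings() {
    body=$1
    findings=""
    # Version banner such as "Apache Tomcat/6.0.37".
    if grep -E 'Apache Tomcat/[0-9]+(\.[0-9]+)+' "$body" >/dev/null 2>&1; then
        findings="version-banner"
    fi
    # Assumed markers of the stock error report page; they remain when only
    # the version string has been hidden.
    if grep -E 'HTTP Status [0-9]{3}|Error report' "$body" >/dev/null 2>&1; then
        findings="${findings:+$findings }default-error-page"
    fi
    echo "${findings:-clean}"
}

# Demo on constructed data in a throwaway directory.
demo_dir=$(mktemp -d) || exit 1
write_serverinfo_override "$demo_dir/tomcat"
props="$demo_dir/tomcat/lib/org/apache/catalina/util/ServerInfo.properties"
cat > "$demo_dir/404.html" <<'EOF'
<html><head><title>Apache Tomcat/6.0.37 - Error report</title></head>
<body><h1>HTTP Status 404 - /no-such-page</h1>
<h3>Apache Tomcat/6.0.37</h3></body></html>
EOF
if serverinfo_leaks "$props"; then
    echo "override still leaks a version"
else
    echo "override carries no version"
fi
echo "stock 404 body: $(error_body_findings "$demo_dir/404.html")"
rm -rf "$demo_dir"
```

Hiding the version alone still leaves the `default-error-page` finding, which is what the scan text quoted elsewhere in this thread flags; an empty 404 body reports `clean`.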




Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Leon Rosenberg
Hi Cris,

try to add following to your web.xml

<error-page>
    <error-code>404</error-code>
    <location>/error404.html</location>
</error-page>

regards
Leon


On Wed, May 2, 2018 at 9:27 PM, Berneburg, Cris J. - US  wrote:

> We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
>
> However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>


tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Berneburg, Cris J. - US
We are getting dinged by a vulnerability scan for the default not-found error 
page being returned by Tomcat for a Status 404.

On my dev server when requesting an invalid URL, Tomcat returns a Status 404 
page that displays the Tomcat version.  Right, I need to do something about 
that.

However, I can't find where the error-page for 404 is defined.  It's not 
defined in:
- webapps/ROOT/WEB-INF/web.xml
- conf/web.xml
- conf/server.xml
- conf/context.xml

Also, I can't find a notFound or error page either.

How do I get rid of or override the default error / 404 / not-found page if I 
can't find it or where it is currently defined?  Also, how is Tomcat returning 
the default 404 error page if it does not exist?  I hope it's not hardcoded in 
a servlet response.

FYI, we're going to remove the ROOT, docs, and examples folders to mitigate 
other scan findings.

And we're using Tomcat 6.0.37 (ahem).

--
Cris Berneburg
CACI Lead Software Engineer



Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2018-01-02 Thread Mark Thomas
On 28/12/17 10:06, Olaf Kock wrote:
> 
> On 27.12.2017 23:16, Eric Robinson wrote:
>>> I mean A is java8 and tomcat8.. so make a C that is tomcat6 and java8
>> I don't think so. This is a requirement of the software company whose
>> application solution we use. They are requiring us to move to tomcat 8
>> with jdk 1.8. If we try to mix tomcat8 with jdk 1.6, supposedly we
>> would have problems. I guess all this is being driven by the need to
>> switch to TLS 1.2. I'm not sure if that would be a function of tomcat
>> or java.
> As you were looking for the reason of the increased footprint, this
> would help you tremendously to get to the root cause, even if you don't
> intend to use it in production. Assume that a similar behavior already
> appears when you run tomcat6 with Java8 - in this case there might be
> little reason to continue to dig in tomcat, and assume that it's the
> Java implementation that caused your increased footprint.
> 
> Tomcat 8 with Java 6 won't work (apart from the outdated implementation)
> as it requires at least Java7 (which is also outdated).
> 
> And then there's yet another aspect: The memory footprint increased way
> below the price decrease for memory, so just adding this much memory
> could be filed away as a reasonable assumption within 7.5 years (JDK
> 1.6.21 was released July 2010, I'm assuming that this is the age of the
> hardware as well (because why would you have installed this version on
> newer hardware, when newer releases existed)
> 
> I'm assuming that you have enough aspects to inspect - if you're really
> interested in finding the root cause, you'll need to come up with more
> specific measurements, e.g. profiler data, compare thread dumps and set
> up Tomcat 6 with Java 8 to have a third reference point.

I don't have Tomcat 6 to hand but I do have Tomcat 7. A quick test with
Tomcat 7 + Java 6 vs Tomcat 7 + Java 8 I saw a 20% increase in memory usage.

This looks very much like changes in the JVM rather than changes in Tomcat.

Mark




Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-28 Thread Suvendu Sekhar Mondal
On Thu, Dec 28, 2017 at 3:36 PM, Olaf Kock <tom...@olafkock.de> wrote:
>
> On 27.12.2017 23:16, Eric Robinson wrote:
>>>
>>> I mean A is java8 and tomcat8.. so make a C that is tomcat6 and java8
>>
>> I don't think so. This is a requirement of the software company whose
>> application solution we use. They are requiring us to move to tomcat 8 with
>> jdk 1.8. If we try to mix tomcat8 with jdk 1.6, supposedly we would have
>> problems. I guess all this is being driven by the need to switch to TLS 1.2.
>> I'm not sure if that would be a function of tomcat or java.
>
> As you were looking for the reason of the increased footprint, this would
> help you tremendously to get to the root cause, even if you don't intend to
> use it in production. Assume that a similar behavior already appears when
> you run tomcat6 with Java8 - in this case there might be little reason to
> continue to dig in tomcat, and assume that it's the Java implementation that
> caused your increased footprint.
>
> Tomcat 8 with Java 6 won't work (apart from the outdated implementation) as
> it requires at least Java7 (which is also outdated).
>
> And then there's yet another aspect: The memory footprint increased way
> below the price decrease for memory, so just adding this much memory could
> be filed away as a reasonable assumption within 7.5 years (JDK 1.6.21 was
> released July 2010, I'm assuming that this is the age of the hardware as
> well (because why would you have installed this version on newer hardware,
> when newer releases existed)
>
> I'm assuming that you have enough aspects to inspect - if you're really
> interested in finding the root cause, you'll need to come up with more
> specific measurements, e.g. profiler data, compare thread dumps and set up
> Tomcat 6 with Java 8 to have a third reference point.
>
> Olaf
>

How about turning on Native Memory Tracking for both Tomcat8+JDK1.8
and Tomcat6+JDK1.6 combinations and comparing the results? It will give
you details about internal memory consumption of the JVM. If you see
an increase there, you will also be able to find out which component's
memory footprint has increased. You can turn NMT on by adding the
following JVM arguments:

-XX:+UnlockDiagnosticVMOptions
-XX:NativeMemoryTracking=summary

After turning on NMT and running Tomcat, when you see there is a rise in
memory usage, use JCMD to dump native memory consumption details for
analysis. You can find more details about NMT here:
https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/tooldescr007.html

IMO, if you see there is not much difference between native memory
consumption of JDK1.6 and JDK1.8, then you need to focus on Tomcat.

Thanks!
Suvendu
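
The comparison suggested above, as an added example that is not part of the original message: it diffs two saved `jcmd <pid> VM.native_memory summary` dumps taken from two separate instances. The function names are hypothetical and the two dumps in the demo are constructed; it assumes the summary layout of JDK 8, with sizes in KB.

```shell
#!/bin/sh
# Added example, not from the thread. The two dumps in the demo are constructed.

# Print "<category> <committed KB>" for each top-level line of a saved
# NMT summary. Indented detail lines (mmap, malloc, ...) are skipped.
nmt_committed() {
    awk '
        /^Total:/ || /^-/ {
            if (!match($0, /committed=[0-9]+KB/)) next
            # "committed=" is 10 characters and "KB" is 2.
            kb = substr($0, RSTART + 10, RLENGTH - 12)
            name = $0
            sub(/^-[ \t]*/, "", name)       # drop the leading list marker
            sub(/[ \t]*[(:].*$/, "", name)  # drop everything from "(" or ":"
            gsub(/ /, "_", name)            # "Java Heap" -> "Java_Heap"
            print name, kb
        }' "$1"
}

# Print "<growth KB> <category>" for every category whose committed size is
# larger in the second dump than in the first, largest growth first.
nmt_growth() {
    {
        nmt_committed "$1" | sed 's/^/A /'
        nmt_committed "$2" | sed 's/^/B /'
    } | awk '
        $1 == "A" { a[$2] = $3 }
        $1 == "B" { b[$2] = $3 }
        END {
            for (k in b) {
                d = b[k] - a[k]
                if (d > 0) print d, k
            }
        }' | sort -rn
}

# Demo on constructed dumps in a throwaway directory.
demo_dir=$(mktemp -d) || exit 1
cat > "$demo_dir/instance_a.txt" <<'EOF'
Native Memory Tracking:

Total: reserved=1500000KB, committed=300000KB
-                 Java Heap (reserved=196608KB, committed=196608KB)
                            (mmap: reserved=196608KB, committed=196608KB)
-                     Class (reserved=1060000KB, committed=40000KB)
-                    Thread (reserved=60000KB, committed=60000KB)
EOF
cat > "$demo_dir/instance_b.txt" <<'EOF'
Native Memory Tracking:

Total: reserved=1700000KB, committed=420000KB
-                 Java Heap (reserved=196608KB, committed=196608KB)
                            (mmap: reserved=196608KB, committed=196608KB)
-                     Class (reserved=1110000KB, committed=90000KB)
-                    Thread (reserved=130000KB, committed=130000KB)
EOF
nmt_growth "$demo_dir/instance_a.txt" "$demo_dir/instance_b.txt"
rm -rf "$demo_dir"
```

With identical heap settings the `Java_Heap` line drops out of the result, leaving only the categories that account for the extra footprint.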




Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-28 Thread Olaf Kock


On 27.12.2017 23:16, Eric Robinson wrote:

>> I mean A is java8 and tomcat8.. so make a C that is tomcat6 and java8
>
> I don't think so. This is a requirement of the software company whose 
> application solution we use. They are requiring us to move to tomcat 8 with jdk 
> 1.8. If we try to mix tomcat8 with jdk 1.6, supposedly we would have problems. 
> I guess all this is being driven by the need to switch to TLS 1.2. I'm not sure 
> if that would be a function of tomcat or java.

As you were looking for the reason of the increased footprint, this 
would help you tremendously to get to the root cause, even if you don't 
intend to use it in production. Assume that a similar behavior already 
appears when you run tomcat6 with Java8 - in this case there might be 
little reason to continue to dig in tomcat, and assume that it's the 
Java implementation that caused your increased footprint.


Tomcat 8 with Java 6 won't work (apart from the outdated implementation) 
as it requires at least Java7 (which is also outdated).


And then there's yet another aspect: The memory footprint increased way 
below the price decrease for memory, so just adding this much memory 
could be filed away as a reasonable assumption within 7.5 years (JDK 
1.6.21 was released July 2010, I'm assuming that this is the age of the 
hardware as well (because why would you have installed this version on 
newer hardware, when newer releases existed)


I'm assuming that you have enough aspects to inspect - if you're really 
interested in finding the root cause, you'll need to come up with more 
specific measurements, e.g. profiler data, compare thread dumps and set 
up Tomcat 6 with Java 8 to have a third reference point.


Olaf




RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-27 Thread Eric Robinson
> > More heap or more native memory?
> >
> 
> With the exact same Xms and Xmx settings, I get vastly different resident and
> virtual image sizes from the Linux ps command.
> 
> 
>  tomcatA: jdk1.8.0_152, res: 694312, virt: 5045084
>  tomcatB: jdk1.6.0_21, res: 332840, virt: 3922656
> 
> 
> And b is also tomcat8 right?

No, tomcatB is using tomcat6. 

> Can you make that also tomcat8 but keep java8?
> 
> 
> I mean A is java8 and tomcat8.. so make a C that is tomcat6 and java8
> 
> 

I don't think so. This is a requirement of the software company whose 
application solution we use. They are requiring us to move to tomcat 8 with jdk 
1.8. If we try to mix tomcat8 with jdk 1.6, supposedly we would have problems. 
I guess all this is being driven by the need to switch to TLS 1.2. I'm not sure 
if that would be a function of tomcat or java.

--Eric


RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-23 Thread Johan Compagner
On 23 Dec 2017 09:27, "Johan Compagner" wrote:



On 22 Dec 2017 21:02, "Eric Robinson" wrote:

>
> More heap or more native memory?
>

With the exact same Xms and Xmx settings, I get vastly different resident
and virtual image sizes from the Linux ps command.


 tomcatA: jdk1.8.0_152, res: 694312, virt: 5045084
 tomcatB: jdk1.6.0_21, res: 332840, virt: 3922656




And b is also tomcat8 right?
Can you make that also tomcat8 but keep java8?


I mean A is java8 and tomcat8.. so make a C that is tomcat6 and java8




--Eric





RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-23 Thread Johan Compagner
On 22 Dec 2017 21:02, "Eric Robinson" wrote:

>
> More heap or more native memory?
>

With the exact same Xms and Xmx settings, I get vastly different resident
and virtual image sizes from the Linux ps command.


 tomcatA: jdk1.8.0_152, res: 694312, virt: 5045084
 tomcatB: jdk1.6.0_21, res: 332840, virt: 3922656




And b is also tomcat8 right?
Can you make that also tomcat8 but keep java8?



--Eric





Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Olaf Kock


On 22.12.2017 21:02, Eric Robinson wrote:
> With the exact same Xms and Xmx settings, I get vastly different 
> resident and virtual image sizes from the Linux ps command.
>
>   tomcatA: jdk1.8.0_152, res: 694312, virt: 5045084
>   tomcatB: jdk1.6.0_21, res: 332840, virt: 3922656

-Xmx is not all that's determining how much memory the JVM actually 
allocates. 
https://jguru.fi/why-is-my-java-process-taking-more-memory-than-i-gave-it.html 
gives some more hints on factors that have to be taken into account.


32 vs 64 bit architectures might do something to the sizes. And, now 
that you gave your JVM options in another answer, you're not specifying 
the GC algorithm and parameters, other than just logging. This means 
that most likely you're using another algorithm with different 
parameters, e.g. it might kick in later.


Coming back to the linked article: Tomcat might have different default 
thread pool sizes - I don't know if you explicitly configure them. And 
I've lost track if the default connectors are different ones between 
Tomcat 6 and 8, or if you have ex- or implicitly configured them 
differently (e.g. through using your Linux distribution's implementation 
and they might have changed it).


Unrelated: I like to configure my production servers with identical -Xms 
and -Xmx, so that they either start or don't start when I'm around (or 
when the server boots) and not fail to allocate more memory from the OS 
Sunday night at 3am.





RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
> Eric,
> 
> Just curious how much ram do you have in the server and cpu resources.
> 
> #free -m and # cat /proc/cpuinfo | egrep 'cores|processor'
> 
> (Not to insult your intelligence , I am just specifying what I was curious to 
> see)
> 
> And it's always easier to copy/paste than to think.
> 
> I see in another thread you went from Java 1.6_xxx to 1.8_xxx
> 
> That could be the whole story right there.
> 
> 

No offense taken. You're right, copy and paste is easier...

[root@app17 alley]# free -m
             total       used       free     shared    buffers     cached
Mem:         64415      58110       6304          0       2938      18382
-/+ buffers/cache:      36789      27626
Swap:        15999        759      15240
[root@app17 alley]# cat /proc/cpuinfo | egrep 'cores|processor'
processor   : 0
cpu cores   : 6
processor   : 1
cpu cores   : 6
processor   : 2
cpu cores   : 6
processor   : 3
cpu cores   : 6
processor   : 4
cpu cores   : 6
processor   : 5
cpu cores   : 6
processor   : 6
cpu cores   : 6
processor   : 7
cpu cores   : 6
processor   : 8
cpu cores   : 6
processor   : 9
cpu cores   : 6
processor   : 10
cpu cores   : 6
processor   : 11
cpu cores   : 6

--Eric




RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Cheltenham, Chris
Eric,

Just curious how much ram do you have in the server and cpu resources.

#free -m and # cat /proc/cpuinfo | egrep 'cores|processor'

(Not to insult your intelligence , I am just specifying what I was curious
to see)

And it's always easier to copy/paste than to think.

I see in another thread you went from Java 1.6_xxx to 1.8_xxx

That could be the whole story right there.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 

-Original Message-
From: Eric Robinson [mailto:eric.robin...@psmnv.com] 
Sent: Friday, December 22, 2017 2:59 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than
Tomcat 6?

> > From: Eric Robinson [mailto:eric.robin...@psmnv.com]
> > Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory 
> > Than
> Tomcat 6?
> 
> > if JVM instance "A" is configured as follows on server 1 under 
> > tomcat6/jdk
> 1.6, then
> > instance "A" on server 2 is configured the same, except it is 
> > running
> under tomcat
> > 8/jdk 1.8. Yet the tomcat 8 ones used 50% more memory, on average.
> 
> > JAVA_OPTS="-Xms16M -Xmx192M \
> > -XX:MaxPermSize=192M \
> 
> Note that PermGen is no longer used in Java 8, and the above should 
> log a
> warning:
> 
> Java HotSpot(TM) 64-Bit Server VM warning: ignoring option 
> MaxPermSize=192m; support was removed in 8.0

Great tip, thanks. 

Unfortunately, I don't think that explains why the exact same Xms and Xmx
settings produce vastly different resident and virtual running image sizes
under jdk1.8 versus jdk1.6.

> It might be leaking.

If that were the case, I assume it would manifest under tomcat6/jdk 1.6 as
well. Since it does not, I am inclined to think leakage is not the issue.

--Eric




RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
> 
> More heap or more native memory?
> 

With the exact same Xms and Xmx settings, I get vastly different resident and 
virtual image sizes from the Linux ps command.


 tomcatA: jdk1.8.0_152, res: 694312, virt: 5045084
 tomcatB: jdk1.6.0_21, res: 332840, virt: 3922656

--Eric






RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
> > From: Eric Robinson [mailto:eric.robin...@psmnv.com]
> > Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than
> Tomcat 6?
> 
> > if JVM instance "A" is configured as follows on server 1 under tomcat6/jdk
> 1.6, then
> > instance "A" on server 2 is configured the same, except it is running
> under tomcat
> > 8/jdk 1.8. Yet the tomcat 8 ones used 50% more memory, on average.
> 
> > JAVA_OPTS="-Xms16M -Xmx192M \
> > -XX:MaxPermSize=192M \
> 
> Note that PermGen is no longer used in Java 8, and the above should log a
> warning:
> 
> Java HotSpot(TM) 64-Bit Server VM warning: ignoring option
> MaxPermSize=192m;
> support was removed in 8.0

Great tip, thanks. 

Unfortunately, I don't think that explains why the exact same Xms and Xmx 
settings produce vastly different resident and virtual running image sizes 
under jdk1.8 versus jdk1.6.

> It might be leaking.

If that were the case, I assume it would manifest under tomcat6/jdk 1.6 as 
well. Since it does not, I am inclined to think leakage is not the issue.

--Eric



RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Caldarale, Charles R
> From: Eric Robinson [mailto:eric.robin...@psmnv.com]
> Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

> if JVM instance "A" is configured as follows on server 1 under tomcat6/jdk 1.6, then
> instance "A" on server 2 is configured the same, except it is running under tomcat
> 8/jdk 1.8. Yet the tomcat 8 ones used 50% more memory, on average.

> JAVA_OPTS="-Xms16M -Xmx192M \
> -XX:MaxPermSize=192M \

Note that PermGen is no longer used in Java 8, and the above should log a
warning:

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=192m;
support was removed in 8.0

Here's a brief overview:
https://blogs.oracle.com/poonam/about-g1-garbage-collector,-permanent-generation-and-metaspace

  - Chuck



RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Cheltenham, Chris
Eric,

If you have upgraded java along with tomcat then yes, that is very probable.

You can restrict how much memory java can use however, if it is consuming too much memory.

-Xmx and -Xms startup parameters.

However, you may be jeopardizing performance.

In this case you can only add more memory.

It may also be leaking.

Java is a pig; get used to it.


RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
> On 22.12.2017 13:48, Eric Robinson wrote:
> > We have multiple JVMs deployed on two identical Linux servers. Each server
> has 60 JVMs. Until today, both servers were running Tomcat6 with JDK 1.6.
> Today we upgraded one of the servers to Tomcat 8 with JDK 1.8. Now the JVMs
> on the Tomcat 8 server are each using between 20-80% more memory than the
> ones on Tomcat6 with JDK 1.6. Is that normal? Why would that be? Is it some
> kind of settings? Is it fixable?
> >
> It might be as simple as different thresholds for the garbage collector to 
> kick in.
> I'd start with an evaluation of how much memory is used right after a GC run -
> and in case this isn't satisfactory, which objects use the memory.
> Typically it's appropriate to just look at the top of the list.
> 
> Note that the GC algorithms (or just GC defaults) between the different JVM
> versions (sometimes even between minor upgrades) might differ significantly.
> One big question is: Did you explicitly configure memory consumption, GC
> algorithm and thresholds? If so, what's the difference between the two 
> options:
> I'd expect that you need to change the settings significantly in order to 
> achieve
> the same behavior. There's a lot of work that has been done in this world.
> 
> That being said, I'd also not rule out that tomcat's or other component's
> implementation changed - e.g. caches, or just memory use through upgraded
> libraries. But I'd recommend to look in both directions, with JDK and GC 
> tuning
> being the elephant in the room, giving you the biggest bang for your buck.
> 
> Olaf
> 

The following startup options are typical for our JVMs. The min, max, and 
permgen settings may differ from JVM to JVM on the same server, but the 
settings are always identical between servers. In other words, if JVM instance 
"A" is configured as follows on server 1 under tomcat6/jdk 1.6, then instance 
"A" on server 2 is configured the same, except it is running under tomcat 8/jdk 
1.8. Yet the tomcat 8 ones used 50% more memory, on average. 

JAVA_OPTS="-Xms16M -Xmx192M \
-XX:MaxPermSize=192M \
-Djvm=$JVM_ID \
-Djava.awt.headless=true \
-Djava.net.preferIPv4Stack=true \
-Duser.timezone=US/Pacific \
-Xloggc:/alley/site098/tomcat8/logs/gc.log -XX:+PrintGCDateStamps \
-XX:+PrintGCDetails"


Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Christopher Schultz
Eric,

On 12/22/17 7:48 AM, Eric Robinson wrote:
> We have multiple JVMs deployed on two identical Linux servers.
> Each server has 60 JVMs. Until today, both servers were running
> Tomcat6 with JDK 1.6. Today we upgraded one of the servers to
> Tomcat 8 with JDK 1.8. Now the JVMs on the Tomcat 8 server are each
> using between 20-80% more memory than the ones on Tomcat6 with JDK
> 1.6. Is that normal? Why would that be? Is it some kind of
> settings? Is it fixable?

More heap or more native memory?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
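
One way to answer the "more heap or more native memory?" question from inside the JVM, as an added example that is not from any poster in this thread: it splits usage into heap and non-heap pools after a requested GC and flags PermGen options, so the same class can be run under JDK 1.6 and JDK 1.8 and compared. The class name JvmMemoryReport and its method names are hypothetical.

```java
import java.lang.management.GarbageCollectorMXBean;
import java.lang.management.ManagementFactory;
import java.lang.management.MemoryMXBean;
import java.lang.management.MemoryPoolMXBean;
import java.lang.management.MemoryType;
import java.lang.management.MemoryUsage;

/**
 * Added example (hypothetical class name). Uses only java.lang.management
 * calls that exist since Java 5, so it compiles on both JDK 1.6 and JDK 1.8.
 */
public class JvmMemoryReport {

    /** Bytes to KiB (the unit ps reports); MemoryUsage uses -1 for "undefined". */
    private static long kib(long bytes) {
        return bytes < 0 ? -1 : bytes / 1024;
    }

    private static void line(StringBuilder out, String label, MemoryUsage u) {
        out.append(String.format("%-36s used=%9d committed=%9d max=%9d KiB%n",
                label, kib(u.getUsed()), kib(u.getCommitted()), kib(u.getMax())));
    }

    /** Builds the report; callable from main() below or from a servlet/JSP inside Tomcat. */
    public static String report() {
        StringBuilder out = new StringBuilder();
        out.append("java.version=").append(System.getProperty("java.version")).append('\n');

        // PermGen sizing flags apply to JDK 1.6 only; Java 8 logs a warning and ignores
        // them, so the class-metadata area (Metaspace) is not capped by them there.
        for (String arg : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
            if (arg.startsWith("-XX:MaxPermSize") || arg.startsWith("-XX:PermSize")) {
                out.append("PermGen option on command line: ").append(arg).append('\n');
            }
        }

        // Request a collection first so "used" approximates live data after a GC run.
        MemoryMXBean mem = ManagementFactory.getMemoryMXBean();
        mem.gc();

        line(out, "HEAP total (bounded by -Xmx)", mem.getHeapMemoryUsage());
        line(out, "NON-HEAP total", mem.getNonHeapMemoryUsage());

        // Per-pool breakdown. On HotSpot 1.6 the class-metadata pool is a "Perm Gen"
        // pool; on 1.8 it is "Metaspace" (plus "Compressed Class Space"), whose max
        // is undefined (-1) unless -XX:MaxMetaspaceSize is set.
        for (MemoryPoolMXBean pool : ManagementFactory.getMemoryPoolMXBeans()) {
            MemoryUsage usage = pool.getUsage();
            if (usage == null) {
                continue; // pool is no longer valid
            }
            String kind = pool.getType() == MemoryType.HEAP ? "heap" : "non-heap";
            line(out, "  " + kind + ": " + pool.getName(), usage);
        }

        // Which collectors are active differs between JVM versions and defaults.
        for (GarbageCollectorMXBean gc : ManagementFactory.getGarbageCollectorMXBeans()) {
            out.append(String.format("GC %-24s collections=%d time=%dms%n",
                    gc.getName(), gc.getCollectionCount(), gc.getCollectionTime()));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(report());
    }
}
```

The committed heap plus committed non-heap figures will still be lower than the resident size from ps, because thread stacks, GC bookkeeping and direct buffers are native memory that these beans do not report.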



Re: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Olaf Kock


On 22.12.2017 13:48, Eric Robinson wrote:

> We have multiple JVMs deployed on two identical Linux servers. Each server has
> 60 JVMs. Until today, both servers were running Tomcat6 with JDK 1.6. Today we
> upgraded one of the servers to Tomcat 8 with JDK 1.8. Now the JVMs on the
> Tomcat 8 server are each using between 20-80% more memory than the ones on
> Tomcat6 with JDK 1.6. Is that normal? Why would that be? Is it some kind of
> settings? Is it fixable?

It might be as simple as different thresholds for the garbage collector 
to kick in.
I'd start with an evaluation of how much memory is used right after a GC 
run - and in case this isn't satisfactory, which objects use the memory. 
Typically it's appropriate to just look at the top of the list.


Note that the GC algorithms (or just GC defaults) between the different 
JVM versions (sometimes even between minor upgrades) might differ 
significantly. One big question is: Did you explicitly configure memory 
consumption, GC algorithm and thresholds? If so, what's the difference 
between the two options: I'd expect that you need to change the settings 
significantly in order to achieve the same behavior. There's a lot of 
work that has been done in this world.


That being said, I'd also not rule out that tomcat's or other 
component's implementation changed - e.g. caches, or just memory use 
through upgraded libraries. But I'd recommend to look in both 
directions, with JDK and GC tuning being the elephant in the room, 
giving you the biggest bang for your buck.


Olaf




Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Eric Robinson
We have multiple JVMs deployed on two identical Linux servers. Each server has 
60 JVMs. Until today, both servers were running Tomcat6 with JDK 1.6. Today we 
upgraded one of the servers to Tomcat 8 with JDK 1.8. Now the JVMs on the 
Tomcat 8 server are each using between 20-80% more memory than the ones on 
Tomcat6 with JDK 1.6. Is that normal? Why would that be? Is it some kind of 
settings? Is it fixable?

--Eric






Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mark H. Wood
On Thu, Sep 07, 2017 at 04:07:25PM +0530, Mohammad Nayeem wrote:
> We have installed apache and configured mod_jk connector along with a
> load-balancer for 2 tomcat servers.
> 
> We were able to successfully start apache and we got the login page of our
> application hosted on it, but the functionality is lost. For example, when
> we hit login button on home page, nothing happens. Also, we tried to access
> some specific web page using a direct url, we ended up with an error.
> 
> Do you have any suggestion for me so that we can achieve the exact same
> functionality that we had without apache in the front?

Yes:

o  When you say, "we ended up with an error," tell us what the error
   message says.  It is very difficult to diagnose an unknown error.

o  When you say, "nothing happens," what should happen, in detail?
   Check Tomcat's log files for the time at which nothing happened.
   Check your application's log files for that time.  If the logs say
   nothing about the operation, then it's time to insert more logging
   in your application code, or attach a debugger and step through the
   code, to see what it is doing.

o  Your browser may have developer tools that can show you requests
   and responses, which may help you to determine what is happening.
   I like a Firefox add-on called Firebug, if you need a suggestion.

o  In general, if we are to help, we need a lot more detail than "it
   doesn't work."  Too much information is better than too little.

o  My recollection is that this list does not forward attachments.  If
   the evidence is too large to simply copy into an email body, you
   could post it on something like Pastebin or Github Gist and refer
   to the URL in your messages.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mohammad Nayeem
Hello Olaf,

We have tried yours as well as Chris's suggestions, but in both the cases
the functionality of the application is lost.

We have installed apache and configured mod_jk connector along with a
load-balancer for 2 tomcat servers.

We were able to successfully start apache and we got the login page of our
application hosted on it, but the functionality is lost. For example, when
we hit login button on home page, nothing happens. Also, we tried to access
some specific web page using a direct url, we ended up with an error.

Do you have any suggestion for me so that we can achieve the exact same
functionality that we had without apache in the front?


Regards,
Mohammad Nayeem

-Original Message-

From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x
version



On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of
> Tomcat 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server
> we can use for Tomcat 6 version? Also, it will be great if you can share
> some guidelines on how to implement Apache in front of Tomcat.

For completeness sake I'd like to answer a few of these questions, rather
briefly. It seems that you're deep into implementing Christopher's solution
of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the outdated
Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and
mod_proxy_http, which are all keywords on the connection between Apache and
tomcat. Once you've set this up, setting the headers is a matter of adding
the "Header" directive to httpd's configuration. I understand though, that
setting up the connection can be some task if you've never done that.
Especially if you're using https, and also refer to it in your webapp's
code (e.g. to validate client certs) - but as you give no clue you're doing
that, I'm assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this
information to be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your
discontinued tomcat version.

Olaf


RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-09-07 Thread Mohammad Nayeem
Hi Chris,


We currently have 7.0.42 version which does not support security headers,
so we have taken jar files from 7.0.63 and replaced those in the
7.0.42 library folder with them. We were able to successfully start our tomcat
instance and we got the login page of our application hosted on it, but the
functionality is lost. For example, when we hit login button on home page,
nothing happens. Also, we tried to access some specific web page using a
direct url, we ended up with an error.


Do you have any suggestion for me so that we can achieve the exact same
functionality using libraries of 7.0.63? For your information, I have
tried using more latest versions like Tomcat 8, but no luck.



Regards,

Mohammad Nayeem

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for the
> Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder, system
> would get it. You don’t need to have a specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder is considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.

You are correct. There are problems if the same class exists in two
separate JAR files, but that should not be a problem in the standard Tomcat
installation, plus the JAR file that has a few (unique) classes from Tomcat
7 in there.

Remember: Upgrade ASAP.

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 May 2017 23:52
> To: users@tomcat.apache.org
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains executable
>> code of filter classes (security headers), and put them into
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris


Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-08 Thread kmaxwilliams43
Ghgfhch 
Dygugjfbjg


Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-08 Thread Christopher Schultz
Shaik,

On 6/8/17 1:18 AM, Shaik, Mohammad N. wrote:
> Hi Olaf & Chris,
> 
> By placing HTTPD 2.x server in front of Tomcat 6, is it possible to
> hide Tomcat 6 from external world? I just don’t want people to find
> out that I am using Tomcat 6, instead I want them to know that I am
> using httpd 2.x server. Is this possible?
> 
> I just need Apache HTTPD server to take care of headers and let
> Tomcat do rest of the stuff (which it is already doing in my case).
> Do I still need to configure anything other than headers in my
> case?

Not really. If you configure httpd -> Tomcat, then you can
firewall-out everyone from your Tomcat server except the server
running httpd.

By default, httpd will return its own "Server" header so you don't
even need to try to mask Tomcat's existence that way.

-chris

> -Original Message-
> From: Olaf Kock [mailto:tom...@olafkock.de]
> Sent: 31 May 2017 16:38
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
> 
> On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
>> Hello Olaf,
>> 
>> Thanks for your response!
>> 
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
>> 
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
> 
> For completeness sake I'd like to answer a few of these questions,
> rather briefly. It seems that you're deep into implementing
> Christopher's solution of compiling the newer filters for Tomcat
> 6.
> 
> Every current Apache httpd is fine, no version restriction.
> Especially: Choose one that will get updates for quite a while, not
> like the outdated Tomcat version you're running. Read on mod_proxy,
> mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on
> the connection between Apache and tomcat. Once you've set this up,
> setting the headers is a matter of adding the "Header" directive to
> httpd's configuration. I understand though, that setting up the
> connection can be some task if you've never done that. Especially
> if you're using https, and also refer to it in your webapp's code
> (e.g. to validate client certs) - but as you give no clue you're
> doing that, I'm assuming you don't and the setup would be easy.
> 
> Anyway, feel free to utilize the newer code - I just wanted this
> information to be in this thread as well. However, once you're done
> with it: Utilize even more newer code and prepare to migrate away
> from your discontinued tomcat version.
> 
> Olaf

RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-07 Thread Shaik, Mohammad N.
Hi Olaf & Chris,

By placing HTTPD 2.x server in front of Tomcat 6, is it possible to hide Tomcat 
6 from external world? I just don’t want people to find out that I am using 
Tomcat 6, instead I want them to know that I am using httpd 2.x server. Is this 
possible?

I just need Apache HTTPD server to take care of headers and let Tomcat do rest 
of the stuff (which it is already doing in my case). Do I still need to 
configure anything other than headers in my case?


Regards,
Mohammad

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 31 May 2017 16:38
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version

On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 
> 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we 
> can use for Tomcat 6 version? Also, it will be great if you can share some 
> guidelines on how to implement Apache in front of Tomcat.

For completeness sake I'd like to answer a few of these questions, rather 
briefly. It seems that you're deep into implementing Christopher's solution of 
compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the outdated 
Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and 
mod_proxy_http, which are all keywords on the connection between Apache and 
tomcat. Once you've set this up, setting the headers is a matter of adding the 
"Header" directive to httpd's configuration. I understand though, that setting 
up the connection can be some task if you've never done that. Especially if 
you're using https, and also refer to it in your webapp's code (e.g. to 
validate client certs) - but as you give no clue you're doing that, I'm 
assuming you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this information to 
be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your 
discontinued tomcat version.

Olaf





Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-02 Thread Olaf Kock


On 02.06.2017 at 07:43, Shaik, Mohammad N. wrote:
> Hi Chris,
>
> My actual requirement was to implement 7 HTTP headers, out of which
> 4 are implemented in "HttpHeaderSecurityFilter". The remaining 3 headers
> (Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not
> addressed in any of the filters available in Tomcat 7, 8 & 9 versions.
>
> Is there any way that we implement these 3 headers in Tomcat?
Sure. Look at the implementation for the 4 headers you found. Add three
more, recompile. Alternatively, add another filter just for your 3 headers.

As you're creating a solution for you exclusively, you may even
completely hard code the values and conditions you need. There's no need
for configuration or making it "ready for prime time" as nobody else
will use this code under different circumstances.

Or write your own servlet filter for the webapps you deploy (no need to
go app-server side when the webapps do what's required themselves). In
those servlet filters, set those headers under conditions that you
determine yourself.

Or (again, sorry) utilize httpd's mod_headers.

Olaf






RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-01 Thread Shaik, Mohammad N.
Hi Chris,

My actual requirement was to implement 7 HTTP headers, out of which 4 are 
implemented in "HttpHeaderSecurityFilter". The remaining 3 headers 
(Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in 
any of the filters available in Tomcat 7, 8 & 9 versions.

Is there any way that we implement these 3 headers in Tomcat?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x 
version


Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for the
> Filter classes?
It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) is present in any of the JAR files under "lib" folder, system
> would get it. You don’t need to have a specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under lib folder is considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names is setup just
> for logical classification of classes. Please correct me if this is
> not right.

You are correct. There are problems if the same class exists in two separate 
JAR files, but that should not be a problem in the standard Tomcat 
installation, plus the JAR file that has a few (unique) classes from Tomcat 7 
in there.

Remember: Upgrade ASAP.

-chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: 31 May 2017 23:52 To:
> users@tomcat.apache.org Subject: [External] Re: Security Headers
> Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains executable
>> code of filter classes (security headers), and put them into
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris
>

Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-01 Thread Christopher Schultz

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for
> the Filter classes?
It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these 
> JAR files have any significance?

Not really.

> My understanding is that as long as you have your code (.class 
> files) is present in any of the JAR files under "lib" folder,
> system would get it. You don’t need to have a specific-named JAR
> files having specific-named .class files. The .class files from all
> the jar files under lib folder is considered as one big collection,
> and based on the invoked classname its corresponding .class file
> gets executed from that big code. Multiple JAR files with different
> names is setup just for logical classification of classes. Please
> correct me if this is not right.

You are correct. There are problems if the same class exists in two
separate JAR files, but that should not be a problem in the standard
Tomcat installation, plus the JAR file that has a few (unique) classes
from Tomcat 7 in there.

Remember: Upgrade ASAP.

- -chris
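
Added example, not part of the original message or of Tomcat: a small checker for the problem mentioned above, the same class being present in two JAR files of one directory such as Tomcat's lib folder. The class name `DuplicateClassScanner` and its command line are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example, not part of Tomcat. Lists every class that is packaged in
 * more than one JAR of a directory.
 * Usage: java DuplicateClassScanner /path/to/tomcat/lib
 * Exit code: 0 = no duplicates, 1 = duplicates found, 2 = usage error.
 */
public class DuplicateClassScanner {

    /** Maps each .class entry name to the names of the JARs in dir that contain it. */
    static Map<String, List<String>> indexClasses(File dir) throws IOException {
        File[] files = dir.listFiles();
        if (files == null) {
            throw new IOException("Not a readable directory: " + dir);
        }
        Map<String, List<String>> owners = new TreeMap<String, List<String>>();
        for (File file : files) {
            if (!file.isFile() || !file.getName().endsWith(".jar")) {
                continue;
            }
            JarFile jar = new JarFile(file);
            try {
                Enumeration<JarEntry> entries = jar.entries();
                while (entries.hasMoreElements()) {
                    String name = entries.nextElement().getName();
                    // Skip non-class entries and the per-JAR descriptors that
                    // newer JARs legitimately repeat.
                    if (!name.endsWith(".class") || name.startsWith("META-INF/")
                            || name.equals("module-info.class")) {
                        continue;
                    }
                    List<String> jars = owners.get(name);
                    if (jars == null) {
                        jars = new ArrayList<String>();
                        owners.put(name, jars);
                    }
                    jars.add(file.getName());
                }
            } finally {
                jar.close();
            }
        }
        return owners;
    }

    /** Keeps only the classes that more than one JAR provides. */
    static Map<String, List<String>> duplicates(Map<String, List<String>> owners) {
        Map<String, List<String>> result = new TreeMap<String, List<String>>();
        for (Map.Entry<String, List<String>> entry : owners.entrySet()) {
            if (entry.getValue().size() > 1) {
                result.put(entry.getKey(), entry.getValue());
            }
        }
        return result;
    }

    /** Turns "a/b/Outer$Inner.class" into "a.b.Outer$Inner". */
    static String className(String entryName) {
        String withoutSuffix = entryName.substring(0, entryName.length() - ".class".length());
        return withoutSuffix.replace('/', '.');
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java DuplicateClassScanner <directory with JAR files>");
            System.exit(2);
        }
        Map<String, List<String>> dups = duplicates(indexClasses(new File(args[0])));
        for (Map.Entry<String, List<String>> entry : dups.entrySet()) {
            System.out.println(className(entry.getKey()) + " found in " + entry.getValue());
        }
        System.exit(dups.isEmpty() ? 0 : 1);
    }
}
```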

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: 31 May 2017 23:52 To:
> users@tomcat.apache.org Subject: [External] Re: Security Headers
> Implementation in Tomcat 6.x version
> 
> Mohammad,
> 
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains
>> executable code of filter classes (security headers), and put
>> them into corresponding location in Tomcat 6?
> 
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure
> you have all of them.
> 
> So, basically, create a new JAR file that contains only those
> Filter classes (don't forget any inner classes that might be found
> in separate .class files).
> 
> -chris
> 



RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

What should be name of the new JAR file that I would create for the Filter 
classes?

There are multiple JAR files in lib folder. Does the name of these JAR files 
have any significance?

My understanding is that as long as you have your code (.class files) is 
present in any of the JAR files under "lib" folder, system would get it. You 
don’t need to have a specific-named JAR files having specific-named .class 
files. The .class files from all the jar files under lib folder is considered 
as one big collection, and based on the invoked classname its corresponding 
.class file gets executed from that big code. Multiple JAR files with different 
names is setup just for logical classification of classes. Please correct me if 
this is not right.

- Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 31 May 2017 23:52
To: users@tomcat.apache.org
Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version


Mohammad,

On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains executable
> code of filter classes (security headers), and put them into
> corresponding location in Tomcat 6?

Definitely don't do that. But you could probably grab the compiled .class files 
from Tomcat 7's binary distribution... just make sure you have all of them.

So, basically, create a new JAR file that contains only those Filter classes 
(don't forget any inner classes that might be found in separate .class files).

-chris


Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Christopher Schultz

Mohammad,

On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
> Can I simply use the JAR files from Tomcat 7 that contains 
> executable code of filter classes (security headers), and put them 
> into corresponding location in Tomcat 6?

Definitely don't do that. But you could probably grab the compiled
.class files from Tomcat 7's binary distribution... just make sure you
have all of them.

So, basically, create a new JAR file that contains only those Filter
classes (don't forget any inner classes that might be found in
separate .class files).

-chris



Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Olaf Kock
On 29.05.2017 at 13:34, Shaik, Mohammad N. wrote:
> Hello Olaf,
>
> Thanks for your response!
>
> Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 
> 6 server, since our header configuration is going to be static.
>
> Can you please help us in identifying which version of Apache HTTP Server we 
> can use for Tomcat 6 version? Also, it will be great if you can share some 
> guidelines on how to implement Apache in front of Tomcat.

For completeness sake I'd like to answer a few of these questions,
rather briefly. It seems that you're deep into implementing
Christopher's solution of compiling the newer filters for Tomcat 6.

Every current Apache httpd is fine, no version restriction. Especially:
Choose one that will get updates for quite a while, not like the
outdated Tomcat version you're running. Read on mod_proxy,
mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the
connection between Apache and tomcat. Once you've set this up, setting
the headers is a matter of adding the "Header" directive to httpd's
configuration. I understand though, that setting up the connection can
be some task if you've never done that. Especially if you're using
https, and also refer to it in your webapp's code (e.g. to validate
client certs) - but as you give no clue you're doing that, I'm assuming
you don't and the setup would be easy.

Anyway, feel free to utilize the newer code - I just wanted this
information to be in this thread as well. However, once you're done with
it: Utilize even more newer code and prepare to migrate away from your
discontinued tomcat version.

Olaf






Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Violeta Georgieva
Hi,

2017-05-31 13:37 GMT+03:00 Shaik, Mohammad N. <
mohammad.n.sh...@accenture.com>:
>
> Hi Chris,
>
> Can I simply use the JAR files from Tomcat 7 that contains executable
> code of filter classes (security headers), and put them into corresponding
> location in Tomcat 6?

I would not recommend that. You might easily hit variety of class loading
problems.
Just grab the java files and compile them against Tomcat/lib.

Regards,
Violeta

>
> Regards,
> Mohammad
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other
> downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the
> complete source-to-binary for Tomcat 7. Just grab the source, take the
> classes you need, and compile them against the servlet JAR you already have
> for Tomcat 6. Feel free to re-name the packages if they are awkward for you
> to compile/install and then just reference the new class names in your
> application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case
> they include e.g. security updates -- you'll want to apply those same
> updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
> backward-compatible with all spec-compliant applications, though it does
> behave differently sometimes as the Servlet Experts Group has clarified
> certain questions or added new capabilities (like annotation-processing). I
> recommend a long period of testing with a new version of Tomcat, but I also
> recommend that you begin that testing as soon as possible. Tomcat 6 will
> probably receive *no further updates, security or otherwise*, even if a
> vulnerability is found.
>
> -chris
>
> > -Original Message- From: Christopher Schultz
> > [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> > users@tomcat.apache.org Subject: Re: Security Headers Implementation
> > in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat 7 to run.
> >
> >> Can you please help us in identifying which version of Apache HTTP
> >> Server we can use for Tomcat 6 version? Also, it will be great if you
> >> can share some guidelines on how to implement Apache in front of
> >> Tomcat.
> > All supported versions of Apache web server work with all supported
> > versions of Tomcat (as well as Tomcat 6). You have several choices for
> > how to connect them together, but the most straightforward is to use
> > mod_proxy_http from httpd to Tomcat.
> > Tomcat behaves exactly as it did before and requires no additional
> > configuration unless you are moving TLS termination from Tomcat to
> > httpd. If that's the case, there are many guides on the web as well as
> > on Tomcat's Presentations Page[2] that document how to do that.
> >
> > Hope that helps, -chris
> >
> > [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> > http://tomcat.apache.org/presentations.html
> >

Re: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Violeta Georgieva
Hi,

2017-05-31 13:34 GMT+03:00 Shaik, Mohammad N. <
mohammad.n.sh...@accenture.com>:
>
> Hi Chris,
>
> I got the source files (.java) of the filter classes that I was looking
> for.
>
> Should we compile the source file against the servlet jar file(s) present
> in "[Tomcat]\lib\"

Yes.
Compile them against the jar files located in Tomcat/lib.
The servlet API classes will be loaded from Tomcat/lib a.k.a. common
loader. More you can find here:

http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html#Class_Loader_Definitions
- Common — This class loader contains additional classes that are made
visible to both Tomcat internal classes and to all web applications.
- WebappX — A class loader is created for each web application that is
deployed in a single Tomcat instance.


> or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there are
> multiple JAR files in both these locations. How to locate the exact JAR
> file which should be used to compile source files?
>
> My understanding is that as long as you have your code (.class files) in
> any of the JAR files under "lib" folder, system would get it. You don’t
> need to have specific code in specific JAR file. Code from all the jar
> files under lib folder is considered as one big code, and based on the
> class invoked its corresponding code gets executed from that one big code.
> Please correct me if this is not right.
>
> Also, should we include the filters in web.xml file under
> "[Tomcat]\conf\" folder or under "WEB-INF" folder of my application?

The web.xml located in Tomcat/conf is the "global" one. The configurations
there will be applied to every web application deployed on the Tomcat
instance. So if you need to apply this filter to all web apps then place
the definition and configurations there. Otherwise you can provide the
filter definition and configurations in the WEB-INF/web.xml for a
particular web app.

Regards,
Violeta

>
>
> Regards,
> Mohammad
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 30 May 2017 21:06
> To: users@tomcat.apache.org
> Subject: Re: Security Headers Implementation in Tomcat 6.x version
>
>
> Mohammad,
>
> On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> > Thanks for the valuable input, that helps!! We shall go with getting
> > the source package of Tomcat 7, put them in Tomcat 6 and use the
> > filters of Tomcat 7 in Tomcat 6.
> >
> > Can you please let me know from where I can get/download the source
> > package of Tomcat 7? Also can you please share the location of the
> > source package in Tomcat 6 so that we can replace it with the one from
> > Tomcat 7?
>
> The source download for Tomcat 7 is in the same place all the other
> downloads are.
>
> You will not need the source for Tomcat 6, nor will you need to build the
> complete source-to-binary for Tomcat 7. Just grab the source, take the
> classes you need, and compile them against the servlet JAR you already have
> for Tomcat 6. Feel free to re-name the packages if they are awkward for you
> to compile/install and then just reference the new class names in your
> application/server.
>
> Remember to watch for patches to those source files in Tomcat 7 in case
> they include e.g. security updates -- you'll want to apply those same
> updates to the code you have taken from Tomcat 7.
>
> A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
> backward-compatible with all spec-compliant applications, though it does
> behave differently sometimes as the Servlet Experts Group has clarified
> certain questions or added new capabilities (like annotation-processing). I
> recommend a long period of testing with a new version of Tomcat, but I also
> recommend that you begin that testing as soon as possible. Tomcat 6 will
> probably receive *no further updates, security or otherwise*, even if a
> vulnerability is found.
>
> -chris
>
> > -Original Message- From: Christopher Schultz
> > [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> > users@tomcat.apache.org Subject: Re: Security Headers Implementation
> > in Tomcat 6.x version
> >
> > Mohammad,
> >
> > On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> >> Based on your inputs, we are thinking to put Apache httpd in front of
> >> Tomcat 6 server, since our header configuration is going to be
> >> static.
> >
> > This might not be a bad idea for a number of reasons, but it is by no
> > means required.
> >
> > You can download the Tomcat 7 source package and use the security
> > filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> > actually requires Tomcat

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

Can I simply use the JAR files from Tomcat 7 that contains executable code of 
filter classes (security headers), and put them into corresponding location in 
Tomcat 6?

Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting
> the source package of Tomcat 7, put them in Tomcat 6 and use the
> filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source
> package of Tomcat 7? Also can you please share the location of the
> source package in Tomcat 6 so that we can replace it with the one from
> Tomcat 7?

The source download for Tomcat 7 is in the same place all the other downloads 
are.

You will not need the source for Tomcat 6, nor will you need to build the 
complete source-to-binary for Tomcat 7. Just grab the source, take the classes 
you need, and compile them against the servlet JAR you already have for Tomcat 
6. Feel free to re-name the packages if they are awkward for you to 
compile/install and then just reference the new class names in your 
application/server.

Remember to watch for patches to those source files in Tomcat 7 in case they 
include e.g. security updates -- you'll want to apply those same updates to the 
code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is 
backward-compatible with all spec-compliant applications, though it does behave 
differently sometimes as the Servlet Experts Group has clarified certain 
questions or added new capabilities (like annotation-processing). I recommend a 
long period of testing with a new version of Tomcat, but I also recommend that 
you begin that testing as soon as possible. Tomcat 6 will probably receive *no 
further updates, security or otherwise*, even if a vulnerability is found.

-chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers Implementation
> in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of
>> Tomcat 6 server, since our header configuration is going to be
>> static.
>
> This might not be a bad idea for a number of reasons, but it is by no
> means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP
>> Server we can use for Tomcat 6 version? Also, it will be great if you
>> can share some guidelines on how to implement Apache in front of
>> Tomcat.
> All supported versions of Apache web server work with all supported
> versions of Tomcat (as well as Tomcat 6). You have several choices for
> how to connect them together, but the most straightforward is to use
> mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well as
> on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-31 Thread Shaik, Mohammad N.
Hi Chris,

I got the source files (.java) of the filter classes that I was looking for.

Should we compile the source file against the servlet jar file(s) present in 
"[Tomcat]\lib\" or "[Tomcat]\webapps\ApplicationName\WEB-INF\lib"? I see there 
are multiple JAR files in both these locations. How to locate the exact JAR 
file which should be used to compile source files?

My understanding is that as long as you have your code (.class files) in any of 
the JAR files under "lib" folder, system would get it. You don’t need to have 
specific code in specific JAR file. Code from all the jar files under lib 
folder is considered as one big code, and based on the class invoked its 
corresponding code gets executed from that one big code. Please correct me if 
this is not right.

Also, should we include the filters in web.xml file under "[Tomcat]\conf\" 
folder or under "WEB-INF" folder of my application?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 30 May 2017 21:06
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with getting
> the source package of Tomcat 7, put them in Tomcat 6 and use the
> filters of Tomcat 7 in Tomcat 6.
>
> Can you please let me know from where I can get/download the source
> package of Tomcat 7? Also can you please share the location of the
> source package in Tomcat 6 so that we can replace it with the one from
> Tomcat 7?

The source download for Tomcat 7 is in the same place all the other downloads 
are.

You will not need the source for Tomcat 6, nor will you need to build the 
complete source-to-binary for Tomcat 7. Just grab the source, take the classes 
you need, and compile them against the servlet JAR you already have for Tomcat 
6. Feel free to re-name the packages if they are awkward for you to 
compile/install and then just reference the new class names in your 
application/server.

Remember to watch for patches to those source files in Tomcat 7 in case they 
include e.g. security updates -- you'll want to apply those same updates to the 
code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is 
backward-compatible with all spec-compliant applications, though it does behave 
differently sometimes as the Servlet Experts Group has clarified certain 
questions or added new capabilities (like annotation-processing). I recommend a 
long period of testing with a new version of Tomcat, but I also recommend that 
you begin that testing as soon as possible. Tomcat 6 will probably receive *no 
further updates, security or otherwise*, even if a vulnerability is found.

- -chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To:
> users@tomcat.apache.org Subject: Re: Security Headers Implementation
> in Tomcat 6.x version
>
> Mohammad,
>
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in front of
>> Tomcat 6 server, since our header configuration is going to be
>> static.
>
> This might not be a bad idea for a number of reasons, but it is by no
> means required.
>
> You can download the Tomcat 7 source package and use the security
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
> actually requires Tomcat 7 to run.
>
>> Can you please help us in identifying which version of Apache HTTP
>> Server we can use for Tomcat 6 version? Also, it will be great if you
>> can share some guidelines on how to implement Apache in front of
>> Tomcat.
> All supported versions of Apache web server work with all supported
> versions of Tomcat (as well as Tomcat 6). You have several choices for
> how to connect them together, but the most straightforward is to use
> mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well as
> on Tomcat's Presentations Page[2] that document how to do that.
>
> Hope that helps, -chris
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2]
> http://tomcat.apache.org/presentations.html
>

Re: Security Headers Implementation in Tomcat 6.x version

2017-05-30 Thread Christopher Schultz

Mohammad,

On 5/30/17 2:13 AM, Shaik, Mohammad N. wrote:
> Thanks for the valuable input, that helps!! We shall go with
> getting the source package of Tomcat 7, put them in Tomcat 6 and
> use the filters of Tomcat 7 in Tomcat 6.
> 
> Can you please let me know from where I can get/download the
> source package of Tomcat 7? Also can you please share the location
> of the source package in Tomcat 6 so that we can replace it with
> the one from Tomcat 7?

The source download for Tomcat 7 is in the same place all the other
downloads are.

You will not need the source for Tomcat 6, nor will you need to build
the complete source-to-binary for Tomcat 7. Just grab the source, take
the classes you need, and compile them against the servlet JAR you
already have for Tomcat 6. Feel free to re-name the packages if they
are awkward for you to compile/install and then just reference the new
class names in your application/server.

Remember to watch for patches to those source files in Tomcat 7 in
case they include e.g. security updates -- you'll want to apply those
same updates to the code you have taken from Tomcat 7.

A longer-term goal should be to upgrade to Tomcat 8 or 8.5. Tomcat is
backward-compatible with all spec-compliant applications, though it
does behave differently sometimes as the Servlet Experts Group has
clarified certain questions or added new capabilities (like
annotation-processing). I recommend a long period of testing with a
new version of Tomcat, but I also recommend that you begin that
testing as soon as possible. Tomcat 6 will probably receive *no
further updates, security or otherwise*, even if a vulnerability is found.

- -chris

> -Original Message- From: Christopher Schultz 
> [mailto:ch...@christopherschultz.net] Sent: 29 May 2017 20:57 To: 
> users@tomcat.apache.org Subject: Re: Security Headers
> Implementation in Tomcat 6.x version
> 
> Mohammad,
> 
> On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
>> Based on your inputs, we are thinking to put Apache httpd in
>> front of Tomcat 6 server, since our header configuration is going
>> to be static.
> 
> This might not be a bad idea for a number of reasons, but it is by
> no means required.
> 
> You can download the Tomcat 7 source package and use the security 
> filters from Tomcat 7[1] in Tomcat 6: there is nothing in there
> that actually requires Tomcat 7 to run.
> 
>> Can you please help us in identifying which version of Apache
>> HTTP Server we can use for Tomcat 6 version? Also, it will be
>> great if you can share some guidelines on how to implement Apache
>> in front of Tomcat.
> All supported versions of Apache web server work with all
> supported versions of Tomcat (as well as Tomcat 6). You have
> several choices for how to connect them together, but the most
> straightforward is to use mod_proxy_http from httpd to Tomcat.
> Tomcat behaves exactly as it did before and requires no additional
> configuration unless you are moving TLS termination from Tomcat to
> httpd. If that's the case, there are many guides on the web as well
> as on Tomcat's Presentations Page[2] that document how to do that.
> 
> Hope that helps, -chris
> 
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html [2] 
> http://tomcat.apache.org/presentations.html
> 

RE: Security Headers Implementation in Tomcat 6.x version

2017-05-30 Thread Shaik, Mohammad N.
Hello Chris,

Thanks for the valuable input, that helps!! We shall go with getting the source 
package of Tomcat 7, put them in Tomcat 6 and use the filters of Tomcat 7 in 
Tomcat 6.

Can you please let me know from where I can get/download the source package of 
Tomcat 7? Also can you please share the location of the source package in 
Tomcat 6 so that we can replace it with the one from Tomcat 7?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 29 May 2017 20:57
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


Mohammad,

On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front of
> Tomcat 6 server, since our header configuration is going to be static.

This might not be a bad idea for a number of reasons, but it is by no means 
required.

You can download the Tomcat 7 source package and use the security filters from 
Tomcat 7[1] in Tomcat 6: there is nothing in there that actually requires 
Tomcat 7 to run.

> Can you please help us in identifying which version of Apache HTTP
> Server we can use for Tomcat 6 version? Also, it will be great if you
> can share some guidelines on how to implement Apache in front of
> Tomcat.
All supported versions of Apache web server work with all supported versions of 
Tomcat (as well as Tomcat 6). You have several choices for how to connect them 
together, but the most straightforward is to use mod_proxy_http from httpd to 
Tomcat. Tomcat behaves exactly as it did before and requires no additional 
configuration unless you are moving TLS termination from Tomcat to httpd. If 
that's the case, there are many guides on the web as well as on Tomcat's 
Presentations Page[2] that document how to do that.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html




This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise confidential information. If you have received it in 
error, please notify the sender immediately and delete the original. Any other 
use of the e-mail by you is prohibited. Where allowed by local law, electronic 
communications with Accenture and its affiliates, including e-mail and instant 
messaging (including content), may be scanned by our systems for the purposes 
of information security and assessment of internal compliance with Accenture 
policy.
__

www.accenture.com




Re: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Christopher Schultz

Mohammad,

On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front 
> of Tomcat 6 server, since our header configuration is going to be
> static.

This might not be a bad idea for a number of reasons, but it is by no
means required.

You can download the Tomcat 7 source package and use the security
filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
actually requires Tomcat 7 to run.

> Can you please help us in identifying which version of Apache HTTP 
> Server we can use for Tomcat 6 version? Also, it will be great if
> you can share some guidelines on how to implement Apache in front
> of Tomcat.
All supported versions of Apache web server work with all supported
versions of Tomcat (as well as Tomcat 6). You have several choices for
how to connect them together, but the most straightforward is to use
mod_proxy_http from httpd to Tomcat. Tomcat behaves exactly as it did
before and requires no additional configuration unless you are moving
TLS termination from Tomcat to httpd. If that's the case, there are
many guides on the web as well as on Tomcat's Presentations Page[2]
that document how to do that.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html



RE: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Shaik, Mohammad N.
Hello Olaf,

Thanks for your response!

Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 
server, since our header configuration is going to be static.

Can you please help us in identifying which version of Apache HTTP Server we 
can use for Tomcat 6 version? Also, it will be great if you can share some 
guidelines on how to implement Apache in front of Tomcat.


Regards,
Mohammad Nayeem

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 29 May 2017 13:53
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


On 29.05.2017 at 07:59, Shaik, Mohammad N. wrote:
> We are using Tomcat 6.x version and we need to implement the following 
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage 
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see 
> any filters that implement any of these headers. Some of them are available in 
> Tomcat 7 version webpage 
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
> upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
> All your comments on this topic are welcome.
As tomcat 6 is solid out of service for almost half a year already (see 
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and a 
hard place: Invest in a platform that's a potential security threat (it won't 
get any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front of 
tomcat and use its magic to tag most of your headers. For many it will be 
static configuration. If there's anything dynamic that you need, implement a 
servlet filter that just does the job. Hardcode it - you don't need a lot of 
configuration if you come up with a solution that's just used within your 
premises.

If you have multiple web applications that all need the same filter, deploy the 
filter on all of them.

Olaf




Re: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Olaf Kock

On 29.05.2017 at 07:59, Shaik, Mohammad N. wrote:
> We are using Tomcat 6.x version and we need to implement the following 
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage 
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see 
> any filters that implement any of these headers. Some of them are available in 
> Tomcat 7 version webpage 
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
> upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
> All your comments on this topic are welcome.
As tomcat 6 is solid out of service for almost half a year already (see
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and
a hard place: Invest in a platform that's a potential security threat
(it won't get any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front
of tomcat and use its magic to tag most of your headers. For many it
will be static configuration. If there's anything dynamic that you need,
implement a servlet filter that just does the job. Hardcode it - you
don't need a lot of configuration if you come up with a solution that's
just used within your premises.

If you have multiple web applications that all need the same filter,
deploy the filter on all of them.

Olaf

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
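
The hard-coded servlet filter Olaf describes could look like the following on Tomcat 6 (Servlet 2.5). This is an added example, not code from the thread or from Tomcat itself; the package and class names and all header values are constructed assumptions, and Public-Key-Pins is left out because it needs the site's own key hashes.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds fixed security headers to every response of one web application.
 * Servlet 2.5 has no @WebFilter annotation, so the filter is declared in
 * the application's WEB-INF/web.xml (this example assumes the class is
 * packaged inside that application):
 *
 *   <filter>
 *     <filter-name>securityHeaders</filter-name>
 *     <filter-class>example.security.StaticSecurityHeadersFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>securityHeaders</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class StaticSecurityHeadersFilter implements Filter {

    // Header name -> value, sent on every response. Filled once in init()
    // and only read afterwards, so concurrent requests can share it.
    private final Map<String, String> headers = new LinkedHashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        // Constructed sample values: replace with the policy your site needs.
        headers.put("Content-Security-Policy", "default-src 'self'");
        headers.put("X-Frame-Options", "SAMEORIGIN");
        headers.put("X-XSS-Protection", "1; mode=block");
        headers.put("X-Content-Type-Options", "nosniff");
        headers.put("X-Robots-Tag", "noindex, nofollow");
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;

            // Set headers BEFORE calling the chain: once the servlet has
            // committed the response, setHeader() is silently ignored.
            for (Map.Entry<String, String> header : headers.entrySet()) {
                http.setHeader(header.getKey(), header.getValue());
            }

            // HSTS is only meaningful over HTTPS. isSecure() is false when
            // TLS ends at a front-end httpd and the request reaches Tomcat
            // over plain HTTP, unless the Connector is configured with
            // secure="true"; in that setup send HSTS from httpd instead.
            if (request.isSecure()) {
                http.setHeader("Strict-Transport-Security", "max-age=31536000");
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Compile it against the servlet-api.jar that ships with Tomcat 6 and place the class under WEB-INF/classes of each application that needs the headers.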



Re: How to implement Security Headers in Tomcat 6

2017-05-29 Thread manjesh
If the technology is java/j2ee then you can implement some sort of servlet
filter where you can manipulate the HTTP response to add these headers for
each outgoing response. I believe other platforms like .Net should also
support a similar feature to customize the request and response objects.

On Mon, May 29, 2017 at 12:28 PM, Shaik, Mohammad N. <
mohammad.n.sh...@accenture.com> wrote:

> Hello,
>
> Can someone please let me know if the following headers are compatible
> with Tomcat 6.x version? If yes, then how do we enable them?
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 3) Public-Key-Pins
> 4) X-Frame-Options
> 5) X-XSS-Protection
> 6) X-Content-Type-Options
> 7) X-Robots-Tag
>
>
> Kind Regards,
> Mohammad Nayeem
>
> 
>
>


How to implement Security Headers in Tomcat 6

2017-05-29 Thread Shaik, Mohammad N.
Hello,

Can someone please let me know if the following headers are compatible with 
Tomcat 6.x version? If yes, then how do we enable them?

Headers:
1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag


Kind Regards,
Mohammad Nayeem





Security Headers Implementation in Tomcat 6.x version

2017-05-28 Thread Shaik, Mohammad N.
Hello,

We are using Tomcat 6.x version and we need to implement the following headers 
in our environment.

Headers:
1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag

When I checked the Tomcat 6 version webpage 
(https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see any 
filters that implement any of these headers. Some of them are available in Tomcat 
7 version webpage 
(https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
upgrade to Tomcat 7.x version due to some constraints.

Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
All your comments on this topic are welcome.


Kind Regards,
Mohammad Nayeem





Re: Upgrading from tomcat 6 to tomcat 8 | Performance goes down (Http requests)

2016-06-01 Thread Christopher Schultz

Vikas,

On 5/31/16 11:11 PM, vikas chandra yadav wrote:
> Hi, I am upgrading from tomcat 6 to tomcat 8. My throughput get
> decreased by 40%.
> 
> Simple sending http request from jmeter using 40 threads. In tomcat
> 6 it is 11 in tomcat 7(last version) it is 108000 in tomcat 8 -
> 8
> 
> Please suggest if we have to disable any auto enable feature of do
> tuning.

Please post your  configuration for each version and
explain your testing methodology.

- -chris



Upgrading from tomcat 6 to tomcat 8 | Performance goes down (Http requests)

2016-05-31 Thread vikas chandra yadav
Hi,
I am upgrading from tomcat 6 to tomcat 8.
My throughput get decreased by 40%.

Simple sending http request from jmeter using 40 threads.
In tomcat 6 it is 11
in tomcat 7(last version) it is 108000
in tomcat 8 - 8

Please suggest if we have to disable any auto enable feature of do tuning.

Thanks & Regards,
Vikas


Re: performance of tomcat 8 is less than tomcat 6

2016-04-30 Thread Felix Schumacher

On 20.04.2016 at 12:55, Ravi Chandra Suryavanshi wrote:

Yes I tried the NIO and NIO2 but not seen much difference. The TPS only 
increased 3K  with NIO2.
Can you try it with nio enabled in tomcat 6 and see, if that is slower, 
too? Same with bio and tomcat 8 and see if it is better?


Regards,
 Felix


-Original Message-
From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Wednesday, April 20, 2016 4:21 PM
To: Tomcat Users List
Subject: RE: performance of tomcat 8 is less than tomcat 6

On 20 Apr 2016 1:30 pm, "Ravi Chandra Suryavanshi" < 
ravi.chandra.suryavan...@ericsson.com> wrote:

Hi Christopher,
PFA, the requested XMLs. Just want to highlight that tomcat 8  is not

able to use the CPU usage. I have tried maxThread 200,300,400 but result is 
same sometimes even less TPS.

Regards,
Ravi

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, April 19, 2016 7:38 PM
To: Tomcat Users List
Subject: Re: performance of tomcat 8 is less than tomcat 6


Ravi,

On 4/19/16 1:04 AM, Ravi Chandra Suryavanshi wrote:

Hi, I am using tomcat 6 in my product. I am planning to upgrade to
tomcat 8 as tomcat is going to EoS in Dec-2016. I have just taken
the performance of Tomcat 8 and found the 70% less performance
compared to tomcat 6. See the below results Tomcat 6 is giving
167473.2/s whereas tomcat 8 is giving 100436.6/s I have just
compared with two standalone tomcat which is just hitting the
HelloWorld servlet available in example.

Kindly let me know what need to configure to boost the performance.

Following are my setup: Java=Java 8 HttpClient=HttpClient4 Benchmark
tool=jmeter

testserver:~# uname -a Linux testserver 3.10.0-229.el7.x86_64 #1 SMP
Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux



testserver:~# lscpu Architecture:  x86_64 CPU op-mode(s):
32-bit, 64-bit Byte Order:Little Endian CPU(s):
32 On-line CPU(s) list:   0-31 Thread(s) per core:2 Core(s) per
socket:8 Socket(s): 2 NUMA node(s):  2
Vendor ID: GenuineIntel CPU family:6 Model:
63 Model name:Intel(R) Xeon(R) CPU E5-2640 v3 @
2.60GHz Stepping:  2 CPU MHz:   2600.000
BogoMIPS:  5210.53 Virtualization:VT-x L1d
cache: 32K L1i cache: 32K L2 cache:
256K L3 cache:  20480K NUMA node0 CPU(s):
0-7,16-23 NUMA node1 CPU(s): 8-15,24-31

testserver:~# vmstat -s 131730840 K total memory 5931052 K used
memory
7126352 K active memory 5511616 K inactive memory 116069376 K free
memory 20888 K buffer memory 9709520 K swap cache 11681788 K total
swap 0 K used swap 11681788 K free swap 54069797 non-nice user cpu
ticks 997 nice user cpu ticks 9712353 system cpu ticks
15112937897 idle cpu ticks 37101 IO-wait cpu ticks 73 IRQ cpu ticks
21245 softirq cpu ticks 0 stolen cpu ticks 8918100 pages paged in
267868897 pages paged out 0 pages swapped in 0 pages swapped out
4281536287 interrupts 4185543972 CPU context switches
1456296771 boot time 84815522 forks



Tomcat 6 performance

Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016
_x86_64_(32 CPU) 05:36:33 PM CPU %user %nice
%system   %iowait%steal %idle 05:36:38 PM all 37.66
0.00 14.69  0.10  0.00 47.55 05:36:43 PM all
37.61  0.00 14.50  0.01  0.00 47.89 05:36:48 PM
all 38.31  0.00 14.48  0.03  0.00 47.19
05:36:53 PM all 37.45  0.00 14.53  0.01
0.00 48.01 05:36:58 PM all 37.97  0.00 14.67
0.02  0.00 47.34 05:37:03 PM all 37.68  0.00
14.62  0.01  0.00 47.69

Created the tree successfully using HTTPRequest.jmx Starting the
test @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701) Waiting for
possible shutdown message on port 4445 summary +  16181 in   1.3s =
12893.2/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%)
Active: 3 Started: 3 Finished: 0 summary + 5187350 in30s =
172911.7/s Avg: 0 Min: 0 Max:31 Err: 0 (0.00%)
Active: 24 Started: 24 Finished: 0 summary = 5203531 in  31.3s =
166486.4/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%)
summary + 5207210 in30s = 173573.7/s Avg: 0 Min: 0 Max:
26 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0 summary =
10410741 in  61.3s = 169957.4/s Avg: 0 Min: 0 Max:67
Err: 0 (0.00%) summary + 5039715 in30s = 167990.5/s Avg:
0 Min: 0 Max:13 Err: 0 (0.00%) Active: 24 Started: 24
Finished: 0 summary = 15450456 in  91.3s = 169310.8/s Avg: 0
Min: 0 Max:67 Err: 0 (0.00%) summary + 5024196 in
30s = 167473.2/s Avg: 0 Min: 0 Max:22 Err: 0
(0.00%) Active: 24 Started: 24 Finished: 0 summary = 20474652 in
121s = 168856.1/s Avg: 0 Min: 0 Max:67 

RE: performance of tomcat 8 is less than tomcat 6

2016-04-21 Thread Ravi Chandra Suryavanshi
Hi Christopher,
I am using simple HelloWorld servlet. Which will give "Hello World!" as 
response. There is no business logic in the servlet. Same code is executing on 
both the version of tomcat. 

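import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Benchmark target: no business logic, only a fixed HTML page.
public class HelloWorld extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException
    {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html>");
        out.println("<head>");
        out.println("<title>Hello World!</title>");
        out.println("</head>");
        out.println("<body>");
        out.println("<h1>Hello World!</h1>");
        out.println("</body>");
        out.println("</html>");
    }
}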

-Ravi
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, April 21, 2016 7:37 PM
To: Tomcat Users List
Subject: Re: performance of tomcat 8 is less than tomcat 6

Ravi,

On 4/20/16 6:55 AM, Ravi Chandra Suryavanshi wrote:
> Yes I tried the NIO and NIO2 but not seen much difference. The TPS 
> only increased 3K  with NIO2.

What is your test case?

-chris




Re: performance of tomcat 8 is less than tomcat 6

2016-04-21 Thread Christopher Schultz
Ravi,

On 4/20/16 6:55 AM, Ravi Chandra Suryavanshi wrote:
> Yes I tried the NIO and NIO2 but not seen much difference. The TPS
> only increased 3K  with NIO2.

What is your test case?

-chris




RE: performance of tomcat 8 is less than tomcat 6

2016-04-20 Thread Ravi Chandra Suryavanshi
Yes I tried the NIO and NIO2 but not seen much difference. The TPS only 
increased 3K  with NIO2.

-Original Message-
From: Igor Cicimov [mailto:icici...@gmail.com] 
Sent: Wednesday, April 20, 2016 4:21 PM
To: Tomcat Users List
Subject: RE: performance of tomcat 8 is less than tomcat 6

On 20 Apr 2016 1:30 pm, "Ravi Chandra Suryavanshi" < 
ravi.chandra.suryavan...@ericsson.com> wrote:
>
> Hi Christopher,
> PFA, the requested XMLs. Just want to highlight that tomcat 8  is not
able to use the CPU usage. I have tried maxThread 200,300,400 but result is 
same sometimes even less TPS.
> Regards,
> Ravi
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, April 19, 2016 7:38 PM
> To: Tomcat Users List
> Subject: Re: performance of tomcat 8 is less than tomcat 6
>
>
> Ravi,
>
> On 4/19/16 1:04 AM, Ravi Chandra Suryavanshi wrote:
> > Hi, I am using tomcat 6 in my product. I am planning to upgrade to 
> > tomcat 8 as tomcat is going to EoS in Dec-2016. I have just taken 
> > the performance of Tomcat 8 and found the 70% less performance 
> > compared to tomcat 6. See the below results Tomcat 6 is giving 
> > 167473.2/s whereas tomcat 8 is giving 100436.6/s I have just 
> > compared with two standalone tomcat which is just hitting the 
> > HelloWorld servlet available in example.
> >
> > Kindly let me know what need to configure to boost the performance.
> >
> > Following are my setup: Java=Java 8 HttpClient=HttpClient4 Benchmark 
> > tool=jmeter
> >
> > testserver:~# uname -a Linux testserver 3.10.0-229.el7.x86_64 #1 SMP 
> > Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> >
> > testserver:~# lscpu Architecture:  x86_64 CPU op-mode(s):
> > 32-bit, 64-bit Byte Order:Little Endian CPU(s):
> > 32 On-line CPU(s) list:   0-31 Thread(s) per core:2 Core(s) per
> > socket:8 Socket(s): 2 NUMA node(s):  2
> > Vendor ID: GenuineIntel CPU family:6 Model:
> > 63 Model name:Intel(R) Xeon(R) CPU E5-2640 v3 @
> > 2.60GHz Stepping:  2 CPU MHz:   2600.000
> > BogoMIPS:  5210.53 Virtualization:VT-x L1d
> > cache: 32K L1i cache: 32K L2 cache:
> > 256K L3 cache:  20480K NUMA node0 CPU(s):
> > 0-7,16-23 NUMA node1 CPU(s): 8-15,24-31
> >
> > testserver:~# vmstat -s 131730840 K total memory 5931052 K used 
> > memory
> > 7126352 K active memory 5511616 K inactive memory 116069376 K free 
> > memory 20888 K buffer memory 9709520 K swap cache 11681788 K total 
> > swap 0 K used swap 11681788 K free swap 54069797 non-nice user cpu 
> > ticks 997 nice user cpu ticks 9712353 system cpu ticks
> > 15112937897 idle cpu ticks 37101 IO-wait cpu ticks 73 IRQ cpu ticks
> > 21245 softirq cpu ticks 0 stolen cpu ticks 8918100 pages paged in
> > 267868897 pages paged out 0 pages swapped in 0 pages swapped out
> > 4281536287 interrupts 4185543972 CPU context switches
> > 1456296771 boot time 84815522 forks
> >
> >
> >
> > Tomcat 6 performance
> >
> > Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016
> > _x86_64_(32 CPU) 05:36:33 PM CPU %user %nice
> > %system   %iowait%steal %idle 05:36:38 PM all 37.66
> > 0.00 14.69  0.10  0.00 47.55 05:36:43 PM all
> > 37.61  0.00 14.50  0.01  0.00 47.89 05:36:48 PM
> > all 38.31  0.00 14.48  0.03  0.00 47.19
> > 05:36:53 PM all 37.45  0.00 14.53  0.01
> > 0.00 48.01 05:36:58 PM all 37.97  0.00 14.67
> > 0.02  0.00 47.34 05:37:03 PM all 37.68  0.00
> > 14.62  0.01  0.00 47.69
> >
> > Created the tree successfully using HTTPRequest.jmx Starting the 
> > test @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701) Waiting for
> > possible shutdown message on port 4445 summary +  16181 in   1.3s =
> > 12893.2/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%)
> > Active: 3 Started: 3 Finished: 0 summary + 5187350 in30s =
> > 172911.7/s Avg: 0 Min: 0 Max:31 Err: 0 (0.00%)
> > Active: 24 Started: 24 Finished: 0 summary = 5203531 in  31.3s =
> > 166486.4/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%)
> > summary + 5207210 in30s = 173573.7/s Avg: 0 Min: 0 Max:
> > 26 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0 summary =
> > 104

RE: performance of tomcat 8 is less than tomcat 6

2016-04-20 Thread Igor Cicimov
On 20 Apr 2016 1:30 pm, "Ravi Chandra Suryavanshi" <
ravi.chandra.suryavan...@ericsson.com> wrote:
>
> Hi Christopher,
> PFA, the requested XMLs. Just want to highlight that tomcat 8  is not
> able to use the CPU usage. I have tried maxThread 200,300,400 but result is
> same sometimes even less TPS.
> Regards,
> Ravi
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, April 19, 2016 7:38 PM
> To: Tomcat Users List
> Subject: Re: performance of tomcat 8 is less than tomcat 6
>
> Ravi,
>
> On 4/19/16 1:04 AM, Ravi Chandra Suryavanshi wrote:
> > Hi, I am using tomcat 6 in my product. I am planning to upgrade to
> > tomcat 8 as tomcat is going to EoS in Dec-2016. I have just taken the
> > performance of Tomcat 8 and found the 70% less performance compared to
> > tomcat 6. See the below results Tomcat 6 is giving 167473.2/s whereas
> > tomcat 8 is giving 100436.6/s I have just compared with two standalone
> > tomcat which is just hitting the HelloWorld servlet available in
> > example.
> >
> > Kindly let me know what need to configure to boost the performance.
> >
> > Following are my setup: Java=Java 8 HttpClient=HttpClient4 Benchmark
> > tool=jmeter
> >
> > testserver:~# uname -a Linux testserver 3.10.0-229.el7.x86_64 #1 SMP
> > Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> >
> > testserver:~# lscpu Architecture:  x86_64 CPU op-mode(s):
> > 32-bit, 64-bit Byte Order:Little Endian CPU(s):
> > 32 On-line CPU(s) list:   0-31 Thread(s) per core:2 Core(s) per
> > socket:8 Socket(s): 2 NUMA node(s):  2
> > Vendor ID: GenuineIntel CPU family:6 Model:
> > 63 Model name:Intel(R) Xeon(R) CPU E5-2640 v3 @
> > 2.60GHz Stepping:  2 CPU MHz:   2600.000
> > BogoMIPS:  5210.53 Virtualization:VT-x L1d
> > cache: 32K L1i cache: 32K L2 cache:
> > 256K L3 cache:  20480K NUMA node0 CPU(s):
> > 0-7,16-23 NUMA node1 CPU(s): 8-15,24-31
> >
> > testserver:~# vmstat -s 131730840 K total memory 5931052 K used memory
> > 7126352 K active memory 5511616 K inactive memory 116069376 K free
> > memory 20888 K buffer memory 9709520 K swap cache 11681788 K total
> > swap 0 K used swap 11681788 K free swap 54069797 non-nice user cpu
> > ticks 997 nice user cpu ticks 9712353 system cpu ticks
> > 15112937897 idle cpu ticks 37101 IO-wait cpu ticks 73 IRQ cpu ticks
> > 21245 softirq cpu ticks 0 stolen cpu ticks 8918100 pages paged in
> > 267868897 pages paged out 0 pages swapped in 0 pages swapped out
> > 4281536287 interrupts 4185543972 CPU context switches
> > 1456296771 boot time 84815522 forks
> >
> >
> >
> > Tomcat 6 performance
> >
> > Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016
> > _x86_64_(32 CPU) 05:36:33 PM CPU %user %nice
> > %system   %iowait%steal %idle 05:36:38 PM all 37.66
> > 0.00 14.69  0.10  0.00 47.55 05:36:43 PM all
> > 37.61  0.00 14.50  0.01  0.00 47.89 05:36:48 PM
> > all 38.31  0.00 14.48  0.03  0.00 47.19
> > 05:36:53 PM all 37.45  0.00 14.53  0.01
> > 0.00 48.01 05:36:58 PM all 37.97  0.00 14.67
> > 0.02  0.00 47.34 05:37:03 PM all 37.68  0.00
> > 14.62  0.01  0.00 47.69
> >
> > Created the tree successfully using HTTPRequest.jmx Starting the test
> > @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701) Waiting for
> > possible shutdown message on port 4445 summary +  16181 in   1.3s =
> > 12893.2/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%)
> > Active: 3 Started: 3 Finished: 0 summary + 5187350 in30s =
> > 172911.7/s Avg: 0 Min: 0 Max:31 Err: 0 (0.00%)
> > Active: 24 Started: 24 Finished: 0 summary = 5203531 in  31.3s =
> > 166486.4/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%)
> > summary + 5207210 in30s = 173573.7/s Avg: 0 Min: 0 Max:
> > 26 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0 summary =
> > 10410741 in  61.3s = 169957.4/s Avg: 0 Min: 0 Max:67
> > Err: 0 (0.00%) summary + 5039715 in30s = 167990.5/s Avg:
> > 0 Min: 0 Max:13 Err: 0 (0.00%) Active: 24 Started: 24
> > Finished: 0 summary = 15450456 in  91.3s = 169310.8/s Avg: 0
> > Min: 0 Max:67 Err

RE: performance of tomcat 8 is less than tomcat 6

2016-04-19 Thread Ravi Chandra Suryavanshi
Hi Christopher,
PFA, the requested XMLs. Just want to highlight that tomcat 8  is not able to 
use the CPU usage. I have tried maxThread 200,300,400 but result is same 
sometimes even less TPS. 
Regards,
Ravi 

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, April 19, 2016 7:38 PM
To: Tomcat Users List
Subject: Re: performance of tomcat 8 is less than tomcat 6

Ravi,

On 4/19/16 1:04 AM, Ravi Chandra Suryavanshi wrote:
> Hi, I am using tomcat 6 in my product. I am planning to upgrade to 
> tomcat 8 as tomcat is going to EoS in Dec-2016. I have just taken the 
> performance of Tomcat 8 and found the 70% less performance compared to 
> tomcat 6. See the below results Tomcat 6 is giving 167473.2/s whereas 
> tomcat 8 is giving 100436.6/s I have just compared with two standalone 
> tomcat which is just hitting the HelloWorld servlet available in 
> example.
> 
> Kindly let me know what need to configure to boost the performance.
> 
> Following are my setup: Java=Java 8 HttpClient=HttpClient4 Benchmark 
> tool=jmeter
> 
> testserver:~# uname -a Linux testserver 3.10.0-229.el7.x86_64 #1 SMP 
> Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux
> 
> 
> 
> testserver:~# lscpu Architecture:  x86_64 CPU op-mode(s):
> 32-bit, 64-bit Byte Order:Little Endian CPU(s):
> 32 On-line CPU(s) list:   0-31 Thread(s) per core:2 Core(s) per
> socket:8 Socket(s): 2 NUMA node(s):  2 
> Vendor ID: GenuineIntel CPU family:6 Model:
> 63 Model name:Intel(R) Xeon(R) CPU E5-2640 v3 @
> 2.60GHz Stepping:  2 CPU MHz:   2600.000 
> BogoMIPS:  5210.53 Virtualization:VT-x L1d
> cache: 32K L1i cache: 32K L2 cache:
> 256K L3 cache:  20480K NUMA node0 CPU(s):
> 0-7,16-23 NUMA node1 CPU(s): 8-15,24-31
> 
> testserver:~# vmstat -s 131730840 K total memory 5931052 K used memory 
> 7126352 K active memory 5511616 K inactive memory 116069376 K free 
> memory 20888 K buffer memory 9709520 K swap cache 11681788 K total 
> swap 0 K used swap 11681788 K free swap 54069797 non-nice user cpu 
> ticks 997 nice user cpu ticks 9712353 system cpu ticks
> 15112937897 idle cpu ticks 37101 IO-wait cpu ticks 73 IRQ cpu ticks 
> 21245 softirq cpu ticks 0 stolen cpu ticks 8918100 pages paged in 
> 267868897 pages paged out 0 pages swapped in 0 pages swapped out 
> 4281536287 interrupts 4185543972 CPU context switches
> 1456296771 boot time 84815522 forks
> 
> 
> 
> Tomcat 6 performance
> 
> Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016
> _x86_64_(32 CPU) 05:36:33 PM CPU %user %nice
> %system   %iowait%steal %idle 05:36:38 PM all 37.66
> 0.00 14.69  0.10  0.00 47.55 05:36:43 PM all
> 37.61  0.00 14.50  0.01  0.00 47.89 05:36:48 PM
> all 38.31  0.00 14.48  0.03  0.00 47.19 
> 05:36:53 PM all 37.45  0.00 14.53  0.01
> 0.00 48.01 05:36:58 PM all 37.97  0.00 14.67
> 0.02  0.00 47.34 05:37:03 PM all 37.68  0.00
> 14.62  0.01  0.00 47.69
> 
> Created the tree successfully using HTTPRequest.jmx Starting the test 
> @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701) Waiting for
> possible shutdown message on port 4445 summary +  16181 in   1.3s =
> 12893.2/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%)
> Active: 3 Started: 3 Finished: 0 summary + 5187350 in30s =
> 172911.7/s Avg: 0 Min: 0 Max:31 Err: 0 (0.00%)
> Active: 24 Started: 24 Finished: 0 summary = 5203531 in  31.3s =
> 166486.4/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%) 
> summary + 5207210 in30s = 173573.7/s Avg: 0 Min: 0 Max:
> 26 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0 summary =
> 10410741 in  61.3s = 169957.4/s Avg: 0 Min: 0 Max:67
> Err: 0 (0.00%) summary + 5039715 in30s = 167990.5/s Avg:
> 0 Min: 0 Max:13 Err: 0 (0.00%) Active: 24 Started: 24
> Finished: 0 summary = 15450456 in  91.3s = 169310.8/s Avg: 0
> Min: 0 Max:67 Err: 0 (0.00%) summary + 5024196 in
> 30s = 167473.2/s Avg: 0 Min: 0 Max:22 Err: 0
> (0.00%) Active: 24 Started: 24 Finished: 0 summary = 20474652 in
> 121s = 168856.1/s Avg: 0 Min: 0 Max:67 Err: 0
> (0.00%)
> 
> 
> --
> tomcat 8
> 
> Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/201

Re: performance of tomcat 8 is less than tomcat 6

2016-04-19 Thread Daniel Savard
2016-04-19 1:04 GMT-04:00 Ravi Chandra Suryavanshi <
ravi.chandra.suryavan...@ericsson.com>:

> Hi,
> I am using tomcat 6 in my product. I am planning to upgrade to tomcat 8 as
> tomcat is going to EoS in Dec-2016.
> I have just taken the performance of Tomcat 8 and found the 70% less
> performance compared to tomcat 6. See the below results Tomcat 6 is giving
> 167473.2/s whereas tomcat 8 is giving 100436.6/s
> I have just compared with two standalone tomcat which is just hitting the
> HelloWorld servlet available in example.
>
> Kindly let me know what need to configure to boost the performance.
>
> Following are my setup:
> Java=Java 8
> HttpClient=HttpClient4
> Benchmark tool=jmeter
>
> testserver:~# uname -a
> Linux testserver 3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38 EST 2015
> x86_64 x86_64 x86_64 GNU/Linux
>
>
>
> testserver:~# lscpu
> Architecture:  x86_64
> CPU op-mode(s):32-bit, 64-bit
> Byte Order:Little Endian
> CPU(s):32
> On-line CPU(s) list:   0-31
> Thread(s) per core:2
> Core(s) per socket:8
> Socket(s): 2
> NUMA node(s):  2
> Vendor ID: GenuineIntel
> CPU family:6
> Model: 63
> Model name:Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
> Stepping:  2
> CPU MHz:   2600.000
> BogoMIPS:  5210.53
> Virtualization:VT-x
> L1d cache: 32K
> L1i cache: 32K
> L2 cache:  256K
> L3 cache:  20480K
> NUMA node0 CPU(s): 0-7,16-23
> NUMA node1 CPU(s): 8-15,24-31
>
> testserver:~# vmstat -s
> 131730840 K total memory
>   5931052 K used memory
>   7126352 K active memory
>   5511616 K inactive memory
> 116069376 K free memory
> 20888 K buffer memory
>   9709520 K swap cache
>  11681788 K total swap
> 0 K used swap
>  11681788 K free swap
>  54069797 non-nice user cpu ticks
>   997 nice user cpu ticks
>   9712353 system cpu ticks
>   15112937897 idle cpu ticks
> 37101 IO-wait cpu ticks
>73 IRQ cpu ticks
> 21245 softirq cpu ticks
> 0 stolen cpu ticks
>   8918100 pages paged in
> 267868897 pages paged out
> 0 pages swapped in
> 0 pages swapped out
>4281536287 interrupts
>4185543972 CPU context switches
>1456296771 boot time
>  84815522 forks
>
>
>
> Tomcat 6 performance
>
> Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016  _x86_64_
>   (32 CPU)
> 05:36:33 PM CPU %user %nice   %system   %iowait%steal
>  %idle
> 05:36:38 PM all 37.66  0.00 14.69  0.10  0.00
>  47.55
> 05:36:43 PM all 37.61  0.00 14.50  0.01  0.00
>  47.89
> 05:36:48 PM all 38.31  0.00 14.48  0.03  0.00
>  47.19
> 05:36:53 PM all 37.45  0.00 14.53  0.01  0.00
>  48.01
> 05:36:58 PM all 37.97  0.00 14.67  0.02  0.00
>  47.34
> 05:37:03 PM all 37.68  0.00 14.62  0.01  0.00
>  47.69
>
> Created the tree successfully using HTTPRequest.jmx
> Starting the test @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701)
> Waiting for possible shutdown message on port 4445
> summary +  16181 in   1.3s = 12893.2/s Avg: 0 Min: 0 Max:67
> Err: 0 (0.00%) Active: 3 Started: 3 Finished: 0
> summary + 5187350 in30s = 172911.7/s Avg: 0 Min: 0 Max:31
> Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
> summary = 5203531 in  31.3s = 166486.4/s Avg: 0 Min: 0 Max:67
> Err: 0 (0.00%)
> summary + 5207210 in30s = 173573.7/s Avg: 0 Min: 0 Max:26
> Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
> summary = 10410741 in  61.3s = 169957.4/s Avg: 0 Min: 0 Max:67
> Err: 0 (0.00%)
> summary + 5039715 in30s = 167990.5/s Avg: 0 Min: 0 Max:13
> Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
> summary = 15450456 in  91.3s = 169310.8/s Avg: 0 Min: 0 Max:67
> Err: 0 (0.00%)
> summary + 5024196 in30s = 167473.2/s Avg: 0 Min: 0 Max:22
> Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
> summary = 20474652 in   121s = 168856.1/s Avg: 0 Min: 0 Max:67
> Err: 0 (0.00%)
>
>
>
> --
> tomcat 8
>
> Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016  _x86_64_
>

Re: performance of tomcat 8 is less than tomcat 6

2016-04-19 Thread Christopher Schultz
Ravi,

On 4/19/16 1:04 AM, Ravi Chandra Suryavanshi wrote:
> Hi, I am using tomcat 6 in my product. I am planning to upgrade to
> tomcat 8 as tomcat is going to EoS in Dec-2016. I have just taken
> the performance of Tomcat 8 and found the 70% less performance
> compared to tomcat 6. See the below results Tomcat 6 is giving
> 167473.2/s whereas tomcat 8 is giving 100436.6/s I have just
> compared with two standalone tomcat which is just hitting the
> HelloWorld servlet available in example.
> 
> Kindly let me know what need to configure to boost the
> performance.
> 
> Following are my setup: Java=Java 8 HttpClient=HttpClient4 
> Benchmark tool=jmeter
> 
> testserver:~# uname -a Linux testserver 3.10.0-229.el7.x86_64 #1
> SMP Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux
> 
> 
> 
> testserver:~# lscpu Architecture:  x86_64 CPU op-mode(s):
> 32-bit, 64-bit Byte Order:Little Endian CPU(s):
> 32 On-line CPU(s) list:   0-31 Thread(s) per core:2 Core(s) per
> socket:8 Socket(s): 2 NUMA node(s):  2 
> Vendor ID: GenuineIntel CPU family:6 Model:
> 63 Model name:Intel(R) Xeon(R) CPU E5-2640 v3 @
> 2.60GHz Stepping:  2 CPU MHz:   2600.000 
> BogoMIPS:  5210.53 Virtualization:VT-x L1d
> cache: 32K L1i cache: 32K L2 cache:
> 256K L3 cache:  20480K NUMA node0 CPU(s):
> 0-7,16-23 NUMA node1 CPU(s): 8-15,24-31
> 
> testserver:~# vmstat -s 131730840 K total memory 5931052 K used
> memory 7126352 K active memory 5511616 K inactive memory 116069376
> K free memory 20888 K buffer memory 9709520 K swap cache 11681788 K
> total swap 0 K used swap 11681788 K free swap 54069797 non-nice
> user cpu ticks 997 nice user cpu ticks 9712353 system cpu ticks 
> 15112937897 idle cpu ticks 37101 IO-wait cpu ticks 73 IRQ cpu
> ticks 21245 softirq cpu ticks 0 stolen cpu ticks 8918100 pages
> paged in 267868897 pages paged out 0 pages swapped in 0 pages
> swapped out 4281536287 interrupts 4185543972 CPU context switches 
> 1456296771 boot time 84815522 forks
> 
> 
> 
> Tomcat 6 performance
> 
> Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016
> _x86_64_(32 CPU) 05:36:33 PM CPU %user %nice
> %system   %iowait%steal %idle 05:36:38 PM all 37.66
> 0.00 14.69  0.10  0.00 47.55 05:36:43 PM all
> 37.61  0.00 14.50  0.01  0.00 47.89 05:36:48 PM
> all 38.31  0.00 14.48  0.03  0.00 47.19 
> 05:36:53 PM all 37.45  0.00 14.53  0.01
> 0.00 48.01 05:36:58 PM all 37.97  0.00 14.67
> 0.02  0.00 47.34 05:37:03 PM all 37.68  0.00
> 14.62  0.01  0.00 47.69
> 
> Created the tree successfully using HTTPRequest.jmx Starting the
> test @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701) Waiting for
> possible shutdown message on port 4445 summary +  16181 in   1.3s =
> 12893.2/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%)
> Active: 3 Started: 3 Finished: 0 summary + 5187350 in30s =
> 172911.7/s Avg: 0 Min: 0 Max:31 Err: 0 (0.00%)
> Active: 24 Started: 24 Finished: 0 summary = 5203531 in  31.3s =
> 166486.4/s Avg: 0 Min: 0 Max:67 Err: 0 (0.00%) 
> summary + 5207210 in30s = 173573.7/s Avg: 0 Min: 0 Max:
> 26 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0 summary =
> 10410741 in  61.3s = 169957.4/s Avg: 0 Min: 0 Max:67
> Err: 0 (0.00%) summary + 5039715 in30s = 167990.5/s Avg:
> 0 Min: 0 Max:13 Err: 0 (0.00%) Active: 24 Started: 24
> Finished: 0 summary = 15450456 in  91.3s = 169310.8/s Avg: 0
> Min: 0 Max:67 Err: 0 (0.00%) summary + 5024196 in
> 30s = 167473.2/s Avg: 0 Min: 0 Max:22 Err: 0
> (0.00%) Active: 24 Started: 24 Finished: 0 summary = 20474652 in
> 121s = 168856.1/s Avg: 0 Min: 0 Max:67 Err: 0
> (0.00%)
> 
> 
> --
> tomcat 8
> 
> Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016
> _x86_64_(32 CPU)
> 
> 06:14:36 PM CPU %user %nice   %system   %iowait
> %steal %idle 06:14:41 PM all 24.10  0.00  9.39
> 0.01  0.00 66.51 06:14:46 PM all 24.62  0.00
> 9.25  0.00  0.00 66.13 06:14:51 PM all 24.66
> 0.00  9.12  0.01  0.00 66.22 06:14:56 PM all
> 23.96  0.00  9.36  0.08  0.00

performance of tomcat 8 is less than tomcat 6

2016-04-18 Thread Ravi Chandra Suryavanshi
Hi,
I am using tomcat 6 in my product. I am planning to upgrade to tomcat 8 as 
tomcat is going to EoS in Dec-2016.
I have just taken the performance of Tomcat 8 and found the 70% less 
performance compared to tomcat 6. See the below results Tomcat 6 is giving 
167473.2/s whereas tomcat 8 is giving 100436.6/s
I have just compared with two standalone tomcat which is just hitting the 
HelloWorld servlet available in example.

Kindly let me know what need to configure to boost the performance.

Following are my setup:
Java=Java 8
HttpClient=HttpClient4
Benchmark tool=jmeter

testserver:~# uname -a
Linux testserver 3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38 EST 2015 
x86_64 x86_64 x86_64 GNU/Linux



testserver:~# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                32
On-line CPU(s) list:   0-31
Thread(s) per core:    2
Core(s) per socket:    8
Socket(s):             2
NUMA node(s):          2
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 63
Model name:            Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
Stepping:              2
CPU MHz:               2600.000
BogoMIPS:              5210.53
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              20480K
NUMA node0 CPU(s):     0-7,16-23
NUMA node1 CPU(s):     8-15,24-31

testserver:~# vmstat -s
    131730840 K total memory
      5931052 K used memory
      7126352 K active memory
      5511616 K inactive memory
    116069376 K free memory
        20888 K buffer memory
      9709520 K swap cache
     11681788 K total swap
            0 K used swap
     11681788 K free swap
     54069797 non-nice user cpu ticks
          997 nice user cpu ticks
      9712353 system cpu ticks
  15112937897 idle cpu ticks
        37101 IO-wait cpu ticks
           73 IRQ cpu ticks
        21245 softirq cpu ticks
            0 stolen cpu ticks
      8918100 pages paged in
    267868897 pages paged out
            0 pages swapped in
            0 pages swapped out
   4281536287 interrupts
   4185543972 CPU context switches
   1456296771 boot time
     84815522 forks



Tomcat 6 performance

Linux 3.10.0-229.el7.x86_64 (testserver)  04/19/2016  _x86_64_  (32 CPU)
05:36:33 PM     CPU     %user     %nice   %system   %iowait    %steal     %idle
05:36:38 PM     all     37.66      0.00     14.69      0.10      0.00     47.55
05:36:43 PM     all     37.61      0.00     14.50      0.01      0.00     47.89
05:36:48 PM     all     38.31      0.00     14.48      0.03      0.00     47.19
05:36:53 PM     all     37.45      0.00     14.53      0.01      0.00     48.01
05:36:58 PM     all     37.97      0.00     14.67      0.02      0.00     47.34
05:37:03 PM     all     37.68      0.00     14.62      0.01      0.00     47.69

Created the tree successfully using HTTPRequest.jmx
Starting the test @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701)
Waiting for possible shutdown message on port 4445
summary +  16181 in   1.3s = 12893.2/s Avg:     0 Min:     0 Max:    67 Err:     0 (0.00%) Active: 3 Started: 3 Finished: 0
summary + 5187350 in    30s = 172911.7/s Avg:     0 Min:     0 Max:    31 Err:     0 (0.00%) Active: 24 Started: 24 Finished: 0
summary = 5203531 in  31.3s = 166486.4/s Avg:     0 Min:     0 Max:    67 Err:     0 (0.00%)
summary + 5207210 in    30s = 173573.7/s Avg:     0 Min:     0 Max:    26 Err:     0 (0.00%) Active: 24 Started: 24 Finished: 0
summary = 10410741 in  61.3s = 169957.4/s Avg:     0 Min:     0 Max:    67 Err:     0 (0.00%)
summary + 5039715 in    30s = 167990.5/s Avg:     0 Min:     0 Max:    13 Err:     0 (0.00%) Active: 24 Started: 24 Finished: 0
summary = 15450456 in  91.3s = 169310.8/s Avg:     0 Min:     0 Max:    67 Err:     0 (0.00%)
summary + 5024196 in    30s = 167473.2/s Avg:     0 Min:     0 Max:    22 Err:     0 (0.00%) Active: 24 Started: 24 Finished: 0
summary = 20474652 in   121s = 168856.1/s Avg:     0 Min:     0 Max:    67 Err:     0 (0.00%)


--
tomcat 8

Linux 3.10.0-229.el7.x86_64 (testserver)  04/19/2016  _x86_64_  (32 CPU)

06:14:36 PM     CPU     %user     %nice   %system   %iowait    %steal     %idle
06:14:41 PM     all     24.10      0.00      9.39      0.01      0.00     66.51
06:14:46 PM     all     24.62      0.00      9.25      0.00      0.00     66.13
06:14:51 PM     all     24.66      0.00      9.12      0.01      0.00     66.22
06:14:56 PM     all     23.96      0.00      9.36      0.08      0.00     66.60
06:15:01 PM     all     24.78      0.00      9.52      0.01      0.00     65.69
06:15:06 PM     all     23.86      0.00      9.24      0.03      0.00     66.87





Created the tree successfully using HTTPRequest.jmx
Starting the test @ Wed Apr 13 18

Re: Tomcat 6.x 32bit-- becomes non responsive state / crash/hang

2016-03-15 Thread Christopher Schultz
Mahudeswaran,

On 3/14/16 2:21 PM, Mahudeswaran A wrote:
> We are working in different time zone. & We will try the thread
> dump meantime...Would you like to share any check points in thread
> dump or share some troubleshooting steps/tools to identify the
> issue. The visualgc plugin in jvisualvm is not supported for the
> jvm 1.6.
> 
> Is there any configuration to include timestamp in tomcat std.out
> or std.err log files.
> 
> **Attached is the sequence flow that we are trying in our load
> environment;
> 
> Itr-1: If we attach a commercial tool (forget the name-it something
> like yourjdk... will share you as soon as I get) the jvm crashes
> within 10-15 minutes; Thread-count=150 Itr-2: If we attach a
> commercial tool (forget the name-it something like yourjdk... will
> share you as soon as I get) the jvm crashes within 50-55 minutes; 
> Thread-count=300 Itr-3: If we attach a commercial tool (forget the
> name-it something like yourjdk... will share you as soon as I get)
> the jvm crashes within 50-55 minutes; Thread-count=30 Itr-4: The
> commercial tool was disconnected from jvm monitoring and started
> the load with thread-count=30; & last few hours before checked it's
> was running;monitoring with jvisualvm.

You are probably using YourKit.

When the JVM "crashes", do you get a hspid file and the process
actually dies, or do you get some kind of exception in Tomcat's
catalina.out or other log?

Thanks,
-chris

> -Original Message- From: Mark Thomas
> [mailto:ma...@apache.org] Sent: 14 March 2016 20:14 To: Tomcat
> Users List Subject: Re: Tomcat 6.x 32bit-- becomes non responsive
> state / crash/hang
> 
> On 14/03/2016 14:41, Mahudeswaran A wrote:
>> Hi,
>> 
>> We are facing unusual issue in Tomcat 6.x, where Tomcat 6.x
> >> becomes non responsive state after two weeks' time. This happens
>> randomly; The jvisualvm screen shows CPU, memory, thread are
>> normal and we don't see memory leak, thread leak or CPU hike. JVM
>> running is 32 bit; In our lab, we are simulating this issue by
>> running a load but still trying our level best but couldn't. Min
>> heap=256MB; Max heap=512MB Thread count=150 Tomcat idle session
> >> timeout=30minutes In our load environment the thread count
>> reduced to 30;
>> 
>> Any insights on why the tomcat becomes non responsive;
> 
> Take a series of 3 thread dumps, ~15s apart. If you need help
> analysing them, post them here.
> 
> Mark
> 
> 



RE: Tomcat 6.x 32bit-- becomes non responsive state / crash/hang

2016-03-14 Thread Mahudeswaran A
Hello Mark,
Thank you

We are working in different time zone. & We will try the thread dump 
meantime...Would you like to share any check points in thread dump or share 
some troubleshooting steps/tools to identify the issue.
The visualgc plugin in jvisualvm is not supported for the jvm 1.6.

Is there any configuration to include timestamp in tomcat std.out or std.err 
log files.

**Attached is the sequence flow that we are trying in our load environment;

Itr-1: If we attach a commercial tool (forget the name-it something like 
yourjdk... will share you as soon as I get) the jvm crashes within 10-15 
minutes;
Thread-count=150
Itr-2: If we attach a commercial tool (forget the name-it something like 
yourjdk... will share you as soon as I get) the jvm crashes within 50-55 
minutes;
Thread-count=300
Itr-3: If we attach a commercial tool (forget the name-it something like 
yourjdk... will share you as soon as I get) the jvm crashes within 50-55 
minutes;
Thread-count=30
Itr-4: The commercial tool was disconnected from jvm monitoring and started the 
load with thread-count=30; & last few hours before checked it's was 
running;monitoring with jvisualvm.

Regards
Mahu
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: 14 March 2016 20:14
To: Tomcat Users List
Subject: Re: Tomcat 6.x 32bit-- becomes non responsive state / crash/hang

On 14/03/2016 14:41, Mahudeswaran A wrote:
> Hi,
> 
> We are facing unusual issue in Tomcat 6.x, where Tomcat 6.x becomes non 
> responsive state after two weeks' time.
> This happens randomly;
> The jvisualvm screen shows CPU, memory, thread are normal and we don't see 
> memory leak, thread leak or CPU hike.
> JVM running is 32 bit;
> In our lab, we are simulating this issue by running a load but still trying 
> our level best but couldn't.
> Min heap=256MB; Max heap=512MB
> Thread count=150
> Tomcat idle session timeout=30minutes
> In our load environment the thread count reduced to 30;
> 
> Any insights on why the tomcat becomes non responsive;

Take a series of 3 thread dumps, ~15s apart. If you need help analysing them, 
post them here.

Mark



Re: Tomcat 6.x 32bit-- becomes non responsive state / crash/hang

2016-03-14 Thread Mark Thomas
On 14/03/2016 14:41, Mahudeswaran A wrote:
> Hi,
> 
> We are facing unusual issue in Tomcat 6.x, where Tomcat 6.x becomes non 
> responsive state after two weeks' time.
> This happens randomly;
> The jvisualvm screen shows CPU, memory, thread are normal and we don't see 
> memory leak, thread leak or CPU hike.
> JVM running is 32 bit;
> In our lab, we are simulating this issue by running a load but still trying 
> our level best but couldn't.
> Min heap=256MB; Max heap=512MB
> Thread count=150
> Tomcat idle session timeout=30minutes
> In our load environment the thread count reduced to 30;
> 
> Any insights on why the tomcat becomes non responsive;

Take a series of 3 thread dumps, ~15s apart. If you need help analysing
them, post them here.

Mark
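
One way to read the series of thread dumps requested above, as an added example that is not part of the original thread: a Python script that parses HotSpot-format dumps (`jstack <pid>` or `kill -3 <pid>`) and lists threads that stay BLOCKED at the same frame in every dump, grouped by the monitor they wait on and the thread holding it. The sample dumps, the `com.example.*` classes, thread ids and lock address are constructed for illustration.

```python
import re

# Line shapes found in HotSpot thread dumps (jstack <pid> or kill -3 <pid>).
HEADER = re.compile(r'^"(?P<name>[^"]+)".*\bnid=(?P<nid>0x[0-9a-fA-F]+)')
STATE = re.compile(r'^\s+java\.lang\.Thread\.State: (?P<state>[A-Z_]+)')
FRAME = re.compile(r'^\s+at (?P<frame>[^\s(]+)')
WAITS = re.compile(r'^\s+- waiting to lock <(?P<lock>0x[0-9a-fA-F]+)>')
HOLDS = re.compile(r'^\s+- locked <(?P<lock>0x[0-9a-fA-F]+)>')


def parse_dump(text):
    """Parse one thread dump into {nid: {name, state, top, waits, holds}}."""
    threads, cur = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            cur = {"name": header.group("name"), "state": None, "top": None,
                   "waits": None, "holds": set()}
            threads[header.group("nid")] = cur
            continue
        if cur is None:
            continue
        if not line.strip():          # a blank line ends the thread's block
            cur = None
            continue
        for key, pattern in (("state", STATE), ("top", FRAME), ("waits", WAITS)):
            m = pattern.match(line)
            if m and cur[key] is None:        # keep the first (topmost) match
                cur[key] = m.group(1)
        m = HOLDS.match(line)
        if m:
            cur["holds"].add(m.group("lock"))
    return threads


def persistent_contention(dumps):
    """Return {lock: {"owner": name or None, "waiters": [names]}} for threads
    that are BLOCKED at the same top frame in every dump of the series."""
    parsed = [parse_dump(d) for d in dumps]
    if not parsed:
        return {}
    last, report = parsed[-1], {}
    for nid, t in last.items():
        if t["state"] != "BLOCKED" or t["waits"] is None:
            continue
        # Match on native thread id, state and top frame. Lock addresses are
        # not compared across dumps because a GC can move the object.
        stuck = all(nid in p and p[nid]["state"] == "BLOCKED"
                    and p[nid]["top"] == t["top"] for p in parsed[:-1])
        if stuck:
            entry = report.setdefault(t["waits"], {"owner": None, "waiters": []})
            entry["waiters"].append(t["name"])
    for lock, entry in report.items():
        entry["waiters"].sort()
        owners = [t["name"] for t in last.values() if lock in t["holds"]]
        entry["owner"] = owners[0] if len(owners) == 1 else None
    return report


# --- Constructed sample input: com.example.* classes and all ids are invented.
LOCK = "0x6e0a4c18"


def _thread(n, blocked):
    head = '"http-8080-%d" daemon prio=10 tid=0x08a1%d000 nid=0x2b0%d ' % (n, n, n)
    if blocked:
        return (head + "waiting for monitor entry [0x6f1%d0000]\n" % n
                + "   java.lang.Thread.State: BLOCKED (on object monitor)\n"
                + "\tat com.example.ReportCache.get(ReportCache.java:41)\n"
                + "\t- waiting to lock <%s> (a com.example.ReportCache)\n" % LOCK
                + "\tat com.example.ReportServlet.doGet(ReportServlet.java:27)\n")
    return (head + "runnable [0x6f1%d0000]\n" % n
            + "   java.lang.Thread.State: RUNNABLE\n"
            + "\tat java.net.SocketInputStream.socketRead0(Native Method)\n")


OWNER = ('"http-8080-3" daemon prio=10 tid=0x08a13000 nid=0x2b03 runnable [0x6f130000]\n'
         "   java.lang.Thread.State: RUNNABLE\n"
         "\tat java.net.SocketInputStream.socketRead0(Native Method)\n"
         "\tat com.example.ReportCache.load(ReportCache.java:63)\n"
         "\t- locked <%s> (a com.example.ReportCache)\n" % LOCK)


def sample_dumps():
    """Three dumps: threads 1 and 2 stay blocked; thread 5 blocks only from dump 2 on."""
    return ["\n".join([_thread(1, True), _thread(2, True), OWNER, _thread(5, i >= 1)])
            for i in range(3)]


if __name__ == "__main__":
    for lock, info in persistent_contention(sample_dumps()).items():
        print(lock, "held by", info["owner"], "waiters:", ", ".join(info["waiters"]))
```

Threads that are merely idle in the connector's pool also look identical from dump to dump, which is why the script keys on the BLOCKED state and a held monitor rather than on unchanged stacks alone.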





Tomcat 6.x 32bit-- becomes non responsive state / crash/hang

2016-03-14 Thread Mahudeswaran A
Hi,

We are facing unusual issue in Tomcat 6.x, where Tomcat 6.x becomes non 
responsive state after two weeks' time.
This happens randomly;
The jvisualvm screen shows CPU, memory, thread are normal and we don't see 
memory leak, thread leak or CPU hike.
JVM running is 32 bit;
In our lab, we are simulating this issue by running a load but still trying our 
level best but couldn't.
Min heap=256MB; Max heap=512MB
Thread count=150
Tomcat idle session timeout=30minutes
In our load environment the thread count reduced to 30;

Any insights on why the tomcat becomes non responsive;

Thanks & Regards



Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-18 Thread Mark Thomas
On 18/02/2016 22:57, Ty wrote:
> I've re-run my tests using 8.0.x trunk (8.0.33-dev) using the same
> procedure from the first message of this thread, and summarized the results
> below.  Heap usage is vastly improved both with and without JAR scanning.
> Heap size and startup time are both reasonable and it's now feasible to
> re-visit our upgrade plan, so we will be putting 8.0.33 into our next cycle
> (once it's officially released).
> 
> Thanks again for looking into this, and wow, addressing it so quickly.

Great. That is good news.

I'm not finished with this. There were a number of things in the heap
dump that looked to be worthy of further consideration. I hope to get to
them in time for 8.0.33 but regardless of whether I do, looking at this
some more is on my TODO list.

Mark


> 
> Cheers,
> Ty
> 
> 
> Case 1 (baseline):
> 
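> +-------------+--------------+---------------------------+
> | version     | startup time | heap usage after major GC |
> +-------------+--------------+---------------------------+
> | tomcat6     | 36,711ms     | 21,163,288                |
> | tomcat7     | 104,517ms    | 489,992,264               |
> | tomcat8     | 156,094ms    | 1,010,512,568             |
> | tomcat8-dev | 139,858ms    | 218,976,528               |
> +-------------+--------------+---------------------------+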
> 
> 
> Case 2 (Tomcat 7 and 8 with “jarsToSkip=*”)
> 
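> +-------------+--------------+---------------------------+
> | version     | startup time | heap usage after major GC |
> +-------------+--------------+---------------------------+
> | tomcat6     | 36,711ms     | 21,163,288                |
> | tomcat7     | 38,979ms     | 72,359,840                |
> | tomcat8     | 52,040ms     | 633,682,336               |
> | tomcat8-dev | 66,662ms     | 97,365,048                |
> +-------------+--------------+---------------------------+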
> 
> 
> 
> 
> On Thu, Feb 18, 2016 at 10:12 AM Ty  wrote:
> 
>>> Are you able to build Tomcat 8.0.x from source to test locally or would
>>> you like me to provide you with a test build?
>>
>> Looks like building is pretty straightforward.  I'll dive in and post back
>> with my testing results.
>>
>>
>> On Thu, Feb 18, 2016 at 9:11 AM Mark Thomas  wrote:
>>
>>> Another update.
>>>
>>> Before any fixes, my tests showed a heap of ~1GB with ~30% used by
>>> WebappClassLoader and 50% by JarResourceSet
>>>
>>> The WebappClassLoader issue was triggered by JAR scanning. Disabling /
>>> limiting JAR scanning will reduce the impact of this issue.
>>> The issue has been fixed in 9.0.x and 8.0.x and will be included in
>>> 9.0.0.M4 and 8.0.33 onwards.
>>>
>>> The JarResourceSet issue was hard coded. There is no way to work around
>>> it. This has also been fixed in 9.0.x and 8.0.x and will be included in
>>> 9.0.0.M4 and 8.0.33 onwards.
>>>
>>> Regressions are possible but unlikely. All the unit tests pass and I
>>> have been using Atlassian Jira as a test app to check for changes in
>>> start time and as a smoke test. There is a small increase in start time
>>> with fix for the JarResourceSet issue (~5%) but the reduction in memory
>>> usage more than makes up for it.
>>>
>>> Are you able to build Tomcat 8.0.x from source to test locally or would
>>> you like me to provide you with a test build?
>>>
>>> Looking at the heap dump, there are still a few areas where it may be
>>> possible to reclaim more memory. This is on my TODO list and I hope to
>>> get to it before the next releases.
>>>
>>> Mark
>>>
>>>
>>>
> 





Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-18 Thread Ty
I've re-run my tests using 8.0.x trunk (8.0.33-dev) using the same
procedure from the first message of this thread, and summarized the results
below.  Heap usage is vastly improved both with and without JAR scanning.
Heap size and startup time are both reasonable and it's now feasible to
re-visit our upgrade plan, so we will be putting 8.0.33 into our next cycle
(once it's officially released).

Thanks again for looking into this, and wow, addressing it so quickly.

Cheers,
Ty


Case 1 (baseline):

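+-------------+--------------+---------------------------+
| version     | startup time | heap usage after major GC |
+-------------+--------------+---------------------------+
| tomcat6     | 36,711ms     | 21,163,288                |
| tomcat7     | 104,517ms    | 489,992,264               |
| tomcat8     | 156,094ms    | 1,010,512,568             |
| tomcat8-dev | 139,858ms    | 218,976,528               |
+-------------+--------------+---------------------------+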


Case 2 (Tomcat 7 and 8 with “jarsToSkip=*”)

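+-------------+--------------+---------------------------+
| version     | startup time | heap usage after major GC |
+-------------+--------------+---------------------------+
| tomcat6     | 36,711ms     | 21,163,288                |
| tomcat7     | 38,979ms     | 72,359,840                |
| tomcat8     | 52,040ms     | 633,682,336               |
| tomcat8-dev | 66,662ms     | 97,365,048                |
+-------------+--------------+---------------------------+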




On Thu, Feb 18, 2016 at 10:12 AM Ty  wrote:

> > Are you able to build Tomcat 8.0.x from source to test locally or would
> > you like me to provide you with a test build?
>
> Looks like building is pretty straightforward.  I'll dive in and post back
> with my testing results.
>
>
> On Thu, Feb 18, 2016 at 9:11 AM Mark Thomas  wrote:
>
>> Another update.
>>
>> Before any fixes, my tests showed a heap of ~1GB with ~30% used by
>> WebappClassLoader and 50% by JarResourceSet
>>
>> The WebappClassLoader issue was triggered by JAR scanning. Disabling /
>> limiting JAR scanning will reduce the impact of this issue.
>> The issue has been fixed in 9.0.x and 8.0.x and will be included in
>> 9.0.0.M4 and 8.0.33 onwards.
>>
>> The JarResourceSet issue was hard coded. There is no way to work around
>> it. This has also been fixed in 9.0.x and 8.0.x and will be included in
>> 9.0.0.M4 and 8.0.33 onwards.
>>
>> Regressions are possible but unlikely. All the unit tests pass and I
>> have been using Atlassian Jira as a test app to check for changes in
>> start time and as a smoke test. There is a small increase in start time
>> with fix for the JarResourceSet issue (~5%) but the reduction in memory
>> usage more than makes up for it.
>>
>> Are you able to build Tomcat 8.0.x from source to test locally or would
>> you like me to provide you with a test build?
>>
>> Looking at the heap dump, there are still a few areas where it may be
>> possible to reclaim more memory. This is on my TODO list and I hope to
>> get to it before the next releases.
>>
>> Mark
>>
>>
>>


Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-18 Thread Ty
> Are you able to build Tomcat 8.0.x from source to test locally or would
> you like me to provide you with a test build?

Looks like building is pretty straightforward.  I'll dive in and post back
with my testing results.

On Thu, Feb 18, 2016 at 9:11 AM Mark Thomas  wrote:

> Another update.
>
> Before any fixes, my tests showed a heap of ~1GB with ~30% used by
> WebappClassLoader and 50% by JarResourceSet
>
> The WebappClassLoader issue was triggered by JAR scanning. Disabling /
> limiting JAR scanning will reduce the impact of this issue.
> The issue has been fixed in 9.0.x and 8.0.x and will be included in
> 9.0.0.M4 and 8.0.33 onwards.
>
> The JarResourceSet issue was hard coded. There is no way to work around
> it. This has also been fixed in 9.0.x and 8.0.x and will be included in
> 9.0.0.M4 and 8.0.33 onwards.
>
> Regressions are possible but unlikely. All the unit tests pass and I
> have been using Atlassian Jira as a test app to check for changes in
> start time and as a smoke test. There is a small increase in start time
> with fix for the JarResourceSet issue (~5%) but the reduction in memory
> usage more than makes up for it.
>
> Are you able to build Tomcat 8.0.x from source to test locally or would
> you like me to provide you with a test build?
>
> Looking at the heap dump, there are still a few areas where it may be
> possible to reclaim more memory. This is on my TODO list and I hope to
> get to it before the next releases.
>
> Mark
>
>
>


Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-18 Thread Christopher Schultz
Mark,

On 2/18/16 10:11 AM, Mark Thomas wrote:
> Another update.
> 
> Before any fixes, my tests showed a heap of ~1GB with ~30% used by 
> WebappClassLoader and 50% by JarResourceSet
> 
> The WebappClassLoader issue was triggered by JAR scanning.
> Disabling / limiting JAR scanning will reduce the impact of this
> issue. The issue has been fixed in 9.0.x and 8.0.x and will be
> included in 9.0.0.M4 and 8.0.33 onwards.
> 
> The JarResourceSet issue was hard coded. There is no way to work
> around it. This has also been fixed in 9.0.x and 8.0.x and will be
> included in 9.0.0.M4 and 8.0.33 onwards.
> 
> Regressions are possible but unlikely. All the unit tests pass and
> I have been using Atlassian Jira as a test app to check for changes
> in start time and as a smoke test. There is a small increase in
> start time with fix for the JarResourceSet issue (~5%) but the
> reduction in memory usage more than makes up for it.

Nice. Thanks for diving into this one.

-chris



Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-18 Thread Mark Thomas
Another update.

Before any fixes, my tests showed a heap of ~1GB with ~30% used by
WebappClassLoader and 50% by JarResourceSet

The WebappClassLoader issue was triggered by JAR scanning. Disabling /
limiting JAR scanning will reduce the impact of this issue.
The issue has been fixed in 9.0.x and 8.0.x and will be included in
9.0.0.M4 and 8.0.33 onwards.

The JarResourceSet issue was hard coded. There is no way to work around
it. This has also been fixed in 9.0.x and 8.0.x and will be included in
9.0.0.M4 and 8.0.33 onwards.

Regressions are possible but unlikely. All the unit tests pass and I
have been using Atlassian Jira as a test app to check for changes in
start time and as a smoke test. There is a small increase in start time
with fix for the JarResourceSet issue (~5%) but the reduction in memory
usage more than makes up for it.

Are you able to build Tomcat 8.0.x from source to test locally or would
you like me to provide you with a test build?

Looking at the heap dump, there are still a few areas where it may be
possible to reclaim more memory. This is on my TODO list and I hope to
get to it before the next releases.

Mark




Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-18 Thread Mark Thomas
On 18/02/2016 00:26, Ty wrote:
>>> For Ty's purposes, simply avoid JAR scanning entirely should eliminate
>>> the heap issues, right? Moving from Tomcat 6 means that JAR scanning
>>> is not required for correct operation of their application.
> 
>> Yes. http://wiki.apache.org/tomcat/HowTo/FasterStartUp has the details
>> of the configuration required.
> 
> I might be missing something, if so please correct me, but it seems that
> there's a huge difference with Tomcat 8, even when JAR scanning is taken
> out of the picture (jarsToSkip=*).
> 
> For my test case, Tomcat 8 has a heap size of ~1GB with JAR scanning
> enabled, and ~600MB with jarsToSkip=*.  That's a 40% improvement by
> disabling JAR scanning, sure, but for comparison, same test case, Tomcat
> 6's heap is ~20MB while Tomcat 7's (with jarsToSkip=*) is ~70MB.  We're
> still back to a 30x increase in heap utilization from Tomcat 6 to Tomcat 8,
> and a 10x increase from Tomcat 7 to Tomcat 8, without having JAR scanning
> in the mix.

Sorry. Not enough sleep when I wrote that. The WebappClassLoader issue
is addressed by disabling JAR scanning but the JarResourceSet issue is not.

Mark




Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-17 Thread Ty
>> For Ty's purposes, simply avoid JAR scanning entirely should eliminate
>> the heap issues, right? Moving from Tomcat 6 means that JAR scanning
>> is not required for correct operation of their application.

> Yes. http://wiki.apache.org/tomcat/HowTo/FasterStartUp has the details
> of the configuration required.

I might be missing something, if so please correct me, but it seems that
there's a huge difference with Tomcat 8, even when JAR scanning is taken
out of the picture (jarsToSkip=*).

For my test case, Tomcat 8 has a heap size of ~1GB with JAR scanning
enabled, and ~600MB with jarsToSkip=*.  That's a 40% improvement by
disabling JAR scanning, sure, but for comparison, same test case, Tomcat
6's heap is ~20MB while Tomcat 7's (with jarsToSkip=*) is ~70MB.  We're
still back to a 30x increase in heap utilization from Tomcat 6 to Tomcat 8,
and a 10x increase from Tomcat 7 to Tomcat 8, without having JAR scanning
in the mix.


On Wed, Feb 17, 2016 at 6:14 PM Mark Thomas <ma...@apache.org> wrote:

> On 18/02/2016 00:05, Christopher Schultz wrote:
> > Mark,
> >
> > On 2/17/16 5:04 PM, Mark Thomas wrote:
> >> On 17/02/2016 11:11, Mark Thomas wrote:
> >>> On 16/02/2016 22:07, Ty wrote:
> >>>>> Exactly which versions were you using when you ran your
> >>>>> tests?
> >>>>
> >>>> According to my notes:  7.0.59, which should've been the most
> >>>> recent version available at the time (about this time last
> >>>> year).
> >>>>
> >>>> To clarify:  that was the version we did a heap dump analysis
> >>>> of, and noted the memory increase related to Manifest objects.
> >>>> The version used for the test procedure in this thread's
> >>>> original message -- last performed last week -- was 7.0.67 and
> >>>> we did not do a heap analysis of it (only noting that at a
> >>>> glance it resulted in approximately the same amount of heap
> >>>> increase correlating with JAR scanning as we saw with last
> >>>> year's version).
> >>>
> >>> Thanks for the version info.
> >>>
> >>> I've started looking at this. The bulk of the memory is used by
> >>> JarResourceSet. It is caching a JarFileEntry object for each
> >>> class in the JAR.
> >>>
> >>> I wrote this code but I don't recall why those entries were
> >>> retained. I need to look back through svn to figure out what
> >>> problem it was solving and then see if I can find a better
> >>> solution.
> >
> >> Quick update.
> >
> >> There are two separate issues, both triggered by JAR scanning.
> >
> >> The JarResourceSet issue above accounts for ~50% of a 1GB heap.
> >> There is also a WebappClassLoader issue that accounts for ~30% of
> >> the same heap.
> >
> >> The WebappClassLoader issue is the easier to fix. I have fixed this
> >> in trunk and am just waiting for the tests to confirm all is well.
> >> I plan to back-port this to 8.0.x for the next release.
> >
> >> The JarResourceSet is going to be trickier. The code is the way it
> >> is partly for performance, partly to avoid file locking on Windows.
> >> It is going to take a little longer to put together a fix for this
> >> one.
> >
> > For Ty's purposes, simply avoid JAR scanning entirely should eliminate
> > the heap issues, right? Moving from Tomcat 6 means that JAR scanning
> > is not required for correct operation of their application.
>
> Yes. http://wiki.apache.org/tomcat/HowTo/FasterStartUp has the details
> of the configuration required.
>
> Mark
>
>
>


Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-17 Thread Mark Thomas
On 18/02/2016 00:05, Christopher Schultz wrote:
> Mark,
> 
> On 2/17/16 5:04 PM, Mark Thomas wrote:
>> On 17/02/2016 11:11, Mark Thomas wrote:
>>> On 16/02/2016 22:07, Ty wrote:
>>>>> Exactly which versions were you using when you ran your
>>>>> tests?
>>>>
>>>> According to my notes:  7.0.59, which should've been the most
>>>> recent version available at the time (about this time last
>>>> year).
>>>>
>>>> To clarify:  that was the version we did a heap dump analysis
>>>> of, and noted the memory increase related to Manifest objects.
>>>> The version used for the test procedure in this thread's
>>>> original message -- last performed last week -- was 7.0.67 and
>>>> we did not do a heap analysis of it (only noting that at a
>>>> glance it resulted in approximately the same amount of heap 
>>>> increase correlating with JAR scanning as we saw with last
>>>> year's version).
>>>
>>> Thanks for the version info.
>>>
>>> I've started looking at this. The bulk of the memory is used by 
>>> JarResourceSet. It is caching a JarFileEntry object for each
>>> class in the JAR.
>>>
>>> I wrote this code but I don't recall why those entries were
>>> retained. I need to look back through svn to figure out what
>>> problem it was solving and then see if I can find a better
>>> solution.
> 
>> Quick update.
> 
>> There are two separate issues, both triggered by JAR scanning.
> 
>> The JarResourceSet issue above accounts for ~50% of a 1GB heap. 
>> There is also a WebappClassLoader issue that accounts for ~30% of
>> the same heap.
> 
>> The WebappClassLoader issue is the easier to fix. I have fixed this
>> in trunk and am just waiting for the tests to confirm all is well.
>> I plan to back-port this to 8.0.x for the next release.
> 
>> The JarResourceSet is going to be trickier. The code is the way it
>> is partly for performance, partly to avoid file locking on Windows.
>> It is going to take a little longer to put together a fix for this
>> one.
> 
> For Ty's purposes, simply avoid JAR scanning entirely should eliminate
> the heap issues, right? Moving from Tomcat 6 means that JAR scanning
> is not required for correct operation of their application.

Yes. http://wiki.apache.org/tomcat/HowTo/FasterStartUp has the details
of the configuration required.

Mark




Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-17 Thread Christopher Schultz
Ty,

On 2/16/16 4:51 PM, Ty wrote:
>> if Tomcat had the option to ignore META-INF/resources in JAR
>> files
> 
> Perhaps interesting:  of the 27 JAR files in my dummy application,
> not a single one has a META-INF/resources.

Obviously, markt is following the real story, here. I was just
speculating based upon your comments and Mark's (previously untested)
thoughts on the matter.

It still seems that getting to work on disabling JAR scanning is going
to help you immensely.

-chris

> On Tue, Feb 16, 2016 at 3:40 PM Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Ty,
> 
> On 2/16/16 3:11 PM, Ty wrote:
>>>> George, thanks for sharing your experience, good to know I'm
>>>> not the first down this path.  I'd be interested to know if
>>>> you've tested at all with Tomcat 8 and what your findings
>>>> were, if so. Based on my experience I'd expect you to be in a
>>>> similar boat to us.
>>>> 
>>>> Mark, thanks for the reply.  I've uploaded my "dummy" webapp
>>>> here:
>>>> 
>>>> http://filebin.ca/2XCPi8oAdy84/test.war
>>>> 
>>>> As for the JAR scanning / startup times, with Tomcat 8's
>>>> jarsToScan setting I'm confident we'd be able to manage that,
>>>> and am happy to leapfrog over Tomcat 7. It's the memory
>>>> utilization in Tomcat 8 specifically, independent of JAR
>>>> scanning, that's the show-stopper for us.  Let me know if I
>>>> can provide any other info, and thanks again.
> 
> I'm not sure if others will agree, but if Tomcat had the option to 
> ignore META-INF/resources in JAR files, you could probably save
> some memory. Since you are currently using Tomcat 6, this setting
> wouldn't affect you at all, since Tomcat 6 didn't expose those
> files in the way Mark describes. On the other hand, since it's a
> spec-requirement, there may be some pushback amongst the team here
> as to whether or not we should implement such a workaround.
> 
> We have lots of other settings that can technically be used to
> violate spec-defined behavior, so it's not like there isn't
> precedent for such things.
> 
> -chris



Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-17 Thread Christopher Schultz
Mark,

On 2/17/16 5:04 PM, Mark Thomas wrote:
> On 17/02/2016 11:11, Mark Thomas wrote:
>> On 16/02/2016 22:07, Ty wrote:
>>>> Exactly which versions were you using when you ran your
>>>> tests?
>>> 
>>> According to my notes:  7.0.59, which should've been the most
>>> recent version available at the time (about this time last
>>> year).
>>> 
>>> To clarify:  that was the version we did a heap dump analysis
>>> of, and noted the memory increase related to Manifest objects.
>>> The version used for the test procedure in this thread's
>>> original message -- last performed last week -- was 7.0.67 and
>>> we did not do a heap analysis of it (only noting that at a
>>> glance it resulted in approximately the same amount of heap 
>>> increase correlating with JAR scanning as we saw with last
>>> year's version).
>> 
>> Thanks for the version info.
>> 
>> I've started looking at this. The bulk of the memory is used by 
>> JarResourceSet. It is caching a JarFileEntry object for each
>> class in the JAR.
>> 
>> I wrote this code but I don't recall why those entries were
>> retained. I need to look back through svn to figure out what
>> problem it was solving and then see if I can find a better
>> solution.
> 
> Quick update.
> 
> There are two separate issues, both triggered by JAR scanning.
> 
> The JarResourceSet issue above accounts for ~50% of a 1GB heap. 
> There is also a WebappClassLoader issue that accounts for ~30% of
> the same heap.
> 
> The WebappClassLoader issue is the easier to fix. I have fixed this
> in trunk and am just waiting for the tests to confirm all is well.
> I plan to back-port this to 8.0.x for the next release.
> 
> The JarResourceSet is going to be trickier. The code is the way it
> is partly for performance, partly to avoid file locking on Windows.
> It is going to take a little longer to put together a fix for this
> one.

For Ty's purposes, simply avoid JAR scanning entirely should eliminate
the heap issues, right? Moving from Tomcat 6 means that JAR scanning
is not required for correct operation of their application.

-chris



Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-17 Thread Mark Thomas
On 17/02/2016 11:11, Mark Thomas wrote:
> On 16/02/2016 22:07, Ty wrote:
>>> Exactly which versions were you using when you ran your tests?
>>
>> According to my notes:  7.0.59, which should've been the most recent
>> version available at the time (about this time last year).
>>
>> To clarify:  that was the version we did a heap dump analysis of, and noted
>> the memory increase related to Manifest objects.  The version used for the
>> test procedure in this thread's original message -- last performed last
>> week -- was 7.0.67 and we did not do a heap analysis of it (only noting
>> that at a glance it resulted in approximately the same amount of heap
>> increase correlating with JAR scanning as we saw with last year's version).
> 
> Thanks for the version info.
> 
> I've started looking at this. The bulk of the memory is used by
> JarResourceSet. It is caching a JarFileEntry object for each class in
> the JAR.
> 
> I wrote this code but I don't recall why those entries were retained. I
> need to look back through svn to figure out what problem it was solving
> and then see if I can find a better solution.

Quick update.

There are two separate issues, both triggered by JAR scanning.

The JarResourceSet issue above accounts for ~50% of a 1GB heap.
There is also a WebappClassLoader issue that accounts for ~30% of the
same heap.

The WebappClassLoader issue is the easier to fix. I have fixed this in
trunk and am just waiting for the tests to confirm all is well. I plan
to back-port this to 8.0.x for the next release.

The JarResourceSet is going to be trickier. The code is the way it is
partly for performance, partly to avoid file locking on Windows. It is
going to take a little longer to put together a fix for this one.

Mark




Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-17 Thread Mark Thomas
On 16/02/2016 22:07, Ty wrote:
>> Exactly which versions were you using when you ran your tests?
> 
> According to my notes:  7.0.59, which should've been the most recent
> version available at the time (about this time last year).
> 
> To clarify:  that was the version we did a heap dump analysis of, and noted
> the memory increase related to Manifest objects.  The version used for the
> test procedure in this thread's original message -- last performed last
> week -- was 7.0.67 and we did not do a heap analysis of it (only noting
> that at a glance it resulted in approximately the same amount of heap
> increase correlating with JAR scanning as we saw with last year's version).

Thanks for the version info.

I've started looking at this. The bulk of the memory is used by
JarResourceSet. It is caching a JarFileEntry object for each class in
the JAR.

I wrote this code but I don't recall why those entries were retained. I
need to look back through svn to figure out what problem it was solving
and then see if I can find a better solution.

Mark




Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread Ty
> Exactly which versions were you using when you ran your tests?

According to my notes:  7.0.59, which should've been the most recent
version available at the time (about this time last year).

To clarify:  that was the version we did a heap dump analysis of, and noted
the memory increase related to Manifest objects.  The version used for the
test procedure in this thread's original message -- last performed last
week -- was 7.0.67 and we did not do a heap analysis of it (only noting
that at a glance it resulted in approximately the same amount of heap
increase correlating with JAR scanning as we saw with last year's version).



On Tue, Feb 16, 2016 at 3:55 PM Mark Thomas  wrote:

> On 16/02/2016 20:14, Ty wrote:
> >> JAR scanning should be transient. What was it that was causing the 10-20
> >> fold increase?
> >
> > From memory (this was a while ago), it was related to
> > java.util.jar.Manifest objects, or what they contained/referenced.  I'd be
> > glad to do another heap analysis and summarize it if it would help, but
> > even more glad to just skip Tomcat 7 altogether.
>
> There was an issue related to caching of Manifest instances but that
> should have been fixed. Exactly which versions were you using when you
> ran your tests?
>
> Mark
>
>
>


Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread Mark Thomas
On 16/02/2016 20:14, Ty wrote:
>> JAR scanning should be transient. What was it that was causing the 10-20
>> fold increase?
> 
> From memory (this was a while ago), it was related to
> java.util.jar.Manifest objects, or what they contained/referenced.  I'd be
> glad to do another heap analysis and summarize it if it would help, but
> even more glad to just skip Tomcat 7 altogether.

There was an issue related to caching of Manifest instances but that
should have been fixed. Exactly which versions were you using when you
ran your tests?

Mark




Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread Ty
>  if Tomcat had the option to ignore META-INF/resources in JAR files

Perhaps interesting:  of the 27 JAR files in my dummy application, not a
single one has a META-INF/resources.

On Tue, Feb 16, 2016 at 3:40 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ty,
>
> On 2/16/16 3:11 PM, Ty wrote:
> > George, thanks for sharing your experience, good to know I'm not
> > the first down this path.  I'd be interested to know if you've
> > tested at all with Tomcat 8 and what your findings were, if so.
> > Based on my experience I'd expect you to be in a similar boat to
> > us.
> >
> > Mark, thanks for the reply.  I've uploaded my "dummy" webapp here:
> >
> > http://filebin.ca/2XCPi8oAdy84/test.war
> >
> > As for the JAR scanning / startup times, with Tomcat 8's jarsToScan
> > setting I'm confident we'd be able to manage that, and am happy to
> > leapfrog over Tomcat 7. It's the memory utilization in Tomcat 8
> > specifically, independent of JAR scanning, that's the show-stopper
> > for us.  Let me know if I can provide any other info, and thanks
> > again.
>
> I'm not sure if others will agree, but if Tomcat had the option to
> ignore META-INF/resources in JAR files, you could probably save some
> memory. Since you are currently using Tomcat 6, this setting wouldn't
> affect you at all, since Tomcat 6 didn't expose those files in the way
> Mark describes. On the other hand, since it's a spec-requirement,
> there may be some pushback amongst the team here as to whether or not
> we should implement such a workaround.
>
> We have lots of other settings that can technically be used to violate
> spec-defined behavior, so it's not like there isn't precedent for such
> things.
>
> -chris
>
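
The check Ty describes in the message above (whether any JAR under WEB-INF/lib carries META-INF/resources) can be scripted across a WAR before deciding what to put in jarsToSkip. This is an added example, not part of the original thread or of Tomcat; the function names and the in-memory sample WAR are constructed, and it only inspects file names, so JARs that rely purely on annotated classes are not detected.

```python
import io
import zipfile

# Service file a Servlet 3.0 container looks for when scanning library JARs
# (javax namespace, matching the Tomcat 7/8 versions discussed in the thread).
SCI_SERVICE = "META-INF/services/javax.servlet.ServletContainerInitializer"


def classify_jar(jar_bytes):
    """Return the sorted scan-relevant features found in one library JAR."""
    features = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/resources/") and not name.endswith("/"):
                features.add("static-resources")
            elif name == "META-INF/web-fragment.xml":
                features.add("web-fragment")
            elif name == SCI_SERVICE:
                features.add("servlet-container-initializer")
            elif name.startswith("META-INF/") and name.endswith(".tld"):
                features.add("tld")
    return sorted(features)


def audit_war(war_file):
    """Map each WEB-INF/lib/*.jar in the WAR to its scan-relevant features."""
    report = {}
    with zipfile.ZipFile(war_file) as war:
        for info in war.infolist():
            name = info.filename
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                jar_name = name.rsplit("/", 1)[1]
                try:
                    report[jar_name] = classify_jar(war.read(info))
                except zipfile.BadZipFile:
                    # A JAR that cannot be opened is never reported as skippable.
                    report[jar_name] = ["unreadable"]
    return report


def skippable(report):
    """JARs with no scan-relevant entries: candidates for jarsToSkip."""
    return sorted(jar for jar, features in report.items() if not features)


def make_zip(entries):
    """Build a ZIP archive in memory from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR (not the test.war linked in the thread)."""
    plain = make_zip({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        "com/example/Util.class": b"\xca\xfe\xba\xbe",
    })
    widgets = make_zip({
        "META-INF/resources/js/app.js": "// static file served from the JAR",
        "META-INF/web-fragment.xml": "<web-fragment/>",
    })
    tags = make_zip({"META-INF/tags.tld": "<taglib/>"})
    war = make_zip({
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/lib/plain-util.jar": plain,
        "WEB-INF/lib/ui-widgets.jar": widgets,
        "WEB-INF/lib/tags.jar": tags,
        "WEB-INF/lib/corrupt.jar": b"not a zip",
    })
    return io.BytesIO(war)


if __name__ == "__main__":
    result = audit_war(build_sample_war())
    for jar_name in sorted(result):
        print(jar_name, result[jar_name] or "nothing to scan")
    print("jarsToSkip candidates:", ",".join(skippable(result)))
```
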


Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread Christopher Schultz
Ty,

On 2/16/16 3:11 PM, Ty wrote:
> George, thanks for sharing your experience, good to know I'm not
> the first down this path.  I'd be interested to know if you've
> tested at all with Tomcat 8 and what your findings were, if so.
> Based on my experience I'd expect you to be in a similar boat to
> us.
> 
> Mark, thanks for the reply.  I've uploaded my "dummy" webapp here:
> 
> http://filebin.ca/2XCPi8oAdy84/test.war
> 
> As for the JAR scanning / startup times, with Tomcat 8's jarsToScan
> setting I'm confident we'd be able to manage that, and am happy to
> leapfrog over Tomcat 7. It's the memory utilization in Tomcat 8
> specifically, independent of JAR scanning, that's the show-stopper
> for us.  Let me know if I can provide any other info, and thanks
> again.

I'm not sure if others will agree, but if Tomcat had the option to
ignore META-INF/resources in JAR files, you could probably save some
memory. Since you are currently using Tomcat 6, this setting wouldn't
affect you at all, since Tomcat 6 didn't expose those files in the way
Mark describes. On the other hand, since it's a spec-requirement,
there may be some pushback amongst the team here as to whether or not
we should implement such a workaround.

We have lots of other settings that can technically be used to violate
spec-defined behavior, so it's not like there isn't precedent for such
things.

-chris



Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread George Sexton



On 2/16/2016 1:11 PM, Ty wrote:

George, thanks for sharing your experience, good to know I'm not the first
down this path.  I'd be interested to know if you've tested at all with
Tomcat 8 and what your findings were, if so.  Based on my experience I'd
expect you to be in a similar boat to us.


I was doing some work for someone, and I thought about upgrading to 
Tomcat 8, but it doesn't offer anything I need. I'm just going to wait 
for Tomcat 9, which will have something compelling for me (SNI support).






Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread Ty
George, thanks for sharing your experience, good to know I'm not the first
down this path.  I'd be interested to know if you've tested at all with
Tomcat 8 and what your findings were, if so.  Based on my experience I'd
expect you to be in a similar boat to us.

Mark, thanks for the reply.  I've uploaded my "dummy" webapp here:

http://filebin.ca/2XCPi8oAdy84/test.war

As for the JAR scanning / startup times, with Tomcat 8's jarsToScan setting
I'm confident we'd be able to manage that, and am happy to leapfrog over
Tomcat 7. It's the memory utilization in Tomcat 8 specifically, independent
of JAR scanning, that's the show-stopper for us.  Let me know if I can
provide any other info, and thanks again.



On Tue, Feb 16, 2016 at 12:58 PM Mark Thomas <ma...@apache.org> wrote:

> On 16/02/2016 16:13, Ty wrote:
> > Summary:
> >
> > Because of our use case (hundreds of webapps per instance), we cannot
> > feasibly upgrade our Tomcat 6 containers to Tomcat 7 or Tomcat 8, due to
> > the massive increase in memory the upgrade causes.
> >
> > Background:
> >
> > We’ve been running Tomcat 6 for several years, on perhaps an unusual
> scale:
> > several dozen Tomcat instances, each running up to a *few hundred
> webapps*
> > in a single container.  (Picture a cloud service provider with several
> > products and hundreds of customers, with one dedicated webapp
> > per-customer-per-product, resulting in many thousands of web
> > applications.  It’s
> > not ideal but it’s how the software was designed).  Typical max heap
> sizes
> > per container are 1GB to 4GB depending on utilization, and max container
> > startup times are in the neighborhood of 5 to 10 minutes.
> >
> > · When Tomcat 7 was released, our testing showed a 10-to-20-fold
> > increase in memory consumption and a 3-to-5-fold increase in startup time
> > for our test case (100 deployed webapps).  After some digging we
> determined
> > that these increases were related to JAR scanning
> > (tomcat.util.scan.DefaultJarScanner).
>
> JAR scanning should be transient. What was it that was causing the 10-20
> fold increase?
>
> > · When Tomcat 8 was released, we noted that it included a
> > “whitelist” version of the jarsToSkip Property, jarsToScan.  Our hopes
> were
> > high that we could skip from Tomcat 6 to Tomcat 8, but our test case
> (again
> > 100 deployed webapps) quickly deflated those hopes:  similar startup
> times
> > but at least a *30-fold increase in memory consumption*, regardless of
> how
> > we configure jarsToScan or jarsToSkip.
> >
> > · A heap dump analysis showed that the Tomcat 8 memory increase
> was
> > largely due to the size/count of
> > org.apache.catalina.webresources.JarResourceSet objects.
>
> Those are only going to be created when a JAR is found that contains
> META-INF/resources. The spec requires Tomcat to expose those as static
> resources and that requires plumbing. Note Tomcat 6 will just ignore
> these because the spec is too old for this feature.
>
> > We attempted to
> > reduce this by setting the Context/Resources@cachingAllowed attribute to
> > “false” and also tried to tune the “cacheMaxSize” and “cacheObjectMaxSize”
> > attributes.
>
> Those attributes should have no impact on the number or size of the
> JarResourceSet instances.
>
> > The only effect that came from these changes was a change in
> > the object that took up all the space:  instead of
> > org.apache.catalina.webresources.JarResourceSet objects, they are
> > org.apache.catalina.webresources.StandardResourceSet objects, taking up
> > roughly the same amount of space.
>
> Strange. Very strange.
>
> > Question:
> >
> > Is there anything else we can adjust to make Tomcat 8’s memory
> consumption
> > closer to that of Tomcat 6’s, for our use case?
>
> It is hard to see exactly what is going on here. The symptoms you
> describe and the resulting changes with configuration are not consistent
> with how I would expect Tomcat to behave nor can I see how it might
> behave in the way described.
>
> > If not, we are faced with
> > either running Tomcat 6 past its EOL, or possibly maintaining a very
> large
> > jarsToSkip blacklist in Tomcat 7 (until its EOL).  It is not economically
> > feasible for us to increase the physical memory of our servers by 30x so
> we
> > can run Tomcat 8.
> >
> > Test procedure:
> >
> >
> >- Create a "dummy" webapp (using default Maven archetype) named
> test.war
> >- Add several popular Maven dependencies such that the total s

Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread Ty
> JAR scanning should be transient. What was it that was causing the 10-20
> fold increase?

From memory (this was a while ago), it was related to
java.util.jar.Manifest objects, or what they contained/referenced.  I'd be
glad to do another heap analysis and summarize it if it would help, but
even more glad to just skip Tomcat 7 altogether.

On Tue, Feb 16, 2016 at 2:11 PM Ty <ty733...@gmail.com> wrote:

> George, thanks for sharing your experience, good to know I'm not the first
> down this path.  I'd be interested to know if you've tested at all with
> Tomcat 8 and what your findings were, if so.  Based on my experience I'd
> expect you to be in a similar boat to us.
>
> Mark, thanks for the reply.  I've uploaded my "dummy" webapp here:
>
> http://filebin.ca/2XCPi8oAdy84/test.war
>
> As for the JAR scanning / startup times, with Tomcat 8's jarsToScan
> setting I'm confident we'd be able to manage that, and am happy to leapfrog
> over Tomcat 7. It's the memory utilization in Tomcat 8 specifically,
> independent of JAR scanning, that's the show-stopper for us.  Let me know
> if I can provide any other info, and thanks again.
>
>
>
> On Tue, Feb 16, 2016 at 12:58 PM Mark Thomas <ma...@apache.org> wrote:
>
>> On 16/02/2016 16:13, Ty wrote:
>> > Summary:
>> >
>> > Because of our use case (hundreds of webapps per instance), we cannot
>> > feasibly upgrade our Tomcat 6 containers to Tomcat 7 or Tomcat 8, due to
>> > the massive increase in memory the upgrade causes.
>> >
>> > Background:
>> >
>> > We’ve been running Tomcat 6 for several years, on perhaps an unusual
>> scale:
>> > several dozen Tomcat instances, each running up to a *few hundred
>> webapps*
>> > in a single container.  (Picture a cloud service provider with several
>> > products and hundreds of customers, with one dedicated webapp
>> > per-customer-per-product, resulting in many thousands of web
>> > applications.  It’s
>> > not ideal but it’s how the software was designed).  Typical max heap
>> sizes
>> > per container are 1GB to 4GB depending on utilization, and max container
>> > startup times are in the neighborhood of 5 to 10 minutes.
>> >
>> > · When Tomcat 7 was released, our testing showed a 10-to-20-fold
>> > increase in memory consumption and a 3-to-5-fold increase in startup
>> time
>> > for our test case (100 deployed webapps).  After some digging we
>> determined
>> > that these increases were related to JAR scanning
>> > (tomcat.util.scan.DefaultJarScanner).
>>
>> JAR scanning should be transient. What was it that was causing the 10-20
>> fold increase?
>>
>> > · When Tomcat 8 was released, we noted that it included a
>> > “whitelist” version of the jarsToSkip Property, jarsToScan.  Our hopes
>> were
>> > high that we could skip from Tomcat 6 to Tomcat 8, but our test case
>> (again
>> > 100 deployed webapps) quickly deflated those hopes:  similar startup
>> times
>> > but at least a *30-fold increase in memory consumption*, regardless of
>> how
>> > we configure jarsToScan or jarsToSkip.
>> >
>> > · A heap dump analysis showed that the Tomcat 8 memory increase
>> was
>> > largely due to the size/count of
>> > org.apache.catalina.webresources.JarResourceSet objects.
>>
>> Those are only going to be created when a JAR is found that contains
>> META-INF/resources. The spec requires Tomcat to expose those as static
>> resources and that requires plumbing. Note Tomcat 6 will just ignore
>> these because the spec is too old for this feature.
>>
>> > We attempted to
>> > reduce this by setting the Context/Resources@cachingAllowed attribute to
>> > “false” and also tried to tune the “cacheMaxSize” and “cacheObjectMaxSize”
>> > attributes.
>>
>> Those attributes should have no impact on the number or size of the
>> JarResourceSet instances.
>>
>> > The only effect that came from these changes was a change in
>> > the object that took up all the space:  instead of
>> > org.apache.catalina.webresources.JarResourceSet objects, they are
>> > org.apache.catalina.webresources.StandardResourceSet objects, taking up
>> > roughly the same amount of space.
>>
>> Strange. Very strange.
>>
>> > Question:
>> >
>> > Is there anything else we can adjust to make Tomcat 8’s memory
>> consumption
>> > closer to that of Tomcat 6’s, for our use case?
>>

Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread Mark Thomas
On 16/02/2016 16:13, Ty wrote:
> Summary:
> 
> Because of our use case (hundreds of webapps per instance), we cannot
> feasibly upgrade our Tomcat 6 containers to Tomcat 7 or Tomcat 8, due to
> the massive increase in memory the upgrade causes.
> 
> Background:
> 
> We’ve been running Tomcat 6 for several years, on perhaps an unusual scale:
> several dozen Tomcat instances, each running up to a *few hundred webapps*
> in a single container.  (Picture a cloud service provider with several
> products and hundreds of customers, with one dedicated webapp
> per-customer-per-product, resulting in many thousands of web
> applications.  It’s
> not ideal but it’s how the software was designed).  Typical max heap sizes
> per container are 1GB to 4GB depending on utilization, and max container
> startup times are in the neighborhood of 5 to 10 minutes.
> 
> · When Tomcat 7 was released, our testing showed a 10-to-20-fold
> increase in memory consumption and a 3-to-5-fold increase in startup time
> for our test case (100 deployed webapps).  After some digging we determined
> that these increases were related to JAR scanning
> (tomcat.util.scan.DefaultJarScanner).

JAR scanning should be transient. What was it that was causing the 10-20
fold increase?

> · When Tomcat 8 was released, we noted that it included a
> “whitelist” version of the jarsToSkip Property, jarsToScan.  Our hopes were
> high that we could skip from Tomcat 6 to Tomcat 8, but our test case (again
> 100 deployed webapps) quickly deflated those hopes:  similar startup times
> but at least a *30-fold increase in memory consumption*, regardless of how
> we configure jarsToScan or jarsToSkip.
> 
> · A heap dump analysis showed that the Tomcat 8 memory increase was
> largely due to the size/count of
> org.apache.catalina.webresources.JarResourceSet objects.

Those are only going to be created when a JAR is found that contains
META-INF/resources. The spec requires Tomcat to expose those as static
resources and that requires plumbing. Note Tomcat 6 will just ignore
these because the spec is too old for this feature.

> We attempted to
> reduce this by setting the Context/Resources@cachingAllowed attribute to
> “false” and also tried to tune the “cacheMaxSize” and “cacheObjectMaxSize”
> attributes.

Those attributes should have no impact on the number or size of the
JarResourceSet instances.

> The only effect that came from these changes was a change in
> the object that took up all the space:  instead of
> org.apache.catalina.webresources.JarResourceSet objects, they are
> org.apache.catalina.webresources.StandardResourceSet objects, taking up
> roughly the same amount of space.

Strange. Very strange.

> Question:
> 
> Is there anything else we can adjust to make Tomcat 8’s memory consumption
> closer to that of Tomcat 6’s, for our use case?

It is hard to see exactly what is going on here. The symptoms you
describe and the resulting changes with configuration are not consistent
with how I would expect Tomcat to behave nor can I see how it might
behave in the way described.

> If not, we are faced with
> either running Tomcat 6 past its EOL, or possibly maintaining a very large
> jarsToSkip blacklist in Tomcat 7 (until its EOL).  It is not economically
> feasible for us to increase the physical memory of our servers by 30x so we
> can run Tomcat 8.
> 
> Test procedure:
> 
> 
>- Create a "dummy" webapp (using default Maven archetype) named test.war
>- Add several popular Maven dependencies such that the total size of the
>JARs in WEB-INF/lib is about 30MB

Can you provide the sample project? It makes sense to ensure we are
working from the same baseline. I wonder if the libraries themselves are
a factor here.

>- Download the latest versions of Tomcat 6, 7, and 8.
>- Set Java environment variables for a JMX listener and a 3GB max heap
>- Make 100 copies of test.war (test1.war, test2.war, …, test100.war) and
>drop them in /webapps.
>- Start the container, note the reported startup time, perform an
>explicit major GC, and note the heap utilization.
>- Run each test several times and average the results

That is a nice simple test we should be able to repeat.

> Test results:
> 
> Case 1 (baseline):
> 
> 
> 
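> +---------+--------------+---------------------------+
> | version | startup time | heap usage after major GC |
> +---------+--------------+---------------------------+
> | tomcat6 | 36,711ms     | 21,163,288                |
> | tomcat7 | 104,517ms    | 489,992,264               |
> | tomcat8 | 156,094ms    | 1,010,512,568             |
> +---------+--------------+---------------------------+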
> 
> 
> Case 2 (Tomcat 7 and 8 with “jars
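
To check the META-INF/resources condition Mark names against a real WAR, this added example (not Tomcat code and not from the thread) lists the WEB-INF/lib JARs that carry files under META-INF/resources/, which Servlet 3.0 containers also serve as static content from the webapp root. The class name, helper names and the in-memory sample WAR are constructed for illustration; pass a WAR path as the first argument to scan a real file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ResourceJarFinder {

    private static final String LIB_PREFIX = "WEB-INF/lib/";
    private static final String RESOURCES_PREFIX = "META-INF/resources/";

    /** Returns the WEB-INF/lib JARs in the WAR that contain files under META-INF/resources/. */
    static List<String> findResourceJars(InputStream war) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipInputStream warZip = new ZipInputStream(war)) {
            ZipEntry entry;
            while ((entry = warZip.getNextEntry()) != null) {
                String name = entry.getName();
                boolean isLibJar = !entry.isDirectory()
                        && name.startsWith(LIB_PREFIX) && name.endsWith(".jar");
                // warZip is positioned on the nested JAR's bytes, so it can be read in place.
                if (isLibJar && hasResources(warZip)) {
                    hits.add(name);
                }
            }
        }
        return hits;
    }

    /** Reads a nested JAR from the current WAR entry and looks for a static resource file. */
    private static boolean hasResources(InputStream jarBytes) throws IOException {
        // Deliberately not closed: closing it would close the enclosing WAR stream.
        ZipInputStream jar = new ZipInputStream(jarBytes);
        ZipEntry entry;
        while ((entry = jar.getNextEntry()) != null) {
            if (!entry.isDirectory() && entry.getName().startsWith(RESOURCES_PREFIX)) {
                return true;
            }
        }
        return false;
    }

    /** Builds a ZIP archive in memory; used only to construct the sample input. */
    static byte[] zip(String[] names, byte[][] contents) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            for (int i = 0; i < names.length; i++) {
                out.putNextEntry(new ZipEntry(names[i]));
                out.write(contents[i]);
                out.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        InputStream war;
        if (args.length > 0) {
            war = Files.newInputStream(Paths.get(args[0]));
        } else {
            // Constructed sample: one ordinary JAR, one JAR shipping static content.
            byte[] plain = zip(new String[] {"com/example/A.class"},
                    new byte[][] {{1, 2, 3}});
            byte[] withResources = zip(new String[] {"META-INF/resources/js/app.js"},
                    new byte[][] {"var x;".getBytes(StandardCharsets.UTF_8)});
            war = new ByteArrayInputStream(zip(
                    new String[] {"WEB-INF/web.xml", "WEB-INF/lib/plain.jar",
                                  "WEB-INF/lib/widgets.jar"},
                    new byte[][] {"<web-app/>".getBytes(StandardCharsets.UTF_8),
                                  plain, withResources}));
        }
        List<String> hits = findResourceJars(war);
        System.out.println(hits.size() + " JAR(s) with META-INF/resources content:");
        for (String hit : hits) {
            System.out.println("  " + hit);
        }
    }
}
```

Run without arguments, it reports only `WEB-INF/lib/widgets.jar` from the constructed sample.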

Re: Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread George Sexton



On 2/16/2016 9:13 AM, Ty wrote:

> · When Tomcat 7 was released, our testing showed a 10-to-20-fold
> increase in memory consumption and a 3-to-5-fold increase in startup time
> for our test case (100 deployed webapps).  After some digging we determined
> that these increases were related to JAR scanning
> (tomcat.util.scan.DefaultJarScanner).  When setting jarsToSkip=*, the
> memory consumption was decreased to something somewhat more reasonable
> (2-3x increase over Tomcat 6) and the startup time went back to what we
> were used to with Tomcat 6.  However at that time we opted to stay on
> Tomcat 6, because our apps were not functional with jarsToSkip=*, and we
> deemed it impractical to manage a very large “blacklist” in the jarsToSkip
> Property.




I'll just throw in my experiences. I'm running around 800+ copies of a 
web app on tomcat 7.


First, to get Tomcat 7 to start in under a century, I had to do 
jarsToSkip. It hasn't been a big problem to maintain since. Fortunately 
for me as well, my app doesn't use annotations in any significant way so 
I'm pretty lucky there.


Second, I moved all of the generic jars into ${catalina.base}/lib. My 
web app's jar uses statics, so each webapp has perhaps a single 1.5MB 
jar in the context WEB-INF/lib. This is bad because now I pretty much 
have to upgrade all instances in lock-step otherwise I run into version 
dependencies with ${catalina.base}/lib files. Still, it's an acceptable 
tradeoff. If this were possible for you, I'd definitely give this a go.


My startup times are around 30 seconds. A huge part of my remaining 
startup times are caused by loading each instance's unique database. 
When I put the databases on SSD, things were lots better :)


Right now, I have 48GB allocated to the JVM. Really, it's using 16GB of 
eden space, and it's got around 32GB dedicated to Old Gen, but it's 
really only using 5GB of space in Old Gen. Survivor space is under 
256MB. I suppose I could do some tuning with various parameters to force 
more allocation to eden space, and less to old gen, but performance is 
really good, and I don't have any motivation to do it.



--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


Cannot upgrade past Tomcat 6 due to massive memory increase

2016-02-16 Thread Ty
Summary:

Because of our use case (hundreds of webapps per instance), we cannot
feasibly upgrade our Tomcat 6 containers to Tomcat 7 or Tomcat 8, due to
the massive increase in memory the upgrade causes.

Background:

We’ve been running Tomcat 6 for several years, on perhaps an unusual scale:
several dozen Tomcat instances, each running up to a *few hundred webapps*
in a single container.  (Picture a cloud service provider with several
products and hundreds of customers, with one dedicated webapp
per-customer-per-product, resulting in many thousands of web
applications.  It’s
not ideal but it’s how the software was designed).  Typical max heap sizes
per container are 1GB to 4GB depending on utilization, and max container
startup times are in the neighborhood of 5 to 10 minutes.

· When Tomcat 7 was released, our testing showed a 10-to-20-fold
increase in memory consumption and a 3-to-5-fold increase in startup time
for our test case (100 deployed webapps).  After some digging we determined
that these increases were related to JAR scanning
(tomcat.util.scan.DefaultJarScanner).  When setting jarsToSkip=*, the
memory consumption was decreased to something somewhat more reasonable
(2-3x increase over Tomcat 6) and the startup time went back to what we
were used to with Tomcat 6.  However at that time we opted to stay on
Tomcat 6, because our apps were not functional with jarsToSkip=*, and we
deemed it impractical to manage a very large “blacklist” in the jarsToSkip
Property.

· When Tomcat 8 was released, we noted that it included a
“whitelist” version of the jarsToSkip Property, jarsToScan.  Our hopes were
high that we could skip from Tomcat 6 to Tomcat 8, but our test case (again
100 deployed webapps) quickly deflated those hopes:  similar startup times
but at least a *30-fold increase in memory consumption*, regardless of how
we configure jarsToScan or jarsToSkip.

· A heap dump analysis showed that the Tomcat 8 memory increase was
largely due to the size/count of
org.apache.catalina.webresources.JarResourceSet objects.  We attempted to
reduce this by setting the Context/Resources@cachingAllowed attribute to
“false” and also tried to tune the “cacheMaxSize” and “cacheObjectMaxSize”
attributes.  The only effect that came from these changes was a change in
the object that took up all the space:  instead of
org.apache.catalina.webresources.JarResourceSet objects, they are
org.apache.catalina.webresources.StandardResourceSet objects, taking up
roughly the same amount of space.

Question:

Is there anything else we can adjust to make Tomcat 8’s memory consumption
closer to that of Tomcat 6’s, for our use case?  If not, we are faced with
either running Tomcat 6 past its EOL, or possibly maintaining a very large
jarsToSkip blacklist in Tomcat 7 (until its EOL).  It is not economically
feasible for us to increase the physical memory of our servers by 30x so we
can run Tomcat 8.

Test procedure:


   - Create a "dummy" webapp (using default Maven archetype) named test.war
   - Add several popular Maven dependencies such that the total size of the
   JARs in WEB-INF/lib is about 30MB
   - Download the latest versions of Tomcat 6, 7, and 8.
   - Set Java environment variables for a JMX listener and a 3GB max heap
   - Make 100 copies of test.war (test1.war, test2.war, …, test100.war) and
   drop them in /webapps.
   - Start the container, note the reported startup time, perform an
   explicit major GC, and note the heap utilization.
   - Run each test several times and average the results

Test results:

Case 1 (baseline):



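+---------+--------------+---------------------------+
| version | startup time | heap usage after major GC |
+---------+--------------+---------------------------+
| tomcat6 | 36,711ms     | 21,163,288                |
| tomcat7 | 104,517ms    | 489,992,264               |
| tomcat8 | 156,094ms    | 1,010,512,568             |
+---------+--------------+---------------------------+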


Case 2 (Tomcat 7 and 8 with “jarsToSkip=*”)

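+---------+--------------+---------------------------+
| version | startup time | heap usage after major GC |
+---------+--------------+---------------------------+
| tomcat6 | 36,711ms     | 21,163,288                |
| tomcat7 | 38,979ms     | 72,359,840                |
| tomcat8 | 52,040ms     | 633,682,336               |
+---------+--------------+---------------------------+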


Re: Tomcat 6 | Tomcat with APR causing Thread Blocking

2016-02-10 Thread Christopher Schultz

Ravi,

On 2/10/16 1:43 AM, Ranjan, Ravi wrote:
> Yes the stack trace was taken on server.

> Anyway thanks for your valuable replies, I will continue my
> research in this direction. Since tomcat is out of picture now, I
> will concentrate on my external Process or any redesign that might
> be required. I will share my findings, if hopefully I am able to
> crack this one.

It's not rocket science: just set a connection/read timeout on the
HTTP client. Something like this:

AbstractHttpMessage message = ;
HttpParams params=message.getParams();
HttpConnectionParams.setConnectionTimeout(params, 5000); // 5s
HttpConnectionParams.setSoTimeout(params, 5000); // 5s

Hope that helps,
-chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: Tuesday, February 09,
> 2016 7:42 PM To: Tomcat Users List Subject: Re: Tomcat 6 | Tomcat
> with APR causing Thread Blocking
> 
> Ravi,
> 
> On 2/9/16 7:10 AM, Ranjan, Ravi wrote:
>> HI Chris,
> 
>> Sorry for a delayed response. Here is few information that you 
>> asked for: 1.Tomcat Native Library version is 1.1.30 and APR 
>> version is 1.4.8 2.  I am running my tomcat 6.0.41 on Windows 7 
>> system with Java 7.
> 
>> As you said that if APR is not available the Java BIO (blocking 
>> I/O) connector will be used. For me this connector is working. I
>> am still not able to pinpoint to exact difference between these
>> two types of connectors, which might be causing/solving the
>> issue.
> 
>> Here is the thread dump for the stuck thread:
> 
>> "http-8080-2" - Thread t@55 java.lang.Thread.State: RUNNABLE at 
>> java.net.SocketInputStream.socketRead0(Native Method) at 
>> java.net.SocketInputStream.read(SocketInputStream.java:152) at 
>> java.net.SocketInputStream.read(SocketInputStream.java:122) at 
>> java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>> at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
>> - locked <1559b4d1> (a java.io.BufferedInputStream) at 
>> org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)
> 
> This stack trace was taken on the server, not the client, right?
> 
> If so, this has nothing whatsoever to do with Tomcat. This is a
> problem with your web application making a connection to an outside
> service that is taking a long time to respond.
> 
> Set your timeouts appropriately and you won't have this stuck
> thread anymore. But you will have to handle error situations, of
> course.
> 
> -chris
> 
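
The thread in Ravi's dump is blocked in socketRead0 waiting for a status line that never arrives. This added example (not from the thread) reproduces that against a constructed local server that accepts a connection and then stays silent, and shows a read timeout turning the hang into a SocketTimeoutException the caller must handle. It uses the JDK's HttpURLConnection rather than the Commons HttpClient seen in the trace; class and method names are illustrative.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.Proxy;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.URL;

public class ReadTimeoutDemo {

    /** Constructed stand-in for the slow outside service: accepts, then never answers. */
    static ServerSocket startSilentServer() throws IOException {
        final ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread acceptor = new Thread(new Runnable() {
            public void run() {
                try {
                    Socket client = server.accept(); // hold the connection open, send nothing
                    Thread.sleep(60000);
                    client.close();
                } catch (Exception ignored) {
                    // server socket closed or demo finished
                }
            }
        });
        acceptor.setDaemon(true); // do not keep the JVM alive after main() returns
        acceptor.start();
        return server;
    }

    /**
     * Calls the URL with explicit timeouts and reports the outcome as text.
     * Without setReadTimeout the getResponseCode() call below would block
     * indefinitely, which is the state captured in the thread dump.
     */
    static String call(URL url, int connectMs, int readMs) {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) url.openConnection(Proxy.NO_PROXY);
            conn.setConnectTimeout(connectMs); // limit on establishing the TCP connection
            conn.setReadTimeout(readMs);       // limit on each blocking read of the response
            return "HTTP " + conn.getResponseCode();
        } catch (SocketTimeoutException e) {
            // The error path the caller now has to handle: fail the request,
            // return an error to the user, or retry with a bound.
            return "timed out: " + e.getMessage();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ServerSocket server = startSilentServer();
        URL url = new URL("http://127.0.0.1:" + server.getLocalPort() + "/");

        long start = System.nanoTime();
        String result = call(url, 5000, 5000); // 5s each, as in the reply above
        long elapsedMs = (System.nanoTime() - start) / 1000000L;

        System.out.println(result + " (after about " + elapsedMs + " ms)");
        server.close();
    }
}
```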



Re: Tomcat 6 | Tomcat with APR causing Thread Blocking

2016-02-09 Thread Christopher Schultz

Ravi,

On 2/9/16 7:10 AM, Ranjan, Ravi wrote:
> HI Chris,
> 
> Sorry for a delayed response. Here is few information that you
> asked for: 1. Tomcat Native Library version is 1.1.30 and APR
> version is 1.4.8 2.   I am running my tomcat 6.0.41 on Windows 7
> system with Java 7.
> 
> As you said that if APR is not available the Java BIO (blocking
> I/O) connector will be used. For me this connector is working. I am
> still not able to pinpoint to exact difference between these two
> types of connectors, which might be causing/solving the issue.
> 
> Here is the thread dump for the stuck thread:
> 
> "http-8080-2" - Thread t@55 java.lang.Thread.State: RUNNABLE at
> java.net.SocketInputStream.socketRead0(Native Method) at
> java.net.SocketInputStream.read(SocketInputStream.java:152) at
> java.net.SocketInputStream.read(SocketInputStream.java:122) at
> java.io.BufferedInputStream.fill(BufferedInputStream.java:235) at
> java.io.BufferedInputStream.read(BufferedInputStream.java:254) -
> locked <1559b4d1> (a java.io.BufferedInputStream) at
> org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)

This stack trace was taken on the server, not the client, right?

If so, this has nothing whatsoever to do with Tomcat. This is a
problem with your web application making a connection to an outside
service that is taking a long time to respond.

Set your timeouts appropriately and you won't have this stuck thread
anymore. But you will have to handle error situations, of course.

-chris



RE: Tomcat 6 | Tomcat with APR causing Thread Blocking

2016-02-09 Thread Ranjan, Ravi
HI Chris,

Sorry for a delayed response.
Here is the information that you asked for:
1.  Tomcat Native Library version is 1.1.30 and APR version is 1.4.8
2.  I am running my tomcat 6.0.41 on a Windows 7 system with Java 7.

As you said, if APR is not available the Java BIO (blocking I/O) connector 
will be used. For me this connector is working.
I am still not able to pinpoint the exact difference between these two types of 
connectors, which might be causing/solving the issue. 

Here is the thread dump for the stuck thread:

"http-8080-2" - Thread t@55
   java.lang.Thread.State: RUNNABLE
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:152)
    at java.net.SocketInputStream.read(SocketInputStream.java:122)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
    - locked <1559b4d1> (a java.io.BufferedInputStream)
    at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)
    at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:105)
    at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1118)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1373)
    at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1832)
    at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1590)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:995)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.codehaus.xfire.transport.http.CommonsHttpMessageSender.send(CommonsHttpMessageSender.java:364)
    at org.codehaus.xfire.transport.http.HttpChannel.sendViaClient(HttpChannel.java:123)
    at org.codehaus.xfire.transport.http.HttpChannel.send(HttpChannel.java:48)
    at org.codehaus.xfire.handler.OutMessageSender.invoke(OutMessageSender.java:26)
    at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
    at org.codehaus.xfire.client.Invocation.invoke(Invocation.java:75)
    at org.codehaus.xfire.client.Client.invoke(Client.java:335)
    at org.codehaus.xfire.client.XFireProxy.handleRequest(XFireProxy.java:77)
    at org.codehaus.xfire.client.XFireProxy.invoke(XFireProxy.java:57)
    at com.sun.proxy.$Proxy62.query(Unknown Source)
    at com..XXX.web.services.client.XX.sendMessageToServer(XXX.java:53)
    .
    .
    .

Thanks,
Ravi Ranjan

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Saturday, February 06, 2016 4:18 AM
To: Tomcat Users List
Subject: Re: Tomcat 6 | Tomcat with APR causing Thread Blocking

Ravi,

On 2/4/16 2:15 AM, Ranjan, Ravi wrote:
> I am new to this user list and this is the first email I am sending 
> out to you. Hope you will let me know if more 
> information/logs/dump/test case/clarity is required.

Welcome.

> So I am working with Tomcat 6.0.41 (both 64bit and 32 bit). In my 
> Tomcat environment I am using APR (Apache Portable
> Runtime<http://ivf.dlr.de/docs/apr.html>)Listener: (by configuring 
> below property in server.xml)
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />

So far, so good. The only thing you didn't mention was the versions of APR and 
tcnative you were using, and your OS.

> I am using below connector, which i assume is a blocking type: 
>  connectionTimeout="2"  redirectPort="8443" />

If you have APR available, then that configuration will give you the APR 
connector. If APR is not available, you'll get the Java BIO (blocking I/O) 
connector.

> In one of my webapp i am running a dll as a Java Process to validate 
> some data. This dll is accessed as a Process whenever is required. I 
> have separate Thread to terminate this Process if not used for few 
> minutes.

(DLL: So this is Microsoft Windows?)

> Now i am facing a weird issue where with Apache Tomcat 6.0.43 (both 
> 64 and 32 bit), the http thread that has started this process gets 
> stuck. From thread dump i get this stack trace:
> 
> "http-8080-2" - Thread t@55 java.lang.Thread.State: RUNNABLE at 
> java.net.SocketInputStream.socketRead0(Native Method) at
> java.net.SocketInputStream.read(SocketInputStream.

RE: Tomcat 6 | Tomcat with APR causing Thread Blocking

2016-02-09 Thread Ranjan, Ravi
Chris,

Yes the stack trace was taken on server. 
Anyway thanks for your valuable replies, I will continue my research in this 
direction. Since tomcat is out of picture now, I will concentrate on my 
external Process or any redesign that might be required. I will share my 
findings, if hopefully I am able to crack this one.

Regards,
Ravi Ranjan 

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, February 09, 2016 7:42 PM
To: Tomcat Users List
Subject: Re: Tomcat 6 | Tomcat with APR causing Thread Blocking

Ravi,

On 2/9/16 7:10 AM, Ranjan, Ravi wrote:
> HI Chris,
> 
> Sorry for a delayed response. Here is few information that you
> asked for: 1. Tomcat Native Library version is 1.1.30 and APR
> version is 1.4.8 2.   I am running my tomcat 6.0.41 on Windows 7
> system with Java 7.
> 
> As you said that if APR is not available the Java BIO (blocking
> I/O) connector will be used. For me this connector is working. I am 
> still not able to pinpoint to exact difference between these two types 
> of connectors, which might be causing/solving the issue.
> 
> Here is the thread dump for the stuck thread:
> 
> "http-8080-2" - Thread t@55 java.lang.Thread.State: RUNNABLE at 
> java.net.SocketInputStream.socketRead0(Native Method) at
> java.net.SocketInputStream.read(SocketInputStream.java:152) at
> java.net.SocketInputStream.read(SocketInputStream.java:122) at
> java.io.BufferedInputStream.fill(BufferedInputStream.java:235) at
> java.io.BufferedInputStream.read(BufferedInputStream.java:254) - 
> locked <1559b4d1> (a java.io.BufferedInputStream) at
> org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)

This stack trace was taken on the server, not the client, right?

If so, this has nothing whatsoever to do with Tomcat. This is a problem with 
your web application making a connection to an outside service that is taking a 
long time to respond.

Set your timeouts appropriately and you won't have this stuck thread anymore. 
But you will have to handle error situations, of course.

-chris


_
The information contained in this message is proprietary and/or confidential. 
If you are not the intended recipient, please: (i) delete the message and all 
copies; (ii) do not disclose, distribute or use the message in any manner; and 
(iii) notify the sender immediately. In addition, please be aware that any 
message addressed to our domain is subject to archiving and review by persons 
other than the intended recipient. Thank you.



Re: Tomcat 6 | Tomcat with APR causing Thread Blocking

2016-02-05 Thread Christopher Schultz
Ravi,

On 2/4/16 2:15 AM, Ranjan, Ravi wrote:
> I am new to this user list and this is the first email I am
> sending out to you. Hope you will let me know if more 
> information/logs/dump/test case/clarity is required.

Welcome.

> So I am working with Tomcat 6.0.41 (both 64bit and 32 bit). In my 
> Tomcat environment I am using APR (Apache Portable 
> Runtime)Listener: (by configuring 
> below property in server.xml)
> <Listener className="org.apache.catalina.core.AprLifecycleListener" 
> SSLEngine="on" />

So far, so good. The only thing you didn't mention was the versions of
APR and tcnative you were using, and your OS.

> I am using below connector, which i assume is a blocking type: 
>  connectionTimeout="2"  redirectPort="8443" />

If you have APR available, then that configuration will give you the
APR connector. If APR is not available, you'll get the Java BIO
(blocking I/O) connector.

> In one of my webapp i am running a dll as a Java Process to
> validate some data. This dll is accessed as a Process whenever is
> required. I have separate Thread to terminate this Process if not
> used for few minutes.

(DLL: So this is Microsoft Windows?)

> Now i am facing a weird issue where with Apache Tomcat 6.0.43
> (both 64 and 32 bit), the http thread that has started this process
> gets stuck. From thread dump i get this stack trace:
> 
> "http-8080-2" - Thread t@55 java.lang.Thread.State: RUNNABLE at
> java.net.SocketInputStream.socketRead0(Native Method) at
> java.net.SocketInputStream.read(SocketInputStream.java:152) at
> java.net.SocketInputStream.read(SocketInputStream.java:122) at
> java.io.BufferedInputStream.fill(BufferedInputStream.java:235) at
> java.io.BufferedInputStream.read(BufferedInputStream.java:254) -
> locked <1559b4d1> (a java.io.BufferedInputStream) at
> org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)
> at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:105)
> at
> org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1118)
> . . .

Hmm. The thread name doesn't say what type of connector it is. I might
just be used to seeing thread names from Tomcat 7+, where it's clear
whether nio/bio/apr is in use.

But! The stack trace above is not Tomcat's code. This is your code
calling-out through commons HttpClient to another server. None of your
 configuration has any bearing on how that connection is
handled.

> To ascertain that the native process is not causing the issue, i
> ran few other external exe's (both 64 bit and 32 bit) with same
> result.
> 
> During my research i found that if i comment the above listed 
> AprLifecycleListener property from the server.xml, things start 
> working. This behavior is very inconsistent across different
> versions of Tomcat, e.g. in Tomcat 6.0.10, i am not facing the
> issue. Then i upgraded to Tomcat 8, i faced this issue. I have
> tried with many versions of Tomcat and all result in same
> behavior.
> 
> So, is this APR interfering with my own process calls? Or is there 
> something that i am missing. Anyone who have seen any such tomcat
> bugs or fixes can point me as well.

I'm not convinced this has anything to do with Tomcat at all,
actually. If your code is stuck calling another service, there's
nothing Tomcat can do about it.

Can you show us more of that stack trace?

Something many programmers forget is that any time you are making a
call that touches the network, it's vitally important to set
appropriate timeouts. Many APIs default to "no timeout: wait forever"
which means if there's some kind of network lag or whatever, your web
application will become unresponsive if you make requests to some
other unreliable service. If you timeout after 2-3 seconds, at least
your application can tell the user "sorry, that *other* service is
down", instead of locking everything up.

Hope that helps,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
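
Added example (not part of any message in this thread): the hang discussed above, reproduced with JDK classes only. A read with no timeout blocks indefinitely, while SO_TIMEOUT turns the same wait into a SocketTimeoutException. The silent loopback server is a constructed stand-in for the unresponsive remote service; the class and method names are illustrative, and Java 8 or later is assumed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

public class ReadTimeoutDemo {

    /** Sends a request and reads the status line. soTimeoutMs == 0 means "wait forever". */
    static String readStatusLine(int port, int soTimeoutMs) throws IOException {
        try (Socket s = new Socket()) {
            // Connect timeout: bounds the TCP handshake.
            s.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), port), 2000);
            // Read timeout (SO_TIMEOUT): bounds every blocking read on this socket.
            s.setSoTimeout(soTimeoutMs);
            s.getOutputStream().write("GET / HTTP/1.0\r\n\r\n".getBytes(StandardCharsets.US_ASCII));
            s.getOutputStream().flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
            return in.readLine(); // returns on data or EOF, throws on timeout
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the unresponsive remote service:
        // it accepts connections, keeps them open and never sends a byte.
        final ServerSocket silent = new ServerSocket(0, 50, InetAddress.getLoopbackAddress());
        final List<Socket> held = new CopyOnWriteArrayList<>();
        Thread acceptor = new Thread(() -> {
            try {
                while (true) {
                    held.add(silent.accept());
                }
            } catch (IOException closed) {
                // server socket closed at the end of the demo
            }
        }, "silent-service");
        acceptor.setDaemon(true);
        acceptor.start();
        final int port = silent.getLocalPort();

        // Case 1: no read timeout. The worker never returns from readLine().
        Thread worker = new Thread(() -> {
            try {
                readStatusLine(port, 0);
            } catch (IOException e) {
                System.out.println("worker ended: " + e);
            }
        }, "no-timeout-worker");
        worker.setDaemon(true); // lets the JVM exit although the thread stays blocked
        worker.start();
        worker.join(1500);
        StackTraceElement[] frames = worker.getStackTrace();
        System.out.println("no timeout:   alive=" + worker.isAlive() + " state=" + worker.getState()
                + " top frame=" + (frames.length > 0 ? frames[0] : "n/a"));

        // Case 2: a 2 second read timeout turns the same hang into an exception.
        long start = System.nanoTime();
        try {
            readStatusLine(port, 2000);
        } catch (SocketTimeoutException e) {
            long ms = (System.nanoTime() - start) / 1_000_000;
            System.out.println("with timeout: gave up after " + ms + " ms (" + e.getMessage() + ")");
            // A servlet would report "upstream service unavailable" here
            // and the request thread goes back to the pool.
        }
        silent.close();
    }
}
```

With Commons HttpClient 3.x, the library in the stack trace, the corresponding settings are setConnectionTimeout(int) and setSoTimeout(int) on client.getHttpConnectionManager().getParams().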



Tomcat 6 | Tomcat with APR causing Thread Blocking

2016-02-03 Thread Ranjan, Ravi
Hi Guys,

I am new to this user list and this is the first email I am sending out to you. 
Hope you will let me know if more information/logs/dump/test case/clarity is 
required.

So I am working with Tomcat 6.0.41 (both 64bit and 32 bit). In my Tomcat 
environment I am using APR (Apache Portable 
Runtime)Listener: (by configuring below 
property in server.xml)


I am using below connector, which i assume is a blocking type:


In one of my webapp i am running a dll as a Java Process to validate some data. 
This dll is accessed as a Process whenever is required. I have separate Thread 
to terminate this Process if not used for few minutes.
Now i am facing a weird issue where with Apache Tomcat 6.0.43 (both 64 and 32 
bit), the http thread that has started this process gets stuck. From thread 
dump i get this stack trace:
"http-8080-2" - Thread t@55
   java.lang.Thread.State: RUNNABLE
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:152)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
- locked <1559b4d1> (a java.io.BufferedInputStream)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:105)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1118)
.
.
.

To ascertain that the native process is not causing the issue, i ran few other 
external exe's (both 64 bit and 32 bit) with same result.
During my research i found that if i comment the above listed 
AprLifecycleListener property from the server.xml, things start working. This 
behavior is very inconsistent across different versions of Tomcat, e.g. in 
Tomcat 6.0.10, i am not facing the issue. Then i upgraded to Tomcat 8, i faced 
this issue. I have tried with many versions of Tomcat and all result in same 
behavior.
So, is this APR interfering with my own process calls? Or is there something 
that i am missing. Anyone who have seen any such tomcat bugs or fixes can point 
me as well.

Thanks and Regards,
Ravi Ranjan



RE: Classloading performance problems, Tomcat 8 upgrade from tomcat 6

2015-11-06 Thread Datta, Abir - Ealing
Could you please suggest something in TOMCAT 8 which might be leading to the 
problem mentioned below.

Thanks,
Abir

From: Datta, Abir - Ealing <ada...@wiley.com>
Sent: 05 November 2015 17:17
To: Tomcat Users List
Subject: RE: Classloading performance problems, Tomcat 8 upgrade from tomcat 6

Hi Mark,

Thanks for the response. The setting is already enabled. We have upgraded to 
tomcat version 8.0.26



Thanks,
Abir


From: Mark Thomas <ma...@apache.org>
Sent: 05 November 2015 17:07
To: Tomcat Users List
Subject: Re: Classloading performance problems, Tomcat 8 upgrade from tomcat 6

On 05/11/2015 16:58, Datta, Abir - Ealing wrote:
> Hi,
>
>
> Background
>
> Application server has been upgraded from tomcat 6 to tomcat 8. We are 
> experiencing performance issues in transactions which involve XML processing 
> using DOM4J and xerces api. The application uses dom4j-1.6.1.jar and 
> xercesImpl-2.10.0.jar. There has been no change in the application which was 
> deployed in tomcat 6 to the application deployed in tomcat 8.
>
> Problem
>
> We use Dynatrace to monitor our application. We have seen that in tomcat 8, 
> the time taken for classloading api has increased significantly, leading to 
> performance degradation. This tomcat 8 classloading time and api breakdown 
> leading to classloading<http://i.stack.imgur.com/zblrc.jpg> shows the time 
> taken by the classloading api in Tomcat 8 and this shows what was happening 
> in tomcat 6<http://i.stack.imgur.com/LOk5e.jpg>.
>
> From the above pics, we can see that Classloading is invoked from the xerces 
> apis(Xml Processing in the pic), so the transactions using the xerces api 
> have shown performance degradation.
>
> Please help in understanding why the classloading times have increased in 
> tomcat 8 and how to get rid of this problem in tomcat8.

Try enabling unpackWARs.

Mark




John Wiley & Sons Limited is a private limited company registered in England 
with registered number 641132.
Registered office address: The Atrium, Southern Gate, Chichester, West Sussex, 
United Kingdom. PO19 8SQ.




Re: Classloading performance problems, Tomcat 8 upgrade from tomcat 6

2015-11-06 Thread Mark Thomas
On 06/11/2015 16:15, Datta, Abir - Ealing wrote:
> Could you please suggest something in TOMCAT 8 which might be leading to the 
> problem mentioned below.

Define "increased significantly".

A simple test case that demonstrates the issue would also help.

Mark


> 
> Thanks,
> Abir
> 
> From: Datta, Abir - Ealing <ada...@wiley.com>
> Sent: 05 November 2015 17:17
> To: Tomcat Users List
> Subject: RE: Classloading performance problems, Tomcat 8 upgrade from tomcat 6
> 
> Hi Mark,
> 
> Thanks for the response. The setting is already enabled. We have upgraded to 
> tomcat version 8.0.26
> 
>  unpackWARs="true" autoDeploy="true">
> 
> Thanks,
> Abir
> 
> 
> From: Mark Thomas <ma...@apache.org>
> Sent: 05 November 2015 17:07
> To: Tomcat Users List
> Subject: Re: Classloading performance problems, Tomcat 8 upgrade from tomcat 6
> 
> On 05/11/2015 16:58, Datta, Abir - Ealing wrote:
>> Hi,
>>
>>
>> Background
>>
>> Application server has been upgraded from tomcat 6 to tomcat 8. We are 
>> experiencing performance issues in transactions which involve XML processing 
>> using DOM4J and xerces api. The application uses dom4j-1.6.1.jar and 
>> xercesImpl-2.10.0.jar. There has been no change in the application which was 
>> deployed in tomcat 6 to the application deployed in tomcat 8.
>>
>> Problem
>>
>> We use Dynatrace to monitor our application. We have seen that in tomcat 8, 
>> the time taken for classloading api has increased significantly, leading to 
>> performance degradation. This tomcat 8 classloading time and api breakdown 
>> leading to classloading<http://i.stack.imgur.com/zblrc.jpg> shows the time 
>> taken by the classloading api in Tomcat 8 and this shows what was happening 
>> in tomcat 6<http://i.stack.imgur.com/LOk5e.jpg>.
>>
>> From the above pics, we can see that Classloading is invoked from the xerces 
>> apis(Xml Processing in the pic), so the transactions using the xerces api 
>> have shown performance degradation.
>>
>> Please help in understanding why the classloading times have increased in 
>> tomcat 8 and how to get rid of this problem in tomcat8.
> 
> Try enabling unpackWARs.
> 
> Mark
> 
> 




Classloading performance problems, Tomcat 8 upgrade from tomcat 6

2015-11-05 Thread Datta, Abir - Ealing
Hi,


Background

Application server has been upgraded from tomcat 6 to tomcat 8. We are 
experiencing performance issues in transactions which involve XML processing 
using DOM4J and xerces api. The application uses dom4j-1.6.1.jar and 
xercesImpl-2.10.0.jar. There has been no change in the application which was 
deployed in tomcat 6 to the application deployed in tomcat 8.

Problem

We use Dynatrace to monitor our application. We have seen that in tomcat 8, the 
time taken for classloading api has increased significantly, leading to 
performance degradation. This tomcat 8 classloading time and api breakdown 
leading to classloading<http://i.stack.imgur.com/zblrc.jpg> shows the time 
taken by the classloading api in Tomcat 8 and this shows what was happening in 
tomcat 6<http://i.stack.imgur.com/LOk5e.jpg>.

From the above pics, we can see that Classloading is invoked from the xerces 
apis(Xml Processing in the pic), so the transactions using the xerces api have 
shown performance degradation.

Please help in understanding why the classloading times have increased in 
tomcat 8 and how to get rid of this problem in tomcat8.

Thanks.





Re: Classloading performance problems, Tomcat 8 upgrade from tomcat 6

2015-11-05 Thread Mark Thomas
On 05/11/2015 16:58, Datta, Abir - Ealing wrote:
> Hi,
> 
> 
> Background
> 
> Application server has been upgraded from tomcat 6 to tomcat 8. We are 
> experiencing performance issues in transactions which involve XML processing 
> using DOM4J and xerces api. The application uses dom4j-1.6.1.jar and 
> xercesImpl-2.10.0.jar. There has been no change in the application which was 
> deployed in tomcat 6 to the application deployed in tomcat 8.
> 
> Problem
> 
> We use Dynatrace to monitor our application. We have seen that in tomcat 8, 
> the time taken for classloading api has increased significantly, leading to 
> performance degradation. This tomcat 8 classloading time and api breakdown 
> leading to classloading<http://i.stack.imgur.com/zblrc.jpg> shows the time 
> taken by the classloading api in Tomcat 8 and this shows what was happening 
> in tomcat 6<http://i.stack.imgur.com/LOk5e.jpg>.
> 
> From the above pics, we can see that Classloading is invoked from the xerces 
> apis(Xml Processing in the pic), so the transactions using the xerces api 
> have shown performance degradation.
> 
> Please help in understanding why the classloading times have increased in 
> tomcat 8 and how to get rid of this problem in tomcat8.

Try enabling unpackWARs.

Mark




RE: Classloading performance problems, Tomcat 8 upgrade from tomcat 6

2015-11-05 Thread Datta, Abir - Ealing
Hi Mark,

Thanks for the response. The setting is already enabled. We have upgraded to 
tomcat version 8.0.26



Thanks,
Abir


From: Mark Thomas <ma...@apache.org>
Sent: 05 November 2015 17:07
To: Tomcat Users List
Subject: Re: Classloading performance problems, Tomcat 8 upgrade from tomcat 6

On 05/11/2015 16:58, Datta, Abir - Ealing wrote:
> Hi,
>
>
> Background
>
> Application server has been upgraded from tomcat 6 to tomcat 8. We are 
> experiencing performance issues in transactions which involve XML processing 
> using DOM4J and xerces api. The application uses dom4j-1.6.1.jar and 
> xercesImpl-2.10.0.jar. There has been no change in the application which was 
> deployed in tomcat 6 to the application deployed in tomcat 8.
>
> Problem
>
> We use Dynatrace to monitor our application. We have seen that in tomcat 8, 
> the time taken for classloading api has increased significantly, leading to 
> performance degradation. This tomcat 8 classloading time and api breakdown 
> leading to classloading<http://i.stack.imgur.com/zblrc.jpg> shows the time 
> taken by the classloading api in Tomcat 8 and this shows what was happening 
> in tomcat 6<http://i.stack.imgur.com/LOk5e.jpg>.
>
> From the above pics, we can see that Classloading is invoked from the xerces 
> apis(Xml Processing in the pic), so the transactions using the xerces api 
> have shown performance degradation.
>
> Please help in understanding why the classloading times have increased in 
> tomcat 8 and how to get rid of this problem in tomcat8.

Try enabling unpackWARs.

Mark



