AW: AW: Logging web applications with log4j 1.2

2019-02-21 Thread Thomas Rohde
Hi Chris,

> Thomas,
> 
> On 2/21/19 07:20, Thomas Rohde wrote:
> > Hi Chris,
> > 
> > -Original Message- From: Christopher Schultz
> > [mailto:ch...@christopherschultz.net] Sent: Wednesday, 20
> > February 2019 16:41 To: users@tomcat.apache.org Subject: Re: Logging
> > web applications with log4j 1.2
> > 
> >>> Thomas,
> >>> 
> >>> On 2/20/19 08:00, Thomas Rohde wrote:
> >>>> I've some basic questions regarding the usage of log4j 1.2 in
> >>>> Tomcat 8.5.
> >>>>
> >>>> We are running more than one web application in Tomcat. Each
> >>>> application uses log4j via slf4j and ships the log4j.jar in
> >>> WEB-INF/lib. The Tomcat itself uses JULI.
> >>> 
> >>> We are using a common log4j.xml file for configuration.
> >>> 
> >>> The file path is set as system property in CATALINA_OPTS as
> >>> follows: -Dlog4j.configuration=/path/to/file/log4j.xml
> >>> 
> >>> 1. Is this a valid setup or are there any side effects in 
> >>> initialization log4j by the different WebAppClassLoaders?
> >> 
> >> You are not using classpath-based config-file-loading, so it should 
> >> not be a problem[*].
> >> 
> >>> 2. We are observing weird things in rolling the files hourly.
> >>> The timestamp of the log messages doesn't fit to the timestamp 
> >>> suffix of the file. Why does this happen?
> >> 
> >> Possibly conflicting time zones, somewhere? Because log4j.jar is in 
> >> each application's class loader, they CAN have different in-memory 
> >> configurations.
> > No there are no different time zones in use.
> 
> That's what I figured. I've never seen anything quite like you describe. I 
> could imagine that the JVM has one time zone but the shell is using another.
> 
> For example, if the JVM is convinced that the time zone is UTC but when you 
> are logged-into the server, your shell has TZ=America/Los_Angeles, then 
> you'll see a ~9 hour difference between file timestamps and the filenames. 
> Like this:
> 
> $ ls -l logs/
> 
> -rw-r--r--   12345 Feb 19 16:01 log4j.log.2019-02-18
> -rw-r--r--   12345 Feb 20 16:00 log4j.log.2019-02-19
> -rw-r--r--   12345 Feb 21 16:01 log4j.log.2019-02-20
> 
> Note how each filename has the name you'd expect, but the timestamp looks a 
> little odd. If you look into each file, you'd see that e.g. in the 2019-02-19 
> file, the timestamps go from 2019-02-19T00:00:00 through 2019-02-19T23:59:59 
> but it looks like the file was rotated 8 hours earlier. That's because it was 
> rotated at 00:00 (PST) as reckoned by the JVM, but at 16:01 in UTC.
> 
> My recommendation would be to set all of your timezones to the same thing. 
> UTC makes the most sense to me, but that's just my opinion.
> Theoretically, all timestamps are interchangeable, right?

Thank you for the hint. We will check that!

> 
> >> [*] While this will work, why would you ever want multiple 
> >> applications to have their logging configuration all tied together? 
> >> Why not separate the logging configuration into one config-per web 
> >> application? OR are you trying to unify all logging into the same 
> >> file(s )?
> > Yes I would like to do that, but I'm not sure how to achieve it 
> > without putting the log4j.xml into the WAR file. Do you have any hint?
> I can think of several ways, but it depends upon how your application 
> initializes log4j.
> 
> If you specify where the configuration file is, directly, then you can either 
> change that to somewhere else, or you can replace that filename with a 
> parameter that you can set in web.xml -- say, in an . You *are* 
> configuring log4j in a ServletContextInitializer, right?
> 
> If you just do "new PropertyConfigurator()" (like I do), then it will search 
> the parent ClassLoader and that's it. In that case, you'll have to arrange 
> for the log4j.properties file to be present, there. Placing it in the WAR 
> file is an option. Another option would be to put the file elsewhere, but 
> then modify the Tomcat configuration to add another directory to the 
> ClassLoader, like this:
> 
> 
>   
>webAppMount="/"
> base="/path/to/app-specific-log-dir"
> className="org.apache.catalina.webresources.DirResourceSet"
>   
> 
> 
> Then you put your log4j.properties file in /path/to/app-specific-log-dir .

Yeah, in the meantime, I have already thought about this solution. We will do 
some tests. Thank you!

> 
> Hope that helps,
> -chris

Re: Parallel Tomcat Instances On Same Server

2019-02-21 Thread TurboChargedDad .
The way I have done it in the past is to separate each tomcat instance by a
local user on the machine.  I use linux so I have no idea if this would
work on windoze.   This was done to separate powers and isolate
permissions.  I am actually looking for critique of this setup as well.  So
please feel free to blast away.

Example : Let's say I have 4 websites.

site1.com
site2.com
site3.com
site4.com

I have :
 An NGINX proxy in front of the apache servers that sits in a public
segment.
A tomcat server fronted by NGINX to terminate SSL that sits in a private
segment.

Tomcat is installed in /opt/company/tomcat-8.5
and a symlink exists /opt/company/tomcat-latest -->  /opt/company/tomcat-8.5

Systemd requires a startup script.
 /usr/lib/systemd/system/tomcat8@.service

# Systemd unit file for tomcat instances.
#
# To create clones of this service:
# 1. systemctl enable tomcat@name.service
# 2. create catalina.base directory structure in
#/var/lib/tomcats/name
# /usr/lib/systemd/system/tomcatN.service

[Unit]
Description=Apache Tomcat 8
After=network.target

[Service]
Type=simple
User=%I
Group=%I
# Run ExecStartPre with root-permissions
PermissionsStartOnly=true
ExecStartPre=-/usr/bin/mkdir /var/run/tomcat8
#ExecStartPre=/opt/company/utility/tomcat8/pre-run.sh
ExecStartPre=/usr/bin/chown -R root:tomcat8r /var/run/tomcat8
ExecStartPre=/usr/bin/chmod 770 /var/run/tomcat8
Environment="NAME=%I"
EnvironmentFile=/etc/sysconfig/tomcat8@%I

#ExecStart=/opt/company/tomcat8/bin/catalina.sh start
ExecStart=/opt/company/tomcat8/bin/startup.sh
ExecStop=/opt/company/tomcat8/bin/shutdown.sh
RemainAfterExit=yes

#User=%I
#Group=%I

[Install]
WantedBy=multi-user.target




Tomcat is setup as a service using the following service file :


# Service-specific configuration file for tomcat8. This will be sourced by
# the systemd script after the global configuration file
# /etc/sysconfig/tomcat8@userNN, thus allowing values to be overridden in
# a per-service manner. (NN being the numerical value for the specified
# use 01-99)
#
# NEVER change the systemd unit file itself. To change values for all
# services make your changes in /etc/sysconfig/tomcat8@userNN.
#
# To change values for a specific service make your edits here.
# To create a new service a config file must exist for the user in
# /etc/sysconfig/tomcat8@userNN.  All of the tomcat environment variables
# will be handled inside that config file for that user. When calling
# systemctl, systemd will look for the specified config file based on the
# username passed to it.
# Start the new service by executing : systemctl start tomcat8\@user99
# replacing user 99 with the appropriate user.
# Make the service start at boot time by executing the following command:
# systemctl enable tomcat8\@user99 again replacing user 99 with the
# appropriate user.


TOMCAT_CFG_LOADED=1
# Run tomcat under the Java Security Manager
SECURITY_MANAGER="false"

# Where your java installation lives
JAVA_HOME="/opt/company/java-1.8"

# Where your tomcat installation lives
CATALINA_BASE="/home/user01/website"

CATALINA_HOME="/opt/company/tomcat8"

#JASPER_HOME=""

CATALINA_TMPDIR="/home/user01/website/temp"

# You can pass some parameters to java here if you wish to
JAVA_OPTS="-Xms2048m -Xmx2048m -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -Dspring.profiles.active=development"

# Use JAVA_OPTS to set java.library.path for libtcnative.so
#JAVA_OPTS="-Djava.library.path=/usr/lib"

# What user should run tomcat
TOMCAT_USER="user01"
TOMCAT_LOG="/home/user01/website/logs/catalina.out"

# You can change your tomcat locale here
#LANG="en_US"

# Run tomcat under the Java Security Manager
#SECURITY_MANAGER="false"

# Time to wait in seconds, before killing process
#SHUTDOWN_WAIT="30"

# Whether to annoy the user with "attempting to shut down" messages or not
#SHUTDOWN_VERBOSE="true"

# Set the TOMCAT_PID location
CATALINA_PID="/var/run/tomcat8/tomcat8-user01.pid"

# Connector port is 8080 for this tomcat8 instance
#CONNECTOR_PORT="8080"

# If you wish to further customize your tomcat environment,
# put your own definitions here
# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
#CLASSPATH=""
# The above will not work without making changes to the base tomcat startup
# scripts.


A user is created for each site :

site1.com = user01
site2.com = user02
site3.com = user03
site4.com = user04

A sysconfig file is created for each user.

/etc/sysconfig/tomcat8@user01
/etc/sysconfig/tomcat8@user02
/etc/sysconfig/tomcat8@user03
/etc/sysconfig/tomcat8@user04

The tomcat configs for each website are stored in /home/user01/website/conf
as an example.
Each user is assigned their own unique port using a scheme.  Example :
user01 = 8101
user02 = 8102
user03 = 8103
user04 = 8104 and so on.

I have run into some challenges that I have not been able to explain.
Which is another reason I am posting this again for more eyes to be on it.

Hope that helps.




On Fri, Feb 22, 2019 at 12:26 AM Jerry Malcolm 
wrote:

> I need a bit of 

Parallel Tomcat Instances On Same Server

2019-02-21 Thread Jerry Malcolm
I need a bit of brainstorming.  I have a production Tomcat server that 
hosts several web sites.  A couple of these websites are 
high-availability sensitive.  Any downtime will cost the customer.  So 
obviously I want to minimize downtime.  On the other hand, I am always 
adding/removing/testing other virtual hosts which requires configuration 
changes and periodic reboots of Tomcat.  I'm not at CPU capacity or 
memory capacity on the box. So that is not the problem.  What I'd really 
like to do is run both a production TC instance AND a 'development/test' 
TC instance on the same box with the luxury of bouncing or taking the 
dev TC down any time necessary without affecting the production TC.  I'm 
using Apache httpd as the front end and routing via mod_jk to TC. The 
separation of function on the two instances would be at domain level. 
Domain A runs on production, Domain B runs on dev.  I am using the basic 
mod_jk worker config currently.  If I change the dev instance to run a 
different port, is it simply a matter of having worker1 and worker2 that 
route to the different TC instances, and assign either worker1 or 
worker2 to each virtual host in httpd?  I figure some people have done 
this in the past. Is this the easiest way to do this?  Is there a better 
way?


Thx as always.

Jerry


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [OT] Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-21 Thread Nitin Kadam
Hello ,

Thanks for the reply.
Yes having the plan to remediate same on weekend, Already informed them
about Challenges of upgrading and impact of any failure.

Current vulnerability CVE detected in 7.0.79 is showing is taken care in
7.0.91 tomcat version  So thinking of upgrading to the same family
version, Which I am thinking will be easier than upgrading to the latest
version.

Found below Link from Youtube and will be performing same, Please let know
your thoughts on same.

https://www.youtube.com/watch?v=Jvum4TsTnAQ





On Thu, Feb 21, 2019 at 6:30 PM John Dale  wrote:

> Are you going to try to do this on Friday night?  You might forward
> some of our comments to your security team if they want you to change
> a tire on a moving vehicle .. it's possible, but not the best
> practice.
>
> Does your security team have the ability to allocate some more
> computing resources to your project?
>
> On 2/21/19, Nitin Kadam  wrote:
> > For backup - I will be taking Snapshot backup before doing the upgrade but
> > also going to take folder backup from C: programme Files /Apache Tomcat
> > folder.
> >
> > I am continuously  getting emails from the internal security team for
> > upgrading the version 7.0.79 to the latest version
> > need to figure out this ASAP
> >
> > Apps are hosted in Web apps folders and there are few D3 apps
> > which connected with SQL for database
> >
> >
> >
> >
> > On Wed, Feb 20, 2019 at 9:45 PM John Dale  wrote:
> >
> >> Without all of those early adopters to take the flack, we'd never know
> >> where the enemy bases are .. or something like that. ;)
> >>
> >> I'm just very glad we have OpenJDK and that my code is very simple.
> >>
> >> Java 12 .. Uff da!
> >>
> >>
> >>
> >> On 2/20/19, Christopher Schultz  wrote:
> >> > John,
> >> >
> >> > On 2/20/19 10:58, John Dale wrote:
> >> >> Points taken .. I have a great deal from my cloud provider on a
> >> >> wheezy instance, so I have to see if I can negotiate to keep my
> >> >> rate. I do a lot of custom MVC and security checks so things are
> >> >> nice and tight and I haven't been hacked even though I get several
> >> >> thousand attempts a day mostly from China and Iran.  I'm also
> >> >> kicking around whether to use James or keep using postfix for
> >> >> email.  With an upgrade to Java 8 I can use the latest james
> >> >> release so I'll look into that.
> >> >>
> >> >> I've been struggling to find a nice block of time for a full
> >> >> regression test.  It's funny .. I was working for a bank a couple
> >> >> of years back that was still on Java 1.6 and that's the way they
> >> >> liked it. :)
> >> >>
> >> >> Did you see the road map for Java 10?  Seems like we're moving a
> >> >> little too fast sometimes ..
> >> >
> >> > Java 10's dead, baby.
> >> >
> >> > Java 11 will be a long-term-service release. Java 12 is already
> >> > available for pre-release.
> >> >
> >> > The biggest step is from 8 -> 9/10/11. Once you are over that, it will
> >> > be much better for everyone.
> >> >
> >> > I don't want to have to wait 10 years to get new stuff like TLS 1.3
> >> > support or the forthcoming HTTP/3, so I'm happy with the shorter
> >> > development cycles Oracle has switched-over to.
> >> >
> >> > -chris
> >> >
> >> >> On 2/20/19, Christopher Schultz 
> >> >> wrote: John,
> >> >>
> >> >> On 2/20/19 09:11, John Dale wrote:
> >> > I'm thinking about migrating to 8 soon myself.  Maybe I'll
> >> > use this as an opportunity to get started on that .. but I
> >> > think the last time I checked, OpenJDK 7 was supported on
> >> > Wheezy, so I'm thinking I have more to do than just upgrade
> >> > tomcat in my scenario.
> >> >>
> >> >> Yes. Wheezy is essentially unsupported and I would drop everything
> >> >> and upgrade to at least Jessie like right now if I were you.
> >> >> Stretch isn't much more work and you'll be good for a few years on
> >> >> that.
> >> >>
> >> >> Stretch has OpenJDK 8 packages. Current version is 1.8.0_181.
> >> >>
> >> >> Jessie looks like it only has OpenJDK 7 packages. I didn't check
> >> >> the backports.
> >> >>
> >> > I'll need to update linux, Java, tomcat, then finally my
> >> > apps. But I'm pretty CDO (that's like OCD, but alphabetical)
> >> > about the platform independence of my apps, so that's going
> >> > to be straightforward.
> >> >> Make sure you don't waste time upgrading from Tomcat 7 to Tomcat 8.
> >> >> Go directly to Tomcat 8.5, since 8.0 is no longer supported.
> >> >>
> >> >> -chris
> >> >>
> >> > On 2/20/19, Nitin Kadam  wrote:
> >> >> Thanks John  for reply..
> >> >>
> >> >> is there any documentation walkthrough for this upgrade
> >> >> available? i am new to Tomcat and doing this 1st time, It
> >> >> will be great help if anyone provide same.
> >> >>
> >> >> On Wed, Feb 20, 2019 at 6:49 PM Olaf Kock
> >> >>  wrote:
> >> >>
> >> >>>
> >> >>> 

Re: AW: Logging web applications with log4j 1.2

2019-02-21 Thread Christopher Schultz
Thomas,

On 2/21/19 07:20, Thomas Rohde wrote:
> Hi Chris,
> 
> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: Wednesday, 20
> February 2019 16:41 To: users@tomcat.apache.org Subject: Re: Logging
> web applications with log4j 1.2
> 
>>> Thomas,
>>> 
>>> On 2/20/19 08:00, Thomas Rohde wrote:
>>>> I've some basic questions regarding the usage of log4j 1.2 in
>>>> Tomcat 8.5.
>>>>
>>>> We are running more than one web application in Tomcat. Each
>>>> application uses log4j via slf4j and ships the log4j.jar in
>>> WEB-INF/lib. The Tomcat itself uses JULI.
>>> 
>>> We are using a common log4j.xml file for configuration.
>>> 
>>> The file path is set as system property in CATALINA_OPTS as 
>>> follows: -Dlog4j.configuration=/path/to/file/log4j.xml
>>> 
>>> 1. Is this a valid setup or are there any side effects in 
>>> initialization log4j by the different WebAppClassLoaders?
>> 
>> You are not using classpath-based config-file-loading, so it
>> should not be a problem[*].
>> 
>>> 2. We are observing weird things in rolling the files hourly.
>>> The timestamp of the log messages doesn't fit to the timestamp
>>> suffix of the file. Why does this happen?
>> 
>> Possibly conflicting time zones, somewhere? Because log4j.jar is
>> in each application's class loader, they CAN have different
>> in-memory configurations.
> No there are no different time zones in use.

That's what I figured. I've never seen anything quite like you
describe. I could imagine that the JVM has one time zone but the shell
is using another.

For example, if the JVM is convinced that the time zone is UTC but
when you are logged-into the server, your shell has
TZ=America/Los_Angeles, then you'll see a ~9 hour difference between
file timestamps and the filenames. Like this:

$ ls -l logs/

-rw-r--r--   12345 Feb 19 16:01 log4j.log.2019-02-18
-rw-r--r--   12345 Feb 20 16:00 log4j.log.2019-02-19
-rw-r--r--   12345 Feb 21 16:01 log4j.log.2019-02-20

Note how each filename has the name you'd expect, but the timestamp
looks a little odd. If you look into each file, you'd see that e.g. in
the 2019-02-19 file, the timestamps go from 2019-02-19T00:00:00
through 2019-02-19T23:59:59 but it looks like the file was rotated 8
hours earlier. That's because it was rotated at 00:00 (PST) as
reckoned by the JVM, but at 16:01 in UTC.

My recommendation would be to set all of your timezones to the same
thing. UTC makes the most sense to me, but that's just my opinion.
Theoretically, all timestamps are interchangeable, right?

>> [*] While this will work, why would you ever want multiple 
>> applications to have their logging configuration all tied 
>> together? Why not separate the logging configuration into one 
>> config-per web application? OR are you trying to unify all
>> logging into the same file(s )?
> Yes I would like to do that, but I'm not sure how to achieve it 
> without putting the log4j.xml into the WAR file. Do you have any 
> hint?
I can think of several ways, but it depends upon how your application
initializes log4j.

If you specify where the configuration file is, directly, then you can
either change that to somewhere else, or you can replace that filename
with a parameter that you can set in web.xml -- say, in an
. You *are* configuring log4j in a
ServletContextInitializer, right?

If you just do "new PropertyConfigurator()" (like I do), then it will
search the parent ClassLoader and that's it. In that case, you'll have
to arrange for the log4j.properties file to be present, there. Placing
it in the WAR file is an option. Another option would be to put the
file elsewhere, but then modify the Tomcat configuration to add
another directory to the ClassLoader, like this:


  



Then you put your log4j.properties file in /path/to/app-specific-log-dir .

Hope that helps,
-chris

Re: [OT] Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-21 Thread Christopher Schultz
Nitin,

On 2/21/19 07:47, Nitin Kadam wrote:
> For backup - I will be taking Snapshot backup before doing the
> upgrade but also going to take folder backup from C: programme
> Files /Apache Tomcat folder.
> 
> I am continuously  getting emails from the internal security team
> for upgrading the version 7.0.79 to the latest version need to
> figure out this ASAP

Upgrading from 7.0.79 to 7.0.92 should not be too risky.

Upgrading from 7.0.79 (or 7.0.92) up to 8.5.x will absolutely require
you to test it in another environment before upgrading. There are a
few small things that changed which may significantly affect you. I'm
specifically thinking about the stricter Cookie-parsing that was
introduced in Tomcat 8.5 which may break some of your application's
cookies. (Specifically, ones that are not properly-quoted and/or use
non-ASCII names and values).

If you have Cookie-related problems, my recommendation is that you
modify your application to encode cookie values in a way that
guarantees ASCII-only values. Options include base32/64 encoding, etc.

> Apps are hosted in Web apps folders and there are few D3 apps which
> connected with SQL for database

This should be no problem.

For your 7.0.x -> 8.5.x upgrade, I highly recommend that you start
using split CATALINA_HOME and CATALINA_BASE directories. It makes
"trying" a new version of Tomcat much less painful.

Hope that helps,
-chris

> On Wed, Feb 20, 2019 at 9:45 PM John Dale 
> wrote:
> 
>> Without all of those early adopters to take the flack, we'd never
>> know where the enemy bases are .. or something like that. ;)
>> 
>> I'm just very glad we have OpenJDK and that my code is very
>> simple.
>> 
>> Java 12 .. Uff da!
>> 
>> 
>> 
>> On 2/20/19, Christopher Schultz 
>> wrote:
> John,
> 
> On 2/20/19 10:58, John Dale wrote:
> Points taken .. I have a great deal from my cloud provider
> on a wheezy instance, so I have to see if I can negotiate
> to keep my rate. I do a lot of custom MVC and security
> checks so things are nice and tight and I haven't been
> hacked even though I get several thousand attempts a day
> mostly from China and Iran.  I'm also kicking around
> whether to use James or keep using postfix for email.  With
> an upgrade to Java 8 I can use the latest james release so
> I'll look into that.
> 
> I've been struggling to find a nice block of time for a
> full regression test.  It's funny .. I was working for a
> bank a couple of years back that was still on Java 1.6 and
> that's the way they liked it. :)
> 
> Did you see the road map for Java 10?  Seems like we're
> moving a little too fast sometimes ..
> 
> Java 10's dead, baby.
> 
> Java 11 will be a long-term-service release. Java 12 is already 
> available for pre-release.
> 
> The biggest step is from 8 -> 9/10/11. Once you are over that, it
> will be much better for everyone.
> 
> I don't want to have to wait 10 years to get new stuff like TLS
> 1.3 support or the forthcoming HTTP/3, so I'm happy with the
> shorter development cycles Oracle has switched-over to.
> 
> -chris
> 
> On 2/20/19, Christopher Schultz
>  wrote: John,
> 
> On 2/20/19 09:11, John Dale wrote:
 I'm thinking about migrating to 8 soon myself.  Maybe
 I'll use this as an opportunity to get started on
 that .. but I think the last time I checked, OpenJDK
 7 was supported on Wheezy, so I'm thinking I have
 more to do than just upgrade tomcat in my scenario.
> 
> Yes. Wheezy is essentially unsupported and I would drop
> everything and upgrade to at least Jessie like right now if
> I were you. Stretch isn't much more work and you'll be good
> for a few years on that.
> 
> Stretch has OpenJDK 8 packages. Current version is
> 1.8.0_181.
> 
> Jessie looks like it only has OpenJDK 7 packages. I didn't
> check the backports.
> 
 I'll need to update linux, Java, tomcat, then finally
 my apps. But I'm pretty CDO (that's like OCD, but
 alphabetical) about the platform independence of my
 apps, so that's going to be straightforward.
> Make sure you don't waste time upgrading from Tomcat 7 to
> Tomcat 8. Go directly to Tomcat 8.5, since 8.0 is no longer
> supported.
> 
> -chris
> 
 On 2/20/19, Nitin Kadam 
 wrote:
> Thanks John  for reply..
> 
> is there any documentation walkthrough for this
> upgrade available? i am new to Tomcat and doing
> this 1st time, It will be great help if anyone
> provide same.
> 
> On Wed, Feb 20, 2019 at 6:49 PM Olaf Kock 
>  wrote:
> 
>> 
>> On 20.02.19 13:57, Nitin Kadam wrote:
>>> Hello Team,
>>> 
>>> Can you please guide how we can migrate
>>> seamlessly from Tomcat apache 
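
The cookie advice in the message above (encode values so they are guaranteed ASCII-only before moving to Tomcat 8.5's stricter cookie parsing), as an added example that is not code from the thread or from Tomcat. The class name, method names and the length limit are assumptions made for the illustration; the helper uses only `java.util.Base64` and treats whatever comes back from the browser as untrusted input.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Hypothetical helper; the class and method names are invented for this example. */
public final class AsciiCookieCodec {

    // Assumed upper bound for an encoded value. Browsers commonly limit a
    // whole cookie to roughly 4096 bytes, so longer input is refused early.
    private static final int MAX_ENCODED_LENGTH = 4000;

    // URL-safe alphabet (A-Z a-z 0-9 - _) without '=' padding: every output
    // character is plain ASCII and needs no quoting inside a cookie value.
    private static final Base64.Encoder ENCODER = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DECODER = Base64.getUrlDecoder();

    private AsciiCookieCodec() {
    }

    /** Turns arbitrary text (umlauts, spaces, semicolons) into an ASCII-only value. */
    public static String encode(String plain) {
        return ENCODER.encodeToString(plain.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Decodes a value received from the browser. The input may have been
     * tampered with, or may be a raw cookie written before the encoding was
     * introduced, so every failure yields Optional.empty() and never throws.
     */
    public static Optional<String> decode(String cookieValue) {
        if (cookieValue == null || cookieValue.length() > MAX_ENCODED_LENGTH) {
            return Optional.empty();
        }
        try {
            byte[] raw = DECODER.decode(cookieValue);
            // Report malformed UTF-8 instead of silently substituting U+FFFD,
            // so corrupted bytes cannot turn into a plausible-looking string.
            String text = StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(raw))
                    .toString();
            return Optional.of(text);
        } catch (IllegalArgumentException | CharacterCodingException e) {
            // Not Base64, or Base64 of bytes that are not text.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values of the kind that break when sent raw:
        // non-ASCII characters, spaces, commas and semicolons.
        String[] samples = {
            "M\u00fcller, J\u00fcrgen",
            "theme=dark; lang=de",
            "\u65e5\u672c\u8a9e"
        };
        for (String sample : samples) {
            String encoded = encode(sample);
            String decoded = decode(encoded).orElseThrow(IllegalStateException::new);
            if (!decoded.equals(sample) || !encoded.matches("[A-Za-z0-9_-]+")) {
                throw new IllegalStateException("round trip failed");
            }
            System.out.println(encoded);
        }

        // Constructed bad inputs: a raw legacy value with a space and an
        // umlaut, and "_w", which is valid Base64 for the single byte 0xFF
        // but is not valid UTF-8.
        String[] rejected = {"M\u00fcller, J\u00fcrgen", "_w"};
        for (String bad : rejected) {
            if (decode(bad).isPresent()) {
                throw new IllegalStateException("bad input was accepted");
            }
        }
        System.out.println("malformed values rejected");
    }
}
```

Base64 only makes the value ASCII-safe; it provides neither confidentiality nor integrity, so anything the server must be able to trust still needs a MAC or server-side session state. A short legacy ASCII value can happen to be valid Base64, so switching to a new cookie name when introducing the encoding avoids misreading old cookies.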

Re: Logging web applications with log4j 1.2

2019-02-21 Thread John Dale
1 - DevOps can alleviate this issue .. implicit in the model.
2 - exploded directory deployment would allow you to change log4j
assuming log4j is configured to reload its configuration on change

I'm not sure how classpath contexts are assigned to war files .. but
I'm sure there is a way.  Anyone else have a suggestion?

On 2/21/19, Thomas Rohde  wrote:
> Hi Chris,
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, 20 February 2019 16:41
> To: users@tomcat.apache.org
> Subject: Re: Logging web applications with log4j 1.2
>
>> > Thomas,
>> >
>> > On 2/20/19 08:00, Thomas Rohde wrote:
>> > > I've some basic questions regarding the usage of log4j 1.2 in Tomcat
>> > > 8.5.
>> > >
>> > > We are running more than one web application in Tomcat. Each
>> > > application uses log4j via slf4j and ships the log4j.jar in
>> > WEB-INF/lib. The Tomcat itself uses JULI.
>> >
>> > We are using a common log4j.xml file for configuration.
>> >
>> > The file path is set as system property in CATALINA_OPTS as
>> > follows: -Dlog4j.configuration=/path/to/file/log4j.xml
>> >
>> > 1. Is this a valid setup or are there any side effects in
>> > initialization log4j by the different WebAppClassLoaders?
>>
>> You are not using classpath-based config-file-loading, so it should not be
>> a problem[*].
>>
>> > 2. We are observing weird things in rolling the files hourly. The
>> > timestamp of the log messages doesn't fit to the timestamp suffix of
>> > the file. Why does this happen?
>>
>> Possibly conflicting time zones, somewhere? Because log4j.jar is in each
>> application's class loader, they CAN have different in-memory
>> configurations.
> No there are no different time zones in use.
>
>>
>> [*] While this will work, why would you ever want multiple applications to
>> have their logging configuration all tied together?
>> Why not separate the logging configuration into one config-per web
>> application? OR are you trying to unify all logging into the same file(s
>> )?
> Yes I would like to do that, but I'm not sure how to achieve it without
> putting the log4j.xml into the WAR file. Do you have any hint?
>
>>
>> -chris
>>



Re: [OT] Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-21 Thread John Dale
Are you going to try to do this on Friday night?  You might forward
some of our comments to your security team if they want you to change
a tire on a moving vehicle .. it's possible, but not the best
practice.

Does your security team have the ability to allocate some more
computing resources to your project?

On 2/21/19, Nitin Kadam  wrote:
> For backup - I will be taking Snapshot backup before doing the upgrade but
> also going to take folder backup from C: programme Files /Apache Tomcat
> folder.
>
> I am continuously  getting emails from the internal security team for
> upgrading the version 7.0.79 to the latest version
> need to figure out this ASAP
>
> Apps are hosted in Web apps folders and there are few D3 apps
> which connected with SQL for database
>
>
>
>
> On Wed, Feb 20, 2019 at 9:45 PM John Dale  wrote:
>
>> Without all of those early adopters to take the flack, we'd never know
>> where the enemy bases are .. or something like that. ;)
>>
>> I'm just very glad we have OpenJDK and that my code is very simple.
>>
>> Java 12 .. Uff da!
>>
>>
>>
>> On 2/20/19, Christopher Schultz  wrote:
>> > John,
>> >
>> > On 2/20/19 10:58, John Dale wrote:
>> >> Points taken .. I have a great deal from my cloud provider on a
>> >> wheezy instance, so I have to see if I can negotiate to keep my
>> >> rate. I do a lot of custom MVC and security checks so things are
>> >> nice and tight and I haven't been hacked even though I get several
>> >> thousand attempts a day mostly from China and Iran.  I'm also
>> >> kicking around whether to use James or keep using postfix for
>> >> email.  With an upgrade to Java 8 I can use the latest james
>> >> release so I'll look into that.
>> >>
>> >> I've been struggling to find a nice block of time for a full
>> >> regression test.  It's funny .. I was working for a bank a couple
>> >> of years back that was still on Java 1.6 and that's the way they
>> >> liked it. :)
>> >>
>> >> Did you see the road map for Java 10?  Seems like we're moving a
>> >> little too fast sometimes ..
>> >
>> > Java 10's dead, baby.
>> >
>> > Java 11 will be a long-term-service release. Java 12 is already
>> > available for pre-release.
>> >
>> > The biggest step is from 8 -> 9/10/11. Once you are over that, it will
>> > be much better for everyone.
>> >
>> > I don't want to have to wait 10 years to get new stuff like TLS 1.3
>> > support or the forthcoming HTTP/3, so I'm happy with the shorter
>> > development cycles Oracle has switched-over to.
>> >
>> > -chris
>> >
>> >> On 2/20/19, Christopher Schultz 
>> >> wrote: John,
>> >>
>> >> On 2/20/19 09:11, John Dale wrote:
>> > I'm thinking about migrating to 8 soon myself.  Maybe I'll
>> > use this as an opportunity to get started on that .. but I
>> > think the last time I checked, OpenJDK 7 was supported on
>> > Wheezy, so I'm thinking I have more to do than just upgrade
>> > tomcat in my scenario.
>> >>
>> >> Yes. Wheezy is essentially unsupported and I would drop everything
>> >> and upgrade to at least Jessie like right now if I were you.
>> >> Stretch isn't much more work and you'll be good for a few years on
>> >> that.
>> >>
>> >> Stretch has OpenJDK 8 packages. Current version is 1.8.0_181.
>> >>
>> >> Jessie looks like it only has OpenJDK 7 packages. I didn't check
>> >> the backports.
>> >>
>> > I'll need to update linux, Java, tomcat, then finally my
>> > apps. But I'm pretty CDO (that's like OCD, but alphabetical)
>> > about the platform independence of my apps, so that's going
>> > to be straightforward.
>> >> Make sure you don't waste time upgrading from Tomcat 7 to Tomcat 8.
>> >> Go directly to Tomcat 8.5, since 8.0 is no longer supported.
>> >>
>> >> -chris
>> >>
>> > On 2/20/19, Nitin Kadam  wrote:
>> >> Thanks John  for reply..
>> >>
>> >> is there any documentation walkthrough for this upgrade
>> >> available? i am new to Tomcat and doing this 1st time, It
>> >> will be great help if anyone provide same.
>> >>
>> >> On Wed, Feb 20, 2019 at 6:49 PM Olaf Kock
>> >>  wrote:
>> >>
>> >>>
>> >>> On 20.02.19 13:57, Nitin Kadam wrote:
>>  Hello Team,
>> 
>>  Can you please guide how we can migrate seamlessly
>>  from Tomcat apache 7.0.79 to 7.0.92 or any latest
>>  version that 8.x or 9.x ( Windows 2012 R2 server)escr
>> >>>
>> >>> 7.0 to 8.0: https://tomcat.apache.org/migration-8.html
>> >>>
>> >>> 8.0 to 8.5: https://tomcat.apache.org/migration-85.html
>> >>>
>> >>> 8.x to 9.0: https://tomcat.apache.org/migration-9.html
>> >>>
>>  the current environment is configured with SSL
>>  certificate ( SSL 443)
>> >>> .jks
>>  store and needs to upgrade same due to security
>>  vulnerability detected by Qualys scanner.
>> >>>
>> >>> The documents have TLS documentation chapters. If you 

Re: [OT] Tomcat Apache 7.0.79 upgrade to Latest version

2019-02-21 Thread Nitin Kadam
For backup - I will be taking a snapshot backup before doing the upgrade, but
I am also going to take a folder backup from C: programme Files /Apache Tomcat
folder.

I am continuously getting emails from the internal security team about
upgrading the version 7.0.79 to the latest version.
I need to figure this out ASAP.

Apps are hosted in the Web apps folders and there are a few D3 apps
which are connected with SQL for the database.




On Wed, Feb 20, 2019 at 9:45 PM John Dale  wrote:

> Without all of those early adopters to take the flack, we'd never know
> where the enemy bases are .. or something like that. ;)
>
> I'm just very glad we have OpenJDK and that my code is very simple.
>
> Java 12 .. Uff da!
>
>
>
> On 2/20/19, Christopher Schultz  wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > John,
> >
> > On 2/20/19 10:58, John Dale wrote:
> >> Points taken .. I have a great deal from my cloud provider on a
> >> wheezy instance, so I have to see if I can negotiate to keep my
> >> rate. I do a lot of custom MVC and security checks so things are
> >> nice and tight and I haven't been hacked even though I get several
> >> thousand attempts a day mostly from China and Iran.  I'm also
> >> kicking around whether to use James or keep using postfix for
> >> email.  With an upgrade to Java 8 I can use the latest james
> >> release so I'll look into that.
> >>
> >> I've been struggling to find a nice block of time for a full
> >> regression test.  It's funny .. I was working for a bank a couple
> >> of years back that was still on Java 1.6 and that's the way they
> >> liked it. :)
> >>
> >> Did you see the road map for Java 10?  Seems like we're moving a
> >> little too fast sometimes ..
> >
> > Java 10's dead, baby.
> >
> > Java 11 will be a long-term-service release. Java 12 is already
> > available for pre-release.
> >
> > The biggest step is from 8 -> 9/10/11. Once you are over that, it will
> > be much better for everyone.
> >
> > I don't want to have to wait 10 years to get new stuff like TLS 1.3
> > support or the forthcoming HTTP/3, so I'm happy with the shorter
> > development cycles Oracle has switched-over to.
> >
> > - -chris
> >
> >> On 2/20/19, Christopher Schultz 
> >> wrote: John,
> >>
> >> On 2/20/19 09:11, John Dale wrote:
> > I'm thinking about migrating to 8 soon myself.  Maybe I'll
> > use this as an opportunity to get started on that .. but I
> > think the last time I checked, OpenJDK 7 was supported on
> > Wheezy, so I'm thinking I have more to do than just upgrade
> > tomcat in my scenario.
> >>
> >> Yes. Wheezy is essentially unsupported and I would drop everything
> >> and upgrade to at least Jessie like right now if I were you.
> >> Stretch isn't much more work and you'll be good for a few years on
> >> that.
> >>
> >> Stretch has OpenJDK 8 packages. Current version is 1.8.0_181.
> >>
> >> Jessie looks like it only has OpenJDK 7 packages. I didn't check
> >> the backports.
> >>
> > I'll need to update linux, Java, tomcat, then finally my
> > apps. But I'm pretty CDO (that's like OCD, but alphabetical)
> > about the platform independence of my apps, so that's going
> > to be straightforward.
> >> Make sure you don't waste time upgrading from Tomcat 7 to Tomcat 8.
> >> Go directly to Tomcat 8.5, since 8.0 is no longer supported.
> >>
> >> -chris
> >>
> > On 2/20/19, Nitin Kadam  wrote:
> >> Thanks John  for reply..
> >>
> >> is there any documentation walkthrough for this upgrade
> >> available? i am new to Tomcat and doing this 1st time, It
> >> will be great help if anyone provide same.
> >>
> >> On Wed, Feb 20, 2019 at 6:49 PM Olaf Kock
> >>  wrote:
> >>
> >>>
> >>> On 20.02.19 13:57, Nitin Kadam wrote:
>  Hello Team,
> 
>  Can you please guide how we can migrate seamlessly
>  from Tomcat apache 7.0.79 to 7.0.92 or any latest
>  version that 8.x or 9.x ( Windows 2012 R2 server)escr
> >>>
> >>> 7.0 to 8.0: https://tomcat.apache.org/migration-8.html
> >>>
> >>> 8.0 to 8.5: https://tomcat.apache.org/migration-85.html
> >>>
> >>> 8.x to 9.0: https://tomcat.apache.org/migration-9.html
> >>>
>  the current environment is configured with SSL
>  certificate ( SSL 443)
> >>> .jks
>  store and needs to upgrade same due to security
>  vulnerability detected by Qualys scanner.
> >>>
> >>> The documents have TLS documentation chapters. If you run
> >>> into specific problems, describe them here.
> >>>
> >>> Olaf
> >>>
> >>>
> >>> -
> > - ---
> >>
> >>>
> > - -
> >>>
> >>>
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail:
> >>> users-h...@tomcat.apache.org
> >>>
> >>>
> >>
> >> -- Regards Nitin Kadam (9967688959)
> >>
> >
> 

AW: Logging web applications with log4j 1.2

2019-02-21 Thread Thomas Rohde
Hi Chris,

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, 20 February 2019 16:41
To: users@tomcat.apache.org
Subject: Re: Logging web applications with log4j 1.2

> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > Thomas,
> > 
> > On 2/20/19 08:00, Thomas Rohde wrote:
> > > I've some basic questions regarding the usage of log4j 1.2 in Tomcat 
> > > 8.5.
> > > 
> > > We are running more than one web application in Tomcat. Each 
> > > application uses log4j via slf4j and ships the log4j.jar in 
> > WEB-INF/lib. The Tomcat itself uses JULI.
> > 
> > We are using a common log4j.xml file for configuration.
> > 
> > The file path is set as system property in CATALINA_OPTS as
> > follows: -Dlog4j.configuration=/path/to/file/log4j.xml
> > 
> > 1. Is this a valid setup or are there any side effects in 
> > initialization log4j by the different WebAppClassLoaders?
> 
> You are not using classpath-based config-file-loading, so it should not be a 
> problem[*].
> 
> > 2. We are observing weird things in rolling the files hourly. The 
> > timestamp of the log messages doesn't fit to the timestamp suffix of 
> > the file. Why does this happen?
> 
> Possibly conflicting time zones, somewhere? Because log4j.jar is in each 
> application's class loader, they CAN have different in-memory configurations.
No, there are no different time zones in use.

> 
> [*] While this will work, why would you ever want multiple applications to 
> have their logging configuration all tied together?
> Why not separate the logging configuration into one config-per web 
> application? OR are you trying to unify all logging into the same file(s )?
Yes, I would like to do that, but I'm not sure how to achieve it without putting
the log4j.xml into the WAR file. Do you have any hint?

> 
> - -chris
>
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


