Re: 8.5 - multiple host configuration question

2017-12-08 Thread Chris Cheshire
On Fri, Dec 8, 2017 at 11:25 AM, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chris,
>
> On 12/7/17 2:08 PM, Chris Cheshire wrote:
>> On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz
>>  wrote:

 What should the permissions, owner & group be set to for
 CATALINA_HOME if I am running separate instances per user?
>>>
>>> It doesn't really matter. You just need to make sure that your
>>> "users" can read the default config files -- especially
>>> conf/web.xml and conf/tomcat.xml which usually shouldn't be
>>> modified from their defaults anyway.
>>>
>>> I've always been irritated that the conf/ directory is only
>>> readable by the owner in the tarball. Maybe I'll agitate to get
>>> that changed, and only protect conf/server.xml and
>>> conf/tomcat-users.xml in that way.
>>>
>>
>> Resurrecting this 
>>
>> I'm doing some cleanup and upgrading to 8.5.24. Previously I had
>> copied the entire conf directory from HOME to BASE, and modifying
>> files as necessary. Now I removed from BASE files I hadn't touched
>> (web.xml, jaspic stuff etc), but subsequently get the following
>> message in catalina.out
>>
>> INFO ...
>> org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment
>> No global web.xml found
>>
>> All other startup succeeds but nothing is accessible, I just get a
>> standard 404 when trying to access my web apps or even the manager
>> app. There are no actual ERROR level messages though.
>>
>> Permissions are as follows :
>>
>> /usr/local/apache-tomcat-8.5.24/conf
>> [root@s3 conf]# ls -al
>> total 236
>> drwxr-x--- 2 root tomcat   4096 Nov 27 13:33 .
>> drwxr-xr-x 9 root root     4096 Dec  7 16:30 ..
>> -rw-r----- 1 root tomcat  13824 Nov 27 13:33 catalina.policy
>> -rw-r----- 1 root tomcat   7376 Nov 27 13:33 catalina.properties
>> -rw-r----- 1 root tomcat   1338 Nov 27 13:33 context.xml
>> -rw-r----- 1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
>> -rw-r----- 1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
>> -rw-r----- 1 root tomcat   3622 Nov 27 13:33 logging.properties
>> -rw------- 1 root tomcat   7511 Nov 27 13:33 server.xml
>> -rw------- 1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
>> -rw-r----- 1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
>> -rw-r----- 1 root tomcat 169322 Nov 27 13:33 web.xml
>>
>> /home/sandbox1/tomcat/conf
>> [sandbox1@s3 conf]$ ls -la
>> total 32
>> drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
>> drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
>> drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
>> -rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
>> -rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
>> -rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
>> -rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml
>>
>> My sandbox users belong to the 'tomcat' group (not using a
>> 'tomcat' user though). I can cat web.xml with a sandbox user. (I
>> tweaked the permissions from the defaults to allow sandbox users to
>> read the default config)
>>
>> If I copy web.xml from HOME/conf to BASE/conf everything works
>> again. So do I need to copy everything over from HOME/conf to
>> BASE/conf even if I am not changing anything?
>
> I checked, and my CATALINA_BASE/conf contains the following:
>
> server.xml (required)
> Catalina/ (and friends, optional)
> tomcat-users.xml (optional)
> web.xml (evidently required)
>
> We should probably allow web.xml to come from
> CATALINA_HOME/conf/web.xml if it's not present in CATALINA_BASE/conf/.
> I would have expected that to be allowed, but I guess it isn't.
>
> Can you file a BZ enhancement request?
>
> - -chris

Done. https://bz.apache.org/bugzilla/show_bug.cgi?id=61877

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
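To make the outcome of this thread concrete, here is an added example; it is not code from the thread or from the Tomcat project. It is a POSIX sh helper that lays out a per-user CATALINA_BASE the way Christopher Schultz describes (server.xml plus, because 8.5.24 does not fall back to CATALINA_HOME/conf/web.xml, a copy of web.xml), checks up front that the invoking user can actually read the shared defaults instead of discovering it through a 404, and writes a small wrapper that exports CATALINA_HOME and CATALINA_BASE before calling the shared startup.sh, since RUNNING.txt rules out setenv.sh for those two variables. Copying context.xml, logging.properties and catalina.properties as per-instance files, and the fake CATALINA_HOME built by make_fake_home for an offline run, are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: build a per-user CATALINA_BASE.
# Assumes CATALINA_HOME is an unpacked tarball whose conf/ defaults the
# instance user can read, and that web.xml must be copied (observed
# behaviour with 8.5.24 in the thread: no fallback to CATALINA_HOME/conf).
set -eu

# server.xml is required; web.xml is required in practice (see thread).
REQUIRED_CONF="server.xml web.xml"
# Optional per-instance copies (my choice, not the thread's).
OPTIONAL_CONF="context.xml logging.properties catalina.properties"

# Fail early, with the cause named, rather than a silent 404 at runtime.
check_default_readable() {
    cr_home=$1
    for f in $REQUIRED_CONF; do
        if [ ! -r "$cr_home/conf/$f" ]; then
            echo "cannot read $cr_home/conf/$f as $(id -un): fix group/mode on CATALINA_HOME" >&2
            return 1
        fi
    done
    return 0
}

make_catalina_base() {
    cb_home=$1
    cb_base=$2
    check_default_readable "$cb_home" || return 1
    for d in conf conf/Catalina/localhost lib logs temp webapps work; do
        mkdir -p "$cb_base/$d"
    done
    for f in $REQUIRED_CONF; do
        [ -e "$cb_base/conf/$f" ] || cp "$cb_home/conf/$f" "$cb_base/conf/$f"
    done
    for f in $OPTIONAL_CONF; do
        if [ -r "$cb_home/conf/$f" ] && [ ! -e "$cb_base/conf/$f" ]; then
            cp "$cb_home/conf/$f" "$cb_base/conf/$f"
        fi
    done
    # CATALINA_HOME/BASE cannot be set in setenv.sh (RUNNING.txt), so each
    # instance gets a wrapper that exports them and hands off to the shared
    # startup script.
    cat > "$cb_base/start.sh" <<EOF
#!/bin/sh
CATALINA_HOME='$cb_home'
CATALINA_BASE='$cb_base'
export CATALINA_HOME CATALINA_BASE
exec "\$CATALINA_HOME/bin/startup.sh" "\$@"
EOF
    chmod 750 "$cb_base/start.sh"
    # Only this user's instance should read its server.xml (shutdown port,
    # realm credentials); the shared defaults stay readable in CATALINA_HOME.
    chmod 700 "$cb_base/conf"
    chmod 600 "$cb_base/conf/server.xml"
}

# Constructed stand-in for CATALINA_HOME so the script can run offline.
make_fake_home() {
    fh_home=$(mktemp -d)
    mkdir -p "$fh_home/conf" "$fh_home/bin"
    printf '<Server port="8005" shutdown="SHUTDOWN"/>\n' > "$fh_home/conf/server.xml"
    printf '<web-app/>\n' > "$fh_home/conf/web.xml"
    printf 'handlers = 1catalina.org.apache.juli.FileHandler\n' > "$fh_home/conf/logging.properties"
    printf '#!/bin/sh\necho "would start with CATALINA_BASE=$CATALINA_BASE"\n' > "$fh_home/bin/startup.sh"
    chmod 755 "$fh_home/bin/startup.sh"
    echo "$fh_home"
}

if [ "${1:-}" = demo ]; then
    demo_home=$(make_fake_home)
    demo_base=$(mktemp -d)/tc
    make_catalina_base "$demo_home" "$demo_base"
    ls -lR "$demo_base"
    "$demo_base/start.sh"
fi
```

Run it as `sh make_base.sh demo` to see the layout against the fake home, or call `make_catalina_base /usr/local/apache-tomcat-8.5.24 "$HOME/tomcat"` as the sandbox user against a real install; the readability check is what turns the "No global web.xml found" symptom into an explicit error at setup time.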



Re: 8.5 - multiple host configuration question

2017-12-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chris,

On 12/7/17 2:08 PM, Chris Cheshire wrote:
> On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz 
>  wrote:
>>> 
>>> What should the permissions, owner & group be set to for 
>>> CATALINA_HOME if I am running separate instances per user?
>> 
>> It doesn't really matter. You just need to make sure that your
>> "users" can read the default config files -- especially
>> conf/web.xml and conf/tomcat.xml which usually shouldn't be
>> modified from their defaults anyway.
>> 
>> I've always been irritated that the conf/ directory is only
>> readable by the owner in the tarball. Maybe I'll agitate to get
>> that changed, and only protect conf/server.xml and
>> conf/tomcat-users.xml in that way.
>> 
> 
> Resurrecting this 
> 
> I'm doing some cleanup and upgrading to 8.5.24. Previously I had 
> copied the entire conf directory from HOME to BASE, and modifying 
> files as necessary. Now I removed from BASE files I hadn't touched 
> (web.xml, jaspic stuff etc), but subsequently get the following 
> message in catalina.out
> 
> INFO ...
> org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment 
> No global web.xml found
> 
> All other startup succeeds but nothing is accessible, I just get a 
> standard 404 when trying to access my web apps or even the manager 
> app. There are no actual ERROR level messages though.
> 
> Permissions are as follows :
> 
> /usr/local/apache-tomcat-8.5.24/conf
> [root@s3 conf]# ls -al
> total 236
> drwxr-x--- 2 root tomcat   4096 Nov 27 13:33 .
> drwxr-xr-x 9 root root     4096 Dec  7 16:30 ..
> -rw-r----- 1 root tomcat  13824 Nov 27 13:33 catalina.policy
> -rw-r----- 1 root tomcat   7376 Nov 27 13:33 catalina.properties
> -rw-r----- 1 root tomcat   1338 Nov 27 13:33 context.xml
> -rw-r----- 1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
> -rw-r----- 1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
> -rw-r----- 1 root tomcat   3622 Nov 27 13:33 logging.properties
> -rw------- 1 root tomcat   7511 Nov 27 13:33 server.xml
> -rw------- 1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
> -rw-r----- 1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
> -rw-r----- 1 root tomcat 169322 Nov 27 13:33 web.xml
> 
> /home/sandbox1/tomcat/conf
> [sandbox1@s3 conf]$ ls -la
> total 32
> drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
> drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
> drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
> -rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
> -rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
> -rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
> -rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml
> 
> My sandbox users belong to the 'tomcat' group (not using a
> 'tomcat' user though). I can cat web.xml with a sandbox user. (I
> tweaked the permissions from the defaults to allow sandbox users to
> read the default config)
> 
> If I copy web.xml from HOME/conf to BASE/conf everything works
> again. So do I need to copy everything over from HOME/conf to
> BASE/conf even if I am not changing anything?

I checked, and my CATALINA_BASE/conf contains the following:

server.xml (required)
Catalina/ (and friends, optional)
tomcat-users.xml (optional)
web.xml (evidently required)

We should probably allow web.xml to come from
CATALINA_HOME/conf/web.xml if it's not present in CATALINA_BASE/conf/.
I would have expected that to be allowed, but I guess it isn't.

Can you file a BZ enhancement request?

- -chris




Re: 8.5 - multiple host configuration question

2017-12-07 Thread Chris Cheshire
On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz
 wrote:
>>
>> What should the permissions, owner & group be set to for
>> CATALINA_HOME if I am running separate instances per user?
>
> It doesn't really matter. You just need to make sure that your "users"
> can read the default config files -- especially conf/web.xml and
> conf/tomcat.xml which usually shouldn't be modified from their
> defaults anyway.
>
> I've always been irritated that the conf/ directory is only readable
> by the owner in the tarball. Maybe I'll agitate to get that changed,
> and only protect conf/server.xml and conf/tomcat-users.xml in that way.
>

Resurrecting this 

I'm doing some cleanup and upgrading to 8.5.24. Previously I had
copied the entire conf directory from HOME to BASE, and modifying
files as necessary. Now I removed from BASE files I hadn't touched
(web.xml, jaspic stuff etc), but subsequently get the following
message in catalina.out

INFO ... org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment
No global web.xml found

All other startup succeeds but nothing is accessible, I just get a
standard 404 when trying to access my web apps or even the manager
app. There are no actual ERROR level messages though.

Permissions are as follows :

/usr/local/apache-tomcat-8.5.24/conf
[root@s3 conf]# ls -al
total 236
drwxr-x--- 2 root tomcat   4096 Nov 27 13:33 .
drwxr-xr-x 9 root root     4096 Dec  7 16:30 ..
-rw-r----- 1 root tomcat  13824 Nov 27 13:33 catalina.policy
-rw-r----- 1 root tomcat   7376 Nov 27 13:33 catalina.properties
-rw-r----- 1 root tomcat   1338 Nov 27 13:33 context.xml
-rw-r----- 1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
-rw-r----- 1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
-rw-r----- 1 root tomcat   3622 Nov 27 13:33 logging.properties
-rw------- 1 root tomcat   7511 Nov 27 13:33 server.xml
-rw------- 1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
-rw-r----- 1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
-rw-r----- 1 root tomcat 169322 Nov 27 13:33 web.xml

/home/sandbox1/tomcat/conf
[sandbox1@s3 conf]$ ls -la
total 32
drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
-rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
-rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
-rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
-rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml

My sandbox users belong to the 'tomcat' group (not using a 'tomcat'
user though). I can cat web.xml with a sandbox user. (I tweaked the
permissions from the defaults to allow sandbox users to read the
default config)

If I copy web.xml from HOME/conf to BASE/conf everything works again.
So do I need to copy everything over from HOME/conf to BASE/conf even
if I am not changing anything?




RE: 8.5 - multiple host configuration question

2017-09-11 Thread Berneburg, Cris J. - US
Chris and Chris (but not Chris)

-Original Message-
From: Chris Cheshire [mailto:yahoono...@gmail.com] 
Sent: Friday, September 08, 2017 9:16 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: 8.5 - multiple host configuration question

On Thu, Sep 7, 2017 at 5:29 PM, Christopher Schultz 
<ch...@christopherschultz.net> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chris,
>
> On 9/5/17 3:39 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or 
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.). 2. Tomcat is never 
>>> launched with CATALINA_BASE=/usr/local/tomcat 3. Each user has their 
>>> own CATALINA_BASE directory in their own home directory (or wherever 
>>> in the fs tree). No need to put anything in /usr/local which is 
>>> usually considered to be shared and read-only. CATALINA_BASE is just 
>>> a directory with the following directories in it: work/ logs/ conf/ 
>>> lib/ webapps/. Anything in there overrides anything in the 
>>> CATALINA_HOME where Tomcat is installed. I'd recommend using a 
>>> custom conf/server.xml and leaving everything else pretty much alone 
>>> except maybe a JDBC driver in CATALINA_BASE/lib that isn't necessary 
>>> for all the other Tomcats that will be running on the server.
>>>
>>> This gives you a LOT of flexibility:
>>>
>>> [SNIP]
>>>
> Thank you for the explanations, this helps considerably.

Ditto!  I saved a copy in my archives of accumulated Tomcat wisdom.  The 
problem is that the info is still stored in my computer and not in my brain.

--
Cris Berneburg
CACI Lead Software Engineer



Re: 8.5 - multiple host configuration question

2017-09-08 Thread Chris Cheshire
On Thu, Sep 7, 2017 at 5:29 PM, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chris,
>
> On 9/5/17 3:39 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.). 2. Tomcat is
>>> never launched with CATALINA_BASE=/usr/local/tomcat 3. Each user
>>> has their own CATALINA_BASE directory in their own home directory
>>> (or wherever in the fs tree). No need to put anything in
>>> /usr/local which is usually considered to be shared and
>>> read-only. CATALINA_BASE is just a directory with the following
>>> directories in it: work/ logs/ conf/ lib/ webapps/. Anything in
>>> there overrides anything in the CATALINA_HOME where Tomcat is
>>> installed. I'd recommend using a custom conf/server.xml and
>>> leaving everything else pretty much alone except maybe a JDBC
>>> driver in CATALINA_BASE/lib that isn't necessary for all the
>>> other Tomcats that will be running on the server.
>>>
>>> This gives you a LOT of flexibility:
>>>
>>> 1. Users run their own JVMs as their own users. Filesystem
>>> permissions become simpler. Applications require less trust (e.g.
>>> apps are running at "cschultz" instead of "tomcat7"). 2. Users
>>> can select which version of Tomcat they want to use. Just change
>>> CATALINA_BASE and restart. (Roughly speaking. If you switch major
>>> versions, you'll likely have to update
>>> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
>>> running x.y.z whether you like it or not".
>>
>>
>> Ok this helps a bit for upgrades. I would just expand the new
>> tarball in a similar place, update user level conf and restart each
>> instance when ready?
>
> Exactly. Your users can even decide when they want to switch to a new
> Tomcat version.
>
>>> 3. Users can start/stop their own Tomcat services. No more
>>> emailing an administrator and asking for a restart, and having to
>>> coordinate it with several other unrelated teams who weren't
>>> expecting a service restart in the middle of the day. 4. You
>>> (admin) don't have to babysit everyone's web applications. Users
>>> simply put their own apps in CATALINA_BASE/webapps and move on
>>> with their lives.
>>>
>>
>> This means I need to configure each server and connector element
>> with different ports for each user, correct?
>
> Yes. A regimented port assignment scheme is recommended. In my shared
> development environments, I assign every dev a number and their port
> numbers become:
>
> Tomcat AJP:   8[dev #][app #]5
> Tomcat shutdown:  8[dev #][app #]6
> Tomcat "Secure" port: 8[dev #][app #]7
>
> (the "secure" port is for loopback requests; we have those for certain
> applications)
>
> So for example, my primary app id is 1 and my dev id is 2:
>
> AJP:  8215
> Shutdown: 8216
> Secure:   8217
>
>> I am fronting tomcat with httpd using an ajp connector to handle
>> ssl certs. I use letsencrypt, and on a production server I can't
>> afford to bounce even the connector and lose connections. httpd
>> handles it a lot more gracefully. Can I have separate mod_jk.conf
>> and workers.properties files for mod_jk pointing to different ports
>> for separate connectors for tomcat?
>
> Absolutely. Using regimented port assignments allows you to set up
> everyone's port assignments in advance using a template worker and
> then a bunch of workers that all look the same except for the port
> numbers.
>
> Then you just need to map URLs (e.g. /dev1-app1) to the matching port
> numbers.
>
 What about file/directory permissions, assuming tomcat is
 running under the 'tomcat' user? I have root access to the
 machine, so changing groups, users, permissions is not an
 issue.
>>>
>>> Free yourself from the "tomcat user". It's one of the things I
>>> dislike most about the package-managed versions of Tomcat: they
>>> tend to run everything as a single user which is completely
>>> unnecessary.
>>>
>>
>> Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as
>> each user (sandbox1, sandbox2 etc)?
>
> Yes. You may see that as a Good Thing or a Bad Thing. I think it's Good.
>
>> Trying to assimilate all this, it sounds like :
>>
>> CATALINA_HOME=/usr/local/tomcat-x.y.z
>> CATALINA_BASE=/home/sandbox1/tc
>>
>> CATALINA_BASE/conf/server.xml has the entire configuration,
>> engine, connector, host etc for that one user.
>
> Yes.
>
>> Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt
>> says
>>
>> "The CATALINA_HOME and CATALINA_BASE variables cannot be configured
>> in the setenv script, because they are used to locate that file."
>
> You'll have to set CATALINA_HOME and CATALINA_BASE for the user in
> whatever way makes most sense. For example, ~/.profile works, but only
> for interactive logins.
>
>> Do I then need to create my own startup script that sets 

Re: 8.5 - multiple host configuration question

2017-09-08 Thread Chris Cheshire
On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chris,
>
> On 9/5/17 4:42 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>>  wrote:
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>>
>>
>> Looks like I do need to adjust default permissions on this if I
>> expand as root.
>>
>> The tarball leaves me with
>>
>> [root@host apache-tomcat-8.5.20]# ls -al
>> total 124
>> drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
>> drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
>> -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
>> -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
>> -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
>> -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
>> drwxr-x---  2 root root  4096 Sep  5 20:31 bin
>> drwx------  2 root root  4096 Aug  2 21:36 conf
>> drwxr-x---  2 root root  4096 Sep  5 20:31 lib
>> drwxr-x---  2 root root  4096 Aug  2 21:35 logs
>> drwxr-x---  2 root root  4096 Sep  5 20:31 temp
>> drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
>> drwxr-x---  2 root root  4096 Aug  2 21:35 work
>>
>>
>> What should the permissions, owner & group be set to for
>> CATALINA_HOME if I am running separate instances per user?
>
> It doesn't really matter. You just need to make sure that your "users"
> can read the default config files -- especially conf/web.xml and
> conf/tomcat.xml which usually shouldn't be modified from their
> defaults anyway.
>
> I've always been irritated that the conf/ directory is only readable
> by the owner in the tarball. Maybe I'll agitate to get that changed,
> and only protect conf/server.xml and conf/tomcat-users.xml in that way.
>
> - -chris

Thanks,

I'm just wary of giving everyone read permission to something that starts out
without it, especially when installed by root. The only change I made to the
default config anyway was to remove tomcat-users.xml since I have a
JDBC realm for restricting access to the manager webapp.


Chris




Re: 8.5 - multiple host configuration question

2017-09-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chris,

On 9/5/17 4:42 PM, Chris Cheshire wrote:
> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz 
>  wrote:
>> If I were king, I'd set things up like this:
>> 
>> 1. Tomcat is installed in /usr/local/tomcat (or 
>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
> 
> 
> Looks like I do need to adjust default permissions on this if I
> expand as root.
> 
> The tarball leaves me with
> 
> [root@host apache-tomcat-8.5.20]# ls -al
> total 124
> drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
> drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
> -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
> -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
> -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
> -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
> drwxr-x---  2 root root  4096 Sep  5 20:31 bin
> drwx------  2 root root  4096 Aug  2 21:36 conf
> drwxr-x---  2 root root  4096 Sep  5 20:31 lib
> drwxr-x---  2 root root  4096 Aug  2 21:35 logs
> drwxr-x---  2 root root  4096 Sep  5 20:31 temp
> drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
> drwxr-x---  2 root root  4096 Aug  2 21:35 work
> 
> 
> What should the permissions, owner & group be set to for
> CATALINA_HOME if I am running separate instances per user?

It doesn't really matter. You just need to make sure that your "users"
can read the default config files -- especially conf/web.xml and
conf/tomcat.xml which usually shouldn't be modified from their
defaults anyway.

I've always been irritated that the conf/ directory is only readable
by the owner in the tarball. Maybe I'll agitate to get that changed,
and only protect conf/server.xml and conf/tomcat-users.xml in that way.

- -chris

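As an added example (not code from the thread or from the Tomcat project), the permission layout Christopher describes above turned into a POSIX sh script: open the tarball's owner-only conf/ to the instance users' group, keep the shared defaults group-readable, and leave only server.xml and tomcat-users.xml owner-only, with a verification step that reports what an instance user would run into. The group name is passed in (the thread uses 'tomcat'); chgrp is only attempted when running as root, 750 for bin/*.sh is my addition so users can execute the shared scripts, and make_fake_tarball_home builds a constructed tree with the tarball's modes so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: minimal readability for a shared,
# root-owned CATALINA_HOME used by several per-user CATALINA_BASE instances.
# Assumes the instance users are members of the group given as $2.
set -eu

# Defaults every instance must be able to read from CATALINA_HOME/conf.
SHARED_CONF="web.xml catalina.properties context.xml logging.properties"
# Kept owner-only: each CATALINA_BASE carries its own copy of these.
PRIVATE_CONF="server.xml tomcat-users.xml"

# mode_is PATH OCTAL: true when PATH has exactly that mode (POSIX find -perm).
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

harden_catalina_home() {
    hh_home=$1
    hh_group=$2
    # Group ownership only makes sense (and only works) as root.
    if [ "$(id -u)" = 0 ] && getent group "$hh_group" >/dev/null 2>&1; then
        chgrp -R "$hh_group" "$hh_home"
    else
        echo "not root or group '$hh_group' missing: ownership left unchanged" >&2
    fi
    # Directories traversable and files readable by owner and group only;
    # this replaces the tarball's drwx------ conf/ with drwxr-x---.
    find "$hh_home" -type d -exec chmod 750 {} +
    find "$hh_home" -type f -exec chmod 640 {} +
    # Instance users run the shared scripts, so those stay executable.
    find "$hh_home/bin" -type f -name '*.sh' -exec chmod 750 {} +
    # Owner-only for files holding the shutdown port or credentials.
    for f in $PRIVATE_CONF; do
        if [ -e "$hh_home/conf/$f" ]; then
            chmod 600 "$hh_home/conf/$f"
        fi
    done
}

# Report the two failure modes an instance user would hit: a shared default
# that is not group-readable, or a private file that is.
verify_catalina_home() {
    vh_home=$1
    vh_ok=0
    mode_is "$vh_home/conf" 750 || { echo "WARN conf/ is not 750 (tarball ships 700)" >&2; vh_ok=1; }
    for f in $SHARED_CONF; do
        if [ -e "$vh_home/conf/$f" ] && ! mode_is "$vh_home/conf/$f" 640; then
            echo "WARN $vh_home/conf/$f is not 640" >&2; vh_ok=1
        fi
    done
    for f in $PRIVATE_CONF; do
        if [ -e "$vh_home/conf/$f" ] && ! mode_is "$vh_home/conf/$f" 600; then
            echo "WARN $vh_home/conf/$f should be 600" >&2; vh_ok=1
        fi
    done
    return $vh_ok
}

# Constructed tree with the modes the tarball listing in this thread shows.
make_fake_tarball_home() {
    ft_home=$(mktemp -d)
    mkdir -p "$ft_home/conf" "$ft_home/bin" "$ft_home/lib"
    for f in $SHARED_CONF $PRIVATE_CONF; do : > "$ft_home/conf/$f"; done
    : > "$ft_home/bin/startup.sh"
    : > "$ft_home/bin/bootstrap.jar"
    chmod 700 "$ft_home/conf"      # the owner-only conf/ complained about above
    chmod 640 "$ft_home/conf"/*
    echo "$ft_home"
}

if [ "${1:-}" = demo ]; then
    demo_home=$(make_fake_tarball_home)
    verify_catalina_home "$demo_home" || echo "before: as shipped"
    harden_catalina_home "$demo_home" tomcat
    verify_catalina_home "$demo_home" && echo "after: ok"
fi
```

Against a real install this would be `harden_catalina_home /usr/local/apache-tomcat-8.5.24 tomcat` as root, followed by `verify_catalina_home` run as one of the sandbox users to confirm the shared defaults are readable from that account.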



Re: 8.5 - multiple host configuration question

2017-09-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chris,

On 9/5/17 3:39 PM, Chris Cheshire wrote:
> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>> If I were king, I'd set things up like this:
>> 
>> 1. Tomcat is installed in /usr/local/tomcat (or 
>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.). 2. Tomcat is
>> never launched with CATALINA_BASE=/usr/local/tomcat 3. Each user
>> has their own CATALINA_BASE directory in their own home directory
>> (or wherever in the fs tree). No need to put anything in 
>> /usr/local which is usually considered to be shared and
>> read-only. CATALINA_BASE is just a directory with the following
>> directories in it: work/ logs/ conf/ lib/ webapps/. Anything in
>> there overrides anything in the CATALINA_HOME where Tomcat is
>> installed. I'd recommend using a custom conf/server.xml and
>> leaving everything else pretty much alone except maybe a JDBC
>> driver in CATALINA_BASE/lib that isn't necessary for all the
>> other Tomcats that will be running on the server.
>> 
>> This gives you a LOT of flexibility:
>> 
>> 1. Users run their own JVMs as their own users. Filesystem
>> permissions become simpler. Applications require less trust (e.g.
>> apps are running at "cschultz" instead of "tomcat7"). 2. Users
>> can select which version of Tomcat they want to use. Just change
>> CATALINA_BASE and restart. (Roughly speaking. If you switch major
>> versions, you'll likely have to update 
>> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all 
>> running x.y.z whether you like it or not".
> 
> 
> Ok this helps a bit for upgrades. I would just expand the new
> tarball in a similar place, update user level conf and restart each
> instance when ready?

Exactly. Your users can even decide when they want to switch to a new
Tomcat version.

>> 3. Users can start/stop their own Tomcat services. No more
>> emailing an administrator and asking for a restart, and having to
>> coordinate it with several other unrelated teams who weren't
>> expecting a service restart in the middle of the day. 4. You
>> (admin) don't have to babysit everyone's web applications. Users
>> simply put their own apps in CATALINA_BASE/webapps and move on 
>> with their lives.
>> 
> 
> This means I need to configure each server and connector element
> with different ports for each user, correct?

Yes. A regimented port assignment scheme is recommended. In my shared
development environments, I assign every dev a number and their port
numbers become:

Tomcat AJP:   8[dev #][app #]5
Tomcat shutdown:  8[dev #][app #]6
Tomcat "Secure" port: 8[dev #][app #]7

(the "secure" port is for loopback requests; we have those for certain
applications)

So for example, my primary app id is 1 and my dev id is 2:

AJP:  8215
Shutdown: 8216
Secure:   8217

> I am fronting tomcat with httpd using an ajp connector to handle
> ssl certs. I use letsencrypt, and on a production server I can't
> afford to bounce even the connector and lose connections. httpd
> handles it a lot more gracefully. Can I have separate mod_jk.conf
> and workers.properties files for mod_jk pointing to different ports
> for separate connectors for tomcat?

Absolutely. Using regimented port assignments allows you to set up
everyone's port assignments in advance using a template worker and
then a bunch of workers that all look the same except for the port
numbers.

Then you just need to map URLs (e.g. /dev1-app1) to the matching port
numbers.

>>> What about file/directory permissions, assuming tomcat is
>>> running under the 'tomcat' user? I have root access to the
>>> machine, so changing groups, users, permissions is not an
>>> issue.
>> 
>> Free yourself from the "tomcat user". It's one of the things I
>> dislike most about the package-managed versions of Tomcat: they
>> tend to run everything as a single user which is completely
>> unnecessary.
>> 
> 
> Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as
> each user (sandbox1, sandbox2 etc)?

Yes. You may see that as a Good Thing or a Bad Thing. I think it's Good.

> Trying to assimilate all this, it sounds like :
> 
> CATALINA_HOME=/usr/local/tomcat-x.y.z 
> CATALINA_BASE=/home/sandbox1/tc
> 
> CATALINA_BASE/conf/server.xml has the entire configuration,
> engine, connector, host etc for that one user.

Yes.

> Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt
> says
> 
> "The CATALINA_HOME and CATALINA_BASE variables cannot be configured
> in the setenv script, because they are used to locate that file."

You'll have to set CATALINA_HOME and CATALINA_BASE for the user in
whatever way makes most sense. For example, ~/.profile works, but only
for interactive logins.

> Do I then need to create my own startup script that sets those,
> then calls ${CATALINA_HOME}/bin/startup.sh, or can I just set the
> variables in .bashrc?

Yeah, .bashrc will work, too, but .profile will be better because it
will affect non-bash shells, of course.

Once those 
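As an added example, not code from the thread or from Tomcat or mod_jk, the 8[dev #][app #]N port scheme above turned into a small POSIX sh generator: port_for computes the AJP, shutdown and "secure" ports for a dev/app pair, server_fragment emits the port-bearing elements for that instance's CATALINA_BASE/conf/server.xml, and workers_properties and jk_mounts produce the mod_jk side from one template worker plus per-instance workers that differ only in port, which is the "template worker" arrangement described above. Assumptions of mine: dev and app numbers are single digits (two-digit values would collide, e.g. dev 1/app 11 and dev 11/app 1 both give 8111N, so the function rejects them), the AJP connector binds to 127.0.0.1 because httpd fronts it on the same host, and the "secure" loopback port is modelled as an HTTP connector bound to 127.0.0.1, which is my reading of the message rather than its words.

```shell
#!/bin/sh
# Added example, not from the thread: the 8[dev #][app #]N port scheme as a
# generator for server.xml ports and a templated mod_jk workers.properties.
set -eu

# port_for KIND DEV APP -> 8<dev><app><suffix>; suffix 5=ajp 6=shutdown 7=secure
port_for() {
    pf_kind=$1; pf_dev=$2; pf_app=$3
    case $pf_kind in
        ajp)      pf_sfx=5 ;;
        shutdown) pf_sfx=6 ;;
        secure)   pf_sfx=7 ;;
        *) echo "unknown port kind: $pf_kind" >&2; return 1 ;;
    esac
    # Digit concatenation is only collision-free (and below 65535) when both
    # numbers are single digits; refuse anything else rather than guess.
    case "$pf_dev$pf_app" in
        [0-9][0-9]) ;;
        *) echo "dev and app numbers must each be a single digit" >&2; return 1 ;;
    esac
    echo "8$pf_dev$pf_app$pf_sfx"
}

# server_fragment DEV APP -> the elements of this instance's server.xml that
# carry ports (Engine/Host content is unchanged and elided here).
server_fragment() {
    sf_dev=$1; sf_app=$2
    cat <<EOF
<Server port="$(port_for shutdown "$sf_dev" "$sf_app")" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- AJP reachable only from the httpd on this host -->
    <Connector port="$(port_for ajp "$sf_dev" "$sf_app")" protocol="AJP/1.3"
               address="127.0.0.1" redirectPort="8443" />
    <!-- loopback-only HTTP for local requests (assumed meaning of "secure") -->
    <Connector port="$(port_for secure "$sf_dev" "$sf_app")" protocol="HTTP/1.1"
               address="127.0.0.1" />
    <!-- Engine/Host elements unchanged -->
  </Service>
</Server>
EOF
}

# workers_properties DEV:APP ... -> mod_jk workers.properties with one
# template worker and one referencing worker per instance (port differs).
workers_properties() {
    wp_list=""
    for pair in "$@"; do
        wp_dev=${pair%%:*}; wp_app=${pair##*:}
        wp_list="${wp_list:+$wp_list,}dev${wp_dev}app${wp_app}"
    done
    echo "worker.list=$wp_list"
    echo "worker.template.type=ajp13"
    echo "worker.template.host=127.0.0.1"
    for pair in "$@"; do
        wp_dev=${pair%%:*}; wp_app=${pair##*:}
        wp_name="dev${wp_dev}app${wp_app}"
        echo "worker.$wp_name.reference=worker.template"
        echo "worker.$wp_name.port=$(port_for ajp "$wp_dev" "$wp_app")"
    done
}

# jk_mounts DEV:APP ... -> httpd JkMount lines mapping /devN-appM/ to its worker.
jk_mounts() {
    for pair in "$@"; do
        jm_dev=${pair%%:*}; jm_app=${pair##*:}
        echo "JkMount /dev${jm_dev}-app${jm_app}/* dev${jm_dev}app${jm_app}"
    done
}

if [ "${1:-}" = demo ]; then
    server_fragment 2 1
    workers_properties 1:1 2:1
    jk_mounts 1:1 2:1
fi
```

`sh ports.sh demo` prints the fragment for dev 2 / app 1 (AJP 8215, shutdown 8216, secure 8217, the same numbers as in the message) plus a workers.properties and JkMount block for two instances; each user drops the fragment's ports into their own server.xml while the admin keeps one workers.properties for httpd.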

Re: 8.5 - multiple host configuration question

2017-09-05 Thread Chris Cheshire
On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
 wrote:
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).


Looks like I do need to adjust default permissions on this if I expand as root.

The tarball leaves me with

[root@host apache-tomcat-8.5.20]# ls -al
total 124
drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
-rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
-rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
-rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
-rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
drwxr-x---  2 root root  4096 Sep  5 20:31 bin
drwx------  2 root root  4096 Aug  2 21:36 conf
drwxr-x---  2 root root  4096 Sep  5 20:31 lib
drwxr-x---  2 root root  4096 Aug  2 21:35 logs
drwxr-x---  2 root root  4096 Sep  5 20:31 temp
drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
drwxr-x---  2 root root  4096 Aug  2 21:35 work


What should the permissions, owner & group be set to for CATALINA_HOME
if I am running separate instances per user?




Re: 8.5 - multiple host configuration question

2017-09-05 Thread Chris Cheshire
On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chris,
>
> On 9/5/17 10:54 AM, Chris Cheshire wrote:
>> I am migrating from 7 (yum repo installation) to 8.5 (direct from
>> apache) and looking to improve configuration where possible.
>>
>> Currently (on *nix) I have a machine that runs sandboxes for my
>> domain, call them sb1.dom.com and sb2.dom.com. They each have
>> their own (system) user and in tomcat's system.xml
>
> Nit: server.xml
>

Brain fart :)


>> I have a host for each :
>>
>> 
>>
>> 
>>
>> Each has access to the host-manager app via a hardlink to
>> manager.xml through
>> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
>> belongs to the tomcat group, and has their webapps directory group
>> readable so Tomcat can deploy the apps. Each host may have multiple
>> contexts within it representing code branches. The env variables
>> have CATALINA_HOME and CATALINA_BASE pointing to
>> /usr/share/tomcat.
>>
>> Reading RUNNING.txt, it says that HOME and BASE can point to
>> different locations for a multi-user environment, which sounds like
>> what I am doing. How do I go about configuring it this way?
>
> It depends upon your goals. If you want to run a single JVM, then it
> really doesn't matter whether you have a "single" Tomcat where
> CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
> pretty much required that you use a split configuration.
>
> I'd argue that you should always have a split configuration, because
> it allows you to upgrade/downgrade almost trivially without disturbing
> your application's (Tomcat) configuration.
>
>> Assume I put the tomcat installation in /usr/local, with a symlink
>> from /usr/local/tomcat to
>> /usr/local/tomcat/apache-tomcat-${version}
>>
>> Would it be better to put the webapps for each user under
>> /usr/local/tomcat/webapps and symlink to them from the users home
>> directory? What would the structure look like and what would I set
>> CATALINA_BASE and CATALINA_HOME to?
>
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
> 3. Each user has their own CATALINA_BASE directory in their own home
> directory (or wherever in the fs tree). No need to put anything in
> /usr/local which is usually considered to be shared and read-only.
> CATALINA_BASE is just a directory with the following directories in
> it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
> anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
> using a custom conf/server.xml and leaving everything else pretty much
> alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
> necessary for all the other Tomcats that will be running on the server.
>
> This gives you a LOT of flexibility:
>
> 1. Users run their own JVMs as their own users. Filesystem permissions
> become simpler. Applications require less trust (e.g. apps are running
> at "cschultz" instead of "tomcat7").
> 2. Users can select which version of Tomcat they want to use. Just
> change CATALINA_BASE and restart. (Roughly speaking. If you switch
> major versions, you'll likely have to update
> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
> running x.y.z whether you like it or not".

Ok this helps a bit for upgrades. I would just expand the new tarball in a
similar place, update user-level conf and restart each instance when ready?

> 3. Users can start/stop their own Tomcat services. No more emailing an
> administrator and asking for a restart, and having to coordinate it
> with several other unrelated teams who weren't expecting a service
> restart in the middle of the day.
> 4. You (admin) don't have to babysit everyone's web applications.
> Users simply put their own apps in CATALINA_BASE/webapps and move on
> with their lives.
>

This means I need to configure each server and connector element with
different ports for each user, correct?

I am fronting tomcat with httpd using an AJP connector to handle SSL certs. I
use letsencrypt, and on a production server I can't afford to bounce even the
connector and lose connections. httpd handles it a lot more gracefully. Can I
have separate mod_jk.conf and workers.properties files for mod_jk pointing to
different ports for separate connectors for tomcat?

>> What about file/directory permissions, assuming tomcat is running
>> under the 'tomcat' user? I have root access to the machine, so
>> changing groups, users, permissions is not an issue.
>
> Free yourself from the "tomcat user". It's one of the things I dislike
> most about the package-managed versions of Tomcat: they tend to run
> everything as a single user which is completely unnecessary.

Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as each user

Re: 8.5 - multiple host configuration question

2017-09-05 Thread Christopher Schultz

Chris,

On 9/5/17 10:54 AM, Chris Cheshire wrote:
> I am migrating from 7 (yum repo installation) to 8.5 (direct from 
> apache) and looking to improve configuration where possible.
> 
> Currently (on *nix) I have a machine that runs sandboxes for my 
> domain, call them sb1.dom.com and sb2.dom.com. They each have
> their own (system) user and in tomcat's system.xml

Nit: server.xml

> I have a host for each :
> 
> 
> 
> 
> 
> Each has access to the host-manager app via a hardlink to
> manager.xml through
> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
> belongs to the tomcat group, and has their webapps directory group
> readable so Tomcat can deploy the apps. Each host may have multiple
> contexts within it representing code branches. The env variables
> have CATALINA_HOME and CATALINA_BASE pointing to 
> /usr/share/tomcat.
> 
> Reading RUNNING.txt, it says that HOME and BASE can point to
> different locations for a multi-user environment, which sounds like
> what I am doing. How do I go about configuring it this way?

It depends upon your goals. If you want to run a single JVM, then it
really doesn't matter whether you have a "single" Tomcat where
CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
pretty much required that you use a split configuration.

I'd argue that you should always have a split configuration, because
it allows you to upgrade/downgrade almost trivially without disturbing
your application's (Tomcat) configuration.

> Assume I put the tomcat installation in /usr/local, with a symlink 
> from /usr/local/tomcat to
> /usr/local/tomcat/apache-tomcat-${version}
> 
> Would it be better to put the webapps for each user under 
> /usr/local/tomcat/webapps and symlink to them from the users home 
> directory? What would the structure look like and what would I set 
> CATALINA_BASE and CATALINA_HOME to?

If I were king, I'd set things up like this:

1. Tomcat is installed in /usr/local/tomcat (or
/usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
3. Each user has their own CATALINA_BASE directory in their own home
directory (or wherever in the fs tree). No need to put anything in
/usr/local which is usually considered to be shared and read-only.
CATALINA_BASE is just a directory with the following directories in
it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
using a custom conf/server.xml and leaving everything else pretty much
alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
necessary for all the other Tomcats that will be running on the server.

This gives you a LOT of flexibility:

1. Users run their own JVMs as their own users. Filesystem permissions
become simpler. Applications require less trust (e.g. apps are running
at "cschultz" instead of "tomcat7").
2. Users can select which version of Tomcat they want to use. Just
change CATALINA_BASE and restart. (Roughly speaking. If you switch
major versions, you'll likely have to update
CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
running x.y.z whether you like it or not".
3. Users can start/stop their own Tomcat services. No more emailing an
administrator and asking for a restart, and having to coordinate it
with several other unrelated teams who weren't expecting a service
restart in the middle of the day.
4. You (admin) don't have to babysit everyone's web applications.
Users simply put their own apps in CATALINA_BASE/webapps and move on
with their lives.

> What about file/directory permissions, assuming tomcat is running 
> under the 'tomcat' user? I have root access to the machine, so 
> changing groups, users, permissions is not an issue.

Free yourself from the "tomcat user". It's one of the things I dislike
most about the package-managed versions of Tomcat: they tend to run
everything as a single user which is completely unnecessary.

- -chris
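The per-user layout described above (shared, read-only CATALINA_HOME; one
CATALINA_BASE per user with its own server.xml, its own ports, started as that
user), as an added example that is not part of the thread or of Tomcat itself.
The install path /usr/local/tomcat, the ports 8105/8109 and 8205/8209, the
instance names sb1/sb2 and the JVM option in setenv.sh are all assumptions
chosen for illustration; the minimal server.xml is for Tomcat 8.5 and only
opens an AJP connector bound to 127.0.0.1, since httpd/mod_jk sits in front.

```shell
#!/bin/sh
# Added example: build one per-user CATALINA_BASE skeleton with its own ports.
# Usage: mk_catalina_base <base_dir> <shutdown_port> <ajp_port>
mk_catalina_base() {
    base=$1; shutdown_port=$2; ajp_port=$3
    # work/ logs/ conf/ lib/ webapps/ are the override directories named in
    # the thread. temp/ is added because catalina.sh points java.io.tmpdir at
    # $CATALINA_BASE/temp, and bin/ holds an optional setenv.sh, which
    # catalina.sh sources from CATALINA_BASE before falling back to
    # CATALINA_HOME/bin/setenv.sh.
    for d in bin conf lib logs temp webapps work; do
        mkdir -p "$base/$d" || return 1
    done
    # Minimal Tomcat 8.5 server.xml with per-instance ports. In practice copy
    # $CATALINA_HOME/conf/server.xml here and change exactly these values.
    # No HTTP connector: httpd/mod_jk fronts the instance over AJP, and binding
    # AJP to 127.0.0.1 keeps it off the network.
    cat > "$base/conf/server.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Server port="$shutdown_port" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Service name="Catalina">
    <Connector port="$ajp_port" protocol="AJP/1.3" address="127.0.0.1"
               redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
EOF
    # JVM settings that apply to this instance only (assumed value).
    printf '%s\n' 'JAVA_OPTS="$JAVA_OPTS -Xmx512m"' > "$base/bin/setenv.sh"
    # The JVM runs as the owning user, so nobody else needs to read the base:
    # server.xml (and tomcat-users.xml, if you add one) stays private.
    chmod 700 "$base" && chmod 600 "$base/conf/server.xml"
}

# Start an instance as the current user. Only CATALINA_BASE differs between
# instances; CATALINA_HOME stays the shared install (assumed path below).
start_instance() {
    base=$1
    home=${CATALINA_HOME:-/usr/local/tomcat}
    [ -x "$home/bin/startup.sh" ] || { echo "no Tomcat at $home" >&2; return 1; }
    CATALINA_HOME=$home CATALINA_BASE=$base "$home/bin/startup.sh"
}

# Read back the ports of a generated base, to check two instances cannot clash.
shutdown_port() {
    sed -n 's/.*<Server port="\([0-9]*\)".*/\1/p' "$1/conf/server.xml"
}
ajp_port() {
    sed -n 's/.*<Connector port="\([0-9]*\)" protocol="AJP\/1.3".*/\1/p' "$1/conf/server.xml"
}

# Example session (run as each user in turn):
#   mk_catalina_base "$HOME/tomcat-base" 8105 8109 && start_instance "$HOME/tomcat-base"
```

Each user gets a different shutdown and AJP port, which is what the
"configure each server and connector element with different ports" question
comes down to; mod_jk workers then point at the per-user AJP ports. An upgrade
is a new tarball under /usr/local and a restart with the same CATALINA_BASE.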