Re: 8.5 - multiple host configuration question
On Fri, Dec 8, 2017 at 11:25 AM, Christopher Schultz wrote:
> Chris,
>
> On 12/7/17 2:08 PM, Chris Cheshire wrote:
>> On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz wrote:
>>>> What should the permissions, owner & group be set to for
>>>> CATALINA_HOME if I am running separate instances per user?
>>>
>>> It doesn't really matter. You just need to make sure that your
>>> "users" can read the default config files -- especially
>>> conf/web.xml and conf/tomcat.xml which usually shouldn't be
>>> modified from their defaults anyway.
>>>
>>> I've always been irritated that the conf/ directory is only
>>> readable by the owner in the tarball. Maybe I'll agitate to get
>>> that changed, and only protect conf/server.xml and
>>> conf/tomcat-users.xml in that way.
>>
>> Resurrecting this.
>>
>> I'm doing some cleanup and upgrading to 8.5.24. Previously I had
>> copied the entire conf directory from HOME to BASE and modified
>> files as necessary. Now I removed from BASE the files I hadn't
>> touched (web.xml, jaspic stuff etc), but subsequently get the
>> following message in catalina.out:
>>
>>   INFO ... org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment
>>   No global web.xml found
>>
>> All other startup succeeds but nothing is accessible; I just get a
>> standard 404 when trying to access my web apps or even the manager
>> app. There are no actual ERROR level messages though.
>>
>> Permissions are as follows:
>>
>>   /usr/local/apache-tomcat-8.5.24/conf
>>   [root@s3 conf]# ls -al
>>   total 236
>>   drwxr-x---  2 root tomcat   4096 Nov 27 13:33 .
>>   drwxr-xr-x  9 root root     4096 Dec  7 16:30 ..
>>   -rw-r-----  1 root tomcat  13824 Nov 27 13:33 catalina.policy
>>   -rw-r-----  1 root tomcat   7376 Nov 27 13:33 catalina.properties
>>   -rw-r-----  1 root tomcat   1338 Nov 27 13:33 context.xml
>>   -rw-r-----  1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
>>   -rw-r-----  1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
>>   -rw-r-----  1 root tomcat   3622 Nov 27 13:33 logging.properties
>>   -rw-------  1 root tomcat   7511 Nov 27 13:33 server.xml
>>   -rw-------  1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
>>   -rw-r-----  1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
>>   -rw-r-----  1 root tomcat 169322 Nov 27 13:33 web.xml
>>
>>   /home/sandbox1/tomcat/conf
>>   [sandbox1@s3 conf]$ ls -la
>>   total 32
>>   drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
>>   drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
>>   drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
>>   -rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
>>   -rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
>>   -rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
>>   -rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml
>>
>> My sandbox users belong to the 'tomcat' group (not using a 'tomcat'
>> user though). I can cat web.xml with a sandbox user. (I tweaked the
>> permissions from the defaults to allow sandbox users to read the
>> default config.)
>>
>> If I copy web.xml from HOME/conf to BASE/conf everything works
>> again. So do I need to copy everything over from HOME/conf to
>> BASE/conf even if I am not changing anything?
>
> I checked, and my CATALINA_BASE/conf contains the following:
>
>   server.xml (required)
>   Catalina/ (and friends, optional)
>   tomcat-users.xml (optional)
>   web.xml (evidently required)
>
> We should probably allow web.xml to come from
> CATALINA_HOME/conf/web.xml if it's not present in CATALINA_BASE/conf/.
> I would have expected that to be allowed, but I guess it isn't.
>
> Can you file a BZ enhancement request?
>
> -chris

Done.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61877

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 8.5 - multiple host configuration question
Chris,

On 12/7/17 2:08 PM, Chris Cheshire wrote:
> On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz wrote:
>>> What should the permissions, owner & group be set to for
>>> CATALINA_HOME if I am running separate instances per user?
>>
>> It doesn't really matter. You just need to make sure that your
>> "users" can read the default config files -- especially
>> conf/web.xml and conf/tomcat.xml which usually shouldn't be
>> modified from their defaults anyway.
>>
>> I've always been irritated that the conf/ directory is only
>> readable by the owner in the tarball. Maybe I'll agitate to get
>> that changed, and only protect conf/server.xml and
>> conf/tomcat-users.xml in that way.
>
> Resurrecting this.
>
> I'm doing some cleanup and upgrading to 8.5.24. Previously I had
> copied the entire conf directory from HOME to BASE and modified
> files as necessary. Now I removed from BASE the files I hadn't
> touched (web.xml, jaspic stuff etc), but subsequently get the
> following message in catalina.out:
>
>   INFO ... org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment
>   No global web.xml found
>
> All other startup succeeds but nothing is accessible; I just get a
> standard 404 when trying to access my web apps or even the manager
> app. There are no actual ERROR level messages though.
>
> Permissions are as follows:
>
>   /usr/local/apache-tomcat-8.5.24/conf
>   [root@s3 conf]# ls -al
>   total 236
>   drwxr-x---  2 root tomcat   4096 Nov 27 13:33 .
>   drwxr-xr-x  9 root root     4096 Dec  7 16:30 ..
>   -rw-r-----  1 root tomcat  13824 Nov 27 13:33 catalina.policy
>   -rw-r-----  1 root tomcat   7376 Nov 27 13:33 catalina.properties
>   -rw-r-----  1 root tomcat   1338 Nov 27 13:33 context.xml
>   -rw-r-----  1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
>   -rw-r-----  1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
>   -rw-r-----  1 root tomcat   3622 Nov 27 13:33 logging.properties
>   -rw-------  1 root tomcat   7511 Nov 27 13:33 server.xml
>   -rw-------  1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
>   -rw-r-----  1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
>   -rw-r-----  1 root tomcat 169322 Nov 27 13:33 web.xml
>
>   /home/sandbox1/tomcat/conf
>   [sandbox1@s3 conf]$ ls -la
>   total 32
>   drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
>   drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
>   drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
>   -rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
>   -rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
>   -rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
>   -rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml
>
> My sandbox users belong to the 'tomcat' group (not using a 'tomcat'
> user though). I can cat web.xml with a sandbox user. (I tweaked the
> permissions from the defaults to allow sandbox users to read the
> default config.)
>
> If I copy web.xml from HOME/conf to BASE/conf everything works
> again. So do I need to copy everything over from HOME/conf to
> BASE/conf even if I am not changing anything?

I checked, and my CATALINA_BASE/conf contains the following:

  server.xml (required)
  Catalina/ (and friends, optional)
  tomcat-users.xml (optional)
  web.xml (evidently required)

We should probably allow web.xml to come from
CATALINA_HOME/conf/web.xml if it's not present in CATALINA_BASE/conf/.
I would have expected that to be allowed, but I guess it isn't.

Can you file a BZ enhancement request?
-chris
Re: 8.5 - multiple host configuration question
On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz wrote:
>> What should the permissions, owner & group be set to for
>> CATALINA_HOME if I am running separate instances per user?
>
> It doesn't really matter. You just need to make sure that your "users"
> can read the default config files -- especially conf/web.xml and
> conf/tomcat.xml which usually shouldn't be modified from their
> defaults anyway.
>
> I've always been irritated that the conf/ directory is only readable
> by the owner in the tarball. Maybe I'll agitate to get that changed,
> and only protect conf/server.xml and conf/tomcat-users.xml in that way.

Resurrecting this.

I'm doing some cleanup and upgrading to 8.5.24. Previously I had copied
the entire conf directory from HOME to BASE and modified files as
necessary. Now I removed from BASE the files I hadn't touched (web.xml,
jaspic stuff etc), but subsequently get the following message in
catalina.out:

  INFO ... org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment
  No global web.xml found

All other startup succeeds but nothing is accessible; I just get a
standard 404 when trying to access my web apps or even the manager app.
There are no actual ERROR level messages though.

Permissions are as follows:

  /usr/local/apache-tomcat-8.5.24/conf
  [root@s3 conf]# ls -al
  total 236
  drwxr-x---  2 root tomcat   4096 Nov 27 13:33 .
  drwxr-xr-x  9 root root     4096 Dec  7 16:30 ..
  -rw-r-----  1 root tomcat  13824 Nov 27 13:33 catalina.policy
  -rw-r-----  1 root tomcat   7376 Nov 27 13:33 catalina.properties
  -rw-r-----  1 root tomcat   1338 Nov 27 13:33 context.xml
  -rw-r-----  1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
  -rw-r-----  1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
  -rw-r-----  1 root tomcat   3622 Nov 27 13:33 logging.properties
  -rw-------  1 root tomcat   7511 Nov 27 13:33 server.xml
  -rw-------  1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
  -rw-r-----  1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
  -rw-r-----  1 root tomcat 169322 Nov 27 13:33 web.xml

  /home/sandbox1/tomcat/conf
  [sandbox1@s3 conf]$ ls -la
  total 32
  drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
  drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
  drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
  -rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
  -rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
  -rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
  -rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml

My sandbox users belong to the 'tomcat' group (not using a 'tomcat' user
though). I can cat web.xml with a sandbox user. (I tweaked the
permissions from the defaults to allow sandbox users to read the default
config.)

If I copy web.xml from HOME/conf to BASE/conf everything works again.
So do I need to copy everything over from HOME/conf to BASE/conf even if
I am not changing anything?
RE: 8.5 - multiple host configuration question
Chris and Chris (but not Chris)

-----Original Message-----
From: Chris Cheshire [mailto:yahoono...@gmail.com]
Sent: Friday, September 08, 2017 9:16 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: 8.5 - multiple host configuration question

On Thu, Sep 7, 2017 at 5:29 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Chris,
>
> On 9/5/17 3:39 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz wrote:
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>>    /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>>> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
>>> 3. Each user has their own CATALINA_BASE directory in their own
>>>    home directory (or wherever in the fs tree). No need to put
>>>    anything in /usr/local which is usually considered to be shared
>>>    and read-only. CATALINA_BASE is just a directory with the
>>>    following directories in it: work/ logs/ conf/ lib/ webapps/.
>>>    Anything in there overrides anything in the CATALINA_HOME where
>>>    Tomcat is installed. I'd recommend using a custom
>>>    conf/server.xml and leaving everything else pretty much alone
>>>    except maybe a JDBC driver in CATALINA_BASE/lib that isn't
>>>    necessary for all the other Tomcats that will be running on the
>>>    server.
>>>
>>> This gives you a LOT of flexibility:
>>>
>>> [SNIP]
>>>
> Thank you for the explanations, this helps considerably.

Ditto! I saved a copy in my archives of accumulated Tomcat wisdom. The
problem is that the info is still stored in my computer and not in my
brain.

--
Cris Berneburg
CACI Lead Software Engineer
Re: 8.5 - multiple host configuration question
On Thu, Sep 7, 2017 at 5:29 PM, Christopher Schultz wrote:
> Chris,
>
> On 9/5/17 3:39 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz wrote:
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>>    /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>>> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
>>> 3. Each user has their own CATALINA_BASE directory in their own
>>>    home directory (or wherever in the fs tree). No need to put
>>>    anything in /usr/local which is usually considered to be shared
>>>    and read-only. CATALINA_BASE is just a directory with the
>>>    following directories in it: work/ logs/ conf/ lib/ webapps/.
>>>    Anything in there overrides anything in the CATALINA_HOME where
>>>    Tomcat is installed. I'd recommend using a custom
>>>    conf/server.xml and leaving everything else pretty much alone
>>>    except maybe a JDBC driver in CATALINA_BASE/lib that isn't
>>>    necessary for all the other Tomcats that will be running on the
>>>    server.
>>>
>>> This gives you a LOT of flexibility:
>>>
>>> 1. Users run their own JVMs as their own users. Filesystem
>>>    permissions become simpler. Applications require less trust
>>>    (e.g. apps are running as "cschultz" instead of "tomcat7").
>>> 2. Users can select which version of Tomcat they want to use. Just
>>>    change CATALINA_BASE and restart. (Roughly speaking. If you
>>>    switch major versions, you'll likely have to update
>>>    CATALINA_BASE/conf/server.xml quite a bit.) No more "we are all
>>>    running x.y.z whether you like it or not".
>>
>> Ok this helps a bit for upgrades. I would just expand the new
>> tarball in a similar place, update user level conf and restart each
>> instance when ready?
>
> Exactly. Your users can even decide when they want to switch to a new
> Tomcat version.
>
>>> 3. Users can start/stop their own Tomcat services. No more
>>>    emailing an administrator and asking for a restart, and having
>>>    to coordinate it with several other unrelated teams who weren't
>>>    expecting a service restart in the middle of the day.
>>> 4. You (admin) don't have to babysit everyone's web applications.
>>>    Users simply put their own apps in CATALINA_BASE/webapps and
>>>    move on with their lives.
>>
>> This means I need to configure each server and connector element
>> with different ports for each user, correct?
>
> Yes. A regimented port assignment scheme is recommended. In my shared
> development environments, I assign every dev a number and their port
> numbers become:
>
>   Tomcat AJP:           8[dev #][app #]5
>   Tomcat shutdown:      8[dev #][app #]6
>   Tomcat "Secure" port: 8[dev #][app #]7
>
> (the "secure" port is for loopback requests; we have those for certain
> applications)
>
> So for example, my primary app id is 1 and my dev id is 2:
>
>   AJP:      8215
>   Shutdown: 8216
>   Secure:   8217
>
>> I am fronting tomcat with httpd using an ajp connector to handle
>> ssl certs. I use letsencrypt, and on a production server I can't
>> afford to bounce even the connector and lose connections. httpd
>> handles it a lot more gracefully. Can I have separate mod_jk.conf
>> and workers.properties files for mod_jk pointing to different ports
>> for separate connectors for tomcat?
>
> Absolutely. Using regimented port assignments allows you to set up
> everyone's port assignments in advance using a template worker and
> then a bunch of workers that all look the same except for the port
> numbers.
>
> Then you just need to map URLs (e.g. /dev1-app1) to the matching port
> numbers.
>
>>>> What about file/directory permissions, assuming tomcat is running
>>>> under the 'tomcat' user? I have root access to the machine, so
>>>> changing groups, users, permissions is not an issue.
>>>
>>> Free yourself from the "tomcat user". It's one of the things I
>>> dislike most about the package-managed versions of Tomcat: they
>>> tend to run everything as a single user which is completely
>>> unnecessary.
>>
>> Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as
>> each user (sandbox1, sandbox2 etc)?
>
> Yes. You may see that as a Good Thing or a Bad Thing. I think it's Good.
>
>> Trying to assimilate all this, it sounds like:
>>
>>   CATALINA_HOME=/usr/local/tomcat-x.y.z
>>   CATALINA_BASE=/home/sandbox1/tc
>>
>> CATALINA_BASE/conf/server.xml has the entire configuration,
>> engine, connector, host etc for that one user.
>
> Yes.
>
>> Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt
>> says
>>
>>   "The CATALINA_HOME and CATALINA_BASE variables cannot be configured
>>   in the setenv script, because they are used to locate that file."
>
> You'll have to set CATALINA_HOME and CATALINA_BASE for the user in
> whatever way makes most sense. For example, ~/.profile works, but only
> for interactive logins.
>
>> Do I then need to create my own startup script that sets
Re: 8.5 - multiple host configuration question
On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz wrote:
> Chris,
>
> On 9/5/17 4:42 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz wrote:
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>>    /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>>
>> Looks like I do need to adjust default permissions on this if I
>> expand as root.
>>
>> The tarball leaves me with
>>
>>   [root@host apache-tomcat-8.5.20]# ls -al
>>   total 124
>>   drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
>>   drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
>>   -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
>>   -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
>>   -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
>>   -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
>>   drwxr-x---  2 root root  4096 Sep  5 20:31 bin
>>   drwx------  2 root root  4096 Aug  2 21:36 conf
>>   drwxr-x---  2 root root  4096 Sep  5 20:31 lib
>>   drwxr-x---  2 root root  4096 Aug  2 21:35 logs
>>   drwxr-x---  2 root root  4096 Sep  5 20:31 temp
>>   drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
>>   drwxr-x---  2 root root  4096 Aug  2 21:35 work
>>
>> What should the permissions, owner & group be set to for
>> CATALINA_HOME if I am running separate instances per user?
>
> It doesn't really matter. You just need to make sure that your "users"
> can read the default config files -- especially conf/web.xml and
> conf/tomcat.xml which usually shouldn't be modified from their
> defaults anyway.
>
> I've always been irritated that the conf/ directory is only readable
> by the owner in the tarball. Maybe I'll agitate to get that changed,
> and only protect conf/server.xml and conf/tomcat-users.xml in that way.
>
> -chris

Thanks, I'm just wary of giving everyone read permission to something
that starts out without it, especially when installed by root.

The only change I made to the default config anyway was to remove
tomcat-users.xml since I have a JDBC realm for restricting access to
the manager webapp.

Chris
Re: 8.5 - multiple host configuration question
Chris,

On 9/5/17 4:42 PM, Chris Cheshire wrote:
> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz wrote:
>> If I were king, I'd set things up like this:
>>
>> 1. Tomcat is installed in /usr/local/tomcat (or
>>    /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>
> Looks like I do need to adjust default permissions on this if I
> expand as root.
>
> The tarball leaves me with
>
>   [root@host apache-tomcat-8.5.20]# ls -al
>   total 124
>   drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
>   drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
>   -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
>   -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
>   -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
>   -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
>   drwxr-x---  2 root root  4096 Sep  5 20:31 bin
>   drwx------  2 root root  4096 Aug  2 21:36 conf
>   drwxr-x---  2 root root  4096 Sep  5 20:31 lib
>   drwxr-x---  2 root root  4096 Aug  2 21:35 logs
>   drwxr-x---  2 root root  4096 Sep  5 20:31 temp
>   drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
>   drwxr-x---  2 root root  4096 Aug  2 21:35 work
>
> What should the permissions, owner & group be set to for
> CATALINA_HOME if I am running separate instances per user?

It doesn't really matter. You just need to make sure that your "users"
can read the default config files -- especially conf/web.xml and
conf/tomcat.xml which usually shouldn't be modified from their
defaults anyway.

I've always been irritated that the conf/ directory is only readable
by the owner in the tarball. Maybe I'll agitate to get that changed,
and only protect conf/server.xml and conf/tomcat-users.xml in that way.
-chris
Re: 8.5 - multiple host configuration question
Chris,

On 9/5/17 3:39 PM, Chris Cheshire wrote:
> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz wrote:
>> If I were king, I'd set things up like this:
>>
>> 1. Tomcat is installed in /usr/local/tomcat (or
>>    /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
>> 3. Each user has their own CATALINA_BASE directory in their own home
>>    directory (or wherever in the fs tree). No need to put anything in
>>    /usr/local which is usually considered to be shared and read-only.
>>    CATALINA_BASE is just a directory with the following directories
>>    in it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
>>    anything in the CATALINA_HOME where Tomcat is installed. I'd
>>    recommend using a custom conf/server.xml and leaving everything
>>    else pretty much alone except maybe a JDBC driver in
>>    CATALINA_BASE/lib that isn't necessary for all the other Tomcats
>>    that will be running on the server.
>>
>> This gives you a LOT of flexibility:
>>
>> 1. Users run their own JVMs as their own users. Filesystem
>>    permissions become simpler. Applications require less trust (e.g.
>>    apps are running as "cschultz" instead of "tomcat7").
>> 2. Users can select which version of Tomcat they want to use. Just
>>    change CATALINA_BASE and restart. (Roughly speaking. If you switch
>>    major versions, you'll likely have to update
>>    CATALINA_BASE/conf/server.xml quite a bit.) No more "we are all
>>    running x.y.z whether you like it or not".
>
> Ok this helps a bit for upgrades. I would just expand the new tarball
> in a similar place, update user level conf and restart each instance
> when ready?

Exactly. Your users can even decide when they want to switch to a new
Tomcat version.

>> 3. Users can start/stop their own Tomcat services. No more emailing
>>    an administrator and asking for a restart, and having to
>>    coordinate it with several other unrelated teams who weren't
>>    expecting a service restart in the middle of the day.
>> 4. You (admin) don't have to babysit everyone's web applications.
>>    Users simply put their own apps in CATALINA_BASE/webapps and move
>>    on with their lives.
>
> This means I need to configure each server and connector element with
> different ports for each user, correct?

Yes. A regimented port assignment scheme is recommended. In my shared
development environments, I assign every dev a number and their port
numbers become:

  Tomcat AJP:           8[dev #][app #]5
  Tomcat shutdown:      8[dev #][app #]6
  Tomcat "Secure" port: 8[dev #][app #]7

(the "secure" port is for loopback requests; we have those for certain
applications)

So for example, my primary app id is 1 and my dev id is 2:

  AJP:      8215
  Shutdown: 8216
  Secure:   8217

> I am fronting tomcat with httpd using an ajp connector to handle ssl
> certs. I use letsencrypt, and on a production server I can't afford to
> bounce even the connector and lose connections. httpd handles it a lot
> more gracefully. Can I have separate mod_jk.conf and
> workers.properties files for mod_jk pointing to different ports for
> separate connectors for tomcat?

Absolutely. Using regimented port assignments allows you to set up
everyone's port assignments in advance using a template worker and then
a bunch of workers that all look the same except for the port numbers.

Then you just need to map URLs (e.g. /dev1-app1) to the matching port
numbers.

>>> What about file/directory permissions, assuming tomcat is running
>>> under the 'tomcat' user? I have root access to the machine, so
>>> changing groups, users, permissions is not an issue.
>>
>> Free yourself from the "tomcat user". It's one of the things I
>> dislike most about the package-managed versions of Tomcat: they tend
>> to run everything as a single user which is completely unnecessary.
>
> Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as each
> user (sandbox1, sandbox2 etc)?

Yes. You may see that as a Good Thing or a Bad Thing. I think it's Good.

> Trying to assimilate all this, it sounds like:
>
>   CATALINA_HOME=/usr/local/tomcat-x.y.z
>   CATALINA_BASE=/home/sandbox1/tc
>
> CATALINA_BASE/conf/server.xml has the entire configuration, engine,
> connector, host etc for that one user.

Yes.

> Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt says
>
>   "The CATALINA_HOME and CATALINA_BASE variables cannot be configured
>   in the setenv script, because they are used to locate that file."

You'll have to set CATALINA_HOME and CATALINA_BASE for the user in
whatever way makes most sense. For example, ~/.profile works, but only
for interactive logins.

> Do I then need to create my own startup script that sets those, then
> calls ${CATALINA_HOME}/bin/startup.sh, or can I just set the variables
> in .bashrc?

Yeah, .bashrc will work, too, but .profile will be better because it
will affect non-bash shells, of course. Once those
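The port scheme and the template-worker idea Schultz describes above, turned into a small script. This is an added example, not code from the thread, from Tomcat or from mod_jk: it computes 8[dev#][app#]5/6/7, emits a workers.properties in which every worker inherits everything except its port from a template worker (mod_jk's `reference` directive), prints the JkMount lines that map /devN-appM to that worker, and prints the matching <Server>/<Connector> lines for the user's CATALINA_BASE/conf/server.xml. The worker naming (dev2-app1), the single-digit limit on ids and binding AJP to 127.0.0.1 are my choices; the thread names none of them.

```shell
#!/bin/sh
# Added example (not from the thread, Tomcat or mod_jk): regimented
# per-user port assignment, 8[dev#][app#]5 (AJP) / 6 (shutdown) / 7
# ("secure" loopback port), plus the mod_jk and server.xml lines that
# follow from it. dev# and app# are assumed to be single digits so every
# port stays inside 8000-8999.

tomcat_port() {   # tomcat_port DEV APP KIND   (KIND: ajp | shutdown | secure)
    dev=$1; app=$2
    case $3 in
        ajp)      suffix=5 ;;
        shutdown) suffix=6 ;;
        secure)   suffix=7 ;;
        *) echo "unknown port kind: $3" >&2; return 1 ;;
    esac
    case "$dev$app" in
        [0-9][0-9]) ;;
        *) echo "dev and app ids must be single digits" >&2; return 1 ;;
    esac
    echo "8${dev}${app}${suffix}"
}

# One mod_jk worker per dev/app pair. Everything but the port comes from
# a template worker via the "reference" directive.
jk_worker() {     # jk_worker DEV APP
    name="dev$1-app$2"
    port=$(tomcat_port "$1" "$2" ajp)
    printf 'worker.%s.reference=worker.template\n' "$name"
    printf 'worker.%s.port=%s\n' "$name" "$port"
}

# Whole workers.properties for a list of DEV:APP pairs, e.g. 1:1 2:1.
workers_properties() {
    list=""
    echo "worker.template.type=ajp13"
    echo "worker.template.host=127.0.0.1"
    for pair in "$@"; do
        dev=${pair%%:*}; app=${pair#*:}
        list="${list:+$list,}dev$dev-app$app"
        jk_worker "$dev" "$app"
    done
    echo "worker.list=$list"
}

# httpd side: map the URL prefix for each pair to its worker.
jk_mounts() {
    for pair in "$@"; do
        dev=${pair%%:*}; app=${pair#*:}
        echo "JkMount /dev$dev-app$app/* dev$dev-app$app"
    done
}

# Tomcat side: the two lines a sandbox user changes in their own
# CATALINA_BASE/conf/server.xml. The AJP connector is bound to loopback
# on purpose: each sandbox is now a separate unauthenticated AJP
# listener and the local httpd is the only client that should reach it.
server_xml_ports() {  # server_xml_ports DEV APP
    shut=$(tomcat_port "$1" "$2" shutdown)
    ajp=$(tomcat_port "$1" "$2" ajp)
    echo "<Server port=\"$shut\" shutdown=\"SHUTDOWN\">"
    echo "  <Connector port=\"$ajp\" protocol=\"AJP/1.3\" address=\"127.0.0.1\" />"
}

# Stand-alone demo using the thread's own numbers (dev 2, app 1).
workers_properties 1:1 2:1
jk_mounts 1:1 2:1
server_xml_ports 2 1
```

Because every worker is derived from the same template, rolling out a new sandbox is one `jk_worker` line plus one `JkMount`, and a port collision is impossible as long as dev/app ids are unique; the script refuses ids that would push a port outside the scheme.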
Re: 8.5 - multiple host configuration question
On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz wrote:
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
>    /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).

Looks like I do need to adjust default permissions on this if I expand
as root.

The tarball leaves me with

  [root@host apache-tomcat-8.5.20]# ls -al
  total 124
  drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
  drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
  -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
  -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
  -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
  -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
  drwxr-x---  2 root root  4096 Sep  5 20:31 bin
  drwx------  2 root root  4096 Aug  2 21:36 conf
  drwxr-x---  2 root root  4096 Sep  5 20:31 lib
  drwxr-x---  2 root root  4096 Aug  2 21:35 logs
  drwxr-x---  2 root root  4096 Sep  5 20:31 temp
  drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
  drwxr-x---  2 root root  4096 Aug  2 21:35 work

What should the permissions, owner & group be set to for CATALINA_HOME
if I am running separate instances per user?
Re: 8.5 - multiple host configuration question
On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz wrote:
> Chris,
>
> On 9/5/17 10:54 AM, Chris Cheshire wrote:
>> I am migrating from 7 (yum repo installation) to 8.5 (direct from
>> apache) and looking to improve configuration where possible.
>>
>> Currently (on *nix) I have a machine that runs sandboxes for my
>> domain, call them sb1.dom.com and sb2.dom.com. They each have their
>> own (system) user and in tomcat's system.xml
>
> Nit: server.xml

Brain fart :)

>> I have a host for each :
>>
>> Each has access to the host-manager app via a hardlink to
>> manager.xml through
>> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
>> belongs to the tomcat group, and has their webapps directory group
>> readable so Tomcat can deploy the apps. Each host may have multiple
>> contexts within it representing code branches. The env variables
>> have CATALINA_HOME and CATALINA_BASE pointing to /usr/share/tomcat.
>>
>> Reading RUNNING.txt, it says that HOME and BASE can point to
>> different locations for a multi-user environment, which sounds like
>> what I am doing. How do I go about configuring it this way?
>
> It depends upon your goals. If you want to run a single JVM, then it
> really doesn't matter whether you have a "single" Tomcat where
> CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
> pretty much required that you use a split configuration.
>
> I'd argue that you should always have a split configuration, because
> it allows you to upgrade/downgrade almost trivially without disturbing
> your application's (Tomcat) configuration.
>
>> Assume I put the tomcat installation in /usr/local, with a symlink
>> from /usr/local/tomcat to
>> /usr/local/tomcat/apache-tomcat-${version}
>>
>> Would it be better to put the webapps for each user under
>> /usr/local/tomcat/webapps and symlink to them from the users home
>> directory? What would the structure look like and what would I set
>> CATALINA_BASE and CATALINA_HOME to?
>
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
>    /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
> 3. Each user has their own CATALINA_BASE directory in their own home
>    directory (or wherever in the fs tree). No need to put anything in
>    /usr/local which is usually considered to be shared and read-only.
>    CATALINA_BASE is just a directory with the following directories
>    in it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
>    anything in the CATALINA_HOME where Tomcat is installed. I'd
>    recommend using a custom conf/server.xml and leaving everything
>    else pretty much alone except maybe a JDBC driver in
>    CATALINA_BASE/lib that isn't necessary for all the other Tomcats
>    that will be running on the server.
>
> This gives you a LOT of flexibility:
>
> 1. Users run their own JVMs as their own users. Filesystem
>    permissions become simpler. Applications require less trust (e.g.
>    apps are running as "cschultz" instead of "tomcat7").
> 2. Users can select which version of Tomcat they want to use. Just
>    change CATALINA_BASE and restart. (Roughly speaking. If you switch
>    major versions, you'll likely have to update
>    CATALINA_BASE/conf/server.xml quite a bit.) No more "we are all
>    running x.y.z whether you like it or not".

Ok this helps a bit for upgrades. I would just expand the new tarball in
a similar place, update user level conf and restart each instance when
ready?

> 3. Users can start/stop their own Tomcat services. No more emailing
>    an administrator and asking for a restart, and having to
>    coordinate it with several other unrelated teams who weren't
>    expecting a service restart in the middle of the day.
> 4. You (admin) don't have to babysit everyone's web applications.
>    Users simply put their own apps in CATALINA_BASE/webapps and move
>    on with their lives.

This means I need to configure each server and connector element with
different ports for each user, correct?

I am fronting tomcat with httpd using an ajp connector to handle ssl
certs. I use letsencrypt, and on a production server I can't afford to
bounce even the connector and lose connections. httpd handles it a lot
more gracefully. Can I have separate mod_jk.conf and workers.properties
files for mod_jk pointing to different ports for separate connectors
for tomcat?

>> What about file/directory permissions, assuming tomcat is running
>> under the 'tomcat' user? I have root access to the machine, so
>> changing groups, users, permissions is not an issue.
>
> Free yourself from the "tomcat user". It's one of the things I
> dislike most about the package-managed versions of Tomcat: they tend
> to run everything as a single user which is completely unnecessary.

Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as each user
Re: 8.5 - multiple host configuration question
Chris,

On 9/5/17 10:54 AM, Chris Cheshire wrote:
> I am migrating from 7 (yum repo installation) to 8.5 (direct from
> apache) and looking to improve configuration where possible.
>
> Currently (on *nix) I have a machine that runs sandboxes for my
> domain, call them sb1.dom.com and sb2.dom.com. They each have
> their own (system) user and in tomcat's system.xml

Nit: server.xml

> I have a host for each :
>
> Each has access to the host-manager app via a hardlink to
> manager.xml through
> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
> belongs to the tomcat group, and has their webapps directory group
> readable so Tomcat can deploy the apps. Each host may have multiple
> contexts within it representing code branches. The env variables
> have CATALINA_HOME and CATALINA_BASE pointing to
> /usr/share/tomcat.
>
> Reading RUNNING.txt, it says that HOME and BASE can point to
> different locations for a multi-user environment, which sounds like
> what I am doing. How do I go about configuring it this way?

It depends upon your goals. If you want to run a single JVM, then it
really doesn't matter whether you have a "single" Tomcat where
CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
pretty much required that you use a split configuration.

I'd argue that you should always have a split configuration, because
it allows you to upgrade/downgrade almost trivially without disturbing
your application's (Tomcat) configuration.

> Assume I put the tomcat installation in /usr/local, with a symlink
> from /usr/local/tomcat to
> /usr/local/tomcat/apache-tomcat-${version}
>
> Would it be better to put the webapps for each user under
> /usr/local/tomcat/webapps and symlink to them from the users home
> directory? What would the structure look like and what would I set
> CATALINA_BASE and CATALINA_HOME to?

If I were king, I'd set things up like this:

1. Tomcat is installed in /usr/local/tomcat (or
/usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
3. Each user has their own CATALINA_BASE directory in their own home
directory (or wherever in the fs tree). No need to put anything in
/usr/local which is usually considered to be shared and read-only.
CATALINA_BASE is just a directory with the following directories in
it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
using a custom conf/server.xml and leaving everything else pretty much
alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
necessary for all the other Tomcats that will be running on the server.

This gives you a LOT of flexibility:

1. Users run their own JVMs as their own users. Filesystem permissions
become simpler. Applications require less trust (e.g. apps are running
at "cschultz" instead of "tomcat7").
2. Users can select which version of Tomcat they want to use. Just
change CATALINA_BASE and restart. (Roughly speaking. If you switch
major versions, you'll likely have to update
CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
running x.y.z whether you like it or not".
3. Users can start/stop their own Tomcat services. No more emailing an
administrator and asking for a restart, and having to coordinate it
with several other unrelated teams who weren't expecting a service
restart in the middle of the day.
4. You (admin) don't have to babysit everyone's web applications.
Users simply put their own apps in CATALINA_BASE/webapps and move on
with their lives.

> What about file/directory permissions, assuming tomcat is running
> under the 'tomcat' user? I have root access to the machine, so
> changing groups, users, permissions is not an issue.

Free yourself from the "tomcat user". It's one of the things I dislike
most about the package-managed versions of Tomcat: they tend to run
everything as a single user which is completely unnecessary.

-chris
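The per-user CATALINA_BASE layout described in the message above (work/ logs/ conf/ lib/ webapps/ plus a custom conf/server.xml overriding a shared CATALINA_HOME), as an added shell example that is not from this thread or the Tomcat project. It assumes CATALINA_HOME at /usr/local/tomcat, a $HOME/tomcat base per user, and a hypothetical per-instance index used to keep each JVM's shutdown, HTTP and AJP ports apart.

```shell
#!/bin/sh
# Added example (not from the thread): lay out one CATALINA_BASE per user that
# overrides a shared, read-only CATALINA_HOME install, as described above.
# Assumptions (hypothetical): CATALINA_HOME=/usr/local/tomcat, BASE=$HOME/tomcat,
# and an instance index so each user's ports never collide with another JVM's.

# Ports for instance N: the 8005/8080/8009 defaults shifted by 100*N.
shutdown_port() { echo $((8005 + 100 * $1)); }
http_port()     { echo $((8080 + 100 * $1)); }
ajp_port()      { echo $((8009 + 100 * $1)); }

# make_base HOME BASE INDEX : create BASE with the override directories and a
# minimal server.xml; everything not present here is taken from HOME.
make_base() {
    home="$1"; base="$2"; idx="$3"
    for d in conf lib logs temp webapps work; do
        mkdir -p "$base/$d" || return 1
    done
    # Tomcat reads the global web.xml from CATALINA_BASE/conf, so copy the
    # stock one from the install instead of expecting a fallback to HOME.
    cp "$home/conf/web.xml" "$base/conf/web.xml" || return 1
    cat > "$base/conf/server.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Server port="$(shutdown_port "$idx")" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- HTTP and AJP bound to loopback: only the local httpd (mod_jk) talks
         to this JVM; 8.5.51+ also expects a secret on AJP (secretRequired). -->
    <Connector port="$(http_port "$idx")" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="$(ajp_port "$idx")" protocol="AJP/1.3" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
EOF
    # The base belongs to one user and runs as that user: keep it private.
    chmod 700 "$base" && chmod 600 "$base/conf/server.xml"
}

# Example: second sandbox user on this box.
# make_base /usr/local/tomcat "$HOME/tomcat" 2
# CATALINA_HOME=/usr/local/tomcat CATALINA_BASE="$HOME/tomcat" \
#   /usr/local/tomcat/bin/startup.sh
```

Each user then starts their own JVM as themselves with CATALINA_HOME and CATALINA_BASE set and $CATALINA_HOME/bin/startup.sh, and the per-instance AJP port is what a separate mod_jk worker entry would point at.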