Re: Number of Web Applications in one Tomcat: THANKS!

2018-11-01 Thread Igal Sapir
Chris,

On Thu, Nov 1, 2018 at 10:13 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> On 11/1/18 12:06, Igal Sapir wrote:
> > On Thu, Nov 1, 2018 at 7:39 AM André Warnier (tomcat)
> >  wrote:
> >
> >> On 01.11.2018 14:51, Christopher Schultz wrote:
> >>> We assign each dev a number and each application a number. Each
> >>> pair of dev+app yields an actual port number. This works great
> >>> in development so nobody ever steps on anyone's toes. In other
> >>> environments (test, prod, etc.) there is only ever one "dev
> >>> number" and that's "the deployer".
>  
> >
> > This new feature from BZ 61171 might make life easier for
> > deployments of such setups: Add port offset attribute (portOffset?)
> > to Server configuration
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=61171
>
> Yup. We don't happen to use that feature, but that's just because we
> baked everything into our deployment scripts back in 2003. :)
>

Right, given the fact that it was only added to dev a few hours ago
(r1845482) I don't expect anyone to be using it yet ;)

I like your idea of `port = dev + app`.  In development, I often find
myself disabling the AJP and SHUTDOWN ports to avoid binding conflicts.  In
production, one of the organizations for which I provide support has about
200 different applications, with deployment scripts that set the different
ports and map the web server accordingly.

Come 9.0.13 the new portOffset feature can make such deployment a little
easier.

Best,

Igal


Re: Number of Web Applications in one Tomcat: THANKS!

2018-11-01 Thread Christopher Schultz

Igal,

On 11/1/18 12:06, Igal Sapir wrote:
> On Thu, Nov 1, 2018 at 7:39 AM André Warnier (tomcat)
>  wrote:
> 
>> On 01.11.2018 14:51, Christopher Schultz wrote:
>>> We assign each dev a number and each application a number. Each
>>> pair of dev+app yields an actual port number. This works great
>>> in development so nobody ever steps on anyone's toes. In other 
>>> environments (test, prod, etc.) there is only ever one "dev
>>> number" and that's "the deployer".
>> 
>> I don't know if this is original or a system that is already
>> well-known in this industry, but that sounds like a really clever
>> idea to me. Our own context is a bit different, but I'm sure there
>> is a way for us to re-use this.
>> 
> 
> +1
> 
> This new feature from BZ 61171 might make life easier for
> deployments of such setups: Add port offset attribute (portOffset?)
> to Server configuration 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61171

Yup. We don't happen to use that feature, but that's just because we
baked everything into our deployment scripts back in 2003. :)

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Number of Web Applications in one Tomcat: THANKS!

2018-11-01 Thread Igal Sapir
On Thu, Nov 1, 2018 at 7:39 AM André Warnier (tomcat)  wrote:

> On 01.11.2018 14:51, Christopher Schultz wrote:
> > We assign each dev a number and each application a number. Each pair
> > of dev+app yields an actual port number. This works great in
> > development so nobody ever steps on anyone's toes. In other
> > environments (test, prod, etc.) there is only ever one "dev number"
> > and that's "the deployer".
>
> I don't know if this is original or a system that is already well-known in
> this industry,
> but that sounds like a really clever idea to me. Our own context is a bit
> different, but I'm
> sure there is a way for us to re-use this.
>

+1

This new feature from BZ 61171 might make life easier for deployments of
such setups:
Add port offset attribute (portOffset?) to Server configuration
https://bz.apache.org/bugzilla/show_bug.cgi?id=61171

Igal
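Igal's two posts above point at the new Server `portOffset` attribute (BZ 61171, Tomcat 9.0.13) as a way to run Chris's "port = dev + app" scheme without editing every Connector. The following is an added example, not code from the thread or from Tomcat: it derives one `portOffset` per (dev, app) pair from the stock server.xml listener ports (SHUTDOWN 8005, AJP 8009, HTTP 8080) and checks a whole fleet of instances for port collisions. The mapping `offset = 100 * (dev * apps_per_dev + app)` is an assumption of this example; the thread does not give Chris's actual formula.

```python
"""Derive one portOffset per (dev, app) pair and check a fleet for port collisions.

Added example, not code from the thread or from Tomcat. Every instance keeps an
unmodified server.xml and differs only in the Server portOffset attribute
(BZ 61171, Tomcat 9.0.13+); Tomcat adds the offset to the shutdown port and to
every nested Connector port. The offset formula is an assumption.
"""

# Stock server.xml listener ports. Igal drops AJP and SHUTDOWN in development;
# that is simply a smaller dict passed as base_ports below.
BASE_PORTS = {"shutdown": 8005, "ajp": 8009, "http": 8080}

MAX_PORT = 65535


def port_offset(dev, app, apps_per_dev=10):
    """Assumed scheme: offset = 100 * (dev * apps_per_dev + app).

    A step of 100 is wider than the spread of BASE_PORTS (8080 - 8005 = 75),
    so listeners of two different instances can never land on the same port.
    """
    if dev < 0 or not 0 <= app < apps_per_dev:
        raise ValueError("dev must be >= 0 and 0 <= app < apps_per_dev")
    return 100 * (dev * apps_per_dev + app)


def effective_ports(offset, base_ports=BASE_PORTS):
    """Ports Tomcat actually binds for a Server with portOffset=offset."""
    ports = {name: base + offset for name, base in base_ports.items()}
    too_high = [p for p in ports.values() if p > MAX_PORT]
    if too_high:
        raise ValueError(f"offset {offset} pushes a listener past {MAX_PORT}: {too_high}")
    return ports


def find_collisions(offsets, base_ports=BASE_PORTS):
    """Return [(port, [(offset, listener), ...])] for each port bound by >1 instance."""
    owners = {}
    for off in offsets:
        for name, port in effective_ports(off, base_ports).items():
            owners.setdefault(port, []).append((off, name))
    return sorted((port, who) for port, who in owners.items() if len(who) > 1)


def server_element(offset, shutdown_port=BASE_PORTS["shutdown"]):
    """The <Server> line an instance would carry; only portOffset varies per instance."""
    return f'<Server port="{shutdown_port}" shutdown="SHUTDOWN" portOffset="{offset}">'


if __name__ == "__main__":
    fleet = [port_offset(d, a) for d in range(10) for a in range(10)]
    print(f"{len(fleet)} instances, collisions: {find_collisions(fleet)}")
    off = port_offset(3, 7)
    print(server_element(off), effective_ports(off))
```

`find_collisions` is the part worth keeping around: whatever formula a team settles on, running it over the full set of planned offsets once is what guarantees nobody "steps on anyone's toes", and it catches an offset that was hand-edited to something that is not a multiple of the step.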


Re: Number of Web Applications in one Tomcat: THANKS!

2018-11-01 Thread tomcat

On 01.11.2018 14:51, Christopher Schultz wrote:
> We assign each dev a number and each application a number. Each pair
> of dev+app yields an actual port number. This works great in
> development so nobody ever steps on anyone's toes. In other
> environments (test, prod, etc.) there is only ever one "dev number"
> and that's "the deployer".

I don't know if this is original or a system that is already well-known in this industry,
but that sounds like a really clever idea to me. Our own context is a bit different, but I'm
sure there is a way for us to re-use this.

Thanks.





Re: Number of Web Applications in one Tomcat: THANKS!

2018-11-01 Thread Christopher Schultz

George,

On 10/31/18 14:17, George Stanchev wrote:
> This is an interesting discussion. Are there any guides to 
> alleviating management work of such deployments?

It's a little out of scope for this community (formally), but there
may be people here who can share their stories.

> For example, how do you deal with the port mapping?
We assign each dev a number and each application a number. Each pair
of dev+app yields an actual port number. This works great in
development so nobody ever steps on anyone's toes. In other
environments (test, prod, etc.) there is only ever one "dev number"
and that's "the deployer".

> Or logs - do you collect at a common location or let each app log
> in its corner ?

We use separate logs, but many logging systems allow for log
aggregation. I know e.g. log4j has a SysLogAppender and you can do
*anything* with that.

> Can you share configuration across instances such as SSL, JNDI 
> configuration, etc?
We use revision-control for that kind of thing with replaceable
parameters for things like relocatable resources (e.g. database URLs)
and sensitive information (e.g. passwords).

We use "ant" for deployment, which merges the configuration(s) under
revision-control with a set of local settings to build a working
configuration.

> Any blogs to such approach?

Not that I have personally written. Configuration-management and
deployment strategies are typically very environment-specific.

- -chris


RE: Number of Web Applications in one Tomcat: THANKS!

2018-10-31 Thread George Stanchev
This is an interesting discussion. Are there any guides to alleviating
management work of such deployments? For example, how do you deal with the port
mapping? Or logs - do you collect at a common location or let each app log in
its corner? Can you share configuration across instances such as SSL, JNDI
configuration, etc? Any blogs on such an approach?




Re: Number of Web Applications in one Tomcat: THANKS!

2018-10-31 Thread Christopher Schultz

Guido,

On 10/31/18 05:14, Jäkel, Guido wrote:
>> Has anyone ever attacked one of your web applications? There are
>> some fun ways to make an application use a huge amount of memory.
>> Just because the applications themselves are behaving doesn't
>> mean that all the users are behaving.
>> 
>> For example, do you have a max POST size set for your
>> application? If not, I can send your login form a username that
>> is so long it might exhaust your heap. 2147483647 characters is a
>> LOT of characters.
>> 
>> If you have a max POST size, maybe you don't filter-out PUT
>> requests, and have Tomcat parsing those for you. Same problem,
>> there.
> 
> Dear Chris,
> 
> But that's no argument for or against running more than one 
> application per Tomcat: If you're not aware of such things, one
> may attack your other Tomcats in the same way because of identical 
> configuration.

Yes and no.

Presumably, more than one application means more resources required in
general. Since each application might experience "peak" usage
simultaneously, you must over-provision *for both*. That actually
*helps* you against the kind of attack I proposed (more memory is
slightly more difficult to fill than less).

On the other hand, each application has different requirements.
Perhaps one application needs to be able to accept file uploads while
the other one does not. That means that the application which need not
accept large POST requests is now vulnerable because of a shared
resource (memory) which the other application can allow attackers to
consume.

> Of course, if you plan to run a couple of applications per Tomcat, 
> you may also plan to spread it to more than one instance to have a 
> fail-over or load balancing. But even if you use a HA-cluster
> with one App per cluster member: If one is able to crash the
> Application by a Request on one cluster member, this might be
> repeated on the other members without noteworthy costs.

Cascade failures can indeed be a serious problem.

It's generally more difficult to crash a Tomcat instance with a single
request. It usually requires multiple requests (sometimes
concurrently) and so that provides the admin more opportunities at
mitigation.

- -chris



Re: Number of Web Applications in one Tomcat: THANKS!

2018-10-31 Thread Christopher Schultz

Tarek,

On 10/31/18 03:19, Ahmed, Tarek wrote:
> Christopher,
> 
> Am 30.10.18 um 18:30 schrieb Christopher Schultz:
> 
>> Has anyone ever attacked one of your web applications? There are
>> some fun ways to make an application use a huge amount of memory.
>> Just because the applications themselves are behaving doesn't
>> mean that all the users are behaving.
>> 
>> For example, do you have a max POST size set for your
>> application? If not, I can send your login form a username that
>> is so long it might exhaust your heap. 2147483647 characters is a
>> LOT of characters.
>> 
>> If you have a max POST size, maybe you don't filter-out PUT
>> requests, and have Tomcat parsing those for you. Same problem,
>> there.
>> 
>> Just something to think about. Most web applications haven't
>> really been exercised by someone who knows what might break it.
>> Can you afford for those applications to take each other down
>> because the JVM becomes unstable? Maybe and maybe not.
> 
> I have to assume that our applications are attacked, though so far
> at least we have no knowledge of serious incidents. The security
> measures taken in the individual applications vary with the
> security awareness of the programming team responsible (and, of
> course, the criticality of the application).
> 
> We are working on increasing this awareness but this is a slow and 
> ongoing process, and, of course, anyone really competent at hacking
> web applications usually finds jobs that are better paid than
> software development, so we, like most everyone else, will always
> lag behind.
> 
> Anyway, thanks for the additional argument and for the hint
> regarding maxPostSize. This 
> http://tomcat.apache.org/tomcat-8.5-doc/config/http.html, though,
> says it's set to 2097152 characters, which is still a lot of bytes
> and more than most applications need. I'll check how we handle
> that :-)

Exactly. 2MiB times the number of allowable connections, which is
something like 10k by default. How big is your heap?

- -chris



RE: Number of Web Applications in one Tomcat: THANKS!

2018-10-31 Thread Jäkel, Guido
>Has anyone ever attacked one of your web applications? There are some
>fun ways to make an application use a huge amount of memory. Just
>because the applications themselves are behaving doesn't mean that all
>the users are behaving.
>
>For example, do you have a max POST size set for your application? If
>not, I can send your login form a username that is so long it might
>exhaust your heap. 2147483647 characters is a LOT of characters.
>
>If you have a max POST size, maybe you don't filter-out PUT requests,
>and have Tomcat parsing those for you. Same problem, there.

Dear Chris,

But that's no argument for or against running more than one application per 
Tomcat: If you're not aware of such things, one may attack your other Tomcats 
in the same way because of identical configuration. Of course, if you plan to 
run a couple of applications per Tomcat, you may also plan to spread it to more 
than one instance to have a fail-over or load balancing. But even if you use a 
HA-cluster with one App per cluster member: If one is able to crash the 
Application by a Request on one cluster member, this might be repeated on the 
other members without noteworthy costs.


Re: Number of Web Applications in one Tomcat: THANKS!

2018-10-31 Thread Ahmed, Tarek
Christopher,

Am 30.10.18 um 18:30 schrieb Christopher Schultz:

> Has anyone ever attacked one of your web applications? There are some
> fun ways to make an application use a huge amount of memory. Just
> because the applications themselves are behaving doesn't mean that all
> the users are behaving.
>
> For example, do you have a max POST size set for your application? If
> not, I can send your login form a username that is so long it might
> exhaust your heap. 2147483647 characters is a LOT of characters.
>
> If you have a max POST size, maybe you don't filter-out PUT requests,
> and have Tomcat parsing those for you. Same problem, there.
>
> Just something to think about. Most web applications haven't really
> been exercised by someone who knows what might break it. Can you
> afford for those applications to take each other down because the JVM
> becomes unstable? Maybe and maybe not.

I have to assume that our applications are attacked, though so far at
least we have no knowledge of serious incidents. The security measures
taken in the individual applications vary with the security awareness of
the programming team responsible (and, of course, the criticality of the
application).

We are working on increasing this awareness but this is a slow and
ongoing process, and, of course, anyone really competent at hacking web
applications usually finds jobs that are better paid than software
development, so we, like most everyone else, will always lag behind.

Anyway, thanks for the additional argument and for the hint regarding
maxPostSize. This
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html, though, says
it's set to 2097152 characters, which is still a lot of bytes and more
than most applications need. I'll check how we handle that :-)

greetings,

tarek







Re: Number of Web Applications in one Tomcat: THANKS!

2018-10-30 Thread Christopher Schultz

Tarek,

On 10/30/18 03:13, Ahmed, Tarek wrote:
> Thanks for your input!
> 
> To summarize: Most of us seem to prefer not to have too many web 
> applications running in one tomcat instance. If, however, it is
> possible to run a tomcat with many applications in a stable way it
> reduces administrative overhead to do so. The prerequisites for
> this are that the applications are mature, handle resources well
> and don't get too many updates (we _do_ regular dependency updates,
> though ...).
> 
> On the other hand, if there is - for whatever reason - a regular
> need of restarts or re-deployments or if the applications deployed
> need individual monitoring or special care or whatever, there is a
> case for one application per tomcat.
> 
> What do I make of this? There might be a compromise here: Identify
> those applications that don't cause trouble and put them into one
> tomcat instance. Everything else (new applications, buggy ones no
> one bothers to fix anymore, applications that get regular feature
> updates etc.) are isolated in their own tomcat instances. As soon
> as those become stable we can move them to (one of) the fat
> tomcat(s).
> 
> Sounds like something I might get through :-)
> 
> Thanks and greetings, tarek
> 
> Am 29.10.18 um 09:00 schrieb Ahmed, Tarek:
>> 
>> Hi all,
>> 
>> TLDR? Do you deploy one web application per tomcat instance or
>> several?
>> 

Has anyone ever attacked one of your web applications? There are some
fun ways to make an application use a huge amount of memory. Just
because the applications themselves are behaving doesn't mean that all
the users are behaving.

For example, do you have a max POST size set for your application? If
not, I can send your login form a username that is so long it might
exhaust your heap. 2147483647 characters is a LOT of characters.

If you have a max POST size, maybe you don't filter-out PUT requests,
and have Tomcat parsing those for you. Same problem, there.

Just something to think about. Most web applications haven't really
been exercised by someone who knows what might break it. Can you
afford for those applications to take each other down because the JVM
becomes unstable? Maybe and maybe not.

- -chris
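Chris's maxPostSize point in the message above, and his follow-up to Tarek further up ("2MiB times the number of allowable connections, which is something like 10k by default. How big is your heap?"), reduce to one multiplication per Connector. The following is an added example, not code from the thread or from Tomcat: it parses a server.xml fragment and, for each HTTP Connector, reports the effective `maxPostSize`, whether it was set explicitly, and the worst-case bytes that form-parameter parsing could pin if every permitted connection sent a maximal body (`maxPostSize * maxConnections`), compared against the heap. The defaults follow the Tomcat 8.5 HTTP Connector documentation (`maxPostSize` 2097152, `maxConnections` 10000 for the NIO connector, a negative `maxPostSize` disables the limit); the sample server.xml and the 1 GiB heap are constructed for the example.

```python
"""Audit Tomcat HTTP Connectors for form-parsing heap exposure.

Added example, not code from the thread or from Tomcat. For each HTTP
Connector it computes maxPostSize * maxConnections, the upper bound Chris
reasons with, and flags connectors whose limit is disabled or whose bound
exceeds the heap. Defaults are the Tomcat 8.5 documented ones; the sample
XML below is constructed for this example.
"""
from collections import namedtuple
import xml.etree.ElementTree as ET

DEFAULT_MAX_POST_SIZE = 2_097_152   # 2 MiB, Tomcat 8.5 default for maxPostSize
DEFAULT_MAX_CONNECTIONS = 10_000    # NIO connector default for maxConnections in 8.5

# Constructed sample: one Connector left at the defaults (the weak, implicit
# setting), one with the limit switched off (maxPostSize < 0), and one sized
# for an application that only ever receives small forms (the corrected one).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8081" protocol="HTTP/1.1" maxPostSize="-1"/>
    <Connector port="8082" protocol="HTTP/1.1"
               maxPostSize="16384" maxConnections="200"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

Finding = namedtuple(
    "Finding", "port max_post_size max_connections worst_case_bytes explicit status")


def audit_connectors(server_xml, heap_bytes):
    """One Finding per HTTP Connector; status is 'unlimited', 'exceeds-heap' or 'ok'."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" in conn.get("protocol", "HTTP/1.1").upper():
            continue  # AJP connectors have their own limits; out of scope here
        port = int(conn.get("port"))
        explicit = "maxPostSize" in conn.attrib
        max_post = int(conn.get("maxPostSize", DEFAULT_MAX_POST_SIZE))
        max_conn = int(conn.get("maxConnections", DEFAULT_MAX_CONNECTIONS))
        if max_post < 0:
            worst, status = None, "unlimited"      # limit disabled entirely
        else:
            worst = max_post * max_conn             # every connection sends a maximal body
            status = "exceeds-heap" if worst > heap_bytes else "ok"
        findings.append(Finding(port, max_post, max_conn, worst, explicit, status))
    return findings


def report(findings, heap_bytes):
    """Human-readable lines, one per connector."""
    lines = []
    for f in findings:
        limit = "unlimited" if f.max_post_size < 0 else f"{f.max_post_size:,} B"
        worst = ("unbounded" if f.worst_case_bytes is None
                 else f"{f.worst_case_bytes / 2**20:,.0f} MiB")
        source = "explicit" if f.explicit else "default"
        lines.append(
            f"port {f.port}: maxPostSize={limit} ({source}), "
            f"maxConnections={f.max_connections:,}, worst case {worst} "
            f"vs heap {heap_bytes / 2**20:,.0f} MiB -> {f.status}")
    return lines


if __name__ == "__main__":
    heap = 1 << 30  # constructed: a 1 GiB heap
    for line in report(audit_connectors(SAMPLE_SERVER_XML, heap), heap):
        print(line)
```

The product is an upper bound, not a prediction: Tomcat only buffers a body for form parsing when the application asks for parameters, and an attacker would also need that many concurrent connections. The point the check makes is Chris's: with the defaults left in place the bound is tens of gigabytes, so "we never set maxPostSize" is a decision about the heap whether or not anyone made it deliberately, and in a shared instance it is made once for every application.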



[OT] Re: Number of Web Applications in one Tomcat: THANKS!

2018-10-30 Thread tomcat

On 30.10.2018 08:13, Ahmed, Tarek wrote:
> Thanks for your input!
>
> To summarize: Most of us seem to prefer not to have too many web
> applications running in one tomcat instance. If, however, it is possible
> to run a tomcat with many applications in a stable way it reduces
> administrative overhead to do so. The prerequisites for this are that
> the applications are mature, handle resources well and don't get too
> many updates (we _do_ regular dependency updates, though ...).
>
> On the other hand, if there is - for whatever reason - a regular need of
> restarts or re-deployments or if the applications deployed need
> individual monitoring or special care or whatever, there is a case for
> one application per tomcat.
>
> What do I make of this? There might be a compromise here: Identify those
> applications that don't cause trouble and put them into one tomcat
> instance. Everything else (new applications, buggy ones no one bothers
> to fix anymore, applications that get regular feature updates etc.) are
> isolated in their own tomcat instances. As soon as those become stable
> we can move them to (one of) the fat tomcat(s).
>
> Sounds like something I might get through :-)

And somehow, this sounds a lot like Java GC. It should be possible to automate
this.

> Thanks and greetings,
> tarek
>
> Am 29.10.18 um 09:00 schrieb Ahmed, Tarek:
>>
>> Hi all,
>>
>> TLDR? Do you deploy one web application per tomcat instance or several?
>>
> [...]






Re: Number of Web Applications in one Tomcat: THANKS!

2018-10-30 Thread Ahmed, Tarek
Thanks for your input!

To summarize: Most of us seem to prefer not to have too many web
applications running in one tomcat instance. If, however, it is possible
to run a tomcat with many applications in a stable way it reduces
administrative overhead to do so. The prerequisites for this are that
the applications are mature, handle resources well and don't get too
many updates (we _do_ regular dependency updates, though ...).

On the other hand, if there is - for whatever reason - a regular need of
restarts or re-deployments or if the applications deployed need
individual monitoring or special care or whatever, there is a case for
one application per tomcat.

What do I make of this? There might be a compromise here: Identify those
applications that don't cause trouble and put them into one tomcat
instance. Everything else (new applications, buggy ones no one bothers
to fix anymore, applications that get regular feature updates etc.) are
isolated in their own tomcat instances. As soon as those become stable
we can move them to (one of) the fat tomcat(s).

Sounds like something I might get through :-)

Thanks and greetings,
tarek

Am 29.10.18 um 09:00 schrieb Ahmed, Tarek:
>
> Hi all,
>
> TLDR? Do you deploy one web application per tomcat instance or several?
>
[...]


