...

Code Block
languagebash
cd /home/serveradmin
sudo mv ./0fs-tomcat/ /opt/apache/

Finally, because this is a multi-user machine, we secure Tomcat from other users and processes. The only accounts with access should be serveradmin (read and write) and members of the staff group (read only, for debugging).

Change the permissions,

Code Block
languagebash
cd /opt/apache
sudo chown -R serveradmin:staff ./0fs-tomcat/ # Only serveradmin and the staff group own the tree.
sudo chmod -R o-x ./0fs-tomcat/ # Removing execute (traverse) from "other" on the directories blocks every other user from reaching anything below them.

Only Allow serveradmin to Run Tomcat

Setting up and running Tomcat as serveradmin has the advantage that you can manage the application server without having to become root. We want to ensure that only serveradmin starts Tomcat, to prevent permission problems. For example, once you start Tomcat as root you may find that the log files created by that startup can no longer be managed by serveradmin. Running Tomcat as serveradmin rather than root is also safer from a security standpoint: a compromise of the application server does not directly give an attacker root.

...

Code Block
languagebash
su - serveradmin

Modify Tomcat's /opt/apache/0fs-tomcat/bin/startup.sh and /opt/apache/0fs-tomcat/bin/shutdown.sh so that only serveradmin can start and stop Tomcat.

...

Code Block
languagebash
#!/bin/sh

# Bonsaiframework - Modification Start
# --------------------------------------
# LOGNAME is an ordinary environment variable, so this check guards against
# starting Tomcat as the wrong user by mistake; the file permissions set in
# "Secure Directory" are what actually restrict access.
if [ "$LOGNAME" != "serveradmin" ]; then
    echo "This service should only be managed by the user serveradmin"
    exit 1
fi
# --------------------------------------
# Bonsaiframework - Modification End

# Licensed to the Apache Software Foundation (ASF) under one or more
Tip
Challenge for the reader after learning this: automate the above edit so it can be applied with copy and paste using sed and wget, as in my other tutorials.
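One way to take up that challenge, as an added example that is not part of the original tutorial: a small POSIX shell script that inserts the same guard block into startup.sh and shutdown.sh with sed, and does nothing on a second run so the guard is never duplicated. It assumes each script begins with a "#!/bin/sh" shebang on line 1, as the shipped Tomcat scripts do.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply the serveradmin guard to Tomcat's
# start/stop scripts with sed instead of editing them by hand.
set -eu

START_MARK='# Bonsaiframework - Modification Start'

# Writes the guard block (the same content as the manual edit above) to stdout.
guard_block() {
cat <<'EOF'
# Bonsaiframework - Modification Start
# --------------------------------------
if [ "$LOGNAME" != "serveradmin" ]; then
    echo "This service should only be managed by the user serveradmin"
    exit 1
fi
# --------------------------------------
# Bonsaiframework - Modification End
EOF
}

# add_guard FILE: insert the guard directly after the shebang line, once only.
add_guard() {
    f="$1"
    # Idempotent: a second run must not stack a duplicate guard.
    if grep -qF "$START_MARK" "$f"; then
        return 0
    fi
    tmp="$f.guard.$$"
    guard_block > "$tmp"
    # sed "1r FILE" appends FILE's contents after line 1 (GNU and BSD sed).
    sed "1r $tmp" "$f" > "$f.new"
    rm -f "$tmp"
    mv "$f.new" "$f"
}

# guard_count FILE: number of guard blocks in FILE (should be exactly 1).
guard_count() {
    grep -cF "$START_MARK" "$1" || true
}

# Example run against the two scripts from the tutorial (paths assumed):
# for s in /opt/apache/0fs-tomcat/bin/startup.sh /opt/apache/0fs-tomcat/bin/shutdown.sh; do
#     add_guard "$s"
# done
```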

Bind Tomcat to Java Using setenv.sh

Tomcat can be run with a separate version of the JRE or JDK that is not the system default. To do so, you have to explicitly set the JRE_HOME variable. The JAVA_HOME variable is configured as well, because some applications use that variable instead.

Tomcat has a convenient facility for this: a file called setenv.sh, which does not exist by default. As soon as you create the file, Tomcat sources setenv.sh as part of its startup.

...

Code Block
languagebash
su - serveradmin # If you are not already serveradmin.
cd /opt/apache/0fs-tomcat/bin
./version.sh
Neither the JAVA_HOME nor the JRE_HOME environment variable is defined
At least one of these environment variable is needed to run this program

So now let's create the setenv.sh file. As serveradmin, create /opt/apache/0fs-tomcat/bin/setenv.sh using your favourite editor. Your file contents will look like this,

...

$CATALINA_HOME is a variable that Tomcat's scripts set to the directory Tomcat is running from, so paths in setenv.sh can be written relative to it.
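As an added example (not the tutorial's own setenv.sh), here is a setenv.sh body that derives JRE_HOME and JAVA_HOME from $CATALINA_HOME and refuses to start rather than silently falling back to the system Java when the instance-local JRE is missing. It assumes the JRE was unpacked to $CATALINA_HOME/java, the path shown in the version.sh output below.

```shell
# Added example: setenv.sh logic for an instance-local JRE under CATALINA_HOME/java.

# tomcat_java_env CATALINA_HOME: print the variable assignments setenv.sh
# needs for the JRE bundled under CATALINA_HOME/java. Prints nothing and
# returns 1 if that JRE is not there, so a typo cannot quietly select the
# system Java instead of the version you chose for this instance.
tomcat_java_env() {
    base="$1"
    jre="$base/java"
    if [ ! -x "$jre/bin/java" ]; then
        echo "setenv.sh: expected a JRE at $jre but found none" >&2
        return 1
    fi
    printf 'JRE_HOME="%s"\nJAVA_HOME="%s"\nexport JRE_HOME JAVA_HOME\n' "$jre" "$jre"
}

# /opt/apache/0fs-tomcat/bin/setenv.sh would contain the function above
# followed by these two lines. catalina.sh sources setenv.sh after it has set
# CATALINA_HOME, and the exit stops the start before the wrong JVM can run:
#   env_lines=$(tomcat_java_env "$CATALINA_HOME") || exit 1
#   eval "$env_lines"
```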

Now when you execute version.sh you will see the following results,

Code Block
languagebash
./version.sh
Using CATALINA_BASE:   /opt/apache/0fs-tomcat
Using CATALINA_HOME:   /opt/apache/0fs-tomcat
Using CATALINA_TMPDIR: /opt/apache/0fs-tomcat/temp
Using JRE_HOME:       /opt/apache/0fs-tomcat/java
Server version: Apache Tomcat/6.0.20
Server built:   May 14 2009 01:13:50
Server number:  6.0.20.0
OS Name:        Linux
OS Version:     2.6.31-302-rs
Architecture:   amd64
JVM Version:    1.6.0_16-b01
JVM Vendor:     Sun Microsystems Inc.

Using this method, you can have different Tomcat instances running different versions of Java and control when you want to move between Java versions.

Secure Directory

Finally, because this is a multi-user machine, we secure Tomcat from other users and processes. The only accounts with access should be serveradmin (read and write) and members of the staff group (read only, for debugging).

Change the permissions,

Code Block
languagebash
cd /opt/apache
sudo chown -R serveradmin:staff ./0fs-tomcat/ # Only serveradmin and the staff group can manage files.
sudo chmod o-x ./0fs-tomcat/bin/* # Remove execute permission from "other" on the scripts; other users can still read the tree unless traverse is also removed from the directories.

Verify Process is Running

...

Code Block
languagebash
su - serveradmin

cd /opt/apache/0fs-tomcat/bin/
./startup.sh

netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 127.0.0.1:8105          :::*                    LISTEN
tcp6       0      0 :::8009                 :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     7376     @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     11434    /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     21228    /var/run/apache2/cgisock.4973

...

Once you are happy with your setup you may want to make your own package.

Cleanup Log Files

...

TAR Maintaining Permissions and Roles

...

using your staff account,

Code Block
languagebash
cd /opt/apache
sudo tar -czvf 0fs-tomcat.tar.gz ./0fs-tomcat/ # Run as root so owner and group (serveradmin:staff) are recorded; extract with sudo tar -xzvpf to restore them.


...