...

This is a method of installing and running Tomcat in a way that is portable and part of the BonsaiFramework 0FS approach. Tar (zip) up the directory and move your entire application server, or duplicate it with a copy command.

This work comes from a corporate environment where isolation, control and ease of upgrade with a fallback are very important. It also allows for fast horizontal or vertical scaling, where multiple Tomcat instances are run on the same machine. This is the foundation for understanding and moving towards cloud techniques such as Tomcat based 

This also prepares your application for moving towards container implementations like LXC or Docker.

The key concept here is that we set up Tomcat and Java as an isolated package. There is no install: you may take the package to another system just by tarring and untarring it, provided the same serveradmin account exists on both systems with matching numeric user and group IDs. As long as those IDs match across systems, you may transport the package with tar.

Software Stack Selection

...

[Diagram: Multiple Tomcat Instances]

Shortcut

Everything is all packaged up at http://www.bonsaiframework.com/downloads/0fs-tomcat-linux/,

...

Code Block
languagebash
wget http://www.bonsaiframework.com/downloads/0fs-tomcat-linux/0fs-tomcat.tar.gz # this symbolically points to the latest 64-bit version

# NOTE - to work properly ensure serveradmin is set up per Bonsai instructions!

sudo tar -xvpf 0fs-tomcat.tar.gz # run as root so that the ownership and permissions recorded in the archive are restored
sudo mv ./0fs-tomcat/ /opt/

# Optionally, to follow the Bonsaiframework convention: serveradmin owns the tree, members of the "staff" group may read it, everyone else is locked out.
cd /opt/
sudo chown -R serveradmin:staff ./0fs-tomcat/
sudo chmod -R o-rwx ./0fs-tomcat/

You are now ready to start Tomcat as serveradmin,

...

Code Block
languagebash
su - serveradmin # if not already serveradmin
cd /opt/0fs-tomcat/bin/
./startup.sh # start the instance; ./shutdown.sh stops it

That's it.

Tomcat and serveradmin

I will reiterate that you should run Tomcat, or any public facing service for that matter, as serveradmin. As noted in account creation, this is for security reasons: if Tomcat is somehow compromised, the attacker is limited to what serveradmin can do, and serveradmin has deliberately reduced privileges.

Further to this, using a single, central account ensures consistency across instances and machines.

...

Code Block
languagebash
cd /home/serveradmin
sudo mv ./0fs-tomcat/ /opt/apache/

Only Allow serveradmin to Run Tomcat

Setting up and running Tomcat as serveradmin means you can manage the application server without becoming root, and it limits the damage if somebody breaks into Tomcat.

We also want to ensure that only serveradmin ever starts Tomcat, to avoid permission problems. For example, once you start Tomcat as root, files it creates during startup (such as the logs) are owned by root and can no longer be managed by serveradmin.

Note

I may have come up with a better strategy where others cannot execute, and the below script is no longer necessary. Hmm... I have to test and ensure root cannot override this.

First log in as serveradmin. All modifications to Tomcat, and the running of Tomcat, happen as serveradmin.
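As an added example (not part of the BonsaiFramework package), the following wrapper refuses to start or stop the instance unless the invoking user is serveradmin, and sets a umask so that anything Tomcat writes stays readable by the staff group and invisible to everyone else. The script name, the `TOMCAT_USER`/`CATALINA_HOME` variables and the umask value 027 are assumptions for illustration.

```shell
#!/bin/sh
# 0fs-tomcat-ctl.sh (hypothetical name): start/stop the 0FS Tomcat instance, but
# only as serveradmin. Added example, not code from the BonsaiFramework package.

TOMCAT_USER="${TOMCAT_USER:-serveradmin}"          # account that owns and runs Tomcat (assumed default)
CATALINA_HOME="${CATALINA_HOME:-/opt/0fs-tomcat}"  # instance directory from the unpack step (assumed default)

# require_user EXPECTED [ACTUAL]
# Returns 0 when ACTUAL (default: the invoking user) is EXPECTED, 1 otherwise.
# root is rejected like any other wrong user: files root creates under the
# instance (logs, work/, temp/) would no longer be manageable by serveradmin.
require_user() {
    expected="$1"
    actual="${2:-$(id -un)}"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run as '$actual': switch to '$expected' first (su - $expected)" >&2
        return 1
    fi
    return 0
}

# Mode for anything Tomcat creates: owner rw, group (staff) r, nothing for other.
# The setgid bit on the directories supplies the group; the umask supplies the mode.
SECURE_UMASK=027

# tomcat_ctl start|stop
# Returns 1 if the wrong user invoked it, 2 on a bad action, else the exit status
# of Tomcat's own startup.sh/shutdown.sh.
tomcat_ctl() {
    action="$1"
    require_user "$TOMCAT_USER" || return 1
    umask "$SECURE_UMASK"
    case "$action" in
        start) "$CATALINA_HOME/bin/startup.sh" ;;
        stop)  "$CATALINA_HOME/bin/shutdown.sh" ;;
        *)     echo "usage: $0 start|stop" >&2; return 2 ;;
    esac
}

# Dispatch only when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "0fs-tomcat-ctl.sh" ]; then
    tomcat_ctl "$@"
fi
```

Install it inside the instance (for example as /opt/0fs-tomcat/bin/0fs-tomcat-ctl.sh) and use `0fs-tomcat-ctl.sh start` instead of calling startup.sh directly; an operator who forgets `su - serveradmin` gets a clear refusal instead of a tree full of root-owned log files.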

...

Using this method, you can have different Tomcat instances running different versions of Java and control when you want to move between Java versions.

Secure Directory

Finally, because this is a multi-user machine, we secure Tomcat from other users and processes. The only users with access should be serveradmin (read and write) and members of staff (read only, for debugging). All others should not even be able to enter the directory.

Change the permissions,

Code Block
languagebash
cd /opt/
sudo chown -R serveradmin:staff ./0fs-tomcat/ # Only serveradmin (owner) and staff (group) can access files.
sudo chmod -R o-rwx ./0fs-tomcat/             # Remove every permission from "other", so nobody else can even enter the tree.

However, this is not enough. New files are created with the primary group of whichever user creates them, and that includes the process user: the log files written when Tomcat starts would belong to user serveradmin and group serveradmin, not staff, so the staff group could not read them. To fix this we set the setgid bit on the directories, which makes new files inherit the directory's group. Note that setgid only fixes the group; the mode of each new file still comes from the umask of the creating process, so start Tomcat with a umask such as 027 if staff must be able to read the logs and others must not.

Code Block
languagebash
cd /opt/
sudo find ./0fs-tomcat/ -type d -exec chmod g+s {} + # setgid on every directory: files created inside inherit the "staff" group.

Verify Process is Running

...

Note

The more enterprise solution is to front Tomcat with Apache and setup SSL on Apache.

UTF-8

Warning

I have only used this in Production with Confluence.

My other i18n projects seem to work fine without this parameter.

More testing and research is needed to determine why and if this is a good idea in general.

If the application sends UTF-8 in request URIs and query strings, you need to make sure the connector decodes them as UTF-8; without URIEncoding, Tomcat decodes the URI with its default (ISO-8859-1 on older versions). Note that URIEncoding applies only to the URI and query string, not to POST bodies, whose encoding the application sets itself (for example with request.setCharacterEncoding or an encoding filter).

Modify server.xml as follows,

Code Block
languagexml
<Connector port="8180" URIEncoding="UTF-8"/>

If you plan to use mod_jk then also adjust the appropriate connector,

Code Block
languagexml
<Connector port="8109" protocol="AJP/1.3" redirectPort="8643" URIEncoding="UTF-8" />

Make Your Own 0FS TAR Package

Once you are happy with your setup you may want to make your own package. Using your staff account,

Code Block
languagebash
cd /opt/
sudo tar -czvf 0fs-tomcat.tar.gz ./0fs-tomcat/ # Keep "f" last: it takes the archive name as its argument.

Notice the use of sudo to run the tar command. Running tar as root guarantees it can read every file in the tree regardless of the group permissions set above. Ownership and modes are recorded in the archive either way, but they are only restored on the target when the extracting tar also runs as root (which is why the unpack step uses sudo as well).

Before unpacking on the target system, ensure the users, groups and their numeric IDs match, following the Bonsai Standards.
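As an added example (not part of the BonsaiFramework package), the following script does the two checks a practitioner wants before and after unpacking: that serveradmin and the staff group exist on the target with the expected numeric IDs, and that the unpacked tree actually satisfies the Secure Directory rules above (owned by serveradmin:staff, no access for "other", setgid on every directory). The script name, the variable names and the default paths are assumptions; the expected UID and GID come from your own Bonsai account standard.

```shell
#!/bin/sh
# verify-0fs-tomcat.sh (hypothetical name): pre-flight and post-unpack checks for a
# 0FS Tomcat package. Added example, not code from the BonsaiFramework package.
TOMCAT_USER="${TOMCAT_USER:-serveradmin}"       # assumed default
TOMCAT_GROUP="${TOMCAT_GROUP:-staff}"           # assumed default
INSTANCE_DIR="${INSTANCE_DIR:-/opt/0fs-tomcat}" # assumed default

# check_ids USER WANT_UID GROUP WANT_GID
# Returns 0 only if USER exists with numeric id WANT_UID and GROUP exists with
# numeric id WANT_GID. tar (run as root) restores ownership by name when the name
# exists on the target, so a serveradmin with a different UID there would leave
# the tree under a different number than on the source host.
check_ids() {
    user="$1"; want_uid="$2"; group="$3"; want_gid="$4"
    have_uid=$(id -u "$user" 2>/dev/null) || { echo "user '$user' does not exist" >&2; return 1; }
    have_gid=$( { getent group "$group" 2>/dev/null || grep "^$group:" /etc/group; } | cut -d: -f3 | head -n 1)
    [ -n "$have_gid" ] || { echo "group '$group' does not exist" >&2; return 1; }
    [ "$have_uid" = "$want_uid" ] || { echo "$user has uid $have_uid, expected $want_uid" >&2; return 1; }
    [ "$have_gid" = "$want_gid" ] || { echo "$group has gid $have_gid, expected $want_gid" >&2; return 1; }
    return 0
}

# audit_tree DIR OWNER GROUP
# Prints every path that breaks the Secure Directory rules and returns 1 if any
# exist: everything owned by OWNER:GROUP, no permission bits at all for "other",
# and the setgid bit on every directory so new files inherit GROUP.
audit_tree() {
    dir="$1"; owner="$2"; group="$3"
    offenders=$( {
        find "$dir" ! -user "$owner"  -exec printf '%s: owner is not %s\n' {} "$owner" \;
        find "$dir" ! -group "$group" -exec printf '%s: group is not %s\n' {} "$group" \;
        find "$dir" \( -perm -001 -o -perm -002 -o -perm -004 \) \
             -exec printf '%s: accessible to other\n' {} \;
        find "$dir" -type d ! -perm -2000 -exec printf '%s: directory lacks setgid\n' {} \;
    } )
    [ -z "$offenders" ] || { printf '%s\n' "$offenders" >&2; return 1; }
    return 0
}

# verify_instance EXPECTED_UID EXPECTED_GID
verify_instance() {
    check_ids "$TOMCAT_USER" "$1" "$TOMCAT_GROUP" "$2" &&
        audit_tree "$INSTANCE_DIR" "$TOMCAT_USER" "$TOMCAT_GROUP"
}

# Dispatch only when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "verify-0fs-tomcat.sh" ]; then
    verify_instance "$1" "$2"
fi
```

Run `check_ids` on the target before `tar -x` and `audit_tree` afterwards; a non-zero exit with the offending paths on stderr tells you exactly which chown, chmod or setgid step was skipped.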

References

http://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q9 - still to finish reading

...