This is a method of installing and running Tomcat in a way that is portable and part of the BonsaiFramework 0FS approach. Tar (zip) up the directory and move your entire application server or duplicate it with a copy command.
This work comes from a corporate environment where isolation, control and ease of upgrade with a fallback are very important. Also, allows for fast horizontal or vertical scaling where multiple Tomcat instances are run on the same machine.
The key concept here is that we setup Tomcat and Java as an isolated package. There is no install. As long as you have matching serveradmin GUID's across systems you may transport your package with tar.
Software Stack Selection,
- Java SE Runtime Environment (JRE) = 6 Update 16
- Tomcat = 6.0.20
Here is a diagram of what we will be building,
Everything is all packaged up at http://www.bonsaiframework.com/downloads/0fs-tomcat-linux/,
|Package Version||Comments||Next Step Version|
|v0.1||Basic Tomcat with Java embedded. This should be run only as serveradmin per the Bonsai approach to server management.||Ongoing Maintenance with new versions of Java and documentation of who's using it and where.|
|v0.2||Harden Tomcat and maintain a log.||... will be done as part of the Bonsai group work ...|
|v0.3||Rolling Logs||Fix catalina.outlog rotation (determine best route) and petition to get this fixed. Kevin looking into this.|
Install an unzip using a staff account. The use of sudo is necessary to retain permission,
You are now ready to go and start Tomcat as serveradmin,
Verify Tomcat is running,
To stop Tomcat,
Tomcat and serveradmin
I will re-iterated that you should run Tomcat or any public facing service for that matter as serveradmin. As noted in account creation, this is for security reasons. In the event that Tomcat is somehow attacked, the compromise would be limited to serveradmin which has reduced limited priviledges.
Further to this, using a central account ensures consistency.
For audit purposes, make sure to log in with your own staff id first and then sudo into serveradmin for managing Tomcat. In true Cloud world where everything works as a recipe, use your recipes to make Tomcat adjustments.
The directory structure will be as follows,
/opt/ - root directory for all our applications and services (anything custom if possible should be here)
/opt/0fs-tomcat - directory for Tomcat running on port 8180
/opt/0fs-tomcat/java - directory we will place java for Tomcat
First step, create the apache directory under opt,
Manually Setup JRE
Use the account that will be launching the Java process. In this example it will be serveradmin,
The steps for JRE and JDK are both the same. Here is an example of a JRE setup,
The result will be an uncompressed jre directory using the same name as the package. In this example the folder name would be, jre-7u7-linux-x64.
If you plan to use multiple versions of Java, we recommend keeping the folder name with the version number information and using symbolic links. If you are only using one version of Java, then simply rename the folder.
For the server example, we will rename the folder,
You may be interested in how to Zero Footprint Java on Windows.
Leave the setup Java folder alone for now. It will be moved into the Tomcat folder as part of the Tomcat setup.
Manually Setup Tomcat and Package Java In
By manually setting up Tomcat there is much more control and you can run multiple tomcat instances. Download tomcat. The tar.gz file is used because permissions are already setup such as execute for startup.sh. A zip file will lose the permissions.
Go to the Apache Tomcat download site.
Next move the extracted Java folder into your tomcat folder,
Log in as your staff account which has sudo access to perform the actual move to /opt/
Only Allow serveradmin to Run Tomcat
Setting up and running Tomcat with serveradmin has the advantage that you can manage the Application server without having to go into root. It's also makes things much safer if somebody breaks into Tomcat.
We want to ensure that only serveradmin starts Tomcat to prevent any issues with permissions. For example, once you start Tomcat as root you may find log files spawned from during startup can no longer be managed by serveradmin.
First login as serveradmin. All modification to Tomcat and running of tomcat will happen as serveradmin.
Modify Tomcat's /opt/0fs-tomcat/bin/startup.sh and opt/apache/0fs-tomcat/bin/shutdown.sh to only allow serveradmin to start and stop Tomcat.
Do this by adding the block of lines marked with # Bonsaiframework as shown below,
Bind Tomcat to Java Using setenv.sh
Tomcat can be run with a separate version of JRE or JDK that is not the default system version. To do so, you will have to explicitly set the JRE_HOME variable. The JAVA_HOME variable is also configured as some applications will want to make use of this variable instead.
Tomcat has a facility for this via a file called setenv.sh which actually does not exist by default. As soon as you create the file, Tomcat will run setenv.sh as part of its startup.
First, let's run the Tomcat diagnostics to see what happens. Because we have no default java and Tomcat does not know about it we should expect a message that we need Java.
So now let's create the setenv.sh file. As serveradmin create /opt/0fs-tomcat/bin/setenv.sh using your favourite editor. Your file contents will look like this,
The $CATALINA_HOME is a script variable that is established by Tomcat to set the directory it is running from.
Now exeucting version.sh works,
Using this method, you can have different Tomcat instances running different versions of Java and control when you want to move between Java versions.
Finally, because this is a multi-user machine, we secure tomcat from other users and processes. The only users should be serveradmin for read and write and staff for read to debug. All others should not even be able to go into the directory.
Change the permissions,
However, this is not enough. Any new files created in those directories will change to what the particular user has set in terms of that user's groups. This also includes the process user serveradmin. The log files created when the process starts will belong to serveradmin user and serveradmin group - which we don't want. So to fix this we tell the directory to set the setgid bit,
Verify Process is Running
Finally startup your Tomcat instances and verify that they are listening,
Notice that here we have started Tomcat and it is listening on port 8009 and 8080.
Tomcat by default will have a sample application installed and running.
If you have a firewall setup do not forget to open port 8080 for testing and then close them afterwards if you plan to front with the Apache Web Server.
If your server has a web browser you can load the examples page using http://localhost:8080/examples/. From another computer you can see the examples application by browsing to, http://www.krypton.com:8080/examples/ where if www.krypton.com is not a real dns, use the server's IP address or add a host file entry to your client system.
In my experience all my real world systems do not need any more layers to Tomcat. However, there are some odd scenarios which are covered here.
Automatic Startup and Shutdown of Tomcat
Not recommend until you proper monitoring in place. If you system reboots you want to know about it.
Even then, most Enterprise simply do not have automatic startup setup. The closest I have personally seen is a delayed startup. The reason being that the appliction server itself may hang the entire machine.
In a Cloud world this is more self-contained so this section will be written out in the future.
This section is still to be written.
Setup SSL on Tomcat
For testing purposes or if the only thing you want to do is encrypt the channel of communication you can Setup a Self-Signed Certificate for Tomcat.
Otherwise, Setup of a Real SSL Certificate for Tomcat is very similar but with a few extra steps.
Make Your Own 0FS TAR Package
Once you are happy with your setup you can make your own package. Using your staff account,
Notice the use of sudo to run the tar command. This ensures that proper ownership and permissions will carry over to the new system.
Before unpacking to the target system, ensure the users, groups and GUID match following the Bonsai Standards.
http://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q9 - still to finish reading