Pros and cons of readonly UserDatabase (tomcat-users.xml)
Hi all,

any comment on this subject? The question is related to the OpenSolaris package (*) where we have all files owned by root and tomcat is executed with dedicated user credentials. Currently tomcat-users.xml and the conf directory are owned by the tomcat user but it makes some noise in our package auditing.

The question is what is the limitation of setting the user database as readonly (in server.xml) for Tomcat 6.0.18 and having tomcat-users.xml and the conf directory owned by root.

Thanks,

Petr

--
View this message in context: http://www.nabble.com/Pros-and-cons-of-readonly-UserDatabase-%28tomcat-users.xml%29-tp21348882p21348882.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

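An audit of the layout asked about above (root-owned conf directory, read-only user database), as an added example that is not part of the original message or of Tomcat itself. The function name audit_conf, the sample server.xml and the policy of requiring an explicit readonly="true" are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment; %s is filled with the readonly value.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" readonly="%s"/>
  </GlobalNamingResources>
</Server>
"""

def audit_conf(conf_dir, service_uid):
    """Return a list of findings for a Tomcat conf directory (empty = clean)."""
    findings = []
    # 1. Each UserDatabase resource must be explicitly read-only (assumed
    #    policy); a non-read-only database may be written back to its XML file.
    root = ET.parse(os.path.join(conf_dir, "server.xml")).getroot()
    for res in root.iter("Resource"):
        if res.get("type") != "org.apache.catalina.UserDatabase":
            continue
        if res.get("readonly", "").strip().lower() != "true":
            findings.append('server.xml: resource %s lacks readonly="true"'
                            % res.get("name"))
    # 2. conf/ and everything below it must not be owned by the service
    #    account and must not be world-writable.
    paths = [conf_dir]
    for base, dirs, files in os.walk(conf_dir):
        paths += [os.path.join(base, name) for name in dirs + files]
    for path in paths:
        st = os.lstat(path)
        if st.st_uid == service_uid:
            findings.append("%s: owned by service uid %d" % (path, service_uid))
        if st.st_mode & stat.S_IWOTH and not stat.S_ISLNK(st.st_mode):
            findings.append("%s: world-writable" % path)
    return findings

if __name__ == "__main__":
    import pwd, sys
    # Usage: python audit_conf.py /path/to/conf tomcat
    uid = pwd.getpwnam(sys.argv[2]).pw_uid
    for finding in audit_conf(sys.argv[1], uid):
        print(finding)
```
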
Re: relation between Tomcat and Apache Commons
I'm running jsvc as root. If you look in jsvc.c you will see some linux ifdefs. Particularly look for set_caps() function.

Petr

Andrew Ralph Feller, afelle1 wrote:
>
> Petr,
>
> Are you executing JSVC as root or no? If you aren't, then I can understand
> why your non-root account cannot bind to 443. The way JSVC works is by
> starting up under the account that executed it and then spawning a child
> process that is owned by the account specified in the -user option.
>
> A-
>
> On 10/31/08 10:56 AM, "Petr Sumbera" <[EMAIL PROTECTED]> wrote:
>
>> Caldarale, Charles R wrote:
>>>
>>>> From: Andrew Ralph Feller, afelle1 [mailto:[EMAIL PROTECTED]
>>>> Subject: Re: relation between Tomcat and Apache Commons
>>>>
>>>> it seems possible to run Tomcat on a non-privileged port with a
>>>> non-root account and have requests for port 443 redirected to
>>>> Tomcat's listening port.
>>>
>>> Of course - but it requires additional configuration (e.g., iptables,
>>> firewall). Using jsvc may be simpler and avoid dependencies external to
>>> Tomcat.
>>>
>>
>> What I have just found is that jsvc enables Tomcat to bind privileged
>> port only on Linux (it's using capabilities).
>>
>> For example on Solaris one needs to add net_privaddr privilege for Tomcat
>> user. This can be done by modifying /etc/user_attr. In such case I
>> believe there is no need for jsvc.
>>
>> grep tomcat /etc/user_attr
>> tomcatdefaultpriv=basic,net_privaddr
>>
>> --
>>
>> Petr
>
> --
> Andrew R. Feller, Analyst
> Information Technology Services
> 200 Fred Frey Building
> Louisiana State University
> Baton Rouge, LA 70803
> (225) 578-3737 (Office)
> (225) 578-6400 (Fax)

RE: relation between Tomcat and Apache Commons
Caldarale, Charles R wrote:
>
>> From: Andrew Ralph Feller, afelle1 [mailto:[EMAIL PROTECTED]
>> Subject: Re: relation between Tomcat and Apache Commons
>>
>> it seems possible to run Tomcat on a non-privileged port with a
>> non-root account and have requests for port 443 redirected to
>> Tomcat's listening port.
>
> Of course - but it requires additional configuration (e.g., iptables,
> firewall). Using jsvc may be simpler and avoid dependencies external to
> Tomcat.
>

What I have just found is that jsvc enables Tomcat to bind privileged port only on Linux (it's using capabilities).

For example on Solaris one needs to add net_privaddr privilege for Tomcat user. This can be done by modifying /etc/user_attr. In such case I believe there is no need for jsvc.

grep tomcat /etc/user_attr
tomcatdefaultpriv=basic,net_privaddr

--

Petr

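A least-privilege check for the /etc/user_attr approach described above, as an added example that is not part of the original message. It assumes the colon-separated user_attr(4) layout (user:qualifier:res1:res2:attr, with attr a semicolon-separated key=value list); the sample entries and the function names are constructed for illustration.

```python
# Constructed sample in user_attr(4) layout; not taken from a real system.
SAMPLE_USER_ATTR = """\
# user:qualifier:res1:res2:attr
root::::auths=solaris.*;profiles=All;type=normal
tomcat::::defaultpriv=basic,net_privaddr
webapp::::type=normal;defaultpriv=basic,net_privaddr,file_dac_read,proc_setid
"""

def parse_user_attr(text):
    """Map each user name to its dict of key=value attributes."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # not a well-formed entry, skip it
        attrs = dict(kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        entries[fields[0]] = attrs
    return entries

def excess_privileges(text, user, allowed=("basic", "net_privaddr")):
    """Return privileges granted to `user` beyond `allowed`, sorted.

    Returns None when the user has no entry or no defaultpriv attribute,
    so "nothing configured" is distinguishable from "configured and clean".
    """
    attrs = parse_user_attr(text).get(user)
    if attrs is None or "defaultpriv" not in attrs:
        return None
    # A leading "!" removes a privilege from the set, so it is never an excess.
    granted = [p.strip() for p in attrs["defaultpriv"].split(",")]
    granted = [p for p in granted if p and not p.startswith("!")]
    return sorted(set(granted) - set(allowed))

if __name__ == "__main__":
    for name in ("tomcat", "webapp", "root"):
        print(name, excess_privileges(SAMPLE_USER_ATTR, name))
```

An empty list means the account holds only the basic set plus the right to bind ports below 1024, which is all the message above says Tomcat needs in order to run without jsvc.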
Re: relation between Tomcat and Apache Commons
Rainer Jung-3 wrote:
>
> Commons collections seems to be a relict and not really used.
> DBCP and pool is contained in tomcat-dbcp.jar. We rename the packages in
> order to make the dbcp and pool classes independent of any webapp bundled
> dbcp or pool versions.
>

And how about commons-daemon.jar in bin directory? According to http://tomcat.apache.org/tomcat-6.0-doc/setup.html it is used with jsvc only.

Btw I don't see any benefit using jsvc. Is somebody using it? Why?

Thanks,

Petr

relation between Tomcat and Apache Commons
Hi Tomcat gurus,

The question I have is rather philosophical and not really technical (I'm evaluating Tomcat 6 integration into OpenSolaris).

While compiling Tomcat 6.0.16 it requires:

Apache Commons Daemon
Apache Commons Collections
Apache Commons DBCP
Apache Commons Pool

But after compilation I see just commons-daemon.jar. Where are the others?

Is there 1-1 mapping between Apache Commons module version and Tomcat version? I mean, new version of Apache common module (e.g fixing security issue) results in new Tomcat version?

Thanks,

Petr

tomcat versioning
Hi Tomcat gurus,

can somebody please explain to me little bit more Tomcat versioning than I can find at following link?

http://tomcat.apache.org/whichversion.html

I'm interested in compatibility level (binary/source) between various Tomcat .. releases. What is intention and what is reality?

Is there a plan for other Tomcat version after Tomcat 6.x? 6.1 or 7?

Thanks,

Petr

tomcat 4 history
Hi All,

I'm lost between various versions of Tomcat and relations between them. Can you please help me to answer some questions?

1. What happened to Jakarta Tomcat 4.0 (last version I can see is 4.0.6)
2. What is relation between Jakarta Tomcat 4.0 and Apache Tomcat 4.1? Are they compatible?
3. Is Apache Tomcat 4.1 supported and all security problems are fixed there?

Thanks.

Petr

Can be mod_webapp used with Tomcat 5.5 (and above)?
Hi All,

I just need to know answer to question in subject. I did some investigation and it seems that mod_webapp doesn't run with Tomcat 5.5 (it only runs with 4.0). I come to this conclusion according to:

http://tomcat.apache.org/tomcat-5.5-doc/connectors.html
http://tomcat.apache.org/tomcat-4.1-doc/config/webap

So, am I right?

Thanks,

Petr

Re: Tomcat with/without Tomcat native library
Thank you both for the info. But what is your opinion about the crash I am experiencing with SSL:

bash-3.00# /usr/apache2/bin/ab -c 4 -n 1 https://localhost:443/favicon.ico
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
SSL handshake failed (5).
Test aborted after 10 failures

apr_socket_connect(): Connection refused (146)
Total of 1 requests completed
--

I understand that test is not good but Tomcat shouldn't crash, right?

Thanks,

Petr

"Mladen Turk" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Petr Sumbera wrote:
>> Hi Bill and all,
>>
>> not sure what is the right way for comparison between using and not using
>> APR. I tried Apache ab tool like this:
>>
>> ab -c 4 -n 1 http://localhost:8080/favicon.ico
>>
>> And I don't see any difference. Actually it might be little bit slower
>> with APR. The file size is 21630, so it should use sendfile then (well
>> actually our APR doesn't use sendfile at the moment as far as I know).
>>
>
> The purpose of APR is to change the model from thread-per-connection
> to thread-per-request. This means it will behave much faster when
> you have 1000 concurrent clients using Keep-Alive (HTTP 1.1).
>

I agree with Mladen here. Your test is artificial, so under most systems the non-APR connector will win (since you only have 4 clients connecting to TC). And since you haven't specified '-k' to ab, you are really testing connection speed, which isn't realistic.

On Solaris, having a 1000 threads blocking on input isn't that big of a deal, so I'm not sure about the "much faster" claim, but I haven't profiled Tomcat lately :).

> In that case you'll be able to serve them all with lower number
> of maxThreads.
>
> So, try to use the 'normal' test tool instead a brute force one like 'ab'
> that will reflect the real load to your boxes.
> I mean, the ab (Apache Bench) is a DoS tool, right ;)
>

When I was profiling, I used JMeter and 500 clients with about a one minute ramp-up time (I don't care about how it handles an accept flood), and about a 5-10 second delay between requests (I don't have the script I used anymore, so I don't remember the exact value). Also, if you use JMeter, use the HttpClient Sampler or configure the java.net Sampler to use a bigger than default pool, since by default the java.net Sampler doesn't scale up to this level (skewing the results).

Also interesting would be to use a longer connectionTimeout on the and longer delays between requests. But for a good comparison, make sure that the maxThreads attribute on the is large enough to handle the load.

> Regards,
> Mladen.

Re: Tomcat with/without Tomcat native library
Hi Bill and all,

not sure what is the right way for comparison between using and not using APR. I tried Apache ab tool like this:

ab -c 4 -n 1 http://localhost:8080/favicon.ico

And I don't see any difference. Actually it might be little bit slower with APR. The file size is 21630, so it should use sendfile then (well actually our APR doesn't use sendfile at the moment as far as I know).

And the other issue is stability with APR. When I configure Tomcat to use SSL via APR it works for simple requests. But using huge amount of requests with ab it will fail (and tomcat is no longer responding to any request):

bash-3.00# /usr/apache2/bin/ab -c 4 -n 1 https://localhost:443/favicon.ico
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
SSL handshake failed (5).
Test aborted after 10 failures

apr_socket_connect(): Connection refused (146)
Total of 1 requests completed
--

Any comment to this?

Petr

Bill Barker wrote:

"Petr Sumbera" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Hi Guys,

Does anybody have experience or even better some numbers comparing performance of Tomcat running with and without Tomcat native library (libtcnative-1)? I don't see any comparable difference so far (using TC 5.5.23, Native Library 1.1.10, Solaris/i386).

On Solaris there wasn't a big difference last time I profiled it. On Solaris, it doesn't cost much to have a large number of threads blocking on input, so you don't get a lot from the APR Poller. Also, the Solaris JVM is pretty optimized for the OS. From testing with the AJP Connectors, you might have noticeable improvements with TC 6 and the NIO Connector on Solaris, but I haven't profiled it myself.

It's with Linux boxes (I haven't seen reports for other *nixs) with older kernels that you see the most improvement when using the APR Connector.

Cheers,

Petr

Tomcat with/without Tomcat native library
Hi Guys,

Does anybody have experience or even better some numbers comparing performance of Tomcat running with and without Tomcat native library (libtcnative-1)? I don't see any comparable difference so far (using TC 5.5.23, Native Library 1.1.10, Solaris/i386).

Cheers,

Petr