On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Chris,
>
> On 9/5/17 10:54 AM, Chris Cheshire wrote:
>> I am migrating from 7 (yum repo installation) to 8.5 (direct from
>> apache) and looking to improve configuration where possible.
>>
>> Currently (on *nix) I have a machine that runs sandboxes for my
>> domain, call them sb1.dom.com and sb2.dom.com. They each have
>> their own (system) user and in tomcat's system.xml
>
> Nit: server.xml
>

Brain fart :)


>> I have a host for each :
>>
>> <Host name="sb1.dom.com" appBase="/home/sandbox1/webapps" ... />
>>
>> <Host name="sb2.dom.com" appBase="/home/sandbox2/webapps" .... />
>>
>> Each has access to the host-manager app via a hardlink to
>> manager.xml through
>> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
>> belongs to the tomcat group, and has their webapps directory group
>> readable so Tomcat can deploy the apps. Each host may have multiple
>> contexts within it representing code branches. The env variables
>> have CATALINA_HOME and CATALINA_BASE pointing to
>> /usr/share/tomcat.
>>
>> Reading RUNNING.txt, it says that HOME and BASE can point to
>> different locations for a multi-user environment, which sounds like
>> what I am doing. How do I go about configuring it this way?
>
> It depends upon your goals. If you want to run a single JVM, then it
> really doesn't matter whether you have a "single" Tomcat where
> CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
> pretty much required that you use a split configuration.
>
> I'd argue that you should always have a split configuration, because
> it allows you to upgrade/downgrade almost trivially without disturbing
> your application's (Tomcat) configuration.
>
>> Assume I put the tomcat installation in /usr/local, with a symlink
>> from /usr/local/tomcat to
>> /usr/local/tomcat/apache-tomcat-${version}
>>
>> Would it be better to put the webapps for each user under
>> /usr/local/tomcat/webapps and symlink to them from the user's home
>> directory? What would the structure look like and what would I set
>> CATALINA_BASE and CATALINA_HOME to?
>
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
> 3. Each user has their own CATALINA_BASE directory in their own home
> directory (or wherever in the fs tree). No need to put anything in
> /usr/local which is usually considered to be shared and read-only.
> CATALINA_BASE is just a directory with the following directories in
> it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
> anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
> using a custom conf/server.xml and leaving everything else pretty much
> alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
> necessary for all the other Tomcats that will be running on the server.
>
> This gives you a LOT of flexibility:
>
> 1. Users run their own JVMs as their own users. Filesystem permissions
> become simpler. Applications require less trust (e.g. apps are running
> as "cschultz" instead of "tomcat7").
> 2. Users can select which version of Tomcat they want to use. Just
> change CATALINA_BASE and restart. (Roughly speaking. If you switch
> major versions, you'll likely have to update
> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
> running x.y.z whether you like it or not".


Ok this helps a bit for upgrades. I would just expand the new tarball
in a similar place, update user level conf and restart each instance
when ready?



> 3. Users can start/stop their own Tomcat services. No more emailing an
> administrator and asking for a restart, and having to coordinate it
> with several other unrelated teams who weren't expecting a service
> restart in the middle of the day.
> 4. You (admin) don't have to babysit everyone's web applications.
> Users simply put their own apps in CATALINA_BASE/webapps and move on
> with their lives.
>


This means I need to configure each server and connector element with
different ports for each user, correct?

I am fronting tomcat with httpd using an ajp connector to handle ssl
certs. I use letsencrypt, and on a production server I can't afford to
bounce even the connector and lose connections. httpd handles it a lot
more gracefully. Can I have separate mod_jk.conf and workers.properties
files for mod_jk pointing to different ports for separate connectors
for tomcat?



>> What about file/directory permissions, assuming tomcat is running
>> under the 'tomcat' user? I have root access to the machine, so
>> changing groups, users, permissions is not an issue.
>
> Free yourself from the "tomcat user". It's one of the things I dislike
> most about the package-managed versions of Tomcat: they tend to run
> everything as a single user which is completely unnecessary.
>

Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as each
user (sandbox1, sandbox2 etc)?


Trying to assimilate all this, it sounds like :

CATALINA_HOME=/usr/local/tomcat-x.y.z
CATALINA_BASE=/home/sandbox1/tc

CATALINA_BASE/conf/server.xml has the entire configuration, engine,
connector, host etc for that one user.

Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt says

"The CATALINA_HOME and CATALINA_BASE variables cannot be configured in the
setenv script, because they are used to locate that file."


Do I then need to create my own startup script that sets those, then
calls ${CATALINA_HOME}/bin/startup.sh, or can I just set the variables
in .bashrc?

For each other sandbox I replicate that setup, changing the connector
and server config elements to listen on a new port, correct?

Thanks

Chris
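
The split layout discussed in this thread, as an added example that is not part of the original messages: a sketch that builds one private CATALINA_BASE per user from a shared read-only CATALINA_HOME and gives each instance its own shutdown, HTTP and AJP ports. The function names, directory paths, port numbers and the stand-in server.xml are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: one private CATALINA_BASE per user, each on its own ports.
# Function names, paths and port numbers are assumptions for illustration.
umask 077   # everything created below is accessible to the instance owner only

# make_base CATALINA_HOME CATALINA_BASE
# Creates the instance directories and copies the stock conf/ as a starting point.
make_base() {
    [ -f "$1/conf/server.xml" ] || { echo "no Tomcat in $1" >&2; return 1; }
    mkdir -p "$2/conf" "$2/logs" "$2/temp" "$2/work" "$2/webapps" "$2/lib" &&
    cp -R "$1/conf/." "$2/conf/"
}

# set_ports CATALINA_BASE SHUTDOWN HTTP AJP
# Replaces the stock 8005/8080/8009 so two instances never bind the same port.
set_ports() {
    xml=$1/conf/server.xml
    sed -e "s/ port=\"8005\"/ port=\"$2\"/" \
        -e "s/ port=\"8080\"/ port=\"$3\"/" \
        -e "s/ port=\"8009\"/ port=\"$4\"/" "$xml" > "$xml.new" &&
    mv "$xml.new" "$xml"
}

# ports_of CATALINA_BASE: print the port= values in server.xml, space separated
ports_of() {
    grep -o ' port="[0-9]*"' "$1/conf/server.xml" | tr -dc '0-9\n' | tr '\n' ' '
}

# start_instance CATALINA_HOME CATALINA_BASE
# Run as the instance owner; both variables come from the launcher's
# environment because setenv.sh is located through them.
start_instance() {
    CATALINA_HOME=$1 CATALINA_BASE=$2 "$1/bin/startup.sh"
}

# demo: constructed stand-in for a Tomcat install, then two sandbox instances
demo() {
    t=$(mktemp -d) && mkdir -p "$t/home/conf" || return 1
    printf '%s\n' '<Server port="8005" shutdown="SHUTDOWN">' \
        ' <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />' \
        ' <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />' \
        '</Server>' > "$t/home/conf/server.xml"
    make_base "$t/home" "$t/sandbox1/tc" && set_ports "$t/sandbox1/tc" 8105 8180 8109 &&
    make_base "$t/home" "$t/sandbox2/tc" && set_ports "$t/sandbox2/tc" 8205 8280 8209 &&
    echo "sandbox1: $(ports_of "$t/sandbox1/tc")" &&
    echo "sandbox2: $(ports_of "$t/sandbox2/tc")"
    rm -rf "$t"
}
demo
```

The `umask 077` keeps each instance's conf/ and logs/ unreadable to the other sandbox users, which matters once credentials such as JDBC passwords live in a per-user server.xml or context file.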
