Ive been spending a lot of time in the last year and a half dealing with Apache Tomcat. The DevOps team I am on focuses on Grails for almost all development needs. We use Tomcat 6 and 7 to host a variety of applications we have written. As such I have learned a lot about Tomcat, and Im going to use this opportunity to share some of the things I have learned with you.
The server setup
I like using CentOS on my personal stuff, so for this example Ill be using CentOS 6.3 and using my Rackspace Cloud Server. Im just using the default image provided by Rackspace. From the cloud server control panel I name my server tomcat-dev1. Next I selected CentOS 6.3 for the image and 512M of RAM for the server size. Finally in the networks section I leave it defaulted to a public and private adapter, and then press the create server button to begin building my new cloud server. Keep in mind this is just a development server for me so I dont need much RAM, for a production system you will need to calculate your needs accordingly and make your server as large as you need it. Once my server is done building I will log on and install:
- jdk 7 from Oracle
- Tomcat 7
- git (optional, but I like to keep my config files in version control)
- jsvc (this is bundled with tomcat)
Lets begin by logging into our new cloud server as root. The first thing I do to a new cloud server is change the password. Once that is done we can begin by updating the system.
yum -y update
This is done because the base image could be several months old so we want to get the latest updates from the vendor before we begin. Once that finishes reboot if you need, if you do not know if you need a reboot or not just do it anyway to be sure.
Gathering the goods
Some of what we will be installing is either not provided by yum, or is older and we want flashy and new. We need to fetch the jdk; I will download the x64 rpm to my local desktop then upload it to my cloud server using winscp. Next we need Tomcat, and jsvc. Since these two things do not require me agreeing to some terms I will download them directly from the server.
Now on my server I should have the jdk rpm, and the Tomcat 7, and jsvc packages.(jsvc is bundled with tomcat)
Installing the jdk, Tomcat, and jsvc
We need to install the jdk first. To do that lets install the rpm:
rpm -Uvh jdk-7u10-linux-x64.rpm
If you see output like this:
Error: Could not open input file: /usr/java/jdk1.7.0_10/jre/lib/rt.pack
Error: Could not open input file: /usr/java/jdk1.7.0_10/jre/lib/jsse.pack
Error: Could not open input file: /usr/java/jdk1.7.0_10/jre/lib/charsets.pack
Error: Could not open input file: /usr/java/jdk1.7.0_10/lib/tools.pack
Error: Could not open input file: /usr/java/jdk1.7.0_10/jre/lib/ext/localedata.pack
It is safe to ignore.
I didnt dig into why this output happened but it did not seem to affect my install. Now that Java is installed we need to add the java install to the alternatives system, and make it so that the JAVA_HOME environment variable is set for all our users when they log in. Lets do that by creating a file in /etc/profile.d called java.sh Using your favorite text editor create the file /etc/profile.d/java.sh and enter the following lines into the file and then save it:
Now the file needs to be set executable so issue the following command:
chmod +x /etc/profile.d/java.sh
Now to add java to the alternatives system
alternatives --install /usr/bin/java java /usr/java/latest/jre/bin/java 20000
alternatives --install /usr/bin/jar jar /usr/java/latest/bin/jar 20000
alternatives --install /usr/bin/javac javac /usr/java/latest/bin/javac 20000
Lets test that this works by typing:
Right now we should get no output. Now try logging off our server, and logging back in. Once you do that type the command again. We should now see:
Now we need to unpack Tomcat, and the jsvc daemon.
tar xzvf apache-tomcat-7.0.34.tar.gz -C /opt/
This will unpack Tomcat into the /opt directory into a folder named apache-tomcat-7.0.34 Once that is done unpack the commons-daemon source code. That code is bundled with tomcat:
tar xzvf commons-daemon-native.tar.gz -C /usr/local/src/
The source code for the jsvc daemon is now in /usr/local/src/commons-daemon-1.0.10-native-src and needs to be built. Before we can build it we still need to install a couple of things on our server. According to the docs we need a compiler, and make. In an effort to make it simple I will be using yum and the groupinstall option to install “Development tools” This will provide git, make, gcc, cpp, and many other tools.
yum -y groupinstall "Development tools"
Once that is complete we have what we need to build jsvc, so lets do that now. Since we are using CentOS we will want to:
From here we can issue the configure command:
This should render some output, the last thing it says if you were successful is this:
*** All done ***
Now you can issue “make”
Lets do that now.
If you got no errors you should now have a binary file in the same directory as you called jsvc. Since this Makefile does not have a target for install the next natural step of make install would fail. You have to manually place the binary somewhere on your system. I like to just put it with the tomcat binaries since thats the only thing I use jsvc for, so thats what Ill do now:
cp jsvc /opt/apache-tomcat-7.0.34/bin/
You should now have Java 7, Tomcat 7, and jsvc 1.0.10 installed on your system. We are getting close to being done. Only a few more steps left!!
Doing some Tomcat configuration, and making Tomcat start at boot
Now that we have all these things installed we need to do some configuration, and also make it so Tomcat will start when the system boots up. Lets begin with making tomcat start at boot. Im going to provide you with the init script I wrote and use on my systems. You can get the latest version from here. Download it and save the file in /etc/init.d as tomcat
wget https://raw.github.com/michaelrice/tomcat_files/master/init.d/tomcat -O /etc/init.d/tomcat
This file needs to be executable so lets issue the following command:
chmod +x /etc/init.d/tomcat
Now we need to make sure tomcat will start at boot:
chkconfig --add tomcat && chkconfig tomcat on
This will add tomcat to the chkconfig system, and enable it for start up on boot. Lets take a look at what this file does for us. On line 4 we see this:
# chkconfig: – 85 15
This is needed for chkconfig so our command above would work. For more information see man chkconfig. Scroll down in the file until you see:
This is where the user that tomcat will run as is defined. By default it wants to run as the user named tomcat. We have not created that user yet, but we will shortly. The next two things to notice are right below the TOMCAT_USER line.
These locations on the file system are not there by default so we need to add them, and make sure our tomcat user has access to them, but lets keep looking through this file for now and we will fix all the things at once. Lets scroll down to lines 20 and 21
[ -f /etc/profile.d/tomcat.sh ] && . /etc/profile.d/tomcat.sh
[ -f /etc/profile.d/java.sh ] && . /etc/profile.d/java.sh
This is checking to see if these files exist and if so source them, this will set up our environment variables for us. The tomcat file is missing still, but we will add it soon. I think one of the last things to note here in this file is the JSVC_BIN variable. If you put jsvc in some other location than where I put it then you need to adjust this to your location. Finally on line 62 we have the command we use to start tomcat. You should not need to adjust this, but if you need to thats where to do it. Now that we know what this file will do for us, lets fix all the things we found while going through it.
Finializing the Tomcat bits
The first problem we found above was our script is looking for a “tomcat” user and we dont have one yet, so lets add one:
useradd -r tomcat -m
This added a new system user named tomcat, and created a group also named tomcat. A home dir was created in /home/tomcat The next problem we found was that a couple of files need to be created, and our tomcat user needs access to them. Lets make it happen:
mkdir -p /var/lock/subsys/tomcat/
mkdir -p /var/run/tomcat/
chown -R tomcat. /var/run/tomcat
chown -R tomcat. /var/lock/subsys/tomcat
Finally the tomcat.sh file needs to be created and make executable. Using your favorite text editor create the file /etc/profile.d/tomcat.sh and add the following to it, then save it:
Now we need to make it executable:
chmod +x /etc/profile.d/tomcat.sh
You may have noticed that the location of CATALINA_HOME and CATALINA_TMPDIR dont exist on our server, good catch. I use symlinks to this. Lets get them created.
ln -s /opt/apache-tomcat-7.0.34/ /opt/tomcat
I do this so if I update tomcat I only have to update this symlink and do not have to edit my init script, or my profile.d script. Now all we have left for tomcat is to make sure we have the server.xml file created correctly, and if we want to allow access to the manager we need to make a tomcat-users.xml file as well. I have provided the server.xml and the tomcat-users.xml file I used here. Those files need to be saved in /opt/tomcat/conf/ as server.xml and tomcat-users.xml Once you have done that you should be able to start tomcat, so lets try that now.
service tomcat start
Lets verify its running:
We should see some output like the following:
[root@tomcat-demo unix]# ss -nap
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 ::ffff:127.0.0.1:8009 :::* users:((“jsvc”,20103,39))
LISTEN 0 100 ::ffff:127.0.0.1:8080 :::* users:((“jsvc”,20103,38))
This shows us that jsvc has a process listening on port 8009 and 8080, on the local loop back interface only, just like we setup in our config file. This is wonderful now we are done with tomcat for now. Lets move on to httpd and setting up the ajp.
Apache httpd and mod_proxy_ajp
We need to install httpd now.
yum -y install httpd && chkconfig httpd on
We do not need to do anything to get mod_proxy_ajp it is part of the base httpd install as of 2.2. Now that our web server is installed lets configure our first vhost, and serve up some tomcat content. Using your favorite text editor open the httpd.conf file located at /etc/httpd/conf/httpd.conf The vhost section is at the bottom of the file by default. In my case I added the following:
Allow from all
ProxyPass / ajp://localhost:8009/
Next I need to open port 80 on my firewall, since the default firewall will be blocking traffic on port 80. Using my text editor I will edit /etc/sysconfig/iptables so it looks like so:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m tcp -p tcp –dport 80 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
Next I need to load this new rule set like so:
iptables-restore < /etc/sysconfig/iptables
Now I am done, and Im ready to fire up httpd and visit my site.
service httpd start
You can now visit your site in a browser and see the default Tomcat landing page, as well as add a /manager and log in using "tomcat" as the user, and "s3cret" as your password. In the coming weeks I will be adding more info about how to do vhosting using this method, and eventually covering how to do this all in a few mins using chef