Apache Tomcat Tips and Tricks from the Pros

Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.

Filip Hanik, Mark Thomas
November 2008

Welcome
- Use the questions pane to ask any questions
- We'll answer them at the end
- Questions needing longer answers we'll put on the SpringSource blog: http://blog.springsource.com/
- If you have a problem, ask a question and one of our colleagues will help you
- A recording will be available from: http://www.springsource.com/webinars

About SpringSource
- Created, developed and leads the Spring Framework
- Offers a host of production ready, enterprise grade products
- Offers full commercial support for Spring and Apache products

About Us
- Apache Tomcat Committers for 5+ years
- Apache Software Foundation members
- Senior Software Engineers and Consultants, SpringSource Covalent Division
- Performance, troubleshooting and security experts

Tomcat versions
- Tomcat 6.0.x is the latest and greatest
- 5.5.x: bugs and security
- 4.1.x: occasional bugs and security
- 3.x, 4.0.x, 5.0.x are unsupported
- 7.x is on the horizon
  - dependent on the Servlet 3.0 specification
  - some discussions on the mailing list
  - some preparatory work under way

Agenda
- Tomcat for large-scale deployments
- Tomcat & JVM upgrades (and roll backs)
- Production settings
- Building Tomcat Native, the APR based native connector
- Connector selection
- Virtual hosting
- Undocumented options

Large scale deployment: Folder structure

Overview:

apache-tomcat-6.0.x/
- bin - used during startup
- conf - CATALINA_BASE
- lib - CATALINA_HOME
- logs - logging.properties
- temp - CATALINA_TMPDIR
- webapps - server.xml (<Host>)
- work - server.xml (<Host>)

Large scale deployment: Starting Tomcat

Startup scripts in bin/:
- startup.(sh|bat) calls catalina.(sh|bat) with <start>
- shutdown.(sh|bat) calls catalina.(sh|bat) with <stop>

Large scale deployment: Starting Tomcat

Startup scripts:
- catalina.(sh|bat) <invokes> setclasspath.(sh|bat)
- catalina.(sh|bat) <invokes> setenv.(sh|bat)
- JVM launch

Large scale deployments: Setting custom options

setenv.sh - any custom options here:
- JAVA_HOME
- JAVA_OPTS
- CATALINA_OPTS
- CATALINA_HOME
- CATALINA_BASE
- CATALINA_TMPDIR
- CATALINA_PID

Large scale deployments: Setting custom options
- setenv.sh doesn't ship with Tomcat
- Upgrading Tomcat: simply copy setenv.sh
- No need to modify Tomcat scripts, or keep track of changes inside Tomcat scripts

Upgrades / downgrades: JVM
- setenv.sh: JAVA_HOME points to 1.5 or 1.6
- Easy to switch back and forth
- No need to modify any Tomcat scripts

/usr/local/tomcat/
- apache-tomcat-6.0.16/
- apache-tomcat-6.0.18/
- jdk1.5.0_16/
- jdk1.6.0_10/

Upgrades / downgrades: Tomcat
- Instance data can be separated out

/usr/local/tomcat/
- apache-tomcat-6.0.16/
- apache-tomcat-6.0.18/
- jdk1.5.0_16/
- jdk1.6.0_10/
- tomcat-instance-01/
  - bin
  - conf
  - logs
  - webapps
  - work
  - temp

Upgrades / downgrades: So far

setenv.sh:

    CATALINA_HOME=/usr/local/apache-tomcat-6.0.18
    CATALINA_BASE=/usr/local/tomcat-instance-01
    JAVA_HOME=/usr/local/jdk1.6.0_10
    CATALINA_PID=$CATALINA_BASE/logs/tomcat.pid

- Modify JAVA_HOME to change JVM
- Modify CATALINA_HOME to change Tomcat

Upgrades / downgrades: In production
- Most important thing during a production upgrade: how to downgrade/roll back if something goes wrong?
- With Tomcat, that's easy: keep multiple installations
- With JVM, that's easy: keep multiple installations

Upgrades / downgrades: Package managers
- Using packages, like RPM
- Consider using packages that install side by side rather than override
- Overriding would slow down and complicate the roll-back process

Production settings: server.xml

    <Server port="8005" shutdown="shutdown" >

- Will allow unauthorized shut-down of Tomcat instance

Production settings: server.xml

    <Server port="-1" shutdown="shutdown" >

- Disables shut-down port
- Also disables use of
  - shutdown.sh
  - catalina.sh stop

Production settings: server.xml

    <Server port="-1" shutdown="shutdown" >

- Stop Tomcat with 'kill <pid>'
- Still a graceful shut-down (shut-down hook)

Production settings: Removing applications
- ROOT: replace with your own
- /examples: security best practice
- /docs: security best practice
- /manager: security best practice, will disable remote deployment
- /host-manager: security best practice, will disable remote host management

Production settings: Logging

conf/logging.properties:

    .handlers = \
      1catalina.org.apache.juli.FileHandler, \
      java.util.logging.ConsoleHandler

- Causes duplicate logging
- May fill up catalina.out (no rotation)

Production settings: Logging

conf/logging.properties:

    .handlers = \
      1catalina.org.apache.juli.FileHandler

- Only log to file
- For development, logging to stdout/stderr is sometimes easier to work with

Production settings: Rotating catalina.out
- http://www.cronolog.org - example tool
- Rotate on a daily basis
- Changes made in catalina.sh

Original redirect:

    >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &

Piped to cronolog:

    2>&1 | /bin/cronolog %Y-%m-%d.catalina.out

Production settings: Access logging
- Access logging can be done using a valve
- Valve logs as soon as the request is done
- Introspects request and response to generate output
- Pattern similar to that of httpd
- http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

    <Valve className="org.apache.catalina.valves.AccessLogValve"
           pattern="%h %l %u %t %r %s %b"
           directory="${catalina.base}/logs"
           prefix="tomcat_access_"
           suffix=".log" />

Production settings: Global defaults
- Sharing a connection pool

    <GlobalNamingResources>
      <Resource type="javax.sql.DataSource" name="sharedpool"/>
    </GlobalNamingResources>

conf/context.xml:

    <Context>
      <ResourceLink global="sharedpool" name="jdbc/ds"/>
    </Context>

Production settings: Global defaults

All global defaults can be configured in:
- conf/context.xml: can be overridden by application
- conf/web.xml: can be overridden by application

Production settings: Templating
- Use catalina.properties for server.xml substitution variables

catalina.properties:

    # server shutdown port
    shutdown.port=-1

server.xml:

    <Server port="${shutdown.port}">
    </Server>

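An added example (not from the webinar slides): a small Python audit of the production settings covered above, namely the shutdown port (including ${...} substitution from catalina.properties), the default applications and the ConsoleHandler root handler. The function names and all sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_APPS = {"examples", "docs", "manager", "host-manager"}

def load_properties(text):
    """Parse key=value lines, joining backslash line continuations first."""
    props = {}
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def substitute(value, props):
    """Expand ${name} placeholders in a server.xml attribute value."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def audit(server_xml, catalina_props, logging_props, webapps):
    """Return findings for the production settings described above."""
    findings = []
    server = ET.fromstring(server_xml)
    # An unresolved placeholder stays as-is and is reported as not disabled.
    port = substitute(server.get("port", "8005"), load_properties(catalina_props))
    if port != "-1":
        findings.append(f"shutdown port {port} is enabled")
    deployed = {w[:-4] if w.endswith(".war") else w for w in webapps}
    for app in sorted(DEFAULT_APPS & deployed):
        findings.append(f"default application /{app} is deployed")
    handlers = load_properties(logging_props).get(".handlers", "")
    if "java.util.logging.ConsoleHandler" in handlers:
        findings.append("ConsoleHandler is a root handler")
    return findings

# Constructed sample inputs (not taken from a real installation).
SERVER_XML = ('<Server port="${shutdown.port}" shutdown="SHUTDOWN">'
              '<Service name="Catalina"/></Server>')
CATALINA_PROPS = "# server shutdown port\nshutdown.port=8005\n"
LOGGING_PROPS = (".handlers = \\\n"
                 "  1catalina.org.apache.juli.FileHandler, \\\n"
                 "  java.util.logging.ConsoleHandler\n")
WEBAPPS = ["ROOT", "shop.war", "manager", "examples"]

if __name__ == "__main__":
    for finding in audit(SERVER_XML, CATALINA_PROPS, LOGGING_PROPS, WEBAPPS):
        print("FINDING:", finding)
```
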
Production settings: Deployment methods

Tomcat supports several deployment methods:
- <Context> elements in server.xml
- Auto deploy WAR file
- Auto deploy directory
- Auto deploy XML file
- Remote deployment

Production settings: Deployment methods

Tomcat supports several deployment methods. Best practice:
- Select one preferred method
- Mixing methods may cause unwanted behavior

Building Tomcat Native
- Unpack your OpenSSL source distro

    ./config --prefix=/tomcat/openssl shared -m64
    make
    make test
    make install

- Some platforms like 'make install' before 'make test'

Building Tomcat Native
- Unpack your APR source distro

    export CC='gcc -m64'
    ./configure --prefix=/tomcat/apr
    make
    make install

Building Tomcat Native
- Unpack your APR Util source distro

    export CC='gcc -m64'
    ./configure --prefix=/tomcat/apr --with-apr=/tomcat/apr
    make
    make install

Building Tomcat Native
- Unpack your tomcat-native.tar.gz distro

    export CC='gcc -m64'
    ./configure --prefix=/tomcat/tcnative -m64 \
        --with-apr=/tomcat/apr \
        --with-ssl=/tomcat/openssl
    make
    make install

Building Tomcat Native

setenv.sh:

    JAVA_OPTS="-Djava.library.path=\
    /tomcat/apr:\
    /tomcat/openssl:\
    /tomcat/tcnative"

- Remember, if compiled in 64 bit (-m64) you must use a 64 bit JVM

Connector selection

Requirement                        Connectors in preference order
Stability                          BIO, NIO/APR
SSL                                APR, NIO, BIO
Low concurrency                    BIO, APR, NIO
High concurrency, no Keep-Alive    BIO, APR, NIO
High concurrency, Keep-Alive       APR, NIO, BIO

Connector selection

Why would you use the NIO connector?
- The Native (APR) connector is unstable on Solaris
- NIO is a pure Java solution
- It is easy to switch between NIO and BIO with SSL

Virtual hosting: What is it?

Multiple host names served by a single Tomcat instance:
- http://bart.foo.com
- http://homer.foo.com

rather than:
- http://www.foo.com/bart
- http://www.foo.com/homer

Virtual hosting: Host definition
- Each host requires an entry in server.xml
- Each host requires its own appBase
- Default host still required

    <Engine name="catalina" defaultHost="bart.foo.com">
      <Host name="bart.foo.com" appBase="webapps-bart"/>
      <Host name="homer.foo.com" appBase="webapps-homer"/>
    </Engine>

Virtual hosting: Context definition
- Standard rules apply: http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
- http://bart.foo.com/ is served by the root context for the host bart.foo.com
  - ROOT.xml, ROOT.war, ROOT

Virtual hosting: Common pitfalls
- DNS not configured
- Overlapping appBase values
- docBase==appBase
- Not using ROOT.war
- Multiple definitions for same WAR/dir

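An added example (not from the webinar slides): a Python check of a server.xml for three of the pitfalls above that are visible in the file itself: a defaultHost with no matching <Host>, overlapping appBase values, and docBase==appBase. The function names, the /catalina_base placeholder directory and the sample server.xml are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from itertools import combinations

def _norm(path, base="/catalina_base"):
    """Resolve a relative appBase/docBase against a base directory (placeholder)."""
    return posixpath.normpath(posixpath.join(base, path))

def _overlaps(a, b):
    """True when two directories are the same or one contains the other."""
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")

def check_virtual_hosts(server_xml):
    findings = []
    root = ET.fromstring(server_xml)
    for engine in root.iter("Engine"):
        hosts = engine.findall("Host")
        default = engine.get("defaultHost")
        if default not in {h.get("name") for h in hosts}:
            findings.append(f"defaultHost {default!r} matches no <Host>")
        # appBase is relative to CATALINA_BASE unless absolute.
        bases = {h.get("name"): _norm(h.get("appBase", "webapps")) for h in hosts}
        for (n1, b1), (n2, b2) in combinations(sorted(bases.items()), 2):
            if _overlaps(b1, b2):
                findings.append(f"appBase of {n1} and {n2} overlap")
        for host in hosts:
            app_base = bases[host.get("name")]
            for ctx in host.iter("Context"):
                # docBase is relative to the host's appBase unless absolute.
                doc_base = ctx.get("docBase")
                if doc_base and _norm(doc_base, app_base) == app_base:
                    findings.append(f"{host.get('name')}: docBase equals appBase")
    return findings

# Constructed sample: every pitfall the function detects appears once.
BAD_SERVER_XML = """
<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="www.foo.com">
    <Host name="bart.foo.com" appBase="webapps-bart"/>
    <Host name="homer.foo.com" appBase="webapps-bart/homer">
      <Context path="" docBase="."/>
    </Host>
  </Engine>
</Service></Server>
"""

if __name__ == "__main__":
    for finding in check_virtual_hosts(BAD_SERVER_XML):
        print("PITFALL:", finding)
```
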
Undocumented options: ExtendedAccessLogValve
- W3C Extended Log File Format: http://www.w3.org/tr/wd-logfile.html
- http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/extendedaccesslogvalve.html
- Enhancements include logging of:
  - Request parameters (helpful for POST)
  - ServletContext attributes
  - HttpServletRequest methods

Undocumented options: Caching
- Content requiring authentication should not be cached
- Tomcat sets caching headers to enforce this
- IE uses a local cache to download files
- IE downloads the file and then obeys the headers and deletes it from the cache before you have a chance to open it

Undocumented options: Caching

Tomcat can be configured to:
- allow private caching (recommended)

    <Context... >
      <Valve className="...Authenticator"
             securePagesWithPragma="false" />
    </Context>

- allow public caching (not recommended)

    <Context... >
      <Valve className="...Authenticator"
             disableProxyCaching="false" />
    </Context>

Undocumented options: Caching
- className depends on the authentication type configured
- All in package org.apache.catalina.authenticator:
  - BasicAuthenticator
  - FormAuthenticator
  - DigestAuthenticator
  - SSLAuthenticator

Apache Tomcat support
- Enterprise level commercial support
- Guaranteed SLAs
- Guaranteed bug fixes
- Security notifications and patches
- Consulting
- Troubleshooting
- Training
- Security, performance and best practices reviews

Enterprise support options

Platinum Plan
Times: 24 x 7 x 365
Method: phone or web

Severity   Response          Workaround        Permanent Correction
Level 1    1 Hour            72 Hours          Next Release
Level 2    4 Hours           5 Business Days   Next Release
Level 3    1 Business Day    Next Release      Next Release

Gold Plan
Times: 6AM - 6PM local time, weekdays, excluding national holidays
Method: phone or web

Severity   Response          Workaround        Permanent Correction
Level 1    4 Hours           72 Hours          Next Release
Level 2    1 Business Day    5 Business Days   Next Release
Level 3    2 Business Days   Next Release      Next Release

Silver Plan
Times: 6AM - 6PM local time, weekdays, excluding national holidays
Method: web

Severity   Response          Workaround        Permanent Correction
Level 1    1 Business Day    None              Next Release
Level 2    2 Business Days   None              Next Release
Level 3    4 Business Days   None              Next Release

Thank you for attending
- Find out more at: http://tomcat.apache.org
- SpringSource Enterprise support: http://springsource.com/support
- insidesales@springsource.com
- +1 800-444-1935

Questions?
- Filip Hanik: filip.hanik@springsource.com
- Mark Thomas: mark.thomas@springsource.com
- http://springsource.com