The way I have done it in the past is to separate each tomcat instance by a local user on the machine. I use linux so I have no idea if this would work on windoze. This was done to separate powers and isolate permissions. I am actually looking for critique of this setup as well. So please feel free to blast away.
Example:

Let's say I have 4 websites.

site1.com
site2.com
site3.com
site4.com

I have:

An NGINX proxy in front of the apache servers that sits in a public segment.
A tomcat server fronted by NGINX to terminate SSL that sits in a private segment.

Tomcat is installed in /opt/company/tomcat-8.5 and a symlink exists
/opt/company/tomcat-latest --> /opt/company/tomcat-8.5

Systemd requires a startup script.

/usr/lib/systemd/system/tomcat8@.service

<systemd_service_file>
# Systemd unit file for tomcat instances.
#
# To create clones of this service:
# 1. systemctl enable tomcat@name.service
# 2. create catalina.base directory structure in
#    /var/lib/tomcats/name
# /usr/lib/systemd/system/tomcatN.service

[Unit]
Description=Apache Tomcat 8
After=network.target

[Service]
Type=simple
User=%I
Group=%I
# Run ExecStartPre with root-permissions
PermissionsStartOnly=true
ExecStartPre=-/usr/bin/mkdir /var/run/tomcat8
#ExecStartPre=/opt/company/utility/tomcat8/pre-run.sh
ExecStartPre=/usr/bin/chown -R root:tomcat8r /var/run/tomcat8
ExecStartPre=/usr/bin/chmod 770 /var/run/tomcat8
Environment="NAME=%I"
EnvironmentFile=/etc/sysconfig/tomcat8@%I
#ExecStart=/opt/company/tomcat8/bin/catalina.sh start
ExecStart=/opt/company/tomcat8/bin/startup.sh
ExecStop=/opt/company/tomcat8/bin/shutdown.sh
RemainAfterExit=yes
#User=%I
#Group=%I

[Install]
WantedBy=multi-user.target
</systemd_service_file>

Tomcat is set up as a service using the following service file:

<service_file>
# Service-specific configuration file for tomcat8. This will be sourced by
# the systemd script after the global configuration file
# /etc/sysconfig/tomcat8@userNN, thus allowing values to be overridden in
# a per-service manner. (NN being the numerical value for the specified user 01-99)
#
# NEVER change the systemd unit file itself. To change values for all services make
# your changes in /etc/sysconfig/tomcat8@userNN.
#
# To change values for a specific service make your edits here.
# To create a new service a config file must exist for the user in
# /etc/sysconfig/tomcat8@userNN. All of the tomcat environment variables will be
# handled inside that config file for that user. When calling systemctl, systemd
# will look for the specified config file based on the username passed to it.
# Start the new service by executing : systemctl start tomcat8\@user99 replacing
# user 99 with the appropriate user.
# Make the service start at boot time by executing the following command:
# systemctl enable tomcat8\@user99 again replacing user 99 with the appropriate
# user.

TOMCAT_CFG_LOADED=1

# Run tomcat under the Java Security Manager
SECURITY_MANAGER="false"

# Where your java installation lives
JAVA_HOME="/opt/company/java-1.8"

# Where your tomcat installation lives
CATALINA_BASE="/home/user01/website"
CATALINA_HOME="/opt/company/tomcat8"
#JASPER_HOME=""
CATALINA_TMPDIR="/home/user01/website/temp"

# You can pass some parameters to java here if you wish to
JAVA_OPTS="-Xms2048m -Xmx2048m -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -Dspring.profiles.active=development"

# Use JAVA_OPTS to set java.library.path for libtcnative.so
#JAVA_OPTS="-Djava.library.path=/usr/lib"

# What user should run tomcat
TOMCAT_USER="user01"
TOMCAT_LOG="/home/user01/website/logs/catalina.out"

# You can change your tomcat locale here
#LANG="en_US"

# Run tomcat under the Java Security Manager
#SECURITY_MANAGER="false"

# Time to wait in seconds, before killing process
#SHUTDOWN_WAIT="30"

# Whether to annoy the user with "attempting to shut down" messages or not
#SHUTDOWN_VERBOSE="true"

# Set the TOMCAT_PID location
CATALINA_PID="/var/run/tomcat8/tomcat8-user01.pid"

# Connector port is 8080 for this tomcat8 instance
#CONNECTOR_PORT="8080"

# If you wish to further customize your tomcat environment,
# put your own definitions here
# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
#CLASSPATH=""
#The above will not work without making changes to the base tomcat startup scripts.
</service_file>

A user is created for each site:

site1.com = user01
site2.com = user02
site3.com = user03
site4.com = user04

A sysconfig file is created for each user.

/etc/sysconfig/tomcat8@user01
/etc/sysconfig/tomcat8@user02
/etc/sysconfig/tomcat8@user03
/etc/sysconfig/tomcat8@user04

The tomcat configs for each website are stored in /home/user01/website/conf as an example.

Each user is assigned their own unique port using a scheme.

Example:
user01 = 8101
user02 = 8102
user03 = 8103
user04 = 8104
and so on.

I have run into some challenges that I have not been able to explain. Which is another reason I am posting this again for more eyes to be on it.

Hope that helps.

On Fri, Feb 22, 2019 at 12:26 AM Jerry Malcolm <techst...@malcolms.com> wrote:

> I need a bit of brainstorming. I have a production Tomcat server that
> hosts several web sites. A couple of these websites are
> high-availability sensitive. Any downtime will cost the customer. So
> obviously I want to minimize downtime. On the other hand, I am always
> adding/removing/testing other virtual hosts which requires configuration
> changes and periodic reboots of Tomcat. I'm not at CPU capacity or
> memory capacity on the box. So that is not the problem. What I'd really
> like to do is run both a production TC instance AND a 'development/test'
> TC instance on the same box with the luxury of bouncing or taking the
> dev TC down any time necessary without affecting the production TC. I'm
> using Apache httpd as the front end and routing via mod_jk to TC. The
> separation of function on the two instances would be at domain level.
> Domain A runs on production, Domain B runs on dev. I am using the basic
> mod_jk worker config currently. If I change the dev instance to run a
> different port, is it simply a matter of having worker1 and worker2 that
> route to the different TC instances, and assign either worker1 or
> worker2 to each virtual host in httpd? I figure some people have done
> this in the past. Is this the easiest way to do this? Is there a better
> way?
>
> Thx as always.
>
> Jerry
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
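
The per-user layout in the reply above only isolates instances if every /etc/sysconfig/tomcat8@userNN file names its own user, base directory and PID file; a file copied from another instance and left unedited would make two instances share them. The shell lint below is an added example, not part of the original post or of Tomcat. The function names, the choice of checks and the expectation that CATALINA_BASE grants nothing to group or others are assumptions.

```shell
#!/bin/sh
# Added example: lint per-instance sysconfig files (tomcat8@userNN) for the
# layout in the post. Function names and the checks chosen are assumptions.

# Read KEY="value" from a sysconfig file without sourcing (executing) it.
cfg_get() {  # cfg_get FILE KEY
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Port scheme from the post: user01 -> 8101, user02 -> 8102; numbers are 01-99.
expected_port() {  # expected_port userNN
    nn=${1#user}
    case $nn in
        00) return 1 ;;
        [0-9][0-9]) echo "81$nn" ;;
        *) return 1 ;;
    esac
}

# True only if DIR exists and grants nothing to group or others.
private_dir() {  # private_dir DIR
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check one file; print each finding and return the number of findings.
check_instance() {  # check_instance /path/to/tomcat8@userNN
    f=$1; inst=${f##*@}; bad=0
    user=$(cfg_get "$f" TOMCAT_USER)
    base=$(cfg_get "$f" CATALINA_BASE)
    pid=$(cfg_get "$f" CATALINA_PID)
    expected_port "$inst" >/dev/null || { echo "$inst: name is not userNN"; bad=$((bad+1)); }
    [ "$user" = "$inst" ] || { echo "$inst: TOMCAT_USER is '$user'"; bad=$((bad+1)); }
    case $base in
        "/home/$inst"/*) ;;
        *) echo "$inst: CATALINA_BASE '$base' is outside /home/$inst"; bad=$((bad+1)) ;;
    esac
    case $pid in
        *"-$inst.pid") ;;
        *) echo "$inst: CATALINA_PID '$pid' is not unique to this instance"; bad=$((bad+1)) ;;
    esac
    # Only checked when the directory exists on this machine.
    [ ! -d "$base" ] || private_dir "$base" || { echo "$inst: $base is open to group/others"; bad=$((bad+1)); }
    return "$bad"
}

# Usage: sh lint.sh /etc/sysconfig/tomcat8@user*
for f in "$@"; do check_instance "$f" || true; done
```
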