Hi Onno, On 18.06.21 07:07, Sugar Moose wrote: > I am using Ansible role robertdebock.tomcat to install Tomcat. This role uses > archives from the Tomcat site to install Tomcat. I have always thought that > this is a fine approach but the customer has pointed out that a package > install is preferred because it makes installing security updates easier. > This customer uses Ubuntu 18.04 and the position of the InfraOps engineers is > that installing Tomcat from the official Ubuntu repository is always > preferred.
Installing Tomcat directly from the archives is easy and straight forward, in my opinion it should be perfectly fine using upstream as source (you should at least verify the download). Especially, if Tomcat plays a major role of the system (i.e. running some business critical applications), I would always stick to the version from Tomcat archives. You will end up with a more recent version of Tomcat, as it is actively developed, those versions will contain all security fixes (directly from the team and without possible backporting of security fixes). If you use CATALINA_HOME and CATALINA_BASE variables you can easily switch between different Tomcat versions, making it very easy to manage updates and possible necessary rollbacks. I would only stick to the distro-provided packages, if it is a small (in other words not that important) application running in Tomcat. Just for reference: With Ubuntu 18.04, you would end up with 9.0.16 vs. 9.0.48 (Tomcat project) or 8.5.39 vs. 8.5.68 (Tomcat project), which is about 2 years old software. For any errors you might get on distro packages, first hint would most likely be to update to a recent Tomcat version. Even if security fixed are backported by the distro, you would end up with versions missing a lot of fixes and improvements. > I don't know how exactly using apt packages makes life a lot easier when it > comes to security updates. I think it depends. If Ansible manages the version > it looks more or less the same to me. The Ansible role would have an var for > example tomcat_version and the value would determine the what version is on > the system. Updating Tomcat using Ansible would be same proces: update > tomcat_version var and provision the node. When Ansible is not managing the > version but is used for example only for the initial install using Ansible > package module it becomes a bit of a puzzle to figure out how this would > work. And also would have some drawbacks. Ansible is good at configuration > management and orchestration for example. Apt not really. Yes, Ansible is much more flexible for managing the configuration and deployment-parts. You will need something for that task, even if you use the distro-provided packages. > What is the position / what are the thoughts on this in the Tomcat community? > On the Tomcat website I could find no information on package install. I don't > think a recommended installation approach is mentioned there. In short: If your application in Tomcat is important, use the Tomcat archive up to date versions, if not distro packages might be sufficient. This might be challenging, if Tomcat is managed by the infrastructure team (from my experience, there is always a trend towards the distro packages, sometimes with the argument support by the distro). It might help, if managing the Tomcat can be done by the applications support/devops team (however, that might depend on the organisation constraints). hth, Thomas --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
