Onno,
On 6/18/21 01:07, Sugar Moose wrote:
> Hi,
>
> I am using Ansible role robertdebock.tomcat to install Tomcat. This role uses
> archives from the Tomcat site to install Tomcat. I have always thought that
> this is a fine approach but the customer has pointed out that a package install
> is preferred because it makes installing security updates easier. This customer
> uses Ubuntu 18.04 and the position of the InfraOps engineers is that installing
> Tomcat from the official Ubuntu repository is always preferred.
>
> I don't know how exactly using apt packages makes life a lot easier when it
> comes to security updates. I think it depends. If Ansible manages the version
> it looks more or less the same to me. The Ansible role would have a var, for
> example tomcat_version, and the value would determine what version is on the
> system. Updating Tomcat using Ansible would be the same process: update
> tomcat_version var and provision the node. When Ansible is not managing the
> version but is used for example only for the initial install using Ansible
> package module it becomes a bit of a puzzle to figure out how this would work.
> And also would have some drawbacks. Ansible is good at configuration management
> and orchestration for example. Apt not really.
>
> What is the position / what are the thoughts on this in the Tomcat community?
> On the Tomcat website I could find no information on package install. I don't
> think a recommended installation approach is mentioned there.

The Apache Tomcat documentation doesn't recommend anything because there
is no reason to do so: your deployment is your own business.
I can't speak for anyone else.
I install Tomcat from the ASF-provided packages. I do that for several
reasons:
1. My preferred Linux distribution (Debian) is often lagging behind on
version numbers, though they are very responsive when it comes to
security updates. This has gotten *much* better in the "recent" past.
I've been using Tomcat since 2003; old habits die hard.
2. Package-managed Tomcat bundles often have huge numbers of dependent
packages, none of which I care to have the package-manager install
automatically.
3. Package-managed Tomcat bundles are often limited in the versions they
support. Maybe you want to run Tomcat 8.5 but the distribution has
decided that Tomcat 9.0 is the best and what they support. Maybe you
want to use Tomcat 10 which is semi-experimental but no package-manager
I know of has it. So there are some practical considerations as well.
4. If I upgrade my Tomcat myself, I know exactly where every
configuration file is and how to fix it if things break. If the
package-manager does it, it may stomp on some important configuration of
mine.
Most of the above come down to "I've always done it this way", or "I'm
too stubborn to learn how the package-manager wants to do things."
Honestly, switching to package-managed JVMs was great for me *because of
the security updates*. I suspect that if I ever take the time to learn
more about how Debian does Tomcat packaging, configuration, etc. I'll be
very happy with the results and will never go back to downloading tarballs.
YMMV
-chris