Amit,
On 6/20/25 11:32 AM, Amit Pande wrote:
Thank you Mark for the feedback.
Reason to ask for shutdown port availability was that configtest already checks
that for connector ports. E.g.
SEVERE: Failed to initialize component [Connector["nbhttps-jsse-nio-127.0.0.1-12345"]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:522)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:957)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:735)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
Caused by: java.net.BindException: Address already in use
    at java.base/sun.nio.ch.Net.bind0(Native Method)
    at java.base/sun.nio.ch.Net.bind(Unknown Source)
    at java.base/sun.nio.ch.ServerSocketChannelImpl.netBind(Unknown Source)
    at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source)
    at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:266)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:221)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1399)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1412)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:633)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1073)
    ... 11 more
And a follow up question, even with the SEVERE error like above (or while
creating the SSL context due to incorrect store password for instance), the
return code is 0. Did I miss anything here?
Jun 20, 2025 10:23:15 AM org.apache.catalina.startup.Catalina load
INFO: Server initialization in [2457] milliseconds
[me@mymachine bin]# echo $?
0
A single connector failing won't cause the server to fail to start. So
it doesn't cause the configtest to fail, either.
-chris
________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Friday, June 20, 2025 2:58 AM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: Updating configTest to include shutdown port validation
On 20/06/2025 01:18, Amit Pande wrote:
Hello,
I was testing out the "configtest" option of the catalina.sh/.bat and observed
that it does not do validation for the shutdown port.
There are lots of things it doesn't explicitly test. Why is the shutdown
port of particular interest?
https://github.com/apache/tomcat/blob/8bbdabe02c384cf15aa43dafb66a5b42440edac3/java/org/apache/catalina/startup/Bootstrap.java
case "configtest":
    daemon.load(args);
    if (null == daemon.getServer()) {
        System.exit(1);
    }
    // Can we add the shutdown port validation code here?
    // Check if the port is an integer, check if this port is
    // available for use
The integer check will be performed automatically as part of parsing the
file. You'll see a warning for non-integer values.
Port availability is a tricky one. Just because the port is available
now, that is no guarantee it will be available when you start the instance.
Consider the case of three Tomcat instances on a single machine, all
using the same shutdown port. Run the configtest on each and it passes.
Try starting them and you get failures.
I'm not convinced there is much value in a port availability test.
    // Not 100% sure yet if this is the right place
    validateShutdownPort(daemon.getServer().getPort());
    System.exit(0);
    break;
Appreciate feedback on whether this is a good idea to enhance the server.xml
config validation check?
I'm not yet convinced.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
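
The thread shows configtest exiting 0 even though a connector logged SEVERE, so a deploy or CI step that only checks `$?` will pass it. The wrapper below is an added example, not code from the thread or from the Tomcat project; the function names, the exit code 2 and the `SEVERE_PATTERN` variable are assumptions, and the sample output is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not Tomcat code. Function names and exit code 2 are assumptions.

# Constructed sample, abridged from the configtest output quoted in the thread.
sample_failed_bind() {
    cat <<'EOF'
SEVERE: Failed to initialize component [Connector["nbhttps-jsse-nio-127.0.0.1-12345"]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
Caused by: java.net.BindException: Address already in use
Jun 20, 2025 10:23:15 AM org.apache.catalina.startup.Catalina load
INFO: Server initialization in [2457] milliseconds
EOF
}

# Constructed sample of a run that logged nothing at SEVERE level.
sample_clean() {
    cat <<'EOF'
Jun 20, 2025 10:23:15 AM org.apache.catalina.startup.Catalina load
INFO: Server initialization in [2457] milliseconds
EOF
}

# configtest_gate STATUS
#   stdin:  captured configtest output (stdout and stderr together)
#   STATUS: exit status configtest itself returned
# Returns STATUS when it is non-zero, 2 when the status was 0 but a SEVERE
# line was logged, and 0 otherwise. SEVERE_PATTERN overrides the match for
# other log layouts; the default fits the layout quoted in the thread.
configtest_gate() {
    status=$1
    severe=$(grep -E -- "${SEVERE_PATTERN:-^SEVERE: }" || true)
    if [ "$status" -ne 0 ]; then
        return "$status"
    fi
    if [ -n "$severe" ]; then
        printf 'configtest exited 0 but logged:\n%s\n' "$severe" >&2
        return 2
    fi
    return 0
}

# Intended use in a deploy or CI step:
#   out=$("$CATALINA_HOME/bin/catalina.sh" configtest 2>&1); rc=$?
#   printf '%s\n' "$out" | configtest_gate "$rc" || exit 1
```

A pass from this gate still says nothing about whether a port will be free when the instance actually starts, which is the point Mark makes about port availability checks.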