====== Tomcat Administration ======

===== Tag 1 =====

==== 1.2 - tomcat.sh ====
<code>
#!/bin/sh

### Start Config ###

TOMCAT_VERSION=10.1.20
INSTANCE_NAME=workshop

### End Config ####

CATALINA_HOME=/opt/tomcat/products/${TOMCAT_VERSION}
CATALINA_BASE=/opt/tomcat/instances/${INSTANCE_NAME}

export CATALINA_HOME
export CATALINA_BASE

case "$1" in
start)
        $CATALINA_HOME/bin/startup.sh
        ;;
stop)
        $CATALINA_HOME/bin/shutdown.sh
        ;;
*)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
</code>

==== 1.3 - Erweiterung setenv.sh ====

<code>
CATALINA_TMPDIR="${CATALINA_VAR}/temp"
CATALINA_PID="${CATALINA_VAR}/logs/tomcat.pid"
CATALINA_OUT="${CATALINA_VAR}/logs/catalina.out"
CATALINA_OPTS="-Dcatalina.var=${CATALINA_VAR}"
</code>

==== 1.4 - OOM ====
<code>
JAVA_OOM="-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/tomcat/workshop -XX:OnOutOfMemoryError=${CATALINA_HOME}/bin/oom.sh"
CATALINA_OPTS="$CATALINA_OPTS $JAVA_OOM"
</code>

==== 1.4 - action.bash ====

<code>
#!/bin/bash
dumps=`ls -1rt /var/tomcat/java_pid*.hprof | tail -1`;
printf "Memory Dump:\n $dumps" >> /tmp/dumps.log
# printf "Memory Dump:\n $dumps" | mailx -s "Memory Dump" "admin@example.zz"
</code>

==== 1.8 - Valve und Filter ====

<code>
<Context>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="10"/>
</Context>
</code>

<code>
   <filter>
      <filter-name>ExpiresFilter</filter-name>
      <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
      <init-param>
         <param-name>ExpiresByType text</param-name>
         <param-value>access plus 2 days</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>ExpiresFilter</filter-name>
      <url-pattern>*.html</url-pattern>
      <dispatcher>REQUEST</dispatcher>
   </filter-mapping>
</code>

===== Tag 2 =====

==== 2.4 - SSL Connector ====

<code>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
   maxThreads="150" SSLEnabled="true" scheme="https" secure="true" >
   <SSLHostConfig protocols="all,-TLSv1,-TLSv1.1"
                  ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
                  honorCipherOrder="true" >
      <Certificate 
           certificateKeystoreFile="${catalina.base}/conf/keystore.jks"
           certificateKeystorePassword="changeit" />
    </SSLHostConfig>
</Connector>
</code>

==== 2.5 - Anpassungen logging.properties ====

<code>
handlers = 1catalina.org.apache.juli.AsyncFileHandler,
2localhost.org.apache.juli.AsyncFileHandler,
3manager.org.apache.juli.AsyncFileHandler, 4hostmanager.
org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler,
5workshop1.org.apache.juli.AsyncFileHandler,
6workshop2.org.apache.juli.AsyncFileHandler
</code>
<code>
5workshop1.org.apache.juli.AsyncFileHandler.level = FINE
5workshop1.org.apache.juli.AsyncFileHandler.directory = ${catalina.var}/logs
5workshop1.org.apache.juli.AsyncFileHandler.prefix = workshop_log1.
5workshop1.org.apache.juli.AsyncFileHandler.maxDays = 90
5workshop1.org.apache.juli.AsyncFileHandler.encoding = UTF-8

6workshop2.org.apache.juli.AsyncFileHandler.level = FINE
6workshop2.org.apache.juli.AsyncFileHandler.directory = ${catalina.var}/logs
6workshop2.org.apache.juli.AsyncFileHandler.prefix = workshop_log2.
6workshop2.org.apache.juli.AsyncFileHandler.maxDays = 90
6workshop2.org.apache.juli.AsyncFileHandler.encoding = UTF-8
</code>
<code>
ws_log.handlers = 5workshop1.org.apache.juli.AsyncFileHandler
de.kippdata.workshop.handlers = 6workshop2.org.apache.juli.AsyncFileHandler
</code>
==== 2.6 - log4j.xml ====
<code>
<?xml version="1.0" encoding="UTF-8"?>
<!-- You can add the attribute monitorInterval (seconds)
     to the Configuration element for hot config reloading, 
     for example: <Configuration monitorInterval="60"> -->
<Configuration status="warn" monitorInterval="60">
  <Appenders>
    <RollingFile name="default"
                 fileName="${sys:catalina.var}/logs/catalina.log"
                 filePattern="${sys:catalina.var}/logs/catalina.log.%d{yyyy-MM-dd-HHmmss}">
      <PatternLayout>
        <pattern>%d %r %p [%t] %c (%F:%L) - %m%n</pattern>
      </PatternLayout>
      <!-- Daily Rotation, schedule is cron style
           with columns seconds, minutes, hours, day-of-month,
           month, day-of-week, year(optional) -->
      <CronTriggeringPolicy schedule="0 0 0 * * ?" />
    </RollingFile>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="default"/>
    </Root>
<!-- Example for changing a log level
    <Logger name="org.apache.catalina"
            level="info" additivity="false">
      <AppenderRef ref="default"/>
    </Logger>
    <Logger name="org.apache.catalina.core.ContainerBase.[Catalina].[localhost]"
            level="info" additivity="false">
      <AppenderRef ref="default"/>
    </Logger>
    <Logger name="org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager]"
            level="info" additivity="false">
      <AppenderRef ref="default"/>
    </Logger>
-->
  </Loggers>
</Configuration>
</code>

==== 2.7 - JMX Remote ====
<code>
JMX_OPTS_NOSSL_NOAUTH="\
-Dcom.sun.management.jmxremote=true \
-Dcom.sun.management.jmxremote.port=1090 \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=false \
"

JMX_OPTS_SSL_NOAUTH="\
-Dcom.sun.management.jmxremote=true \
-Dcom.sun.management.jmxremote.port=1090 \
-Dcom.sun.management.jmxremote.ssl=true \
-Dcom.sun.management.jmxremote.authenticate=false \
-Djavax.net.ssl.keyStorePassword=workshop \
-Djavax.net.ssl.keyStore=${CATALINA_BASE}/conf/keystore.jks \
"

JMX_OPTS_SSL_AUTH="\
-Dcom.sun.management.jmxremote=true \
-Dcom.sun.management.jmxremote.port=1090 \
-Dcom.sun.management.jmxremote.ssl=true \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.access.file=${CATALINA_BASE}/conf/jmxremote.access \
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password \
-Djavax.net.ssl.keyStorePassword=workshop \
-Djavax.net.ssl.keyStore=${CATALINA_BASE}/conf/keystore.jks \
"

CATALINA_OPTS="$CATALINA_OPTS $JMX_OPTS_NOSSL_NOAUTH"
</code>

===== Tag 3 =====

==== 3.7 - Ressources ====

<code>
<Context docBase="/opt/webapps/workshop/3.1.0/workshop.war">
   <Resources>
      <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                     base="${catalina.base}/conf/workshop" webAppMount="/WEB-INF/classes" />
   </Resources>
</Context>
</code>

==== 3.8 - LDAP Realm ====

<code>
   <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionName="cn=tcmanager,ou=specialusers,dc=linuxhotel,dc=de"
          connectionPassword="secret"
          connectionURL="ldap://ldapserver:389/"
          userBase="ou=people,dc=linuxhotel,dc=de"
          userSubtree="true"
          userSearch="(uid={0})"
          roleBase="ou=groups,dc=linuxhotel,dc=de"
          roleSubtree="true"
          roleName="cn"
          roleSearch="(uniqueMember={0})"
          />
</code>

===== Tag 4 =====


===== Tag 5 =====

==== 5.1 - docker ====

<code>
FROM alpine:3.15

#### OpenJDK 17
RUN apk update
RUN apk add openjdk17-jre-headless
ENV JAVA_HOME /usr/lib/jvm/java-17-openjdk

#### tcnative
#ENV TCNATIVE 1.2.33
#RUN apk add openjdk17-jdk apr-dev openssl-dev gcc make musl-dev
#RUN wget -O /tmp/tomcat-native-${TCNATIVE}-src.tar.gz https://dlcdn.apache.org/tomcat/tomcat-connectors/native/${TCNATIVE}/source/tomcat-native-${TCNATIVE}-src.tar.gz; \
#  cd /tmp; \
#  tar -zxf tomcat-native-${TCNATIVE}-src.tar.gz; \
#  cd tomcat-native-${TCNATIVE}-src/native; \
#  ./configure --prefix=/opt/tcnative/${TCNATIVE}; \
#  make; \
#  make install; \
#  cd /tmp; \
#  rm -rf /tmp/tomcat-native*

#### tomcat
ENV TOMCATVERSION 10.0.20
ENV INSTANCENAME workshop
ENV TOMCATDIR /opt/tomcat
ENV WARFILE workshop.war
ENV APPVERSION 3.1.0
ENV CATALINA_HOME ${TOMCATDIR}/products/apache-tomcat-${TOMCATVERSION}
ENV CATALINA_BASE ${TOMCATDIR}/instances/${INSTANCENAME}
ENV CATALINA_VAR /var/tomcat/${INSTANCENAME}
ENV PATH $CATALINA_HOME/bin:$PATH
ENV TCUSER tcrun
ENV TCGROUP tcgroup

# create CATALINA_HOME
RUN mkdir -p "${TOMCATDIR}/products"; \
  cd ${TOMCATDIR}/products; \
  wget -O /tmp/tomcat-product.tar.gz "https://archive.apache.org/dist/tomcat/tomcat-10/v${TOMCATVERSION}/bin/apache-tomcat-${TOMCATVERSION}.tar.gz"; \
  tar -zxf /tmp/tomcat-product.tar.gz; \
  rm /tmp/tomcat-product.tar.gz

# create CATALINA_BASE
COPY ${INSTANCENAME}.tar /tmp/${INSTANCENAME}.tar
RUN mkdir -p ${TOMCATDIR}/instances; \
  cd ${TOMCATDIR}/instances; \
  tar -xf /tmp/${INSTANCENAME}.tar; \
  rm /tmp/${INSTANCENAME}.tar

# create CATALINA_VAR
RUN mkdir -p /var/tomcat/${INSTANCENAME}; \
  cd /var/tomcat/${INSTANCENAME}; \
  mkdir logs temp webapps work

# create webappdir
RUN mkdir -p /opt/webapps/${INSTANCENAME}/${APPVERSION}-jee9
COPY $WARFILE /opt/webapps/${INSTANCENAME}/${APPVERSION}-jee9/

# create runtime user and change rights
RUN addgroup $TCGROUP; \
  adduser -h /opt/tomcat -H -G $TCGROUP -s /bin/sh -D $TCUSER; \
  chown -R $TCUSER:$TCGROUP /opt/tomcat; \
  chown -R $TCUSER:$TCGROUP /var/tomcat; \
  chown -R $TCUSER:$TCGROUP /opt/webapps

WORKDIR $CATALINA_BASE
EXPOSE 8080 8443

USER $TCUSER
CMD ["catalina.sh","run"]
</code>

==== 5.3 - einfacher Proxy ====
<code>
<VirtualHost *:80>
  ProxyPass /workshop http://localhost:8180/workshop
  ProxyPassReverse /workshop http://localhost:8080/workshop
  ProxyPassReverse /workshop http://localhost:8180/workshop
  ProxyPreserveHost On
</VirtualHost>
</code>

==== 5.6 - Monitoring ====

<code>
   ProxyPass /lbmanager !
   <Location /lbmanager>
      SetHandler balancer-manager
      AuthType basic
      AuthName "Proxy Balancer"
      AuthBasicProvider file
      AuthUserFile htpasswd.intern
      Require user proxyadmin
   </Location>
</code>

<code>
  LogFormat "%h %l %u %t \"%r\" %>s %b %{BALANCER_ROUTE_CHANGED}e %{BALANCER_WORKER_ROUTE}e %{BALANCER_SESSION_ROUTE}e %D" proxyextended
  CustomLog "logs/proxy_access_log" proxyextended
</code>