Repackaged Tomcat Distributions
kjkoster
16-07-2008, 08:57
Dear All,
I hang out on Freenode's #tomcat IRC channel (http://freenode.net/freenode_and_irc.shtml) quite a bit. One of the issues that comes up frequently is that people cannot install Tomcat on their Linux machine. When asked, it turns out that they are using a re-packaged Tomcat. That is a Tomcat server that has been shoehorned into an RPM or APT package.
Personally, I like package managers as much as we all do. I use FreeBSD's ports collection for practically everything. However, I find myself installing Tomcat manually every time, even though there is a FreeBSD port for it.
The reason for that is simple: Tomcat comes as a compact package. All files are placed in logically named directories and all documentation (http://tomcat.apache.org/tomcat-6.0-doc/index.html) describes solutions using those file and directory names.
So on IRC I find myself suggesting people uninstall the RPM or APT package and manually install Tomcat instead. It seems that I am not alone in this. (http://mail-archives.apache.org/mod_mbox/tomcat-users/200805.mbox/%3C4eedb92a0805020805w353a307fhf8d58076d6db1415@mail.gmail.com%3E) Those that follow my advice (imagine that, stubborn system administrators ;) ) usually end up with a working installation in a few commands.
So here is how I advise people to install Tomcat on Linux, or any system for that matter.
First, download Tomcat from http://tomcat.apache.org/download-60.cgi
% unzip apache-tomcat*.zip
% cd apache-tomcat-*/bin
% chmod 755 *.sh
% ./catalina.sh run
What do you think, are RPM-ed Tomcat servers useful or not? Do you use a vanilla Tomcat or a re-packaged one?
I agree completely! Tomcat is one of the few programs I don't apt-get. Another advantage is it is easy to move or copy (backup) your entire tomcat instance. I always use a separate user to run tomcat (for security reasons). If you use a packaged version this is done for you, here's how I do it manually:
use adduser -shell /bin/false, and give the user the name 'tomcat' (or whatever you like).
Next edit /etc/shadow and remove the hashed password
Then use sudo -u tomcat ./startup.sh
I often have trouble getting the java_home variable, especially when I start it as a different user. I found that putting a setenv.sh in the tomcat bin directory containing the export always works. For instance:
export JAVA_HOME=/usr/lib/jvm/java-6-sun-1.6.0.06
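An added example, not part of the post above: a shell check of the state a dedicated service account ends up in, reading files in passwd(5) and shadow(5) format. In a shadow entry an empty second field means no password is required for that account, while a leading `!` or `*` locks password login; the sample files, account names and the `shadow_state` / `audit_account` helpers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Field meanings follow passwd(5)/shadow(5).

# shadow_state SHADOW USER -> empty | locked | hashed | missing
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"   # no password needed to authenticate
            else if ($2 ~ /^[!*]/) print "locked"  # can never match a crypt(3) result
            else                   print "hashed"  # a usable password is set
        }
        END { if (!found) print "missing" }' "$1"
}

# audit_account PASSWD SHADOW USER -> "ok" or space-separated findings
audit_account() {
    findings=""
    uid=$(awk -F: -v u="$3" '$1 == u { print $3 }' "$1")
    shell=$(awk -F: -v u="$3" '$1 == u { print $7 }' "$1")
    state=$(shadow_state "$2" "$3")
    if [ "$uid" = "0" ]; then findings="$findings uid0"; fi
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) findings="$findings interactive-shell" ;;
    esac
    if [ "$state" != "locked" ]; then findings="$findings password-$state"; fi
    findings=${findings# }
    echo "${findings:-ok}"
}

# Constructed sample data in passwd/shadow format (hash value is a placeholder).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
tomcat:x:998:998:Tomcat:/opt/tomcat:/bin/false
tomcat_open:x:997:997:Tomcat:/opt/tomcat:/bin/false
appsrv:x:0:0:App server:/root:/bin/bash
EOF
cat > "$demo/shadow" <<'EOF'
tomcat:!:14076:0:99999:7:::
tomcat_open::14076:0:99999:7:::
appsrv:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:14076:0:99999:7:::
EOF

for user in tomcat tomcat_open appsrv; do
    printf '%s: %s\n' "$user" "$(audit_account "$demo/passwd" "$demo/shadow" "$user")"
done
```

Pointing the two file arguments at /etc/passwd and /etc/shadow (the latter needs root to read) audits the real account.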
kjkoster
16-07-2008, 21:40
Dear Richard,
I did not know about setenv.sh. Thanks for the tip.
If you run Tomcat as a non-root user, how do you bind it to port 80?
Kees Jan
You don't :). I use an apache in front of it. I'm still waiting for someone to build in the same trick to tomcat as with apache (starting as root to claim the port and then switching the process to another user), but I guess that's hard to do or something.
I really think tomcat as root is a bad idea. There's a reason why the unix guys came up with ways to set permissions on files. If you run tomcat as root, you leave it up to the programmer to make absolutely sure that some hacker can not convince your app to truncate /etc/passwd for him. Maybe I'm a bad programmer, but I wouldn't trust even myself with that responsibility. If you run tomcat as a normal user at least the damage is restricted to tomcat files, most of which I mostly leave read-only to the tomcat user.
Richard
sippykup
17-07-2008, 08:41
$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
That magic formula lets you run tomcat as a non-root user on port 8080, and lets iptables forward traffic on port 80 to it.
sippykup
17-07-2008, 08:44
BTW, I've done some performance testing of mod_jk vs tomcat's http connector vs tomcat's nio connector. Each is about twice as fast as the other. So sticking apache in front of tomcat will give you about 25-35% the throughput that you can achieve if you dump it and use the nio connector.
$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
That magic formula lets you run tomcat as a non-root user on port 8080, and lets iptables forward traffic on port 80 to it.
That is a great tip! I have worked with iptables to block traffic but never for this. I imagine this is faster than apache in between.
kjkoster
17-07-2008, 14:32
BTW, I've done some performance testing of mod_jk vs tomcat's http connector vs tomcat's nio connector. Each is about twice as fast as the other. So sticking apache in front of tomcat will give you about 25-35% the throughput that you can achieve if you dump it and use the nio connector.
Interesting. Is there a place where you have posted these figures and describe the precise way you measured this? I'm sure people would like to do the tests over for their own setup.
sippykup
18-07-2008, 07:31
It was part of my team's JavaOne presentation (http://developers.sun.com/learning/javaoneonline/2008/pdf/TS-6391.pdf) this year. Not a lot of details on the performance testing in the slides, but there's a graph on page 42. I left out the graph of the NIO connector, but I managed to get about 30,000 rps out of it.
$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
That magic formula lets you run tomcat as a non-root user on port 8080, and lets iptables forward traffic on port 80 to it.
Yes, I use this. Works great.
You should never run an appserver as root ever, it's just plain lazy.
I'm waiting for Linux to support something like Solaris 10 where you can strip the root requirement off port 80.
Kees de Kooter
22-07-2008, 12:45
BTW, I've done some performance testing of mod_jk vs tomcat's http connector vs tomcat's nio connector. Each is about twice as fast as the other. So sticking apache in front of tomcat will give you about 25-35% the throughput that you can achieve if you dump it and use the nio connector.
Usually a tomcat app is part of a bigger website ecosystem hosted by an apache httpd or (yes, sorry) iis. So putting tomcat on port 80 is not an option.
How would apache's mod_proxy + tomcat http perform?
sippykup
22-07-2008, 18:12
I think I've read (haven't tested) that mod_proxy gives pretty much the same performance as mod_proxy. It's basically just a subset of mod_jk's features. I don't know of any compelling reason to choose mod_proxy over mod_jk, do you?
Kees de Kooter
22-07-2008, 19:11
mod_proxy is easier to configure. You only have to add ProxyPass / ProxyPassReverse directives to your apache config.
kjkoster
22-07-2008, 19:18
Well, it seems that the current mood is against mod_jk. The perception is that mod_jk is no longer under active development. That's not necessarily a bad thing, but it's a sign on the wall.
Here is a blog entry from about 2006 discussing mod_jk vs. mod_proxy (http://anilsaldhana.blogspot.com/2006/04/modjk-versus-modproxy.html). It has some interesting links on the comparison.
sippykup
22-07-2008, 19:19
Sorry, I should have said "mod_proxy gives pretty much the same performance as mod_jk". IMHO, mod_jk is not very hard to configure. :)
kjkoster
24-07-2008, 16:08
Here is a free chapter from the tomcat book: http://oreilly.com/catalog/9780596101060/chapter/index.html
It discusses performance tuning Tomcat.