ISTI-ansible-roles
/
ansible-role-tomcat-multiple-instances
4
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Import the old role.

This commit is contained in:
Andrea Dell'Amico 2020-06-01 19:00:45 +02:00
parent c636ad2ff9
commit e0d2777941
25 changed files with 10082 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@ -1,31 +1,22 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that installs multiple instances of tomcat, using the binaries from the distribution packages.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The most important variables are listed below:
``` yaml
tomcat_m_instances:
- { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', proxy_enabled: '{{ tomcat_m_proxy_enabled }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
The tomcat role, <git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-tomcat.git>
License
-------
@ -35,4 +26,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

98
defaults/main.yml
View File

@ -1,2 +1,98 @@
---
# defaults file for ansible-role-template
tomcat_version: 7
#tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
# Disable the main tomcat instance
tomcat_service_enabled: False
tomcat_m_instances_install: True
tomcat_m_host_manager_install: False
tomcat_m_manager_install: False
# Users and roles for the manager
tomcat_m_manager_gui_user_enabled: False
tomcat_m_manager_gui_user: guiadmin
tomcat_m_manager_gui_r: "manager-gui"
#tomcat_m_manager_gui_pwd: *Use a vault file*
tomcat_m_manager_script_user_enabled: True
tomcat_m_manager_script_user: scriptadmin
tomcat_m_manager_script_r: "manager-script"
#tomcat_m_manager_script_pwd: *Use a vault file*
tomcat_m_manager_jmx_user_enabled: False
tomcat_m_manager_jmx_user: jmxadmin
tomcat_m_manager_jmx_r: "manager-jmx"
#tomcat_m_manager_jmx_pwd: *Use a vault file*
tomcat_m_manager_status_user_enabled: False
tomcat_m_manager_status_user: statusadmin
tomcat_m_manager_status_r: "manager-status"
#tomcat_m_manager_status_pwd: *Use a vault file*
#tomcat_m_manager_other_roles:
# - { role: '', user: '', password: '', user_roles: '' }
tomcat_m_instances_base_path: '/var/lib/tomcat_instances'
tomcat_m_instances_logdir_base: '/var/log/tomcat_instances'
tomcat_m_cache_base: '/var/cache/tomcat-instances'
tomcat_m_default_user: 'tomcat{{ tomcat_version }}'
tomcat_m_use_default_user: True
tomcat_m_user_home: False
tomcat_m_default_user_shell: /bin/false
# Workaround for the '50 days shutdown' bug, until a fixed package will be available
tomcat_m_shutdown_port: -1
tomcat_m_shutdown_pwd: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits,hexdigits,punctuation') }}"
tomcat_m_max_threads: 200
tomcat_m_min_heap_size: 2048m
tomcat_m_heap_size: '{{ tomcat_m_min_heap_size }}'
tomcat_m_permgen_size: 512m
tomcat_m_file_encoding: 'UTF-8'
tomcat_m_restart_timeout: 300
# -server -Djava.awt.headless=true are always used. No need to specify them
tomcat_m_java_opts_heap: "-Xms{{ tomcat_m_min_heap_size }} -Xmx{{ tomcat_m_heap_size }}"
tomcat_m_java_opts_permgen: "-XX:MaxPermSize={{ tomcat_m_permgen_size }}"
tomcat_m_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError"
tomcat_m_java_opts: ""
tomcat_m_java_gc_opts: "-XX:+UseConcMarkSweepGC"
# Use "-XX:+UseConcMarkSweepGC" to enable the CMS garbage collector (improved
# response time). If you use that option and you run Tomcat on a machine with
# exactly one CPU chip that contains one or two cores, you should also add
# the "-XX:+CMSIncrementalMode" option.
#tomcat_m_other_java_opts: "-Djsse.enableSNIExtension=false"
tomcat_m_reverse_proxy_name_enabled: False
tomcat_m_reverse_proxy_name: '{{ ansible_fqdn }}'
tomcat_m_reverse_proxy_port: '{{ http_port | default(80) }}'
tomcat_m_proxy_enabled: False
tomcat_m_proxy_http_host: 'localhost'
tomcat_m_proxy_http_port: '3128'
tomcat_m_proxy_https_host: '{{ tomcat_m_proxy_http_host }}'
tomcat_m_proxy_https_port: '{{ tomcat_m_proxy_http_port }}'
tomcat_m_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_m_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_m_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_m_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_m_proxy_https_port }}"
tomcat_m_other_java_opts: ""
tomcat_m_webapps_autodeploy: False
tomcat_m_webapps_unpack: False
tomcat_m_start_instances: True
tomcat_m_enable_instances: True
tomcat_m_jndi_pool: False
tomcat_m_direct_access: False
# JMX and debugging
tomcat_m_enable_remote_debugging: False
tomcat_m_remote_debugging_host: '0.0.0.0'
tomcat_m_remote_debugging_port: '8100'
tomcat_m_remote_debugging_uri: '{{ tomcat_m_remote_debugging_host }}:{{ tomcat_m_remote_debugging_port }}'
tomcat_m_jmx_enabled: False
tomcat_m_jmx_auth_enabled: False
tomcat_m_jmx_use_ssl: False
tomcat_m_jmx_port: 8186
# The following works with jdk >= 7.0.25 only
tomcat_m_jmx_disable_additional_ports: True
tomcat_m_jmx_localhost_only: False
tomcat_m_jmx_ip_address: '{{ ansible_default_ipv4.address }}'
#tomcat_m_jmx_auth_dir: '{{ tomcat_m_instances_base_path }}'
# tomcat_m_jmx_monitorpass: define_in_a_vault_file
# tomcat_m_jmx_controlpass: define_in_a_vault_file
# This is only an example. Insert a line for each tomcat instance. 'app_contexts' can be used to automatically configure apache or nginx virtualhost http/ajp proxy
#
#tomcat_m_instances:
# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', proxy_enabled: '{{ tomcat_m_proxy_enabled }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }

35
files/context.xml Normal file
View File

@ -0,0 +1,35 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context>
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
<!-- Uncomment this to enable Comet connection tacking (provides events
on session expiration as well as webapp lifecycle) -->
<!--
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
</Context>

2
files/jmxremote.access Normal file
View File

@ -0,0 +1,2 @@
monitorRole readonly
controlRole readwrite

49
files/logging.properties Normal file
View File

@ -0,0 +1,49 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################
1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.
2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
# For example, set the com.xyz.foo logger to only log SEVERE
# messages:
#org.apache.catalina.startup.ContextConfig.level = FINE
#org.apache.catalina.startup.HostConfig.level = FINE
#org.apache.catalina.session.ManagerBase.level = FINE
#org.apache.catalina.core.AprLifecycleListener.level=FINE

52
files/policy.d/01system.policy Normal file
View File

@ -0,0 +1,52 @@
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
// catalina.corepolicy - Security Policy Permissions for Tomcat 6
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
// to the permissions granted here, the following additional permissions are
// granted to the codebase specific to each web application:
//
// * Read access to the document root directory
//
// $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $
// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};

10
files/policy.d/02debian.policy Normal file
View File

@ -0,0 +1,10 @@
// These permissions apply to all JARs from Debian packages
grant codeBase "file:/usr/share/java/-" {
permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/maven-repo/-" {
permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/ant/lib/-" {
permission java.security.AllPermission;
};

32
files/policy.d/03catalina.policy Normal file
View File

@ -0,0 +1,32 @@
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
permission java.util.logging.LoggingPermission "control";
permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
// To enable per context logging configuration, permit read access to the appropriate file.
// Be sure that the logging configuration is secure before enabling such access
// eg for the examples web application:
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};

59
files/policy.d/04webapps.policy Normal file
View File

@ -0,0 +1,59 @@
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";
// OS Specific properties to allow read access
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
// JVM properties to allow read access
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
// Required for OpenJMX
permission java.lang.RuntimePermission "getAttribute";
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
// Precompiled JSPs need access to this package.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
// Example JSPs need those to work properly
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
permission java.lang.RuntimePermission "accessDeclaredMembers";
// Precompiled JSPs need access to this system property.
permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
// java.io.tmpdir should be usable as a temporary file directory
permission java.util.PropertyPermission "java.io.tmpdir", "read";
permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
};

32
files/policy.d/50local.policy Normal file
View File

@ -0,0 +1,32 @@
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server. You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

4283
files/web.xml Normal file
View File

File diff suppressed because it is too large Load Diff

28
handlers/main.yml
View File

@ -1,2 +1,28 @@
---
# handlers file for ansible-role-template
- name: tomcat restart instances with changed configs
service: name='tomcat-instance-{{ item.item.http_port }}' state=restarted sleep=20
with_items: '{{ restart_needed.results }}'
when: item is changed
ignore_errors: True
- name: tomcat restart instances with changed jmx config
service: name='tomcat-instance-{{ item.item.http_port }}' state=restarted sleep=20
with_items: '{{ jmx_restart_needed.results }}'
when: item is changed
ignore_errors: True
- name: tomcat instances restart
service: name='tomcat-instance-{{ item.http_port }}' state=restarted sleep=20
with_items: '{{ tomcat_m_instances }}'
ignore_errors: True
- name: enable tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' state=started enabled=yes sleep=20
with_items: '{{ tomcat_m_instances }}'
ignore_errors: True
- name: disable tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' state=stopped enabled=no sleep=20
with_items: '{{ tomcat_m_instances }}'
ignore_errors: True

61
meta/main.yml
View File

@ -1,61 +1,28 @@
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
platforms:
- name: Ubuntu
versions:
- bionic
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- tomcat
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
dependencies:
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-tomcat.git
version: master
name: tomcat
state: latest

214
tasks/main.yml
View File

@ -1,2 +1,214 @@
---
# tasks file for ansible-role-template
#
# Note: the library role 'tomcat' is a dependency
#
- name: disable the tomcat main instance
service: name='tomcat{{ tomcat_version }}' state=stopped enabled=no
when: not tomcat_service_enabled
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create a tomcat user for each instance if needed
user: name={{ item.user }} home={{ item.user_home }} createhome=false shell={{ item.user_shell | default('/bin/false') }}
with_items: '{{ tomcat_m_instances }}'
when:
- not tomcat_m_use_default_user | bool
- item.user != "tomcat{{ tomcat_version }}"
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create a tomcat user if needed
user: name={{ tomcat_m_default_user }} home={{ tomcat_m_instances_base_path }} createhome=false shell={{ tomcat_m_default_user_shell }}
when:
- tomcat_m_use_default_user | bool
- tomcat_m_default_user != "tomcat{{ tomcat_version }}"
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create the instances directory trees
file: dest={{ item.0.instance_path }}/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0755 state=directory
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'common/classes', 'conf/Catalina/localhost', 'conf/policy.d', 'lib', 'server/classes', 'shared/classes', 'webapps' ]
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create the instances log dirs
file: dest={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} owner={{ item.user }} group={{ item.user }} mode=0755 state=directory
with_items: '{{ tomcat_m_instances }}'
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create the instances work dirs
file: dest={{ tomcat_m_cache_base }}/{{ item.http_port }} owner={{ item.user }} group={{ item.user }} mode=0755 state=directory
with_items: '{{ tomcat_m_instances }}'
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create links to work dir inside the instances directory tree
file: src={{ tomcat_m_cache_base }}/{{ item.http_port }} dest={{ item.instance_path }}/work state=link
with_items: '{{ tomcat_m_instances }}'
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create links to log dir inside the instances directory tree
file: src={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} dest={{ item.instance_path }}/logs state=link
with_items: '{{ tomcat_m_instances }}'
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create the catalina tmp directory
file: dest={{ item.catalina_tmp_directory }} state=directory owner={{ item.user }} group={{ item.user }} mode=0700
with_items: '{{ tomcat_m_instances }}'
when: item.catalina_tmp_directory is defined
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Populate the instances conf directory
copy: src={{ item[1] }} dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'context.xml' ]
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install catalina.properties
template: src={{ item[1] }}.j2 dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'catalina.properties' ]
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_catalina_properties' ]
- name: Populate the instances conf/policy.d directory
copy: src=policy.d/{{ item[1] }} dest={{ item.0.instance_path }}/conf/policy.d/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
with_nested:
- '{{ tomcat_m_instances }}'
- [ '01system.policy', '02debian.policy', '03catalina.policy', '04webapps.policy', '50local.policy' ]
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install logging.properties if we do not use log4j for the tomcat logging
copy: src={{ item[1] }} dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'logging.properties' ]
when:
- tomcat_use_log4j is defined
- not tomcat_use_log4j | bool
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install the server.xml conf file
template: src=tomcat-server.xml.j2 dest={{ item.instance_path }}/conf/server.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
- name: Install the web.xml file
template: src=tomcat-web.xml.j2 dest={{ item.instance_path }}/conf/web.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
- name: Install the tomcat-admin package if the host-manager or manager apps are required
apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }} cache_valid_time=1800 update_cache=yes
when: tomcat_m_host_manager_install | bool or tomcat_m_manager_install | bool
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
- name: Install the catalina configuration for the tomcat manager
template: src=tomcat-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
when: tomcat_m_manager_install | bool
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_manager' ]
- name: Install the catalina configuration for the tomcat host manager
template: src=tomcat-host-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/host-manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
when: tomcat_m_host_manager_install | bool
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager' ]
- name: Install the catalina configuration for the tomcat manager
template: src=tomcat-users.xml.j2 dest={{ item.instance_path }}/conf/tomcat-users.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
- name: Install the instances startup scripts
template: src=tomcat-instance.init.j2 dest=/etc/init.d/tomcat-instance-{{ item.http_port }} mode=0755 owner=root group=root
with_items: '{{ tomcat_m_instances }}'
register: reload_systemd
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_init' ]
- name: Install the tomcat instances default file
template: src=tomcat-default.j2 dest=/etc/default/tomcat-instance-{{ item.http_port }} mode=0640 owner=root group={{ item.user }}
with_items: '{{ tomcat_m_instances }}'
notify: tomcat instances restart
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_default', 'jdk' ]
- name: Reload the systemd daemon if we are running on a systemd-backed server
command: systemctl daemon-reload
when:
- ansible_service_mgr == 'systemd'
- reload_systemd | bool
- name: Install a custom context.xml file
template: src=tomcat-context.xml.j2 dest={{ item.instance_path }}/conf/context.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify: tomcat restart instances with changed configs
when: tomcat_m_jndi_pool | bool
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_contextxml', 'jdk' ]
- name: Install a logrotate entry for the access log file
template: src=tomcat.logrotate.j2 dest=/etc/logrotate.d/tomcat_instance-{{ item.http_port }} owner=root group=root mode=0644
with_items: '{{ tomcat_m_instances }}'
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf' ]
- name: Install the jmx authorization file
template: src=jmxremote.passwd.j2 dest={{ item.instance_path }}/conf/jmxremote.passwd owner={{ item.user }} group={{ item.user }} mode=0600
with_items: '{{ tomcat_m_instances }}'
when:
- item.jmx_enabled is defined
- item.jmx_auth_enabled is defined
- item.jmx_enabled | bool
- item.jmx_auth_enabled | bool
register: jmx_restart_needed
notify: tomcat restart instances with changed jmx config
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ]
- name: Install the jmx role file
copy: src=jmxremote.access dest={{ item.instance_path }}/conf/jmxremote.access owner={{ item.user }} group={{ item.user }} mode=0644
with_items: '{{ tomcat_m_instances }}'
when:
- item.jmx_enabled is defined
- item.jmx_auth_enabled is defined
- item.jmx_enabled | bool
- item.jmx_auth_enabled | bool
register: jmx_restart_needed
notify: tomcat restart instances with changed jmx config
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ]
- name: Start all the tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' state=started sleep=20
with_items: '{{ tomcat_m_instances }}'
when:
- tomcat_first_install.changed | bool
- tomcat_m_start_instances | bool
tags: [ 'tomcat', 'tomcat_instances']
ignore_errors: True
- name: Enable all the tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' enabled=yes
with_items: '{{ tomcat_m_instances }}'
when: tomcat_m_enable_instances | bool
tags: [ 'tomcat', 'tomcat_instances']

135
templates/catalina.properties.j2 Normal file
View File

@ -0,0 +1,135 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
#
#
# List of comma-separated paths defining the contents of the "common"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
# If left as blank,the JVM system loader will be used as Catalina's "common"
# loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/common/classes,${catalina.base}/common/*.jar
#
# List of comma-separated paths defining the contents of the "server"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
# If left as blank, the "common" loader will be used as Catalina's "server"
# loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
server.loader=${catalina.base}/server/classes,${catalina.base}/server/*.jar
#
# List of comma-separated paths defining the contents of the "shared"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
# the "common" loader will be used as Catalina's "shared" loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
# Please note that for single jars, e.g. bar.jar, you need the URL form
# starting with file:.
shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
# List of JAR files that should not be scanned for configuration information
# such as web fragments, TLD files etc. It must be a comma separated list of
# JAR file names.
# The JARs listed below include:
# - Tomcat Bootstrap JARs
# - Tomcat API JARs
# - Catalina JARs
# - Jasper JARs
# - Tomcat JARs
# - Common non-Tomcat JARs
# - Sun JDK JARs
# - Apple JDK JARs
tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
jasper.jar,jasper-el.jar,ecj-*.jar,\
tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
tomcat-jni.jar,tomcat-spdy.jar,\
tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
tomcat-jdbc.jar,\
tools.jar,\
commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
commons-math*.jar,commons-pool*.jar,\
jstl.jar,\
geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
xom-*.jar
# Additional JARs (over and above the default JARs listed above) to skip when
# scanning for Servlet 3.0 pluggability features. These features include web
# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
# must be a comma separated list of JAR file names.
org.apache.catalina.startup.ContextConfig.jarsToSkip=
# Additional JARs (over and above the default JARs listed above) to skip when
# scanning for TLDs. The list must be a comma separated list of JAR file names.
org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
#
# String cache configuration.
tomcat.util.buf.StringCache.byte.enabled=true
#tomcat.util.buf.StringCache.char.enabled=true
#tomcat.util.buf.StringCache.trainThreshold=500000
#tomcat.util.buf.StringCache.cacheSize=5000
{% if tomcat_m_catalina_opts is defined %}
# Custom configurations
{% for opt in tomcat_m_catalina_opts %}
{{ opt }}
{% endfor %}
{% endif %}

2
templates/jmxremote.passwd.j2 Normal file
View File

@ -0,0 +1,2 @@
monitorRole {{ item.jmx_monitorpass }}
controlRole {{ item.jmx_controlpass }}

79
templates/tomcat-context.xml.j2 Normal file
View File

@ -0,0 +1,79 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context>
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
<!-- Uncomment this to enable Comet connection tacking (provides events
on session expiration as well as webapp lifecycle) -->
<!--
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
{% if tomcat_m_jndi_pool %}
{% if tomcat_jndi_pool_databases is defined %}
{% for pool in tomcat_jndi_pool_databases %}
<Resource name="{{ pool. jndi_resource_name | default('jdbc/postgres') }}"
auth="Container"
type="{{ pool.jndi_resource_type | default('javax.sql.DataSource') }}"
driverClassName="{{ pool.jndi_class_name | default('org.postgresql.Driver') }}"
url="jdbc:postgresql://{{ pool. jndi_db_host }}:{{ pool.jndi_db_port | default (5432) }}/{{ pool.jndi_db_name }}"
username="{{ pool.jndi_db_user }}" password="{{ pool.jndi_db_pwd }}"
maxActive="20"
initialSize="0"
minIdle="0"
maxIdle="8"
maxWait="10000"
timeBetweenEvictionRunsMillis="30000"
minEvictableIdleTimeMillis="60000"
testWhileIdle="true"
validationQuery="SELECT 1"
maxAge="600000"
rollbackOnReturn="true"
/>
{% endfor %}
{% else %}
<Resource name="jdbc/postgres"
auth="Container"
type="javax.sql.DataSource"
driverClassName="org.postgresql.Driver"
url="jdbc:postgresql://{{ tomcat_jndi_pool_host }}:{{ tomcat_jndi_pool_db_port | default (5432) }}/{{ tomcat_jndi_pool_db }}"
username="{{ tomcat_jndi_pool_db_user }}" password="{{ tomcat_jndi_pool_db_pwd }}"
maxActive="20"
initialSize="0"
minIdle="0"
maxIdle="8"
maxWait="10000"
timeBetweenEvictionRunsMillis="30000"
minEvictableIdleTimeMillis="60000"
testWhileIdle="true"
validationQuery="SELECT 1"
maxAge="600000"
rollbackOnReturn="true"
/>
{% endif %}
{% endif %}
</Context>

80
templates/tomcat-default.j2 Normal file
View File

@ -0,0 +1,80 @@
{% if limits_nofile_value is defined %}
ulimit -Hn {{ limits_nofile_value }}
ulimit -Sn {{ limits_nofile_value }}
{% endif %}
TOMCAT_USER={{ item.user }}
TOMCAT_GROUP={{ item.user }}
JAVA_HOME={{ item.java_home }}
JAVA_OPTS="-server -Djava.awt.headless=true -Dfile.encoding={{ tomcat_m_file_encoding }}"
{% if jdk_default >= 8 %}
JAVA_OPTS="{{ tomcat_m_additional_java_8_opts }} $JAVA_OPTS"
{% endif %}
{% if item.java_heap is defined %}
JAVA_HEAP="{{ item.java_heap }}"
{% else %}
JAVA_HEAP="{{ tomcat_m_java_opts_heap }}"
{% endif %}
JAVA_PERMGEN=
{% if jdk_default <= 7 %}
{% if item.java_permgen_size is defined %}
JAVA_PERMGEN="-XX:MaxPermSize={{ item.java_permgen_size }}"
{% else %}
JAVA_PERMGEN="-XX:MaxPermSize={{ tomcat_m_permgen_size }}"
{% endif %}
{% endif %}
{% if item.java_opts is defined %}
JAVA_OPTS="{{ item.java_opts }} $JAVA_OPTS $JAVA_HEAP $JAVA_PERMGEN"
{% endif %}
{% if item.java_gc_opts is defined %}
JAVA_OPTS="{{ item.java_gc_opts }} $JAVA_OPTS"
{% endif %}
{% if item.proxy_enabled is defined and item.proxy_enabled %}
{% if item.proxy_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ item.proxy_opts }}"
{% else %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_m_proxy_opts }}"
{% endif %}
{% endif %}
{% if item.other_java_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ item.other_java_opts }}"
{% endif %}
{% if item.jmx_enabled is defined and item.jmx_enabled %}
# JMX settings
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ item.jmx_port | default('8186') }}"
{% if item.jmx_use_ssl is defined and item.jmx_use_ssl %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=true"
{% else %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
{% endif %}
{% if item.jmx_localhost_only is defined and item.jmx_localhost_only %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.local.only=true -Djava.rmi.server.hostname=127.0.0.1"
{% else %}
JAVA_OPTS="${JAVA_OPTS} -Djava.rmi.server.hostname={{ tomcat_m_jmx_ip_address }}"
{% endif %}
{% if item.jmx_auth_enabled is defined and item.jmx_auth_enabled %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file={{ item.jmx_auth_dir }}/jmxremote.password -Dcom.sun.management.jmxremote.access.file={{ item.jmx_auth_dir }}/jmxremote.access"
{% else %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
{% endif %}
{% if item.jmx_disable_additional_ports is defined and item.jmx_disable_additional_ports %}
JAVA_OPTS="${JAVA_OPTS} -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote.rmi.port={{ item.jmx_port }}"
{% endif %}
{% endif %}
{% if item.remote_debugging is defined and item.remote_debugging %}
# You will be able to use a java debugger on port {{ item.remote_debugging_uri }}.
JAVA_OPTS="${JAVA_OPTS} -agentlib:jdwp=transport=dt_socket,address={{ item.remote_debugging_uri }},server=y,suspend=n"
{% endif %}
# WARNING: This directory will be destroyed and recreated at every startup !
{% if item.catalina_tmp_directory is defined %}
JVM_TMP={{ item.catalina_tmp_directory }}/jvm_tmp
{% else %}
JVM_TMP={{ item.instance_path }}/tmp/jvm_tmp
{% endif %}
{% if item.catalina_tmp_directory is defined %}
export CATALINA_TMPDIR={{ item.catalina_tmp_directory }}
{% endif %}
# Additional options not managed by the provisioning tools
if [ -f /etc/default/tomcat-instance-{{ item.http_port }}.local ] ; then
. /etc/default/tomcat-instance-{{ item.http_port }}.local
fi

3
templates/tomcat-host-manager.xml.j2 Normal file
View File

@ -0,0 +1,3 @@
<Context path="/host-manager"
docBase="/usr/share/tomcat{{ tomcat_version }}-admin/host-manager"
antiResourceLocking="false" privileged="true" />

310
templates/tomcat-instance.init.j2 Executable file
View File

@ -0,0 +1,310 @@
#!/bin/sh
#
# /etc/init.d/tomcat-instance-{{ item.http_port }} -- startup script for the Tomcat {{ tomcat_version }} {{ item.user }} servlet engine on port {{ item.http_port }}
#
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
# Modified for Tomcat by Stefan Gybas <sgybas@debian.org>.
# Modified for Tomcat6 by Thierry Carrez <thierry.carrez@ubuntu.com>.
# Modified for Tomcat7 by Ernesto Hernandez-Novich <emhn@itverx.com.ve>.
# Additional improvements by Jason Brittain <jason.brittain@mulesoft.com>.
#
### BEGIN INIT INFO
# Provides: tomcat-instance-{{ item.http_port }}
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Should-Start: $named
# Should-Stop: $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start Tomcat.
# Description: Start the Tomcat servlet engine.
### END INIT INFO
set -e
PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=tomcat-instance-{{ item.http_port }}
DESC="Tomcat servlet engine"
DEFAULT=/etc/default/$NAME
JVM_TMP=/var/tmp/$NAME-tmp
if [ `id -u` -ne 0 ]; then
echo "You need root privileges to run this script"
exit 1
fi
# Make sure tomcat is started with system locale
if [ -r /etc/default/locale ]; then
. /etc/default/locale
export LANG
fi
. /lib/lsb/init-functions
if [ -r /etc/default/rcS ]; then
. /etc/default/rcS
fi
# The following variables can be overwritten in $DEFAULT
# Run Tomcat {{ tomcat_version }} as this user ID and group ID
TOMCAT{{ tomcat_version }}_USER={{ item.user }}
TOMCAT{{ tomcat_version }}_GROUP={{ item.user }}
# this is a work-around until there is a suitable runtime replacement
# for dpkg-architecture for arch:all packages
# this function sets the variable OPENJDKS
find_openjdks()
{
for jvmdir in /usr/lib/jvm/java-11-openjdk-*
do
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-11-openjdk-common" ]
then
OPENJDKS=$jvmdir
fi
done
for jvmdir in /usr/lib/jvm/java-8-openjdk-*
do
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-8-openjdk-common" ]
then
OPENJDKS=$jvmdir
fi
done
for jvmdir in /usr/lib/jvm/java-7-openjdk-*
do
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-7-openjdk-common" ]
then
OPENJDKS=$jvmdir
fi
done
for jvmdir in /usr/lib/jvm/java-6-openjdk-*
do
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-6-openjdk-common" ]
then
OPENJDKS="${OPENJDKS} ${jvmdir}"
fi
done
}
OPENJDKS=""
find_openjdks
# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
# defined in $DEFAULT)
JDK_DIRS="/usr/lib/jvm/default-java ${OPENJDKS} /usr/lib/jvm/java-6-openjdk /usr/lib/jvm/java-6-sun"
# Look for the right JVM to use
for jdir in $JDK_DIRS; do
if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
JAVA_HOME="$jdir"
fi
done
export JAVA_HOME
# Directory where the Tomcat binary distribution resides
CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}
# Directory for per-instance configuration files and webapps
CATALINA_BASE={{ item.instance_path }}
# Use the Java security manager? (yes/no)
TOMCAT{{ tomcat_version }}_SECURITY=no
# Default Java options
# Set java.awt.headless=true if JAVA_OPTS is not set so the
# Xalan XSL transformer can work without X11 display on JDK 1.4+
# It also looks like the default heap size of 64M is not enough for most cases
# so the maximum heap size is set to 128M
if [ -z "$JAVA_OPTS" ]; then
JAVA_OPTS="-Djava.awt.headless=true -Xmx512M"
fi
# End of variables that can be overwritten in $DEFAULT
# overwrite settings from default file
if [ -f "$DEFAULT" ]; then
. "$DEFAULT"
fi
if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
log_failure_msg "$NAME is not installed"
exit 1
fi
POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"
if [ -z "$CATALINA_TMPDIR" ]; then
CATALINA_TMPDIR="$JVM_TMP"
fi
# Set the JSP compiler if set in the ${ NAME }.default file
if [ -n "$JSP_COMPILER" ]; then
JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
fi
SECURITY=""
if [ "$TOMCAT{{ tomcat_version }}_SECURITY" = "yes" ]; then
SECURITY="-security"
fi
# Define other required variables
CATALINA_PID="/var/run/$NAME.pid"
CATALINA_SH="$CATALINA_HOME/bin/catalina.sh"
# Look for Java Secure Sockets Extension (JSSE) JARs
if [ -z "${JSSE_HOME}" -a -r "${JAVA_HOME}/jre/lib/jsse.jar" ]; then
JSSE_HOME="${JAVA_HOME}/jre/"
fi
catalina_sh() {
# Escape any double quotes in the value of JAVA_OPTS
JAVA_OPTS="$(echo $JAVA_OPTS | sed 's/\"/\\\"/g')"
AUTHBIND_COMMAND=""
if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c "
fi
# Define the command to run Tomcat's catalina.sh as a daemon
# set -a tells sh to export assigned variables to spawned shells.
TOMCAT_SH="set -a; JAVA_HOME=\"$JAVA_HOME\"; source \"$DEFAULT\"; \
CATALINA_HOME=\"$CATALINA_HOME\"; \
CATALINA_BASE=\"$CATALINA_BASE\"; \
JAVA_OPTS=\"$JAVA_OPTS\"; \
CATALINA_PID=\"$CATALINA_PID\"; \
CATALINA_TMPDIR=\"$CATALINA_TMPDIR\"; \
LANG=\"$LANG\"; JSSE_HOME=\"$JSSE_HOME\"; \
cd \"$CATALINA_BASE\"; \
\"$CATALINA_SH\" $@"
if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
TOMCAT_SH="'$TOMCAT_SH'"
fi
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT{{ tomcat_version }}_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
start-stop-daemon --start -b -u "$TOMCAT{{ tomcat_version }}_USER" -g "$TOMCAT{{ tomcat_version }}_GROUP" \
-c "$TOMCAT{{ tomcat_version }}_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
status="$?"
set +a -e
return $status
}
case "$1" in
start)
if [ -z "$JAVA_HOME" ]; then
log_failure_msg "no JDK found - please set JAVA_HOME"
exit 1
fi
if [ ! -d "$CATALINA_BASE/conf" ]; then
log_failure_msg "invalid CATALINA_BASE: $CATALINA_BASE"
exit 1
fi
log_daemon_msg "Starting $DESC" "$NAME"
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
# Regenerate POLICY_CACHE file
umask 022
echo "// AUTO-GENERATED FILE from {{ item.instance_path }}/conf/policy.d/" \
> "$POLICY_CACHE"
echo "" >> "$POLICY_CACHE"
cat $CATALINA_BASE/conf/policy.d/*.policy \
>> "$POLICY_CACHE"
# Remove / recreate JVM_TMP directory
rm -rf "$JVM_TMP"
mkdir -p "$JVM_TMP" || {
log_failure_msg "could not create JVM temporary directory"
exit 1
}
chown $TOMCAT{{ tomcat_version }}_USER "$JVM_TMP"
catalina_sh start $SECURITY
sleep 5
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
if [ -f "$CATALINA_PID" ]; then
rm -f "$CATALINA_PID"
fi
log_end_msg 1
else
log_end_msg 0
fi
else
log_progress_msg "(already running)"
log_end_msg 0
fi
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
set +e
if [ -f "$CATALINA_PID" ]; then
start-stop-daemon --stop --pidfile "$CATALINA_PID" \
--user "$TOMCAT{{ tomcat_version }}_USER" \
--retry=TERM/20/KILL/5 >/dev/null
if [ $? -eq 1 ]; then
log_progress_msg "$DESC is not running but pid file exists, cleaning up"
elif [ $? -eq 3 ]; then
PID="`cat $CATALINA_PID`"
log_failure_msg "Failed to stop $NAME (pid $PID)"
exit 1
fi
rm -f "$CATALINA_PID"
rm -rf "$JVM_TMP"
else
log_progress_msg "(not running)"
fi
log_end_msg 0
set -e
;;
status)
set +e
start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null 2>&1
if [ "$?" = "0" ]; then
if [ -f "$CATALINA_PID" ]; then
log_success_msg "$DESC is not running, but pid file exists."
exit 1
else
log_success_msg "$DESC is not running."
exit 3
fi
else
log_success_msg "$DESC is running with pid `cat $CATALINA_PID`"
fi
set -e
;;
restart|force-reload)
if [ -f "$CATALINA_PID" ]; then
$0 stop
sleep 1
fi
$0 start
;;
try-restart)
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
$0 start
fi
;;
*)
log_success_msg "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
exit 1
;;
esac
exit 0

3
templates/tomcat-manager.xml.j2 Normal file
View File

@ -0,0 +1,3 @@
<Context path="/manager"
docBase="/usr/share/tomcat{{ tomcat_version }}-admin/manager"
antiResourceLocking="false" privileged="true" />

146
templates/tomcat-server.xml.j2 Normal file
View File

@ -0,0 +1,146 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
{% if item.shutdown_port == '-1' %}
<Server port="{{ item.shutdown_port }}" shutdown="SHUTDOWN_PORT_DISABLED">
{% else %}
<Server port="{{ item.shutdown_port }}" shutdown="{{ tomcat_m_shutdown_pwd }}">
{% endif %}
{% if tomcat_version <= 7 %}
<Listener className="org.apache.catalina.core.JasperListener" />
{% endif %}
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
{% if item.http_enabled %}
<Executor name="tomcatThreadPool"
namePrefix="catalina-exec-"
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
maxThreads="{{ item.max_threads }}"
minSpareThreads="10"
/>
{% endif %}
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
{% if item.http_enabled %}
<!-- A http "Connector" using the shared thread pool-->
<Connector executor="tomcatThreadPool"
enableLookups="false"
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
maxThreads="{{ item.max_threads }}" connectionTimeout="60000"
URIEncoding="UTF-8"
bindOnInit="false" address="{{ item.http_address }}"
port="{{ item.http_port }}" protocol="HTTP/1.1"
maxPostSize="{{ item.max_post_size | default(104857600) }}"
useBodyEncodingForURI="true"
maxHttpHeaderSize="8192"
disableUploadTimeout="true"
{% if tomcat_m_reverse_proxy_name_enabled %}
proxyName="{{ tomcat_m_reverse_proxy_name }}"
proxyPort="{{ tomcat_m_reverse_proxy_port }}"
{% endif %}
/>
{% endif %}
{% if item.ajp_enabled %}
<!-- Define an AJP 1.3 Connector on port {{ tomcat_ajp_port }} -->
<Connector port="{{ item.ajp_port }}" protocol="AJP/1.3"
enableLookups="false"
address="{{ item.ajp_address }}"
URIEncoding="UTF-8"
useBodyEncodingForURI="true"
maxHttpHeaderSize="8192"
disableUploadTimeout="true"
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
maxThreads="{{ item.max_threads }}"
connectionTimeout="60000"
maxPostSize="{{ item.max_post_size | default(104857600) }}"
{% if tomcat_m_reverse_proxy_name_enabled %}
proxyName="{{ tomcat_m_reverse_proxy_name }}"
proxyPort="{{ tomcat_m_reverse_proxy_port }}"
{% endif %}
URIEncoding="UTF-8"
bindOnInit="false" />
{% endif %}
<Engine name="Catalina" defaultHost="localhost">
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
{% if item.unpack is defined %}
unpackWARs="{{ item.unpack }}"
{% else %}
unpackWARs="False"
{% endif %}
{% if item.autodeploy is defined %}
autoDeploy="{{ item.autodeploy }}"
{% else %}
autoDeploy="False"
{% endif %}
>
{% if item.access_log_enabled %}
<!-- Automatically substitutes the IP with the one contained
in the x-forwarded-for header if that header is set -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="combined" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access." suffix="log"
{% if tomcat_m_direct_access %}
pattern="combined"
{% else %}
pattern="%t %{org.apache.catalina.AccessLog.RemoteAddr}r %{X-AUSERNAME}o %I %s &quot;%r&quot; %b %{User-Agent}i"
{% endif %}
rotatable="False"
/>
{% endif %}
</Host>
</Engine>
</Service>
</Server>

49
templates/tomcat-users.xml.j2 Normal file
View File

@ -0,0 +1,49 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users>
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
{% if tomcat_m_host_manager_install or tomcat_m_manager_install %}
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
{% if tomcat_m_manager_gui_user_enabled %}
<user username="{{ tomcat_m_manager_gui_user }}" password="{{ tomcat_m_manager_gui_pwd }}" roles="{{ tomcat_m_manager_gui_r }}"/>
{% endif %}
{% if tomcat_m_manager_script_user_enabled %}
<user username="{{ tomcat_m_manager_script_user }}" password="{{ tomcat_m_manager_script_pwd }}" roles="{{ tomcat_m_manager_script_r }}"/>
{% endif %}
{% if tomcat_m_manager_jmx_user_enabled %}
<user username="{{ tomcat_m_manager_jmx_user }}" password="{{ tomcat_m_manager_jmx_pwd }}" roles="{{ tomcat_m_manager_jmx_r }}"/>
{% endif %}
{% if tomcat_m_manager_status_user_enabled %}
<user username="{{ tomcat_m_manager_status_user }}" password="{{ tomcat_m_manager_status_pwd }}" roles="{{ tomcat_m_manager_status_r }}"/>
{% endif %}
{% if tomcat_m_manager_other_roles is defined %}
{% for t_adm in tomcat_m_manager_other_roles %}
<role rolename="{{ t_adm.role }}"/>
<user username="{{ t_adm.user }}" password="{{ t_adm.password }}" roles="{{ t_adm.user_roles }}"/>
{% endfor %}
{% endif %}
{% endif %}
</tomcat-users>

4344
templates/tomcat-web.xml.j2 Normal file
View File

File diff suppressed because it is too large Load Diff

17
templates/tomcat.logrotate.j2 Normal file
View File

@ -0,0 +1,17 @@
{{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}/catalina.out {
copytruncate
{{ item.log_rotation_freq }}
rotate {{ item.log_retain }}
compress
missingok
create 640 {{ item.user }} adm
}
{{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}/localhost_access.log {
copytruncate
{{ item.log_rotation_freq }}
rotate {{ item.log_retain }}
compress
missingok
create 640 {{ item.user }} adm
}