Debian's Tomcat comes with an almost-usable systemd service that needs to be amended in order to:
- Avoid the systemd-house-of-horror that's still all too common with Tomcat/Java packaging
- Avoid slow startup times due to use of a blocking /dev/random (cf. Myths about urandom, also linked to from the Shib wiki).
- Allow the IDP application to write logs and metadata to the filesystem as needed (by adding more ReadWritePaths)
- Try avoiding the creation of catalina.out (we already have its content in journald using this configuration)
And since we're creating an override for the OS-supplied systemd service unit anyway, we'll also set the maximum memory usage there ("-Xmx3g" in the example below, i.e., 3GB).
Adjust this as needed, but 3-4GB should be sufficient even for large metadata aggregates (as are common with Interfederation). Also leave a bit of RAM for the OS. (Not that you should be running anything else on an IDP server.)
```bash
# Create the drop-in directory for the packaged tomcat10 unit
install -o root -g root -m 0755 -d /etc/systemd/system/tomcat10.service.d
# Write the override; the quoted 'EOF' keeps the shell from expanding $VARS,
# so systemd receives them literally. The empty ExecStart= clears the
# packaged start command before the new one is defined.
cat <<'EOF' > /etc/systemd/system/tomcat10.service.d/override.conf
[Service]
Environment="CATALINA_OUT=/dev/null"
Environment="JAVA_OPTS=-Djava.security.egd=file:/dev/urandom -Djava.awt.headless=true -Xmx3g"
Environment="JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048"
ExecStart=
ExecStart=/usr/bin/java \
  $JAVA_OPTS $JSSE_OPTS \
  -classpath ${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar \
  -Dcatalina.base=${CATALINA_BASE} \
  -Dcatalina.home=${CATALINA_HOME} \
  -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties \
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
  -Djava.io.tmpdir=${CATALINA_TMPDIR} \
  org.apache.catalina.startup.Bootstrap
ReadWritePaths=/var/log/shibboleth/
ReadWritePaths=/opt/shibboleth-idp/logs/
ReadWritePaths=/opt/shibboleth-idp/metadata/
EOF
```
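A pre-flight check for the drop-in above, as an added example that is not part of the original page: it catches the three mistakes that stop the unit from starting (an uncleared `ExecStart=`, a malformed or duplicated `-Xmx`, and a `ReadWritePaths=` target that does not exist). The function name `check_override` and its optional second argument (a staging root prepended to each path) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint for the tomcat10 drop-in. check_override is a hypothetical
# helper; ROOT (optional) is prepended to each path to check a staging tree.
check_override() {
    conf=$1
    root=${2:-}
    rc=0

    # A non-oneshot service may have only one ExecStart=, so the first assignment
    # in the drop-in must be the empty one that clears the packaged command.
    first=$(grep '^ExecStart=' "$conf" | head -n 1)
    if [ -n "$first" ] && [ "$first" != "ExecStart=" ]; then
        echo "ExecStart= is redefined without being cleared first"
        rc=1
    fi

    # JAVA_OPTS needs exactly one well-formed -Xmx; the JVM exits on a malformed one.
    heap=0
    for opt in $(sed -n 's/^Environment="JAVA_OPTS=\(.*\)"$/\1/p' "$conf"); do
        case $opt in
            -Xmx*)
                heap=$((heap + 1))
                if ! printf '%s\n' "$opt" | grep -Eq '^-Xmx[0-9]+[kKmMgG]?$'; then
                    echo "malformed heap limit: $opt"
                    rc=1
                fi ;;
        esac
    done
    if [ "$heap" -ne 1 ]; then
        echo "expected exactly one -Xmx option, found $heap"
        rc=1
    fi

    # Every ReadWritePaths= entry must exist, or the unit fails while its mount
    # namespace is set up. A leading "-" tells systemd to ignore a missing path.
    for p in $(sed -n 's/^ReadWritePaths=//p' "$conf"); do
        case $p in -*) continue ;; esac
        if [ ! -e "$root$p" ]; then
            echo "ReadWritePaths target missing: $p"
            rc=1
        fi
    done
    return "$rc"
}

# Run against a file when called with arguments, e.g.:
#   sh check_override.sh /etc/systemd/system/tomcat10.service.d/override.conf
if [ "$#" -gt 0 ]; then check_override "$@"; fi
```

A non-zero exit status means at least one finding was printed; run it before `systemctl daemon-reload` and a restart.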