Discovering dependencies of mod_jk - apache

We are running a large amount of old EC2 instances which are based on Amazon Linux AMI 2014.09, a pretty old version.
We have recently built mod_jk on one of them that so that we can front Tomcat with Apache Web server 2.4.
We are in the process of identifying the dependencies of this mod_jk module. Can we re-use the mod_jk.so library that we just built with newer versions of the OS? We are running a large number of instances, so we would like to cut out the whole "building binaries from sources" step, so our ideal setup would be to take the current mod_jk.so binary and deploy it in all other EC2 instances.
The question is: can we safely do it? If not, when do we need to rebuild it? For example:
Do we need to rebuild it if we decide to launch EC2 instances with the latest Amazon Linux AMI, which is 3 years newer?
Do we need to rebuild it if the Apache's version is different?
Thank you in advance,
Meletis

I have a couple of precompiled mod_jk's in order to avoid just this cases. As per my own experience, I must recompile it in this scenarios:
Different Apache version (2.2/2.4)
Apache 32/64bits
As I stated before, according to this, you should have no more than 4 built mod_jk binaries to choose the right one from.
I could not tell you wether this is a best practice (probably not), but I have use this already built mod_jk in different Linux distributions and versions of Fedora, CentOS, Red Hat and Debian.

Related

Apache upgrade from 2.4.6 to 2.4.29

Currently, we are planning to upgrade our complete web-server node in production.
Platform is RHEL 7.1 and currently apache 2.4.6 is running there.
I also got to know from red-hat that apache 2.4.6 is directly shipped with RHEL7 and for 2.4.26 or 2.4.29, they can't comment regarding it's technical feasibility part along with it's stability on RHEL platform.
I have few concerns now :
Is going ahead with apache 2.4.26 or 2.4.29 in production would be a good option or should i get stuck with the current one ? I am doubtful whether 2.4.26 or 2.4.29 are been tested on RHEL 7 series and is technically compatible.
I tried to install apache 2.4.26 and 2.4.29 on my test-bed first ( which is a RHEL 7.4 platform ) and i came across package dependency issues which proved out to be a blocker for me. I am afraid that i might face these issues on production as well which would be very dangerous. Have you ever faced this on your system too ?
Looking out for your kind support and feedback here ... !!!
Best Regards,
looking at : httpd direct rpm download
it seems that the last supported version is httpd-2.4.6-80.el7.x86_64.rpm
so do not try update your production environment with unsupported software, stick to releases !
upgrading to RHEL7.4 seems to be trouble-maker (as far as i heard : [source required !] )
i got no feedback about RHEL7.5

Apache version 2.2 and security vulnerabilities

A penetration test has recently identified that one of our RHEL(6.7) servers running Apache 2.2.15 is vulnerable on a number of points and needs to be updated to the latest version 2.4. I have run yum update and it says that there are no packages marked for update. I understand that I will need to download the updates manually. There are a few questions I have around the requirement to upgrade Apache.
I am up to date on the 2.2 version tree. Does this mean that any security patches made to version 2.4 will be back patched to version 2.2.X as well?
I am running PHP (version 5.3.3) and MySQL (version 5.1.73) - will these be affected by upgrading the Apache version (Google tells me that there is no problem on both fronts - but I thought I'd ask before I started down this route).
If you experts tell me that I have no other choice but to upgrade, then I'm planning on using the instruction set here: https://unix.stackexchange.com/questions/138899/centos-install-using-yum-apache-2-4
Thank you in advance for your advice.
You could download the 2.4 source code from the Apache site and compile it. There's a setting which will configure for RedHat:
--enable-layout=RedHat
This setting will configure the paths for executables, configuration files, libraries etc in one go.
The following should be a reasonable starting point for a configuration line:
sh ./configure --enable-layout=RedHat --enable-mods-shared=all
then perform a make and make install
Do the same with a newer version of PHP (5.3.29 is available in the "old downloads" section, but try a newer version. Check the changes first though) and your problems should be lessened. Finally, MySQL or MariaDB is available for download and compilation too
Obviously, try all of this on a test machine first and back everything up. Your test machine should be as close as possible to your production machine. If you use something like VirtualBox to try it, you can take a snapshot at each point of the process and rollback if something goes wrong

Using httpd 2.4 instead of 2.2 on centos 6

I use Centos 6.5, I've installed apache 2.2 on my server by yum, I want to upgrade my apache to 2.4, but yum not support that, so I download apache 2.4.7 and install it to opt/apache/httpd-2.4.7 follow the tutorial here: Apache 2.4.x Manual install on RHEL 6.4 - No apache modules will load on start . I want to change environment variables to new apache version to write apache 2.4 modules (change include folder for header file, change "modules" folder when build with apxs,...). I think I must install another httpd-devel for apache 2.4.7, because I still not install httpd-devel-2.4.7, but I don't know how to install and use it instead of httpd-devel-2.2 by yum. I can not describe my problems clearly in English, so I hope you can understand it. I'm a newbie and I really need your help. Thank you!
CentOS is image of RHEL, which stands for Red Hat Enterprise Linux. RHEL is designed to be an "Enterprise class" operating system, in which you rely on software packages that are delivered from controlled repositories where they are made available only after being thoroughly tested for Enterprise level use.
From that point of view, its generally not a good idea to install packages from source code, or using third party RPMs, because once you do, your OS is no longer "Enterprise" class.
If you're trying to upgrade for security reasons, you shouldn't. Critical security updates are always backported in previous RPM releases, so you only have to update your current package from the same yum repo from where you got it first. The binary will still say it is Apache 2.2, but it will have the latest security updates.
If you need an actual feature of 2.4, the smart move is to upgrade your CentOS. It may seem like the harder option initially, but it never is in the long run.
In my experience these reports can be fairly basic/binary:
Are you running the latest version of the software? If no flag as security risk.
However this fails to take into account package managers which back port fixes to older versions and so often have addressed potential security issues.
By moving away from the packaged version you are making security updates more difficult (as can't do a simple "yum update" to address them anymore).
Apache 2.2 is still maintained for security and bug fixes - though how long for remains to be seen and it is falling further and further behind in features.
So often you just need to explain (and prove!) you have a regular patching process and so the "version of Apache" you are reporting is not really accurate in terms of security patching.
See here for more details: https://serverfault.com/questions/731657/pci-compliance-apache-versions/
Saying all that we moved to Apache 2.4 on centos a while back for some extra features we wanted and just upgrade it to the latest version as part of regular patching cycle and are not finding it too inconvenient. Yes it's not quite as simple as "yum update" but it's a decision we've made because of some features we required. Not a decision to be taken lightly as Garreth states but it had the added side effect of this not getting highlighted anymore in these sorts of security scans :-)
We made this decision despite upgrading to a newer version of Red Hat as that was still on an older version of Apache (2.4.7 if memory serves me correctly) which still missed a few features we required. Sometimes it's frustrating how far behind some of these "enterprise" versions are, but that's the downside when there are plenty of upsides to using them too (stability, security... etc.).

What AWS CLI tools are installed by default on EC2 instances?

I'm using an Amazon Linux EC2 instance and am wondering What AWS CLI tools are installed by default on it.
Is it just the EC2 CLI API tools? How can one tell? Also where is the preferred single location on an EC2 instance to install each of the various CLI tools (RDS, cloudwatch, etc.) if they aren't installed already?
If you might answer each of these questions I'd be greatly appreciative.
For the Amazon Linux AMI 2012.03, here's the list of installed packages.
To answer your question, here's the list of AWS tools:
aws-amitools-ec2-1.4.0.7
aws-apitools-as-1.0.61.0
aws-apitools-cfn-1.0.9
aws-apitools-common-1.1.0
aws-apitools-ec2-1.5.5.0
aws-apitools-elb-1.0.17.0
aws-apitools-iam-1.5.0
aws-apitools-mon-1.0.12.1
aws-apitools-rds-1.8.002
aws-cfn-bootstrap-1.1
aws-scripts-ses-2012.05.15
According to Amazon Linux AMI Basics:
to allow the installation of multiple versions of the API and AMI
tools, we have placed symlinks to the desired versions of these tools
in /opt/aws, as described here:
/opt/aws/bin—Symlink farm to /bin directories in each of the installed
tools directories.
/opt/aws/{apitools|amitools}—Products are installed in directories of
the form [name]-version and symlink [name] attached to the most
recently installed version.
/opt/aws/{apitools|amitools}/[name]/environment.sh—Used by
/etc/profile.d/aws-apitools-common.sh to set product-specific
environment variables (EC2_HOME, etc.).
There are no fixed standards or set rules about what is installed on AMIs in general.
Different Linux distros and different AMI publishers each decide what they want to put in their image and where.
In fact, an AMI doesn't even need to give you command line access to your instance through ssh if they don't want to.
If you have a specific AMI series in mind (Amazon Linux, Ubuntu 12.04 LTS from Canonical, CentOS 5.5 from RightScale) then update your question to include this.
For the record: the "minimal" variant of Amazon Linux does not have the full suite of CLI tools. Doing a yum install ec2-tools didn't get me what I wanted, so I just created a new instance with the non-minimal AMI. I also found that this minimal Linux isn't any more space-efficient, at least as originally configured; the additional 6 GB that would go to the root partition is left unallocated.

Upgrading apache tomcat from 5.5.xx to a newer 5.5 version

Is there a guide on how to do this easily? I want to upgrade it without losing all the configuration settings etc. Is there a particular method to achieve this (or config files that I can just copy to the new installation). I'm running it as a windows service at the moment so the new version will need to run in the same way too.
Thanks.
There isn't an upgrade script that will do it for you, at least not that I've ever used/found. Which, is actually a good thing, IMO. You can simply download the newer Tomcat version to a different directory than your current install (c:/tomcat55 and c:/tomcat6) and copy the configuration from you 5.5 installation. Nearly all of the basic settings are the same from 5.5 to 6.0.x, not as sure about 7.0. If you install the new service with a different service name, you don't have to worry about any conflicts (except the ports in your server.xml)
If this is a production box, I would recommend changing the ports on your new installation so you can run it alongside your current install, and test your applications before you switch over. If all is OK, you can shutdown your new Tomcat, update the ports to be what your current install is, shutdown Tomcat5.5, and start your new install and you should be good. Of course you can always run the new install on the different port, but if you're using Apache in front, you'll have to update the Apache config as well.
Hope this helps.