We are planning to migrate our java web application build environment to Cloudbees but one aspect is currently blocking us. We are developing a multi-tenant application. It uses host subdomain to identify tenants and we use wildcard dns entries to do that in production (e.g. : *.example.com).
In development, we have hardcoded a few entries in our hosts file to mimic that. Those entries are enough to run our tests :
...
127.0.0.1 test1.app.dev
127.0.0.1 test2.app.dev
127.0.0.1 test3.app.dev
127.0.0.1 test4.app.dev
So basically, Jenkins should set the hosts file, then launch our app using our web container locally. Then the test suite is executed against the running web app.
I tried to add a pre-process step in the Jenkins project configuration to edit the hosts file but as expected, the Jenkins job does not have permission to do that.
Is there a way to change the hosts file before my test suite is run? Or is there something else we could do to simulate wildcard dns entries?
You could use the xip.io service from 37signals:
http://37signals.com/svn/posts/3191-announcing-pow-040-with-xipio-support
Thus your host names would be
test1.127.0.0.1.xip.io
test2.127.0.0.1.xip.io
test3.127.0.0.1.xip.io
test4.127.0.0.1.xip.io
I'd personally try and keep these in a centrally configured area, just in case the xip.io service was decommissioned, but it's probably fairly cheap to operate and so should be around for a while at least.
Related
I have an OpenShift environment built with an Apache AAA Pod (service and route) that allows external (to OpenShift) https requests via an intranet browser (yes, I mean intranet and not internet). Apache is setup as a proxy server for multiple pods/services inside of OpenShift. I also have a new pod that was recently created that runs Jenkins. Jenkins has a web interface built in. I am able to get to the Jenkins web GUI by setting up a ProxyPass and ProxyPassReverse for the default Jenkins web address.
Now here comes the problem...
When I go to example.com/jenkins, Apache sees the request and passes it to the Jenkins Pod but the Pod returns another address example.com/login. For this I have to enter another ProxyPass and Reverse into Apache. I then get that in and find that every link on the presented Jenkins Web GUI has another link that seems to present https://example.com/*. This is a problem because there are dozens of sub links and sub pages that each seem to require a separate ProxyPass and Reverse entry.
To add to this, I cannot simply pass "/" to the Jenkins pod because there are other pods and services that are being passed through the Apache server. My department does not have access to create new URLs on a whim so I have to stick with example.com/ as my only path into my OpenShift setup.
How can I do one of the following:
Change Jenkins to force the presented URL to include a header for every link. Like putting .../jenkins/* in front of every link so that I can use .../jenkins/ as my ProxyPass & Reverse to cover all jenkins web GUI URLs.
Configure Apache to convert the URLs coming from the Jenkins Pod into a URL that is presented to the web browser in such a way that .../jenkins/ is added between & /login or any other jenkins web links.
Some other option that I have not thought of yet that may have worked for others with similar setups.
(Sorry for the long question but there are a lot of details that needed to be included as this is a complex issue.)
You could startup jenkins at a different context path: java -jar jenkins.war --prefix=/jenkins, or start it up behind tomcat with a different context path.
Have you set the Jenkins URL in the Jenkins->Manage Jenkins->Configure System?
you can achieve this in two steps
implement the route changes at proxy level
implement the route changes at app level
I have implemented the same with Openshift environment.
Thanks.
I have a website that I am trying to convert to a docker-compose solution.
Part of the website is a CMS (WordPress, specifically), and there are also a few Java web applications that are currently handled by tomcat.
The current approach is that I have an official WordPress container and an official Tomcat container. I load my custom content in the WordPress (via a MySQL container which is not really a part of this question) and the WAR files into tomcat.
So the problem is this:
Parts of the WordPress website have links to Java applications. Previously, some of these links were relative links as simple as /Application1 and the user would be able to access the Java application.
Now, since they are hosted in separate containers, I cannot do this because there is nothing named "Application1" in the WordPress container. I have modified the htaccess file for the WordPress container with a RewriteRules like this:
# Tomcat exposes port 8085
RewriteRule ^.*Application1/(.*)$ http://localhost:8085/Application1/$1 [R,L]
But this means that if the user clicks the link for Application1 in wordpress, their browser will then redirect them to localhost:8085 - which works fine if you run this set of containers locally, but does not work for remote users.
I could change localhost to the actual name of the server this will run on. But then it would need to be manually updated for every server this stack will run on, or reset to localhost for developers.
I could combine WordPress and Tomcat into a single container, but we were hoping to keep them separate so that when we need to upgrade, we just change the version of the container we are pulling rather than having to rebuild a custom container from scratch.
Is there a more seamless way to do this, so that the URL in the user's browser never changes? Is there way to get this working so that remote users won't even know that the different parts of the site are hosted in different containers?
Assuming you do docker-compose in development and also in production, you replace localhost with servicename of the corresponding upstream.
Lets say, you have 3 containers: httpd, fpm ( wordpress) and java ( tomcat ). You configure httpd, to redirect to fpm:9000 if its domain.tld/php and redirect to java:8086 if the request is domain.tld/Application1.
All you need to understand is, that the actual service-name you have in docker-compose is available as a hostname in the container ( all containers ) - so containers can reach themselfs using the service-name of the other container - that makes inter-container communication very easy and pre-configureable, without knowing the actual container IPs ( which will change during development / production and host migrations )
I think I figured it out: I should have been using a proxy instead of a RewriteRule.
This seems to get me what I want:
ProxyPass "/Application1" "http://my-tomcat-server:8080/Application1"
ProxyPassReverse "/Application1" "http://my-tomcat-server:8080/Application1"
Jmeter load testing if add ip address in hosts file.i have already tried in host file configuration
I believe you should add DNS Cache Manager to your Test Plan, it has Static Host Table feature which can be used as the equivalent of hosts file manipulation on OS level
See The DNS Cache Manager: The Right Way To Test Load Balanced Apps article for more details.
We are using Apache Tomcat 7 for my web applications and we have decided to go on production stage.
So now is the time to think about how to secure the Tomcat and the machine. After reading "Apache tomcat security considerations" we decided to go on run tomcat process on dedicated user with minimum scenario.
From what I understand the best option is to configure it in a way that the running tomcat process has only read privilege to all the tomcat files.
I figured I would do it in this way:
I would create 2 users:
-tomcat_process - only for running tomcat
-admin - this is the one all the files belong to
tomcat_process will have access to conf directory, and also will be able to run scripts from tomcat/bin/
My main problem is that Tomcat needs to write to some files in $CATALINA_HOME/$CATALINA_BASE. I know I can change the location of logs and work directory and I thought I would point them to tomcat_process home dir (is this even a good idea?).
But I can't find any information if I can change the path to /conf/Catalina dir. Is it possible?
I would like to avoid adding write access to conf directory, as the whole configurations sits in there.
Or do you think that I should live those directories where their are and just add write privileges to them for tomcat_process?
I was wondering if you could please tell me if this is a correct approach or can I do it better?
I'm so confused with all those security guides which are telling me to restrict privileges but not telling how to do it :(
Keeping it simple I think is the key:
Create a new tomcat for each (set of) web application(s) with their own user.
Limit the tomcat resources to only the tomcat user. In linux you can use the chmod/chown command for this.
Place the tomcat behind a reverse proxy: Internet (https) <- external Firewall -> Apache Reverse Proxy <- Internal Firewall (block all unless whitelisted) --> Tomcat
Delete all standard webapps 'manager', 'root', 'docs'
Disable the shutdown command in server.xml
As for java web applications try to contain them in their own sandbox, meaning own database, own users.
To safe maintenance effort, you could run multiple instances using one tomcat binary and a single tomcat user.
http://www.openlogic.com/wazi/bid/188102/How-to-Run-Multiple-Instances-of-Tomcat-on-a-Single-Server
I have an existing web application which I have been building with an ant script and deploying as a .war file to Tomcat.
I am trying to add Drupal to my current technology stack to provide CMS and general UI-related functionality so that I don't have to write my html pages by hand and rather use templates.
During the installation of Drupal7, some of the instructions suggest that I go to this directory:
/etc/apache2/sites-available
and change the DocumentRoot to
/home/myuser/drupal/drupal7
If I make the docroot a basic directory on the file system, how will this impact how the application will work? In addition to Apache, I also have Tomcat server. My goal is to get them to all play nice together. How is this best accomplished?
If I make the docroot a basic directory on the filesystem
I'm not sure what you mean by this. There's no qualitative difference between /var/www and /home/mysuser/drupal/drupal7. The latter is longer and in the user's home directory, but assuming this user would be administering the service anyway that doesn't matter.
Next, the best way to make Tomcat and Apache get along is probably to run one of them on different subdomains. You could use the same domain, but that'd mean you had to run one of the daemons off a nonstandard port and that looks strange and might run into firewall trouble with some users.