Here is a guide to setting up Tomcat5 on Redhat FC5 running with SELinux enabled, specifically dealing with how to replace the FC5 GNU Java with the “proper” Sun JDK whilst doing it the “Redhat Way”.
To complete this guide, it will help if you have experience installing Linux and using yum to manage packages on Fedora. This guide was compiled while performing an installation on a virtual machine using VMWare Server v1.0.1; however, the method should be identical for the setup of the same system on a “proper” machine.
NOTE: This does not cover configuration of apache/mod_jk/tomcat or installation of the webapps themselves, but will get you a working installation to start from.
1. Base install FC5:
Insert CD1 and boot – press enter at boot menu to commence installation.
Choose appropriate keyboard/country settings.
Set up the partition table as appropriate, along with timezone, root password, etc.
Packages:
Choose “Webserver” only; select “Customize now”. Within the package selection trees:
- Desktop environment: Remove if required
- Applications: Install editor of choice (vim-enhanced), text-based internet (links)
- Development libraries: None
- Servers: Webserver (cryptoutils, httpd manual, mod_ssl, tomcat5, tomcat5-webapps, tomcat5-admin-webapps)
- Base System: Remove X server, Dial-up networking tools and GUI admin tools as appropriate.
- Languages: Add British support
“Next”: Let packages sort out the dependencies…
“Next” to complete the installation (insert CDs as appropriate when prompted).
Reboot when prompted.
2. Post-install setup
Login as root and set up the JPackage repository in yum as follows. First import the JPackage rpm keys:
wget http://jpackage.org/jpackage.asc
rpm --import jpackage.asc
Then install the JPackage repository information for yum:
cd /etc/yum.repos.d
wget http://jpackage.org/jpackage.repo
Install rpm tools (following the instructions from yum to install required dependencies as necessary – currently this is 6 new and 8 updates):
yum install fedora-rpmdevtools
yum install rpm-build
Download the latest Sun JDK package as a self-extracting rpm (as of 14th Sept 2006, this is JDK 5.0 Update 8; you may be best downloading it locally and transferring it via sftp/scp if you didn’t install X and GNOME/KDE). Make the file executable and run it:
cd
chmod a+x jdk-1_5_0_08-linux-i586-rpm.bin
./jdk-1_5_0_08-linux-i586-rpm.bin
After agreeing to the license agreement, the JDK installer will unpack, checksum and install the JDK rpm. After this step, we need to install the compatibility libraries so that the system recognises the existence of the newly installed Java version:
yum --enablerepo=jpackage-generic-nonfree install java-1.5.0-sun-compat
Again, follow yum’s prompts to download extra packages where required.
3. Check Java version
java -version
should give you your default java version:
[root@fc5test ~]# java -version
java version "1.5.0_08"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_08-b03)
Java HotSpot(TM) Client VM (build 1.5.0_08-b03, mixed mode, sharing)
If this is NOT 1.5.0.xx, you’ll need to change the system default using alternatives:
alternatives --config java
4. Setup firewall rules
Set up the firewall rules using:
system-config-securitylevel-tui
Ensure that the following ports are enabled:
- ssh (!!)
- http
- https
- 8080 (under custom ports)
This gives quite a restrictive set of rules – if you need to tighten or loosen further, you can use the interface again, or use iptables as a command line program to do so.
5. Setup mod_proxy_ajp
mod_jk is no longer used in Apache 2.2.x to allow Apache to proxy for Tomcat; now mod_proxy_ajp is used, which is already supplied with the Apache binary. This needs to be set to load in the Apache config, so add the line (if it doesn’t already exist in /etc/httpd/conf.d/proxy_ajp.conf):
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
into the modules section of httpd.conf.
Lastly, we need to set up Apache to proxy using the AJP protocol, which could be as simple as:
<VirtualHost *:80>
    ServerName fc5test
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /webapp ajp://127.0.0.1:8009/webapp
</VirtualHost>
Port 8009 is the Tomcat backend that Apache will connect to when proxying.
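Two details of the snippet above carry most of the security weight: ProxyRequests Off, without which the vhost also acts as an open forward proxy for anyone who can reach port 80, and the ProxyPass target being 127.0.0.1, so the unprotected AJP connector is only ever spoken to from the same host. The following shell script is an added example, not part of the original guide: it lints a proxy_ajp vhost block for those two properties. The inputs are the guide's own snippet and a constructed weak variant; the function name check_ajp_proxy_conf is mine.

```shell
#!/bin/sh
# Constructed input 1: the vhost block from the guide, assumed to have been
# saved to a file such as /etc/httpd/conf.d/proxy_ajp.conf (path assumed).
GOOD_CONF='<VirtualHost *:80>
    ServerName fc5test
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /webapp ajp://127.0.0.1:8009/webapp
</VirtualHost>'

# Constructed input 2: a weak variant with forward proxying left on and the
# AJP backend pointing at another host (both are deliberate defects).
BAD_CONF='<VirtualHost *:80>
    ServerName fc5test
    ProxyRequests On
    ProxyPass /webapp ajp://10.0.0.5:8009/webapp
</VirtualHost>'

# check_ajp_proxy_conf CONFIG_TEXT
# Prints one line per finding and returns the number of findings (0 = clean),
# so it can be used directly in an if-test.
check_ajp_proxy_conf() {
    conf=$1
    problems=0

    # 1. Forward proxying must be explicitly switched off; mod_proxy with
    #    ProxyRequests On turns the vhost into an open proxy.
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+Off[[:space:]]*$'; then
        echo "ProxyRequests Off is missing (vhost would act as an open forward proxy)"
        problems=$((problems + 1))
    fi

    # 2. Every ajp:// backend should be loopback: the AJP connector on 8009
    #    should only be reachable from Apache on the same machine.
    for target in $(printf '%s\n' "$conf" | grep -Eio 'ajp://[^/[:space:]]+'); do
        case $target in
            ajp://127.0.0.1:*|ajp://127.0.0.1|ajp://localhost:*|ajp://localhost) ;;
            *)
                echo "AJP backend $target is not loopback"
                problems=$((problems + 1))
                ;;
        esac
    done

    return $problems
}

# Demonstration over the two constructed inputs.
check_ajp_proxy_conf "$GOOD_CONF" && echo "guide snippet: clean"
check_ajp_proxy_conf "$BAD_CONF" || echo "weak variant: $? problem(s) found"
```

On a live box the same function can be fed the real file with `check_ajp_proxy_conf "$(cat /etc/httpd/conf.d/proxy_ajp.conf)"`; a non-zero return is the cue to fix the config before opening port 80 in the firewall from step 4.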
6. SELinux Part 1 – Relax Policy
By default SE-Linux is turned on, and to check this do:
selinuxenabled
echo $?
A return value of 0 indicates that SELinux is enabled on the system; any audit messages can be viewed on the console or in /var/log/messages. However, the default policy setting, “strict”, does not allow Apache to connect to Tomcat on port 8009, so we need to make some changes to fix this. The first is to edit /etc/selinux/config and set the policy to “permissive”. A subsequent reboot will enable this setting, after which we will be able to see any problems with the SELinux policy by searching /var/log/messages for log entries containing “avc: denied”.
7. Test Apache and Tomcat
Use the init scripts to start the relevant services up:
/etc/init.d/httpd start
/etc/init.d/tomcat5 start
Now check that the services are running properly by using a web browser and trying to go to http://<server IP> (tests standard Apache http), https://<server IP> (tests the Apache secure web service; you will get a self-signed cert warning here), and finally http://<server IP>:8080 (to test Tomcat5).
If this has all worked well, you should now have a fully working Tomcat5 installation running on FC5! If you get a 503 error, then it’s likely you’ve tried the address where Apache is proxying for Tomcat, and you haven’t changed or corrected the SELinux policy as in step 6.
8. SELinux Part 2 – Adjust Policy
After adjusting the SELinux behaviour, rebooting, starting Apache and Tomcat and setting up the AJP proxy, you can now try to see if the proxying works (in the example above: http://<server IP>/webapp). Use a sample “Hello World” application here (you may need to deploy a .war file using the Tomcat manager).
Now inspect /var/log/messages to see if the SELinux policy would have denied this connection. If you see something along the lines of:
Sep 15 10:56:57 fc5test kernel: audit(1158314217.408:259): avc: denied { name_connect } for pid=2245 comm="httpd" dest=8009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
then there is some work to do. Note, the “avc: denied” message references httpd (the Apache daemon) and port 8009 as the destination for a tcp socket connection (this is the Tomcat port from earlier). To allow Apache to perform network connects, you can do the following:
setsebool -P httpd_can_network_connect=1
This allows Apache to make network connections, and the -P flag stores the change in the booleans.local file under /etc/selinux/targeted/modules/active so it is reloaded at the next boot. The alternative would be to recompile the policy from source with the appropriate changes, but given this is already a tunable boolean, that would create unnecessary work. Next, change /etc/selinux/config to set the policy to “enforcing” and reboot again. On reboot, you should be able to access the proxied webapp as set up previously. I strongly advise against switching to a “strict” policy unless you know what you are doing with SELinux and have corrected the policy to take account of any unwanted “denied” messages (or you may find the system won’t even boot!).
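Reading /var/log/messages by eye works for one denial, but after a reboot in permissive mode there may be dozens, and only the httpd_t to port 8009 name_connect ones are addressed by the boolean above. The script below is an added example (mine, not from the guide) that summarises avc: denied lines from syslog input, grouping them by process, permission, object class and target so the distinct problems stand out. The sample log lines are constructed, modelled on the entry quoted above; summarize_avc is my function name.

```shell
#!/bin/sh
# Constructed sample syslog extract: two httpd->8009 denials, one unrelated
# sshd line, and one file-read denial that the network boolean will not fix.
AVC_SAMPLE='Sep 15 10:56:57 fc5test kernel: audit(1158314217.408:259): avc:  denied  { name_connect } for  pid=2245 comm="httpd" dest=8009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Sep 15 10:56:58 fc5test kernel: audit(1158314218.101:260): avc:  denied  { name_connect } for  pid=2246 comm="httpd" dest=8009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Sep 15 10:57:03 fc5test sshd[2301]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Sep 15 10:57:10 fc5test kernel: audit(1158314230.512:261): avc:  denied  { read } for  pid=2245 comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# summarize_avc
# Reads syslog lines on stdin and prints "COUNT comm permission tclass target",
# most frequent first. Non-AVC lines are ignored. The permission is taken from
# the "{ ... }" braces; the target is "port N" for socket denials or the
# object name for file denials.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = "?"; comm = "?"; tclass = "?"; target = "-"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")        { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "tclass") { tclass = kv[2] }
            else if (kv[1] == "dest")   { target = "port " kv[2] }
            else if (kv[1] == "name")   { target = kv[2]; gsub(/"/, "", target) }
        }
        count[comm " " perm " " tclass " " target]++
    }
    END {
        for (k in count) printf "%d %s\n", count[k], k
    }' | sort -rn
}

# Demonstration over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

On a real system run `grep 'avc: *denied' /var/log/messages | summarize_avc`. A line such as "2 httpd name_connect tcp_socket port 8009" is exactly the case the guide's setsebool -P httpd_can_network_connect=1 addresses; a "read file" denial against a file in a user home directory is a labelling problem (the wrong file context on the content), not a network one, and needs a separate fix rather than a broader boolean.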
9. Set Apache and Tomcat to start at boot
This is simply a case of using chkconfig to set the default runlevels for the relevant services:
chkconfig --level 345 httpd on
chkconfig --level 345 tomcat5 on
A reboot and retest will confirm that all is working well and setup as required.
10. Running yum to update packages
When running yum to update the system packages, the following needs to be used (this is as of 15th Sept 2006):
yum --disablerepo='jpackage*' --exclude=java-1.5.0-sun-compat \
    --exclude=jdk update
This avoids yum trying (and failing) to find the required jdk version (it looks for 2000:1.5.0_08-fcs but 1.5.0_08-fcs is installed), and it also solves an issue with a missing geronimo package. It may well be worth altering /etc/yum.repos.d/jpackage.repo and setting enabled=0 in the [jpackage-generic] section at this point, as this removes the need for the --disablerepo argument above.
This guide (v1.3) written by G. Coates, 15th Sept 2006. All errors and omissions are probably my fault.
Tomcat 5 on Fedora Core 5 by Graeme Coates is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Excellent post. Thank you.
One note.
The java file should be jdk-1_5_0_09-linux-i586-rpm.bin only. Otherwise, 'yum --enablerepo=jpackage-generic-nonfree install java-1.5.0-sun-compat' will give an error.
rpm -e -nodeps httpd
RPM version 4.4.2
Copyright (C) 1998-2002 - Red Hat, Inc.
This program may be freely redistributed under the terms of the GNU GPL
Usage: rpm [-aKfgpWHqV] [-aKfgpWHqVcdils] [-aKfgpWHqVcdilsaKfgpWHqV] [-aKfgpWHqV cdilsaKfgpWHqV] [-aKfgpWHqVcdilsaKfgpWHqV] [-aKfgpWHqVcdilsaKfgpWHqVK] [-aKfgpWH qVcdilsaKfgpWHqVK] [-aKfgpWHqVcdilsaKfgpWHqVKi] [-aKfgpWHqVcdilsaKfgpWHqVKiv] [- aKfgpWHqVcdilsaKfgpWHqVKiv] [-aKfgpWHqVcdilsaKfgpWHqVKiv?] [-a|--all] [-f|--file ] [-g|--group]
[-p|--package] [-W|--ftswalk] [--pkgid] [--hdrid] [--fileid]
[--specfile] [--triggeredby] [--whatrequires] [--whatprovides]
[--nomanifest] [-c|--configfiles] [-d|--docfiles] [--dump] [-l|--list]
[--queryformat=QUERYFORMAT] [-s|--state] [--nomd5] [--nofiles]
[--nodeps] [--noscript] [--comfollow] [--logical] [--nochdir]
[--nostat] [--physical] [--seedot] [--xdev] [--whiteout]
[--addsign] [-K|--checksig] [--delsign] [--import] [--resign]
[--nodigest] [--nosignature] [--initdb] [--rebuilddb] [--aid]
[--allfiles] [--allmatches] [--badreloc] [-e|--erase +]
[--excludedocs] [--excludepath=] [--fileconflicts] [--force]
[-F|--freshen +] [-h|--hash] [--ignorearch] [--ignoreos]
[--ignoresize] [-i|--install] [--justdb] [--nodeps] [--nomd5]
[--nocontexts] [--noorder] [--nosuggest] [--noscripts]
[--notriggers] [--oldpackage] [--percent] [--prefix=]
[--relocate==] [--repackage] [--replacefiles]
[--replacepkgs] [--test] [-U|--upgrade +]
[-D|--define 'MACRO EXPR'] [-E|--eval 'EXPR'] [--macros=]
[--nodigest] [--nosignature] [--rcfile=] [-r|--root ROOT]
[--querytags] [--showrc] [--quiet] [-v|--verbose] [--version]
[-?|--help] [--usage] [--scripts] [--setperms] [--setugids]
[--conflicts] [--obsoletes] [--provides] [--requires] [--info]
[--changelog] [--xml] [--triggers] [--last] [--filesbypkg]
[--fileclass] [--filecolor] [--filecontext] [--fscontext]
[--recontext] [--fileprovide] [--filerequire] [--redhatprovides]
[--redhatrequires] [--buildpolicy=] [--with=]
[--without=]
Please help: after running "rpm -e -nodeps httpd" we are getting this response.
Please email me for my consulting rates 🙂 – though I would ask why you’re trying to uninstall apache while (hint: unsuccessfully) ignoring the dependencies…?
Nice tutorial…. thanks !!!