Original question: http://stackoverflow.com/questions/26431922/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
Tomcat7 starts too late on Ubuntu 14.04 x64 [Digitalocean]
Asked by yuceel
I am using DigitalOcean and trying to install and start Tomcat on Ubuntu, but unfortunately I cannot do it. (Created new droplets and tried 10 times.)
1GB RAM, 30GB SSD disk, Amsterdam 2, Ubuntu 14.04 x64
When I start Tomcat, it says "Tomcat started", but I cannot access the page from a browser, and ./shutdown.sh returns an error.
What can be the problem?
I noticed something now. While I am writing this question, the Tomcat page is displayed. It took 28 minutes to display the page.
catalina.out says: INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [1,718,769] milliseconds.
Here are my installation steps (these steps work on a different VPS but don't work on DigitalOcean droplets):
Install Oracle JDK
sudo apt-get install python-software-properties
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java7-installer
sudo apt-get install oracle-java7-set-default
java -version
java version "1.7.0_72"
Java(TM) SE Runtime Environment (build 1.7.0_72-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.72-b04, mixed mode)
Set Java path
sudo nano /etc/environment
JAVA_HOME="/usr/lib/jvm/java-7-oracle"
source /etc/environment
wget http://ftp.itu.edu.tr/Mirror/Apache/tomcat/tomcat-7/v7.0.56/bin/apache-tomcat-7.0.56.tar.gz
tar xvzf apache-tomcat-7.0.56.tar.gz
mv apache-tomcat-7.0.56/ apache-tomcat-7.0.56-server-1/
Start Tomcat
./startup.sh
Using CATALINA_BASE: /usr/local/apache-tomcat-7.0.56-server-1
Using CATALINA_HOME: /usr/local/apache-tomcat-7.0.56-server-1
Using CATALINA_TMPDIR: /usr/local/apache-tomcat-7.0.56-server-1/temp
Using JRE_HOME: /usr/lib/jvm/java-7-oracle/jre
Using CLASSPATH: /usr/local/apache-tomcat-7.0.56-server-1/bin/bootstrap.jar:/usr/local/apache-tomcat-7.0.56-server-1/bin/tomcat-juli.jar
Tomcat started.
Check port 8080
netstat -ln
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::8009 :::* LISTEN
tcp6 0 0 :::8080 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
Check process
ps -ef | grep tomcat
root 2825 1 1 14:23 pts/0 00:00:03 /usr/lib/jvm/java-7-oracle/jre/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-7.0.56-server-1/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/apache-tomcat-7.0.56-server-1/endorsed -classpath /usr/local/apache-tomcat-7.0.56-server-1/bin/bootstrap.jar:/usr/local/apache-tomcat-7.0.56-server-1/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/apache-tomcat-7.0.56-server-1 -Dcatalina.home=/usr/local/apache-tomcat-7.0.56-server-1 -Djava.io.tmpdir=/usr/local/apache-tomcat-7.0.56-server-1/temp org.apache.catalina.startup.Bootstrap start
Open the web site at port 8080: http://5.101.107.56:8080/
Page is waiting... [content is displayed after 28 minutes or more]
Try to shut down Tomcat if the content is not displayed yet (before Tomcat starts properly).
./shutdown.sh
SEVERE: Could not contact localhost:8005. Tomcat may not be running.
Oct 17, 2014 2:40:29 PM org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop:
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSoc
Check logs
catalina.out
Oct 17, 2014 2:31:47 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Oct 17, 2014 2:31:47 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1492 ms
Oct 17, 2014 2:31:47 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Oct 17, 2014 2:31:47 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.56
Oct 17, 2014 2:31:47 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.56-server-1/webapps/host-manager
I also installed nginx and navigated to http://5.XXX.XXX.XX/
The nginx welcome page opened immediately.
I checked catalina.out when I saw the page in the browser; it says:
Oct 17, 2014 2:31:47 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /usr/local/apache-tomcat-7.0.56-server-1/webapps/host-manager
Oct 17, 2014 3:00:27 PM org.apache.catalina.util.SessionIdGenerator createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [1,718,769] milliseconds.
Memory:
total used free shared buffers cached
Mem: 1017912 849512 168400 332 18780 688468
Answered by yuceel
Replacing securerandom.source=file:/dev/urandom with securerandom.source=file:/dev/./urandom in $JAVA_PATH/jre/lib/security/java.security has solved my problem.
Even when file:/dev/urandom is specified, JRE will still use /dev/random for SHA1PRNG (see bug JDK-4705093):
In SHA1PRNG, there is a SeedGenerator which does various things depending on the configuration.
If java.security.egd or securerandom.source point to "file:/dev/random" or "file:/dev/urandom", we will use NativeSeedGenerator, which calls super() which calls SeedGenerator.URLSeedGenerator(/dev/random). (A nested class within SeedGenerator.) The only things that changed in this bug was that urandom will also trigger use of this code path.
If those properties point to another URL that exists, we'll initialize SeedGenerator.URLSeedGenerator(url). This is why "file:///dev/urandom", "file:/./dev/random", etc. will work.
From Wikipedia on /dev/random:
In this implementation, the generator keeps an estimate of the number of bits of noise in the entropy pool. From this entropy pool random numbers are created. When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. /dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation.
When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered. The intent is to serve as a cryptographically secure pseudorandom number generator, delivering output with entropy as large as possible. This is suggested for use in generating cryptographic keys for high-value or long-term protection.
Environmental noise?
The random number generator gathers environmental noise from device drivers and other sources into an entropy pool. The generator also keeps an estimate of the number of bits of noise in the entropy pool. From this entropy pool random numbers are created.
That means in practice, it's possible to block Tomcat for an unknown amount of time.
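To see which case an installation falls into, this added example (not code from the original post, Tomcat or the JDK) resolves the seed source the way the answer above describes for this Java 7 setup and extracts the SecureRandom creation time from catalina.out. The function names are hypothetical and the java.security excerpt, JAVA_OPTS string and log line in demo() are constructed sample input.

```sh
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# Print each SecureRandom creation time (ms) found in catalina.out text on stdin,
# with thousands separators stripped: "[1,718,769]" -> 1718769.
securerandom_delays_ms() {
    sed -n 's/.*Creation of SecureRandom instance.*took \[\([0-9,]*\)] milliseconds.*/\1/p' | tr -d ','
}

# Last -Djava.security.egd=... value in a JAVA_OPTS string (empty if absent).
egd_from_opts() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-Djava\.security\.egd=//p' | tail -n 1
}

# Last uncommented securerandom.source=... value in a java.security file.
configured_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Device SHA1PRNG seeds from, per the behaviour quoted above (JDK-4705093):
# the two exact strings map to /dev/random; any other file: URL is read as given.
effective_seed_device() {
    case "$1" in
        file:/dev/random|file:/dev/urandom) echo "/dev/random" ;;
        file:*) echo "${1#file:}" ;;
        *) echo "unknown" ;;
    esac
}

# report <java.security> <JAVA_OPTS> <catalina.out>
report() {
    src=$(egd_from_opts "$2")
    [ -n "$src" ] || src=$(configured_source "$1")   # the system property wins over the file
    worst=$(securerandom_delays_ms < "$3" | sort -n | tail -n 1)
    echo "source=$src device=$(effective_seed_device "$src") worst_ms=${worst:-0}"
}

demo() {
    tmp=$(mktemp -d)
    echo 'securerandom.source=file:/dev/urandom' > "$tmp/java.security"
    echo 'INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [1,718,769] milliseconds.' > "$tmp/catalina.out"
    report "$tmp/java.security" "" "$tmp/catalina.out"
    report "$tmp/java.security" "-Djava.security.egd=file:/dev/./urandom -Xmx1024m" "$tmp/catalina.out"
    rm -rf "$tmp"
}
demo
```

A device of /dev/random together with a worst_ms in the minutes range is the signature of the blocked startup in the question.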
Answered by Zouzias
This also works:
Actually, by setting the following in /etc/default/tomcat7, I was fine:
JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xmx1024m -XX:MaxPermSize=512m -XX:+UseConcMarkSweepGC"
Answered by Sebastian Marsching
While using /dev/urandom as the source for entropy is a workaround that reduces the startup time for Tomcat, it is not a good idea because it can have unintended side effects.
Other components running in the Tomcat server (e.g. web applications) might depend on a securely initialized SecureRandom instance and there might be security issues when the entropy for the random numbers is not sufficient.
Actually, this is one of the reasons why using /dev/urandom does not work, but /dev/./urandom does. The SHA1PRNG heavily relies on a good seed. If the seed is not good, the random numbers are predictable. Therefore, the developer ensured that for this purpose /dev/random is used as the source of entropy, even if the JVM is configured to use /dev/urandom. There are two bug reports about this (bug 1, bug 2).
So instead of changing the entropy source to /dev/urandom, one should rather make sure that /dev/random has enough entropy. If the system has a hardware RNG, installing rng-tools should do the trick. Otherwise, installing haveged provides a very good source of entropy that does not rely on a special hardware RNG to be present. In a virtual machine, rng-tools can use entropy from the host through a virtual hardware RNG. As an alternative to this, EGD could be used, but at the moment this software is not included in the Ubuntu repositories, so that it is bothersome to use it.
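The choice between rng-tools and haveged described in this answer can be checked on the host before installing anything. This is an added example, not part of the original answer: it reads the kernel's entropy estimate and the current hardware RNG from the standard Linux procfs/sysfs paths, the function names are hypothetical, the 200-bit threshold is an assumption, and the files in demo_entropy() are constructed.

```sh
#!/bin/sh
# Added example, not from the original answer. The 200-bit threshold and the
# sample files in demo_entropy() are assumptions / constructed values.

# entropy_advice [entropy_avail file] [rng_current file] [minimum bits]
# Exit status: 0 = enough entropy, 1 = low, 2 = estimate unreadable.
entropy_advice() {
    ent_file=${1:-/proc/sys/kernel/random/entropy_avail}
    rng_file=${2:-/sys/class/misc/hw_random/rng_current}
    min=${3:-200}
    avail=$(cat "$ent_file" 2>/dev/null) || avail=""
    case "$avail" in
        ''|*[!0-9]*) echo "unknown: cannot read an entropy estimate from $ent_file"; return 2 ;;
    esac
    if [ "$avail" -ge "$min" ]; then
        echo "ok: $avail bits"
        return 0
    fi
    # Pool is low: pick the remedy named in the answer above.
    rng=$(cat "$rng_file" 2>/dev/null) || rng=""
    case "$rng" in
        ''|none) echo "low: $avail bits, no hardware RNG, use haveged" ;;
        *)       echo "low: $avail bits, hardware RNG $rng, use rng-tools" ;;
    esac
    return 1
}

demo_entropy() {
    tmp=$(mktemp -d)
    echo 57 > "$tmp/entropy_avail"            # constructed: starved pool
    echo virtio_rng.0 > "$tmp/rng_current"    # constructed: VM with a virtual RNG
    entropy_advice "$tmp/entropy_avail" "$tmp/rng_current" || true
    echo none > "$tmp/rng_current"            # constructed: no RNG device
    entropy_advice "$tmp/entropy_avail" "$tmp/rng_current" || true
    echo 3100 > "$tmp/entropy_avail"          # constructed: healthy pool
    entropy_advice "$tmp/entropy_avail" "$tmp/rng_current"
    rm -rf "$tmp"
}
demo_entropy
```

Called with no arguments, entropy_advice reads the live system files instead of the sample ones.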