Overview
JRE: the Java runtime environment; contains the Java virtual machine and the core class libraries.
JDK: the Java development kit; contains the JRE plus the source compiler and the debugging and analysis tools.
JDK and JRE download page:
http://www.oracle.com/technetwork/java/javase/archive-139210.html
The company currently runs three Java versions, 1.6, 1.7 and 1.8; download the matching JRE and JDK packages in advance.
For the JRE, take the Server JRE variant (no browser plug-in, no auto-update). Java packages already downloaded:
jdk-6u45-linux-x64.bin
jre-6u45-linux-x64.bin
jdk-7u80-linux-x64.tar.gz
server-jre-7u80-linux-x64.tar.gz
jdk-8u172-linux-x64.tar.gz
server-jre-8u172-linux-x64.tar.gz
Note that 6u45 is the last public Java 6 build and receives no further security fixes; keep the 1.6 runtime only for applications that cannot yet move to a newer one.
The company currently runs three Tomcat versions, 6, 7 and 8.
Most Tomcat bug fixes are only shipped as a new release, so download the latest release of each major version in use. Tomcat 6.0.x is end-of-life, so 6.0.53 is its final release and gets no further fixes either.
Tomcat download page:
https://archive.apache.org/dist/tomcat/
Tomcat packages already downloaded:
apache-tomcat-6.0.53.tar.gz
apache-tomcat-7.0.86.tar.gz
apache-tomcat-8.0.51.tar.gz
Verify every archive against the checksum or PGP signature published next to it before it goes anywhere near a server.
Deploying the multi-version Java environment
1° Following "CentOS6实验机模板搭建部署" (the CentOS 6 lab-machine template guide), clone a lab machine, raise its memory to 16 GB, then set the host name and the hosts file:
hostname web
echo "$(grep -E '127|::1' /etc/hosts)">/etc/hosts
echo "$(ifconfig eth0|grep 'inet addr'|awk -F'[ :]' '{print $13}') $(hostname)">>/etc/hosts
sed -i "s/^HOSTNAME.*$/HOSTNAME=$(hostname)/g" /etc/sysconfig/network
ping -c 3 $(hostname)
# The first echo keeps only the loopback lines of /etc/hosts; the second appends the eth0 address. Matching 'inet addr' rather than a bare 'inet' excludes the inet6 line, which would otherwise add an entry with an empty address.
2° Install the multi-version Java environment:
su -
mkdir -pv /usr/local/java
cd /usr/local/java
# Unpack. The 6u45 package is a self-extracting shell archive; the 7 and 8 Server JRE tarballs unpack into jdkX directories, which are renamed to jreX so the naming stays consistent:
bash /tmp/jre-6u45-linux-x64.bin
tar -xf /tmp/server-jre-7u80-linux-x64.tar.gz
mv -v jdk1.7.0_80 jre1.7.0_80
tar -xf /tmp/server-jre-8u172-linux-x64.tar.gz
mv -v jdk1.8.0_172 jre1.8.0_172
# Fix ownership and create one symlink per major version. Instances reference the symlink, so an upgrade only repoints the link:
chown root: -R .
ln -s /usr/local/java/jre1.6.0_45 java_1.6
ln -s /usr/local/java/jre1.7.0_80 java_1.7
ln -s /usr/local/java/jre1.8.0_172 java_1.8
# Create one environment file per version; each Tomcat instance sources exactly one of them from its catalina.sh:
cat >java_1.6_env<<EOF
export JAVA_HOME=/usr/local/java/java_1.6
export CLASSPATH=\$JAVA_HOME/lib:\$JAVA_HOME/jre/lib
export PATH=\$JAVA_HOME/bin:\$JAVA_HOME/jre/bin:\$PATH
EOF
chmod 444 java_1.6_env
cat >java_1.7_env<<EOF
export JAVA_HOME=/usr/local/java/java_1.7
export CLASSPATH=\$JAVA_HOME/lib:\$JAVA_HOME/jre/lib
export PATH=\$JAVA_HOME/bin:\$JAVA_HOME/jre/bin:\$PATH
EOF
chmod 444 java_1.7_env
cat >java_1.8_env<<EOF
export JAVA_HOME=/usr/local/java/java_1.8
export CLASSPATH=\$JAVA_HOME/lib:\$JAVA_HOME/jre/lib
export PATH=\$JAVA_HOME/bin:\$JAVA_HOME/jre/bin:\$PATH
EOF
chmod 444 java_1.8_env
# A Server JRE has no jre/ subdirectory, so the $JAVA_HOME/jre entries only take effect when the link points at a full JDK (step 4°). catalina.sh clears CLASSPATH on startup and builds its own class path, so the variable only matters for command-line tools.
# Hardening, tamper-proofing:
chattr +i /usr/local/java
# chattr +i on the directory freezes its entries: nobody, root included, can add, delete or rename a JRE tree or a symlink there until the flag is cleared. Files inside the trees stay writable by root, so use chattr -R +i if the contents are to be frozen as well. The flag guards against mistakes and drive-by changes, not against an attacker who already has root, because root can clear it. Check it with: lsattr -d /usr/local/java
3° To upgrade a JRE:
Unlock the directory: chattr -i /usr/local/java
Download the newer JRE package
Unpack it, fix ownership, repoint the version symlink
Lock the directory again: chattr +i /usr/local/java
4° If a JDK environment is required:
# Unlock
chattr -i /usr/local/java
# Unpack
bash /tmp/jdk-6u45-linux-x64.bin
tar -xf /tmp/jdk-7u80-linux-x64.tar.gz
tar -xf /tmp/jdk-8u172-linux-x64.tar.gz
# Fix ownership
chown root: -R jdk1.6.0_45 jdk1.7.0_80 jdk1.8.0_172
# Repoint the version symlinks
rm -vf java_1.6 java_1.7 java_1.8
ln -s /usr/local/java/jdk1.6.0_45 java_1.6
ln -s /usr/local/java/jdk1.7.0_80 java_1.7
ln -s /usr/local/java/jdk1.8.0_172 java_1.8
# Lock again
chattr +i /usr/local/java
# If nothing needs a JDK, deploy only the JRE. The JDK adds a compiler and tool chain (javac, jar, debugging tools) to a production host, and leaving them off is a hardening measure in its own right.
Multi-version Tomcat deployment and tuning
1° Unpack:
su -
mkdir -pv /usr/local/tomcat
cd /usr/local/tomcat
# Unpack:
tar -xf /tmp/apache-tomcat-6.0.53.tar.gz
tar -xf /tmp/apache-tomcat-7.0.86.tar.gz
tar -xf /tmp/apache-tomcat-8.0.51.tar.gz
# Fix ownership and create one symlink per major version; instances are copied from these templates:
chown root: -R .
ln -s /usr/local/tomcat/apache-tomcat-6.0.53 tomcat6
ln -s /usr/local/tomcat/apache-tomcat-7.0.86 tomcat7
ln -s /usr/local/tomcat/apache-tomcat-8.0.51 tomcat8
2° Tuning:
# catalina.sh JVM options:
unset OPTS1 OPTS2 OPTS3 OPTS4
OPTS1="-Djava.security.egd=file:/dev/./urandom -Xms1256m -Xmx1512m"
OPTS2=${OPTS1}" -XX:PermSize=164m -XX:MaxPermSize=228m"
OPTS3=${OPTS2}" -XX:-UseGCOverheadLimit"
OPTS4=${OPTS3}" -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp"
sed -i "s|cygwin=false|JAVA_OPTS=\"${OPTS3}\"\n&|g" tomcat*/bin/catalina.sh
sed -i "s|cygwin=false|# JAVA_OPTS=\"${OPTS4}\"\n&|g" tomcat*/bin/catalina.sh
# The two sed commands insert an active JAVA_OPTS line (OPTS3) and a commented-out alternative (OPTS4) just before the cygwin=false line of each template's catalina.sh.
# -Djava.security.egd=file:/dev/./urandom makes SecureRandom seed from /dev/urandom instead of blocking on /dev/random. Without it Tomcat can hang for minutes at startup while seeding the session-ID generator, with the log stuck after:
# org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory
# (The odd /dev/./urandom spelling is deliberate: the JDK treats the plain file:/dev/urandom value as a special case and still reads /dev/random for it.)
# Size -Xms/-Xmx to the application and to the memory the host actually has.
# -XX:PermSize/-XX:MaxPermSize only apply to Java 6 and 7. Java 8 has no permanent generation, prints "ignoring option PermSize ... support was removed in 8.0" and uses -XX:MaxMetaspaceSize instead, so drop them for java_1.8 instances.
# -XX:-UseGCOverheadLimit disables the check that throws OutOfMemoryError when the JVM spends nearly all its time in GC. A leaking application then spins in GC instead of failing fast (and the heap-dump option below never fires), so leave the limit on unless a specific application needs otherwise.
# Heap dumps on OutOfMemoryError are normally left off; enable OPTS4 only while chasing a recurring leak. A heap dump contains whatever was in memory, session data and credentials included, so point HeapDumpPath at a directory only web_pro can read rather than /tmp.
# server.xml:
sed -i 's/8005/18080/g' tomcat*/conf/server.xml
sed -i 's/8443/9443/g' tomcat*/conf/server.xml
sed -i 's/8009/28080/g' tomcat*/conf/server.xml
# Unified port scheme: shutdown port 8005 -> 18080, SSL redirect port 8443 -> 9443, AJP port 8009 -> 28080; the HTTP port stays 8080. pro_deploy.sh later adds a per-instance offset to all four.
# These edits leave the AJP connector enabled and listening on every interface. If no local reverse proxy speaks AJP, comment the connector out; if one does, add address="127.0.0.1" to it so it only answers on loopback. The shutdown listener binds to localhost by default; keep it that way.
sed -i 's/Connector port="8080" protocol="HTTP\/1.1"/&\
maxThreads="800" acceptCount="1000"\
compression="on"\
compressionMinSize="2048"\
noCompressionUserAgents="gozilla,traviata"\
compressableMimeType="text\/html,text\/xml,text\/javascript,text\/css,text\/plain"/g' tomcat*/conf/server.xml
# HTTP connector on 8080: raise the thread and backlog limits and enable gzip for text responses. The attribute is spelled compressableMimeType in Tomcat 6, 7 and 8.0; 8.5 and later renamed it compressibleMimeType.
sed -i 's|appBase="webapps"|appBase="/web/project/tomcat6"|g' tomcat6/conf/server.xml
sed -i 's|appBase="webapps"|appBase="/web/project/tomcat7"|g' tomcat7/conf/server.xml
sed -i 's|appBase="webapps"|appBase="/web/project/tomcat8"|g' tomcat8/conf/server.xml
# Move appBase out of the Tomcat tree into the business code directory
sed -i 's|<!-- Access log processes all example|\
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="/web/logs/access/tomcat6"\
prefix="tomcat6_access_log." suffix=".txt"\
pattern="%h %l %u %t \"%r\" %s %b" />\
&|g' tomcat6/conf/server.xml
sed -i 's|directory="logs"|directory="/web/logs/access/tomcat7"|g' tomcat7/conf/server.xml
sed -i 's/localhost_access_log/tomcat7_access_log/g' tomcat7/conf/server.xml
sed -i 's|directory="logs"|directory="/web/logs/access/tomcat8"|g' tomcat8/conf/server.xml
sed -i 's/localhost_access_log/tomcat8_access_log/g' tomcat8/conf/server.xml
# Access log directory and file prefix. Tomcat 6 ships the AccessLogValve commented out, so the valve is inserted in front of that comment block; Tomcat 7 and 8 ship it enabled, so only the directory and prefix change. The %h %l %u %t "%r" %s %b pattern is the common log format; when a reverse proxy sits in front, log %{X-Forwarded-For}i as well, otherwise every request appears to come from the proxy.
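The server.xml edits above are bare sed substitutions on port numbers, which is only safe while every port value is unique, and the AJP connector has to be handled by hand. As an added example (not code from the original page) the following does the same rewrite for one instance with the port values matched together with their quotes, pins the AJP connector to loopback or comments it out, and lists the listening ports so a new instance can be checked against the ones already deployed. The 18080/9443/28080 base ports and the template location are taken from the page; the function names, the 127.0.0.1 binding and the minimal sample server.xml are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not code from the original page: per-instance server.xml
# rewrite with a port offset plus AJP connector hardening.
# Assumes the template already uses the page's base ports:
#   shutdown 18080, HTTP 8080, SSL redirect 9443, AJP 28080.
set -u

# Shift the four base ports by OFF. Values are matched with their quotes, so
# the 8080 inside 18080/28080 can never be rewritten a second time.
rewrite_ports() {
    local xml="$1" off="$2"
    sed -i \
        -e "s/\"18080\"/\"$((18080 + off))\"/g" \
        -e "s/\"28080\"/\"$((28080 + off))\"/g" \
        -e "s/\"9443\"/\"$((9443 + off))\"/g" \
        -e "s/\"8080\"/\"$((8080 + off))\"/g" \
        "$xml"
}

# Bind the AJP connector to loopback unless it already carries an address
# attribute: AJP exists for a local reverse proxy and must not listen on
# every interface.
bind_ajp_loopback() {
    sed -i '/protocol="AJP\/1.3"/{/address=/!s/<Connector /<Connector address="127.0.0.1" /;}' "$1"
}

# Comment the AJP connector out entirely when nothing in front of Tomcat
# speaks AJP (single-line connector element, as shipped in server.xml).
disable_ajp() {
    sed -i 's|^\([[:space:]]*\)\(<Connector [^>]*protocol="AJP/1.3"[^>]*/>\)|\1<!-- \2 -->|' "$1"
}

# Ports an instance listens on. Only port="..." attributes count; the
# redirectPort value is a redirect target, not a listener.
list_ports() {
    grep -o 'port="[0-9]*"' "$1" | grep -o '[0-9][0-9]*' | sort -n | xargs
}

# 0 when NEW shares no listening port with any of the EXISTING server.xml files.
no_port_clash() {
    local new="$1" p q
    shift
    for p in $(list_ports "$new"); do
        for q in "$@"; do
            grep -q "port=\"$p\"" "$q" && return 1
        done
    done
    return 0
}

# Build instance file OUT from TEMPLATE with offset OFF.
make_instance() {
    local template="$1" out="$2" off="$3"
    cp "$template" "$out"
    rewrite_ports "$out" "$off"
    bind_ajp_loopback "$out"
}

# Constructed minimal template in the page's layout, for a dry run; the real
# template is /usr/local/tomcat/tomcatN/conf/server.xml.
write_sample_template() {
    cat >"$1" <<'XML'
<?xml version='1.0' encoding='utf-8'?>
<Server port="18080" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="9443" />
    <Connector port="28080" protocol="AJP/1.3" redirectPort="9443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="/web/project/tomcat8"
            unpackWARs="true" autoDeploy="true">
      </Host>
    </Engine>
  </Service>
</Server>
XML
}

# Dry run: offset 3 gives 18083/8083/9446/28083 and a loopback-only AJP.
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp); i=$(mktemp)
    write_sample_template "$t"
    make_instance "$t" "$i" 3
    echo "listening ports: $(list_ports "$i")"
    grep 'AJP' "$i"
    rm -f "$t" "$i"
fi
```

Run it with `bash instance_ports.sh demo` for the dry run, or source it and call `make_instance` on a copy of the real template; `no_port_clash new.xml /web/*/conf/server.xml` before registering an instance catches an offset that was reused after an entry was deleted from checktomcat.lst.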
3° Log rotation script:
cat >tomcat6/bin/cat.sh<<EOF
#!/bin/bash
source ~/.bash_profile
cd \$(dirname \$0)
d=\$(date +%Y%m%d.%H.%M.%S)
# Rotate catalina.out: copy, then truncate in place. catalina.sh opens the file
# in append mode, so Tomcat keeps writing correctly after the truncation; the
# few lines written between the cp and the truncate are lost, which is accepted here.
cd ../logs/
cp catalina.out catalina.out.\${d}
: > catalina.out
tar -czf catalina.out.\${d}.tar.gz catalina.out.\${d} --remove-files
find . -name 'catalina.out.*.tar.gz' -type f -mtime +30 -exec rm -f {} \;
# Drop the per-logger files after 30 days
find . -name 'catalina.*.log' -type f -mtime +30 -exec rm -f {} \;
find . -name 'host-manager.*.log' -type f -mtime +30 -exec rm -f {} \;
find . -name 'localhost.*.log' -type f -mtime +30 -exec rm -f {} \;
find . -name 'manager.*.log' -type f -mtime +30 -exec rm -f {} \;
# Rotate access logs: compress files from previous days, keep the archives for 30 days
cd /web/logs/access/tomcat6
find . -name "*.txt" -type f -mtime +0 -exec tar -czf {}.tar.gz {} --remove-files \;
find . -name "*.tar.gz" -type f -mtime +30 -exec rm -f {} \;
EOF
cp -av tomcat6/bin/cat.sh tomcat7/bin/cat.sh
sed -i 's/tomcat6/tomcat7/g' tomcat7/bin/cat.sh
cp -av tomcat6/bin/cat.sh tomcat8/bin/cat.sh
sed -i 's/tomcat6/tomcat8/g' tomcat8/bin/cat.sh
chmod +x tomcat*/bin/cat.sh
# Install the rotation script in each template; pro_deploy.sh schedules it per instance
4° Other simple tuning and hardening:
find tomcat*/ -type f ! -perm -o=r -exec ls -l {} \;
find tomcat*/ -type f ! -perm -o=r -exec chmod o+r {} \;
# The templates are root-owned and are copied by the web_pro account, so every file must be readable by "other"; in practice this mainly affects the files under conf/.
# This also makes server.xml and tomcat-users.xml readable by every local account. Nothing secret should live in a template, but on a shared host prefer handing the templates to the web_pro group once that account exists (chgrp -R web_pro /usr/local/tomcat; chmod -R g+rX,o-rwx /usr/local/tomcat) over o+r.
rm -rf tomcat*/webapps
# Remove the bundled applications (ROOT, docs, examples, manager, host-manager); instances get their own appBase under /web/project
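The o+r change above is the broad form of the permission fix. As an added example (not code from the original page) here is the narrower form, with a small constructed template tree so it can be tried on a scratch directory first: list which files a template exposes to every local account, then hand the tree to the service account's group with nothing left for "other". The group name web_pro is taken from the service account created later on this page; the sample file contents and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original page: audit and tighten the
# permissions of a Tomcat template tree. The group name "web_pro" is an
# assumption taken from the service account created later on this page.
set -u

# Files under DIR that are readable by "other". conf/server.xml (keystore
# passwords) and conf/tomcat-users.xml (manager credentials) should never
# appear in this list on a multi-user host.
world_readable_files() {
    find "$1" -type f -perm -o=r | sort
}

# Hand the tree to the service account's group instead of to everyone:
# group gets read plus traverse on directories (X), "other" loses all bits.
# chgrp is skipped when the group does not exist yet, so this is safe to run
# before the account is created and again afterwards.
restrict_template() {
    local dir="$1" grp="${2:-web_pro}"
    if getent group "$grp" >/dev/null 2>&1; then
        chgrp -R "$grp" "$dir"
    fi
    chmod -R g+rX,o-rwx "$dir"
}

# Octal mode of PATH, for checks.
mode_of() {
    stat -c %a "$1"
}

# Constructed scratch template with the layout and modes a fresh unpack would
# have (explicit chmod so the result does not depend on the caller's umask).
make_sample_template() {
    local dir="$1"
    mkdir -p "$dir/bin" "$dir/conf" "$dir/lib"
    printf '#!/bin/sh\nexec java "$@"\n' >"$dir/bin/catalina.sh"
    printf '<Server port="18080" shutdown="SHUTDOWN"/>\n' >"$dir/conf/server.xml"
    printf '<tomcat-users><user username="admin" password="example" roles="manager-gui"/></tomcat-users>\n' \
        >"$dir/conf/tomcat-users.xml"
    : >"$dir/lib/catalina.jar"
    chmod 755 "$dir" "$dir/bin" "$dir/conf" "$dir/lib" "$dir/bin/catalina.sh"
    chmod 644 "$dir/conf/server.xml" "$dir/conf/tomcat-users.xml" "$dir/lib/catalina.jar"
}

# Dry run on a scratch directory: the audit lists four files before and
# none after restrict_template.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_template "$d"
    echo "before:"; world_readable_files "$d"
    restrict_template "$d"
    echo "after:";  world_readable_files "$d"
    rm -rf "$d"
fi
```

Against the real templates: `world_readable_files /usr/local/tomcat/tomcat6` shows what the o+r step exposed, and `restrict_template /usr/local/tomcat web_pro` (as root, after `chattr -i`) replaces it; web_pro can still `cp -a` the template because its primary group now owns the read bits.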
5° Hardening, tamper-proofing:
chattr +i /usr/local/tomcat
# As with /usr/local/java this only freezes the top-level entries (the tomcat6/7/8 symlinks and version directories); files inside the templates remain writable by root.
6° To upgrade a Tomcat template:
Unlock the directory: chattr -i /usr/local/tomcat
Unpack the new release
Fix ownership, repoint the version symlink
Re-apply the tuning from step 2° (catalina.sh and server.xml), the cat.sh script from step 3° and the permission and webapps cleanup from step 4°
Lock the directory again: chattr +i /usr/local/tomcat
Business environment deployment
1° Layout:
web_pro  service account that runs every Tomcat instance
/web  business root directory
/web/project  application code (the appBase of each instance)
/web/logs  access logs and application logs
/web/profile  configuration files for third-party interfaces
/web/checkTOMCAT  watchdog (check-and-restart) scripts
2° Setup:
# Service account
useradd -u 8080 web_pro
echo web_pro|passwd --stdin web_pro
# A password equal to the user name is only acceptable on the lab clone. On a production host lock it (passwd -l web_pro) and reach the account through sudo or an SSH key instead.
# Business directories; in production mount data volumes on them as required
mkdir -pv /web/{profile,project,logs,checkTOMCAT}
chown web_pro: -R /web
chmod 750 -R /web
# Resource limits for the service account
echo 'web_pro soft nproc 2047'>>/etc/security/limits.conf
echo 'web_pro hard nproc 16384'>>/etc/security/limits.conf
echo 'web_pro soft nofile 1024'>>/etc/security/limits.conf
echo 'web_pro hard nofile 65536'>>/etc/security/limits.conf
echo 'web_pro soft stack 10240'>>/etc/security/limits.conf
echo 'web_pro hard stack 32768'>>/etc/security/limits.conf
echo 'session required pam_limits.so'>>/etc/pam.d/login
# On CentOS 6 /etc/pam.d/login already pulls pam_limits in through system-auth, and SSH logins go through /etc/pam.d/sshd, so the line above is redundant but harmless.
cat >>/etc/profile<<EOF
if [ "\$USER" = "web_pro" ]; then
    if [ "\$SHELL" = "/bin/ksh" ]; then
        ulimit -p 16384
        ulimit -n 65536
    else
        ulimit -u 16384 -n 65536
    fi
fi
EOF
# These limits are copied from the Oracle Database 11g installation guide (which is where the ksh branch comes from); tune them to the real workload. Check the effective values with: su - web_pro -c 'ulimit -a'
3° Watchdog (auto-restart) script:
su - web_pro
cd /web/checkTOMCAT
cat>checktomcat.sh<<EOF
#!/bin/bash
source /etc/profile
# Working directory
CPWD=\$(dirname \${0})
# Configuration list
CHKLIST=\${CPWD}/checktomcat.lst
# Reference file whose mtime is set to "now minus timeout" for the log-age comparison
TIMESTANDARD=\${CPWD}/checktomcat.tsd
# Log of restart actions
CHECKLOG=\${CPWD}/checktomcat_log.txt
# Log of script runs
RUNLOG=\${CPWD}/checktomcat_run_\$(date +%F).log
# One copy at a time: cron starts this script every 10 seconds (see below), so a
# slow run must not overlap the next one and start the same instance twice
exec 9>\${CPWD}/checktomcat.lock
flock -n 9 || exit 0
echo "\$(date +%F.%T) Check file \${CHKLIST}">>\${RUNLOG}
# Main loop:
while read line
do
    if [ "\${line:0:1}" == "#" -o "\${line}" == "" ]
    then
        # Skip comment and empty lines
        continue
    fi
    # Line format: NAME:BIN_DIR:PROCESS_NAME:START_COMMAND:LOG_FILE:LOG_TIMEOUT_SECONDS
    # NAME is a human-readable label. PROCESS_NAME is the string that identifies this
    # instance's processes in ps output; it is matched as a substring, so it must not
    # be a prefix of any other instance's name
    VNAME=\$(echo \${line}|awk -F ':' '{print \$1}')
    VWORKDIR=\$(echo \${line}|awk -F ':' '{print \$2}')
    VPROC=\$(echo \${line}|awk -F ':' '{print \$3}')
    VSTART=\$(echo \${line}|awk -F ':' '{print \$4}')
    VLOG=\$(echo \${line}|awk -F ':' '{print \$5}')
    VTIME=\$(echo \${line}|awk -F ':' '{print \$6}')
    # Skip the line (with a log entry) when its bin directory does not exist
    if [ -d "\${VWORKDIR}" ]
    then
        cd "\${VWORKDIR}"
    else
        echo "\$(date +%F.%T) WARNING \${VWORKDIR} does not exist, skipping \${VNAME}">>\$CHECKLOG
        continue
    fi
    # Number of processes currently belonging to this instance
    PROCCOUNTS=\$(ps -ef|grep "\${VPROC}"|grep java|grep -v "grep"|wc -l)
    # No process: start the instance. stdin is detached and the lock fd closed so the
    # started Tomcat neither reads from the config list nor inherits the lock
    if [ "\${PROCCOUNTS}" == "0" ]
    then
        echo "\$(date +%F.%T) \${VNAME} not running, restarting">>\${CHECKLOG}
        echo "\$(date +%F.%T) \${VSTART}">>\${CHECKLOG}
        \${VSTART} </dev/null 9>&- &
        continue
    fi
    # Log-age check (a timeout of 0 disables it)
    if [ "\${VTIME}" != "0" ]
    then
        # Set the reference file's mtime to now minus the timeout
        touch -t \$(date -d "-\${VTIME} second" +"%Y%m%d%H%M.%S") \${TIMESTANDARD}
        # Is the monitored log newer than the reference file?
        LOGFILECOUNTS=\$(find \${VLOG} -newer \${TIMESTANDARD}|wc -l)
        if [ "\${LOGFILECOUNTS}" == "0" ]
        then
            echo "\$(date +"%F.%T") \${VNAME}: \${VLOG} missing or not updated for \${VTIME} seconds, restarting">>\${CHECKLOG}
            echo "\$(date +"%F.%T") \${VSTART}">>\${CHECKLOG}
            touch \${VLOG}
            # Kill every process of the instance. SIGKILL skips Tomcat's shutdown hooks,
            # which is acceptable for an instance already considered hung
            for i in \$(ps -ef|grep "\${VPROC}"|grep java|grep -v "grep"|awk '{print \$2}')
            do
                kill -9 \${i}
            done
            \${VSTART} </dev/null 9>&- &
            continue
        fi
    fi
done<\${CHKLIST}
cd \${CPWD}
EOF
chmod 700 checktomcat.sh
# Create the configuration list (header only; pro_deploy.sh appends one line per instance)
echo '# TOMCAT_NAME:BIN_PATH:PROCESS_NAME:START_SCRIPT:CHECK_LOG:LOG_TIMEOUT:PORT_OFFSET'>checktomcat.lst
# Schedule it. cron's resolution is one minute, so six entries with staggered sleeps give a 10-second check interval
crontab -l>/tmp/web_pro_crontab.txt
echo "# Check TOMCAT Process" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * /web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 10;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 20;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 30;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 40;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 50;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "0 3 * * * /usr/bin/find /web/checkTOMCAT/checktomcat_run_*.log -type f -mtime +30 -exec rm -f {} \;" >>/tmp/web_pro_crontab.txt
cat /tmp/web_pro_crontab.txt |crontab
rm -f /tmp/web_pro_crontab.txt
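The watchdog runs every START_SCRIPT in checktomcat.lst as web_pro and kills whatever matches PROCESS_NAME as a substring, so a bad line costs either a dead instance that is never restarted or a healthy one that is killed. As an added example (not code from the original page), the following lint checks a list in the page's field layout before the cron job acts on it: field count, bin directory, executable start script, numeric timeout, PROCESS_NAME values that are prefixes of each other, and the same log-age test the watchdog performs. The sample list in the test is constructed; the function names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original page: lint checktomcat.lst before
# the cron job acts on it. Line layout follows the page:
#   NAME:BIN_PATH:PROCESS_NAME:START_SCRIPT:CHECK_LOG:LOG_TIMEOUT[:PORT_OFFSET]
set -u

# 0 when FILE exists and was modified within the last SECS seconds: the same
# decision as the touch/-newer pair in checktomcat.sh, without a scratch file.
log_is_fresh() {
    local file="$1" secs="$2" mtime
    [ -f "$file" ] || return 1
    mtime=$(stat -c %Y "$file") || return 1
    [ $(( $(date +%s) - mtime )) -le "$secs" ]
}

# START may be absolute or relative to BINDIR (./startup.sh); only the
# command word is checked, arguments are ignored.
start_script_ok() {
    local bindir="$1" start="${2%% *}"
    case "$start" in
        /*) [ -x "$start" ] ;;
        *)  [ -x "$bindir/${start#./}" ] ;;
    esac
}

# 0 when NEW equals, prefixes or is prefixed by a name already in SEEN
# (newline-separated). checktomcat.sh counts processes with ps|grep "$VPROC",
# a substring match, so tomcat6_8080_app would also see tomcat6_8080_app2's
# processes and never restart a dead app.
proc_name_clashes() {
    local new="$1" seen="$2" old
    for old in $seen; do
        case "$new" in "$old"*) return 0 ;; esac
        case "$old" in "$new"*) return 0 ;; esac
    done
    return 1
}

# Check every active line of LIST. Prints one diagnostic per problem and
# returns the number of problems (0 = clean; capped by the 8-bit exit status).
lint_chklist() {
    local list="$1" problems=0 lineno=0 seen=""
    local line name bindir proc start log timeout rest
    [ -r "$list" ] || { echo "$list: cannot read"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        IFS=: read -r name bindir proc start log timeout rest <<EOF
$line
EOF
        if [ -z "$name" ] || [ -z "$bindir" ] || [ -z "$proc" ] || [ -z "$start" ] || [ -z "$timeout" ]; then
            echo "line $lineno: need at least 6 colon-separated fields"
            problems=$((problems + 1))
            continue
        fi
        if [ ! -d "$bindir" ]; then
            echo "line $lineno ($name): bin dir $bindir does not exist"
            problems=$((problems + 1))
        fi
        if ! start_script_ok "$bindir" "$start"; then
            echo "line $lineno ($name): start script $start is not executable"
            problems=$((problems + 1))
        fi
        if proc_name_clashes "$proc" "$seen"; then
            echo "line $lineno ($name): process name $proc overlaps an earlier entry"
            problems=$((problems + 1))
        fi
        seen="$seen
$proc"
        case "$timeout" in
            *[!0-9]*)
                echo "line $lineno ($name): LOG_TIMEOUT '$timeout' is not a number"
                problems=$((problems + 1)) ;;
            0) ;;
            *)
                if ! log_is_fresh "$log" "$timeout"; then
                    echo "line $lineno ($name): $log missing or older than ${timeout}s, the cron job would restart this instance now"
                    problems=$((problems + 1))
                fi ;;
        esac
    done <"$list"
    return "$problems"
}

# Usage: bash lint_chklist.sh /web/checkTOMCAT/checktomcat.lst
if [ "$#" -gt 0 ]; then
    lint_chklist "$1"
fi
```

Run it as web_pro after every pro_deploy.sh call and before enabling a non-zero LOG_TIMEOUT; a non-zero exit means the next cron tick would either skip, kill or fail to start something.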
4° One-shot instance deployment script:
cat >pro_deploy.sh<<EOF
#!/bin/bash
source ~/.bash_profile
# Java environment directory
JAVA_ENV=/usr/local/java
# Tomcat template directory
TOMCAT_ENV=/usr/local/tomcat
# Instance root
IPWD=/web
# Working directory
CPWD=\$(dirname \${0})
# Configuration list of the watchdog
CHKLIST=\${CPWD}/checktomcat.lst
# Usage
if [ "\$#" -ne 6 ]
then
    echo \$"Usage: bash \$(basename \$0) -n PRO_NAME -j JAVA_VERSION -t TOMCAT_VERSION"
    echo \$"Example: bash \$(basename \$0) -n vincent_test -j java_1.6 -t tomcat6"
    echo \$"JAVA_VERSION can be java_1.6/java_1.7/java_1.8"
    echo \$"TOMCAT_VERSION can be tomcat6/tomcat7/tomcat8"
    exit 1
fi
while [ "\$#" -gt 0 ]
do
    case "\$1" in
        -n)
            shift
            typeset -l PRO_NAME="\${1}"
            shift
            ;;
        -j)
            shift
            typeset -l JAVA_VERSION="\${1}"
            shift
            ;;
        -t)
            shift
            typeset -l TOMCAT_VERSION="\${1}"
            shift
            ;;
    esac
done
# Validate the arguments: the env file and the template must exist, and the pairing must be
# one the container supports (Tomcat 8.0 needs Java 7 or newer; Tomcat 7 needs Java 6 or newer)
if [ -z "\${PRO_NAME}" ] || [ ! -f "\${JAVA_ENV}/\${JAVA_VERSION}_env" ] || [ ! -d "\${TOMCAT_ENV}/\${TOMCAT_VERSION}" ]
then
    echo "Missing PRO_NAME, or unknown JAVA_VERSION/TOMCAT_VERSION: \${JAVA_VERSION} \${TOMCAT_VERSION}"
    exit 1
fi
if [ "\${TOMCAT_VERSION}" == "tomcat8" -a "\${JAVA_VERSION}" == "java_1.6" ]
then
    echo "tomcat8 requires java_1.7 or newer"
    exit 1
fi
# Port offset: number of instances already registered in the list
PORT_OFFSET=\$(awk -F':' '{if(\$NF~/[0-9]+/) print \$NF}' \${CHKLIST}|wc -l)
# Instance name
TOMCAT_NAME=\${TOMCAT_VERSION}_\$((8080+\$PORT_OFFSET))_\${PRO_NAME}
# Copy the template (cp -a as web_pro keeps the modes; the copy is owned by web_pro)
cp -a \${TOMCAT_ENV}/\${TOMCAT_VERSION}/ \${IPWD}/\${TOMCAT_NAME}
# Instance configuration: source the chosen Java env file at the top of catalina.sh, point cat.sh
# at the instance, shift every port by the offset (18080 and 28080 are rewritten before the plain
# 8080 so the substring is not hit twice), and rename the appBase and access-log paths
sed -i "s|#!/bin/sh|&\n. \${JAVA_ENV}/\${JAVA_VERSION}_env|g" \${IPWD}/\${TOMCAT_NAME}/bin/catalina.sh
sed -i "s/tomcat.*\$/\${TOMCAT_NAME}/g" \${IPWD}/\${TOMCAT_NAME}/bin/cat.sh
sed -i "s/18080/\$((18080+\$PORT_OFFSET))/g" \${IPWD}/\${TOMCAT_NAME}/conf/server.xml
sed -i "s/28080/\$((28080+\$PORT_OFFSET))/g" \${IPWD}/\${TOMCAT_NAME}/conf/server.xml
sed -i "s/8080/\$((8080+\$PORT_OFFSET))/g" \${IPWD}/\${TOMCAT_NAME}/conf/server.xml
sed -i "s/9443/\$((9443+\$PORT_OFFSET))/g" \${IPWD}/\${TOMCAT_NAME}/conf/server.xml
sed -i "s/tomcat[678]/\${TOMCAT_NAME}/g" \${IPWD}/\${TOMCAT_NAME}/conf/server.xml
# Register with the watchdog (no log-age check yet: CHECK_LOG is a placeholder and the timeout is 0)
echo "\${PRO_NAME}:\${IPWD}/\${TOMCAT_NAME}/bin:\${TOMCAT_NAME}:./startup.sh:CHECK_LOG:0:\${PORT_OFFSET}">>\${CHKLIST}
# Daily log rotation for this instance
crontab -l>/tmp/web_pro_crontab.txt
echo "# \${TOMCAT_NAME} DAILY LOG ARCHIVE" >>/tmp/web_pro_crontab.txt
echo "0 3 * * * /bin/bash /web/\${TOMCAT_NAME}/bin/cat.sh">>/tmp/web_pro_crontab.txt
cat /tmp/web_pro_crontab.txt |crontab
rm -f /tmp/web_pro_crontab.txt
# Test page:
mkdir -p /web/project/\${TOMCAT_NAME}/ROOT
echo "\$(hostname -i):\${TOMCAT_NAME}">>/web/project/\${TOMCAT_NAME}/ROOT/index.html
echo "curl http://\$(hostname -i):\$((8080+\$PORT_OFFSET))/index.html"
EOF
chmod +x pro_deploy.sh
# Test (the watchdog starts each instance within 10 seconds of its registration):
bash pro_deploy.sh -n vincent_test -j java_1.6 -t tomcat6
bash pro_deploy.sh -n vincent_test -j java_1.7 -t tomcat7
bash pro_deploy.sh -n vincent_test -j java_1.8 -t tomcat8
# Tear the test down: reset the list and the crontab, stop the instances, remove their directories
echo '# TOMCAT_NAME:BIN_PATH:PROCESS_NAME:START_SCRIPT:CHECK_LOG:LOG_TIMEOUT:PORT_OFFSET'>checktomcat.lst
echo "# Check TOMCAT Process" >/tmp/web_pro_crontab.txt
echo "*/1 * * * * /web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 10;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 20;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 30;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 40;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "*/1 * * * * sleep 50;/web/checkTOMCAT/checktomcat.sh> /dev/null 2>&1" >>/tmp/web_pro_crontab.txt
echo "0 3 * * * /usr/bin/find /web/checkTOMCAT/checktomcat_run_*.log -type f -mtime +30 -exec rm -f {} \;" >>/tmp/web_pro_crontab.txt
cat /tmp/web_pro_crontab.txt |crontab
rm -f /tmp/web_pro_crontab.txt
# Kills every Java process on the box; fine on the lab clone, never on a shared host
ps -ef|grep java|grep -v grep|awk '{print $2}'|xargs kill -9
rm -rf /web/tomcat* /web/project/* /web/logs/access/*
5° Tomcat upgrade:
Tomcat is a lightweight container: to upgrade an instance, download the new release, unpack it and replace the instance's bin and lib directories. Unlock them first (chattr -i) and remove the old lib/*.jar rather than copying over them so no stale jars remain. The instance-specific edits live in bin (the ". java_env" line and the JAVA_OPTS line in catalina.sh, and cat.sh) and must be re-applied after bin is replaced; also diff the new release's conf/ against the instance's conf/, since defaults change between releases.
6° Final hardening:
su -
chattr +i /web/tomcat*/bin
chattr +i /web/tomcat*/conf
chattr +i /web/tomcat*/lib
# Lock the main directories of every instance. The flag sits on the directories only, so it blocks adding, removing or renaming files (dropping in a jar or a new catalina.sh) but not editing the existing files; use chattr -R +i on bin, conf and lib to freeze the contents too. logs, temp and work must stay writable, and Tomcat may need to write under conf/Catalina/ on deployment (Tomcat 6 copies a WAR's META-INF/context.xml there), so confirm that each instance still starts and deploys cleanly after locking. Unlock before any upgrade (step 5°).
cd /web/checkTOMCAT/
chattr +i *.sh
# Lock the watchdog and deployment scripts. checktomcat.lst stays writable because pro_deploy.sh appends to it; since every START_SCRIPT in that list is executed by the cron job as web_pro, give the list the same protection whenever no deployment is in progress.