Environment Setup
- CentOS Linux release 7.3.1611 (Core)
- JDK 1.7.0.131
- Tomcat 7.0.76
- Jenkins 2.48
I won't say much about the Linux OS itself; I installed it on a VM.
The Jenkins site doesn't state a minimum memory requirement, but it recommends 16GB (you must be joking).
I gave it 6GB, which is enough as long as you don't install too many Jenkins plugins.
1. Install JDK 1.7
The product is developed on JDK 1.7, so it's best to keep the environments consistent.
1.1 Update 2017/06/05
Oracle no longer offers a download link for JDK 1.7. I found an FTP mirror via Google, downloaded jdk-7u80-linux-x64.tar.gz, and installed it manually.
If JDK 1.7 is installed after Tomcat 7, the alternatives setting may be overridden by OpenJDK. Remember to re-check it.
tar -xzvf jdk-7u80-linux-x64.tar.gz
sudo mv jdk1.7.0_80/ /usr/lib/jvm/
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.7.0_80/bin/java" 1
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.7.0_80/bin/javac" 1
sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.7.0_80/bin/javaws" 1
sudo update-alternatives --config java

There are 2 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                             Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java   1071      auto mode
  1            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java   1071      manual mode
  2            /usr/lib/jvm/jdk1.7.0_80/bin/java                1         manual mode

Press enter to keep the current choice[*], or type selection number: 2

Java Version
java -version
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)
1.2 In CentOS 7 (Older way)
# Download JDK 1.7
wget \
--no-cookies \
--no-check-certificate \
--header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
-O jdk-7u80-linux-x64.rpm \
http://download.oracle.com/otn-pub/java/jdk/7u80-b15/jdk-7u80-linux-x64.rpm
# Install as root
rpm -ivh jdk-7u80-linux-x64.rpm
# Java will be installed into /usr/java
ll /usr/java/
total 4
lrwxrwxrwx 1 root root   16 Mar 6 10:52 default -> /usr/java/latest
drwxr-xr-x 8 root root 4096 Mar 6 10:52 jdk1.7.0_80
lrwxrwxrwx 1 root root   21 Mar 6 10:52 latest -> /usr/java/jdk1.7.0_80
1.3 In Ubuntu OS (Older way)
Reference: https://help.ubuntu.com/community/Java
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java7-installer
After a successful install the path should be /usr/lib/jvm/java-7-oracle
2. Install Tomcat 7
The product uses Java Servlets, so Tomcat 7 was chosen.
# Download the Tomcat 7 tarball and deploy it directly
wget http://ftp.tc.edu.tw/pub/Apache/tomcat/tomcat-7/v7.0.76/bin/apache-tomcat-7.0.76.tar.gz
# Extract it
tar -xf apache-tomcat-7.0.76.tar.gz
# Move it to /usr/local/tomcat7 (root required)
mv apache-tomcat-7.0.76 /usr/local/tomcat7
To start or stop Tomcat 7, run:
# First change to the Tomcat7 directory
cd /usr/local/tomcat7/
# Start script
./bin/startup.sh
# Shutdown script
./bin/shutdown.sh
2.1 Tomcat Service Script
But doing this by hand every time gets tiring.
More importantly, I also want it to start at boot.
2.1.1 Systemctl command
CentOS 7 uses systemctl in place of the service command.
i). Tomcat 7 Environment Setup
Tomcat recommends creating setenv.sh/setenv.bat to set up the environment.
When catalina.sh runs, it automatically sources setenv.sh if that file exists.
It doesn't exist by default, so create the new file /usr/local/tomcat7/bin/setenv.sh by hand.
Reference: https://gist.github.com/patmandenver/cadb5f3eb567a439ec01
#
# Custom Environment Variables for Tomcat
#
############################################
# JDK 1.7 from the RPM install (section 1.2); for the manual tar install
# (section 1.1) use /usr/lib/jvm/jdk1.7.0_80/jre instead
export JAVA_HOME=/usr/java/jdk1.7.0_80/jre
export PATH=${JAVA_HOME}/bin:${PATH}
############################################
#
# JAVA_OPTS
# You could do all this in one export command
# But I am going to be long winded and explain
# Why and add links
#
# Oracle Notes
# - https://docs.oracle.com/javase/8/docs/technotes/tools/windows/java.html
# - A good visual
# https://redstack.wordpress.com/2011/01/06/visualising-garbage-collection-in-the-jvm/
#############################################
# -server
# Select the java HotSpot Server JVM
# The 64-bit version of the JDK supports only the Server VM,
# so in that case the option is implicit
# ... so it's redundant in today's world but it makes me feel good.
export JAVA_OPTS="-server"
# -Xms/Xmx
# Xms sets the initial size of the Heap
# Xmx sets the Maximum size of the Heap.
# http://stackoverflow.com/questions/16087153/what-happens-when-we-set-xmx-and-xms-equal-size
# http://crunchify.com/jvm-tuning-heapsize-stacksize-garbage-collection-fundamental/
export JAVA_OPTS="$JAVA_OPTS -Xms1024M -Xmx1024M"
# -NewSize/MaxNewSize
# Set the size of the young generation
# Most newly created objects are made here
# Objects that did not become unreachable and survive the young
# Generation heap are copied to the Old Generation
# See http://www.cubrid.org/blog/dev-platform/understanding-java-garbage-collection
# https://redstack.wordpress.com/2011/01/06/visualising-garbage-collection-in-the-jvm/
export JAVA_OPTS="$JAVA_OPTS -XX:NewSize=512m -XX:MaxNewSize=512m"
# -PermSize/MaxPermSize
# Store classes and interned character strings
# http://stackoverflow.com/questions/12114174/what-does-xxmaxpermsize-do
# Warning!
# Deprecated in Java 8!! replace with -XX:MetaspaceSize !!!
export JAVA_OPTS="$JAVA_OPTS -XX:PermSize=256m -XX:MaxPermSize=256m"
# -HeapDumpOnOutOfMemoryError / -HeapDumpPath
# Write a heap dump to this file when an OutOfMemoryError occurs.
# HeapDumpPath alone writes nothing: the dump has to be enabled, and the
# target directory must exist (this install lives under /usr/local/tomcat7)
export JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/usr/local/tomcat7/logs/java_heapdump_pid_%p.log"
# -java.security.egd
# This one is a bit of a debate
# If you don't set this it will use /dev/random on startup
# which can block and make tomcat startup slower.
# But it's technically more secure... but no one has shown
# a way to break the results of urandom which is faster.
# For more details see.
# http://www.2uo.de/myths-about-urandom/
export JAVA_OPTS="$JAVA_OPTS -Djava.security.egd=file:/dev/./urandom"
#################################################
# CATALINA_OPTS
# These are basically JAVA_OPTS but only used by tomcat
# and only run on Tomcat start see
# http://stackoverflow.com/questions/11222365/catalina-opts-vs-java-opts-what-is-the-difference
# for more details
#
################################################
# Add tomcat pid (catalina.sh sets CATALINA_BASE before sourcing this file;
# the path must match PIDFile in the systemd unit below)
CATALINA_PID="$CATALINA_BASE/tomcat.pid"
ii). Tomcat 7 Systemctl Script
Create a new file tomcat7.service under /usr/lib/systemd/system.
Because the unit runs as the regular user ciserver, the PIDFile path has to be somewhere that user can write
(otherwise it would normally go under /var/run/).
[Unit]
Description=Apache Tomcat 7
After=syslog.target network.target

[Service]
Type=forking
# Must match CATALINA_PID in setenv.sh
PIDFile=/usr/local/tomcat7/tomcat.pid
ExecStart=/usr/local/tomcat7/bin/startup.sh
# No ExecReload: Tomcat has no reload signal, and the HotSpot JVM exits on SIGHUP.
# SIGQUIT only makes the JVM print a thread dump, so stop through shutdown.sh instead.
ExecStop=/usr/local/tomcat7/bin/shutdown.sh
PrivateTmp=true
User=ciserver
Group=ciserver

[Install]
WantedBy=multi-user.target
Common commands (root required)
# After editing the unit file, systemd has to reload it
systemctl daemon-reload
# Start (the unit name is the file name without .service, i.e. tomcat7)
systemctl start tomcat7
# Stop
systemctl stop tomcat7
# Start automatically at boot
systemctl enable tomcat7
# Disable automatic start at boot
systemctl disable tomcat7
2.1.2 Service command (Older way)
I found a Tomcat service script that someone kindly posted online.
Download it, change the names and paths inside, and put it at /etc/init.d/tomcat7
#!/bin/bash
#
# tomcat
#
# chkconfig: 345 96 30
# description: Start up the Tomcat servlet engine.
#
# processname: java
# pidfile: /var/run/tomcat.pid
#
### BEGIN INIT INFO
# Provides: tomcat
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Should-Start: distcache
# Short-Description: start and stop Apache Tomcat
# Description: implementation for Servlet 2.5 and JSP 2.1
### END INIT INFO

# Source function library.
. /etc/init.d/functions

## tomcat installation directory. *[change this]
PROCESS_NAME=tomcat
## *[change this]
CATALINA_HOME="/usr/local/tomcat7/"
## run as a different user. *[change this]
TOMCAT_USER=ciserver
## Path to the pid, running info file
pidfile=${PIDFILE-/var/run/${PROCESS_NAME}.pid}
lockfile=${LOCKFILE-/var/lock/subsys/${PROCESS_NAME}}
RETVAL=0

case "$1" in
  start)
    PID=`pidofproc -p ${pidfile} ${PROCESS_NAME}`
    if [[ (-n ${PID}) && ($PID -gt 0) ]]; then
      logger -s "${PROCESS_NAME}(pid ${PID}) is already running."
      exit
    fi
    if [ -f $CATALINA_HOME/bin/startup.sh ]; then
      logger -s "Starting Tomcat"
      ## -Dprocessname=... is only a marker so the java process can be found with ps below
      /bin/su -l ${TOMCAT_USER} -c "$CATALINA_HOME/bin/startup.sh -Dprocessname=${PROCESS_NAME}"
      ## capture the exit status of startup.sh, not of the ps pipeline
      RETVAL=$?
      PID=`ps -eaf | grep processname=${PROCESS_NAME} | grep -v grep | awk '{print $2}'`
      [ $RETVAL = 0 ] && touch ${lockfile}
      [ $RETVAL = 0 ] && echo "${PID}" > ${pidfile}
    fi
    ;;
  stop)
    PID=`pidofproc -p ${pidfile} ${PROCESS_NAME}`
    ## if PID is valid run shutdown.sh
    if [[ -z ${PID} ]]; then
      logger -s "${PROCESS_NAME} is not running."
      exit
    fi
    if [[ (${PID} -gt 0) && (-f $CATALINA_HOME/bin/shutdown.sh) ]]; then
      logger -s "Stopping Tomcat"
      /bin/su -l ${TOMCAT_USER} -c "$CATALINA_HOME/bin/shutdown.sh"
      RETVAL=$?
      [ $RETVAL = 0 ] && rm -f ${lockfile}
      [ $RETVAL = 0 ] && rm -f ${pidfile}
    fi
    ;;
  status)
    status -p ${pidfile} ${PROCESS_NAME}
    RETVAL=$?
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  version)
    if [ -f $CATALINA_HOME/bin/version.sh ]; then
      logger -s "Display Tomcat Version"
      /bin/su -l ${TOMCAT_USER} -c "$CATALINA_HOME/bin/version.sh"
      RETVAL=$?
    fi
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|status|version}"
    exit 1
    ;;
esac
exit $RETVAL
2.2 tomcat-users.xml configuration
Set up a user account so that Jenkins can deploy the web project onto Tomcat 7.
cd /usr/local/tomcat7
# Edit conf/tomcat-users.xml and paste the following inside <tomcat-users></tomcat-users>
<!-- So the IDE/Jenkins can manage Tomcat through the manager text interface
     (manager-script only; this account does not get manager-gui) -->
<role rolename="manager-script" />
<user username="manager" password="_SECRET_PASSWORD_" roles="manager-script" />
2.3 Enable HTTPS + AuthBind
Generate a self-signed certificate for our own use.
cd /usr/local/tomcat7/
mkdir keystore
cd keystore
# Generate the keystore
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore
Enter keystore password: # {password} type your own
Re-enter new password:
What is your first and last name?
  [Unknown]: Clone Lin
What is the name of your organizational unit?
  [Unknown]: private
What is the name of your organization?
  [Unknown]: private
What is the name of your City or Locality?
  [Unknown]: Taiwan
What is the name of your State or Province?
  [Unknown]: Clone
What is the two-letter country code for this unit?
  [Unknown]: tw
Is CN=Clone Lin, OU=private, O=private, L=Taiwan, ST=Clone, C=tw correct?
  [no]: yes
Enter key password for <tomcat>
  (RETURN if same as keystore password):
Re-enter new password:
ll
total 4
-rw-rw-r-- 1 clone clone 2232 Mar 9 08:44 tomcat.keystore
Modify the Tomcat server configuration to open SSL/TLS port 443.
cd /usr/local/tomcat7/
# Edit conf/server.xml
<!-- keystorePass is stored in cleartext here, so keep server.xml readable only by the Tomcat user -->
<Connector port="443" protocol="HTTP/1.1"
           maxThreads="200"
           redirectPort="8443"
           URIEncoding="UTF-8"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/usr/local/tomcat7/keystore/tomcat.keystore"
           keystorePass="_SECRET_PASSWORD_"
           clientAuth="false" sslProtocol="TLS" />
Binding a port number below 1024 requires root privileges, but I don't want Tomcat to run as root.
AuthBind is used here so that an unprivileged user can successfully bind port 443.
CentOS cannot install it through yum, so download the source, compile it, and install.
GitHub : https://github.com/tootedom/authbind-centos-rpm
# Download, build and install
wget http://ftp.debian.org/debian/pool/main/a/authbind/authbind_2.1.1.tar.gz
tar -xf authbind_2.1.1.tar.gz
cd authbind-2.1.1/
make
# Install as root
make install
# Open the port Tomcat will use (all of these steps require root)
touch /etc/authbind/byport/443
chmod 500 /etc/authbind/byport/443
chown {username}:{group} /etc/authbind/byport/443
# If Tomcat was installed via yum, the default user and group are "tomcat"
# Modify the script that starts the Tomcat server
# Either /usr/local/tomcat7/bin/catalina.sh or /usr/local/tomcat7/bin/startup.sh can be modified
# startup.sh is modified here
# Comment out the original exec line and add authbind --deep. The result after modification:
#exec "$PRGDIR"/"$EXECUTABLE" start "$@"
exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"
At this point, restart the Tomcat server and you're done.
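As an added example (not part of the original post), the following POSIX shell script verifies the outcome of sections 2.2 and 2.3 above: the authbind port file has the expected owner and mode, the files holding secrets (server.xml with keystorePass, tomcat-users.xml, the keystore with the private key) are not group- or world-readable, and no java process runs as root. The script name tomcat-checks.sh, the function names, and the GNU stat / procps ps assumptions are mine; paths and the user default to the post's /usr/local/tomcat7 and ciserver.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the non-root
# Tomcat + authbind + keystore setup. Assumes GNU stat (-c) and procps ps (-eo).
uid_of() { id -u "$1" 2>/dev/null || echo "$1"; }   # accept a user name or a uid

# Return 0 if FILE exists, is owned by USER and has exactly octal mode MODE.
check_mode_owner() {
  file=$1 want=$(uid_of "$2") mode=$3
  [ -e "$file" ] || { echo "MISSING  $file"; return 1; }
  got_mode=$(stat -c '%a' "$file") got_uid=$(stat -c '%u' "$file")
  if [ "$got_mode" != "$mode" ] || [ "$got_uid" != "$want" ]; then
    echo "BAD      $file (mode $got_mode uid $got_uid; want $mode $want)"
    return 1
  fi
  echo "OK       $file"
}

# Return 0 if none of the FILES is readable by group or others: server.xml holds
# keystorePass, tomcat-users.xml the manager password, the keystore the private key.
check_private() {
  rc=0
  for f in "$@"; do
    [ -e "$f" ] || { echo "MISSING  $f"; rc=1; continue; }
    case "$(stat -c '%a' "$f")" in
      *00) echo "OK       $f" ;;
      *)   echo "EXPOSED  $f (group/other can read it)"; rc=1 ;;
    esac
  done
  return $rc
}

# Return 0 if every running java process belongs to USER (none runs as root,
# even though the connector binds port 443).
check_java_user() {
  want=$(uid_of "$1") rc=0
  for u in $(ps -eo uid=,comm= | awk '$2 == "java" { print $1 }'); do
    [ "$u" = "$want" ] || { echo "java runs as uid $u, expected $want"; rc=1; }
  done
  return $rc
}

run_all() {
  home=${1:-/usr/local/tomcat7} user=${2:-ciserver}
  check_mode_owner /etc/authbind/byport/443 "$user" 500
  check_private "$home/conf/server.xml" "$home/conf/tomcat-users.xml" "$home/keystore/tomcat.keystore"
  check_java_user "$user"
}

# Usage: sh tomcat-checks.sh check [CATALINA_HOME] [USER]
case "${1-}" in check) run_all "$2" "$3" ;; esac
```

Run it as root after the restart; the post's own `ll` output above shows the keystore created as -rw-rw-r--, which this check reports as EXPOSED until it is tightened to 600.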
2.4 Iptables rules
Incoming connections are blocked by default, so add your own rules.
Port 8080 is used as the example here; port 443 works the same way.
(iptables -A means Append; iptables -I means Insert)
# A stricter rule looks like this
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "Tomcat Server port"
# A simpler one is
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
# Show the current iptables rules
iptables-save
# Save the iptables rules
# CentOS 7 has replaced iptables with firewalld; rules can be added with the commands below
# Without --permanent the rule is a runtime rule and is not saved
firewall-cmd --zone=public --add-port=443/tcp --permanent
# Reload, then confirm the rule took effect
firewall-cmd --reload
3. Install Jenkins 2.48
Official site : https://jenkins.io/
There are two ways to install it: download the war file and drop it into tomcat/webapps, or install the RPM package.
The war file method is used here.
# Choose the stable release
wget http://mirrors.jenkins.io/war-stable/latest/jenkins.war
cp jenkins.war /usr/local/tomcat7/webapps/
Open a browser and enter the URL: http://127.0.0.1/jenkins/
The first time Jenkins starts it prompts for the initial admin password.
Paste the password into the input box as instructed.
cat /home/clone/.jenkins/secrets/initialAdminPassword
60a9fe50f451436b987979704006b33a
The install types are General install / Custom install.
The installation takes a while; the success screen is shown below.
The screenshot above is from a test install and is in English.
Later I chose the Jenkins stable release, which is in Chinese after installation.



