软件准备
安装
jdk,mysql,tomcat,nginx安装省略。
tomcat jsvc配置
到tomcat的bin目录下,解压commons-daemon-native.tar.gz,进入commons-daemon-native
./configure
make
复制jsvc文件到tomcat的bin目录下。
复制ommons-daemon-nativexxx/unix/samples目录下的Tomcat7.sh到tomcat的bin目录。
修改tomcat7.sh
把其中的JAVA_OPTS=改为JAVA_OPTS="-server -Xmx4000M -Xms2000M -Xmn500M -XX:PermSize=300M -XX:MaxPermSize=300M -Xss256K -XX:+DisableExplicitGC -XX:SurvivorRatio=1 -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:+CMSParallelRemarkEnabled -XX:+UseCMSCompactAtFullCollection -XX:CMSFullGCsBeforeCompaction=0 -XX:+CMSClassUnloadingEnabled -XX:LargePageSizeInBytes=128M -XX:+UseFastAccessorMethods -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSInitiatingOccupancyFraction=80 -XX:SoftRefLRUPolicyMSPerMB=0 -XX:+PrintClassHistogram -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintHeapAtGC -Xloggc:logs/gc.log"
在其中case的start处增加-Djava.security.manager \ -Djava.security.policy="$CATALINA_BASE/conf/catalina.policy" \
修改catalina.policy中的内容为:
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
grant {
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner";
permission javax.security.auth.AuthPermission "setReadOnly";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
permission javax.security.auth.AuthPermission "refreshCredential";
permission javax.security.auth.AuthPermission "destroyCredential";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "refreshLoginConfiguration";
permission java.util.logging.LoggingPermission "control";
permission java.net.NetPermission "setDefaultAuthenticator";
permission java.net.NetPermission "requestPasswordAuthentication";
permission java.net.NetPermission "specifyStreamHandler";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.io.SerializablePermission "enableSubstitution";
permission java.sql.SQLPermission "setLog";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission javax.net.ssl.SSLPermission "getSSLSessionContext";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "stopThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "readFileDescriptor";
permission java.lang.RuntimePermission "writeFileDescriptor";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission "defineClassInPackage.*";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
permission java.security.SecurityPermission "putProviderProperty.SunJCE";
permission java.security.SecurityPermission "insertProvider.SunJCE";
};
grant {
permission java.net.SocketPermission "*:1-", "connect, accept";
permission java.util.PropertyPermission "os.*", "read";
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.*", "read";
permission java.util.PropertyPermission "*", "read";
permission java.io.FilePermission ".", "read";
};
grant codeBase "file:/xxx/-" {
permission java.io.FilePermission "/xxx/", "read";
permission java.io.FilePermission "/xxx/-", "read, write, delete";
};
jmx监控
在其中case的start处增加:
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=8199 \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access \
在tomcat的conf目录建立jmxremote.password和jmxremote.access,并更改其权限为700
cat jmxremote.access
xxxx readonly
cat jmxremote.password
xxxx tomcat
nginx安装与配置
先打上ajp补丁
patch -p1
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_gzip_static_module --with-http_sysguard_module --add-module=/path/yaoweibin-nginx_ajp_module-xxx/
make && make install
nginx基础配置省略
nginx中ajp相关配置
首先去掉tomcat的server.xml中 的相关注释。
以下是nginx相关配置文件
upstream tomcats
{
server 127.0.0.1:8009 srun_id=jvm1;
jvm_route $cookie_JSESSIONID reverse;
keepalive 10;
}
以上内容添加在http段,详细就不写了。
需要处理java的server相关配置
location / {
if (!-f $request_filename) {
ajp_pass tomcats;
}
if (!-d $request_filename) {
ajp_pass tomcats;
}
root /xxx/web;
}
location ~ .*.jsp$
{
ajp_pass tomcats;
}
延伸阅读
【JVM启动参数介绍】
-Xmn -Eden Generation的Heap大小,一般设置为Xmx的1/3或1/4
-Xmx -设置JVM Heap大小最大值,这里的heap = New Generation + Old Generation,但不包括PermGen
-Xms -设置JVM Heap大小初始值
-XX:NewRatio -New/Old的大小比率
-XX:NewSize -New Generation Heap的大小
-XX:MaxNewSize -可以通过NewRatio和-Xmx计算得到
-XX:SurvivorRatio -Eden/Survivor Space大小比率
-XX:PermSize -PermGen的初始值
-XX:MaxPermSize -PermGen最大值
-Xss: -设置每个线程的Stack大小
-XX:+UseParNewGC -表示多CPU下缩短Minor GC的时间
-XX:+UseParallelGC -设置后可以使用并行清除收集器【多CPU】
-XX:+ParallelGCThreads -可用来增加并行度【多CPU】
-XX:+AggressiveOpts -是否激活最近的试验性性能调整
-XX:-Xnoclassgc -是否允许类垃圾收集,默认设置是允许类 GC
-XX:+UseLargePages -是否支持大页面堆
-XX:+UseFastAccessorMethods -在指定了这个参数后,JDK会将所有的get/set方法都转为本地代码
-XX:+UseConcMarkSweepGC -缩短major收集的时间,此选项在Heap比较大而且Full GC时间较长的情况下使用更合适
-verbose:gc -输出一些gc信息
-XX:+PrintGCDetails -输出gc详细信息
-XX:+PrintGCTimeStamps -包含时间戳信息
-XX:+PrintHeapAtGC -包括gc前后Heap状况
-XX:+PrintTenuringDistribution -输出对象存活时间和Tenured Generation的其他信息
-XX:+PrintHeapUsageOverTime -以时间戳输出heap利用率和容量信息
-Xloggc:filename -输出gc信息到日志文件
tomcat java policy相关知识
http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html
jmx相关知识
阅读(4518) | 评论(0) | 转发(0) |
