tomcat-ansible-role
tomcat-ansible-role
Ansible role to install and configure Apache Tomcat on CentOS/RHEL.
Requirements
- Tomcat supported versions by this role:
- 7.0
- 8.0
- 8.5
- 9.0 (9.0.1 or later)
- CentOS/RHEL 7 or 8
- SELinux disabled
Installation
$ ansible-galaxy install zaxos.tomcat-ansible-role
Example Playbook
- hosts: servers
become: true
vars:
tomcat_version: 8.5.23
tomcat_permissions_production: True
tomcat_users:
- username: "tomcat"
password: "t3mpp@ssw0rd"
roles: "tomcat,admin,manager,manager-gui"
- username: "exampleuser"
password: "us3rp@ssw0rd"
roles: "tomcat"
roles:
- role: zaxos.tomcat-ansible-role
Role Variables
The main variable:
tomcat_version
: tomcat version to install
Some variables that require review:
tomcat_install_java
: True
By default OpenJDK Java will be installed. Change it to "False" if you don't want OpenJDK Java to be installed by this role.tomcat_java_version
: 1.8
OpenJDK Java version to be installed. Default is "1.8". Currently, latest OpenJDK Java version is "11".tomcat_install_path
: /opt
Location in which tomcat will be installed. Default is "/opt".- JVM memory management:
You can set the minimum and maximum memory heap size with the following JVM -Xms and -Xmx variables as a percentage of the total system memory. For example, for a 2GB RAM system, using the default values: Xms=307m (15% of 2048MB), Xmx=1126m (55% of 2048MB).tomcat_jvm_memory_percentage_xms
: 15tomcat_jvm_memory_percentage_xmx
: 55
tomcat_allow_manager_access_only_from_localhost
: False
If set to "True", tomcat manager app will be accessible only from localhost for security reasons. (This behavior is default for Tomcat 8.5 and 9.0)tomcat_allow_host_manager_access_only_from_localhost
: False
If set to "True", tomcat host manager app will be accessible only from localhost for security reasons. (This behavior is default for Tomcat 8.5 and 9.0)tomcat_users
: List of tomcat users to be created. See example for the expected format.tomcat_debug_mode
: False
Change it to "True" in order to configure tomcat to allow remote debugging. Default debug port is set to tcp/8000 (you can change it through the corresponding variable).
File permissions:
tomcat_permissions_production
: False
For production installation, set this variable to "True" for more strict security. For development or low-security/more-ease installation, set this variable to "False". Default is "False".- If set to "True", all tomcat files are owned by root with group tomcat. Owner has read/write privileges, group only has read and world has no permissions. The exceptions are the logs, temp and work directory that are owned by the tomcat user rather than root.
- If set to "False", all tomcat files are owned by tomcat with group tomcat. Owner and group has read/write privileges and world only has read permissions.
tomcat_webapps_auto_deployment
: True
For better security, auto-deployment should be disabled and web applications should be deployed as exploded directories. If auto-deployment is disabled, set this to "False". This variable makes sense only for production installation (if tomcat_permissions_production is "True"). Default is "True".- If set to "True", webapps subdirectory is owned by tomcat with group tomcat.
- If set to "False", webapps subdirectory is owned by root with group tomcat.
tomcat_permissions_ensure_on_every_run
: True
If set to "True", file permissions are ensured on every playbook run. If set to "False", file permissions are set only when tomcat is installed (on first playbook run).tomcat_prod_modes
:
Lists Tomcat subdirectories, directory modes and file modes respectively. Permissions applied recursively.
tomcat_prod_modes:
- ['bin', '2750', '0640']
- ['conf', '2750', '0640']
- ['lib', '2750', '0640']
- ['logs', '0300', '0640']
- ['temp', '0750', '0640']
- ['work', '0750', '0640']
- ['webapps', '0750', '0640']
Tomcat ports:
tomcat_port_connector
: 8080tomcat_port_shutdown
: 8005tomcat_port_redirect
: 8443tomcat_port_ajp
: 8009tomcat_port_debug
: 8000
Tomcat AJP:
tomcat_ajp_enabled
: False
Set to "True" to enable AJP Connector.tomcat_ajp_listen_address
: "::1"
By default, the connector will listen on the loopback address. Unless the JVM is configured otherwise using system properties, the Java based connectors (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured with either "0.0.0.0" or "::". The APR/native connector will only listen on IPv4 addresses if configured with "0.0.0.0" and will listen on IPv6 addresses (and optionally IPv4 addresses depending on the setting of ipv6v6only) if configured with "::".tomcat_ajp_secret
: "my-@jp-s3cr3t"
This attribute must be specified with a non-null, non-zero length value unless "secretRequired" is explicitly configured to be "false". Please change the default value to something secure.tomcat_ajp_secret_required
: True
Set to "False" to configure "secretRequired=False".
Some defaults (probably not requiring tampering):
tomcat_service_name
: tomcattomcat_service_enabled_on_startup
: Truetomcat_java_home
: /usr/lib/jvm/jretomcat_downloadURL
: https://archive.apache.org/disttomcat_user
: tomcattomcat_group
: tomcattomcat_listen_address
: 0.0.0.0tomcat_temp_download_path
: /tmp/ansibletomcattempdirtomcat_systemd_config_path
: /etc/systemd/system
Custom templates for server.xml, users.xml, systemd service file, etc.:
- In case the default templates don't suit your needs, you can use your own custom templates by changing the following variables:
tomcat_template_server
tomcat_template_users
tomcat_template_systemd_service
tomcat_template_setenv
tomcat_template_manager_context
tomcat_template_host_manager_context
Optional variables (by default undefined):
- You can set custom user uid and group gid for homogeneity across multiple servers. For example:
tomcat_user_uid
: 500tomcat_group_gid
: 500
In case of uninstallation:
tomcat_state
: absent- To uninstall tomcat that was installed using this role, set this variable to "absent". Default value is "present".
tomcat_uninstall_create_backup
: True
By default, in a better safe than sorry basis, a backup tar archive will be created at "tomcat_install_path" before deletion.tomcat_uninstall_remove_java
: False
Change it to "True" to uninstall Java after tomcat is uninstalled.- By default, tomcat user and group will be removed. Change to "False" to preserve them after tomcat is uninstalled.
tomcat_uninstall_remove_user
: Truetomcat_uninstall_remove_group
: True
tomcat_uninstall_remove_all
: False
In order to override the above values and uninstall everything, set it to "True".
Variables for Disconnected remote environment:
tomcat_remote_is_disconnected
: False
Change it to "True" if your remote host (managed host) is offline and cannot access internet.
About
Ansible role to install and configure Apache Tomcat on CentOS/RHEL
Install
ansible-galaxy install zaxos/tomcat-ansible-role
License
gpl-2.0
Downloads
102192
Owner