BlogicBlog: View from the trenches

The blog about Java and XML with focus on troubleshooting issues and tools.

Wednesday, March 22, 2006

Oh Tomcat of the multiple conflicting ports!

Ever tried running multiple Tomcat instances on the same machine and had it fail because of a port conflict? And not because of the HTTP listen port conflict, because you knew about that one and changed it, but because of the other ports that are open out of the box and that even Tomcat's documentation does not mention.

So, it turns out that Tomcat 5 has three ports open, and interesting ports they are:
  1. 8080 - that's the one they tell you about, and it is where all the normal HTTP traffic goes.
  2. 8009 - that's the AJP connector that you need if you are behind a webserver like Apache that passes requests to you. Why it is on by default, I don't know. You have to configure the webserver side anyway; how difficult would it be to uncomment it at the same time? And if, for whatever reason, you are running Tomcat on its own, you now have another obscure port to worry about, as a management hassle or even a possible attack vector.
  3. 8005 - This one is interesting. It is bound to localhost only, and it is how you shut down Tomcat when you run the shutdown script. To shut it down, all you need to do is telnet to the port and say the magic word, which for Tomcat 5.0 is hardcoded as SHUTDOWN and for 5.5 is helpfully kept in the open in server.xml. You don't even need to be the same account to do this, just a user on the same system. This small issue has been acknowledged by the Tomcat team.

So, to make this a fishing lesson rather than a handout of seafood, here is a generic way to check those ports without having to page down through 19K of semi-commented-out XML.

The command should be all in one line:

...\xmlstarlet-1.0.1\xml sel -T -t
-m //*[.//@port]
-m ancestor::* -o -+ -b
-v local-name()
-i @port -o : -v @port -b

The command line above means: for each element that has a port attribute, or a descendant with one, print the element name indented according to its nesting depth; if this particular element has the port attribute itself, print the port value as well.

The result for the default Tomcat setup is:


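As an added example (not from the original post), here is the same walk done in Python over a constructed server.xml, plus the check a second instance needs: which ports two instances would both try to bind, and whether the shutdown word is still the stock one. The XML samples and instance names are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a stock Tomcat 5.5 server.xml (trimmed).
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""
# Second constructed instance where only the HTTP port was changed.
SECOND_SERVER_XML = DEFAULT_SERVER_XML.replace('port="8080"', 'port="8180"')


def list_ports(xml_text):
    """Same walk as the xmlstarlet template: one entry per element that has a
    port attribute or a descendant with one, prefixed by '-+' per ancestor."""
    lines = []

    def walk(elem, depth):
        if not any("port" in e.attrib for e in elem.iter()):
            return  # nothing in this subtree binds a port, skip it
        line = "-+" * depth + elem.tag
        if "port" in elem.attrib:
            line += ":" + elem.attrib["port"]
        lines.append(line)
        for child in elem:
            walk(child, depth + 1)

    walk(ET.fromstring(xml_text), 0)
    return lines


def bound_ports(xml_text):
    """Every port attribute in the file, documented or not (8005 and 8009 included)."""
    return {e.attrib["port"] for e in ET.fromstring(xml_text).iter() if "port" in e.attrib}


def audit(instances):
    """Return ports claimed by more than one instance, and the instances whose
    shutdown word is still the stock SHUTDOWN from the default server.xml."""
    seen = {}
    for name, xml_text in instances.items():
        for port in bound_ports(xml_text):
            seen.setdefault(port, []).append(name)
    conflicts = {p: names for p, names in seen.items() if len(names) > 1}
    stock_shutdown = [name for name, xml_text in instances.items()
                      if ET.fromstring(xml_text).get("shutdown") == "SHUTDOWN"]
    return conflicts, stock_shutdown
```

Running `audit({"first": DEFAULT_SERVER_XML, "second": SECOND_SERVER_XML})` shows that changing only 8080 still leaves 8005 and 8009 claimed by both instances, which is exactly the conflict the post describes.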
BlogicBlogger Over and Out


At March 23, 2006 5:34 AM, Anonymous Anonymous said...

Why not create a virtual network interface, and virtual ip address to bind each tomcat instance to?

Seems more scalable, more fault tolerant, and also means you won't run into these kinda problems...

At March 23, 2006 8:04 AM, Blogger BlogicBlogger said...

Two issues with this suggestion:
1) You need to know that you have a problem with multiple ports before considering solutions such as virtual interfaces and such. The blog post was exactly because I did not know there were multiple ports.
2) Even if you have virtual IP addresses, 8005 still binds to localhost, so you would have the issue there anyway.

