Best practices for customizing Fedora 4 configuration files
128 views
Skip to first unread message
Jim Coble
Apr 27, 2016, 8:49:01 AM4/27/16
to Fedora Tech
We are planning to use MySQL (rather than LevelDB) as the Infinispan persistence mechanism in Fedora 4. If we follow the instructions here ... https://github.com/fcrepo4/fcrepo4/pull/978 ... to do so, that exposes the MySQL username and password in the process listing on the server (e.g., 'ps').
It looks as though I could put the username and password directly in the WEB-INF/classes/config/infinispan/jdbc-mysql/infinispan.xml file in the deployed web app (in place of the system property references). So, two questions ...
(1) Is there a better way to "hide" the MySQL username and password so it at least doesn't show up in a process listing?
(2) If customizing this file is the best way to do this, is there advice on best practices for customizing Fedora 4 configuration files? Customize it in place in the deployed web app? Put the custom version somewhere else and symlink from the deployed web app? Or ...?
Thanks.
--Jim Coble
Duke University Libraries
Aaron Coburn
Apr 27, 2016, 9:05:16 AM4/27/16
to fedor...@googlegroups.com
Hello, Jim,
I would recommend making the configuration changes directly in the infinispan configuration (infinispan.xml), but I would *very, very strongly* recommend storing that modified configuration outside of the unpacked war file.
As an example, this is my JAVA_OPTS (at present) for our fedora4 instance:
JAVA_OPTS="-Dfile.encoding=UTF-8 \
-Dfcrepo.home=/mnt/data/fcrepo \
-Dfcrepo.modeshape.configuration=file:/etc/fcrepo/repository.json \
-Dfcrepo.activemq.configuration=file:/etc/fcrepo/activemq.xml \
-Dfcrepo.ispn.configuration=/etc/fcrepo/infinispan.xml \
-Dfcrepo.auth.webac.authorization=/etc/fcrepo/root-authentication.ttl \
-Dfcrepo.spring.audit.configuration=file:/etc/fcrepo/audit.xml \
-Dlogback.configurationFile=/etc/fcrepo/logback.xml \
-Dfcrepo.ispn.alternative.cache=ispn.alt.cache \
-Dfcrepo.ispn.binary.cache=ispn.binary.cache \
-Dfcrepo.ispn.cache=ispn.cache \
-Dfcrepo.ispn.binary.alternative.cache=ispn.binary.alt.cache \
-Dfcrepo.ispn.repo.cache=ispn.repo.cache \
-Dfcrepo.modeshape.index.directory=modeshape.index \
-Dfcrepo.binary.directory=binary.store \
-Dfcrepo.activemq.directory=activemq \
-Dcom.arjuna.ats.arjuna.common.ObjectStoreEnvironmentBean.default.objectStoreDir=arjuna.common.object.store \
-Dcom.arjuna.ats.arjuna.objectstore.objectStoreDir=arjuna.object.store \
-Dnet.sf.ehcache.skipUpdateCheck=true \
-Dfcrepo.audit.container=/audit \
-XX:+UseConcMarkSweepGC
-XX:+CMSClassUnloadingEnabled \
-XX:+UseG1GC
-XX:ConcGCThreads=5 \
-XX:MaxGCPauseMillis=200
-XX:ParallelGCThreads=20 \
-XX:+UseParNewGC
-XX:MaxMetaspaceSize=512M \
-Xms1024m
-Xmx2048m"
You will see that all of the configuration files are stored outside of the unpacked war file. In my case, that's /etc/fcrepo, but it could be any place that makes sense for your system.
All of those configuration files are highly customized, and by placing them in a directory that I control, any of my changes aren't overwritten when re-deploying a war file.
At a minimum, I would highly recommend that any production deployments of fedora store at least these configuration files separately, and if you customize these at all, you should absolutely do this.
repository.json (this is the central config for modeshape, and you should control that)
activemq.xml (you should at least turn the topic into a queue)
infinispan.xml
root-authentication.ttl (if you're using webac)
logback.xml (to make logging configuration more sensical -- e.g. by writing to /var/log/fcrepo/fcrepo.log rather than catalina.out)
Regards,
Aaron
> --
> You received this message because you are subscribed to the Google Groups "Fedora Tech" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to fedora-tech...@googlegroups.com.
> To post to this group, send email to fedor...@googlegroups.com.
> Visit this group at https://groups.google.com/group/fedora-tech.
> For more options, visit https://groups.google.com/d/optout.
I would recommend making the configuration changes directly in the infinispan configuration (infinispan.xml), but I would *very, very strongly* recommend storing that modified configuration outside of the unpacked war file.
As an example, this is my JAVA_OPTS (at present) for our fedora4 instance:
JAVA_OPTS="-Dfile.encoding=UTF-8 \
-Dfcrepo.home=/mnt/data/fcrepo \
-Dfcrepo.modeshape.configuration=file:/etc/fcrepo/repository.json \
-Dfcrepo.activemq.configuration=file:/etc/fcrepo/activemq.xml \
-Dfcrepo.ispn.configuration=/etc/fcrepo/infinispan.xml \
-Dfcrepo.auth.webac.authorization=/etc/fcrepo/root-authentication.ttl \
-Dfcrepo.spring.audit.configuration=file:/etc/fcrepo/audit.xml \
-Dlogback.configurationFile=/etc/fcrepo/logback.xml \
-Dfcrepo.ispn.alternative.cache=ispn.alt.cache \
-Dfcrepo.ispn.binary.cache=ispn.binary.cache \
-Dfcrepo.ispn.cache=ispn.cache \
-Dfcrepo.ispn.binary.alternative.cache=ispn.binary.alt.cache \
-Dfcrepo.ispn.repo.cache=ispn.repo.cache \
-Dfcrepo.modeshape.index.directory=modeshape.index \
-Dfcrepo.binary.directory=binary.store \
-Dfcrepo.activemq.directory=activemq \
-Dcom.arjuna.ats.arjuna.common.ObjectStoreEnvironmentBean.default.objectStoreDir=arjuna.common.object.store \
-Dcom.arjuna.ats.arjuna.objectstore.objectStoreDir=arjuna.object.store \
-Dnet.sf.ehcache.skipUpdateCheck=true \
-Dfcrepo.audit.container=/audit \
-XX:+UseConcMarkSweepGC
-XX:+CMSClassUnloadingEnabled \
-XX:+UseG1GC
-XX:ConcGCThreads=5 \
-XX:MaxGCPauseMillis=200
-XX:ParallelGCThreads=20 \
-XX:+UseParNewGC
-XX:MaxMetaspaceSize=512M \
-Xms1024m
-Xmx2048m"
You will see that all of the configuration files are stored outside of the unpacked war file. In my case, that's /etc/fcrepo, but it could be any place that makes sense for your system.
All of those configuration files are highly customized, and by placing them in a directory that I control, any of my changes aren't overwritten when re-deploying a war file.
At a minimum, I would highly recommend that any production deployments of fedora store at least these configuration files separately, and if you customize these at all, you should absolutely do this.
repository.json (this is the central config for modeshape, and you should control that)
activemq.xml (you should at least turn the topic into a queue)
infinispan.xml
root-authentication.ttl (if you're using webac)
logback.xml (to make logging configuration more sensical -- e.g. by writing to /var/log/fcrepo/fcrepo.log rather than catalina.out)
Regards,
Aaron
> You received this message because you are subscribed to the Google Groups "Fedora Tech" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to fedora-tech...@googlegroups.com.
> To post to this group, send email to fedor...@googlegroups.com.
> Visit this group at https://groups.google.com/group/fedora-tech.
> For more options, visit https://groups.google.com/d/optout.
Jim Coble
Apr 27, 2016, 9:15:52 AM4/27/16
to Fedora Tech
Thanks, Aaron!
--Jim
Esmé Cowles
Apr 27, 2016, 9:27:06 AM4/27/16
to fedor...@googlegroups.com
Jim-
The one thing I'd add to Aaron's excellent advice is that the MySQL infinispan.xml file also includes a commented-out example of using a JNDI datasource instead of hard-coding the JDBC connection parameters. This would let you configure the pooling, drivers, etc. the way you would for any Java webapp.
-Esmé
The one thing I'd add to Aaron's excellent advice is that the MySQL infinispan.xml file also includes a commented-out example of using a JNDI datasource instead of hard-coding the JDBC connection parameters. This would let you configure the pooling, drivers, etc. the way you would for any Java webapp.
-Esmé
Andrew Woods
Apr 27, 2016, 10:21:49 AM4/27/16
to fedor...@googlegroups.com
Thanks for the detailed response, Aaron.
I have captured the suggestions under Fedora's FAQ:
Andrew
Stefano Cossu
Apr 27, 2016, 12:43:09 PM4/27/16
to fedor...@googlegroups.com
Hi Aaron,
Thanks for the excellent sample.
On the memory management side, has anyone tried the -XX:+UseStringDeduplication option? I have read about it recently [1] and I wonder how much Fedora deals with strings and how much it would improve performance.
Thanks,
Stefano
[1] http://blog.takipi.com/garbage-collectors-serial-vs-parallel-vs-cms-vs-the-g1-and-whats-new-in-java-8/
Thanks for the excellent sample.
On the memory management side, has anyone tried the -XX:+UseStringDeduplication option? I have read about it recently [1] and I wonder how much Fedora deals with strings and how much it would improve performance.
Thanks,
Stefano
[1] http://blog.takipi.com/garbage-collectors-serial-vs-parallel-vs-cms-vs-the-g1-and-whats-new-in-java-8/
--
Stefano Cossu
Director of Application Services, Collections
The Art Institute of Chicago
116 S. Michigan Ave.
Chicago, IL 60603
312-499-4026
Reply all
Reply to author
Forward
0 new messages