Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Tomcat next

2,114 views

Published on

slide used at jbcnconf 2016

Published in: Internet
  • Be the first to comment

Tomcat next

  1. 1. Apache Tomcat NEXT progress report Jean-Frederic Clere Manager Sat, 18th Jun
  2. 2. 2 AGENDA • Who I am • New features required by specifications • Tomcat specific new features • Tomcat features removed • Internal changes • Why Apache Tomcat 8.5? • HTTP/2 and ALPN • SNI • OpenSSLImplementation • Migration from 8.0 to 8.5 • Get involved • Questions
  3. 3. 3 Who I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH)
  4. 4. 4 Tomcat
  5. 5. 5 Tomcat versions Tomcat Java EE Minimum Java SE Servlet JSP EL WebSocket JASPIC 1st Stable Release EOL 5.x 4 1.4 2.4 2.0 N/A N/A N/A 08 2004 09 2012 6.x 5 5 2.5 2.1 2.1 N/A N/A 02 2007 12 2016 7.x 6 6 3.0 2.2 2.2 1.1 N/A 01 2011 TBD 8.0.x 7 7 3.1 2.3 3.0 1.1 N/A 02 2014 09 2016? 8.5.x 7 7 3.1 2.3 3.0 1.1 1.1 Now! TBD 9.x 8 8 4.0 2.4? 3.1? 2.0? 1.1? 2017 TBD
  6. 6. 6 Specifications mandated new features JavaEE8 ● Key elements ● HTTP/2 ● Simplification ● Better integration for managed beans ● Better infrastructure for the cloud
  7. 7. 7 Specifications Servlet 4.0 ● HTTP/2 ● Usability improvements ● HttpFilter, default methods ● Clarifications ● Enhancement requests
  8. 8. 8 Specifications HTTP2 ● HTTP/2 requires some TLS features ● Server Name Indication (SNI) ● Application Layer Protocol Negotiation (ALPN) ● Full support ● 8.5.3 considered stable. ● h2c available (for proxies) ● h2 requires APR/native/OpenSSL due to ALPN requirements ● Server push available
  9. 9. 9 Specifications Servlet 4.0 HTTP2 ● Java EE 8 must run on Java 8 ● Java EE 8 requires Servlet 4.0 ● Servlet 4.0 requires HTTP/2 ● HTTP/2 requires ALPN ● Java 8 does not, and will not, support ALPN ● ALPN support should be available from Java 9
  10. 10. 10 Specifications Other ● WebSocket 1.2 (keep 1.1?) ● Standard extension for compression/multiplexing? ● JSP 2.4 (keep 2.3?) ● Imports to clarify (EL 3.0 related) ● EL 3.1 (keep 3.0?) ● Only minor improvements/clarifications needed ● JASPIC 1.1 (New!) ● Java Authentication Service Provider Interface for Containers. For OAuth
  11. 11. 11 Tomcat New Features TLS support improvements (1) ● Major rewrite of TLS support ● Tomcat 8 supports ● one TLS virtual host per connector ● one certificate per virtual host ● Tomcat 9 supports ● multiple virtual hosts per connector (SNI) ● multiple certificates per virtual host ● TLS configuration has changed to support this
  12. 12. 12 Tomcat New Features TLS support improvements (2) ● SNI and multiple certificates supported by all connectors ● APR/native support via the OpenSSL API ● JSSE support via parsing the initial handshake ● ALPN supported by APR/native or OpenSSLImplementation ● JSSE support is currently TBD ● Common (where possible) configuration for all connectors ● Some JSSE / OpenSSL differences remain. • OpenSSL engine option of NIO and NIO2 connectors • Allows openssl performance with NIO/NIO2 APIs • Use automagically when tc-native is installed.
  13. 13. 13 Tomcat Removed Features Old blocking O/I connectors... ● BIO HTTP and BIO AJP connectors ● Websocket and Servlet 3.1 require non-blocking IO ● Emulation of non-blocking bad: • Complex • No scalable • Risky: stuff that might break. • Decision remove them. • Still 3 connectors: • NIO default connectors • NIO2 introducted in Tomcat8 • APR/Native still available. (require native libraries)
  14. 14. 14 Tomcat Removed Features Comet ● Proprietary interface for asynchronous I/O ● Users are moving (have moved) to WebSocket ● Adds complexity to all the connectors ● Therefore decided to remove it
  15. 15. 15 Internal Changes Connectors ● Removed ● BIO ● Comet ● Reduce duplication ● HTTP upgrade from 12 classes to 3 ● HTTP/1.1 cleanup = removed ~ 50% (~2500 loc) ● AJP 1.3 cleanup = remove ~ 30% ● No connector specific HTTP/2 code ● Implementation specific per connector → Endpoint ● Implementation specific per connection → SocketWrapper
  16. 16. 16 Internal Changes Websocket ● Refactored I/O implementation ● Direct to Tomcat’s I/O layer ● Not via Servlet 3.1 non-blocking API ● Simpler ● Faster ● Extension support likely to require further refactoring?
  17. 17. 17 Internal Changes Other ● Remove use of system properties for configuration ● Move to per Context / Host / Server / Connector ● keep the system property as a default ● Made RFC 6265 CookieProcessor the default ● Note UTF-8 extension
  18. 18. 18 Why Tomcat 8.5? EE8 late... ● Tomcat 9 stable release is tied to the release of Java EE 8 ● Java EE 8 has been repeatedly delayed ● Currently delayed until at least H1 2017 ● Don't want users to have to wait another year+ to get access our new features: ● HTTP/2 ● OpenSSL encryption for JSSE ● TLS virtual hosting ● JASPIC ● Hence, Tomcat 8.5...
  19. 19. 19 What is Tomcat 8.5? Tomcat 9.0.0.M4... ● Started from Apache Tomcat 9.0.0M4 ● Reverted all Servlet 4.0 API changes ● Reworked code that required Java 8 ● Tomcat specific Push Server API ● Configuration compatible with 8.0.x ● “big” removal: ● Comet (migrate to WebSocket) ● BIO (Connector… probably not noticed) • We might reintroduce stuff if needed (no one asked till now)
  20. 20. 20 Tomcat 8.5 timing Possible roadmap ● 6 months of 8.0.x and 8.5.x ● Extended if needed. ● ~ one month between releases ● ~ after no more 8.0.x releases ● First 8.5 release 24 March 2016 ● Current release: 8.5.3 stable ● Expect last 8.0.x around end of September 2016.
  21. 21. 21 Why HTTP/2 – HTTP/1.1: June 1999 (RFC 2616) ● 1999: – 1 page ~ 1kB HTML ● 2015: – 1 page ~ 3MB HTML + IMAGES + JS + CSS etc – Protocol: ● Not adapted / inefficient / etc
  22. 22. 22 HTTP/2 general • HTTP/2: • Binary • Frame • Multiplex • Based on SPDY • TLS everywhere: • Browers use https and strong ciphers • No forward proxy • h2c: Clear text only with reverse proxy (proxy to back-end server)
  23. 23. 23 HTTP/2 generalHTTP/2 general • Two specifications: • Hypertext Transfer Protocol version 2 - RFC7540 • HPACK - Header Compression for HTTP/2 - RFC7541 • By the Internet Engineering Task Force • ALPN Application-Layer Protocol Negotiation - RFC 7301
  24. 24. 24 HTTP/2 MultiplexedHTTP/2 Multiplexed Headers Data Headers Headers Headers Data Data Headers Data Data HeadersData Headers
  25. 25. 25 HTTP/2 : more • HTTP headers compression • ~ 80 % save • Request priority • Both sides • Server Push • Prevents round trips to get page elements. • Faster / better rendering on browsers.
  26. 26. 26 HTTP/2 When Browsers • Browser with HTTP/2 and TLS • FireFox 34 • Chrome 40 (with ALPN before was NPN) • IE 11 • Opera and Safari 9 • Stats from docs.trafficserver and ci.trafficserver: • More than 50% is over HTTP/2 (data from April) • → go for it now!
  27. 27. 27 ALPN Client Hello (Firefox)
  28. 28. 28 ALPN Server Hello (tomcat)
  29. 29. 29 TC connector server.xmlTC connector server.xml <Connector port="8002" scheme="https" SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" SSLCertificateFile="/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem" protocol="org.apache.coyote.http11.Http11AprProtocol"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <Connector/> <Connector port="8003" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/.keystore" keystorePass="changeit" socket.directBuffer="true" socket.directSslBuffer="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector> <Connector port="8004" protocol="org.apache.coyote.http11.Http11AprProtocol"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
  30. 30. 30 Tomcat / configuration In bin/setenv.sh: LD_LIBRARY_PATH=/home/jfclere/tomcat-native/native/.libs export LD_LIBRARY_PATH And the libtcnative-1.so linked with openssl-1.0.2c, checking with ldd: libssl.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libssl.so.1.0.0 (0x00007f6ab147b000) libcrypto.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libcrypto.so.1.0.0 (0x00007f6ab1028000) libapr-1.so.0 => /home/jfclere/APR-1.4.x/lib/libapr-1.so.0 (0x00007f6ab0dfa000) Usually the openssl of recent distribution (fedora 23) will work.
  31. 31. 31 Tomcat / Performances 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size Kbytes/second
  32. 32. 32 Tomcat / Performances 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 90 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size CPUUsage
  33. 33. 33 Tomcat / Demo • No server push (may be change it: SimpleImagePush) • Multiplexing • headers compression • Page html page: • That requires a lot (~1000) of (~4Kbytes) images to render.
  34. 34. 34 SNI Client Hello (Firefox)
  35. 35. 35 TC connector server.xmlTC connector server.xml <Connector protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true" maxThreads="150" secure="true" scheme="https" defaultSSLHostConfigName="local1.com" port="8443" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig honorCipherOrder="false" hostName="local1.com" > <Certificate certificateKeyFile="conf/local1.key" certificateFile="conf/local1.crt" type="RSA" /> </SSLHostConfig> <SSLHostConfig honorCipherOrder="false" hostName="local2.com"> <Certificate certificateKeyFile="conf/local2.key" certificateFile="conf/local2.crt" type="RSA" /> </SSLHostConfig> </Connector>
  36. 36. 36 Tomcat / Demo • 2 pairs of key/certificate • local1.com • local2.com • /etc/hosts • 127.0.0.1 localhost local1.com local2.com • SNI allows to select the right key/certificate
  37. 37. 37 Why a new SSLImplementation • JSSE: • Very slow • Missing features: like ALPN (JEP 244: TLS Application-Layer Protocol Negotiation) • Hardware acceleration used to be very partial (like AES in early java8) • Native connector: • Fast but a lot of native code • Use OpenSSL for SSL/TLS. • New OpenSSL implemetation: • Fast. • Uses only a OpenSSL for native code (no native socket, poller etc). • Works with NIO and NIO2. • Uses OpenSSL for SSL/TLS. (warp, unwarp, handshake etc).
  38. 38. 38 OpenSSLImplementation • Code orginates from netty-tcnative a forked Tomcat Native • Prototype (last year): • Done with the BeFriNe University • Tested and ported to tc_trunk last summer • SSL Configuration compatible with the JSSE configuration style (*) • Uses keystores (*) • Uses SSL BIO to wrap/unwarp, handshake • Uses java NIO or NIO2 Sockets for the reads and writes • Automatically enabled when TC native is installed/enabled (*)
  39. 39. 39 How TLS is done in Tomcat Tomcat JSSE Con. Javastdlib JSSE SSL Engine NIO/NIO2 Tomcat Native APR JNIs Webserver APR Internals APR Connector OpenSSL OS Sockets JavaC/Native Webserver OpenSSL Impl.
  40. 40. 40 How does that works SSLContext JSSESSLContext OpenSSLContext SSLEngine SSLContext OpenSSLEngine createSSLEngine() createSSLEngine() wrap() unwrap() getSession() etc... Overrides
  41. 41. 41 How does wrap works wrap(plaintext, encrypted) internalBIO networkBIO BIO_new_bio_pair SSL_set_bio writePlainTextData write_ToSSL SSL_write readEncryptedData readFromBIO BIO_read
  42. 42. 42 How does unwrap works unwrap(encrypted, plaintext) internalBIO networkBIO BIO_new_bio_pair SSL_set_bio writeEncryptedData writeToBIO BIO_write readPlaintextData readFromSSL SSL_read
  43. 43. 43 Connector Throughput (c80) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputKbytes/sec
  44. 44. 44 TC connector server.xmlTC connector server.xml OLD NATIVE CONNECTOR WAY: <Connector port="8002" scheme="https" SSLEnabled="true" SSLCertificateFile="/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem" protocol="org.apache.coyote.http11.Http11AprProtocol"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <Connector/> NEW OPENSSLImplementation WAY: (AprLifecycleListener" with SSLEngine="on" + tcnative libs) <Connector port="8003" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/.keystore" keystorePass="changeit" socket.directBuffer="true" socket.directSslBuffer="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
  45. 45. 45 Migration from Apache Tomcat 8.0.x ● Aiming to make it a seamless process for most users ● Some users will have some work to do ● Configuration files can be re-used ● Will need migration to use new TLS features ● Some removed features will not be replaced ● Comet (Stick with final 8.0, revert 7.0 or migrate WebSocket) ● Work arounds may be added for some removed features ● BIO ● Removed deprecated code may be restored ● Manager, Context, RealmBase
  46. 46. 46 GET INVOLVED Help is welcomed ;-) • SVN: • http://svn.apache.org/repos/asf/tomcat/tc8.5.x/trunk/ • http://svn.apache.org/repos/asf/tomcat/trunk/ • MAIL LISTS: • dev@tomcat.apache.org Dev list. • users@tomcat.apache.org Users list. • WIKI: • http://wiki.apache.org/tomcat/FrontPage
  47. 47. THANK YOU plus.google.com/+RedHat linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHatNews

×