Hi,
I keep upgrading Lucee through the administrator and it works great.
But naturally I am wondering, if I should also keep upgrading Tomcat and JVM as well.
Currently I am on:
Lucee 5.2.3.35
Tomcat 8.028
JVM 1.8.0_121
Upgrading JVM would be easy, but which one should I pick for a given Lucee version ?
I am even less sure about upgrading Tomcat. I have checked some upgrade guides on the Tomcat website and felt like “pain, but could be done”. But which version to pick ? And does it really make sense, just for the sake of it ?
Is there some general reccommendation for this ?
Or the best is: “Don’t fix what ain’t broken!” ?
Regards
Ivan
Hi Ivan,
Both your Tomcat Version and your Java version have security vulnerabilities. See:
https://tomcat.apache.org/security-8.html
I would pick the latest Java 8 version, currently 1.8.0_152 - Java 9 is a new major version of Java that just came out a few weeks ago, and while that should work I don’t think many Lucee users have upgraded yet so you may be on unchartered waters there. The JVM update should be pretty straight forward.
To update Tomcat - you may want to switch to the 8.5 version, as the 8.0 is still being patched for security vulnerabilities but the patches are taking a long time to make it to that branch. You can see in the link I posted that Tomcat 8.5 was patched on Oct 1st, but 8.0 has not yet received the patch. If you are going to go with Java 9, then Tomcat 9 might also make sense to use.
The above all assumes that you are not using a Tomcat package provided by the operating system. Sometimes Ubuntu or Redhat will patch just the security vulnerabilities in their LTS distributions, so you will see the same version number of Tomcat but you have to actually check with yum / apt-get to make sure you have the latest. You can look at the package change log to see, they will include which CVE’s they have patched.
–
Pete Freitag
HackMyCF / HackMyCF
1 Like
Hi Pete,
thanks a lot for this.
I have tried it first locally and upgraded the JVM to 1.8.0_152. I have also upgraded Tomcat libraries to 8.5.23 following this guide:
http://docs.lucee.org/guides/Various/installation-installer-documentation/installation-windows/upgrade-tomcat.html
It was actually very easy.
But then I have found this recommendation on Tomcat’s webpage:
When migrating from one major Tomcat version to another (e.g. from Tomcat 7 to Tomcat 8, or from Tomcat 8 to Tomcat 8.5), you should not copy the configuration files from the old version to the new version. The recommended approach is to start with the default configuration of the new version of Apache Tomcat and to adjust it as necessary.
( Apache Tomcat® - Migration Guide )
I have tried to do this quite hard, but could not get it work. I could start Tomcat, but got Tomcat’s 404s instead of my sites.
When I reverted back to the original conf files everything worked.
Well, it’s sort of ambiguous result.
But maybe I have just misconfigured something, I will try to revisit it later.
Regards
Ivan
any reason you didn’t just use the lucee windows installer?
I have tried that first, but ended up with an error - it couldn’t copy some jars.
So, just testing it on a local machine, I was curious to explore the manual upgrade option a bit.
I thought, I could decide later which is better option for the production server.
Probably you are right and it should be the installer. I should have had closer look at why it threw error, before messing up with anything else.
I will try reverting back to the original files and run the installer again.
Thanks for pointing me in right direction.
I have reverted back and runned the installer again. I got error it could not install Lucee service:
Failed installing 'Lucee' service
Script stderr:
Program ended with an error exit code
Error running C:\lucee\tomcat\bin\service.bat install Lucee: Program ended with an error exit code
Executing C:\lucee\tomcat\bin\autostart.bat
Script exit code: 0
Script output:
the Lucee Service will now start automatically after a reboot.
But after restart everything seems to be running all right.
I can see it was wrong idea to try to upgrade Tomcat manually.
I am new to tomcat… are you saying just installing the latest version of lucee using the automated installed will upgrade tomcat, java and lucee? So I don’t have to worry about anything else? Is it usually a pain free experience?
Jordan regularly updates the versions of Tomcat and Java included in the installer:
We prefer to maintain our own separate java installation though and not use the included JVM. As you can see it’s already out of date (current version 8 update is 152).
So I haven’t been keeping up with my JRE. Tomcat is running latest version. Is there anything I need to know on updating Java before I do it on Linux boxes? Do I just download the RPM and run it?
BTW, Where is the lucee config to see where it is pointing to Java?
Follow up question. Just looked ( because I was shocked that our Java version was outdated ) and it appears that Lucee uses its own version of Java. The version installed on our server is LATEST, but the Lucee version is _102. Some help getting this updated would be appreciated.
Seems to me that it would be best to point Lucee to use the version of Java being updated by updates rather than the one included in Lucee. Thoughts?
IF this is the best approach, what is the config file / location that I can just point to $JAVA_HOME?
Thanks in advance!
Yes, that’s what we do using the JAVA_HOME environment variable. On Tomcat/Windows you use the Lucee-Tomcat Service Control applet to specify the path as %JAVA_HOME%\jre\bin\server\jvm.dll.
On Linux I belive you set the path in the tomcat/bin/setenv.sh file.
Thanks @Julian_Halliwell! Looked in the tomcat/bin/setenv.sh file and I don’t see anything there about the JVM path to set. Anyone know how to do this on Linux?
Sorry I don’t use Linux, but there’s some guidance in the RUNNING.txt file you should find in your Tomcat installation root.
dump( server.system.properties[ "java.home" ] );
Done. Found the instructions in the lucee/tomcat/
RUNNING.txt. Just had to add “JRE_HOME=path-to-jre;” within lucee/tomcat/bin/setenv.sh file as you instructed me. Just didn’t see that variable set in that script. Went from Java 1.8_102 to 1.8_141 with a save of a file.
Nice, thanks for the help!