Running Tomcat Automatically At Linux Startup

A potential drawback of installing Tomcat from a binary distribution instead of using a Linux-packaged version is that you’ll have to do some extra legwork to make Tomcat start automatically when Linux boots up.  To make this process easy and pain-free, follow this simple guide.

Step 1 – Create A Tomcat-Specific User and User Group

It’s a bad idea to run Tomcat as the root user, especially if you’re going to be starting Tomcat automatically.  It’s much more secure to create a new group and user specifically to run Tomcat.  You can do so with the following commands (in this example, we have created a user group named tomcat, and a user named tomcat with the password tomcat; you can certainly be more creative if you wish):

$ groupadd tomcat
$ useradd -s /sbin/nologin -g tomcat -d /path/to/tomcat tomcat

$ useradd -r -s /sbin/nologin tomcat

-r for system user
$ passwd tomcat

-r, –system
Create a system account.

System users will be created with no aging information in /etc/shadow, and their
numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in
/etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the
creation of groups).

Note that useradd will not create a home directory for such an user, regardless
of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the
-m options if you want a home directory for a system account to be created.

-s, –shell SHELL
The name of the user’s login shell. The default is to leave this field blank,
which causes the system to select the default login shell specified by the SHELL
variable in /etc/default/useradd, or an empty string by default.


useradd -m -d /home/thenewuser -s /bin/bash -c "the new user" -U thenewuser

-c “message” : extra information about the user.

-U thenewuser : Create a group with the same name as the user, and add the user to this group.

-N : the -N argument tells the system not to create a group having the user’s name

-m, –create-home are same: Create the user’s home directory if it does not exist.

-d, –home HOME_DIR : The new user will be created using HOME_DIR as the value for the user’s login directory.
if -d is not used the default homedirectory will be /home/thenewuser

-m -d /data/thenewuser : the -m argument creates the /data/thenewuser homedirectory, specified by the -d argument.

-M : the -M argument tells the system not to create a home directory

-s /bin/bash : the -s is used for specifing the user’s default shell, /bin/bash in this case.

-s or –shell are same.

-s /sbin/nologin : The /sbin/nologin for Fedora and /usr/sbin/nologin for Debian are two shells that return you a polite message like “this account is not available” and do not allow you to log into the system. This message can be customized.

-s /bin/false : Is an old shell used to deny a user’s login. The /bin/false exits immediatly when false exists. The user accounts with /bin/false or /bin/true as their default shells are locked.

-s /sbin/nologin belongs to unix-linux while /bin/false part of GNU Coreutils. These shells must be listed in the /etc/shells file, to work.

The users with /sbin/nologin (or /usr/sbin/nologin) can connect through ssh or ftp, but the users with /bin/false are completely locked out from the system.

with useradd -D : You can also view the default parameters set for new user to be created using

# useradd -D

Step 2 – Adjust Ownership For New Users And Groups

Now that you have created a user to run Tomcat, you’ll need to give them access to the correct directories.  Use the following commands, substituting your own usernames and groups as necessary:

# chown -R tomcat.tomcat /path/to/tomcat
# chmod 775 /path/to/tomcat/webapps
The first gives ownership of the Tomcat directories to the Tomcat user, and the second gives the user write access for the webapps directory.

Step 3 – Relay Traffic For Non-Root Tomcat User

When running Tomcat as a user other than the root user, you will not be able to bind to port 80, which is where Tomcat listens for HTTP requests.  To get around this, you can use Netfilter, which is packaged with all major Linux distributions:

# iptables -t nat -I PREROUTING -p tcp –dport 80 -j REDIRECT –to-ports 8080
# iptables -t nat -I OUTPUT -p tcp –dport 80 -j REDIRECT –to-ports 8080
To preserve these rules through re-boot, save them with the “ip-tables-save” command, and then follow the procedure appropriate for your Linux distribution (for most distributions, this means editing the iptables init script; Debian users should load the configuration via a script called by if-up.d or pre-up.d).

Step 3 – Create A Custom init Script

To start Tomcat at Linux boot time, we’ll need to create an init script that calls the and scripts included with Tomcat.

The actual creation of this script is outside the scope of this article, but there are many useful resources available online.  All you need to know in order to use the basic init script format to call Tomcat is how the and scripts work.

For more information about these scripts, visit our Tomcat Start page, which includes a simple, step-by-step guide to Tomcat’s three start-up shell scripts.

like :

chmod 774 /opt/apache-tomcat-8.0.12-1/ -Rf

export JAVA_OPTS=”-agentlib:hprof=cpu=samples,file=/var/log/cpuTest.log”



/bin/su -s /bin/bash $TOMCAT_OWNER -c $CATALINA_HOME/bin/




Create bootable USB stick from ISO in Mac OS X

Convert the ISO to UDRW format

Mac OS X provides all the tools needed to convert the ISO image to UDRW. The following command will convert the ISO image to the UDRW format.

hdiutil convert -format UDRW -o destination_file.img source_file.iso

You will notice that the destination_file.img from the command will create the file destination_file.img.dmg really. This is because the hdiutil program automatically adds the dmg file extension. This is not a problem as the file extension won’t affect the format of the image.

Prepare the USB stick

Check your USB stick and make a backup if there is any important data on it, as the next steps are going to delete everything on it.

To prepare the USb stick we are going to delete all the partitions on the stick and create an empty partition. To do this we need to know the device name of the USB stick. Open a terminal and execute the following command:

$ diskutil list

You will see a list of disks and partitions. The goal is to identify the USB stick in this output. Depending on your system configuration your output might look different from this one. This appears to show 3 physical discs but it does not. The /dev/disk1 is a virtual disk created because of the partition encryption (FileVault 2) I enabled in Mac OS X.

#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *500.1 GB   disk0
1:                        EFI                         209.7 MB   disk0s1
2:          Apple_CoreStorage                         399.5 GB   disk0s2
3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
5:                 Apple_Boot Boot OS X               134.2 MB   disk0s5
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:                  Apple_HFS MacOSX                 *399.2 GB   disk1
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *2.0 GB     disk2
1:       Microsoft Basic Data UNTITLED 1              2.0 GB     disk2s1

As shown in the output above, the connected USB stick is a small 2.0 GB drive with a FAT partition on it. We are now going to remove this partition in the next step. For the following steps we will need the name of the disk which in this case is “/dev/disk2”.

With the following command the data on the disk (your USB stick) will be deleted!

$ diskutil partitionDisk /dev/disk2 1 "Free Space" "unused" "100%"

With this command the USB stick was re-partitioned to have 1 partition without formatting and 100% of the size of the stick. If you check it again with “diskutil list” you will see the changes already, also the USB stick will no longer be shown in the Finder.

Copy the image to the USB stick

Now we can copy the disk image we created to the USB stick. This is done via the dd(1)command. This command will copy the image to the disk (substitute the appropriate disk name for your USB stick here, as with the re-partitioning command):

$ sudo dd if=destination_file.img.dmg of=/dev/disk2 bs=1m

The dd command does not show any output before it has finished the copy process, so be patient and wait for it to complete.

$ diskutil eject /dev/disk2

To eject the USB stick, use the above command. After this is done, the bootable USB stick is ready to be used.

Original link

IspConfig migration from one server to other.

Usefull link 

You need to backup /var/vmail, /var/www (or the place where you stored the websites), the ispconfig database, all mysql databases of the websites incl. the “mysql” database, the users and passwords in /etc/passwd and /etc/group. Make sure that you backup the directories with preserved permoissions.

We must backup:
c. /var/www (web content)
b. /var/vmail (mail content)
a. /etc/passwd and /etc/group (users)
d. MySQL databases (is it better to stop mysql and tar.gz the /var/lib/mysql?)
e. All /etc/
f. /var/log

MY migration script


#database root password
export username=
export password=
NOW=$(date +”%d-%m-%Y”)

ssh root@IP_OLD rm -rf /root/BACKUP_SERVER/vmail.tar.gz
ssh root@IP_OLD tar -zcvf /root/BACKUP_SERVER/vmail.tar.gz /var/vmail
scp root@IP_OLD:/root/BACKUP_SERVER/vmail.tar.gz ./BACKUP_SERVER/
tar -zxvf vmail.tar.gz
cd ..
rm -rf /var/vmail
mv ./BACKUP_SERVER/var/vmail /var/

ssh root@IP_OLD rm -rf /root/BACKUP_SERVER/www.tar.gz
ssh root@IP_OLD tar -zcvf /root/BACKUP_SERVER/www.tar.gz /var/www
scp root@IP_OLD:/root/BACKUP_SERVER/www.tar.gz ./BACKUP_SERVER/
tar -zxvf www.tar.gz
cd ..
rm -rf /var/www
mv ./BACKUP_SERVER/var/www /var/

ssh root@IP_OLD rm -rf /root/BACKUP_SERVER/log.tar.gz
ssh root@IP_OLD tar -zcvf /root/BACKUP_SERVER/log.tar.gz /var/log
scp root@IP_OLD:/root/BACKUP_SERVER/log.tar.gz ./BACKUP_SERVER/
tar -zxvf log.tar.gz
cd ..
rm -rf /var/log
mv ./BACKUP_SERVER/var/log /var/

ssh root@IP_OLD rm -rf /root/BACKUP_SERVER/opt.tar.gz
ssh root@IP_OLD tar -zcvf /root/BACKUP_SERVER/opt.tar.gz /var/opt
scp root@IP_OLD:/root/BACKUP_SERVER/opt.tar.gz ./BACKUP_SERVER/
tar -zxvf opt.tar.gz
cd ..
rm -rf /var/opt
mv ./BACKUP_SERVER/var/opt /var/

export NOW

array=(mydb1 mydb2)
for DATABASE in “${array[@]}”



echo “COPY FILE”

mysql -u $username -p”$password” -e “DROP DATABASE IF EXISTS $DATABASE”

mysql -u $username -p”$password” -e “CREATE DATABASE $DATABASE”

echo “RESTORE”
mysql -u $username -p”$password” $DATABASE < ./BACKUP_SQL/$DATABASE$NOW.sql

echo “FINE”

export password=”


array=( pgdb1 pgdb2 )

for DATABASE in “${array[@]}”



echo “COPY FILE”


dropdb –host –port 5432 –username “postgres” –no-password $DATABASE

createdb –host –port 5432 –username “postgres” –no-password $DATABASE

pg_restore –host -U postgres -d $DATABASE –verbose ./BACKUP_SQL/$DATABASE$NOW.backup

Increase space Virtual Box and Linux Partition

Clone the disk

VBoxManage clonehd “path/WebServer.vmdk” “path/WebServer.vdi” –format vdi

resize 20*1024 = 20GB

VBoxManage modifyhd “path/WebServer.vdi” –resize 20480

reconvert into vmdk

VBoxManage clonehd “path/WebServer.vdi” “path/WebServer.vmdk” –format vmdk

File -> Virtual Media Manager -> Removed existing images (note, I removed them only from the registry).

1. Open the Oracle VM VirtuaBox Manager
Click on File -> Virtual Media Manager (or Ctrl+D)
2. Delete the hard disk entry in question (select and press “Del” on keyboard)
3. Open “Settings” of the Virtual Machine, go to “Storage”, click “Add Attachment”, select “Add Hard Disk” and “Choose existing disk“, then selected the vdi file and you are done.

  1. Download “gparted-live-x.xx.x-x-ixxx.iso” file from Mount this iso file as CD. Virtual Machine -> Settings -> Storage -> Controller IDE (Right Click) -> Add CD/DVD -> Select gparted-live-x.xx.x-x-ixxx.iso file
  2. Run virtual machine, Virtual Machine will boot from this CD. Choose default values with pressing “Enter”, “Enter” … until Gpart ISO GUI starts. Select tool gpart program and start.
  3. Extend disk size as below;
    • Right click on partitions and if “possible” click on “Disable Active Partion”.
    • Extend Partition as much as possible from GUI (for this case 500GB).
    • Right click the partition which is disabled and select “Enable Active Partion”.
    • Apply and wait until the operations finished.
    • Shut down virtual machine.
    • Unmount gparted-live-x.xx.x-x-ixxx.iso.
      $ Virtual Machine -> Settings -> Storage-> Controller IDE (Right Click on gparted-live-x.xx.x-x-ixxx.iso) -> Remove Attachement
    • Start the virtual machine.


df -h

File system              Dim. Usati Dispon. Uso% Montato su
/dev/mapper/centos-root   19G  6,2G     13G  34% /
devtmpfs                 910M     0    910M   0% /dev
tmpfs                    920M     0    920M   0% /dev/shm
tmpfs                    920M  8,6M    912M   1% /run
tmpfs                    920M     0    920M   0% /sys/fs/cgroup
/dev/sda1               1014M  188M    827M  19% /boot
tmpfs                    184M     0    184M   0% /run/user/0


resize2fs /dev/mapper/centos-root

lvextend -l+100%FREE /dev/mapper/centos-root

resize2fs /dev/mapper/centos-root

xfs_growfs /dev/mapper/centos-root

df -ha

Steps to Perform SSH Login Without Password Using ssh-keygen & ssh-copy-id

ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.

Step 1: Create public and private keys using ssh-key-gen on local-host

jsmith@local-host$ [Note: You are on local-host here]

jsmith@local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Pess enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 jsmith@local-host

Step 2: Copy the public key to remote-host using ssh-copy-id

jsmith@local-host$ ssh-copy-id -i ~/.ssh/ remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

Note: ssh-copy-id appends the keys to the remote-host’s .ssh/authorized_key.

Step 3: Login to remote-host without entering the password

jsmith@local-host$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from
[Note: SSH did not ask for password.]

jsmith@remote-host$ [Note: You are on remote-host here]

The above 3 simple steps should get the job done in most cases.

How to create custom service for Centos 7

Create a script like :


Description = FaradCrmService

After =


ExecStart = /var/opt/jdk1.8.0_91/bin/java -jar /root/software/fia/farad-1.5.4.RELEASE.jar


WantedBy =

Put the script into -> /usr/lib/systemd/system/farad.service

create a symbolic link like this : ln -s /usr/lib/systemd/system/farad.service /etc/systemd/system/

enable the service : systemctl enable farad.service

start the service : service farad start

if modify the script, reload it with : systemctl daemon-reload

check it status : systemctl status farad.service

Apache not start : device: AH01760: failed to create lock (client_lock)

This’s very likely that Apache leaving a bunch of stray semaphore sets
lying around after an attempted restart of apache.

you can use the following commands to check:
#ipcs -s | grep apache

and use the following to kill:
ipcs -s | grep apache | awk ‘ { print $2 } ‘ | xargs -n 1 ipcrm -s

use the username you starts apache (e.g., specified by “User” directive)
instead of ‘apache’ in the commands.

Device: AH01760: failed to create lock (client_lock) – all nonce-count checking, one-time nonces, and MD5-sess algorithm disabled

Now, in almost all cases, Apache should start properly. If it doesn’t, you may just be completely out of available semaphores. You may want to increase your available semaphores, and you’ll need to tickle your kernel to do so. Add this to /etc/sysctl.conf:

And then run sysctl -p to pick up the new changes.


Use SSL certificate free for 3 months

Create your key (mail.saic.key) and your request (mail.saic.csr):

openssl req -new -newkey rsa:4096 -nodes -subj ‘/, Inc./C=IT/ST=Italy/L=Viadana’ -keyout mail.saic.key -out mail.saic.csr

Go to this website and follow the istruction for have back the certificate for your Common Name ( and the authority certificate :

Certificate Authority

I configured my dns.

I set all file permission

chmod 444 mail.saic.*

then vim /etc/postfix/

smtp_tls_key_file                         = /etc/ssl/certs/mail.saic.key

smtp_tls_cert_file                        = /etc/ssl/certs/mail.saic.crt

smtp_tls_CAfile                           = /etc/ssl/certs/

here the console for renew the certificate



It can be useful to check a certificate and key before applying them to your server. The following commands help verify the certificate, key, and CSR (Certificate Signing Request).

Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -in server.crt -text -noout

Check a key

Check the SSL key and verify the consistency:

openssl rsa -in server.key -check

Check a CSR

Verify the CSR and print CSR data filled in when generating the CSR:

openssl req -text -noout -verify -in server.csr

Verify a certificate and key matches

These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.

openssl x509 -noout -modulus -in server.crt| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5


Self Signed Certificate : Commands

Create a private key

openssl genrsa -out server.key 4096

Generate a new private key and certificate signing request

openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out server.csr -key server.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key

Remove a passphrase from a private key

openssl rsa -in server.pem -out newserver.pem

Parse a list of revoked serial numbers

openssl crl -inform DER -text -noout -in list.crl

Check a certificate signing request (CSR)

openssl req -text -noout -verify -in server.csr

Check a private key

openssl rsa -in server.key -check

Check a public key

openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout

Check a certificate

openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in server.p12

Verify a private key matches an certificate

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5

Display all certificates including intermediates

openssl s_client -connect

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in server.cer -out server.pem

Convert a PEM file to DER

openssl x509 -outform der -in server.pem -out server.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in server.pfx -out server.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

Convert private key into pem

openssl rsa -in private.key -text > private.pem

Verifying that a Certificate is issued by a CA

$ openssl verify -verbose -CAfile cacert.pem  server.crt
server.crt: OK

here a website to verify