From our and our clients' experiences of developing and using eXist in production environments there are a number of lessons which we have learned. This Good Practice guide is an attempt to cover some of the considerations that should be taken into account when deploying eXist for use in a production environment.
The concepts laid out within this document should not be considered absolute or accepted wholesale, more that they should be used as suggestions to guide users in their eXist deployments.
Ensure that your server is up-to-date and patched with any necessary security fixes.
eXist is written in Java - so for performance and security reasons, please ensure that you have the latest and greatest Java JDK release installed. At present this is the 1.6 branch, details of the latest version can always be found here - http://java.sun.com
Most users will install an officially released version of eXist on their production systems, usually this is perfectly fine. However there can be advantages to installing eXist from source code on a production system.
eXist may be installed from source code to a production system in one of two ways -
via. Local Build Machine (preferred) |
You checkout the eXist code for a release branch (or trunk) from our Subversion repository to a local machine, from here you build a distribution which you test and then deploy to your live server. |
---|---|
Directly from Subversion |
In this case you dont use a local machine for building an eXist distribution, but you checkout the code for a release branch (or trunk) directly from our Subversion repository on your server and build it in-situ. |
If you install eXist from source code, some advantages might be -
patches |
If patches or fixes are developed that are relevant to your specific needs, you can update your code and re-build eXist. |
---|---|
features |
If you are following trunk and new features are developed which you are interested in, you can update your code and re-build to take advantage of these. |
If you are upgrading the version of eXist that you use in your production system, please always follow these two points -
There are four main things to consider here -
At present eXist ships with fairly relaxed permissions to facilitate rapid application development, for production systems these should be constrained -
admin account |
The password of the admin account is blank by default! Ensure that you set a decent password. |
---|---|
default-permissions |
The default permissions for creating resources and collections in eXist are set in conf.xml. The current settings are fairly sane, but you may like to improve on them for your own application security. |
/db permissions |
declare namespace xmldb = "http://exist-db.org/xquery/xmldb"; xmldb:set-collection-permissions("/db", "admin", "dba", 508) |
eXist should be deployed and configured to run whilst following the security best practices of the operating system on which it is deployed.
Typically we would recommend creating an "exist" user account and "exist" user group with no login priviledges (i.e. no shell and empty password), changing the permissions of the eXist installation to be owned by that user and group, and then running eXist using those credentials. An example of this on OpenSolaris might be -
$ pfexec groupadd exist $ pfexec useradd -c "eXist Native XML Database" -d /home/exist -g exist -m exist $ pfexec chown -R exist:exist /opt/eXist
For any live application it is recognised best practice to keep the attack surface of the application as small as possible. There are two aspects to this -
eXist is no exception and should be configured for your production systems so that it provides only what you need and no more. For example, the majority of applications will be unlikely to require the WebDAV or SOAP Admin features for operation in a live environment, and as such these and other services can be disabled easily. Things to consider for a live environment -
Standalone mode |
eXist can be operated in a cut-down standalone mode (see server.(sh|bat)). This provides just the core services from the database, no webapp filesystem access, and no documentation. The entire application has to be stored in the database and is served from there. This is an ideal starting place for a production system. |
---|---|
Services |
eXist provides several services for accessing the database. You should reduce these to the absolute minimum that you need for your production application. If you are operating in Standalone mode, this is done via. server.xml, else see webapp/WEB-INF/web.xml. You should look at each configured service, servlet or filter and ask yourself - do we use this? Most production environments are unlikely to need WebDAV or SOAP Admin (Axis). |
Extension Modules |
eXist loads several XQuery and Index extension modules by default. You should modify the builtin-modules section of conf.xml, to ONLY load what you need for your application. |
You should ensure that you have enough memory and disk space in your system so that eXist can cope with any peak demmands by your users.
-Xmx |
However you decide to deploy and start eXist, please ensure that you allocate enough maximum memory to eXist via. the Java -Xmx setting. See backup.sh and startup.sh. |
---|---|
cacheSize and collectionCache |
These two settings in the db-connection of conf.xml should be adjusted appropriately based on your -Xmx setting (above). See the tuning guide for advice on sensible values. |
disk space |
Please ensure that you have plenty of space for your database to grow. Unsurprisingly running out of disk space can result in database corruptions or having to rollback the database to a known state. |
It has been reported by large scale users that keeping the eXist application, database data files and database journal on seperate disks connected to different I/O channels can have a positive impact on performance. The location of the database data files and database journal can be changed in conf.xml.
This is fundamental - Make sure you have them, they are up-to-date and that they work!
eXist provides 3 different mechanisms for performing backups -
Each of these backup mechanisms is schedulable either with eXist or with your operating system scheduler. See the backup page and conf.xml for further details.
eXist like any Web Application Server (Tomcat, WebLogic, GlassFish, etc) should not be directly exposed to the Web. Instead, we would strongly recommend proxying your eXist powered Web Application through a Web Server such as Nginx or Apache HTTPD. See here for futher details.
If you proxy eXist through a Web Server, then you may also configure your firewall to only allow external access directly to the Web Server. If done correctly this also means that web users will not be able to access any eXist services except your application which is proxyied into the Web Servers namespace.