Re: JMX with Listener
2012/12/11 André Warnier a...@ice-sa.com:
> Cédric Couralet wrote:
> ...
>> One question, though, in the tomcat doc (for 6.0.x) for the JMXRemoteListener, the configuration is :
>> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
>> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
>> while mine is
>> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
>> (notice the {} ). Is it my mistake?
>
> No, it is not a mistake. The above are lines extracted from a shell script, I presume. In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent. The {} form helps to clarify things for the shell when the character which *follows* the name of the variable, could be considered by the shell as part of the variable name. For example in :
>     echo something $my_file_conf
> it is not clear whether the name of the variable is my or my_file or my_file_conf (or anything in-between), and by default the shell will use the longer possibility. Writing this as
>     echo something ${my_file}_conf
> leaves only one possible interpretation.
>
> In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity (because / cannot be part of a variable name), but the form ${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone to oversights. (But it is slightly more work to type, and as programmers are a notoriously lazy and hubristic bunch, they rarely go through the trouble).
>
> I suppose that - just to kid Christopher - I could go on like this, talking about interpolation and stuff, but I'll leave it at that because it's already late here.

I finally had some time to do some testing.

First even with useLocalPorts=true, the JmxConnectorServer listens on all interfaces but won't accept connections from remote hosts. From the tomcat code, only the rmi client socket is forced to localhost at least on tomcat 6.0.x. A RMI server Socket could be created to force listening on a specified interface but I am not sure of any side effect.

Second, for my password problem, there was a problem with my configuration. In the tomcat service for JavaOptions, I had -Dcom.sun.management.jmxremote.authenticate=true (with a space after true), so when parsing the system properties in the Listener, the lines (in the init() method):
    String authenticateValue = System.getProperty(
            "com.sun.management.jmxremote.authenticate", "true");
    authenticate = Boolean.parseBoolean(authenticateValue);
returned false.
This is only a problem with tomcat as a service (on windows), in command line I'm guessing the double space won't be taken into account by the shell.

And now, another problem with this is that I can't reference catalina.base in those options. I tried : %CATALINA_BASE%, $CATALINA_BASE , ${catalina.base} and none of the values are expanded. Is it possible at all? It is not so much of a problem, I can write the path by hand, but it would be nice to have.

Cédric

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JMX with Listener
Cédric Couralet wrote:
> 2012/12/11 André Warnier a...@ice-sa.com:
>> Cédric Couralet wrote:
>> ...
>>> One question, though, in the tomcat doc (for 6.0.x) for the JMXRemoteListener, the configuration is :
>>> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
>>> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
>>> while mine is
>>> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
>>> (notice the {} ). Is it my mistake?
>>
>> No, it is not a mistake. The above are lines extracted from a shell script, I presume. In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent. The {} form helps to clarify things for the shell when the character which *follows* the name of the variable, could be considered by the shell as part of the variable name. For example in :
>>     echo something $my_file_conf
>> it is not clear whether the name of the variable is my or my_file or my_file_conf (or anything in-between), and by default the shell will use the longer possibility. Writing this as
>>     echo something ${my_file}_conf
>> leaves only one possible interpretation.
>>
>> In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity (because / cannot be part of a variable name), but the form ${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone to oversights. (But it is slightly more work to type, and as programmers are a notoriously lazy and hubristic bunch, they rarely go through the trouble).
>>
>> I suppose that - just to kid Christopher - I could go on like this, talking about interpolation and stuff, but I'll leave it at that because it's already late here.
>
> I finally had some time to do some testing.
>
> First even with useLocalPorts=true, the JmxConnectorServer listens on all interfaces but won't accept connections from remote hosts. From the tomcat code, only the rmi client socket is forced to localhost at least on tomcat 6.0.x. A RMI server Socket could be created to force listening on a specified interface but I am not sure of any side effect.
>
> Second, for my password problem, there was a problem with my configuration. In the tomcat service for JavaOptions, I had -Dcom.sun.management.jmxremote.authenticate=true (with a space after true), so when parsing the system properties in the Listener, the lines (in the init() method):
>     String authenticateValue = System.getProperty(
>             "com.sun.management.jmxremote.authenticate", "true");
>     authenticate = Boolean.parseBoolean(authenticateValue);
> returned false.
> This is only a problem with tomcat as a service (on windows), in command line I'm guessing the double space won't be taken into account by the shell.
>
> And now, another problem with this is that I can't reference catalina.base in those options. I tried : %CATALINA_BASE%, $CATALINA_BASE , ${catalina.base} and none of the values are expanded. Is it possible at all? It is not so much of a problem, I can write the path by hand, but it would be nice to have.

Where do you /set/ CATALINA_BASE ?
Re: JMX with Listener
> Where do you /set/ CATALINA_BASE?

Hum nowhere. Ok my mistake but I set catalina.base as a JVM option and I would like to reference it in another. As I say it, I don't think java can do it so I may be out of luck.
Re: JMX with Listener
Cédric Couralet wrote:
>> Where do you /set/ CATALINA_BASE?
>
> Hum nowhere. Ok my mistake but I set catalina.base as a JVM option and I would like to reference it in another. As I say it, I don't think java can do it so I may be out of luck.

When you run Tomcat 7 as a Service, you run in fact the program tomcat7.exe. This program is a service wrapper. It contains the necessary plumbing to behave like a Service for Windows, and itself then runs the Java VM which runs Tomcat. When it starts the Java VM, it also provides it with run parameters, which it takes from the Windows Registry. Tomcat7.exe is a renamed copy of the Apache prunsrv program, of which more info here : http://commons.apache.org/daemon/procrun.html

That's one part of it. The second part is the tomcat7w.exe program. That is also a renamed version of the prunmgr program of the same Apache procrun project. This program is a GUI Registry editor, which /sets/ the parameters in the Registry, that tomcat7.exe will later read and interpret to run the JVM. More info here : http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

To remove/install the Tomcat7 service, you can run the service.bat command-file in (tomcat_dir)/bin. Now /this/ command-file is a Windows command-file, and it looks in the Windows environment of the process in which you run it, for a value %CATALINA_BASE%. And then it uses that value to set the appropriate parameters to run the tomcat7.exe program in install service mode (which initially sets the Registry parameters).

So if you open a command window, set the CATALINA_BASE variable, and then run the service.bat script to create the service, that would probably do what you want. Later if you want to change it, you can probably do this by running tomcat7.exe with the //US (update service) switch (see the doc).
Re: JMX with Listener
2012/12/17 André Warnier a...@ice-sa.com:
> Cédric Couralet wrote:
>>> Where do you /set/ CATALINA_BASE?
>>
>> Hum nowhere. Ok my mistake but I set catalina.base as a JVM option and I would like to reference it in another. As I say it, I don't think java can do it so I may be out of luck.

[snip great explanation on tomcat as a windows service]

> Later if you want to change it, you can probably do this by running tomcat7.exe with the //US (update service) switch (see the doc).

Thank you for all this :) I know I can probably do it by updating (or uninstall/install) the service, but I was wondering if one could set a jvm option like -Dtest=true and then reference it in another Java option like -Dtest2=${test}, but it is far from being a question in topic.

My initial problem is resolved :
- JMXRemoteLifecycleListener listens on all interfaces - seems normal as any connection from remote hosts seems to be rejected.
- the authenticate=true was not taken into account by tomcat - it was due to a space after the true in the java_options for the service. That space causes the line authenticate=Boolean.parseBoolean(authenticateValue) to return false. It can't happen when running in command line, as the spaces will be considered as one by the shell.

Thanks everyone for the big help.

Cédric
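The trailing-space case resolved above, and the earlier question about dumping the JMX configuration of a JVM, as an added example that is not part of the original thread and is not Tomcat code: it lists the com.sun.management.jmxremote.* system properties with visible delimiters and shows what Boolean.parseBoolean returns for each boolean-looking value. The class name, the helper names and the sample values are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

// Added example, not Tomcat code: lists the com.sun.management.jmxremote.*
// system properties and flags values that carry stray whitespace.
public class JmxPropertyAudit {

    static final String PREFIX = "com.sun.management.jmxremote";

    // Collect the JMX-related properties, sorted by name.
    static Map<String, String> jmxProperties(Properties props) {
        Map<String, String> out = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            if (name.startsWith(PREFIX)) {
                out.put(name, props.getProperty(name));
            }
        }
        return out;
    }

    // Describe one property: brackets make padding visible, and for
    // boolean-looking values show what Boolean.parseBoolean really returns.
    static String check(String name, String value) {
        String trimmed = value.trim();
        StringBuilder sb = new StringBuilder(name).append(" = [").append(value).append(']');
        if (!value.equals(trimmed)) {
            sb.append("  <-- leading/trailing whitespace");
        }
        if (trimmed.equalsIgnoreCase("true") || trimmed.equalsIgnoreCase("false")) {
            boolean asRead = Boolean.parseBoolean(value);      // what the reading code sees
            boolean intended = Boolean.parseBoolean(trimmed);  // what the admin meant
            sb.append("  parseBoolean=").append(asRead);
            if (asRead != intended) {
                sb.append(" (intended ").append(intended).append(')');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample reproducing the case from the thread: "true" plus a space.
        Properties sample = new Properties();
        sample.setProperty(PREFIX + ".authenticate", "true ");
        sample.setProperty(PREFIX + ".password.file", "conf/jmxremote.password");
        System.out.println("== constructed sample ==");
        jmxProperties(sample).forEach((k, v) -> System.out.println(check(k, v)));

        // The properties of the JVM this class is running in.
        System.out.println("== this JVM ==");
        Map<String, String> live = jmxProperties(System.getProperties());
        if (live.isEmpty()) {
            System.out.println("(no " + PREFIX + ".* properties set)");
        }
        live.forEach((k, v) -> System.out.println(check(k, v)));
    }
}
```

Run it with the same -D options as the service to see how they are read, or call check() from code running inside the Tomcat JVM.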
Re: JMX with Listener
Cédric,

On 12/11/12 7:50 AM, Cédric Couralet wrote:
> In our tomcat, we use at the moment the JMXRemoteLifecycleListener configured as :
> <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" useLocalPorts="true" />

Okay.

> Now for my problems or questions:
> - Apparently, the Jmx listener listens on 0.0.0.0 (confirmed by a netstat) on the two ports configured for the listener, is it normal ? I thought that useLocalPorts would restrain the listening only to 127.0.0.1.

useLocalPorts /should/ force 127.0.0.1 (actually localhost... whatever that resolves to on your server). Can you confirm that you are editing the correct server.xml? If you edit it in one place and then deploy it, please make sure you have the latest version installed under CATALINA_BASE/conf.

> - with jvisualvm I am able to connect through jmx with the url service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi without entering the credentials (nagios:nagios). I thought that by entering com.sun.management.jmxremote.authenticate=true, even read access would be restricted.

I think you need to double-check that you are actually using the configuration you think you are.

Another note: using traditional JMX with Nagios is going to suck. You are probably going to make, say, 5 connections to your server every minute to check on things like heap size, request-time, etc. Each of those connections requires a complete JMX connection which is not cheap to make -- especially if the client is running on the same server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or whatever).

If you just want to make some quick checks, consider looking at the JMXProxyServlet which is provided by the manager webapp. I believe it will be a much lighter-weight solution (and does not require all of this crazy setup to configure JMX authentication, etc.).

-chris
RE: JMX with Listener
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: JMX with Listener

>> Now for my problems or questions:
>> - Apparently, the Jmx listener listens on 0.0.0.0 (confirmed by a netstat) on the two ports configured for the listener, is it normal ? I thought that useLocalPorts would restrain the listening only to 127.0.0.1.

> useLocalPorts /should/ force 127.0.0.1 (actually localhost... whatever that resolves to on your server).

Which brings up the point that the hosts file might have an incorrect entry for localhost - that needs to be checked as well.

 - Chuck
Re: JMX with Listener
> Okay.
>
>> Now for my problems or questions:
>> - Apparently, the Jmx listener listens on 0.0.0.0 (confirmed by a netstat) on the two ports configured for the listener, is it normal ? I thought that useLocalPorts would restrain the listening only to 127.0.0.1.
>
> useLocalPorts /should/ force 127.0.0.1 (actually localhost... whatever that resolves to on your server). Can you confirm that you are editing the correct server.xml? If you edit it in one place and then deploy it, please make sure you have the latest version installed under CATALINA_BASE/conf.

So it should force 127.0.0.1, ok !

>> - with jvisualvm I am able to connect through jmx with the url service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi without entering the credentials (nagios:nagios). I thought that by entering com.sun.management.jmxremote.authenticate=true, even read access would be restricted.
>
> I think you need to double-check that you are actually using the configuration you think you are.

I think too now :) I'll double check it. Is there a way to dump the jmx configuration in the jvm? It happens on all the tomcat in use (a lot) and I'm quite sure I am not mistaking the server.xml for every one of them.

One question, though, in the tomcat doc (for 6.0.x) for the JMXRemoteListener, the configuration is :
-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
while mine is
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {} ). Is it my mistake?

> Another note: using traditional JMX with Nagios is going to suck. You are probably going to make, say, 5 connections to your server every minute to check on things like heap size, request-time, etc. Each of those connections requires a complete JMX connection which is not cheap to make -- especially if the client is running on the same server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or whatever).

We don't really use nagios as is. We use check_MK, an agent installed on the host for which I developed a plug in to get only the information I want, with one connection to JMX (thus my need to restrict to localhost).

> If you just want to make some quick checks, consider looking at the JMXProxyServlet which is provided by the manager webapp. I believe it will be a much lighter-weight solution (and does not require all of this crazy setup to configure JMX authentication, etc.).

Some ancient rules force us to deactivate the manager webapp (those rules originated from some vulnerabilities with the manager webapp I believe), but I'm trying to get it back with the appropriate security, even if only to ease deployments :).

Thanks for the help !

> -chris
Re: JMX with Listener
Cédric,

On 12/11/12 1:08 PM, Cédric Couralet wrote:
>> Okay.
>>
>>> Now for my problems or questions:
>>> - Apparently, the Jmx listener listens on 0.0.0.0 (confirmed by a netstat) on the two ports configured for the listener, is it normal ? I thought that useLocalPorts would restrain the listening only to 127.0.0.1.
>>
>> useLocalPorts /should/ force 127.0.0.1 (actually localhost... whatever that resolves to on your server). Can you confirm that you are editing the correct server.xml? If you edit it in one place and then deploy it, please make sure you have the latest version installed under CATALINA_BASE/conf.
>
> So it should force 127.0.0.1, ok !

No, it forces the hostname localhost. That might mean 10.0.0.1 on your system. Try host localhost and see what happens.

>>> - with jvisualvm I am able to connect through jmx with the url service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi without entering the credentials (nagios:nagios). I thought that by entering com.sun.management.jmxremote.authenticate=true, even read access would be restricted.
>>
>> I think you need to double-check that you are actually using the configuration you think you are.
>
> I think too now :) I'll double check it. Is there a way to dump the jmx configuration in the jvm? It happens on all the tomcat in use (a lot) and I'm quite sure I am not mistaking the server.xml for every one of them.

You can see which ports are which using netstat. I don't believe you can ask for the port numbers for your JMX listeners via JMX: you just check the ports actually in use. You can check all the system properties, of course, using jvisualvm.

> One question, though, in the tomcat doc (for 6.0.x) for the JMXRemoteListener, the configuration is :
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
> while mine is
> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
> (notice the {} ). Is it my mistake?

As long as a bash-like shell is interpreting it, the {} will not interfere: they are just an explicit notation to the shell where the environment variable's name begins and ends.

>> Another note: using traditional JMX with Nagios is going to suck. You are probably going to make, say, 5 connections to your server every minute to check on things like heap size, request-time, etc. Each of those connections requires a complete JMX connection which is not cheap to make -- especially if the client is running on the same server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or whatever).
>
> We don't really use nagios as is. We use check_MK, an agent installed on the host for which I developed a plug in to get only the information I want, with one connection to JMX (thus my need to restrict to localhost).

Gotcha. check_MK looks interesting, especially because you get RRD databases for free. Hooray graphs!

>> If you just want to make some quick checks, consider looking at the JMXProxyServlet which is provided by the manager webapp. I believe it will be a much lighter-weight solution (and does not require all of this crazy setup to configure JMX authentication, etc.).
>
> Some ancient rules force us to deactivate the manager webapp (those rules originated from some vulnerabilities with the manager webapp I believe), but I'm trying to get it back with the appropriate security, even if only to ease deployments :).

Note that you can enable access only to the JMXProxyServlet by simply not allowing users to access other resources (like deploy/undeploy, etc.).

-chris
Re: JMX with Listener
>>> Okay.
>>>
>>>> Now for my problems or questions:
>>>> - Apparently, the Jmx listener listens on 0.0.0.0 (confirmed by a netstat) on the two ports configured for the listener, is it normal ? I thought that useLocalPorts would restrain the listening only to 127.0.0.1.
>>>
>>> useLocalPorts /should/ force 127.0.0.1 (actually localhost... whatever that resolves to on your server). Can you confirm that you are editing the correct server.xml? If you edit it in one place and then deploy it, please make sure you have the latest version installed under CATALINA_BASE/conf.
>>
>> So it should force 127.0.0.1, ok !
>
> No, it forces the hostname localhost. That might mean 10.0.0.1 on your system. Try host localhost and see what happens.

Yes, I should have thought of that sooner, I saw a couple of times a windows server without any localhost in its host file.

Thanks for the help.
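The two checks discussed in this exchange (what the name localhost resolves to, and whether the listener ports answer on addresses other than loopback), as an added example that is not part of the original thread and is not Tomcat code. Ports 10001 and 10002 are the ones from the Listener configuration quoted in the thread; the class and method names and the 500 ms timeout are assumptions. It is meant to be run on the Tomcat host itself and only tests whether a TCP connection is accepted, not whether JMX would serve the client.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
import java.net.Socket;
import java.net.SocketException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

// Added example, not Tomcat code: verifies the localhost mapping and probes
// the JMX ports on every non-loopback address of this host.
public class JmxBindCheck {

    // Addresses of all local interfaces that are up and are not loopback.
    static List<InetAddress> nonLoopbackAddresses() throws SocketException {
        List<InetAddress> out = new ArrayList<>();
        Enumeration<NetworkInterface> nics = NetworkInterface.getNetworkInterfaces();
        if (nics == null) {
            return out; // host reports no interfaces at all
        }
        for (NetworkInterface nic : Collections.list(nics)) {
            if (nic.isUp() && !nic.isLoopback()) {
                out.addAll(Collections.list(nic.getInetAddresses()));
            }
        }
        return out;
    }

    // True if a TCP connection to addr:port is accepted within timeoutMs.
    static boolean accepts(InetAddress addr, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(addr, port), timeoutMs);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. What does "localhost" mean here? A bad hosts entry shows up as a
        //    non-loopback address.
        for (InetAddress a : InetAddress.getAllByName("localhost")) {
            System.out.println("localhost -> " + a.getHostAddress()
                    + (a.isLoopbackAddress() ? "" : "  <-- NOT a loopback address"));
        }

        // 2. Are the listener ports bound beyond loopback? A successful connect
        //    to a non-loopback local address means the socket is bound to that
        //    address or to the wildcard address (0.0.0.0).
        int[] ports = {10001, 10002}; // from the Listener configuration in the thread
        for (int port : ports) {
            boolean exposed = false;
            for (InetAddress a : nonLoopbackAddresses()) {
                if (accepts(a, port, 500)) {
                    exposed = true;
                    System.out.println("port " + port + " accepts connections on "
                            + a.getHostAddress());
                }
            }
            if (!exposed) {
                System.out.println("port " + port
                        + " not reachable on any non-loopback address");
            }
        }
    }
}
```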
Re: JMX with Listener
Cédric Couralet wrote:
...
> One question, though, in the tomcat doc (for 6.0.x) for the JMXRemoteListener, the configuration is :
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
> while mine is
> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
> (notice the {} ). Is it my mistake?

No, it is not a mistake. The above are lines extracted from a shell script, I presume. In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent. The {} form helps to clarify things for the shell when the character which *follows* the name of the variable, could be considered by the shell as part of the variable name. For example in :
    echo something $my_file_conf
it is not clear whether the name of the variable is my or my_file or my_file_conf (or anything in-between), and by default the shell will use the longer possibility. Writing this as
    echo something ${my_file}_conf
leaves only one possible interpretation.

In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity (because / cannot be part of a variable name), but the form ${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone to oversights. (But it is slightly more work to type, and as programmers are a notoriously lazy and hubristic bunch, they rarely go through the trouble).

I suppose that - just to kid Christopher - I could go on like this, talking about interpolation and stuff, but I'll leave it at that because it's already late here.