Re: JMX with Listener

2012-12-17 Thread Cédric Couralet
2012/12/11 André Warnier a...@ice-sa.com:
 Cédric Couralet wrote:
 ...


 One question, though, in the tomcat doc (for 6.0.x) for the
 JMXRemoteListener, the configuration is :


 -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password

 -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

 while mine is
 -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
 (notice the {} ).

 is it my mistake?



 No, it is not a mistake.  The above are lines extracted from a shell script,
 I presume.
 In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent.
 The {} form helps to clarify things for the shell when the character which
 *follows* the name of the variable, could be considered by the shell as part
 of the variable name.
 For example in :

 echo something  $my_file_conf

 it is not clear whether the name of the variable is my or my_file or
 my_file_conf.
 (or anything in-between), and by default the shell will use the longer
 possibility.

 Writing this as

 echo something  ${my_file}_conf

 leaves only one possible interpretation.

 In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity
 (because / cannot be part of a variable name), but the form
 ${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone
 to oversights.
 (But it is slightly more work to type, and as programmers are a notoriously
 lazy and hubristic bunch, they rarely go through the trouble).

 I suppose that - just to kid Christopher - I could go on like this, talking
 about interpolation and stuff, but I'll leave it at that because it's
 already late here.


I finally had some time to do some testing.
First, even with useLocalPorts=true, the JmxConnectorServer listens on
all interfaces but won't accept connections from remote hosts. From the
tomcat code, only the rmi client socket is forced to localhost, at
least on tomcat 6.0.x. An RMI server socket could be created to force
listening on a specified interface but I am not sure of any side
effect.

Second, for my password problem, there was a problem with my
configuration. In the tomcat service for JavaOptions, I had
-Dcom.sun.management.jmxremote.authenticate=true (with a space after
true), so when parsing the system properties in the Listener, the
lines (in the init() method):
   String authenticateValue = System.getProperty(
           "com.sun.management.jmxremote.authenticate", "true");
   authenticate = Boolean.parseBoolean(authenticateValue);
returned false.

This is only a problem with tomcat as a service (on windows); on the
command line I'm guessing the double space won't be taken into account
by the shell.


And now, another problem with this is that I can't reference
catalina.base in those options. I tried:
%CATALINA_BASE%, $CATALINA_BASE, ${catalina.base} and none of the
values are expanded.
Is it possible at all?
It is not so much of a problem, I can write the path by hand, but it
would be nice to have.
Cédric

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
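
Added example (not Tomcat's code and not from the original posts): one way to create the RMI server socket mentioned above so that both the registry and the JMX connector bind to the loopback address only. The class names are hypothetical; ports 10001 and 10002 are the ones used in the thread, and the bind address is the literal 127.0.0.1 so the result does not depend on how localhost resolves.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.RMIServerSocketFactory;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;

// Hypothetical class names; an illustration, not JmxRemoteLifecycleListener itself.
public class LoopbackJmxConnector {

    /** Creates RMI server sockets bound to one address instead of 0.0.0.0. */
    static final class BoundServerSocketFactory implements RMIServerSocketFactory {
        private final InetAddress bindAddress;

        BoundServerSocketFactory(InetAddress bindAddress) {
            this.bindAddress = bindAddress;
        }

        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            // A backlog of 0 selects the platform default.
            return new ServerSocket(port, 0, bindAddress);
        }

        // RMI compares factories to decide whether exports can share a socket.
        @Override
        public boolean equals(Object o) {
            return o instanceof BoundServerSocketFactory
                    && bindAddress.equals(((BoundServerSocketFactory) o).bindAddress);
        }

        @Override
        public int hashCode() {
            return bindAddress.hashCode();
        }
    }

    public static void main(String[] args) throws Exception {
        int registryPort = 10001; // rmiRegistryPortPlatform in the thread
        int serverPort = 10002;   // rmiServerPortPlatform in the thread
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        RMIServerSocketFactory ssf = new BoundServerSocketFactory(loopback);

        // Stubs handed to clients must advertise the same address.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");

        // The registry listens on 127.0.0.1 only (null = default client sockets).
        LocateRegistry.createRegistry(registryPort, null, ssf);

        Map<String, Object> env = new HashMap<>();
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
        // Authentication is configured separately; a loopback bind does not
        // replace it, since every local user can still reach the port.

        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://127.0.0.1:" + serverPort
                + "/jndi/rmi://127.0.0.1:" + registryPort + "/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        server.start();

        System.out.println("JMX connector listening at " + server.getAddress());
        System.out.println("netstat should now show 127.0.0.1 for both ports, not 0.0.0.0");
    }
}
```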



Re: JMX with Listener

2012-12-17 Thread André Warnier

Cédric Couralet wrote:

2012/12/11 André Warnier a...@ice-sa.com:

Cédric Couralet wrote:
...


One question, though, in the tomcat doc (for 6.0.x) for the
JMXRemoteListener, the configuration is :


-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password

-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

while mine is
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {} ).

is it my mistake?



No, it is not a mistake.  The above are lines extracted from a shell script,
I presume.
In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent.
The {} form helps to clarify things for the shell when the character which
*follows* the name of the variable, could be considered by the shell as part
of the variable name.
For example in :

echo something  $my_file_conf

it is not clear whether the name of the variable is my or my_file or
my_file_conf.
(or anything in-between), and by default the shell will use the longer
possibility.

Writing this as

echo something  ${my_file}_conf

leaves only one possible interpretation.

In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity
(because / cannot be part of a variable name), but the form
${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone
to oversights.
(But it is slightly more work to type, and as programmers are a notoriously
lazy and hubristic bunch, they rarely go through the trouble).

I suppose that - just to kid Christopher - I could go on like this, talking
about interpolation and stuff, but I'll leave it at that because it's
already late here.



I finally had some time to do some testing.
First, even with useLocalPorts=true, the JmxConnectorServer listens on
all interfaces but won't accept connections from remote hosts. From the
tomcat code, only the rmi client socket is forced to localhost, at
least on tomcat 6.0.x. An RMI server socket could be created to force
listening on a specified interface but I am not sure of any side
effect.

Second, for my password problem, there was a problem with my
configuration. In the tomcat service for JavaOptions, I had
-Dcom.sun.management.jmxremote.authenticate=true (with a space after
true), so when parsing the system properties in the Listener, the
lines (in the init() method):
   String authenticateValue = System.getProperty(
           "com.sun.management.jmxremote.authenticate", "true");
   authenticate = Boolean.parseBoolean(authenticateValue);
returned false.

This is only a problem with tomcat as a service (on windows); on the
command line I'm guessing the double space won't be taken into account
by the shell.


And now, another problem with this is that I can't reference
catalina.base in those options. I tried:
%CATALINA_BASE%, $CATALINA_BASE, ${catalina.base} and none of the
values are expanded.
Is it possible at all?
It is not so much of a problem, I can write the path by hand, but it
would be nice to have.



Where do you /set/ CATALINA_BASE ?





Re: JMX with Listener

2012-12-17 Thread Cédric Couralet

 Where do you /set/ CATALINA_BASE?

Hum, nowhere. OK, my mistake, but I set catalina.base as a JVM option and I
would like to reference it in another.  As I say it, I don't think java can
do it so I may be out of luck.


Re: JMX with Listener

2012-12-17 Thread André Warnier

Cédric Couralet wrote:

Where do you /set/ CATALINA_BASE?


Hum, nowhere. OK, my mistake, but I set catalina.base as a JVM option and I
would like to reference it in another.  As I say it, I don't think java can
do it so I may be out of luck.



When you run Tomcat 7 as a Service, you run in fact the program tomcat7.exe.
This program is a service wrapper.  It contains the necessary plumbing to behave like a 
Service for Windows, and itself then runs the Java VM which runs Tomcat.
When it starts the Java VM, it also provides it with run parameters, which it takes from 
the Windows Registry.
Tomcat7.exe is a renamed copy of the Apache prunsrv program, of which more info here : 
http://commons.apache.org/daemon/procrun.html


That's one part of it.

The second part is the tomcat7w.exe program. That is also a renamed version of the 
prunmgr program of the same Apache procrun project.
This program is a GUI Registry editor, which /sets/ the parameters in the Registry, that 
tomcat7.exe will later read and interpret to run the JVM.


More info here : 
http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

To remove/install the Tomcat7 service, you can run the service.bat command-file in 
(tomcat_dir)/bin.  Now /this/ command-file is a Windows command-file, and it looks in the 
Windows environment of the process in which you run it, for a value %CATALINA_BASE%.
And then it uses that value to set the appropriate parameters to run the tomcat7.exe 
program in install service mode (which initially sets the Registry parameters).


So if you open a command window, set the CATALINA_BASE variable, and then run the 
service.bat script to create the service, that would probably do what you want.


Later if you want to change it, you can probably do this by running tomcat7.exe with the 
//US (update service) switch (see the doc).






Re: JMX with Listener

2012-12-17 Thread Cédric Couralet
2012/12/17 André Warnier a...@ice-sa.com:
 Cédric Couralet wrote:

 Where do you /set/ CATALINA_BASE?


 Hum, nowhere. OK, my mistake, but I set catalina.base as a JVM option and I
 would like to reference it in another.  As I say it, I don't think java
 can do it so I may be out of luck.


[snip great explanation on tomcat as a windows service]

 Later if you want to change it, you can probably do this by running
 tomcat7.exe with the //US (update service) switch (see the doc).


Thank you for all this :)
I know I can probably do it by updating (or uninstalling/installing) the
service, but I was wondering if one could set a jvm option like
-Dtest=true and then reference it in another Java option like
-Dtest2=${test}, but it is far from being an on-topic question.

My initial problem is resolved:
 - JMXRemoteLifecycleListener listens on all interfaces - seems normal
as any connection from remote hosts seems to be rejected.
 - the authenticate=true was not taken into account by tomcat - it
was due to a space after the true in the java_options for the
service. That space caused the line
authenticate=Boolean.parseBoolean(authenticateValue) to return false.
It can't happen when running on the command line, as the spaces will be
considered as one by the shell.

Thanks everyone for the big help.

Cédric
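
Added example (not Tomcat's code and not from the original posts): the trailing-space failure described in this message and in the earlier one quoting the init() lines, reproduced next to a strict parse that trims the value and rejects anything that is neither true nor false. The class and method names are hypothetical, and the sample values are constructed.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical helper; not part of Tomcat.
public class JmxAuthFlagCheck {

    static final String PROP = "com.sun.management.jmxremote.authenticate";

    /** The parse quoted in the thread: anything except "true" (any case) is false. */
    static boolean lenient(String raw) {
        return Boolean.parseBoolean(raw);
    }

    /**
     * Strict parse: surrounding whitespace is trimmed, and a value that is
     * neither true nor false is rejected instead of silently meaning "false".
     */
    static boolean strict(String raw) {
        if (raw == null) {
            return true; // same default as the quoted getProperty(..., "true") call
        }
        String v = raw.trim();
        if (v.equalsIgnoreCase("true")) {
            return true;
        }
        if (v.equalsIgnoreCase("false")) {
            return false;
        }
        throw new IllegalArgumentException(PROP + " has unparseable value [" + raw + "]");
    }

    public static void main(String[] args) {
        // Constructed sample values, as they could arrive from a service's option list.
        List<String> samples = Arrays.asList("true", "true ", " true", "TRUE", "yes", "false");
        for (String raw : samples) {
            String strictResult;
            try {
                strictResult = String.valueOf(strict(raw));
            } catch (IllegalArgumentException e) {
                strictResult = "rejected";
            }
            // Brackets make leading and trailing spaces visible in the output.
            System.out.printf("[%s] lenient=%b strict=%s%n", raw, lenient(raw), strictResult);
        }

        // The same check against the property this JVM was actually started with.
        String actual = System.getProperty(PROP);
        if (actual != null && !actual.equals(actual.trim())) {
            System.err.println("WARNING: " + PROP + " is [" + actual
                    + "]; the lenient parse reads it as " + lenient(actual));
        }
    }
}
```

Only the exact string "true" (in any letter case) survives the lenient parse, so "true " and " true" both come out as false there while the strict parse reads them as true.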




Re: JMX with Listener

2012-12-11 Thread Christopher Schultz

Cédric,

On 12/11/12 7:50 AM, Cédric Couralet wrote:
 In our tomcat, we use at the moment the JMXRemoteLifecycleListener 
 configured as :
 
 <Listener
 className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
 rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"
 useLocalPorts="true" />

Okay.
 Now for my problems or questions: - Apparently, the Jmx listener
 listens on 0.0.0.0 (confirmed by a netstat) on the two ports
 configured for the listener, is it normal ? I thought that
 useLocalPorts would restrain the listening only to 127.0.0.1.

useLocalPorts /should/ force 127.0.0.1 (actually localhost...
whatever that resolves to on your server). Can you confirm that you
are editing the correct server.xml? If you edit it in one place and
then deploy it, please make sure you have the latest version installed
under CATALINA_BASE/conf.

 - with jvisualvm I am able to connect through jmx with the url
 service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
 without entering the credentials (nagios:nagios).
 I thought that by entering
 com.sun.management.jmxremote.authenticate=true, even read access
 would be restricted.

I think you need to double-check that you are actually using the
configuration you think you are.

Another note: using traditional JMX with Nagios is going to suck. You
are probably going to make, say, 5 connections to your server every
minute to check on things like heap size, request-time, etc. Each of
those connections requires a complete JMX connection which is not
cheap to make -- especially if the client is running on the same
server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or
whatever).

If you just want to make some quick checks, consider looking at the
JMXProxyServlet which is provided by the manager webapp. I believe it
will be a much lighter-weight solution (and does not require all of
this crazy setup to configure JMX authentication, etc.).

-chris



RE: JMX with Listener

2012-12-11 Thread Caldarale, Charles R
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Subject: Re: JMX with Listener

  Now for my problems or questions: - Apparently, the Jmx listener
  listens on 0.0.0.0 (confirmed by a netstat) on the two ports
  configured for the listener, is it normal ? I thought that
  useLocalPorts would restrain the listening only to 127.0.0.1.

 useLocalPorts /should/ force 127.0.0.1 (actually localhost...
 whatever that resolves to on your server).

Which brings up the point that the hosts file might have an incorrect entry for 
localhost - that needs to be checked as well.

 - Chuck





Re: JMX with Listener

2012-12-11 Thread Cédric Couralet
 Okay.
 Now for my problems or questions: - Apparently, the Jmx listener
 listens on 0.0.0.0 (confirmed by a netstat) on the two ports
 configured for the listener, is it normal ? I thought that
 useLocalPorts would restrain the listening only to 127.0.0.1.

 useLocalPorts /should/ force 127.0.0.1 (actually localhost...
 whatever that resolves to on your server). Can you confirm that you
 are editing the correct server.xml? If you edit it in one place and
 then deploy it, please make sure you have the latest version installed
 under CATALINA_BASE/conf.


So it should force 127.0.0.1, ok !

 - with jvisualvm I am able to connect through jmx with the url
 service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
 without entering the credentials (nagios:nagios).
 I thought that by entering
 com.sun.management.jmxremote.authenticate=true, even read access
 would be restricted.

 I think you need to double-check that you are actually using the
 configuration you think you are.


I think so too now :) I'll double check it.

Is there a way to dump the jmx configuration in the jvm?
It happens on all the tomcats in use (a lot) and I'm quite sure I am
not mistaking the server.xml for every one of them.

One question, though, in the tomcat doc (for 6.0.x) for the
JMXRemoteListener, the configuration is :

-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

while mine is 
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {} ).

is it my mistake?


 Another note: using traditional JMX with Nagios is going to suck. You
 are probably going to make, say, 5 connections to your server every
 minute to check on things like heap size, request-time, etc. Each of
 those connections requires a complete JMX connection which is not
 cheap to make -- especially if the client is running on the same
 server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or
 whatever).

We don't really use nagios as is. We use check_MK, an agent installed
on the host, for which I developed a plug-in to get only the
information I want, with one connection to JMX (thus my need to
restrict to localhost).


 If you just want to make some quick checks, consider looking at the
 JMXProxyServlet which is provided by the manager webapp. I believe it
 will be a much lighter-weight solution (and does not require all of
 this crazy setup to configure JMX authentication, etc.).

Some ancient rules force us to deactivate the manager webapp (those
rules originated from some vulnerabilities with the manager webapp I
believe), but I'm trying to get it back with the appropriate security,
even if only to ease deployments :).

Thanks for the help !




Re: JMX with Listener

2012-12-11 Thread Christopher Schultz

Cédric,

On 12/11/12 1:08 PM, Cédric Couralet wrote:
 Okay.
 Now for my problems or questions: - Apparently, the Jmx
 listener listens on 0.0.0.0 (confirmed by a netstat) on the two
 ports configured for the listener, is it normal ? I thought
 that useLocalPorts would restrain the listening only to
 127.0.0.1.
 
 useLocalPorts /should/ force 127.0.0.1 (actually localhost...
 whatever that resolves to on your server). Can you confirm that
 you are editing the correct server.xml? If you edit it in one
 place and then deploy it, please make sure you have the latest
 version installed under CATALINA_BASE/conf.
 
 
 So it should force 127.0.0.1, ok !

No, it forces the hostname "localhost". That might mean 10.0.0.1 on
your system. Try "host localhost" and see what happens.

 - with jvisualvm I am able to connect through jmx with the url
 service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
 without entering the credentials (nagios:nagios).
 I thought that by entering
 com.sun.management.jmxremote.authenticate=true, even read
 access would be restricted.
 
 I think you need to double-check that you are actually using the 
 configuration you think you are.
 
 
 I think too now :) i'll double check it.
 
 Is there a way to dump the jmx configuration in the jvm? It happens
 on all the tomcat in use (a lot) and i'm quite sure I am not
 mistaken the server.xml for every one of them.

You can see which ports are which using netstat. I don't believe you
can ask for the port numbers for your JMX listeners via JMX: you just
check the ports actually in use. You can check all the system
properties, of course, using jvisualvm.

 One question, though, in the tomcat doc (for 6.0.x) for the
 JMXRemoteListener, the configuration is :

 -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
 -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

 while mine is
 -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
 (notice the {} ).

 is it my mistake?

As long as a bash-like shell is interpreting it, the {} will not
interfere: they are just an explicit notation to the shell where the
environment variable's name begins and ends.

 Another note: using traditional JMX with Nagios is going to suck.
 You are probably going to make, say, 5 connections to your server
 every minute to check on things like heap size, request-time,
 etc. Each of those connections requires a complete JMX connection
 which is not cheap to make -- especially if the client is running
 on the same server. That's 5 JVMs, 5 JMX connections, etc. every
 minute (or 5 or whatever).
 
 We don't really use nagios as is. We use check_MK, an agent
 installed on the host, for which I developed a plug-in to get only
 the information I want, with one connection to JMX (thus my need
 to restrict to localhost).

Gotcha. check_MK looks interesting, especially because you get RRD
databases for free. Hooray graphs!

 If you just want to make some quick checks, consider looking at
 the JMXProxyServlet which is provided by the manager webapp. I
 believe it will be a much lighter-weight solution (and does not
 require all of this crazy setup to configure JMX authentication,
 etc.).
 
 Some ancient rules force us to deactivate the manager webapp
 (those rules originated from some vulnerabilities with the manager
 webapp I believe), but I'm trying to get it back with the
 appropriate security, even if only to ease deployments :).

Note that you can enable access only to the JMXProxyServlet by simply
not allowing users to access other resources (like deploy/undeploy, etc.).

-chris



Re: JMX with Listener

2012-12-11 Thread Cédric Couralet
 Okay.
 Now for my problems or questions: - Apparently, the Jmx
 listener listens on 0.0.0.0 (confirmed by a netstat) on the two
 ports configured for the listener, is it normal ? I thought
 that useLocalPorts would restrain the listening only to
 127.0.0.1.

 useLocalPorts /should/ force 127.0.0.1 (actually localhost...
 whatever that resolves to on your server). Can you confirm that
 you are editing the correct server.xml? If you edit it in one
 place and then deploy it, please make sure you have the latest
 version installed under CATALINA_BASE/conf.


 So it should force 127.0.0.1, ok !

 No, it forces the hostname "localhost". That might mean 10.0.0.1 on
 your system. Try "host localhost" and see what happens.

Yes, I should have thought of that sooner; I saw a couple of times a
windows server without any localhost in its hosts file.

Thanks for the help.




Re: JMX with Listener

2012-12-11 Thread André Warnier

Cédric Couralet wrote:
...


One question, though, in the tomcat doc (for 6.0.x) for the
JMXRemoteListener, the configuration is :

-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

while mine is 
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {} ).

is it my mistake?




No, it is not a mistake.  The above are lines extracted from a shell script, I 
presume.
In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent.
The {} form helps to clarify things for the shell when the character which *follows* the 
name of the variable, could be considered by the shell as part of the variable name.

For example in :

echo something  $my_file_conf

it is not clear whether the name of the variable is my or my_file or 
my_file_conf.
(or anything in-between), and by default the shell will use the longer 
possibility.

Writing this as

echo something  ${my_file}_conf

leaves only one possible interpretation.

In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity (because / 
cannot be part of a variable name), but the form 
${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone to oversights.
(But it is slightly more work to type, and as programmers are a notoriously lazy and 
hubristic bunch, they rarely go through the trouble).


I suppose that - just to kid Christopher - I could go on like this, talking about 
interpolation and stuff, but I'll leave it at that because it's already late here.



