Cédric,
On 12/11/12 1:08 PM, Cédric Couralet wrote:
>> Okay.
>>> Now for my problems or questions: - Apparently, the Jmx
>>> listener listens on 0.0.0.0 (confirmed by a netstat) on the two
>>> ports configured for the listener, is it normal ? I thought
>>> that useLocalPorts would restrain the listening only to
>>> 127.0.0.1.
>>
>> useLocalPorts /should/ force 127.0.0.1 (actually "localhost"...
>> whatever that resolves to on your server). Can you confirm that
>> you are editing the correct server.xml? If you edit it in one
>> place and then deploy it, please make sure you have the latest
>> version installed under CATALINA_BASE/conf.
>>
>
> So it should force 127.0.0.1, ok !

No, it forces the hostname "localhost". That might mean 10.0.0.1 on
your system. Try "host localhost" and see what happens.

>>> - with jvisualvm I am able to connect through jmx with the url
>>> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
>>>
>>> without entering the credentials (nagios:nagios).
>>> I thought that by entering
>>> com.sun.management.jmxremote.authenticate=true, even read
>>> access would be restricted.
>>
>> I think you need to double-check that you are actually using the
>> configuration you think you are.
>>
>
> I think too now :) I'll double check it.
>
> Is there a way to dump the jmx configuration in the jvm? It happens
> on all the tomcat in use (a lot) and I'm quite sure I am not
> mistaken the server.xml for every one of them.

You can see which ports are which using netstat. I don't believe you
can ask for the port numbers for your JMX listeners via JMX: you just
check the ports actually in use.

You can check all the system properties, of course, using jvisualvm.

> One question, though, in the tomcat doc (for 6.0.x) for the
> JMXRemoteListener, the configuration is :
>
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
>
> while mine is
> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
>
> (notice the {} ).
>
> is it my mistake?

As long as a bash-like shell is interpreting it, the {} will not
interfere: they are just an explicit notation to the shell where the
environment variable's name begins and ends.

>> Another note: using traditional JMX with Nagios is going to suck.
>> You are probably going to make, say, 5 connections to your server
>> every minute to check on things like heap size, request-time,
>> etc. Each of those connections requires a complete JMX connection
>> which is not cheap to make -- especially if the client is running
>> on the same server. That's 5 JVMs, 5 JMX connections, etc. every
>> minute (or 5 or whatever).
>
> We don't really use nagios as is. We use check_MK, an agent
> installed on the host for which I developed a plug in to get only
> the information I want, with one connection to JMX (thus my need
> to restrict to localhost).

Gotcha. check_MK looks interesting, especially because you get RRD
databases for free. Hooray graphs!

>> If you just want to make some quick checks, consider looking at
>> the JMXProxyServlet which is provided by the manager webapp. I
>> believe it will be a much lighter-weight solution (and does not
>> require all of this crazy setup to configure JMX authentication,
>> etc.).
>
> Some ancient rules force us to deactivate the manager webapp
> (those rules originated from some vulnerabilities with the manager
> webapp I believe), but I'm trying to get it back with the
> appropriate security, even if only to ease deployments :).

Note that you can enable access only to the JMXProxyServlet by simply
not allowing users to access other resources (like deploy/undeploy,
etc.).

-chris
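
Added example (not part of the original message and not Tomcat code): the netstat check discussed in this thread, as a shell function that reads `netstat -ltn` or `ss -ltn` output and reports whether the two JMX ports from the URL above (10001 and 10002) are bound to loopback or to a wider address. The function name jmx_bind_audit and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example. jmx_bind_audit is a hypothetical helper name.
# Reads `netstat -ltn` or `ss -ltn` output on stdin and, for each port given
# as an argument, prints "<port> <address> <loopback|exposed>".
# Returns 1 if any of those ports listens on a non-loopback address.
jmx_bind_audit() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # netstat puts the state in the last column, ss in the first;
        # both put the local address:port in column 4.
        $NF == "LISTEN" || $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (!(port in want)) next
            addr = $4; sub(/:[^:]*$/, "", addr)
            gsub(/^\[|\]$/, "", addr)      # ss prints IPv6 as [::1]
            sub(/^::ffff:/, "", addr)      # IPv4-mapped IPv6, common for JVMs
            if (addr ~ /^127\./ || addr == "::1") verdict = "loopback"
            else { verdict = "exposed"; bad = 1 }
            print port, addr, verdict
        }
        END { exit bad + 0 }'
}

# Constructed sample of `netstat -ltn` output: one JMX port on the wildcard
# address, the other on loopback, plus unrelated listeners.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::10001                :::*                    LISTEN
tcp6       0      0 ::ffff:127.0.0.1:10002  :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN'

printf '%s\n' "$SAMPLE" | jmx_bind_audit 10001 10002 ||
    echo "at least one JMX port is reachable beyond loopback"
```

On a live host, pipe `netstat -ltn` into the function instead of the sample, and compare the result with what `host localhost` returns.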