-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cédric,
On 12/11/12 1:08 PM, Cédric Couralet wrote:
>> Okay.
>>> Now for my problems or questions: - Apparently, the Jmx
>>> listener listens on 0.0.0.0 (confirmed by a netstat) on the two
>>> ports configured for the listener, is it normal ? I thought
>>> that useLocalPorts would restrain the listening only to
>>> 127.0.0.1.
>>
>> useLocalePorts /should/ force 127.0.0.1 (actually "localhost"...
>> whatever that resolves to on your server). Can you confirm that
>> you are editing the correct server.xml? If you edit it in one
>> place and then deploy it, please make sure you have the latest
>> version installed under CATALINA_BASE/conf.
>>
>
> So it should force 127.0.0.1, ok !
No, it forces the hostname "localhost". That might mean 10.0.0.1 on
your system. Try "host localhost" and see what happens.
>>> - with jvisualvm i am able to connect through jmx with the url
>>> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
>>>
>>>
>>
>>>
without entering the credentials (nagios:nagios).
>>> I thought that by entering
>>> com.sun.management.jmxremote.authenticate=true, even read
>>> access would be restricted.
>>
>> I think you need to double-check that you are actually using the
>> configuration you think you are.
>>
>
> I think too now :) i'll double check it.
>
> Is there a way to dump the jmx configuration in the jvm? It happens
> on all the tomcat in use (a lot) and i'm quite sure I am not
> mistaken the server.xml for every one of them.
You can see which ports are which using netstat. I don't believe you
can ask for the port numbers for your JMX listeners via JMX: you just
check the ports actually in use. You can check all the system
properties, of course, using jvisualvm.
> One question, though, in the tomcat doc (for 6.0.x) for the
> JMXRemoteListener, the configuration is :
>
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
>
>
-
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
>
> while mine is
> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
>
>
(notice the {} ).
>
> is it my mistake?
As long as a bash-like shell is interpreting it, the {} will not
interfere: they are just an explicit notation to the shell where the
environment variable's name begins and ends.
>> Another note: using traditional JMX with Nagios is going to suck.
>> You are probably going to make, say, 5 connections to your server
>> every minute to check on things like heap size, request-time,
>> etc. Each of those connections requires a complete JMX connection
>> which is not cheap to make -- especially if the client is running
>> on the same server. That's 5 JVMs, 5 JMX connections, etc. every
>> minute (or 5 or whatever).
>
> We don't really use nagios as is. We use check_MK, an agent
> installed on the host for which i developped a plug in to get only
> the informations I want, with one connection to JMX (thus my need
> to restrict to localhost).
Gotcha. check_MK looks interesting, especially because you get RRD
databases for free. Hooray graphs!
>> If you just want to make some quick checks, consider looking at
>> the JMXProxyServlet which is provided by the manager webapp. I
>> believe it will be a much lighter-weight solution (and does not
>> require all of this crazy setup to configure JMX authentication,
>> etc.).
>
> Some ancient rules force us to disactivate the manager webapp
> (those rules originated from some vulnerabilities with the manager
> webapp I believe), but i'm trying to get it back with the
> appropriate security, evebn if only to ease deployments :).
Note that you can enable access only to the JMXProxyServlet by simply
not allowing users to access other resources (like deploy/undeploy, etc.).
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEAREIAAYFAlDHeocACgkQ9CaO5/Lv0PDehgCfYgFICQgPH/NAhfWR2iorhCX0
s0oAniVmxG5lSUzPtNW5P9fSUYCZZiP0
=AdZM
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
