geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erik B. Craig" <gineme...@gmail.com>
Subject Re: Too easy to kill the server using the web console
Date Tue, 28 Aug 2007 14:50:23 GMT
Joe,

I did actually not-so-gracefully stumble into this previously, so I do know
the pain it can cause.
I think perhaps the best behavior in this situation might be to not only
prevent removal of components that would cripple the console, but also
display a prompt when it is attempted saying something along the lines of
"This component must be removed manually from command line, as doing so will
render the admin console useless".



On 8/28/07, Joe Bohn <joe.bohn@earthlink.net> wrote:
>
> GERONIMO-3401 ( https://issues.apache.org/jira/browse/GERONIMO-3401 )
> records a problem where it is possible for the user to cripple the web
> console, the server or both with 1 or 2 mouse clicks.
>
> When stopping some system-modules such as the following from the web
> console, the web console itself is also stopped due to direct and
> transitive dependencies:
> - activemq-broker
> - connector-deployer
> - geronimo-gbean-deployer
> - j2ee-corba-yoko
> - j2ee-deployer
> - j2ee-security
> - j2ee-server
> - j2ee-system
> - jasper
> - jee-specs
> - openejb
> - openjpa
> - rmi-naming
> - server-security-config
> - tomcat6
> - tomcat6-deployer
> - jetty6
> - jetty6-deployer
> - transaction
> - webservices-common
> - xmlbeans
>
>
> The result is an error in the browser, and exception in the server, and
> the web console disabled.  One cheap way to help prevent this problem is
> to add a challenge when any system module is stopped to ensure the user
> is aware that stopping a system module might result in rendering the web
> console unusable.  The situation can be recovered via the CLI by
> subsequently starting the web console but this might not be obvious to
> the user and often a server restart is necessary before the CLI itself
> can function again.
>
> However, there is another problem that is much more serious.  If the
> user selects "uninstall" on any of the modules listed above, in addition
> to the web console being disabled, the server itself is corrupted.  In
> fact, in most cases the server cannot start once it is shutdown.  AFAIK,
> there is no easy recovery from this. There is a challenge already
> provided to he user when uninstall is selected but it doesn't hint at
> the potential severity of the consequences.
>
> I'm thinking we should remove the uninstall capability from the system
> module view in the web console until we have more pluggable components
> that can be installed/uninstalled without crippling the entire server. A
> challenge (even if worded more strongly) just doesn't seem sufficient.
> Of course we have this same exposure with the CLI but it isn't quite as
> easy to shoot yourself in the foot there with just 2 mouse clicks.
> Thoughts?
>
> Joe
>
>


-- 
Erik B. Craig

Mime
View raw message