tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: JMX with Listener
Date Tue, 11 Dec 2012 18:25:11 GMT

Cédric,

On 12/11/12 1:08 PM, Cédric Couralet wrote:
>> Okay.
>>> Now for my problems or questions: - Apparently, the Jmx
>>> listener listens on 0.0.0.0 (confirmed by a netstat) on the two
>>> ports configured for the listener, is it normal ? I thought
>>> that useLocalPorts would restrain the listening only to
>>> 127.0.0.1.
>> 
>> useLocalPorts /should/ force 127.0.0.1 (actually "localhost"...
>> whatever that resolves to on your server). Can you confirm that
>> you are editing the correct server.xml? If you edit it in one
>> place and then deploy it, please make sure you have the latest
>> version installed under CATALINA_BASE/conf.
>> 
> 
> So it should force 127.0.0.1, ok !

No, it forces the hostname "localhost". That might mean 10.0.0.1 on
your system. Try "host localhost" and see what happens.

>>> - with jvisualvm i am able to connect through jmx with the url
>>> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
>>> without entering the credentials (nagios:nagios).
>>> I thought that by entering
>>> com.sun.management.jmxremote.authenticate=true, even read
>>> access would be restricted.
>> 
>> I think you need to double-check that you are actually using the 
>> configuration you think you are.
>> 
> 
> I think so too now :) I'll double check it.
> 
> Is there a way to dump the jmx configuration in the jvm? It happens
> on all the tomcat in use (a lot) and I'm quite sure I am not
> mistaking the server.xml for every one of them.

You can see which ports are which using netstat. I don't believe you
can ask for the port numbers for your JMX listeners via JMX: you just
check the ports actually in use. You can check all the system
properties, of course, using jvisualvm.

> One question, though, in the tomcat doc (for 6.0.x) for the
> JMXRemoteListener, the configuration is :
> 
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
> 
> while mine is
> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
> (notice the {} ).
> 
> is it my mistake?

As long as a bash-like shell is interpreting it, the {} will not
interfere: they are just an explicit notation to the shell where the
environment variable's name begins and ends.

>> Another note: using traditional JMX with Nagios is going to suck.
>> You are probably going to make, say, 5 connections to your server
>> every minute to check on things like heap size, request-time,
>> etc. Each of those connections requires a complete JMX connection
>> which is not cheap to make -- especially if the client is running
>> on the same server. That's 5 JVMs, 5 JMX connections, etc. every
>> minute (or 5 or whatever).
> 
> We don't really use nagios as is. We use check_MK, an agent
> installed on the host for which I developed a plug-in to get only
> the information I want, with one connection to JMX (thus my need
> to restrict to localhost).

Gotcha. check_MK looks interesting, especially because you get RRD
databases for free. Hooray graphs!

>> If you just want to make some quick checks, consider looking at
>> the JMXProxyServlet which is provided by the manager webapp. I
>> believe it will be a much lighter-weight solution (and does not
>> require all of this crazy setup to configure JMX authentication,
>> etc.).
> 
> Some ancient rules force us to deactivate the manager webapp
> (those rules originated from some vulnerabilities with the manager
> webapp I believe), but I'm trying to get it back with the
> appropriate security, even if only to ease deployments :).

Note that you can enable access only to the JMXProxyServlet by simply
not allowing users to access other resources (like deploy/undeploy, etc.).

-chris
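
Added example, not part of the original message and not Tomcat code: a small check for the two points discussed in the thread, whether the JMX ports are bound to a wildcard address and whether "localhost" resolves only to loopback. The netstat sample is constructed; ports 10001 and 10002 are taken from the JMX URL quoted above, and the function names are hypothetical.

```python
import ipaddress
import socket

JMX_PORTS = {10001, 10002}  # registry and server ports from the JMX URL in the thread

# Constructed sample of `netstat -ltn` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10002         0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 ::1:10002               :::*                    LISTEN
"""

def split_local(field):
    """Split 'addr:port' on the last colon so IPv6 forms like ':::8080' work."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)

def exposed_listeners(netstat_text, ports=JMX_PORTS):
    """Return (address, port) pairs for watched ports not bound to loopback."""
    exposed = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[-1] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, port = split_local(cols[3])
        if port not in ports:
            continue
        if addr in ("*", ""):  # some platforms print the wildcard as '*'
            addr = "0.0.0.0"
        if not ipaddress.ip_address(addr).is_loopback:
            exposed.append((addr, port))
    return exposed

def non_loopback_resolutions(name="localhost"):
    """Addresses `name` resolves to that are not loopback (expected: none)."""
    infos = socket.getaddrinfo(name, None)
    addrs = {info[4][0].split("%")[0] for info in infos}  # drop IPv6 zone ids
    return sorted(a for a in addrs if not ipaddress.ip_address(a).is_loopback)

if __name__ == "__main__":
    print("exposed JMX listeners:", exposed_listeners(SAMPLE_NETSTAT))
    print("localhost resolves outside loopback:", non_loopback_resolutions())
```

On a real host, pass the output of `netstat -ltn` to `exposed_listeners` in place of the sample; an empty list from both functions is the expected result for a localhost-only JMX setup.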