tomcat-users mailing list archives

From Cédric Couralet <cedric.coura...@gmail.com>
Subject Re: JMX with Listener
Date Tue, 11 Dec 2012 18:08:55 GMT
> Okay.
>> Now for my problems or questions: - Apparently, the Jmx listener
>> listens on 0.0.0.0 (confirmed by a netstat) on the two ports
>> configured for the listener, is it normal? I thought that
>> useLocalPorts would restrain the listening only to 127.0.0.1.
>
> useLocalPorts /should/ force 127.0.0.1 (actually "localhost"...
> whatever that resolves to on your server). Can you confirm that you
> are editing the correct server.xml? If you edit it in one place and
> then deploy it, please make sure you have the latest version installed
> under CATALINA_BASE/conf.
>

So it should force 127.0.0.1, OK!

>> - with jvisualvm I am able to connect through jmx with the url
>> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
>> without entering the credentials (nagios:nagios).
>> I thought that by entering
>> com.sun.management.jmxremote.authenticate=true, even read access
>> would be restricted.
>
> I think you need to double-check that you are actually using the
> configuration you think you are.
>

I think so too now :) I'll double-check it.

Is there a way to dump the JMX configuration in the JVM?
It happens on all the Tomcats in use (a lot) and I'm quite sure I am
not mistaking the server.xml for every one of them.

One question, though: in the Tomcat doc (for 6.0.x) for the
JMXRemoteListener, the configuration is:

-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

while mine is -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {}).

Is it my mistake?


> Another note: using traditional JMX with Nagios is going to suck. You
> are probably going to make, say, 5 connections to your server every
> minute to check on things like heap size, request-time, etc. Each of
> those connections requires a complete JMX connection which is not
> cheap to make -- especially if the client is running on the same
> server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or
> whatever).

We don't really use Nagios as is. We use check_MK, an agent installed
on the host, for which I developed a plug-in to get only the
information I want, with one connection to JMX (thus my need to
restrict to localhost).


> If you just want to make some quick checks, consider looking at the
> JMXProxyServlet which is provided by the manager webapp. I believe it
> will be a much lighter-weight solution (and does not require all of
> this crazy setup to configure JMX authentication, etc.).

Some ancient rules force us to deactivate the manager webapp (those
rules originated from some vulnerabilities with the manager webapp, I
believe), but I'm trying to get it back with the appropriate security,
even if only to ease deployments :).

Thanks for the help!

> - -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
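
An added example (not part of the original message and not Tomcat's own code): a shell check for the two doubts raised in this thread, whether the JVM really received the JMX authentication properties and whether ports 10001/10002 are bound beyond loopback. The function names and sample data are constructed; the property dump is assumed to be `key = value` text such as `jinfo -sysprops <pid>` prints, and the listener list is assumed to be Linux `netstat -ltn` output.

```shell
#!/bin/sh
# Added example: audit the JMX settings a running JVM actually received.
# Assumed inputs: a "key = value" / "key=value" property dump and
# `netstat -ltn` style listener lines. All function names are hypothetical.
P=com.sun.management.jmxremote

prop() {  # prop KEY TEXT -> value of KEY, empty if absent
  printf '%s\n' "$2" | awk -v k="$1" '{
    i = index($0, "="); if (i == 0) next
    key = substr($0, 1, i - 1); val = substr($0, i + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    if (key == k) { print val; exit }
  }'
}

audit_props() {  # audit_props TEXT -> one line per finding
  [ "$(prop "$P.authenticate" "$1")" = "true" ] ||
    echo "$P.authenticate is not true"
  # $VAR and ${VAR} expand identically in a POSIX shell; a "$" that survives
  # into the JVM's value means nothing expanded the option at all.
  for k in password.file access.file; do
    v=$(prop "$P.$k" "$1")
    case $v in
      '')    echo "$P.$k is not set" ;;
      *'$'*) printf '%s\n' "$P.$k is unexpanded: $v" ;;
    esac
  done
}

exposed_ports() {  # exposed_ports NETSTAT_TEXT PORT... -> ports bound beyond loopback
  text=$1; shift
  for port in "$@"; do
    printf '%s\n' "$text" | awk -v p="$port" '$6 == "LISTEN" {
      n = split($4, a, ":"); if (a[n] != p) next
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (addr != "127.0.0.1" && addr != "::1") { print p; exit }
    }'
  done
}

# Constructed sample input (not taken from the servers in this thread).
SAMPLE_PROPS='java.vm.name = Java HotSpot(TM) 64-Bit Server VM
com.sun.management.jmxremote.authenticate = true
com.sun.management.jmxremote.password.file = ${CATALINA_BASE}/conf/jmxremote.password
com.sun.management.jmxremote.access.file = /opt/tomcat/conf/jmxremote.access'
SAMPLE_NETSTAT='tcp  0  0 0.0.0.0:10001    0.0.0.0:*  LISTEN
tcp  0  0 127.0.0.1:10002  0.0.0.0:*  LISTEN'

audit_props "$SAMPLE_PROPS"
exposed_ports "$SAMPLE_NETSTAT" 10001 10002
```

On a live host, feed `audit_props` the real property dump of the Tomcat process and `exposed_ports` the real listener list; no output from either means both checks passed.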
