I would prefer to disable remote access to both ssh and jmx and document it clearly.
I once accidentally left ssh enabled by default in production, and had to scramble to disable it

-D

On Wed, Mar 28, 2012 at 1:27 AM, Freeman Fang <[email protected]> wrote:
> Hi Achim,
>
> Disabling ssh remote access by default will break backward compatibility, and
> as we do have credentials configured by default, I believe it's fine for us
> to enable SSH/JMX remote access, and I think a lot of users just start
> Karaf on server machine and they maintain it daily from remote console (SSH
> or JMX), so it should be more convenient for end user if they need less
> configuration, just my 0.02$
>
> Regards
> Freeman
>
> On 2012-3-28, at 4:01 PM, Achim Nierbeck wrote:
>
> Hi,
>
> it's just something I learned in the past working with the Operating
> departments.
> Actually I think it would also be better to not open the SSH port as
> default configuration and document how to do it if in need.
> I favor a behavior like Tomcat does, the administration console is not
> "enabled" cause no credentials are configured.
> That's why I think we should start with a "secured" default
> configuration and document how to weaken it if needed :)
>
> regards, Achim
>
> 2012/3/28 Freeman Fang <[email protected]>:
> > Hi Achim,
> > Hmm, isn't the username/password used here to protect in this case? IMO, the
> > JMX behavior should keep same as the ssh behavior, currently the ssh is
> > remote accessible, we have
> > sshHost=0.0.0.0, of course the remote access needs username/password, it's
> > really weird from my point of view we enable ssh remote access by default
> > but not the jmx, I don't see any real difference between the two.
> >
> > Regards
> > Freeman
> >
> > On 2012-3-28, at 3:08 PM, Achim Nierbeck wrote:
> >
> > I'm not sure if this is something that needs to be fixed.
> > I'd rather suggest to document this, cause if it's not bound to the
> > local interface we open a possible security hole here.
> > Cause anybody could be able to access and alter the Karaf server through
> > JMX.
> >
> > Regards, Achim
> >
> > 2012/3/28 Freeman Fang <[email protected]>:
> > > Hi,
> > >
> > > I think this is something we need to fix, create KARAF-1295 [1] to track it.
> > >
> > > [1] https://issues.apache.org/jira/browse/KARAF-1295
> > >
> > > Regards
> > > Freeman
> > >
> > > On 2012-3-28, at 1:34 AM, Dan Tran wrote:
> > >
> > > karaf by default only binds its JMX listener ports to localhost and
> > > therefore all remote access is forbidden. You need to fix up your
> > > o.a.k.management, to bind JMX listener ports to 0.0.0.0
> > >
> > > serviceUrl =
> > > service:jmx:rmi://0.0.0.0:${rmiServerPort}/jndi/rmi://0.0.0.0:${rmiRegistryPort}/karaf-${karaf.name}
> > >
> > > -D
> > >
> > > On Mon, Mar 26, 2012 at 3:27 PM, Nick Dimos <[email protected]> wrote:
> > > > Hi Tiago,
> > > >
> > > > I faced the same issue some time ago and I believe it is a routing problem.
> > > > Can you please check the network interfaces of your server? In which network
> > > > interface does the running Tomcat bind its rmi server?
> > > > In any case you can use tcpdump or other traffic monitoring tool to check
> > > > where the problem is.
> > > >
> > > > On Mon, Mar 26, 2012 at 8:38 PM, Thiago Souza <[email protected]> wrote:
> > > >
> > > > Hi Dan,
> > > >
> > > > Client machine is:
> > > > Windows Server 2008 R2 Datacenter 64-bit
> > > > Java(TM) SE Runtime Environment (build 1.7.0_03-b05)
> > > >
> > > > Server machine is:
> > > > Ubuntu 11.10 64-bit
> > > > OpenJDK Runtime Environment (IcedTea6 1.11pre)
> > > > (6b23~pre11-0ubuntu1.11.10.2)
> > > >
> > > > There is nothing relevant in log... and I get same behavior with
> > > > jconsole...
> > > >
> > > > Cheers!
> > > >
> > > > On Mon, Mar 26, 2012 at 14:30, Dan Tran <[email protected]> wrote:
> > > >
> > > > On Mon, Mar 26, 2012 at 10:20 AM, Thiago Souza <[email protected]>
> > > > wrote:
> > > >
> > > > Could you tell us more about yr karaf platform ( OS, jre )?
> > > >
> > > > Are you able to see anything from debug log?
> > > >
> > > > How about JConsole?
> > > >
> > > > -D
> > > >
> > > > Hi Niko,
> > > >
> > > > Thanks for your help... but this is already configured... also, I can
> > > > successfully connect to other jvm (running tomcat only) from the same client
> > > > machine using this configuration... I just can't connect to karaf based
> > > > jvm...
> > > >
> > > > Thanks
> > > >
> > > > On Mon, Mar 26, 2012 at 12:06, Nick Dimos <[email protected]>
> > > > wrote:
> > > >
> > > > Hi Tiago,
> > > >
> > > > Can you please check this:
> > > > http://stackoverflow.com/questions/834581/remote-jmx-connection
> > > >
> > > > Hope that helps.
> > > > Cheers,
> > > > Nikos
> > > >
> > > > On Mon, Mar 26, 2012 at 5:44 PM, Thiago Souza <[email protected]>
> > > > wrote:
> > > >
> > > > Hi Mike,
> > > >
> > > > Thanks for your reply! There is no firewall configured though =/...
> > > > Unfortunately what I really need is JVisualVM due to its profiling
> > > > tools...
> > > >
> > > > Also, I'm quite sure user/password is correct, I'm using default
> > > > configuration....
> > > >
> > > > Cheers,
> > > > Thiago Souza
> > > >
> > > > On Fri, Mar 23, 2012 at 23:51, mikevan <[email protected]>
> > > > wrote:
> > > >
> > > > Thiago,
> > > >
> > > > So, here's some background on what's probably causing your issue. JVisualVM
> > > > actually uses two ports when you connect to a JMX Server remotely. We
> > > > already know about the one that's configured in Karaf, 1099. However, JVisualVM
> > > > also randomly selects a port to connect to the JMX Server. If your version
> > > > of Karaf is behind a firewall, on a highly protected VM (like in a VMWare
> > > > cloud), or has other security concerns associated with it, you may never be
> > > > able to reliably connect.
> > > >
> > > > That's why Karaf has a sub-project for a JMX webconsole page. A couple of
> > > > pretty smart developers work extra hard to make that page, and I would
> > > > suggest you use that if you're having trouble connecting to the JMX server
> > > > holding your Karaf mbean information.
> > > >
> > > > Please let me know if that helps.
> > > >
> > > > -----
> > > > Mike Van
> > > > Committer - Kalumet
> > > > Atraxia Technologies
> > > > Mike Van's Open Source Technologies Blog
> > > >
> > > > --
> > > > View this message in context:
> > > > http://karaf.922171.n3.nabble.com/Connect-to-remote-JMX-tp3846988p3853241.html
> > > > Sent from the Karaf - User mailing list archive at Nabble.com.
> > >
> > > ---------------------------------------------
> > > Freeman Fang
> > >
> > > FuseSource
> > > Email:[email protected]
> > > Web: fusesource.com
> > > Twitter: freemanfang
> > > Blog: http://freemanfang.blogspot.com
> >
> > --
> > Apache Karaf <http://karaf.apache.org/> Committer & PMC
> > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/>
> > Committer & Project Lead
> > blog <http://notizblog.nierbeck.de/>
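
Added example, not part of the thread and not Karaf's own code: a small Python check that reads the two settings discussed above (sshHost and the JMX serviceUrl) and reports whether each listener is bound to the wildcard address or to loopback. The function names and the sample configuration text are constructed for illustration; the loopback variant is an assumption derived by substituting the host in the quoted settings.

```python
import re

def parse_cfg(text):
    """Parse 'key = value' lines of a .cfg file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def classify(host):
    """Label a bind host as wildcard, loopback, specific or unspecified."""
    h = host.strip("[]").lower()
    if h in ("0.0.0.0", "::"):
        return "wildcard"      # listens on every interface
    if h in ("127.0.0.1", "localhost", "::1"):
        return "loopback"      # reachable only from the machine itself
    return "specific" if h else "unspecified"

def jmx_hosts(service_url):
    """Return (RMI server host, RMI registry host) from a service:jmx:rmi URL."""
    host = r"(\[[^\]]*\]|[^:/]*)"
    m = re.match(rf"service:jmx:rmi://{host}(?::[^/]*)?/jndi/rmi://{host}", service_url)
    return m.groups() if m else ()

def audit(shell_cfg, management_cfg):
    """List (setting, host, exposure) for the SSH and JMX listeners."""
    findings = []
    ssh = parse_cfg(shell_cfg).get("sshHost")
    if ssh is not None:
        findings.append(("sshHost", ssh, classify(ssh)))
    url = parse_cfg(management_cfg).get("serviceUrl", "")
    for role, h in zip(("jmx rmi server", "jmx rmi registry"), jmx_hosts(url)):
        findings.append((role, h, classify(h)))
    return findings

# Constructed sample input: the two settings quoted in the thread.
EXPOSED_SHELL = "sshHost=0.0.0.0\n"
EXPOSED_MGMT = ("serviceUrl = service:jmx:rmi://0.0.0.0:${rmiServerPort}"
                "/jndi/rmi://0.0.0.0:${rmiRegistryPort}/karaf-${karaf.name}\n")
# Constructed loopback-only variant of the same two settings.
LOCAL_SHELL = EXPOSED_SHELL.replace("0.0.0.0", "127.0.0.1")
LOCAL_MGMT = EXPOSED_MGMT.replace("0.0.0.0", "localhost")

if __name__ == "__main__":
    for name, hst, exposure in audit(EXPOSED_SHELL, EXPOSED_MGMT):
        print(f"{name:18} {hst:10} {exposure}")
```

Both halves of the JMX URL are checked because the RMI server and the RMI registry are separate listeners, which is the two-port behaviour described earlier in the thread.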
