Re: [OT] Inspecting JMX

Thu, 26 Jan 2012 14:36:33 -0800 

On 26/01/2012 20:33, Christopher Schultz wrote:
> Chuck
> 
> On 1/26/12 1:41 PM, Caldarale, Charles R wrote:
>>> From: Christopher Schultz [mailto:[email protected]] 
>>> Subject: [OT] Inspecting JMX
> 
>>> Should I just give up and use JmxRemoteLifecycleListener?
> 
>> Yes.  You really aren't get to get anywhere on EC2 without it.
> 
> Okay, so I enabled the JmxRemoteLifecycleListener like this:
> 
>   <Listener
>    className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
>    rmiRegistryPortPlatform="1234"
>    rmiServerPortPlatform="1235"
>    />
> 
> ... and had the same problem: the client connects to the registry port
> and then tries to connect to [public IP]:1235.
> 
> So, I tried adding useLocalPorts="true" to the above and not I'm able
> to connect -- using the same URL as before, actually:

In addition to the valve...

See if you can get the unauthenticated version to work first, you will
probably need to set the hostname, too:

 -Djava.rmi.server.hostname=www.externalhostname.com
 -Dcom.sun.management.jmxremote=true
 -Dcom.sun.management.jmxremote.ssl=false
 -Dcom.sun.management.jmxremote.authenticate=false


p

>  ./check_jmx \
>    -U service:jmx:rmi:///jndi/rmi://localhost:1234/jmxrmi \
>    -O java.lang:type=Memory -A HeapMemoryUsage -K used \
>    -I HeapMemoryUsage -J used -vvvv -w 4248302272 -c 5498760192
> 
> JMX OK
> HeapMemoryUsage.used=39749208{committed=59572224;init=67108864;max=59703296;used=39749208}
> 
> So, that's good. The JmxRemoteLifecycleListener installs a special
> RMIClientSocketFactory that always binds to "localhost" instead of
> whatever the default is that the JVM uses. I'm surprised there's not a
> way to tell the JVM to do this kind of thing. I wasn't able to find
> any canonical source of information about what system properties
> affect the JMX configuration... just lots of "simple" examples of how
> things should "just work". :(
> 
> The nice thing about having the JmxRemoteLifecycleListener installed
> is that the ports are predictable and so I can tunnel them. Now I can
> use jconsole from my computer to observe whats happening on the server.
> 
>>> Should I hack the code for check_jmx to use the Attach API.
> 
>> Maybe; might be fun.  (Always seemed to be a security hole to me
>> :-)
> 
> It looks simple to code... I'll take a look at it. I'm sure I'll have
> some similar kind of problem.
> 
> Thanks,
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> 

-- 

[key:62590808]

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to