|
| 1 | +JMX Setup Quick Guide |
| 2 | +===================== |
| 3 | + |
| 4 | +Using many Java diagnostic tools (e.g. Visual VM, Mission Control or SJK) over the network requires a remote JVM to listen to JMX protocol on TCP socket. |
| 5 | +Typically JMX port is enabled via JVM startup options, though it can also be activated ad hoc via `jcmd`. |
| 6 | + |
| 7 | + |
| 8 | +Configuring JMX via command line |
| 9 | +-------------------------------- |
| 10 | + |
| 11 | +[Official documentation][1] is useful, but here is a quick summary. |
| 12 | + |
| 13 | +Minimal config for JMX would look like |
| 14 | + |
| 15 | + java ... |
| 16 | + -Dcom.sun.management.jmxremote.port=5555 |
| 17 | + -Dcom.sun.management.jmxremote.authenticate=false |
| 18 | + -Dcom.sun.management.jmxremote.ssl=false |
| 19 | + ... |
| 20 | + |
| 21 | +This will let you use hostname:5555 as JMX socket address to connect to JVM. |
| 22 | + |
| 23 | +Example above is totally *insecure*, I have warned you. |
| 24 | + |
| 25 | +For securing JMX please consult [docs][1]. |
| 26 | + |
| 27 | +Couple extra properties you better add to the real config: |
| 28 | + |
| 29 | + * `com.sun.management.jmxremote.rmi.port=5555` set is to same port value |
| 30 | +if you do not want JVM to open another random port. |
| 31 | + |
| 32 | + * `java.rmi.server.hostname` see network quirks below. |
| 33 | + |
| 34 | + |
| 35 | +JMX Network quirks |
| 36 | +------------------ |
| 37 | + |
| 38 | +JMX is a weird protocol. |
| 39 | + |
| 40 | +Assuming you have JMX socket `hostA:5555`, communications would look like. |
| 41 | + |
| 42 | + JXM Client JMX Server |
| 43 | + | | |
| 44 | + connect on hostA:5555 -----------> |
| 45 | + <---return "stub" hostX:portX ---| |
| 46 | + | | |
| 47 | + connect on hostX:portX-----------> |
| 48 | + <------- start talking JMX ------> |
| 49 | + |
| 50 | +So the client would attempt to connect to a certain `host:port` returned from JMX Server. |
| 51 | +This is mechanics of Java RMI protocol and it is not very friendly to sophisticated network topologies. |
| 52 | + |
| 53 | +This gives us two strategies for JMX address configuration. |
| 54 | + |
| 55 | +JMX on host you can directly connect |
| 56 | +------------------------------------ |
| 57 | + |
| 58 | +Directly connect host A means you can ping address A and process on host can bind socket on address A |
| 59 | +(i.e. there is no NAT between you and host A). |
| 60 | + |
| 61 | +In this can minimal *unsecured* config would be. |
| 62 | + |
| 63 | + java ... |
| 64 | + -Dcom.sun.management.jmxremote.port=5555 |
| 65 | + -Dcom.sun.management.jmxremote.rmi.port=5555 |
| 66 | + -Dcom.sun.management.jmxremote.authenticate=false |
| 67 | + -Dcom.sun.management.jmxremote.ssl=false |
| 68 | + -Djava.rmi.server.hostname=HostA |
| 69 | + ... |
| 70 | + |
| 71 | +You may omit `java.rmi.server.hostname` if you have a single interface and not using dual (IPv4 / IPv6) stack. |
| 72 | + |
| 73 | + |
| 74 | +In this case you would probably need security. |
| 75 | + |
| 76 | +JMX via port forwarding |
| 77 | +----------------------- |
| 78 | + |
| 79 | +If you access host via port forwarding (`ssh`, `kubectl` etc), you need to |
| 80 | +force JVM to use local host for JMX. |
| 81 | + |
| 82 | +In this can minimal config would be. |
| 83 | + |
| 84 | + java ... |
| 85 | + -Dcom.sun.management.jmxremote.port=5555 |
| 86 | + -Dcom.sun.management.jmxremote.rmi.port=5555 |
| 87 | + -Dcom.sun.management.jmxremote.authenticate=false |
| 88 | + -Dcom.sun.management.jmxremote.ssl=false |
| 89 | + -Djava.rmi.server.hostname=127.0.0.1 |
| 90 | + ... |
| 91 | + |
| 92 | +Forwarded port must be the same on both sides. Now both connections made by JMX would be |
| 93 | +properly forwarded. |
| 94 | + |
| 95 | +In this case you probably already have a layer of security and leaving JMX unsecured could be justified. |
| 96 | + |
| 97 | + |
| 98 | +Using `JCMD` to start JMX port without JVM restart |
| 99 | +-------------------------------------------------- |
| 100 | + |
| 101 | +If you have local access to the host where JVM is running, but no JMX configured you can fix it with `jcmd`. |
| 102 | + |
| 103 | +Below is command to open JMX protocol listener on port 5555. |
| 104 | + |
| 105 | + jcmd PID ManagementAgent.start \ |
| 106 | + jmxremote.authenticate=false \ |
| 107 | + jmxremote.ssl=false \ |
| 108 | + jmxremote.port=5555 |
| 109 | + |
| 110 | +Configuration options here are the same properties as above but with `com.sun.managment` stripped. |
| 111 | + |
| 112 | +All forwarding issues mentioned above are applied too. |
| 113 | + |
| 114 | + |
| 115 | + [1]: https://docs.oracle.com/en/java/javase/11/management/monitoring-and-management-using-jmx-technology.html#GUID-805517EC-2D33-4D61-81D8-4D0FA770D1B8 |
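Review bot: Line 95 of the new file justifies leaving JMX unsecured behind port forwarding, but the config at lines 84-90 only sets `java.rmi.server.hostname=127.0.0.1`, which per lines 44-50 changes the address handed back in the stub; nothing shown there limits who can reach port 5555 directly, and the listener still runs with `authenticate=false` and `ssl=false`. Please add a sentence saying the port has to be unreachable except through the tunnel (firewall or bind restriction) for that justification to hold. The `jcmd` example at lines 105-108 has the same gap: it opens an unauthenticated listener on a running JVM without repeating the warning from line 23. Smaller points: line 110 spells the prefix `com.sun.managment` (should be `com.sun.management.`), line 42 has `JXM Client`, lines 61 and 82 read "In this can", and line 29 reads "set is to same port value".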