Karaf - KARAF-1149

Karaf MBeanServer is not usable behind firewall

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: karaf-management
    • Labels:
      None

      Description

      If a network administrator opens the network ports used by the Karaf MBean server (for instance, by default, 1099 for the RMI registry and 44444 for the RMI server), the JVM opens a random port for the JMX communication.

      It could be helpful to provide a JMX agent, or at least to document how to use the Karaf MBean server behind firewalls.

        Activity

        jbonofre Jean-Baptiste Onofré added a comment -

        Just tested on Docker without any problem. Here are the details.

        First, I started Karaf in docker with ports 1099 and 44444 published:

        docker run -i -t -p 1099:1099 -p 44444:44444 --name karaf karaf
        

        Then, I can use jconsole to connect to the MBean service using the following URL: service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root.

        I also tried to publish all ports randomly in Docker using --publish-all=true:

        docker run -i -t --publish-all=true --name karaf karaf
        

        With docker ps, we can see the ports bound (in my case on 32768). Then I used the following URL: service:jmx:rmi:///jndi/rmi://localhost:32768/karaf-root without any problem.

        jbonofre Jean-Baptiste Onofré added a comment -

        Re-testing with Docker.

        jbonofre Jean-Baptiste Onofré added a comment -

        We have a similar issue with Docker.

        I think that we have to use something like:

        -Dcom.sun.management.jmxremote.local.only=false
        -Djava.rmi.server.hostname=x.x.x.x
        

        Right now, we use something like:

        -Djava.rmi.server.hostname=x.x.x.x
        -Dcom.sun.management.jmxremote.port=44444
        -Dcom.sun.management.jmxremote.rmi.port=1099
        -Dcom.sun.management.jmxremote
        -Dcom.sun.management.jmxremote.authenticate=false 
        -Dcom.sun.management.jmxremote.ssl=false
        

        Let me check the code in the Karaf MBeanServer.

        gnt Guillaume Nodet added a comment -

        Both ports are already configurable in etc/org.apache.karaf.management with rmiRegistryPort and rmiServerPort.
        The only thing the agent does is create a custom remote connection, which we already do in the ConnectorServerFactory class.

        jbonofre Jean-Baptiste Onofré added a comment -

        I will test and include it in Karaf with some documentation (postpone to next Karaf release).

        jbonofre Jean-Baptiste Onofré added a comment -

        Here's an example of an agent to go through a firewall:

        https://blogs.oracle.com/jmxetc/entry/connecting_through_firewall_using_jmx

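The following is an added example for this issue; it is not code from Karaf or from the blog post linked above. It shows the agent approach that the description, the JVM property list and the ConnectorServerFactory comment all point at: the RMI registry and the RMI connector server are both exported on fixed ports (1099 and 44444, the Karaf defaults quoted in the issue) by putting both host:port pairs in the JMXServiceURL, java.rmi.server.hostname is set to the externally reachable address so the RMI stubs do not advertise a container-internal or loopback address, and a JMXAuthenticator replaces the authenticate=false setting from the property list. The host 127.0.0.1, the admin/changeit credential and the class name are assumptions made for the example; TLS is not configured.

```java
import java.lang.management.ManagementFactory;
import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.management.MBeanServer;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.Subject;

// Added example (not Karaf project code): a JMX agent that pins both RMI ports
// so that a firewall only needs TCP 1099 and 44444 open between client and host.
public class FirewalledJmxAgent {

    // A URL of the form service:jmx:rmi:///jndi/rmi://host:1099/name leaves the
    // first host:port empty, and the JVM then exports the connector server on an
    // ephemeral port (the random port reported in the issue). Filling in the first
    // host:port fixes the connector server port; the second fixes the registry port.
    public static JMXServiceURL pinnedUrl(String host, int registryPort, int serverPort, String name)
            throws MalformedURLException {
        return new JMXServiceURL("service:jmx:rmi://" + host + ":" + serverPort
                + "/jndi/rmi://" + host + ":" + registryPort + "/" + name);
    }

    // Demo authenticator with one fixed credential (an assumption for the example).
    // It stands in for authenticate=false; production setups should use
    // jmx.remote.x.password.file / jmx.remote.x.access.file or JAAS instead.
    public static JMXAuthenticator demoAuthenticator(final String user, final String password) {
        final byte[] expected = password.getBytes(StandardCharsets.UTF_8);
        return new JMXAuthenticator() {
            @Override
            public Subject authenticate(Object credentials) {
                if (credentials instanceof String[]) {
                    String[] cred = (String[]) credentials;
                    // MessageDigest.isEqual compares in constant time
                    if (cred.length == 2 && user.equals(cred[0])
                            && MessageDigest.isEqual(expected, cred[1].getBytes(StandardCharsets.UTF_8))) {
                        return new Subject(true,
                                Collections.singleton(new JMXPrincipal(cred[0])),
                                Collections.emptySet(), Collections.emptySet());
                    }
                }
                throw new SecurityException("Invalid credentials");
            }
        };
    }

    public static JMXConnectorServer start(String host, int registryPort, int serverPort,
                                           JMXAuthenticator auth) throws Exception {
        // Must be set before anything is exported: RMI stubs embed this address,
        // and the remote client will connect to whatever it says.
        System.setProperty("java.rmi.server.hostname", host);
        LocateRegistry.createRegistry(registryPort);
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(JMXConnectorServer.AUTHENTICATOR, auth);
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
                pinnedUrl(host, registryPort, serverPort, "jmxrmi"), env, mbs);
        cs.start();
        return cs;
    }

    public static void main(String[] args) throws Exception {
        // Assumed default: the address the remote jconsole can actually reach.
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        JMXConnectorServer cs = start(host, 1099, 44444, demoAuthenticator("admin", "changeit"));
        System.out.println("Connector address: " + cs.getAddress());

        // Self-check: connect the way jconsole would, with credentials, then close.
        Map<String, Object> clientEnv = new HashMap<String, Object>();
        clientEnv.put(JMXConnector.CREDENTIALS, new String[] {"admin", "changeit"});
        JMXConnector client = JMXConnectorFactory.connect(cs.getAddress(), clientEnv);
        System.out.println("MBean count: " + client.getMBeanServerConnection().getMBeanCount());
        client.close();
        cs.stop();
    }
}
```

Run it with java FirewalledJmxAgent <reachable-address> on the Karaf host side, then point jconsole at service:jmx:rmi://<reachable-address>:44444/jndi/rmi://<reachable-address>:1099/jmxrmi with the credential; on the firewall only those two TCP ports need to be opened, and ss -ltnp on the host should show the JVM listening on exactly those ports. To add the TLS that ssl=false switches off, put an SslRMIClientSocketFactory and SslRMIServerSocketFactory into env under RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE and RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE and supply a keystore through javax.net.ssl.keyStore.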
        danttran Dan Tran added a comment -

        dan: do you mean an external firewall or the internal Linux iptables?

        JB:

        I saw the issue today with a customer, with a hardware firewall:

        • Karaf is installed on host A
        • jconsole is on my laptop

        Between A and my laptop, we have a firewall (Cisco IOS) on which I opened the required port.

        But the JVM binds a random port for the jconsole/JMX communication (specific to the Sun JVM). A simple workaround is to create a JMX agent.

        Regards
        JB


          People

          • Assignee:
            jbonofre Jean-Baptiste Onofré
            Reporter:
            jbonofre Jean-Baptiste Onofré
          • Votes:
            0
            Watchers:
            2
