[GE users] Enabling JMX on a 6.2 qmaster

andre Andre.Alefeld at sun.com
Thu Feb 5 19:20:16 GMT 2009


Hi Victor,

can you try to restart the master with the 
$SGE_ROOT/default/common/jmx/java.policy file changed to have the 
AllPermissions at the end set ?
cp $SGE_ROOT/default/common/jmx/java.policy  
$SGE_ROOT/default/common/jmx/java.policy.saved
vi $SGE_ROOT/default/common/jmx/java.policy
grant {
   permission java.security.AllPermission;
};

Also check the permissions of the $SGE_ROOT/default/common/jmx/* files, 
they should be owned by the sge admin user.

Andre




victor73 wrote:
> Andre,
>
> Turned up all the log settings to FINE and restarted the master.
> However, not much additional information is to found in jgdi0.log. On
> the other hand, jgdi.stderr has a few exceptions in it (see below). It
> appears that the master is unable to read jgdi.jar, however, there
> doesn't appear to be anything wrong with the file's permissions, so it
> must be the security manager preventing it right?
>
> -Victor
>
> access: access allowed (javax.management.MBeanPermission
> sun.management.MemoryPoolImpl#Usage[java.lang:name=PS Perm
> Gen,type=MemoryPool] getAttribute)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1206)
>         at
> java.security.AccessControlContext.checkPermission(AccessControlContext.
> java:272)
>         at
> java.security.AccessController.checkPermission(AccessController.java:546
> )
>         at
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>         at
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermissi
> on(DefaultMBeanServerInterceptor.java:1806)
>         at
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttributes(Defa
> ultMBeanServerInterceptor.java:715)
>         at
> com.sun.jmx.mbeanserver.JmxMBeanServer.getAttributes(JmxMBeanServer.java
> :665)
>         at
> javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionI
> mpl.java:1407)
>         at
> javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionIm
> pl.java:72)
>         at
> javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RM
> IConnectionImpl.java:1264)
>         at
> javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIC
> onnectionImpl.java:1359)
>         at
> javax.management.remote.rmi.RMIConnectionImpl.getAttributes(RMIConnectio
> nImpl.java:636)
>         at sun.reflect.GeneratedMethodAccessor7.invoke(Unknown Source)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
> Impl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at
> sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>         at sun.rmi.transport.Transport$1.run(Transport.java:159)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>         at
> sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>         at
> sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.j
> ava:790)
>         at
> sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.ja
> va:649)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecuto
> r.java:886)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.ja
> va:908)
>         at java.lang.Thread.run(Thread.java:619)
> access: domain 0 ProtectionDomain
> (file:/usr/local/packages/sge6.2/lib/jgdi.jar <no signer certificates>)
>  sun.misc.Launcher$AppClassLoader at 558fe7c3
>  <no principals>
>  java.security.Permissions at 38a97b0b (
>  (java.lang.RuntimePermission exitVM)
>  (java.io.FilePermission /usr/local/packages/sge6.2/lib/jgdi.jar read)
> )
>
>
> access: access allowed (javax.management.MBeanPermission
> sun.management.MemoryPoolImpl#UsageThreshold[java.lang:name=PS Perm
> Gen,type=MemoryPool] getAttribute)
>
>
>
> -----Original Message-----
> From: Andre.Alefeld at Sun.COM [mailto:Andre.Alefeld at Sun.COM] 
> Sent: Monday, February 02, 2009 12:56 PM
> To: users at gridengine.sunsource.net
> Cc: Dan.Templeton at Sun.COM
> Subject: Re: [GE users] Enabling JMX on a 6.2 qmaster
>
> Hi Victor,
>
> do you get any logging in $SGE_ROOT/default/spool/qmaster/jgdi* ?
> You can get more logging by adjusting 
> $SGE_ROOT/default/common/jmx/logging.properties and do a tail -f on 
> jgdi0.log.
> You have to restart the master to make the logging changes available.
>
> Andre
>
> victor73 wrote:
>   
>> Hi Andre,
>>
>> So under the MBeans tab, the top level nodes of the tree that I see
>>     
> are:
>   
>> JMImplementation, com.sun.management, java.lang, and
>>     
> java.util.logging.
>   
>> I've traversed these nodes looking for gridengine information to no
>> avail. Perhaps it's not possible to add JMX support after
>>     
> installation,
>   
>> or something got missed... I've rechecked all the steps in your
>>     
> original
>   
>> response, and everything is in place. Any other ideas?
>>
>> -Victor
>>
>> -----Original Message-----
>> From: Andre.Alefeld at Sun.COM [mailto:Andre.Alefeld at Sun.COM] 
>> Sent: Saturday, January 31, 2009 4:34 AM
>> To: Felix, Victor
>> Cc: users; Dan.Templeton at Sun.COM
>> Subject: Re: [GE users] Enabling JMX on a 6.2 qmaster
>>
>> Hi Victor,
>>
>> can't you see under the MBeans tab the gridengine node ?
>>
>> Andre
>>
>> Felix, Victor wrote:
>>   
>>     
>>> Hi guys,
>>>
>>> So I tried the script and I can now connect to the qmaster machine on
>>> the configured JMX port with jconsole. I see a lot of information on
>>>     
>>>       
>> the
>>   
>>     
>>> various tabs, such as the memory, threads, classes, etc... However,
>>> under the MBean tab I don't see anything really related to SGE at
>>>       
> all.
>   
>>> If I can connect and see that stuff, then SSL/authentication
>>>       
> shouldn't
>   
>>> be the problem anymore right? Or is it possible that the SGE related
>>> controls are only available when full blown security is used, and I'm
>>> only seeing vanilla JMX information pertaining to the JVM?
>>>
>>> -Victor
>>>
>>> -----Original Message-----
>>> From: Dan.Templeton at Sun.COM [mailto:Dan.Templeton at Sun.COM] 
>>> Sent: Wednesday, January 28, 2009 7:31 AM
>>> To: users at gridengine.sunsource.net
>>> Cc: victor73
>>> Subject: Re: [GE users] Enabling JMX on a 6.2 qmaster
>>>
>>> I had similar issues when I put together the HPC software demo.  The 
>>> only way I found to make the JMX connection work was to install the 
>>> cluster with full security and go through all of the steps of 
>>> certificate management.  Anything less failed.
>>>
>>> Daniel
>>>
>>> andre wrote:
>>>   
>>>     
>>>       
>>>> Hi Victor,
>>>>
>>>> can you try the following script:
>>>>
>>>> . <sge_root dir>/default/common/settings.sh
>>>> or
>>>> source <sge_root dir>/default/common/settings.csh
>>>>
>>>>
>>>> #!/bin/sh
>>>>
>>>> # source SGE env
>>>> . /<sge_root>/default/common/settings.sh
>>>>
>>>> jconsole -pluginpath 
>>>> $JAVA_HOME/demo/scripting/jconsole-plugin/jconsole-plugin.jar 
>>>> -J-Djava.security.manager=java.rmi.RMISecurityManager 
>>>> -J-Djava.security.policy=$SGE_ROOT/util/rmiconsole.policy 
>>>>
>>>>     
>>>>       
>>>>         
> -J-Djavax.net.ssl.trustStore=/var/sgeCA/port$SGE_QMASTER_PORT/default/pr
>   
>>   
>>     
>>> ivate/keystore 
>>>   
>>>
>>>     
>>>       
> -J-Djavax.net.ssl.keyStore=/var/sgeCA/port$SGE_QMASTER_PORT/default/priv
>   
>>   
>>     
>>> ate/keystore 
>>>   
>>>     
>>>       
>>>> -J-Djavax.net.debug=ssl -J-Djavax.net.ssl.keyStorePassword=<pw>  
>>>> -J-Djavax.net.ssl.keyPassword=<pw>
>>>>
>>>>
>>>>
>>>> The other possibility is to switch off SSL authentication in 
>>>> $SGE_ROOT/default/common/jmx/management.properties
>>>>
>>>> com.sun.grid.jgdi.management.jmxremote.ssl=false
>>>> ..
>>>> com.sun.grid.jgdi.management.jmxremote.ssl.need.client.auth=false
>>>>
>>>> Andre
>>>>
>>>> victor73 wrote:
>>>>     
>>>>       
>>>>         
>>>>> Thanks Andre,
>>>>>
>>>>> I've put all the files in place and configured the bootstrap file
>>>>>           
> as
>   
>>>>> well as the qmaster with the correct settings for the path to
>>>>> libjvm.so and the jvm. When I start the master I have verified that
>>>>>       
>>>>>         
>>>>>           
>>> my
>>>   
>>>     
>>>       
>>>>> configured port is opened up and listening. I also get jgdi0.log,
>>>>> jgdi.stdout and jgdi.stderr files... Everything seems to be fine
>>>>> except when I try to connect with jconsole. To simplify things,
>>>>>           
> I've
>   
>>>>> turned off ssl and authentication in the management.properties
>>>>>           
> file.
>   
>>>>> When I try to connect with jconsole
>>>>>
>>>>>   
>>>>>       
>>>>>         
>>>>>           
>>>>>> jconsole -J-Djava.security.manager=java.rmi.RMISecurityManager
>>>>>>         
>>>>>>           
>>>>>>             
>>> -J-Djava.security.policy=$SGE_ROOT/util/rmiconsole.policy
>>>     
>>>       
>> qmaster:12345
>>   
>>     
>>>   
>>>     
>>>       
>>>>>>     
>>>>>>         
>>>>>>           
>>>>>>             
>>>>> I get this in the jgdi.stderr file
>>>>>
>>>>> ============================
>>>>> access: access allowed (java.io.FilePermission
>>>>> /usr/local/packages/sge-root/lib/- read)
>>>>> java.lang.Exception: Stack trace
>>>>>         at java.lang.Thread.dumpStack(Thread.java:1206)
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> java.security.AccessControlContext.checkPermission(AccessControlContext.
>   
>>   
>>     
>>> java:272)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> java.security.AccessController.checkPermission(AccessController.java:546
>   
>>   
>>     
>>> )
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
>>> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermissi
>   
>>   
>>     
>>> on(DefaultMBeanServerInterceptor.java:1806)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermissi
>   
>>   
>>     
>>> on(DefaultMBeanServerInterceptor.java:1789)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.isInstanceOf(Defau
>   
>>   
>>     
>>> ltMBeanServerInterceptor.java:1399)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> com.sun.jmx.mbeanserver.JmxMBeanServer.isInstanceOf(JmxMBeanServer.java:
>   
>>   
>>     
>>> 1051)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionI
>   
>>   
>>     
>>> mpl.java:1432)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionIm
>   
>>   
>>     
>>> pl.java:72)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RM
>   
>>   
>>     
>>> IConnectionImpl.java:1264)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIC
>   
>>   
>>     
>>> onnectionImpl.java:1359)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> javax.management.remote.rmi.RMIConnectionImpl.isInstanceOf(RMIConnection
>   
>>   
>>     
>>> Impl.java:898)
>>>   
>>>     
>>>       
>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>>>>       
>>>>>         
>>>>>           
>>> Method)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
>   
>>   
>>     
>>> a:39)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
>   
>>   
>>     
>>> Impl.java:25)
>>>   
>>>     
>>>       
>>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
>>> sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>>>   
>>>     
>>>       
>>>>>         at sun.rmi.transport.Transport$1.run(Transport.java:159)
>>>>>         at java.security.AccessController.doPrivileged(Native
>>>>>         
>>>>>           
>> Method)
>>   
>>     
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
>>> sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>   
>>   
>>     
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.j
>   
>>   
>>     
>>> ava:790)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.ja
>   
>>   
>>     
>>> va:649)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecuto
>   
>>   
>>     
>>> r.java:885)
>>>   
>>>     
>>>       
>>>>>         at
>>>>>       
>>>>>         
>>>>>           
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.ja
>   
>>   
>>     
>>> va:907)
>>>   
>>>     
>>>       
>>>>>         at java.lang.Thread.run(Thread.java:619)
>>>>> access: domain 0 ProtectionDomain
>>>>> (file:/usr/local/packages/sge6.2/lib/jgdi.jar <no signer
>>>>> certificates>)
>>>>>  sun.misc.Launcher$AppClassLoader at 558fe7c3
>>>>>  <no principals>
>>>>>  java.security.Permissions at 38a97b0b (
>>>>>  (java.lang.RuntimePermission exitVM)
>>>>>  (java.io.FilePermission /usr/local/packages/sge6.2/lib/jgdi.jar
>>>>>       
>>>>>         
>>>>>           
>>> read)
>>>   
>>>     
>>>       
>>>>> )
>>>>>
>>>>> access: access allowed (javax.management.MBeanPermission
>>>>> sun.management.RuntimeImpl#-[java.lang:type=Runtime] isInstanceOf)
>>>>> =====================
>>>>>
>>>>> Seems like I'm bumping into a security manager problem. The other
>>>>> thing I've tried is:
>>>>>
>>>>> $java  -cp $SGE_ROOT/lib/juti.jar:$SGE_ROOT/lib/jgdi.jar
>>>>> com.sun.grid.jgdi.examples.jmxeventmonitor.Main
>>>>>
>>>>> but after configuring the GUI and attempting to connect, I get an
>>>>> error dialog with:
>>>>>
>>>>> =====================
>>>>> connection to
>>>>>       
>>>>>         
>>>>>           
>>> service:jmx:rmi:///jndi/rmi://qmaster:12345/jmxrmifailed;
>>>   
>>>     
>>>       
>>>>> nested exception is:
>>>>> 	com.sun.grid.jgdi.JGDIException: jmx connection id contains no
>>>>>       
>>>>>         
>>>>>           
>>> jgdi
>>>   
>>>     
>>>       
>>>>> session id. Please check qmaster's JAAS configuration
>>>>> (JGDILoginModule)
>>>>> =====================
>>>>>
>>>>> My jaas.config file is present and is identical to the provided
>>>>> template in $SGE_ROOT/util...
>>>>> Any ideas?
>>>>>
>>>>> -Victor
>>>>>   
>>>>>       
>>>>>         
>>>>>           
>>>> -- 
>>>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>>>         
> -
>   
>>>>     
>>>>       
>>>>         
>>> - - -
>>>   
>>>     
>>>       
>>>> Andre Alefeld                Phone: ++49 (0)941 3075-255
>>>> Software Engineering         Fax:   ++49 (0)941 3075-222
>>>> Sun Microsystems GmbH
>>>> Dr.-Leo-Ritter-Str. 7	     mailto: andre.alefeld at sun.com
>>>> D-93049 Regensburg           http://www.sun.com/gridware
>>>>
>>>>     
>>>>       
>>>>         
>>> ------------------------------------------------------
>>>
>>>     
>>>       
> http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessage
>   
>>   
>>     
>>> Id=100004
>>>
>>> To unsubscribe from this discussion, e-mail:
>>> [users-unsubscribe at gridengine.sunsource.net].
>>>   
>>>     
>>>       
>>   
>>     
>
>
>   


-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Andre Alefeld                Phone: ++49 (0)941 3075-255
Software Engineering         Fax:   ++49 (0)941 3075-222
Sun Microsystems GmbH
Dr.-Leo-Ritter-Str. 7	     mailto: andre.alefeld at sun.com
D-93049 Regensburg           http://www.sun.com/gridware

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=102236

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].



More information about the gridengine-users mailing list