c******n posts: 4965 | 1 [The following text is reposted from the Java discussion board]
From: creation (working on freestyle 50m/45sec !), Board: Java
Subject: trick to use JMX on EC2
Site: BBS 未名空间站 (Fri Sep 16 01:46:21 2011, US Eastern)
many java applications are written as JMX MBeans
but EC2 presents many problems for JMX
1) normally you have only port 22 open, changing security group is a hassle
if you are just debugging for one shot.
2) the second port used by JMX is determined dynamically, so you don't know
which port to open
3) JMX is going to figure out the *internal* ip of EC2 and have your JMX
client connect to RMI on that IP, which cannot be reached.
so to solve these
1) use ssh tunnel, + iptables on client
2) http://blogs.oracle.com/jmxetc/entry/connecting_through_firewall_using_jmx , i.e. setup RMI connector explicitly.
3) http://blogs.oracle.com/jmxetc/entry/connecting_through_firewall_using_jmx , "-Djava.rmi.server.hostname="
note that in 2) you should NOT supply the
-Dcom.sun.management.jmxremote.port=
argument, otherwise JMX will still use the dynamic port selection
for 1), the trick is to forward the traffic through your ssh tunnel onto the remote JMX
port, so your jconsole needs to connect to localhost instead.
another problem is that the remote JMX is going to ask you to connect to the
external_IP instead, not localhost, so you need to use iptables to route
all your packets for the remote external_IP to localhost, on which the ssh
tunnel is listening.
########### iptables script ###########
# client side: 1.2.3.4 is the EC2 box, 7500 is the fixed JMX/RMI port
EXTERNAL_BOX_IP=1.2.3.4
PORT=7500
# flush the nat table (this also drops any other nat rules on the client)
sudo iptables -t nat -F
# rewrite locally generated packets for 1.2.3.4:7500 so they go to
# 127.0.0.1:7500, where the ssh tunnel is listening
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
############################
then create the tunnel to the remote EC2 box (whose ip is 1.2.3.4)
ssh -L7500:1.2.3.4:7500 1.2.3.4
then you can use jconsole to connect to 1.2.3.4:7500
the link above provides an easier trick without using iptables, i.e. let JMX
tell a lie and say -Djava.rmi.server.hostname=localhost. this
would not work if you do not connect through the ssh tunnel but open up the
security group instead.
have fun!
yang
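To show what point 2 (setting up the RMI connector explicitly so both JMX ports are fixed) and point 3 (java.rmi.server.hostname) look like in code, here is an added example that is not part of the original post; the class name FixedPortJmx and the port 7500 are my own choices, and the service URL form follows the Oracle JMX blog linked above.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;

/** Starts a JMX connector whose RMI registry and RMI server both listen on one fixed port. */
public class FixedPortJmx {

    public static JMXConnectorServer start(String hostname, int port) throws Exception {
        // Hostname baked into the RMI stubs handed to jconsole (point 3 in the post).
        // "localhost" makes the client's second connection go back through the ssh
        // tunnel instead of to the EC2 internal or external IP.
        System.setProperty("java.rmi.server.hostname", hostname);

        // Create the RMI registry ourselves on the fixed port; this replaces
        // -Dcom.sun.management.jmxremote.port, which would leave the second port dynamic.
        LocateRegistry.createRegistry(port);

        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

        // rmi://host:port before /jndi pins the RMI server (second) port; rmi://host:port
        // after /jndi is the registry. Using the same number leaves one port to tunnel.
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi://" + hostname + ":" + port
                + "/jndi/rmi://" + hostname + ":" + port + "/jmxrmi");

        // The environment map is where authentication and SSL settings go; this example,
        // like the post, relies on the port not being reachable outside the ssh tunnel.
        Map<String, Object> env = new HashMap<String, Object>();
        JMXConnectorServer server =
                JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        JMXConnectorServer server = start("localhost", 7500);
        System.out.println("JMX listening on " + server.getAddress());
        Thread.sleep(Long.MAX_VALUE); // keep the JVM alive so jconsole can attach
    }
}
```

With the tunnel from the post (ssh -L7500:1.2.3.4:7500 1.2.3.4) in place, jconsole connects to localhost:7500 and no iptables rules are needed, because both the registry lookup and the RMI stub now point at localhost.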