Glassfish 2.1 App Server and MySQL 5.1 AMI on OpenSolaris 2008.11

We will create a MySQL 5.1 and Glassfish 2.1 (developer profile) bundle, running both applications as non-root users for better security.
This time I would like to do as much of the (re)configuration as possible through the Glassfish CLI (asadmin) instead of editing the Glassfish XML configuration files directly.

This entry is part of 'OpenSolaris on Amazon EC2' workshop


GlassFish/SJS AS in production - which bundle, which profile, ...?

Specifics of OpenSolaris setup on Amazon EC2

Amazon EC2 images are designed around an instance administrator who logs into the instance as root with an SSH key. The root account has no password (it is locked), so a non-root user cannot su or sudo to it. This imposes some limitations on installing software as a non-root user: certain tasks have to be done directly as root because of known limitations of the pfexec command.

Glassfish 2.1 AMI Targets on Amazon EC2

From past feedback of GlassFish on Solaris on Amazon EC2 users, most of them are skilled developers who use AMI instances to port their Java applications to GlassFish and/or to the EC2 Solaris platform. So in this Glassfish 2.1 AMI image we focus on a reasonably secure, developer-oriented installation in a cloud environment.

AMI creation side
  • Create the Glassfish 2.1 runtime user (gf21)
  • Install Glassfish 2.1 as that non-root user
  • Create a basic SMF integration for Glassfish
  • Add the Glassfish tools to the Glassfish user's PATH
  • Allow the Glassfish user to control the Glassfish SMF service
  • Secure the admin listener: SSL only, bound to 'localhost'
  • Tune Glassfish 2.1 memory usage
  • Clean install data and logs
AMI deployment side
  • User changes the Glassfish admin password
  • User generates a new SSL key
  • Optionally: user opens the admin listener to all public IPs so the admin console can be reached over the web
  • User restarts Glassfish 2.1 to load the new configuration

Create an instance from the MySQL 5.1 AMI (AMI-752CCB1C) and install GF 2.1 on it

Use the pre-created AMI with MySQL 5.1, AMI-752CCB1C

Check ZFS snapshots. The @install snapshot only pins the pre-install state (140M), so destroy it to reclaim the space before the image is bundled.

zfs list -t snapshot
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rpool/ROOT/opensolaris@install   140M      -  2.65G  -
zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                   4.07G  5.53G    72K  /rpool
rpool/ROOT              3.21G  5.53G    18K  legacy
rpool/ROOT/opensolaris  3.21G  5.53G  3.07G  /
rpool/dump               293M  5.53G   293M  -
rpool/export              56K  5.53G    19K  /export
rpool/export/home         37K  5.53G    37K  /export/home
rpool/swap               586M  6.10G    16K  -
zfs list -t snapshot
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rpool/ROOT/opensolaris@install   140M      -  2.65G  -
zfs destroy rpool/ROOT/opensolaris@install
zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                   3.93G  5.66G    72K  /rpool
rpool/ROOT              3.07G  5.66G    18K  legacy
rpool/ROOT/opensolaris  3.07G  5.66G  3.07G  /
rpool/dump               293M  5.66G   293M  -
rpool/export              56K  5.66G    19K  /export
rpool/export/home         37K  5.66G    37K  /export/home
rpool/swap               586M  6.24G    16K  -

Check PKG IPS setup

1. Check whether the image has been cleaned (size of the IPS download and index caches)

du -s -h /var/pkg/download/
34M     /var/pkg/download/

du -s -h /var/pkg/index/
36M     /var/pkg/index/

2. Check whether IPS is set to flush its content cache after a successful install

It is not, so set it:

pkg property -H flush-content-cache-on-success
flush-content-cache-on-success False

pkg set-property flush-content-cache-on-success True

Install JDK6 from OpenSolaris release repo

pkg install SUNWj6dev

Install ANT from OpenSolaris release repo

pkg install SUNWant

Install MySQL 5.1 and J Connector

1. MySQL 5.1 comes from the pre-created AMI until this version is available in the official OpenSolaris repository

Use pre-created AMI with MySQL 5.1 AMI-752ccb1c

2. Install Mysql Connector/J 5.1

Note: We will use version 5.1 from official OpenSolaris REPO

pkg install SUNWmysql5jdbc

Glassfish 2.1 install from JAR distribution as non-root user

GlassFish Project - v2.1 FinalBuild

The Open Sourcing Clustering features are included in this promotion.

Create the non-root runtime user (the account gets no password and is therefore locked by default)

groupadd gf21
useradd -d /export/home/gf21 -m -s /usr/bin/bash -g gf21 gf21

Note: this user does not yet have the privileges to start/stop the GF SMF service; the required authorization is added to its account in steps 7-9 below.

1. Install glassfish 2.1

mkdir /opt/gf21; chown gf21:gf21 /opt/gf21

su - gf21

cd /opt/gf21
wget  http://java.net/download/javaee5/v2.1_branch/promoted/SunOS_X86/glassfish-installer-v2.1-b60e-sunos_x86.jar

java -Xmx256m -jar glassfish-installer-v2.1-b60e-sunos_x86.jar

Accept the license with "A"

The installer unpacks the installation into ./glassfish

2. Configure glassfish 2.1 (Create domain1)

cd /opt/gf21/glassfish

chmod -R +x lib/ant/bin

lib/ant/bin/ant -f setup.xml 

create.domain:
     [exec] Using port 4848 for Admin.
     [exec] Using port 8080 for HTTP Instance.
     [exec] Using port 7676 for JMS.
     [exec] Using port 3700 for IIOP.
     [exec] Using port 8181 for HTTP_SSL.
     [exec] Using default port 3820 for IIOP_SSL.
     [exec] Using default port 3920 for IIOP_MUTUALAUTH.
     [exec] Using default port 8686 for JMX_ADMIN.
     [exec] Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file.
     [exec] ------ Using Profile [developer] to create the domain ------
....
     [exec] Security Store uses: JKS
     [exec] Domain domain1 created.
     [exec] Login information relevant to admin user name [admin] for this domain [domain1] stored at
         [/export/home/gf21/.asadminpass] successfully.

3. Backup original domain1 configuration

cp /opt/gf21/glassfish/domains/domain1/config/domain.xml /opt/gf21/glassfish/domains/domain1/config/domain.xml.org

4. Put the glassfish tools into the PATH

Quote the string so that $PATH is expanded at login time and not when the line is written (unquoted, the current PATH of the root shell would be frozen into ~/.profile):

echo 'export PATH=$PATH:/opt/gf21/glassfish/bin' >> ~/.profile
exit
su - gf21

5. Create a minimal Glassfish SMF manifest for automatic start / stop

How to Create a Service Management Facility (SMF) Manifest

cat >/opt/gf21/smf-glassfish.xml <<EOF
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='glassfish:domain1'>

<service name='application/glassfish/domain1' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
        <service_fmri value='svc:/system/filesystem/local' />
    </dependency>
    <dependency name='network-service' grouping='require_all' restart_on='none' type='service'>
        <service_fmri value='svc:/network/service' />
    </dependency>
    <!-- run the start/stop methods as the unprivileged runtime user -->
    <method_context>
        <method_credential user='gf21' group='gf21' />
    </method_context>
    <exec_method type='method' name='start' exec='/opt/gf21/glassfish/bin/asadmin start-domain domain1' timeout_seconds='600' />
    <exec_method type='method' name='stop' exec='/opt/gf21/glassfish/bin/asadmin stop-domain domain1' timeout_seconds='600' />
    <!-- asadmin start-domain forks the server JVM and returns, so the service is transient -->
    <property_group name='startd' type='framework'>
        <propval name='duration' type='astring' value='transient' />
    </property_group>

    <stability value='Unstable' />
    <template>
        <common_name>
            <loctext xml:lang='C'>Glassfish V2.1 Simple non-root user SMF</loctext>
        </common_name>
    </template>
</service>
</service_bundle>
EOF

6. Load this SMF XML definition and start the service

Execute as root: at this point gf21 has no SMF authorizations yet, so running these through pfexec as gf21 fails.

exit
whoami
root

/usr/sbin/svccfg validate /opt/gf21/smf-glassfish.xml

/usr/sbin/svccfg import /opt/gf21/smf-glassfish.xml

/usr/sbin/svcadm enable svc:/application/glassfish/domain1:default

svcs /application/glassfish/domain1
STATE          STIME    FMRI
online*        12:50:01 svc:/application/glassfish/domain1:default

Wait until the service is online (the trailing * means the instance is still in transition):

svcs /application/glassfish/domain1
online         12:05:29 svc:/application/glassfish/domain1:default

7. Define the authorization by adding a line to auth_attr

Good article: Less known Solaris features: RBAC and Privileges
Part 1: Introduction
Part 2: Role based access control
Part 3: Privileges

As root (the auth_attr fields are name:res1:res2:short_desc:long_desc:attr):
echo "solaris.smf.manage.glassfish/domain1:::Glassfish Domain1 Server management::" >> /etc/security/auth_attr

8. Add service authorization to user gf21

usermod -A solaris.smf.manage.glassfish/domain1 gf21

9. Attach the authorization to the service: action_authorization covers restart/refresh and temporary enable/disable, value_authorization on the general property group covers persistent enable/disable

svccfg -s glassfish/domain1 setprop general/action_authorization=astring: 'solaris.smf.manage.glassfish/domain1'
svccfg -s glassfish/domain1 setprop general/value_authorization=astring: 'solaris.smf.manage.glassfish/domain1'
svcadm refresh glassfish/domain1
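Steps 5 to 9 are one pattern (a transient SMF service whose methods run as an unprivileged user, plus an authorization that lets that user control the service) that is worth keeping as a script. The following is an added example, not a script from the original post: it parametrizes the manifest, the auth_attr line and the root-only svccfg/usermod steps. The defaults are the names used on this page (gf21, /opt/gf21/glassfish, domain1); the `install` action is meant only for the OpenSolaris host and must run as root, while the generator and the sanity checks run on any system with sh, awk and sed.

```shell
#!/bin/sh
# Added example (not from the original post): the SMF + RBAC setup of steps
# 5-9 as a parametrized script, so the same pattern can be reused for another
# non-root service. Defaults are the names used on the page.
set -eu

GF_USER="${GF_USER:-gf21}"
GF_GROUP="${GF_GROUP:-gf21}"
GF_HOME="${GF_HOME:-/opt/gf21/glassfish}"
DOMAIN="${DOMAIN:-domain1}"
FMRI="svc:/application/glassfish/${DOMAIN}"
AUTH="solaris.smf.manage.glassfish/${DOMAIN}"

# Print the SMF manifest. 'transient' because `asadmin start-domain` forks
# the JVM and exits; method_credential makes SMF run start/stop as GF_USER.
gen_manifest() {
    cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='glassfish:${DOMAIN}'>
  <service name='application/glassfish/${DOMAIN}' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local' />
    </dependency>
    <dependency name='network-service' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/service' />
    </dependency>
    <method_context>
      <method_credential user='${GF_USER}' group='${GF_GROUP}' />
    </method_context>
    <exec_method type='method' name='start' exec='${GF_HOME}/bin/asadmin start-domain ${DOMAIN}' timeout_seconds='600' />
    <exec_method type='method' name='stop' exec='${GF_HOME}/bin/asadmin stop-domain ${DOMAIN}' timeout_seconds='600' />
    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>
    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'>Glassfish V2.1 ${DOMAIN} non-root SMF service</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
EOF
}

# auth_attr(4) line: name:res1:res2:short_desc:long_desc:attr (six fields)
gen_auth_line() {
    printf '%s:::Glassfish %s server management::\n' "$AUTH" "$DOMAIN"
}

# Sanity checks that need no Solaris: the auth line has six fields and the
# SMF-style name prefix; the manifest runs its methods as the intended user.
check_auth_line() {
    fields=$(printf '%s\n' "$1" | awk -F: '{ print NF }')
    case $1 in
        solaris.smf.manage.*) [ "$fields" -eq 6 ] ;;
        *) return 1 ;;
    esac
}
manifest_user() {
    sed -n "s/.*<method_credential user='\([^']*\)'.*/\1/p"
}

# Root-only part (steps 6-9 on the page): import and enable the service,
# define the authorization, grant it to the user and attach it to the service.
install_service() {
    gen_manifest > "/tmp/smf-glassfish-${DOMAIN}.xml"
    /usr/sbin/svccfg validate "/tmp/smf-glassfish-${DOMAIN}.xml"
    /usr/sbin/svccfg import "/tmp/smf-glassfish-${DOMAIN}.xml"
    grep -q "^${AUTH}:" /etc/security/auth_attr || gen_auth_line >> /etc/security/auth_attr
    usermod -A "$AUTH" "$GF_USER"
    /usr/sbin/svccfg -s "glassfish/${DOMAIN}" setprop general/action_authorization=astring: "$AUTH"
    /usr/sbin/svccfg -s "glassfish/${DOMAIN}" setprop general/value_authorization=astring: "$AUTH"
    /usr/sbin/svcadm refresh "glassfish/${DOMAIN}"
    /usr/sbin/svcadm enable "$FMRI:default"
}

# On the OpenSolaris host, as root: sh gf-smf.sh install
if [ "${1:-}" = install ]; then install_service; fi
```

Without the `install` argument the script only defines the functions, so `sh gf-smf.sh` is a no-op and `GF_USER=other DOMAIN=domain2 sh -c '. ./gf-smf.sh; gen_manifest'` prints a manifest for a second domain. Note that `usermod -A` replaces the user's authorization list, exactly as on the page.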

10. Secure the default instance domain1 admin interface: use SSL and bind to localhost only

su - gf21

asadmin get server.http-service.http-listener.admin-listener.address
server.http-service.http-listener.admin-listener.address = 0.0.0.0

asadmin set server.http-service.http-listener.admin-listener.address=127.0.0.1

asadmin get server.http-service.http-listener.admin-listener.security-enabled
server.http-service.http-listener.admin-listener.security-enabled = false

asadmin set server.http-service.http-listener.admin-listener.security-enabled=true

Both listener changes take effect only after the domain is restarted (step 12).

11. Optional: Tuning the Glassfish configuration for Amazon EC2 m1.small

Tune the JVM heap in /opt/gf21/glassfish/domains/domain1/config/domain.xml (through asadmin, not by editing the file).
An Amazon EC2 m1.small has 1700MB RAM, so for Solaris JeOS we can give the JVM 1024MB
(but keep in mind the memory needs of MySQL and of the ZFS ARC cache).

Change the Java heap from 512M to 1024M. create-jvm-options adds the new option next to the old one, so the old -Xmx512m has to be deleted explicitly:

asadmin create-jvm-options -- "-Xmx1024m"

grep Xmx /opt/gf21/glassfish/domains/domain1/config/domain.xml
        <jvm-options>-Xmx512m</jvm-options>

        <jvm-options>-Xmx1024m</jvm-options>

asadmin delete-jvm-options -- -Xmx512m

grep Xmx /opt/gf21/glassfish/domains/domain1/config/domain.xml
        <jvm-options>-Xmx1024m</jvm-options>

Note: m1.small has only one CPU; whether the thread pools need tuning still has to be investigated together with the MySQL setup needs.

12. Restart the glassfish SMF service

Execute as root. With the authorization from steps 7-9 in place, these commands should now also work when run as gf21.

exit
whoami
root

/usr/sbin/svcadm disable -t svc:/application/glassfish/domain1:default

/usr/sbin/svcadm enable svc:/application/glassfish/domain1:default

svcs /application/glassfish/domain1
STATE          STIME    FMRI
online*        12:50:01 svc:/application/glassfish/domain1:default

svcs /application/glassfish/domain1
online         12:05:29 svc:/application/glassfish/domain1:default

13. Check that the running GF 2.1 instance runs as gf21:gf21 (still as root)

ps -ef |grep gf21
    gf21 16270     1   0 08:20:29 ?           0:42 /usr/jdk/instances/jdk1.6.0/jre/../bin/java -Dcom.sun.aas.instanceRoot=/opt/gf2

svcs glassfish/domain1
STATE          STIME    FMRI
online          8:21:12 svc:/application/glassfish/domain1:default

svcs -l glassfish/domain1 | grep logfile
logfile        /var/svc/log/application-glassfish-domain1:default.log

tail  /var/svc/log/application-glassfish-domain1:default.log

Domain listens on at least following ports for connections:
[8080 8181 4848 3700 3820 3920 8686 ].
Domain does not support application server clusters and other standalone instances.

netstat -an | egrep "8080|8181|4848|3700|3820|3920|8686"
      *.3700               *.*                0      0 49152      0 LISTEN
      *.3820               *.*                0      0 49152      0 LISTEN
      *.3920               *.*                0      0 49152      0 LISTEN
      *.8686               *.*                0      0 49152      0 LISTEN
      *.8080               *.*                0      0 49152      0 LISTEN
      *.8181               *.*                0      0 49152      0 LISTEN
127.0.0.1.4848         *.*                0      0 49152      0 LISTEN
      *.3700               *.*                0      0 49152      0 LISTEN
      *.3820               *.*                0      0 49152      0 LISTEN
      *.3920               *.*                0      0 49152      0 LISTEN
      *.8686               *.*                0      0 49152      0 LISTEN
      *.8080               *.*                0      0 49152      0 LISTEN
      *.8181               *.*                0      0 49152      0 LISTEN

Only the admin HTTP listener (4848) is now bound to 127.0.0.1. The JMX admin connector (8686), the IIOP listeners (3700, 3820, 3920) and the HTTP listeners are still bound to all interfaces, so on EC2 the security group is the only thing limiting access to them.
Comments:

Cool.................
I am loving combination of GlassFish , MySQL and OpenSolaris.

Posted by Homer Yau on April 30, 2009 at 04:28 AM PDT #

Any chance you could post a how-to for enabling clustering for this AMI?

Posted by Jeff Cybulski on October 13, 2009 at 05:48 AM PDT #

How can I get Web access to the admin console? I am trying to access through port 4848, but couldn't connect.

Posted by Salekul on February 02, 2011 at 08:26 AM PST #
