Help wanted to set JMX options and be able to monitor Keycloak with VisualVM

618 views
Skip to first unread message

Fabrice G.

unread,
Mar 19, 2021, 2:38:15 PM3/19/21
to Keycloak User
Hi,

Background :
I'm using the latest (12.0.4) docker image of Keycloak in a local deployment with docker-compose and I'm trying to monitor the JVM using VisualVM.

I first tried to set the various JMX setting through the new JAVA_OPTS_APPEND introduced in KC 12.x container :

      - JAVA_OPTS_APPEND=
        -Dcom.sun.management.jmxremote=true
        -Dcom.sun.management.jmxremote.rmi.port=9091
        -Dcom.sun.management.jmxremote.port=9091
        -Dcom.sun.management.jmxremote.ssl=false
        -Dcom.sun.management.jmxremote.authenticate=false
        -Dcom.sun.management.jmxremote.local.only=false
        -Djava.rmi.server.hostname=0.0.0.0

But this result in :

oidcprovider_1     | =========================================================================
oidcprovider_1     | 
oidcprovider_1     |   JBoss Bootstrap Environment
oidcprovider_1     | 
oidcprovider_1     |   JBOSS_HOME: /opt/jboss/keycloak
oidcprovider_1     | 
oidcprovider_1     |   JAVA: java
oidcprovider_1     | 
oidcprovider_1     |   JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.rmi.port=9091 -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=false -Djava.rmi.server.hostname=0.0.0.0 -agentlib:jdwp=transport=dt_socket,address=*:8100,server=y,suspend=n  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
oidcprovider_1     | 
oidcprovider_1     | =========================================================================
oidcprovider_1     | 
oidcprovider_1     | Listening for transport dt_socket at address: 8100
oidcprovider_1     | WARNING: Failed to load the specified log manager class org.jboss.logmanager.LogManager
oidcprovider_1     | Mar 19, 2021 6:22:11 PM org.jboss.msc.service.ServiceContainerImpl <clinit>
oidcprovider_1     | INFO: JBoss MSC version 1.4.12.Final
oidcprovider_1     | Mar 19, 2021 6:22:11 PM org.jboss.threads.Version <clinit>
oidcprovider_1     | INFO: JBoss Threads version 2.4.0.Final
oidcprovider_1     | Mar 19, 2021 6:22:11 PM org.jboss.as.server.ApplicationServerService start
oidcprovider_1     | INFO: WFLYSRV0049: Keycloak 12.0.4 (WildFly Core 13.0.3.Final) starting
oidcprovider_1     | Mar 19, 2021 6:22:12 PM org.jboss.vfs.TempFileProvider create
oidcprovider_1     | INFO: VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
oidcprovider_1     | Mar 19, 2021 6:22:13 PM org.wildfly.security.Version <clinit>
oidcprovider_1     | INFO: ELY00001: WildFly Elytron version 1.13.1.Final
oidcprovider_1     | Mar 19, 2021 6:22:15 PM org.jboss.as.controller.AbstractOperationContext executeStep
oidcprovider_1     | ERROR: WFLYCTL0013: Operation ("parallel-extension-add") failed - address: ([])
oidcprovider_1     | java.lang.RuntimeException: WFLYCTL0079: Failed initializing module org.jboss.as.logging
oidcprovider_1     | at org.jboss.a...@13.0.3.Final//org.jboss.as.controller.extension.ParallelExtensionAddHandler$1.execute(ParallelExtensionAddHandler.java:115)
....

which seems to be caused by  this issue .

To workaround the above, I've tried the following JAVA_OPTS :
      - JAVA_OPTS=
        -server 
        -Xms64m 
        -Xmx512m 
        -XX:MetaspaceSize=96M 
        -XX:MaxMetaspaceSize=256m 
        -Djava.net.preferIPv4Stack=true 
        -Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager
        -Xbootclasspath/a:/opt/jboss/keycloak/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.1.17.Final.jar
        -Djava.util.logging.manager=org.jboss.logmanager.LogManager
        -Djava.awt.headless=true
        -Dcom.sun.management.jmxremote=true
        -Dcom.sun.management.jmxremote.rmi.port=9091
        -Dcom.sun.management.jmxremote.port=9091
        -Dcom.sun.management.jmxremote.ssl=false
        -Dcom.sun.management.jmxremote.authenticate=false
        -Dcom.sun.management.jmxremote.local.only=false
        -Djava.rmi.server.hostname=0.0.0.0

And got the following error :

oidcprovider_1     | =========================================================================
oidcprovider_1     | 
oidcprovider_1     |   JBoss Bootstrap Environment
oidcprovider_1     | 
oidcprovider_1     |   JBOSS_HOME: /opt/jboss/keycloak
oidcprovider_1     | 
oidcprovider_1     |   JAVA: java
oidcprovider_1     | 
oidcprovider_1     |   JAVA_OPTS:   -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager -Xbootclasspath/a:/opt/jboss/keycloak/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.1.17.Final.jar -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Djava.awt.headless=true -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.rmi.port=9091 -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=false -Djava.rmi.server.hostname=0.0.0.0  -agentlib:jdwp=transport=dt_socket,address=*:8100,server=y,suspend=n  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
oidcprovider_1     | 
oidcprovider_1     | =========================================================================
oidcprovider_1     | 
oidcprovider_1     | Listening for transport dt_socket at address: 8100
oidcprovider_1     | Mar 19, 2021 6:33:34 PM java.lang.System$LoggerFinder lambda$accessProvider$0
oidcprovider_1     | WARNING: Failed to instantiate LoggerFinder provider; Using default.
oidcprovider_1     | java.lang.IllegalStateException: The LogManager was not properly installed (you must set the "java.util.logging.manager" system property to "org.jboss.logmanager.LogManager")
oidcprovider_1     | at org.jboss.logmanager.Logger.getLogger(Logger.java:57)
oidcprovider_1     | at org.jboss...@13.0.3.Final//org.jboss.as.server.Main.main(Main.java:89)
oidcprovider_1     | at org.jboss.modules.Module.run(Module.java:352)
oidcprovider_1     | at org.jboss.modules.Module.run(Module.java:320)
oidcprovider_1     | at org.jboss.modules.Main.main(Main.java:617)
oidcprovider_oidcprovider_1 exited with code 1

Which I don't understand since the  java.util.logging.manager is set properly in the JAVA_OPTS.

help will be greatly appreciated here .

Regards,

    

Thomas Darimont

unread,
Mar 19, 2021, 4:37:44 PM3/19/21
to Fabrice G., Keycloak User
Hello Fabrice,

the following works for me:

# Run Keycloak locally
```
docker run \
-d \
--name keycloak-jmx \
--rm \
-e KEYCLOAK_USER=admin \
-e KEYCLOAK_PASSWORD=admin \
-e PROXY_ADDRESS_FORWARDING=true \
-e KEYCLOAK_STATISTICS=true \
--net=host \
quay.io/keycloak/keycloak:12.0.4 -Djboss.bind.address.private=127.0.0.1 -Djboss.bind.address=127.0.0.1
```

# Create a management user for JMX
```
docker exec -it keycloak-jmx /opt/jboss/keycloak/bin/add-user.sh jmxuser password
```

# Export jboss-cli-client.jar locally
```
docker cp keycloak-jmx:/opt/jboss/keycloak/bin/client/jboss-cli-client.jar .
```

# Start VisualVM with jboss-cli-client.jar
```
visualvm -cp:a ./jboss-cli-client.jar
```

# Create new JMX Connection in VisualVM

JMX URL: `service:jmx:http-remoting-jmx://localhost:9990`
Username: `jmxuser`
Password: `password`
Do not require SSL: on (for the demo...)

Done.

image.png

image.png

Cheers,
Thomas

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/cc9e396e-fde1-471e-b8da-cc9d7650fec7n%40googlegroups.com.
Reply all
Reply to author
Forward
Message has been deleted
0 new messages