Help wanted to set JMX options and be able to monitor Keycloak with VisualVM

Fabrice G.

Mar 19, 2021, 2:38:15 PM
to Keycloak User
Hi,

Background:
I'm using the latest (12.0.4) docker image of Keycloak in a local deployment with docker-compose and I'm trying to monitor the JVM using VisualVM.

I first tried to set the various JMX settings through the new JAVA_OPTS_APPEND introduced in the KC 12.x container:

      - JAVA_OPTS_APPEND=
        -Dcom.sun.management.jmxremote=true
        -Dcom.sun.management.jmxremote.rmi.port=9091
        -Dcom.sun.management.jmxremote.port=9091
        -Dcom.sun.management.jmxremote.ssl=false
        -Dcom.sun.management.jmxremote.authenticate=false
        -Dcom.sun.management.jmxremote.local.only=false
        -Djava.rmi.server.hostname=0.0.0.0

But this results in:

oidcprovider_1     | =========================================================================
oidcprovider_1     | 
oidcprovider_1     |   JBoss Bootstrap Environment
oidcprovider_1     | 
oidcprovider_1     |   JBOSS_HOME: /opt/jboss/keycloak
oidcprovider_1     | 
oidcprovider_1     |   JAVA: java
oidcprovider_1     | 
oidcprovider_1     |   JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.rmi.port=9091 -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=false -Djava.rmi.server.hostname=0.0.0.0 -agentlib:jdwp=transport=dt_socket,address=*:8100,server=y,suspend=n  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
oidcprovider_1     | 
oidcprovider_1     | =========================================================================
oidcprovider_1     | 
oidcprovider_1     | Listening for transport dt_socket at address: 8100
oidcprovider_1     | WARNING: Failed to load the specified log manager class org.jboss.logmanager.LogManager
oidcprovider_1     | Mar 19, 2021 6:22:11 PM org.jboss.msc.service.ServiceContainerImpl <clinit>
oidcprovider_1     | INFO: JBoss MSC version 1.4.12.Final
oidcprovider_1     | Mar 19, 2021 6:22:11 PM org.jboss.threads.Version <clinit>
oidcprovider_1     | INFO: JBoss Threads version 2.4.0.Final
oidcprovider_1     | Mar 19, 2021 6:22:11 PM org.jboss.as.server.ApplicationServerService start
oidcprovider_1     | INFO: WFLYSRV0049: Keycloak 12.0.4 (WildFly Core 13.0.3.Final) starting
oidcprovider_1     | Mar 19, 2021 6:22:12 PM org.jboss.vfs.TempFileProvider create
oidcprovider_1     | INFO: VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
oidcprovider_1     | Mar 19, 2021 6:22:13 PM org.wildfly.security.Version <clinit>
oidcprovider_1     | INFO: ELY00001: WildFly Elytron version 1.13.1.Final
oidcprovider_1     | Mar 19, 2021 6:22:15 PM org.jboss.as.controller.AbstractOperationContext executeStep
oidcprovider_1     | ERROR: WFLYCTL0013: Operation ("parallel-extension-add") failed - address: ([])
oidcprovider_1     | java.lang.RuntimeException: WFLYCTL0079: Failed initializing module org.jboss.as.logging
oidcprovider_1     | at org.jboss.a...@13.0.3.Final//org.jboss.as.controller.extension.ParallelExtensionAddHandler$1.execute(ParallelExtensionAddHandler.java:115)
....

which seems to be caused by this issue.

To work around the above, I've tried the following JAVA_OPTS:
      - JAVA_OPTS=
        -server 
        -Xms64m 
        -Xmx512m 
        -XX:MetaspaceSize=96M 
        -XX:MaxMetaspaceSize=256m 
        -Djava.net.preferIPv4Stack=true 
        -Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager
        -Xbootclasspath/a:/opt/jboss/keycloak/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.1.17.Final.jar
        -Djava.util.logging.manager=org.jboss.logmanager.LogManager
        -Djava.awt.headless=true
        -Dcom.sun.management.jmxremote=true
        -Dcom.sun.management.jmxremote.rmi.port=9091
        -Dcom.sun.management.jmxremote.port=9091
        -Dcom.sun.management.jmxremote.ssl=false
        -Dcom.sun.management.jmxremote.authenticate=false
        -Dcom.sun.management.jmxremote.local.only=false
        -Djava.rmi.server.hostname=0.0.0.0

And got the following error:

oidcprovider_1     | =========================================================================
oidcprovider_1     | 
oidcprovider_1     |   JBoss Bootstrap Environment
oidcprovider_1     | 
oidcprovider_1     |   JBOSS_HOME: /opt/jboss/keycloak
oidcprovider_1     | 
oidcprovider_1     |   JAVA: java
oidcprovider_1     | 
oidcprovider_1     |   JAVA_OPTS:   -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager -Xbootclasspath/a:/opt/jboss/keycloak/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.1.17.Final.jar -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Djava.awt.headless=true -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.rmi.port=9091 -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=false -Djava.rmi.server.hostname=0.0.0.0  -agentlib:jdwp=transport=dt_socket,address=*:8100,server=y,suspend=n  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
oidcprovider_1     | 
oidcprovider_1     | =========================================================================
oidcprovider_1     | 
oidcprovider_1     | Listening for transport dt_socket at address: 8100
oidcprovider_1     | Mar 19, 2021 6:33:34 PM java.lang.System$LoggerFinder lambda$accessProvider$0
oidcprovider_1     | WARNING: Failed to instantiate LoggerFinder provider; Using default.
oidcprovider_1     | java.lang.IllegalStateException: The LogManager was not properly installed (you must set the "java.util.logging.manager" system property to "org.jboss.logmanager.LogManager")
oidcprovider_1     | at org.jboss.logmanager.Logger.getLogger(Logger.java:57)
oidcprovider_1     | at org.jboss...@13.0.3.Final//org.jboss.as.server.Main.main(Main.java:89)
oidcprovider_1     | at org.jboss.modules.Module.run(Module.java:352)
oidcprovider_1     | at org.jboss.modules.Module.run(Module.java:320)
oidcprovider_1     | at org.jboss.modules.Main.main(Main.java:617)
oidcprovider_oidcprovider_1 exited with code 1

Which I don't understand, since java.util.logging.manager is set properly in the JAVA_OPTS.

Help will be greatly appreciated here.

Regards,

    

Thomas Darimont

Mar 19, 2021, 4:37:44 PM
to Fabrice G., Keycloak User
Hello Fabrice,

the following works for me:

# Run Keycloak locally
```
docker run \
-d \
--name keycloak-jmx \
--rm \
-e KEYCLOAK_USER=admin \
-e KEYCLOAK_PASSWORD=admin \
-e PROXY_ADDRESS_FORWARDING=true \
-e KEYCLOAK_STATISTICS=true \
--net=host \
quay.io/keycloak/keycloak:12.0.4 -Djboss.bind.address.private=127.0.0.1 -Djboss.bind.address=127.0.0.1
```

# Create a management user for JMX
```
docker exec -it keycloak-jmx /opt/jboss/keycloak/bin/add-user.sh jmxuser password
```

# Export jboss-cli-client.jar locally
```
docker cp keycloak-jmx:/opt/jboss/keycloak/bin/client/jboss-cli-client.jar .
```

# Start VisualVM with jboss-cli-client.jar
```
visualvm -cp:a ./jboss-cli-client.jar
```

# Create new JMX Connection in VisualVM

JMX URL: `service:jmx:http-remoting-jmx://localhost:9990`
Username: `jmxuser`
Password: `password`
Do not require SSL: on (for the demo...)

Done.

Cheers,
Thomas
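
Added example, not part of the thread: the JAVA_OPTS logged in the question open a remote JMX connector with authentication and TLS switched off and a JDWP debug socket on every interface, whereas the answer goes through the management interface with a management user. This Python check reports those flags from a JAVA_OPTS string; `audit_java_opts` and the finding names are hypothetical, and the sample is the question's logged line shortened to the relevant flags.

```python
import re

# JAVA_OPTS as logged in the question, shortened to the flags that matter here.
QUESTION_JAVA_OPTS = (
    "-server -Xms64m -Xmx512m -Djava.awt.headless=true "
    "-Dcom.sun.management.jmxremote=true "
    "-Dcom.sun.management.jmxremote.rmi.port=9091 "
    "-Dcom.sun.management.jmxremote.port=9091 "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.local.only=false "
    "-Djava.rmi.server.hostname=0.0.0.0 "
    "-agentlib:jdwp=transport=dt_socket,address=*:8100,server=y,suspend=n"
)

JMX = "com.sun.management.jmxremote"


def audit_java_opts(java_opts):
    """Return a sorted list of finding ids (hypothetical names) for a JAVA_OPTS string."""
    tokens = java_opts.split()
    props = {}
    for tok in tokens:
        if tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value
    findings = set()
    if f"{JMX}.port" in props:  # a remote JMX connector is opened
        # The JVM defaults for both settings are "true"; only an explicit
        # "false" disables them.
        if props.get(f"{JMX}.authenticate", "true").lower() == "false":
            findings.add("jmx-no-auth")
        if props.get(f"{JMX}.ssl", "true").lower() == "false":
            findings.add("jmx-no-tls")
    for tok in tokens:
        m = re.match(r"-agentlib:jdwp=(.*)", tok)
        if not m:
            continue
        # Sub-options are comma-separated key=value pairs.
        opts = dict(p.partition("=")[::2] for p in m.group(1).split(","))
        host = opts.get("address", "").rpartition(":")[0]
        # JDWP has no authentication, so a wildcard listener is flagged.
        if opts.get("server") == "y" and host in ("*", "0.0.0.0"):
            findings.add("jdwp-all-interfaces")
    return sorted(findings)
```

Running it over the `JAVA_OPTS:` line that the container prints at startup covers flags merged in from `JAVA_OPTS_APPEND` and other environment variables, not only the ones written in the compose file.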
