I ran my Glassfish zone through the quickstart and it bore up fairly well; it doesn't piss memory, and autodeploy is reliable (two improvements on my last Tomcat deployment).
Now that I've got a database, I'm almost ready to deploy something useful, but first it'd be nice to have the appserver managed by the OS (rather than firing it up by hand). Glassfish SMF integration makes it easy to run a domain as an SMF service, so the first thing I need is a domain.
domain attraction
A glassfish domain is a group of 'server instances' (JVMs to you and me). Each domain has its own logs, collection of webapps, admin accounts, etc. (see the Administration Guide p36 onwards for a detailed overview).
I'm not clustering (yet), so my domain just has one JVM; I'll keep it under /domains:
goldfish # zfs create tank/delegated/goldfish/domains
goldfish # zfs set mountpoint=/domains tank/delegated/goldfish/domains
To create a domain you run asadmin create-domain (see 'asadmin help' for surprisingly good documentation):
goldfish # /j2ee/bin/asadmin create-domain \
--adminport 4848 --instanceport 80 \
--profile cluster --user admin \
--domaindir /domains rollerdisco
Please enter the admin password> <choose a password>
Please enter the admin password again> <confirm password>
Please enter the master password [Enter to accept the default]:>
Please enter the master password again [Enter to accept the default]:>
On Unix platform, port numbers below 1024 may require special privileges.
Domain being created with profile:cluster, as specified on command line or environment.
Security Store used should be JKS
goldfish #
manifestation
To automate domain startup, store the admin and 'master' (keystore) passwords in a file which you can feed to asadmin tasks. It holds the admin password in the clear, so create it with a restrictive umask or chmod it to 0600 afterwards; only root needs to read it:
goldfish # cat > /domains/rollerdisco/.aspass
AS_ADMIN_PASSWORD=whatever-you-specified
AS_ADMIN_MASTERPASSWORD=only-needed-if-you-changed-the-default-changeit
^D
Now tell asadmin create-service to build an SMF manifest for your domain.
goldfish # /j2ee/bin/asadmin create-service --passwordfile /domains/rollerdisco/.aspass \
> --type das --serviceproperties net_privaddr /domains/rollerdisco/
java.lang.IllegalArgumentException: Present Platform, OS: SunOS version: 5.11 is not Solaris 10. This facility is not supported on platforms other than Solaris 10.
goldfish # # >_<
Damn it! Solaris Express shows up as ‘5.11’ in uname – and since glassfish is only checking for solaris 10, it refuses to build a service. We need to persuade it to run anyway.
Luckily, Angelo wrote a DTrace script to tamper with the uname() syscall.
We just need the PID of the shell we’re running asadmin from.
goldfish # uname -a
SunOS goldfish 5.11 snv_61 i86pc i386 i86pc
goldfish # echo $$
8539
Then run Angelo's D script up in the global zone (which has DTrace privileges):
vera # ./unamespoofer.d 8539
Changing output of uname for pid 8539 and its descendants...
and now if we retry
goldfish # uname -a
SunOS goldfish 5.10 snv_61 i86pc i386 i86pc
goldfish #
goldfish # /j2ee/bin/asadmin create-service --passwordfile /domains/rollerdisco/.aspass \
> --type das --serviceproperties net_privaddr /domains/rollerdisco/
The SMF Service was created successfully. Here are the details:
Name of the service:application/SUNWappserver/rollerdisco
Type of the service:Domain
Configuration location of the service:/domains
Manifest file location on the system:/var/svc/manifest/application/SUNWappserver/rollerdisco_domains/Domain-service-smf.xml.
The service could be enabled using svcadm command.
Command create-service executed successfully.
goldfish # # \o/
You can cancel that D script now; glassfish itself doesn't mind the OS version (bug #1308, which should be fixed in glassfish b45).
One last gotcha: on rebooting, the service went into maintenance mode.
The logs mentioned it couldn’t find ’/j2ee/bin/asadmin’, but it was there when I checked.
/j2ee is a ZFS filesystem holding my glassfish install.
Turns out the generated manifest only depends on the network milestone, not on local filesystems, so SMF can try to start it before the ZFS filesystems are mounted.
So edit the created manifest, and right below the existing network dependency:
<dependency
name='network'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/milestone/network:default' />
</dependency>
add a dependency on local filesystems:
<dependency
name='filesystem-local'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/system/filesystem/local:default' />
</dependency>
Then reimport it:
goldfish # svccfg import /var/svc/manifest/application/SUNWappserver/rollerdisco_domains/Domain-service-smf.xml
(filed as bug #2910 – the fix will be in b46).
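The manifest edit above, as an added example that is not part of the original post: a small POSIX shell script that inserts the filesystem-local dependency right after the network one, refuses to add it twice, and checks that the result has both dependencies ahead of the start method. The manifest it works on is a constructed stand-in (the DOCTYPE, service name and start method are assumptions about what the generated file looks like); the real file is the Domain-service-smf.xml path that create-service printed.

```shell
#!/bin/sh
# Added example (not from the original post): patch an SMF manifest that,
# like the one asadmin create-service generated, depends only on the network
# milestone, so the service also waits for local filesystems (the ZFS /j2ee
# and /domains mounts) before its start method runs.
#
# The sample manifest below is a constructed stand-in for the generated
# Domain-service-smf.xml; only generic SMF elements are relied on.

# Write a cut-down manifest with just the network dependency to the given path.
make_sample_manifest() {
    cat > "$1" <<'EOF'
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='SUNWappserver:rollerdisco'>
<service name='application/SUNWappserver/rollerdisco' type='service' version='1'>
    <dependency
        name='network'
        grouping='require_all'
        restart_on='none'
        type='service'>
        <service_fmri value='svc:/milestone/network:default' />
    </dependency>
    <exec_method type='method' name='start'
        exec='/j2ee/bin/asadmin start-domain --domaindir /domains rollerdisco'
        timeout_seconds='0' />
</service>
</service_bundle>
EOF
}

# Succeeds if the manifest already requires svc:/system/filesystem/local.
has_fs_dependency() {
    grep -q 'svc:/system/filesystem/local' "$1"
}

# Print the manifest with a filesystem-local dependency inserted right after
# the network dependency.  Idempotent: a manifest that already has the
# dependency is printed unchanged.
add_fs_dependency() {
    if has_fs_dependency "$1"; then
        cat "$1"
        return 0
    fi
    awk '
        { print }
        /svc:\/milestone\/network:default/ { in_net = 1 }
        in_net && /<\/dependency>/ {
            print "    <dependency"
            print "        name=\"filesystem-local\""
            print "        grouping=\"require_all\""
            print "        restart_on=\"none\""
            print "        type=\"service\">"
            print "        <service_fmri value=\"svc:/system/filesystem/local:default\" />"
            print "    </dependency>"
            in_net = 0
        }
    ' "$1"
}

# Succeeds if both dependencies precede the start method and the filesystem
# one follows the network one (i.e. the edit landed where the post puts it).
dependencies_ordered() {
    awk '
        /svc:\/milestone\/network:default/        { net = NR }
        /svc:\/system\/filesystem\/local:default/ { fs = NR }
        /<exec_method/ && !meth                   { meth = NR }
        END { exit !(net && fs && net < fs && fs < meth) }
    ' "$1"
}

# Stand-alone run: fix the constructed sample and print the result.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_manifest "$tmp"
    add_fs_dependency "$tmp"
    rm -f "$tmp"
fi
```

Run add_fs_dependency against a copy of the real manifest, then svccfg validate the result before you svccfg import it, so a typo in the XML is caught before it touches the repository.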
Now we can start the service:
goldfish # svcadm enable rollerdisco
It’ll take a minute or two, but should come up OK.
priviligious fanatics
SMF also lets Glassfish run as root relatively safely (even if we weren’t in a zone).
A normal root shell can do pretty much anything it likes:
goldfish # ppriv -S $$
4139: -bash
flags =
E: zone
I: basic
P: zone
L: zone
Look at the glassfish service:
goldfish # ppriv -S $(pgrep java)
3081: /j2ee/jdk/bin/java -client -XX:MaxPermSize=192m -Xmx512m -XX:NewRatio=
flags = PRIV_AWARE
E: basic,net_privaddr
I: basic,net_privaddr
P: basic,net_privaddr
L: zone
'basic' privilege lets you fork, exec, symlink, write files you own, etc. It's the same rights the 'nobody' user has [1].
By default, this is the privilege SMF grants glassfish:
goldfish # svccfg -s rollerdisco 'listprop start/privileges'
start/privileges astring basic,net_privaddr
Remember : On Solaris 10 (or higher
For example, net_privaddr lets you open ports < 1024. If I hadn't specifically asked for it (the '--serviceproperties' option to create-service) glassfish wouldn't be able to run on port 80, even as root (which is why create-domain warned me about it).
[1] Admittedly, root probably owns more files than nobody on the average server.