Virtual Guru's Blog – Home of Virtualization Workshops

April 15, 2009

Glassfish 2.1 App Server and MySQL 5.1 AMI on OpenSolaris 2008.11

Filed under: amazon_aws, cloud, glassfish, opensolaris, Virtualization — natiku @ 1:15 am

We will create a MySQL 5.1 and Glassfish 2.1 developer profile bundle, and we will run both applications as a non-root user for higher security.
This time I would like to use the Glassfish CLI management tools for as much of the (re)configuration as possible, instead of directly editing the Glassfish XML configuration files.

This entry is part of the ‘OpenSolaris on Amazon EC2’ workshop


GlassFish/SJS AS in production – which bundle, which profile, …?

Specifics of OpenSolaris setup on Amazon EC2

Amazon AWS is designed for OS configurations where the instance admin logs into the instance as ROOT with an SSH key; the ROOT user has no password (it is locked), so we can’t ‘sudo’ to it. This imposes some limitations on non-root SW installs when some tasks need to be done directly as the root user, due to known limitations of the pfexec command.

Glassfish 2.1 AMI Targets on Amazon EC2

From past feedback from Glassfish on Solaris Amazon EC2 users, most users are skilled developers who want to use AMI instances for porting their JAVA apps to Glassfish and/or the EC2 Solaris platform. So in this Glassfish 2.1 AMI image we will focus on a reasonably secure, developer-oriented installation in a Cloud environment.

AMI creation side
  • Create Glassfish 2.1 user (gf21)
  • Install Glassfish 2.1 as non-root user
  • Create basic SMF Glassfish integration
  • Add Glassfish tools to Glassfish user path
  • Allow Glassfish user to control Glassfish SMF service
  • Secure admin to use SSL and bind to ‘localhost’ only
  • Tune Glassfish 2.1 memory usage
  • Clean install data and logs
AMI deployment side
  • User will change Glassfish admin password
  • User will generate new SSL key
  • Optionally: User will open admin domain to all public IPs, so it can be accessed by WEB
  • User will restart Glassfish 2.1 to load new installation

Create a MySQL 5.1 AMI-752CCB1C instance and install GF 2.1 there

Use pre-created AMI with MySQL 5.1 AMI-752CCB1C

Check snapshots

zfs list -t snapshot
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rpool/ROOT/opensolaris@install   140M      -  2.65G  -
zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                   4.07G  5.53G    72K  /rpool
rpool/ROOT              3.21G  5.53G    18K  legacy
rpool/ROOT/opensolaris  3.21G  5.53G  3.07G  /
rpool/dump               293M  5.53G   293M  -
rpool/export              56K  5.53G    19K  /export
rpool/export/home         37K  5.53G    37K  /export/home
rpool/swap               586M  6.10G    16K  -
root@jsc-xen-14:~# zfs list -t snapshot
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rpool/ROOT/opensolaris@install   140M      -  2.65G  -
zfs destroy rpool/ROOT/opensolaris@install
zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                   3.93G  5.66G    72K  /rpool
rpool/ROOT              3.07G  5.66G    18K  legacy
rpool/ROOT/opensolaris  3.07G  5.66G  3.07G  /
rpool/dump               293M  5.66G   293M  -
rpool/export              56K  5.66G    19K  /export
rpool/export/home         37K  5.66G    37K  /export/home
rpool/swap               586M  6.24G    16K  -

Check PKG IPS setup

1. Check if image is cleaned

du -s -h /var/pkg/download/
34M     /var/pkg/download/
du -s -h /var/pkg/index/
36M     /var/pkg/index/

2. Check if PKG IPS is set up to auto clean cache

It is not, so set it:

pkg property -H flush-content-cache-on-success
flush-content-cache-on-success False
pkg set-property flush-content-cache-on-success True

Install JDK6 from OpenSolaris release repo

pkg install SUNWj6dev

Install ANT from OpenSolaris release repo

pkg install SUNWant

Install MySQL 5.1 and J Connector

1. We will use the AMI with MySQL 5.1 until this version is in the official OpenSolaris REPO

Use pre-created AMI with MySQL 5.1 AMI-752ccb1c

2. Install Mysql Connector/J 5.1

Note: We will use version 5.1 from official OpenSolaris REPO

pkg install SUNWmysql5jdbc

Glassfish 2.1 Install from JAR distribution as non-root user

GlassFish Project – v2.1 FinalBuild

The Open Sourcing Clustering features are included in this promotion.

Create non-root runtime user (account locked by default)

groupadd gf21
useradd -d /export/home/gf21 -m -s /usr/bin/bash -g gf21 gf21

Note: This user does not have enough privileges to start/stop the GF service; I plan to add a profile to it, see the separate section below.

1. Install glassfish 2.1

mkdir /opt/gf21; chown gf21:gf21 /opt/gf21
su - gf21
cd /opt/gf21
wget  http://java.net/download/javaee5/v2.1_branch/promoted/SunOS_X86/glassfish-installer-v2.1-b60e-sunos_x86.jar
java -Xmx256m -jar glassfish-installer-v2.1-b60e-sunos_x86.jar
Accept the license with "A"
The installation will be unpacked into ./glassfish

2. Configure glassfish 2.1 (Create domain1)

cd /opt/gf21/glassfish
chmod -R +x lib/ant/bin
lib/ant/bin/ant -f setup.xml
create.domain:
[exec] Using port 4848 for Admin.
[exec] Using port 8080 for HTTP Instance.
[exec] Using port 7676 for JMS.
[exec] Using port 3700 for IIOP.
[exec] Using port 8181 for HTTP_SSL.
[exec] Using default port 3820 for IIOP_SSL.
[exec] Using default port 3920 for IIOP_MUTUALAUTH.
[exec] Using default port 8686 for JMX_ADMIN.
[exec] Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file.
[exec] ------ Using Profile [developer] to create the domain ------
....
[exec] Security Store uses: JKS
[exec] Domain domain1 created.
[exec] Login information relevant to admin user name [admin] for this domain [domain1] stored at
[/export/home/gf21/.asadminpass] successfully.

3. Backup original domain1 configuration

cp /opt/gf21/glassfish/domains/domain1/config/domain.xml /opt/gf21/glassfish/domains/domain1/config/domain.xml.org

4. Put glassfish tools into path

echo export PATH=$PATH:/opt/gf21/glassfish/bin >>~/.profile
exit
su - gf21

5. Create minimal Glassfish SMF script for automatic start / stop

How to Create a Service Management Facility (SMF) Manifest

cat >/opt/gf21/smf-glassfish.xml <<EOF
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='glassfish:domain1'>
<service name='application/glassfish/domain1' type='service' version='1'>
<create_default_instance enabled='true' />
<single_instance />
<dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/local' />
</dependency>
<dependency name='network-service' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/service' />
</dependency>
<method_context>
<method_credential user='gf21'  group='gf21' />
</method_context>
<exec_method type='method' name='start' exec='/opt/gf21/glassfish/bin/asadmin start-domain domain1' timeout_seconds='600' />
<exec_method type='method' name='stop' exec='/opt/gf21/glassfish/bin/asadmin stop-domain domain1' timeout_seconds='600' />
<property_group name='startd' type='framework'>
<propval name='duration' type='astring' value='transient' />
</property_group>
<stability value='Unstable' />
<template>
<common_name>
<loctext xml:lang='C'>Glassfish V2.1 Simple non-root user SMF</loctext>
</common_name>
</template>
</service>
</service_bundle>
EOF

6. Load this SMF XML definition and start the service

Execute as root; pfexec as gf21 fails on these.
exit
whoami
root
/usr/sbin/svccfg validate /opt/gf21/smf-glassfish.xml
/usr/sbin/svccfg import /opt/gf21/smf-glassfish.xml
/usr/sbin/svcadm enable svc:/application/glassfish/domain1:default
svcs /application/glassfish/domain1
STATE          STIME    FMRI
online*        12:50:01 svc:/application/glassfish/domain1:default
Wait until the service is online
svcs /application/glassfish/domain1
online         12:05:29 svc:/application/glassfish/domain1:default

7. Add a line to auth_attr to create the authorization

Good Article: Less known Solaris features: RBAC and Privileges
Part 1: Introduction
Part 2: Role based access control
Part 3: Privileges

as root
echo "solaris.smf.manage.glassfish/domain1:::Glassfish Domain1 Server management::" >> /etc/security/auth_attr

8. Add service authorization to user gf21

usermod -A solaris.smf.manage.glassfish/domain1 gf21

9. Add authorization to restart and manage service

svccfg -s glassfish/domain1 setprop general/action_authorization=astring: 'solaris.smf.manage.glassfish/domain1'
svccfg -s glassfish/domain1 setprop general/value_authorization=astring: 'solaris.smf.manage.glassfish/domain1'
svcadm refresh glassfish/domain1

10. Secure default instance domain1 admin interface by using SSL and localhost

su - gf21
asadmin get  server.http-service.http-listener.admin-listener.address
server.http-service.http-listener.admin-listener.address = 0.0.0.0
asadmin set server.http-service.http-listener.admin-listener.address=127.0.0.1
asadmin  get server.http-service.http-listener.admin-listener.security-enabled
server.http-service.http-listener.admin-listener.security-enabled = false
asadmin  set server.http-service.http-listener.admin-listener.security-enabled=true

11. Optional: Tuning Glassfish configuration for Amazon EC2 c1.small

Tune the JVM HEAP memory in /opt/gf21/glassfish/domains/domain1/config/domain.xml.
Amazon AWS m1.small has 1700MB RAM, so for Solaris as JeOS we can put 1024MB there
(but we also need to keep in mind the memory needs of MySQL and the ZFS ARC cache).

Change the Java heap memory from 512M to 1024M

asadmin  create-jvm-options --  "-Xmx1024m"
cat /opt/gf21/glassfish/domains/domain1/config/domain.xml | grep Xmx
<jvm-options>-Xmx512m</jvm-options>
<jvm-options>-Xmx1024m</jvm-options>
asadmin delete-jvm-options -- -Xmx512m
cat /opt/gf21/glassfish/domains/domain1/config/domain.xml | grep Xmx
<jvm-options>-Xmx1024m</jvm-options>

Note: c1.small has only one CPU; whether we need to optimize threads needs to be investigated together with the MySQL setup needs.

12. Restart glassfish SMF service

Execute as root; pfexec as gf21 fails on these. It should work now!
exit
whoami
root
/usr/sbin/svcadm disable -t svc:/application/glassfish/domain1:default
/usr/sbin/svcadm enable svc:/application/glassfish/domain1:default
svcs /application/glassfish/domain1
STATE          STIME    FMRI
online*        12:50:01 svc:/application/glassfish/domain1:default
svcs /application/glassfish/domain1
online         12:05:29 svc:/application/glassfish/domain1:default

13. Check that the running GF 2.1 instance runs under gf21:gf21 (still as root)

ps -ef |grep gf21
gf21 16270     1   0 08:20:29 ?           0:42 /usr/jdk/instances/jdk1.6.0/jre/../bin/java -Dcom.sun.aas.instanceRoot=/opt/gf2
svcs glassfish/domain1
STATE          STIME    FMRI
online          8:21:12 svc:/application/glassfish/domain1:default
svcs -l glassfish/domain1 | grep logfile
logfile /var/svc/log/application-glassfish-domain1:default.log
tail  /var/svc/log/application-glassfish-domain1:default.log
Domain listens on at least following ports for connections:
[8080 8181 4848 3700 3820 3920 8686 ].
Domain does not support application server clusters and other standalone instances.
netstat -an | egrep "8080|8181|4848|3700|3820|3920|8686"
*.3700               *.*                0      0 49152      0 LISTEN
*.3820               *.*                0      0 49152      0 LISTEN
*.3920               *.*                0      0 49152      0 LISTEN
*.8686               *.*                0      0 49152      0 LISTEN
*.8080               *.*                0      0 49152      0 LISTEN
*.8181               *.*                0      0 49152      0 LISTEN
127.0.0.1.4848         *.*                0      0 49152      0 LISTEN
*.3700               *.*                0      0 49152      0 LISTEN
*.3820               *.*                0      0 49152      0 LISTEN
*.3920               *.*                0      0 49152      0 LISTEN
*.8686               *.*                0      0 49152      0 LISTEN
*.8080               *.*                0      0 49152      0 LISTEN
*.8181               *.*                0      0 49152      0 LISTEN
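The two checks this walkthrough relies on (the SMF method runs the domain as gf21, not root, and the admin listener 4848 is bound to 127.0.0.1 only) can be scripted as a post-install verification. This is an added example, not code from the original post; it parses constructed samples shaped like the manifest and the netstat output above, and also accepts IPv6 loopback (::1) as localhost.

```python
"""Post-install checks for the non-root GlassFish AMI set up above (added example,
not from the original post): the SMF manifest must run the domain as gf21, and the
admin listener (4848) must be bound to a loopback address only. Inputs are constructed."""
import xml.etree.ElementTree as ET

# Constructed minimal manifest: the method_context part of /opt/gf21/smf-glassfish.xml.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<service_bundle type='manifest' name='glassfish:domain1'>
<service name='application/glassfish/domain1' type='service' version='1'>
<method_context>
<method_credential user='gf21' group='gf21' />
</method_context>
</service>
</service_bundle>"""

# Constructed sample of Solaris 'netstat -an' TCP lines (local socket is <addr>.<port>).
SAMPLE_NETSTAT = """\
*.8080               *.*                0      0 49152      0 LISTEN
*.8181               *.*                0      0 49152      0 LISTEN
127.0.0.1.4848         *.*                0      0 49152      0 LISTEN
*.8686               *.*                0      0 49152      0 LISTEN
"""

def manifest_credentials(manifest_xml):
    """Return (user, group) of the first method_credential, or (None, None)."""
    cred = ET.fromstring(manifest_xml).find(".//method_credential")
    if cred is None:
        return None, None
    return cred.get("user"), cred.get("group")

def runs_as_non_root(manifest_xml):
    """True only when both user and group are set and neither is root."""
    user, group = manifest_credentials(manifest_xml)
    return user not in (None, "root") and group not in (None, "root")

def listeners_for_port(netstat_output, port):
    """Set of local addresses with a LISTEN socket on `port`; '*' means any address."""
    bound = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-1] != "LISTEN":
            continue  # skip headers, blank lines and non-listening sockets
        addr, _, p = fields[0].rpartition(".")  # port follows the last dot
        if p == str(port):
            bound.add(addr)
    return bound

def admin_is_localhost_only(netstat_output, port=4848):
    """Admin port must be listening, and only on a loopback address."""
    bound = listeners_for_port(netstat_output, port)
    return bool(bound) and bound <= {"127.0.0.1", "::1"}
```

Feed it the real manifest and the output of `netstat -an` on the instance; a `*.4848` entry means step 10 did not take effect (for example the domain was not restarted).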

2 Comments »

  1. Cool……………..
    I am loving combination of GlassFish , MySQL and OpenSolaris.

    Comment by Homer Yau — April 30, 2009 @ 11:28 am

  2. Any chance you could post a how-to for enabling clustering for this AMI?

    Comment by Jeff Cybulski — October 13, 2009 @ 12:48 pm

