Remote monitoring of Java processes in K8S using VisualVM and JMX

The original address

How to use Visual VM +JMX to monitor remote Java processes is described in Visual VM and JMX Remote Monitoring and Visual VM SSL Connection to JMX. So how do you monitor a Java process running in a K8S cluster? And the general approach is similar.

Non-SSL JMX connections

With non-SSL JMX connections, there are only a few steps you need to take to get your local VisualVM to connect to Java processes in the K8S cluster.

Step1 Modify Deployment. YAML and add the following System Properties

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.port=1100
-Dcom.sun.management.jmxremote.rmi.port=1100
-Djava.rmi.server.hostname=localhost

Note that – Djava. Rmi. Server. The hostname must be set to localhost

Step2 Modify Deployment. YAML and add Container Port

containers:
- name: ...
  image: ...
  ports:
  - containerPort: 1100
    name: tcp-jmx

Step3 Deployment Deployment

Step4 Use the kubectl forwarding port

kubectl -n <namespace> port-forward <pod-name> 1100

Step5 Start VisualVM and create a JMX connectionlocalhost:1100

SSL JMX connections

To enable SSL JMX connections, there are three additional steps, which are slightly more complicated, assuming that you have created the Java-App and VisualVM KeyStore and TrustStore in the same way that Visual VM uses SSL to connect to JMX.

Step1 Create a Secret includejava-app.keystoreandjava-app.truststore

kubectl -n <namespace> create secret generic jmx-ssl \
  --from-file=java-app.keystore \
  --from-file=java-app.truststore

Step2 Modify Deployment. Yaml to mount the Secret into the container’s/jmx-ssldirectory


 containers:
 - name: ...
   image: ...
   volumeMounts:
   - name: jmx-ssl-vol
     mountPath: /jmx-ssl
 volumes:
 - name: jmx-ssl-vol
   secret:
     secretName: jmx-ssl

Step3 Modify Deployment. YAML and add the following System Properties

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1100
-Dcom.sun.management.jmxremote.rmi.port=1100
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.keyStore=/jmx-ssl/java-app.keystore
-Djavax.net.ssl.keyStorePassword=<keystore password>
-Djavax.net.ssl.trustStore=/jmx-ssl/java-app.truststore
-Djavax.net.ssl.trustStorePassword=<truststore password>
-Djava.rmi.server.hostname=localhost

Note that – Djava. Rmi. Server. The hostname must be set to localhost

Step4 Modify Deployment. YAML and add Container Port

containers:
- name: ...
  image: ...
  ports:
  - containerPort: 1100
    name: tcp-jmx
  ...

Step5 Deployment Deployment

Step6 Use the kubectl forwarding port

kubectl -n <namespace> port-forward <pod-name> 1100

Step7 Start VisualVM and create a JMX connectionlocalhost:1100

jvisualvm -J-Djavax.net.ssl.keyStore=<path to visualvm.keystore> \ - J-Djavax.net.ssl.keyStorePassword= < visualvm. Keystore password > \ - J-Djavax.net.ssl.trustStore= < path to visualvm. Truststore > \ - J-Djavax.net.ssl.trustStorePassword= < visualvm. Truststore password >

K8S sample configuration file

The relevant K8S sample configuration file is here (the Tomcat example).

Remote monitoring of Java processes in K8S using VisualVM and JMX

Non-SSL JMX connections

SSL JMX connections

K8S sample configuration file

Related Posts

Interviewer: How is the ORDER BY order? How to optimize?

< JVM Profiles: Bytecode and Class Loaders > 04- More on class loaders

Practical application of chain of responsibility model