[jboss-as7-dev] Remoting issues
Kabir Khan
kabir.khan at jboss.com
Mon Sep 26 10:38:03 EDT 2011
>From chat discussions I am doing the following for servers, in the order below:
1) Using 2 separate endpoints for our current configuration, i.e.
<management>
<management-interfaces>
<native-interface interface="management" port="9999" />
</management-interfaces>
</management>
gives a 'management' endpoint. If there a remoting subsystem exists, that results in a 'subsystem' endpoint.
2) Ability to choose the subsystem endpoint for management.
Something along the lines of this for a domain mode server which needs an endpoint to connect back to the HC:
<server-group>
<subsystem-management-endpoint/>
</server-group>
This will cause it to use the remoting subsystem endpoint, absense of this will create the management endpoint.
For a standalone server:
<management>
<management-interfaces>
<native-remoting connector="some-remoting-connector" />
</management-interfaces>
</management>
This will not open the management endpoint but use the subsystem one instead. This needs a little bit more thinking to install the correct channel open listener into the connector
3) Better configuration of connectors and channel open listeners in the remoting subsystem
4) Meet with Darran later this week to understand the security stuff a bit better
On 25 Sep 2011, at 12:24, Kabir Khan wrote:
>
> On 23 Sep 2011, at 17:32, Brian Stansberry wrote:
>
>> On 9/23/11 7:18 AM, Kabir Khan wrote:
>>> So:
>>>
>>> 1) HC continues to function the same way as it does at the moment.
>>> 2) For standalone servers we use a remoting-connector attribute to say we want to use a connector from the remoting subsystem, if we use the interface and address we open the endpoint ourselves.
>>> 3) For domain mode servers we use the native management stuff to say we want to use the endpoint from the remoting subsystems. This is slightly different from your
>>>> <server-group name="main-server-group" profile="default">
>>>> <native-management remoting-connector="management"/>
>>>> </server-group>
>>>
>>> since as far as I know domain mode servers don't actually open a management server connection, they connect in to the HC. So something like
>>> <server-group name="main-server-group" profile="default">
>>> <native-management remoting-endpoint="endpoint"/>
>>> </server-group>
>>>
>>
>> I didn't like "name" as the attribute name so I guessed. It should reference whatever the appropriate element is in the remoting subsystem config. Seems the remoting configuration needs to be fleshed out to clarify exactly what it should be.
> Yeah, I'll do that on Monday
>>
>> <native-management remoting-endpoint="endpoint"/> -- I'm not sure what a "remoting-endpoint" is in any of the remoting subsystem config examples I've seen.
>
> The remoting subsystem currently installs an endpoint behind the scenes, so we could just use
> <native-management/>
> which would then pull out the remoting subsystem endpoint
>
>>
>>> Since the channels are named I think they would need to be configured as well under the sockets as mentioned already:
>>>>> <subsystem xmlns="urn:jboss:domain:remoting:1.0"/>
>>>>> <connector socket-binding="remote-management">
>>>>> <security-stuff><security-stuff/>
>>>>> <channel name="server" type="management"/>
>>
>> What does the "type" attribute mean? And are these channels part of the persistent config? Or are they runtime-only resources created when some external service in injects a service that represents the connector and creates a channel?
> For each channel there is a channel listener service which listens on the named channel. Currently that does stuff that understands how to handle the management protocol, so the 'type' parameter is there to be able to handle other kinds of protocols
>>
>>>>> </connector>
>>>>> <connector socket-binding="user">
>>>>> <security-stuff><security-stuff/>
>>>>> <channel name="jndi" type="jndi"/>
>>>>> <channel name="jndi" type="ejb"/>
>>>>> </connector>
>>>>> </subsystem>
>>>
>>>
>>> Security becomes a bit strange as it is currently configured as follows which applies to both the configured management interfaces:
>>> <management>
>>> <security-realms>
>>> SNIP
>>> </security-realms>
>>> <management-interfaces>
>>> <native-interface interface="management" port="9999" />
>>> <http-interface interface="management" port="9990"/>
>>> </management-interfaces>
>>> </management>
>>>
>>> Since security is configured at connector level I'm not sure what to do when we have:
>>> <management>
>>> <security-realms>
>>> SNIP
>>> </security-realms>
>>> <management-interfaces>
>>> <native-remoting-interface remoting-connector="management"/>
>>> <http-interface interface="management" port="9990"/>
>>> </management-interfaces>
>>> </management>
>>> In any case the native one gets whatever the remoting subsystem sets up. So I guess we either leave it as it is, and only apply the security settings from here to http-interface. Or we need to allow the security stuff to be used in the individual management interface entries so we could have:
>>> <management>
>>> <management-interfaces>
>>> <native-interface remoting-connector="management"/>
>>> <http-interface interface="management" port="9990">
>>> <security-realms>
>>> SNIP
>>> </security-realms>
>>> <http-interface>
>>> </management-interfaces>
>>> </management>
>>>
>>
>> Currently, the <security-realms> element defines a set of possibilities and the one one to use is done via an attribute that refers to one by name:
>>
>>
>>
>> <management>
>> <security-realms>
>> <security-realm name="PropertiesMgmtSecurityRealm">
>> ...
>> </security-realm>
>> </security-realms>
>> <management-interfaces>
>> <native-interface interface="management" port="9999"
>> security-realm="PropertiesMgmtSecurityRealm"/>
>> <http-interface interface="management" port="9990"/>
>> </management-interfaces>
>> </management>
>>
>> So there is no need to in-line the security-realm config.
>>
>> How this would work in the case where <native-interface> is pointing to a remoting subsystem resource, I'm not sure. We need to understand how the security aspects of the remoting subsystem configuration are going to work.
>>
>>>
>>> On 22 Sep 2011, at 21:41, Brian Stansberry wrote:
>>>
>>>> Real quick reply:
>>>>
>>>> 1) IMO only having a single remoting socket for both management and
>>>> other uses is A Real Good Thing™. But if there are situations that
>>>> prevent that, I don't think it's terrible.
>>>>
>>>> 2) We need to continue to support AS 7.0-style configs. That to me means
>>>> for cases where that style config is used, we create a separate endpoint.
>>>>
>>>> 3) For a domain mode server, we can't force people to add a remoting
>>>> subsystem in their domain.xml profile. We talked about having the
>>>> HostController generate one, but that will result in the server having a
>>>> profile that does not match what was configured in domain.xml --
>>>> suddenly a bonus subsystem appears. That is no good.
>>>>
>>>> 4) For a domain mode server if the HostController is going to configure
>>>> the server to set up a native management interface that points to the
>>>> remoting subsystem in the profile, it needs to be told how to do so. One
>>>> solution, is, in domain.xml:
>>>>
>>>> <server-group name="main-server-group" profile="default">
>>>> <native-management remoting-connector="management"/>
>>>> </server-group>
>>>>
>>>> In summary, I think reusing the remoting subsystem endpoint is great and
>>>> we should have our standard configs set up that way but there are cases
>>>> where things aren't going to be configured that way.
>>>>
>>>> On 9/22/11 2:19 PM, Kabir Khan wrote:
>>>>> I'm trying to understand the issues in remoting subsystem vs the management usage a bit better before I dig into this. We have 3 ways remoting is set up:
>>>>>
>>>>> 1) Standalone server
>>>>> a) Endpoint is set up when installing the subsystem
>>>>> b) Management is set up and creates a new stream server and channel open listener for ("management") with the endpoint from a) injected
>>>>>
>>>>> 2) Host controller
>>>>> a) Endpoint is set up by the bootstrap
>>>>> b) Bootstrap sets up the management stream server and channel open listeners for (using endpoint from a) injected
>>>>> -"management" - i.e. traffic on the management address
>>>>> -"server" - i.e. traffic from a server
>>>>> -"domain" - if it is the master, to listen to traffic from slaves
>>>>> c) If it is a slave it connects to the master on the "domain" channel
>>>>>
>>>>> 3) Domain mode server
>>>>> a) Endpoint is set up when installing the subsystem
>>>>> b) No management stream server is created
>>>>> c) A channel is opened to the HC using the endpoint from a) on the "server" channel.
>>>>>
>>>>> So, I think the issue is that the core depends on stuff set up by a subsystem? A problem in 3 is that if there is no remoting subsystem no endpoint is created, so communication with HC will not start and we will not get the subsystem config from the HC.
>>>>>
>>>>> Something doesn't feel quite right but I'm not sure what, so I'm throwing out some ideas.
>>>>>
>>>>> The remoting subsystem is quite basic at the moment and the code to set up new connectors is commented out.
>>>>>
>>>>> So maybe we should stick with what we have for HC:
>>>>> <management>
>>>>> <security-realms>
>>>>> SNIP
>>>>> </security-realms>
>>>>> <management-interfaces>
>>>>> <native-interface interface="management" port="9999" />
>>>>> <http-interface interface="management" port="9990"/>
>>>>> </management-interfaces>
>>>>> </management>
>>>>>
>>>>> But for the standalone server case do something like
>>>>>
>>>>> <management>
>>>>> <management-interfaces>
>>>>> <native-channel name="server" />
>>>>> <http-interface interface="management" port="9990">
>>>>> </management-interfaces>
>>>>> </management>
>>>>>
>>>>> <subsystem xmlns="urn:jboss:domain:remoting:1.0"/>
>>>>> <connector socket-binding="remote-management">
>>>>> <security-stuff><security-stuff/>
>>>>> <channel name="server" type="management"/>
>>>>> </connector>
>>>>> <connector socket-binding="user">
>>>>> <security-stuff><security-stuff/>
>>>>> <channel name="jndi" type="jndi"/>
>>>>> <channel name="jndi" type="ejb"/>
>>>>> </connector>
>>>>> </subsystem>
>>>>>
>>>>> Or maybe everything all goes over one socket so
>>>>> <subsystem xmlns="urn:jboss:domain:remoting:1.0"/>
>>>>> <connector socket-binding="remote-management">
>>>>> <security-stuff><security-stuff/>
>>>>> <channel name="server" type="management"/>
>>>>> <channel name="jndi" type="jndi"/>
>>>>> <channel name="jndi" type="ejb"/>
>>>>> </connector>
>>>>> </subsystem>
>>>>>
>>>>> I'm not clear on the security side of this but we now have the http side of it securing itself in one way and the native channel in another, so maybe this is better
>>>>>
>>>>> <management>
>>>>> <management-interfaces>
>>>>> <native-channel name="server" />
>>>>> <http-interface interface="management" port="9990">
>>>>> <security-realms>
>>>>> SNIP
>>>>> </security-realms>
>>>>> </http-interface>
>>>>> </management-interfaces>
>>>>> </management>
>>>>>
>>>>>
>>>>> Or the alternative for the domain mode server is to use two endpoints, one for management installed by the core, and one for other stuff installed by the remoting subsystem.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> jboss-as7-dev mailing list
>>>>> jboss-as7-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>
>>>>
>>>> --
>>>> Brian Stansberry
>>>> Principal Software Engineer
>>>> JBoss by Red Hat
>>>> _______________________________________________
>>>> jboss-as7-dev mailing list
>>>> jboss-as7-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>
>>
>>
>> --
>> Brian Stansberry
>> Principal Software Engineer
>> JBoss by Red Hat
>
>
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
More information about the jboss-as7-dev
mailing list