
Saturday, July 31, 2010

JBoss Performance Tuning

JBoss version EAP-4.3.0.GA_CP03
Configuration production 

Preface

This advice is primarily on how to tune and/or slim JBossAS. The two concepts are orthogonal in most cases. While reducing idle service threads through slimming won't have a large impact on performance, using less memory and resources may allow you to tune other performance aspects. Of course this does reduce startup time. Furthermore, as a general security concept -- remove services you don't use. We will separate the two categories: slimming and tuning. We start by using the production configuration and trimming from there.
Note for those concerned: this advice will make a technically non-J2EE-compliant instance of JBoss, as removing key J2EE services would cause JBoss to fail the TCK. Most performance tuning/administrative tasks done in real-world installations technically fall into this category.

  1. Tune the garbage collector

    • Set -Xms and -Xmx to the same value - This increases predictability by removing the most important sizing decision from the virtual machine.
    • Use server VM - The server JVM is better suited to longer running applications.
      To enable it simply set the -server option on the command line.
    • Turn off distributed gc - Set it to run every 30 minutes at least
      -Dsun.rmi.dgc.client.gcInterval=1800000
      -Dsun.rmi.dgc.server.gcInterval=1800000
    • Turn on parallel gc - If you have multiple processors you can do your garbage collection with multiple threads.
      Use the flag -XX:+UseParallelGC.
    • Don't choose a heap larger than 70% of your OS memory
    • Tune the Heap ratio - The heap ratio specifies how the amount of the total heap will be partitioned between the
      young and the tenured space. For example, setting -XX:NewRatio=3 means that the ratio between the
      young and tenured generation is 1:3
    • -XX:+DisableExplicitGC turns off explicit garbage collection from Java code.
  2. Don't use huge heaps, use a cluster - More JVMs/smaller heaps can outperform fewer JVMs/larger heaps. So instead of huge heaps, use additional server nodes.
    Set up a JBoss cluster and balance work between nodes.

  3. Disable development mode in JBoss Tomcat - Look for the code below in server/production/deploy/jboss-web.deployer/conf/web.xml


    • development - Set this to false to disable the on-access checks for JSP page compilation.
    • modificationTestInterval - If development has to be set to true for any reason (such as dynamic generation of JSPs), setting this to a high value will improve performance a lot.
    • checkInterval - If development is false and checkInterval is greater than zero, background compilations are enabled. checkInterval is the time in seconds between checks to see if a JSP page needs to be recompiled. Default is 0. 
    <servlet>
      <servlet-name>jsp</servlet-name>
      <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>

    Add the following parameters as required

    <init-param>
       <param-name>development</param-name>
       <param-value>false</param-value>
    </init-param>  

  4. Generic Database Connection Pool configuration - Edit server/production/deploy/oracle-ds.xml
    <datasources>
       ....
    
    <!--pooling parameters-->
    <min-pool-size>5</min-pool-size>
    <max-pool-size>100</max-pool-size>
    <blocking-timeout-millis>5000</blocking-timeout-millis> 
    <idle-timeout-minutes>15</idle-timeout-minutes>
    <prepared-statement-cache-size>100</prepared-statement-cache-size>




    • prepared-statement-cache-size: this is the number of prepared statements per connection to be kept open and reused in subsequent requests.
    • Disable the connection debugging
    • increase max size of pools to appropriate level

  5. Deployment Scanner - The deployment scanner scanning every 5 seconds eats up cycles, especially on systems with a slow filesystem. Edit server/production/conf/jboss-service.xml and change the scan period to a larger duration.
    <!-- An mbean for hot deployment/undeployment of archives. --> 
    <mbean code="org.jboss.deployment.scanner.URLDeploymentScanner" 
    name="jboss.deployment:type=DeploymentScanner,flavor=URL">
    ...
    
    
    <attribute name="ScanPeriod">5000</attribute>
    ...
    </mbean> 
  6. Lots of EJB requests? Switch to the PoolInvoker - Open server/production/conf/standardjboss.xml and find the following fragment:

    <invoker-mbean>jboss:service=invoker,type=jrmp</invoker-mbean>

    On JBoss you should find 4 occurrences of it: stateless-rmi-invoker, clustered-stateless-rmi-invoker, stateful-rmi-invoker, entity-rmi-invoker. Now replace this fragment for the desired EJB types:

    <invoker-mbean>jboss:service=invoker,type=pooled</invoker-mbean>

  7. If you are using the Pooled Invoker then you may need to change the MaxPoolSize attribute in the pool configuration. Edit server/production/conf/jboss-service.xml

    <mbean code="org.jboss.invocation.pooled.server.PooledInvoker" 
    name="jboss:service=invoker,type=pooled"> 
    <attribute name="NumAcceptThreads">1</attribute>
    <attribute name="MaxPoolSize">300</attribute>
    <attribute name="ClientMaxPoolSize">300</attribute>
    <attribute name="SocketTimeout">60000</attribute>
    <attribute name="ServerBindAddress">${jboss.bind.address}</attribute>
    <attribute name="ServerBindPort">4445</attribute>
    <attribute name="ClientConnectAddress">${jboss.bind.address}</attribute>
    <attribute name="ClientConnectPort">0</attribute>
    <attribute name="EnableTcpNoDelay">false</attribute>
    <depends optional-attribute-name="TransactionManagerService">
    jboss:service=TransactionManager</depends>
    </mbean> 

  8. JBoss Logging

    * Enable logging to file in the production environment.
    * Disable logging to the console and set the priority to error.
  9. Tune the Operating System - Each operating system sets default tuning parameters differently. For Windows platforms, the default settings are usually sufficient. However, the UNIX and Linux operating systems usually need to be tuned appropriately.

    * Increase default socket send/receive buffer.
    * Optimize MTU.
    * Use Big Memory Pages.

Saturday, March 20, 2010

Securing JBoss Web Console

The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed. To secure the Web Console using a username/password file:
  1. Locate the web-console.war directory in JBoss. This will normally be in <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar directory.  
  2. Edit <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml and uncomment the following security-constraint block


    <!-- A security constraint that restricts access to the HTML JMX console
               to users with the role JBossAdmin. Edit the roles to what you want and
               uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
               secured access to the HTML JMX console. 
           -->
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>HtmlAdaptor</web-resource-name>
           <description>An example security config that only allows users with the
             role JBossAdmin to access the HTML JMX console web application
           </description>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>JBossAdmin</role-name>
         </auth-constraint>
       </security-constraint>
       <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>JBoss JMX Console</realm-name>
       </login-config>
       <security-role>
          <role-name>JBossAdmin</role-name>
       </security-role>
  3. Edit <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-roles.properties and web-console-users.properties, move those files to the <JBOSS Install dir>/server/default/conf/props directory, and change the users and passwords to what you desire. The only change above should be to web-console-users.properties, i.e., set a password.
  4. Edit <JBOSS Install dir>/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml and uncomment the following security-domain block:-

    <jboss-web>
        <!-- Uncomment the security-domain to enable security. You will
             need to edit the htmladaptor login configuration to setup the
             login modules used to authentication users.
        -->
        <security-domain>java:/jaas/web-console</security-domain>
    </jboss-web>
  5. The security domain used by the web-console is declared in the login-config.xml JAAS configuration file, which defines how authentication and authorization are done. Edit <JBOSS Install dir>/server/default/conf/login-config.xml and change the path to web-console-users.properties and web-console-roles.properties as follows (add props/ to the front of the path):

    <module-option name="usersProperties">props/web-console-users.properties</module-option>
    <module-option name="rolesProperties">props/web-console-roles.properties</module-option>

    Securing JBoss jmx-console

    Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.

    The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed. To secure the JMX Console using a username/password file:
    1. Locate the jmx-console.war directory. This will normally be in /server/default/deploy directory.
    2. Edit /server/default/deploy/jmx-console.war/WEB-INF/web.xml and uncomment the following security-constraint block


      <!-- A security constraint that restricts access to the HTML JMX console
           to users with the role JBossAdmin. Edit the roles to what you want and
           uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
           secured access to the HTML JMX console.
      -->
      <security-constraint>
           <web-resource-collection>
             <web-resource-name>HtmlAdaptor</web-resource-name>
             <description>An example security config that only allows users with the
               role JBossAdmin to access the HTML JMX console web application
             </description>
             <url-pattern>/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
             <role-name>JBossAdmin</role-name>
          </auth-constraint>
        </security-constraint>
          <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>JBoss JMX Console</realm-name>
          </login-config>
        <security-role>
          <role-name>JBossAdmin</role-name>
        </security-role> 
      
      
    3. Edit /server/default/conf/props/jmx-console-users.properties (version >=4.0.2) and /server/default/conf/props/jmx-console-roles.properties (version >=4.0.2) and change the users and passwords to what you desire. They will need the JBossAdmin role specified in the web.xml file to run the JMX Console. The only change above should be to jmx-console-users.properties, i.e., set a password.
    4. Edit /server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml and uncomment the following security-domain block:-
      <jboss-web>
               <!-- Uncomment the security-domain to enable security. You will
                 need to edit the htmladaptor login configuration to setup the
                 login modules used to authentication users.
               -->
               <security-domain>java:/jaas/jmx-console</security-domain>
            </jboss-web>




    The security domain used by the jmx-console is declared in the login-config.xml JAAS configuration file, which defines how authentication and authorization are done.
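
A way to verify the outcome of both procedures above (Web Console and jmx-console), added here as an example and not taken from the original post or from JBoss: it parses a console's WEB-INF/web.xml and WEB-INF/jboss-web.xml and reports anything still commented out. It goes one step beyond the steps above by also reporting when `<http-method>` entries narrow the constraint to the listed methods, since a constraint with no `<http-method>` elements applies to every method. The function name `audit_console` and the sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _find_all(root, name):
    # Match on the local name so namespaced (servlet 2.4+) descriptors also work.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_console(web_xml, jboss_web_xml):
    """Return a list of findings; an empty list means no gaps were found."""
    findings = []
    # ElementTree discards XML comments, so a block that was never
    # uncommented is simply absent from the parsed tree.
    web, jboss = ET.fromstring(web_xml), ET.fromstring(jboss_web_xml)
    constraints = _find_all(web, "security-constraint")
    if not constraints:
        findings.append("web.xml: security-constraint missing or commented out")
    for c in constraints:
        if "/*" not in [(e.text or "").strip() for e in _find_all(c, "url-pattern")]:
            findings.append("web.xml: constraint does not cover /*")
        methods = [(e.text or "").strip() for e in _find_all(c, "http-method")]
        if methods:  # listed methods narrow the constraint to those methods only
            findings.append("web.xml: constraint limited to " + ",".join(methods))
        if not _find_all(c, "auth-constraint"):
            findings.append("web.xml: constraint has no auth-constraint")
    if not _find_all(web, "login-config"):
        findings.append("web.xml: login-config missing or commented out")
    domains = [(e.text or "").strip() for e in _find_all(jboss, "security-domain")]
    if not any(domains):
        findings.append("jboss-web.xml: security-domain missing or commented out")
    return findings

# Constructed samples: blocks still commented out, and the state after the steps above.
SHIPPED_WEB = "<web-app><!-- <security-constraint/> --><login-config/></web-app>"
SHIPPED_JBOSS = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"
SECURED_WEB = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
SECURED_JBOSS = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"

if __name__ == "__main__":
    print(audit_console(SHIPPED_WEB, SHIPPED_JBOSS))
    print(audit_console(SECURED_WEB, SECURED_JBOSS))
```

To audit a real deployment, read the two descriptor files from the console's WEB-INF directory and pass their contents to `audit_console`.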