A Thought a Day ...: Kedar Mhaswade's Weblog

Ingredients of a Happy Marriage

Predictive Self Healing in Solaris 10 is a well thought out feature that's ready for prime time.

When Jonathan speaks, industry listens. According to him, if there is some kind of a race for Open Source Software impact on Enterprises, then GlassFish is the front runner .

It would be a surprise if GlassFish had not leveraged the new way of looking at Services support in Solaris (SMF). The stars were so aligned that this marriage could only be a success

Integration of GlassFish with Solaris 10 SMF is one of those features that makes GlassFish unique in terms of ease of use and system level integration. It is something that developers and serious System Administrators alike are going to like.

Recipe for the Impatient

1. Become root. (Remember, you are impatient, it is *not* required that you become root).
2. Create a directory for domains -- mkdir /glassfish/domains
3. Issue the command -- asadmin create-domain --adminport 8080 --instanceport 80 --domaindir /glassfish/domains smfdomain
4. Create a file like "/glassfish/domains/smfdomain/passwordfile" to store your password safely ...
   • #Required by smfdomain's auto startup ...
   • AS_ADMIN_USER=admin
   • AS_ADMIN_PASSWORD=adminadmin
   • AS_ADMIN_MASTERPASSWORD=changeit
   • Create the SMF service for this domain -- use asadmin create-service command as below: asadmin create-service --passwordfile /glassfish/domains/smfdomain/passwordfile /glassfish/domains/smfdomain
   • As instructed in output of above command, administrator now just needs to enable the service using svcadm enable smfdomain .
   • That's it. Your domain, smfdomain is running!
   •  
     
   • Note that the moment the service is put into SMF database, its life cycle will be managed by Solaris 10! So, I am going to go to the extreme here and reboot the machine remotely as I write this blog entry From my desk at home, I can hear machine in my office going down and coming back up again. The initial tries to connect fail as the SMF is bringing up my app server instance.

     

     

     and then ....

     

   • 
     

Like it?

Details of the Seamless Integration

SMF manifest for GlassFish domain is created, it is imported into SMF database and enabled by a single command. Ease of use is the order of the day and GlassFish has acted accordingly.

One more *very* important thing you'd be able to achieve -- if you are not a root user and still want to use the privileged ports (<1024). SMF provides a hook called "net_privaddr" , you'd be able to listen on privileged ports! You can just pass this flag on --serviceproperties on the create-service command line like: create-service --serviceproperties netaddr_priv ...

Yet another important feature of this GlassFish administrative command is that it helps you get there if you make any mistake. Give it a try and you'll agree with what I say. I am sure when you'll try the command you'll run into problems. Please let me know what the error messages say and whether they are helpful to you. I hope they are. If not, file a bug at the GlassFish IssueTracker .

The smf-iteam folks at Sun were immensely helpful when I implemented this feature.

I have not seen such a seamless integration of an Enterprise Server with SMF. You can let me know if I am wrong.

All the rituals for a long lasting marriage have been performed. GlassFish and S10. Long live the marriage!

Deadline for FCS is approaching. So, what are some of the goodies in this build?

There are many and I have a hard time categorizing them.

Well, the most important one is Security Manager is turned OFF by default on GlassFish Server. Although this was in b40, I think I need to highlight it. It seems all the frameworks and popular applications will now run out of the box (at least not fail with the infamous AccessControlException).

A significant change has gone in into setting up the domain/server itself. When you run ant -f setup.xml after exploding the glassfish-image.jar, you will see the following: This means that since you are a developer (well, primarily), you will not be bothered to enter the routine admin user and password for the asadmin commands!

What do you do next?

Start the Domain/Server:

glassfish/bin/asadmin start-domain

This is what you see ...

This is a long time request serviced. You now know your whereabouts. You are going to love this.

There is talk of Java EE 5 Persistence everywhere. To try out your persistence units, what you need to start is the default database called the "Java DB" that is bundled in GlassFish.

When you do "asadmin start-database" (Although a second time -- this is a bug), you see the coordinates of the bundled database! There is no need to go hunt for what version of JDBC driver, JDBC specification etc. is supported. It is *right* there. Now, you deploy your applications you would like to see how your JVM is behaving. But your affinities are already decided. You don't want a GUI. No JConsole (great tool, but I want to show you the power of asadmin). So, all you do is asadmin generate-jvm-report :

First, you start with all the system properties that the JRE has, sorted lexically : Then, on to memory, using asadmin generate-jvm-report --type=memory and more memory But you are interested in how your threads are doing: asadmin generate-jvm-report --type=thread:

and

GlassFish has a concept of a domain. More precisely, it is the administrative domain. At first, it may be perceived a little difficult to understand, especially given that in Java EE paradigm, one is used to servers rather than domains. This is especially true with developers.
This post tries to explain what a GlassFish Domain (domain, henceforth) is, how to use it effectively if you want to quickly deploy your applications to GlassFish and the reasons to call it a domain.

A domain (statically) is an administrative name space. It's a boundary, all GlassFish entities within which are controlled by an administrator or more precisely administrative three tuple (Let's call it Admin 3T). This three tuple is called "admin user, admin password, certificate database password (or master password). If you are a developer, you don't really care about the master password and it defaults to "changeit". This is the password with which your keystore (cacerts.jks) is locked and most of the times, you don't care about this.

This is how your domains look like.

A domain (dynamically) is a Java EE Engine. Thus it is your server, once you have started it. In other words, at run time, a domain = server. Thus, a running domain can host user Java EE applications and can be effectively used as the target for your deployments. For developers, this is what they care about. It is for developers that this gap has been bridged and they can forget about the domain. The defaults are so carefully chosen that you'd never need to know about the fact that you are managing and deploying to a domain!

So, what is that that domain provides on top of behaving like a server? Here is a list of things:

• Domain provides you with a built-in administration capability.
• Domain has multiple system applications predeployed which facilitate the management. Thus the entire admin console
• is available as a system web application. All you need to do it connect to "http://localhost:admin-port(4848)".
• Domain has another system application predeployed to take care of all the asadmin commands. Note that (almost) all the asadmin commands invoke the running domain in
• Domain has an EJB Timer Service already configured to work with. A timer database is also created.
• Domain has a JDBC Connection Pool configured for the EJB timer database.
• Domain has two keyfiles created by default so that one has authentication realms for the security conscious people. All you need to do is create the security mappings in your applications.
• Domain has a default web.xml that decides the default behavior of all deployed web applications.
• Domain has a JMX Connector's Server end so that you can easily connect to the admin infrastructure, using JConsole and browse the MBeans. As you know MBeans are to Administration what EJB's are to Enterprise Computing.

All this is enabled by a simple set of steps:

1. Either you download GlassFish and invoke ant -f setup.xml that creates the so-called fully configured, ready-to-go default domain, OR
2. Explode the GlassFish image and do [glassfish]/bin/asadmin create-domain --adminport 4848 mydomain

All this is great. But how does a developer exploit it?

Simple. Your answer is NetBeans. Just download "The" IDE and do the following:

• Go to the Runtime tab and right click for "Adding a target server".
  See how NetBeans itentifies your default domain, domain1. The port is also identified. This is the administration port. Next, you could provide the user name and password for administration. That's it. This domain is now deployment ready .
• You need to create a web application. Just create it using the intuitive menus in the IDE.
• The IDE is so well integrated with the GlassFish domain/server is that it just allows you to start the GlassFish server in debug mode and debug your application. This is really seamless!
• 
• Here is your application deployed and being tested!

This is how I develop and test my applications. I am a developer. Hope fellow developers find this as easy as I do.

If you are a CLI fan, there are a bunch of intuitive asadmin commands that configure the domain/server.
If you are an ANT fan, there are ANT tasks like sun-appserv-deploy that help you continue to write your build.xml files.
We are planning to integrate asadmin into a scripting language of your choice. You'd have to wait till Mustang releases, though.
I know this sounds easy. But it sounds so because it is so.

Finally, the $1M Question: Why do you call it a domain? Well, the reason lies in more sophisticated Sun Software like Application Server Standard Edition (SE) . When you enter into the real enterprise arena, it is no more a server. It is a bunch of servers (which are also known as app server instances, each of which is a Java EE Engine) that are woven into clusters to impart the coveted high availability. Still, the "Administrative" domain remains the same. You don't have to learn a new concept when you go from one edition of the product to an advanced one. A set of simple rules emerges:

• A Domain is comprised of a set of Instances. A Domain is "bigger" than an Instance.
• Domain has a "dual nature". For a simple case, Domain equals Instance (I tend to relate to the dual nature of electron -- "is it a wave, is it a particle" here ).
  

Thus, it is the best of both the worlds: For developers, a domain is a server. For system administrators, a domain is something that they manage so that an uninterrupted service is provided!

Makes sense to me. How about you? Please let me know ...

Following text pertains to GlassFish App Server and Sun's App server 9.0 Beta.

Learning any Language is a cognitive activity. Language designers have to strive hard to design it such that its constructs are simple.

The idea is simple. You want to manage the GlassFish server and you are a fan of Command Line Interfaces (CLI's). The CLI's can become arbitrarily complex and unless there is an attempt made to ease the administrator's woes, they are going to give in to other sophisticated UI's. It is obvious that CLI's enjoy the so-called "batch-mode" that user community is used to, but that alone should not be a license to make it hard for a normal human being because at some point, the CLI's themselves tend to become "Languages". Examples of this include:

• Just ls the directory (list it).
• Now, cd to where you installed Software.
• Grep for "analysis" in this file.
• ...

GlassFish Administration takes several steps in this direction of making the life of administrators easier. One of the steps is to reduce the number of commands that administrator has to remember or find out. Imagine that administrator needs to configure several elements that are arranged in an abstract hierarchy as shown below.

my-server
    |---- web-engine (name=web-engine, port=88, host=localhost)
	         |---- virtual-server (name=vs1, id=foo.com)
	|---- ejb-engine (name=ejb30, pool-size=40)
	|---- thread-pools (size=32)
	|---- applications
	         |---- app1 (name=petstore, context-root=/pets)
...

The elements have several attributes. The basic operations that are of stereotyped nature are:

• Listing the immediate or all children of a node at any level in the hierarchy
• Getting and setting the attributes of a node at any level in the hierarchy.

These two operations resemble the familiar File System Explorer kind of UI. User wants to see a list of nodes in the hierarchy and also, wants to get/set the attributes of a node of choice.

The GlassFish Administration CLI aka asadmin capitalizes on this observation and delivers a powerful UI in conjuction with two symbols one that is made popular by Java's package names, the '.' and a symbol that matches anything -- the asterisk '*' to denote anything and everything. So, where will you begin?

Obviously, by asking asadmin "What have you got?". And the asterisk is the succint notation to do that! Yes, you got it, the command is:

Voila! Here is curtailed output: (See here for the complete output).

domain.applications
domain.applications.j2ee-application.MEjbApp
domain.applications.j2ee-application.__JWSappclients
...

server.ejb-container
server.ejb-container.ejb-timer-service
server.http-service
...

server.http-service.http-listener.admin-listener
server.http-service.http-listener.http-listener-1
server.http-service.http-listener.http-listener-2
...

server.http-service.virtual-server.__asadmin
server.http-service.virtual-server.server
server.iiop-service
...
server.java-config

...

Thus, this command shows the children in the abstract configuration hierarchy that GlassFish domain is comprised of! Now one can use get and set on a particular node as:

asadmin get server.java-config.*

-- I want to get all the attributes -- now I don't want any nodes because that is the forte of the list command. Here is the output of the get command:

server.java-config.bytecode-preprocessors =
server.java-config.classpath-prefix =
server.java-config.classpath-suffix =
server.java-config.debug-enabled = false
server.java-config.debug-options = -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=
9009
server.java-config.env-classpath-ignored = true
server.java-config.java-home = ${com.sun.aas.javaRoot}
server.java-config.javac-options = -g
server.java-config.jvm-options = -client,-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed,-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy,-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf,-Dsun.rmi.dgc.server.gcInterval=3600000,-Dsun.rmi.dgc.client.gcInterval=3600000,-Xmx512m,-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks,-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks,-Djava.ext.dirs=${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib,-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver,-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder,-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory,-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar,-Dcom.sun.enterprise.taglisteners=jsf-impl.jar,-XX:NewRatio=2
server.java-config.native-library-path-prefix =
server.java-config.native-library-path-suffix =
server.java-config.rmic-options = -iiop -poa -alwaysgenerate -keepgenerated -g
server.java-config.server-classpath =
server.java-config.system-classpath = ${com.sun.aas.installRoot}/lib/appserv-launch.jar

Alternatively, while doing the "set", you just get the full name of the attribute, use the '=' symbol and the value for that attribute. And that's there to it.

Languages are infinite. Their grammars are finite. This is a little language with only 3 powerful constructs -- list, get and set. I am not going to fill more pages describing the each and every dotted name because that's not the purpose of this post. It is just to encourage you to do it. So, download the 9.0 PE Beta , start the server and get-list-set!

And do you know the biggest enabler of this powerful feature? --- Right, it is your (as a user) intuition and logical use of common actions that we associate with some English verbs! No need to read any manual.

There are so many scripts that use these dotted names to configure GlassFish. All these users thank us because we did not make them RTFM and remember a distinct command (e.g. setApplicationScanInterval) for each attribute.

Output of the list command -- your entry point into the dotted names ...

asadmin list "*"

domain.applications
domain.applications.j2ee-application.MEjbApp
domain.applications.j2ee-application.__JWSappclients
domain.applications.j2ee-application.__ejb_container_timer_app
domain.applications.web-module.adminapp
domain.applications.web-module.admingui
domain.resources
domain.resources.jdbc-connection-pool.DerbyPool
domain.resources.jdbc-connection-pool.__CallFlowPool
domain.resources.jdbc-connection-pool.__TimerPool
domain.resources.jdbc-resource.jdbc/__CallFlowPool
domain.resources.jdbc-resource.jdbc/__TimerPool
domain.resources.jdbc-resource.jdbc/__default
server
server.admin-service
server.admin-service.das-config
server.admin-service.jmx-connector.system
server.application-ref.MEjbApp
server.application-ref.__JWSappclients
server.application-ref.__ejb_container_timer_app
server.application-ref.adminapp
server.application-ref.admingui
server.applications
server.applications.j2ee-application.MEjbApp
server.applications.j2ee-application.__JWSappclients
server.applications.j2ee-application.__ejb_container_timer_app
server.applications.web-module.adminapp
server.applications.web-module.admingui
server.diagnostic-service
server.ejb-container
server.ejb-container.ejb-timer-service
server.http-service
server.http-service.access-log
server.http-service.connection-pool
server.http-service.http-file-cache
server.http-service.http-listener.admin-listener
server.http-service.http-listener.http-listener-1
server.http-service.http-listener.http-listener-2
server.http-service.http-protocol
server.http-service.keep-alive
server.http-service.request-processing
server.http-service.virtual-server.__asadmin
server.http-service.virtual-server.server
server.iiop-service
server.iiop-service.iiop-listener.SSL
server.iiop-service.iiop-listener.SSL.ssl
server.iiop-service.iiop-listener.SSL_MUTUALAUTH
server.iiop-service.iiop-listener.SSL_MUTUALAUTH.ssl
server.iiop-service.iiop-listener.orb-listener-1
server.iiop-service.orb
server.java-config
server.jms-service
server.jms-service.jms-host.default_JMS_host
server.log-service
server.log-service.module-log-levels
server.management-rules
server.mdb-container
server.monitoring-service
server.monitoring-service.module-monitoring-levels
server.resource-ref.jdbc/__CallFlowPool
server.resource-ref.jdbc/__TimerPool
server.resource-ref.jdbc/__default
server.resources
server.resources.jdbc-connection-pool.DerbyPool
server.resources.jdbc-connection-pool.__CallFlowPool
server.resources.jdbc-connection-pool.__TimerPool
server.resources.jdbc-resource.jdbc/__CallFlowPool
server.resources.jdbc-resource.jdbc/__TimerPool
server.resources.jdbc-resource.jdbc/__default
server.security-service
server.security-service.audit-module.default
server.security-service.auth-realm.admin-realm
server.security-service.auth-realm.certificate
server.security-service.auth-realm.file
server.security-service.jacc-provider.default
server.security-service.message-security-config.SOAP
server.security-service.message-security-config.SOAP.provider-config.ClientProvider
server.security-service.message-security-config.SOAP.provider-config.ClientProvider.request-policy
server.security-service.message-security-config.SOAP.provider-config.ClientProvider.response-policy
server.security-service.message-security-config.SOAP.provider-config.ServerProvider
server.security-service.message-security-config.SOAP.provider-config.ServerProvider.request-policy
server.security-service.message-security-config.SOAP.provider-config.ServerProvider.response-policy
server.thread-pools
server.thread-pools.thread-pool.thread-pool-1
server.transaction-service
server.web-container

Neat?

See this approved project -- Removal of --password from GlassFish Administration CLI

Stay tuned ...

Starting 19 January 2006, I will be writing about various features of GlassFish Administration. Whereas it is exciting to write about various goodies of GlassFish itself, I will be concentrating on the administration. This should cover the administration command line interface (asadmin), administration GUI, JMX infrastructure, configuration, logging and so on and so forth.

Administrative experience is one of the most significant features of GlassFish. It has a sophisticated command line interface with over 200 consistently defined commands. It also has a state-of-the-art Graphical User Interface. It can fully be managed programmatically using what are called Appserver Management Extensions (AMX). The Administrative infrastructure is based on JMX. The interaction with the Tiger-fame JConsole is smooth. GlassFish also contains a proprietary JSR 160 Connector that works over HTTP and HTTPS. Most of the configuration is stored in a text file in XML format and efforts are on to improve its editing experience. Monitoring is dynamically configurable and there is lots of monitoring data available should you suspect a particular subsystem to malfunction. Call-flow capability has improved the visibility of the internals. It integrates well with Solaris-10's SMF so that the domains get the restartability as specified by SMF.