extension-jvm

command module

v1.1.7 Latest Latest Go to latest Published: Apr 8, 2024 License: MIT Imports: 15 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/steadybit/extension-jvm

Links

Open Source Insights

README ¶

Steadybit extension-jvm

This Steadybit extension provides a jvm instance discovery and the various actions for jvm instances targets.

Learn about the capabilities of this extension in our Reliability Hub.

Configuration

Environment Variable	Helm value	Meaning	Required	Default
`STEADYBIT_EXTENSION_RUNTIME`	`container.runtime`	The container runtime to user either `docker`, `containerd` or `cri-o`. Will be automatically configured if not specified.	yes	(auto)
`STEADYBIT_EXTENSION_SOCKET`	`containerRuntimes.(docker/containerd/cri-o).socket`	The socket used to connect to the container runtime. Will be automatically configured if not specified.	yes	(auto)
`STEADYBIT_EXTENSION_CONTAINERD_NAMESPACE`		The containerd namespace to use.	yes	k8s.io
`STEADYBIT_EXTENSION_RUNC_ROOT`	`containerRuntimes.(docker/containerd/cri-o).runcRoot`	The runc root to use.	yes	(auto)
`STEADYBIT_EXTENSION_RUNC_DEBUG`		Activate debug mode for run.
`STEADYBIT_EXTENSION_JVM_ATTACHMENT_ENABLED`		is jvm attachment enabled	no	true
`STEADYBIT_EXTENSION_JAVA_AGENT_ATTACHMENT_PORT`		java agent attachment port	no	8095
`STEADYBIT_EXTENSION_CONTAINER_ADDRESS`		public ip of the extension	no
`STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES_JVM`	`discovery.attributes.excludes.jvm`	List of Target Attributes which will be excluded during discovery. Checked by key equality and supporting trailing "*"	false

The extension supports all environment variables provided by steadybit/extension-kit.

When installed as linux package this configuration is in/etc/steadybit/extension-jvm.

Needed capabilities

The capabilities needed by this extension are: (which are provided by the helm chart)

SYS_ADMIN
SYS_RESOURCE
SYS_PTRACE
KILL
NET_ADMIN
DAC_OVERRIDE
SETUID
SETGID
AUDIT_WRITE

Needed access to the java process

To be able to discover we need access to the java process. This is done by using the attach mechanism of the JVM. This is a standard mechanism and is used by many other tools. You may see a warning in the logs of the JVM that the extension is attaching to the JVM. This is normal and expected. It will look like this:

WARNING: A Java agent has been loaded dynamically (...javaagent-init.jar)
WARNING: Dynamic loading of agents will be disallowed by default in a future release

To avoid this warning or be able to use this extension in future java releases you can use the -XX:+EnableDynamicAgentLoading flag in your JVM commandline to be able to load the javaagent dynamically.

Installation

Using Helm in Kubernetes

$ helm repo add steadybit-extension-jvm https://steadybit.github.io/extension-jvm
$ helm repo update
$ helm upgrade steadybit-extension-jvm \
    --install \
    --wait \
    --timeout 5m0s \
    --create-namespace \
    --namespace steadybit-extension \
    --set container.runtime=docker \
    steadybit-extension-jvm/steadybit-extension-jvm

Using Docker

docker run \
  --rm \
  -p 8087 \
  --privileged \
  --pid=host \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /run/docker/runtime-runc/moby:/run/docker/runtime-runc/moby\
  -v /sys/fs/cgroup:/sys/fs/cgroup\
  --name steadybit-extension-jvm \
  ghcr.io/steadybit/extension-jvm:latest

Linux Package

Please use our agent-linux.sh script to install the extension on your Linux machine. The script will download the latest version of the extension and install it using the package manager.

Register the extension

Make sure to register the extension at the steadybit platform. Please refer to the documentation for more information.

Anatomy of the extension / Security

We try to limit the needed access needed for the extension to the absolute minimum. So the extension itself can run as a non-root user on a read-only root file-system and will by default if deployed using the provided helm-chart. In order do execute certain actions the extension needs certain capabilities.

discovery / state attacks

For discovery the extension needs access to the container runtime socket.

resource and network attacks

The jvm attachment reuses the target container's linux namespace(s), control group(s) and user. This requires the following capabilities: SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, KILL, NET_ADMIN, DAC_OVERRIDE, SETUID, SETGID, AUDIT_WRITE.

How do I exclude my JVM from the discovery mechanism?

Add the steadybit.agent.disable-jvm-attachment flag to your JVM commandline like in this example:

java -Dsteadybit.agent.disable-jvm-attachment -jar spring-boot-sample.jar --server.port=0

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
config
e2e
extjvm
attachment
attachment/plugin_tracking
attachment/remote_jvm_connections
attack
common
container
container/types
controller
hotspot
hsperf
java_process
jvm
procfs
utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL