Merge pull request #37 from rhuss/35-b-properties

Adapted to latest jolokia-opts changes & added karaf images created by fish-pepper

.gitignore

@@ -1,3 +1 @@
-README-RHEL.md
-.idea
-*.iml
+.DS_Store

java/images.yml

@@ -26,4 +26,4 @@ config:
       lib:
         version:
           maven: "3.3.3-1.el7"
-          jolokia: "1.3.2.redhat-1"
+          jolokia: "1.3.5"

java/images/jboss/Dockerfile

@@ -3,9 +3,9 @@ FROM jboss/base-jdk:8
 ENV MAVEN_VERSION="3.3.3" \
     JOLOKIA_VERSION="1.3.5" \
     PATH=$PATH:"/usr/local/s2i" \
-    AB_JOLOKIA_CONFIG="/opt/jolokia/jolokia.properties" \
+    AB_JOLOKIA_PASSWORD_RANDOM="true" \
     AB_JOLOKIA_AUTH_OPENSHIFT="true" \
-    JAVA_DATA_DIR=/deployments/data
+    JAVA_DATA_DIR="/deployments/data"
 
 # Some version information
 LABEL io.fabric8.s2i.version.maven="3.3.3" \
@@ -26,6 +26,7 @@ RUN echo securerandom.source=file:/dev/urandom >> /usr/lib/jvm/java/jre/lib/secu
 # Add jboss user to the root group
 RUN usermod -g root -G jboss jboss
 
+
 # Download Maven from Apache
 RUN curl https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz | \
     tar -xzf - -C /opt \
@@ -34,26 +35,26 @@ RUN curl https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries
 
 
 # Jolokia agent
-RUN mkdir -p /opt/jolokia \
- && curl http://central.maven.org/maven2/org/jolokia/jolokia-agent-jvm/${JOLOKIA_VERSION}/jolokia-agent-jvm-${JOLOKIA_VERSION}-agent.jar \
+RUN mkdir -p /opt/jolokia/etc \
+ && curl http://central.maven.org/maven2/org/jolokia/jolokia-jvm/1.3.5/jolokia-jvm-1.3.5-agent.jar \
          -o /opt/jolokia/jolokia.jar
 ADD jolokia-opts /opt/jolokia/jolokia-opts
 RUN chmod 444 /opt/jolokia/jolokia.jar \
- && chmod 755 /opt/jolokia/jolokia-opts
+ && chmod 755 /opt/jolokia/jolokia-opts \
+ && chmod 775 /opt/jolokia/etc \
+ && chgrp root /opt/jolokia/etc
 
 EXPOSE 8778
 
-ADD jolokia.properties /opt/jolokia.properties
 
 # S2I scripts + README
 COPY s2i /usr/local/s2i
 RUN chmod 755 /usr/local/s2i/*
 ADD README.md /usr/local/s2i/usage.txt
 
 # Add run script as /opt/run-java/run-java.sh and make it executable
-COPY run-java.sh /opt/run-java/run-java.sh
-COPY java-container-options /opt/run-java/java-container-options
-RUN chmod 755 /opt/run-java/run-java.sh /opt/run-java/java-container-options
+COPY run-java.sh debug-options container-limits java-default-options /opt/run-java/
+RUN chmod 755 /opt/run-java/run-java.sh /opt/run-java/java-default-options /opt/run-java/container-limits /opt/run-java/debug-options
 
 # Adding run-env.sh to set app dir
 COPY run-env.sh /opt/run-java/run-env.sh

java/images/jboss/README.md

@@ -35,16 +35,19 @@ during building and running.
 
 * **AB_JOLOKIA_OFF** : If set disables activation of Joloka (i.e. echos an empty value). By default, Jolokia is enabled.
 * **AB_JOLOKIA_CONFIG** : If set uses this file (including path) as Jolokia JVM agent properties (as described 
-  in Jolokia's [reference manual](http://www.jolokia.org/reference/html/agents.html#agents-jvm)). 
-  By default this is `/opt/jolokia/jolokia.properties`. 
+  in Jolokia's [reference manual](http://www.jolokia.org/reference/html/agents.html#agents-jvm)). If not set, 
+  the `/opt/jolokia/etc/jolokia.properties` will be created using the settings as defined in this document, otherwise
+  the reset of the settings in this document are ignored.
 * **AB_JOLOKIA_HOST** : Host address to bind to (Default: `0.0.0.0`)
 * **AB_JOLOKIA_PORT** : Port to use (Default: `8778`)
-* **AB_JOLOKIA_USER** : User for authentication. By default authentication is switched off.
-* **AB_JOLOKIA_PASSWORD** : Password for authentication. By default authentication is switched off.
+* **AB_JOLOKIA_USER** : User for basic authentication. Defaults to 'jolokia'
+* **AB_JOLOKIA_PASSWORD** : Password for basic authentication. By default authentication is switched off.
+* **AB_JOLOKIA_PASSWORD_RANDOM** : Should a random AB_JOLOKIA_PASSWORD be generated? Generated value will be written to `/opt/jolokia/etc/jolokia.pw`
 * **AB_JOLOKIA_HTTPS** : Switch on secure communication with https. By default self signed server certificates are generated
   if no `serverCert` configuration is given in `AB_JOLOKIA_OPTS`
 * **AB_JOLOKIA_ID** : Agent ID to use (`$HOSTNAME` by default, which is the container id)
-* **AB_JOLOKIA_OPTS**  : Additional options to be appended to the agent opts. They should be given in the format 
+* **AB_JOLOKIA_DISCOVERY_ENABLED** : Enable Jolokia discovery.  Defaults to false.
+* **AB_JOLOKIA_OPTS**  : Additional options to be appended to the agent configuration. They should be given in the format 
   "key=value,key=value,..."
 
 Some options for integration in various environments:

java/images/jboss/container-limits

@@ -0,0 +1,60 @@
+#!/bin/sh
+
+# Detected container limits
+# If found these are exposed as the following environment variables:
+#
+# - CONTAINER_MAX_MEMORY
+# - CONTAINER_CORE_LIMIT
+#
+# This script is meant to be sourced.
+
+ceiling() {
+  awk -vnumber="$1" -vdiv="$2" '
+    function ceiling(x){
+      return x%1 ? int(x)+1 : x
+    }
+    BEGIN{
+      print ceiling(number/div)
+    }
+  '
+}
+
+# Based on the cgroup limits, figure out the max number of core we should utilize
+core_limit() {
+  local cpu_period_file="/sys/fs/cgroup/cpu/cpu.cfs_period_us"
+  local cpu_quota_file="/sys/fs/cgroup/cpu/cpu.cfs_quota_us"
+  if [ -r "${cpu_period_file}" ]; then
+    local cpu_period="$(cat ${cpu_period_file})"
+
+    if [ -r "${cpu_quota_file}" ]; then
+      local cpu_quota="$(cat ${cpu_quota_file})"
+      # cfs_quota_us == -1 --> no restrictions
+      if [ "x$cpu_quota" != "x-1" ]; then
+        ceiling "$cpu_quota" "$cpu_period"
+      fi
+    fi
+  fi
+}
+
+max_memory() {
+  # High number which is the max limit unti which memory is supposed to be
+  # unbounded. 512 TB for now.
+  local max_mem_unbounded="562949953421312"
+  local mem_file="/sys/fs/cgroup/memory/memory.limit_in_bytes"
+  if [ -r "${mem_file}" ]; then
+    local max_mem="$(cat ${mem_file})"
+    if [ ${max_mem} -lt ${max_mem_unbounded} ]; then
+      echo "${max_mem}"
+    fi
+  fi
+}
+
+local limit="$(core_limit)"
+if [ x$limit != x ]; then
+   export CONTAINER_CORE_LIMIT="$limit"
+fi
+
+local max_mem="$(max_memory)"
+if [ x$max_mem != x ]; then
+  export CONTAINER_MAX_MEMORY="$max_mem"
+fi

java/images/jboss/debug-options

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Check for debug options and echo them if enabled. Meant to be included by
+# a run script.
+
+debug_options() {
+  if [ "x${JAVA_ENABLE_DEBUG}" != "x" -o "x${JAVA_DEBUG_ENABLE}" != "x" -o "x${JAVA_DEBUG}" != "x" ]; then
+    local debug_port=${JAVA_DEBUG_PORT:-5005}
+    echo "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=${debug_port}"
+  fi
+}
+
+## Echo options, trimming trailing and multiple spaces
+echo "$(debug_options)" | awk '$1=$1'

java/images/jboss/java-default-options

@@ -0,0 +1,75 @@
+#!/bin/sh
+# =================================================================
+# Detect whether running in a container and set appropriate options
+# for limiting Java VM resources
+#
+# Usage: JAVA_OPTIONS="$(java-container-options.sh)"
+
+# Env Vars respected:
+
+# JAVA_OPTIONS: Checked for already set options
+# JAVA_MAX_MEM_RATIO: Ratio use to calculate a default maximum Memory, in percent.
+#                     E.g. the default value "50" implies that 50% of the Memory
+#                     given to the container is used as the maximum heap memory with
+#                     '-Xmx'. It is a heuristic and should be better backed up with real
+#                     experiments and measurements.
+#                     For a good overviews what tuning options are available -->
+#                             https://youtu.be/Vt4G-pHXfs4
+#                             https://www.youtube.com/watch?v=w1rZOY5gbvk
+#                             https://vimeo.com/album/4133413/video/181900266
+# Also note that heap is only a small portion of the memory used by a JVM. There are lot
+# of other memory areas (metadata, thread, code cache, ...) which addes to the overall
+# size. There is no easy solution for this, 50% seems to be are reasonable compromise.
+# However, when your container gets killed because of an OOM, then you should tune
+# the absolute values
+#
+
+# Check for memory options and calculate a sane default if not given
+max_memory() {
+  # Check whether -Xmx is already given in JAVA_OPTIONS. Then we dont
+  # do anything here
+  if echo "${JAVA_OPTIONS}" | grep -q -- "-Xmx"; then
+    return
+  fi
+
+  # Check if explicitely disabled
+  if [ "x$JAVA_MAX_MEM_RATIO" = "x0" ]; then
+    return
+  fi
+
+  # Check for the 'real memory size' and caluclate mx from a ratio
+  # given (default is 50%)
+  if [ "x$CONTAINER_MAX_MEMORY" != x ]; then
+    local max_mem="${CONTAINER_MAX_MEMORY}"
+    local ratio=${JAVA_MAX_MEM_RATIO:-50}
+    local mx=$(echo "${max_mem} ${ratio} 1048576" | awk '{printf "%d\n" , ($1*$2)/(100*$3) + 0.5}')
+    echo "-Xmx${mx}m"
+  fi
+}
+
+# Switch on diagnostics except when switched off
+diagnostics() {
+  if [ "x$JAVA_DIAGNOSTICS" != "x" ]; then
+    echo "-XX:NativeMemoryTracking=summary -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+UnlockDiagnosticVMOptions"
+  fi
+}
+
+cpu_core_tunning() {
+  local core_limit="${JAVA_CORE_LIMIT}"
+  if [ "x$core_limit" = "x0" ]; then
+    return
+  fi
+
+  if [ "x$CONTAINER_CORE_LIMIT" != x ]; then
+    if [ "x$core_limit" = x ]; then
+      core_limit="${CONTAINER_CORE_LIMIT}"
+    fi
+    echo "-XX:ParallelGCThreads=${core_limit} " \
+         "-XX:ConcGCThreads=${core_limit} " \
+         "-XX:ParallelGCThreads=${core_limit} " \
+         "-Djava.util.concurrent.ForkJoinPool.common.parallelism=${core_limit}"
+  fi
+}
+
+## Echo options, trimming trailing and multiple spaces
+echo "$(max_memory) $(diagnostics) $(cpu_core_tunning)" | awk '$1=$1'

java/images/jboss/jolokia-opts

@@ -1,8 +1,5 @@
 #!/bin/sh
 
-dir=${AB_JOLOKIA_DIR:-/opt/jolokia}
-sep="="
-
 # Check whether a given config is contained in AB_JOLOKIA_OPTS
 is_in_jolokia_opts() {
   local prop=$1
@@ -13,66 +10,83 @@ is_in_jolokia_opts() {
   fi
 }
 
-if [ -z ${AB_JOLOKIA_OFF+x} ]; then
-   opts="-javaagent:$dir/jolokia.jar"
-   config=${AB_JOLOKIA_CONFIG:-$dir/jolokia.properties}
-   if [ -f "$config" ]; then
-      # Configuration takes precedence
-      opts="${opts}${sep}config=${config}"
-      sep=","
-      grep -q -e '^host' ${config} && host_in_config=1
-   fi
-   if [ -z ${AB_JOLOKIA_HOST+x} ] && [ -z ${host_in_config+x} ]; then
-      AB_JOLOKIA_HOST='0.0.0.0'
-   fi
-   if [ -n "$AB_JOLOKIA_HOST" ]; then
-      opts="${opts}${sep}host=${AB_JOLOKIA_HOST}"
-      sep=","
-   fi
-   if [ -n "$AB_JOLOKIA_PORT" ]; then
-      opts="${opts}${sep}port=${AB_JOLOKIA_PORT}"
-      sep=","
-   fi
-   if [ -n "$AB_JOLOKIA_USER" ]; then
-      opts="${opts}${sep}user=${AB_JOLOKIA_USER}"
-      sep=","
-   fi
-   if [ -n "$AB_JOLOKIA_PASSWORD" ]; then
-      opts="${opts}${sep}password=${AB_JOLOKIA_PASSWORD}"
-      sep=","
-   fi
-   if [ -n "$AB_JOLOKIA_HTTPS" ]; then
-      opts="${opts}${sep}protocol=https"
-      use_https=1
-      sep=","
-   fi
-   # Integration with OpenShift client cert auth is enabled
-   # by default if not explicitly turned off by setting to 'false'
-   if [ "x${AB_JOLOKIA_AUTH_OPENSHIFT}" != "xfalse" ] && [ -f "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" ]; then
-      auth_opts="useSslClientAuthentication=true,extraClientCheck=true"
-      if [ -z ${use_https+x} ]; then
-        auth_opts="${auth_opts},protocol=https"
-      fi
-      if [ $(is_in_jolokia_opts "caCert") != "yes" ]; then
-         auth_opts="${auth_opts},caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-      fi
-      if [ $(is_in_jolokia_opts "clientPrincipal") != "yes" ]; then
-         if [  x"${AB_JOLOKIA_AUTH_OPENSHIFT}" != x"${AB_JOLOKIA_AUTH_OPENSHIFT/=/}" ]; then
-            # Supposed to contain a principal name to check
-            auth_opts="${auth_opts},clientPrincipal=`echo ${AB_JOLOKIA_AUTH_OPENSHIFT} | sed -e 's/ /\\\\ /g'`"
-         else
-            auth_opts="${auth_opts},clientPrincipal=cn=system:master-proxy"
-         fi
-      fi
-      opts="${opts}${sep}${auth_opts}"
-      sep=","
-   fi
-   # Add extra opts to the end
-   if [ -n "${AB_JOLOKIA_OPTS}" ]; then
-      opts="${opts}${sep}${AB_JOLOKIA_OPTS}"
-      sep=","
-   fi
-   if [ "x$sep" != 'x=' ] ; then
-     echo ${opts}
-   fi
+get_jolokia_properties() {
+
+  echo "host=${AB_JOLOKIA_HOST:-*}"
+  echo "port=${AB_JOLOKIA_PORT:-8778}"
+  echo "discoveryEnabled=${AB_JOLOKIA_DISCOVERY_ENABLED:=false}"
+
+  if [ -n "$AB_JOLOKIA_PASSWORD" ]; then
+     echo "user=${AB_JOLOKIA_USER:-jolokia}"
+     echo "password=${AB_JOLOKIA_PASSWORD}"
+  fi
+  if [ -n "$AB_JOLOKIA_HTTPS" ]; then
+     echo "protocol=https"
+     use_https=1
+  fi
+
+  # Integration with OpenShift client cert auth is enabled
+  # by default if not explicitly turned off by setting to 'false'
+  if [ "x${AB_JOLOKIA_AUTH_OPENSHIFT}" != "xfalse" ] && [ -f "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" ]; then
+     echo "useSslClientAuthentication=true"
+     echo "extraClientCheck=true"
+
+     if [ -z ${use_https+x} ]; then
+       echo "protocol=https"
+     fi
+     if [ $(is_in_jolokia_opts "caCert") != "yes" ]; then
+        echo "caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+     fi
+
+     if [ $(is_in_jolokia_opts "clientPrincipal") != "yes" ]; then
+        if [  x"${AB_JOLOKIA_AUTH_OPENSHIFT}" != x"${AB_JOLOKIA_AUTH_OPENSHIFT/=/}" ]; then
+           # Supposed to contain a principal name to check
+           echo "clientPrincipal=`echo ${AB_JOLOKIA_AUTH_OPENSHIFT} | sed -e 's/ /\\\\ /g'`"
+        else
+           echo "clientPrincipal=cn=system:master-proxy"
+        fi
+     fi
+  fi
+
+  # Add extra opts
+  if [ -n "${AB_JOLOKIA_OPTS}" ]; then
+     echo "${AB_JOLOKIA_OPTS}" | tr "," "\n"
+  fi
+
+}
+
+write_jolokia_properties() {
+  local jolokia_property_file="$1"
+
+  # Setup Jolokia to accept basic auth, using a randomly generated password that is stored
+  # in the container in the ${DEPLOYMENTS_DIR}/jolokia.pw file.
+  if [ "$AB_JOLOKIA_PASSWORD_RANDOM" == "true" ]; then
+    pw_file="/opt/jolokia/etc/jolokia.pw"
+    if [ -f "${pw_file}" ] ; then
+      AB_JOLOKIA_PASSWORD=`cat "${pw_file}"`
+    else
+      AB_JOLOKIA_PASSWORD=`tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1`
+      touch "${pw_file}"
+      chmod 660 "${pw_file}"
+      cat > "${pw_file}" <<EOF
+$AB_JOLOKIA_PASSWORD
+EOF
+    fi
+    export AB_JOLOKIA_PASSWORD
+  fi
+
+  touch "${jolokia_property_file}"
+  chmod 660 "${jolokia_property_file}"
+  cat > "${jolokia_property_file}" <<EOF
+$(get_jolokia_properties)
+EOF
+
+}
+
+if [ -z "${AB_JOLOKIA_OFF+x}" ]; then
+  if [ -z "${AB_JOLOKIA_CONFIG}" ]; then
+    AB_JOLOKIA_CONFIG="/opt/jolokia/etc/jolokia.properties"
+    write_jolokia_properties "$AB_JOLOKIA_CONFIG"
+  fi
+  echo "-javaagent:/opt/jolokia/jolokia.jar=config=${AB_JOLOKIA_CONFIG}"
 fi