为何在配置JMX时Java打开3个端口？ [英] Why Java opens 3 ports when JMX is configured?

问题描述

我在Centos6上使用JDK7运行我的Java程序。我使用以下选项启用JMX：

I run my Java program with JDK7 on Centos6. I enable JMX using the following options:

JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9123 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=true"

当我检查哪些端口被打开时，我发现了2个额外的随机端口：

When I check what ports are opened I discover 2 additional random ports:

netstat -plunt | grep java
tcp        0      0 :::9123                     :::*                        LISTEN      13295/java
tcp        0      0 :::59927                    :::*                        LISTEN      13295/java
tcp        0      0 :::59928                    :::*                        LISTEN      13295/java

请注意，每次重启仅配置的端口9123保持不变，和另外两个端口更改值。

Please note that each restart only configured port 9123 remains same, and two additional ports change values.

netstat -plunt | grep java
tcp        0      0 :::9123                     :::*                        LISTEN      13331/java
tcp        0      0 :::59932                    :::*                        LISTEN      13331/java
tcp        0      0 :::59933                    :::*                        LISTEN      13331/java

什么是2个额外的端口以及为什么打开它们？

What are 2 additional ports and why they are opened?

如何配置2个额外的随机端口？

How can I configure 2 additional random ports?

如何配置： ：ffff：127.0.0.1 将出现在JMX打开的所有端口之前？

How can I configure ::ffff:127.0.0.1 will appear before all ports opened by JMX?

为什么连接JConsole时不使用一个端口？

Why one port is not used when connecting with JConsole?

已添加以澄清答案

不幸的是，额外的随机端口仍然打开
为了提醒您，我使用Centos 6.
我的Tomcat设置看起来像这样（Tomcat不部署任何应用程序）：

Unfortunately, the additional random port is still opened To remind you, I use Centos 6. My Tomcat settings are look like this (Tomcat does not deploy any applications):

CATALINA_OPTS="${CATALINA_OPTS}  -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=true -Djava.rmi.server.useLocalHostname=true -Djava.rmi.server.useCodebaseOnly=true -Dcom.sun.management.jmxremote.port=9123 -Dcom.sun.management.jmxremote.rmi.port=9123"

Tomcat进程看起来像这样：

Tomcat process looks like this:

/usr/java/jdk1.7.0_51/bin/java -Djava.util.logging.config.file=/usr/tomcat-7.0.47/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=true -Djava.rmi.server.useLocalHostname=true -Djava.rmi.server.useCodebaseOnly=true -Dcom.sun.management.jmxremote.port=9123 -Dcom.sun.management.jmxremote.rmi.port=9123 -Djava.endorsed.dirs=/usr/tomcat-7.0.47/endorsed -classpath /usr/tomcat-7.0.47/bin/bootstrap.jar:/usr/tomcat-7.0.47/bin/tomcat-juli.jar -Dcatalina.base=/usr/tomcat-7.0.47 -Dcatalina.home=/usr/tomcat-7.0.47 -Djava.io.tmpdir=/usr/tomcat-7.0.47/temp org.apache.catalina.startup.Bootstrap start

不幸的是，每当我看到额外的监听端口时：

Unfortunately, each time I see additional listening port:

tcp        0      0 :::38830                    :::*                        LISTEN      790/java
tcp        0      0 ::ffff:127.0.0.1:8080       :::*                        LISTEN      790/java
tcp        0      0 :::9123                     :::*                        LISTEN      790/java

追加运行：

tcp        0      0 ::ffff:127.0.0.1:8080       :::*                        LISTEN      2348/java
tcp        0      0 :::36252                    :::*                        LISTEN      2348/java
tcp        0      0 :::9123                     :::*                        LISTEN      2348/java

BTW，为什么我可以在RMI端口之前看不到 :: ffff：127.0.0.1 ？

BTW, why I can not see ::ffff:127.0.0.1 before RMI ports?

第二次添加澄清评论

它与Tomcat无关。我试图用类似的设置运行ant：
Ant进程如下所示：

It is not related to Tomcat. I have tried to run ant with similar settings: Ant process looks like this:

/usr/bin/java -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=true -Djava.rmi.server.useLocalHostname=true -Djava.rmi.server.useCodebaseOnly=true -Dcom.sun.management.jmxremote.port=9123 -Dcom.sun.management.jmxremote.rmi.port=9123 -classpath /usr/apache-ant-1.9.2/lib/ant-launcher.jar -Dant.home=/usr/apache-ant-1.9.2 -Dant.library.dir=/usr/apache-ant-1.9.2/lib org.apache.tools.ant.launch.Launcher -cp  sleep

不幸的是，每次我看到额外的监听端口：

Unfortunately, each time I see additional listening port:

tcp        0      0 :::41200                    :::*                        LISTEN      13597/java
tcp        0      0 :::9123                     :::*                        LISTEN      13597/java

追加运行：

tcp        0      0 :::58356                    :::*                        LISTEN      13629/java
tcp        0      0 :::9123                     :::*                        LISTEN      13629/java

答：这是Java的错误

我成功打开了Java上的bug：
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8035404

I success to open bug on Java: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8035404

推荐答案

与普遍看法相反，JMX / RMI不需要打开所有这些端口。你实际上可以强制它们相同，这意味着在一天结束时你只需要在防火墙上打一个洞（如果你担心防火墙）。

Contrary to common belief JMX/RMI doesn't need to open all these ports. You can actually force them to be same which will mean that at the end of the day you'll only need to punch one hole in the firewall (if firewall is your concern).

尝试设置系统属性：

com.sun.management.jmxremote.port
com.sun.management.jmxremote.rmi.port

到相同的值!!

明确设置这些将阻止RMI选择随机端口。将它们设置为相同的值将确保它打开更少的端口来监听。

Explicitly setting these will stop RMI from picking random ports. Setting them to the same value will make sure it opens less ports to listen on.

这将在Java 7更新25或更高版本中有效。

This will work in Java 7 update 25 or later.

您看到应用程序打开的第三个端口（如果您遵循我的建议，则为第二个端口）由 Java Attach API 使用。这是JConsole用于连接本地进程的内容。默认情况下，Java Attach API功能自Java 6启用，而不管 com.sun.management.jmxremote 属性。此功能将使用随机端口，但它确实无关紧要，因为该功能仅允许来自主机本身的连接。如果您真的不喜欢此功能，则可以在命令行中添加 -XX：+ DisableAttachMechanism 以禁用Java Attach API功能。然后你将不会再看到在一个随机端口上监听的java进程（在这种情况下是Tomcat）。

The third port that you see opened by your application (or the second if you followed my advice above) is used by the Java Attach API. It is what JConsole uses for connecting to "Local Process". The Java Attach API feature is enabled by default since Java 6 regardless of the com.sun.management.jmxremote property. This feature will use a random port but it really doesn't matter because the feature only allows connections from the host itself. If you really dislike this feature then you can add -XX:+DisableAttachMechanism to the command line to disable the Java Attach API feature. Then you'll no longer see the java process (in this case Tomcat) listening on a random port.

使用自定义应用程序，您将使用 RMIServerSocketFactory 但这是Tomcat所以你必须使用Tomcat的 JMX远程生命周期监听器。

With a custom made application you would use a RMIServerSocketFactory but this is Tomcat so you would have to do it using Tomcat's JMX Remote Lifecycle Listener.

关于另一方面，自Java 7以来你拥有 com.sun.management.jmxremote.local.only 属性并不重要。它确保只有来自主机的连接本身是允许的。请注意，JMX库没有通过绑定到loopback接口来实现这一点，而loopback接口肯定是一种方式，但由于主机可能有多个环回接口，因此也会略有不准确。

On the other hand it doesn't matter now that you have the com.sun.management.jmxremote.local.only property since Java 7. It makes sure that only connections from the host itself are allowed. Mind you that JMX library doesn't achieve this by binding to loopback interface which would certainly be one way of doing it but also slight inaccurate as a host can potentially have several loopback interfaces.

实际上大体上（最近添加了JDK和JMX）我会说Tomcat的 JMX远程生命周期监听器现在是多余的，除非你想要绑定到一些非常奇怪的网络接口。

In fact by and large (with the most recent additions to JDK wrt JMX) I would say that Tomcat's JMX Remote Lifecycle Listener is now redundant except if you want to bind to some really odd network interface.

这篇关于为何在配置JMX时Java打开3个端口？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！