Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable Log4J JMX beans creation in tests to avoid overhead #3753

Merged
merged 1 commit into from
Apr 12, 2024
Merged

Disable Log4J JMX beans creation in tests to avoid overhead #3753

merged 1 commit into from
Apr 12, 2024

Conversation

sdavids
Copy link
Contributor

@sdavids sdavids commented Apr 3, 2024
edited
Loading

Overview

fix #3751

I hereby agree to the terms of the JUnit Contributor License Agreement.

Definition of Done

sormuras
sormuras approved these changes Apr 3, 2024
View reviewed changes
Copy link
Member

@sormuras sormuras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

marcphilipp
marcphilipp reviewed Apr 9, 2024
View reviewed changes
Copy link
Member

@marcphilipp marcphilipp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is a "best practice" from a security perspective, right? If so, we should also document it in the User Guide, shouldn't we?

junit5/documentation/src/docs/asciidoc/user-guide/running-tests.adoc

Lines 243 to 245 in e160aec

test {
systemProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager")
}

@sdavids
Copy link
Contributor Author

sdavids commented Apr 9, 2024

I guess this is a "best practice" from a security perspective, right?

Security, memory footprint, and faster initialization:

https://github.com/apache/logging-log4j2/blob/7b5d23e1403db7a7865da4783dd5cb22b0ddfb93/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/Server.java#L143-L191

https://logging.apache.org/log4j/2.x/manual/jmx.html#enabling-jmx

JMX support is enabled by default

Personally, I would have preferred if the default was off, but I guess for backward compatibility it is on.

If so, we should also document it in the User Guide, shouldn't we?

I could modify the example you quoted to:

a)

test {
    systemProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager")
    // https://logging.apache.org/log4j/2.x/manual/jmx.html#enabling-jmx
    systemProperty("log4j2.disableJmx", "true")
}

b)

test {
    systemProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager")
    // disable log4j2 JMX beans for security reasons
    systemProperty("log4j2.disableJmx", "true")
}

Unfortunately, each framework has its own way of doing so—I am not sure if the "how-to" belongs in the JUnit documentation.

"Someplace" we could add a note that it is a good idea to disable JMX bean creation for:

  • faster tests
  • smaller attack surface while running tests
  • lower memory footprint

As far as I am aware, there is also no official way to turn off JMX functionality on the JVM level.

This was referenced Apr 9, 2024
Closed
Closed
@marcphilipp
Copy link
Member

If so, we should also document it in the User Guide, shouldn't we?

I could modify the example you quoted to:

a)

test {
    systemProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager")
    // https://logging.apache.org/log4j/2.x/manual/jmx.html#enabling-jmx
    systemProperty("log4j2.disableJmx", "true")
}

b)

test {
    systemProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager")
    // disable log4j2 JMX beans for security reasons
    systemProperty("log4j2.disableJmx", "true")
}

Let's go with something generic like this:

test {
    systemProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager")
    // Avoid overhead (see https://logging.apache.org/log4j/2.x/manual/jmx.html#enabling-jmx)
    systemProperty("log4j2.disableJmx", "true")
}

Unfortunately, each framework has its own way of doing so—I am not sure if the "how-to" belongs in the JUnit documentation.

"Someplace" we could add a note that it is a good idea to disable JMX bean creation for:

* faster tests

* smaller attack surface while running tests

* lower memory footprint

As far as I am aware, there is also no official way to turn off JMX functionality on the JVM level.

I think this is outside the scope of the JUnit docs so I'd omit that for now.

marcphilipp
marcphilipp requested changes Apr 10, 2024
View reviewed changes
Copy link
Member

@marcphilipp marcphilipp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see #3753 (comment)

@sdavids
Disable Log4J JMX beans creation in tests
4ca9779 
fix #3751

Signed-off-by: Sebastian Davids <sdavids@gmx.de>
@sdavids
Copy link
Contributor Author

sdavids commented Apr 11, 2024

I have updated this PR.

I will create a PR in the log4j2 repo to disable JMX bean creation by default.

see:
apache/logging-log4j2#2462 (comment)

Depending on the outcome of the other PR we can close or merge this one.

Alternatively, we can merge this one now and I would create a new PR to revert this one, if necessary.

Up to you …

@marcphilipp marcphilipp changed the title Disable Log4J JMX beans creation in tests Disable Log4J JMX beans creation in tests to avoid overhead Apr 12, 2024
@marcphilipp marcphilipp merged commit 718baf6 into junit-team:main Apr 12, 2024
13 checks passed
@marcphilipp
Copy link
Member

Thanks! I decided to rather merge it now than keeping it open. Disabling it by default in Log4J would be a great outcome! 👍

@ppkarwasz ppkarwasz mentioned this pull request Aug 28, 2024
Closed
@sdavids
Copy link
Contributor Author

sdavids commented Sep 10, 2024

https://github.com/apache/logging-log4j2/releases/tag/rel%2F2.24.0

Starting in version 2.24.0, JMX support is disabled by default [...]

@sdavids
Copy link
Contributor Author

sdavids commented Sep 10, 2024
edited
Loading

Should I author a PR reverting this one?

Avoid overhead (see https://logging.apache.org/log4j/2.x/manual/jmx.html#enabling-jmx)

Log4J2 < 2.24.0: Avoid overhead (see https://logging.apache.org/log4j/2.x/manual/jmx.html#enabling-jmx)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sormuras sormuras sormuras approved these changes

@marcphilipp marcphilipp marcphilipp approved these changes

Assignees
No one assigned
Labels
theme: build type: task
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Disable creation of Log4J JMX beans in Gradle test conventions
4 participants
@sdavids @marcphilipp @sormuras @sbrannen