[GR-40463] Add initial support for JMX to Native Image

[roberttoyonaga]

Related issue: #4732

Currently, a native image JMX server can be started and a java client can connect. Methods can be invoked on managed beans remotely. The server will start automatically if JMX is specified at executable runtime (ie. -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.port=9999). JMX should work with password authentication and SSL for both client and server.

To build a native image as a JMX server, use the option --enable-monitoring=jmxserver (or --enable-monitoring=jmxserver,jvmstat to also export JMX connector address to instrumentation buffer so that it can be discovered and read by other JVMs on the same system).
To build as a JMX client, use --enable-monitoring=jmxclient

[christianhaeubl]

Thanks for contributing. I added a few comments.

[christianhaeubl]

The goal is that this works in the same way as the existing management features, such as JFR or jvmstat. For that reason, please annotate all your features with @AutomaticFeature and implement isInConfiguration(...).

The existing management features can be enabled selectively via the API option --enable-monitoring (see VMInspectionOptions). For your new functionality, you can add new values to that option. There were changes in that area recently, so please look at the latest version that is available in master.

[roberttoyonaga]

Ok both the jmx client and server features are now @AutomaticFeature and can be included using --enable-monitoring=jmxclient,jmxserver

[christianhaeubl]

I think that those substitutions are still needed if the JMX support is not included into Native Image.

[roberttoyonaga]

I added them back and also created a new BooleanSupplier: JmxClientNotIncluded. If the JmxClientFeature is not included, then those methods will remain substituted. Is this a good approach? I also did a similar thing for JMXConnectorFactory.connect method.

[christianhaeubl]

JVM_MaxObjectInspectionAge should be easy to implement for the serial GC:

• add a field that holds the timestamp of the last full garbage collection to GCImpl.
• set this field when a full collection finishes (see GCImpl.doCollectOnce)
• add a new method to the classes Heap and HeapImpl so that it is possible to query the new GCImpl field.
• add a substitution for JVM_MaxObjectInspectionAge that calls the new Heap method.

I will take care of the G1-specific implementation once this PR is ready for integration.

[roberttoyonaga]

I implemented your suggestion. However, I am not sure how to substitute JVM_MaxObjectInspectionAge because it is a C function that JNI native method Java_sun_rmi_transport_GC_maxObjectInspectionAge calls. So I have just changed the existing sun.rmi.transport.GC.maxObjectInspectionAge java method substitution. Is this what you meant?

[christianhaeubl]

I suppose this configuration is JDK-specific?

@vjovanov, @christianwimmer : is there any better way to do that? There is quite a lot of configuration in this PR.

[roberttoyonaga]

Yes it is JDK specific

[olpaw]

If a feature requires that much configuration, it is better to use config-*.json files. Combined with https://www.graalvm.org/22.0/reference-manual/native-image/Reflection/#conditional-configuration it should be possible to make sure that the config data is only applied if JMX support is requested.

[olpaw]

If a feature requires that much configuration, it is better to use config-*.json files.

I just realized that unfortunately that does not work in this case because this is not an external Feature thus the META-INF/native-image based approach cannot be used. Sorry for the noise!

[vjovanov]

At the moment I don't see a better way to do this. For the build-time init future programming model changes will help in the future. For reachability metadata, we would need both programming model changes and the JDK modifications.

[fniephaus]

It seems this is causing a build to fail: https://github.com/oracle/graal/actions/runs/3441384844/jobs/5776652403#step:13:1356

Maybe this should use ManagementFactory.getRuntimeMXBean().getInputArguments()?

[roberttoyonaga]

Oh I see! Thanks! I think SubstrateRuntimeMXBean.getInputArguments also uses com.oracle.svm.core.JavaMainWrapper$JavaMainSupport, but it does a check first to see if it's actually available.

[fniephaus]

Right, and you get exactly a SubstrateRuntimeMXBean when you use ManagementFactory.getRuntimeMXBean(). 😉

[fniephaus]

Running the internal gates against e00d0ec now. Would be great to add some tests for this in a follow up PR.

[fniephaus]

When building the native-image driver or the native-image-configure tool, I see:

The following classes have unspecified initialization policy:
com.sun.jmx.remote.util.EnvHelp
com.sun.jmx.mbeanserver.Introspector
java.beans.Introspector
com.sun.jmx.mbeanserver.JavaBeansAccessor
com.sun.jmx.mbeanserver.MXBeanLookup
Error: To fix the error either specify the initialization policy for given classes or set -H:-AssertInitializationSpecifiedForAllClasses
Error: Use -H:+ReportExceptionStackTraces to print stacktrace of underlying exception

If you could work on a fix for that, that'd be great. I'm going to look into implementing getMaxObjectInspectionAge() for the G1 GC.

[roberttoyonaga]

com.sun.jmx.mbeanserver.Introspector
Ok no problem! These errors are with jdk 17 right?

[fniephaus]

These errors are with jdk 17 right?

Yes, that's correct.

[roberttoyonaga]

When building the native-image driver or the native-image-configure tool:
I'm pretty sure I know what the problem is, but I can't seem to reproduce those errors.

[fniephaus]

Try building with:

$ cd substratevm
$ mx --dy /vm --native-images=lib:native-image-agent --extra-image-builder-argument=-H:+AssertInitializationSpecifiedForAllClasses build

This gives me a few more classes:

The following classes have unspecified initialization policy:
com.sun.jmx.mbeanserver.MBeanInstantiator
com.sun.jmx.remote.security.FileLoginModule
com.sun.jmx.remote.internal.ArrayNotificationBuffer
java.beans.Introspector
com.sun.jmx.mbeanserver.Introspector
com.sun.jmx.remote.security.HashedPasswordManager
com.sun.jmx.remote.internal.ServerNotifForwarder
com.sun.jmx.remote.util.EnvHelp
com.sun.jmx.mbeanserver.MXBeanLookup
com.sun.jmx.defaults.JmxProperties
com.sun.jmx.remote.security.JMXPluggableAuthenticator
com.sun.jmx.remote.security.JMXSubjectDomainCombiner
com.sun.jmx.remote.internal.ServerCommunicatorAdmin
com.sun.jmx.mbeanserver.JavaBeansAccessor

[roberttoyonaga]

mx --dy /vm --native-images=lib:native-image-agent --extra-image-builder-argument=-H:+AssertInitializationSpecifiedForAllClasses build

Strangely, building with this and jdk 17, I was still unable to reproduce the error complaining about the unspecified init policies. But I have specified policies for them anyway and pushed the changes.

[fniephaus]

When I build GraalPy, I see the following problem popping up:

Error: Detected a string in the image heap that contains a user directory. This means that file system information from the native image build is persisted and available at image runtime, which is most likely an error.
String that is problematic: sdk/mxbuild/linux-amd64/GRAALVM_7CA0CDF709_JAVA17_STAGE1/graalvm-7ca0cdf709-java17-23.0.0-dev/conf/management/jmxremote.password
Disallowed substring with user directory: sdk/mxbuild/linux-amd64/GRAALVM_7CA0CDF709_JAVA17_STAGE1/graalvm-7ca0cdf709-java17-23.0.0-dev
This check can be disabled using the option -H:-DetectUserDirectoriesInImageHeap
Detailed message:
Trace: Object was reached by
  trying to constant fold static field com.sun.jmx.remote.security.FileLoginModule.DEFAULT_PASSWORD_FILE_NAME
    at com.sun.jmx.remote.security.FileLoginModule.initialize(FileLoginModule.java:197)
  parsing method com.sun.jmx.remote.security.FileLoginModule.initialize(FileLoginModule.java:174) reachable via the parsing context
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:745)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
    at com.oracle.svm.core.jdk.Target_java_security_AccessController.executePrivileged(SecuritySubstitutions.java:147)
    at java.security.AccessController.doPrivileged(AccessController.java:569)
    at com.oracle.svm.core.containers.CgroupUtil.readAllLinesPrivileged(CgroupUtil.java:72)
    at com.oracle.svm.core.containers.CgroupSubsystemFactory.determineType(CgroupSubsystemFactory.java:121)
    at com.oracle.svm.core.containers.CgroupSubsystemFactory.create(CgroupSubsystemFactory.java:50)
    at com.oracle.svm.core.containers.CgroupMetrics.getInstance(CgroupMetrics.java:164)

#5400 may actually fix this already but I still have to verify that.

Nonetheless, I also found more classes with an unspecified initialization policy:

The following classes have unspecified initialization policy:
com.sun.jmx.remote.security.JMXPluggableAuthenticator$FileLoginConfig

com.sun.jmx.mbeanserver.Introspector
com.sun.jmx.mbeanserver.JavaBeansAccessor
com.sun.jmx.mbeanserver.MXBeanLookup
com.sun.jmx.remote.util.EnvHelp
java.beans.Introspector
java.rmi.dgc.VMID
java.rmi.MarshalledObject$MarshalledObjectInputStream
java.rmi.server.LogStream
java.rmi.server.ObjID
java.rmi.server.RemoteServer
java.rmi.server.RMIClassLoader
java.rmi.server.UID
jdk.management.jfr.MBeanUtils
jdk.management.jfr.SettingDescriptorInfo
sun.rmi.registry.RegistryImpl
sun.rmi.runtime.Log
sun.rmi.runtime.Log$LoggerLog
sun.rmi.runtime.Log$LogStreamLog
sun.rmi.runtime.NewThreadAction
sun.rmi.runtime.RuntimeUtil
sun.rmi.server.LoaderHandler
sun.rmi.server.MarshalInputStream
sun.rmi.server.UnicastRef
sun.rmi.server.UnicastRef2
sun.rmi.server.UnicastServerRef
sun.rmi.server.Util
sun.rmi.transport.ConnectionInputStream
sun.rmi.transport.DGCAckHandler
sun.rmi.transport.DGCClient
sun.rmi.transport.DGCImpl
sun.rmi.transport.GC
sun.rmi.transport.ObjectTable
sun.rmi.transport.tcp.TCPChannel
sun.rmi.transport.tcp.TCPEndpoint
sun.rmi.transport.tcp.TCPTransport
sun.rmi.transport.Transport

@roberttoyonaga could you please take care of the missing initialization policies while I try and fix the GraalPy and a couple of other issues?

[roberttoyonaga]

When I build GraalPy, I see the following problem popping up:

@fniephaus It seems like the problem is that, in the JDK code, the pathFileLoginModule.DEFAULT_PASSWORD_FILE_NAME is computed and stored as a static final member. I think this would cause FileLoginModule.DEFAULT_PASSWORD_FILE_NAME to get initialized at build time (due to me specifying build time init for class FileLoginModule), which ends up storing this path computed in hosted mode in the image heap. I changed the initialization policy to runtime, which I think should fix the problem.

Nonetheless, I also found more classes with an unspecified initialization policy:

All of the classes listed there should have already had their initialization policies specified in JmxServerFeature and JmxClientFeature (for jdk 17+). Is it possible any of the tests are using jdk version <17?

I've now updated things such that those classes have their policies specified regardless of jdk version used to build with.

[roberttoyonaga]

Running the internal gates against e00d0ec now. Would be great to add some tests for this in a follow up PR.

I added some tests for JMX locally. Should I include them as part of the PR or is it better to still separate them into a following pull request?

[fniephaus]

Is it possible any of the tests are using jdk version <17?

Yes, we still run some gates against JDK11, although we are winding them down as we speak.

I added some tests for JMX locally. Should I include them as part of the PR or is it better to still separate them into a following pull request?

Tests are always welcome! 🙂

[roberttoyonaga]

Yes, we still run some gates against JDK11, although we are winding them down as we speak.

Ok the initialization policies should now be specified for jdk 11 too.

Tests are always welcome! slightly_smiling_face

Ok I included some tests! :)

[fniephaus]

I changed the initialization policy to runtime, which I think should fix the problem.

Thanks! Now, I only see this again:

The following classes have unspecified initialization policy:
com.sun.jmx.remote.security.JMXPluggableAuthenticator$FileLoginConfig

I'm going to fix this. Our internal CE gate seem to pass, I'm looking into fixes for our EE tests.

[fniephaus]

This was merged via #5596. 🎉