Not working on JBoss EAP 6.0.1 (Update)
Closed this issue · 6 comments
Hi,
I really need to get this working on JBoss EAP 6.0.1.
When I run the following command (have taken out sensitive info..) there isn't any output, its blank and an error isn't generated either.
java -cp /usr/share/jboss-as/modules/org/jboss/as/cli/main/jboss-as-cli-7.1.3.Final-redhat-4.jar:profilecloner.jar org.jboss.tfonteyne.profilecloner.Main --controller=hostname --port=9999 --username=dave --password=**** "/socket-binding-group=full-ha-sockets full-ha-sockets-copy"
or:
java -cp /usr/share/jboss-as/modules/org/jboss/as/cli/main/jboss-as-cli-7.1.3.Final-redhat-4.jar:profilecloner.jar org.jboss.tfonteyne.profilecloner.Main --controller=hostname --port=9999 --username=dave --password=**** "/profile=full-ha full-ha-copy"
I need to be able to clone the Full and Full-HA profile on JBoss EAP 6.0.1.
java -version
java version "1.7.0_65"
Java(TM) SE Runtime Environment (build 1.7.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
Thanks.
It's not a real issue with tool. The reason is that EAP 6.0.0 and 6.0.1 did not ship with 'jboss-cli-client.jar' and need a much longer classpath as the equivalent:
/home/tom/i/eap/601 is my EAP installation directory:
/home/tom/i/eap/601/modules/org/jboss/remoting3/remoting-jmx/main/remoting-jmx-1.0.4.Final-redhat-1.jar:/home/tom/i/eap/601/modules/org/jboss/remoting3/main/jboss-remoting-3.2.14.GA-redhat-1.jar:/home/tom/i/eap/601/modules/org/jboss/logging/main/jboss-logging-3.1.2.GA-redhat-1.jar:/home/tom/i/eap/601/modules/org/jboss/xnio/main/xnio-api-3.0.7.GA-redhat-1.jar:/home/tom/i/eap/601/modules/org/jboss/xnio/nio/main/xnio-nio-3.0.7.GA-redhat-1.jar:/home/tom/i/eap/601/modules/org/jboss/sasl/main/jboss-sasl-1.0.3.Final-redhat-1.jar:/home/tom/i/eap/601/modules/org/jboss/marshalling/main/jboss-marshalling-1.3.15.GA-redhat-1.jar:/home/tom/i/eap/601/modules/org/jboss/marshalling/river/main/jboss-marshalling-river-1.3.15.GA-redhat-1.jar:/home/tom/i/eap/601/modules/org/jboss/as/cli/main/jboss-as-cli-7.1.3.Final-redhat-4.jar:/home/tom/i/eap/601/modules/org/jboss/staxmapper/main/staxmapper-1.1.0.Final-redhat-2.jar:/home/tom/i/eap/601/modules/org/jboss/as/protocol/main/jboss-as-protocol-7.1.3.Final-redhat-4.jar:/home/tom/i/eap/601/modules/org/jboss/dmr/main/jboss-dmr-1.1.1.Final-redhat-2.jar:/home/tom/i/eap/601/modules/org/jboss/as/controller-client/main/jboss-as-controller-client-7.1.3.Final-redhat-4.jar:/home/tom/i/eap/601/modules/org/jboss/threads/main/jboss-threads-2.0.0.GA-redhat-2.jar:/home/tom/i/eap/601/modules/org/jboss/as/controller/main/jboss-as-controller-7.1.3.Final-redhat-4.jar
Basically take a copy of bin/jconsole.sh and replace the last line with:
java -cp
the CLASSPATH will be constructed automatically by the script.
Hi, thanks for your reply - whilst socket cloning works, I am still having issues with profile cloning, please see below:
FYI - jboss home = /usr/share/jboss-as
When trying to clone the full profile:
java -cp $CLASSPATH:/usr/share/jboss-as/bin/profilecloner.jar org.jboss.tfonteyne.profilecloner.Main -c hostname -p 9999 -u dave -p **** /profile=full full-copy
WARN: can't load the config file because JBOSS_HOME environment variable is not set.
WARN: can't load the config file because JBOSS_HOME environment variable is not set.
May 28, 2015 10:52:11 AM org.xnio.Xnio
INFO: XNIO Version 3.0.7.GA-redhat-1
May 28, 2015 10:52:11 AM org.xnio.nio.NioXnio
INFO: XNIO NIO Implementation Version 3.0.7.GA-redhat-1
May 28, 2015 10:52:11 AM org.jboss.remoting3.EndpointImpl
INFO: JBoss Remoting version 3.2.14.GA-redhat-1
java.lang.IllegalArgumentException: Unknown type: PROPERTY
at org.jboss.tfonteyne.profilecloner.GenericCloner.getNode(GenericCloner.java:290)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getList(GenericCloner.java:255)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getNode(GenericCloner.java:288)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getObject(GenericCloner.java:269)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getNode(GenericCloner.java:286)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getList(GenericCloner.java:255)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getNode(GenericCloner.java:288)
at org.jboss.tfonteyne.profilecloner.GenericCloner.handleProperty(GenericCloner.java:201)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getChildResource(GenericCloner.java:112)
at org.jboss.tfonteyne.profilecloner.GenericCloner.handleProperty(GenericCloner.java:229)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getChildResource(GenericCloner.java:112)
at org.jboss.tfonteyne.profilecloner.GenericCloner.handleProperty(GenericCloner.java:229)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getChildResource(GenericCloner.java:112)
at org.jboss.tfonteyne.profilecloner.GenericCloner.handleProperty(GenericCloner.java:229)
at org.jboss.tfonteyne.profilecloner.GenericCloner.getChildResource(GenericCloner.java:159)
at org.jboss.tfonteyne.profilecloner.GenericCloner.copy(GenericCloner.java:75)
at org.jboss.tfonteyne.profilecloner.Main.(Main.java:133)
at org.jboss.tfonteyne.profilecloner.Main.main(Main.java:112)
Successful attempt at cloning full-ha-sockets:
java -cp $CLASSPATH:/usr/share/jboss-as/bin/profilecloner.jar org.jboss.tfonteyne.profilecloner.Main -c hostname -p 9999 -u dave -p **** /socket-binding-group=full-ha-sockets full-ha-sockets-copy
WARN: can't load the config file because JBOSS_HOME environment variable is not set.
WARN: can't load the config file because JBOSS_HOME environment variable is not set.
May 28, 2015 10:50:46 AM org.xnio.Xnio
INFO: XNIO Version 3.0.7.GA-redhat-1
May 28, 2015 10:50:46 AM org.xnio.nio.NioXnio
INFO: XNIO NIO Implementation Version 3.0.7.GA-redhat-1
May 28, 2015 10:50:46 AM org.jboss.remoting3.EndpointImpl
INFO: JBoss Remoting version 3.2.14.GA-redhat-1
batch
/socket-binding-group="full-ha-sockets-copy":add(default-interface="public",name="full-ha-sockets")
/socket-binding-group="full-ha-sockets-copy"/remote-destination-outbound-socket-binding="mail-smtp":add(fixed-source-port="false",host="localhost",port="25")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="ajp":add(fixed-port="false",name="ajp",port="8009")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="http":add(fixed-port="false",name="http",port="8080")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="https":add(fixed-port="false",name="https",port="8443")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="jacorb":add(fixed-port="false",interface="unsecure",name="jacorb",port="3528")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="jacorb-ssl":add(fixed-port="false",interface="unsecure",name="jacorb-ssl",port="3529")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="jgroups-mping":add(fixed-port="false",multicast-address="${jboss.default.multicast.address:230.0.0.4}",multicast-port="45700",name="jgroups-mping",port="0")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="jgroups-tcp":add(fixed-port="false",name="jgroups-tcp",port="7600")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="jgroups-tcp-fd":add(fixed-port="false",name="jgroups-tcp-fd",port="57600")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="jgroups-udp":add(fixed-port="false",multicast-address="${jboss.default.multicast.address:230.0.0.4}",multicast-port="45688",name="jgroups-udp",port="55200")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="jgroups-udp-fd":add(fixed-port="false",name="jgroups-udp-fd",port="54200")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="messaging":add(fixed-port="false",name="messaging",port="5445")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="messaging-group":add(fixed-port="false",multicast-address="${jboss.messaging.group.address:231.7.7.7}",multicast-port="${jboss.messaging.group.port:9876}",name="messaging-group",port="0")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="messaging-throughput":add(fixed-port="false",name="messaging-throughput",port="5455")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="modcluster":add(fixed-port="false",multicast-address="224.0.1.105",multicast-port="23364",name="modcluster",port="0")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="osgi-http":add(fixed-port="false",interface="management",name="osgi-http",port="8090")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="remoting":add(fixed-port="false",name="remoting",port="4447")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="txn-recovery-environment":add(fixed-port="false",name="txn-recovery-environment",port="4712")
/socket-binding-group="full-ha-sockets-copy"/socket-binding="txn-status-manager":add(fixed-port="false",name="txn-status-manager",port="4713")
run-batch
ah... you hit an incompatibility between 6.0/x and 6.1 and higher which I more or less forgot about.
In 6.0.x the "module-options" of a login-module (security subsystem) were rather inflexible. Login modules was a LIST, and the options all together a single OBJECT. Starting in 6.1 this was redone and login-modules was made a proper child resource with the options underneath.
Considering how old 6.0.1 is I have no plan to modify the cloner to support this very old version.
Keep in mind that 6.0.1 still has many known issues (also security issues!!) so upgrading should be a high priority.
workaround is easy: manually removed all "module-option" attributes, run the cloner, then add the options again.
Hi again,
Unfortunately our application vendor mandates on JBoss EAP 6.0.1 and all major development has been against this version. It won't be for another 1-2 years that we are likely to be able to upgrade to a newer version :(.
I take your response as though there is a workaround for 6.0.1, however are you able to give an example of a module-option that you remove to ensure I interpret your statement correctly?
For instance, via jboss-cli in domain mode, going to /profile=full/subsystem=security I see the following:
pwd
/profile=full/subsystem=security
[domain@hostname:9999 subsystem=security] ls
security-domain vault deep-copy-subject-mode=false
Looking in the domain.xml file I can see an examples of lines that have module-option. here is such an entry in the jboss-cli:
pwd
/profile=full/subsystem=security/security-domain=other/authentication=classic
[domain@hostname:9999 authentication=classic] :read-resource
{
"outcome" => "success",
"result" => {"login-modules" => [
{
"code" => "Remoting",
"flag" => "optional",
"module-options" => [("password-stacking" => "useFirstPass")]
},
{
"code" => "RealmDirect",
"flag" => "required",
"module-options" => [("password-stacking" => "useFirstPass")]
}
]}
}
So in the example above, would it just be a case of removing the 2 module-options lines for Remoting and RealmDirect? Or alternatively, did you remove both login-modules completely and re-add them.
I'd be interested in seeing your cli examples.
Thanks again!
yes, for example from the "full" profile you have:
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
Change that manually into:
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
</login-module>
<login-module code="RealmDirect" flag="required">
</login-module>
</authentication>
</security-domain>
and repeat for any other domains you may have added.
Then run the cloner with /profile=full full-copy
and add those options manually back in. Adding them back is best done be editing the xml.
One of the reasons for the 6.1+ change was that your only choice in 6.0 was to add/modify the whole "login-modules" in one go which becomes a horrible CLI command when there are a number of options. If you really need it all in CLI, then start with manually bringing the original config down to:
<security-domain name="other" cache-type="default">
</security-domain>
and add the below to the resulting CLI code immediately after the :add() for the security-domain
/profile=full/subsystem=security/security-domain=other/authentication=classic:write-attribute(name=login-modules, value=[{"code" => "Remoting","flag" => "optional","module-options" => [("password-stacking" => "useFirstPass")] }, {"code" => "RealmDirect","flag" => "required","module-options" => [("password-stacking" => "useFirstPass")]} ] )
You can imagine that for more complicated authentication setups this becomes a bit of a mess to write/read.
Btw, your original statement used -p for port and password. You can only use "-p" for the password. The port option must be the full "--port=9999"
Fantastic!
Pleased to confirm this now works! I've become very accustomed to some of the nuances with the 6.0.1. cli, especially around adding JVM options and as you say, having to add things in one go.
I'll work on a cli to remove the bits in the xml and then use your examples to help me add the options back in.
Appreciate your time and help on this. Certainly looking forward to upgrading to a newer JBoss version at some point in the future.
Fingers crossed the generated batch statements work as well!
Regards,
David.