Author: dsezen

JVM Thread Dump Analysis Notes


Recently I had to dig into JVM thread wait/blocking/locking troubleshooting, and I decided to write down my notes for future reference, for myself and for you! :)

 

Prerequisites:

1. JVM Memory Space: This is divided into the following 3 parts:

1.a Native Heap/Code Cache:  

– Byte Code for JIT

– Native code that has already been converted from Byte Code

– Mmap (memory-mapped) files

1.b PermGen/Metaspace: Beginning with Java 8, this area has no upper limit in order to avoid OutOfMemory errors. The operating system will use the swap area (virtual memory) if the usage goes beyond physical memory.

1.b.i. Size: This is defined by an XX parameter

1.b.ii. Heap Structure: The following are stored under Metaspace:

  • Class Definitions Metadata: Class Name, Object Arrays, Internal Object used by JVM, optimization information
  • Static Member Variables (Variable itself / Object Reference) 

1.c Heap: All objects created at runtime (stateless and stateful), app data and caches are stored in the heap.

1.c.i. Heap Size: Heap size is defined by two parameters:

  • Xms(Initial Memory Allocation) 
  • Xmx(Maximum Memory Allocation) 

1.c.ii. Heap Structure: Heap is divided into following spaces:

  • Young: Divided into 2 parts:

    • Eden: First space used when the object is created.
    • Survivor: The objects that survive GC (Garbage Collection) are stored in the so-called S0/S1 spaces
  • Tenured/OldGen: Objects that reach the max tenuring threshold are moved to this space

Here is the model as a schema:

[Image: JVM_Memory_Model] (Ref. schema)

 

2. Footprint Requirement: This can be estimated by considering the following factors:

  • Number of ear, jar, war files that the single JVM process will handle
  • Number of Java classes to be loaded during runtime
  • Data cache(file, DB …) footprint
  • Number of threads that are allowed to be created

Usually a heap size of 3-4 GB is a starting point.

3. GC (Garbage Collection): Minimizing the GC frequency is a key factor for performance. Concurrent users and requests generate the JVM GC heartbeat. The frequency should be monitored.

4. Young vs Tenured: The typical ratio is 1/3; for example, if you have a 4 GB heap, 1 GB for Young and 3 GB for Tenured is expected. But this is totally dependent on your business rules and traffic patterns.

5. Thread Dump Analyzer: There are various tools that you can use; the ones that I prefer are:

  • https://spotify.github.io/threaddump-analyzer/

  • http://fastthread.io/

Use -XX:+HeapDumpOnOutOfMemoryError in order to create a heap dump in case of an OutOfMemory error.

Here are the most popular focus areas that should be analyzed:

  • Memory Leak
  • Too many open files
  • CPU usage
  • Deadlocks
  • ClassNotFoundException
  • NoClassDefFoundError

As a last experience, there is an interesting jar which triggers a full GC every 300 sec.:

https://github.com/jelastic-jps/payara/tree/master/payara-micro-cluster

That can be considered for applications without strict performance requirements.

Docker Routing Mesh


Routing Mesh is not magic, it just uses ha-proxy inside to route the traffic to the related container.

What is the use-case of Routing Mesh? 

You have plenty of services/apps working on HTTP/HTTPS and you do not want to deal with ports. Routing Mesh simply manages the "virtual hosting".

1. In case you have Docker Datacenter UCP: 

Step1: Enable Routing Mesh

UCP –> Admin Settings –> Routing Mesh –> Enable HTTP Routing Mesh –> Update (I used port 8090 just for test, normally it should be 80)

[Image: ucp_routing_mesh]

Step2: Create a service

UCP –> Resources –> Services –> Create a Service 

Service Name: meshtest

Image Name: nginx:latest

Next –> Resources –> Networks

Choose the network "ucp-hrm"

Next –> Environment

Create a Service Label "com.docker.ucp.mesh.http.80" with value "external_route=http://meshtest,internal_port=80"

[Image: ucp_routingmesh02]

2. In case you just have Docker 1.12+:

Add the following to your docker-compose YAML under the necessary service:

    labels:
      - "com.docker.ucp.mesh.http.80=external_route=http://meshtest,internal_port=80"

 

 

 

Save Settings and it works!

[Image: ucp_routingmesh03]

 

Docker overlay or bridge networks overlapping with the corporate networks problem


During the installation of Docker Engine and UCP(Universal Control Plane), there is a risk that the networks it chooses by default like 172.17.0.0/16, 172.18.0.0/16, 172.19.0.0/16, 172.20.0.0/16 may overlap with your existing LANs in your organization. Although there are some related posts:

https://forums.docker.com/t/dtr-network-overlaps-corporate-lan/22193/2

https://blog.docker.com/2016/03/docker-networking-design-philosophy/

https://github.com/docker/docker.github.io/blob/master/engine/userguide/networking/default_network/build-bridges.md

IMHO they do not provide a practical solution for that particular case…

Besides, there are the following open issues on GitHub:

https://github.com/docker/docker/issues/21776

https://github.com/docker/docker/pull/29376

Here is a workaround that we found, applied, and confirmed working:

  • Before the installation of Docker Engine/UCP, create a virtual interface or extend the netmask of the current interface so that it covers all corporate networks:
ifconfig eth0:0 <yourinternalcorporateIPAddress> netmask <netmask> up
  • After you finalize the Docker Engine, swarm or UCP installation, you will notice that it uses Class A (10.x.x.x/x) or Class C (192.168.x.x/x) networks rather than 172.x.x.x! The Docker installation is smart enough to jump to other network classes.
  • Revert your network interface to its initial state, and that's all!
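
The overlap described above can be checked before installing. The following is an added example, not part of the original post: it tests the four default subnets named in the post against a list of corporate CIDRs. The corporate ranges and the function names are constructed for illustration; the script is plain POSIX sh.

```shell
#!/bin/sh
# Added example: report which Docker default subnets collide with corporate CIDRs.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Print "first last" (as integers) for a CIDR block such as 172.17.0.0/16.
cidr_range() (
  ip=${1%/*}
  len=${1#*/}
  base=$(ip_to_int "$ip")
  if [ "$len" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - $len)) & 4294967295 ))
  fi
  lo=$(( $base & $mask ))
  echo "$lo $(( $lo | ($mask ^ 4294967295) ))"
)

# Exit status 0 if the two CIDR blocks share at least one address.
cidr_overlap() (
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
)

# Print one line per (Docker subnet, corporate CIDR) pair that overlaps.
# $1: space-separated Docker subnets, $2: space-separated corporate CIDRs.
find_conflicts() {
  for d in $1; do
    for c in $2; do
      if cidr_overlap "$d" "$c"; then
        echo "$d overlaps $c"
      fi
    done
  done
}

# Docker defaults as listed in the post.
DOCKER_DEFAULTS="172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 172.20.0.0/16"
# Constructed sample of corporate ranges; replace with your own.
CORP_SAMPLE="172.18.32.0/20 10.40.0.0/16 172.16.0.0/15"

find_conflicts "$DOCKER_DEFAULTS" "$CORP_SAMPLE"
```

With the sample ranges, two of the four defaults are reported: 172.17.0.0/16 falls inside the /15, and 172.18.0.0/16 contains the /20.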

 

“Your engine version 1.12.3 OSS is too old. UCP requires at least version 1.12.1 CS or 1.13.0 OSS” error while installing Docker Datacenter UCP


You need to install the 1.12.1 CS (Commercial Support) version of Docker Engine. On Ubuntu, here is the way to do that:

sudo rpm --import "https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"

curl -s 'https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e' | sudo apt-key add --import

sudo apt-get update && sudo apt-get install apt-transport-https

sudo apt-get install -y linux-image-extra-$(uname -r) linux-image-extra-virtual

echo "deb https://packages.docker.com/1.12/apt/repo ubuntu-trusty main" | sudo tee /etc/apt/sources.list.d/docker.list

sudo apt-get update && sudo apt-get install docker-engine=1.12.1~cs1-0~trusty

docker info

service docker restart

Jenkins quick install guide on CentOS to be used for automated provisioning


You can use the following for Ansible, Docker, ebextensions or any automated provisioning you need. The first command especially saves time; otherwise you have to click "Accept license" in a browser in order to download from Oracle.

# wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u102-b14/jdk-8u102-linux-x64.rpm
# rpm -Uvh jdk-8u102-linux-x64.rpm
# alternatives --install /usr/bin/java java /usr/java/latest/bin/java 200000
# alternatives --install /usr/bin/javac javac /usr/java/latest/bin/javac 200000
# alternatives --install /usr/bin/jar jar /usr/java/latest/bin/jar 200000
export JAVA_HOME="/usr/java/latest/"
# wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
# rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
# yum update -y
# yum install jenkins -y
# systemctl enable jenkins.service
systemctl restart jenkins.service

How Docker helped me to overcome with the development environment headaches


Another typical error happened while I tried to install a new Python module:

Deryas-MacBook-Pro:etugra dsezen$ sudo pip install zeep

The directory '/Users/dsezen/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.

You are using pip version 7.1.0, however version 8.1.2 is available.

You should consider upgrading via the 'pip install --upgrade pip' command.

The directory '/Users/dsezen/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.

Collecting zeep

  Downloading zeep-0.14.0-py2.py3-none-any.whl (65kB)

    100% |████████████████████████████████| 65kB 245kB/s 

Requirement already satisfied (use --upgrade to upgrade): lxml>=3.0.0 in /Library/Python/2.7/site-packages (from zeep)

Requirement already satisfied (use --upgrade to upgrade): pytz in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python (from zeep)

Requirement already satisfied (use --upgrade to upgrade): appdirs>=1.4.0 in /Library/Python/2.7/site-packages (from zeep)

Requirement already satisfied (use --upgrade to upgrade): cached-property>=1.0.0 in /Library/Python/2.7/site-packages (from zeep)

Requirement already satisfied (use --upgrade to upgrade): defusedxml>=0.4.1 in /Library/Python/2.7/site-packages (from zeep)

Collecting six>=1.9.0 (from zeep)

  Downloading six-1.10.0-py2.py3-none-any.whl

Collecting isodate>=0.5.4 (from zeep)

Collecting requests>=2.7.0 (from zeep)

  Downloading requests-2.11.1-py2.py3-none-any.whl (514kB)

    100% |████████████████████████████████| 516kB 283kB/s 

Installing collected packages: six, isodate, requests, zeep

  Found existing installation: six 1.4.1

    DEPRECATION: Uninstalling a distutils installed project (six) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
    Uninstalling six-1.4.1:
Exception:
.
.
.
OSError: [Errno 1] Operation not permitted: '/tmp/pip-zeJjMk-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info'

I just didn't want to dig out whatever the hell the reason was regarding access rights, Python 2.7 vs 3.x awesomeness, and directly injected a Dockerfile and solved the problem right away!

FROM python:3-onbuild
MAINTAINER funkydorian

# Mount point for the source tree (bind-mounted at run time)
RUN mkdir /etugra
VOLUME /etugra
WORKDIR /etugra

# Install at build time: only the last CMD in a Dockerfile takes effect
RUN python -m pip install zeep
ENV  PYTHONPATH .:/usr/local/lib/python3.5

CMD ["python","./etugra.py","secinitd.log"]

Build the image with:

docker build -t etugra .

Run the code whenever I make a change simply by:

docker run -it --rm --name etugra -v "$PWD":/etugra etugra

How to bulk remove unused Docker images


I had many unused images that appeared because of my own fault:


Deryas-MacBook-Pro:etugra dsezen$ docker images

REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE

etugra                      latest              0e0485e9abbf        5 minutes ago       704.1 MB

<none>                      <none>              8a2ffaa937f3        8 minutes ago       704.1 MB

<none>                      <none>              d13dd077234c        9 minutes ago       704.1 MB

<none>                      <none>              017cb8b846b7        17 minutes ago      704.1 MB

<none>                      <none>              f671aaefbeb8        18 minutes ago      704.1 MB

<none>                      <none>              280ea3ac4ae5        44 minutes ago      704.1 MB

<none>                      <none>              97dcf929d414        45 minutes ago      704.1 MB

<none>                      <none>              019bcd4d779e        53 minutes ago      704.1 MB

<none>                      <none>              053a969a5a22        55 minutes ago      704.1 MB

<none>                      <none>              94be3db991db        58 minutes ago      704.1 MB

<none>                      <none>              cd284b979277        59 minutes ago      704.1 MB

<none>                      <none>              56181d2f6edf        59 minutes ago      704.1 MB

<none>                      <none>              a55ec92c3137        About an hour ago   704.1 MB

<none>                      <none>              7e9afad720aa        About an hour ago   704.1 MB

<none>                      <none>              907bbba168bf        About an hour ago   704.1 MB

<none>                      <none>              f42d87e744f6        About an hour ago   704.1 MB

<none>                      <none>              804aa0feedf2        About an hour ago   704.1 MB

<none>                      <none>              1036b6db0f20        About an hour ago   704.1 MB

<none>                      <none>              4868a31676cb        About an hour ago   704.1 MB

<none>                      <none>              7ade30482774        About an hour ago   704.1 MB

<none>                      <none>              353b07a482be        About an hour ago   704.1 MB

<none>                      <none>              d827f90112d1        About an hour ago   704.1 MB

<none>                      <none>              efb1e94f2c4f        About an hour ago   704.1 MB

<none>                      <none>              9e1210fd7d8f        2 hours ago         684.3 MB

<none>                      <none>              63eaa30ce706        2 hours ago         684.3 MB

<none>                      <none>              b89d5acf03e5        2 hours ago         684.3 MB

<none>                      <none>              c9905abf50b8        2 hours ago         709.6 MB

<none>                      <none>              af6393bc4b96        2 hours ago         696.2 MB

<none>                      <none>              4bb0534b3bd0        21 hours ago        675.1 MB

python                      3-onbuild           61bd1f884054        11 days ago         684.3 MB

Seems docker rmi does not accept standard input, so here is the way I found so that you can overcome this:

docker images | awk '$1 == "<none>" {print $3}' > /tmp/dockertmp

for i in $(cat /tmp/dockertmp); do docker rmi "$i"; done

Howto trigger Visual Studio Code from OSX command line


If you also need to trigger Visual Studio Code for creating a new file in the codebase, in my case a Dockerfile, here is the way to do that:

1. Open Visual Studio Code

2. Type ⇧⌘P

3. Type 'Shell command' and choose 'Install code command in PATH'

This simply adds a link to the 'code' binary to the PATH

4. Type the following to initiate a new file:

Deryas-MacBook-Pro:DIGOUT dsezen$ code Dockerfile

k8s Seattle Meetup


Meetup happened at Google Fremont.

Although there were other presentations, I could only attend the following:

1. Aqua: As there are ongoing security concerns regarding Docker/microservices approaches, I see various solutions as a response to that. After my initial bias that Aqua is YADSC (Yet Another Docker Security Scanning), I realized it has other capabilities as well. Besides the CVE scan, it also has

  • Container Inspection which actively checks suspicious behaviour
  • Fingerprint the image from dev to production, preventing spoofing
  • Multiregistry support like ECR, GCR, Quay, JFrog…
  • Anomaly detection on containers
  • Prevent malicious behaviours

The demo of malicious behaviour was a fork bomb

[Image: Fork_bomb]

which is also known-as 

:(){ :|:& };:

If you enter this command on your bash, you will see the effect, no responsibility is accepted:)

@chernymi demonstrated the effect of the fork bomb and the container froze; afterwards we saw that Aqua can handle this anomaly.

2. rktnetes: @wobscale began by explaining what rkt is and how it differs from Docker, going deeper into the Stage1-2-3 approach of rkt.

He continued by pointing out the SPOF of dockerd for <1.11 and containerd for >=1.11

Finally, he started to explain rktnetes, which basically uses rkt as the container runtime.

Some of the benefits can be summarized as

  • There is no daemon running the containers
  • Works with systemd
  • runc is supported:)
  • features/speed competes with kubernetes:

Official release seems to be coming with Kubernetes 1.3

As a summary, Kubernetes is creating its own ecosystem as well. Especially for the ones using GCP, as Google Container Engine is kubernetes, it makes sense to go with.

Kubernetes (a.k.a. k8s) London Meetup


One of my favorite things to do when I visit London is to participate in the SkillsMatter meetups.

This time I was lucky to join the Kubernetes meetup!

Thanks to Google for sponsoring the pizza and beers before the meetup!

There were two separate presentations:

Martin Devlin – Consul&Vault Integration with Kubernetes

Justin Santa Barbara – Kubernetes: Prologue,Present&Predictions

The second one, which was presented by Justin Santa Barbara, was interesting, helped also by the cool presentation skills and positive energy of Justin!

Justin is one of the top committers on the k8s project.

Although various topics were mentioned, I will now focus on some of the upcoming functions of the new releases:

1. Ingress: This can be referred as ingress traffic controller, waiting for L4&L7, so seems totally no need for AWS ELB in the future? 

2. DaemonSets: We can define certain pods to run on all nodes or on some nodes. Use-case of this can be 

  • having NewRelic run on each node (Which is the case for me currently)
  • having a log collection daemon on each node like SumoLogic
  • having a storage daemon like glusterd on each node

3. PetSets: This can be referred to as stateful-application support. Self-healing databases can be a use-case, still trying to dig it out!

The new release 1.3 is expected to be live by the end of June, let's see :)

Here are some pictures from the meetup:

[Images: kubernetes skillsmatter]

© 2017 Derya Sezen
