I have published an article regarding our Dojo approach at kloia: Click here!
Recently I had to dig into JVM thread wait/blocking/locking troubleshooting, and I decided to write down my notes for future reference, for myself and for you! :)
Prerequisites:
1. JVM Memory Space: This is divided to 3 following parts:
1.a Native Heap/Code Cache:
– Byte Code for JIT
– Native code which are already converted from Byte Code
– Mmap(Memory Map) files
1.b PermGen/Metaspace: Beginning from Java 8, this area has no upper limit in order to avoid OutOfMemory errors. The operating system will use the swap area (virtual memory) if the usage goes beyond physical memory.
1.b.i. Size: This is defined by an XX parameter
1.b.ii. Heap Structure: The following are stored under Metaspace:
- Class Definitions Metadata: Class Name, Object Arrays, Internal Object used by JVM, optimization information
- Static Member Variables (Variable itself / Object Reference)
1.c Heap: All objects created at runtime (stateless and stateful), app data, and caches are stored in the heap.
1.c.i. Heap Size: Heap size is defined by two parameters:
- Xms(Initial Memory Allocation)
- Xmx(Maximum Memory Allocation)
1.c.ii. Heap Structure: Heap is divided into following spaces:
Young: Divided into 2 parts:
- Eden: First space used when an object is created.
- Survivor: Objects that survive GC (Garbage Collection) are stored in the so-called S0/S1 spaces.
Tenured/OldGen: Objects that reach the max tenuring threshold are moved to this space.
Here is the model as a schema:
2. Footprint Requirement: This can be calculated considering the following formula:
- Number of ear, jar, war files that the single JVM process will handle
- Number of Java classes to be loaded during runtime
- Data cache(file, DB …) footprint
- Number of threads that are allowed to be created
Usually a heap size of 3-4 GB is a starting point.
3. GC(Garbage Collection): Minimizing the GC frequency is a key factor for performance. Concurrent users and requests generate JVM GC HeartBeat. The frequency should be monitored.
4. Young vs Tenured: The typical ratio is 1/3. For example, with a 4 GB heap, 1 GB for Young and 3 GB for Tenured is expected. But this depends entirely on your business rules and traffic patterns.
5. Thread Dump Analyzer: There are various tools that you can use; the ones that I prefer are:
Use -XX:+HeapDumpOnOutOfMemoryError in order to create a heap dump in case of OutOfMemory.
Here are the most popular focus areas that should be analyzed:
- Memory Leak
- Too many open files
- CPU usage
As a last experience, there is an interesting jar which triggers a full GC every 300 sec.:
That can be considered for applications without performance requirements.
Google recently announced that Chrome will show a "NOT SECURE" alert for websites not running under HTTPS:
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
In case you have a WordPress site, there are 2 main ways to do that:
1- Converting WordPress to HTTPS mode:
1-a: Change the site URL: The siteurl can only be changed from the command line. Find wp-config.php and update it.
1-b: Change the existing http links: Go to the DB and update the links. Besides, in case there are plugins which inject their code separately, you need to find them all. This is very painful!
1-c: Create an SSL certificate and have it verified by a certificate authority.
2- Keeping WordPress as usual and using CloudFlare:
2-a Force HTTPS
2-b Enable HTTPS Rewrite: This is the crucial point. By that, you do not need to edit WordPress http links, as CloudFlare will be replacing them on the fly! (In case you are not under HSTS, it will not replace image links)
2-c Now you should see that links except images are not converted on the fly. Go to https://hstspreload.org and register your domain for HSTS.
**** Be careful! All subdomains and subsubdomains from now on should work under https! ****
Here is my latest kloia blog post:
Here is my post on kloia blog:
Routing Mesh is not magic, it just uses ha-proxy inside to route the traffic to the related container.
What is the use-case of Routing Mesh?
You have plenty of services/apps working on HTTP/HTTPS and you do not want to deal with ports. Routing Mesh simply manages the "Virtual Hosting".
1. In case you have Docker Datacenter UCP:
Step1: Enable Routing Mesh
UCP –> Admin Settings –> Routing Mesh –> Enable HTTP Routing Mesh –> Update (I used port 8090 just for test, normally it should be 80)
Step2: Create a service
UCP –> Resources –> Services –> Create a Service
Service Name: meshtest
Image Name: nginx:latest
Next –> Resources –> Networks
Choose the network "ucp-hrm"
Next –> Environment
Create a Service Label "com.docker.ucp.mesh.http.80" with label "external_route=http://meshtest,internal_port=80"
2. In case you just have Docker 1.12+:
Add the following to your docker-compose YAML under the necessary service:
Save Settings and it works!
During the installation of Docker Engine and UCP(Universal Control Plane), there is a risk that the networks it chooses by default like 172.17.0.0/16, 172.18.0.0/16, 172.19.0.0/16, 172.20.0.0/16 may overlap with your existing LANs in your organization. Although there are some related posts:
IMHO they do not provide a practical solution for that particular case…
Besides, there are the following open issues on GitHub:
Here is a workaround that we found, applied, and confirmed working:
- Before the installation of Docker Engine/UCP, create a virtual interface or extend the netmask of the current interface so that it covers all corporate networks:
ifconfig eth0:0 <yourinternalcorporateIPAddress> netmask <netmask> up
- After you finalize the Docker Engine, swarm or UCP installation, you will notice that it uses Class A (10.x.x.x/x) or Class C (192.168.x.x/x) rather than 172.x.x.x !!!! The Docker installation is smart enough to jump to other network classes.
- Revert your network interface to its initial state and that's all!!
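To see in advance whether the default ranges named above collide with your LANs, a pre-install check can compare them against your corporate CIDRs. This is an added example, not part of the original post; the corporate ranges in it are constructed placeholders and the function names are illustrative.

```python
import ipaddress

# Docker default ranges named in the text above
DOCKER_DEFAULTS = ("172.17.0.0/16", "172.18.0.0/16", "172.19.0.0/16", "172.20.0.0/16")

def to_network(cidr):
    # strict=False also accepts an interface address such as 172.18.5.1/16
    return ipaddress.ip_network(cidr, strict=False)

def find_overlaps(corporate_cidrs, docker_cidrs=DOCKER_DEFAULTS):
    """Return (docker_net, corporate_net) pairs whose address ranges collide."""
    hits = []
    for d in map(to_network, docker_cidrs):
        for c in map(to_network, corporate_cidrs):
            # Only compare like with like (IPv4 vs IPv4, IPv6 vs IPv6)
            if d.version == c.version and d.overlaps(c):
                hits.append((str(d), str(c)))
    return hits

def safe_defaults(corporate_cidrs, docker_cidrs=DOCKER_DEFAULTS):
    """Return the Docker ranges that collide with none of the corporate networks."""
    taken = {d for d, _ in find_overlaps(corporate_cidrs, docker_cidrs)}
    return [str(to_network(d)) for d in docker_cidrs if str(to_network(d)) not in taken]

if __name__ == "__main__":
    # Constructed corporate ranges, for illustration only
    corporate = ["10.0.0.0/8", "172.18.5.1/16", "172.20.128.0/17"]
    for docker_net, corp_net in find_overlaps(corporate):
        print("overlap:", docker_net, "<->", corp_net)
    print("collision-free defaults:", safe_defaults(corporate))
```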
You need to install the 1.21.1 CS (Commercial Support) version of the Docker Engine. On Ubuntu, here is the way to do that:
sudo rpm --import "https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"
curl -s 'https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e' | sudo apt-key add --import
sudo apt-get update && sudo apt-get install apt-transport-https
sudo apt-get install -y linux-image-extra-$(uname -r) linux-image-extra-virtual
echo "deb https://packages.docker.com/1.12/apt/repo ubuntu-trusty main" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update && sudo apt-get install docker-engine=1.12.1~cs1-0~trusty
service docker restart
You can use the following for Ansible, Docker, ebextensions or any automated provisioning you need. The first command especially saves time; otherwise you have to click on "Accept license" in the browser in order to download from Oracle…
# wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u102-b14/jdk-8u102-linux-x64.rpm
# rpm -Uvh jdk-8u102-linux-x64.rpm
# alternatives --install /usr/bin/java java /usr/java/latest/bin/java 200000
# alternatives --install /usr/bin/javac javac /usr/java/latest/bin/javac 200000
# alternatives --install /usr/bin/jar jar /usr/java/latest/bin/jar 200000
# export JAVA_HOME="/usr/java/latest/"
# wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
# rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
# yum update -y
# yum install jenkins -y
# systemctl enable jenkins.service
# systemctl restart jenkins.service
Another typical error happened while I was trying to install a new Python module:
Deryas-MacBook-Pro:etugra dsezen$ sudo pip install zeep
The directory '/Users/dsezen/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
You are using pip version 7.1.0, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
The directory '/Users/dsezen/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting zeep
  Downloading zeep-0.14.0-py2.py3-none-any.whl (65kB)
    100% |████████████████████████████████| 65kB 245kB/s
Requirement already satisfied (use --upgrade to upgrade): lxml>=3.0.0 in /Library/Python/2.7/site-packages (from zeep)
Requirement already satisfied (use --upgrade to upgrade): pytz in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python (from zeep)
Requirement already satisfied (use --upgrade to upgrade): appdirs>=1.4.0 in /Library/Python/2.7/site-packages (from zeep)
Requirement already satisfied (use --upgrade to upgrade): cached-property>=1.0.0 in /Library/Python/2.7/site-packages (from zeep)
Requirement already satisfied (use --upgrade to upgrade): defusedxml>=0.4.1 in /Library/Python/2.7/site-packages (from zeep)
Collecting six>=1.9.0 (from zeep)
  Downloading six-1.10.0-py2.py3-none-any.whl
Collecting isodate>=0.5.4 (from zeep)
Collecting requests>=2.7.0 (from zeep)
  Downloading requests-2.11.1-py2.py3-none-any.whl (514kB)
    100% |████████████████████████████████| 516kB 283kB/s
Installing collected packages: six, isodate, requests, zeep
  Found existing installation: six 1.4.1
    DEPRECATION: Uninstalling a distutils installed project (six) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
    Uninstalling six-1.4.1:
Exception:
. . .
OSError: [Errno 1] Operation not permitted: '/tmp/pip-zeJjMk-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info'
I just didn't want to dig out whatever the hell the reason was regarding access rights or Python 2.7 vs 3.x awesomeness, so I directly dropped in a Dockerfile and solved the problem right away!
FROM python:3-onbuild
MAINTAINER funkydorian
RUN mkdir /etugra
VOLUME /etugra
WORKDIR /etugra
# RUN, not CMD: only the last CMD in a Dockerfile takes effect, so the install must happen at build time
RUN python -m pip install zeep
ENV PYTHONPATH .:/usr/local/lib/python3.5
# Default command: run the script against the log file
CMD ["python","./etugra.py","secinitd.log"]
Build the image with:
docker build -t etugra .
Run the code whenever I make a change simply by:
docker run -it --rm --name etugra -v $PWD:/etugra etugra