Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/steadybit/extension-jvm
A Steadybit extension for jvm applications based actions (discovery / attacks)
https://github.com/steadybit/extension-jvm
attack chaos-engineering discovery fault helm java jvm kubernetes process
Last synced: 5 days ago
JSON representation
A Steadybit extension for jvm applications based actions (discovery / attacks)
- Host: GitHub
- URL: https://github.com/steadybit/extension-jvm
- Owner: steadybit
- License: mit
- Created: 2023-06-02T12:15:21.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-01-20T15:07:30.000Z (22 days ago)
- Last Synced: 2025-01-29T05:32:35.119Z (13 days ago)
- Topics: attack, chaos-engineering, discovery, fault, helm, java, jvm, kubernetes, process
- Language: Java
- Homepage: https://hub.steadybit.com/extension/com.steadybit.extension_jvm
- Size: 1.64 MB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
README
# Steadybit extension-jvm
This [Steadybit](https://www.steadybit.com/) extension provides a JVM instance discovery and the various actions for JVM
instances targets.
Learn about the capabilities of this extension in
our [Reliability Hub](https://hub.steadybit.com/extension/com.steadybit.extension_jvm).
## Configuration
| Environment Variable | Helm value | Meaning | Required | Default |
|---------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------|---------|
| `STEADYBIT_EXTENSION_RUNTIME` | `container.runtime` | The container runtime to user either `docker`, `containerd` or `cri-o`. Will be automatically configured if not specified. | yes | (auto) |
| `STEADYBIT_EXTENSION_SOCKET` | `containerRuntimes.(docker/containerd/cri-o).socket` | The socket used to connect to the container runtime. Will be automatically configured if not specified. | yes | (auto) |
| `STEADYBIT_EXTENSION_CONTAINERD_NAMESPACE` | | The containerd namespace to use. | yes | k8s.io |
| `STEADYBIT_EXTENSION_RUNC_ROOT` | `containerRuntimes.(docker/containerd/cri-o).runcRoot` | The runc root to use. | yes | (auto) |
| `STEADYBIT_EXTENSION_RUNC_DEBUG` | | Activate debug mode for run. | | |
| `STEADYBIT_EXTENSION_JVM_ATTACHMENT_ENABLED` | | is jvm attachment enabled | no | true |
| `STEADYBIT_EXTENSION_JAVA_AGENT_ATTACHMENT_PORT` | | java agent attachment port | no | 8095 |
| `STEADYBIT_EXTENSION_CONTAINER_ADDRESS` | | public ip of the extension | no | |
| `STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES_JVM` | `discovery.attributes.excludes.jvm` | List of Target Attributes which will be excluded during discovery. Checked by key equality and supporting trailing "*" | false | |
The extension supports all environment variables provided
by [steadybit/extension-kit](https://github.com/steadybit/extension-kit#environment-variables).
When installed as linux package this configuration is in`/etc/steadybit/extension-jvm`.
## Needed capabilities
The capabilities needed by this extension are: (which are provided by the helm chart)
- `SYS_ADMIN`
- `SYS_RESOURCE`
- `SYS_PTRACE`
- `KILL`
- `NET_ADMIN`
- `DAC_OVERRIDE`
- `SETUID`
- `SETGID`
- `AUDIT_WRITE`
## Needed access to the java process
To be able to discover we need access to the java process. This is done by using the `attach` mechanism of the JVM. This
is a standard mechanism and is used by many other tools.
You may see a warning in the logs of the JVM that the extension is attaching to the JVM. This is normal and expected.
It will look like this:
```
WARNING: A Java agent has been loaded dynamically (...javaagent-init.jar)
WARNING: Dynamic loading of agents will be disallowed by default in a future release
```
To avoid this warning or be able to use this extension in future java releases you can use the
`-XX:+EnableDynamicAgentLoading` flag in your JVM commandline to be able to load the javaagent dynamically.
## Needed configuration for Spring Boot
In order to discover the spring boot applications correctly you need to enable some JMX beans and set an application name.
Add these to your `application.properties`:
```properties
spring.application.name=my-application-name
spring.jmx.enabled=true
management.endpoints.jmx.exposure.include=beans,mappings
```
## Installation
### Kubernetes
Detailed information about agent and extension installation in kubernetes can also be found in
our [documentation](https://docs.steadybit.com/install-and-configure/install-agent/install-on-kubernetes).
#### Recommended (via agent helm chart)
All extensions provide a helm chart that is also integrated in the
[helm-chart](https://github.com/steadybit/helm-charts/tree/main/charts/steadybit-agent) of the agent.
The extension is installed by default when you install the agent.
You can provide additional values to configure this extension.
```
--set extension-jvm.container.runtime={{YOUR-CONTAINER-RUNTIME}} \
```
Additional configuration options can be found in
the [helm-chart](https://github.com/steadybit/extension-jvm/blob/main/charts/steadybit-extension-jvm/values.yaml) of the
extension.
#### Alternative (via own helm chart)
If you need more control, you can install the extension via its
dedicated [helm-chart](https://github.com/steadybit/extension-jvm/blob/main/charts/steadybit-extension-jvm).
```bash
helm repo add steadybit-extension-jvm https://steadybit.github.io/extension-jvm
helm repo update
helm upgrade steadybit-extension-jvm \
--install \
--wait \
--timeout 5m0s \
--create-namespace \
--namespace steadybit-agent \
--set container.runtime=docker \
steadybit-extension-jvm/steadybit-extension-jvm
```
### Linux Package
Please use
our [agent-linux.sh script](https://docs.steadybit.com/install-and-configure/install-agent/install-on-linux-hosts)
to install the extension on your Linux machine. The script will download the latest version of the extension and install
it using the package manager.
After installing, configure the extension by editing `/etc/steadybit/extension-jvm` and then restart the service.
## Extension registration
Make sure that the extension is registered with the agent. In most cases this is done automatically. Please refer to
the [documentation](https://docs.steadybit.com/install-and-configure/install-agent/extension-registration) for more
information about extension registration and how to verify.
## Anatomy of the extension / Security
We try to limit the access needed for the extension to the absolute minimum. So the extension itself can run as a
non-root user on a read-only root file-system and will, by default, if deployed using the provided helm chart.
In order to execute certain actions the extension needs extended capabilities, see details below.
### Discovery / state attacks
For discovery the extension needs access to the container runtime socket.
### Resource and network attacks
To `attach` to the target JVM the extension starts an attachment process in the target's linux namespace(s),
control group(s), using the root user (`uid=0`, `gid=0`). This process is short-lived and terminates after attachment.
This requires the following capabilities:
`SYS_ADMIN`, `SYS_RESOURCE`, `SYS_PTRACE`, `KILL`, `NET_ADMIN`, `DAC_OVERRIDE`, `SETUID`, `SETGID`, `AUDIT_WRITE`
## FAQ
#### How do I exclude my JVM from the discovery mechanism?
Add the `steadybit.agent.disable-jvm-attachment` flag to your JVM commandline like in this example:
```
java -Dsteadybit.agent.disable-jvm-attachment -jar spring-boot-sample.jar --server.port=0
```