Allow remote connections again when running in agent mode

[eidottermihi]

The change in #675 breaks my use case (=case 4 as discussed in #673 ), where ActiveMQ Artemis is monitored via Java Agent but with specified jmxUrl or hostPort.

Since 0.17.0 this is no longer possible:

SEVERE [io.prometheus.jmx.JmxCollector] Configuration error: When running jmx_exporter as a Java agent, you must not configure 'jmxUrl' or 'hostPort' because you don't want to monitor a remote JVM.

ActiveMQ Artemis uses a management.xml by default, which restricts access to certain MBeans (see https://activemq.apache.org/components/artemis/documentation/latest/management ).
Therefore, it is necessary to connect "remotely" via JMX to be able to provide a username and password, altough running in agent mode:

jmxUrl: service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
username: aUsername
password: aPassword

I had to downgrade to 0.16.1 to still be able to monitor ActiveMQ Artemis.

[dhoard]

I feel the jmx-exporter restriction is correct/valid.

If Artemis security can't be defined to allow the jmx-exporter (as an agent / in-process) to work correctly, you can run the jmx-exporter in standalone mode.

[fstab]

Here's what happened with rel 0.16.1 and previous releases: If you configure the jmxUrl, jmx_exporter will scrape from that remote URL even if jmx_exporter is run as a Java agent.

Here's the relevant code from rel 0.16.1:

jmx_exporter/collector/src/main/java/io/prometheus/jmx/JmxScraper.java

Lines 80 to 98 in d56097f

	if (jmxUrl.isEmpty()) {
	beanConn = ManagementFactory.getPlatformMBeanServer();
	} else {
	Map<String, Object> environment = new HashMap<String, Object>();
	if (username != null && username.length() != 0 && password != null && password.length() != 0) {
	String[] credent = new String[] {username, password};
	environment.put(javax.management.remote.JMXConnector.CREDENTIALS, credent);
	}
	if (ssl) {
	environment.put(Context.SECURITY_PROTOCOL, "ssl");
	SslRMIClientSocketFactory clientSocketFactory = new SslRMIClientSocketFactory();
	environment.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, clientSocketFactory);
	environment.put("com.sun.jndi.rmi.factory.socket", clientSocketFactory);
	}
	jmxc = JMXConnectorFactory.connect(new JMXServiceURL(jmxUrl), environment);
	beanConn = jmxc.getMBeanServerConnection();
	}
	try {

This lead to confusion among users. If users start jmx_exporter as a Java agent, they expect jmx_exporter to monitor the local Java process and not a remote JVM via jmxUrl.

In order to make this clearer, rel 0.17 and newer enforce this: Either you start jmx_exporter as a Java agent, then it will monitor the local JVM process. Or you start it in standalone mode, then it will scrape the jmxUrl. However, you cannot do both.

As @dhoard says, you should run jmx_exporter in standalone mode like this:

java -jar jmx_prometheus_httpserver-0.17.0.jar 12345 config.yaml

[eidottermihi]

It is clear to me that I can just run jmx_exporter in standalone mode, however I liked the agent approach a lot more because in this mode running the actual app and the jmx_exporter is tightly coupled (e.g. no need to manage two systemd units).

Due to Artemis using JAAS to secure its MBeans one has to specify credentials (username / password), which I think is only possibly when using a "remote" JMX connection.

Thanks for the clarification and for describing your motivation for the change, so I think Artemis is quite an "edge case" here. Therefor I'm closing the issue.