Permission to a readonly Permissions object error when trying to read Java heap memory size

Template for a good bug report, formatted with Markdown:

  • versions used (SonarQube, Scanner, Plugin, and any relevant extension)
    Version: 8.1.0.31237
  • error observed (wrap logs/code around triple quote ``` for proper formatting)
    Trying to read Java heap memory size from Sonarqube CE running with the following config:
    /usr/lib/jvm/java-11-openjdk-11.0.6.10-1.el7_7.x86_64/bin/java -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djava.io.tmpdir=/var/sonarqube/temp --add-opens=java.base/java.util=ALL-UNNAMED -Xmx2G -Xms128m -XX:+HeapDumpOnOutOfMemoryError -Dcom.sun.management.jmxremote.port=3332 -Dcom.sun.management.jmxremote.rmi.port=3332 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dhttp.nonProxyHosts=localhost|127.|[::1] -cp ./lib/common/:/usr/local/sonarqube-8.1.0.31237/lib/jdbc/mssql/mssql-jdbc-7.2.2.jre11.jar org.sonar.ce.app.CeServer /var/sonarqube/temp/sq-process14733455275180470625properties

I get the following error (using nagios to retrieve data:
/usr/local/nagios/scripts/check_java -u service:jmx:rmi:///jndi/rmi://:3332/jmxrmi -t Mem -U MB -w 70 -c 85
Could not retrieve data: java.lang.SecurityException: attempt to add a Permission to a readonly Permissions object

It works when trying to retrieve data from Sonarqube WS engine for example:
/usr/local/nagios/scripts/check_java -u service:jmx:rmi:///jndi/rmi://:3331/jmxrmi -t Mem -U MB -w 70 -c 85
OK: Memory Usage: 10% (107 MB / 1024 MB)
| heapMemoryUsed=107MB;;;0;
| heapMemoryCommited=185MB;;;0;
| heapMemoryMax=1024MB;;;0;
| nonheapMemoryUsed=152MB;;;0;
| nonheapMemoryCommited=173MB;;;0;

  • steps to reproduce
    I only used Nagios plugin check_java but one can try to read rmi with other tools.
  • potential workaround
    Use OS tools to check memory used

Similar issue that I found:

Welcome to the community! What did you defined for the property sonar.ce.javaAdditionalOpts in your sonar.properties?

Cheers :slight_smile:
sonar.ce.javaAdditionalOpts=-Dcom.sun.management.jmxremote.port=3332 -Dcom.sun.management.jmxremote.rmi.port=3332 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

Hi,

We have the same issue.

Our context : we use SonarQube 8.2 official Docker version

Our goal is to monitor SonarQube by exporting JMX metrics to Prometheus via the JMX Exporter.

We have this issue only with the CE JVM.
The JMX metrics of the WEB and ES JVMs can be exported remotely.

We have reproduced this issue with three monitoring tools: the JConsole of the Oracle JDK, the JMXExporter and JMXTerm.

Each time we try to get the JMX metrics from the CE JVM, we get the SecurityException describe above (We can eventually join a complete log with CE log level set to DEBUG).

Our sonar.ce.javaAdditionalOpts is quite the same as described above:

sonar.ce.javaAdditionalOpts: -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=9270 -Dcom.sun.management.jmxremote.rmi.port=9271

We have exported the ports 9270 and 9271 of the SonarQube container to make them accessible remotely.

We are currently using an incomplete workaround: we can export some JMX metrics by using the JMX Exporter as an agent in the CE JVM…
… but the the PendingTimemetric of the CE JVM is missing because it is implemented as an Option in the SonarQube code and this type is not supported by the JMX Exporter when it tries to get the attributes of the CE JMX bean.
And, as it written in the SQ monitoring Web page, this metric is important to us as it “together with PendingCount, helps you know if analyses are stacking and taking too long to start processing”.

Thus we are very interested in a fix or any workaround to get the JMX metrics of the CE JVM when SonarQube runs in a Docker container.

Thanks in advance.

Is there an update for this issue raised on the 23rd April ?

Hi,

The issue has also been reported in this topic (JMX for Compute Engine) and a ticket has been created in SonarSource JIRA (https://jira.sonarsource.com/browse/SONAR-13559).

You can vote for the latter to show your interest to see it to be fixed.

Best regards.

–
Rodolphe

1 Like