New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Newrelic agent with 2.0.0 #14690
Comments
We can fix it, here is the deal:
we fixed and added safety around these situations too in #13880. Anyway, I think we can now safely add permissions to |
By the way, this is the best way to workaround it in the meantime: https://docs.oracle.com/javase/tutorial/ext/basics/install.html |
Yeah, we don't read from any of the standard locations and add to our policy. Its worth looking at too, since what you did probably should have worked, but i want to investigate first, just concerned about what kind of stuff might be in these standard locations on various distros etc. |
Thanks a lot, I'll try the workaround. |
FTR, I also tried to pass in the policy explicitly by adding |
yeah, I see this is the mechanism newrelic support recommends to their users: https://discuss.newrelic.com/t/flux-scheduler-not-able-to-load-newrelic-jar/2114 so its less about us changing our classpath logic I think, changing that would only mean a more confusing exception follows (like newrelic not having access to connect somewhere, write to its log file, something like that). its more about allowing you to do this in the system files like they recommend (without having to resort to installing it into an extension directory). and if you don't configure access for your agent then it predictably fails on that agent jar. |
its kind of a downer, on java 7 < update 51:
After update 51 the SocketPermission improves into two (they broke back compat here and changed how listen ports are checked, yet kept stopThread for back compat?!?!?!):
On java 8 and 9 the RMI is cleaned up and removed, but ephemeral port and stopThread remains. Looks like in 9 they work on cleaning up their own house with permissions to jdk internals though, which is a positive. Anyway, sucking in the system/user configuration naively has some downsides and undoes some work, but its probably what we should do. Just makes life difficult as usual, I'll work up something. |
Awesome, thanks @rmuir ! |
Posting this in case its related to #13785
I'm trying to run ES 2.0.0 with a newrelic agent, but I'm getting
See complete log below:
I tried setting a custom java policy for my
elasticsearch
user by creating/usr/share/elasticsearch/.java.policy
with the following content:, but to no effect.
I also tried to add the above to the global java policy, but it didn't work either.
I managed to get the agent to work by disabling the security manager entirely (
-Dsecurity.manager.enabled=false
), but I don't really want to do this in production.The text was updated successfully, but these errors were encountered: