Java.sun.com is down again - breaking bad apps across the land
This morning around 8:00 UTC Nagios alerted me, that the thread count on a number of Apache Tomcat servers I support for a client started to rise dramatically. I've discovered that a library that is part of the application was trying to fetch DTDs like http://java.sun.com/dtd/properties.dtd from java.sun.com. The servers are unreachable so each request thread was taking 30+ seconds to time out. I've worked around the problem by putting an iptables rule for 192.9.162.55 port 80, that would reject the request immediately and informed to client to look for a permanent solution.
In case the library can't be fixed (I don't know who developed it), I'm planning on putting the relevant DTD files on a local HTTP server and redirect all requests for java.sun.com to that virtual host (eg. through relevant entries in the hosts file).
Check your application servers and the software you use if it processes XML documents. One way to check:
$ netstat -ant | grep -E '192.9.162.55:80[[:space:]]+SYN_SENT' | wc -l
184
$
SYN_SENT is because the 192.9.162.55 (java.sun.com) is not responding ATM. If it becomes reachable again, just s/[[:space::]]+SYN_SENT// .Relevant URLs for more information:
http://www.w3.org/blog/systeam/2008/02/08/w3c_s_excessive_dtd_traffic/
http://www.oasis-open.org/committees/entity/spec-2001-08-06.html
And a previous discussion here about the same problem:
http://news.ycombinator.com/item?id=3094075
37 comments
[ 7.0 ms ] story [ 104 ms ] thread(I've been dealing with Oracle for a few years. It started with just database stuff, but they kept buying applications I supported, now they own Solaris ... anyway.)
In Big Enterprise the alternative [1] to Oracle is Microsoft.
You're darned if you do and darned if you don't.
[1] Don't even mention open source. Not going to fly at BE, in my experience.
There I was in the data center at 3 a.m., trying to figure out why my mirrored drive server wasn't booting on it's surviving disk.
I was groggy as heck, and even basic vi commands required a lot of thought. Actual thinking took more effort. The Support Engineer walked me through even the basic stuff
"Okay, now 'yank-yank put' to copy that line"
And a few minutes later the server booted and all was well.
We're moving as quickly as possible away from Solaris, to Linux. But service quality isn't the driver - it never is.
The problem is cost.
The most popular virtualisation software out there that's full-featured and free to use... is shutting down their website for three days for planned maintenance?
This is something that would have happened in 1993. Maybe. Between this and java.sun.com being offline it's pretty much the biggest red flag to stay away from Oracle as far as possible I could imagine.
http://download.virtualbox.org/virtualbox/4.1.14/
There's likely a few downloads on torrent sites for the download as well.
Since it's FLOSS it should be legal to grab it from torrents anyway.
Take a breath, you have more important things to worry about.
In all cases, since the DTDs are more or less versioned through their filenames, with quite a minimal rate of changes, caching them (even if not outright saving them forever) should be the default action.
lxml is better.
the "| wc -l" was tacked in for the submission :)
To be honest though, if this have already happened TWICE do people really have any excuse for using a server that goes down a lot for something important?
Why would you NOT just download the stuff on some separate server and at most run some cronjob to keep it up to date?
Or am I just being stupid?
To make sure that these libraries did not attempt to talk servers outside my company's control, I had to dig through the code and implement "neutered" forms of schema look-up interfaces, etc. I can't recall exact details. The default behavior was promiscuity and presumption, and making sure that these libraries didn't strike-up conversations with random servers was not trivial or terribly well documented. So, I'm not surprised by the current state of affairs.
I want to define whitelists for each environment in which my app will run -- development, QA, production, etc. To which hosts may it connect? Where may it access files? What else might I wish to constrain as way of avoiding inadvertent dependencies? Particular queues/topics on messaging buses? Database schemas within a particular server (network restrictions are too coarse for this)? When asking this question, I'm not trying to protect myself from rogue developers with malevolent intentions -- I just want to avoid a scenario like the one described by the OP.
Recently, I started-up the Java app upon which I am currently working and watched its network behavior via Microsoft's Wireshark-esque network monitoring tool. It turns out that EHCache now asks one of Terracotta's servers for the most recent EHCache version number so that it can spit an out-of-date warning in the logs. Benign and useful, but I still had to spend a few minutes in the EHCache source to make sure that, if Terracotta's servers were down, our app would still start-up.
Should one do this at the OS level (jails, perhaps)? I'm not limiting this idea to just Java apps, but I'm really only an expert in the Java space.
I also argue that the whitelist would help codify inter-app dependencies in large IT environments. A few years ago, the large IT shop for which I worked did a disaster recovery drill where they literally deployed 10's of apps in an IBM-provided datacenter as a dry run. One thing they learned was that a particular production app was erroneously configured to log certain audit events to a server in a QA environment (which was not part of the disaster recovery plan for obvious reasons). Whitelists would have prevented this issue.
If you still need this functionality in a Java security manager I believe you could build it using the existing hooks, they look quite powerful and flexible.
Now, the real pain I've had with the Security Manager in Tomcat 5.5 was writing the rules for a pre-canned application, not written with SM in mind. It was quite a tedious process, but all MAC systems are tedious to set-up initially. That's life.
I had thought about using AspectJ to wrap interesting points in various APIs and then do "stuff". The obvious behavior is to restrict usage based on whitelists. However, it might also be interesting to run one's app in an access logging mode, especially when trying to wrap some controls around a previously unrestricted production application.
https://lwn.net/Articles/365224/
Create a non-privleged user. Restrict the account r/w to certain directories. Run the app as that user.
Want to only allow access to a whitelist of hosts? No dice.
I have not done this, but I think you can do that with iptables.