jstatd Command in Linux
jstatd is a tool that comes with Java, which stands for JVM statistics daemon. It helps keep track of when Java virtual machines (JVMs) are started or stopped on a computer. This tool allows other programs to remotely monitor and gather information about the JVMs running on that computer. It is compatible with any system that supports Java, including Linux and Windows.
Table of Contents
Here is a comprehensive guide to the options available with the jstatd command −
- What is jstatd Command in Linux?
- Syntax of jstatd Command
- jstatd Command Options
- Installation of jstatd Command
- Security Considerations of jstatd Command
- How to Use jstatd Command in Linux
What is jstatd Command in Linux?
jstatd is a command-line tool that acts as a server for monitoring Java HotSpot VMs (Virtual Machines). It manages Java HotSpot VMs starting or termination. This allows remote tools like jstat and jps to connect to running JVMs on the same machine. These tools can then collect information about the JVM process. The jstatd server needs an RMI registry on the machine to work. It tries to connect to the registry on the default port.
You can also set a port using the -p port option. If no RMI registry is found, jstatd will create one. This registry is created on the specified port or the default port if none is set. To stop the creation of an internal RMI registry, use the -nr option.
Syntax of jstatd Command
The jstat command can be executed with or without optional flags −
jstatd [options]
jstatd Command Options
The jstatd command can accept several optional flags that are listed in the following table along with the description −
| Option | Description |
|---|---|
| -nr | It stops jstatd from creating its own RMI registry if it canât find one already running. |
| -p port | It sets the port where the RMI registry should be found. If the -nr option is not specified and the registry isn't there, it will be created at this port. |
| -r rmiport | It specifies the port for the RMI connector. If you don't set it, a random available port will be used. |
| -n rminame | It specifies the name of the remote RMI object in the registry. By default, it's named JStatRemoteHost. If you run multiple jstatd servers on the same machine, you can give each server a unique name with this option. But remember, the unique name must also be used by monitoring clients in their host and VM IDs. |
| -Joption | It passes a specific Java setting to the JVM, such as memory limits. For example, -J-Xms128m sets the initial memory to 128 MB. |
To learn more about his tool simply type man jstatd in the terminal and press ENTER to access the jstatd manual page −
man jstatd
Installation of jstatd Command
The jstatd tool is not pre-installed on Linux systems. It comes as part of the JDK (Java Development Kit). So, if the JDK is installed on your system, the jstatd command will be available to use. However, if the JDK is not installed on your Linux distribution, you need to install it before you can use jstatd. The installation command depends on your Linux distribution, as shown in the following snippet −
#for Debian-based systems sudo apt install default-jdk #for RHEL/CentOS systems sudo yum install java-1.8.0-openjdk-devel #for Arch Linux sudo pacman -S jdk-openjdk
These commands install JDK on the respective distribution, which includes tools like jstatd. You can confirm the jstatd installation on your system by running the following command −
which jstatd
If jstatd is installed on your system, this command will return the path to the jstatd executable, as shown below −
Alternatively, you can access the man page to confirm the jstatd installation on Linux. If the man command returns the manual page for the jstatd command, it means that jstatd is installed on your system. However, if you receive a message stating that no manual entry is available for jstatd, this means jstatd is not installed on your system.
Security Considerations of jstatd Command
jstatd server monitors only those JVMs that have appropriate native access permissions. It is important to note that the jstatd must run with the same user credentials as the target JVMs it intends to monitor.
User Credentials
Some user accounts, like the root user on Solaris, Linux, and macOS, have permission to access the instrumentation of any JVM on the system. If jstatd runs with such privileged credentials, it can monitor all JVMs, but this poses additional security concerns.
Lack of Authentication
The jstatd server does not authenticate remote clients. Therefore, running jstatd exposes instrumentation from all JVMs that the jstatd process can access to any user on the network, which may not be ideal for security-sensitive environments.
Consider Local Security Policies
Before starting the jstatd process, you must consider your local security policies, especially in production environments or on insecure networks.
Security Policy Requirement
When no other security manager is installed, the jstatd server installs an instance of RMISecurityPolicy. A security policy file must be specified, adhering to the Default Policy Implementation and Policy File Syntax.
Example Policy File
The following example policy file allows jstatd to run without security exceptions, while still being more restrictive than granting all permissions −
grant codebase "file:${java.home}/../lib/tools.jar" {
permission java.security.AllPermission;
};
Create the Policy File
Copy the above policy text into a file named jstatd.all.policy and run jstatd with the Policy File. For this purpose, run the following command −
jstatd -J-Djava.security.policy=jstatd.all.policy
Consider Custom Policy for Restrictive Environments
You can create a custom policy file to limit access to specific trusted hosts or networks for environments with strict security practices. However, this must be applied carefully because such measures can still be vulnerable to IP address spoofing attacks.
Note: If your security concerns cannot be effectively addressed with a custom policy, consider not running the jstatd server and using jstat and jps tools locally instead.
How to Use jstatd Command in Linux?
To use jstatd command in Linux, you must go through the following steps −
You can start the RMI registry on a specific port of your choice, like this −
rmiregistry 2000
You can replace 2000 with any other available port of your choice. This step is optional and you can skip it. In that case, jstatd will create an RMI registry automatically.
To start the jstatd daemon using an internal RMI registry, simply execute the jstatd command, as follows −
jstatd -J-Djava.security.policy=all
Run the following command to start the jstatd session with an external RMI registry −
rmiregistry & jstatd -J-Djava.security.policy=all.policy
You can start a jstatd session with an External RMI Registry bound to a specific name −
rmiregistry 2020& jstatd -J-Djava.security.policy=all.policy -p 2020 -n AlternateJstatdServerName
This command starts an external RMI registry on port 2020 bound to AlternateJstatdServerName.
You can stop the creation of an In-Process RMI Registry with the following command −
jstatd -J-Djava.security.policy=all.policy -nr
If the RMI registry is not in process, then this command encounters an error.
You can start a jstatd session with RMI logging enabled with the following command −
jstatd -J-Djava.security.policy=all.policy -J-Djava.rmi.server.logCalls=true
This feature is useful for troubleshooting and monitoring server activities.
Conclusion
jstatd is a valuable tool for monitoring Java Virtual Machines (JVMs) on systems running Java. It enables remote access to JVM statistics and requires an RMI registry to function properly.
In this tutorial, we explained how to install and configure jstatd on Linux, ensuring that you have the appropriate security measures in place. Whether you use an internal or external RMI registry, jstatd offers flexibility in monitoring JVMs, making it an essential component for Java developers and system administrators.