This document is meant to facilitate discussion of the design of the AS 7 domain management features. More specifically, it is a list of requirements for those features. The intent is not to focus on how those requirements are realized; see other documents such as the Domain Management Model Design wiki for that. It is helpful to familiarize yourself with the definitions in that wiki, as the requirements below often use those terms.
At this point these requirements are organized
- A domain is a management policy that applies to one or more servers/nodes, which may or may not be part of a cluster
- The primary and authoritative representation of the domain, the domain model, will be stored in the domain.xml file.
- All changes made to the in-memory model must be written to the domain.xml file
- Various client interfaces to the domain will also be provided including
- JON/JOPR
- Java based management API
- AS Admin Console
- CLI tool
- All client interfaces must be able to view the complete logical domain model representation
- All client interfaces must also be able to view non-classified components, those which are not part of the domain but instead come from deployments or legacy management mechanisms.
- The domain model always takes precedence over deployment specified resources/components.
- It must be clear in all client interfaces which actions:
- affect the domain model
- affect components associated with the domain model but not the domain model itself (e.g. an obscure property exposed via a component's managment interface that isn't part of the domain model).
- affect non-classified components
- Deployment of applications will only take place at the Server Group, and Cluster level, as well as being able to be a part of an Action Group.
- We will support configuration changes that are made one time, that apply to the entire Server Group or Cluster.
- Run-time configuration changes can be applied without restarting the server, if its defined in the API for that component.
- We will have three main startup modes:
- Stand alone - single private domain, intended for the developer case, and would have the default EE set of services available after startup.
- Domain controller - server that runs the domain controller profile.
- No consideration of HA for the domain controller.
- Domain member - a server that gets its profile from a domain controller.
- Domain configuration information will be allowed to be hand edited only with the server down.
- We will have a "server/lib" profile. (Comment: let's disambiguate the term 'profile'. What's discussed here is an element in the overall set of capabilities a server is running.)
- This handles the case of things like JDBC drivers, and third party libraries for applications, that are provided by the customer, and not provided by us.
- At the server group level we would have the ability to keep each InstalledImage in sync with the MasterRepository, or not.
- If synchronization is turned off, the customers provisioning scripts/tools, etc. would be responsible for keeping all the InstalledImages in the server group in sync.
- When a server joins a server group/cluster, end user applications and "server/lib" would be kept in sync, if syncing is turned on.
- We still need to isolate end user jars from our jars in the "server/lib" profile. This must encompass all end user provided content.
- What about all the binaries, and configuration files?
- Yes, these should have an index, with hashes, etc., and be synced as a server joins a server group/cluster.
- We will allow dynamic addition of a server to a domain/server group/cluster, etc.
- The domain controller will have a setting that will either allow this or not.
- The options for when you don't allow the dynamic addition of the server would be:
- Die (server is shutdown).
- Put in stand-by mode, without starting any services, until an administrator has added the server to the domain.
- A server will always be in a server group.
- This may be a one-to-one relationship.
- The domain controller will always have the complete list of services that are possible to be started.
- A server group will also contain the full list of services, but with only certain services enabled, unless of course it requires all the services, then all of them would be enabled.
- Maven, Ant, JBoss Tools/JDBS deployment scenarios all need to continue to function as they do today, from a user point of view.
- The following elements need to be configurable at the server level
- Logging levels (default can be pulled from group)
- JVM Parameters (default can be pulled from group)
- System properties (default can be pulled from group)
- Pool sizes [Thread,DB, etc] (default can be pulled from group)
- IP addresses
- When the domain controller is down the servers in the group or cluster will continue to work, but no administration will be possible until the domain controller becomes available.
- HA solution TBD (could be as simple as telling the customer to use a monitoring process that restarts if it fails, like watchdog, or if they have solutions like Tivoli, HP OpenView, they provide those functions).
- The requirement here, is that we need to be able to create a new domain controller to replace the current one, and have all the servers within the domain, understand where the new domain controller is.
- When a server starts, and cannot contact the domain controller, then the following applies:
- Start with the last known state, but log a BIG warning!.
- Don't start, because there may have been administration changes that would mean the last known state (synchronization) could be incorrect for the server group/cluster.
- Don't start and you know that a synchronization operation has failed as the last operation.
- You shouldn't be able to start if you have never joined a domain to begin with.
- Obviously, doesn't include the developer case with a private domain.
- We will need an "agent" or "
server managerhost controller" or "domain slave", call it what you will, that the domain controller will talk to it.- The "agent" will need to be local to the server (may be a one to one relationship, if every server is on its own OS instance, or may be one to many if there are many servers on one OS instance).
- We must have one "agent", regardless of whether the customer is using JON or not, or has multiple products or not.
- This may not be possible in the case where we have multiple version families deployed in one customer environment.
- We will have a REST interface for management.
- May not cover the entire management API, but will evolve.
The profile server API will be the programmatic API (Java).- The REST interface will be the basis for the CLI (it sits on top of it).
- We must have a domain controller API.
- This is also part of the programmatic API.
- Changes to the profile service API do not have to be backward compatible, since only JON and the Admin Console are the current users.
- We will expose selected management capabilities through JMX, but not everything.
- Exactly what this would be is TBD
- There are quite of few projects that have exposed their management interface through JMX.
- So, we will need to add profile service support, via wrapper over their internal management API.
- Projects must have an internal management API, and not be directly dependent on JMX for their management API.
- Projects must maintain a
profile servicemanagement API wrapper over their internal management API.- This is an integration requirement.
- We will not have a management capability for the old "pruned" or "deprecated" parts of EE 6.
- We need to have the ability to have a profile generator.
- Post install, can use the services in the domain model, with dependency information to allow users to create their own profile, that will actually work.
- This gives formal support to what customers do with "slimming" today.
- We need to be able to manage all the network request paths:
- JMS
- HTTP
- IIOP
- Remoting
- It shall be possible within domain.xml to specify what capabilities/subsystems are allowed (whitelist) or disallowed (blacklist) in order to ensure that undesired subsystems are not inadvertently started causing unexpected performance penalties.
- Domain subsystems and extensions are the recommended SPI for adding custom configuration driven services. Legacy models, such as single xml file deployments, will be deferred until community demand drives a particular solution
- Domain Controller is just a
Server ManagerHost Controller running in "master" mode (one less JVM) - Admin console will run in a Server instance, with a possible many-to-one relationship to the "controller"
- The Standalone class will be renamed to ServerModel to avoid confusion with the "standalone" use case
- Domain and Standalone will not share bootstrap as they are fundamentally different (AbstractServer bytes the dust)
- Statistics will be associated with the domain
Server ManagerHost Controller will handle stats/runtime queries to allow load distribution- DC will potentially redirect to the SM to simplify this
- The "update" objects will be responsible for determining if the update is "runtime" or "requires restart" or "may require restart"
- Incremental domain updates are low-priority for 7 GA.
- Logging will be passed to the server via a stdin command pattern to solve the chicken egg problem
- Security Manager Policies will not be in the domain
- Policy file location and security manager impl class will be part of the JVM section of the domain
- Domain will have password element for clear-text and inline encrypted passwords and a password ref to keystore
- Domain will contain SSL element with keystore, truststore, keyPassword, trustPassword, module-ref to alternative keymanager, trustmanager
- Ability to load custom security providers in domain.xml
- Ability to sync keystores
- security realms (e.g. login-config.xml) will be represented as a subsystem in the domain.xml, other subsystems will reference it, and it will provide natural language configs for login modules
- DC & SM will use authentication
Comments