Articles in category: Default category

MAT: a Java memory analysis tool

MAT can currently analyze HPROF binary heap dumps (produced by Sun, HP, SAP, etc… JVMs), IBM system dumps (after preprocessing them), and IBM portable heap dumps (PHD).

  • find the biggest objects, as MAT provides reasonable accumulated size (retained size)
  • explore the object graph, both inbound and outbound references
  • compute paths from the garbage collector roots to interesting objects
  • find memory waste, like redundant String objects, empty collection objects, etc...

How to get a heap dump

Note: from JDK 6 update 14 onward, HPROF dumps also contain the call stacks of all threads.
Reference: Heap Dump Analysis with Memory Analyzer, Part 1: Heap Dumps

Java heap dump OQL samples - where

The where clause can contain:

=, <=, >, <, [ NOT ] LIKE, [ NOT ] IN, IMPLEMENTS (relational operations)
AND, OR, !=, =
Fields can be [. ] . .

  • SELECT * FROM java.net.URL u where u.port = 443
  • SELECT * FROM java.net.URL u where toString(u.host) = "api.google.com"
  • SELECT * FROM java.net.URL u where u.@displayName like ".*api.google.com.*"
  • SELECT * FROM "com.tianxiaohui.*" u where toString(u) like ".*Metrics.*" // regular expression

ss linux command

The ss command can show more information than netstat and is faster. The netstat command reads various /proc files to gather information, and this approach becomes slow when there are many connections to display. The ss command gets its information directly from kernel space.

ss -l
ss -t
ss -u
ss -nt
ss -ltp
ss -nt '( dst :443 or dst :80 )'

netstat command options

This program is obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.

netstat -t -l              # show listening TCP sockets
netstat -t --wide
netstat -an | grep :8080   # connections on port 8080 (some are external)

These options apply to Linux only; Mac and Windows differ somewhat.

  • a all
  • r show the routing table
  • s statistics
  • n numeric: do not resolve host and port names
  • c continuous print
  • e extend: also shows the owner
  • p show the program
  • l listening
    --wide do not truncate

States:
ESTABLISHED
The socket has an established connection.
SYN_SENT
The socket is actively attempting to establish a connection.
SYN_RECV
A connection request has been received from the network.
FIN_WAIT1
The socket is closed, and the connection is shutting down.
FIN_WAIT2
Connection is closed, and the socket is waiting for a shutdown from the remote end.
TIME_WAIT
The socket is waiting after close to handle packets still in the network.
CLOSED
The socket is not being used.
CLOSE_WAIT
The remote end has shut down, waiting for the socket to close.
LAST_ACK
The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
LISTEN
The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.
CLOSING
Both sockets are shut down but we still don't have all our data sent.
UNKNOWN
The state of the socket is unknown.
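
What netstat does when it reads /proc, as an added example that is not from the original page: the script decodes rows in /proc/net/tcp format into addresses and the state names listed above. It assumes IPv4 on a little-endian host; the function names are illustrative and the sample rows are constructed.

```sh
#!/bin/sh
# Added example: decode IPv4 rows in /proc/net/tcp format (little-endian host).

# Kernel hex state code -> state name (07 is the CLOSED entry in the list above).
tcp_state() {
    case "$1" in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo UNKNOWN ;;
    esac
}

# "0100007F:1F90" -> "127.0.0.1:8080". The four address bytes appear reversed.
hex_endpoint() {
    addr=${1%:*}; port=${1#*:}
    o4=${addr%??????}; rest=${addr#??}
    o3=${rest%????};   rest=${rest#??}
    o2=${rest%??};     o1=${rest#??}
    echo "$((0x$o1)).$((0x$o2)).$((0x$o3)).$((0x$o4)):$((0x$port))"
}

# Read rows on stdin, print "local remote STATE" for each socket.
decode_proc_net_tcp() {
    while read -r sl laddr raddr st extra; do
        [ "$sl" = "sl" ] && continue    # skip the header row
        echo "$(hex_endpoint "$laddr") $(hex_endpoint "$raddr") $(tcp_state "$st")"
    done
}

# Constructed sample rows, not captured from a real host.
sample_rows() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0A00000A:1F90 0A00A8C0:D431 08 00000000:00000000 00:00000000 00000000  1000        0 20003
EOF
}

sample_rows | decode_proc_net_tcp
# On a live Linux host: decode_proc_net_tcp < /proc/net/tcp
```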

https://en.wikipedia.org/wiki/Netstat
https://linux.die.net/man/8/netstat
https://www.computerhope.com/unix/unetstat.htm

docker internal

If you look in the Linux kernel, there is no such thing as a container.

  • Containers share the host kernel
  • Containers use the kernel ability to group processes for resource control
  • Containers ensure isolation through namespaces
  • Containers feel like lightweight VMs (lower footprint, faster)

history

  • Chroot circa 1982
  • FreeBSD Jails circa 2000
  • Solaris Zones circa 2004
  • Meiosys - MetaClusters with Checkpoint/Restore 2004-05
  • Linux OpenVZ circa 2005 (not in mainstream Linux)
  • AIX WPARs circa 2007
  • LXC circa 2008
  • Systemd-nspawn circa 2010-2013
  • Docker circa 2013
    -- built on LXC
    -- moved to libcontainer (March 2014)
    -- appC (CoreOS) announced (December 2014)
    -- Open Containers standard for convergence with Docker Announced (June 2015)
    -- moved to runC (OCF compliant) (July 2015)

how it works

Namespaces, cgroups, Images, Layers & copy-on-write

Kernel Namespaces: isolation

  • Process trees (PID Namespace)
  • Mounts (MNT namespace): wc -l /proc/mounts
  • Network (Net namespace): ip addr
  • Users / UIDs (User Namespace)
  • Hostnames (UTS Namespace): hostname
  • Inter Process Communication (IPC Namespace): ipcs

Control Group: accounting

Kernel control groups (cgroups) allow you to do accounting on resources used by processes, a little bit of access control on device nodes and other things such as freezing groups of processes.

IPTables (networking)

Isolation on the networking level is achieved through the creation of virtual switches in the Linux kernel. Linux Bridge is a kernel module, first introduced in the 2.2 kernel (circa 2000), and it is administered using the brctl command on Linux.

Types of Containers

Given the above constructs, containers may be divided into 3 types as follows:

  1. System Containers share rootfs, PID, network, IPC and UTS with host system but live inside a cgroup.
  2. Application Containers live inside a cgroup and use namespaces (PID, network, IPC, chroot) for isolation from host system.
  3. Pods use namespaces for isolation from host system but create sub groups which share PID, network, IPC and UTS except the rootfs.
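
An added example, not part of the original page or its sources: comparing the /proc/<pid>/ns links of two processes shows which namespaces they share, and the cgroup file shows whether they sit in different cgroups. The function names, the three labels and the sample tree are assumptions made for illustration; on a real host, reading another process's ns links usually requires root.

```sh
#!/bin/sh
# Added example. root defaults to /proc; passing another root lets the same
# logic run against the constructed tree built by make_sample_tree below.

# Print "<ns> shared" or "<ns> isolated" for each namespace type of two PIDs.
ns_compare() {
    root=${3:-/proc}
    for ns in pid mnt net user uts ipc; do
        a=$(readlink "$root/$1/ns/$ns") && b=$(readlink "$root/$2/ns/$ns") ||
            { echo "$ns unreadable"; continue; }
        if [ "$a" = "$b" ]; then echo "$ns shared"; else echo "$ns isolated"; fi
    done
}

# Map the comparison onto the container types described above (labels are hypothetical).
classify() {
    root=${3:-/proc}
    case "$(ns_compare "$1" "$2" "$root")" in
        *isolated*) echo "namespaced"; return ;;       # application-container style
    esac
    if [ "$(cat "$root/$1/cgroup")" != "$(cat "$root/$2/cgroup")" ]; then
        echo "cgroup-only"                             # system-container style
    else
        echo "same-context"
    fi
}

# Constructed /proc-like tree: PID 1 is the host, PID 500 differs only by
# cgroup, PID 900 has its own cgroup and its own pid/mnt/net/uts/ipc namespaces.
make_sample_tree() {
    t=$(mktemp -d)
    for p in 1 500 900; do
        mkdir -p "$t/$p/ns"
        for ns in pid mnt net user uts ipc; do
            id=4026531000
            if [ "$p" = 900 ] && [ "$ns" != user ]; then id=4026532000; fi
            ln -s "$ns:[$id]" "$t/$p/ns/$ns"
        done
    done
    echo "0::/init.scope" > "$t/1/cgroup"
    echo "0::/sample/a"   > "$t/500/cgroup"
    echo "0::/sample/b"   > "$t/900/cgroup"
    echo "$t"
}

tree=$(make_sample_tree)
classify 1 500 "$tree"
classify 1 900 "$tree"
rm -rf "$tree"
```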

docker providing

  • Image management
  • Resource Isolation
  • File System Isolation
  • Network Isolation
  • Change Management
  • Sharing
  • Process Management
  • Service Discovery (DNS since 1.10)

refer:

  1. https://docs.docker.com/engine/docker-overview/
  2. http://docker-saigon.github.io/post/Docker-Internals/
  3. https://www.youtube.com/watch?v=sK5i-N34im8