
I am deploying ActiveMQ Artemis in Docker from quay.io using Docker Desktop on my local machine (Windows 10).

I issued the command below to start the latest image:

docker run -e AMQ_USER=admin -e AMQ_PASSWORD=admin -p8161:8161 -p61616:61616 -p5672:5672 --rm --name artemis quay.io/artemiscloud/activemq-artemis-broker

Note: dev.latest tag is not available, so used the latest tag.

The ActiveMQ Artemis instance in the Docker container starts successfully, and I’m able to log in to the web console:

...
2022-06-18 20:08:26,820 INFO  [org.apache.activemq.artemis.core.server] AMQ221007: Server is now live
2022-06-18 20:08:26,821 INFO  [org.apache.activemq.artemis.core.server] AMQ221001: Apache ActiveMQ Artemis Message Broker version 2.22.0 [broker, nodeID=68f4db2b-ef42-11ec-b609-0242ac110002]
2022-06-18 20:08:27,607 INFO  [org.apache.activemq.hawtio.branding.PluginContextListener] Initialized activemq-branding plugin
2022-06-18 20:08:27,746 INFO  [org.apache.activemq.hawtio.plugin.PluginContextListener] Initialized artemis-plugin plugin
2022-06-18 20:08:28,414 INFO  [io.hawt.HawtioContextListener] Initialising hawtio services
2022-06-18 20:08:28,438 INFO  [io.hawt.system.ConfigManager] Configuration will be discovered via system properties
2022-06-18 20:08:28,443 INFO  [io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 2.14.2
2022-06-18 20:08:28,459 INFO  [io.hawt.web.auth.AuthenticationConfiguration] Starting hawtio authentication filter, JAAS realm: "activemq" authorized role(s): "admin" role principal classes: "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
2022-06-18 20:08:28,480 INFO  [io.hawt.web.auth.LoginRedirectFilter] Hawtio loginRedirectFilter is using 1800 sec. HttpSession timeout
2022-06-18 20:08:28,520 INFO  [io.hawt.web.proxy.ProxyServlet] Proxy servlet is disabled
2022-06-18 20:08:28,539 INFO  [io.hawt.web.servlets.JolokiaConfiguredAgentServlet] Jolokia overridden property: [key=policyLocation, value=file:/home/jboss/broker/etc/jolokia-access.xml]
2022-06-18 20:08:28,788 INFO  [org.apache.activemq.artemis] AMQ241001: HTTP Server started at http://172.17.0.2:8161
2022-06-18 20:08:28,789 INFO  [org.apache.activemq.artemis] AMQ241002: Artemis Jolokia REST API available at http://172.17.0.2:8161/console/jolokia
2022-06-18 20:08:28,790 INFO  [org.apache.activemq.artemis] AMQ241004: Artemis Console available at http://172.17.0.2:8161/console
2022-06-18 20:14:28,681 INFO  [io.hawt.web.auth.LoginServlet] Hawtio login is using 1800 sec. HttpSession timeout
2022-06-18 20:14:30,401 INFO  [io.hawt.web.auth.keycloak.KeycloakServlet] Keycloak integration is disabled
2022-06-18 20:14:34,273 INFO  [io.hawt.web.auth.LoginServlet] Logging in user: admin

I am unable to view the Consumer, Producer, Sessions, Queues, etc tags.

I understand that we need to modify the IPs in jolokia-access.xml and restart, but I can’t edit the file within docker exec -it artemis bash within the image and restart it if executed without --rm in Docker run command.

Is there any environment variable to disable CORS or strict checking in jolokia-access.xml?

Below is what I see at http://localhost:8161/console:

blank web console

The log indicates that the console is available at http://172.17.0.2:8161/console. However, this is not accessible since the docker is totally a different network. When I try to access it I get the message below:

This site can’t be reached 172.17.0.2 took too long to respond

And when I access the end point http://localhost:8161/console/jolokia I get the message:

{ error_type: "java.lang.Exception", error: "java.lang.Exception : Origin null is not allowed to call this agent", status: 403 }

3 Answers


  1. Chosen as BEST ANSWER

    In order to bypass the jolokia in the docker,

    • I created a reverse proxy using nginx server in the docker and set the headers.

    Below are the steps I followed:

    • Run an nginx instance,
    > docker run -d --name nginx-proxy -p 80:80 nginx
    
    • Copy the existing default.conf to the local system, using the command below
    # my present working directory is a temp folder
    > docker cp nginx-proxy:/etc/nginx/conf.d/default.conf .
    
    • Identified the hostname/IP address of the Artemis container, since I need to set this as the Origin header
    > docker exec artemis hostname -i
    
    • Updated below content to the default.conf file
    server {
        listen       80;
        listen  [::]:80;
        server_name  localhost;
    
        location / {
         if ($request_method = 'OPTIONS') {
            add_header Origin http://172.17.0.2;
            add_header 'Access-Control-Allow-Origin' '*';
    
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    
            add_header 'Access-Control-Max-Age' 86400;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204; break;
         }
    
         if ($request_method = 'POST') {
            add_header Origin http://172.17.0.2;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
         }
         if ($request_method = 'GET') {
            add_header Origin http://172.17.0.2;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
         }
    
          proxy_pass http://172.17.0.2:8161/;
          proxy_set_header Origin http://172.17.0.2;
          proxy_set_header Host      $host:$server_port;
          proxy_set_header X-Real-IP $remote_addr;
        }
    
        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #
         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
            root   /usr/share/nginx/html;
         }
    }
    
    • Note: don't forget the ; at the end.

    • Copy the default to the nginx server. We can validate and reload the new config without stopping the container.

    # I am in my temp directory 
    # to copy use below command
    > docker cp default.conf nginx-proxy:/etc/nginx/conf.d/default.conf
    
    # to validate the config file use below command
    > docker exec nginx-proxy nginx -t
    
    # to reload, send a signal using the command below
    > docker exec nginx-proxy nginx -s reload
    
    • Since we are exposing port 80 for the nginx container, we can hit http://localhost:80/console to access the ArtemisMQ page.

    • This can be used only for development purposes. Not suitable for production.

    Artemis console view

    Referred to the How to set nginx reverse proxy blog

    Additional Note:

    • I had to validate whether I am able to access the jolokia endpoint from within the nginx server of docker; I used the command below.
    > docker exec -it nginx-proxy bash
    

    The curl command I used to verify.

    root@681b68921481:/# curl -H "Origin: http://172.17.0.2" http://admin:admin@172.17.0.2:8161/console/jolokia/
    
    • Output:
    {"request":{"type":"version"},"value":{"agent":"1.7.0","protocol":"7.2","config":{"listenForHttpService":"true","authIgnoreCerts":"false","agentId":"172.17.0.2-1-6c008c24-servlet","debug":"fal
    se","agentType":"servlet","policyLocation":"file:/home/jboss/broker/etc/jolokia-access.xml","agentContext":"/jolokia","serializeException":"false","mimeType":"text/plain","dispatcherCla
    sses":"org.jolokia.http.Jsr160ProxyNotEnabledByDefaultAnymoreDispatcher","multicastGroup":"239.192.48.84","authMode":"basic","authMatch":"any","streaming":"true","canonicalNaming":"true","hist
    oryMaxEntries":"10","allowErrorDetails":"false","allowDnsReverseLookup":"true","realm":"jolokia","includeStackTrace":"false","multicastPort":"24884","mbeanQualifier":"qualifier=hawtio","useRes
    
    

  2. ArtemisCloud broker containers restrict access to the container network for security reasons but Docker Desktop for Windows doesn’t support the host networking driver.

    You could overwrite the default broker config by mounting your own etc folder on /home/jboss/broker/etc, i.e.

    docker run -v /tmp/my-broker-etc:/home/jboss/broker/etc -e AMQ_USER=admin -e AMQ_PASSWORD=admin -p8161:8161 -p61616:61616 -p5672:5672 --rm --name artemis quay.io/artemiscloud/activemq-artemis-broker
    

    Docker makes deploying microservice applications very easy but it has some limitations for a production environment. I would take a look at the ArtemisCloud.io operator that provides a way to deploy the Apache ActiveMQ Artemis Broker on Kubernetes.

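A small model of the Origin check behind the 403 in the question, for testing a jolokia-access.xml before mounting it as the answer above suggests. This is an added example, not code from the page, Jolokia or ArtemisCloud; the three policies are constructed, and the wildcard matching and the handling of a missing Origin header are assumptions chosen to agree with the error shown in the question.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policies, not copied from the image. CONTAINER_ONLY assumes the
# shipped file pins the origin to the container address; LOCAL_DEV is a
# candidate to mount over /home/jboss/broker/etc/jolokia-access.xml.
CONTAINER_ONLY = """<restrict><cors>
  <allow-origin>*://172.17.0.2*</allow-origin>
  <strict-checking/>
</cors></restrict>"""
LOCAL_DEV = """<restrict><cors>
  <allow-origin>http://localhost:8161</allow-origin>
  <strict-checking/>
</cors></restrict>"""
LOOSE_DEV = LOCAL_DEV.replace("http://localhost:8161", "*://localhost*")


def load_cors(policy_xml):
    """Return (compiled allow-origin patterns, strict-checking enabled)."""
    cors = ET.fromstring(policy_xml).find("cors")
    if cors is None:
        return [], False
    patterns = []
    for node in cors.findall("allow-origin"):
        # Assumption: '*' is the only wildcard and matches any characters.
        parts = [re.escape(p) for p in (node.text or "").strip().split("*")]
        patterns.append(re.compile(".*".join(parts), re.IGNORECASE))
    return patterns, cors.find("strict-checking") is not None


def origin_allowed(policy_xml, origin):
    """Model the server-side decision; origin=None means no Origin header."""
    patterns, strict = load_cors(policy_xml)
    if not strict or not patterns:
        return True   # nothing enforced server-side in this model
    if origin is None:
        return False  # surfaces as "Origin null is not allowed ..."
    return any(p.fullmatch(origin) for p in patterns)


def report(policy_xml, origins):
    """Map each candidate Origin to the modelled allow/deny decision."""
    return {str(o): origin_allowed(policy_xml, o) for o in origins}


if __name__ == "__main__":
    origins = [None, "http://localhost:8161", "http://172.17.0.2:8161",
               "http://localhost.other.example"]
    for name in ("CONTAINER_ONLY", "LOCAL_DEV", "LOOSE_DEV"):
        print(name, report(globals()[name], origins))
```

Under this model the loose pattern `*://localhost*` also admits `http://localhost.other.example`, so pinning scheme, host and port is the tighter choice for a local setup.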
  3. I solved this by creating a custom script, launch.sh, to override the launcher in the image quay.io/artemiscloud/activemq-artemis-broker and disable the CORS limitation so that the web console works when running in Docker.

    # Download script
    wget https://gist.githubusercontent.com/vifito/36b00547251ab84225d986fd7d4f18f3/raw -O launch.sh
    
    # Set exec permission
    chmod +x launch.sh
    
    # docker run
    docker run -d --name amq \
      -e AMQ_USER=admin -e AMQ_PASSWORD=admin \
      -p 8161:8161 -p 61616:61616 \
      -v `pwd`/launch.sh:/opt/amq/bin/launch.sh \
      quay.io/artemiscloud/activemq-artemis-broker
    
    # Open console
    xdg-open http://0.0.0.0:8161/console
    