JDK-8255008 : Serviceability tools don't fully support Containers
  • Type: Bug
  • Component: core-svc
  • Sub-Component: tools
  • Affected Version: 16
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2020-10-19
  • Updated: 2025-01-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
tbdUnresolved
Related Reports
Relates :  
JDK-8286030 - Avoid JVM crash when containers share the same /tmp dir
Relates :  
JDK-8226919 - attach in linux hangs due to permission denied accessing /proc/pid/root
Relates :  
JDK-8179498 - attach in linux should be relative to /proc/pid/root and namespace aware
Relates :  
JDK-8276971 - Investigate docker daemon plugin for serviceability support
Description
The JDK-8179498 fix improved the usage of the serviceability tools for interacting with Linux containers but has a few drawbacks.  This solution requires that the client tools being run on a host attempting access to container based Java processes must be run as root.  The other problem is that this solution is Linux specific and can't be supported by Mac or Windows hosts.

Cloud based monitoring software that would like to utilize jcmd in order to enable and get access to JFR recordings or Java Heap dumps for containerized process must open up security holes to make use of the previous fix on Linux and can't even use jcmd for Windows or Macs.

Here's one possible solution to this set of problems:

Modify the JDK to add a new Java property jdk.attach.tmpdir which will optionally alter the location where the attach files, communication and socket files are stored in order to add support for containers. This property could also be extracted from an environment variable such as JDK_ATTACH_TMPDIR.

This is needed since accessing /proc/*/root/tmp requires root privs and is not available on other operating system platforms.

This proposal redirects the file access to the hosts tmp directory so accesses are handled that same way as local Java processes.

All containers that startup and run Java would have to use these additional options to enable this:

Example:

Java:  -Djdk.attach.tmpdir=/container-attachdir -XX:+UnlockCommercialFeature -XX:+FlightRecorder -XX:+StartAttachListener
Docker:  --volume /tmp/container-attachdir:/container-attachdir

This fix has to also use more than just the pid for the naming of the files in $jdk_attach_dir/hsperfdata_{user}/{pid} and $jdk_attach_dir/.java_pid{pid} since we'll have no way of mapping these pids to host pids.  The name of the container along with the local container pid in all places the original host pid was used.  The hostname for containers (/etc/hostname) is typically the containerid.

-XX:+StartAttachListener must be specified for container processes since the normal signal handshaking currently used to initiate an attach cannot be used since there is no way of associating a container pid with a host pid without root access.

For example:

$jdk_attach_dir/hsperfdata_{user}/e4f3e2e4fd97:10
$jdk_attach_dir/.java_pid:e4f3e2e4fd97:10

With all this in place, jcmd running on the host can initiate a JFR to dump of a recording from each container to the hosts /tmp/container-attachdir/e4f3e2e4fd97:10/recording.jfr file.
Comments
> If we want "jps" to work both inside the container, AND on the host, we may need to create both of these files. Wasn't this what JDK-8228343 fixed? Inside a container: bash-5.1$ jps 55 Jps 8 Hello The outside (host) perspective: sudo jps 16468 Hello 16618 Jps
03-05-2022
With JDK 17, the behavior is like this: - JVM runs inside a (rootless) container. It thinks its PID is 1 and its user id is "root". - From the host's perspective, the JVM's PID is 1234, and its user id is "iklam" During JVM start-up, mmap_create_shared() in perfMemory_posix.cpp tries to create the following file /tmp/hsperfdata_root/1 but if you run "jps" on the host, it really wants to see /tmp/hsperfdata_iklam/1234 If we want "jps" to work both inside the container, AND on the host, we may need to create both of these files.
22-10-2021
in addition to a cmd line property this also requires a corresponding environment variable(s) It also might be useful to expand the utility of this by generalizing the usage of the shared directory beyond just the attach protocol
19-10-2020