JDK-8297744 : JVM in a container can access all cpu cores on host even when cpu limit is set
  • Type: Bug
  • Component: hotspot
  • Sub-Component: runtime
  • Affected Version: 17.0.5
  • Priority: P3
  • Status: Resolved
  • Resolution: Not an Issue
  • OS: linux
  • CPU: x86_64
  • Submitted: 2022-11-24
  • Updated: 2022-12-19
  • Resolved: 2022-12-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
tbdResolved
Related Reports
Relates :  
JDK-8289568 - Do not use CPU Shares to compute active processor count
Relates :  
JDK-8281181 - Do not use CPU Shares to compute active processor count
Description
A DESCRIPTION OF THE PROBLEM :
since `17.0.5`, I've noticed that my java application running in a container has access to all the cores on my host machine even when setting cpu contraints on container runtime (either with `--cpus`, `--cpu-shares` or in kubernetes with resource limits).

Here is a test app with cpu limit set to "1", running in a kubernetes pod:

https://user-images.githubusercontent.com/7240895/203778182-03a36ab1-f711-481d-a57a-1cb586317c43.png

As we can see, it seems that our app disregards the limits set on cpu completely.

we could also exec into the container and run `java -XshowSettings:system -version`:

https://user-images.githubusercontent.com/7240895/203779882-689ffc96-d69a-41b0-be65-e0f62f570055.png

=> `Effective CPU Count: 32`

or with `jshell`:

https://user-images.githubusercontent.com/7240895/203779617-608c8148-31f4-496d-add2-02b942a6943a.png

the observed behaviour might be caused by this update: https://bugs.openjdk.org/browse/JDK-8289568

--- 

When running the same test on `eclipse-temurin:17.0.4.1_1-jdk` (with `{"resources":{"requests":{"cpu":"1000m"}}}` or when explicitly setting `-XX:ActiveProcessorCount=1` this behaviour is no longer observed:

https://user-images.githubusercontent.com/7240895/203781211-fbc43cb5-d24a-40bb-8487-3b4eae33f5cf.png

and `Effective CPU Count` is "1" and `Runtime.getRuntime().availableProcessors()` returns "1"

REGRESSION : Last worked in version 17


FREQUENCY : always
Comments
Submitter has reported that this is not an issue. Closing.
19-12-2022
Additional Information from submitter: ============================ It seems that the problem is with the underlying gke cluster on which the issue was first observed. Has to do with this (intended) change: https://bugs.openjdk.org/browse/JDK-8289568 This is not a JVM bug. Please disregard this ticket
02-12-2022
Yes this seems likely to be caused by JDK-8281181 being backported to 17.0.5. The solution should be to set -XX:+UseContainerCpuShares
29-11-2022
Moving it to dev team for analysis.
29-11-2022