JDK-8327114 : Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container)
  • Type: Bug
  • Component: core-svc
  • Sub-Component: tools
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2024-03-01
  • Updated: 2024-10-24
  • Resolved: 2024-09-30
JDK 24: 24 b18 (Fixed)
Description
Noted in comments after the commit for:

8226919: attach in linux hangs due to permission denied accessing /proc/pid/root
https://github.com/openjdk/jdk/pull/17628

"a Kubernetes debug container may be a little different from other Docker container scenarios because these are two different containers with different root filesystems but the same Linux process namespace. So jcmd using /proc/<pid>/root is necessary to find the socket file, even though jcmd and the target JVM both agree the PID is the same"

"Could the findSocketFile logic be made more robust to the different namespace/filesystem scenarios? E.g. attempt /proc/<pid>/root first? Or perhaps there is a way (not pid != ns_pid) to more accurately determine whether / and /proc/<pid>/root are the same filesystem and /tmp is OK?"


If pid == ns_pid, attach uses /tmp and not /proc/<pid>/root/tmp. This may be an issue if processes share the process namespace but not the filesystem. Needs verification.
Comments
Changeset: 52ba7282
Branch: master
Author: Sebastian Lövdahl <sebastian.lovdahl@hibox.tv>
Committer: Severin Gehwolf <sgehwolf@openjdk.org>
Date: 2024-09-30 08:33:12 +0000
URL: https://git.openjdk.org/jdk/commit/52ba72823be0c969ab873ead2863ec48f883210b
30-09-2024

A pull request was submitted for review.
Branch: master
URL: https://git.openjdk.org/jdk/pull/19055
Date: 2024-05-02 10:13:51 +0000
09-07-2024

solution should test if attachee (JVM) "mnt" namespace is equal to, or not, with the "attacher" (JVM) "mnt" namespace. pid equivalence should *not* be performed here in order to determine if attach peers share a filesystem in common.
- "attachee" should always default to using "/proc/self/root/tmp"
- "attacher" should check accessibility of "/proc/<attachee_pid>/root/tmp" and use that, failing that the attacher should:
  Files.readSymbolicLink(Path.of("/proc", Integer.toString(attacheePid), "ns", "mnt"))
  then compare with:
  Files.readSymbolicLink(Path.of("/proc/self/ns/mnt"))
  if these Paths are equal then the attacher and attachee share a common mount namespace, and an attach can proceed via "/tmp"; otherwise an attach exception should be thrown
02-05-2024
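
The fallback order proposed in the comment above, as an added example (not the JDK's own code and not the committed fix). The class and method names, the `procRoot` parameter and the fake `/proc` tree with its namespace ids are constructed for illustration; the example assumes a Linux host where symbolic links can be created in the temp directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class AttachTmpDir {
    // Pick the directory in which to look for the target JVM's attach socket.
    // procRoot is normally /proc; it is a parameter (assumption of this example)
    // so the decision logic can be exercised on a constructed tree.
    static Path findTargetTmp(Path procRoot, long pid) throws IOException {
        Path viaRoot = procRoot.resolve(Long.toString(pid)).resolve("root").resolve("tmp");
        if (Files.isDirectory(viaRoot) && Files.isReadable(viaRoot)) {
            return viaRoot; // valid whether or not the mount namespaces match
        }
        // /proc/<pid>/root is not usable (for example permission denied):
        // fall back to /tmp only when both sides share one mount namespace.
        Path target = Files.readSymbolicLink(procRoot.resolve(pid + "/ns/mnt"));
        Path self = Files.readSymbolicLink(procRoot.resolve("self/ns/mnt"));
        if (target.equals(self)) {
            return Path.of("/tmp");
        }
        // Equal PIDs say nothing about the filesystem, so refuse rather than guess.
        throw new IOException("target " + pid + " is in mount namespace " + target
                + ", attacher is in " + self + "; /tmp is not shared");
    }

    // Constructed stand-in for /proc/<who>/ns/mnt: a link whose text is the namespace id.
    static void link(Path proc, String who, String ns) throws IOException {
        Path dir = Files.createDirectories(proc.resolve(who).resolve("ns"));
        Files.createSymbolicLink(dir.resolve("mnt"), Path.of(ns));
    }

    public static void main(String[] args) throws IOException {
        Path proc = Files.createTempDirectory("fakeproc"); // constructed sample data
        link(proc, "self", "mnt:[4026531840]");
        link(proc, "101", "mnt:[4026531840]"); // same mount ns, root not accessible
        link(proc, "202", "mnt:[4026532999]"); // other mount ns, root not accessible
        link(proc, "303", "mnt:[4026532999]"); // other mount ns, root accessible
        Files.createDirectories(proc.resolve("303/root/tmp"));
        for (long pid : new long[] {101, 202, 303}) {
            try {
                System.out.println(pid + " -> " + findTargetTmp(proc, pid));
            } catch (IOException e) {
                System.out.println(pid + " -> refused: " + e.getMessage());
            }
        }
    }
}
```

Case 202 is the Kubernetes debug-container situation from the description: the PID is visible to both sides, but the mount namespaces differ, so the lookup fails explicitly instead of searching the attacher's own `/tmp`.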