On Mon, 1 Jul 2024 07:19:48 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with one
> additional commit since the last r
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
Sebastian Lövdahl has updated the pull request incrementally with one
additional commit since the last revision:
Clarify PID 1 check with comment
-
Changes:
- all:
On Mon, 1 Jul 2024 12:55:24 GMT, Kevin Walls wrote:
>(!havePidNSes && nsPid > 1)
> I didn't get this at first, I think it's because PID 1 can't have a parent?
> (in the same namespace)
That was my assumption as well. Is that correct @larry-cable? Maybe it could be
worth clarifying with a
On 7/1/24 5:59 AM, Kevin Walls wrote:
On Mon, 1 Jul 2024 07:19:48 GMT, Sebastian Lövdahl wrote:
8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
(Kubernetes debug container)
Sebastian Lövdahl has updated the pull request incrementally with one
additional commit since
On Mon, 1 Jul 2024 07:19:48 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with one
> additional commit since the last r
On Mon, 1 Jul 2024 07:19:48 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with one
> additional commit since the last r
On Fri, 28 Jun 2024 18:02:28 GMT, Kevin Walls wrote:
>> Sebastian Lövdahl has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> Add test for the elevated privileges case
>
>
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
Sebastian Lövdahl has updated the pull request incrementally with one
additional commit since the last revision:
Adapt code style
-
Changes:
- all: https://git.openj
On Wed, 5 Jun 2024 06:22:17 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with one
> additional commit since the last
On Wed, 5 Jun 2024 06:22:17 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with one
> additional commit since the last
On Wed, 5 Jun 2024 06:22:17 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with one
> additional commit since the last
On Mon, 3 Jun 2024 23:07:00 GMT, Larry Cable wrote:
>> Sebastian Lövdahl has updated the pull request incrementally with two
>> additional commits since the last revision:
>>
>> - Remove unused `SELF_PID_NS`
>> - Rewrite in line with suggestion from Larry Cable
>
> it looks as though I can
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
Sebastian Lövdahl has updated the pull request incrementally with one
additional commit since the last revision:
Add test for the elevated privileges case
-
Changes:
On 6/4/24 5:57 AM, Sebastian Lövdahl wrote:
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
(Kubernetes debug container)
Sebastian Lövdahl has updated the pull request incrementally with two
additional
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Wed, 22 May 2024 19:04:22 GMT, Larry Cable wrote:
>> Sebastian Lövdahl has updated the pull request incrementally with two
>> additional commits since the last revision:
>>
>> - Remove unused `SELF_PID_NS`
>> - Rewrite in line with suggestion from Larry Cable
>
> On 5/22/24 11:58 AM,
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Wed, 22 May 2024 18:40:00 GMT, Larry Cable wrote:
> I haven't but I will BTW which linux capabilities should be enabled in order
> to prevent a /proc/... style attach due to lack of permissions to access
> target's /proc fs? Rgds - Larry
I know for sure that `CAP_NET_BIND_SERVICE` prevents
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Tue, 21 May 2024 21:06:22 GMT, Larry Cable wrote:
>> Sebastian Lövdahl has updated the pull request incrementally with two
>> additional commits since the last revision:
>>
>> - Remove unused `SELF_PID_NS`
>> - Rewrite in line with suggestion from Larry Cable
>
> Hi Sebastian!
>
> On
On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits si
On Mon, 6 May 2024 18:31:06 GMT, Larry Cable wrote:
>> Sebastian Lövdahl has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> Reworked attach logic
>
> On 5/6/24 10:35 AM, Sebastian Lövdahl wrote:
>>
>> I pushed an updated attempt at this
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
Sebastian Lövdahl has updated the pull request incrementally with two
additional commits since the last revision:
- Remove unused `SELF_PID_NS`
- Rewrite in line with suggestion from
On Sun, 12 May 2024 18:38:34 GMT, Sebastian Lövdahl wrote:
> In these cases, is it not a requirement that jcmd is run as root? So even if
> the target process is run with elevated privileges, attaching would always
> work. Or is there some way to attach from host to container with a non-root
On Mon, 6 May 2024 18:31:06 GMT, Larry Cable wrote:
>> Sebastian Lövdahl has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> Reworked attach logic
>
> On 5/6/24 10:35 AM, Sebastian Lövdahl wrote:
>>
>> I pushed an updated attempt at this
I did some thinking on this issue over the weekend and came up with an
idea that *may* improve the probability of an attach succeeding in the
case that the target has elevated privileges and the jcmd is not in the
same mnt namespace as the target JVM.
basically, the idea is to recurse
On 5/3/24 10:43 AM, jdoylei wrote:
On Thu, 2 May 2024 10:13:51 GMT, Sebastian Lövdahl wrote:
8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
(Kubernetes debug container)
I think it boils down to the same reason as why the fix for JDK-8226919 was needed in
the first
wrote:
On Mon, 6 May 2024 17:29:05 GMT, Sebastian Lövdahl wrote:
8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
(Kubernetes debug container)
Sebastian Lövdahl has updated the pull request incrementally with one
additional commit since the last revision:
Reworked att
On Mon, 6 May 2024 17:29:05 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with one
> additional commit si
On Mon, 6 May 2024 17:29:05 GMT, Sebastian Lövdahl wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with one
> additional commit si
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
Sebastian Lövdahl has updated the pull request incrementally with one
additional commit since the last revision:
Reworked attach logic
-
Changes:
- all:
I'll send you another diff, I have something that I think may work...
On 5/6/24 9:16 AM, Sebastian Lövdahl wrote:
Yep, that sounds reasonable. I'll try to work something out along
these lines, thanks for the input!
Unfortunately, /proc//cwd is also restricted in the same way
as /proc//root
On Fri, 3 May 2024 17:40:54 GMT, jdoylei wrote:
> > I think it boils down to the same reason as why the fix for JDK-8226919 was
> > needed in the first place - a non-root user cannot read the symlinks in
> > `/proc//ns` for a process running with more privileges even though
> > it's run by
Yep, that sounds reasonable. I'll try to work something out along these
lines, thanks for the input!
Unfortunately, /proc//cwd is also restricted in the same way
as /proc//root is.
/Sebastian
On 2024-05-05 00:06, Laurence Cable wrote:
so I think to summarize the logic we require:
1) if we
so I think to summarize the logic we require:
1) if we can determine that the attacher and attachee occupy the same
mnt ns (/proc//ns/mnt == /proc//ns/mnt), return "/tmp"
2) if they are not in the same mnt ns:
- test the /proc//root/tmp path for readability, if it
is, return that
- if
On Thu, 2 May 2024 10:13:51 GMT, Sebastian Lövdahl wrote:
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
> I think it boils down to the same reason as why the fix for JDK-8226919 was
> needed in the first place - a non-root
Lövdahl wrote:
8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
(Kubernetes debug container)
Thanks for the patch @larry-cable, much appreciated! I really like this idea.
I tried it out a bit locally. These cases seem to work:
- attaching to a process running on the
On Thu, 2 May 2024 10:13:51 GMT, Sebastian Lövdahl wrote:
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
Thanks for the patch @larry-cable, much appreciated! I really like this idea.
I tried it out a bit locally. These cases seem t
diff --git
a/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
b/src/jdk.attach/linux/classes/sun/tools/attach/V
irtualMachineImpl.java
index 81d4fd259ed..74bd60c791d 100644
--- a/src/jdk.attach/linux/classes/sun/tools/attach/VirtualMachineImpl.java
+++
in Linux may have wrong behaviour when pid ==
ns_pid (Kubernetes debug container)
Replies to
On Thu, 2 May 2024 10:13:51 GMT, Sebastian Lövdahl wrote:
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
Ran the following tests locally:
$ make test TEST="jtreg:test/hotspot/jtreg/containers"
...
===
:13:51 GMT, Sebastian Lövdahl wrote:
8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
(Kubernetes debug container)
This is a first stab at fixing the regression introduced in #17628. There has
been a bit of discussion in
https://mail.openjdk.org/pipermail/serviceability-dev/
On Thu, 2 May 2024 10:13:51 GMT, Sebastian Lövdahl wrote:
> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
> (Kubernetes debug container)
This is a first stab at fixing the regression introduced in #17628. There has
been a bit of discussion in
https://mail.openj
On 5/2/24 3:09 AM, Sebastian Lövdahl wrote:
Interesting, TIL about /proc//ns. I tried to look for something
like that but couldn't find anything relevant in /proc//status.
ok
So, a pixel perfect solution could compare these IDs to know whether
/tmp or /proc//root/tmp should be used.
>
8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
(Kubernetes debug container)
-
Commit messages:
- 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
(Kubernetes debug container)
Changes: https://git.openjdk.org/jdk/pull/19055/files
Webrev
Interesting, TIL about /proc//ns. I tried to look for something
like that but couldn't find anything relevant in /proc//status.
So, a pixel perfect solution could compare these IDs to know whether
/tmp or /proc//root/tmp should be used.
> 2. jcmd treats it as a heuristic and attempts each
just to demonstrate:
$ docker run -it --name=js1 openjdk:17.0.1-jdk /bin/jshell
...
$ docker run -it --name js2 --pid=container:js1 openjdk:17.0.1 /bin/jshell
$ docker exec -it js1 bash
bash-4.4# ls /tmp/hsperfdata_root
1 26
bash-4.4# readlink /proc/26/ns/pid
pid:[4026532751]
bash-4.4#
On 5/1/24 2:03 PM, Doyle, James, K wrote:
Hi Sebastian,
I think I can confirm that there is a regression.
Thanks for reproducing the regression, your test makes sense to me, and I think
it is similar to the scenario we have with Kubernetes debug containers
(separate filesystems, but same
Hi Sebastian,
> I think I can confirm that there is a regression.
Thanks for reproducing the regression, your test makes sense to me, and I think
it is similar to the scenario we have with Kubernetes debug containers
(separate filesystems, but same PID namespace).
I noticed some of the other
Hi all,
It seems like my fix for https://bugs.openjdk.org/browse/JDK-8226919
regressed one use-case for Kubernetes debug containers (and other
technically similar approaches). Quoting @jdoylei from
https://github.com/openjdk/jdk/pull/17628#issuecomment-1969769654:
"We're running jcmd