Hello,
I don’t have a strong feeling towards or against changing the default. While I agree that having ad-hoc access to diagnostics is good, I am also ok with having to prepare that once, even when it means I can’t catch the first instability.
Having said that I had a lot of bad experiences with APM tools instrumentations my application without the application owner beeing aware of it (causing a lot of support effort). From that point of view I will probably disable the dynamic loading by default, since most of my tools used in production don’t require ad-hoc instrumentation (mostly only Thread.print or Heapdump). So thanks for the reminder that this option exists (and thanks for fixing it to apply to all loading).
Gruss
Bernd
--
http://bernd.eckenfels.net
Von: serviceability-dev <serviceability-dev-r...@openjdk.org> im Auftrag von Jaroslav Bachorik <j.bacho...@gmail.com>
Gesendet: Montag, März 20, 2023 11:37 AM
An: Ron Pressler <ron.press...@oracle.com>
Cc: Andrei Pangin <andrei.pan...@gmail.com>; jigsaw-...@openjdk.org <jigsaw-...@openjdk.org>; serviceability-dev@openjdk.org <serviceability-dev@openjdk.org>
Betreff: Re: [External] : Re: Disallowing the dynamic loading of agents by default
Gesendet: Montag, März 20, 2023 11:37 AM
An: Ron Pressler <ron.press...@oracle.com>
Cc: Andrei Pangin <andrei.pan...@gmail.com>; jigsaw-...@openjdk.org <jigsaw-...@openjdk.org>; serviceability-dev@openjdk.org <serviceability-dev@openjdk.org>
Betreff: Re: [External] : Re: Disallowing the dynamic loading of agents by default
Hi,
On Mon, Mar 20, 2023 at 11:11 AM Ron Pressler <ron.press...@oracle.com> wrote:
Hi.
The majority of serviceability tools don’t require dynamically loading an agent, and the majority of applications never load an agent dynamically.
The majority of the JDK built-in tools, I would say. What about eg. the JMC agent?
True, there are some tools that will be affected, which is why the decision was to introduce the flag in JDK 9 and to announce this change, but change the default in a later version to give tools ample time to prepare their users. The rationale for this change then hasn’t changed, but will be reiterated in a JEP (we just wanted to announce this ahead of the JEP to give tool authors another reminder more than six months ahead of JDK 21). The only change between then and now is that even fewer use cases require dynamically loaded agents, and so the impact is even smaller
As a maintainer of one of such tools I can confidently say that this change will either kill the tool as the ease of use will be gone or the workaround (eg. using JAVA_TOOL_OPTIONS) will completely defeat the purpose of this change. Having to put a flag when starting the JVM to allow dynamic loading of agents sounds a bit nonsensical to me - it would be much easier to directly add the agent to the JVM startup and then implement a lightweight control protocol over socket/shared memory to enabled/disable the agent features dynamically.
It is also true that, when starting an application you don’t know that you *will* need to load an agent, but in most situations you know that you might. E.g. processes that are too critical to bring down even for deep maintenance (although not many of these are written in modern version of Java anyone) or canary services that are under trial. The relatively few sophisticated users who know how to write ad-hoc agents can even opt to enable dynamic agent loading on all their servers; these users are better equipped to can weigh the risks and tradeoffs involved.
Wouldn't having this enabled system-wide actually defeat the purpose of having this flag? Considering that the dynamic attach can be performed only on the same host under the same user as the target process there seems to be a very small chance of loading agents accidentally. In the end people would set up their systems to enabled dynamic agent loading via eg. JAVA_TOOL_OPTIONS and we will be in the same place as before, with the additional hurdle of setting everything up.
Finally, some tools that require a dynamically loaded JVM TI agents, such as profilers that profile native code, are so tied to the VM's internals that the best place for them is in the JDK. If anything, the bigger problem is not that profilers are used too much in production, but too little, including less advanced ones that don’t require an agent. There is plenty of time to enhance the JDK’s built-in profiling capabilities ahead of demand.
I think this is an overly optimistic view. It is *much more* difficult to enhance the JDK's built-in profiling capabilities than do the same in an external profiling agent.
Overall, I don't seem to understand the anticipated attack vectors this change is supposed to prevent. AFAIK, in order to do the dynamic agent load one needs to have full access to the target process. That means that there are more convenient and straightforward ways to do anything nefarious than loading a JVMTI agent. Am I missing some other usages where the JVMTI agent would actually give access to something which would be otherwise inaccessible considering that the attacher and attachee must be on the same host and under the same user?
Cheers,
-JB-
— Ron
On 20 Mar 2023, at 01:21, Andrei Pangin <andrei.pan...@gmail.com> wrote:
Hi all,
Serviceability has been one of the biggest Java strengths, but the proposed change is going to have a large negative impact on it.
Disallowing dynamic agents by default means it will no longer be possible to attach a profiler to a running app in runtime. JFR cannot close this gap due to lack of capabilities modern Java profilers have (that's a separate topic though).
When an issue happens with a live app, it's already too late to add a command line argument. Furthermore, it may not be even feasible to add an agent at startup in containerized applications. Starting profiler on demand from the host OS or from a sidecar is the only viable solution in these cases.
Next, it's hard to predict beforehand what tools exactly might be useful for troubleshooting: e.g., one tool may be better for finding memory leaks, a different one for analyzing CPU performance. Adding all possible tools at startup does not seem a reasonable approach, especially when tools may conflict with each other.
The most important aspect of dynamic agents is the possibility to make a special tool just in time for solving a particular problem. A typical example is to get a value of some field in a live app without dumping the entire 60 GB heap. Another common use case is hot patching for fixing trivial bugs or for adding debug logs dynamically. The prominent example is when the dynamic agent has proved irreplaceable aid in addressing the notorious log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046.
I would be grateful to know more about the reasons why we should give up all the above advantages of dynamic agents in their good and legitimate use cases.
Thank you,
Andrei
чт, 16 мар. 2023 г. в 18:48, Ron Pressler <ron.press...@oracle.com>:
Hi.
In JDK 21 we intend to disallow the dynamic loading of agents by default. This
will affect tools that use the Attach API to load an agent into a JVM some time
after the JVM has started [1]. There is no change to any of the mechanisms that
load an agent at JVM startup (-javaagent/-agentlib on the command line or the
Launcher-Agent-Class attribute in the main JAR's manifest).
This change in default behavior was proposed in 2017 as part of JEP 261 [2][3].
At that time the consensus was to switch to this default not in JDK 9 but in a
later release to give tool maintainers sufficient time to inform their users.
To allow the dynamic loading of agents, users will need to specify
-XX:+EnableDynamicAgentLoading on the command line.
I'll post a draft JEP for review shortly.
-- Ron
[1]: https://docs.oracle.com/en/java/javase/19/docs/api/jdk.attach/com/sun/tools/attach/package-summary.html
[2]: https://openjdk.org/jeps/261
[3]: https://mail.openjdk.org/pipermail/jigsaw-dev/2017-April/012040.html
