On Tue, 21 May 2024 17:10:15 GMT, Sebastian Lövdahl <d...@openjdk.org> wrote:
>> 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid
>> (Kubernetes debug container)
>
> Sebastian Lövdahl has updated the pull request incrementally with two
> additional commits since the last revision:
>
>  - Remove unused `SELF_PID_NS`
>  - Rewrite in line with suggestion from Larry Cable

I set up rootless Docker in a VM by following https://docs.docker.com/engine/security/rootless.

    slovdahl@slovdahl-virtual-machine:~$ systemctl status --user docker.service
    ● docker.service - Docker Application Container Engine (Rootless)
         Loaded: loaded (/home/slovdahl/.config/systemd/user/docker.service; enabled; vendor preset: enabled)
         Active: active (running) since Wed 2024-05-22 13:55:06 EEST; 5min ago
           Docs: https://docs.docker.com/go/rootless/
       Main PID: 3314 (rootlesskit)
          Tasks: 58
         Memory: 596.4M
            CPU: 16.821s
         CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
                 ├─3314 rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd>
                 ├─3325 /proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dock>
                 ├─3343 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 3325 tap0
                 ├─3350 dockerd
                 ├─3373 containerd --config /run/user/1000/docker/containerd/containerd.toml
                 └─4116 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 3a84c6c9f7b8ee6220b8953b65ff56639dd51335999cb37580292f4944ee0e65 -address /run/user/1000/docker/containerd/containerd.sock

Started a container running as my user:

    slovdahl@slovdahl-virtual-machine:~$ docker run --name reproducer --rm -v .:/app -w /app eclipse-temurin:17 java Reproducer.java
    Hello, World!
    Bound to port 81

Using the Ubuntu OpenJDK 17 package:

    slovdahl@slovdahl-virtual-machine:~$ java -version
    openjdk version "17.0.10" 2024-01-16
    OpenJDK Runtime Environment (build 17.0.10+7-Ubuntu-122.04.1)
    OpenJDK 64-Bit Server VM (build 17.0.10+7-Ubuntu-122.04.1, mixed mode, sharing)
    slovdahl@slovdahl-virtual-machine:~$ jcmd
    4139 jdk.compiler/com.sun.tools.javac.launcher.Main Reproducer.java
    5965 jdk.jcmd/sun.tools.jcmd.JCmd
    slovdahl@slovdahl-virtual-machine:~$ jcmd 4139 VM.version
    4139:
    OpenJDK 64-Bit Server VM version 17.0.11+9
    JDK 17.0.11

Using mainline JDK without the changes in this PR:

    slovdahl@slovdahl-virtual-machine:~$ /jdk/bin/jcmd 4139 VM.version
    4139:
    OpenJDK 64-Bit Server VM version 17.0.11+9
    JDK 17.0.11

Using JDK built from this PR:

    slovdahl@slovdahl-virtual-machine:~$ /jdk/bin/jcmd 4139 VM.version
    4139:
    OpenJDK 64-Bit Server VM version 17.0.11+9
    JDK 17.0.11

Using a sidecar container mounted into the same PID namespace with Eclipse Temurin 17:

    slovdahl@slovdahl-virtual-machine:~$ docker run --interactive --tty --rm --pid=container:reproducer eclipse-temurin:17.0.11_9-jdk-jammy /bin/bash
    root@b746aeae40d2:/# jcmd
    44 jdk.jcmd/sun.tools.jcmd.JCmd
    root@b746aeae40d2:/# jcmd 1 VM.version
    1:
    OpenJDK 64-Bit Server VM version 17.0.11+9
    JDK 17.0.11

Using a sidecar container mounted into the same PID namespace with mainline JDK (expected to fail):

    slovdahl@slovdahl-virtual-machine:~$ docker run --interactive --tty --rm --pid=container:reproducer --volume /jdk/:/jdk ubuntu:22.04 /bin/bash
    root@7b0c9dc87175:/# /jdk/bin/jcmd
    1 jdk.compiler/com.sun.tools.javac.launcher.Main Reproducer.java
    234 jdk.jcmd/sun.tools.jcmd.JCmd
    root@7b0c9dc87175:/# /jdk/bin/jcmd 1 VM.version
    1:
    com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file /tmp/.java_pid1: target process 1 doesn't respond within 10500ms or HotSpot VM not loaded
            at jdk.attach/sun.tools.attach.VirtualMachineImpl.<init>(VirtualMachineImpl.java:99)
            at jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:58)
            at jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:207)
            at jdk.jcmd/sun.tools.jcmd.JCmd.executeCommandForPid(JCmd.java:113)
            at jdk.jcmd/sun.tools.jcmd.JCmd.main(JCmd.java:97)

Using a sidecar container mounted into the same PID namespace with JDK built from this PR:

    slovdahl@slovdahl-virtual-machine:~$ docker run --interactive --tty --rm --pid=container:reproducer --volume /jdk/:/jdk ubuntu:22.04 /bin/bash
    root@1ed0633e74eb:/# /jdk/bin/jcmd
    1 jdk.compiler/com.sun.tools.javac.launcher.Main Reproducer.java
    154 jdk.jcmd/sun.tools.jcmd.JCmd
    root@1ed0633e74eb:/# /jdk/bin/jcmd 1 VM.version
    1:
    OpenJDK 64-Bit Server VM version 17.0.11+9
    JDK 17.0.11

Starting the target container with elevated privileges:

    slovdahl@slovdahl-virtual-machine:~$ docker run --name reproducer --cap-add=CAP_NET_RAW --rm -v .:/app -w /app eclipse-temurin:17 java Reproducer.java
    Hello, World!
    Bound to port 81
    slovdahl@slovdahl-virtual-machine:~$ sudo getpcaps 7332
    7332: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep

Attaching from a sidecar container with a JDK built from this PR:

    slovdahl@slovdahl-virtual-machine:~$ docker run --interactive --tty --rm --pid=container:reproducer --volume /jdk/:/jdk ubuntu:22.04 /bin/bash
    root@07d305e00ade:/# /jdk/bin/jcmd 1 VM.version
    1:
    OpenJDK 64-Bit Server VM version 17.0.11+9
    JDK 17.0.11

-------------

PR Comment: https://git.openjdk.org/jdk/pull/19055#issuecomment-2124549900
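The mainline failure in the sidecar transcript above (`Unable to open socket file /tmp/.java_pid1` while the PR build succeeds) comes down to how the attach client derives the socket path from the target's PID. The following is an added illustration, not the JDK's `VirtualMachineImpl` and not code from this PR: it parses the `NSpid` line of a constructed `/proc/<pid>/status` and contrasts a "pid == ns_pid means same container, so use my own /tmp" heuristic (my reading of the bug title, assumed rather than quoted from the JDK source) with always resolving through `/proc/<pid>/root`, which is the target's own mount-namespace view. With `--pid=container:reproducer` the sidecar shares the target's PID namespace but not its mount namespace, so from the sidecar the target is pid 1 in every column of `NSpid` while `/tmp/.java_pid1` lives in a `/tmp` the sidecar cannot see.

```python
"""Derive the HotSpot attach socket path for a target JVM from its
/proc/<pid>/status as seen from the caller's PID namespace.

Illustrative code only; the heuristic_socket_path() rule is an assumption
about the pre-fix behaviour, not a quote of any JDK source."""
import os
import re

# Constructed /proc/<pid>/status excerpts (not captured from the PR's VM).
# Host view of the target JVM: host pid 4139, pid 1 inside its container.
STATUS_SEEN_FROM_HOST = "Name:\tjava\nPid:\t4139\nNSpid:\t4139\t1\n"
# Sidecar view (--pid=container:reproducer): PID namespace is shared, so
# the target is pid 1 in both the caller's and the innermost namespace.
STATUS_SEEN_FROM_SIDECAR = "Name:\tjava\nPid:\t1\nNSpid:\t1\n"

_NSPID_RE = re.compile(r"^NSpid:\s*(.*)$", re.MULTILINE)


def parse_nspid(status_text):
    """Return (pid as the caller sees it, pid in the target's innermost PID namespace).

    NSpid lists one pid per nested PID namespace, outermost first; the last entry
    is the pid the JVM itself used when it created /tmp/.java_pid<N>.
    """
    m = _NSPID_RE.search(status_text)
    if m is None:
        raise ValueError("no NSpid line: kernel older than 4.1 or not Linux")
    ids = [int(x) for x in m.group(1).split()]
    return ids[0], ids[-1]


def heuristic_socket_path(pid, ns_pid):
    """Assumed pre-fix rule: equal pids are taken to mean 'same container',
    so the caller's own /tmp is used. From a sidecar this picks a /tmp in the
    wrong mount namespace, which matches the AttachNotSupportedException above."""
    if pid == ns_pid:
        return f"/tmp/.java_pid{pid}"
    return f"/proc/{pid}/root/tmp/.java_pid{ns_pid}"


def proc_root_socket_path(pid, ns_pid):
    """Always resolve through the target's root: /proc/<pid>/root is the
    target's mount-namespace view, so its /tmp is right whether or not
    pid == ns_pid (access still requires ptrace permission on the target)."""
    return f"/proc/{pid}/root/tmp/.java_pid{ns_pid}"


def choose_socket(pid, ns_pid, exists=os.path.exists):
    """Return the first candidate socket path that exists, robust path first.
    `exists` is injectable so the function can be exercised offline."""
    for candidate in (proc_root_socket_path(pid, ns_pid),
                      heuristic_socket_path(pid, ns_pid)):
        if exists(candidate):
            return candidate
    return None


# Constructed picture of the sidecar's filesystem: the target's socket is only
# reachable via the target's own root, never via the sidecar's /tmp.
SIDECAR_FS = {"/proc/1/root/tmp/.java_pid1"}


def demo():
    """Walk the sidecar case end to end and return the path that would work."""
    pid, ns_pid = parse_nspid(STATUS_SEEN_FROM_SIDECAR)
    print(f"sidecar sees pid={pid} ns_pid={ns_pid}")
    print("heuristic would open:", heuristic_socket_path(pid, ns_pid))
    chosen = choose_socket(pid, ns_pid, exists=SIDECAR_FS.__contains__)
    print("usable socket:", chosen)
    return chosen


if __name__ == "__main__":
    demo()
```

Run against a live JVM (`choose_socket(pid, ns_pid)` with the default `exists`) the function reports which of the two candidates is actually present, which is a quick way to confirm from a debug container whether an attach failure is a namespace-resolution problem or something else (a JVM started with `-XX:+DisableAttachMechanism`, or missing ptrace permission on `/proc/<pid>/root`).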