Red Hat Bugzilla – Bug 1311638
Issues when root tries to attach to non-root JVMs
Last modified: 2016-11-24 11:08:28 EST
Description of problem: There's a well-known issue that on Linux/UNIX root is not allowed to attach to non-root JVMs, see https://bugs.openjdk.java.net/browse/JDK-8036559. I'd like to point out an additional issue in this area: 1) Run the attached AttachTarget as user1 on a terminal 2) Run the attached AttachClient as user1 on a terminal 3) Notice how this works 4) sudo killall -9 java ; sudo rm -rf /tmp/hsperfdata* /tmp/.attach_pid* /tmp/.java_pid* ; 5) Run the attached AttachTarget as user1 on a terminal 6) Run the attached AttachClient as root on a terminal 7) Notice how this fails - unrequested thread dump on AttachTarget terminal and "com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file: target process not responding or HotSpot VM not loaded" printed after a pause on the root terminal 8) sudo killall -9 java ; sudo rm -rf /tmp/hsperfdata* /tmp/.attach_pid* /tmp/.java_pid* ; 9) Run the attached AttachTarget as user1 on a terminal 10) Run the attached AttachClient as user1 on a terminal 11) Notice how this works 12) Run the attached AttachClient as root on a terminal 13) Notice how this fails differently than 6) above - no thread dump on AttachTarget terminal but "java.io.IOException: well-known file is not secure" is printed immediately on the root terminal I think ideally the upstream issue should be fixed. But if that is not going to happen then at least we should avoid printing out the unrequested thread dump on attach target terminal and provide consistent errors for root when trying to connect non-root JVMs, the current situation is just messy. Version-Release number of selected component (if applicable): OpenJDK 1.7 / OpenJDK 1.8
Created attachment 1130253 [details] AttachTarget.java
Created attachment 1130254 [details] AttachClient.java
Assigning to Elliott, who may have come across something similar when working on Thermostat.
Additional inconvenience here for root is that VirtualMachine.list() returns descriptors for all running JVMs, including non-root ones and VirtualMachine.attach(...) hangs shortly and then fails on those non-root JVMs but attach() would be required to know (via getProperties()) whether a JVM is a root or non-root owned one so skipping non-root JVMs as root is a bit hard AFAICS. (For non-root users VirtualMachine.list() returns only JVMs of the same user.) Thanks,
Looks like Attach API isn't reliable even for the user running the JVMs: https://bugzilla.redhat.com/show_bug.cgi?id=1315256
(In reply to Marko Myllynen from comment #4) > Additional inconvenience here for root is that > > VirtualMachine.list() > > returns descriptors for all running JVMs, including non-root ones and > > VirtualMachine.attach(...) > > hangs shortly and then fails on those non-root JVMs but attach() would be > required to know (via getProperties()) whether a JVM is a root or non-root > owned one so skipping non-root JVMs as root is a bit hard AFAICS. > > (For non-root users VirtualMachine.list() returns only JVMs of the same > user.) > > Thanks, FWIW: The way we worked around this problem in Thermostat is that we drop to the JVM owning user before doing the attach. You can get the pid from VirtualMachineDescriptor.id(). Then look up the owning user via /proc/<pid>/status. Once you have the JMX connect URL you should be able to connect.
I think it's best to fix this issue upstream, and allow root to attach to non-root JVMs. This will give users the expected behaviour and get rid of the confusing errors mentioned above. I have proposed a new patch upstream targeting OpenJDK 9: http://mail.openjdk.java.net/pipermail/serviceability-dev/2016-March/019108.html
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.