RFR: 8264482: container info misleads on non-container environment

Yasumasa Suenaga ysuenaga at openjdk.java.net
Wed Mar 31 14:20:31 UTC 2021


On Wed, 31 Mar 2021 12:22:36 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:

>> The hs_err log and the `VM.info` dcmd show cgroup information as container information even though the process runs in a non-container environment, as follows.
>> 
>> container (cgroup) information:
>> container_type: cgroupv2
>> cpu_cpuset_cpus: not supported
>> cpu_memory_nodes: not supported
>> active_processor_count: 4
>> cpu_quota: not supported
>> cpu_period: not supported
>> cpu_shares: not supported
>> memory_limit_in_bytes: unlimited
>> memory_and_swap_limit_in_bytes: unlimited
>> memory_soft_limit_in_bytes: unlimited
>> memory_usage_in_bytes: 164163584
>> memory_max_usage_in_bytes: not supported
>> 
>> We can use cgroup outside of a container, so it is useful to show. However, cgroup is different from a container. We should distinguish them.
>> It is also useful if we can see the container runtime in this section, so I added it. We can see the following contents in this section after this change.
>> 
>> cgroup information:
>> cgroup_type: cgroupv2
>> container runtime: podman
>> cpu_cpuset_cpus: not supported
>> cpu_memory_nodes: not supported
>> active_processor_count: 4
>> cpu_quota: not supported
>> cpu_period: not supported
>> cpu_shares: not supported
>> memory_limit_in_bytes: unlimited
>> memory_and_swap_limit_in_bytes: unlimited
>> memory_soft_limit_in_bytes: unlimited
>> memory_usage_in_bytes: 256176128
>> memory_max_usage_in_bytes: not supported
>> 
>> In the case of systemd, it checks the PID (PID 1 or not) and `$container` in PID 1. We should check them to know whether the JVM runs in a container or not.
>> 
>> https://github.com/systemd/systemd/blob/68337e55f62cf49b7bdfb73dc5662e23b0ea17fa/src/basic/virt.c#L619
>
> src/hotspot/os/linux/osContainer_linux.cpp line 75:
> 
>> 73:   if (getpid() == 1) {
>> 74:     // This process is in container
>> 75:     _runtime = os::strdup_check_oom(getenv("container"));
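Review bot: line 75 passes the result of getenv("container") straight to os::strdup_check_oom() with no NULL check; getenv() returns NULL when the variable is unset, and being PID 1 does not guarantee that a runtime set it. Suggest reading the value into a local first and duplicating it only when it is non-NULL, leaving _runtime unset otherwise. The comment on line 74 also states more than the check on line 73 establishes, since a process can be PID 1 in its own PID namespace without a container runtime; "possibly in a container" would match the check.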
> 
> In my testing this shows `oci`:
> 
> $ podman run --rm -ti fedora:33
> [root@2322a30ef7cd /]# echo $container
> oci
> 
> So I'm not sure this will be very helpful. Systemd does some fairly involved translation:
> https://github.com/systemd/systemd/blob/68337e55f62cf49b7bdfb73dc5662e23b0ea17fa/src/basic/virt.c#L677
> 
> Those heuristics will involve a partial implementation of https://bugs.openjdk.java.net/browse/JDK-8261242
> 
> Also consider that there are multiple container runtimes when podman is in use (I don't know about docker). For example `crun` and `runc`. In a way, container runtime then becomes ambiguous too.

I think it is OK if we can know the process was run in a container. It is better to know what runtime was used if possible - it might not be mandatory. So I think we can refer to /run/.containerenv and /.dockerenv now, like systemd. It might not be enough, but it would be acceptable.

JDK-8261242 has been assigned to Harold, so I will not start working on it now.
(I can work on it, of course, if you agree with the above.)

-------------

PR: https://git.openjdk.java.net/jdk/pull/3280
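
The checks discussed in this message (the marker files /run/.containerenv and /.dockerenv, then `$container` when running as PID 1), written out as an added example; it is not code from the PR, from HotSpot or from systemd. The function names, the `root` parameter and the constructed sample root are assumptions made for illustration.

```cpp
#include <stdlib.h>     // mkdtemp, getenv
#include <sys/stat.h>   // stat, mkdir
#include <unistd.h>     // getpid
#include <cstdio>
#include <fstream>
#include <string>

static bool path_exists(const std::string& path) {
  struct stat st;
  return ::stat(path.c_str(), &st) == 0;
}

// Hypothetical helper (not HotSpot code). `root` is the filesystem root to
// probe: "" for the real one, a constructed directory when testing.
// Returns the runtime hint, or "" when nothing indicates a container.
std::string detect_container_runtime(const std::string& root, pid_t pid,
                                     const char* container_env) {
  // Marker files are visible to every process in the container, not only
  // PID 1, and name the engine where $container may just say "oci".
  if (path_exists(root + "/run/.containerenv")) return "podman";
  if (path_exists(root + "/.dockerenv")) return "docker";
  // Our own $container is only PID 1's environment when we are PID 1.
  // getenv() returns NULL when the variable is unset, so check first.
  if (pid == 1 && container_env != nullptr && *container_env != '\0')
    return container_env;
  return "";
}

// Builds a constructed sample root under /tmp holding one marker file.
std::string make_sample_root(const std::string& subdir, const std::string& file) {
  char tmpl[] = "/tmp/ctr-root-XXXXXX";
  const char* dir = mkdtemp(tmpl);
  if (dir == nullptr) return "/nonexistent-ctr-root";
  std::string parent(dir);
  if (!subdir.empty()) {
    parent += "/" + subdir;
    mkdir(parent.c_str(), 0700);
  }
  std::ofstream marker(parent + "/" + file);
  marker << "constructed\n";
  return dir;
}

int main() {
  std::string rt = detect_container_runtime("", getpid(), getenv("container"));
  std::printf("container runtime: %s\n", rt.empty() ? "(none detected)" : rt.c_str());
  return 0;
}
```

All three signals are hints suitable for diagnostic output such as hs_err; anything inside the environment can create the files or set the variable, so they should not drive a security decision.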


More information about the hotspot-runtime-dev mailing list