RFR: 8193710 - jcmd -l and jps commands do not list Java processes running in Docker containers
David Holmes
david.holmes at oracle.com
Mon Jan 22 22:15:46 UTC 2018
Thanks Bob. Seems okay.
David
On 23/01/2018 3:20 AM, Bob Vandette wrote:
> Please review this change that resolves the detection of Java processes that are running in cgroup
> based containers.
>
> This latest (and hopefully final) update of this fix addresses comments from David Holmes and Mandy Chung.
>
> Bug:
>
> https://bugs.openjdk.java.net/browse/JDK-8193710
>
> Webrev:
>
> http://cr.openjdk.java.net/~bobv/8193710/webrev.02/
>
> Summary:
>
> This changeset enables the ability to use jcmd and jps running on a Host to
> list the java processes that are running in docker (cgroup based) containers.
>
> I’ve tested this change by examining processes running as root on both host and in
> docker containers as well as under my userid using “jps and jcmd -l”.
> I’ve also tested updates to the getFile functions with a small example program that I wrote.
>
>
> Here are some implementation details that I’ve added to the Linux specific implementation class:
>
> src/jdk.internal.jvmstat/linux/classes/sun/jvmstat/PlatformSupportImpl.java
>
> /* Implementation Details:
> *
> * Java processes that run in docker containers are typically running
> * under cgroups with separate pid namespaces which means that pids
> * within the container are different that the pid which is visible
> * from the host. The container pids typically start with 1 and
> * increase. The java process running in the container will use these
> * pids when creating the hsperfdata files. In order to locate java
> * processes that are running in containers, we take advantage of
> * the Linux proc file system which maps the containers tmp directory
> * to the hosts under /proc/{hostpid}/root/tmp. We use the /proc status
> * file /proc/{hostpid}/status to determine the containers pid and
> * then access the hsperfdata file. The status file contains an
> * entry "NSPid:" which shows the mapping from the hostpid to the
> * containers pid.
> *
> * Example:
> *
> * NSPid: 24345 11
> *
> * In this example process 24345 is visible from the host,
> * is running under the PID namespace and has a container specific
> * pid of 11.
> *
> * The search for Java processes is done by first looking in the
> * traditional /tmp for host process hsperfdata files and then
> * the search will container in every /proc/*/root/tmp directory.
> * There are of course added complications to this search that
> * need to be taken into account.
> *
> * 1. duplication of tmp directories
> *
> * /proc/{hostpid}/root/tmp directories exist for many processes
> * that are running on a Linux kernel that has cgroups enabled even
> * if they are not running in a container. To avoid this duplication,
> * we compare the inode of the /proc tmp directories to /tmp and
> * skip these duplicated directories.
> *
> * 2. Containerized processes without PID namespaces being enabled.
> *
> * If a container is running a Java process without namespaces being
> * enabled, an hsperfdata file will only be located at
> * /proc/{hostpid}/root/tmp/{hostpid}. This is handled by
> * checking the last component in the path for both the hostpid
> * and potential namespacepids (if one exists).
> */
>
> Bob.
>
More information about the serviceability-dev
mailing list