RFR: 8193710 - jcmd -l and jps commands do not list Java processes running in Docker containers

David Holmes david.holmes at oracle.com
Mon Jan 22 22:15:46 UTC 2018


Thanks Bob. Seems okay.

David

On 23/01/2018 3:20 AM, Bob Vandette wrote:
> Please review this change that resolves the detection of Java processes that are running in cgroup
> based containers.
> 
> This latest (and hopefully final) update of this fix addresses comments from David Holmes and Mandy Chung.
> 
> Bug:
> 
> https://bugs.openjdk.java.net/browse/JDK-8193710
> 
> Webrev:
> 
> http://cr.openjdk.java.net/~bobv/8193710/webrev.02/
> 
> Summary:
> 
> This changeset enables the ability to use jcmd and jps running on a Host to
> list the java processes that are running in docker (cgroup based) containers.
> 
> I’ve tested this change by examining processes running as root on both host and in
> docker containers as well as under my userid using “jps and jcmd -l”.
> I’ve also tested updates to the getFile functions with a small example program that I wrote.
> 
> 
> Here are some implementation details that I’ve added to the Linux specific implementation class:
> 
>         src/jdk.internal.jvmstat/linux/classes/sun/jvmstat/PlatformSupportImpl.java
> 
>     /* Implementation Details:
>      *
>      * Java processes that run in docker containers are typically running
>      * under cgroups with separate pid namespaces which means that pids
>      * within the container are different that the pid which is visible
>      * from the host.  The container pids typically start with 1 and
>      * increase.  The java process running in the container will use these
>      * pids when creating the hsperfdata files.  In order to locate java
>      * processes that are running in containers, we take advantage of
>      * the Linux proc file system which maps the containers tmp directory
>      * to the hosts under /proc/{hostpid}/root/tmp.  We use the /proc status
>      * file /proc/{hostpid}/status to determine the containers pid and
>      * then access the hsperfdata file.  The status file contains an
>      * entry "NSPid:" which shows the mapping from the hostpid to the
>      * containers pid.
>      *
>      * Example:
>      *
>      * NSPid: 24345 11
>      *
>      * In this example process 24345 is visible from the host,
>      * is running under the PID namespace and has a container specific
>      * pid of 11.
>      *
>      * The search for Java processes is done by first looking in the
>      * traditional /tmp for host process hsperfdata files and then
>      * the search will container in every /proc/*/root/tmp directory.
>      * There are of course added complications to this search that
>      * need to be taken into account.
>      *
>      * 1. duplication of tmp directories
>      *
>      * /proc/{hostpid}/root/tmp directories exist for many processes
>      * that are running on a Linux kernel that has cgroups enabled even
>      * if they are not running in a container.  To avoid this duplication,
>      * we compare the inode of the /proc tmp directories to /tmp and
>      * skip these duplicated directories.
>      *
>      * 2. Containerized processes without PID namespaces being enabled.
>      *
>      * If a container is running a Java process without namespaces being
>      * enabled, an hsperfdata file will only be located at
>      * /proc/{hostpid}/root/tmp/{hostpid}.  This is handled by
>      * checking the last component in the path for both the hostpid
>      * and potential namespacepids (if one exists).
>      */
> 
> Bob.
> 


More information about the serviceability-dev mailing list