RFR: 8228343: JCMD and attach fail to work across Linux Container boundary
Kevin Walls
kevinw at openjdk.java.net
Wed Jun 9 10:24:12 UTC 2021
On Tue, 8 Jun 2021 20:44:46 GMT, Kevin Walls <kevinw at openjdk.org> wrote:
> Since 8214300, jcmd cannot attach to a Java process in a docker container.
>
> That change started using a canonicalized File to create the .attach_pidXXX file. For a target process in a container, it will follow a symlink that is likely not the same as for the target process. e.g. follow a symlink to a cwd of / which is not the same directory for the container host, as it is within the container. Containerized VM never sees the file, never creates the socket file, the attach times out and fails.
>
> To keep the 8214300 change working for non-container situations, we can keep a canonical version of the attach File to use for deleting.
>
> For containers there will remain the problem 8214300 describes, although it is unlikely: if you start the attach to a containerized VM, and it then exits, we can't delete the .attach_pidXXX file. Neither the /proc/PID/cwd nor the canonical form is of any use.
>
> (Possibly leaving a .attach_pidXXX file if the target dies in that small window is better than the current situation.)
>
> Here I'm suggesting the same change on AIX, although I can't build/test that. I'm expecting it has the same problem, as /proc/pid/cwd is still a symlink.

Thanks Yasumasa --

> Can we use /proc/<PID>/root?

root is also a symlink, like cwd, so we can't resolve its canonical location (literally "/") and put a file there, or if our target is in a container it won't see it. So the problem is not that we can't access /proc/PID/cwd/ but it's that if using the canonical filename, jcmd and its target will resolve them differently.

Maybe it is interesting that we don't use cwd for the socket file, but it's not something I would want to start changing at this time... 8-)

-------------
PR: https://git.openjdk.java.net/jdk/pull/4418
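
The path mismatch discussed in this message, modelled as an added example (not code from the JDK or from the PR). It simulates the host and container roots with two directory trees; the layout, the `ProcCwd` and `in_root` names and pid 42 are constructed assumptions.

```python
import os
import tempfile

def in_root(root, path):
    """Resolve an absolute path string the way a process rooted at `root` would."""
    return os.path.join(root, path.lstrip("/"))

def build_layout(base):
    """Constructed layout: a host root with a container rootfs stored beneath it."""
    host_root = os.path.join(base, "host")
    container_root = os.path.join(host_root, "var", "lib", "ctr", "rootfs")
    os.makedirs(os.path.join(container_root, "app"))  # target's cwd, "/app" in the container
    os.makedirs(os.path.join(host_root, "app"))       # unrelated "/app" on the host
    return host_root, container_root

class ProcCwd:
    """Stand-in for /proc/<pid>/cwd of a containerized target (assumed model)."""
    def __init__(self, container_root, cwd):
        self.link_text = cwd                          # what canonicalization yields
        self.real_dir = in_root(container_root, cwd)  # where traversing the link lands

def create_attach_file(host_root, proc_cwd, name, canonicalize):
    if canonicalize:
        # Canonical form: the link text is re-resolved against the attacher's own root.
        directory = in_root(host_root, proc_cwd.link_text)
    else:
        # Non-canonical form: the kernel follows the link into the target's directory.
        directory = proc_cwd.real_dir
    path = os.path.join(directory, name)
    open(path, "w").close()
    return path

def target_sees(container_root, cwd, name):
    """Would the target VM find the attach file in its own cwd?"""
    return os.path.exists(os.path.join(in_root(container_root, cwd), name))

def demo():
    with tempfile.TemporaryDirectory() as base:
        host_root, container_root = build_layout(base)
        link = ProcCwd(container_root, "/app")
        seen = {}
        for canonicalize in (True, False):
            path = create_attach_file(host_root, link, ".attach_pid42", canonicalize)
            seen[canonicalize] = target_sees(container_root, "/app", ".attach_pid42")
            os.remove(path)
        return seen

if __name__ == "__main__":
    print(demo())
```
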