RFR: 8341310: Test containers/docker/TestJcmdWithSideCar.java fails after JDK-8327114 [v3]

Sebastian Lövdahl duke at openjdk.org
Wed Oct 2 19:40:35 UTC 2024


On Wed, 2 Oct 2024 18:46:07 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:

>> The change of [JDK-8327114](https://bugs.openjdk.org/browse/JDK-8327114) also increased test coverage. In particular, the `TestJcmdWithSideCar.java` test got enhanced to cover these cases (prior to [JDK-8327114](https://bugs.openjdk.org/browse/JDK-8327114) only case 1 was tested):
>> 
>> 1. Shared volumes between attachee and attacher and shared pid namespace
>> 2. Shared volumes between attachee and attacher and shared pid namespace, both running with elevated privileges
>> 3. Shared pid namespace between attachee and attacher only
>> 4. Shared pid namespace between attachee and attacher, both running with elevated privileges
>> 
>> The OpenJDK attach code is able to handle cases 1 through 3 which pass, but the last case, `4`, hasn't been implemented yet when running as a regular user and directing the container runtime to map the container user to that user as well. Thus, the test fails. For now I propose to disable the 4th test case. It can get re-enabled once the product code got updated to account for this case (tracked in https://bugs.openjdk.org/browse/JDK-8341349).
>> 
>> Thoughts? Could somebody please run this through Oracle's test system in order to see if this fixes the issue? Thank you!
>
> Severin Gehwolf has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - Revert "Improve runtime of test"
>    
>    This reverts commit 5b2f646c73b747f6fff364347031074d24e49822.
>  - Revert "Remove the attachee container if it exists"
>    
>    This reverts commit ef7abf249268c30f726bee19dde3337d92c6493d.

> It can get re-enabled once the product code got updated to account for this case (tracked in https://bugs.openjdk.org/browse/JDK-8341349).

I spent some time thinking about this, and I'm not sure if it can be solved?

The test case that fails with Podman is `ACCESS_TMP_VIA_PROC_ROOT`. That is, we try to attach to another JVM by accessing the target JVM's root filesystem through `/proc/[pid]/root`. But for processes with elevated privileges `/proc/[pid]/root` can only be read by `root`. That is why it works with the default setup of Docker but not Podman. Or am I missing something?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21289#issuecomment-2389535881
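
The access question raised in the message above can be checked from the attacher's side with a small probe. This is an added example, not part of the original message or of the OpenJDK code; it assumes the HotSpot attach socket is named `.java_pid<pid>` under the target's `/tmp`, and the function names and the `proc` parameter are hypothetical.

```python
import os
import re
import sys

def ns_pid(status_text):
    """Return the PID in the innermost PID namespace from /proc/<pid>/status text."""
    m = re.search(r"^NSpid:\s*(.+)$", status_text, re.MULTILINE)
    # NSpid lists one PID per nested namespace; the last entry is the innermost.
    return int(m.group(1).split()[-1]) if m else None

def probe_attach_path(pid, proc="/proc"):
    """Report whether the caller can reach <proc>/<pid>/root/tmp and whether
    a .java_pid<nspid> file (assumed socket name) is visible there."""
    base = os.path.join(proc, str(pid))
    result = {"pid": pid, "ns_pid": None, "root_tmp": None, "socket": None}
    try:
        with open(os.path.join(base, "status")) as f:
            result["ns_pid"] = ns_pid(f.read())
    except OSError as e:
        result["root_tmp"] = "no such process or unreadable status: " + e.strerror
        return result
    tmp = os.path.join(base, "root", "tmp")
    try:
        # On a real /proc, dereferencing "root" is subject to the kernel's
        # ptrace access mode check, so this is where a denial shows up.
        entries = os.listdir(tmp)
    except PermissionError:
        result["root_tmp"] = "denied"
        return result
    except OSError as e:
        result["root_tmp"] = "unavailable: " + e.strerror
        return result
    result["root_tmp"] = "accessible"
    target = result["ns_pid"] if result["ns_pid"] is not None else pid
    name = ".java_pid%d" % target
    result["socket"] = name if name in entries else None
    return result

if __name__ == "__main__":
    # Probe the PIDs given on the command line, or this process by default.
    for arg in sys.argv[1:] or [str(os.getpid())]:
        print(probe_attach_path(int(arg)))
```

Running it as the attacher's user against the attachee's host-side PID shows whether `root_tmp` comes back `accessible` or `denied` under a given container runtime setup.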

