[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openjdk-serviceability-dev
Subject:    Re: RFR: 8193710 - jcmd -l and jps commands do not list Java processes running in Docker containers
From:       David Holmes <david.holmes () oracle ! com>
Date:       2018-01-22 22:15:46
Message-ID: dfaf8cb8-3e94-1157-418e-e7eabb98df10 () oracle ! com
[Download RAW message or body]

Thanks Bob. Seems okay.

David

On 23/01/2018 3:20 AM, Bob Vandette wrote:
> Please review this change that resolves the detection of Java processes that are \
> running in cgroup based containers.
> 
> This latest (and hopefully final) update of this fix addresses comments from David \
> Holmes and Mandy Chung. 
> Bug:
> 
> https://bugs.openjdk.java.net/browse/JDK-8193710
> 
> Webrev:
> 
> http://cr.openjdk.java.net/~bobv/8193710/webrev.02/
> 
> Summary:
> 
> This changeset enables the ability to use jcmd and jps running on a Host to
> list the java processes that are running in docker (cgroup based) containers.
> 
> I've tested this change by examining processes running as root on both host and in
> docker containers as well as under my userid using "jps and jcmd -l".
> I've also tested updates to the getFile functions with a small example program that \
> I wrote. 
> 
> Here are some implementation details that I've added to the Linux specific \
> implementation class: 
> src/jdk.internal.jvmstat/linux/classes/sun/jvmstat/PlatformSupportImpl.java
> 
> /* Implementation Details:
> *
> * Java processes that run in docker containers are typically running
> * under cgroups with separate pid namespaces which means that pids
> * within the container are different that the pid which is visible
> * from the host.  The container pids typically start with 1 and
> * increase.  The java process running in the container will use these
> * pids when creating the hsperfdata files.  In order to locate java
> * processes that are running in containers, we take advantage of
> * the Linux proc file system which maps the containers tmp directory
> * to the hosts under /proc/{hostpid}/root/tmp.  We use the /proc status
> * file /proc/{hostpid}/status to determine the containers pid and
> * then access the hsperfdata file.  The status file contains an
> * entry "NSPid:" which shows the mapping from the hostpid to the
> * containers pid.
> *
> * Example:
> *
> * NSPid: 24345 11
> *
> * In this example process 24345 is visible from the host,
> * is running under the PID namespace and has a container specific
> * pid of 11.
> *
> * The search for Java processes is done by first looking in the
> * traditional /tmp for host process hsperfdata files and then
> * the search will container in every /proc/*/root/tmp directory.
> * There are of course added complications to this search that
> * need to be taken into account.
> *
> * 1. duplication of tmp directories
> *
> * /proc/{hostpid}/root/tmp directories exist for many processes
> * that are running on a Linux kernel that has cgroups enabled even
> * if they are not running in a container.  To avoid this duplication,
> * we compare the inode of the /proc tmp directories to /tmp and
> * skip these duplicated directories.
> *
> * 2. Containerized processes without PID namespaces being enabled.
> *
> * If a container is running a Java process without namespaces being
> * enabled, an hsperfdata file will only be located at
> * /proc/{hostpid}/root/tmp/{hostpid}.  This is handled by
> * checking the last component in the path for both the hostpid
> * and potential namespacepids (if one exists).
> */
> 
> Bob.
> 


[prev in list] [next in list] [prev in thread] [next in thread]