
List:       openjdk-serviceability-dev
Subject:    Re: RFR: 8261242: [Linux] OSContainer::is_containerized() returns true when run outside a container
From:       Severin Gehwolf <sgehwolf () openjdk ! org>
Date:       2024-03-22 12:56:21
Message-ID: 4igI0UicqIV8pAhAFkxreyNnV9rZiaZZ98JI5TZWpEo=.3a2747f4-bfc2-4e09-9172-2b2f6d9bc2d6 () github ! com

On Mon, 11 Mar 2024 16:55:36 GMT, Severin Gehwolf <sgehwolf@openjdk.org> wrote:

> Please review this enhancement to the container detection code which allows it to
> figure out whether the JVM is actually running inside a container (`podman`,
> `docker`, `crio`), or with some other means that enforces memory/cpu limits by
> means of the cgroup filesystem. If neither of those conditions holds, the JVM runs
> in not containerized mode, addressing the issue described in the JBS tracker. For
> example, on my Linux system `is_containerized() == false` is being indicated with
> the following trace log line:
> 
> [0.001s][debug][os,container] OSContainer::init: is_containerized() = false because no cpu or memory limit is present
> 
> This state is being exposed by the Java `Metrics` API class using the new (still
> JDK internal) `isContainerized()` method. Example:
> 
> java -XshowSettings:system --version
> Operating System Metrics:
> Provider: cgroupv1
> System not containerized.
> openjdk 23-internal 2024-09-17
> OpenJDK Runtime Environment (fastdebug build 23-internal-adhoc.sgehwolf.jdk-jdk)
> OpenJDK 64-Bit Server VM (fastdebug build 23-internal-adhoc.sgehwolf.jdk-jdk, mixed mode, sharing)
> 
> The basic property this is being built on is the observation that the cgroup
> controllers typically get mounted read only into containers. Note that the current
> container tests assert that `OSContainer::is_containerized() == true` in various
> tests. Therefore, using the heuristic of "is any memory or cpu limit present" isn't
> sufficient. I had considered that in an earlier iteration, but many container tests
> failed.
>
> Overall, I think, with this patch we improve the current situation of claiming a
> containerized system being present when it's actually just a regular Linux system.
>
> Testing:
> 
> - [x] GHA (risc-v failure seems infra related)
> - [x] Container tests on Linux x86_64 of cgroups v1 and cgroups v2 (including gtests)
> - [x] Some manual testing using cri-o
> 
> Thoughts?

Anyone willing to review this?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/18201#issuecomment-2015043712
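
The heuristic described in the quoted message, as an added sketch that is not HotSpot's code and not part of the original email: it reads the per-mount options of cgroup entries in `/proc/self/mountinfo` text and combines "controllers mounted read-only" with "a cpu or memory limit is present". The function names, the sample mountinfo lines (constructed) and the rule that every cgroup mount must be `ro` are assumptions of this example.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed /proc/self/mountinfo samples (not captured from a real system).
const std::string HOST_V2 =
    "35 24 0:30 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate\n";
const std::string CONTAINER_V2 =
    "1225 1220 0:30 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate\n";

// True if the comma-separated option list contains the exact option "ro".
static bool has_ro(const std::string& opts) {
    std::istringstream in(opts);
    for (std::string o; std::getline(in, o, ',');)
        if (o == "ro") return true;
    return false;
}

// Assumption of this sketch: the controllers count as read-only when at least
// one cgroup/cgroup2 mount exists and every such mount has "ro" set.
bool cgroup_mounts_read_only(const std::string& mountinfo) {
    int total = 0, read_only = 0;
    std::istringstream lines(mountinfo);
    for (std::string line; std::getline(lines, line);) {
        std::istringstream fields(line);
        std::vector<std::string> tok;
        for (std::string t; fields >> t;) tok.push_back(t);
        // Optional fields (zero or more) start at index 6 and end at "-".
        std::size_t sep = 6;
        while (sep < tok.size() && tok[sep] != "-") ++sep;
        if (sep + 1 >= tok.size()) continue;  // malformed or unrelated line
        if (tok[sep + 1] != "cgroup" && tok[sep + 1] != "cgroup2") continue;
        ++total;
        // tok[5] holds the per-mount options; the super options after the
        // filesystem source can still say "rw" for a read-only mount.
        if (has_ro(tok[5])) ++read_only;
    }
    return total > 0 && read_only == total;
}

// Containerized if the controllers are read-only or a cpu/memory limit exists.
bool looks_containerized(const std::string& mountinfo, bool limit_present) {
    return cgroup_mounts_read_only(mountinfo) || limit_present;
}

int main() {
    std::cout << std::boolalpha
              << "host, no limit: " << looks_containerized(HOST_V2, false) << "\n"
              << "container, no limit: " << looks_containerized(CONTAINER_V2, false) << "\n"
              << "host, limit set: " << looks_containerized(HOST_V2, true) << "\n";
}
```

The container sample deliberately carries `rw` in its trailing super options, so a check that looks at the wrong field would misclassify it.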

